CN101651697A - Method and equipment for managing network access authority - Google Patents


Info

Publication number
CN101651697A
Authority
CN
China
Prior art keywords
user terminal
equipment
access
external network
switch
Legal status
Pending
Application number
CN200910176763A
Other languages
Chinese (zh)
Inventor
杨柳
刘如冰
Current Assignee
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN200910176763A
Publication of CN101651697A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and equipment for managing network access authority. Access control between different hosts and the setting of priorities are realized through a route matrix, so that the traffic of the whole network can be supervised. Because a route matrix can be implemented simply in software and combined with many application systems, network monitoring is simplified and made more flexible.

Description

Method and equipment for managing network access authority
Technical field
The present invention relates to the field of communication technology, and in particular to a method and equipment for managing network access authority.
Background technology
The IEEE 802.1x protocol, widely used in present-day local area networks (LANs), is a port-based network access control protocol used by a network switch to authenticate and control clients at the physical access level. The application architecture of the 802.1x protocol, shown in Figure 1, comprises: user equipment, a switch, and an AAA (Authentication, Authorization and Accounting) server.
The 802.1x switch is an Ethernet switch at the user access layer, located at one end of a point-to-point link in a LAN or wireless LAN; the 802.1x user equipment is the authentication requester, the entity at the other end of that point-to-point link, usually installed on a personal computer; the 802.1x AAA server is usually located at the operator's authentication center.
Between the 802.1x user equipment and the switch runs the Extensible Authentication Protocol over LANs (EAPoL) defined by IEEE 802.1x; between the switch and the AAA server runs the Extensible Authentication Protocol (EAP). Inside the Ethernet switch there are controlled ports and uncontrolled ports: the uncontrolled port is always in the bidirectionally connected state, while the controlled port is opened only once authentication has passed, and is used to deliver network resources and services. Under this architecture, user equipment connected to an Ethernet switch port can access network resources only if it passes authentication; if it cannot pass authentication, it cannot access network resources.
The general flow of user equipment authentication and going online, shown in Figure 2, comprises the following steps:
Step S201, the user goes online and enters a username and password;
Step S202, the switch sends an authentication request packet to the AAA server according to the information obtained, such as the username and password;
Step S203, the AAA server compares this user information against its database; if authentication succeeds, it sends the user's authority information to the switch in the authentication response message; if authentication fails, it returns an authentication failure response message;
Step S204, the switch admits or refuses the user according to the authentication result received. If the user may be admitted, the switch sends an accounting start request message to the AAA server;
Step S205, the AAA server returns an accounting start response message;
Step S206, when the user goes offline, the switch sends an accounting stop request message to the AAA server;
Step S207, the AAA server returns an accounting stop response message.
In the prior art, the user equipment initiates an authentication request to the AAA server through the switch: first the user equipment exchanges information such as the username and password with the switch, then the switch forwards this information to the AAA server, and finally the AAA server judges whether the user of the user equipment is legitimate. If the user is legitimate, the user equipment's authentication request passes and the subsequent authorization and accounting flows are carried out; if the user is illegitimate, authentication fails and the user cannot go online.
Extending the above authentication method, this authentication policy is applied in the network system shown in Figure 3. At the switch, if a request from an untrusted host to access the Internet or the local area network (LAN) is received, the access is not allowed to pass; such a host should first authenticate to the authentication server, and only after passing authentication does it become a trusted host that may access the Internet or the LAN.
In the course of realizing the present invention, the inventors found that the prior art has at least the following problem:
In the whole network, it is sometimes necessary to give priority to guaranteeing communication access between certain key hosts while limiting the traffic between other, non-key hosts. The prior art has no clear implementation of such a policy, so the above access control and priority control cannot be realized with existing technology.
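The following is an added example, not part of the patent text, that models the prior-art 802.1x flow of Figure 2 (steps S201 to S207) as three cooperating objects: the supplicant on the user equipment, the switch as authenticator, and the AAA server. The point it makes concrete is the port model of the background section: the uncontrolled port always carries EAPoL, while the controlled port forwards network traffic only while an authenticated session exists. The user database, message dictionaries, port identifier and password hashing scheme are constructed for this illustration and are not taken from the patent or any H3C product.

```python
# Added example (not from the patent): a minimal model of the 802.1x flow of
# Figure 2 (steps S201-S207). The supplicant talks to the switch over EAPoL,
# the switch relays to the AAA server over EAP, and the controlled port opens
# only after the AAA server answers "success". Names, the user database and
# the message dictionaries are constructed for this illustration.
import hashlib
import hmac

# Constructed AAA user database: username -> (salt, salted SHA-256 of password, authority)
_USERS = {
    "alice": ("s1", hashlib.sha256(b"s1" + b"correct horse").hexdigest(), "full"),
}


class AAAServer:
    """Steps S203/S205/S207: verifies credentials, returns authority, tracks accounting."""

    def __init__(self):
        self.sessions = {}  # username -> accounting state

    def authenticate(self, req):
        salt, digest, authority = _USERS.get(req["user"], ("", "", None))
        candidate = hashlib.sha256(salt.encode() + req["password"].encode()).hexdigest()
        # Constant-time comparison so a failed login does not leak how much matched.
        if authority is not None and hmac.compare_digest(candidate, digest):
            return {"result": "success", "authority": authority}
        return {"result": "failure"}

    def accounting_start(self, user):
        self.sessions[user] = "started"
        return {"result": "accounting-start-ok"}

    def accounting_stop(self, user):
        self.sessions[user] = "stopped"
        return {"result": "accounting-stop-ok"}


class Switch:
    """Authenticator: the uncontrolled port always passes EAPoL, the controlled
    port carries network traffic only while an authenticated session exists."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.controlled_port_open = {}  # port id -> bool

    def eapol_logon(self, port, user, password):
        # Step S202: relay the credentials to the AAA server over EAP.
        resp = self.aaa.authenticate({"user": user, "password": password})
        if resp["result"] != "success":
            self.controlled_port_open[port] = False  # Step S204: refuse the user
            return resp
        self.controlled_port_open[port] = True  # Step S204: admit the user
        self.aaa.accounting_start(user)  # Steps S204/S205: accounting start
        return resp

    def eapol_logoff(self, port, user):
        # Steps S206/S207: close the controlled port and stop accounting.
        self.controlled_port_open[port] = False
        return self.aaa.accounting_stop(user)

    def forward(self, port, frame):
        """Network traffic passes only through an open controlled port."""
        return self.controlled_port_open.get(port, False)


def demo():
    """Run one failed logon, one successful logon, a forward, and a logoff."""
    aaa = AAAServer()
    sw = Switch(aaa)
    wrong = sw.eapol_logon("gi1/0/1", "alice", "wrong password")
    right = sw.eapol_logon("gi1/0/1", "alice", "correct horse")
    open_after_auth = sw.forward("gi1/0/1", b"payload")
    sw.eapol_logoff("gi1/0/1", "alice")
    open_after_logoff = sw.forward("gi1/0/1", b"payload")
    return wrong["result"], right["result"], open_after_auth, open_after_logoff, aaa.sessions["alice"]


if __name__ == "__main__":
    print(demo())
```

Before any logon the controlled port is closed, so `forward()` returns `False`; it returns `True` only between a successful logon and the logoff, which is exactly the window in which the background section says the controlled port delivers network resources.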
Summary of the invention
The invention provides a method and equipment for managing network access authority that carry out access control and priority control in the form of a route matrix.
To achieve the above object, one aspect of the invention provides a method for managing network access authority, applied in a system comprising a switch, at least one user terminal and an authentication server, where the switch is connected to the at least one user terminal and to the authentication server respectively, and is also connected to an external network. It is characterized in that the switch stores the access rights between each device in the system and/or the external network in the form of a route matrix, and the method comprises:
When the switch receives an access request, the switch queries in the route matrix whether the sending device of the access request has access rights to the destination device of the access request;
When the query result is yes, the switch allows the sending device to access the destination device; when the query result is no, the switch refuses the sending device access to the destination device.
Preferably, when a new user terminal is added to the system, the method further comprises:
The switch marks in the route matrix that the user terminal has access rights to the authentication server, but has no access rights to other devices in the system or to the external network;
When the user terminal passes authentication by the authentication server, the switch marks in the route matrix the access rights between the user terminal and the other devices in the system and/or the external network according to a preset device access authority setting policy.
Preferably, when a new user terminal is added to the system, the method further comprises:
When the switch receives information specifying the access rights between the user terminal and other devices in the system and/or the external network, it marks those access rights in the route matrix directly according to that information.
Preferably, the access rights between the user terminal and other devices in the system or the external network are specifically:
A flag that allows or refuses the user terminal access to other devices in the system or the external network; or,
A priority mark for the user terminal's access to other devices in the system or the external network, where the lowest-level priority mark denotes that the user terminal is refused access to other devices in the system or the external network.
Preferably, when the access rights between the user terminal and other devices in the system or the external network are the priority mark for the user terminal's access to other devices in the system or the external network, after the switch queries in the route matrix whether the sending device of the access request has access rights to the destination device of the access request, the method specifically comprises:
The switch controls the access traffic of the user terminal according to the level of the priority mark held between the user terminal sending the access request and the destination terminal of the access request.
Preferably, when the access rights between the user terminal and other devices in the system or the external network are the priority mark for the user terminal's access to other devices in the system or the external network, the method further comprises:
When the switch judges that a user terminal has a potential security hazard, the switch lowers the level of the priority mark for that user terminal's access to other devices in the system or the external network;
When the switch judges that the potential security hazard of the user terminal has been eliminated, the switch raises the level of the priority mark for that user terminal's access to other devices in the system or the external network.
On the other hand, the invention also provides a switch, applied in a system comprising a switch, at least one user terminal and an authentication server, where the switch is connected to the at least one user terminal and to the authentication server respectively, and is also connected to an external network, comprising:
A storage module, used to store the route matrix holding the access authority information between each device in the system and/or the external network;
A communication module, used to receive the communication messages sent by each device in the system;
A query module, connected to the communication module and the storage module, used, when the communication module receives an access request, to query in the route matrix stored by the storage module whether the sending device of the access request has access rights to the destination device of the access request;
A control module, connected to the query module, which allows the sending device to access the destination device when the query result of the query module is yes, and refuses the sending device access to the destination device when the query result of the query module is no.
Preferably, the access rights between a user terminal and other devices in the system or the external network contained in the route matrix stored by the storage module are specifically:
A flag that allows or refuses the user terminal access to other devices in the system or the external network; or,
A priority mark for the user terminal's access to other devices in the system or the external network, where the lowest-level priority mark denotes that the user terminal is refused access to other devices in the system or the external network.
Preferably, when the access rights between a user terminal and other devices in the system or the external network contained in the route matrix stored by the storage module are the priority mark for the user terminal's access to other devices in the system or the external network,
the control module is also used to control the access traffic of the user terminal according to the level of the priority mark, found by the query module, between the user terminal sending the access request and the destination terminal of the access request.
Preferably, when the access rights between a user terminal and other devices in the system or the external network contained in the route matrix stored by the storage module are the priority mark for the user terminal's access to other devices in the system or the external network, the switch further comprises:
A judgement module, used to judge whether each user terminal in the system has a potential security hazard;
An adjustment module, connected to the judgement module and the storage module, used to lower, in the route matrix stored by the storage module, the level of the priority mark for a user terminal's access to other devices in the system or the external network when the judgement module judges that the user terminal has a potential security hazard, or to raise that level when the judgement module judges that the potential security hazard of the user terminal has been eliminated.
Compared with the prior art, the invention has the following advantages:
By using the technical scheme of the invention, access control between different hosts and the setting of priorities can be realized through a route matrix, so that the traffic of the whole network can be supervised. Because a route matrix can be implemented very simply in software and combined with many application systems, network monitoring is simplified and made more flexible.
Description of drawings
Figure 1 is a schematic diagram of the application architecture of the 802.1x protocol in the prior art;
Figure 2 is a schematic flow diagram of client authentication and going online in the prior art;
Figure 3 is a structural schematic of a typical application network in the prior art;
Figure 4 is a schematic flow diagram of a method for managing network access authority provided by the invention;
Figure 5 is a schematic flow diagram of the initialization procedure for access rights in a route matrix provided by the invention;
Figure 6 is a schematic flow diagram of a priority adjustment procedure provided by the invention;
Figure 7 is a structural schematic of a switch proposed by the invention.
Embodiment
As stated in the background art, the prior art has no clear implementation for giving priority to communication access between certain key hosts while restricting the traffic between other, non-key hosts; therefore the above access control and priority control cannot be realized with existing technology.
To solve the above problem, one aspect of the invention provides a method for managing network access authority, applied in a system comprising a switch, at least one user terminal and an authentication server, where the switch is connected to the authentication server and to the at least one user terminal respectively and is also connected to an external network, and where the switch stores the access rights between each device in the system and/or the external network in the form of a route matrix.
As shown in Figure 4, the flow of the method for managing network access authority proposed by the invention specifically comprises the following steps:
Step S401, the switch receives an access request.
It should be pointed out that before this step, the technical scheme also includes an initialization procedure for the access rights in the route matrix, described as follows:
When a new user terminal is added to the system, the switch marks in the route matrix that the user terminal has access rights to the authentication server, but has no access rights to other devices in the system or to the external network.
Such processing guarantees that the user terminal has the right to reach the authentication server for authority authentication, but that, before the security of the user terminal has been verified, it cannot access other devices in the system or the external network.
When the user terminal passes authentication by the authentication server, the switch marks in the route matrix the access rights between the user terminal and the other devices in the system and/or the external network according to a preset device access authority setting policy.
It should also be noted that if access rights are specified directly for a newly connected user terminal, that is, when the switch receives information specifying the access rights between the user terminal and other devices in the system and/or the external network, the switch can mark those access rights in the route matrix directly according to that information, and no longer needs to carry out the access authority authentication process with the authentication server.
Step S402, the switch queries in the route matrix whether the sending device of the access request has access rights to the destination device of the access request.
When the query result is yes, step S403 is executed;
When the query result is no, step S404 is executed.
It should be noted in particular that the access rights between a user terminal and other devices in the system or the external network cover the following two situations:
Situation one: a flag that allows or refuses the user terminal access to other devices in the system or the external network.
This only marks whether the user terminal is allowed to access other devices in the system or the external network, i.e. there are only the two cases "allowed" and "refused".
Situation two: a priority mark for the user terminal's access to other devices in the system or the external network, where the lowest-level priority mark denotes that the user terminal is refused access to other devices in the system or the external network.
In this case there are no longer simply two cases; instead, access is divided into several levels according to the importance and/or security level of the access between devices. The lowest priority level denotes denied access, and the higher the priority level, the more the access processes between the corresponding devices are given preferential treatment, or the more system resources are allocated to the high-priority access processes.
Based on situation two, the judgement of step S402 is adjusted accordingly, specifically as follows:
When the query result is that the level of the priority mark corresponding to this access request is not the lowest priority, step S403 is executed;
When the query result is that the level of the priority mark corresponding to this access request is the lowest priority, step S404 is executed.
Step S403, the switch allows the sending device to access the destination device.
In this step, if the access processes have a priority division according to situation two above, the switch must carry out, at the corresponding priority level, the preferential handling of the access processes and/or the scheduling of the system resources used for them, thereby realizing the corresponding flow control.
Step S404, the switch refuses the sending device access to the destination device.
In a specific application scenario, when the access rights between a user terminal and other devices in the system or the external network are the priority mark for the user terminal's access to other devices in the system or the external network, the technical scheme of the invention also includes a priority-level adjustment process, described as follows:
When the switch judges that a user terminal has a potential security hazard, the switch lowers the level of the priority mark for that user terminal's access to other devices in the system or the external network;
When the switch judges that the potential security hazard of the user terminal has been eliminated, the switch raises the level of the priority mark for that user terminal's access to other devices in the system or the external network.
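The switch-side decision of steps S402 to S404, as an added example that is not part of the patent: it looks up the cell for (sending device, destination device) and accepts either representation the description allows, a "Y"/"N" flag (situation one) or an integer priority level in which the lowest level, 0, means refused (situation two). The device names, the sample matrix, the level range and the choice to treat an unknown device as having no rights are constructed assumptions for this example.

```python
# Added example (not from the patent): the decision of steps S402-S404 over a
# route matrix whose cells are either "Y"/"N" flags (situation one) or integer
# priority levels where 0 is the lowest level and means "denied" (situation
# two). Matrix contents, device names and the level range are constructed.
from dataclasses import dataclass
from typing import Optional

DENY_LEVEL = 0  # lowest priority level == access refused (situation two)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    priority: Optional[int]  # None for a plain Y/N cell, else the level to schedule with


def query(matrix, src, dst):
    """Step S402: look up the cell for (sending device, destination device).
    A device missing from the matrix is treated as having no rights (assumption)."""
    cell = matrix.get(src, {}).get(dst, "N")
    if isinstance(cell, str):  # situation one: Y/N flag
        return Decision(cell.upper() == "Y", None)
    if isinstance(cell, int) and not isinstance(cell, bool):  # situation two: level
        return Decision(cell > DENY_LEVEL, cell)
    raise ValueError(f"malformed route matrix cell for {src}->{dst}: {cell!r}")


def handle_request(matrix, src, dst):
    """Steps S403/S404: returns ("allow", level) or ("deny", None).
    For a Y/N cell the level is None; for a priority cell it is the level the
    switch should use when scheduling the flow (step S403)."""
    d = query(matrix, src, dst)
    return ("allow", d.priority) if d.allowed else ("deny", None)


# Constructed matrix: rows are sending devices, columns are destination devices.
MIXED_MATRIX = {
    "host1": {"auth": "Y", "host2": "N", "lan": "N"},  # situation one row
    "host2": {"auth": 1, "host1": 3, "lan": 2, "host3": 0},  # situation two row
}


def demo():
    """Evaluate a handful of requests against the constructed matrix."""
    return [handle_request(MIXED_MATRIX, s, d) for s, d in
            [("host1", "auth"), ("host1", "lan"), ("host2", "host1"),
             ("host2", "host3"), ("host3", "auth")]]


if __name__ == "__main__":
    for req, result in zip(["host1->auth", "host1->lan", "host2->host1",
                            "host2->host3", "host3->auth"], demo()):
        print(req, result)
```

A malformed cell (anything other than a string flag or an integer) raises rather than silently allowing, so a corrupted or mistyped matrix entry fails closed.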
Compared with the prior art, the invention has the following advantages:
By using the technical scheme of the invention, access control between different hosts and the setting of priorities can be realized through a route matrix, so that the traffic of the whole network can be supervised. Because a route matrix can be implemented very simply in software and combined with many application systems, network monitoring is simplified and made more flexible.
Below, the technical scheme proposed by the invention is described in conjunction with specific application scenarios.
The invention proposes a method of managing network access authority through a "route matrix", which can carry out layer-3 forwarding, access control and traffic policing simply and flexibly.
Table 1 shows a simple route matrix.
Table 1: schematic of a simple route matrix
[Table 1 is present on the original page only as image G2009101767630D00081.]
In Table 1, Y denotes accessible and N denotes inaccessible.
This route matrix expresses the access rights between the devices in the current system, specifically:
(1) device A cannot access device B;
(2) device B can access device A.
To meet the access control needs of each device in the current system, the concept of the route matrix is introduced into layer-3 routing control and management, as shown in Table 2. As in Table 1, 'Y' denotes accessible and 'N' denotes inaccessible.
Table 2: schematic of a route matrix
[Table 2 is present on the original page only as image G2009101767630D00091.]
This route matrix contains the following information:
(1) all hosts and the authentication server can access each other;
(2) an untrusted host is not allowed to access any host other than the authentication server;
(3) a trusted host can access all other hosts except untrusted hosts;
(4) after an untrusted host passes the authentication server, the corresponding entries in the matrix can be changed to "Y", switching it to a trusted host.
From the above explanation, the meaning of the parameters of the route matrix in this application scenario can be defined as follows:
A row (i.e. the source IP) represents the reliability of the host initiating the access; a column (the destination IP) represents the confidentiality of the accessed host and the degree of attention paid to its security. The more 'N' entries in a row, the less reliable the host; the more 'N' entries in a column, the more confidential the host and the higher its security requirement. Based on this rule, secure access control of the network can be configured by means of the "route matrix".
It should be further pointed out that the above route matrix format is only a preferred embodiment of the invention; adjustments to the format do not affect the scope of protection of the invention.
As shown in Figure 5, the initialization procedure for access rights in the route matrix specifically comprises the following steps:
Step S501, route matrix initialization.
The user can directly configure which destination hosts are accessible to all by default.
For example: if the user has configured a certain authentication server as a host accessible to all hosts, then the row and column corresponding to the authentication server are first set entirely to Y, while in the rows of the LAN or Internet (external network) all entries other than the authentication server and the host itself are set to 'N', as shown in Table 3:
Table 3: initial route matrix
[Table 3 is present on the original page only as image G2009101767630D00101.]
Step S502, a new host is added to the system, and its initial state is set so that it can only access the authentication server.
That is, by default a newly added host is defined as an untrusted host that is only allowed to access the authentication server, as shown in Table 4:
Table 4: route matrix after adding an untrusted host
Step S503, the newly added host undergoes security authentication, and the route matrix is adjusted according to the authentication result.
For example, untrusted host 1 fails authentication while untrusted host 2 passes and becomes a "trusted host"; the access level of untrusted host 2 is therefore raised, and the host is set to be able to access the external network (LAN/Internet).
This process can also be specified by the user: if the user considers a newly added host trustworthy, it can be configured directly as a "trusted host" without authenticating at the authentication server.
The route matrix adjusted after authentication is shown in Table 5:
Table 5: route matrix after authentication
[Table 5 is present on the original page only as image G2009101767630D00112.]
At this point the security deployment in the network is complete, and access between the devices in the system can be controlled through the "route matrix" according to the corresponding access rights.
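Since Tables 3 to 5 survive only as images, the following added example (not the patent's own code) rebuilds them programmatically from the rules of steps S501 to S503 and the four properties listed for Table 2, and also computes the row/column 'N' counts the description uses as a reliability and sensitivity heuristic. Rows are source devices and columns destination devices. The host names, the handling of a host's own diagonal entry, and the choice to leave external-network-to-host access at 'N' after authentication (the text only says the authenticated host may reach the external network) are constructed assumptions.

```python
# Added example (not from the patent): building the route matrices of Tables 3
# to 5 in code. Rows are source devices, columns destination devices, "Y" means
# may access and "N" means may not. Host names and the decision to keep
# external-network -> host access at "N" after authentication are constructed
# assumptions; the rules themselves follow steps S501-S503 of Figure 5.
AUTH = "auth_server"
EXTERNAL = ("LAN", "Internet")


def init_matrix():
    """Step S501 (Table 3): the authentication server may reach and be reached
    by every device; the external network reaches nothing but the
    authentication server and itself."""
    devices = [AUTH, *EXTERNAL]
    m = {s: {d: "N" for d in devices} for s in devices}
    for d in devices:
        m[AUTH][d] = m[d][AUTH] = "Y"
        m[d][d] = "Y"  # a device may always reach itself (assumption)
    return m


def add_host(m, host):
    """Step S502 (Table 4): a new host is untrusted by default and may only
    access the authentication server; nothing else may reach it either."""
    m[host] = {d: "N" for d in m}
    for s in m:
        m[s][host] = "N"
    m[host][host] = "Y"
    m[host][AUTH] = m[AUTH][host] = "Y"
    return m


def authenticate(m, host, trusted, passed):
    """Step S503 (Table 5): a host that passes authentication becomes trusted.
    It may then access the external network and every other trusted host, and
    the other trusted hosts may access it. A host that fails stays as in
    Table 4. Declaring a host trusted directly (user configuration) takes the
    same path with passed=True."""
    if not passed:
        return m
    trusted.add(host)
    for other in trusted:
        m[host][other] = m[other][host] = "Y"
    for ext in EXTERNAL:
        m[host][ext] = "Y"
    return m


def untrust_score(m, device):
    """Heuristic from the description: more "N" in a device's row means it is a
    less reliable source; more "N" in its column means it is a more sensitive
    destination. Returns (row_N_count, column_N_count)."""
    row_n = sum(1 for v in m[device].values() if v == "N")
    col_n = sum(1 for s in m if m[s][device] == "N")
    return row_n, col_n


def demo():
    """Tables 3 -> 4 -> 5 for two new hosts: host1 fails, host2 passes."""
    trusted = set()
    m = init_matrix()
    add_host(m, "host1")
    add_host(m, "host2")
    authenticate(m, "host1", trusted, passed=False)
    authenticate(m, "host2", trusted, passed=True)
    return m


if __name__ == "__main__":
    table5 = demo()
    cols = list(table5)
    print("src\\dst", *cols)
    for src in cols:
        print(src, *(table5[src][d] for d in cols))
```

After `demo()`, host1 (failed) still reaches only the authentication server and keeps the larger row 'N' count, while host2 (passed) reaches the external network but still cannot reach host1, matching property (3) of Table 2.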
On the other hand, on the basis of the above route matrix setting policy, weight values can be added to the nodes in the route matrix and applied to rate-limit supervision.
Suppose that 0 to 3 represent access priorities from low to high: denied access is the lowest priority (level 0), mutual access between trusted hosts is the highest priority (level 3), access to the authentication server is priority level 1, and access to the LAN/Internet is priority level 2. The corresponding priority settings are shown in Table 6:
Table 6: route matrix with weights
[Table 6 is present on the original page only as image G2009101767630D00121.]
On this basis, flow control can be applied to the access between devices according to the priority level: for example, mutual access between trusted hosts obtains the largest traffic allocation, while an access process with priority 0 is actually denied access and obtains no traffic allocation at all. With such settings, traffic adjustment between accesses of different grades is realized, and so is resource allocation within the system.
In application scenarios with such a priority division, a priority adjustment process can further be included.
The action of raising priority can be realized by means such as ACL rules. With this model, the traffic between different source and destination addresses can be rate-limited and throttled, so that the access with the highest priority is responded to first.
Specifically, as shown in Figure 6, in the technical scheme proposed by the invention the priorities in the route matrix can be obtained from the output of a network monitoring device such as a Network Intrusion Detection System (NIDS).
If the network monitoring device considers that the traffic coming from a host contains an attack, it notifies the switch to lower the priority of the corresponding node in the route matrix, and the priority is raised again once the attack has been eliminated.
Network security can be improved very flexibly in this way; the specific steps are not described in further detail.
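The weighted matrix of Table 6 together with the Figure 6 adjustment loop, as an added example that is not part of the patent: it builds the 0 to 3 levels for a set of trusted and untrusted hosts, derives the traffic split a source's link rate receives from those levels, and applies NIDS "attack" and "cleared" events by demoting and restoring a source host. The patent only states that higher levels get more traffic and level 0 gets none and that priority is lowered on an attack and raised once it is eliminated; the proportional-share rule, the per-source demotion counter (so that restoring never grants more than the configured policy and never re-opens a denied cell), the NIDS event format and the host names are constructed assumptions.

```python
# Added example (not from the patent): a weighted route matrix as in Table 6
# (0 = denied, 1 = to the authentication server, 2 = to LAN/Internet,
# 3 = between trusted hosts), the traffic split it implies, and the Figure 6
# adjustment driven by NIDS events. The level scale is the patent's; the
# proportional-share rule, the demotion counter and the event format are
# constructed for this example.
MAX_LEVEL = 3
DENIED = 0


class WeightedMatrix:
    """Route matrix with priority levels plus a per-source demotion counter."""

    def __init__(self, baseline):
        self.baseline = baseline  # policy levels, e.g. Table 6
        self.demotion = {src: 0 for src in baseline}

    def level(self, src, dst):
        """Effective level: the policy level minus active demotions. A denied
        cell stays denied, and the result never exceeds the policy level."""
        base = self.baseline.get(src, {}).get(dst, DENIED)
        if base == DENIED:
            return DENIED
        return max(DENIED, base - self.demotion.get(src, 0))

    def row(self, src):
        return {dst: self.level(src, dst) for dst in self.baseline.get(src, {})}

    def apply_nids_event(self, event):
        """Figure 6: an 'attack' event from the NIDS lowers the source host's
        levels by one; a 'cleared' event restores one step. The counter never
        goes below zero, so a host is never granted more than its policy."""
        src = event["source"]
        if src not in self.demotion:
            return
        if event["type"] == "attack":
            self.demotion[src] = min(MAX_LEVEL, self.demotion[src] + 1)
        elif event["type"] == "cleared":
            self.demotion[src] = max(0, self.demotion[src] - 1)


def table6(trusted, untrusted):
    """Build the Table 6 levels: 1 to the authentication server, 2 to the
    external network for trusted hosts, 3 between trusted hosts, 0 otherwise."""
    hosts = list(trusted) + list(untrusted)
    m = {}
    for src in hosts:
        row = {"auth_server": 1, "external": 2 if src in trusted else DENIED}
        for dst in hosts:
            if dst != src:
                row[dst] = MAX_LEVEL if (src in trusted and dst in trusted) else DENIED
        m[src] = row
    return m


def traffic_shares(wm, src, link_rate):
    """Split a source's link rate across destinations in proportion to the
    effective level; level-0 destinations get nothing (denied)."""
    row = wm.row(src)
    total = sum(row.values())
    return {dst: (link_rate * lvl / total if total else 0.0) for dst, lvl in row.items()}


def demo():
    """Shares for trusted host t1 before, during and after a NIDS alert."""
    wm = WeightedMatrix(table6(trusted=["t1", "t2"], untrusted=["u1"]))
    before = traffic_shares(wm, "t1", 100.0)
    wm.apply_nids_event({"source": "t1", "type": "attack"})  # constructed NIDS event
    during = traffic_shares(wm, "t1", 100.0)
    wm.apply_nids_event({"source": "t1", "type": "cleared"})
    after = traffic_shares(wm, "t1", 100.0)
    return before, during, after


if __name__ == "__main__":
    for label, shares in zip(("before", "during", "after"), demo()):
        print(label, shares)
```

During the alert, t1's level-1 path to the authentication server drops to 0 and its share with it, while its level-3 path to t2 continues at a reduced level; after the "cleared" event the original split returns. Untrusted u1, whose only non-zero cell is the authentication server, is unaffected by any number of "cleared" events because its denied cells never rise.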
Compared with the prior art, the invention has the following advantages:
By using the technical scheme of the invention, access control between different hosts and the setting of priorities can be realized through a route matrix, so that the traffic of the whole network can be supervised. Because a route matrix can be implemented very simply in software and combined with many application systems, network monitoring is simplified and made more flexible.
To realize the technical scheme proposed above, the invention also proposes a switch, applied in a system comprising a switch, at least one user terminal and an authentication server, where the switch is connected to the authentication server and to the at least one user terminal respectively and is also connected to an external network.
Specifically, as shown in Figure 7, the structure of the switch proposed by the invention comprises:
A storage module 71, used to store the route matrix holding the access authority information between each device in the system and/or the external network;
In a specific application scenario, the access rights between a user terminal and other devices in the system or the external network contained in the route matrix stored by the storage module 71 cover the following two situations:
Situation one: a flag that allows or refuses the user terminal access to other devices in the system or the external network.
This only marks whether the user terminal is allowed to access other devices in the system or the external network, i.e. there are only the two cases "allowed" and "refused".
Situation two: a priority mark for the user terminal's access to other devices in the system or the external network, where the lowest-level priority mark denotes that the user terminal is refused access to other devices in the system or the external network.
In this case there are no longer simply two cases; instead, access is divided into several levels according to the importance and/or security level of the access between devices. The lowest priority level denotes denied access, and the higher the priority level, the more the access processes between the corresponding devices are given preferential treatment, or the more system resources are allocated to the high-priority access processes.
A communication module 72, used to receive the communication messages sent by each device in the system;
A query module 73, connected to the communication module 72 and the storage module 71, used, when the communication module 72 receives an access request, to query in the route matrix stored by the storage module 71 whether the sending device of the access request has access rights to the destination device of the access request;
A control module 74, connected to the query module 73, which allows the sending device to access the destination device when the query result of the query module 73 is yes, and refuses the sending device access to the destination device when the query result of the query module 73 is no.
It should further be pointed out that when the access rights between a user terminal and other devices in the system or the external network contained in the route matrix stored by the storage module 71 are the priority mark for the user terminal's access to other devices in the system or the external network, the control module 74 is also used to control the access traffic of the user terminal according to the level of the priority mark, found by the query module 73, between the user terminal sending the access request and the destination terminal of the access request.
In a specific application scenario, when the access rights between a user terminal and other devices in the system or the external network contained in the route matrix stored by the storage module 71 are the priority mark for the user terminal's access to other devices in the system or the external network, the switch further comprises:
A judgement module 75, used to judge whether each user terminal in the system has a potential security hazard;
An adjustment module 76, connected to the judgement module 75 and the storage module 71, used to lower, in the route matrix stored by the storage module 71, the level of the priority mark for a user terminal's access to other devices in the system or the external network when the judgement module 75 judges that the user terminal has a potential security hazard, or to raise that level when the judgement module 75 judges that the potential security hazard of the user terminal has been eliminated.
Compared with the prior art, the present invention has the following advantages:
By using the technical scheme of the present invention, access control between different hosts and the setting of route-matrix priorities can be realized through a route matrix, so that the traffic of the whole network is supervised. Because the route matrix can be realized very simply in software and combined with multiple application systems, it simplifies network monitoring and improves the flexibility of network monitoring.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be realized by hardware, or by software together with a necessary general-purpose hardware platform. Based on this understanding, the technical scheme of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a USB flash disk, a portable hard drive, etc.) and comprises instructions for causing a computer device (which can be a personal computer, a server, a network device, etc.) to perform the method described in each implementation scenario of the present invention.
Those skilled in the art will appreciate that the drawings are schematic diagrams of a preferred implementation scenario, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will appreciate that the modules in the device of an implementation scenario can be distributed in the device of the implementation scenario as described, or can be changed correspondingly and arranged in one or more devices different from this implementation scenario. The modules of the above implementation scenario can be merged into one module or further split into a plurality of sub-modules.
The sequence numbers of the above implementation scenarios of the present invention are merely for description and do not represent the merits of the implementation scenarios.
The above disclosure is only several concrete implementation scenarios of the present invention; however, the present invention is not limited thereto, and any variation that those skilled in the art can conceive shall fall within the protection scope of the present invention.

Claims (10)

1. A method for managing network access authority, applied in a system comprising a switch, at least one user terminal and an authentication server, wherein the switch is connected to the at least one user terminal and to the authentication server respectively, and is also connected to an external network, characterized in that the access rights between each device in the system and/or the external network are stored in the switch in the form of a route matrix, the method comprising:
when the switch receives an access request, the switch queries in the route matrix whether the sending device of the access request has access rights to the destination device of the access request;
when the query result is yes, the switch allows the sending device to access the destination device; when the query result is no, the switch refuses the sending device access to the destination device.
2. The method of claim 1, characterized in that, when a new user terminal is added to the system, the method further comprises:
the switch marks in the route matrix that the user terminal has access rights to the authentication server but does not have access rights to other devices in the system or the external network;
when the user terminal passes authentication by the authentication server, the switch marks in the route matrix the access rights between the user terminal and other devices in the system and/or the external network according to a preset device access authority setting policy.
3. The method of claim 2, characterized in that, when a new user terminal is added to the system, the method further comprises:
when the switch receives information specifying the access rights between the user terminal and other devices in the system and/or the external network, marking the access rights between the user terminal and other devices in the system and/or the external network in the route matrix directly according to that information.
4. The method according to any one of claims 1 to 3, characterized in that the access rights of the user terminal to other devices in the system or the external network are specifically:
a flag permitting or refusing the user terminal to access other devices in the system or the external network; or
a priority flag for the user terminal's access to other devices in the system or the external network, wherein the lowest-level priority flag represents refusing the user terminal access to other devices in the system or the external network.
5. The method of claim 4, characterized in that, when the access rights of the user terminal to other devices in the system or the external network are specifically priority flags for the user terminal's access to other devices in the system or the external network, after the switch queries in the route matrix whether the sending device of the access request has access rights to the destination device of the access request, the method specifically comprises:
the switch controls the access traffic of the user terminal according to the level of the priority flag that the user terminal sending the access request holds for the destination terminal of the access request.
6. The method of claim 4, characterized in that, when the access rights of the user terminal to other devices in the system or the external network are specifically priority flags for the user terminal's access to other devices in the system or the external network, the method further comprises:
when the switch judges that a user terminal has a potential security risk, the switch lowers the level of the priority flag for the user terminal's access to other devices in the system or the external network;
when the switch judges that the potential security risk of the user terminal has been eliminated, the switch raises the level of the priority flag for the user terminal's access to other devices in the system or the external network.
7. A switch, applied in a system comprising a switch, at least one user terminal and an authentication server, wherein the switch is connected to the at least one user terminal and to the authentication server respectively, and is also connected to an external network, characterized by comprising:
a storage module, used to store the route matrix that holds the access authority information between each device in the system and/or the external network;
a communication module, used to receive the communication information sent by each device in the system;
a query module, connected to the communication module and the storage module, used to query, when the communication module receives an access request, whether the sending device of the access request has access rights to the destination device of the access request in the route matrix stored by the storage module;
a control module, connected to the query module, which allows the sending device to access the destination device when the query result of the query module is yes, and refuses the sending device access to the destination device when the query result of the query module is no.
8. The switch of claim 7, characterized in that the access rights of a user terminal contained in the route matrix stored by the storage module to other devices in the system or the external network are specifically:
a flag permitting or refusing the user terminal to access other devices in the system or the external network; or
a priority flag for the user terminal's access to other devices in the system or the external network, wherein the lowest-level priority flag represents refusing the user terminal access to other devices in the system or the external network.
9. The switch of claim 8, characterized in that, when the access rights of a user terminal contained in the route matrix stored by the storage module to other devices in the system or the external network are specifically priority flags for the user terminal's access to other devices in the system or the external network,
the control module is also used to control the access traffic of the user terminal according to the level of the priority flag, as queried by the query module, that the user terminal sending the access request holds for the destination terminal of the access request.
10. The switch of claim 8, characterized in that, when the access rights of a user terminal contained in the route matrix stored by the storage module to other devices in the system or the external network are specifically priority flags for the user terminal's access to other devices in the system or the external network, the switch further comprises:
a judging module, used to judge whether each user terminal in the system has a potential security risk;
an adjusting module, connected to the judging module and the storage module, used to lower, in the route matrix stored by the storage module, the level of the priority flag for the user terminal's access to other devices in the system or the external network when the judging module judges that a user terminal has a potential security risk, or to raise, in the route matrix stored by the storage module, the level of the priority flag for the user terminal's access to other devices in the system or the external network when the judging module judges that the potential security risk of the user terminal has been eliminated.
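The switch modules described above (storage, query, control, judging and adjusting) and claims 1 to 6 together define one state machine over the route matrix: a new terminal reaches only the authentication server, authentication applies a preset policy, requests are allowed or denied by level, permitted flows are served by priority, and a detected hazard lowers the terminal's levels until it is cleared. The following is an added example in Python, not code from the patent or from H3C; the device names, the policy dictionary, lowering by exactly one level on a hazard, and leaving the authentication server reachable during a hazard are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DENY = 0                     # lowest priority level: access refused (claim 4)
AUTH_SERVER = "auth-server"  # assumed name of the authentication server
EXTERNAL = "external"        # assumed name standing for the external network
Pair = Tuple[str, str]       # (sending device, destination device)


@dataclass
class RouteMatrix:
    """Access matrix kept by the switch's storage module (claim 7)."""
    # (sender, dest) -> priority level; an absent pair counts as DENY
    levels: Dict[Pair, int] = field(default_factory=dict)
    # level granted by policy, so a cleared hazard can restore it (claim 6)
    granted: Dict[Pair, int] = field(default_factory=dict)

    def query(self, sender: str, dest: str) -> int:
        """Query module: the level the sender holds for dest."""
        return self.levels.get((sender, dest), DENY)

    def add_terminal(self, terminal: str, devices: List[str]) -> None:
        """New terminal: may reach the authentication server only (claim 2)."""
        for dest in devices:
            self.levels[(terminal, dest)] = DENY
        self.levels[(terminal, AUTH_SERVER)] = 1

    def on_authenticated(self, terminal: str, policy: Dict[str, int]) -> None:
        """After authentication, apply the preset access policy (claim 2).
        `policy` maps destination -> level; its shape is an assumption here."""
        for dest, level in policy.items():
            self.set_explicit(terminal, dest, level)

    def set_explicit(self, terminal: str, dest: str, level: int) -> None:
        """Rights specified directly by the administrator (claim 3)."""
        self.levels[(terminal, dest)] = level
        self.granted[(terminal, dest)] = level

    def on_hazard(self, terminal: str) -> None:
        """Adjusting module: lower the terminal's levels one step (this
        example's choice), so level 1 becomes DENY. The authentication
        server stays reachable so the terminal can re-authenticate."""
        for (sender, dest), level in list(self.levels.items()):
            if sender == terminal and dest != AUTH_SERVER:
                self.levels[(sender, dest)] = max(DENY, level - 1)

    def on_hazard_cleared(self, terminal: str) -> None:
        """Restore the levels granted by policy once the hazard is gone."""
        for (sender, dest), level in self.granted.items():
            if sender == terminal:
                self.levels[(sender, dest)] = level


def handle_request(m: RouteMatrix, sender: str, dest: str) -> Tuple[str, int]:
    """Control module: allow or deny one access request (claim 1)."""
    level = m.query(sender, dest)
    return ("deny", DENY) if level == DENY else ("allow", level)


def schedule(m: RouteMatrix, requests: List[Pair]) -> List[Pair]:
    """Claim 5: serve permitted requests highest level first; denied
    requests are dropped, and equal levels keep their arrival order."""
    allowed = [r for r in requests if m.query(*r) != DENY]
    return sorted(allowed, key=lambda r: -m.query(*r))
```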
CN200910176763A 2009-09-21 2009-09-21 Method and equipment for managing network access authority Pending CN101651697A (en)


Publications (1)

Publication Number Publication Date
CN101651697A true CN101651697A (en) 2010-02-17

Family

ID=41673804


Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102185859A (en) * 2011-05-09 2011-09-14 北京艾普优计算机***有限公司 Computer system and data interaction method
CN102299859A (en) * 2011-09-20 2011-12-28 北京星网锐捷网络技术有限公司 Mutual information forwarding method and device
CN103491056A (en) * 2012-06-12 2014-01-01 中兴通讯股份有限公司 Control method and device for permission of application
CN104410644A (en) * 2014-12-15 2015-03-11 北京国双科技有限公司 Data configuration method and device
CN106603523A (en) * 2016-12-09 2017-04-26 北京东土军悦科技有限公司 Message forwarding method and network switching device
CN106982217A (en) * 2017-04-13 2017-07-25 西安莫贝克半导体科技有限公司 A kind of network security management mode of decentralization
CN107391095A (en) * 2016-05-16 2017-11-24 广州市动景计算机科技有限公司 Icon generating means right management method, data request method, device and terminal
CN107483483A (en) * 2017-08-31 2017-12-15 中国农业银行股份有限公司 The customer information access control method and device of a kind of financial circles information system
CN110475133A (en) * 2019-08-15 2019-11-19 天脉聚源(杭州)传媒科技有限公司 A kind of authority distributing method, device and storage medium
CN110995586A (en) * 2019-11-15 2020-04-10 锐捷网络股份有限公司 BGP message processing method and device, electronic equipment and storage medium



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20100217