CN103166960A - Access control method and access control device - Google Patents

Publication number: CN103166960A
Application number: CN2013100653319A
Authority: CN (China)
Legal status: Pending
Inventor: 马刚伟
Assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Original language: Chinese (zh)
Prior art keywords: packet, access, terminal, access control, control apparatus
Classification: Data Exchanges In Wide-Area Networks
Abstract

The invention provides an access control method and an access control device. In the method, the access control device receives a data packet sent by a terminal and checks whether the packet carries a permission access identifier. The identifier is added to the packet by the terminal's network driver layer, according to an access policy, when an access policy for access is pre-stored on the terminal. If the packet carries the identifier, the access control device allows the packet to pass; if it does not, the device blocks the packet. Because the device admits only packets that carry the identifier and blocks all others, illegitimate terminals are prevented from accessing the network and the security risks to the enterprise's internal network are reduced.

Description

Access control method and device
Technical field
The present invention relates to communication technology, and in particular to an access control method and device.
Background technology
When a terminal from outside the enterprise, or an illegitimate terminal, attempts to access the corporate intranet, access is generally refused so that the terminal cannot reach the intranet. This prevents leakage of enterprise information and protects the security of the intranet.
At present, corporate intranets mainly use the following three methods to control terminal access:
(1) Gateway interlock. A gateway is set up at the convergence layer of the corporate intranet and terminal access is controlled through that gateway. This method requires changes to the intranet architecture and introduces a certain risk to the security of the intranet.
(2) 802.1X protocol control. A switch acts as the access control equipment and uses the 802.1X protocol to authenticate the terminal requesting access; once authenticated, the terminal is allowed onto the intranet. This method requires that the terminal be directly connected to the switch and that the switch support 802.1X; deployment is relatively complex and the demands on the intranet architecture are high.
(3) ARP attack. Weaknesses of the Address Resolution Protocol (ARP) are used to perform ARP attacks on terminals within the same subnet and thereby control terminals requesting access to the intranet. This method requires intranet terminal management software to be deployed on at least one terminal in the subnet; that software then performs an ARP attack on each newly online terminal. If an ARP firewall is installed on the newly online terminal, the firewall filters out the attack, the terminal cannot be attacked, and it can access the intranet directly, which may pose a security risk to the intranet. Controlling terminal access by means of ARP attacks is therefore unreliable, and it is also complex to deploy.
Summary of the invention
The present invention provides an access control method and device to solve the problem that, in the prior art, control of terminal access to the corporate intranet is unreliable.
To achieve this, the invention provides an access control method comprising:
an access control device receiving a data packet sent by a terminal;
the access control device checking whether the packet carries a permission access identifier, where the identifier is added to the packet by the terminal's network driver layer, according to an access policy, when an access policy for access is pre-stored on the terminal;
if the packet carries the permission access identifier, the access control device allowing the packet to pass; and
if the packet does not carry the permission access identifier, the access control device blocking the packet.
To achieve this, the invention also provides an access control device comprising:
a receiving module for receiving the data packet sent by the terminal;
a checking module for checking whether the packet carries a permission access identifier, where the identifier is added to the packet by the terminal's network driver layer, according to an access policy, when an access policy for access is pre-stored on the terminal; and
an access control module for allowing the packet to pass if it carries the permission access identifier, and for blocking the packet if it does not.
With the access control method and device provided by the invention, the access control device receives a data packet sent by a terminal and checks whether it carries a permission access identifier; the identifier is added by the terminal's network driver layer according to an access policy when such a policy is pre-stored on the terminal. If the packet carries the identifier, the device allows it to pass; if it does not, the device blocks it. Terminal access is thus controlled by whether the packet carries the identifier: packets that carry it are admitted to the corporate intranet through the access control device, and packets that do not are blocked. Because the invention no longer depends on whether a firewall is installed on the terminal, it avoids the unreliability of prior-art access control, prevents access by illegitimate terminals, and thereby reduces the security risks to the corporate intranet.
Description of drawings
Fig. 1 is a schematic diagram of an access control method provided by an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of an access control device provided by an embodiment of the present invention.
Embodiment
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
Fig. 1 is a schematic diagram of an access control method provided by an embodiment of the present invention. The method is executed by an access control device and, as shown in Fig. 1, comprises the following steps:
101. The access control device receives a data packet sent by a terminal.
In this embodiment, when a terminal attempts to access the corporate intranet it sends a data packet to the access control device. The access control device is deployed on a server, for example on an application server of the corporate intranet.
102. The access control device checks whether the packet carries a permission access identifier, where the identifier is added to the packet by the terminal's network driver layer, according to an access policy, when an access policy for access is pre-stored on the terminal.
In practice, to protect the security of the corporate intranet, an access policy for access is generally pre-configured for terminals that belong to the intranet and pre-stored in the terminal's network driver layer. In this embodiment, a terminal on which this preset access policy is stored is a legitimate terminal. When a legitimate terminal attempts to access the intranet it sends a data packet carrying a permission access identifier. The identifier is added to the packet by the terminal's network driver layer, according to the access policy, when the policy for access is pre-stored on the terminal. Specifically, when a legitimate terminal attempts to access the intranet it sends a packet to the access control device; as the packet passes through the network driver layer on its way out, the driver layer adds a permission access identifier to it according to the pre-stored access policy. An illegitimate terminal outside the corporate intranet has no access policy for access stored in its network driver layer. When such a terminal attempts to access the intranet it also sends a packet to the access control device, but because no access policy is pre-stored on it, its network driver layer cannot add the identifier. In other words, packets sent by illegitimate terminals do not carry the permission access identifier.
In this embodiment, the access policy for access is preferably implemented by a piece of terminal software, through which access control is realised. For example, the terminal software may be a client used to access the corporate intranet, and it is issued only to legitimate terminals. Once the software is installed on a terminal, that terminal is a legitimate terminal, and the software adds the permission access identifier to its packets.
After receiving the packet sent by the terminal, the access control device checks whether it carries the permission access identifier. If the device determines that the packet carries the identifier, step 103 is executed; if it determines that the packet does not, step 104 is executed.
103. If the packet carries the permission access identifier, the access control device allows the packet to pass.
If the access control device finds that the packet carries the identifier, it allows the packet to pass. The presence of the identifier shows that the access policy is pre-stored on, or the terminal software is installed on, the terminal attempting to access the intranet, so the terminal is legitimate; the access control device allows it to access the corporate intranet and the resources within it.
104. If the packet does not carry the permission access identifier, the access control device blocks the packet.
If the access control device finds that the packet does not carry the identifier, it blocks the packet. For example, blocking may consist of discarding the packet, or of redirecting it according to the type of application request it carries. Specifically, the access control device determines the application request type of the packet, queries a preset mapping between blocking strategies and request types to obtain the blocking strategy corresponding to that request type, and then applies the obtained strategy to the packet. For example, when the packet's application request is HTTP access, the access control device can redirect the packet, jumping to a page to be visited; when the application request is a mail request, the device can redirect the packet to a corresponding mail handling page.
When the access control device finds that the packet does not carry the identifier, this shows that no access policy is pre-stored on, and no terminal software is installed on, the terminal attempting access, so the terminal is illegitimate; the access control device does not allow it to access the corporate intranet or its resources.
In the access control method provided by this embodiment, the access control device receives a data packet sent by a terminal and checks whether it carries a permission access identifier; the identifier is added by the terminal's network driver layer according to an access policy when such a policy is pre-stored on the terminal. If the packet carries the identifier, the device allows it to pass; if it does not, the device blocks it. Terminal access is thus controlled by whether the packet carries the identifier: packets that carry it are admitted to the corporate intranet through the access control device, and packets that do not are blocked. Because the invention no longer depends on whether a firewall is installed on the terminal, it avoids the unreliability of prior-art access control, prevents access by illegitimate terminals, and thereby reduces the security risks to the corporate intranet.
In this embodiment, after receiving a packet the access control device may further obtain from the packet identification information of the terminal that sent it; preferably this identification information is the terminal's Internet Protocol (IP) address. Having obtained it, the device queries the identification information of unauthorized terminals to determine whether the terminal's identification information is present in it. Preferably, the unauthorized-terminal identification information is stored in the access control device in the form of a table.
If the access control device finds that the packet does not carry the permission access identifier and the terminal's identification information is not present in the unauthorized-terminal identification information, it adds the terminal's identification information to the unauthorized-terminal identification information. If the device finds that the packet carries the identifier and the terminal's identification information is present in the unauthorized-terminal identification information, it deletes the terminal's identification information from it.
In practice, a terminal and a server generally establish a network connection and communicate using one of two communication protocols: the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP).
When a terminal establishes a network connection with the server using UDP, it sends packets directly to the server. After receiving a packet from the terminal, the access control device directly checks whether it carries the permission access identifier: if it does, the device allows the packet to pass; if it does not, the device blocks the packet.
When a terminal establishes a network connection with the server using TCP, it first sends a synchronisation (SYN) packet to the server; this SYN packet is the handshake used to set up a normal TCP connection with the server. After receiving a packet from the terminal, the access control device determines whether it is a SYN packet. If it is, the device checks whether the packet carries the permission access identifier, and if the SYN packet carries it the device allows the packet to pass. If the packet is not a SYN packet, the device further checks whether the TCP data area of this non-SYN packet contains data; if it does, and the terminal's identification information is present in the unauthorized-terminal identification information, the device blocks the non-SYN packet.
Further, in this embodiment, after deciding to block a packet the access control device returns a notification message to the terminal. The notification can carry the access control device's status information for the packet, indicating whether the packet is in a discarded state or a redirected state.
In this embodiment, the access control device may optionally be configured with a function selection menu through which an administrator selects the device's operating state according to operational requirements. For example, the device may be in an on state or an off state, or may be on or off during specific time periods. In the on state, the access control device must check whether packets sent by terminals carry the permission access identifier and control access according to the result. During certain time periods the device may be in the off state, and packets a terminal sends to it at that time are not processed. Providing a function selection menu lets the administrator configure the device's operating state flexibly according to operational requirements.
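The decision logic of the method described above (steps 101 to 104, the unauthorized-terminal table, the UDP and TCP SYN handling, the blocking-strategy mapping, the notification state and the on/off operating state), as an added Python example that is not code from the patent. Packets are plain records; the identifier value, the IP addresses, the redirect targets and the treatment of non-SYN segments with an empty data area are assumptions of this example. As on the page, the device checks only whether the identifier is present.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed value for the "permission access identifier"; the page does not
# give its format, so this is an assumption of the example.
ACCESS_FLAG = "PERMIT"


@dataclass
class Packet:
    src_ip: str                 # identification information of the sending terminal
    proto: str                  # "udp" or "tcp"
    app_type: str               # application request type, e.g. "http", "mail"
    syn: bool = False           # True for the TCP SYN handshake packet
    payload: bytes = b""        # TCP data area
    flag: Optional[str] = None  # permission access identifier, if present


class Terminal:
    """Terminal side: the network driver layer adds the identifier to every
    outgoing packet only when an access policy is pre-stored on the terminal."""

    def __init__(self, ip: str, access_policy: Optional[dict] = None):
        self.ip = ip
        self.access_policy = access_policy  # None on an illegitimate terminal

    def send(self, proto: str, app_type: str, syn: bool = False,
             payload: bytes = b"") -> Packet:
        pkt = Packet(self.ip, proto, app_type, syn, payload)
        if self.access_policy is not None:
            pkt.flag = self.access_policy["flag"]  # added per the stored policy
        return pkt


class AccessControlDevice:
    """Server-side access control device (steps 101 to 104 plus the
    unauthorized-terminal table and the UDP/TCP handling)."""

    # Preset mapping between application request type and blocking strategy;
    # request types without an entry are discarded. Targets are placeholders.
    BLOCKING_STRATEGY = {
        "http": ("redirected", "/portal/access-denied"),
        "mail": ("redirected", "/portal/mail-notice"),
    }

    def __init__(self, enabled: bool = True):
        self.enabled = enabled          # operating state chosen by the administrator
        self.unauthorized: set = set()  # identification information of unauthorized terminals

    def _block(self, pkt: Packet) -> dict:
        state, target = self.BLOCKING_STRATEGY.get(pkt.app_type, ("discarded", None))
        # The notification returned to the terminal carries the packet's state.
        return {"action": "block", "notify": {"state": state, "target": target}}

    def _update_table(self, pkt: Packet) -> None:
        # Run at every identifier check: record terminals whose packets lack the
        # identifier, and remove terminals that now present it.
        if pkt.flag == ACCESS_FLAG:
            self.unauthorized.discard(pkt.src_ip)
        else:
            self.unauthorized.add(pkt.src_ip)

    def _check_flag(self, pkt: Packet) -> dict:
        self._update_table(pkt)
        if pkt.flag == ACCESS_FLAG:
            return {"action": "pass"}
        return self._block(pkt)

    def handle(self, pkt: Packet) -> dict:
        if not self.enabled:
            return {"action": "ignore"}  # off state: packets are not processed
        if pkt.proto == "udp":
            return self._check_flag(pkt)  # UDP: check every packet directly
        if pkt.syn:
            return self._check_flag(pkt)  # TCP: identifier checked on the SYN
        # Non-SYN TCP segment: the identifier is not re-checked. A segment with
        # data from a terminal in the unauthorized table is blocked; segments
        # with an empty data area pass (assumption: the page does not specify).
        if pkt.payload and pkt.src_ip in self.unauthorized:
            return self._block(pkt)
        return {"action": "pass"}
```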
Optionally, the access control method provided by this embodiment may be implemented in software: access control software is installed on a server, and the server controls terminal access through that software. Specifically, the access control software may comprise an application layer and an intermediate network driver layer. The application layer obtains the preset mapping between blocking strategies and request types; the intermediate driver layer receives packets, checks whether each carries the permission access identifier, and controls the terminal's access according to the result: if the packet carries the identifier, the software allows it to access the corporate intranet through the server, and if it does not, the software blocks it. In this embodiment the access control software is deployed directly on the server, and the server controls terminal access through it with no impact on the network architecture of the corporate intranet; this avoids the prior-art problem of connecting a gateway in series at the enterprise convergence layer and thereby putting the network architecture at risk. Implementing access control in software no longer requires hardware support such as switches, is relatively simple to deploy and easy to realise, and also avoids the problem, under the existing ARP-attack control method, of being unable to control a terminal on which an ARP firewall is installed.
A kind of access control apparatus structural representation that Fig. 2 provides for the embodiment of the present invention.As shown in Figure 2, this access control apparatus comprises: receiver module 21, checking module 22 and access control module 23.In the present embodiment, this access control apparatus need to be arranged on server, for example, and on the application server of corporate intranet.
Wherein, receiver module 21 is used for the packet that receiving terminal sends.Checking module 22 is connected with receiver module 21, be used for after receiver module 21 receives packet, check whether this packet carries the sign that allows access, wherein, when allowing the access sign to be the access strategy that prestores for access on terminal, added in packet according to this access strategy by network driver layer by terminal.Access control module 23, be connected with checking module 22, check out that packet carries permission access sign, allows packet to pass through if be used for checking module 22, if checking module 22 checks out packet and carries not permission access sign, packet carried out blocking processing.
When terminal attempted to access corporate intranet, terminal can send packets to the receiver module 21 in access control apparatus.In actual applications, in order to guarantee the fail safe of corporate intranet, generally can be for setting in advance the access strategy for access on the terminal that belongs to corporate intranet, and with the default pre-stored network driver layer in terminal of access strategy.In the present embodiment, the terminal that prestores this default access strategy is legal terminal.Legal terminal to the request of generation packet, and is carried a permission access sign in this packet when attempting to access corporate intranet.Wherein, this permission access sign is during the pre-stored access strategy that is useful on access, to be added in packet according to the access strategy by network driver layer by this terminal on terminal.Particularly,, can by network driver layer according to this access strategy, add one and allow the access sign in the packet that is sent to receiver module 21 by terminal when attempting to access corporate intranet when legal terminal.And do not prestore above the illegal terminal outside corporate intranet for the access strategy of access, when these illegal terminals are attempted to access corporate intranet, also can send packet to receiver module 21, but owing to not pacifying this access strategy that prestores on these illegal terminals, so the network driver layer of terminal can not allow the access sign for packet adds, that is to say, can not carry in the packet that illegal terminal sends and allow the access sign.
In the present embodiment, preferably, the access strategy that is used for access can be realized by a terminal software, be realized access control by this terminal software.For example, this terminal software can be for being used for the client of access corporate intranet, and this terminal software only is issued to legal terminal.After on terminal, terminal software being installed, this terminal is legal terminal.Legal terminal is added permission access sign by this terminal software in packet.
Receive the packet of terminal transmission at receiver module 21 after, whether checking module 22 checks to carry in packets and allows the access sign.Allow the access sign if checking module 22 is judged to carry in packet, access control module 23 will allow packet to pass through.In the situation that checking module 22 carries permission access sign in checking out packet, illustrate and prestored the access strategy on the terminal of attempting to access corporate intranet or terminal software has been installed, this terminal is legal terminal, access control module 23 allows legal terminal access corporate intranet, can access the resource in corporate intranet.
Allow the access sign if checking module 22 checks out not carry in packet, access control module 23 will be carried out blocking processing to packet.For example, the blocking processing of 23 pairs of packets of access control module can be for carrying out discard processing with packet, perhaps according to the type of the application request of packet, packet carried out re-orientation processes.In the situation that checking module 22 does not carry permission access sign in checking out packet, the terminal of attempting to access corporate intranet do not prestore access strategy or installing terminal software not are described, this terminal is illegal terminal, access control module 23 does not allow this terminal access corporate intranet, accesses the resource of this corporate intranet.
A kind of implementation structure mode of access control module in the present embodiment, 23 comprises: determining unit 231, acquiring unit 232 and processing unit 233.checking module 22 is connected with determining unit 231, after checking out that packet does not carry permission access sign, determining unit 231 is determined application request type corresponding to packet, determining unit 231 is connected with acquiring unit 232, after determining the application request type of packet, the blocking strategy that acquiring unit 232 inquiries are default and the mapping relations between request type, obtain the blocking strategy corresponding with the application request type, further, acquiring unit 232 also is connected with processing unit 233, processing unit 233 adopts the blocking strategy that gets to carry out blocking processing to packet.For example, when the application request of packet was the http access, processing unit 233 can carry out re-orientation processes to packet, jumps to the page to be visited.And when the application request of packet was the request of mail class, access control apparatus can be redirected to the corresponding mail treatment page to packet.
The access control apparatus that the present embodiment provides, the packet that the access control apparatus receiving terminal sends, check whether packet carries permission access sign, when allowing the access sign to be the access strategy that prestores for access on terminal, added in packet according to this access strategy by network driver layer by terminal, if check out that described packet carries this permission access sign, access control apparatus allows packet to pass through, if allow the access sign and check out that packet does not carry, access control apparatus carries out blocking processing to packet.The present invention allows the access sign by whether carrying in packet, come the access of control terminal, allow to carry and allow the access sign to access corporate intranet by access control apparatus, and allow the packet access control apparatus of access sign to carry out blocking processing to not carrying, the present invention no longer is subjected to terminal whether the restriction of fire compartment wall is installed, therefore, avoided the lower problem of access control reliability of problem in the prior art, can prevent the access of illegal terminal, thereby reduce the potential safety hazard of corporate intranet.
In this embodiment, the access control apparatus may further comprise an acquisition module 24, a judging module 25 and an add/remove module 26. After the receiving module 21 receives a packet, the acquisition module 24 obtains the identification information of the terminal that sent the packet from the packet; preferably, the identification information of the terminal is the terminal's IP address. After obtaining the terminal's identification information, the judging module 25 queries the identification information of unauthorized terminals to judge whether the terminal's identification information is present in it. Preferably, the identification information of unauthorized terminals is stored in the access control apparatus in the form of a table. When the checking module 22 finds that the packet does not carry the access permission flag and the judging module 25 judges that the terminal's identification information is not present in the identification information of unauthorized terminals, the add/remove module 26 adds the terminal's identification information to the identification information of unauthorized terminals; when the checking module 22 finds that the packet carries the access permission flag and the judging module 25 judges that the terminal's identification information is present in the identification information of unauthorized terminals, the add/remove module 26 deletes the terminal's identification information from the identification information of unauthorized terminals.
In practice, the network connection between a terminal and a server is generally established over one of two communication protocols, TCP or UDP, so that the terminal and the server can communicate.
In this embodiment, one optional implementation of the checking module 22 comprises a judging unit 221 and an inspection unit 222.
When UDP is used to establish a network connection with the server, the terminal sends the packet directly to the receiving module 21. After the packet sent by the terminal is received, the inspection unit 222 directly checks whether the packet carries the access permission flag. If it finds that the packet carries the access permission flag, the access control module 23 allows the packet to pass; if it finds that the packet does not carry the access permission flag, the access control module 23 blocks the packet.
When TCP is used to establish a network connection with the server, the terminal first sends a SYN packet to the receiving module 21; the SYN packet is the handshake packet used to establish a normal TCP connection with the server. The receiving module 21 is connected to the judging unit 221; after the packet sent by the terminal is received, the judging unit 221 judges whether the packet is a SYN packet. The judging unit 221 is also connected to the inspection unit 222; when the judging unit 221 judges that the packet is a SYN packet, the inspection unit 222 checks whether the packet carries the access permission flag. Further, the inspection unit 222 is also connected to the access control module 23; when the inspection unit 222 finds that the SYN packet carries the access permission flag, the access control module 23 allows the packet to pass. When the judging unit 221 judges that the packet is not a SYN packet, the inspection unit 222 further checks whether the TCP data field of the non-SYN packet contains data; if the TCP data field of the non-SYN packet contains data and the judging module 24 judges that the terminal's identification information is present in the identification information of unauthorized terminals, the access control module 23 blocks the non-SYN packet.
Further, in this embodiment, after the access control module 23 blocks a packet, it returns a notification message to the terminal. The notification message may carry the access control apparatus's state information for the packet, which indicates whether the packet is in a discarded state or a redirected state.
In this embodiment, the access control apparatus is optionally configured with a function selection menu through which the administrator can select an operating state for the access control apparatus according to work requirements. For example, the access control apparatus may be in an enabled state or a disabled state, or may be enabled or disabled during specific time periods. In the enabled state, the access control apparatus checks whether packets sent by the terminal carry the access permission flag and performs access control on the packets according to the check result. In some specific time periods the access control apparatus may be in the disabled state; when the terminal sends a packet to the access control apparatus at that time, the access control apparatus does not process the packet. By providing a function selection menu, this embodiment lets the administrator flexibly configure the operating state of the access control apparatus according to work requirements.
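The following Python model is an added illustration of the decision logic described above; it is not code from the patent or from the applicant. It simulates the receiving, checking and access control modules, the unauthorized-terminal table, the SYN/non-SYN distinction for TCP, the per-request-type blocking strategy of claim 5, and the administrator-selected enabled/disabled state. The `Packet` fields, the boolean `perm_flag` used to stand in for the access permission flag (the page does not specify its wire encoding), the `request_type` values and the `BLOCK_STRATEGY` table are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Packet:
    """Constructed packet model for the example (not the patent's wire format)."""
    src_ip: str                     # identification information of the terminal (its IP address)
    proto: str                      # "tcp" or "udp"
    syn: bool = False               # TCP SYN flag; ignored for UDP
    payload: bytes = b""            # TCP data field (or UDP payload)
    perm_flag: bool = False         # assumed representation of the access permission flag
    request_type: str = "other"     # assumed application request type used to pick a blocking strategy


# Assumed mapping from application request type to blocking strategy; the strategy name
# doubles as the state reported back to the terminal in the notification message.
BLOCK_STRATEGY: Dict[str, str] = {
    "http": "redirect",   # e.g. steer a browser to a remediation page
    "dns": "discard",
}
DEFAULT_STRATEGY = "discard"


class AccessControlDevice:
    """Simulates the receiving, checking and access control modules plus the unauthorized table."""

    def __init__(self, enabled: bool = True) -> None:
        self.enabled = enabled                 # operating state chosen by the administrator
        self.unauthorized: Set[str] = set()    # identification information of unauthorized terminals

    def _record_flag_result(self, pkt: Packet) -> None:
        # Add/remove module: a terminal whose packet lacks the flag is recorded as unauthorized;
        # a terminal whose packet carries the flag is removed from the table if present.
        if pkt.perm_flag:
            self.unauthorized.discard(pkt.src_ip)
        else:
            self.unauthorized.add(pkt.src_ip)

    def _allow(self, pkt: Packet) -> Dict[str, str]:
        return {"action": "pass", "src_ip": pkt.src_ip}

    def _block(self, pkt: Packet) -> Dict[str, str]:
        # Look up the blocking strategy for the packet's application request type.
        state = BLOCK_STRATEGY.get(pkt.request_type, DEFAULT_STRATEGY)
        return {"action": "block", "state": state, "src_ip": pkt.src_ip}

    def handle(self, pkt: Packet) -> Dict[str, str]:
        if not self.enabled:
            # Disabled state: the device does not process the packet at all.
            return {"action": "bypass", "src_ip": pkt.src_ip}

        if pkt.proto == "udp" or pkt.syn:
            # UDP packets and TCP SYN packets are inspected for the flag directly.
            self._record_flag_result(pkt)
            return self._allow(pkt) if pkt.perm_flag else self._block(pkt)

        # Non-SYN TCP packet: the flag itself is not checked; a packet that carries data
        # from a terminal already on the unauthorized table is blocked, anything else passes.
        if pkt.payload and pkt.src_ip in self.unauthorized:
            return self._block(pkt)
        return self._allow(pkt)


def demo() -> Tuple[List[Dict[str, str]], List[str]]:
    """Runs constructed traffic from three terminals through one device.

    Returns the decisions in order and the final contents of the unauthorized table.
    """
    dev = AccessControlDevice()
    traffic = [
        Packet("10.0.0.5", "tcp", syn=True, perm_flag=False, request_type="http"),  # host without policy
        Packet("10.0.0.5", "tcp", payload=b"GET / HTTP/1.1", request_type="http"),  # data after blocked SYN
        Packet("10.0.0.5", "tcp", payload=b""),                                      # bare ACK, no data
        Packet("10.0.0.7", "tcp", syn=True, perm_flag=True),                         # host enforcing policy
        Packet("10.0.0.5", "tcp", syn=True, perm_flag=True),                         # now carries the flag
        Packet("10.0.0.9", "udp", perm_flag=False, request_type="dns"),
    ]
    results = [dev.handle(p) for p in traffic]
    return results, sorted(dev.unauthorized)


if __name__ == "__main__":
    decisions, table = demo()
    for d in decisions:
        print(d)
    print("unauthorized terminals:", table)
```

Two points the table makes visible: a host blocked at the SYN stays blocked for any later packet that carries data, so an unflagged session cannot be resumed mid-stream, and a host that later presents the flag is removed from the table, so a newly provisioned terminal does not stay blacklisted.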
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An access control method, characterized by comprising:
an access control apparatus receiving a packet sent by a terminal;
the access control apparatus checking whether the packet carries an access permission flag, wherein the access permission flag is added to the packet by the terminal at the network driver layer according to an access policy when the access policy used for access is prestored on the terminal;
if the packet carries the access permission flag, the access control apparatus allowing the packet to pass;
if the packet does not carry the access permission flag, the access control apparatus blocking the packet.
2. The access control method according to claim 1, characterized by further comprising:
the access control apparatus obtaining identification information of the terminal from the packet;
the access control apparatus judging whether the identification information of the terminal is present in identification information of unauthorized terminals stored on the access control apparatus;
if the packet carries the access permission flag and the identification information of the terminal is not present in the identification information of the unauthorized terminals, adding the identification information of the terminal to the identification information of the unauthorized terminals;
if the packet carries the access permission flag and the identification information of the terminal is present in the identification information of the unauthorized terminals, deleting the identification information of the terminal from the identification information of the unauthorized terminals.
3. The access control method according to claim 2, characterized in that the access control apparatus checking whether the packet carries an access permission flag comprises:
the access control apparatus judging whether the packet is a synchronization (SYN) packet;
if the packet is a SYN packet, the access control apparatus checking whether the packet carries the access permission flag.
4. The access control method according to claim 3, characterized by further comprising:
if the packet is not a SYN packet, the access control apparatus checking whether the TCP data field of the non-SYN packet contains data;
if the TCP data field contains data and the identification information of the terminal is present in the identification information of the unauthorized terminals, the access control apparatus blocking the non-SYN packet.
5. The access control method according to any one of claims 1 to 4, characterized in that the access control apparatus blocking the packet comprises:
the access control apparatus determining the application request type corresponding to the packet;
the access control apparatus querying preset mapping relations between blocking strategies and request types to obtain the blocking strategy corresponding to the application request type;
the access control apparatus blocking the packet using the blocking strategy.
6. An access control apparatus, characterized by comprising:
a receiving module, configured to receive a packet sent by a terminal;
a checking module, configured to check whether the packet carries an access permission flag, wherein the access permission flag is added to the packet by the terminal at the network driver layer according to an access policy when the access policy used for access is prestored on the terminal;
an access control module, configured to allow the packet to pass if the packet carries the access permission flag, and to block the packet if the packet does not carry the access permission flag.
7. The access control apparatus according to claim 6, characterized by further comprising:
an acquisition module, configured to obtain identification information of the terminal from the packet;
a judging module, configured to judge whether the identification information of the terminal is present in identification information of unauthorized terminals stored on the access control apparatus;
an add/remove module, configured to add the identification information of the terminal to the identification information of the unauthorized terminals if the packet does not carry the access permission flag and the identification information of the terminal is not present in the identification information of the unauthorized terminals, and to delete the identification information of the terminal from the identification information of the unauthorized terminals if the packet carries the access permission flag and the identification information of the terminal is present in the identification information of the unauthorized terminals.
8. The access control apparatus according to claim 7, characterized in that the checking module comprises:
a judging unit, configured to judge whether the packet is a synchronization (SYN) packet;
an inspection unit, configured to check whether the packet carries the access permission flag if the packet is a SYN packet.
9. The access control apparatus according to claim 8, characterized by further comprising:
the inspection unit being further configured to check whether the TCP data field of the non-SYN packet contains data when the judging unit judges that the packet is not a SYN packet;
the access control module being further configured to block the non-SYN packet if the TCP data field contains data and the identification information of the terminal is present in the identification information of the unauthorized terminals.
10. The access control apparatus according to any one of claims 6 to 9, characterized in that the access control module comprises:
a determining unit, configured to determine the application request type corresponding to the packet;
an acquiring unit, configured to query preset mapping relations between blocking strategies and request types and obtain the blocking strategy corresponding to the application request type;
a processing unit, configured to block the packet using the blocking strategy.
CN2013100653319A 2013-03-01 2013-03-01 Access control method and access control device Pending CN103166960A (en)

Publications (1)

Publication Number Publication Date
CN103166960A true CN103166960A (en) 2013-06-19

Family

ID=48589700



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20130619