CN103560996A - Access permission control method and device - Google Patents

Access permission control method and device

Publication number: CN103560996A
Application number: CN201310467021.XA
Authority: CN (China)
Legal status: Granted; currently Active (status as listed by Google Patents, not a legal conclusion)
Prior art keywords: equipment, network, access control, access, state
Other languages: Chinese (zh)
Other versions: CN103560996B (en)
Inventor: 苏云琳
Current assignee: Qax Technology Group Inc
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Events: application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd; priority to CN201310467021.XA; publication of CN103560996A; application granted; publication of CN103560996B

Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract

The invention discloses an access permission control method and device. The method comprises: when a second device accesses a first network through an Internet gateway device, a first device judges whether the second device has permission to access the first network; when it does not, the first device receives the packets sent by the gateway device that were originally destined for the second device; the first device replaces at least part of the content of each received packet with preset content and forwards the packet with the replaced content to the second device. For example, when the second device has no permission to access the first network, any website in the first network that it accesses is redirected to a designated web page. A network administrator can thus control the access permissions of terminal devices in the network, which effectively improves network security.

Description

Method and device for access permission control
Technical field
The invention belongs to the field of computer technology, and in particular relates to a method and device for access permission control.
Background technology
After network security management software is installed on the server side, its client must also be installed and deployed on each terminal device. At present the client is deployed mainly at the initiative of the terminal device's user, who requests it and then installs it on the terminal device.
In this deployment model the network administrator has to distribute the download link, the installation package and so on, and the user of the terminal device has to cooperate before the client can be deployed. If a terminal device does not have the client installed, the server side of the network security management software cannot manage that device's network access permissions, which reduces the security of the whole network.
Summary of the invention
In view of the above problems, the present invention provides a method and device for access permission control that overcome, or at least partly solve, those problems.
According to one aspect of the present invention, a method for access permission control is provided. It is applicable to a first device controlling access to a first network by at least one second device located in a second network, the access passing through a gateway device. The method comprises: when the second device accesses the first network through the gateway device, the first device judges whether the second device has permission to access the first network; if the second device does not have that permission, the first device receives the packets sent by the gateway device that were originally destined for the second device; the first device replaces at least part of the content of each received packet with preset content and forwards the packet with the replaced content to the second device.
Optionally, the step in which the first device judges whether the second device has permission to access the first network comprises: the first device judges this according to the access control state of the second device and/or the deployment state of a predetermined application program on the second device.
Optionally, the access control state is one of: access control opened, access control closed, and access; the deployment state is one of: deployed and not deployed. If the access control state is access control opened and the deployment state is not deployed, the second device does not have permission to access the first network; if the access control state is access control closed, the second device does not have permission to access the first network; if the access control state is access, the second device has permission to access the first network.
Optionally, before the step of replacing at least part of the content of the received packet with preset content, the method further comprises: the first device judges whether the access control state is access control opened; if it is, the replacement step is executed; if the access control state is access control closed, the first device forwards to the second device a packet forbidding it to access the first network.
Optionally, the method further comprises: the first device obtains the access control state of the second device and the deployment state of the predetermined application program on the second device, and records both in an access control database.
Optionally, when the second device does not have permission to access the first network, the method further comprises: the first device changes the address of the second device on the gateway device from a second address to a first address, where the second address is the address of the second device in the second network and the first address is the address of the first device in the second network.
Optionally, when the access control of the second device needs to be closed, the method further comprises: the first device changes the access control state of the second device from access control opened to access control closed; the first device changes the address of the second device on the gateway device from the first address back to the second address.
Optionally, before the replacement step, the method further comprises: the first device judges whether the packet comes from the first network or from the second network; if it comes from the first network, the replacement step is executed; if it comes from the second network, the first device forwards the packet to the second device.
Optionally, the replacement step comprises: the first device replaces the HTTP content in the packet with the address of the installation package of the predetermined application program deployed on the first device.
Optionally, after the second device installs the predetermined application program from the installation package address, the method further comprises: the first device changes the deployment state of the second device from not deployed to deployed, and changes the access control state of the second device from access control opened to access.
According to another aspect of the present invention, a device for access permission control is also provided, applicable to controlling access to a first network by at least one terminal device located in a second network through a gateway device. The device comprises: a permission judging module, for judging, when the terminal device accesses the first network through the gateway device, whether the terminal device has permission to access the first network; a receiving module, for receiving, when the terminal device does not have that permission, the packets sent by the gateway device that were originally destined for the terminal device; and a replacement module, for replacing at least part of the content of each received packet with preset content and forwarding the packet with the replaced content to the terminal device.
Optionally, the permission judging module is further used to judge whether the terminal device has permission to access the first network according to the access control state of the terminal device and the deployment state of the predetermined application program on the terminal device.
Optionally, the access control state is one of: access control opened, access control closed, and access; the deployment state is one of: deployed and not deployed. If the access control state is access control opened or access control closed and the deployment state is not deployed, the terminal device does not have permission to access the first network; if the access control state is access and the deployment state is deployed, the terminal device has permission to access the first network.
Optionally, the device further comprises an access judging module, for judging whether the access control state is access control opened; if it is, the replacement module is triggered; if the access control state is access control closed, a message forbidding the terminal device to access the first network is sent to it.
Optionally, the device further comprises: an acquisition module, for obtaining the access control state of the terminal device and the deployment state of the predetermined application program on it; and a recording module, for recording the obtained access control state and deployment state in an access control database.
Optionally, when the terminal device does not have permission to access the first network, the device further comprises an address modification module, for changing the address of the terminal device on the gateway device from the second address to the first address, where the second address is the address of the terminal device in the second network and the first address is the address of the device in the second network.
Optionally, the device further comprises a source judging module, for judging whether the packet comes from the first network or from the second network; if it comes from the first network, the replacement module is triggered; if it comes from the second network, the packet is forwarded to the terminal device.
Optionally, the replacement module is further used to replace the HTTP content in the packet with the address of the installation package of the predetermined application program deployed on the first device.
Optionally, the device further comprises a setting module, for changing, after the terminal device installs the predetermined application program from the installation package address, the deployment state of the terminal device from not deployed to deployed and its access control state from access control opened to access.
With the access permission control method and device of the present invention, when the second device accesses the first network through the gateway device and does not have permission to do so, the gateway device forwards the packets produced by that access request to the first device, which replaces at least part of their content with preset content. For example, when the second device has no permission to access the first network, every website in the first network that it accesses is redirected to a designated page. A network administrator can thus control the access permissions of terminal devices in the network, which effectively improves network security.
The above is only an overview of the technical solution of the present invention. So that its technical means may be better understood and implemented according to the content of the specification, and so that the above and other objects, features and advantages become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings serve only to show the preferred embodiments and are not to be taken as limiting the invention. Throughout the drawings, identical reference symbols denote identical parts. In the drawings:
Fig. 1 is a flow chart of the access permission control method 100 according to an embodiment of the invention;
Fig. 2 is a schematic diagram of the page shown after the redirect in an embodiment of the invention; and
Fig. 3 is a structure diagram of the access permission control device 300 according to another embodiment of the invention.
Embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is conveyed fully to those skilled in the art.
The access permission control method proposed by the invention is, in outline, the following: when a second device accesses a first network through a gateway device and does not have permission to do so, the gateway device forwards to a first device the packets that were originally destined for the second device; the first device replaces at least part of the content of each packet with preset content and forwards the modified packet to the second device, so that whenever the second device accesses the first network it receives packets whose content has been replaced. The network administrator can thus effectively control the second device's permission to access the first network. Fig. 1 is the flow chart of method 100 according to an embodiment of the invention, applicable to a first device controlling access to a first network by at least one second device in a second network through a gateway device, and is described below.
As shown in Fig. 1, method 100 starts at step S110. In step S110, when the second device accesses the first network through the gateway device, the first device judges whether the second device has permission to access the first network. The gateway device may be a computer system or device that provides data transmission service (DTS) between the first network and the second network.
Optionally, the step in which the first device judges whether the second device has permission to access the first network comprises: the first device judges this according to the access control state of the second device and/or the deployment state of the predetermined application program on the second device.
The access control referred to above is a compliance check performed on a second device that accesses the first network. Its state is one of: access control opened, access control closed, and access. Access control opened means that when the second device accesses the first network its compliance is checked; in this embodiment the compliance check may be a check of the deployment state of the predetermined application program on the second device. Access control closed means that the compliance of the second device is no longer checked and the second device is forbidden to access the first network. Access means that the compliance of the second device is no longer checked and the second device is allowed to access the first network.
The deployment state of the predetermined application program describes whether that program has been deployed on the second device, and is one of deployed and not deployed. The predetermined application program may be the client of network security management software, for example the 360 Enterprise edition client; in embodiments of the invention it may equally be software of another kind.
If the access control state is access control opened and the deployment state is not deployed, the second device is judged not to have permission to access the first network; if the access control state is access control closed, the second device does not have permission to access the first network; if the access control state is access, the second device is judged to have permission to access the first network.
For example, an access control program is deployed on the first device to control the access permissions of the second devices. Through this program the first device obtains the access control state of each second device and the deployment state of the predetermined application program on it, and records both in the access control database on the first device.
Taking the first network as the Internet and the second network as a local area network (LAN) as an example: in order to control Internet access by the second devices, the access control program on the first device can obtain the second IP address of every second device (its address toward the Internet) and its second MAC address in the LAN. For example, the first device sends ARP request packets to all second devices and reads the IP address and MAC address of each from the ARP reply packets they return.
The address of the first device is added to a multicast address list, and second devices on which the predetermined application program is deployed periodically send messages to that multicast address. The access control program on the first device receives these messages and, on receipt, sends a return message to the second device. In this way the first device learns which second devices have and have not deployed the predetermined application program, and records the relevant information in its access control database, as in the table below.
IP address      MAC address        IP address of the first device  Deployment state  Access control
172.17.3.51     00-0c-29-da-a1-5b  0.0.0.0                         Not deployed      Closed
192.168.15.101  18-03-73-44-97-d1  0.0.0.0                         Not deployed      Closed
192.168.15.103  18-03-73-44-2f-b0  192.168.15.122                  Not deployed      Opened
192.168.15.104  d0-67-e5-24-53-b5  0.0.0.0                         Not deployed      Closed
192.168.15.105  70-71-bc-6b-ba-32  0.0.0.0                         Not deployed      Closed
192.168.15.106  18-03-73-44-79-a7  0.0.0.0                         Not deployed      Closed
192.168.15.107  d0-67-e5-28-8c-26  192.168.15.107                  Deployed          Access
192.168.15.108  84-8f-69-f0-b2-6c  192.168.15.108                  Deployed          Access
192.168.15.110  84-8f-69-f0-59-e8  0.0.0.0                         Not deployed      Closed
192.168.15.116  44-37-e6-a3-9e-3e  0.0.0.0                         Not deployed      Closed
192.168.15.117  18-03-73-44-79-12  0.0.0.0                         Not deployed      Closed
192.168.15.118  e0-69-95-d7-88-c4  0.0.0.0                         Not deployed      Closed
192.168.15.119  e0-69-95-72-a5-36  0.0.0.0                         Not deployed      Closed
192.168.15.120  18-03-73-44-a5-93  0.0.0.0                         Not deployed      Closed
192.168.15.122  24-b6-fd-fa-8d-87  192.168.15.122                  Deployed          Access
192.168.15.134  18-03-73-44-79-1b  0.0.0.0                         Not deployed      Closed
192.168.15.249  aa-00-00-a7-90-87  0.0.0.0                         Not deployed      Closed
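The permission rule, the access control database and the state transitions described above (opened/closed/access, deployed/not deployed, and the change of the second device's address on the gateway) can be modelled in a few lines. The following Python is an added example, not code from the patent or from the applicant's product; it assumes the table layout above, reads a first-device IP that is neither 0.0.0.0 nor the row's own IP as "gateway entry redirected", and restores the gateway entry when the client is installed, which the description leaves implicit. The three rows are copied from the table, not captured from a live system.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict


class AccessControl(Enum):
    OPENED = "Opened"   # compliance is checked; gateway traffic for the device is redirected
    CLOSED = "Closed"   # no check; access to the first network is forbidden
    ACCESS = "Access"   # no check; access is allowed


class Deployment(Enum):
    DEPLOYED = "Deployed"
    NOT_DEPLOYED = "Not deployed"


@dataclass
class Record:
    ip: str
    mac: str
    deployment: Deployment
    access_control: AccessControl
    redirected: bool = False  # True while the gateway resolves this IP to the first device's MAC


def has_permission(rec: Record) -> bool:
    """Decision rule from the description: 'access' grants access, 'closed' denies it,
    'opened' denies it while the client is not deployed. 'opened' + deployed is only a
    transient state here: client_installed() moves such a device to 'access'."""
    return rec.access_control is AccessControl.ACCESS


def parse_table(text: str) -> Dict[str, Record]:
    """Parse rows laid out like the table above:
    <ip> <mac> <first-device ip or 0.0.0.0> <deployment state> <access control>.
    Reading a foreign first-device IP as 'gateway entry redirected' is an assumption."""
    records = {}
    for line in text.strip().splitlines():
        fields = line.split()
        ip, mac, first_ip = fields[:3]
        access = AccessControl(fields[-1])
        deployment = Deployment(" ".join(fields[3:-1]))
        records[ip] = Record(ip, mac, deployment, access, first_ip not in ("0.0.0.0", ip))
    return records


class AccessControlDatabase:
    """The first device's access control database plus the transitions the description
    gives. Each transition returns the MAC the gateway must now hold for the device,
    i.e. what the accompanying ARP reply has to announce."""

    def __init__(self, first_device_mac: str):
        self.first_device_mac = first_device_mac
        self.records: Dict[str, Record] = {}

    def learn_from_arp_sweep(self, ip: str, mac: str) -> Record:
        """Device seen in the ARP sweep but silent on the multicast list: no client yet."""
        return self.records.setdefault(ip, Record(ip, mac, Deployment.NOT_DEPLOYED, AccessControl.CLOSED))

    def learn_from_multicast(self, ip: str, mac: str) -> Record:
        """Device that sends the periodic multicast message already runs the client."""
        self.records[ip] = Record(ip, mac, Deployment.DEPLOYED, AccessControl.ACCESS)
        return self.records[ip]

    def open_access_control(self, ip: str) -> str:
        """Start guiding the device to install: closed -> opened, gateway entry redirected."""
        rec = self.records[ip]
        rec.access_control, rec.redirected = AccessControl.OPENED, True
        return self.first_device_mac

    def close_access_control(self, ip: str) -> str:
        """opened -> closed; the gateway entry is restored to the device's own MAC."""
        rec = self.records[ip]
        rec.access_control, rec.redirected = AccessControl.CLOSED, False
        return rec.mac

    def client_installed(self, ip: str) -> str:
        """After the device installs the client: not deployed -> deployed, opened -> access.
        Restoring the gateway entry here is an assumption: the description changes only the
        two states, but a device in 'access' must receive the gateway's packets directly."""
        rec = self.records[ip]
        rec.deployment, rec.access_control, rec.redirected = Deployment.DEPLOYED, AccessControl.ACCESS, False
        return rec.mac


# Three rows copied from the table above (not a live capture).
SAMPLE_ROWS = """\
172.17.3.51     00-0c-29-da-a1-5b  0.0.0.0         Not deployed  Closed
192.168.15.103  18-03-73-44-2f-b0  192.168.15.122  Not deployed  Opened
192.168.15.107  d0-67-e5-28-8c-26  192.168.15.107  Deployed      Access
"""

if __name__ == "__main__":
    db = AccessControlDatabase(first_device_mac="24-b6-fd-fa-8d-87")
    db.records.update(parse_table(SAMPLE_ROWS))
    for rec in db.records.values():
        print(rec.ip, "allowed" if has_permission(rec) else "denied", "redirected" if rec.redirected else "")
    print("gateway should now map 192.168.15.103 to", db.client_installed("192.168.15.103"))
```

The transitions return the MAC the gateway must hold so that the caller can pair every state change with the ARP reply the description requires; a controller that changes the state but forgets the gateway entry leaves a device in "access" whose traffic still lands on the first device.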
Optionally, in an embodiment of the invention, when the second device does not have permission to access the first network, the first device can, in order to guide the second device to deploy the predetermined application program, change the address of the second device on the gateway device from the second address to the first address while the access control state of the second device is access control opened. Here the second address is the address of the second device in the second network and the first address is the address of the first device in the second network. When the second device then accesses the first network through the gateway device, the gateway device forwards to the first device the packets that were originally destined for the second device.
Taking the first network as the Internet and the second network as a LAN as an example, the second address is the second MAC address of the second device in the LAN and the first address is the first MAC address of the first device in the LAN. Optionally, the first device notifies the gateway device by ARP reply of the address resolution for the second device, so that the MAC address held for the second device on the gateway device is changed from the second MAC address to the first MAC address.
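The ARP reply that changes the gateway's entry for the second device, and the one that restores it, are ordinary RFC 826 frames; what makes them effective is that the gateway accepts an unsolicited binding for an IP it did not ask about. The following Python is an added example, not the applicant's code: it builds both frames as bytes so they can be inspected, and includes the two checks a gateway with dynamic ARP inspection or an arpwatch-style monitor would apply to them (a binding that contradicts the known IP-to-MAC table, and an ARP sender MAC that differs from the frame's Ethernet source). The first and second device addresses are taken from the table above; the gateway's MAC and IP are assumptions. Sending the frames would need a raw socket and privileges and is deliberately left out.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.replace(":", "-").split("-"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def arp_reply(eth_src: str, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP reply 'sender_ip is at sender_mac',
    unicast to target_mac. eth_src is the frame's real source address."""
    eth = mac_bytes(target_mac) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def redirect_frame(first_mac: str, gateway_mac: str, gateway_ip: str, second_ip: str) -> bytes:
    """Change the gateway's entry for the second device: 'second_ip is at first_mac'."""
    return arp_reply(first_mac, first_mac, second_ip, gateway_mac, gateway_ip)


def restore_frame(first_mac: str, second_mac: str, gateway_mac: str, gateway_ip: str, second_ip: str) -> bytes:
    """Undo it: 'second_ip is at second_mac', still sent from the first device's NIC
    (the description repeats this every 3 seconds when access control is closed)."""
    return arp_reply(first_mac, second_mac, second_ip, gateway_mac, gateway_ip)


def parse_arp(frame: bytes) -> dict:
    """Decode the fields a detector needs from an Ethernet/ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    fmt_mac = lambda b: "-".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    a = frame[14:42]
    return {
        "eth_src": fmt_mac(frame[6:12]),
        "op": struct.unpack("!H", a[6:8])[0],
        "sender_mac": fmt_mac(a[8:14]),
        "sender_ip": fmt_ip(a[14:18]),
        "target_mac": fmt_mac(a[18:24]),
        "target_ip": fmt_ip(a[24:28]),
    }


def detect_spoof(frame: bytes, known: dict) -> list:
    """Findings a static ARP table, dynamic ARP inspection or an arpwatch-style monitor
    would raise for this frame. An empty list means the frame passes both checks."""
    p = parse_arp(frame)
    findings = []
    if p["sender_ip"] in known and known[p["sender_ip"]] != p["sender_mac"]:
        findings.append(f"binding change: {p['sender_ip']} {known[p['sender_ip']]} -> {p['sender_mac']}")
    if p["sender_mac"] != p["eth_src"]:
        findings.append(f"ARP sender {p['sender_mac']} differs from Ethernet source {p['eth_src']}")
    return findings


# First and second device addresses from the table above; the gateway's are assumptions.
FIRST_MAC, SECOND_MAC = "24-b6-fd-fa-8d-87", "18-03-73-44-2f-b0"
SECOND_IP, GATEWAY_IP, GATEWAY_MAC = "192.168.15.103", "192.168.15.1", "02-00-5e-00-00-01"
KNOWN = {SECOND_IP: SECOND_MAC, "192.168.15.122": FIRST_MAC}  # the gateway's trusted table

if __name__ == "__main__":
    for name, frame in (("redirect", redirect_frame(FIRST_MAC, GATEWAY_MAC, GATEWAY_IP, SECOND_IP)),
                        ("restore", restore_frame(FIRST_MAC, SECOND_MAC, GATEWAY_MAC, GATEWAY_IP, SECOND_IP))):
        print(name, len(frame), "bytes:", parse_arp(frame), detect_spoof(frame, KNOWN))
```

Both frames trip one of the two checks: the redirect changes the binding for the second device's IP, and the restore announces the second device's MAC from the first device's NIC. A gateway with a static ARP entry for the second device, or a switch running dynamic ARP inspection against a trusted binding table, will therefore not follow the redirect, and the scheme above has to fall back to another interception method there.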
Returning to the flow of method 100: if the second device has permission to access the first network, method 100 can end here; the gateway device sends the packets from the first network to the second device and the existing terminal network access flow applies, which is not described further.
If the second device does not have permission to access the first network, step S130 is entered. In step S130 the first device receives the packets sent by the gateway device that were originally destined for the second device.
Optionally, when the access control state of the second device is access control opened and the deployment state of the predetermined application program is not deployed, if the second device accesses any website in the first network, the gateway device does not send the packets returned by that website to the second device but sends them to the first device. Alternatively, when the access control state of the second device is access control closed, if the second device accesses any website in the first network, the gateway device does not send the packets produced by that access to the second device but sends them to the first device.
Subsequently, in step S150, the first device replaces at least part of the content of the received packet with preset content and forwards the packet with the replaced content to the second device.
In an embodiment of the invention, after the second device accesses the first network through the gateway device, because the second device does not have permission to access the first network, the gateway device sends the packets from the first network that were originally destined for the second device to the first device; the first device replaces at least part of their content with preset content and then forwards the modified packets to the second device.
For example, the second device accesses the 360 official website (http://www.360.cn/) on the Internet through the gateway device. Because the second device does not have permission to access the Internet, it does not receive the packets from the 360 website; the gateway device forwards them to the first device, which replaces at least part of their content with preset content and then forwards the modified packets to the second device.
Optionally, the first device replaces the HTTP content in the packet with a predetermined address for a page jump, this address being the address of the installation package of the predetermined application program deployed on the first device (for example http://<first device IP>:80). When the second device receives the modified packet, its screen shows, in place of the website it requested, a page offering the installation package of the predetermined application program, and the user of the second device can download and install the program from the address shown on that page.
Fig. 2 is a schematic diagram of that prompt page. It shows the address of the 360 Enterprise edition client installation package (http://192.168.88.66/install/360EntInst(192.168.88.66_80).exe); the user of the second device can click this address to download and install the 360 Enterprise edition client.
Optionally, after step S130 and before step S150, step S145 may be entered first. In step S145 the first device judges whether the packet comes from the first network or from the second network. If it comes from the first network, step S150 can be entered. If it comes from the second network, step S147 is entered, in which the first device forwards the packet to the second device.
Taking the first network as the Internet and the second network as a LAN as an example, the first device has a first IP address toward the Internet and a first MAC address in the LAN, and the second device has a second IP address toward the Internet and a second MAC address in the LAN. Specifically, in step S145 the first device analyses the packets it receives. It first filters out non-IP packets. Then, for packets whose destination address is not the first IP address of the first device but whose destination MAC address is the first MAC address of the first device, and whose source address is the address of the gateway device, it checks further: if the packet is a TCP packet, or its source port is HTTP port 80, or at least part of its content contains an HTTP response field, the packet is judged to come from the Internet. If these conditions are not met, the packet is judged to come from the LAN and is sent to the second device without its content being replaced.
Optionally, after step S145 and before step S150, step S149 is entered. In step S149 the first device judges whether the access control state of the second device is access control opened. If it is access control opened, step S150 is entered. If it is access control closed, step S147 is entered, in which the first device forwards the packet to the second device.
In an embodiment of the invention, when the access control state of the second device is access control opened and the second device accesses the first network through the gateway device, the returned page jumps to the page at the predetermined address, which for example prompts the user of the second device to install the predetermined application program. When the access control state of the second device is access control closed and the second device accesses the first network through the gateway device, the gateway device forbids the access: it sends a packet forbidding the second device to access the first network to the first device, and the first device forwards that packet to the second device.
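Steps S145, S149, S150 and S147 together are a small packet-rewriting pipeline on the first device. The following Python is an added example, not the applicant's code, that runs it over a constructed Ethernet/IPv4/TCP frame using only the standard library: the source check of S145, the state check of S149, and the HTTP replacement of S150 with the IP total length, IP checksum and TCP checksum recomputed so that the second device's TCP stack accepts the rewritten segment. The first and second device addresses are taken from the table above; the gateway's MAC, the remote server address (203.0.113.10, a documentation address standing in for www.360.cn) and the install URL form are assumptions. The description joins the last three S145 tests with "or"; this version requires TCP and one of the two HTTP indicators, so that non-HTTP replies from the gateway are forwarded rather than rewritten.

```python
import struct

FIRST_MAC = bytes.fromhex("24b6fdfa8d87")        # first device's LAN MAC (from the table)
FIRST_IP = bytes([192, 168, 15, 122])           # first device's LAN IP (from the table)
GATEWAY_MAC = bytes.fromhex("02005e000001")     # assumption: the gateway's LAN MAC
INSTALL_URL = "http://192.168.15.122:80/"       # page-jump address in the form given above


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; verifying a header with its checksum in place yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, flags=0x18, seq=1, ack=1):
    """Ethernet II / IPv4 / TCP frame with valid IP and TCP checksums."""
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)) + payload
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp))
    struct.pack_into("!H", tcp, 16, checksum(pseudo + bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src_ip, dst_ip))
    struct.pack_into("!H", ip, 10, checksum(bytes(ip)))
    return dst_mac + src_mac + b"\x08\x00" + bytes(ip) + bytes(tcp)


def tcp_checksum_ok(frame: bytes) -> bool:
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    pseudo = frame[26:30] + frame[30:34] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pseudo + tcp) == 0


def classify(frame: bytes) -> str:
    """Step S145: 'non-ip' frames are filtered out; 'internet' means addressed to the first
    device's MAC but not its IP, sent by the gateway, TCP, and from port 80 or carrying an
    HTTP response line; everything else is 'lan' and is forwarded untouched."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "non-ip"
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ihl, proto, dst_ip = (frame[14] & 0x0F) * 4, frame[23], frame[30:34]
    if not (dst_mac == FIRST_MAC and dst_ip != FIRST_IP and src_mac == GATEWAY_MAC and proto == 6):
        return "lan"
    l4 = 14 + ihl
    sport = struct.unpack("!H", frame[l4:l4 + 2])[0]
    payload = frame[l4 + (frame[l4 + 12] >> 4) * 4:]
    return "internet" if sport == 80 or payload.startswith(b"HTTP/") else "lan"


def rewrite_http(frame: bytes, second_mac: bytes, install_url: str = INSTALL_URL) -> bytes:
    """Step S150: keep the IP/TCP addressing and sequence numbers of the intercepted
    response, replace the HTTP content with a redirect to the install page, and re-emit
    the segment with correct lengths and checksums, addressed to the second device."""
    l4 = 14 + (frame[14] & 0x0F) * 4
    sport, dport, seq, ack = struct.unpack("!HHII", frame[l4:l4 + 12])
    body = f'<html><body><a href="{install_url}">Install the client to access the network</a></body></html>'
    payload = (f"HTTP/1.1 302 Found\r\nLocation: {install_url}\r\nContent-Type: text/html\r\n"
               f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n{body}").encode()
    # FIN|PSH|ACK: the client closes instead of waiting for the rest of the original
    # response, whose later segments no longer line up with this payload.
    return build_ipv4_tcp(FIRST_MAC, second_mac, frame[26:30], frame[30:34], sport, dport, payload, 0x19, seq, ack)


def handle_frame(frame: bytes, access_control: str, second_mac: bytes) -> bytes:
    """S145 -> S149 -> S150/S147: rewrite only Internet HTTP replies while access control
    is 'opened'; anything else is forwarded to the second device unchanged (S147)."""
    if classify(frame) != "internet" or access_control != "opened":
        return second_mac + FIRST_MAC + frame[12:]
    return rewrite_http(frame, second_mac)


# Constructed sample, not a capture: a reply from a web server to the second device
# 192.168.15.103, delivered by the gateway to the first device's MAC because the
# gateway's ARP entry for .103 has been redirected.
SECOND_MAC, SECOND_IP = bytes.fromhex("180373442fb0"), bytes([192, 168, 15, 103])
SAMPLE_REPLY = build_ipv4_tcp(GATEWAY_MAC, FIRST_MAC, bytes([203, 0, 113, 10]), SECOND_IP, 80, 51234,
                              b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello", seq=1000, ack=2000)

if __name__ == "__main__":
    out = handle_frame(SAMPLE_REPLY, "opened", SECOND_MAC)
    print(classify(SAMPLE_REPLY), tcp_checksum_ok(out), out[54:].decode())
```

Two points the description leaves out matter in practice. The rewritten segment reuses the original sequence number, so the remaining segments of the real response must also be absorbed by the first device (or the connection reset); the FIN flag and "Connection: close" above are the minimum needed for the browser not to hang. And the replacement only works on cleartext HTTP; a response over HTTPS cannot be rewritten this way, which is why captive-portal style redirection of this kind is usually paired with DNS interception or a plain-HTTP probe.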
Subsequently, in step S170, after the second device has installed the predetermined application program from the address of the installation package, the first device changes the deployment state of the second device from "not deployed" to "deployed" and changes the access-control state of the second device from "access control opened" to "accessed".
In an embodiment of the invention, when the access control of the second device needs to be closed, the method 100 further includes: the first device changes the access-control state of the second device from "access control opened" to "access control closed"; the first device changes the address of the second device recorded on the gateway device from the first address back to the second address. The second device can then directly receive the packets with which the gateway device forbids its access to the first network. For example, when the access control of the second device needs to be closed, the first device uses ARP replies sent to the gateway device at a predetermined interval (for example once every 3 seconds) to change the MAC address that the gateway device associates with the second device from the first device's first MAC address back to the second device's second MAC address.
In embodiments of the invention, after the second device has installed the predetermined application program from the address of the installation package, the method further includes:
the first device changing the deployment state of the second device from "not deployed" to "deployed", and changing the access-control state of the second device from "access control opened" to "accessed".
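The following Python model is an added illustration of the decision logic described in steps S145 to S170 and is not the patent's own code: the permission rule over the access-control and deployment states, the step S145 test for whether a diverted packet comes from the Internet, the step S149 branch, the HTTP replacement, and the state changes after installation and when access control is closed. Class and field names, the addresses, the installer URL and the sample packet bytes are constructed assumptions; TCP sequence bookkeeping for the rewritten response is left out.

```python
# Added illustrative model of the patent's access-control logic (not the
# patent's own code); names, addresses and sample bytes are assumptions.
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class AccessControl(Enum):
    OPENED = "access control opened"   # enforcing: HTTP responses are rewritten
    CLOSED = "access control closed"   # enforcing: gateway's block packet is passed on
    ACCESSED = "accessed"              # permission granted


class Deploy(Enum):
    NOT_DEPLOYED = "not deployed"
    DEPLOYED = "deployed"


def has_permission(ac: AccessControl, dep: Deploy) -> bool:
    """Permission rule from the description: only (accessed, deployed) grants
    access. Combinations the page does not define are treated as no permission
    (assumption: deny by default)."""
    return ac is AccessControl.ACCESSED and dep is Deploy.DEPLOYED


@dataclass
class Packet:
    """Constructed minimal view of a frame as received by the first device."""
    ethertype: int      # 0x0800 = IPv4
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: int = 6      # 6 = TCP
    src_port: int = 0
    payload: bytes = b""


@dataclass
class FirstDevice:
    ip: str             # first IP address
    mac: str            # first MAC address (LAN)
    gateway_mac: str
    install_url: bytes  # address of the installation package (assumed URL)

    def from_internet(self, pkt: Packet) -> bool:
        """Step S145: an IP packet, not addressed to our own IP but carrying our
        MAC (diverted by the address change on the gateway), sent by the gateway,
        and TCP, or from port 80, or containing an HTTP response field."""
        if pkt.ethertype != 0x0800:
            return False
        if pkt.dst_ip == self.ip or pkt.dst_mac != self.mac:
            return False
        if pkt.src_mac != self.gateway_mac:
            return False
        return pkt.proto == 6 or pkt.src_port == 80 or pkt.payload.startswith(b"HTTP/1.")

    def rewrite_http(self) -> bytes:
        """Replacement module: the HTTP content becomes a redirect to the
        installation package address (TCP sequence bookkeeping is out of scope)."""
        return (b"HTTP/1.1 302 Found\r\nLocation: " + self.install_url
                + b"\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")

    def handle(self, pkt: Packet, ac: AccessControl, dep: Deploy) -> tuple[str, bytes]:
        """Decide what to do with a packet meant for the second device."""
        if has_permission(ac, dep):
            return ("forward", pkt.payload)         # nothing to enforce
        if not self.from_internet(pkt):
            return ("forward", pkt.payload)         # LAN traffic passes untouched
        if ac is AccessControl.CLOSED:
            return ("forward", pkt.payload)         # step S147: gateway's block packet
        return ("replace", self.rewrite_http())     # step S149 -> step S150

    def advertised_mac(self, second: SecondDevice) -> str:
        """Address modification: while enforcing with 'opened', the ARP reply sent
        to the gateway (every 3 s per the description) maps the second device's IP
        to our MAC; closing access control restores the second device's own MAC."""
        return self.mac if second.ac is AccessControl.OPENED else second.mac


@dataclass
class SecondDevice:
    ip: str
    mac: str            # second MAC address (LAN)
    ac: AccessControl = AccessControl.OPENED
    dep: Deploy = Deploy.NOT_DEPLOYED

    def after_install(self) -> None:
        """Step S170: the predetermined application has been installed."""
        self.dep = Deploy.DEPLOYED
        self.ac = AccessControl.ACCESSED

    def close_access_control(self) -> None:
        """Closing access control: 'access control opened' -> 'access control closed'."""
        self.ac = AccessControl.CLOSED
```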
It should be noted that the method shown in Fig. 1 is not limited to the order of the steps shown; the order of the steps can be adjusted as required. Furthermore, the division into steps is not limited to that described above: the steps can be split into more steps or merged into fewer steps.
A device 300 for access permission control according to an embodiment of the invention, suitable for solving the problem described above, is described below with reference to Fig. 3.
As shown in Fig. 3, the access permission control device 300 is suitable for controlling access to a first network, through a gateway device, by at least one terminal device located in a second network. It includes a permission judging module 301, a receiving module 303 and a replacement module 305, where:
the permission judging module 301 judges, when the terminal device accesses the first network through the gateway device, whether the terminal device has permission to access the first network;
the receiving module 303 receives, when the terminal device does not have permission to access the first network, the packet sent by the gateway device that was originally to be sent to the terminal device;
the replacement module 305 replaces at least part of the content of the received packet with preset content and forwards the packet with the replaced content to the terminal device.
Optionally, the permission judging module 301 further judges whether the terminal device has permission to access the first network according to the access-control state of the terminal device and/or the deployment state of the predetermined application program on the terminal device. Optionally, the access-control state is one of "access control opened", "access control closed" and "accessed", and the deployment state is one of "deployed" and "not deployed". If the access-control state is "access control opened" or "access control closed" and the deployment state is "not deployed", the terminal device does not have permission to access the first network; if the access-control state is "accessed" and the deployment state is "deployed", the terminal device has permission to access the first network.
Optionally, the device 300 further includes an access judging module, which judges whether the access-control state is "access control opened"; if it is, the access judging module triggers the replacement module 305; if the access-control state is "access control closed", it sends the terminal device the message forbidding its access to the first network.
Optionally, the device 300 further includes an acquisition module and a logging module: the acquisition module obtains the access-control state of the terminal device and the deployment state of the predetermined application program on the terminal device, and the logging module records the obtained access-control state and deployment state in an access control database.
Optionally, when the terminal device does not have permission to access the first network, the device 300 further includes an address modification module, which changes the address of the terminal device recorded on the gateway device from the second address to the first address, where the second address is the address of the terminal device in the second network and the first address is the address of the device 300 in the second network.
Optionally, the device 300 further includes a source judging module, which judges whether the packet comes from the first network or from the second network; if the packet comes from the first network, it triggers the replacement module 305; if the packet comes from the second network, the packet is forwarded to the terminal device.
Optionally, the replacement module 305 further replaces the HTTP content in the packet with the address of the installation package of the predetermined application program deployed by the first device.
Optionally, the device 300 further includes a setting module, which, after the terminal device has installed the predetermined application program from the address of the installation package, changes the deployment state of the terminal device from "not deployed" to "deployed" and changes the access-control state of the terminal device from "access control opened" to "accessed".
With the access permission control method and device of the invention, when the second device accesses the first network through the gateway device without having permission to do so, the gateway device forwards the packets generated for that access request to the first device, and the first device replaces at least part of their content with preset content. For example, when the second device does not have permission to access the first network, any website in the first network that the second device accesses is redirected to a designated page. A network administrator can thus exercise permission control over the terminal devices in the network, which effectively improves network security.
In embodiments of the invention, the permission judging module further judges whether the terminal device has permission to access the first network according to the access-control state of the terminal device and/or the deployment state of the predetermined application program on the terminal device.
In embodiments of the invention, the access-control state is one of "access control opened", "access control closed" and "accessed", and the deployment state is one of "deployed" and "not deployed";
if the access-control state is "access control opened" or "access control closed" and the deployment state is "not deployed", the terminal device does not have permission to access the first network;
if the access-control state is "accessed" and the deployment state is "deployed", the terminal device has permission to access the first network.
In embodiments of the invention, the device further includes:
an access judging module, for judging whether the access-control state is "access control opened"; if the access-control state is "access control opened", triggering the replacement module; if the access-control state is "access control closed", sending the terminal device the message forbidding its access to the first network.
In embodiments of the invention, the device further includes:
an acquisition module, for obtaining the access-control state of the terminal device and the deployment state of the predetermined application program on the terminal device;
a logging module, for recording the obtained access-control state and deployment state in an access control database.
In embodiments of the invention, when the second device does not have permission to access the first network, the device further includes:
an address modification module, for changing the address of the terminal device recorded on the gateway device from the second address to the first address, where the second address is the address of the terminal device in the second network and the first address is the address of the device in the second network.
In embodiments of the invention, the device further includes:
a source judging module, for judging whether the packet comes from the first network or from the second network; if the packet comes from the first network, triggering the replacement module; if the packet comes from the second network, forwarding the packet to the terminal device.
In embodiments of the invention, the replacement module further replaces the HTTP content in the packet with the address of the installation package of the predetermined application program deployed by the first device.
In embodiments of the invention, the device further includes:
a setting module, for changing, after the terminal device has installed the predetermined application program from the address of the installation package, the deployment state of the terminal device from "not deployed" to "deployed" and the access-control state of the terminal device from "access control opened" to "accessed".
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with teachings based on this disclosure. From the description above, the structure required to construct such systems is apparent. Moreover, the invention is not directed to any particular programming language. It should be understood that various programming languages can be used to implement the content of the invention described here, and that the description of a specific language above is made in order to disclose the best mode of the invention.
In the specification provided here, a large number of details are described. It will be understood, however, that embodiments of the invention can be practised without these details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it is to be understood that, in order to streamline the disclosure and aid in understanding one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. Modules, units or components of an embodiment can be combined into one module, unit or component, and can in addition be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The components of the embodiments of the invention can be realised in hardware, in software modules running on one or more processors, or in a combination of these. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the access permission control device according to the embodiments of the invention. The invention can also be implemented as device or apparatus programs (for example, computer programs and computer program products) for performing part or all of the methods described herein. Such programs implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order; these words may be interpreted as names.

Claims (10)

1. An access permission control method, characterized in that it is applicable to a first device controlling access to a first network, through a gateway device, by at least one second device located in a second network, the method comprising:
when the second device accesses the first network through the gateway device, the first device judging whether the second device has permission to access the first network;
if the second device does not have permission to access the first network, the first device receiving the packet sent by the gateway device that was originally to be sent to the second device;
the first device replacing at least part of the content of the received packet with preset content, and forwarding the packet with the replaced content to the second device.
2. The method according to claim 1, characterized in that the step of the first device judging whether the second device has permission to access the first network comprises:
the first device judging, according to the access-control state of the second device and/or the deployment state of the predetermined application program on the second device, whether the second device has permission to access the first network.
3. The method according to claim 2, characterized in that the access-control state is one of: access control opened, access control closed, and accessed; and the deployment state is one of: deployed and not deployed;
if the access-control state is access control opened and the deployment state is not deployed, the second device does not have permission to access the first network;
if the access-control state is access control closed, the second device does not have permission to access the first network;
if the access-control state is accessed, the second device has permission to access the first network.
4. The method according to claim 3, characterized in that, before the step of the first device replacing at least part of the content of the received packet with preset content, the method further comprises:
the first device judging whether the access-control state is access control opened;
if the access-control state is access control opened, performing the step of the first device replacing at least part of the content of the received packet with preset content;
if the access-control state is access control closed, the first device forwarding to the second device the packet forbidding its access to the first network.
5. The method according to any one of claims 2 to 4, characterized in that the method further comprises:
the first device obtaining the access-control state of the second device and the deployment state of the predetermined application program on the second device;
recording the obtained access-control state and deployment state in an access control database.
6. The method according to claim 3, characterized in that, when the second device does not have permission to access the first network, the method further comprises:
the first device changing the address of the second device recorded on the gateway device from a second address to a first address, where the second address is the address of the second device in the second network and the first address is the address of the first device in the second network.
7. The method according to claim 6, characterized in that, when the access control of the second device needs to be closed, the method further comprises:
the first device changing the access-control state of the second device from access control opened to access control closed;
the first device changing the address of the second device recorded on the gateway device from the first address back to the second address.
8. The method according to any one of claims 1 to 7, characterized in that, before the step of the first device replacing at least part of the content of the received packet with preset content, the method further comprises:
the first device judging whether the packet comes from the first network or from the second network;
if the packet comes from the first network, performing the step of the first device replacing at least part of the content of the received packet with preset content;
if the packet comes from the second network, the first device forwarding the packet to the second device.
9. The method according to any one of claims 1 to 8, characterized in that the step of the first device replacing at least part of the content of the packet with preset content comprises:
the first device replacing the HTTP content in the packet with the address of the installation package of the predetermined application program deployed by the first device.
10. An access permission control device, characterized in that it is applicable to controlling access to a first network, through a gateway device, by at least one terminal device located in a second network, the device comprising:
a permission judging module, for judging, when the terminal device accesses the first network through the gateway device, whether the terminal device has permission to access the first network;
a receiving module, for receiving, when the terminal device does not have permission to access the first network, the packet sent by the gateway device that was originally to be sent to the terminal device;
a replacement module, for replacing at least part of the content of the received packet with preset content, and forwarding the packet with the replaced content to the terminal device.
CN201310467021.XA 2013-10-09 2013-10-09 access permission control method and device Active CN103560996B (en)


Publications (2)

Publication Number Publication Date
CN103560996A true CN103560996A (en) 2014-02-05
CN103560996B CN103560996B (en) 2017-01-25

Family

ID=50015146


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20161222
Address after: 100015 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3
Applicant after: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.
Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)
Applicant before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
Applicant before: Qizhi software (Beijing) Co.,Ltd.
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
Address after: 100032 NO.332, 3rd floor, Building 102, 28 xinjiekouwai street, Xicheng District, Beijing
Patentee after: QAX Technology Group Inc.
Address before: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.
Patentee before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.