CN105939401A - Method and device for processing message - Google Patents
Method and device for processing message
- Publication number: CN105939401A (application CN201610072814.5A)
- Authority: CN (China)
- Prior art keywords: message, session, state, labelling, terminal
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/2521—Translation architectures other than single NAT servers
Abstract
The invention provides a method and a device for processing a message. The method comprises: when a data message is to be sent, obtaining the signal flag of the session to which the data message belongs; and, if the signal flag indicates that the terminal authentication state corresponding to that session has changed, sending a state notification message corresponding to the session to a security linkage device, the state notification message notifying the security linkage device of the terminal authentication state so that it can process the session's data messages according to that state. With this embodiment, the security linkage device can still determine the security status of the terminal that sent a message in a NAT (Network Address Translation) architecture.
Description
Technical field
The application relates to the field of network communication technology, and in particular to a method and device for processing a message.
Background technology
With the development of network technology, the safety and reliability of terminals has become an increasingly prominent problem; for example, some terminals have no antivirus software installed, have an outdated virus database, or run abusive software. Once a terminal with such a security problem accesses an enterprise network, it affects the normal use of that network. In the related art, therefore, to protect the servers in an enterprise network, a security linkage device is used to perform a security check on any terminal attempting to access the network: only once the terminal is confirmed to be secure are its messages forwarded, while if the terminal itself is insecure the security linkage device can simply discard the messages it sends, cutting off in time the connection between the enterprise network and the terminal that poses a security risk. Whether a terminal is secure can be expressed through authentication; for example, a terminal that has passed authentication is a secure terminal.
In the prior art, the security linkage device can identify which terminal sent a received message from the message's source IP address, and then decide from that terminal's authentication state whether to continue processing the message, for example how to forward it according to a preset security policy. However, NAT (Network Address Translation) is now very commonly used in enterprise networking, and messages sent by different terminals to an enterprise server carry the same source IP address after NAT translation. The security linkage device then cannot identify which terminal sent a message from its source IP address, cannot determine whether the sending terminal is a secure terminal, and therefore cannot know how to process the message. If a terminal identification field were added to messages to help the security linkage device identify the terminal, the processing would not only be relatively complicated, but the added field might also interfere with the security linkage device's recognition of the message, causing it to be processed incorrectly and threatening the security of the enterprise network.
Summary of the invention
In view of this, the application provides a method and a device for processing a message, with the aim of allowing the security linkage device to still identify the security status of the terminal sending a message in a NAT architecture.
Specifically, the application is achieved by the following technical solution:
According to a first aspect of the embodiments of the application, a method for processing a message is provided, which may include:
when sending a data message, obtaining the signal flag of the session corresponding to the data message;
if the signal flag indicates that the terminal authentication state corresponding to the session has changed, sending a state notification message corresponding to the session to the security linkage device, the state notification message being used to notify the security linkage device of the terminal authentication state so that the security linkage device processes the data messages of the session according to that terminal authentication state.
In one embodiment, obtaining the signal flag of the session corresponding to the data message includes:
obtaining an overall signal flag of the corresponding terminal, the overall signal flag indicating whether any session of the terminal has a changed terminal authentication state;
if the overall signal flag indicates that there is a session whose terminal authentication state has changed, continuing to obtain the signal flag of the session corresponding to the data message.
In one embodiment, the method further includes:
when the signal flags of all sessions indicate that the terminal authentication state has not changed, setting the overall signal flag to a first flag value, which indicates that no session has a changed terminal authentication state;
when the terminal authentication state changes, setting the overall signal flag to a second flag value, which indicates that there is a session whose terminal authentication state has changed.
In one embodiment, sending the state notification message corresponding to the session to the security linkage device includes:
constructing the state notification message corresponding to the session and sending it to the security linkage device, the state notification message carrying a terminal authentication state flag and a signal message flag, where the terminal authentication state flag indicates whether the terminal has passed authentication and the signal message flag allows the security linkage device to recognise the received message as a state notification message.
In one embodiment, sending the state notification message corresponding to the session to the security linkage device includes:
if the terminal authentication state after the change is "authenticated", duplicating the data message and sending the duplicated data message to the security linkage device.
In one embodiment, if the signal flag indicates that the terminal authentication state corresponding to the session has changed, sending the state notification message corresponding to the session to the security linkage device includes:
when the signal flag indicates that the terminal authentication state has changed and the value of the signal flag is N, sending N state notification messages corresponding to the session to the security linkage device, N being a natural number not less than 1;
each time a state notification message corresponding to the session is sent to the security linkage device, decrementing the signal flag value of the session by 1, until it reaches 0.
According to a second aspect of the embodiments of the application, a method for processing a message is provided, which may include:
when receiving a state notification message sent by a terminal, recording, according to the state notification message, the terminal authentication state corresponding to the session to which the state notification message belongs;
processing the data messages of that session sent by the terminal according to the terminal authentication state.
According to a third aspect of the embodiments of the application, a device for processing a message is provided, which may include:
an acquiring unit, for obtaining, when a data message is sent, the signal flag of the session corresponding to the data message;
a sending unit, for sending, when the signal flag indicates that the terminal authentication state corresponding to the session has changed, a state notification message corresponding to the session to the security linkage device, the state notification message being used to notify the security linkage device of the terminal authentication state so that the security linkage device processes the data messages of the session according to that terminal authentication state.
In one embodiment, the acquiring unit includes:
a first acquiring subunit, for obtaining the overall signal flag of the corresponding terminal, the overall signal flag indicating whether any session of the terminal has a changed terminal authentication state;
a second acquiring subunit, for continuing to obtain the signal flag of the session corresponding to the data message when the overall signal flag indicates that there is a session whose terminal authentication state has changed.
In one embodiment, the device further includes:
a flag changing unit, for setting the overall signal flag to a first flag value when the signal flags of all sessions indicate that the terminal authentication state has not changed, the first flag value indicating that no session has a changed terminal authentication state; and for setting the overall signal flag to a second flag value when the terminal authentication state changes, the second flag value indicating that there is a session whose terminal authentication state has changed.
In one embodiment, the sending unit includes:
a constructing and sending subunit, for constructing the state notification message corresponding to the session and sending it to the security linkage device, the state notification message carrying a terminal authentication state flag and a signal message flag, where the terminal authentication state flag indicates whether the terminal has passed authentication and the signal message flag allows the security linkage device to recognise the received message as a state notification message.
In one embodiment, the sending unit includes:
a duplicating and sending subunit, for duplicating the data message when the terminal authentication state after the change is "authenticated", and sending the duplicated data message to the security linkage device.
In one embodiment, the sending unit includes:
a sending subunit, for sending N state notification messages corresponding to the session to the security linkage device when the signal flag indicates that the terminal authentication state has changed and the value of the signal flag is N, N being a natural number not less than 1;
an updating subunit, for decrementing the signal flag value of the session by 1 each time a state notification message corresponding to the session is sent to the security linkage device, until it reaches 0.
According to a fourth aspect of the embodiments of the application, a device for processing a message is provided, which may include:
a recording unit, for recording, when a state notification message sent by a terminal is received, the terminal authentication state corresponding to the session to which the state notification message belongs, according to that message;
a processing unit, for processing the data messages of that session sent by the terminal according to the terminal authentication state.
In the method for processing a message of this embodiment, the terminal authentication state corresponding to each session of a terminal is notified to the security linkage device by sending state notification messages, so that the security linkage device can process the data messages of each session according to the terminal authentication state. With this approach, even though the IP addresses of different terminals become identical after NAT translation, the different sessions of different terminals still have different session information after NAT, such as different combinations of IP address and port number. By recording the session information and the terminal authentication state corresponding to each session, the security linkage device effectively achieves session-level identification of different terminals, and through the recorded per-session terminal authentication state it identifies the authentication state corresponding to each terminal. It can therefore still identify the security status of the terminal sending a message in a NAT architecture, preventing insecure terminals from accessing the enterprise network and threatening its security.
In addition, this embodiment notifies the state with a state notification message, which is a message independent of the data messages sent by the terminal. Using a state notification message to notify the security linkage device of the state achieves the purpose of notifying the terminal state without altering or affecting the original data messages; it is convenient to implement, works better, and avoids the errors that modifying the original data messages might cause.
Accompanying drawing explanation
Fig. 1 is a schematic diagram of an application scenario of the method for processing a message implemented by an embodiment of the application.
Fig. 2 is a flow chart of an embodiment of the method for processing a message according to an exemplary embodiment.
Fig. 3 is a flow chart of another embodiment of the method for processing a message according to an exemplary embodiment.
Fig. 4 is an architecture diagram of another implementation of the method for processing a message according to an embodiment of the application.
Fig. 5A is a flow chart of yet another embodiment of the method for processing a message according to an exemplary embodiment.
Fig. 5B is a structure diagram of a state notification message in an embodiment of the application.
Fig. 6 is a hardware structure diagram of the equipment hosting the device for processing a message of the application.
Fig. 7 is a block diagram of an embodiment of the device for processing a message of the application.
Fig. 8 is a block diagram of another embodiment of the device for processing a message of the application.
Fig. 9 is a block diagram of yet another embodiment of the device for processing a message of the application.
Fig. 10 is a block diagram of yet another embodiment of the device for processing a message of the application.
Detailed description of the invention
Exemplary embodiments are described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the application; rather, they are merely examples of apparatus and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in this application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "the" and "said" used in this application and the appended claims are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, this information should not be limited by these terms, which are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be referred to as second information, and similarly second information may be referred to as first information. Depending on context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
A NAT architecture is a networking mode commonly used in current enterprise networks. See the example of Fig. 1, which is a schematic diagram of an application scenario of the method for processing a message implemented by an embodiment of the application; this scenario uses a NAT architecture. Terminal 11 and terminal 12 are both located in the private intranet and are each connected to NAT device 13; enterprise server 15 is located in the enterprise network, and security linkage device 14 sits between the private intranet and the enterprise network. When terminal 11 or terminal 12 sends a message to enterprise server 15, the message is transmitted to NAT device 13, which translates the message's source IP address; the message is then transmitted to security linkage device 14, which, by performing the method for processing a message of the embodiments of the application, can identify the message in order to determine the security status of the terminal that sent it, and process the message according to the result, so that an insecure terminal that has not passed authentication is prevented from accessing the enterprise network and threatening its security.
It should be understood that terminal 11 and terminal 12 in Fig. 1 are shown as computers only by way of example; in practice a terminal may be a tablet computer, a mobile phone or any other terminal with network resource access capability.
Taking the application scenario shown in Fig. 1 as an example, terminal 11 or terminal 12 may perform the flow shown in Fig. 2, which is a flow chart of an embodiment of the method for processing a message according to an exemplary embodiment and may include:
Step S201: when sending a data message, obtaining the signal flag of the session corresponding to the data message.
Step S202: if the signal flag indicates that the terminal authentication state corresponding to the session has changed, sending a state notification message corresponding to the session to the security linkage device, the state notification message being used to notify the security linkage device of the terminal authentication state so that the security linkage device processes the data messages of the session according to that terminal authentication state.
Taking the application scenario shown in Fig. 1 as an example, security linkage device 14 may perform the flow shown in Fig. 3, which is a flow chart of another embodiment of the method for processing a message according to an exemplary embodiment and may include:
Step S301: when receiving a state notification message sent by a terminal, recording, according to the state notification message, the terminal authentication state corresponding to the session to which the state notification message belongs.
Step S302: processing the data messages of the session sent by the terminal according to the terminal authentication state.
Fig. 4 below shows an architecture diagram of an implementation of the method for processing a message according to an embodiment of the application. Based on the application scenario of Fig. 1, it takes terminal 11 and security linkage device 14 performing the method of the application as an example. Fig. 4 includes terminal 11 and security linkage device 14: terminal 11 stores the session identifiers of all its sessions together with the corresponding signal flags, and security linkage device 14 stores session identifiers together with the corresponding terminal authentication states. The information stored on terminal 11 and security linkage device 14 is described in detail below and is not detailed here.
To explain in more detail how the method for processing a message of the application is implemented, the flows shown in Fig. 2 and Fig. 3 are described in detail with reference to the architecture diagram of Fig. 4.
In the embodiments of the application, a terminal can obtain its own authentication state. For example, a terminal authentication state flag can be preset in terminal 11 to represent the terminal authentication state, which may be "not authenticated" or "authenticated"; a terminal that has passed authentication is a secure terminal. The terminal authentication state flag can be stored at a fixed location in memory, for example occupying two bytes. The flag may take, for instance, the value "00" or "11", where "00" means that the terminal has not passed authentication and "11" means that it has; of course, a specific implementation is not limited to this representation.
Terminal 11 may have multiple sessions, i.e. the number of sessions may be more than one. In the examples of the application, the terminal authentication state flag described above can be a single overall authentication state flag, i.e. the terminal authentication state corresponding to all sessions is the same. For example, when the terminal has passed authentication, the terminal authentication state flag corresponding to every session is "11", and when the security linkage device subsequently learns that the terminal has passed authentication it can treat the data messages of all of that terminal's sessions as safe; when the terminal has not passed authentication, the terminal authentication state flag of every session is "00", and when the security linkage device learns that the terminal has not passed authentication it can treat the data messages of all of that terminal's sessions as unsafe and discard them directly.
Terminal 11 can store a session state flag mapping table; see the example of Table 1 below. The session state flag mapping table contains the session identifier of every session on terminal 11, the session identifier uniquely representing one session, and each session corresponds to a signal flag indicating whether the terminal authentication state corresponding to the session has changed, for example from "not authenticated" to "authenticated". For example, the session identifier can consist of the source IP address, source port number, destination IP address and destination port number, which together uniquely represent one session; the signal flag can take the value 0 or 1, with the preset convention that a signal flag value of 0 means the terminal authentication state corresponding to the session has not changed (or has already been notified), and a value of 1 means that it has changed.
Table 1

Session identifier (SID: session identify) | Signal flag (TTS: time to signal)
10.0.1.1:11->30.0.0.2:80                    | 0
10.0.1.1:12->30.0.0.2:80                    | 1
…                                           | …
The signal flag "0" or "1" corresponding to each session in Table 1 can be understood as follows. When the authentication state of the terminal changes, for example from "not authenticated" to "authenticated" or from "authenticated" to "not authenticated", the signal flags of all of the terminal's sessions in Table 1 are set to "1", meaning that the terminal authentication state of every session has changed and each session should notify the security linkage device once more of the terminal's latest authentication state; after a session has notified the security linkage device of the authentication state, its signal flag is set back to "0". As another example, suppose the terminal adds a new session: the signal flag of the new session can be set to "1", meaning that the security linkage device should be notified to record the terminal authentication state corresponding to the new session (which is of course the same as that of the other sessions), while the signal flags of the other sessions whose authentication state has already been notified remain "0", because the terminal authentication state has already been notified to the security linkage device and need not be notified again.
Specifically, referring to step S201, when terminal 11 sends a data message it can obtain the signal flag of the session corresponding to the data message. For example, it can look up the session state flag mapping table exemplified by Table 1 using the source IP address, source port number, destination IP address and destination port number carried in the data message, determine the session identifier of the session corresponding to the data message, and then obtain the signal flag corresponding to that session identifier. For instance, if the source IP address, source port number, destination IP address and destination port number carried in the data message are 10.0.1.1, 12, 30.0.0.2 and 80 respectively, looking up Table 1 with these four values gives a signal flag of 1 for the session corresponding to the data message.
If the signal flag of the session indicates that the terminal authentication state corresponding to the session has changed, as in the above example where the signal flag corresponding to session 10.0.1.1:12->30.0.0.2:80 is 1, meaning that the terminal authentication state of that session has changed (for example, the session may be a newly created session and the current terminal authentication state is "authenticated"), then in step S202 terminal 11 sends a state notification message corresponding to the session to security linkage device 14, the state notification message being used to notify security linkage device 14 of the latest terminal authentication state after the change, so that security linkage device 14 processes the data messages of the session according to that terminal authentication state. For example, the terminal authentication state corresponding to session 10.0.1.1:12->30.0.0.2:80 can be notified to security linkage device 14 so that it processes the subsequent data messages of session 10.0.1.1:12->30.0.0.2:80 according to that state.
When security linkage device 14 receives the state notification message sent by terminal 11, it records, according to the state notification message, the terminal authentication state corresponding to the session to which the message belongs. In the embodiments of the application, security linkage device 14 can store a session state control table containing the correspondence between session identifiers and terminal authentication states; that is, security linkage device 14 can record the terminal authentication state corresponding to every session on a terminal.
See the example of Table 2 below, which is an example of a session state control table:
Table 2

Session identifier (SID: session identify) | Terminal authentication state
10.0.1.1:11->30.0.0.2:80                    | 00
10.0.1.1:12->30.0.0.2:80                    | 00
…                                           | …
In Table 2, "00" can, for example, represent that the terminal has passed authentication. Table 2 shows two sessions of one terminal, and the terminal authentication state corresponding to the two sessions can be the same, for example that the terminal has passed authentication. In another scenario, if the authentication state of the terminal is "not authenticated", it can be represented by "11" in Table 2.
In step S302, after recording the terminal authentication state, security linkage device 14 can process the data messages of the session sent by the terminal according to the terminal authentication state of each session.
For example, suppose security linkage device 14 receives a data message. It can look up Table 2 using the source IP address, source port number, destination IP address, destination port number and other information of the data message, obtain the session corresponding to the data message, and obtain from Table 2 the terminal authentication state corresponding to that session.
Such as, if in table 2, the terminal authentication state of data message place session is the most logical for representing terminal
When crossing certification, this terminal is security terminal, the safe plan that security linkage network equipment 14 can preserve according to self
Slightly continue to forward the data message of this session;When terminal authentication state is not authenticated, this terminal is
Dangerous terminal, the data message of this session can be blocked, thus avoid this not by security linkage network equipment 14
The safety of enterprise network is threatened by the terminal of safety.
In the message processing method of this embodiment, the terminal authentication state corresponding to each of the terminal's sessions is notified to the security linkage device by sending state notification messages, so that the security linkage device can process the data messages of each session according to the terminal authentication state. With this approach, even though in a NAT architecture different terminals share the same IP address after NAT translation, the different sessions of different terminals still differ in their post-NAT session information, such as IP address and port number. By recording the session information together with the terminal authentication state of each session, the security linkage device in effect identifies the sessions of different terminals, and through the recorded per-session terminal authentication state identifies the authentication state of each terminal. Thus the security of the terminal sending a message can still be identified in a NAT architecture, and insecure terminals are prevented from accessing the enterprise network and threatening its security.
Moreover, this embodiment notifies the state with a state notification message that is separate from the data messages sent by the terminal. Using a state notification message to notify the security linkage device of the state achieves the purpose of notifying the terminal state without altering or affecting the original data messages; it is convenient to implement, works better, and avoids errors that modifying the original data messages might cause.
On the basis of the message processing shown in Fig. 2 and Fig. 3 above, in order to confirm more efficiently whether the terminal authentication state has changed, a global signal flag may also be provided to indicate whether the terminal authentication state of any of the terminal's sessions has changed. Fig. 5A below is a flow chart of another embodiment of the message processing method according to an exemplary embodiment, which may include:
Step S501: when sending a data message, the terminal obtains the corresponding global signal flag.
In this embodiment, the terminal may be provided with a global signal flag indicating whether the terminal authentication state of any of the terminal's sessions has changed. For example, the global signal flag may be "0" or "1": "0" means that no session has a changed terminal authentication state, and "1" means that some session has a changed terminal authentication state. Taking the session state flag mapping table shown in table 1 above as an example, table 1 contains sessions whose signal flag is 1, i.e. sessions whose terminal authentication state has changed, so at that point the global signal flag is "1". If all signal flags in the session state flag mapping table are 0, meaning that the terminal authentication state of no session has changed, the global signal flag is "0".
Accordingly, in this embodiment the global signal flag may be maintained according to the values of the signal flags in the session state flag mapping table. For example, when all signal flags in the session state flag mapping table have been changed to 0, the global signal flag may be changed to 0; this "0" may be called the first flag value, and it means that none of the terminal's sessions has a changed terminal authentication state. As another example, when the terminal authentication state changes (e.g. from not authenticated to authenticated), then as described above the signal flags of all sessions on the terminal are changed to 1, so the global signal flag is also changed to 1; this "1" may be called the second flag value. As a further example, when a new session is created on the terminal, the signal flag of the new session is 1, so the global signal flag may likewise be changed to 1. By maintaining the global signal flag in this way, it accurately indicates whether any session with a changed terminal authentication state exists.
Step S502: if the global signal flag indicates that a session with a changed terminal authentication state exists, the terminal continues to obtain the signal flag of the session corresponding to the data message.
When it is determined from the global signal flag that a session with a changed terminal authentication state exists, terminal 11 may further confirm whether the terminal authentication state of the session corresponding to this data message has changed, i.e. it continues to obtain the signal flag of that session. How the signal flag is obtained in this step may refer to the description of step S201 in the embodiment above and is not detailed here.
Furthermore, in this embodiment, when it is determined from the global signal flag that no session with a changed terminal authentication state exists, terminal 11 may directly conclude that the terminal authentication state of the session corresponding to the data message has not changed, without performing the step of obtaining that session's signal flag, which speeds up confirming whether the terminal authentication state of the session corresponding to the data message has changed.
Step S503: if the signal flag indicates that the terminal authentication state corresponding to the session has changed, the terminal constructs a state notification message corresponding to the session and sends the state notification message to the security linkage device.
As described in the embodiment above, when the signal flag indicates that the terminal authentication state corresponding to this session has changed, the terminal sends a state notification message corresponding to the session to the security linkage device, in order to notify the security linkage device of the latest terminal authentication state after the change.
In an optional implementation of the embodiment, the terminal may construct a state notification message carrying a signal message flag and a terminal authentication state flag. The signal message flag indicates that this message is a state notification message, so that the security linkage device, on receiving a message, can recognise it as a state notification message from this flag. Fig. 5B below shows the structure of such a state notification message in an embodiment of the present application.
The format of the state notification message shown in Fig. 5B is based on the UDP message format; the signal message flag and the terminal authentication state flag are located in the data field of the state notification message.
Furthermore, as described in the example above, when a session's signal flag is 1, the terminal may, after sending one state notification message for the session to the security linkage device, change the session's signal flag in the session state flag mapping table to 0, indicating that no further state notification message needs to be sent for this session. If, because of some abnormal condition, the state notification message does not reach the security linkage device, the security linkage device does not receive it and therefore cannot record the terminal authentication state corresponding to the session. To avoid this as far as possible, and reduce the probability that a state notification message fails to reach the security linkage device, the state notification message may be sent several times. Specifically, a signal flag of 0 may mean that the terminal authentication state has not changed, and a non-zero signal flag that it has changed. For example, when a new session is created on the terminal, the signal flag of the new session is set to N (N being a natural number greater than 1); after one state notification message for the new session is sent, the signal flag is decremented by 1; if the signal flag is still not 0, another state notification message for the new session is sent, and so on until the signal flag reaches 0. For example, if N is 5, the terminal sends the state notification message for the new session 5 times in total.
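An added example, not code from the patent, that simulates both sides of the scheme described above: the terminal's session state flag mapping table with the global signal flag and N-times retransmission (steps S501 to S503), and the security linkage device's session state control table of table 2 (steps S302, S504 and S505). The UDP data-field layout, the "SN" marker standing in for the signal message flag, and the class and function names are assumptions of this example.

```python
import struct

# Constructed values, not from the patent: a marker standing in for the "signal
# message flag" of Fig. 5B, and the "00"/"11" authentication codes of table 2.
SIGNAL_MSG_FLAG = b"SN"
AUTH_PASSED, AUTH_FAILED = 0x00, 0x11


def build_state_notification(sid: str, auth_passed: bool) -> bytes:
    """UDP data field: signal message flag | auth state flag | session identifier."""
    state = AUTH_PASSED if auth_passed else AUTH_FAILED
    sid_bytes = sid.encode()
    return SIGNAL_MSG_FLAG + struct.pack("!BH", state, len(sid_bytes)) + sid_bytes


def parse_state_notification(payload: bytes):
    """Return (sid, auth_passed) for a state notification, None for a data message."""
    if not payload.startswith(SIGNAL_MSG_FLAG) or len(payload) < 5:
        return None
    state, n = struct.unpack("!BH", payload[2:5])
    if len(payload) < 5 + n:
        return None
    return payload[5:5 + n].decode(), state == AUTH_PASSED


class Terminal:
    """Terminal side: session state flag mapping table (table 1) and the global
    signal flag of Fig. 5A. A session's flag is N while notifications are owed."""

    def __init__(self, retries: int = 1):
        self.retries = retries        # N: state notifications sent per change
        self.sessions = {}            # sid -> [signal_flag, auth_passed]
        self.auth_passed = False      # terminal-wide authentication state

    def new_session(self, sid: str) -> None:
        self.sessions[sid] = [self.retries, self.auth_passed]   # new session: flag N

    def set_auth_state(self, passed: bool) -> None:
        if passed != self.auth_passed:        # a change re-arms every session
            self.auth_passed = passed
            for entry in self.sessions.values():
                entry[0], entry[1] = self.retries, passed

    def global_flag(self) -> int:
        # 1 (second flag value) if any session still owes a notification, else 0.
        return 1 if any(e[0] != 0 for e in self.sessions.values()) else 0

    def on_send_data(self, sid: str) -> list:
        """Steps S501-S503: returns the state notifications to send for `sid`."""
        if sid not in self.sessions:
            self.new_session(sid)
        if self.global_flag() == 0:           # S501/S502: nothing changed anywhere
            return []
        entry, out = self.sessions[sid], []
        while entry[0] > 0:                   # send, decrement, repeat until 0
            out.append(build_state_notification(sid, entry[1]))
            entry[0] -= 1
        return out


class SecurityLinkageDevice:
    """Device side: session state control table (table 2), keyed by the session
    identifier the device derives from the post-NAT 5-tuple of each message."""

    def __init__(self):
        self.table = {}                       # sid -> auth_passed

    def receive(self, sid: str, payload: bytes) -> str:
        parsed = parse_state_notification(payload)
        if parsed is not None:                # S504: record the notified state
            self.table[parsed[0]] = parsed[1]
            return "recorded"
        # S505: unknown or unauthenticated sessions are blocked (fail closed).
        return "forward" if self.table.get(sid, False) else "block"


def run_scenario() -> list:
    """Constructed walk-through: one terminal behind NAT, two sessions to
    30.0.0.2:80, N = 2, authentication passes after the first data message."""
    terminal, device = Terminal(retries=2), SecurityLinkageDevice()
    sid1, sid2 = "10.0.1.1:11->30.0.0.2:80", "10.0.1.1:12->30.0.0.2:80"
    log = []
    for msg in terminal.on_send_data(sid1):          # not yet authenticated
        log.append(device.receive(sid1, msg))
    log.append(device.receive(sid1, b"GET / HTTP/1.1"))
    terminal.set_auth_state(True)                    # terminal passes authentication
    for sid in (sid1, sid2):
        for msg in terminal.on_send_data(sid):
            log.append(device.receive(sid, msg))
        log.append(device.receive(sid, b"GET / HTTP/1.1"))
    log.append(len(terminal.on_send_data(sid2)))     # flags are 0: nothing to send
    log.append(terminal.global_flag())
    return log
```

Note that the device fails closed: a session it has never been notified about is blocked, which is what makes the N-times retransmission worth having when a notification is lost.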
Step S504: when the security linkage device receives the state notification message sent by the terminal, it records, according to the state notification message, the terminal authentication state corresponding to the session to which the state notification message belongs.
The process by which the security linkage device records the terminal authentication state of the session on receiving the state notification message may refer to the description in the embodiment above and is not detailed here.
Step S505: the security linkage device processes the data messages of the session sent by the terminal according to the terminal authentication state.
The description of this step may refer to the description of steps S301 and S302 above and is not repeated here.
Furthermore, in embodiments of the present application, the state notification message may be a newly constructed message containing the terminal authentication state, as in the example above, or it may take another form. For example, when step S502 determines from the obtained signal flag that the terminal authentication state has changed, the terminal further confirms whether the terminal authentication state after the change is "authenticated"; if so, it may copy the data message to be sent and send the copy together with the original data message to the security linkage device, or send them one after the other within a preset time interval. In this case the copied data message serves as the state notification message.
If the state notification message is a copied data message, then when the security linkage device receives two identical data messages, i.e. the state notification message and the original data message, at the same time or within a preset time interval such as 1 second, it may consider the terminal authentication state of the session corresponding to the data message to be "authenticated", and continue to forward the data message according to its own security policy. If it receives only one data message at that time or within the preset time interval, it may consider the terminal authentication state of the session corresponding to the data message to be "not authenticated", and discard the data message.
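An added example, not code from the patent, of the security linkage device's decision logic for the copied-data-message variant just described: a message that arrives twice within the preset interval is forwarded, a lone message is dropped once the interval has elapsed. The 1 second window comes from the text; the trace and the function name are constructed for this example.

```python
DUP_WINDOW = 1.0   # seconds; the preset time interval used in the text's example


def classify_by_duplicate(packets, window=DUP_WINDOW):
    """Security linkage device side of the 'copied data message' variant.

    packets: constructed, time-ordered list of (timestamp, session_id, payload).
    Returns [(session_id, decision)] in the order decisions are reached:
    'forward' when an identical message arrived twice within `window`
    (authenticated terminal), 'drop' when only one copy arrived in time.
    """
    pending = {}                 # (sid, payload) -> arrival time of the first copy
    decisions = []

    def expire(now):
        # A single copy older than the window has no partner: not authenticated.
        for key, t0 in list(pending.items()):
            if now - t0 > window:
                decisions.append((key[0], "drop"))
                del pending[key]

    for ts, sid, payload in packets:
        expire(ts)
        key = (sid, payload)
        if key in pending:       # second copy in time: original + "notification"
            decisions.append((sid, "forward"))
            del pending[key]
        else:
            pending[key] = ts    # hold the first copy until its partner or timeout
    expire(float("inf"))         # end of trace: remaining singles time out
    return decisions


# Constructed sample trace (not from the patent).
SAMPLE_TRACE = [
    (0.00, "10.0.1.1:11->30.0.0.2:80", b"GET /a"),
    (0.20, "10.0.1.1:11->30.0.0.2:80", b"GET /a"),   # duplicate within 1 s
    (0.50, "10.0.1.1:12->30.0.0.2:80", b"GET /b"),   # lone message
    (2.00, "10.0.1.1:13->30.0.0.2:80", b"GET /c"),
    (3.50, "10.0.1.1:13->30.0.0.2:80", b"GET /c"),   # copy arrives too late
]
```

The device has to hold every first copy until its partner arrives or the window closes, so this variant adds up to `window` of latency per message and per-session buffer state; the separately constructed message of Fig. 5B avoids both costs.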
With the message processing method of this embodiment, the global signal flag speeds up determining whether the terminal authentication state of a session has changed. After a change of the terminal authentication state of a session is determined, the value of the signal flag can also control the terminal to send the state notification message to the security linkage device several times, which reduces the probability that the security linkage device fails to receive the state notification message because of abnormal conditions, so that the security linkage device can record the terminal authentication state of the session from the received state notification message and process the data messages of each session according to that terminal authentication state. With this approach, the security of a terminal sending a message can still be identified in a NAT architecture, preventing insecure terminals from accessing the enterprise network and threatening its security.
Moreover, the state notification message used in this embodiment to notify the state may be a message newly constructed by the terminal or a data message copied by the terminal; whichever form is used, it is separate from the data messages sent by the terminal. Using a state notification message to notify the security linkage device of the state achieves the purpose of notifying the terminal state without modifying or affecting the original data messages; it is convenient to implement, works better, and avoids errors that modifying the original data messages might cause.
Corresponding to the embodiments of the message processing method above, the present application also provides embodiments of a message processing apparatus.
The embodiments of the message processing apparatus of the present application may be applied in a terminal and in a security linkage device respectively, or in other equipment; the present application does not limit this. The apparatus embodiments may be implemented by software, by hardware, or by a combination of software and hardware. Taking a software implementation as an example, the apparatus in a logical sense is formed by the processor of the equipment in which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. In terms of hardware, Fig. 6 is a hardware structure diagram of equipment in which the message processing apparatus of the present application resides; in addition to the processor 61, memory 63, network interface 62 and non-volatile memory 64 shown in Fig. 6, the equipment in which the apparatus of the embodiment resides may generally include other hardware according to its actual function, which is not repeated here.
Referring to Fig. 7, a block diagram of an embodiment of the message processing apparatus of the present application, the apparatus may include an acquiring unit 71 and a sending unit 72.
The acquiring unit 71 may be used to obtain, when a data message is sent, the signal flag of the session corresponding to the data message.
The sending unit 72 may be used to send, when the signal flag indicates that the terminal authentication state corresponding to the session has changed, a state notification message corresponding to the session to the security linkage device; the state notification message serves to notify the security linkage device of the terminal authentication state, so that the security linkage device processes the data messages of the session according to the terminal authentication state.
Referring to Fig. 8, a block diagram of another embodiment of the message processing apparatus of the present application: on the basis of the apparatus shown in Fig. 7, the acquiring unit 71 may include a first acquiring subunit 711 and a second acquiring subunit 712.
The first acquiring subunit 711 may be used to obtain the global signal flag of the corresponding terminal, the global signal flag indicating whether the terminal authentication state of any session corresponding to the terminal has changed.
The second acquiring subunit 712 may be used to continue to obtain the signal flag of the session corresponding to the data message when the global signal flag indicates that a session with a changed terminal authentication state exists.
The apparatus may further include a flag changing unit 73.
The flag changing unit 73 may be used to change the global signal flag to a first flag value when the signal flags corresponding to all sessions indicate that the terminal authentication state has not changed, the first flag value meaning that no session with a changed terminal authentication state exists; and to change the global signal flag to a second flag value when the terminal authentication state changes, the second flag value meaning that a session with a changed terminal authentication state exists.
The sending unit 72 may include a constructing-and-sending subunit 721, a sending subunit 722 and an updating subunit 723.
The constructing-and-sending subunit 721 may be used to construct the state notification message corresponding to the session and send it to the security linkage device; the state notification message carries a terminal authentication state flag, which indicates whether the terminal has passed authentication, and a signal message flag, which enables the security linkage device to recognise the received message as a state notification message.
The sending subunit 722 may be used to send N state notification messages corresponding to the session to the security linkage device when the signal flag indicates that the terminal authentication state has changed and the value of the signal flag is N, N being a natural number not less than 1.
The updating subunit 723 may be used to decrement the signal flag value corresponding to the session by 1 each time one state notification message corresponding to the session is sent to the security linkage device, until it is 0.
Referring to Fig. 9, a block diagram of another embodiment of the message processing apparatus of the present application: on the basis of the apparatus shown in Fig. 7, and differing from the apparatus shown in Fig. 8, the sending unit 72 does not include the constructing subunit 721 but includes a copying-and-sending subunit 724.
The copying-and-sending subunit 724 is used to copy the data message when the terminal authentication state after the change is the authenticated state, and to send the copied data message to the security linkage device.
Referring to Fig. 10, a block diagram of another embodiment of the message processing apparatus of the present application, the apparatus may include a recording unit 101 and a processing unit 102.
The recording unit 101 may be used, when a state notification message sent by the terminal is received, to record according to the state notification message the terminal authentication state corresponding to the session to which the state notification message belongs.
The processing unit 102 may be used to process the data messages of the session sent by the terminal according to the terminal authentication state.
The implementation of the functions and effects of the units in the apparatus above corresponds to the implementation of the corresponding steps in the method above and is not repeated here.
Since the apparatus embodiments essentially correspond to the method embodiments, the relevant parts may refer to the description of the method embodiments. The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over several network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present application. Those of ordinary skill in the art can understand and implement this without creative effort.
The above are merely preferred embodiments of the present application and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present application shall fall within the scope of protection of the present application.
Claims (14)
1. A method for processing a message, characterised in that the method includes:
when sending a data message, obtaining the signal flag of the session corresponding to the data message;
if the signal flag indicates that the terminal authentication state corresponding to the session has changed, sending a state notification message corresponding to the session to a security linkage device, the state notification message serving to notify the security linkage device of the terminal authentication state, so that the security linkage device processes the data messages of the session according to the terminal authentication state.
2. The method according to claim 1, characterised in that obtaining the signal flag of the session corresponding to the data message includes:
obtaining the global signal flag of the corresponding terminal, the global signal flag indicating whether the terminal authentication state of any session corresponding to the terminal has changed;
if the global signal flag indicates that a session with a changed terminal authentication state exists, continuing to obtain the signal flag of the session corresponding to the data message.
3. The method according to claim 2, characterised in that the method further includes:
when the signal flags corresponding to all sessions indicate that the terminal authentication state has not changed, changing the global signal flag to a first flag value, the first flag value indicating that no session with a changed terminal authentication state exists;
when the terminal authentication state changes, changing the global signal flag to a second flag value, the second flag value indicating that a session with a changed terminal authentication state exists.
4. The method according to claim 1, characterised in that sending the state notification message corresponding to the session to the security linkage device includes:
constructing the state notification message corresponding to the session and sending the state notification message to the security linkage device, the state notification message carrying a terminal authentication state flag and a signal message flag, the terminal authentication state flag indicating whether the terminal has passed authentication, and the signal message flag enabling the security linkage device to recognise the received message as a state notification message.
5. The method according to claim 1, characterised in that sending the state notification message corresponding to the session to the security linkage device includes:
if the terminal authentication state after the change is the authenticated state, copying the data message and sending the copied data message to the security linkage device.
6. The method according to claim 1, characterised in that, if the signal flag indicates that the terminal authentication state corresponding to the session has changed, sending the state notification message corresponding to the session to the security linkage device includes:
when the signal flag indicates that the terminal authentication state has changed and the value of the signal flag is N, sending N state notification messages corresponding to the session to the security linkage device, N being a natural number not less than 1;
each time one state notification message corresponding to the session is sent to the security linkage device, decrementing the signal flag value corresponding to the session by 1, until it is 0.
7. A method for processing a message, characterised in that the method includes:
when receiving a state notification message sent by a terminal, recording, according to the state notification message, the terminal authentication state corresponding to the session to which the state notification message belongs;
processing the data messages of the session sent by the terminal according to the terminal authentication state.
8. An apparatus for processing a message, characterised in that the apparatus includes:
an acquiring unit, for obtaining, when a data message is sent, the signal flag of the session corresponding to the data message;
a sending unit, for sending, when the signal flag indicates that the terminal authentication state corresponding to the session has changed, a state notification message corresponding to the session to a security linkage device, the state notification message serving to notify the security linkage device of the terminal authentication state, so that the security linkage device processes the data messages of the session according to the terminal authentication state.
9. The apparatus according to claim 8, characterised in that the acquiring unit includes:
a first acquiring subunit, for obtaining the global signal flag of the corresponding terminal, the global signal flag indicating whether the terminal authentication state of any session corresponding to the terminal has changed;
a second acquiring subunit, for continuing to obtain the signal flag of the session corresponding to the data message when the global signal flag indicates that a session with a changed terminal authentication state exists.
10. The apparatus according to claim 9, characterised in that the apparatus further includes:
a flag changing unit, for changing the global signal flag to a first flag value when the signal flags corresponding to all sessions indicate that the terminal authentication state has not changed, the first flag value indicating that no session with a changed terminal authentication state exists;
and for changing the global signal flag to a second flag value when the terminal authentication state changes, the second flag value indicating that a session with a changed terminal authentication state exists.
11. The apparatus according to claim 8, characterised in that the sending unit includes:
a constructing-and-sending subunit, for constructing the state notification message corresponding to the session and sending the state notification message to the security linkage device, the state notification message carrying a terminal authentication state flag and a signal message flag, the terminal authentication state flag indicating whether the terminal has passed authentication, and the signal message flag enabling the security linkage device to recognise the received message as a state notification message.
12. The apparatus according to claim 8, characterised in that the sending unit includes:
a copying-and-sending subunit, for copying the data message when the terminal authentication state after the change is the authenticated state, and sending the copied data message to the security linkage device.
13. The apparatus according to claim 8, characterised in that the sending unit includes:
a sending subunit, for sending N state notification messages corresponding to the session to the security linkage device when the signal flag indicates that the terminal authentication state has changed and the value of the signal flag is N, N being a natural number not less than 1;
an updating subunit, for decrementing the signal flag value corresponding to the session by 1 each time one state notification message corresponding to the session is sent to the security linkage device, until it is 0.
14. An apparatus for processing a message, characterised in that the apparatus includes:
a recording unit, for recording, when a state notification message sent by a terminal is received, according to the state notification message, the terminal authentication state corresponding to the session to which the state notification message belongs;
a processing unit, for processing the data messages of the session sent by the terminal according to the terminal authentication state.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610072814.5A CN105939401B (en) | 2016-02-02 | 2016-02-02 | Handle the method and device of message |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105939401A true CN105939401A (en) | 2016-09-14 |
CN105939401B CN105939401B (en) | 2019-11-08 |
Family
ID=57152912
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610072814.5A Active CN105939401B (en) | 2016-02-02 | 2016-02-02 | Handle the method and device of message |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105939401B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1716869A (en) * | 2004-06-30 | 2006-01-04 | 联想(北京)有限公司 | Network safety equipment synchronizing method under cluster mode |
CN1753364A (en) * | 2005-10-26 | 2006-03-29 | 杭州华为三康技术有限公司 | Method of controlling network access and its system |
CN101188851A (en) * | 2006-11-17 | 2008-05-28 | 中兴通讯股份有限公司 | Access control method for mobile terminal |
CN101631078A (en) * | 2009-08-24 | 2010-01-20 | 杭州华三通信技术有限公司 | Message control method and access equipment in endpoint admission defense |
CN104618522A (en) * | 2014-12-22 | 2015-05-13 | 迈普通信技术股份有限公司 | Automatic updating method for IP address of terminal and Ethernet access device |
Events: 2016-02-02 CN CN201610072814.5A patent CN105939401B (en), status Active
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107872446A (en) * | 2016-09-28 | 2018-04-03 | 腾讯科技(深圳)有限公司 | Communication account management method, device and server |
CN107872446B (en) * | 2016-09-28 | 2020-07-24 | 腾讯科技(深圳)有限公司 | Communication account management method and device and server |
CN114221814A (en) * | 2021-12-16 | 2022-03-22 | 上海市共进通信技术有限公司 | System, method, device, processor and computer readable storage medium for realizing terminal equipment safe opening of special service |
CN114221814B (en) * | 2021-12-16 | 2023-10-27 | 上海市共进通信技术有限公司 | System, method, device, processor and computer readable storage medium for realizing terminal equipment safety starting special service |
Also Published As
Publication number | Publication date |
---|---|
CN105939401B (en) | 2019-11-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8200798B2 (en) | Address security in a routed access network | |
CN104901955B (en) | Early-warning method, device and processing server | |
CN112347485B (en) | Processing method for vulnerability acquisition and automated penetration with multiple engines | |
CN106034104A (en) | Verification method, verification device and verification system for network application access | |
CN105939326A (en) | Message processing method and device | |
CN102227115B (en) | Method and device for limiting user access | |
CN105939239A (en) | Data transmission method and device for a virtual network interface card | |
CN104935551B (en) | Web page tamper-protection device and method | |
CN109067784A (en) | Method and apparatus for anti-fraud in a VXLAN | |
CN106060097B (en) | Management system and management method for an information security competition | |
CN105959282A (en) | Protection method and device against DHCP attacks | |
CN106506726A (en) | Method for verifying real DNS users | |
CN108092976A (en) | Device-fingerprint construction method and device | |
CN107995321A (en) | Method and device for a VPN client to proxy DNS | |
CN104410642B (en) | Device access sensing method based on the ARP protocol | |
CN108574673A (en) | ARP message attack detection method and device applied to a gateway | |
CN109413017A (en) | Method and system for managing heterogeneous firewalls | |
CN105939401A (en) | Method and device for processing message | |
CN110912898A (en) | Method and device for disguising equipment assets, electronic equipment and storage medium | |
US9678772B2 (en) | System, method, and computer-readable medium | |
CN104683497B (en) | Community network addressing method and device | |
CN114070624B (en) | Message monitoring method, device, electronic equipment and medium | |
CN115883574A (en) | Access equipment identification method and device in an industrial control network | |
CN109587134A (en) | Method, apparatus, device and medium for security authentication of an interface bus | |
CN104243254B (en) | PPPoE access method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | | Address after: 6th floor of the building at No. 68, Binjiang District, Hangzhou, Zhejiang Province, 310051. Applicant after: Hangzhou Dipu Polytron Technologies Inc. Address before: same as above. Applicant before: Hangzhou Dipu Technology Co., Ltd. |
GR01 | Patent grant | | |