CN108616490A - Network access control method, apparatus and system - Google Patents

Network access control method, apparatus and system

Info

Publication number: CN108616490A
Authority: CN (China)
Prior art keywords: address information, network access, control device, proxy server, visited
Legal status: Granted (the status shown by Google Patents is an assumption, not a legal conclusion)
Application number: CN201611146932.2A
Other languages: Chinese (zh)
Other versions: CN108616490B (en)
Inventors: 潘林锋, 罗根
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201611146932.2A (granted as CN108616490B)
Priority to PCT/CN2017/112080 (published as WO2018107943A1)
Publication of CN108616490A; application granted and published as CN108616490B
Legal status: Active

Classifications

    • H04L 9/40 Network security protocols (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
    • H04L 63/101 Access control lists [ACL] (H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/10 ... for controlling access to devices or network resources)
    • H04L 63/0281 Proxies (H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 ... for separating internal from external traffic, e.g. firewalls)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An embodiment of the present invention provides a network access control system comprising a client, a network control device, a proxy server and a service server. The client sends a network access request to the network control device; the network control device judges whether the target address information belongs to a first white list and, if so, forwards the network access request to the proxy server corresponding to that target address information. The proxy server judges whether the address information of the service server to be visited belongs to a second white list and, if so, forwards the network access request to that service server. The network access method provided by the invention therefore only requires the address information and port of the proxy server to be configured at the network control device, and the address information and ports of the permitted service servers to be configured at the proxy server, which simplifies the configuration an enterprise network administrator must perform on the network control device.

Description

Network access control method, apparatus and system
Technical field
The present invention relates to the technical field of data processing, and in particular to a network access control method, apparatus and system.
Background
With the continuous development of science and technology, users' need to access the network has become increasingly common. Enterprises, however, need to control access to their corporate networks for several purposes.
For example, an enterprise may forbid its staff from browsing news, shopping online or playing games during working hours in order to improve their working efficiency; it may also forbid staff from leaking vital company secrets or internal documents over the network, or prevent external malicious users from intruding into the company's internal network and stealing company secrets.
Therefore, as shown in Figure 1, the enterprise network administrator A typically controls access to the enterprise network by configuring black and white lists on the network control device 1 (such as a switch, router or firewall) at the exit of the enterprise network.
The inventors found that enterprises concentrate the control of external network access at the exit device of the enterprise network. However, the black and white lists usually contain a large amount of information such as user IPs, domain names and network addresses, and this information changes frequently as the servers of software-as-a-service (SaaS) providers are upgraded and maintained. If the enterprise network administrator is not notified in time to reset the parameters of the network control device at the network exit, or sets the parameters incorrectly, the enterprise network may no longer be accessible. Existing enterprise network control is therefore rather troublesome and places high skill requirements on the enterprise network administrator.
How to provide a network access control method, apparatus and system that can control the network access of enterprise staff while simplifying the settings at the enterprise network exit has therefore become a problem that those skilled in the art need to consider.
Summary of the invention
In view of this, embodiments of the present invention provide a network access control method, apparatus and system that can control the network access of enterprise staff while simplifying the settings at the enterprise network exit.
To achieve the above object, embodiments of the present invention provide the following technical solutions:
A network access control system, including a client, a network control device, a proxy server and a service server, wherein:
the client sends a network access request to the network control device, the network access request including the address information of the service server to be visited and target address information, the target address information being the address information of a preconfigured proxy server;
the network control device judges whether the target address information belongs to a first white list and, if so, sends the network access request to the proxy server corresponding to the target address information, the first white list including a list of the address information of the proxy servers that are allowed to be accessed;
the proxy server judges whether the address information of the service server to be visited belongs to a second white list and, if so, sends the network access request to the service server to be visited, the second white list including a list of the address information of the service servers that are allowed to be accessed.
A network access control method, including:
receiving a network access request sent by a network control device, the network access request including the address information of the service server to be visited and target address information, the target address information being the address information of a preconfigured proxy server;
the network access request being one whose target address information belongs to a first white list, the first white list including a list of the address information of the proxy servers that are allowed to be accessed;
judging whether the address information of the service server to be visited belongs to a second white list and, if so, sending the network access request to the service server to be visited, the second white list including a list of the address information of the service servers that are allowed to be accessed.
A network access control device, including:
a first receiving module for receiving a network access request sent by a network control device, the network access request including the address information of the service server to be visited and target address information, the target address information being the address information of a preconfigured proxy server;
the network access request being one whose target address information belongs to a first white list, the first white list including a list of the address information of the proxy servers that are allowed to be accessed;
a judgment module for judging whether the address information of the service server to be visited belongs to a second white list and, if so, sending the network access request to the service server to be visited, the second white list including a list of the address information of the service servers that are allowed to be accessed.
It can be seen that the network access control system provided in this embodiment only requires the address information and port of the proxy server to be configured at the network control device, and the address information and ports of the permitted service servers to be configured at the proxy server, which simplifies the configuration an enterprise network administrator must perform on the network control device.
Description of the drawings
In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed to describe the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is application interface schematic diagram in the prior art;
Fig. 2 is a kind of structure diagram of network access control system provided in an embodiment of the present invention;
Fig. 3 is a kind of signaling process figure of network access control system provided in an embodiment of the present invention;
Fig. 4 is the signaling process figure of another network access control system provided in an embodiment of the present invention;
Fig. 5 is the structural schematic diagram of network access control device provided in an embodiment of the present invention;
Fig. 6 is the structural schematic diagram of another network access control device provided in an embodiment of the present invention;
Fig. 7 is the structural schematic diagram of another network access control device provided in an embodiment of the present invention;
Fig. 8 is the structural schematic diagram of another network access control device provided in an embodiment of the present invention;
Fig. 9 is the structural schematic diagram of another network access control device provided in an embodiment of the present invention;
Figure 10 is the hardware block diagram of network access control device provided in an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments, without creative effort, fall within the scope of protection of the present invention.
An embodiment of the present invention provides a network access control system comprising a client, a network control device, a proxy server and a service server. The client sends a network access request to the network control device; the network control device judges whether the target address information belongs to a first white list and, if so, forwards the network access request to the proxy server corresponding to the target address information. The proxy server judges whether the address information of the service server to be visited belongs to a second white list and, if so, forwards the network access request to the service server to be visited. It can be seen that the network access method provided by the invention only requires the address information and port of the proxy server to be configured at the network control device, and the address information and ports of the permitted service servers to be configured at the proxy server, which simplifies the configuration an enterprise network administrator must perform on the network control device.
Referring to Fig. 2, which is a structure diagram of a network access control system provided by an embodiment of the present invention, the network access control method provided by the embodiment can be implemented on the system shown in Fig. 2. With reference to Fig. 2, the network access control system provided by the embodiment may include a client 2, a network control device 1, a proxy server 3 and a service server 4.
The client 2 may be a client device used by at least one enterprise employee B to send service requests, such as a notebook, desktop computer, tablet computer or mobile phone used by the employee to go online. The network control device 1 may be a device located at the exit of the enterprise network, such as a switch, router or firewall device. The proxy server can be thought of as a further server placed between the network control device 1 and the service server 4.
In general, when an enterprise employee browses a web page, the client accesses the service server as needed; after the service server receives the web access request it sends the information of the requested site to the client for the user to browse.
After a proxy server is introduced, however, when an enterprise employee wants to access a site resource, the client first sends the web access request to the proxy server, and the proxy server then fetches the information to be accessed and returns it to the client. It should be noted that the proxy server side can identify the user's identity and implement network access control and the like.
The service server 4 may be a single server, a server farm made up of multiple servers, or a cloud computing service centre. The service server 4 is used to download network data resources, such as game data or software application data (QQ, WeChat, etc.).
Specifically, based on the system shown in Fig. 2, Fig. 3 shows the signaling flow diagram of the network access control system provided by an embodiment of the present invention. The network access control system includes a client 2, a network control device 1, a proxy server 3 and a service server 4, and the signaling interaction may include:
Step S100: the client sends a network access request to the network control device.
The network access request may include the address information of the client, the address information of the service server to be visited, the data content to be transmitted and target address information, where the target address information is the address information of the proxy server. It should be noted that in this embodiment the enterprise employee needs to preconfigure, on the client, the information of the proxy server to be used for network access. In this way, when the client sends a network access request it can preprocess the original request: in addition to the client's address information, the address information of the service server to be visited and the data content to be transmitted already contained in the original access request, it adds the relevant information of the proxy server, such as the proxy server's address information.
Step S101: the network control device judges whether the target address information satisfies a first preset condition and, if so, sends the network access request to the proxy server corresponding to the target address information.
It should be noted that before the network control device is used, the enterprise network administrator needs to configure its white list. The white list in this scheme differs from the white list of the prior art: the white list in this scheme only needs to list the address information of the proxy servers that are allowed to be used, whereas the prior-art white list needs to contain the address information, port information and other data of every service server that is allowed to be accessed. Depending on the kinds of service involved, the prior-art white list configured on the network control device has many entries. For instance, if an enterprise allows its clients to access Tencent Video, QQ and WeChat, the prior-art white list must record at least the address information and port information of the service server corresponding to Tencent Video, of the service server corresponding to QQ, and of the service server corresponding to WeChat.
Of course, the more network access services the enterprise permits, the more service server address information the network administrator has to configure in the white list of the current network control device. Since there are many kinds of service, the enterprise network administrator has to manage and maintain a correspondingly large amount of white list data. Moreover, from the service provider's point of view, service servers may be updated and upgraded at any time in order to provide a better service, so the address information and port of a service server may change; the enterprise network administrator must then modify the address information and port information of that service server in the white list of the network control device, otherwise the service server can no longer be accessed normally.
In this embodiment, by contrast, the enterprise network administrator only needs to configure the address information of the proxy server in the white list. The network control device then judges whether the target address information sent by the client is the address information of a permitted proxy server recorded in the network control device's white list. If so, the network control device lets the network access request through, i.e. it sends the request on to the proxy server corresponding to the target address information. If the target address information sent by the client is not the address information of a permitted proxy server recorded in the white list of the network control device, the network control device may simply ignore the network access request, or return a response message indicating an access error to the client. Other preset actions may of course be performed, which can be set according to the actual needs of the enterprise.
It is worth noting that in this step, when the network control device judges that the target address information sent by the client belongs to the address information of the permitted proxy servers recorded in its white list, it needs to send the network access request on to the proxy server corresponding to the target address information. At this point, since a client inside the enterprise is sending a network access request to the outside of the enterprise, the client's address information and port information can be replaced with the address information and port information of the network control device, so that the IP addresses of the LAN are unified into the enterprise's external public IP. For example, if the IP address of client 2a is "10.168.23.100" with port "1000" and the IP address of client 2b is "10.168.23.99" with port "1000", then whenever the target address information in the network access request of either client 2a or client 2b belongs to the white list, the IP address information of that request is converted into the IP address information of the network control device. Tracking information is recorded at the same time, i.e. the mapping relationship between the client's address information and the network control device's address information.
Step S102: the proxy server judges whether the address information of the service server to be visited satisfies a second preset condition and, if so, sends the network access request to the service server to be visited.
After receiving the network access request the proxy server parses it. As described above, on the client side the network access request may include the address information of the client, the address information of the service server to be visited, the data content to be transmitted and target address information, where the target address information is the address information of the proxy server. After passing through the enterprise's network control device, however, the client's own address information in the request has been converted into the address information of the network control device, so at this point the network access request includes the address information of the network control device, the address information of the service server to be visited and the data content to be transmitted.
When the proxy server judges that the address information of the service server to be visited belongs to the address information of the permitted service servers recorded in the proxy server's white list, it needs to send the network access request on to the service server corresponding to that address information.
When the proxy server judges that the address information of the service server to be visited does not belong to the address information of the permitted service servers recorded in its white list, the proxy server may simply ignore the network access request, or return a response message indicating an access error to the network control device, which then sends the response message to the client.
In summary, the network access control system provided in this embodiment only requires the address information and port of the proxy server to be configured at the network control device, and the address information and ports of the permitted service servers to be configured at the proxy server, which simplifies the enterprise network administrator's configuration of the network control device. Moreover, because the white list of permitted service server addresses is configured at the proxy server, when a SaaS provider upgrades or maintains its service servers only the SaaS provider's own professionals need to update the white list on the proxy server; this ensures the white list is updated promptly and accurately without any action by the enterprise network administrator. When the network control devices of several enterprises use the same proxy server and the address information of a certain service server changes, the corresponding address information in the different enterprises' white lists on the proxy server need only be changed once, in a unified way. For example, suppose the proxy server corresponding to enterprise A's network control device is proxy server A and the proxy server corresponding to enterprise B's network control device is also proxy server A; the white list enterprise A needs to maintain includes QQ and WeChat, while the white list enterprise B needs to maintain includes QQ and Tencent Video. When the address information of the service server corresponding to QQ changes after an upgrade, the proxy server replaces the address of QQ's service server without any action by the enterprise network administrators. In the prior art, by contrast, enterprise A's network administrator would have to change the address information of QQ's service server in the white list of its network control device, and enterprise B's network administrator would likewise have to change the address information of QQ's service server in the white list of its network control device, which is considerably more work.
Another embodiment of the application describes the data feedback flow of the network access system. Referring to Fig. 4, the flow includes:
Step S103: the service server to be visited generates feedback data based on the data content to be transmitted, and sends the feedback data to the proxy server.
Step S104: the proxy server looks up, in the second mapping table, the address information of the network control device corresponding to the proxy server's address information, and sends the feedback data to the network control device found.
Step S105: the network control device looks up, in the first mapping table, the address information of the client corresponding to the network control device's address information, and sends the feedback data to the client found.
It should be noted that the data feedback process can be understood as backtracking along the original path. Because the network control device and the proxy server have already screened the received address information against their white lists during the network access, there is no need to compare the current address information against the white lists again when the data returns. Finally the feedback data is delivered to the client.
Specifically, this embodiment gives a detailed example using the network access control system provided by the invention. Assume the network control device is a switch and that:
a. the client's intranet address is "10.168.23.100", port 1000;
b. the exit network address of the enterprise network is "183.61.38.179", port 1001;
c. the SaaS service proxy server's network address is 180.149.32.47, port 8080; it supports SOCKS v5 and requires no account verification;
d. the network address of SaaS service server 1 is 140.205.94.189, port 443;
e. the domain name of SaaS service server 2 is b.qq.com, port 80.
On the basis of the above address information, the network browsing process is as follows:
1. The SaaS provider configures the white list for network access on the proxy server, similar to the following:
Destination server white list:
ip: 140.205.94.189, port: 443;
domain name: b.qq.com, port: 80;
The concrete form depends on the configuration standard of the actual proxy server. The above configuration means that a packet whose destination address is one of the white list entries is a legal packet.
2. The enterprise administrator enters the administration page of the enterprise's switch and configures a white list similar to the following:
Destination server white list:
ip: 180.149.132.47, port: 8080;
3. An enterprise employee configures the SaaS application client to use the proxy server, similar to the following:
Network settings:
Type: SOCKS v5, address: 180.149.32.47, port 8080.
4. The client needs to send the content "Hello" to SaaS service server 1 (140.205.94.189:443). The raw packet contains: source address 10.168.23.100, port 1000, destination address 140.205.94.189, port 443 and the packet content "Hello". Because the client is configured to use a proxy, every packet sent by the client is wrapped in an extra layer of encapsulation around the original data, carrying the relevant information (including the proxy server's destination address 180.149.32.47, port 8080, proxy protocol version information, etc.). The new packet is instead sent to the proxy server's network address (180.149.32.47:8080).
5. The switch judges the destination address of the new packet. Because the destination network address (180.149.32.47:8080) is already configured in the white list, the packet is considered legal and is allowed to pass. Because data is being sent from inside the enterprise network, NAT address translation is required: the source port number (1000) and private source IP address (10.168.23.100) in the packet are converted into the switch's own port number (1001) and public IP address (183.61.38.179), and the packet is then sent to the destination host on the external network (180.149.32.47:8080). At the same time a tracking entry (10.168.23.100:1000--183.61.38.179:1001) is recorded in the address translation mapping table. The new source address is legal and unique on the Internet and can be routed to correctly.
6. After the proxy server receives the data request, it parses the real body data in the packet, which includes the replaced source address 183.61.38.179, new port 1001, destination address 140.205.94.189, port 443 and the packet content "Hello". Because the destination address and port combination (140.205.94.189:443) is in the white list, the packet is judged legal and can be forwarded normally to the destination address. The proxy server replaces the source address in the packet with 180.149.32.47 and the port with 1002, and records the mapping relationship (183.61.38.179:1001--180.149.32.47:1002). In the new packet the sender information is thus completely replaced by that of the proxy server.
7. After the SaaS service server has processed the above data, it needs to return the data "Reply" to the client, and organizes a corresponding packet containing: source address 140.205.94.189, port 443, destination address 180.149.32.47 (the proxy server address), port 8080, and the packet content "Reply".
8. After the proxy server receives the data returned by the service server, it finds the real target network address from the mapping relationship it maintains internally and replaces the destination address in the packet (the proxy server address) with the actual target address information, i.e. 183.61.38.179:1001. It then adds a layer of encapsulation to the data returned by the server, adding the proxy server's information (source address 180.149.32.47, port 8080, proxy protocol version information, etc.), and sends the data to the target network address, i.e. the enterprise's exit IP address.
9. The packet returned by the proxy server passes through the switch, which judges the packet's source address. Because the source address is the proxy server address, the packet is allowed through. Similarly, this step also requires NAT address translation: according to the record in the mapping table, the port number (1001) and public IP address (183.61.38.179) of the received packet are converted into the port number (1000) of the destination host and its private IP address in the internal network (10.168.23.100), and the packet is forwarded to the destination host.
10. After the client receives the packet, it parses the real packet content, which mainly includes source address 140.205.94.189, port 443 and the packet content "Reply", thereby receiving the data returned by SaaS service server 1.
The above describes, with a concrete example, the case in which the client accesses a permitted network address. The case in which the client accesses a network address that is not permitted is described next, as follows:
Assume that the white-list configuration of steps 1 and 2 in case 1 has been completed.
1. An employee configures a proxy server in a forbidden client such as Sina Weibo. The proxy configuration is similar to the following:
Type: SOCKS V5, address: 180.149.32.47, port: 8080.
2. The client needs to send the content "Hello" to Sina Weibo service server 1 (100.100.10.10:443). The raw packet contains the following: source address 10.168.23.100, port 8000, destination address 100.100.10.10, port 443, and the message content "Hello". Because the proxy service is configured, every packet from the client is wrapped in one layer of encapsulation around the original data, adding the proxy server's information (destination address 180.149.32.47, port 8080, proxy protocol version, etc.). The new packet is instead sent to the proxy server's network address (180.149.32.47:8080).
3. As in case 1, the switch considers the requested destination address legitimate and forwards the packet normally.
4. When the proxy server receives the request, it parses out the actual target address 100.100.10.10, port 443. Because this destination address and port combination (100.100.10.10:443) is not in the white list, the packet is judged illegitimate and is simply discarded.
5. The client cannot receive a reply from Sina Weibo, so the network application is successfully restricted.
Another example:
Assume that the white-list configuration of steps 1 and 2 in case 1 has been completed.
1. An employee wants to use a forbidden client such as a browser, but has not configured a proxy server.
2. The employee uses the browser to access http://www.taobao.com.
3. The switch determines that the destination address (www.taobao.com) was not configured in the white list, judges the requested destination address illegitimate, and discards the packet directly.
4. The client cannot receive a reply from Taobao, so the network application is successfully restricted.
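The permitted case and the two denied cases above, run end to end as an added example (this is not code from the patent): a Python simulation of the switch with the first white list and its NAT table, and of the proxy server with the second white list and its own mapping table. The addresses and ports are those of the worked example; the proxy extracts the real destination from a SOCKS5 CONNECT request (RFC 1928, IPv4 address type only), and the class and function names, the port allocation and the way the reply is re-encapsulated are assumptions of this example. The switch here matches the literal destination string; a real device would see the resolved IP of www.taobao.com rather than the hostname, which is why an IP:port white list is what the patent configures.

```python
import ipaddress
import struct
from dataclasses import dataclass, replace

# Addresses are the ones in the patent's worked example; all names below are assumed.
CLIENT_IP, CLIENT_PORT = "10.168.23.100", 1000   # client inside the enterprise LAN
SWITCH_PUBLIC_IP = "183.61.38.179"                # enterprise egress (NAT) address
PROXY_IP, PROXY_PORT = "180.149.32.47", 8080      # proxy configured on the clients
SAAS_SERVER = ("140.205.94.189", 443)             # allowed business server
FORBIDDEN_SERVER = ("100.100.10.10", 443)         # Sina Weibo server, not allowed

FIRST_WHITELIST = {(PROXY_IP, PROXY_PORT)}         # on the switch: proxy addresses only
SECOND_WHITELIST = {SAAS_SERVER}                  # on the proxy: business servers only


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def socks5_frame(code: int, host: str, port: int) -> bytes:
    """VER=5, CMD/REP=code, RSV, ATYP=1 (IPv4), ADDR, PORT (RFC 1928 sections 4 and 6)."""
    return bytes([5, code, 0, 1]) + ipaddress.IPv4Address(host).packed + struct.pack("!H", port)


def parse_socks5(data: bytes) -> tuple[str, int, bytes]:
    """Return (host, port, rest) from an IPv4 SOCKS5 request or reply; rest is app data."""
    if len(data) < 10 or data[0] != 5 or data[3] != 1:
        raise ValueError("not an IPv4 SOCKS5 message")
    host = str(ipaddress.IPv4Address(data[4:8]))
    return host, struct.unpack("!H", data[8:10])[0], data[10:]


class Switch:
    """Network control device: first white list plus the NAT mapping table (steps 5 and 9)."""
    def __init__(self):
        self.nat = {}                 # public port -> (private ip, private port)
        self.next_port = 1001

    def outbound(self, pkt):
        if (pkt.dst, pkt.dport) not in FIRST_WHITELIST:   # destination is not a listed proxy
            return None
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.nat[pub_port] = (pkt.src, pkt.sport)         # 10.168.23.100:1000 -> 183.61.38.179:1001
        return replace(pkt, src=SWITCH_PUBLIC_IP, sport=pub_port)

    def inbound(self, pkt):
        # Only replies from a listed proxy to a port that was actually mapped are translated back.
        if (pkt.src, pkt.sport) not in FIRST_WHITELIST or pkt.dport not in self.nat:
            return None
        priv_ip, priv_port = self.nat[pkt.dport]
        return replace(pkt, dst=priv_ip, dport=priv_port)


class Proxy:
    """Proxy server: second white list on the unwrapped destination, own mapping table (steps 6 and 8)."""
    def __init__(self):
        self.mapping = {}             # proxy port -> (switch public ip, switch port)
        self.next_port = 1002

    def forward(self, pkt):
        host, port, data = parse_socks5(pkt.payload)      # the real destination
        if (host, port) not in SECOND_WHITELIST:          # not an allowed business server
            return None
        out_port, self.next_port = self.next_port, self.next_port + 1
        self.mapping[out_port] = (pkt.src, pkt.sport)     # 183.61.38.179:1001 -> 180.149.32.47:1002
        return Packet(PROXY_IP, out_port, host, port, data)

    def back(self, reply):
        if reply.dport not in self.mapping:
            return None
        sw_ip, sw_port = self.mapping[reply.dport]
        # Re-encapsulate: origin server carried inside, proxy address as the outer source.
        return Packet(PROXY_IP, PROXY_PORT, sw_ip, sw_port,
                      socks5_frame(0, reply.src, reply.sport) + reply.payload)


def run_case(target, use_proxy=True, switch=None, proxy=None):
    """Drive one request through switch -> proxy -> server and back; report the outcome."""
    switch, proxy = switch or Switch(), proxy or Proxy()
    if use_proxy:   # client wraps the real target in a SOCKS5 CONNECT addressed to the proxy
        pkt = Packet(CLIENT_IP, CLIENT_PORT, PROXY_IP, PROXY_PORT,
                     socks5_frame(1, *target) + b"Hello")
    else:           # no proxy configured: the packet goes straight to the target
        pkt = Packet(CLIENT_IP, CLIENT_PORT, target[0], target[1], b"Hello")
    out = switch.outbound(pkt)
    if out is None:
        return ("dropped_at_switch",)
    fwd = proxy.forward(out)
    if fwd is None:
        return ("dropped_at_proxy",)
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport, b"Reply")   # step 7: server answers
    delivered = switch.inbound(proxy.back(reply))
    origin, oport, data = parse_socks5(delivered.payload)              # client unwraps the reply
    return ("allowed", origin, oport, data, (delivered.dst, delivered.dport))
```

`run_case(SAAS_SERVER)` reproduces steps 5 to 10, `run_case(FORBIDDEN_SERVER)` the Sina Weibo case and `run_case(("www.taobao.com", 80), use_proxy=False)` the browser case. Note the check in `Switch.inbound`: the NAT table is only consulted for packets whose source is a white-listed proxy, so a host outside the list cannot reach an internal client by guessing a mapped port.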
The network access control device provided in the embodiment of the present invention is described below; the network access control device described below and the network access control system described above may be referred to in correspondence with each other.
Fig. 5 is a structural block diagram of the network access control device provided in the embodiment of the present invention. Referring to Fig. 5, the device may include:
a first receiving module 100, configured to receive a network access request sent by the network control device, the network access request including: the address information of the service server to be accessed and target address information, the target address information being the address information of a preconfigured proxy server;
the network access request being an access request whose target address information belongs to a first white list, the first white list including a list of the address information of proxy servers that are allowed to be accessed;
a judgment module 200, configured to judge whether the address information of the service server to be accessed belongs to a second white list and, if so, to send the network access request to the service server to be accessed, the second white list including a list of the address information of service servers that are allowed to be accessed.
Optionally, as shown in Fig. 6, the device further includes:
a processing module 300, configured to replace the address information of the network control device with the target address information, and to generate a second mapping table of the address information of the network control device and the target address information.
Optionally, as shown in Fig. 7, the device further includes:
a sending module 400, configured to send the data content to be transmitted to the service server to be accessed.
Optionally, as shown in Fig. 8, the device further includes:
a second receiving module 500, configured to receive the feedback data generated by the service server to be accessed based on the data content to be transmitted.
Optionally, as shown in Fig. 9, the device further includes:
a searching module 600, configured to look up, according to the second mapping table, the address information of the network control device corresponding to the address information of the proxy server;
and to send the feedback data to the network control device corresponding to the found address information of the network control device.
The embodiment of the present invention also provides a network access control apparatus, which may include the network access control device described above.
Optionally, Fig. 10 shows a hardware block diagram of the network access control apparatus. Referring to Fig. 10, the network access control apparatus may include: a processor 1, a communication interface 2, a memory 3 and a communication bus 4;
where the processor 1, the communication interface 2 and the memory 3 communicate with each other through the communication bus 4;
optionally, the communication interface 2 may be an interface of a communication module, such as the interface of a GSM module;
the processor 1 is configured to execute a program;
the memory 3 is configured to store the program;
the program may include program code, and the program code includes computer operation instructions.
The processor 1 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
The memory 3 may include a high-speed RAM memory and may also include a non-volatile memory, for example at least one magnetic disk memory.
The program may specifically be configured to:
receive a network access request sent by the network control device, the network access request including: the address information of the service server to be accessed and target address information, the target address information being the address information of a preconfigured proxy server;
the network access request being an access request whose target address information belongs to a first white list, the first white list including a list of the address information of proxy servers that are allowed to be accessed;
judge whether the address information of the service server to be accessed belongs to a second white list and, if so, send the network access request to the service server to be accessed, the second white list including a list of the address information of service servers that are allowed to be accessed.
In summary, the embodiment of the present invention provides a network access control system including a client, a network control device, a proxy server and a service server. The client sends a network access request to the network control device; the network control device judges whether the target address information belongs to the first white list and, if so, sends the network access request to the proxy server corresponding to the target address information. The proxy server judges whether the address information of the service server to be accessed belongs to the second white list and, if so, sends the network access request to the service server to be accessed. As can be seen, the network access method provided by the invention only requires the address information and port of the proxy server to be configured at the network control device, and the address information and ports of the service servers that are allowed to be accessed to be configured at the proxy server, which simplifies the configuration of the network control device by enterprise network administrators.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and the relevant parts may be found in the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. In order to clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of their function. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the present invention.
The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (17)

1. A network access control system, characterized in that it comprises: a client, a network control device, a proxy server and a service server,
the client being configured to send a network access request to the network control device, the network access request including: the address information of a service server to be accessed and target address information, the target address information being the address information of a preconfigured proxy server;
the network control device being configured to judge whether the target address information belongs to a first white list and, if so, to send the network access request to the proxy server corresponding to the target address information, the first white list including a list of the address information of proxy servers that are allowed to be accessed;
the proxy server being configured to judge whether the address information of the service server to be accessed belongs to a second white list and, if so, to send the network access request to the service server to be accessed, the second white list including a list of the address information of service servers that are allowed to be accessed.
2. The network access control system according to claim 1, characterized in that the network access request further includes: the address information of the client,
and the network control device is further configured, after judging that the target address information belongs to the first white list, to: replace the address information of the client with the address information of the network control device, and generate a first mapping table of the address information of the client and the address information of the network control device.
3. The network access control system according to claim 2, characterized in that, after judging that the address information of the service server to be accessed belongs to the second white list, the proxy server is further configured to:
replace the address information of the network control device with the target address information, and generate a second mapping table of the address information of the network control device and the target address information.
4. The network access control system according to claim 3, characterized in that the network access request further includes: data content to be transmitted,
and correspondingly, the proxy server sending the network access request to the service server to be accessed includes:
the proxy server sending the data content to be transmitted to the service server to be accessed.
5. The network access control system according to claim 4, characterized in that the service server to be accessed generates feedback data based on the data content to be transmitted and sends the feedback data to the proxy server.
6. The network access control system according to claim 5, characterized in that the proxy server looks up, according to the second mapping table, the address information of the network control device corresponding to the address information of the proxy server;
and sends the feedback data to the network control device corresponding to the found address information of the network control device.
7. The network access control system according to claim 6, characterized in that the network control device looks up, according to the first mapping table, the address information of the client corresponding to the address information of the network control device;
and sends the feedback data to the client corresponding to the found address information of the client.
8. A network access control method, characterized in that it comprises:
receiving a network access request sent by a network control device, the network access request including: the address information of a service server to be accessed and target address information, the target address information being the address information of a preconfigured proxy server;
the network access request being an access request whose target address information belongs to a first white list, the first white list including a list of the address information of proxy servers that are allowed to be accessed;
judging whether the address information of the service server to be accessed belongs to a second white list and, if so, sending the network access request to the service server to be accessed, the second white list including a list of the address information of service servers that are allowed to be accessed.
9. The network access control method according to claim 8, characterized in that, after judging that the address information of the service server to be accessed belongs to the second white list, the method further comprises:
replacing the address information of the network control device with the target address information, and generating a second mapping table of the address information of the network control device and the target address information.
10. The network access control method according to claim 9, characterized in that the network access request further includes: data content to be transmitted,
and correspondingly, said sending the network access request to the service server to be accessed includes:
sending the data content to be transmitted to the service server to be accessed.
11. The network access control method according to claim 10, characterized in that it further comprises:
receiving feedback data generated by the service server to be accessed based on the data content to be transmitted.
12. The network access control method according to claim 11, characterized in that it further comprises:
looking up, according to the second mapping table, the address information of the network control device corresponding to the address information of the proxy server;
and sending the feedback data to the network control device corresponding to the found address information of the network control device.
13. A network access control device, characterized in that it comprises:
a first receiving module, configured to receive a network access request sent by a network control device, the network access request including: the address information of a service server to be accessed and target address information, the target address information being the address information of a preconfigured proxy server;
the network access request being an access request whose target address information belongs to a first white list, the first white list including a list of the address information of proxy servers that are allowed to be accessed;
a judgment module, configured to judge whether the address information of the service server to be accessed belongs to a second white list and, if so, to send the network access request to the service server to be accessed, the second white list including a list of the address information of service servers that are allowed to be accessed.
14. The network access control device according to claim 13, characterized in that it further comprises:
a processing module, configured to replace the address information of the network control device with the target address information, and to generate a second mapping table of the address information of the network control device and the target address information.
15. The network access control device according to claim 14, characterized in that it further comprises:
a sending module, configured to send the data content to be transmitted to the service server to be accessed.
16. The network access control device according to claim 15, characterized in that it further comprises:
a second receiving module, configured to receive feedback data generated by the service server to be accessed based on the data content to be transmitted.
17. The network access control device according to claim 16, characterized in that it further comprises:
a searching module, configured to look up, according to the second mapping table, the address information of the network control device corresponding to the address information of the proxy server;
and to send the feedback data to the network control device corresponding to the found address information of the network control device.
CN201611146932.2A, priority date 2016-12-13, filing date 2016-12-13, "Network access control method, device and system", Active, granted as CN108616490B (en)

Priority Applications (2)

Application Number   Priority Date   Filing Date   Title
CN201611146932.2A    2016-12-13      2016-12-13    CN108616490B (en) Network access control method, device and system
PCT/CN2017/112080    2016-12-13      2017-11-21    WO2018107943A1 (en) Network access control method, apparatus and system

Publications (2)

Publication Number   Publication Date
CN108616490A (en)    2018-10-02
CN108616490B (en)    2020-11-03

Family ID 62557918; country status: CN (CN108616490B), WO (WO2018107943A1)

Also Published As

Publication number Publication date
WO2018107943A1 (en) 2018-06-21
CN108616490B (en) 2020-11-03


Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant