CN108616490A - A kind of method for network access control, apparatus and system - Google Patents
- Publication number: CN108616490A (application CN201611146932.2A)
- Authority: CN (China)
- Prior art keywords: address information, network access, control device, proxy server, visited
- Legal status: Granted
Classifications (section H, Electricity; class H04, Electric communication technique; subclass H04L, Transmission of digital information, e.g. telegraphic communication)
- H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  - H04L9/40: Network security protocols
- H04L63/00: Network architectures or network communication protocols for network security
  - H04L63/10: for controlling access to devices or network resources
    - H04L63/101: Access control lists [ACL]
  - H04L63/02: for separating internal from external traffic, e.g. firewalls
    - H04L63/0281: Proxies
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
An embodiment of the present invention provides a network access control system comprising a client, a network control device, a proxy server and a service server. The client sends a network access request to the network control device; the network control device judges whether the target address information in the request belongs to a first white list and, if so, forwards the request to the proxy server corresponding to that target address information. The proxy server judges whether the address information of the service server to be visited belongs to a second white list and, if so, forwards the request to that service server. The network access method provided by the invention therefore only requires that the address information and port of the proxy server in use be configured at the network control device, and that the address information and port of the service servers allowed to be accessed be configured at the proxy server, which simplifies the configuration of the network control device by enterprise network administrators.
Description
Technical field
The present invention relates to the technical field of data processing, and in particular to a network access control method, apparatus and system.
Background technology
With the continuous development of science and technology, users' need to access the network is increasingly common. For various purposes, however, an enterprise needs to control access to its network. For example, employees may be forbidden from reading news, shopping online or playing games during working hours in order to improve their productivity; employees may be forbidden from leaking the company's core secrets, internal documents and the like over the network; and external malicious users may be prevented from intruding into the company's internal network to steal company secrets.
Therefore, as shown in Figure 1, enterprise network administrator A typically controls access to the enterprise network by configuring black and white lists on the network control device 1 (such as a switch, router or firewall) at the exit of the enterprise network.
The inventor has found that enterprises concentrate the control of external network access at the exit device of the enterprise network. However, black and white lists generally contain a great deal of information such as user IPs, domain names and network addresses, and this information changes frequently as the servers of software-as-a-service (SaaS) providers are upgraded and maintained. If the enterprise network administrator is not notified in time so that the parameters of the network control device at the network exit can be reset, or if the parameters are set incorrectly, the enterprise network may no longer be accessible normally. It can be seen that the existing enterprise network control mode is cumbersome and places high demands on the skills of the enterprise network administrator.
Therefore, how to provide a network access control method, apparatus and system that can control the network access of enterprise employees while simplifying the configuration at the enterprise network exit has become a problem that those skilled in the art need to consider.
Invention content
In view of this, embodiments of the present invention provide a network access control method, apparatus and system that can control the network access of enterprise employees and simplify the configuration at the enterprise network exit.
To achieve the above object, the embodiment of the present invention provides the following technical solutions:
A network access control system, comprising a client, a network control device, a proxy server and a service server, wherein:
the client sends a network access request to the network control device, the network access request comprising the address information of the service server to be visited and target address information, the target address information being the address information of a preconfigured proxy server;
the network control device judges whether the target address information belongs to a first white list and, if so, sends the network access request to the proxy server corresponding to the target address information, the first white list comprising a list of the address information of the proxy servers allowed to be accessed; and
the proxy server judges whether the address information of the service server to be visited belongs to a second white list and, if so, sends the network access request to the service server to be visited, the second white list comprising a list of the address information of the service servers allowed to be accessed.
A network access control method, comprising:
receiving a network access request sent by a network control device, the network access request comprising the address information of the service server to be visited and target address information, the target address information being the address information of a preconfigured proxy server, and the network access request being an access request whose target address information belongs to a first white list, the first white list comprising a list of the address information of the proxy servers allowed to be accessed; and
judging whether the address information of the service server to be visited belongs to a second white list and, if so, sending the network access request to the service server to be visited, the second white list comprising a list of the address information of the service servers allowed to be accessed.
A network access control apparatus, comprising:
a first receiving module, configured to receive a network access request sent by a network control device, the network access request comprising the address information of the service server to be visited and target address information, the target address information being the address information of a preconfigured proxy server, and the network access request being an access request whose target address information belongs to a first white list, the first white list comprising a list of the address information of the proxy servers allowed to be accessed; and
a judgment module, configured to judge whether the address information of the service server to be visited belongs to a second white list and, if so, to send the network access request to the service server to be visited, the second white list comprising a list of the address information of the service servers allowed to be accessed.
As it can be seen that network access control system provided in this embodiment, it is only necessary to be set using at net control device
Then the address for the service server for allowing to access is arranged in the address information of proxy server and port at proxy server
Information and port simplify configuration of the enterprise network management personnel to net control device.
Description of the drawings
In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings required for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an application in the prior art;
Fig. 2 is a structural diagram of a network access control system provided in an embodiment of the present invention;
Fig. 3 is a signaling flow diagram of a network access control system provided in an embodiment of the present invention;
Fig. 4 is a signaling flow diagram of another network access control system provided in an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of a network access control apparatus provided in an embodiment of the present invention;
Fig. 6 is a structural schematic diagram of another network access control apparatus provided in an embodiment of the present invention;
Fig. 7 is a structural schematic diagram of another network access control apparatus provided in an embodiment of the present invention;
Fig. 8 is a structural schematic diagram of another network access control apparatus provided in an embodiment of the present invention;
Fig. 9 is a structural schematic diagram of another network access control apparatus provided in an embodiment of the present invention;
Fig. 10 is a hardware block diagram of a network access control apparatus provided in an embodiment of the present invention.
Specific implementation mode
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
An embodiment of the present invention provides a network access control system comprising a client, a network control device, a proxy server and a service server. The client sends a network access request to the network control device; the network control device judges whether the target address information belongs to a first white list and, if so, sends the request to the proxy server corresponding to that target address information. The proxy server judges whether the address information of the service server to be visited belongs to a second white list and, if so, sends the request to the service server to be visited. It can be seen that the network access method provided by the invention only requires that the address information and port of the proxy server in use be configured at the network control device, and that the address information and port of the service servers allowed to be accessed be configured at the proxy server, which simplifies the configuration of the network control device by enterprise network administrators.
Referring to Fig. 2, which is a structural diagram of a network access control system provided in an embodiment of the present invention, the network access control method provided by the embodiment can be implemented on the system shown in Fig. 2. With reference to Fig. 2, the network access control system may comprise: a client 2, a network control device 1, a proxy server 3 and a service server 4. The client 2 may be the client device used by at least one enterprise employee B to send service requests, such as a notebook, desktop computer, tablet computer or mobile phone used by the employee to go online; the network control device 1 may be a device located at the exit of the enterprise network, such as a switch, router or firewall; and the proxy server may be regarded as a further server located between the network control device 1 and the service server 4.
In general, when an enterprise employee browses a web page, the client accesses the service server directly as needed, and after receiving the web access request the service server sends the content of the requested site back to the client for the user to browse. After a proxy server is introduced, however, when the employee wants to access a site resource the client first sends the web access request to the proxy server, and the proxy server fetches the requested content and returns it to the client. It should be noted that on the proxy server side the user's identity can be identified and network access control and the like can be implemented.
The service server 4 may be a single server, a server farm composed of multiple servers, or a cloud computing service center; the service server 4 is used to serve network data resources for download, such as game data or software application data (QQ, WeChat, etc.).
Specifically, on the basis of the system shown in Fig. 2, Fig. 3 shows a signaling flow diagram of the network access control system provided in an embodiment of the present invention. The network access control system comprises the client 2, the network control device 1, the proxy server 3 and the service server 4, and the signaling interaction may comprise the following steps:
Step S100: the client sends a network access request to the network control device.
The network access request may include the address information of the client, the address information of the service server to be visited, the data content to be transmitted and the target address information, where the target address information is the address information of the proxy server. It should be noted that in this embodiment the enterprise employee needs to pre-configure, on the client, the information of the proxy server to be used for network access. In this way, when the client sends a network access request it pre-processes the original request: on top of the client address information, the address information of the service server to be visited and the data content to be transmitted contained in the original request, it adds information relating to the proxy server, such as the address information of the proxy server.
Step S101: the network control device judges whether the target address information meets a first preset condition and, if so, sends the network access request to the proxy server corresponding to the target address information.
It should be noted that before the network control device is used, the enterprise network administrator needs to configure its white list. The white list in this solution differs from the white list of the prior art: it only needs to contain the list of address information of the proxy servers allowed to be used, whereas the prior-art white list needs to contain the address information, port information and other data of every service server allowed to be accessed. Depending on the types of service, the prior-art white list configured on the network control device has many entries. If, for example, an enterprise allows its clients to access Tencent Video, QQ and WeChat, the prior-art white list needs to record at least the address information and port information of the service server corresponding to Tencent Video, of the service server corresponding to QQ, and of the service server corresponding to WeChat.
Of course, if the enterprise permits many network access services, the network administrator has to configure the address information of each accessible service server into the white list of the current network control device. Because there are many types of service, the white list data that the enterprise network administrator must manage and maintain is correspondingly large. Moreover, from the service provider's point of view, service servers may be updated and upgraded at any time in order to provide better service, so the address information and port of the corresponding service server may change. This requires the enterprise network administrator to modify the address information and port information of that service server in the white list of the network control device; otherwise the service server can no longer be accessed normally.
In this embodiment, by contrast, the enterprise network administrator only needs to configure the address information of the proxy server in the white list. The network control device then judges whether the target address information sent by the client is the address information of an allowed proxy server recorded in its white list. If so, the network control device lets the network access request pass, that is, sends it on to the proxy server corresponding to the target address information. If the target address information sent by the client is not the address information of an allowed proxy server recorded in the white list of the network control device, the network control device may simply ignore the network access request, or return a response message indicating an access error to the client. Other preset actions may of course also be executed; these can be set according to the actual needs of the enterprise.
It should be noted that in this step, when the network control device judges that the target address information sent by the client belongs to the address information of the allowed proxy servers recorded in its white list, it needs to send the network access request on to the proxy server corresponding to the target address information. At this point, because a client inside the enterprise is sending a network access request to the outside of the enterprise, the address information and port information of the client may be replaced by the address information and port information of the network control device, that is, the IP addresses of the enterprise LAN are unified into the enterprise's external public IP. If the IP address of client 2a is "10.168.23.100" with port "1000" and the IP address of client 2b is "10.168.23.99" with port "1000", then whether the request comes from client 2a or client 2b, when the target address information in its network access request belongs to the white list, the IP address information of the request is converted into the IP address information of the network control device. At the same time, tracking information is recorded to store the mapping between the client address information and the address information of the network control device.
Step S102: the proxy server judges whether the address information of the service server to be visited meets a second preset condition and, if so, sends the network access request to the service server to be visited.
After receiving the network access request the proxy server parses it. As described above, on the client side the network access request may include the address information of the client, the address information of the service server to be visited, the data content to be transmitted and the target address information, where the target address information is the address information of the proxy server. However, after passing through the enterprise's network control device, the client's own address information in the request has been converted into the address information of the network control device, so the network access request at this point includes the address information of the network control device, the address information of the service server to be visited and the data content to be transmitted.
Then, when the proxy server judges that the address information of the service server to be visited belongs to the address information of the allowed service servers recorded in the proxy server's white list, it needs to send the network access request on to the service server corresponding to the address information of the service server to be visited.
If the proxy server judges that the address information of the service server to be visited does not belong to the address information of the allowed service servers recorded in its white list, the proxy server may simply ignore the network access request, or return a response message indicating an access error to the network control device, which then forwards the response message to the client.
In summary, the network access control system provided in this embodiment only requires that the address information and port of the proxy server in use be configured at the network control device, and that the address information and port of the service servers allowed to be accessed be configured at the proxy server, which simplifies the configuration of the network control device by the enterprise network administrator. Moreover, because the white list of address information of the allowed service servers is configured at the proxy server, when a SaaS provider upgrades or maintains its service servers only the SaaS provider's professionals need to update the white list on the proxy server, which ensures that the white list is updated promptly and accurately without any action by the enterprise network administrator. When the network control devices of multiple enterprises use the same proxy server and the address information of a certain service server changes, the corresponding address information in the white lists of the different enterprises on the proxy server likewise only needs to be changed once. For example, suppose the proxy server corresponding to the network control device of enterprise A is proxy server A, the proxy server corresponding to the network control device of enterprise B is also proxy server A, the white list that enterprise A needs to maintain includes QQ and WeChat, and the white list that enterprise B needs to maintain includes QQ and Tencent Video. After the address information of the service server corresponding to QQ is upgraded, the proxy server replaces the address of the service server corresponding to QQ and the enterprise network administrators need do nothing. In the prior art, by contrast, the network administrator of enterprise A must change the address information of the QQ service server in the white list of its network control device, and the network administrator of enterprise B must also change the address information of the QQ service server in the white list of its network control device, which is more complicated.
In another embodiment of the present application, the data feedback flow of the network access system is introduced. Referring to Fig. 4, the flow includes:
Step S103: the service server to be visited generates feedback data on the basis of the data content to be transmitted, and sends the feedback data to the proxy server.
Step S104: the proxy server looks up, according to the second mapping table, the address information of the network control device corresponding to the address information of the proxy server, and sends the feedback data to the network control device corresponding to the address information found.
Step S105: the network control device looks up, according to the first mapping table, the address information of the client corresponding to the address information of the network control device, and sends the feedback data to the client corresponding to the address information found.
It should be noted that the data feedback process can be understood as backtracking along the original path. Because the network control device and the proxy server have already performed white list screening on the received address information during the network access process, there is no need to check again whether the current address information is in a white list when the data is returned. Finally, the feedback data is sent to the client.
Specifically, this embodiment provides an example of using the network access control system provided by the present invention, described in detail below. Suppose the network control device is a switch, and assume:
a. the address of the client on the intranet is "10.168.23.100", port 1000;
b. the exit network address of the enterprise network is "183.61.38.179", port 1001;
c. the network address of the SaaS service proxy server is 180.149.32.47, port 8080; it supports SOCKS V5 and does not require account verification;
d. the network address of SaaS service server 1 is 140.205.94.189, port 443;
e. the domain name of SaaS service server 2 is b.qq.com, port 80.
On the basis of the above address information, the web browsing process is as follows:
1. The SaaS provider configures the network access white list on the proxy server, similar to the following:
Destination server white list:
ip: 140.205.94.189, port: 443;
domain name: b.qq.com, port: 80;
The concrete form depends on the configuration standard of the actual proxy server; the above configuration means that a packet is legal when its destination address is one of the entries in the white list.
2. The enterprise administrator enters the management page of the enterprise switch and configures the white list, similar to the following:
Destination server white list:
ip: 180.149.132.47, port: 8080;
3. The company employee configures the SaaS application client to use the proxy server, similar to the following:
Network settings:
Type: SOCKS V5, address: 180.149.32.47, port 8080.
4. The client needs to send the content "Hello" to SaaS service server 1 (140.205.94.189:443). The original packet may contain the following information: source address 10.168.23.100, port 1000, destination address 140.205.94.189, port 443, and the packet content "Hello". Because the proxy service configuration is in use, every packet from the client is wrapped in an additional layer of encapsulation on top of the original data, adding the relevant proxy information (including the destination address of the proxy server 180.149.32.47, port 8080, the proxy protocol version information, etc.). The new packet is instead sent to the network address of the proxy server (180.149.32.47:8080).
5. The switch judges the destination address of the new packet. Because the destination network address is (180.149.32.47:8080) and this is configured in the white list, the packet is considered legal and is allowed to pass. Because the data is being sent from inside the enterprise network, NAT address translation is required: the source port number (1000) and private source IP address (10.168.23.100) in the packet are converted into the switch's own port number (1001) and public IP address (183.61.38.179), and the packet is then sent to the destination host on the external network (180.149.32.47:8080). At the same time a tracking entry (10.168.23.100:1000 -- 183.61.38.179:1001) is recorded in the address translation mapping table. The new source address is legal and unique on the Internet and can be routed to correctly.
6. After the proxy server receives the data request, it parses the real body data in the packet, including the replaced source address 183.61.38.179, new port 1001, destination address 140.205.94.189, port 443 and the packet content "Hello". Because the destination address and port combination (140.205.94.189:443) is in the white list, the packet is judged legal and can be forwarded normally to the destination address. The proxy server replaces the source address in the packet with 180.149.32.47 and the port with 1002, and records the mapping (183.61.38.179:1001 -- 180.149.32.47:1002). In the new packet, the sender information is thus completely replaced by that of the proxy server.
7. After the SaaS service server has processed the above data, it needs to return the data "Reply" to the client and organizes the corresponding packet, including the following content: source address 140.205.94.189, port 443, destination address the proxy server address 180.149.32.47, port 8080, and the packet content "Reply".
8. After the proxy server receives the above data returned by the service server, it finds the real target network address according to the mapping it maintains internally, and replaces the destination address in the packet (i.e. the proxy server address) with the actual target address information, namely (183.61.38.179:1001). It then wraps the data returned by the server in a layer of encapsulation, adding the proxy server's information (including source address 180.149.32.47, port 8080, proxy protocol version information, etc.), and sends the data to the target network address, i.e. the exit IP address of the enterprise.
9. The above packet returned by the proxy server passes through the switch, which judges the packet's source address. Because the source address is the proxy server address, it is allowed to pass. Similarly, this step also requires NAT address conversion: according to the record in the mapping table, the port number (1001) and public IP address (183.61.38.179) of the received packet are converted into the port number (1000) of the destination host and the private IP address of the destination host in the internal network (10.168.23.100), and the packet is forwarded to the destination host.
10. After the client receives the packet, it parses the real packet content, which mainly includes source address 140.205.94.189, port 443 and the packet content "Reply", and thus receives the data returned by SaaS service server 1.
The above describes, with a specific example, the case in which the client accesses permitted network address information. The case in which the client accesses non-permitted network address information is introduced next, as follows:
Assume that the whitelist configuration of step 1 and step 2 in case 1 has been completed.
1. A company employee configures a client that is supposed to be forbidden, such as Sina Weibo, to use the proxy server. The proxy server configuration is similar to the following:
Type: SOCKS V5; address: 180.149.32.47; port: 8080.
2. The client needs to send the content "Hello" to Sina Weibo service server 1 (100.100.10.10:443). The raw packet contains the following information: source address 10.168.23.100, port 8000; destination address 100.100.10.10, port 443; and the packet content "Hello". Because the proxy service configuration is in use, every packet from the client is wrapped in one more layer of encapsulation on top of the original data, to which the proxy server's information is added (including the target address 180.149.32.47, port 8080, proxy protocol version information, etc.). The new packet is instead sent to the network address of the proxy server (180.149.32.47:8080).
3. As in case 1, the switch considers the request's target address legitimate and forwards it normally.
4. After the proxy server receives the data request, it parses out the actual target address 100.100.10.10, port 443. Because this destination address and port combination (100.100.10.10:443) is not in the whitelist, the packet is judged to be an invalid packet and is simply discarded.
5. The client cannot receive a return packet from Sina Weibo, so this network application has been successfully restricted.
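Step 4 above has the proxy parse the real target out of the encapsulated request and compare it with the second whitelist. The following Python is an added example, not code from the patent, of that step for a SOCKS V5 proxy, the proxy type configured in step 1: it parses the SOCKS5 CONNECT request as laid out in RFC 1928, recovers the destination address and port, and forwards only if that pair is in the whitelist, treating a malformed request exactly like a forbidden one. The whitelist contents, the request bytes and the function names are my own constructions.

```python
"""Proxy-side extraction of the real destination from a SOCKS5 CONNECT request
and the second-whitelist check that decides whether to forward or discard.

Added example; not code from the patent. The whitelist entries and the
request bytes are constructed from the addresses used in the worked cases.
"""
import ipaddress
import struct
from typing import Set, Tuple

Addr = Tuple[str, int]

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Constructed second whitelist: the only (address, port) pairs the proxy may
# forward to. 140.205.94.189:443 is the SaaS service server of case 1.
SECOND_WHITELIST: Set[Addr] = {("140.205.94.189", 443)}


def parse_connect_request(data: bytes) -> Addr:
    """Return (host, port) from a SOCKS5 CONNECT request (RFC 1928, section 4).

    Layout: VER CMD RSV ATYP DST.ADDR DST.PORT. Any deviation raises ValueError;
    the caller treats a malformed request the same as a disallowed one.
    """
    if len(data) < 4:
        raise ValueError("request too short")
    ver, cmd, rsv, atyp = data[0], data[1], data[2], data[3]
    if ver != SOCKS_VERSION:
        raise ValueError(f"unsupported SOCKS version {ver}")
    if cmd != CMD_CONNECT:
        raise ValueError(f"unsupported command {cmd}")
    if rsv != 0:
        raise ValueError("reserved byte must be zero")
    if atyp == ATYP_IPV4:
        addr_start, addr_len = 4, 4
    elif atyp == ATYP_IPV6:
        addr_start, addr_len = 4, 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("missing domain length")
        addr_start, addr_len = 5, data[4]
    else:
        raise ValueError(f"unknown address type {atyp}")
    port_start = addr_start + addr_len
    if len(data) != port_start + 2:  # reject both truncated and trailing bytes
        raise ValueError("length does not match address type")
    raw = data[addr_start:port_start]
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(raw))
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(raw))
    else:
        host = raw.decode("ascii")  # non-ASCII names raise ValueError
    (port,) = struct.unpack("!H", data[port_start:])
    return host, port


def build_connect_request(host: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT request; used here only to construct sample input."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        body = bytes([ATYP_DOMAIN, len(host)]) + host.encode("ascii")
    else:
        body = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def proxy_decision(data: bytes, whitelist: Set[Addr] = SECOND_WHITELIST) -> str:
    """'forward' if the parsed real target is whitelisted, otherwise a 'drop:' reason."""
    try:
        target = parse_connect_request(data)
    except ValueError as exc:
        return f"drop:malformed ({exc})"
    if target in whitelist:
        return "forward"
    return "drop:not-whitelisted"


if __name__ == "__main__":
    for host, port in [("140.205.94.189", 443), ("100.100.10.10", 443)]:
        print(host, port, "->", proxy_decision(build_connect_request(host, port)))
```

One caveat the patent does not address: the whitelist here is matched on exactly what the client sent, so a request carrying the domain-name form of a whitelisted IP address is discarded. A deployment has to decide whether to whitelist names, resolve them at the proxy, or both, and that choice determines how consistently the policy is enforced.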
Another example:
Assume that the whitelist configuration of step 1 and step 2 in case 1 has been completed.
1. A company employee wants to use a client that is supposed to be forbidden, such as a browser, but has not configured the proxy server.
2. The employee uses the browser to access http://www.taobao.com.
3. The switch finds that the destination address (www.taobao.com) is not configured in the whitelist, judges the request's target address to be illegitimate, and discards it directly.
4. The client cannot receive a return packet from Taobao, so this network application has been successfully restricted.
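The three cases above are one procedure exercised with three different inputs. The following Python is an added example, not code from the patent, that models the whole path: the network control device (the switch) with its first whitelist and first mapping table (NAT), the proxy server with its second whitelist and second mapping table, and the service server's reply flowing back through both tables. Addresses and ports are the constructed values from the cases; the class and function names are my own. It runs all three cases and also exposes the two mapping tables after the permitted request, which the prose only states.

```python
"""Simulation of the two-stage whitelist from the worked cases: the switch
admits only traffic addressed to a whitelisted proxy and NATs it through the
first mapping table; the proxy admits only requests whose real target is in
the second whitelist and records the second mapping table for the reply.

Added example; not code from the patent. Addresses and ports are constructed
from the values in the cases; class and field names are my own.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

Addr = Tuple[str, int]


@dataclass
class Packet:
    src: Addr
    dst: Addr
    payload: str
    inner_dst: Optional[Addr] = None  # real target inside the proxy encapsulation


# Constructed topology (values taken from the page's cases).
CLIENT: Addr = ("10.168.23.100", 8000)
PROXY: Addr = ("180.149.32.47", 8080)
ENTERPRISE_EGRESS_IP = "183.61.38.179"
SAAS_SERVER: Addr = ("140.205.94.189", 443)


class NetworkControlDevice:
    """The switch: first whitelist (proxy addresses) and first mapping table (NAT)."""

    def __init__(self, public_ip: str, first_whitelist: Iterable[Addr]) -> None:
        self.public_ip = public_ip
        self.first_whitelist = set(first_whitelist)
        self.first_mapping: Dict[Addr, Addr] = {}  # public (ip, port) -> client
        self._next_port = 1001

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst not in self.first_whitelist:  # step 3: non-proxy target dropped
            return None
        public = (self.public_ip, self._next_port)
        self._next_port += 1
        self.first_mapping[public] = pkt.src
        return Packet(public, pkt.dst, pkt.payload, pkt.inner_dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Step 9: a reply passes only from a whitelisted proxy and with a NAT record.
        client = self.first_mapping.get(pkt.dst)
        if client is None or pkt.src not in self.first_whitelist:
            return None
        return Packet(pkt.src, client, pkt.payload)


class ProxyServer:
    """The proxy: second whitelist (service servers) and second mapping table."""

    def __init__(self, addr: Addr, second_whitelist: Iterable[Addr]) -> None:
        self.addr = addr
        self.second_whitelist = set(second_whitelist)
        self.second_mapping: Dict[Addr, Addr] = {}  # proxy egress (ip, port) -> requester
        self._next_port = 1002

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        # Step 4 of case 2: the real target must be in the second whitelist.
        if pkt.inner_dst is None or pkt.inner_dst not in self.second_whitelist:
            return None
        egress = (self.addr[0], self._next_port)
        self._next_port += 1
        self.second_mapping[egress] = pkt.src
        return Packet(egress, pkt.inner_dst, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Step 8: look up the requester and re-encapsulate with the proxy as source.
        requester = self.second_mapping.get(pkt.dst)
        if requester is None:
            return None
        return Packet(self.addr, requester, pkt.payload)


def service_server(pkt: Packet) -> Packet:
    """Step 7: the service server answers whatever it receives with 'Reply'."""
    return Packet(pkt.dst, pkt.src, "Reply")


def send(client_pkt: Packet, switch: NetworkControlDevice, proxy: ProxyServer) -> str:
    """Drive one request out and its reply back; report where it ended up."""
    p = switch.outbound(client_pkt)
    if p is None:
        return "dropped-by-switch"
    p = proxy.outbound(p)
    if p is None:
        return "dropped-by-proxy"
    r = proxy.inbound(service_server(p))
    r = switch.inbound(r) if r else None
    return f"client-received:{r.payload}" if r else "reply-lost"


def build() -> Tuple[NetworkControlDevice, ProxyServer]:
    """Steps 1 and 2 of case 1: configure the two whitelists."""
    return NetworkControlDevice(ENTERPRISE_EGRESS_IP, [PROXY]), ProxyServer(PROXY, [SAAS_SERVER])


def run_cases() -> Dict[str, str]:
    switch, proxy = build()
    return {
        "allowed": send(Packet(CLIENT, PROXY, "Hello", SAAS_SERVER), switch, proxy),
        "proxied-forbidden": send(Packet(CLIENT, PROXY, "Hello", ("100.100.10.10", 443)), switch, proxy),
        "direct": send(Packet(CLIENT, ("www.taobao.com", 80), "GET /"), switch, proxy),
    }


if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(f"{name}: {outcome}")
```

The switch's inbound check is the step 9 rule made explicit: a reply is delivered only when its source is a whitelisted proxy and its destination matches a first-mapping-table entry, so a packet aimed at the enterprise egress address from any other source is dropped before NAT is consulted.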
The network access control device provided in an embodiment of the present invention is introduced below. The network access control device described below and the network access control system described above may be referred to in correspondence with each other.
Fig. 5 is a structural diagram of the network access control device provided in an embodiment of the present invention. With reference to Fig. 5, the device may include:
A first receiving module 100, for receiving the network access request sent by the network control device, the network access request including: the address information of the service server to be visited and the target address information, the target address information being the address information of a preconfigured proxy server;
and the network access request being an access request whose target address information belongs to the first whitelist, the first whitelist including the list of address information of proxy servers that are allowed to be accessed;
A judgment module 200, for judging whether the address information of the service server to be visited belongs to the second whitelist and, if so, sending the network access request to the service server to be visited, the second whitelist including the list of address information of service servers that are allowed to be accessed.
Optionally, as shown in Fig. 6, the device further includes:
A processing module 300, for replacing the address information of the network control device with the target address information, and generating the second mapping table of the address information of the network control device and the target address information.
Optionally, as shown in Fig. 7, the device further includes:
A sending module 400, for sending the data content to be transmitted to the service server to be visited.
Optionally, as shown in Fig. 8, the device further includes:
A second receiving module 500, for receiving the feedback data generated by the service server to be visited based on the data content to be transmitted.
Optionally, as shown in Fig. 9, the device further includes:
A searching module 600, for searching, according to the second mapping table, the address information of the network control device corresponding to the address information of the proxy server;
and sending the feedback data to the network control device corresponding to the found address information of the network control device.
An embodiment of the present invention also provides a network access control equipment, which may include the network access control device described above.
Optionally, Fig. 10 shows the hardware block diagram of the network access control equipment. Referring to Fig. 10, the network access control equipment may include: a processor 1, a communication interface 2, a memory 3 and a communication bus 4;
where the processor 1, the communication interface 2 and the memory 3 communicate with each other through the communication bus 4;
Optionally, the communication interface 2 may be the interface of a communication module, such as the interface of a GSM module;
the processor 1 is for executing a program;
the memory 3 is for storing the program;
the program may include program code, and the program code includes computer operation instructions.
The processor 1 may be a central processing unit (CPU) or an application specific integrated circuit (ASIC), or may be one or more integrated circuits configured to implement the embodiments of the present invention.
The memory 3 may include a high-speed RAM memory and may also include a non-volatile memory, for example at least one magnetic disk memory.
The program may specifically be used for:
receiving the network access request sent by the network control device, the network access request including: the address information of the service server to be visited and the target address information, the target address information being the address information of a preconfigured proxy server;
and the network access request being an access request whose target address information belongs to the first whitelist, the first whitelist including the list of address information of proxy servers that are allowed to be accessed;
judging whether the address information of the service server to be visited belongs to the second whitelist and, if so, sending the network access request to the service server to be visited, the second whitelist including the list of address information of service servers that are allowed to be accessed.
In conclusion, an embodiment of the present invention provides a network access control system, including: a client, a network control device, a proxy server and a service server. The client sends a network access request to the network control device; the network control device judges whether the target address information belongs to the first whitelist and, if so, sends the network access request to the proxy server corresponding to the target address information. The proxy server judges whether the address information of the service server to be visited belongs to the second whitelist and, if so, sends the network access request to the service server to be visited. It can be seen that the network access method provided by the present invention only requires the address information and port of the proxy server to be configured at the network control device, and the address information and ports of the service servers that are allowed to be accessed to be configured at the proxy server, which simplifies the configuration of the network control device by enterprise network administrators.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to each other. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively simple, and the relevant points may be found in the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. In order to clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described generally above according to function. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the present invention.
The steps of the method or algorithm described in conjunction with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (17)
1. A network access control system, characterized in that it includes: a client, a network control device, a proxy server and a service server,
the client being used for sending a network access request to the network control device, the network access request including: the address information of the service server to be visited and the target address information, the target address information being the address information of a preconfigured proxy server;
the network control device being used for judging whether the target address information belongs to a first whitelist and, if so, the network control device sending the network access request to the proxy server corresponding to the target address information, the first whitelist including the list of address information of proxy servers that are allowed to be accessed;
the proxy server being used for judging whether the address information of the service server to be visited belongs to a second whitelist and, if so, the proxy server sending the network access request to the service server to be visited, the second whitelist including the list of address information of service servers that are allowed to be accessed.
2. The network access control system according to claim 1, characterized in that the network access request further includes: the address information of the client,
and the network control device is further used, after judging that the target address information belongs to the first whitelist, for: replacing the address information of the client with the address information of the network control device, and generating a first mapping table of the address information of the client and the address information of the network control device.
3. The network access control system according to claim 2, characterized in that the proxy server, after judging that the address information of the service server to be visited belongs to the second whitelist, is further used for:
replacing the address information of the network control device with the target address information, and generating a second mapping table of the address information of the network control device and the target address information.
4. The network access control system according to claim 3, characterized in that the network access request further includes: the data content to be transmitted,
and correspondingly, the proxy server sending the network access request to the service server to be visited includes:
the proxy server sending the data content to be transmitted to the service server to be visited.
5. The network access control system according to claim 4, characterized in that the service server to be visited generates feedback data based on the data content to be transmitted and sends the feedback data to the proxy server.
6. The network access control system according to claim 5, characterized in that the proxy server searches, according to the second mapping table, the address information of the network control device corresponding to the address information of the proxy server;
and sends the feedback data to the network control device corresponding to the found address information of the network control device.
7. The network access control system according to claim 6, characterized in that the network control device searches, according to the first mapping table, the address information of the client corresponding to the address information of the network control device;
and sends the feedback data to the client corresponding to the found address information of the client.
8. A network access control method, characterized in that it includes:
receiving the network access request sent by a network control device, the network access request including: the address information of the service server to be visited and the target address information, the target address information being the address information of a preconfigured proxy server;
and the network access request being an access request whose target address information belongs to a first whitelist, the first whitelist including the list of address information of proxy servers that are allowed to be accessed;
judging whether the address information of the service server to be visited belongs to a second whitelist and, if so, sending the network access request to the service server to be visited, the second whitelist including the list of address information of service servers that are allowed to be accessed.
9. The network access control method according to claim 8, characterized in that, after judging that the address information of the service server to be visited belongs to the second whitelist, it further includes:
replacing the address information of the network control device with the target address information, and generating a second mapping table of the address information of the network control device and the target address information.
10. The network access control method according to claim 9, characterized in that the network access request further includes: the data content to be transmitted,
and correspondingly, sending the network access request to the service server to be visited includes:
sending the data content to be transmitted to the service server to be visited.
11. The network access control method according to claim 10, characterized in that it further includes:
receiving the feedback data generated by the service server to be visited based on the data content to be transmitted.
12. The network access control method according to claim 11, characterized in that it further includes:
searching, according to the second mapping table, the address information of the network control device corresponding to the address information of the proxy server;
and sending the feedback data to the network control device corresponding to the found address information of the network control device.
13. A network access control device, characterized in that it includes:
a first receiving module, for receiving the network access request sent by a network control device, the network access request including: the address information of the service server to be visited and the target address information, the target address information being the address information of a preconfigured proxy server;
and the network access request being an access request whose target address information belongs to a first whitelist, the first whitelist including the list of address information of proxy servers that are allowed to be accessed;
a judgment module, for judging whether the address information of the service server to be visited belongs to a second whitelist and, if so, sending the network access request to the service server to be visited, the second whitelist including the list of address information of service servers that are allowed to be accessed.
14. The network access control device according to claim 13, characterized in that it further includes:
a processing module, for replacing the address information of the network control device with the target address information, and generating a second mapping table of the address information of the network control device and the target address information.
15. The network access control device according to claim 14, characterized in that it further includes:
a sending module, for sending the data content to be transmitted to the service server to be visited.
16. The network access control method according to claim 15, characterized in that it further includes:
a second receiving module, for receiving the feedback data generated by the service server to be visited based on the data content to be transmitted.
17. The network access control method according to claim 16, characterized in that it further includes:
a searching module, for searching, according to the second mapping table, the address information of the network control device corresponding to the address information of the proxy server;
and sending the feedback data to the network control device corresponding to the found address information of the network control device.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611146932.2A CN108616490B (en) | 2016-12-13 | 2016-12-13 | Network access control method, device and system |
PCT/CN2017/112080 WO2018107943A1 (en) | 2016-12-13 | 2017-11-21 | Network access control method, apparatus and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108616490A true CN108616490A (en) | 2018-10-02 |
CN108616490B CN108616490B (en) | 2020-11-03 |
Family
ID=62557918
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611146932.2A Active CN108616490B (en) | 2016-12-13 | 2016-12-13 | Network access control method, device and system |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN108616490B (en) |
WO (1) | WO2018107943A1 (en) |
Families Citing this family (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110858173B (en) * | 2018-08-23 | 2024-05-28 | 北京搜狗科技发展有限公司 | Data processing method and device for data processing |
CN109842672B (en) * | 2018-12-13 | 2022-11-11 | 平安普惠企业管理有限公司 | Service request distribution method and device, computer equipment and storage medium |
CN112527247B (en) * | 2019-09-17 | 2024-05-14 | 西安诺瓦星云科技股份有限公司 | LED display control system simulation method, device and system |
CN110768849B (en) * | 2019-11-06 | 2022-08-05 | 深信服科技股份有限公司 | Network data viewing method and system |
CN110941838B (en) * | 2019-11-12 | 2024-03-01 | 深圳昂楷科技有限公司 | Database access method and device and electronic equipment |
CN111177631A (en) * | 2019-12-31 | 2020-05-19 | 苏宁云计算有限公司 | Method and system for accessing intranet service by extranet platform |
CN111460460B (en) * | 2020-04-02 | 2023-12-05 | 北京金山云网络技术有限公司 | Task access method, device, proxy server and machine-readable storage medium |
CN112039869B (en) * | 2020-08-27 | 2023-01-24 | 建信金融科技有限责任公司 | Method, device, storage medium and equipment for establishing network access relationship |
CN111913732B (en) * | 2020-08-28 | 2023-07-11 | 深圳赛安特技术服务有限公司 | Service updating method and device, management server and storage medium |
CN112087819B (en) * | 2020-09-10 | 2022-05-10 | 上海连尚网络科技有限公司 | Information request method, equipment and computer readable medium |
CN112134866A (en) * | 2020-09-15 | 2020-12-25 | 腾讯科技(深圳)有限公司 | Service access control method, device, system and computer readable storage medium |
CN112583845B (en) * | 2020-12-24 | 2023-11-07 | 深信服科技股份有限公司 | Access detection method, device, electronic equipment and computer storage medium |
CN113225308B (en) * | 2021-03-19 | 2022-11-08 | 深圳市网心科技有限公司 | Network access control method, node equipment and server |
CN113315772A (en) * | 2021-05-29 | 2021-08-27 | 南京步锐捷电子科技有限公司 | Network access control implementation method based on Internet of things |
CN113890896A (en) * | 2021-09-24 | 2022-01-04 | 中移(杭州)信息技术有限公司 | Network access method, communication device, and computer-readable storage medium |
CN113810504A (en) * | 2021-09-30 | 2021-12-17 | 北京天融信网络安全技术有限公司 | Transparent proxy service method and device |
CN114024714A (en) * | 2021-09-30 | 2022-02-08 | 山东云海国创云计算装备产业创新中心有限公司 | Access request processing method and device, network card equipment and storage computing system |
CN113938317A (en) * | 2021-11-29 | 2022-01-14 | 福建瑞网科技有限公司 | Network security monitoring method and computer equipment |
CN114629704A (en) * | 2022-03-14 | 2022-06-14 | 深圳须弥云图空间科技有限公司 | Method, device, equipment and storage medium for realizing safety of collaborative design software |
CN114615073A (en) * | 2022-03-22 | 2022-06-10 | 广州方硅信息技术有限公司 | Access flow control method, device, equipment and medium |
CN114640534A (en) * | 2022-03-29 | 2022-06-17 | 广州方硅信息技术有限公司 | Access interception control method, device, equipment and medium |
CN114598552A (en) * | 2022-03-29 | 2022-06-07 | 邹瀴 | Interface access control method and device, electronic equipment and storage medium |
CN114915497A (en) * | 2022-07-13 | 2022-08-16 | 杭州云缔盟科技有限公司 | Network access blocking method, device and application for Windows process |
CN117478423B (en) * | 2023-11-30 | 2024-05-03 | 东方物通科技(北京)有限公司 | Data security communication system and method |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102118398A (en) * | 2011-03-31 | 2011-07-06 | 北京星网锐捷网络技术有限公司 | Access control method, device and system |
CN104202307A (en) * | 2014-08-15 | 2014-12-10 | 小米科技有限责任公司 | Data forwarding method and device |
US20150089627A1 (en) * | 2013-05-03 | 2015-03-26 | Fortinet, Inc. | Securing email communications |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1152333C (en) * | 2002-07-31 | 2004-06-02 | 华为技术有限公司 | Method for realizing portal authentication based on protocols of authentication, charging and authorization |
CN1271822C (en) * | 2003-07-04 | 2006-08-23 | 华为技术有限公司 | Method of interactive processing of user terminal network selection information in WLAN |
KR20050097674A (en) * | 2004-04-02 | 2005-10-10 | 삼성전자주식회사 | Internet connection service method of mobile node and system thereof |
CN100421374C (en) * | 2005-06-01 | 2008-09-24 | ***通信集团公司 | Method for interacting office documents based on mobile communication network |
CN101026594A (en) * | 2007-01-23 | 2007-08-29 | 张志东 | Mail calling system and method |
CN101374044B (en) * | 2007-08-21 | 2010-12-15 | 中国电信股份有限公司 | Method and system for making business engine to obtain user identification |
US8555365B2 (en) * | 2010-05-21 | 2013-10-08 | Barracuda Networks, Inc. | Directory authentication method for policy driven web filtering |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109672665A (en) * | 2018-11-14 | 2019-04-23 | 北京奇艺世纪科技有限公司 | A kind of access control method, device, system and computer readable storage medium |
CN109672665B (en) * | 2018-11-14 | 2021-10-15 | 北京奇艺世纪科技有限公司 | Access control method, device and system and computer readable storage medium |
CN112637106A (en) * | 2019-09-24 | 2021-04-09 | 成都鼎桥通信技术有限公司 | Method and device for terminal to access website |
CN111064675A (en) * | 2019-11-08 | 2020-04-24 | 中移(杭州)信息技术有限公司 | Access flow control method, device, network equipment and storage medium |
CN112422429A (en) * | 2020-11-18 | 2021-02-26 | 贝壳技术有限公司 | Data request processing method and device and computer readable storage medium |
CN112422429B (en) * | 2020-11-18 | 2022-04-22 | 贝壳技术有限公司 | Data request processing method and device, storage medium and electronic equipment |
CN112702319A (en) * | 2020-12-11 | 2021-04-23 | 杭州安恒信息技术股份有限公司 | Access request port standardization method and device, electronic equipment and storage medium |
CN112653759A (en) * | 2020-12-22 | 2021-04-13 | 北京东方嘉禾文化发展股份有限公司 | Network access device and control method thereof |
CN114124477A (en) * | 2021-11-05 | 2022-03-01 | 深圳市联软科技股份有限公司 | Business service system and method |
CN114124477B (en) * | 2021-11-05 | 2024-04-05 | 深圳市联软科技股份有限公司 | Business service system and method |
CN114338809A (en) * | 2021-12-28 | 2022-04-12 | 山石网科通信技术股份有限公司 | Access control method, device, electronic equipment and storage medium |
CN114401133A (en) * | 2022-01-13 | 2022-04-26 | 中电福富信息科技有限公司 | Equipment monitoring vulnerability detection system based on agent |
CN114401133B (en) * | 2022-01-13 | 2023-12-01 | 中电福富信息科技有限公司 | Equipment monitoring vulnerability detection system based on agent |
Also Published As
Publication number | Publication date |
---|---|
WO2018107943A1 (en) | 2018-06-21 |
CN108616490B (en) | 2020-11-03 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |