CN111131143A - Network access control method, device and system - Google Patents


Info

Publication number: CN111131143A
Authority: CN (China)
Application number: CN201911018686.6A
Other languages: Chinese (zh)
Inventor: 李东声
Assignee: Tendyron Corp
Legal status: Pending

Classifications

    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L69/08 Protocols for interworking; Protocol conversion
    • H04L69/22 Parsing or analysis of headers


Abstract

The invention provides a network access control method, device and system. In the method, the current extranet network card receives first access instruction data and sends it to a first protocol parsing unit; the first protocol parsing unit converts the data format of the first access instruction data into that of a dedicated protocol to obtain second access instruction data, and transmits the second access instruction data to an authentication unit; the authentication unit verifies the authentication data in the second access instruction data and, once the verification passes, transmits the second access instruction data to a data access control unit; the data access control unit judges whether the visitor has the authority to execute the operation indicated by the operation instruction on the operation object and, if so, transmits the second access instruction data to a second protocol parsing unit; and the second protocol parsing unit converts the data format of the second access instruction data into that of a network protocol to obtain third access instruction data, which it sends through the intranet network card to the intranet server to execute the corresponding operation. In this way the intranet and the extranet are isolated from each other and the security of access is ensured.

Description

Network access control method, device and system
Technical Field
The present invention relates to the field of electronic technologies, and in particular, to a method, an apparatus, and a system for controlling network access.
Background
The intranet of an office environment holds a large amount of file data. With the continued spread and development of computer networks, the threat of network attacks grows ever more serious, and in the face of these threats the effectiveness of traditional network defence technology is declining. To ensure the security of intranet data, a solution that satisfies the physical isolation requirement while still permitting data exchange needs to be established between the intranet and the extranet.
Disclosure of Invention
The present invention is directed to solving one of the problems set forth above.
The invention mainly aims to provide a network access control device.
Another object of the present invention is to provide a network access control system.
Another object of the present invention is to provide a network access control method.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
One aspect of the present invention provides a network access control method, including the following steps:
S1, the current extranet network card receives first access instruction data sent by the visitor terminal and sends the first access instruction data to the scheduling unit, where the first access instruction data includes: visitor identity, operation instruction, operation object and authentication data;
S2, the scheduling unit receives the first access instruction data and sends it to a first protocol parsing unit;
S3, the first protocol parsing unit receives the first access instruction data, parses it to obtain its content, and converts the network-protocol data format of the first access instruction data into the data format of a dedicated protocol to obtain second access instruction data, where the network protocol is different from the dedicated protocol and the second access instruction data includes the visitor identity, the operation instruction, the operation object and the authentication data;
S4, the first protocol parsing unit transmits the second access instruction data to an authentication unit;
S5, the authentication unit receives the second access instruction data and verifies the authentication data in it;
S6, after the verification passes, the authentication unit transmits the second access instruction data to a data access control unit;
S7, the data access control unit receives the second access instruction data, obtains a locally preset access flag mapping table, and judges, according to the access flag mapping table and the visitor identity, operation instruction and operation object in the second access instruction data, whether the visitor has the right to execute the operation indicated by the operation instruction on the operation object, where the access flag mapping table indicates whether different visitor identities have the right to execute the operation indicated by the corresponding operation instruction on different operation objects;
S8, when the visitor has the authority to execute the operation indicated by the operation instruction on the operation object, the data access control unit transmits the second access instruction data to a second protocol parsing unit;
S9, the second protocol parsing unit receives the second access instruction data and converts the dedicated-protocol data format of the second access instruction data into the data format of the network protocol to obtain third access instruction data, whose elements include the visitor identity, the operation instruction and the operation object;
S10, the second protocol parsing unit sends the third access instruction data to an intranet network card; and
S11, the intranet network card receives the third access instruction data and sends it to an intranet server to execute the operation indicated by the operation instruction in the third access instruction data.
Optionally, before the current extranet card receives the first access instruction data sent by the visitor terminal, the method further includes: the scheduling unit detects that a previous external network card is subjected to blocking type attack, selects the current external network card from a plurality of external network cards according to a preset strategy, disables the previous external network card, and switches to the current external network card, wherein the previous external network card is the external network card selected by the scheduling unit before the current external network card.
Optionally, before the current extranet card receives the first access instruction data sent by the visitor terminal, the method further includes: the current external network card receives an access request sent by the visitor terminal and sends the access request to the scheduling unit, wherein the access request comprises information to be authenticated; the scheduling unit receives the access request and transmits the access request to an access authentication unit; the access authentication unit receives the access request, authenticates the information to be authenticated, and sends an access response to the scheduling unit after the authentication is passed, wherein the access response comprises a result of the access passing; and the scheduling unit receives the access response and sends the access response to the current external network card.
Optionally, the method further includes: after receiving the third access instruction data, the intranet server executes the operation indicated by the operation instruction in the third access instruction data to obtain first operation result data, and sends the first operation result data to the intranet card; the intranet card sends the first operation result data to the second protocol analysis unit; the second protocol analysis unit converts the data format of the network protocol of the first operation result data into the data format of a special protocol to obtain second operation result data, and sends the second operation result data to the first protocol analysis unit; the first protocol analysis unit receives the second operation result data, converts the data format of the special protocol of the second operation result data into the data format of the network protocol to obtain third operation result data, and sends the third operation result data to the scheduling unit; the scheduling unit sends the third operation result data to the current extranet network card; and the current extranet network card sends the third operation result data to the visitor terminal.
Optionally, the method further includes: the data access management and control unit generates and stores an operation log, wherein the operation log includes: the visitor identity, the operation instruction, the operation object and the time for executing the operation corresponding to the operation instruction.
Another aspect of the present invention provides a network access control apparatus, including:
the current extranet network card, configured to receive first access instruction data sent by a visitor terminal and send the first access instruction data to a scheduling unit, where the first access instruction data includes: visitor identity, operation instruction, operation object and authentication data;
the scheduling unit, configured to receive the first access instruction data and send it to the first protocol parsing unit;
the first protocol parsing unit, configured to receive the first access instruction data, parse it to obtain its content, convert the network-protocol data format of the first access instruction data into the data format of a dedicated protocol to obtain second access instruction data, where the second access instruction data includes the visitor identity, the operation instruction, the operation object and the authentication data, and transmit the second access instruction data to the authentication unit;
the authentication unit, configured to receive the second access instruction data and verify the authentication data in it, and, after the verification passes, transmit the second access instruction data to a data access control unit;
the data access control unit, configured to receive the second access instruction data, obtain a locally preset access flag mapping table, and determine, according to the access flag mapping table and the visitor identity, operation instruction and operation object in the second access instruction data, whether the visitor has the right to execute the operation indicated by the operation instruction on the operation object, where the access flag mapping table indicates whether different visitor identities have the right to execute the operation indicated by the corresponding operation instruction on different operation objects; and, when the visitor has that authority, send the second access instruction data to a second protocol parsing unit;
the second protocol parsing unit, configured to receive the second access instruction data, convert the dedicated-protocol data format of the second access instruction data into the data format of a network protocol to obtain third access instruction data, whose elements include the visitor identity, the operation instruction and the operation object, and send the third access instruction data to an intranet network card; and
the intranet network card, configured to receive the third access instruction data and send it to the intranet server to execute the operation indicated by the operation instruction.
Optionally, the scheduling unit is further configured to detect that a previous external network card is attacked in a blocking manner, select the current external network card from the multiple external network cards according to a preset policy, disable the previous external network card, and switch to the current external network card, where the previous external network card is the external network card selected by the scheduling unit before the current external network card.
Optionally, the apparatus further comprises: an access authentication unit, wherein: the current extranet network card is further configured to receive an access request sent by the visitor terminal before receiving first access instruction data sent by the visitor terminal, and send the access request to the scheduling unit, where the access request includes information to be authenticated; the scheduling unit is further configured to receive the access request and transmit the access request to the access authentication unit; the access authentication unit is used for receiving the access request, authenticating the information to be authenticated, and sending an access response to the scheduling unit after the authentication is passed, wherein the access response comprises a result of the access passing; and the scheduling unit is also used for receiving the access response and sending the access response to the current external network card.
Optionally, the data access control unit is further configured to generate and store an operation log, where the operation log includes: the visitor identity, the operation instruction, the operation object and the time for executing the operation corresponding to the operation instruction.
Another aspect of the present invention provides a network access control system, including the network access control device described above and an intranet server, where the intranet server is configured to receive the third access instruction data, execute the operation indicated by the operation instruction in the third access instruction data to obtain first operation result data, and send the first operation result data to the intranet network card.
It can be seen from the above technical solutions that the present invention provides a method, an apparatus and a system for controlling network access which allow intranet and extranet data to be exchanged and accessed while direct interaction between the intranet and the extranet is separated by intermediate translation, thereby isolating the two networks. By establishing an access flag mapping table, the authority of external parties to access internal data is controlled and illegal access is prevented.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a network access control apparatus according to embodiment 1 of the present invention;
fig. 2 is a schematic structural diagram of a network access control system according to embodiment 1 of the present invention;
fig. 3 is a flowchart of a network access control method according to embodiment 1 of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it is to be understood that the terms "center", "longitudinal", "lateral", "up", "down", "front", "back", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like, indicate orientations or positional relationships based on those shown in the drawings, and are used only for convenience in describing the present invention and for simplicity in description, and do not indicate or imply that the referenced devices or elements must have a particular orientation, be constructed and operated in a particular orientation, and thus, are not to be construed as limiting the present invention. Furthermore, the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or quantity or location.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Embodiments of the present invention will be described in further detail below with reference to the accompanying drawings.
Example 1
This embodiment provides a network access control device. Fig. 1 shows the structure of the network access control apparatus according to this embodiment. As shown in Fig. 1, the network access control apparatus 100 includes: a plurality of extranet network cards (the one currently in use is referred to as the current extranet network card 10), a first protocol parsing unit 20, a scheduling unit 30, an authentication unit 40, a data access control unit 50, an access authentication unit 60, a second protocol parsing unit 70 and an intranet network card 80.
In this embodiment, data transmitted between the first protocol parsing unit 20, the scheduling unit 30 and the current extranet network card 10 uses the data format of a network protocol (TCP/IP). The first protocol parsing unit 20 converts the received access instruction data into the data format of a dedicated protocol that is different from the network protocol; the dedicated protocol may include, but is not limited to, one of the following: a serial port protocol, a USB protocol, a 2.4G protocol, an optical communication protocol or a modified TCP/IP protocol. Until the data reaches the intranet network card 80, transmission between the units uses the dedicated-protocol data format. Before forwarding the received access instruction data to the intranet network card, the second protocol parsing unit 70 converts the dedicated-protocol data format back into the network-protocol data format, so the data transmitted between the second protocol parsing unit 70 and the intranet network card again uses the network protocol. A network access control system that satisfies the physical isolation requirement while still allowing data exchange is thus established between the intranet and the extranet, and isolation between the networks is realised by the physical transmission path.
In addition, after receiving the access instruction data of the external network, the network access control device provided in this embodiment converts the network format of the access instruction data into the data format of the dedicated protocol by using the first protocol analysis unit 20, analyzes the access instruction data, then determines the access authority by using the data access control unit 50, and after determining that the access authority is provided, outputs the access instruction data to the internal network card 80 by using the second protocol analysis unit 70, thereby really realizing the combination of physical isolation and logical isolation.
The respective components of the net access control device will be described in detail below.
The network access control device in this embodiment is provided with a plurality of external network cards, and data backup can be performed among the plurality of external network cards in real time, the scheduling unit 30 implements scheduling of the external network cards, and selects the currently used external network card according to a preset policy. The scheduling unit 30 selects a current extranet card 10 to communicate with the extranet visitor terminal.
The current extranet card 10 is configured to receive first access instruction data sent by a visitor terminal, and send the first access instruction data to the scheduling unit 30, where the content of the first access instruction data may specifically refer to table 1.
TABLE 1
Visitor identity | Operation instruction | Operation object | Time (optional) | Authentication data
As shown in Table 1, the first access instruction data includes: visitor identity, operation instruction, operation object and authentication data. Optionally, the current access time may also be included. The visitor identity may be, for example, administrator, general visitor or registered user; the operation instruction may be read only, modify, add, delete, and so on; the operation object is the data on which the operation is to be executed, such as a file. The authentication data is a check value over the instruction message, for example a MAC check value, and is used to verify that the visitor's identity is legitimate.
The scheduling unit 30 is configured to receive the first access instruction data and transmit the first access instruction data to the first protocol parsing unit 20;
The first protocol parsing unit 20 is configured to receive the first access instruction data, parse it to obtain its content, and convert the network-protocol data format of the first access instruction data into the data format of a dedicated protocol to obtain second access instruction data, where the second access instruction data includes the visitor identity, the operation instruction, the operation object and the authentication data (see Table 1); and to transmit the second access instruction data to the authentication unit 40;
In this application, the network protocol data format is TCP/IP, and the serial port protocol may be RS-232, RS-422, RS-485 or the like. After the first protocol parsing unit 20 converts the format of the extranet data, the second access instruction data is transmitted between the functional units of the network access control device in the converted format. The content of the second access instruction data is the same as that of the first access instruction data; the intermediate translation separates direct interaction between the intranet and the extranet, which is how the two networks are isolated.
An authentication unit 40, configured to receive the second access instruction data and verify authentication data in the second access instruction data; after the verification is passed, transmitting the second access instruction data to the data access control unit 50;
The second access instruction data includes the authentication data, which is a check value over the instruction message, for example a MAC value. The authentication unit 40 verifies this check value and, once the verification passes, confirms that the identity of the visitor is legitimate.
The data access control unit 50 is configured to receive the second access instruction data, obtain a locally preset access flag mapping table, and determine, according to that table and the visitor identity, operation instruction and operation object in the second access instruction data, whether the visitor has the authority to execute the operation indicated by the operation instruction on the operation object; the data access control unit 50 establishes the access flag mapping table in advance. The access flag mapping table indicates whether different visitor identities have the right to execute the operation indicated by the corresponding operation instruction on different operation objects; Table 2 gives a schematic example. Table 2 shows the access rights of three visitor identities to the operation objects A, B, C and D, where R denotes read only, C denotes modify, A denotes add and D denotes delete. Person 1, person 2 and person 3 are visitors of three different identities: for example, the administrator is person 1, with the highest access rights (RCAD), while person 2 and person 3 are ordinary visitors. As the table shows, person 2 has rights R (read only) and C (modify) on operation objects A and B, and only R (read only) on operation objects C and D. Person 3 has R (read only), C (modify), A (add) and D (delete) on operation object A, and only R (read only) on operation objects B, C and D. When the visitor has the authority to execute the operation indicated by the operation instruction on the operation object, the second access instruction data is transmitted to the second protocol parsing unit 70.
TABLE 2
Visitor identity | A | B | C | D
Person 1 (administrator) | RCAD | RCAD | RCAD | RCAD
Person 2 | RC | RC | R | R
Person 3 | RCAD | R | R | R
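As an added example, not code from the patent, the following Python models steps S3 to S9 of the method over the Table 2 mapping: the JSON network form, the length-prefixed dedicated frame, the HMAC-SHA256 check value and the operation names are all assumptions, since the patent specifies none of them.

```python
import hashlib
import hmac
import json
import struct
import time

# Constructed demo key shared by the visitor terminal and the authentication unit
# (assumption: the patent only says the authentication data is a MAC check value).
DEMO_KEY = b"demo-shared-key-not-for-production"

# Access flag mapping table holding the contents of Table 2:
# R = read only, C = modify, A = add, D = delete.
ACCESS_FLAG_TABLE = {
    "person1": {"A": "RCAD", "B": "RCAD", "C": "RCAD", "D": "RCAD"},  # administrator
    "person2": {"A": "RC", "B": "RC", "C": "R", "D": "R"},
    "person3": {"A": "RCAD", "B": "R", "C": "R", "D": "R"},
}
# Operation instruction names (assumed spelling) mapped to the single-letter flags.
OP_FLAG = {"read": "R", "modify": "C", "add": "A", "delete": "D"}

OPERATION_LOG = []  # operation log kept by the data access control unit (in memory here)


def compute_authentication_data(visitor, operation, obj, key=DEMO_KEY):
    """MAC check value over the instruction message (HMAC-SHA256 is an assumption)."""
    msg = "|".join((visitor, operation, obj)).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def encode_dedicated(fields):
    """Dedicated-protocol frame (assumed layout): 2-byte big-endian length prefix per field."""
    out = b""
    for f in fields:
        raw = f.encode("utf-8")
        out += struct.pack(">H", len(raw)) + raw
    return out


def decode_dedicated(frame):
    """Inverse of encode_dedicated; a truncated frame is rejected rather than guessed at."""
    fields, pos = [], 0
    while pos < len(frame):
        if pos + 2 > len(frame):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">H", frame[pos:pos + 2])
        pos += 2
        if pos + n > len(frame):
            raise ValueError("truncated field")
        fields.append(frame[pos:pos + n].decode("utf-8"))
        pos += n
    return fields


def first_protocol_parse(first_data):
    """First protocol parsing unit (S3): network format (JSON bytes) -> dedicated frame.
    Only the Table 1 fields are carried over; anything else in the message is dropped."""
    d = json.loads(first_data.decode("utf-8"))
    return encode_dedicated([d["visitor"], d["operation"], d["object"], d["auth"]])


def authentication_unit(second_data, key=DEMO_KEY):
    """Authentication unit (S5): recompute the check value and compare in constant time."""
    visitor, operation, obj, auth = decode_dedicated(second_data)
    expected = compute_authentication_data(visitor, operation, obj, key)
    return hmac.compare_digest(expected, auth)


def data_access_control(second_data):
    """Data access control unit (S7): table lookup with default deny; allowed ops are logged."""
    visitor, operation, obj, _ = decode_dedicated(second_data)
    flag = OP_FLAG.get(operation)
    allowed = flag is not None and flag in ACCESS_FLAG_TABLE.get(visitor, {}).get(obj, "")
    if allowed:
        OPERATION_LOG.append({"visitor": visitor, "operation": operation,
                              "object": obj, "time": time.time()})
    return allowed


def second_protocol_parse(second_data):
    """Second protocol parsing unit (S9): dedicated frame -> network format, auth data removed."""
    visitor, operation, obj, _ = decode_dedicated(second_data)
    return json.dumps({"visitor": visitor, "operation": operation, "object": obj}).encode("utf-8")


def process_access_instruction(first_data, key=DEMO_KEY):
    """Runs the S3 to S9 chain; returns ("ok", third_data) or (reason, None)."""
    try:
        second_data = first_protocol_parse(first_data)
    except (ValueError, KeyError, TypeError, AttributeError, UnicodeDecodeError):
        return ("malformed", None)
    if not authentication_unit(second_data, key):
        return ("authentication failed", None)
    if not data_access_control(second_data):
        return ("no authority", None)
    return ("ok", second_protocol_parse(second_data))


def make_first_data(visitor, operation, obj, key=DEMO_KEY):
    """Stands in for the visitor terminal: builds first access instruction data (constructed input)."""
    auth = compute_authentication_data(visitor, operation, obj, key)
    return json.dumps({"visitor": visitor, "operation": operation,
                       "object": obj, "auth": auth}).encode("utf-8")
```

The third access instruction data that leaves `second_protocol_parse` carries only the visitor identity, operation instruction and operation object, matching S9, so the check value never reaches the intranet server.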
The second protocol parsing unit 70 is configured to receive the second access instruction data and convert the dedicated-protocol data format of the second access instruction data into the data format of the network protocol to obtain third access instruction data, whose elements include the visitor identity, the operation instruction and the operation object; and to send the third access instruction data to the intranet network card;
In this application, the data format is converted before the third access instruction data is sent to the intranet network card, so that data leaving the network access control device is in the network-protocol format. The content of the third access instruction data is the same as that of the second access instruction data; the intermediate translation separates direct interaction between the intranet and the extranet, which is how the two networks are isolated.
And the intranet card 80 is configured to receive the third access instruction data, and send the third access instruction data to the intranet server to execute the operation indicated by the operation instruction.
The network access control device provided by this embodiment allows intranet and extranet data to be exchanged and accessed while direct interaction between the two networks is separated by intermediate translation, thereby isolating the intranet from the extranet. By establishing an access flag mapping table, the authority of external parties to access internal data is controlled and illegal access is prevented.
As an optional implementation manner in this embodiment, the scheduling unit 30 is further configured to detect that a previous external network card is under a blocking attack, select the current external network card 10 from the multiple external network cards according to a preset policy, disable the previous external network card, and switch to the current external network card 10; the prior external network card is the external network card selected by the scheduling unit 30 before the current external network card.
During the handshake that precedes establishment of a network connection, a client may forge a large number of nonexistent IP addresses within a short time and continuously send connection request packets to a server; the server replies with acknowledgement packets and waits for the client's confirmation, but because the source addresses do not exist it must keep retransmitting until timeout. The forged request packets thus occupy the half-open connection queue for a long time, normal connection requests are discarded because the queue is full, and the result is network congestion or even system paralysis. Specifically, when the scheduling unit 30 observes a large number of half-open connection states whose source IP addresses are random, it determines that the previous extranet network card is under a blocking attack, disables the extranet network card currently in use, and selects and enables, from among the plurality of extranet network cards, one that is idle or at the front of the queue.
In this embodiment, in order to implement isolation between the internal network and the external network, the converted data format is used inside the network access control device, so the network card switching instruction is also in the dedicated protocol format. Specifically, the scheduling unit 30 disables the previous external network card and switches to the current one as follows: the scheduling unit 30 disables the port connected to the previous external network card and enables the port connected to the current external network card 10. In this embodiment, the network access control device has a plurality of external network cards that serve as real-time backups for one another, each with a different IP address, so that data transmission and reception can temporarily switch the network communication channel to another card; this ensures that the network remains usable and avoids network paralysis caused by a blocking attack.
As an optional implementation manner in this embodiment, the current external network card 10 is further configured to receive an access request sent by the visitor terminal before receiving the first access instruction data, and to send the access request to the scheduling unit 30, where the access request includes information to be authenticated; the scheduling unit 30 is further configured to receive the access request and transmit it to the access authentication unit 60; the access authentication unit 60 is configured to receive the access request, authenticate the information to be authenticated, and, after the authentication passes, send an access response to the scheduling unit 30, where the access response includes the result that access is allowed; the scheduling unit 30 is further configured to receive the access response and send it to the current external network card 10. Authenticating the external access connection in this way verifies whether the access is legitimate and ensures the legitimacy of the visitor terminal requesting access.
In a specific implementation, receiving the access request sent by the visitor terminal, authenticating the information to be authenticated carried in it, and returning an access response after the authentication passes covers the following cases:
Case one: the information to be authenticated includes the SSL (Secure Sockets Layer) protocol version number, encryption algorithm type, random number and similar information of the visitor terminal. The access authentication unit 60 verifies this information and, after confirming the SSL protocol version number and the encryption algorithm, generates an access response that includes the locally supported SSL protocol version number, encryption algorithm type, random number and similar information together with the digital certificate of the network access control device, that is, its public key certificate; the access response carries the digital certificate so that the visitor terminal can verify the certificate of the network access control device.
Case two: the information to be authenticated includes the digital certificate and the encryption schemes of the visitor terminal. The access authentication unit 60 verifies the digital certificate, obtains the visitor terminal's public key from that certificate after verification, selects the strongest encryption scheme among those offered by the visitor terminal, and encrypts the selected scheme with the visitor terminal's public key; the encrypted scheme is carried in the access response. By verifying the visitor terminal's digital certificate, the access authentication unit 60 ensures the legitimacy of the visitor terminal. An encryption scheme consists of an encryption algorithm and an encryption key; in subsequent communication the two parties encrypt the transmitted data with that algorithm and key, ensuring the security of information in transit.
As an optional implementation manner in this embodiment, the data access management and control unit 50 is further configured to generate and store an operation log, where the operation log includes: the visitor identity, the operation instruction, the operation object and the time for executing the operation corresponding to the operation instruction. Thus, the data access management and control unit 50 can also perform subsequent audit management.
In this embodiment, after receiving external network access data, the network access control device converts its network-protocol format into the dedicated protocol format by means of the protocol parsing unit, parses the data, determines the access right, and outputs the access data to the internal network card only after determining that the access right exists, thereby truly combining physical isolation with logical isolation.
Example 2
This embodiment provides a network access control system. As shown in fig. 2, the network access control system includes the network access control device 100 of embodiment 1, an intranet server 200 and a visitor terminal 300. The visitor terminal 300 is configured to send access instruction data to the network access control device 100; for the specific structure and function of the network access control device 100, refer to the description in embodiment 1, which is not repeated here.
The intranet server 200 is configured to receive third access instruction data sent by the network access control device 100, execute an operation indicated by an operation instruction in the third access instruction data, acquire first operation result data, and send the first operation result data to the intranet card 80.
the intranet card 80 is configured to send the first operation result data to the second protocol parsing unit 70;
the second protocol analyzing unit 70 is configured to convert the data format of the network protocol of the first operation result data into the data format of the dedicated protocol to obtain second operation result data, and send the second operation result data to the first protocol analyzing unit 20;
the first protocol parsing unit 20 is configured to receive the second operation result data, convert a data format of a dedicated protocol of the second operation result data into a data format of a network protocol, obtain third operation result data, and send the third operation result data to the scheduling unit 30;
the scheduling unit 30 is configured to send the third operation result data to the current extranet network card 10;
the current extranet card 10 is configured to send the third operation result data to the visitor terminal.
In the network access control system provided in this embodiment, after receiving the external network access data, the network access control device converts the network format of the external network access data into the data format of the dedicated protocol by means of the protocol parsing unit, parses the data, performs the access right determination, and only when the external network access data is determined to have the corresponding access right can the access data be output to the internal network card, so that the combination of physical isolation and logical isolation is truly realized. After receiving the external network access data, the intranet server executes the corresponding operation to generate operation result data; a protocol parsing unit converts the network protocol data format of the operation result data into the dedicated protocol data format, and the dedicated-protocol form of the operation result data is converted back into the network format before being sent to the external network. Direct access interaction between the internal and external networks is thus separated through a further intermediate translation, realizing the isolation of the internal and external networks.
Example 3
The embodiment provides a network access control method. The method can be implemented using the network access control apparatus provided in embodiment 1. Fig. 3 is a flowchart of a network access control method provided in this embodiment. As shown in fig. 3, the network access control method includes the following steps (S1-S11):
S1, the current extranet network card receives the first access instruction data sent by the visitor terminal and sends it to the scheduling unit, where the first access instruction data includes the visitor identity, the operation instruction, the operation object and the authentication data; see table 1 for the specific layout, and the related description in embodiment 1 for details, which are not repeated here.
S2, the scheduling unit receives the first access instruction data, and transmits the first access instruction data to the first protocol parsing unit.
S3, the first protocol parsing unit receives the first access instruction data, parses it to obtain its content, and converts the network protocol data format of the first access instruction data into the data format of the dedicated protocol to obtain second access instruction data, where the second access instruction data includes the visitor identity, the operation instruction, the operation object and the authentication data.
In this application the dedicated protocol is different from the network protocol: the network protocol is TCP/IP, and the dedicated protocol may include, but is not limited to, one of the following: a serial port protocol, a USB protocol, a 2.4G protocol, an optical communication protocol, or a modified TCP/IP protocol. The serial port protocol may be, for example, RS-232, RS-422 or RS-485. After the first protocol parsing unit converts the data format of the external network data, the converted format is used between the functional units inside the network access control device to transmit the second access instruction data, whose content is the same as that of the first access instruction data; direct access interaction between the internal and external networks is thus separated through intermediate translation, realizing the isolation of the internal and external networks.
S4, the first protocol parsing unit transmits the second access instruction data to the authentication unit.
S5, the authentication unit receives the second access instruction data and verifies the authentication data in the second access instruction data.
The second access instruction data carries authentication data, which is a check value over the instruction message, such as a MAC value; the authentication unit verifies the check value and, once verification passes, confirms that the visitor's identity is legitimate.
S6, after the verification passes, the authentication unit transmits the second access instruction data to the data access control unit.
S7, the data access control unit receives the second access instruction data, obtains the locally preset access flag mapping table, and judges, according to that table and the visitor identity, operation instruction and operation object in the second access instruction data, whether the visitor has the right to execute the operation indicated by the operation instruction on the operation object.
The data access control unit establishes the access flag mapping table in advance; see table 2. The table indicates whether different visitor identities have the right to execute the operation indicated by the corresponding operation instruction on different operation objects. For the description of table 2, refer to embodiment 1; it is not repeated here.
S8, if the visitor has the right to execute the operation indicated by the operation instruction on the operation object, the data access control unit transmits the second access instruction data to the second protocol parsing unit;
S9, the second protocol parsing unit receives the second access instruction data and converts the dedicated protocol data format of the second access instruction data into the network protocol data format to obtain third access instruction data, where the elements of the third access instruction data include the visitor identity, the operation instruction and the operation object;
In this application, data format conversion is performed before the third access instruction data is sent to the intranet card: data leaving the network access control device is converted into the network protocol format. The content of the third access instruction data is the same as that of the second access instruction data, and direct access interaction between the internal and external networks is separated through intermediate translation, realizing the isolation of the internal and external networks.
S10, the second protocol parsing unit sends the third access instruction data to the intranet card;
S11, the intranet card receives the third access instruction data and sends it to the intranet server, which executes the operation indicated by the operation instruction in the third access instruction data.
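Steps S1 to S11, together with the operation log kept by the data access control unit, worked through as an added example in Python; this is not code from the patent or from Tendyron. The JSON "network format", the length-prefixed "dedicated format", the use of HMAC-SHA256 as the check value, the shared key, and the contents of the access flag mapping table are all constructed assumptions standing in for table 1 and table 2.

```python
import hashlib
import hmac
import json
import struct
import time

# Shared key between the visitor terminal and the authentication unit (constructed for this
# example; the page only says the authentication data is a check value such as a MAC).
SHARED_MAC_KEY = b"example-visitor-terminal-key"

# Stand-in for the page's table 2: visitor identity -> operation object -> permitted instructions.
ACCESS_FLAG_TABLE = {
    "visitor_A": {"orders_db": {"read"}, "report_files": {"read", "write"}},
    "visitor_B": {"orders_db": {"read", "write"}},
}

# Operation log kept by the data access control unit: visitor, instruction, object, time.
OPERATION_LOG = []


def compute_mac(visitor_id, operation, obj, key=SHARED_MAC_KEY):
    """Check value over the instruction message; HMAC-SHA256 is an assumed choice of MAC."""
    message = "|".join((visitor_id, operation, obj)).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def build_first_access_instruction(visitor_id, operation, obj, key=SHARED_MAC_KEY):
    """S1: what the visitor terminal sends, in the network-protocol format (modelled as JSON)."""
    return json.dumps({"visitor_id": visitor_id, "operation": operation, "object": obj,
                       "auth": compute_mac(visitor_id, operation, obj, key)}).encode()


def to_dedicated_format(first_data):
    """S3, first protocol parsing unit: parse the network format and re-encode the same four
    fields in the dedicated format, modelled as big-endian length-prefixed fields."""
    parsed = json.loads(first_data)
    out = b""
    for field in (parsed["visitor_id"], parsed["operation"], parsed["object"], parsed["auth"]):
        raw = field.encode()
        out += struct.pack(">H", len(raw)) + raw
    return out


def parse_dedicated_format(second_data):
    """Split a dedicated-format record back into (visitor_id, operation, object, auth)."""
    fields, pos = [], 0
    while pos + 2 <= len(second_data):
        (length,) = struct.unpack(">H", second_data[pos:pos + 2])
        pos += 2
        fields.append(second_data[pos:pos + length].decode())
        pos += length
    if len(fields) != 4 or pos != len(second_data):
        raise ValueError("malformed dedicated-format record")
    return tuple(fields)


def verify_authentication(second_data, key=SHARED_MAC_KEY):
    """S5, authentication unit: recompute the check value and compare in constant time."""
    visitor_id, operation, obj, auth = parse_dedicated_format(second_data)
    return hmac.compare_digest(auth, compute_mac(visitor_id, operation, obj, key))


def has_permission(visitor_id, operation, obj):
    """S7, data access control unit: consult the access flag mapping table; any visitor,
    object or instruction missing from the table is denied by default."""
    return operation in ACCESS_FLAG_TABLE.get(visitor_id, {}).get(obj, set())


def to_network_format(second_data):
    """S9, second protocol parsing unit: back to the network format. The third access
    instruction data carries only identity, instruction and object; the check value stays inside."""
    visitor_id, operation, obj, _auth = parse_dedicated_format(second_data)
    return json.dumps({"visitor_id": visitor_id, "operation": operation, "object": obj}).encode()


def process_access_instruction(first_data, now=None):
    """S2 to S10 in order. Returns (third access instruction data or None, reason)."""
    second_data = to_dedicated_format(first_data)
    if not verify_authentication(second_data):
        return None, "authentication failed"
    visitor_id, operation, obj, _ = parse_dedicated_format(second_data)
    if not has_permission(visitor_id, operation, obj):
        return None, "no access right"
    third_data = to_network_format(second_data)
    OPERATION_LOG.append({"visitor": visitor_id, "operation": operation, "object": obj,
                          "time": time.time() if now is None else now})
    return third_data, "forwarded to intranet card"


if __name__ == "__main__":
    allowed = build_first_access_instruction("visitor_A", "write", "report_files")
    print(process_access_instruction(allowed))      # forwarded to intranet card
    denied = build_first_access_instruction("visitor_A", "write", "orders_db")
    print(process_access_instruction(denied))       # no access right
    forged = build_first_access_instruction("visitor_B", "write", "orders_db", key=b"wrong-key")
    print(process_access_instruction(forged))       # authentication failed
```

Note that a request with a bad check value is rejected at S5 before the access flag mapping table is ever consulted, and that a forwarded record never carries the check value past the second protocol parsing unit.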
As an optional implementation manner in this embodiment, before the current external network card receives the first access instruction data sent by the visitor terminal, the method provided in this embodiment further includes: the scheduling unit detects that the previous external network card is under a blocking attack, selects the current external network card from the plurality of external network cards according to a preset policy, disables the previous external network card and switches to the current external network card; the previous external network card is the one that the scheduling unit selected before the current external network card.
In the handshake before a network connection is established, a client forges a large number of nonexistent IP addresses in a short time and continuously sends connection-establishment request packets to the server; the server replies with acknowledgement packets and waits for the client's confirmation. Because the source addresses do not exist, the server keeps retransmitting until timeout, and the forged request packets occupy the unconnected queue for a long time, so that normal connection requests are discarded when the queue is full, causing network congestion or even system paralysis. Specifically, when the scheduling unit observes a large number of half-open connection states whose source IP addresses are random, it can determine that the previous external network card is under a blocking attack; the scheduling unit then disables the previous external network card currently in use and selects and enables, from among the plurality of external network cards, one that is idle or queued up ahead.
In this embodiment, in order to implement isolation between the internal network and the external network, the converted data format is used inside the network access control device, so the network card switching instruction is also in the dedicated protocol format. Specifically, the scheduling unit disables the previous external network card and switches to the current one as follows: the scheduling unit disables the port connected to the previous external network card and enables the port connected to the current external network card. In this embodiment, the network access control device has a plurality of external network cards that serve as real-time backups for one another, each with a different IP address, so that data transmission and reception can temporarily switch the network communication channel to another card; this ensures that the network remains usable and avoids network paralysis caused by a blocking attack.
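The half-connection detection rule and the network card switch described here, and in the corresponding device passage of embodiment 1, as an added example in Python that is not the patent's own code. The thresholds, the "distinct source ratio" test used to decide that source addresses are random, the queue-length selection policy, the card names and the sample addresses are all constructed assumptions, since the page gives no numbers.

```python
from dataclasses import dataclass


@dataclass
class HalfConnection:
    """One entry of the scheduling unit's unconnected (half-connection) queue."""
    src_ip: str
    nic: str  # name of the external network card the request arrived on


@dataclass
class ExternalNic:
    """One of the device's external network cards; each has its own IP and its own port."""
    name: str
    ip: str
    port_enabled: bool = True
    queued: int = 0  # requests waiting on this card; 0 means idle


# Constructed thresholds; the page gives no numbers for "a large number" or "random".
HALF_OPEN_THRESHOLD = 100     # at least this many half-open entries on one card
DISTINCT_SOURCE_RATIO = 0.9   # sources count as random when almost every entry has its own


def is_blocking_attack(half_open, nic_name, threshold=HALF_OPEN_THRESHOLD,
                       ratio=DISTINCT_SOURCE_RATIO):
    """Detection rule: many half-open states on one card whose source IPs are nearly all distinct."""
    entries = [h for h in half_open if h.nic == nic_name]
    if len(entries) < threshold:
        return False
    distinct = len({h.src_ip for h in entries})
    return distinct / len(entries) >= ratio


def select_replacement(nics, previous_name):
    """Preset policy (assumed): among cards with an enabled port other than the previous one,
    take the idle card if there is one, otherwise the one queued up furthest ahead."""
    candidates = [n for n in nics if n.port_enabled and n.name != previous_name]
    if not candidates:
        return None
    return min(candidates, key=lambda n: n.queued)


def failover_if_attacked(nics, half_open, current_name):
    """Return the name of the card to use next. Under attack, disable the port of the previous
    card and switch to the selected one; if no replacement exists the current card is kept."""
    if not is_blocking_attack(half_open, current_name):
        return current_name
    replacement = select_replacement(nics, current_name)
    if replacement is None:
        return current_name
    for nic in nics:
        if nic.name == current_name:
            nic.port_enabled = False  # "disable the port connected to the previous card"
    return replacement.name


def build_sample_cards():
    """Constructed: three external cards with different IPs (documentation address range)."""
    return [ExternalNic("eth_ext0", "192.0.2.10", queued=40),
            ExternalNic("eth_ext1", "192.0.2.11", queued=5),
            ExternalNic("eth_ext2", "192.0.2.12", queued=0)]


def build_attack_queue(nic="eth_ext0", count=150):
    """Constructed: half-open entries each from a different, nonexistent source address."""
    return [HalfConnection(f"203.0.113.{i}", nic) for i in range(count)]


def build_busy_queue(nic="eth_ext0", count=150):
    """Constructed: the same volume, but from three legitimate clients retrying, so sources repeat."""
    sources = ("198.51.100.5", "198.51.100.6", "198.51.100.7")
    return [HalfConnection(sources[i % len(sources)], nic) for i in range(count)]


if __name__ == "__main__":
    cards = build_sample_cards()
    print(failover_if_attacked(cards, build_busy_queue(), "eth_ext0"))    # eth_ext0: busy, not attacked
    print(failover_if_attacked(cards, build_attack_queue(), "eth_ext0"))  # eth_ext2: idle card chosen
    print([(c.name, c.port_enabled) for c in cards])
```

The busy queue has the same number of half-open entries as the attack queue, but its sources repeat, so the volume alone does not trigger a switch; only the combination of volume and random-looking sources does.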
As an optional implementation manner in this embodiment, before the current external network card receives the first access instruction data sent by the visitor terminal, the method provided in this embodiment further includes: the current external network card receives an access request sent by the visitor terminal and sends it to the scheduling unit, where the access request includes information to be authenticated; the scheduling unit receives the access request and transmits it to the access authentication unit; the access authentication unit receives the access request, authenticates the information to be authenticated, and, after the authentication passes, sends an access response to the scheduling unit, where the access response includes the result that access is allowed; and the scheduling unit receives the access response and sends it to the current external network card.
In a specific implementation, receiving the access request sent by the visitor terminal, authenticating the information to be authenticated carried in it, and returning an access response after the authentication passes covers the following cases:
Case one: the information to be authenticated includes the SSL protocol version number, encryption algorithm type, random number and similar information of the visitor terminal. The access authentication unit verifies this information and, after confirming the SSL protocol version number and the encryption algorithm, generates an access response that includes the locally supported SSL protocol version number, encryption algorithm type, random number and similar information together with the digital certificate of the network access control device, that is, its public key certificate; the access response carries the digital certificate so that the visitor terminal can verify the certificate of the network access control device.
Case two: the information to be authenticated includes the digital certificate and the encryption schemes of the visitor terminal. The access authentication unit 60 verifies the digital certificate, obtains the visitor terminal's public key from that certificate after verification, selects the strongest encryption scheme among those offered by the visitor terminal, and encrypts the selected scheme with the visitor terminal's public key; the encrypted scheme is carried in the access response. By verifying the visitor terminal's digital certificate, the access authentication unit ensures the legitimacy of the visitor terminal. An encryption scheme consists of an encryption algorithm and an encryption key; in subsequent communication the two parties encrypt the transmitted data with that algorithm and key, ensuring the security of information in transit.
As an optional implementation manner in this embodiment, the method provided in this embodiment further includes:
after receiving the third access instruction data, the intranet server executes the operation indicated by the operation instruction in the third access instruction data, acquires first operation result data, and sends the first operation result data to the intranet card; the intranet card sends the first operation result data to the second protocol analysis unit; the second protocol analysis unit converts the data format of the network protocol of the first operation result data into the data format of the special protocol to obtain second operation result data, and sends the second operation result data to the first protocol analysis unit; the first protocol analysis unit receives the second operation result data, converts the data format of the special protocol of the second operation result data into the data format of the network protocol to obtain third operation result data, and sends the third operation result data to the scheduling unit; the scheduling unit sends the third operation result data to the current external network card; and the current external network card sends the third operation result data to the visitor terminal.
As an optional implementation manner in this embodiment, the method provided in this embodiment further includes: the data access management and control unit generates and stores an operation log, wherein the operation log includes: the visitor identity, the operation instruction, the operation object and the time for executing the operation corresponding to the operation instruction. Therefore, the data access control unit can also perform subsequent audit management.
In this embodiment, after receiving external network access data, the network access control device converts its network-protocol format into the dedicated protocol format by means of the protocol parsing unit, parses the data, determines the access right, and outputs the access data to the internal network card only after determining that the access right exists, thereby truly combining physical isolation with logical isolation.
The network access control method provided by this embodiment can realize the exchange of and access to internal and external network data, while direct access interaction between the internal and external networks is separated through intermediate translation, so that the isolation of the internal and external networks is realized. By establishing an access flag mapping table, the access rights of external parties to internal data are controlled, and illegal access is prevented.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made in the above embodiments by those of ordinary skill in the art without departing from the principle and spirit of the present invention. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (10)

1. A network access control method, comprising:
S1, the current extranet card receives first access instruction data sent by the visitor terminal, and sends the first access instruction data to the scheduling unit, where the first access instruction data includes: visitor identity, operation instruction, operation object and authentication data;
S2, the scheduling unit receives the first access instruction data and sends the first access instruction data to a first protocol analysis unit;
S3, the first protocol parsing unit receives the first access instruction data, parses the first access instruction data to obtain content in the first access instruction data, and converts a network protocol data format of the first access instruction data into a data format of a dedicated protocol to obtain second access instruction data, where the network protocol is different from the dedicated protocol, and the second access instruction data includes the visitor identity, the operation instruction, the operation object, and the authentication data;
S4, the first protocol analysis unit transmits the second access instruction data to an authentication unit;
S5, the authentication unit receives the second access instruction data and verifies the authentication data in the second access instruction data;
S6, after the verification is passed, the authentication unit transmits the second access instruction data to a data access control unit;
S7, the data access control unit receives the second access instruction data, acquires a local preset access flag mapping table, and judges whether the visitor has the right to execute the operation indicated by the operation instruction on the operation object according to the access flag mapping table and the visitor identity, the operation instruction and the operation object in the second access instruction data, wherein the access flag mapping table indicates whether different visitor identities have the right to execute the operation indicated by the corresponding operation instruction on different operation objects;
S8, when the visitor has the authority to execute the operation indicated by the operation instruction on the operation object, the data access control unit transmits the second access instruction data to a second protocol analysis unit;
S9, the second protocol parsing unit receives the second access instruction data, and converts the data format of the dedicated protocol of the second access instruction data into the data format of the network protocol to obtain third access instruction data, where elements in the third access instruction data include the visitor identity, the operation instruction, and the operation object;
S10, the second protocol analysis unit sends the third access instruction data to an intranet card;
S11, the intranet card receives the third access instruction data and sends the third access instruction data to an intranet server to execute the operation indicated by the operation instruction in the third access instruction data.
2. The method of claim 1, wherein: before the current extranet card receives first access instruction data sent by the visitor terminal, the method further comprises the following steps:
the scheduling unit detects that a previous external network card is subjected to blocking type attack, selects the current external network card from a plurality of external network cards according to a preset strategy, disables the previous external network card, and switches to the current external network card, wherein the previous external network card is the external network card selected by the scheduling unit before the current external network card.
3. The method of claim 1, wherein: before the current extranet card receives first access instruction data sent by the visitor terminal, the method further comprises the following steps:
the current external network card receives an access request sent by the visitor terminal and sends the access request to the scheduling unit, wherein the access request comprises information to be authenticated;
the scheduling unit receives the access request and transmits the access request to an access authentication unit;
the access authentication unit receives the access request, authenticates the information to be authenticated, and sends an access response to the scheduling unit after the authentication is passed, wherein the access response comprises a result of the access passing;
and the scheduling unit receives the access response and sends the access response to the current external network card.
4. The method of claim 1, wherein: the method further comprises the following steps:
after receiving the third access instruction data, the intranet server executes the operation indicated by the operation instruction in the third access instruction data to obtain first operation result data, and sends the first operation result data to the intranet card;
the intranet card sends the first operation result data to the second protocol analysis unit;
the second protocol analysis unit converts the data format of the network protocol of the first operation result data into the data format of the dedicated protocol to obtain second operation result data, and sends the second operation result data to the first protocol analysis unit;
the first protocol analysis unit receives the second operation result data, converts the data format of the special protocol of the second operation result data into the data format of the network protocol to obtain third operation result data, and sends the third operation result data to the scheduling unit;
the scheduling unit sends the third operation result data to the current extranet network card;
and the current extranet network card sends the third operation result data to the visitor terminal.
5. The method of claim 1, wherein the method further comprises the following step:
the data access control unit generates and stores an operation log, wherein the operation log comprises the visitor identity, the operation instruction, the operation object and the time at which the operation corresponding to the operation instruction was executed.
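The following Python simulation is an added example, not code from the patent or its applicant; it runs the pipeline of claims 1, 4 and 5 end to end so that the effect of the two protocol conversions can be observed. JSON stands in for the network-protocol format, a list of length-prefixed strings for the dedicated-protocol format, an HMAC over the visitor identity, operation instruction and operation object for the authentication data, and an in-memory dict for the access flag mapping table; those choices, the visitor names, the secrets and the intranet server are all assumptions.

```python
import hashlib
import hmac
import json
import struct
import time

# Constructed data (assumptions, not from the patent): per-visitor secrets behind the
# "authentication data" field, and the access flag mapping table keyed by
# (visitor identity, operation instruction, operation object).
VISITOR_KEYS = {"alice": b"alice-secret", "bob": b"bob-secret"}
ACCESS_FLAGS = {("alice", "READ", "ledger"): True, ("alice", "WRITE", "ledger"): False,
                ("bob", "READ", "ledger"): True}
INSTRUCTION_FIELDS = ("visitor", "op", "object", "auth")  # fields of the access instruction data
RESULT_FIELDS = ("status", "result")                      # fields of the operation result data
OPERATION_LOG = []   # claim 5: (visitor identity, operation instruction, operation object, time)
SERVER_SEEN = []     # keys of each message the constructed intranet server received

class AccessDenied(Exception):
    """Raised by the authentication unit or the data access control unit."""

def auth_data(visitor, op, obj):
    """Visitor-terminal side: authentication data over the three fields (HMAC is an assumption)."""
    return hmac.new(VISITOR_KEYS[visitor], f"{visitor}|{op}|{obj}".encode(), hashlib.sha256).hexdigest()

def visitor_instruction(visitor, op, obj, **extra):
    """First access instruction data in the network-protocol format (JSON is an assumption)."""
    msg = {"visitor": visitor, "op": op, "object": obj}
    msg["auth"] = extra.pop("auth", None) or auth_data(visitor, op, obj)
    msg.update(extra)  # whatever else the visitor terminal chooses to send
    return json.dumps(msg).encode()

def to_dedicated(payload, fields):
    """Network -> dedicated protocol: parse the JSON and re-encode only the named fields as
    length-prefixed strings; keys outside the field list do not survive the conversion."""
    msg = json.loads(payload)
    blob = b""
    for name in fields:
        value = str(msg[name]).encode()  # KeyError if a required field is missing
        blob += struct.pack("!H", len(value)) + value
    return blob

def from_dedicated(blob, fields):
    """Dedicated -> network protocol: unpack the fixed field list back into a dict."""
    out, i = {}, 0
    for name in fields:
        (n,) = struct.unpack("!H", blob[i:i + 2])
        out[name] = blob[i + 2:i + 2 + n].decode()
        i += 2 + n
    if i != len(blob):
        raise ValueError("trailing bytes in dedicated-protocol message")
    return out

def authentication_unit(msg):
    """Verify the authentication data carried in the second access instruction data."""
    key = VISITOR_KEYS.get(msg["visitor"])
    if key is None:
        raise AccessDenied("unknown visitor identity")
    expected = hmac.new(key, f"{msg['visitor']}|{msg['op']}|{msg['object']}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["auth"]):
        raise AccessDenied("authentication data invalid")

def data_access_control_unit(msg):
    """Consult the access flag mapping table; a missing entry counts as no right (default deny)."""
    key = (msg["visitor"], msg["op"], msg["object"])
    if not ACCESS_FLAGS.get(key, False):
        raise AccessDenied(f"visitor {key[0]} may not {key[1]} {key[2]}")
    OPERATION_LOG.append(key + (time.time(),))

def intranet_server(third_access_instruction):
    """Constructed intranet server: execute the operation, return first operation result data."""
    req = json.loads(third_access_instruction)
    SERVER_SEEN.append(sorted(req))
    result = {"READ": "balance=42", "WRITE": "written"}.get(req["op"], "unsupported")
    return json.dumps({"status": "ok", "result": result}).encode()

def gateway(first_access_instruction):
    """Forward path (claim 1) and return path (claim 4) through the access control device."""
    second = to_dedicated(first_access_instruction, INSTRUCTION_FIELDS)  # first protocol analysis unit
    msg = from_dedicated(second, INSTRUCTION_FIELDS)
    authentication_unit(msg)
    data_access_control_unit(msg)
    # second protocol analysis unit: dedicated -> network; the authentication data is not forwarded
    third = json.dumps({k: msg[k] for k in ("visitor", "op", "object")}).encode()
    result_1 = intranet_server(third)                                   # via the intranet card
    result_2 = to_dedicated(result_1, RESULT_FIELDS)                    # second protocol analysis unit
    result_3 = from_dedicated(result_2, RESULT_FIELDS)                  # first protocol analysis unit
    return json.dumps(result_3).encode()       # scheduling unit -> current extranet card -> visitor

def attempt(first_access_instruction):
    """Run one request and report the outcome as a dict so that denials can be inspected."""
    try:
        return json.loads(gateway(first_access_instruction))
    except AccessDenied as e:
        return {"status": "denied", "reason": str(e)}
```

Two properties of the claimed design show up directly. The dedicated-protocol stage is a parse-and-rebuild, not a pass-through, so a request carrying extra keys reaches the intranet server with exactly the three claimed fields (visitor identity, operation instruction, operation object) and the authentication data never crosses the second protocol analysis unit, consistent with the contents of the third access instruction data in claim 6. The access flag mapping table is consulted only after the authentication data verifies, and an identity or operation absent from the table is denied rather than allowed by omission; the operation log is written only for operations that were actually authorised.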
6. A network access control apparatus, comprising:
a current extranet card, configured to receive first access instruction data sent by a visitor terminal and send the first access instruction data to a scheduling unit, wherein the first access instruction data comprises a visitor identity, an operation instruction, an operation object and authentication data;
the scheduling unit, configured to receive the first access instruction data and send the first access instruction data to a first protocol analysis unit;
the first protocol analysis unit, configured to receive the first access instruction data, parse the first access instruction data to obtain its content, convert the first access instruction data from the data format of a network protocol into the data format of a dedicated protocol to obtain second access instruction data, wherein the second access instruction data comprises the visitor identity, the operation instruction, the operation object and the authentication data, and transmit the second access instruction data to an authentication unit;
the authentication unit, configured to receive the second access instruction data, verify the authentication data in the second access instruction data and, after the verification passes, transmit the second access instruction data to a data access control unit;
the data access control unit, configured to receive the second access instruction data, obtain a locally preset access flag mapping table, and determine, according to the access flag mapping table and the visitor identity, the operation instruction and the operation object in the second access instruction data, whether the visitor has the right to execute the operation indicated by the operation instruction on the operation object, wherein the access flag mapping table indicates, for each visitor identity, whether that visitor has the right to execute each operation instruction on each operation object; and, where the visitor has the right to execute the operation indicated by the operation instruction on the operation object, send the second access instruction data to a second protocol analysis unit;
the second protocol analysis unit, configured to receive the second access instruction data, convert the second access instruction data from the data format of the dedicated protocol into the data format of the network protocol to obtain third access instruction data, wherein the third access instruction data comprises the visitor identity, the operation instruction and the operation object, and send the third access instruction data to an intranet card;
and the intranet card, configured to receive the third access instruction data and send the third access instruction data to an intranet server for execution of the operation indicated by the operation instruction.
7. The apparatus of claim 6, wherein:
the scheduling unit is further configured to detect that a previous extranet card is under a blocking attack, select the current extranet card from a plurality of extranet cards according to a preset policy, disable the previous extranet card and switch to the current extranet card, wherein the previous extranet card is the extranet card selected by the scheduling unit before the current extranet card.
8. The apparatus of claim 6, further comprising an access authentication unit, wherein:
the current extranet card is further configured to receive, before receiving the first access instruction data sent by the visitor terminal, an access request sent by the visitor terminal, and to send the access request to the scheduling unit, wherein the access request comprises information to be authenticated;
the scheduling unit is further configured to receive the access request and transmit the access request to the access authentication unit;
the access authentication unit is configured to receive the access request, authenticate the information to be authenticated and, after the authentication passes, send an access response to the scheduling unit, wherein the access response comprises a result indicating that access is granted;
and the scheduling unit is further configured to receive the access response and send the access response to the current extranet card.
9. The apparatus of claim 6, wherein:
the data access control unit is further configured to generate and store an operation log, wherein the operation log comprises the visitor identity, the operation instruction, the operation object and the time at which the operation corresponding to the operation instruction was executed.
10. A network access control system, comprising a visitor terminal, the network access control apparatus of any one of claims 6 to 9, and an intranet server, wherein:
the intranet server is configured to receive the third access instruction data, execute the operation indicated by the operation instruction in the third access instruction data to obtain first operation result data, and send the first operation result data to the intranet card.
CN201911018686.6A 2019-10-24 2019-10-24 Network access control method, device and system Pending CN111131143A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911018686.6A CN111131143A (en) 2019-10-24 2019-10-24 Network access control method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911018686.6A CN111131143A (en) 2019-10-24 2019-10-24 Network access control method, device and system

Publications (1)

Publication Number Publication Date
CN111131143A true CN111131143A (en) 2020-05-08

Family

ID=70495385

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911018686.6A Pending CN111131143A (en) 2019-10-24 2019-10-24 Network access control method, device and system

Country Status (1)

Country Link
CN (1) CN111131143A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111741017A (en) * 2020-07-23 2020-10-02 平安国际智慧城市科技股份有限公司 Data transmission method between internal network and external network and related equipment
CN111741017B (en) * 2020-07-23 2020-12-08 平安国际智慧城市科技股份有限公司 Data transmission method between internal network and external network and related equipment
CN112637348A (en) * 2020-12-23 2021-04-09 北京金山云网络技术有限公司 Connection establishing method, device and system and electronic equipment
CN112637348B (en) * 2020-12-23 2022-05-10 北京金山云网络技术有限公司 Connection establishing method, device and system and electronic equipment
CN115118776A (en) * 2022-06-23 2022-09-27 北京字跳网络技术有限公司 Application access method, local connector deployment method and device

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101127761A (en) * 2006-08-16 2008-02-20 北京城市学院 Unidirectional protocol isolation method and device in network
US20100131616A1 (en) * 2008-11-24 2010-05-27 Sap Ag DMZ Framework
CN102006246A (en) * 2010-11-26 2011-04-06 中国航天科工集团第二研究院七○六所 Trusted separate gateway
CN102438026A (en) * 2012-01-12 2012-05-02 冶金自动化研究设计院 Industrial control network security protection method and system
CN103828414A (en) * 2011-07-20 2014-05-28 维萨国际服务协会 Security gateway communication
CN104767752A (en) * 2015-04-07 2015-07-08 西安汇景倬元信息技术有限公司 Distributed network isolating system and method
CN108810011A (en) * 2018-06-29 2018-11-13 南京南瑞继保电气有限公司 A kind of universal network secure accessing sound zone system and message processing method suitable for power private network

Similar Documents

Publication Publication Date Title
CN112260995B (en) Access authentication method, device and server
CN111586025B (en) SDN-based SDP security group implementation method and security system
CN106789841B (en) Service processing method, terminal, server and system
EP3633949B1 (en) Method and system for performing ssl handshake
US20130174239A1 (en) Reinforced authentication system and method using context information at the time of access to mobile cloud service
EP2974118B1 (en) System and method for mitigation of denial of service attacks in networked computing systems
US20060156398A1 (en) System security event notification aggregation and non-repudiation
CN111131143A (en) Network access control method, device and system
US8274401B2 (en) Secure data transfer in a communication system including portable meters
WO2024114747A1 (en) Data transmission method and system, first end, intermediate network device, and control device
Sani et al. Xyreum: A high-performance and scalable blockchain for iiot security and privacy
Henze et al. Distributed configuration, authorization and management in the cloud-based internet of things
CN112615866B (en) Pre-authentication method, device and system for TCP connection
WO2023174143A1 (en) Data transmission method, device, medium and product
CN113746788A (en) Data processing method and device
CN113056759A (en) Method and system for network devices to obtain a trusted status representation of the status of a distributed ledger technology network
CN115603932A (en) Access control method, access control system and related equipment
EP2239883B1 (en) Method, device, system, client node, peer node and convergent point for preventing node from forging identity
EP4236137A1 (en) Data transmission method and apparatus, device, system, and storage medium
WO2023212051A1 (en) Methods, architectures, apparatuses and systems for decentralized data control and access management
EP3618396B1 (en) Protection method and system for http flood attack
CN111586017A (en) Method and device for authenticating communication user
CN116074028A (en) Access control method, device and system for encrypted traffic
CN108494731A (en) A kind of anti-network scanning method based on bidirectional identity authentication
CN117201042B (en) Automatic equipment verification method based on node information credibility metering

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200508