CN111385285B - Method and device for preventing illegal external connection - Google Patents


Info

Publication number: CN111385285B
Application number: CN201911403940.4A
Authority: CN (China)
Prior art keywords: user host, external connection, user, internal network, address
Legal status: Active (the legal status is an assumption by Google and not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN111385285A
Inventor: 张文鑫
Current assignee: Hangzhou DPTech Technologies Co Ltd (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Original assignee: Hangzhou DPTech Technologies Co Ltd
Events: application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN201911403940.4A; publication of CN111385285A; application granted; publication of CN111385285B; current legal status Active

Classifications

    • H04L63/0876: Network architectures or network communication protocols for network security; authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L43/10: Arrangements for monitoring or testing data switching networks; active monitoring, e.g. heartbeat, ping or trace-route
    • H04L63/083: Network architectures or network communication protocols for network security; authentication of entities using passwords
    • H04L63/1425: Network architectures or network communication protocols for network security; detecting or protecting against malicious traffic by monitoring network traffic; traffic logging, e.g. anomaly detection
    (All under H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication.)


Abstract

The application provides a method and a device for preventing illegal external connection. An authentication device receives an illegal external connection message, carrying the address and user name of a user host, that is sent by a login authentication component on the user host when the component confirms that the host has made an illegal external connection; the login authentication component was pushed to the user host by the authentication device when the host logged in to the internal network. The authentication device then judges whether the user host is still accessing the internal network and, if so, deletes the locally recorded authentication information, recorded when the host logged in, that corresponds to the host's address and user name, so that the host is disconnected from the internal network. In this way the login authentication component can detect whether the user host has made an illegal external connection and, when it has, notify the authentication device to disconnect the host from the internal network. The security problems that an illegally externally connected host causes for the internal network are thus avoided, and the security of the internal network is improved.

Description

Method and device for preventing illegal external connection
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for preventing an illegal external connection.
Background
Some internal networks with higher security requirements (such as the networks of government departments and the military) are commonly physically isolated from external networks (such as the Internet) to keep them secure. Physical isolation guarantees that no physical link exists between the external network and the internal network, but because of gaps in the management system or the lack of effective terminal monitoring, an individual user inside the internal network can still reach the Internet with a dial-up modem or a plug-and-play Internet access device, breaking the physically isolated environment. This behaviour is called an "illegal external connection".
An illegal external connection creates a hidden channel between the otherwise closed internal environment and the external network. The internal network is then exposed to viruses, trojans, unauthorized access, data eavesdropping, brute-force cracking and other security threats; information such as the network structure, server deployment and security protection measures can leak; and damage can even spread across security domains and across networks.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for preventing illegal external connection, so as to solve the problem of illegal external connections by intranet users.
Specifically, the application is implemented through the following technical solution:
In a first aspect, the present application provides a method for preventing illegal external connection. The method is applied to an authentication device and includes:
receiving an illegal external connection message that carries the address and user name of a user host and is sent by a login authentication component on the user host when that component confirms that the host has made an illegal external connection, where the login authentication component was pushed to the user host by the authentication device when the host logged in to the internal network; and
judging whether the user host is still accessing the internal network and, if so, deleting the locally recorded authentication information, recorded when the host logged in to the internal network, that corresponds to the host's address and user name, so that the user host is disconnected from the internal network.
As an embodiment, before the illegal external connection message is received, the method further includes:
when the user host logs in to the internal network, recording the host's address and user name and pushing the login authentication component to the user host, where a specified external network address is configured in the login authentication component in advance so that the component periodically accesses that address through the browser of the user host and confirms an illegal external connection of the host when the access succeeds.
As an embodiment, before the illegal external connection message is received, the method further includes:
configuring a designated address in the login authentication component in advance, where the designated address lies in the address range of the intranet server, so that when the component confirms the illegal external connection of the user host it forwards the illegal external connection message to the authentication device over the route to the intranet server that exists on the user host.
As an embodiment, judging whether the user host is still accessing the internal network includes:
judging whether a heartbeat message sent by the login authentication component has been received; if so, determining that the user host is still accessing the internal network, and if not, determining that the user host is not accessing the internal network.
As an embodiment, after the illegal external connection message is received, the method further includes:
generating an illegal external connection log from the illegal external connection message, where the log contains at least the user host's address and user name taken from the message and state information identifying the host as being in the illegal external connection state, and storing the log on a log server in the internal network.
In a second aspect, the present application provides an apparatus for preventing illegal external connection. The apparatus is applied to an authentication device and includes:
a receiving unit, configured to receive an illegal external connection message that carries the address and user name of a user host and is sent by a login authentication component on the user host when that component confirms that the host has made an illegal external connection, where the login authentication component was pushed to the user host by the authentication device when the host logged in to the internal network; and
a deleting unit, configured to judge whether the user host is still accessing the internal network and, if so, delete the locally recorded authentication information, recorded when the host logged in to the internal network, that corresponds to the host's address and user name, so that the user host is disconnected from the internal network.
As an embodiment, the apparatus further includes:
a pushing unit, configured to record the host's address and user name and push the login authentication component to the user host when the host logs in to the internal network, before the illegal external connection message is received, where a specified external network address is configured in the login authentication component in advance so that the component periodically accesses that address through the browser of the user host and confirms an illegal external connection of the host when the access succeeds.
As an embodiment, the apparatus further includes:
a configuration unit, configured to configure a designated address in the login authentication component in advance, before the illegal external connection message is received, where the designated address lies in the address range of the intranet server, so that when the component confirms the illegal external connection of the user host it forwards the illegal external connection message to the authentication device over the route to the intranet server that exists on the user host.
As an embodiment, the deleting unit is specifically configured to judge whether a heartbeat message sent by the login authentication component has been received; if so, it determines that the user host is still accessing the internal network, and if not, that the user host is not accessing the internal network.
As an embodiment, the apparatus further includes:
a storage unit, configured to generate an illegal external connection log from the illegal external connection message after the message is received, where the log contains at least the user host's address and user name taken from the message and state information identifying the host as being in the illegal external connection state, and to store the log on a log server in the internal network.
In a third aspect, the present application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements any of the steps of the above method for preventing illegal external connection.
In a fourth aspect, the present application further provides a network device that includes a memory, a processor, a communication interface and a communication bus, where the memory, the processor and the communication interface communicate with each other through the communication bus;
the memory is used to store a computer program; and
the processor is used to execute the computer program stored in the memory, and when it does so any step of the method for preventing illegal external connection is implemented.
In summary, the authentication device receives an illegal external connection message, carrying the address and user name of the user host, that the login authentication component on the host sends when it confirms that the host has made an illegal external connection, the component having been pushed to the host by the authentication device when the host logged in to the internal network. The authentication device judges whether the user host is still accessing the internal network and, if so, deletes the locally recorded authentication information corresponding to the host's address and user name, so that the host is disconnected from the internal network. The login authentication component therefore detects whether the user host has made an illegal external connection and, when it has, notifies the authentication device to disconnect the host from the internal network; the security problems that an illegally externally connected host causes for the internal network are avoided, and the security of the internal network is improved.
Drawings
FIG. 1 is a process flow diagram of a method of preventing illegal external connections in an exemplary embodiment of the present application;
FIG. 2 is a diagram illustrating an illegal extranet networking architecture in an exemplary embodiment of the present application;
FIG. 3 is an interaction flow diagram for preventing illegal external connections in an exemplary embodiment of the present application;
FIG. 4 is a logical block diagram of an apparatus for preventing illegal external connection in an exemplary embodiment of the present application;
FIG. 5 is a hardware block diagram of a network device in an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if," as used herein, may be interpreted as "at … …" or "at … …" or "in response to a determination," depending on the context.
Referring to FIG. 1, which is a flowchart of a method for preventing illegal external connection in an exemplary embodiment of the present application, the method is applied to an authentication device and includes:
Step 101: receiving an illegal external connection message that carries the address and user name of a user host and is sent by a login authentication component on the user host when that component confirms that the host has made an illegal external connection, where the login authentication component was pushed to the user host by the authentication device when the host logged in to the internal network;
In this embodiment, the authentication device in the internal network receives the illegal external connection message from the login authentication component on the user host; the component sends it when it confirms that the host has made an illegal external connection, and the component itself was pushed to the host by the authentication device when the host logged in to the internal network.
Specifically, when the user host logs in to the internal network it necessarily authenticates with the authentication device. When the host passes authentication, the authentication device records the host's address and user name and pushes the login authentication component to the host. A specified external network address is configured in the component in advance, so that the component periodically requests that address through the browser of the user host; when the request succeeds, the host is confirmed to have an illegal external connection.
It should be noted that the login authentication in this embodiment may be Portal authentication, a Web-based authentication technique. When a user requests access to the internal network, the request is sent to the authentication device, which forces the user's browser to a specific page, the login authentication page, where the user enters a user name and password. After authentication passes, the browser is shown the Portal authentication success page, which is the page corresponding to the login authentication component, and the host may then access the intranet server and use internal network resources.
For example, with Portal authentication the browser of the user host first pops up the Portal authentication page; after the user authenticates successfully, the browser pops up the Portal authentication success page, which is the browser page corresponding to the login authentication component that the authentication device pushed to the host. The authentication device configures a specified extranet address in the login authentication component in advance and makes the user host actively request data from that address at a preset time interval. The specified extranet address, for instance an extranet URL, is a URL reachable from the Internet, for example https:// www.***.com. The time interval can be set according to the detection requirement: the shorter it is, the higher the detection frequency and the more promptly an illegal external connection is caught. If the user host is connected to the Internet through a private wireless network card or in some other way, the request message that the host sends to the specified external network address under the component's instruction leaves by default through the wireless network card. Once the host is connected to the Internet (the external network), that request receives a response from the specified external network address; the login authentication component receives the response and therefore considers the user host to have made an illegal external connection. When the component confirms the illegal external connection, it sends an illegal external connection message carrying the address and user name of the user host to the authentication device.
In one embodiment, the authentication device configures a designated address in the login authentication component in advance, where the designated address lies in the address range of the intranet server, so that when the component confirms the illegal external connection of the user host it forwards the illegal external connection message to the authentication device over the route to the intranet server that exists on the host. Because the user host is accessing intranet server resources at this time, a route to the intranet server is necessarily configured on the host, and that route passes through the authentication device; this embodiment therefore reuses the route to the intranet server to deliver the host's illegal external connection message to the authentication device.
Step 102: judging whether the user host is still accessing the internal network and, if so, deleting the locally recorded authentication information, recorded when the host logged in to the internal network, that corresponds to the host's address and user name, so that the user host is disconnected from the internal network.
In this embodiment, when the authentication device receives the illegal external connection message it first determines whether the user host is still accessing the internal network. Specifically, the authentication device may configure instructions in the login authentication component that make the component send a heartbeat message to the authentication device periodically while the host is accessing the internal network. The authentication device then checks whether a heartbeat message from the component has been received: if so, the user host is still accessing the internal network; if not, the user host is no longer accessing it.
When the user host is still accessing the internal network, the authentication device deletes the authentication information, recorded locally when the host logged in, that corresponds to the host's address and user name. Subsequent messages from the host to the internal network then fail authentication, which disconnects the host from the internal network.
In an embodiment, after receiving the illegal external connection message the authentication device may further generate an illegal external connection log from it. The log contains at least the address and user name of the user host taken from the message and state information identifying the host as being in the illegal external connection state. The authentication device sends the log to a log server in the internal network for storage, so that an administrator can monitor and handle the host's illegal external connection behaviour.
Therefore, the login authentication component detects whether the user host has made an illegal external connection, the authentication device is notified to disconnect the host from the internal network when this is confirmed, and the illegal external connection log is sent to the log server. The security problems that an illegally externally connected host causes for the internal network are thus avoided, and the security of the internal network is improved.
In order to make the objects, technical solutions and advantages of the present application more apparent, the solution of the present application is further described in detail below with reference to fig. 2 and 3.
Referring to fig. 2, the illegal extranet networking architecture in an exemplary embodiment of the present application includes a user host, an external network (i.e., the internet), and an internal network, where the internal network includes an intranet server, a log server, and an authentication device, and a gateway 1 between the user and the authentication device, and a gateway 2 between the authentication device and the intranet server. In the three-layer network environment, an interaction flow chart of the authentication device when preventing the user host from illegal external connection is shown in fig. 3, which includes:
step 301, when a user host logs in an internal network, requesting authentication from authentication equipment through Portal authentication;
at the moment, the user host carries out an authentication request through an authentication page in the browser, authentication information such as a user name, a password and the like is input into the authentication page, the authentication equipment receives the user name and the password input by the user, authentication is carried out based on the user name and the password, and if the user name and the password are matched with the authentication information recorded in a local authentication list item, the user host is confirmed to be successfully authenticated.
Step 302, after the user host is successfully authenticated, the authentication equipment pushes a login authentication component to the user host;
the login authentication component may be a Portal login authentication page, such that the Portal login authentication page may pop up in a browser of the user host. The login authentication component is preset with a first control instruction for controlling the user host to actively request data from the external network address according to a preset time interval, for example: access every 1 second https:// www.***.com; the login authentication component is also provided with a designated address belonging to the address range of the intranet server; and a second control instruction instructing the login authentication component to periodically send heartbeat messages to the authentication device according to a preset time period during the period that the user host accesses the internal network, for example, sending heartbeat messages every 10 seconds for 1 time.
Step 303, the login authentication component on the user host periodically sends a heartbeat message to the authentication device during the period that the user host accesses the internal network according to the second control instruction;
step 304, the authentication device judges whether the heartbeat message is received within the preset time, if so, the step 305 is executed; if not, go to step 309;
305, the login authentication component on the user host actively requests data from the external network address according to a first control instruction configured in advance and according to a preset time interval, if the data request is successful, the user host is proved to be illegally externally connected, and the step 306 is carried out;
assuming that the user host is connected to the Internet (an illegal external connection) through a private wireless network card or by other means, the layer-3 packets from the user host to an external network address are, by default, sent out through the wireless network card. If the user host is connected to the Internet, the request that the login authentication component sends to the specified external network address is answered, and the user host is therefore considered to have an illegal external connection.
Step 306, when the login authentication component on the user host confirms that the user host has an illegal external connection, it forwards an illegal external connection message to the authentication device according to the specified address, through the user host's route to the intranet server; the illegal external connection message at least contains the address information and the user name of the user host;
as shown in fig. 2, when the user host accesses the intranet server, a route R for reaching the intranet server (4.4.4.1/16) may be configured, with the next hop pointing to 1.1.1.2/16 (gateway 1). If the login authentication component detects an illegal external connection, it may send an illegal external connection message to the authentication device, for example an HTTP GET request issued via ajax. The destination IP and port of the illegal external connection message are configured in the login authentication component in advance by the authentication device; the destination IP is an address reachable through route R, that is, an address in the intranet server address range (4.4.4.1/16), for example 4.4.4.1.
Step 307, when the authentication device receives the illegal external connection message, it confirms that the user host is still accessing the internal network, deletes the locally recorded authentication information (recorded when the user host logged in to the internal network) that corresponds to the address and user name of the user host, and proceeds to step 308;
once the authentication information of the user host has been deleted, packets from the user host to the internal network no longer pass authentication, so the connection between the user host and the internal network is cut off, which prevents the user host from keeping an illegal external connection while it accesses the internal network.
Step 308, generate an illegal external connection log from the illegal external connection message, where the log at least contains the address and user name of the user host carried in the illegal external connection message and state information identifying that the user host is in an illegal external connection state; send the illegal external connection log to a log server in the internal network, and end.
The authentication device sends the illegal external connection log to the log server (5.5.5.1/16) through gateway 2 (3.3.3.2/16).
Step 309, delete the authentication information corresponding to the user host recorded in the authentication device, age the user host offline, and end; this branch applies when the user host can no longer continuously access the intranet server.
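The following is an added model (not code from the patent or from the applicant) of what the authentication device does in steps 306 to 309, and of the deleting unit's heartbeat check: it keeps per-login authentication records refreshed by heartbeats, and on an illegal external connection report it either deletes the record and emits a log entry (host still on the intranet) or simply ages the record out (no recent heartbeat). The class and function names, the 60-second heartbeat timeout, the sender/destination cross-check and the sample addresses are assumptions.

```python
"""Added example: a minimal model of the authentication device's handling of
steps 306-309.  Names, the heartbeat timeout and the sample addresses are
assumptions, not taken from the patent text."""
import time
from dataclasses import dataclass, field

HEARTBEAT_TIMEOUT = 60.0      # assumed: seconds without a heartbeat = host offline
REPORT_ADDRESS = "4.4.4.1"    # specified address inside the intranet server range (fig. 2)


@dataclass
class AuthDevice:
    """Portal authentication device keeping one record per (address, user name)."""
    sessions: dict = field(default_factory=dict)   # (ip, user) -> last heartbeat time
    logs: list = field(default_factory=list)       # records destined for the log server

    def login(self, ip, user, now=None):
        # At Portal login the device records the host address and user name.
        self.sessions[(ip, user)] = now if now is not None else time.time()

    def heartbeat(self, ip, user, now=None):
        # Heartbeats from the login authentication component refresh the record.
        if (ip, user) in self.sessions:
            self.sessions[(ip, user)] = now if now is not None else time.time()

    def still_on_intranet(self, ip, user, now=None):
        # Step 307 / deleting unit: a recent heartbeat means the host still reaches the intranet.
        now = now if now is not None else time.time()
        last = self.sessions.get((ip, user))
        return last is not None and now - last <= HEARTBEAT_TIMEOUT

    def handle_report(self, src_ip, dst_ip, ip, user, now=None):
        """Process an illegal external connection message (step 306).

        Returns the generated log record, or None if nothing was logged.
        """
        now = now if now is not None else time.time()
        # Assumed sanity checks (not spelled out in the patent): the message must have
        # arrived at the specified address, and the self-reported host address must
        # match the packet's source, so one host cannot report on another's behalf.
        if dst_ip != REPORT_ADDRESS or src_ip != ip:
            return None
        if not self.still_on_intranet(ip, user, now):
            # Step 309: no recent heartbeat; age the stale record out and finish.
            self.sessions.pop((ip, user), None)
            return None
        # Step 307: delete the record so later intranet traffic from the host fails authentication.
        del self.sessions[(ip, user)]
        # Step 308: log with address, user name and the illegal-external-connection state.
        record = {"ip": ip, "user": user, "state": "illegal_external_connection", "time": now}
        self.logs.append(record)
        return record

    def is_authenticated(self, ip, user):
        return (ip, user) in self.sessions
```

Forwarding `logs` to the log server over gateway 2 is left out; the records hold exactly the fields step 308 requires.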
Compared with the prior art, the method and device described here can detect the illegal external connection behaviour of a user in a networking environment that spans layer-3 boundaries, based on Portal authentication; the authentication device forces the user offline and sends the user's illegal external connection log to the log server, so that intranet resources are protected.
Corresponding to the embodiment of the method for preventing the illegal external connection, the application also provides an embodiment of a device for preventing the illegal external connection.
Referring to fig. 4, a schematic structural diagram of an apparatus for preventing illegal external connection in an exemplary embodiment of the present application is shown, where the apparatus is applied to an authentication device, and the apparatus 40 includes:
a receiving unit 401, configured to receive an illegal external connection message, carrying the address and user name of a user host, that the login authentication component on the user host sends when it confirms that the user host has an illegal external connection, where the login authentication component is pushed to the user host by the authentication device when the user host logs in to an internal network;
a deleting unit 402, configured to determine whether the user host is still accessing the internal network and, if so, delete the authentication information corresponding to the address and user name of the user host that was locally recorded when the user host logged in to the internal network, so as to disconnect the user host from the internal network.
As an embodiment, the apparatus further comprises:
a pushing unit 403, configured to, before the illegal external connection message is received, record the address information and user name of the user host when it logs in to the internal network and push the login authentication component to the user host, where the login authentication component is pre-configured with a specified external network address, so that the login authentication component periodically accesses the specified external network address through the browser of the user host and, when that access succeeds, confirms the illegal external connection of the user host.
As an embodiment, the apparatus further comprises:
a configuration unit 404, configured to, before the illegal external connection message is received, configure a specified address in the login authentication component in advance, where the specified address belongs to the address range of the intranet server, so that when the login authentication component confirms that the user host has an illegal external connection, it forwards the illegal external connection message to the authentication device according to the specified address, through the user host's route to the intranet server.
As an embodiment,
the deleting unit 402 is specifically configured to determine whether a heartbeat message sent by the login authentication component has been received; if so, it determines that the user host is still accessing the internal network, and if not, it determines that the user host is no longer accessing the internal network.
As an embodiment, the apparatus further comprises:
a storage unit 405, configured to generate an illegal external connection log from the illegal external connection message after it is received, where the log at least contains the user host address and user name carried in the illegal external connection message and state information identifying that the user host is in an illegal external connection state, and to store the illegal external connection log on a log server in the internal network.
The way each unit of the above device performs its functions is described in detail under the corresponding step of the method above and is not repeated here.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
Corresponding to the embodiment of the method for preventing the illegal external connection, the application also provides an embodiment of the network equipment for realizing the method for preventing the illegal external connection.
As shown in fig. 5, the network device includes a memory 51, a processor 52, a communication interface 53 and a communication bus 54, where the memory 51, the processor 52 and the communication interface 53 communicate with each other over the communication bus 54;
the memory 51 is used for storing computer programs;
the processor 52 is configured to execute the computer program stored in the memory 51, and when the processor 52 executes the computer program, any step of the method for preventing illegal external connection provided in the embodiment of the present application is implemented.
The present application further provides a computer-readable storage medium, in which a computer program is stored, and the computer program, when executed by a processor, implements any step of the method for preventing illegal external connection provided by the embodiments of the present application.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on differences from other embodiments. In particular, for embodiments of the network device and the computer-readable storage medium, since they are substantially similar to the method embodiments, the description is relatively simple, and reference may be made to the partial description of the method embodiments for relevant points.
To sum up, the method and device allow the authentication device to receive an illegal external connection message, carrying the user host address and user name, that the login authentication component on a user host sends when it confirms that the user host has an illegal external connection, where the login authentication component was pushed to the user host by the authentication device when the user host logged in to the internal network; the authentication device then determines whether the user host is still accessing the internal network and, if so, deletes the authentication information corresponding to the address and user name of the user host that was locally recorded at login, so as to disconnect the user host from the internal network. In this way, the login authentication component can detect whether the user host has an illegal external connection, and the authentication device is informed to disconnect the user host from the internal network once the illegal external connection is confirmed, so that the security problems an illegally externally connected user host would cause for the internal network are avoided and internal network security is improved.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (8)

1. A method for preventing illegal external connection, the method being applied to an authentication device and comprising:
when a user host logs in to an internal network, recording the address information and user name of the user host and pushing a login authentication component to the user host, wherein a specified external network address is pre-configured in the login authentication component so that the login authentication component periodically accesses the specified external network address through a browser of the user host and, when the specified external network address is successfully accessed, confirms the illegal external connection of the user host;
receiving an illegal external connection message, carrying the user host address and user name, that the login authentication component on the user host sends when it confirms that the user host has an illegal external connection, wherein the login authentication component is pushed to the user host by the authentication device when the user host logs in to the internal network and is the login authentication page shown when the user host logs in to the internal network;
and determining whether the user host is still accessing the internal network and, if so, deleting the authentication information corresponding to the address and user name of the user host that was locally recorded when the user host logged in to the internal network, so as to disconnect the user host from the internal network.
2. The method of claim 1, wherein, before receiving the illegal external connection message, the method further comprises:
configuring a specified address in the login authentication component in advance, wherein the specified address belongs to the address range of the intranet server, so that when the login authentication component confirms that the user host has an illegal external connection, it forwards the illegal external connection message to the authentication device according to the specified address, through the user host's route to the intranet server.
3. The method of claim 1, wherein determining whether the user host is still accessing the internal network comprises:
determining whether a heartbeat message sent by the login authentication component has been received; if so, determining that the user host is still accessing the internal network, and if not, determining that the user host is no longer accessing the internal network.
4. The method of claim 1, wherein, after receiving the illegal external connection message, the method further comprises:
generating an illegal external connection log from the illegal external connection message, wherein the illegal external connection log at least contains the user host address and user name carried in the illegal external connection message and state information identifying that the user host is in an illegal external connection state, and storing the illegal external connection log on a log server in the internal network.
5. An apparatus for preventing illegal external connection, the apparatus being applied to an authentication device and comprising:
a pushing unit, configured to record the address information and user name of a user host when the user host logs in to an internal network and to push a login authentication component to the user host, wherein the login authentication component is pre-configured with a specified external network address so that the login authentication component periodically accesses the specified external network address through a browser of the user host and, when the specified external network address is successfully accessed, confirms the illegal external connection of the user host;
a receiving unit, configured to receive an illegal external connection message, carrying the user host address and user name, that the login authentication component on the user host sends when it confirms that the user host has an illegal external connection, wherein the login authentication component is pushed to the user host by the authentication device when the user host logs in to the internal network and is the login authentication page shown when the user host logs in to the internal network;
and a deleting unit, configured to determine whether the user host is still accessing the internal network and, if so, delete the authentication information corresponding to the address and user name of the user host that was locally recorded when the user host logged in to the internal network, so as to disconnect the user host from the internal network.
6. The apparatus of claim 5, further comprising:
a configuration unit, configured to configure a specified address in the login authentication component in advance, before the illegal external connection message is received, wherein the specified address belongs to the address range of an intranet server, so that when the login authentication component confirms the illegal external connection of the user host, it forwards the illegal external connection message to the authentication device according to the specified address, through the user host's route to the intranet server.
7. The apparatus of claim 5, wherein
the deleting unit is specifically configured to determine whether a heartbeat message sent by the login authentication component has been received; if the heartbeat message is received, it determines that the user host is still accessing the internal network, and if not, it determines that the user host is no longer accessing the internal network.
8. The apparatus of claim 5, further comprising:
a storage unit, configured to generate an illegal external connection log from the illegal external connection message after it is received, wherein the illegal external connection log at least contains the user host address and user name carried in the illegal external connection message and state information identifying that the user host is in an illegal external connection state, and to store the illegal external connection log on a log server in the internal network.
CN201911403940.4A 2019-12-30 2019-12-30 Method and device for preventing illegal external connection Active CN111385285B (en)
Publications (2)

Publication Number Publication Date
CN111385285A CN111385285A (en) 2020-07-07
CN111385285B true CN111385285B (en) 2022-11-01
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant