CN113271285B - Method and device for accessing network - Google Patents


Info

Publication number: CN113271285B
Application number: CN202010093171.9A
Authority: CN (China)
Prior art keywords: terminal, network, network access, detection, access
Legal status: Active (application granted)
Other languages: Chinese (zh)
Other versions: CN113271285A (publication of the application)
Inventor: 张强 (Zhang Qiang)
Current and original assignees: Beijing Jingdong Century Trading Co Ltd; Beijing Wodong Tianjun Information Technology Co Ltd
Application filed by Beijing Jingdong Century Trading Co Ltd and Beijing Wodong Tianjun Information Technology Co Ltd, with priority to CN202010093171.9A

Classifications

    • H04L 63/0236: Network architectures or network communication protocols for network security; separating internal from external traffic, e.g. firewalls; filtering policies; filtering by address, protocol, port number or service, e.g. IP address or URL
    • H04L 63/0281: Network architectures or network communication protocols for network security; separating internal from external traffic, e.g. firewalls; proxies
    • H04L 63/10: Network architectures or network communication protocols for network security; controlling access to devices or network resources


Abstract

The invention discloses a method and a device for accessing a network, and relates to the technical field of computers. One embodiment of the method comprises the following steps: receiving detection information from a terminal, the detection information being generated by detecting the terminal via an Agent entity on the terminal; generating a network access policy for the terminal from the detection information via a policy service (PS); and filtering data received from the terminal according to the network access policy via an IP filtering service. The implementation reduces hardware cost and improves the security of terminals accessing the network.

Description

Method and device for accessing network
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and an apparatus for accessing a network.
Background
An enterprise may allow only legitimate, trusted devices (e.g., PCs, servers, mobile devices) to access its network and the network resources holding sensitive data, and deny other devices both.
Current implementations often require modifying the enterprise's existing network architecture or network equipment. With an IP-MAC real-name binding scheme, the network architecture cannot be adjusted flexibly where the enterprise has no need for IP binding, and a network that has run stably without IP-MAC binding would need a large-scale retrofit. A bypass deployment scheme depends on switch support; older switches cannot support it, so hardware would have to be replaced on a large scale. These approaches incur high hardware retrofit costs.
Beyond hardware cost, the volume of data the network must process is large, the risk is high, and the processing can even become a system bottleneck. For example, a NAT-based network access method must parse network packets, which means a large processing volume. And because no security check is applied to a device before it joins the network, a hidden risk remains.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for accessing a network that combine an Agent, a Policy Service and IP filtering to perform an effective security check on a terminal joining the network, implement IP-based network access management, prevent risk, reduce the amount of data to be processed and reduce hardware cost.
To achieve the above object, according to one aspect of the embodiments of the present invention, there is provided a method for accessing a network, including:
receiving detection information from a terminal, the detection information being generated by detecting the terminal via an Agent entity on the terminal;
generating a network access policy for the terminal from the detection information via a policy service (PS); and
filtering data received from the terminal according to the network access policy via an IP filtering service.
According to an aspect of the embodiment of the present invention, generating the network access policy of the terminal from the detection information via the policy service PS includes:
the policy service determining the network access authority of the terminal based on the received detection information;
when the network access authority meets the network access condition, determining the network access policy from the network access authority and sending it to the IP filtering service entity; and
when the network access authority does not meet the network access condition, returning to the terminal the reason it was not met.
According to an aspect of an embodiment of the present invention, detecting the terminal includes one or more of:
enterprise fixed asset detection, blacklist process detection, virus library update time detection, domain account detection, terminal firewall state detection, terminal IP detection, and terminal hardware information detection.
According to an aspect of the embodiment of the present invention, the method further includes:
the IP filtering service entity setting an IP access rule list for the terminal according to the received network access policy.
According to an aspect of an embodiment of the present invention, the IP access rule list includes the IP of the terminal, the IP segments the terminal may access, and the IP segments the terminal may not access.
According to an aspect of the embodiment of the present invention, the detection information is sent to the PS entity in a UDP packet.
According to an aspect of an embodiment of the present invention, there is provided an apparatus for accessing a network, including:
a detection module for receiving detection information from a terminal, the detection information being generated by detecting the terminal through an Agent entity on the terminal;
a policy module for generating a network access policy for the terminal from the detection information via a policy service PS; and
a filtering module for filtering the data received from the terminal according to the network access policy through an IP filtering service.
One embodiment of the above invention has the following advantages or benefits: because an Agent, a Policy Service and IP filtering are combined, a security check is performed effectively on the terminal joining the network, its network access policy is determined, and its data is filtered accordingly, which realizes IP-based network access management, prevents risk, reduces the amount of data to be processed and reduces hardware cost.
Further effects of the above non-conventional alternatives are described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
Fig. 1A is a schematic diagram of a prior art network access topology;
Fig. 1B is a schematic diagram of a network access topology according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the main flow of a method of accessing a network according to an embodiment of the invention;
Fig. 3 is a timing diagram of a network access procedure according to an embodiment of the invention;
Fig. 4 is a schematic diagram of the main modules of an apparatus for accessing a network according to an embodiment of the present invention;
Fig. 5 is an exemplary system architecture diagram in which embodiments of the present invention may be applied;
Fig. 6 is a schematic diagram of a computer system suitable for implementing an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, in which various details of the embodiments of the present invention are included to facilitate understanding, and are to be considered merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1A shows a prior art network access topology.
In the existing system shown in fig. 1A, a terminal obtains the right to access the network through an account and password, or through a certificate installed on the terminal device. After authentication by Remote Authentication Dial-In User Service (RADIUS) and Active Directory (AD), the terminal obtains an IP address and accesses the network. The actual network topology of an enterprise may differ in other respects, such as the form of account authentication, the deployment of devices, and the configuration of firewalls or routers.
Fig. 1B is a schematic diagram of a network access topology according to an embodiment of the present invention.
The network access system according to the embodiment of the invention mainly comprises three parts: an Agent, a Policy Service (PS) and an IP filtering service. In one embodiment these three parts work as follows:
Agent: the Agent entity's main function is to detect the terminal device after the terminal has passed authentication and obtained an IP address, and to report the detection result together with the terminal's IP, MAC address and similar information to the PS entity as detection information.
PS (Policy Service): the PS entity determines the network authority of the device from the detection information reported by the Agent entity and generates a network access policy.
IP filtering service: the IP filtering service entity operates at the IP layer of the network model and forwards or intercepts the data the terminal device sends to IDC (Internet Data Center) or Internet network resources, according to the network access policy set by the PS entity.
Fig. 2 is a schematic diagram of the main flow of a method of accessing a network according to an embodiment of the present invention. As shown in fig. 2, the main flow includes steps S201, S202 and S203.
Step S201: detect the terminal through the Agent on the terminal to generate detection information.
As shown in fig. 1B, an Agent application is installed as the Agent entity on a terminal that is to join the network. When the user chooses to connect to the network, or the terminal connects automatically, the terminal device interacts with the network access device, such as a switch, over the 802.1X protocol to complete authentication of the account information. Fig. 1B shows the switch acting as the network access device in relay mode with MD5 authentication. It should be noted that the implementation in fig. 1B is only an example; any relay mode and authentication method usable with the embodiment of the present invention may be adopted.
RADIUS entity: may be a RADIUS server that acts as the authentication server in the 802.1X access scheme. The RADIUS server verifies the account and password of the terminal user as relayed by the switch, and issues the network access right to the switch according to the authentication result. For example, when a new employee receives a new computer and has not yet obtained an account and password from the administrator, the office network cannot be accessed because RADIUS verification fails. After the terminal authenticates successfully, the RADIUS server sends the preset network access right to the switch; the terminal device obtains its IP address through DHCP; and the end user can access the network.
It should be noted that a terminal device without an Agent cannot access network resources even if it passes account and password authentication.
After the Agent detects that the terminal has obtained its IP information, it detects the terminal device. In one embodiment, for example, when the terminal is to join an enterprise network, the Agent's detection of the terminal may include:
enterprise fixed asset detection: determine whether the terminal is an asset of the enterprise; an external terminal may need additional admission settings;
blacklist process detection: detect whether a blacklisted process is installed on the terminal. The enterprise blacklist may be generated from historical data;
virus library update time detection: detect when the terminal's virus library was last updated. In one embodiment a cutoff time may be set, and a terminal whose virus library was last updated before that cutoff is not permitted to access the network;
domain account detection: detect the terminal's account and determine whether it belongs to the domain that is to be accessed; an account that is not in the domain is not allowed to access the network;
terminal firewall state detection: detect the state of the terminal's firewall and determine whether it meets the admission standard; for example, a terminal whose firewall is not enabled, or whose firewall does not meet the admission standard, is not permitted to access the network;
terminal IP detection: detect the terminal's IP address and determine whether it meets the admission standard. In one embodiment, for example, terminals in a particular IP segment may be denied access to the network;
terminal hardware information detection: detect the terminal's hardware information and determine whether it meets the admission standard. In one embodiment, certain kinds of hardware may be denied access, e.g. only computer terminals are allowed on the network and mobile phones are not.
After the Agent entity has detected the terminal and obtained the detection information, the terminal sends the detection information to the PS entity. The detection information may be sent directly by the Agent entity or by any other available sending application. In one embodiment the detection information may be sent, for example, as UDP packets, or any suitable packet format may be used.
Step S202: generate a network access policy for the terminal from the detection information via the policy service PS entity.
In this step, after receiving the detection information, the PS entity determines the terminal's network access authority and generates the network access policy from that authority. Having determined the network access authority, the PS entity judges whether the device meets the network access condition. In one embodiment the PS entity may preset the network access condition in terms of the terminal's detection information, for example that a terminal without the latest virus library is not granted access, that a particular type of terminal is not granted access, and so on. In another embodiment the PS entity may also set the access condition according to the number of terminals on the network, e.g. only a certain number of terminals are allowed to access the network.
If the PS entity judges that the device does not meet the network access condition, it informs the Agent entity of the reason access was not permitted; if the device meets the condition, the generated network access policy is sent to the IP filtering service entity.
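The PS side of step S202, as an added example that is not the patent's code. It takes a detection report in the layout assumed here (ip, mac, checks), derives an access authority, tests it against the network access conditions, including the terminal-count condition mentioned above, and produces either a policy of allowed and denied IP segments for the IP filtering service or the list of reasons to return to the Agent. The two authority levels ("enterprise" for an asset passing every check, "external" for a non-asset passing the rest, following the description's remark that an external terminal may need additional admission settings), the segment addresses and the terminal cap are assumptions.

```python
"""Policy Service (PS): detection report in, access policy or refusal out (added example)."""
import ipaddress

# Network access conditions (assumption): each names a detection check that must
# pass and the reason returned to the terminal when it does not.
ACCESS_CONDITIONS = [
    ("no_blacklist_process", "blacklisted process running on terminal"),
    ("virus_db_fresh", "virus library not updated before the cutoff"),
    ("domain_account", "account is not in the required domain"),
    ("firewall_on", "terminal firewall is not enabled"),
    ("ip_allowed", "terminal IP lies in a denied segment"),
    ("hardware_allowed", "terminal hardware type is not permitted"),
]
MAX_TERMINALS = 2                      # assumption: cap on admitted terminals
OFFICE_SEGMENT = "10.1.0.0/16"         # constructed segments
SENSITIVE_SEGMENT = "10.200.0.0/16"    # resources holding sensitive data
INTERNET = "0.0.0.0/0"


class PolicyService:
    def __init__(self, max_terminals=MAX_TERMINALS):
        self.max_terminals = max_terminals
        self.admitted = {}   # terminal IP -> policy currently installed in the IP filter

    @staticmethod
    def access_authority(report):
        """Derive the terminal's network access authority from its detection info.

        Assumption: an enterprise asset passing every check gets 'enterprise'
        authority; a non-asset passing the remaining checks gets 'external'
        authority; anything else gets no authority, with the failed reasons.
        """
        checks = report["checks"]
        reasons = [why for name, why in ACCESS_CONDITIONS if not checks.get(name)]
        if reasons:
            return None, reasons
        return ("enterprise" if checks.get("fixed_asset") else "external"), []

    @staticmethod
    def build_policy(terminal_ip, authority):
        """Map authority to the IP segments the terminal may and may not access."""
        if authority == "enterprise":
            allow, deny = [OFFICE_SEGMENT, SENSITIVE_SEGMENT, INTERNET], []
        else:  # external: office network and Internet, never the sensitive segment
            allow, deny = [OFFICE_SEGMENT, INTERNET], [SENSITIVE_SEGMENT]
        return {"terminal_ip": terminal_ip, "authority": authority,
                "allow": allow, "deny": deny}

    def decide(self, report):
        """Return ('policy', policy) for the IP filter or ('reject', reasons) for the Agent."""
        terminal_ip = str(ipaddress.ip_address(report["ip"]))
        authority, reasons = self.access_authority(report)
        if authority is None:
            # A re-check that fails withdraws the admission; the PS would also
            # tell the IP filter to cancel this terminal's rules.
            self.admitted.pop(terminal_ip, None)
            return "reject", reasons
        if terminal_ip not in self.admitted and len(self.admitted) >= self.max_terminals:
            return "reject", ["terminal limit reached"]
        policy = self.build_policy(terminal_ip, authority)
        self.admitted[terminal_ip] = policy
        return "policy", policy


def sample_report(ip, **overrides):
    """Constructed detection report in the layout this example assumes."""
    checks = {name: True for name, _ in ACCESS_CONDITIONS}
    checks["fixed_asset"] = True
    checks.update(overrides)
    return {"ip": ip, "mac": "00:11:22:33:44:55", "checks": checks}


if __name__ == "__main__":
    ps = PolicyService()
    print(ps.decide(sample_report("10.1.2.3")))
    print(ps.decide(sample_report("10.1.2.4", fixed_asset=False)))
    print(ps.decide(sample_report("10.1.2.5", firewall_on=False)))
```

Returning every failed reason at once, rather than the first, lets the Agent show the user everything to fix before the next report; a policy is only ever emitted when the reason list is empty.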
Step S203: the IP filtering service filters the data sent by the terminal according to the network access policy.
From the received network access policy, the IP filtering service enters the terminal's IP, the IP segments the terminal may access and the IP segments it may not access into an IP access rule list, and designates a rule set for filtering network traffic. For example, the following kinds of rule sets may be created: packet filtering rule sets, network address translation (NAT) rule sets, and so on.
When the terminal accesses a network resource, the IP filtering service decides the operation applied to data from the terminal, such as forwarding or discarding, according to the configured IP access rules.
In addition, when communication between the Agent entity and the PS entity is interrupted, the PS entity instructs the IP filtering service entity to cancel the IP access rules corresponding to that Agent.
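The IP filtering service of step S203, including the cancellation on loss of Agent/PS communication, as an added example that is not the patent's code. The rule-list layout, the matching precedence (a source with no rule list is dropped, since a terminal without an Agent never receives one; a denied segment beats an allowed one; otherwise only allowed segments are forwarded) and the heartbeat timeout are assumptions; the patent states only that the list holds the terminal IP and its accessible and inaccessible segments, that data is forwarded or discarded accordingly, and that the rules are cancelled when the Agent's communication with the PS is interrupted.

```python
"""IP filtering service: per-terminal rule list, packet decision, revocation (added example)."""
import ipaddress

FORWARD, DROP = "forward", "drop"
HEARTBEAT_TIMEOUT = 60.0   # seconds of Agent silence before rules are cancelled (assumption)

# Constructed (src, dst) packets from one terminal and from a host with no policy.
SAMPLE_STREAM = [
    ("10.1.2.3", "10.1.5.5"),        # office resource
    ("10.1.2.3", "10.200.1.1"),      # sensitive segment
    ("10.1.2.3", "93.184.216.34"),   # Internet
    ("10.1.2.9", "10.1.5.5"),        # terminal without an installed policy
]


class IpFilterService:
    """IP access rule list driven by PS policies."""

    def __init__(self):
        self.rules = {}       # terminal IP -> {"allow": [networks], "deny": [networks]}
        self.last_seen = {}   # terminal IP -> time of the last Agent report

    def set_rules(self, policy, now):
        """Install the rule list from a PS policy, replacing any earlier list."""
        ip = str(ipaddress.ip_address(policy["terminal_ip"]))
        self.rules[ip] = {
            "allow": [ipaddress.ip_network(n) for n in policy["allow"]],
            "deny": [ipaddress.ip_network(n) for n in policy["deny"]],
        }
        self.last_seen[ip] = now

    def cancel_rules(self, terminal_ip):
        """Cancellation as issued by the PS when Agent/PS communication is lost."""
        self.rules.pop(terminal_ip, None)
        self.last_seen.pop(terminal_ip, None)

    def heartbeat(self, terminal_ip, now):
        """Record a fresh Agent report for an admitted terminal."""
        if terminal_ip in self.rules:
            self.last_seen[terminal_ip] = now

    def expire(self, now):
        """Cancel the rules of every terminal whose Agent has been silent too long."""
        stale = [ip for ip, t in self.last_seen.items() if now - t > HEARTBEAT_TIMEOUT]
        for ip in stale:
            self.cancel_rules(ip)
        return stale

    def decide(self, src_ip, dst_ip):
        """Forward or drop one packet under the precedence described in the lead-in."""
        rule = self.rules.get(str(ipaddress.ip_address(src_ip)))
        if rule is None:
            return DROP                       # no policy: default deny
        dst = ipaddress.ip_address(dst_ip)
        if any(dst in seg for seg in rule["deny"]):
            return DROP
        if any(dst in seg for seg in rule["allow"]):
            return FORWARD
        return DROP

    def filter_stream(self, packets):
        """Apply decide() to (src, dst) pairs and return those forwarded to the firewall."""
        return [(s, d) for s, d in packets if self.decide(s, d) == FORWARD]


if __name__ == "__main__":
    f = IpFilterService()
    # Policy for an "external" terminal: office and Internet allowed, sensitive segment denied.
    f.set_rules({"terminal_ip": "10.1.2.3", "allow": ["10.1.0.0/16", "0.0.0.0/0"],
                 "deny": ["10.200.0.0/16"]}, now=0.0)
    print(f.filter_stream(SAMPLE_STREAM))
    print(f.expire(now=100.0), f.filter_stream(SAMPLE_STREAM))
```

Deny-before-allow matters because a broad allow such as 0.0.0.0/0 for Internet access would otherwise swallow the sensitive segment; and dropping by default for an unknown source is what enforces the description's rule that a terminal without an Agent gets no network resources even after 802.1X succeeds.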
Fig. 3 is a timing diagram of a network access procedure according to an embodiment of the present invention.
As the figure shows, the entities involved in the network access procedure are the Agent, the terminal, the access device (such as a switch), RADIUS, the PS, the IP filtering service and the firewall. In fig. 3, steps 1-11 are the terminal authentication process, in which the Agent entity, PS entity and IP filtering entity do not yet take part. EAP (Extensible Authentication Protocol) is described here as an example, but embodiments of the present invention may be implemented with any suitable protocol and are not limited to EAP.
1. The terminal sends an EAPOL-Start (EAP over LAN start) frame to the access device.
2. The access device returns an EAP-Request/Identity message asking the terminal to send its identity.
3. The terminal answers with an EAP-Response/Identity message carrying the user identifier associated with the terminal (the password itself is not sent in this message; possession of it is proven in step 7).
4. On receiving the EAP-Response/Identity message, the access device encapsulates it in a RADIUS Access-Request message and sends it to the RADIUS entity.
5. The RADIUS entity looks up the user corresponding to the terminal and returns a RADIUS Access-Challenge message carrying an EAP-Request/MD5-Challenge as the authentication challenge.
6. The access device forwards the challenge to the terminal as an EAP-Request/MD5-Challenge message.
7. On receiving the EAP-Request/MD5-Challenge, the terminal computes the MD5 hash over the challenge and its password and sends the result to the access device in an EAP-Response/MD5-Challenge message.
8. The access device sends the challenge, the terminal's response and the user identity together to the RADIUS entity in a RADIUS Access-Request (EAP-Response/MD5-Challenge) message for verification.
9. The RADIUS entity recomputes the MD5 hash from its copy of the user's password and compares it with the response, then replies to the access device with RADIUS Access-Accept on success, authorizing the user corresponding to the terminal, or Access-Reject on failure, in which case the flow ends.
10. The access device returns an EAP-Success message to the terminal.
11. The terminal obtains an IP address using DHCP.
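The MD5 challenge/response of steps 5-9, as an added example that is not the patent's code. Per RFC 3748 section 5.4 the EAP MD5-Challenge response value is MD5(Identifier || password || challenge), the CHAP computation of RFC 1994, where Identifier is the one-octet identifier of the EAP Request; the user database, the identifier value and the fixed challenge used in the test are constructed. The last function is the caveat a practitioner attaches to this step: RFC 3748 lists no mutual authentication, no integrity protection and no key derivation for MD5-Challenge, so whoever captures the challenge and response on the LAN can test password guesses offline, which is why the patent's own note that "any authentication method" may be substituted matters in practice.

```python
"""EAP-MD5 challenge/response on both sides of steps 5-9 (added example)."""
import hashlib
import hmac
import os

# Constructed RADIUS user database (assumption).
USER_DB = {"alice": "correct horse battery staple"}


def md5_response(identifier, password, challenge):
    """EAP-Response/MD5-Challenge value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def radius_issue_challenge(identifier, size=16):
    """Step 5: the RADIUS entity draws a random challenge, carried to the terminal
    inside EAP-Request/MD5-Challenge via RADIUS Access-Challenge."""
    return identifier, os.urandom(size)


def supplicant_respond(identifier, challenge, password):
    """Step 7: the terminal hashes identifier, its password and the challenge."""
    return md5_response(identifier, password, challenge)


def radius_verify(username, identifier, challenge, response):
    """Step 9: the RADIUS entity recomputes the hash from its copy of the password.
    True corresponds to Access-Accept, False to Access-Reject."""
    password = USER_DB.get(username)
    if password is None:
        return False
    expected = md5_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)


def offline_guess(identifier, challenge, response, candidates):
    """What an eavesdropper on steps 6-8 can do with the captured pair: test
    candidate passwords offline until one reproduces the response."""
    for guess in candidates:
        if md5_response(identifier, guess, challenge) == response:
            return guess
    return None


def run_exchange(username, password_typed, identifier=0x2A):
    """Steps 5-9 end to end; returns the RADIUS accept/reject decision."""
    ident, chal = radius_issue_challenge(identifier)
    resp = supplicant_respond(ident, chal, password_typed)
    return radius_verify(username, ident, chal, resp)


if __name__ == "__main__":
    print("alice, right password:", run_exchange("alice", "correct horse battery staple"))
    print("alice, wrong password:", run_exchange("alice", "hunter2"))
    ident, chal = 7, bytes(range(16))
    resp = supplicant_respond(ident, chal, USER_DB["alice"])
    print("offline guess:", offline_guess(ident, chal, resp, ["hunter2", USER_DB["alice"]]))
```

Nothing in the exchange lets the terminal check that it is talking to the enterprise's RADIUS server rather than a rogue access device that harvests responses, which is the second reason EAP-MD5 is generally replaced by a TLS-based method in production 802.1X deployments.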
From step 12 in fig. 3 onward, the Agent entity, PS entity and IP filtering entity perform network access for the terminal:
12. The Agent entity on the terminal observes that the IP address has been acquired successfully and triggers the network access procedure of the embodiment.
13. The Agent entity sends the detection information generated by detecting the terminal to the PS entity in a UDP message. The UDP packet is merely an example; a packet that can implement the embodiment may also be a TCP packet or the like.
14. The PS entity determines the terminal's access authority from the detection information and generates the terminal's network access policy from that authority.
15. The terminal transmits its data stream.
16. The data stream sent by the terminal is not delivered directly to the firewall but is first filtered by the IP filtering service entity according to the network access policy: traffic that the IP filtering policy does not permit to reach the firewall is intercepted and discarded.
17. The IP filtering service entity sends the filtered data stream on to the firewall.
Fig. 4 is a schematic diagram of the main modules of an apparatus for accessing a network according to an embodiment of the present invention. As shown in fig. 4, the apparatus consists of three parts, an Agent entity, a PS entity and an IP filtering service entity, and includes modules 401, 402, 403 and 404.
Module 401: the detection module, located in the Agent entity, detects the terminal and generates the detection information data.
Module 402: the policy module, located in the PS entity, generates the terminal's network access policy from the detection information data.
Module 403: the filtering module, located in the IP filtering entity, filters the data received from the terminal according to the network access policy.
Fig. 5 illustrates an exemplary system architecture 500 of a method of accessing a network or a device of accessing a network to which embodiments of the present invention may be applied.
As shown in fig. 5, the system architecture 500 may include terminal devices 501, 502, 503, a network 504 and a server 505. The network 504 is the medium providing communication links between the terminal devices 501, 502, 503 and the server 505, and may include various connection types, such as wired or wireless communication links or fiber optic cables.
A user may interact with the server 505 via the network 504 using the terminal devices 501, 502, 503 to receive or send messages and the like. Various communication client applications may be installed on the terminal devices 501, 502, 503, such as shopping applications, web browsers, search applications, instant messaging tools, mail clients, social platform software, etc. (by way of example only).
The terminal devices 501, 502, 503 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 505 may be a server providing various services, such as a background management server (by way of example only) supporting shopping websites browsed by users of the terminal devices 501, 502, 503. The background management server may analyze and process received data such as a product information query request and feed the processing result (e.g., target push information or product information, by way of example only) back to the terminal device.
It should be noted that the method for accessing the network according to the embodiment of the present invention is generally performed by the PS entity and the IP filtering service entity, and accordingly the apparatus for accessing the network is generally disposed in the server 505.
It should be understood that the numbers of terminal devices, networks and servers in fig. 5 are merely illustrative. There may be any number of terminal devices, networks and servers, as the implementation requires.
Referring now to FIG. 6, there is illustrated a schematic diagram of a computer system 600 suitable for use in implementing an embodiment of the present invention. The terminal device shown in fig. 6 is only an example, and should not impose any limitation on the functions and the scope of use of the embodiment of the present invention.
As shown in fig. 6, the computer system 600 includes a Central Processing Unit (CPU) 601, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data required for the operation of the system 600 are also stored. The CPU 601, ROM 602, and RAM 603 are connected to each other through a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, mouse, etc.; an output portion 607 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The drive 610 is also connected to the I/O interface 605 as needed. Removable media 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on drive 610 so that a computer program read therefrom is installed as needed into storage section 608.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication portion 609, and/or installed from the removable medium 611. The above-described functions defined in the system of the present invention are performed when the computer program is executed by a Central Processing Unit (CPU) 601.
The computer readable medium shown in the present invention may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules involved in the embodiments of the present invention may be implemented in software or in hardware. The described modules may also be provided in a processor, for example as a processor comprising a detection module, a policy module, a filtering module, and a determination module. In some cases the names of these modules do not limit the modules themselves; for example, the detection module may also be described as a "module that detects a terminal state".
As another aspect, the present invention also provides a computer-readable medium, which may be contained in the apparatus described in the above embodiments or may exist alone without being fitted into that apparatus. The computer readable medium carries one or more programs which, when executed by a device, cause the device to:
receiving detection information from a terminal, the detection information being generated by detecting the terminal via a proxy entity on the terminal;
generating a network access policy of the terminal using the detection information via a policy service PS; and
filtering data received from the terminal according to the network access policy via an IP filtering service.
In the technical solution of the embodiment of the present invention, generating the network access policy of the terminal from the detection information via the policy service PS comprises:
the policy service determining the network access authority of the terminal based on the received detection information;
where the network access authority satisfies the network access condition, determining the network access policy from the network access authority and sending it to the IP filtering service entity; and
where the network access authority does not satisfy the network access condition, returning to the terminal the reason why it does not.
In the technical solution of the embodiment of the present invention, detecting the terminal comprises one or more of:
enterprise fixed asset detection, blacklist process detection, virus library update time detection, domain account detection, terminal firewall state detection, terminal IP detection, and terminal hardware information detection.
In the technical solution of the embodiment of the present invention, the method further comprises:
the IP filtering service entity setting an IP access rule list for the terminal according to the received network access policy.
In the technical solution of the embodiment of the present invention, the IP access rule list comprises the IP of the terminal, the IP segments the terminal may access, and the IP segments the terminal may not access.
In the technical solution of the embodiment of the present invention, the detection information is sent to the PS entity in a UDP message.
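The admission flow described above (agent detection on the terminal, detection information carried in a UDP message to the policy service, a policy or a refusal reason from the PS, and an IP access rule list installed in the IP filtering service), which is the same flow recited in claims 1 to 6 below, as an added worked example that is not the patent's own code. It assumes a JSON encoding of the detection information, a fixed-asset inventory, a process blacklist, a virus-library age limit and an authority-to-segment mapping, none of which the patent specifies. It also assumes an HMAC tag on the detection message, which the patent does not mention: a bare UDP datagram carries no proof that it came from the terminal's agent, so a PS that trusts it unauthenticated can be fed a clean report by anyone able to send a packet. Transport itself is omitted; the bytes returned by build_detection_datagram are what the agent would place in the UDP payload.

```python
import hashlib
import hmac
import ipaddress
import json
from datetime import datetime, timedelta
from typing import Optional

# Constructed parameters for this example; the patent specifies none of them.
AGENT_KEY = b"example-shared-key"                    # assumed agent/PS secret
MAX_VIRUS_DB_AGE = timedelta(days=7)                 # assumed freshness limit
FIXED_ASSETS = {"ASSET-0001"}                        # assumed fixed-asset inventory
BLACKLISTED_PROCESSES = {"mimikatz.exe", "wce.exe"}  # assumed process blacklist


def build_detection_datagram(info: dict, key: bytes = AGENT_KEY) -> bytes:
    """Agent side: serialize the detection info as the UDP payload and append an
    HMAC tag (an addition, so the PS can reject spoofed or altered datagrams)."""
    body = json.dumps(info, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def parse_detection_datagram(datagram: bytes, key: bytes = AGENT_KEY) -> Optional[dict]:
    """PS side: check the tag and return the detection info, or None if it fails."""
    body, sep, tag = datagram.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not sep or not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def policy_service(info: dict, now: datetime) -> dict:
    """Determine the terminal's access authority from the detection items named in
    the patent. Return a policy if the access condition is met, otherwise the
    reasons it is not (which the PS returns to the terminal)."""
    reasons = []
    if info.get("asset_id") not in FIXED_ASSETS:
        reasons.append("not an enterprise fixed asset")
    hits = BLACKLISTED_PROCESSES & set(info.get("processes", []))
    if hits:
        reasons.append("blacklisted process running: " + ", ".join(sorted(hits)))
    if now - datetime.fromisoformat(info["virus_db_updated"]) > MAX_VIRUS_DB_AGE:
        reasons.append("virus library older than %d days" % MAX_VIRUS_DB_AGE.days)
    if not info.get("domain_account"):
        reasons.append("no domain account logged in")
    if not info.get("firewall_enabled"):
        reasons.append("terminal firewall disabled")
    if reasons:
        return {"allowed": False, "reason": "; ".join(reasons)}
    # Assumed authority-to-segment mapping: the terminal's own IP plus the segments
    # it may and may not reach, i.e. the contents of its IP access rule list.
    return {"allowed": True, "policy": {"terminal_ip": info["ip"],
                                        "allow": ["10.0.0.0/8"],
                                        "deny": ["10.10.0.0/16"]}}


class IPFilterService:
    """Holds each terminal's IP access rule list and filters traffic with it."""

    def __init__(self):
        self.rules = {}  # terminal IP -> (accessible segments, inaccessible segments)

    def set_rules(self, policy: dict) -> None:
        self.rules[ipaddress.ip_address(policy["terminal_ip"])] = (
            [ipaddress.ip_network(n) for n in policy["allow"]],
            [ipaddress.ip_network(n) for n in policy["deny"]])

    def permit(self, src: str, dst: str) -> bool:
        """True if a packet from src to dst may pass. A source with no rule list
        (no agent, or a failed check) is dropped; deny segments win over allow."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in self.rules:
            return False
        allowed, denied = self.rules[src_ip]
        if any(dst_ip in net for net in denied):
            return False
        return any(dst_ip in net for net in allowed)


def admit_terminal(datagram: bytes, ip_filter: IPFilterService, now: datetime) -> dict:
    """Whole flow: agent datagram -> PS decision -> rule list installed in the filter."""
    info = parse_detection_datagram(datagram)
    if info is None:
        return {"allowed": False, "reason": "detection message failed authentication"}
    decision = policy_service(info, now)
    if decision["allowed"]:
        ip_filter.set_rules(decision["policy"])
    return decision


# Constructed detection reports: a compliant terminal and one running a blacklisted tool.
NOW = datetime(2020, 2, 14, 12, 0)
GOOD_TERMINAL = {"asset_id": "ASSET-0001", "ip": "10.20.1.50", "domain_account": "corp\\alice",
                 "firewall_enabled": True, "virus_db_updated": "2020-02-12T08:00:00",
                 "processes": ["explorer.exe", "outlook.exe"], "hardware": {"serial": "SN123"}}
BAD_TERMINAL = dict(GOOD_TERMINAL, ip="10.20.1.51", processes=["mimikatz.exe"])

if __name__ == "__main__":
    flt = IPFilterService()
    print(admit_terminal(build_detection_datagram(GOOD_TERMINAL), flt, NOW))
    print(admit_terminal(build_detection_datagram(BAD_TERMINAL), flt, NOW))
    print(flt.permit("10.20.1.50", "10.20.5.9"), flt.permit("10.20.1.50", "10.10.0.3"),
          flt.permit("10.20.1.51", "10.20.5.9"))
```

Running it prints the PS decision for the compliant terminal (a policy) and for the one running a blacklisted process (a refusal reason), then three filter results: the compliant terminal reaching an allowed segment, the same terminal blocked from the denied segment, and the refused terminal dropped because no rule list was ever installed for it, which is how a terminal without an agent is treated as well.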
In the technical solution of the embodiment, because an agent, a policy service and IP filtering are used together, a security check is effectively performed on each terminal accessing the network, its network access policy is determined, and its data is filtered accordingly; this prevents risks, reduces the volume of data that must be processed, and reduces hardware cost.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives can occur depending upon design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (9)

1. A method of accessing a network, comprising:
receiving detection information from a terminal, the detection information being generated by detecting the terminal via a proxy entity on the terminal; a terminal without an Agent cannot access network resources;
generating a network access policy of the terminal using the detection information via a policy service PS; and
filtering data received from the terminal according to the network access policy via an IP filtering service.
2. The method according to claim 1, wherein generating the network access policy of the terminal using the detection information via the policy service PS comprises:
the policy service determining the network access authority of the terminal based on the received detection information;
where the network access authority satisfies the network access condition, determining the network access policy from the network access authority and sending it to the IP filtering service entity; and
where the network access authority does not satisfy the network access condition, returning to the terminal the reason why it does not.
3. The method of claim 1, wherein detecting the terminal comprises one or more of:
enterprise fixed asset detection, blacklist process detection, virus library update time detection, domain account detection, terminal firewall state detection, terminal IP detection, and terminal hardware information detection.
4. The method as recited in claim 1, further comprising:
the IP filtering service entity setting an IP access rule list for the terminal according to the received network access policy.
5. The method of claim 4, wherein the IP access rule list includes the IP of the terminal, the IP segments accessible to the terminal, and the IP segments not accessible to the terminal.
6. The method of claim 1, wherein the detection information is sent to the PS entity via a UDP message.
7. An apparatus for accessing a network, comprising:
the detection module, for receiving detection information from a terminal, wherein the detection information is generated by detecting the terminal through an Agent entity on the terminal; a terminal without an Agent cannot access network resources;
a policy module for generating a network access policy of the terminal using the detection information via a policy service PS; and
the filtering module, for filtering the data received from the terminal according to the network access policy through an IP filtering service.
8. An electronic device for accessing a network, comprising:
one or more processors;
storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-6.
9. A computer readable medium on which a computer program is stored, wherein the program, when executed by a processor, implements the method of any of claims 1-6.
CN202010093171.9A 2020-02-14 2020-02-14 Method and device for accessing network Active CN113271285B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010093171.9A CN113271285B (en) 2020-02-14 2020-02-14 Method and device for accessing network

Publications (2)

Publication Number Publication Date
CN113271285A (en) 2021-08-17
CN113271285B (en) 2023-08-08

Family

ID=77227258

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010093171.9A Active CN113271285B (en) 2020-02-14 2020-02-14 Method and device for accessing network

Country Status (1)

Country Link
CN (1) CN113271285B (en)

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1705270A (en) * 2004-05-26 2005-12-07 华为技术有限公司 System and method for controlling network access
CN101068183A (en) * 2007-06-28 2007-11-07 杭州华三通信技术有限公司 Network admission control method and network admission control system
CN101309279A (en) * 2008-07-07 2008-11-19 华为技术有限公司 Control method, system and device for terminal access
CN101378358A (en) * 2008-09-19 2009-03-04 成都市华为赛门铁克科技有限公司 Method, system and server for safety access control
CN101567888A (en) * 2008-12-29 2009-10-28 郭世泽 Safety protection method of network feedback host computer
CN101582769A (en) * 2009-07-03 2009-11-18 杭州华三通信技术有限公司 Authority setting method of user access network and equipment
CN102271120A (en) * 2010-06-02 2011-12-07 清大安科(北京)科技有限公司 Trusted network access authentication method capable of enhancing security
CN102594814A (en) * 2012-02-10 2012-07-18 福建升腾资讯有限公司 Terminal-based network access control system
CN104618396A (en) * 2015-03-04 2015-05-13 浪潮集团有限公司 Trusted network access and access control system and method
CN104660523A (en) * 2013-11-25 2015-05-27 遵义供电局 Network access control system
CN104796261A (en) * 2015-04-16 2015-07-22 长安大学 Secure access control system and method for network terminal nodes
CN106411673A (en) * 2016-11-08 2017-02-15 西安云雀软件有限公司 Network admission control management platform and management method
CN106899561A (en) * 2015-12-24 2017-06-27 北京奇虎科技有限公司 TNC authority control method and system based on ACL
CN107222433A (en) * 2017-04-18 2017-09-29 中国科学院信息工程研究所 Access control method and system based on SDN path
CN107623665A (en) * 2016-07-15 2018-01-23 华为技术有限公司 Authentication method, device and system
CN110519404A (en) * 2019-08-02 2019-11-29 锐捷网络股份有限公司 SDN-based policy management method, device and electronic equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040107360A1 (en) * 2002-12-02 2004-06-03 Zone Labs, Inc. System and Methodology for Policy Enforcement

Also Published As

Publication number Publication date
CN113271285A (en) 2021-08-17

Similar Documents

Publication Publication Date Title
CN108616490B (en) Network access control method, device and system
US10110638B2 (en) Enabling dynamic authentication with different protocols on the same port for a switch
CN110311929B (en) Access control method and device, electronic equipment and storage medium
US9356928B2 (en) Mechanisms to use network session identifiers for software-as-a-service authentication
US8387131B2 (en) Enforcing secure internet connections for a mobile endpoint computing device
US20100197293A1 (en) Remote computer access authentication using a mobile device
US11539695B2 (en) Secure controlled access to protected resources
JP2016530814A (en) Gateway device to block a large number of VPN connections
CN106059802B (en) Terminal access authentication method and device
WO2011026404A1 (en) Session updating method for authentication, authorization and accounting and equipment and system thereof
KR101310631B1 (en) System and method for controlling access to network
CN114661485A (en) Application program interface access control system and method based on zero trust architecture
CN108781367B (en) Method for reducing Cookie injection and Cookie replay attacks
US20220150703A1 (en) Asserting user, app, and device binding in an unmanaged mobile device
CN109639658B (en) Data transmission method and device for firewall of operation and maintenance of power secondary system
US20240089178A1 (en) Network service processing method, system, and gateway device
KR101628534B1 (en) VIRTUAL 802.1x METHOD AND DEVICE FOR NETWORK ACCESS CONTROL
CN113271285B (en) Method and device for accessing network
US9779222B2 (en) Secure management of host connections
CN115296866B (en) Access method and device for edge node
JP6076276B2 (en) Communication system and communication method
TW201721498A (en) Wired area network user management system and method with security and function scalability wherein a network controller is used to control a programmable network switch, and divert a non-authenticated terminal device to an authentication server
CN112565203B (en) Centralized management platform
US11736528B2 (en) Low latency cloud-assisted network security with local cache
CN113691545B (en) Routing control method and device, electronic equipment and computer readable medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant