CN1571361A - Broadband access safety and control ensuring system and method thereof - Google Patents


Info

Publication number
CN1571361A
Authority
CN
China
Prior art keywords
network
user
service
control
safety
Prior art date
Legal status
Pending
Application number
CN 200410009067
Other languages
Chinese (zh)
Inventor
谢汉东
Current Assignee
BEIJING SUREKAM Corp
Original Assignee
BEIJING SUREKAM Corp
Priority date
Filing date
Publication date

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a broadband access security and control assurance system and method that can implement security management and control for specific users within a broadband operator's network. It comprises a service management module and a security service module. The service management module receives a service type and binds that service type to the network IP address of the corresponding user. The security service module is located at the broadband operator's security service gateway and performs security checks on the user network's upstream and downstream traffic according to the service type, thereby providing real-time security protection at the network boundary of the convergence layer.

Description

Broadband access security and control assurance system and method thereof
Technical field
The present invention relates to a broadband access assurance system and method, and in particular to a broadband access security and control assurance system and method.
Background art
Broadband access technologies, with ADSL as their representative, are currently developing rapidly. While broadband brings users high bandwidth and convenience, it has also brought serious threats to their information security, especially for users who keep a computer with a fixed IP address online for long periods, and for frequently connected users without a fixed IP.
Taking ADSL users as an example, their network security problems are far more serious than those of users who dial up over an ordinary modem, and the reason is precisely ADSL's high bandwidth. When a network attacker (for example a hacker or a virus) attacks an ordinary dial-up user (for example with TCP attacks, password brute forcing or DoS/DDoS attacks), the slow connection of the ordinary modem reduces the attacker's efficiency and thereby relatively improves the security of the user's computer; in that situation the user also notices the change in network speed more easily and becomes alert.
Because ADSL bandwidth is very high, the attacker's intrusion is more efficient, and at the same time the higher bandwidth makes the intrusion harder for the user to perceive.
To solve the broadband security problem, the prior art installs a software firewall, hardware firewall or other security product on the user's computer. This method can alleviate the user's network security threats to a certain extent, but its security factor is not high: ordinary users often lack sufficient network security knowledge, and when upgrading versions, loading rules or configuring parameters of the products installed on their own computers they tend to leave security holes.
Even if a user can stop network attacks at his own computer, the bandwidth that most broadband service providers currently offer is limited (for example 512 Kbps or 2 Mbps), and some even charge by traffic volume. If security precautions are taken only on the client side, large amounts of useless traffic (for example DoS attacks or TCP attacks) still occupy the user's bandwidth, which is a serious problem for users who need video applications or large file downloads.
Summary of the invention
In view of this, the present invention provides a broadband access security and control assurance system and method. Its main purpose is to monitor network security effectively, solve the broadband security problem at its root, raise the security factor for broadband users, and at the same time prevent large volumes of useless traffic from occupying user bandwidth.
Another object of the present invention is to provide a broadband access security and control assurance system and method in which the user, by way of service binding, obtains entitlement to the subscribed services, so that his own broadband access receives better security assurance.
The invention provides a broadband access security and control assurance system that can implement security management and control for specific users in a broadband operator's network. It comprises a service management module and a security service module. The service management module receives a service type and binds that service type to the corresponding user's network IP address. The security service module is located at the broadband operator's security service gateway and performs security checks on the user network's upstream and downstream traffic according to that service type, so as to provide real-time security protection at the network boundary.
Said service management module further comprises a customer database for storing user data; an authentication service module for authenticating the user's identity and thereby determining the network services he may use; and a service binding module which, according to the authentication result, maps the authenticated user ID to the corresponding IP address, binds the corresponding network service to that IP address, and thereby opens the corresponding network service to the user's network IP according to that IP address.
Said service management module further comprises a charging service module, which records the user's consumption of network services and calculates usage fees from that consumption.
Said IP address may be a dynamically assigned IP address or a static IP address.
Said security service module comprises: a virus detection and removal unit, which detects and removes viruses in the network; an attack protection security service unit, located at the user's network node, which centrally guards against network attacks; a spam filtering unit, which, in addition to blocking spam sources, filters on the mail recipient's line; a URL/information filtering unit, which filters network content according to the user's parameters; a time control unit, which formulates the corresponding security control policy according to the user's time control requirements; and a firewall service unit, which controls the traffic entering and leaving the network according to the user's security policy, providing information security services and safeguarding network information security.
Said security service module also performs security checks on the user network's upstream traffic, so as to protect the operator's network.
Said broadband network is an ADSL network, and the security service module is located between the broadband remote access server (BRAS) and the border router network of the broadband network. (The system can be used for multiple broadband networks such as ADSL and WLAN; ADSL is used here as an example.)
Alternatively, said broadband network is an ADSL network and the security service module is located between the BRAS and the ADSL central office equipment. (As above, ADSL is used here only as an example.)
Said service management module further comprises an unbinding module, for releasing the network security services bound to the user.
The invention also discloses a broadband access security control assurance method that implements security management and control for specific users in a broadband operator's network, the method comprising:
a step of providing a service management module, which receives a service type and binds that service type to the corresponding user network; and
a step of providing a security service module, located at the broadband operator's security service gateway, which performs security checks and control on the user network's downstream traffic according to that service type, so as to provide real-time security protection and control at the network boundary.
Said step of providing a service management module further comprises:
a step of providing a customer database, for storing user data;
a step of providing an authentication service module, for authenticating the user's identity and thereby determining the network services he may use; and
a step of providing a service binding module which, according to the authentication result, maps the authenticated user ID to the corresponding IP address, binds the corresponding network service to that IP address, and thereby opens the corresponding network service to the user network according to that IP address.
Said step of providing a service binding module comprises the following steps:
Step 1: accept the entered user ID, authenticate the user's identity, and determine the type of network security service he has subscribed to;
Step 2: map this user ID to the corresponding IP address, bind that IP address to the service type, and send them together to the broadband operator's security service gateway; and
Step 3: update the current configuration of the security service gateway, so that the gateway performs real-time security checks and control on the user network's downstream traffic according to the security service type.
Said step of providing a service management module further comprises a step of providing a charging service module, which records the user's consumption of network services and calculates usage fees from that consumption.
Said step of providing a security service module comprises:
a step of providing a virus detection and removal unit, which detects and removes viruses in the network;
a step of providing an attack protection security service unit, located at the user's network node, which centrally guards against network attacks;
a step of providing a spam filtering unit, which, in addition to blocking spam sources, filters on the mail recipient's line;
a step of providing a URL/information filtering unit, which filters network content according to the user's parameters;
a step of providing a time control unit, which formulates the corresponding security control policy according to the user's time control requirements; and
a step of providing a firewall service unit, which controls the traffic entering and leaving the network according to the user's security policy, providing information security services and safeguarding network information security.
Said broadband access security control assurance method further comprises the step of performing security checks on the user network's upstream and downstream traffic at the broadband operator's security service gateway.
Said security service types comprise: virus detection and removal, attack protection security service, spam filtering, URL/information filtering, time control, firewall service, network quality of service control and flow control.
Said step of providing a service management module further comprises a step of providing an unbinding module, for releasing the network security services bound to the user.
Said step of providing an unbinding module comprises the following steps:
Step 1: accept the user information packet of a user leaving the broadband system;
Step 2: parse the user information packet to determine the user ID and the type of network security service bound to it; and
Step 3: remove the services bound to that user's IP address.
The broadband access security and control assurance system and method of the present invention raise the security factor of broadband access services. While protecting the operator's network from attacks, virus infections and other disturbances originating from its broadband users, they use the IP address as the identifier by which specific security and control services are provided to specific users of the broadband network, thereby safeguarding the network security of the broadband user and of the broadband operator at the same time. The invention can keep spam, TCP attacks, network attacks and other undesirable behaviour off the operator's network, so that the interference suffered by the user is as small as possible. A user of the system does not need to buy a firewall, an anti-virus gateway, anti-virus software and the like: Internet access security is achieved by the security and authentication policies deployed at the operator's servers. The user can subscribe to a spam filtering service, in which the system defines spam content according to the user's requests so that the volume of the user's spam keeps falling. The user can also subscribe to a URL filtering service, in which the propagation of Internet viruses is blocked by URL content defined at the user's request, and viruses are intercepted at the server side as they enter and leave. The invention can also provide periodic virus scanning and disinfection at the user's request, and can customize the online periods and Internet content of ordinary users.
Description of the drawings
Fig. 1 is the module architecture diagram of an embodiment of the invention;
Fig. 2 is the overall architecture diagram of the invention applied to an ADSL system;
Fig. 3 is a structural schematic of the security service gateway of an embodiment of the invention;
Fig. 4 is the service binding schematic of the invention;
Fig. 5 is the service unbinding schematic of the invention; and
Fig. 6 is the system architecture diagram of the invention applied to a WLAN.
Embodiment
The present invention automatically updates the security service gateway's configuration through policy control for service authentication/binding and unbinding, performing service authentication, binding and release dynamically and in real time. When a user logs in to the access network, the service management unit forms the corresponding policy from the subscribed services and the user's IP address and sends it to the security service gateway, and that policy immediately updates the gateway's configuration. When the user leaves the Internet, the service management unit deletes the user's corresponding policy from the security service gateway. The service management unit sends policies to the security service gateway over IP communication, and the gateway performs the policy update after receiving a policy in the correct format.
The present invention can be used for any broadband access network that communicates over TCP/IP and in which every user has an IP address, such as xDSL (including ADSL, SDSL, HDSL, G.SHDSL, IDSL and the developing VDSL, ADSL2+, etc.) and wireless access networks (WLAN).
The broadband access security and control assurance system of the present invention is located at the interface between the broadband access network and the convergence network, generally near the border router, and consists of two parts: a security service module and a service management module. The security service module is located on the operator's network, comprises the security service gateway, and provides real-time security protection at the network boundary. The service management module is connected to the security service module over IP communication and controls it.
The present invention is described in detail below with ADSL as the example. Fig. 1 is the module architecture diagram of an embodiment of the invention. As shown, security service module 100 is connected to service management module 200, and the core of the security service module is security service gateway 110. The security service module can be deployed between the BRAS and the border router network, or between the BRAS and the DSLAM. It has 100/1000M interfaces, can operate in routed mode or transparent mode, and supports several access media such as optical fibre and copper cable.
The service management module is deployed in the network management centre and manages the security service module through IP communication with the security service gateway. Using management modes such as HTTP, HTTPS, Telnet and SNMP, the service management module automatically updates the security service module's configuration through policy control. The service management module communicates with the authentication server and the accounting server to ensure that the user is authenticated and charged for the security value-added service. Service management module 200 comprises customer database 210, authentication service module 220, service binding module 230 and charging service module 240. Customer database 210 stores user data, including the service types the user has subscribed to and charging information. Authentication service module 220 authenticates the user's identity and thereby determines the network services he may use. Service binding module 230, according to the authentication result, maps the authenticated user's ID in real time to the corresponding IP address and, according to that IP address, binds the corresponding services to it, thereby opening the corresponding network services to that user. Charging service module 240 records the user's consumption of the various network services and calculates usage fees from that consumption.
Fig. 2 is the system architecture diagram of the present invention applied to an ADSL broadband network. As shown, security service module 100 and service management module 200 of the present invention sit between border router 10 and broadband remote access server 20; the operator's broadband remote access server is connected to one or more DSLAMs 30, and DSLAM 30 is connected to the users over telephone lines.
Fig. 3 shows security service gateway 110, a hardware product that provides real-time protection at the network boundary, detecting harmful viruses, worms and other content-based security threats without affecting network performance. The security service gateway integrates firewall, intrusion detection, information filtering and flow control functions and comprises the following units:
1. Virus detection and removal unit 111, which detects and removes viruses in the network. Most viruses, spam and network attacks come from the Internet and are among the greatest information security risks for broadband users. The present invention can filter out viruses, spam and network attacks coming from the network. According to statistics, the great majority of viruses (almost 99.99%) come from computer networks, so broadband users can be effectively protected from virus disturbance.
On top of the user's standalone anti-virus measures, the virus detection and removal unit built into the security service module deployed at the operator's gateway can detect and remove viruses centrally at the gateway, greatly relieving the anti-virus burden on the user terminal; at the same time, this processing filters out virus-carrying junk traffic and preserves the normal efficiency of the user's network traffic.
In addition, considering that the user's computer may encounter viruses that bypass the network and arrive by floppy disk, portable hard drive and so on, the access security and control system of the present invention can also provide the user with an anti-virus suite. This suite can be installed on the user's computer, or left uninstalled and invoked from the operator's server when the user needs anti-virus service. Charging may be a monthly fee or per use.
2. Attack protection security service unit 112, located at the user's network node, which centrally guards against network attacks. Hacker activity on the Internet is increasingly frequent, and the scale, frequency and consequences of hacker damage increasingly cause fear and insecurity. Although public users' security awareness has grown somewhat, the lack of security techniques and protection tools leaves many users exposed to the danger of hacker attack. By deploying the attack protection security service unit at the network node to which users connect, the present invention guards against attacks centrally and can ensure that users are protected from hacker attacks from the Internet.
The attack protection security service unit mainly uses intrusion prevention to guard against conventional hacker attacks; combined with the firewall security service module, it can protect the user's network security to the greatest extent. Through intrusion detection and intrusion prevention functions, the present invention can prevent DoS/DDoS attacks, prevent IP-layer attacks (more than 1300 in total) and establish customized attack lists. The attack protection security service unit can update its attack database automatically to maintain the strongest protection.
3. Spam filtering unit 113, which, in addition to blocking spam sources, filters on the mail recipient's line. At present, spam has become the most troublesome and vexing problem for users after e-mail viruses: it wastes large amounts of users' time and effort and also occupies network bandwidth resources.
Besides blocking spam sources, the broadband operator's most important task is to filter on the spam recipient's line. By deploying the anti-spam security service module on the user-side network (generally at the gateway), the present invention filters out as much spam as possible and greatly relieves the user's burden.
4. URL/information filtering unit 114, which filters network content according to the user's parameters. Growing numbers of pornographic, subversive and malicious illegal websites constantly threaten users' security; many users who lack IT skills and security awareness have had Trojans and control programs installed and have been infected with viruses while browsing web pages, and have had important data stolen or destroyed without their knowledge. The present invention provides URL/information filtering, whose content filtering function can filter pornographic, subversive and malicious illegal websites. The information filtering security service module mainly uses technical means such as policy control, URL filtering and blocking, keyword/phrase blocking, blocking of Java applets, URL block lists, and blocking of cookies and ActiveX, and the user can flexibly customize the information filtering table to his own situation. The URL/information filtering unit further implements a parental control function: many ADSL users wish to control their children's use of broadband access, and the present invention provides a time control function to satisfy the user's network needs in different time periods. The present invention can also control access rights to URLs, IP addresses and applications. Through a friendly settings interface, parents can stop children from browsing objectionable websites or from becoming absorbed in online games or Internet chat.
5. Time control unit 115, which formulates the corresponding security control policy according to the user's time control requirements. It implements the parental control function, controlling the dates and times at which children may use the broadband connection.
6. Firewall service unit 116, which controls the traffic entering and leaving the network according to the user's security policy, providing information security services and safeguarding network information security. A firewall, as the first line of defence of network security, is a dedicated network interconnection device that separates the internal network from the public network; it can be used for access control, authentication services and data filtering for network users, and divides the network into security zones according to security level. Through the firewall service unit the user enjoys the corresponding firewall security service: the firewall isolates the user's computer from the Internet, hides the user's personal information, allows only the applications and users the user needs to communicate and, while ensuring the user's normal use of Internet applications, blocks network attacks from the Internet and filters out junk traffic, so as to ensure the security and efficiency of the user's network.
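The time control and URL/information filtering units above, modelled as a per-subscriber policy that the gateway evaluates for each web request. This is an added example written for this page, not code from the patent or from BEIJING SUREKAM; the class names, policy fields, sample profile and dates are assumptions. It also makes explicit two points the description leaves implicit: a blocked host entry should cover its subdomains (so `www.games.example` is caught by a `games.example` entry while `notgames.example` is not), and the path and query must be percent-decoded before keyword matching, because the browser decodes `%43asino` to `Casino` and a filter that compares the raw URL is trivially bypassed.

```python
"""Added example, not the patent's code: time control plus URL/keyword filtering,
evaluated per request for the subscriber IP the policy is bound to.
Class names, policy fields and the sample profile are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class TimeWindow:
    """Permitted period: weekdays (0 = Monday) and a [start, end) range of (hour, minute)."""
    weekdays: frozenset
    start: Tuple[int, int]
    end: Tuple[int, int]

    def __post_init__(self) -> None:
        if self._minutes(self.end) <= self._minutes(self.start):
            raise ValueError("window must not cross midnight; split it into two windows")

    @staticmethod
    def _minutes(hm: Tuple[int, int]) -> int:
        return hm[0] * 60 + hm[1]

    def contains(self, when: datetime) -> bool:
        if when.weekday() not in self.weekdays:
            return False
        now = self._minutes((when.hour, when.minute))
        return self._minutes(self.start) <= now < self._minutes(self.end)


@dataclass
class ContentPolicy:
    """What one subscriber customised: time windows plus host and keyword block lists."""
    allowed_windows: List[TimeWindow] = field(default_factory=list)  # empty list: any time
    blocked_hosts: Set[str] = field(default_factory=set)             # exact host or parent domain
    blocked_keywords: Set[str] = field(default_factory=set)          # matched in decoded path+query


def host_blocked(host: str, blocked_hosts: Set[str]) -> bool:
    """True if the host equals a blocked entry or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocked_hosts)


def evaluate(policy: ContentPolicy, url: str, when: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason) for one HTTP request under a subscriber's policy."""
    if policy.allowed_windows and not any(w.contains(when) for w in policy.allowed_windows):
        return False, "outside allowed time window"
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return False, "unparseable URL"
    if host_blocked(host, policy.blocked_hosts):
        return False, f"blocked host {host.lower()}"
    # Decode before matching: the browser turns '%43asino' into 'Casino'.
    haystack = unquote(parts.path + "?" + parts.query).lower()
    for kw in sorted(policy.blocked_keywords):
        if kw.lower() in haystack:
            return False, f"blocked keyword {kw!r}"
    return True, "allowed"


class GatewayFilter:
    """Policies keyed by subscriber IP; traffic of IPs without a subscription passes untouched."""

    def __init__(self) -> None:
        self.policies: Dict[str, ContentPolicy] = {}

    def filter_request(self, subscriber_ip: str, url: str, when: datetime) -> Tuple[bool, str]:
        policy = self.policies.get(subscriber_ip)
        if policy is None:
            return True, "no filtering service bound to this IP"
        return evaluate(policy, url, when)


def sample_policy() -> ContentPolicy:
    """Constructed parental-control profile: weekday evenings and weekend daytime only."""
    return ContentPolicy(
        allowed_windows=[
            TimeWindow(frozenset({0, 1, 2, 3, 4}), (17, 0), (21, 0)),
            TimeWindow(frozenset({5, 6}), (9, 0), (21, 0)),
        ],
        blocked_hosts={"games.example"},
        blocked_keywords={"casino"},
    )


if __name__ == "__main__":
    gw = GatewayFilter()
    gw.policies["10.0.0.7"] = sample_policy()          # constructed subscriber IP
    for url, when in [
        ("http://news.example/today", datetime(2004, 6, 14, 18, 30)),        # Monday evening
        ("http://news.example/today", datetime(2004, 6, 14, 22, 30)),        # Monday, too late
        ("http://www.games.example/play", datetime(2004, 6, 12, 10, 0)),     # Saturday, blocked host
        ("http://news.example/%43asino/odds", datetime(2004, 6, 12, 10, 0)),  # encoded keyword
    ]:
        print(url, when.isoformat(), gw.filter_request("10.0.0.7", url, when))
```

The gateway consults `GatewayFilter.policies` by the subscriber's IP, so a policy exists only while the service management module has bound one to that address; an address with no entry is passed through, matching the description's statement that traffic of users without a subscribed service is not processed.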
Beyond the functions above, the system of the present invention has good extensibility: new security service items can be added according to the needs of the operator and of users, for example network quality of service (QoS) control and flow control. Any service that can be enforced according to the user's IP address is suitable for the present invention.
The security service gateway is cost-effective and offers a strong, easily deployed solution for detecting and blocking attacks, preventing undesired usage and improving key network applications. It can be installed easily in an existing network environment that uses only anti-virus and information filtering. The security service gateway provides high availability and redundant hot-swappable power supplies, guaranteeing uninterrupted operation of the operator's network. By providing fine-grained security policies, the security service gateway supports independent security zones and policies mapped to VLANs, and can update its attack database automatically in real time. A real-time response server for the security service gateway provides continuous attack database updates to protect the network from viruses, worms, Trojans and other attacks, so that the network is protected at all times and in all places.
The present invention provides customized services to the user according to authentication information. The service is provided by the service management module automatically updating the security service gateway's configuration through policy control, using management modes such as HTTP, HTTPS, Telnet and SNMP.
Taking ADSL users as the example, for the upstream traffic of all ADSL users (from the ADSL user toward the Internet) the security service gateway defaults to inspecting everything, so as to protect the operator's network to the greatest extent, prevent damage to the operator's network from ADSL users, and prevent hackers or viruses from using ADSL users as proxies or stepping stones for attacks. The default outbound policy of the security service module is therefore that the outbound traffic of all ADSL users undergoes security inspection.
The security service gateway's default outbound policy is free of charge for all ADSL users, and its main purpose is to protect the operator's network. Only ADSL users who have subscribed to a security service have an inbound security policy and receive the protection of the security service gateway; correspondingly, the service management module works with the accounting server to charge the user for the security value-added service according to the inbound security policy.
According to the ADSL user's category, the security service gateway applies a correspondingly different security policy to implement the security service functions and achieve different security effects. The service management module maps the subscribing user's ID to the corresponding IP address; having obtained the IP address, it extracts the services the user subscribed to from the database and binds those services to the user's IP address.
For downstream traffic (from the Internet to the ADSL user), the security service gateway distinguishes broadband users by IP address and processes each user's traffic according to the service policy generated from the services he subscribed to. Naturally, for users without subscribed services the security service gateway does not process their downstream traffic (their upstream traffic still receives the default inspection).
For ADSL users who have subscribed to security services, both upstream and downstream traffic is inspected, and every security service the user subscribed to is active on the security service gateway, so the user is protected comprehensively. Depending on how the subscribing ADSL user accesses the network, the security service gateway and the service management module use different concrete control strategies.
Every security policy is based on the IP address currently assigned to the user, which may be a static IP address or a dynamically assigned one. The service management module binds each user's subscribed services to a service policy; these service policies are added to the security service gateway when the user logs in to the ADSL broadband access system, and when the user leaves the ADSL broadband access system the service unbinding unit in the service management module notifies the security service gateway to delete the corresponding service policy. For an ADSL user with a static IP address, the service management module forms the corresponding inbound security control policy directly from the user's IP address and the specific security service modules he subscribed to, sends that inbound security control policy directly to the security service module and updates its inbound policy (the security service module is updated only this once); thereafter both the inbound and the outbound traffic of the fixed-IP user are inspected and the user enjoys the strongest security protection. For an ADSL user with a DHCP-assigned dynamic IP address, every time the user logs in again the service management module must communicate with the authentication server; after confirming the user's legitimate identity, it forms the corresponding inbound security control policy from the IP address obtained through DHCP this time and the security service modules the user subscribed to, sends it to the security service module and updates the inbound policy. If the ADSL user obtains a different IP address at each login, the inbound security control policy must be updated and adjusted once per login; in this way both the inbound and the outbound traffic of the dynamic-IP user are inspected and the user enjoys the strongest security protection.
The service binding process of the service binding module 230 is shown in Figure 4. After the user sends a broadband login request through the user interface 10, the user ID and password are submitted to the Broadband Access Server (BRAS) 20 with a request for authentication. After the BRAS obtains the user ID and password, it sends an authentication request to the RADIUS server 30. The RADIUS server verifies the user ID and password; on success it sends an authentication-success message to the BRAS, and on failure the failure information is sent to the user. After the BRAS receives the authentication-success message from the RADIUS server, it assigns an IP address to the user and sends an accounting-start packet to the RADIUS server 30. After the RADIUS server 30 obtains the accounting-start packet, it sends a user-information packet to the SSM processor 50 (the packet contains the user ID, IP address, BrasID, BrasPortNum, user type, and so on). The SSM processor 50 parses the user-information packet sent by the RADIUS server 30 and then queries the customer database 60 by this user ID for the service information that needs to be bound for this user. If service information needing binding is retrieved, the relevant information is sent to the SSM processor 50, which resolves BrasID and BrasPortNum to find the specific service selection gateway (SSG) 40 and binds the specific service to the IP address this user is using, thereby completing service binding.
The service unbinding process is shown in Figure 5. When the user logs out of the broadband system, the Broadband Access Server 20 sends an accounting-stop packet to the RADIUS server 30. After the RADIUS server obtains the accounting-stop packet sent by the BRAS, it sends a user-logout information packet to the SSM processor 50 (the packet contains the user ID, IP address, BrasId, BrasPortNum, user type, and so on). The SSM processor 50 parses the user-information packet sent by the RADIUS server 30 and then queries, by this user ID, the service information this user has bound. If bound service information is retrieved, the relevant information is sent to the SSM processor 50, which resolves BrasId and BrasPortNum to find the specific service selection gateway (SSG) 40 and removes the specific service bound to the IP address this user is using, thereby completing service unbinding. If no bound service information is retrieved, the process exits automatically.
For an ADSL user who has not subscribed to a security service module, the system applies only the default policy of the security service module (namely the egress policy): all of the ADSL user's outgoing traffic is subjected to security inspection, but incoming traffic is not inspected. Such an ADSL user therefore does not have the protection of the security service module and faces security threats from the Internet at any time. The difference is that the security service module can prevent security threats these users are infected with from propagating into the operator's network.
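The binding and unbinding flows above, together with the default (egress-only) policy for unsubscribed users and the re-binding a DHCP user needs at each login, can be simulated as follows. This is an added example, not code from the patent or its applicant: the class and field names (`UserInfoPacket`, `SsmProcessor`, `Ssg`, `IpPolicy`) are assumptions, the packet fields follow the description (user ID, IP address, BrasID, BrasPortNum, user type), and selecting the SSG by BrasID alone is a simplification of "resolving BrasID, BrasPortNum".

```python
"""Simulation of the SSM processor's service binding / unbinding flow.
Added example, not the patent's code; all names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Security services named in the description.
KNOWN_SERVICES = {"virus", "attack-protection", "spam-filter",
                  "url-filter", "time-control", "firewall"}


@dataclass(frozen=True)
class UserInfoPacket:
    """User-information packet the RADIUS server sends to the SSM processor."""
    event: str        # "start" = accounting-start (login), "stop" = accounting-stop (logout)
    user_id: str
    ip: str
    bras_id: str
    bras_port: int
    user_type: str    # constructed label, e.g. "static" or "dhcp"


@dataclass
class IpPolicy:
    """Per-IP policy on an SSG.  A user with bound services has both directions
    inspected; the default policy (no services) inspects outbound traffic only."""
    services: Set[str] = field(default_factory=set)

    @property
    def inspect_inbound(self) -> bool:
        return bool(self.services)

    @property
    def inspect_outbound(self) -> bool:
        return True


class Ssg:
    """Service selection gateway holding the per-IP policies it enforces."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.policies: Dict[str, IpPolicy] = {}

    def policy_for(self, ip: str) -> IpPolicy:
        # An IP with nothing bound is covered by the default (outbound-only) policy.
        return self.policies.get(ip, IpPolicy())

    def is_inspected(self, ip: str, direction: str) -> bool:
        policy = self.policy_for(ip)
        if direction == "inbound":
            return policy.inspect_inbound
        if direction == "outbound":
            return policy.inspect_outbound
        raise ValueError(f"unknown direction {direction!r}")


class SsmProcessor:
    """Parses user-information packets and (un)binds services on the right SSG."""

    def __init__(self, customer_db: Dict[str, Set[str]], ssg_by_bras: Dict[str, Ssg]) -> None:
        self.customer_db = customer_db                   # user ID -> subscribed services
        self.ssg_by_bras = ssg_by_bras                   # BrasID -> SSG serving that BRAS
        self.bound: Dict[str, Tuple[Ssg, str]] = {}      # user ID -> (SSG, bound IP)

    def handle(self, pkt: UserInfoPacket) -> IpPolicy:
        """Process one packet and return the policy now in force for pkt.ip."""
        ssg = self.ssg_by_bras.get(pkt.bras_id)
        if ssg is None:
            raise LookupError(f"no SSG known for BRAS {pkt.bras_id!r}")
        if pkt.event == "start":
            self._bind(pkt, ssg)
        elif pkt.event == "stop":
            self._unbind(pkt.user_id)
        else:
            raise ValueError(f"unknown accounting event {pkt.event!r}")
        return ssg.policy_for(pkt.ip)

    def _bind(self, pkt: UserInfoPacket, ssg: Ssg) -> None:
        services = set(self.customer_db.get(pkt.user_id, set()))
        unknown = services - KNOWN_SERVICES
        if unknown:
            raise ValueError(f"customer database lists unknown services {sorted(unknown)}")
        # A DHCP user logging in again may hold a new address: drop the stale
        # binding first so the old IP does not keep this user's policy.
        self._unbind(pkt.user_id)
        if not services:
            return      # nothing subscribed: default policy applies, nothing to bind
        ssg.policies[pkt.ip] = IpPolicy(services)
        self.bound[pkt.user_id] = (ssg, pkt.ip)

    def _unbind(self, user_id: str) -> bool:
        """Remove the user's binding; False means nothing was bound (exit automatically)."""
        entry = self.bound.pop(user_id, None)
        if entry is None:
            return False
        ssg, ip = entry
        ssg.policies.pop(ip, None)
        return True


if __name__ == "__main__":
    # Constructed sample data: one SSG behind one BRAS, one subscribed user.
    ssg = Ssg("ssg-40")
    ssm = SsmProcessor({"alice": {"virus", "firewall"}}, {"bras-20": ssg})
    ssm.handle(UserInfoPacket("start", "alice", "10.1.0.5", "bras-20", 7, "dhcp"))
    print("inbound inspected after login:", ssg.is_inspected("10.1.0.5", "inbound"))
    ssm.handle(UserInfoPacket("stop", "alice", "10.1.0.5", "bras-20", 7, "dhcp"))
    print("inbound inspected after logout:", ssg.is_inspected("10.1.0.5", "inbound"))
```

The point to notice is the stale-binding removal in `_bind`: without it, a dynamic-IP user's previous address would keep carrying that user's ingress policy after the address is handed to somebody else.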
The broadband access safety and control safeguard system of the present invention can charge either by "monthly charge" or by "per-use charge". After subscribing to the services our system provides, users can choose one of the following charging modes:
1. Monthly charge: if the user selects this charging mode, the system begins charging monthly once the required services have been set up.
2. Per-use charge: if the user selects charging by number of uses, the system charges only when the user actually uses a service they have subscribed to; for example, after the user has used mail virus scanning or DDoS defence, the charge is made according to the user type and the number of uses of the respective service.
When the security service module takes a security measure on a specific user's traffic, it sends a notice to the service management module. The service management module then writes a corresponding charge record under that user's record in the database log. At billing time, the amount each "per-use" user should pay is obtained simply by totalling that user's charge records.
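The notice-driven charging just described, with both charging modes side by side, as an added example that is not code from the patent or its applicant. The class names (`ChargingService`, `ServiceNotice`), the tariff amounts and the notice fields are constructed assumptions; amounts are kept in integer cents so the totals are exact.

```python
"""Charging service module: monthly versus per-use charging driven by
notices from the security service module.  Added example; all names and
tariffs are constructed assumptions, not the patent's."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Constructed tariffs in cents: per-use price per security action taken,
# and the monthly subscription price per service.
PER_USE_CENTS = {"mail-virus-scan": 10, "ddos-defence": 100, "url-filter": 5}
MONTHLY_CENTS = {"mail-virus-scan": 500, "ddos-defence": 2000, "url-filter": 300}


@dataclass(frozen=True)
class ServiceNotice:
    """Notice the security service module sends after acting on a user's traffic."""
    user_id: str
    service: str
    when: date


def notice(user_id: str, service: str, year: int, month: int, day: int) -> ServiceNotice:
    """Convenience constructor for a notice dated year-month-day."""
    return ServiceNotice(user_id, service, date(year, month, day))


class ChargingService:
    """Charging service module inside the service management module."""

    def __init__(self) -> None:
        self.mode: Dict[str, str] = {}            # user ID -> "monthly" | "per-use"
        self.subscribed: Dict[str, Set[str]] = {}
        self.records: List[ServiceNotice] = []    # the database log of charge records

    def enroll(self, user_id: str, services: Set[str], mode: str) -> None:
        if mode not in ("monthly", "per-use"):
            raise ValueError(f"unknown charging mode {mode!r}")
        unknown = set(services) - set(PER_USE_CENTS)
        if unknown:
            raise ValueError(f"no tariff for {sorted(unknown)}")
        self.mode[user_id] = mode
        self.subscribed[user_id] = set(services)

    def on_notice(self, n: ServiceNotice) -> bool:
        """Handle a notice; returns True when a charge record was written."""
        if n.service not in self.subscribed.get(n.user_id, set()):
            raise ValueError(f"{n.user_id!r} has not subscribed to {n.service!r}")
        if self.mode[n.user_id] != "per-use":
            return False          # monthly users pay a flat fee; no per-event record
        self.records.append(n)
        return True

    def usage(self, user_id: str, year: int, month: int) -> Dict[str, int]:
        """Number of charged uses per service for the given month."""
        counts: Dict[str, int] = {}
        for r in self.records:
            if r.user_id == user_id and (r.when.year, r.when.month) == (year, month):
                counts[r.service] = counts.get(r.service, 0) + 1
        return counts

    def amount_due_cents(self, user_id: str, year: int, month: int) -> int:
        """Monthly users: sum of subscription prices; per-use users: sum of records."""
        if user_id not in self.mode:
            raise KeyError(user_id)
        if self.mode[user_id] == "monthly":
            return sum(MONTHLY_CENTS[s] for s in self.subscribed[user_id])
        return sum(PER_USE_CENTS[s] * k for s, k in self.usage(user_id, year, month).items())


if __name__ == "__main__":
    cs = ChargingService()
    cs.enroll("bob", {"mail-virus-scan", "ddos-defence"}, "per-use")
    cs.on_notice(notice("bob", "mail-virus-scan", 2004, 5, 10))
    cs.on_notice(notice("bob", "ddos-defence", 2004, 5, 20))
    print("bob owes (cents) for 2004-05:", cs.amount_due_cents("bob", 2004, 5))
```

Rejecting a notice for a service the user never subscribed to matters in practice: a charge record should only ever be written for a policy the service management module itself installed.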
The security service module is deployed within the operator's network, where it can stop network attacks, spam and viruses sent from broadband users' computers. In this way the security service module protects the operator's network resources, lets the operator's network serve users more effectively, and thereby enhances competitiveness and increases profits.
The present invention can be used with any kind of broadband access. For WLAN, see Figure 6: the security service module 100 and the service management unit 200 of the present invention sit between the border router 620 and the wireless access gateway 610, and communicate through the IP local area network (LAN) 630 and the Internet 640.

Claims (18)

1. A broadband access safety and control safeguard system, characterized in that it realizes safety management and control of a specific user in a broadband operator network, comprising:
a service management module, which receives a service type and binds this service type with the network IP corresponding to the user; and
a security service module, located at the security service gateway of this broadband operator, which performs safety inspection and control of the downstream data flow of this user network according to this service type, so as to provide real-time safety protection and control at the network boundary.
2. The broadband access safety and control safeguard system of claim 1, characterized in that the service management module further comprises:
a customer database, for storing user data;
an authentication service module, for authenticating the user identity and thereby determining the network services the user may use; and
a service binding module, which according to the authentication result maps the authenticated user ID to the corresponding IP address, binds the corresponding network service to this IP address, and thereby opens the corresponding network service to this user network according to this IP address.
3. The broadband access safety and control safeguard system of claim 1 or 2, characterized in that the service management module further comprises a charging service module, which records the user's consumption of network services and calculates the usage cost from this consumption.
4. The broadband access safety and control safeguard system of claim 2, characterized in that said IP address comprises dynamically assigned IP addresses and static IP addresses.
5. The broadband access safety and control safeguard system of claim 1, characterized in that the security service module comprises:
a virus detection and removal unit, for detecting and removing viruses in the network;
an attack protection security service unit, located at the user network node, for centralized defence against network attacks;
a spam filtering unit, which blocks spam sources on the mail-receiving user's line;
a URL/information filtering unit, which filters network information according to user parameters;
a time control unit, for formulating the corresponding safety control policy according to the user's time-control requirements; and
a firewall service unit, which controls the information flow entering and leaving the network according to the user's security policy, providing information security services and safeguarding network information security.
6. The broadband access safety and control safeguard system of claim 1, characterized in that the security service module also performs safety inspection of the upstream of this user network, so as to provide safety protection for the carrier network.
7. The broadband access safety and control safeguard system of claim 1, characterized in that said broadband network is an ADSL network, and this security service module is located between the broadband access server and the border router of this broadband network.
8. The broadband access safety and control safeguard system of claim 1, characterized in that said broadband network is an ADSL network, and this security service module is located between the broadband access server and the ADSL local-side equipment.
9. The broadband access safety and control safeguard system of claim 1, characterized in that the service management module further comprises an unbinding module, for releasing the network security service bound to this user.
10. The broadband access safety and control safeguard system of claim 1, characterized in that said control comprises time control, network service quality control and flow control.
11. A broadband access safety and control support method, characterized in that it realizes safety management and control of a specific user in a broadband operator network, the method comprising:
a step of setting up a service management module, which receives a service type and binds this service type with the corresponding user network; and
a step of setting up a security service module, located at the security service gateway of this broadband operator, which performs safety inspection and control of the downstream data flow of this user network according to this service type, so as to provide real-time safety protection and control at the network boundary.
12. The broadband access safety and control support method of claim 11, characterized in that the step of setting up a service management module further comprises:
a step of setting up a customer database, for storing user data;
a step of setting up an authentication service module, for authenticating the user identity and thereby determining the network services the user may use; and
a step of setting up a service binding module, which according to the authentication result maps the authenticated user ID to the corresponding IP address, binds the corresponding network service to this IP address, and thereby opens the corresponding network service to this user network according to this IP address.
13. The broadband access safety and control support method of claim 11, characterized in that the step of setting up a service binding module comprises the following steps:
Step 1: accepting an input user ID, authenticating the user identity, and determining the type of network security service the user has subscribed to;
Step 2: mapping this user ID to the corresponding IP address, binding this IP address with this service type, and sending them together to the security service gateway of this broadband operator; and
Step 3: updating the current configuration of this security service gateway, so that the security service gateway of this broadband operator performs real-time safety inspection and control of the downstream data flow of this user network according to this security service type.
14. The broadband access safety and control support method of claim 11 or 12, characterized in that the step of setting up a service management module further comprises a step of setting up a charging service module, which records the user's consumption of network services and calculates the usage cost from this consumption.
15. The broadband access safety and control support method of claim 11 or 12, characterized in that the step of setting up a security service module comprises:
a step of setting up a virus detection and removal unit, for detecting and removing viruses in the network;
a step of setting up an attack protection security service unit, located at the user network node, for centralized defence against network attacks;
a step of setting up a spam filtering unit, which blocks spam sources on the mail-receiving user's line;
a step of setting up a URL/information filtering unit, which filters network information according to user parameters;
a step of setting up a time control unit, for formulating the corresponding safety control policy according to the user's time-control requirements; and
a step of setting up a firewall service unit, which controls the information flow entering and leaving the network according to the user's security policy, providing information security services and safeguarding network information security.
16. The broadband access safety and control support method of claim 11, characterized in that said security service type comprises: virus detection and removal, attack protection security service, spam filtering, URL/information filtering, time control, firewall service, network service quality control and flow control.
17. The broadband access safety and control support method of claim 13, characterized in that the step of setting up a service management module further comprises a step of setting up an unbinding module, for releasing the network security service bound to this user.
18. The broadband access safety and control support method of claim 17, characterized in that the step of the unbinding module comprises the following steps:
Step 1: accepting the user-information packet of a user logging out of the broadband system;
Step 2: parsing this user-information packet to determine the user ID and the type of network security service bound to it; and
Step 3: removing the service bound to this user's IP.
CN 200410009067 2004-05-09 2004-05-09 Broadband access safety and control ensuring system and method thereof Pending CN1571361A (en)

Publications (1)

Publication Number Publication Date
CN1571361A true CN1571361A (en) 2005-01-26

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106937165A (en) * 2007-03-22 2017-07-07 乐威指南公司 The method and apparatus of equipment content being automatically assigned in the media network of user
CN101854349A (en) * 2009-03-31 2010-10-06 日立软件工程株式会社 Login process apparatus, login process method and program
US8448225B2 (en) 2009-03-31 2013-05-21 Hitachi Solutions, Ltd. Login process apparatus, login process method, and program
CN102480437A (en) * 2010-11-23 2012-05-30 中兴通讯股份有限公司 Method and device for controlling internet surfing data of home gateway
CN102412986A (en) * 2011-11-07 2012-04-11 北京交通大学 Operator unification service platform system based on integration identification network and method thereof
CN102412986B (en) * 2011-11-07 2014-07-02 北京交通大学 Operator unification service platform system based on integration identification network and method thereof
CN105162780A (en) * 2015-08-21 2015-12-16 上海斐讯数据通信技术有限公司 URL (Uniform Resource Locator) filter address setting method and URL filter address setting system
CN105162780B (en) * 2015-08-21 2018-04-06 上海斐讯数据通信技术有限公司 A kind of url filtering address setting method and system
CN106452998A (en) * 2016-09-30 2017-02-22 北京邦天信息技术有限公司 Method and device of providing service
CN112291215A (en) * 2020-10-19 2021-01-29 李贝贝 Intelligent home network security monitoring system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication