CN1744494A - Access authentication system and method by verifying safety of accessing host - Google Patents


Info

Publication number
CN1744494A
Authority
CN
China
Prior art keywords
access
safety
authentication
health
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200510112524
Other languages
Chinese (zh)
Other versions
CN100512109C (en)
Inventor
余晓光
陈珣
金华敏
王帅
沈军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Research Institute China Telecom Co ltd
China Telecom Corp Ltd
Original Assignee
GUANGDONG TELECOMMUNICATION CO Ltd INST
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by GUANGDONG TELECOMMUNICATION CO Ltd INST
Priority to CNB2005101125240A
Publication of CN1744494A
Application granted
Publication of CN100512109C
Legal status: Active (current)
Anticipated expiration

Landscapes

  • Computer And Data Communications (AREA)
  • Small-Scale Networks (AREA)

Abstract

The system consists of a client, an access control device, an authentication server that verifies the user's identity, and a security-health fingerprint authentication device. The client is the host requesting access. Fingerprint information about the host, collected by software on the client, is sent through the access control device and the authentication server to the fingerprint authentication device. The access control device contains ports for user access and an access control module; after it receives the returned authentication result it controls the host's access request: admit, deny, or admit only to some of the services that the network elements provide. A security-health policy library in the authentication device is used to look up and compare the fingerprint information, evaluate the security of the host from the comparison result, and decide whether network access is allowed. The method is applicable to the security authentication of diverse hosts.

Description

Access authentication system and method for verifying the security of an access host
Technical field
The present invention relates to an access authentication system and method for verifying the security of an access host, and specifically to an access authentication system and method based on security-health fingerprint authentication of the access host. It belongs to the field of network security technology in data communications.
Background
As vulnerabilities in network systems and software are continuously discovered, network worm attacks have become increasingly rampant. A network worm attack is an attack that replicates itself and spreads by exploiting vulnerabilities in systems or network services; its main target is the host that has the vulnerability. Today many vulnerable hosts are connected to enterprise networks and the Internet without any security check, so that potential security hazards spread across the whole network, affect other hosts, servers and network equipment on it, and cause server crashes and congestion or even paralysis of the whole network.
The main authentication technique at present is still traditional username/password authentication. This method can verify only the legitimacy of the user's identity; it cannot verify the security of the host, and therefore cannot prevent or reduce worm outbreaks.
Network access generally takes three forms: connection to a telecommunications network, another network segment or the Internet through a switch; access to an enterprise or institution's internal LAN through a VPN; and access to the Internet through a broadband access server (BAS). All of these still verify only the user's identity. If the security of the access host could be verified at the same time, network security would be greatly improved. How to transform the network access authentication system so that the access host can be authenticated on the basis of its security has therefore become a new problem that those skilled in the art urgently need to solve.
Summary of the invention
In view of this, the purpose of the present invention is to provide an access authentication system and method for verifying the security of an access host. The invention changes the conventional technique of authenticating the user identity of an access host with a username/password, and proposes a new access authentication system and method based on a security-health fingerprint, which verifies the security of the various hosts or terminal devices accessing the network and effectively safeguards network security.
To achieve the above object, the invention provides an access authentication system for verifying the security of an access host, characterized in that the system uses security-health fingerprint information to perform access authentication of the security of the hosts accessing the network, and comprises the following components:
An authentication client: the host whose security must be verified in order to access the network. Client software for security-health fingerprint authentication is installed on the machine; this software collects the security-health fingerprint information of the host and sends it via the access control device and the authentication server to the security-health fingerprint authentication device for verification;
An access control device: the network device that provides access for users, containing ports for user access and an access control module. After receiving the authentication result returned by the security-health fingerprint authentication device, it controls the host's access request: allow access, deny access, or allow access only to some of the network elements that provide services;
An authentication server: the traditional server that performs identity authentication by username/password, used in cooperation with the security-health fingerprint authentication device to perform a double authentication of the user, of user identity and of host security;
A security-health fingerprint authentication device: the authentication device for subscriber host access, containing a security-health policy library and an information interface. It receives the client's security-health fingerprint, looks up and compares the items in the fingerprint against the security-health policy library, and evaluates the security-state level of the host from the combined comparison results. If the host's security-state level is lower than the value set in the policy, it sends a no-access message or an access control policy to the access control device; if the level is greater than or equal to the set value, it sends an access-granted message to the access system.
The security-health fingerprint information of the host includes, but is not limited to: operating system type, operating system version number, patch status, file-sharing status, open Transmission Control Protocol (TCP) ports, open User Datagram Protocol (UDP) ports, running system services, user password strength, Guest account usage status, account lockout policy, account password policy, login information, browser version, browser patch status, e-mail client version, and e-mail client patch status.
The security-health fingerprint information is packaged into a data packet of the form "type, length, content", where the type field is a special identifier indicating that this packet needs to be delivered to the security-health fingerprint authentication device for security authentication; the identifier is defined jointly by the client, the authentication server and the security-health fingerprint authentication device.
The ports in the access control device that provide user access comprise two logical ports:
a controlled port, which is opened only in the authenticated state and is used to carry network resources and services; and an uncontrolled port, which is always in a bidirectionally connected state so that the client can send or receive authentication at any time.
When the access network is an internal LAN, to support access control at the network port the client needs to support the Extensible Authentication Protocol over LAN (EAPOL).
When the access network is a virtual private network, to support access control at the network port the client needs to support at least the following VPN tunnelling protocols: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPsec).
When the access network is a telecommunications access network, to support access control at the network port the client needs to support the Point-to-Point Protocol over Ethernet (PPPoE).
To achieve the above object, the invention also provides an authentication method using the access authentication system for verifying the security of an access host, characterized in that security-health fingerprint information is used to verify the security of the access host so as to guard against network worms and hacker attacks, and comprising the following steps:
(1) When the client initiates an access request, the client software extracts the security-health fingerprint information of the local machine, packages it into a data packet of the form "type, length, content", and sends it to the access control device;
(2) When the access control device detects the authentication data packet carrying the fingerprint information, it either forwards it directly to the authentication server, or extracts the security-health fingerprint information used for authentication, re-encapsulates it, and forwards it to the authentication server;
(3) The authentication server communicates with the security-health fingerprint authentication device and sends the security-health fingerprint information to it;
(4) The security-health fingerprint authentication device compares the relevant fields of the fingerprint information against its policy library, performs a comprehensive evaluation of the comparison result and the relevant conditions of every item, and produces a security-state grade for the host. This grade value is then compared with the secure-access requirement: if the grade value is greater than or equal to the access value, an authentication-passed message is sent; otherwise an authentication-failed or restricted-access message is sent;
(5) The access control device reads the access control instruction and sets the corresponding authorization state for the access host accordingly: on an authentication-passed message it completes the host's access; on an authentication-failed message it denies the host access and displays an access-failure prompt in the client software; on a restricted-access message it configures the corresponding access policy through the access control module, for example allowing a host infected with a worm to reach only the patch server in the network, so that the device can be patched in time, its vulnerabilities repaired, and the chance of re-infection reduced.
The network communication protocol used when the client software sends the authentication data packet in step (1) includes, but is not limited to, TCP, UDP, ICMP or EAPOL.
The protocol used in step (3) for communication between the authentication server and the security-health fingerprint authentication device is the Remote Authentication Dial In User Service (RADIUS).
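The five-step method above, as an added example in Python; this is not code from the patent. The patent fixes neither the byte layout of "type, length, content" nor the code values, so the 1-byte type / 2-byte length layout, the outer identifier FP_AUTH, the inner item codes, the policy items and weights, the two grade thresholds, the patch server name and the sample fingerprint are all assumptions. It treats the fingerprint as self-reported data from the client software, exactly as the patent describes; nothing in it checks that the client reported truthfully.

```python
import struct

FP_AUTH = 0xA5   # assumed "special identifier": the outer record carries a security-health fingerprint
# Assumed codes for the inner items (the patent lists the fields but fixes no codes).
OS_TYPE, OS_VERSION, PATCH_LEVEL, OPEN_TCP, GUEST_ENABLED, PW_STRENGTH = range(1, 7)

ALLOW_GRADE, RESTRICT_GRADE = 80, 50     # assumed thresholds from the policy library
PATCH_SERVER = "patch.corp.example"       # assumed name of the patch server


def pack_tlv(items):
    """Step (1): encode (type, content) records as 1-byte type, 2-byte big-endian length, content."""
    out = bytearray()
    for t, v in items:
        if not 0 <= t <= 0xFF or len(v) > 0xFFFF:
            raise ValueError("type or length out of range")
        out += struct.pack("!BH", t, len(v)) + v
    return bytes(out)


def parse_tlv(buf):
    """Decode TLV records, rejecting truncated input instead of stopping silently."""
    items, off = [], 0
    while off < len(buf):
        if off + 3 > len(buf):
            raise ValueError("truncated TLV header")
        t, n = struct.unpack_from("!BH", buf, off)
        off += 3
        if off + n > len(buf):
            raise ValueError("TLV length runs past the end of the packet")
        items.append((t, bytes(buf[off:off + n])))
        off += n
    return items


def build_auth_packet(fingerprint):
    """Client side: wrap the fingerprint items in one outer record whose type is FP_AUTH."""
    return pack_tlv([(FP_AUTH, pack_tlv(fingerprint))])


def extract_fingerprint(packet):
    """Steps (2)-(3): the forwarding devices only need to recognise the outer type."""
    outer = parse_tlv(packet)
    if len(outer) != 1 or outer[0][0] != FP_AUTH:
        raise ValueError("not a security-health fingerprint authentication packet")
    return dict(parse_tlv(outer[0][1]))


def ports(v):
    """Decode a list of 16-bit port numbers."""
    if len(v) % 2:
        raise ValueError("odd-length port list")
    return set(struct.unpack("!%dH" % (len(v) // 2), v))


# Assumed policy library: (item, predicate on the item's content, weight, description).
POLICY = [
    (PATCH_LEVEL,   lambda v: v[0] >= 3,                  40, "patch level >= 3"),
    (OPEN_TCP,      lambda v: not {135, 445} & ports(v),  20, "RPC/SMB ports not open"),
    (GUEST_ENABLED, lambda v: v == b"\x00",               15, "Guest account disabled"),
    (PW_STRENGTH,   lambda v: v[0] >= 2,                  15, "password strength >= 2"),
    (OS_VERSION,    lambda v: len(v) > 0,                 10, "OS version reported"),
]


def evaluate(fp):
    """Step (4): grade the host. An item that is missing or malformed counts as failed."""
    grade, failed = 0, []
    for item, ok, weight, desc in POLICY:
        try:
            passed = item in fp and ok(fp[item])
        except (ValueError, IndexError, struct.error):
            passed = False
        if passed:
            grade += weight
        else:
            failed.append(desc)
    return grade, failed


def decide(grade):
    """Turn the grade into the instruction the access control device acts on in step (5)."""
    if grade >= ALLOW_GRADE:
        return "allow", ()
    if grade >= RESTRICT_GRADE:
        return "restrict", (PATCH_SERVER,)      # the patent's example: reach only the patch server
    return "deny", ()


def authenticate(packet):
    """Whole pipeline from the device's point of view: packet in, access instruction out."""
    grade, failed = evaluate(extract_fingerprint(packet))
    action, reachable = decide(grade)
    return {"grade": grade, "action": action, "reachable": reachable, "failed": failed}


# Constructed sample: a host two patch levels behind, SMB closed, Guest disabled.
SAMPLE_FINGERPRINT = [
    (OS_TYPE, b"Windows"), (OS_VERSION, b"5.1.2600"), (PATCH_LEVEL, b"\x02"),
    (OPEN_TCP, struct.pack("!2H", 139, 3389)), (GUEST_ENABLED, b"\x00"), (PW_STRENGTH, b"\x03"),
]

if __name__ == "__main__":
    print(authenticate(build_auth_packet(SAMPLE_FINGERPRINT)))
```

The sample host scores 60: above the deny floor but below the allow threshold, so the instruction returned is "restrict" with only the patch server reachable, which is the outcome the patent gives as its example. Two choices matter in practice: the parser refuses a record whose length runs past the packet rather than silently truncating, and a policy item that the client omitted or garbled counts as failed, so a client cannot improve its grade by leaving fields out.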
The present invention has the following advantages:
(1) It effectively prevents virus-infected hosts from accessing the network and safeguards network security: the access authentication system of the invention controls a host's access according to the host's security-health fingerprint information, blocking or restricting the network access of infected hosts and cutting off their route for infecting other devices, thereby effectively preventing the spread of worms and similar viruses in the network. The access control policy configured in the authentication method allows an infected host to reach only the patch server in the network, so that the device is patched in time and its vulnerabilities repaired, reducing the chance of re-infection.
(2) Access authentication is targeted and does not affect other access devices: the system controls access on the basis of a port or a user identity, so the host or terminal device of one particular user can be isolated directly while the access of other users' devices to the network is unaffected. Access control policies for different security grades are configured in the security-health policy library, and different access control instructions are sent for different access devices.
(3) The system structure is simple and the software and hardware investment is small: the client only needs client software that can collect the security-health fingerprint information of the device and automatically send it, packaged in the set format, to the security-health fingerprint authentication device; its function is fairly simple and easy to implement. The only hardware the whole system needs to acquire is the security fingerprint authentication device, and it can be developed on the hardware and software of an existing authentication server, which both speeds development and makes the interface with the conventional authentication server easy to realize.
In summary, the access authentication system and method of the invention for verifying the security of an access host on the basis of security-health fingerprint authentication uses the host security grade derived from the security fingerprint information as the basis for controlling access by that host. The security authentication device issues an access control policy for the specific port of the network device, so that hosts with a lower security grade are effectively blocked from the network while other hosts or devices access it normally; at the same time, with suitable settings, users can be made to patch infected hosts in time. The invention can be widely applied to the security protection of enterprise intranets, effectively isolating network worms and hacker attacks and greatly reducing their impact on hosts and networks.
Description of drawings
Fig. 1 is a schematic diagram of the composition of the access authentication system of the invention for verifying the security of an access host.
Fig. 2 is a flow chart of the operating steps of the authentication method of the access authentication system of the invention.
Fig. 3 is a block diagram of the components and internal structure of the first embodiment of the access authentication system of the invention.
Fig. 4 is a schematic diagram of the structure of the first embodiment of the access authentication system of the invention.
Fig. 5 is a schematic diagram of the structure of the second embodiment of the access authentication system of the invention.
Fig. 6 is a schematic diagram of the structure of the third embodiment of the access authentication system of the invention.
Detailed description
To make the purpose, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments.
Referring to Fig. 1, the invention is an access authentication system that uses security-health fingerprint information to verify the security of an access host, and its components comprise:
Client 1: the host whose security must be verified in order to access the network. Client software for security-health fingerprint authentication is installed on the machine; the software collects the security-health fingerprint information of the host and sends it via the access control device and the authentication server to the security-health fingerprint authentication device for verification. The security-health fingerprint mainly includes, but is not limited to, the following information: operating system type, operating system version number, patch status, file-sharing status, open TCP ports, open UDP ports, running system services, user password strength, Guest account usage status, account lockout policy, account password policy, login information, browser version, browser patch status, e-mail client version, and e-mail client patch status.
Access control device 2: the network device that provides access for users, containing ports for user access and an access control module. After receiving the authentication result returned by the security-health fingerprint authentication device, it controls the host's access request: allow access, deny access, or allow access only to some of the network elements that provide services;
Authentication server 3: the traditional server that performs identity authentication by username/password, used in cooperation with the security-health fingerprint authentication device to perform a double authentication of the user, of user identity and of host security;
Security-health fingerprint authentication device 4: the authentication device for subscriber host access, containing a security-health policy library and an information interface. It receives the security-health fingerprint from the client, looks up and compares the items in the fingerprint against the security-health policy library, and evaluates the security-state level of the host from the combined comparison results. According to the comparison between the host's security-state level and the value set in the access control policy, it sends the access control device an access-granted message, a no-access message, or an access control policy.
The access authentication technique of the invention, based on the security-health fingerprint, can effectively control the security of access hosts, guard against worm outbreaks and hacker attacks to the greatest extent, and ensure the safety and stability of hosts and the network.
Referring to Fig. 2, the specific operating steps of the authentication method of the invention, which uses security-health fingerprint information to perform access authentication of the security of the access host, are as follows:
(1) When the client initiates an access request, the client software extracts the security-health fingerprint information of the local machine, packages it into an authentication data packet of the form "type, length, content", and sends the packet to the access control device using a network communication protocol such as TCP, UDP, ICMP or EAPOL;
(2) When the access control device detects the authentication data packet carrying the fingerprint information, it either forwards it directly to the authentication server, or extracts the security-health fingerprint information used for authentication, re-encapsulates it, and forwards it to the authentication server;
(3) The authentication server and the security-health fingerprint authentication device communicate using the RADIUS protocol, and the security-health fingerprint information is sent to the security-health fingerprint authentication device;
(4) The security-health fingerprint authentication device compares the relevant fields of the fingerprint information against its policy library, performs a comprehensive evaluation of the comparison result and the relevant conditions of every item, and produces a security-state grade for the host. This grade value is then compared with the secure-access requirement: if the grade value is greater than or equal to the access value, an authentication-passed message is sent; otherwise an authentication-failed or restricted-access message is sent;
(5) The access control device reads the access control instruction and sets the corresponding authorization state for the access host accordingly: on an authentication-passed message it completes the host's access; on an authentication-failed message it denies the host access and displays an access-failure prompt in the client software; on a restricted-access message it configures the corresponding access policy through the access control module and sends the corresponding access control instruction to the access control system, for example allowing a host infected with a worm to reach only the patch server in the network, so that the device can be patched in time, its vulnerabilities repaired, and the chance of re-infection reduced.
Three embodiments of the invention are described below, one for each of three different access networks.
The first is an example of access to an enterprise or institution's internal LAN on the basis of the IEEE 802.1X port-based access control technique. Referring to Fig. 3, the system of the invention then comprises four parts: authentication client 1, access control device 2, authentication server 3 and security-health fingerprint authentication device 4.
In an IEEE 802.1X access authentication system the user terminal generally acts as client 1. The terminal usually has client software installed; the user initiates identity authentication by starting the client software, and the access control device decides, according to the authentication result of the security-health fingerprint authentication device, whether the user terminal may access the network.
To support port-based access control, client 1 needs to support the EAPOL protocol. To support security authentication of the host's health fingerprint, client 1 must be able to collect the security-health fingerprint information of the host and send it to the authentication device for verification. The authentication data packet is encapsulated in the "type, length, content" form, where the type field is a special identifier indicating that the packet requires security-health fingerprint authentication.
A network device supporting IEEE 802.1X authentication (the access control device 2) usually has two logical ports for user access, corresponding to the port of each user device (the physical port, or the MAC address, VLAN, IP address and so on of the user device): a controlled port and an uncontrolled port. The uncontrolled port is always in a bidirectionally connected state and is used mainly to carry EAPOL protocol frames, ensuring that the client can send or receive authentication at any time. The controlled port is opened only when authentication has passed and carries network resources and services. If the user fails authentication, the controlled port remains in the unauthorized, closed state and the user cannot reach the services the authentication system provides. The user's controlled port is initially in the unauthorized state and cannot reach any network resource; only after user identity authentication is the controlled port set to the authorized, open state. In the present embodiment, access control device 2 can be implemented with a network device that supports the IEEE 802.1X protocol (illustrated as a switch); the access ports are the physical ports of the access network device and the access control module is the control module of the access device. The access control module of the port re-encapsulates the authentication information received in the EAPOL frames and sends it to authentication server 3 using the RADIUS protocol.
Because EAPOL is defined by the IEEE 802.1X standard, devices that support IEEE 802.1X generally support EAPOL as well, so the security-health fingerprint authentication device 4 of the invention only needs to interact with authentication server 3 using the standard RADIUS protocol to complete authentication. In this process authentication server 3 acts as the RADIUS client: it extracts the fingerprint information from the EAPOL frames encapsulated in RADIUS, re-encapsulates it in RADIUS packet format, and sends it to the RADIUS server, the security-health fingerprint authentication device 4. The content of the security-health fingerprint information is encapsulated in the RADIUS packet in the "type, length, content" form, where the value of the type field must be uniformly defined by client 1, authentication server 3 and security-health fingerprint authentication device 4 so that all three understand the meaning of each field.
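An added example, not the patent's code, of the RADIUS leg just described: one way authentication server 3 (the RADIUS client) could carry the "type, length, content" fingerprint to device 4 (the RADIUS server) using only standard RADIUS. The fingerprint bytes are treated as opaque and carried in Vendor-Specific Attributes (RFC 2865, attribute type 26), split across several attributes because a RADIUS attribute value is limited to 253 bytes, and the request carries a Message-Authenticator (RFC 3579) so that device 4 can reject packets forged or altered between the two servers. The Vendor-Id (0 here as a placeholder), the vendor-type value, the shared secret, the user name and the sample blob are assumptions.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC, ATTR_MESSAGE_AUTHENTICATOR = 1, 26, 80
VENDOR_ID = 0            # assumed placeholder; a deployment would use its own IANA enterprise number
VT_FINGERPRINT = 1       # assumed vendor-type for one fragment of the fingerprint TLV data
MAX_VSA_DATA = 247       # 253-byte attribute value minus 4-byte Vendor-Id and 2-byte vendor type/length


def attr(t, value):
    """One RADIUS attribute: Type, Length (counting these two bytes), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", t, len(value) + 2) + value


def vsa(vendor_type, data):
    """Vendor-Specific Attribute: Vendor-Id, then Vendor-Type, Vendor-Length, data."""
    return attr(ATTR_VENDOR_SPECIFIC,
                struct.pack("!IBB", VENDOR_ID, vendor_type, len(data) + 2) + data)


def fingerprint_vsas(tlv_blob):
    """Split the fingerprint into as many VSAs as needed; same-type attributes keep their order."""
    return b"".join(vsa(VT_FINGERPRINT, tlv_blob[i:i + MAX_VSA_DATA])
                    for i in range(0, len(tlv_blob), MAX_VSA_DATA))


def access_request(secret, identifier, user_name, tlv_blob, authenticator=None):
    """Authentication server 3 (RADIUS client) builds the Access-Request for device 4."""
    authenticator = authenticator or os.urandom(16)     # Request Authenticator: random per request
    attrs = attr(ATTR_USER_NAME, user_name) + fingerprint_vsas(tlv_blob)
    # Message-Authenticator: HMAC-MD5 over the whole packet with its own value set to zeros.
    placeholder = attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier,
                         20 + len(attrs) + len(placeholder)) + authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attrs(buf):
    """Walk the attribute list, refusing lengths below 2 or running off the end of the packet."""
    attrs, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated attribute header")
        t, n = buf[off], buf[off + 1]
        if n < 2 or off + n > len(buf):
            raise ValueError("bad attribute length")
        attrs.append((t, bytes(buf[off + 2:off + n])))
        off += n
    return attrs


def extract_fingerprint(secret, packet):
    """Device 4 (RADIUS server): verify the Message-Authenticator, then reassemble the fingerprint."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack_from("!BBH", packet)
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    header, attrs = packet[:20], parse_attrs(packet[20:])
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0]) != 16:
        raise ValueError("exactly one 16-byte Message-Authenticator required")
    zeroed = b"".join(attr(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                      for t, v in attrs)
    expected = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, mas[0]):
        raise ValueError("Message-Authenticator check failed")
    fragments = []
    for t, v in attrs:
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue
        vendor_id, vendor_type, vendor_len = struct.unpack_from("!IBB", v)
        if vendor_id == VENDOR_ID and vendor_type == VT_FINGERPRINT and vendor_len == len(v) - 4:
            fragments.append(v[6:])
    return b"".join(fragments)


if __name__ == "__main__":
    blob = bytes(range(256)) * 3     # constructed stand-in for 768 bytes of fingerprint TLV data
    pkt = access_request(b"shared-secret", 1, b"host-01", blob)
    assert extract_fingerprint(b"shared-secret", pkt) == blob
    print(len(pkt), "bytes,", sum(t == ATTR_VENDOR_SPECIFIC for t, _ in parse_attrs(pkt[20:])), "fragments")
```

A 768-byte fingerprint needs four VSAs, which device 4 concatenates in arrival order. Two limits of this transport are worth stating plainly: the shared secret gives only origin and integrity protection between server 3 and device 4, so the fingerprint travels in the clear unless the RADIUS path itself is protected (for example with IPsec), and nothing in the exchange vouches for the client having reported its state truthfully.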
Fig. 4 has showed the deployment architecture of the component devices of this embodiment system, and wherein each main frame of internal lan (being client) is by access control apparatus-switch-be connected into internal lan (going out with the rectangular broken line frame among the figure).
Referring to Fig. 5, introduce the example that the present invention inserts enterprises and institutions' internal lan on based on the basis of VPN access control technology.The structure of this system embodiment is formed identical substantially with Fig. 4, and difference is just at access control apparatus 3; Also form: Authentication Client 1, VPN access control apparatus 2, certificate server 3 and safety and Health fingerprint certification device 4 by four parts.。
In VPN access authentication system generally with user terminal as client 1, this terminal will be installed a client software usually, the user initiates authenticating user identification by starting this client software, and the VPN access control apparatus determines this user terminal to allow according to safety and Health fingerprint certification device authentication result or stops accesses network.
For supporting the access control based on VPN, client 1 needs to support various vpn tunneling agreements such as PPTP, L2TP, IPSEC.In order to support the safety certification of the healthy fingerprint of main frame, client 1 should be able to be collected the healthy finger print information of this terminal security, and sends to authenticate device and verify.Authentication data packet is with " type, length, content " form encapsulation, and wherein type field is a special identifier, shows that this packets need carries out the security access authentication of safety and Health fingerprint.
In a second embodiment, access control apparatus 2 can realize that access interface wherein is the physics or the logic port of VPN access device with the network equipment of supporting one or more vpn tunneling agreements, and the access control module is the control module of VPN access device.This access control module at first with the authentication information deciphering, extracts authentication information, sends to certificate server 3 with radius protocol then.
Certificate server 3 is responsible for the information that takes the fingerprint from the authentication bag of radius protocol encapsulation, again with after the encapsulation of RADIUS packet format, send to safety and Health fingerprint certification device 4 then.Certificate server 3 uses the radius protocol and the safety and Health fingerprint certification device 4 of standard to communicate, and in this process, certificate server 3 is the client of RADIUS, and safety and Health fingerprint certification device 4 is the server end of RADIUS.The content of safety and Health finger print information is encapsulated in the RADIUS bag with " type, length, content " form, wherein the value of type field must make the three all understand the implication of specific fields by client 1, certificate server 3 and safety and Health fingerprint certification device 4 three's unified Definition.
Fig. 5 has showed the deployment architecture of this embodiment set of systems forming apparatus, and each main frame of external network is connected into internal lan (going out with the rectangular broken line frame among the figure) by the VPN access device.
Referring to Fig. 6, introduce the example that the present invention inserts telecommunications network on based on the basis of PPPOE dial-up access access control technology.The structure composition of this system embodiment is identical substantially with Fig. 4, Fig. 5, and difference is just at access control apparatus 3; Also form: Authentication Client 1, PPPOE access control apparatus 2, certificate server 3 and safety and Health fingerprint certification device 4 by four parts.
In PPPOE access authentication system generally with user terminal as client 1, this terminal will be installed a client software usually, the user initiates authenticating user identification by starting this client software, and the PPPOE access control apparatus allows according to safety and Health fingerprint certification device authentication result or prevention user terminal access network.
For supporting the access control based on PPPOE, client 1 needs to support the PPPOE agreement.Be to support the safety certification of the healthy fingerprint of main frame, client 1 should be able to be collected the healthy finger print information of this terminal security, and sends to authenticate device and verify.Authentication data packet is encapsulated as " type, length, content " form, and wherein type field is a special identifier, shows that this packets need carries out the security access authentication of safety and Health fingerprint.
In the 3rd embodiment, access device 2 can realize that access interface wherein is the physics or the logic port of PPPOE access device with the network equipment of PPPOE agreement, and the access control module is the control module of PPPOE access device.
The PPPoE protocol provides a standard for connecting multiple hosts on a broadcast network to a remote access concentrator (LAC). In this network model every user host must initialise its own independent PPP protocol stack, and the features of the PPP protocol itself are used to bill and manage users on a broadcast network.
The PPPoE protocol comprises two stages: the PPPoE Discovery Stage and the PPPoE Session Stage.
When a client host wishes to start a PPPoE session, it first searches the broadcast network for an access concentrator; once the host has selected the access server it needs, it begins establishing a PPPoE session with that access server. During this process the access concentrator assigns a unique session ID to each PPPoE session, and once the session is established the PPPoE session stage begins. In this stage the two ends of the point-to-point connection exchange data messages using the PPP protocol, completing the sequence of PPP procedures, and finally carry network-layer datagrams over this point-to-point logical channel.
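The discovery stage just described, as an added example in Python (not code from the patent or from any product it describes): an access concentrator and a host run the PADI, PADO, PADR, PADS exchange of RFC 2516 in memory, and the tag parser rejects malformed frames. The AC-Cookie tag is used as RFC 2516 suggests, as an HMAC over the requesting host's MAC address, so the concentrator hands out a session ID only to a host that actually received its PADO and cannot be drained of session IDs by a flood of forged PADR frames. The AC name, service name and MAC addresses are constructed; only the PPPoE payload is modelled, not the Ethernet header.

```python
import hashlib
import hmac
import os
import struct

# PPPoE discovery constants (RFC 2516). Discovery frames use Ethertype 0x8863.
PPPOE_VER_TYPE = 0x11                      # VER=1, TYPE=1
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_EOL, TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = (
    0x0000, 0x0101, 0x0102, 0x0103, 0x0104)


def build_discovery(code, session_id, tags):
    """Discovery payload: VER/TYPE, CODE, SESSION_ID, LENGTH, then TLV tags."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, len(body)) + body


def parse_discovery(frame):
    """Return (code, session_id, [(tag, value), ...]); ValueError if malformed."""
    if len(frame) < 6:
        raise ValueError("short PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != PPPOE_VER_TYPE or length != len(frame) - 6:
        raise ValueError("bad version/type or LENGTH field")
    tags, off = [], 6
    while off < len(frame):
        if off + 4 > len(frame):
            raise ValueError("truncated tag header")
        tag, n = struct.unpack("!HH", frame[off:off + 4])
        off += 4
        if off + n > len(frame):
            raise ValueError("tag length exceeds payload")
        if tag == TAG_EOL:
            break
        tags.append((tag, frame[off:off + n]))
        off += n
    return code, session_id, tags


class AccessConcentrator:
    """Access-concentrator side of the discovery stage. It keeps no state until a
    PADR arrives, and honours only a PADR carrying an AC-Cookie it issued for that
    source MAC, so a flood of PADI/PADR frames cannot exhaust session IDs."""

    def __init__(self, ac_name, service):
        self.ac_name, self.service = ac_name, service
        self.cookie_key = os.urandom(16)
        self.next_session = 1
        self.sessions = {}                       # session_id -> host MAC

    def cookie(self, host_mac):
        return hmac.new(self.cookie_key, host_mac, hashlib.sha256).digest()[:16]

    def handle(self, host_mac, frame):
        code, session_id, tags = parse_discovery(frame)
        t = dict(tags)
        if session_id != 0 or t.get(TAG_SERVICE_NAME, b"") not in (b"", self.service):
            return None                          # not a discovery frame for a service we offer
        echo = [(TAG_HOST_UNIQ, t[TAG_HOST_UNIQ])] if TAG_HOST_UNIQ in t else []
        if code == PADI:
            return build_discovery(PADO, 0, [(TAG_AC_NAME, self.ac_name),
                                             (TAG_SERVICE_NAME, self.service),
                                             (TAG_AC_COOKIE, self.cookie(host_mac))] + echo)
        if code == PADR:
            if not hmac.compare_digest(t.get(TAG_AC_COOKIE, b""), self.cookie(host_mac)):
                return None                      # no valid cookie: this host never got our PADO
            session_id = self.next_session
            self.next_session += 1
            self.sessions[session_id] = host_mac
            return build_discovery(PADS, session_id, [(TAG_SERVICE_NAME, self.service)] + echo)
        return None


def run_discovery(ac, host_mac, service=b""):
    """Host side: PADI -> PADO -> PADR -> PADS. Returns the assigned session ID."""
    host_uniq = os.urandom(8)
    pado = ac.handle(host_mac, build_discovery(PADI, 0, [(TAG_SERVICE_NAME, service),
                                                         (TAG_HOST_UNIQ, host_uniq)]))
    if pado is None:
        raise RuntimeError("no PADO received")
    code, _, tags = parse_discovery(pado)
    t = dict(tags)
    if code != PADO or t.get(TAG_HOST_UNIQ) != host_uniq:
        raise RuntimeError("PADO does not answer our PADI")   # offer meant for another host
    pads = ac.handle(host_mac, build_discovery(PADR, 0, [(TAG_SERVICE_NAME, t[TAG_SERVICE_NAME]),
                                                         (TAG_AC_COOKIE, t[TAG_AC_COOKIE]),
                                                         (TAG_HOST_UNIQ, host_uniq)]))
    if pads is None:
        raise RuntimeError("no PADS received")
    code, session_id, _ = parse_discovery(pads)
    if code != PADS or session_id == 0:
        raise RuntimeError("session not established")
    return session_id
```

The host echoes a random Host-Uniq tag so it can tell which PADO answers its own PADI, and the concentrator's cookie is verified with a constant-time comparison; a PADR that arrives without a cookie the concentrator computed for that MAC is silently dropped, which is the behaviour that keeps the discovery stage stateless until a genuine host commits.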
The access control module of the PPPoE access control device 2 first verifies the username and password sent by the client 1 through PPPoE authentication. After that authentication passes, the access control module sends the received security health fingerprint information over the RADIUS protocol to the authentication server 3 and the security health fingerprint authentication device 4.
As in the previous embodiment, the authentication server 3 extracts the fingerprint information from the RADIUS-encapsulated authentication packet, re-encapsulates it in RADIUS packet format and forwards it to the security health fingerprint authentication device 4, using the standard RADIUS protocol with the authentication server 3 as RADIUS client and the security health fingerprint authentication device 4 as RADIUS server. The content of the security health fingerprint information is carried in the RADIUS packet in "type, length, content" form, and the values of the type field must be defined jointly by the client 1, the authentication server 3 and the security health fingerprint authentication device 4, so that all three interpret each specific field in the same way.
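The RADIUS exchange between the authentication server 3 (RADIUS client) and the fingerprint authentication device 4 (RADIUS server), as an added Python example rather than the patent's own code. Fingerprint items are encoded in "type, length, content" form and carried inside RADIUS Vendor-Specific Attributes; the vendor ID 99999, the sub-attribute type and the item type numbers are assumptions standing in for the values the three parties must agree on. Two practical points the patent does not spell out are handled: a RADIUS attribute value is limited to 253 bytes, so a fingerprint of realistic size has to be split across several attributes and reassembled, and an Access-Request has no integrity protection of its own, so every packet carries and checks a Message-Authenticator (RFC 2869) under the shared secret. The fingerprint values, user names and shared secret in the test are constructed.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865; Message-Authenticator from RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC, ATTR_MESSAGE_AUTHENTICATOR = 1, 26, 80
# The fingerprint rides in a Vendor-Specific Attribute. Vendor ID, sub-attribute
# type and item type numbers are assumptions standing in for the values that
# client 1, authentication server 3 and device 4 must define jointly.
VENDOR_ID, VSA_HEALTH_FINGERPRINT = 99999, 1
FP_OS_TYPE, FP_PATCH_LEVEL, FP_OPEN_TCP, FP_GUEST_ENABLED = 1, 2, 3, 4


def encode_fingerprint(items):
    """Fingerprint items as 'type, length, content', one byte for type and length."""
    return b"".join(struct.pack("!BB", t, len(v)) + v for t, v in items)


def decode_fingerprint(blob):
    items, off = [], 0
    while off < len(blob):
        if off + 2 > len(blob) or off + 2 + blob[off + 1] > len(blob):
            raise ValueError("malformed fingerprint item")
        items.append((blob[off], blob[off + 2:off + 2 + blob[off + 1]]))
        off += 2 + blob[off + 1]
    return items


def pack_attrs(attrs):
    """RADIUS attributes are TLVs too: type, length (header included, max 255), value."""
    if any(len(v) > 253 for _, v in attrs):
        raise ValueError("attribute value exceeds 253 bytes")
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def unpack_attrs(data):
    attrs, off = [], 0
    while off < len(data):
        if off + 2 > len(data) or data[off + 1] < 2 or off + data[off + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[off], data[off + 2:off + data[off + 1]]))
        off += data[off + 1]
    return attrs


def seal(code, ident, request_auth, attrs, secret, response=False):
    """Finish a packet with a Message-Authenticator: HMAC-MD5 under the shared secret
    over the packet with that attribute zeroed. Without it an Access-Request has no
    integrity protection at all; its Request Authenticator is only a nonce."""
    zeroed = pack_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    head = struct.pack("!BBH", code, ident, 20 + len(zeroed))
    mac = hmac.new(secret, head + request_auth + zeroed, hashlib.md5).digest()
    body = pack_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, mac)])
    # A response carries MD5(head, request authenticator, attributes, secret) instead.
    auth = hashlib.md5(head + request_auth + body + secret).digest() if response else request_auth
    return head + auth + body


def verify(packet, secret, request_auth=None):
    """Check a request (request_auth=None) or the response to a request that carried
    request_auth. Returns (code, identifier, attributes) or raises ValueError."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad length")
    head, auth, data = packet[:4], packet[4:20], packet[20:]
    if request_auth is None:
        request_auth = auth
    elif not hmac.compare_digest(auth, hashlib.md5(head + request_auth + data + secret).digest()):
        raise ValueError("bad Response Authenticator")
    attrs = unpack_attrs(data)
    mac = dict(attrs).get(ATTR_MESSAGE_AUTHENTICATOR)
    zeroed = pack_attrs([(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    expect = hmac.new(secret, head + request_auth + zeroed, hashlib.md5).digest()
    if mac is None or not hmac.compare_digest(mac, expect):
        raise ValueError("missing or bad Message-Authenticator")
    return packet[0], packet[1], attrs


def health_request(secret, ident, username, fingerprint):
    """Authentication server 3, as RADIUS client, forwards the fingerprint to device 4.
    A VSA value is vendor id (4) + sub-type (1) + sub-length (1) + data, so the
    fingerprint is cut into 247-byte pieces to respect the 253-byte attribute limit."""
    attrs = [(ATTR_USER_NAME, username.encode())]
    for i in range(0, len(fingerprint), 247):
        chunk = fingerprint[i:i + 247]
        attrs.append((ATTR_VENDOR_SPECIFIC, struct.pack(
            "!IBB", VENDOR_ID, VSA_HEALTH_FINGERPRINT, len(chunk) + 2) + chunk))
    return seal(ACCESS_REQUEST, ident, os.urandom(16), attrs, secret)


def fingerprint_device(packet, secret, policy):
    """Device 4, as RADIUS server: verify, reassemble the fingerprint, answer."""
    code, ident, attrs = verify(packet, secret)
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected RADIUS code")
    pieces = [v[6:4 + v[5]] for t, v in attrs
              if t == ATTR_VENDOR_SPECIFIC and len(v) >= 6
              and struct.unpack("!I", v[:4])[0] == VENDOR_ID and v[4] == VSA_HEALTH_FINGERPRINT]
    verdict = ACCESS_ACCEPT if policy(decode_fingerprint(b"".join(pieces))) else ACCESS_REJECT
    return seal(verdict, ident, packet[4:20], [], secret, response=True)
```

The `policy` callback stands in for the policy-library evaluation; the device answers Access-Accept or Access-Reject, and the authentication server checks both the Response Authenticator and the Message-Authenticator of the reply against the Request Authenticator it sent, so a forged or replayed verdict from a third party on the path is rejected.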
After the security health fingerprint authentication device 4 has assessed the host's security situation, it decides whether this host is allowed to access the network.
Fig. 6 shows the deployment architecture of the component devices of the access authentication system in the third embodiment: each dial-up user's host (the client) is connected into the public telecommunications network being accessed (drawn as the rectangular dashed box in the figure) through the PPPoE access device.

Claims (10)

1. An access authentication system that verifies the security of an accessing host, characterized in that: the system uses security health fingerprint information to perform access authentication of the security of a host accessing the network, and the system comprises the following components:
an authentication client, the host whose security must be verified for network access; client software for security health fingerprint authentication is installed on this machine, and this client software collects the security health fingerprint information of the host and sends it, via the access control device and the authentication server, to the security health fingerprint authentication device for verification;
an access control device, a network device that provides access to users and contains a port providing user access and an access control module; after receiving the authentication result returned by the security health fingerprint authentication device it controls the host's access request: permit access, deny access, or permit access only to part of the network elements that provide services;
an authentication server, a conventional server performing authentication by username/password, used in cooperation with the security health fingerprint authentication device to perform dual authentication of the user, of user identity and of host security;
a security health fingerprint authentication device, the authentication equipment for user host access, containing a security health policy library and an information interface; it receives the client's security health fingerprint, looks up and compares the information in the fingerprint against the security health policy library, and evaluates the host's security state level from the combined fingerprint comparison results; if the host's security state level is below the setting in the policy, it sends a deny-access message or an access control policy to the access control device; if the host's security state level is greater than or equal to the setting in the policy, it sends an access-grant message to the access system.
2. The access authentication system according to claim 1, characterized in that the security health fingerprint information of the host includes, but is not limited to: operating system type, operating system version number, patch status, file sharing status, open Transmission Control Protocol (TCP) ports, open User Datagram Protocol (UDP) ports, running system services, user password strength, use of the Guest user account, account lockout policy, account password policy, logon information, browser version, browser patch status, e-mail client version, e-mail client patch status.
3. The access authentication system according to claim 1 or 2, characterized in that the security health fingerprint information is packaged into a packet of the form "type, length, content", where the type field is a special identifier indicating that the packet is to be delivered to the security health fingerprint authentication device for security authentication, and is defined jointly by the client, the authentication server and the security health fingerprint authentication device.
4. The access authentication system according to claim 1, characterized in that the port providing user access in the access control device consists of two logical ports:
a controlled port, opened only in the authenticated state and used to deliver network resources and services;
an uncontrolled port, which is always in the bidirectionally connected state, through which the client can send or receive authentication at any time.
5. The access authentication system according to claim 1, characterized in that when the access network is an internal LAN, the communication protocol the client must support in order to support access control of this network port is the Extensible Authentication Protocol over LAN, EAPOL.
6. The access authentication system according to claim 1, characterized in that when the access network is a virtual private network, the communication protocols the client must support in order to support access control of this network port include at least the following VPN tunnelling protocols: Point-to-Point Tunneling Protocol PPTP, Layer 2 Tunneling Protocol L2TP, and Internet Protocol Security IPSEC.
7. The access authentication system according to claim 1, characterized in that when the access network is a telecommunications access network, the communication protocol the client must support in order to support access control of this network port is Point-to-Point Protocol over Ethernet, PPPOE.
8. An authentication method using the access authentication system for verifying the security of an accessing host according to claim 1, characterized in that security health fingerprint information is used to verify the security of the accessing host, so as to guard against network worms and hacker attacks; the method comprises the following steps:
(1) when the client initiates an access request, the client software extracts the security health fingerprint information of the local machine, packages this information into a packet of the form "type, length, content" and sends it to the access control device;
(2) after the access control device detects the authentication packet carrying the fingerprint information, it either forwards it directly to the authentication server, or extracts the security health fingerprint information used for authentication, re-encapsulates it and forwards it to the authentication server;
(3) the authentication server communicates with the security health fingerprint authentication device and sends the security health fingerprint information to the security health fingerprint authentication device;
(4) the security health fingerprint authentication device compares the information in the relevant fields of the fingerprint with its policy library, performs a multi-factor evaluation of the comparison result and the associated conditions of every item, yields the host's security state grade, and compares this grade value with the requirement for secure access; if the grade value is greater than or equal to the access value it sends an authentication-passed message, otherwise it sends an authentication-failed or restricted-access message;
(5) the access control device reads the access control instruction and sets the corresponding permission state for the accessing host according to that instruction: on an authentication-passed message it completes the host's access; on an authentication-failed message it denies the host's access and displays an access-failure prompt in the client software; on a restricted-access message the access control module configures the corresponding access policy.
9. The authentication method according to claim 8, characterized in that the network communication protocol used by the client software to send the authentication packet in step (1) includes, but is not limited to, TCP, UDP, ICMP or EAPOL.
10. The authentication method according to claim 8, characterized in that the protocol used for communication between the authentication server and the security health fingerprint authentication device in step (3) is the Remote Authentication Dial In User Service protocol, RADIUS.
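The evaluation performed by the fingerprint authentication device of claim 1 and by step (4) of claim 8, as an added Python example that is not part of the patent: each fingerprint item of claim 2 that the example models is checked against a policy library, the passed checks are weighted into a grade, and the grade is compared with two thresholds to yield the three outcomes of step (5): access, restricted access with an access policy, or denial. The policy structure, the weights, the thresholds, the remediation host and the patch identifiers are constructed for the example; the one design decision worth noting is that an item the client does not report counts as failed, so a client that omits unfavourable items gains nothing.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    """Assumed shape of the security health policy library of claim 1. Field names,
    weights, thresholds and patch identifiers are constructed for this example; the
    patent itself only lists the fingerprint items (claim 2)."""
    min_os_version: dict        # os type -> lowest acceptable (major, minor)
    required_patches: dict      # os type -> set of patch identifiers that must be present
    forbidden_tcp_ports: set    # open TCP ports that expose worm-prone services
    min_password_strength: int  # 0 (none) .. 3 (strong), as reported by the client
    weights: dict               # check name -> points it contributes to the grade
    accept_grade: int           # grade >= this: permit access
    restrict_grade: int         # grade >= this but < accept_grade: remediation network only
    remediation_hosts: list     # network elements reachable in the restricted state


EXAMPLE_POLICY = Policy(
    min_os_version={"windows": (5, 1), "linux": (2, 6)},
    required_patches={"windows": {"KB-0001", "KB-0002"}, "linux": set()},  # constructed ids
    forbidden_tcp_ports={135, 139, 445},
    min_password_strength=2,
    weights={"os_version": 15, "patches": 25, "no_forbidden_ports": 20, "no_file_sharing": 10,
             "password_strength": 10, "guest_disabled": 10, "lockout_policy": 10},
    accept_grade=90,
    restrict_grade=60,
    remediation_hosts=["patch.example.net"],
)


def evaluate(fp, policy=EXAMPLE_POLICY):
    """Step (4) of claim 8: compare each fingerprint field with the policy library,
    combine the outcomes into one grade and map the grade to a decision.
    Returns (decision, grade, failed_checks, access_policy)."""
    os_type = fp.get("os_type")
    checks = {
        "os_version": os_type in policy.min_os_version
                      and tuple(fp.get("os_version", ())) >= policy.min_os_version[os_type],
        "patches": os_type in policy.required_patches
                   and policy.required_patches[os_type] <= set(fp.get("patches", ())),
        "no_forbidden_ports": "open_tcp" in fp
                              and not (set(fp["open_tcp"]) & policy.forbidden_tcp_ports),
        "no_file_sharing": fp.get("file_sharing") is False,
        "password_strength": fp.get("password_strength", 0) >= policy.min_password_strength,
        "guest_disabled": fp.get("guest_enabled") is False,
        "lockout_policy": fp.get("account_lockout") is True,
    }
    # Every check above is False when its item is absent from the fingerprint, so a
    # stripped-down or tampered client cannot earn points by staying silent.
    grade = sum(policy.weights[name] for name, ok in checks.items() if ok)
    failed = sorted(name for name, ok in checks.items() if not ok)
    if grade >= policy.accept_grade:
        return "accept", grade, failed, None
    if grade >= policy.restrict_grade:
        return "restrict", grade, failed, {"allow_hosts": list(policy.remediation_hosts)}
    return "reject", grade, failed, None
```

The returned `failed` list is what the client software would show in the access-failure prompt of step (5), and the `access_policy` of the restricted outcome is what the access control module would configure on the controlled port: reachability to the remediation hosts only, until the host re-authenticates with a better fingerprint.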
CNB2005101125240A 2005-09-30 2005-09-30 Access authentication system and method by verifying safety of accessing host Active CN100512109C (en)


Publications (2)

Publication Number Publication Date
CN1744494A true CN1744494A (en) 2006-03-08
CN100512109C CN100512109C (en) 2009-07-08

Family

ID=36139715


Country Status (1)

Country Link
CN (1) CN100512109C (en)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009000190A1 (en) * 2007-06-22 2008-12-31 Huawei Technologies Co., Ltd. A safety status estimate method, apparatus and system
WO2009140911A1 (en) * 2008-05-19 2009-11-26 Zheng Kuanyong Method for interactive authentication
WO2010127578A1 (en) * 2009-05-04 2010-11-11 华为技术有限公司 Method, device and system for authenticating security status of telecommunication device
CN102171997A (en) * 2008-10-01 2011-08-31 诺基亚公司 Method, system, and apparatus for creating network accounts and configuring devices for use therewith
CN102195949A (en) * 2010-03-16 2011-09-21 邵宇 Fingerprint verification method for virtual private network (VPN)
CN101079882B (en) * 2006-05-24 2012-06-27 育然苏咨询有限责任公司 Posture-based data protection
CN102916943A (en) * 2012-09-20 2013-02-06 无锡华御信息技术有限公司 Management method and management system of portable storage device based on network environment
CN103457786A (en) * 2012-06-05 2013-12-18 ***通信集团公司 Sensor access detection method, device and system
CN103942472A (en) * 2014-04-14 2014-07-23 立德高科(北京)数码科技有限责任公司 Method and device used for preventing unauthorized user from starting software
CN104618268A (en) * 2014-12-30 2015-05-13 北京奇虎科技有限公司 Network admission control method, authentication server and terminal
CN106464739A (en) * 2014-06-19 2017-02-22 微软技术许可有限责任公司 Securing communications with enhanced media platforms
CN107623665A (en) * 2016-07-15 2018-01-23 华为技术有限公司 A kind of authentication method, equipment and system
CN107944344A (en) * 2017-10-30 2018-04-20 国网浙江省电力公司绍兴供电公司 Power supply enterprise's construction mobile security supervision platform
CN109522700A (en) * 2018-08-30 2019-03-26 深圳市国科亿道科技有限公司 A kind of host and pedestal interface authentication encryption system
CN110213232A (en) * 2019-04-26 2019-09-06 特斯联(北京)科技有限公司 A kind of fingerprint characteristic and key double verification method and apparatus
CN111177692A (en) * 2019-11-29 2020-05-19 云深互联(北京)科技有限公司 Terminal credibility level evaluation method, device, equipment and storage medium
CN112672348A (en) * 2019-09-27 2021-04-16 华为技术有限公司 Security control method, device, equipment, system and storage medium
CN113342594A (en) * 2021-05-26 2021-09-03 北京威努特技术有限公司 Industrial control host and dynamic health degree evaluation method thereof
CN113572773A (en) * 2021-07-27 2021-10-29 迈普通信技术股份有限公司 Access equipment and terminal access control method
CN115150833A (en) * 2022-09-05 2022-10-04 北京珞安科技有限责任公司 Network access control system and method


Also Published As

Publication number Publication date
CN100512109C (en) 2009-07-08


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: CHINA TELECOMMUNICATION STOCK CO., LTD.

Free format text: FORMER OWNER: CHINA TELECOMMUNICATION STOCK CO., LTD. GUANGDONG ACADEME

Effective date: 20091113

C41 Transfer of patent application or patent right or utility model
C56 Change in the name or address of the patentee

Owner name: CHINA TELECOMMUNICATION STOCK CO., LTD. GUANGDONG

Free format text: FORMER NAME: GUANGDONG PROVINCE TELECOMMUNICATION CO., LTD. RESEARCH INSTITUTE

CP03 Change of name, title or address

Address after: 20, building 109, West Zhongshan Avenue, Tianhe District, Guangzhou, Guangdong

Patentee after: GUANGDONG RESEARCH INSTITUTE, CHINA TELECOM Co.,Ltd.

Address before: No. 109, Zhongshan Avenue, Tianhe District, Guangdong, Guangzhou

Patentee before: Guangdong Telecommunication Co.,Ltd. Institude

TR01 Transfer of patent right

Effective date of registration: 20091113

Address after: No. 31, Finance Street, Beijing, Xicheng District

Patentee after: CHINA TELECOM Corp.,Ltd.

Address before: 20, building 109, West Zhongshan Avenue, Tianhe District, Guangzhou, Guangdong

Patentee before: GUANGDONG RESEARCH INSTITUTE, CHINA TELECOM Co.,Ltd.