CN1859178A - Network safety control method and system - Google Patents


Info

Publication number: CN1859178A
Authority: CN (China)
Prior art keywords: security, network, information, terminal equipment, event information
Legal status: Granted
Application number: CN 200510115574
Other languages: Chinese (zh)
Other versions: CN100428689C (en)
Inventors: 郑志彬, 位继伟, 刘淑玲
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNB2005101155744A (CN100428689C)
Priority to CN2006800122727A (CN101160876B)
Priority to EP06791210A (EP1936892A4)
Priority to PCT/CN2006/002628 (WO2007045150A1)
Priority to US11/549,186 (US20070089165A1)
Publication of CN1859178A
Application granted
Publication of CN100428689C
Legal status: Active

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention discloses a network security control method and system. A correspondence between security information and security policy is set in advance; at least two terminal devices collect local security information and report it to the associated server end; the server end comprehensively analyses the security information of the terminal devices to obtain the corresponding security policy, and uses that policy to perform network access control and application service access control on the terminal devices through network access equipment. Compared with the prior art, the security policy so obtained is more reasonable.

Description

Network security control method and system
Technical field
The present invention relates to network security technology, and in particular to a method and system for controlling the security of a wireless data network.
Background art
With the spread of wireless data networks, more and more people use mobile terminal devices to enjoy network services. The security mechanisms in traditional standards such as 3GPP (3rd Generation Partnership Project), WLAN (Wireless Local Area Network) and WiMAX (Worldwide Interoperability for Microwave Access) provide guarantees for user access authentication and for the security of service transmission. However, because of the openness of application service providers and of the IP network itself, and because of their security vulnerabilities, security threats originating at the application layer (such as viruses, hacker attacks and theft of user information) emerge endlessly, and the security mechanisms in the traditional standards are unable to cope with them.
At present, a Correlative Reacting System (CRS) for wireless data networks has been proposed in the ITU-T SG17 group. The system protects the wireless data network from security threats by controlling the access of unsafe mobile terminals (that is, terminals that do not meet the security policy set by the network, for example terminals with security vulnerabilities or infected with a virus). Its essence is that, through security interaction between the mobile terminal and the network side, the network access of the mobile terminal is controlled and the application service access of the mobile terminal is restricted, thereby giving the network the ability to resist viruses, network attacks and other security threats.
Figure 1 is a schematic diagram of the networking structure of the prior-art correlative reacting system. The system mainly comprises a security agent module on the mobile terminal side, a security policy server on the network side, and network access equipment (such as a network access controller and an application service access controller) associated with the security policy server.
The security agent module and the security policy server form the core of the correlative reacting system. The security agent module collects security configuration information from the mobile terminal, such as system security configuration information and application security configuration information, pre-processes and organises this information, and reports it to the security policy server. At the same time, the security agent module receives security update commands and instructions from the security policy server: on the one hand it reports the security information of the mobile terminal to the user, and on the other hand it submits the information the mobile terminal needs and cooperates in repairing an unsafe mobile terminal. The security policy server controls the network access and application service access of the mobile terminal according to a security policy customised in advance, and cooperates with the associated network devices to assist the mobile terminal in performing security updates.
The security agent module and the security policy server exchange information through a linkage protocol. The security policy server obtains the security configuration information of the mobile terminal from the security agent module and applies the corresponding security policy to the mobile terminal according to that information. The security policy mainly comprises a network access control policy and an application service access control policy.
The network access control policy means that the security policy server, in linkage with the network access controller, uses technical means such as flow control, access restriction and QoS (Quality of Service) reconfiguration to restrict the total data flow of the mobile terminal's connection to the network, so as to prevent an unsafe mobile terminal from occupying network resources unreasonably and to stop malicious viruses from spreading in the network. For unsafe service provider access from an external ASP (Application Service Provider), the security policy server can also provide network-layer traffic shielding in linkage with the network access controller (for example a network border gateway).
The application service control policy means that the security policy server, in linkage with the application service access controller, performs application-layer service access control on the mobile terminal. Application service access control mainly restricts the services available to the mobile terminal, ensuring that the mobile terminal and the system run only the necessary services. The method of implementing service access control should differ according to the type of security service. To conserve network resources, the security agent module on the terminal side cooperates with the mobile terminal to ensure that the terminal user cannot initiate a prohibited service.
A security policy is the sum of the precautionary measures that the correlative reacting system defines against various specific security threats according to the overall security requirements of the network. When the prior-art correlative reacting system customises a security policy, it provides the corresponding security service for a terminal device according to the security configuration information of that single terminal device only (such as system security configuration information, application security configuration information, and intrinsic information of the terminal device such as the vulnerability database and virus database versions); it does not take the security configuration information of multiple terminal devices in the network into account when customising the policy, nor does it consider the security event information of the terminal devices (such as virus event information, attack event information and illegal scan event information). Because the amount of security configuration information from a single mobile terminal is limited and comes from a single source, the accuracy and reasonableness of the network access control and application service access restrictions that the prior art applies to a terminal device, according to a policy customised from a single mobile terminal's security configuration information, still leave something to be desired.
Summary of the invention
The present invention provides a network security control method and system, in order to solve the problem that the prior art applies network access control and application service access restrictions to a terminal device according to a security policy customised from the security configuration information of a single mobile terminal, so that the accuracy and reasonableness of the policy are relatively poor.
The technical solution of the present invention comprises:
A network security control method, comprising the steps of:
A. setting, at the server end, the correspondence between security information and security policy;
B. at least two terminal devices collecting local security information and reporting it to the server end;
C. the server end comprehensively analysing the security information reported by the terminal devices to obtain the corresponding security policy, and using that policy to perform network access control and/or application service access control on the terminal devices through network access equipment.
Step C further comprises:
the server end sending the security information reported by the terminal devices to security devices in the network, and the security devices performing the corresponding security response according to the received security information, so as to protect the network.
The security information comprises security configuration information and/or security event information.
The security configuration information comprises system security configuration information and application security configuration information.
When the security information collected by the terminal device comprises security event information, the terminal device filters the collected security event information according to predefined filtering rules and reports the security event information remaining after filtering to the server end.
The security event information comprises virus event information, attack event information and illegal scan information.
The server end receives the security information reported by the terminal devices in interrupt mode or in polling mode.
A network security control system, comprising at least two terminal devices, network access equipment connected to them, and a security policy server connected to the network access equipment, and further comprising:
a security agent module, arranged on the terminal device side, for collecting the security information of the terminal device and reporting it to the security policy server;
the security policy server being used to set the correspondence between security information and security policy, to receive and comprehensively analyse the security information reported by the security agent modules, to obtain the corresponding security policy, and to use that policy to perform network access control and/or application service access control on the terminal devices through the network access equipment.
The system further comprises:
security devices, connected to the security policy server, for obtaining security information from the security policy server and performing the corresponding security response, so as to protect the network.
The security agent module comprises:
a configuration information acquisition submodule, for collecting the security configuration information of the terminal device and sending it to the security policy server.
The security configuration information comprises system security configuration information and application security configuration information.
The security agent module comprises:
an event information acquisition submodule, for collecting and sending the security event information of the terminal device;
an event information filtering submodule, connected to the event information acquisition submodule, for filtering the collected security event information according to predefined filtering rules and sending the security event information remaining after filtering to the security policy server.
The security event information comprises virus event information, attack event information and illegal scan information.
The security policy server receives the security information sent by the security agent module in interrupt mode or in polling mode.
The security agent module is a functional module arranged in the terminal device, or an independent functional entity in the system.
The beneficial effects of the present invention are as follows:
The present invention sets the correspondence between security information and security policy at the server end in advance; at least two terminal devices collect local security information and report it to the associated server end; the server end comprehensively analyses the security information of the terminal devices to obtain the corresponding security policy, and uses that policy to perform network access control and application service access control on the terminal devices through the network access equipment. Because the security policy is customised by comprehensively analysing the security information reported by multiple terminal devices, it is more reasonable than that of the prior art.
Further, in addition to security configuration information, the security information collected by the terminal devices of the present invention may also comprise security event information, so that the server end can obtain more useful information from each terminal device and can therefore make a more accurate and reasonable security policy.
Brief description of the drawings
Fig. 1 is a schematic diagram of the networking structure of the prior-art correlative reacting system;
Fig. 2 is a schematic diagram of the networking structure of embodiment one of the present invention;
Fig. 3 is a flow chart of network security control in embodiment one of the present invention;
Fig. 4 is a schematic diagram of the networking structure of embodiment two of the present invention;
Fig. 5 is a flow chart of network security control in embodiment two of the present invention;
Fig. 6 is a schematic diagram of the networking structure of embodiment three of the present invention;
Fig. 7 is a flow chart of network security control in embodiment three of the present invention;
Fig. 8 is a schematic diagram of the networking structure of embodiment four of the present invention;
Fig. 9 is a flow chart of network security control in embodiment four of the present invention;
Fig. 10 is a schematic diagram of the networking structure of embodiment five of the present invention;
Fig. 11 is a flow chart of network security control in embodiment five of the present invention;
Fig. 12 is a schematic diagram of the networking structure of embodiment six of the present invention;
Fig. 13 is a flow chart of network security control in embodiment six of the present invention.
Embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is further elaborated below in conjunction with the drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present invention and are not intended to limit it.
Embodiment one:
Figure 2 is a schematic diagram of the networking structure of embodiment one of the present invention. As can be seen from the figure, it mainly comprises a security agent module arranged on the terminal device side, and a security policy server arranged on the network side and connected to the terminal device through network access equipment.
The security agent module may be a functional module arranged in the terminal device, or an independent functional entity in the system. The security agent module comprises a configuration information acquisition submodule for collecting the security configuration information of the terminal device.
The security policy server stores a correspondence, customised in advance, between security configuration information and security policy; the security policy is customised by taking the security configuration information of multiple terminal devices in the network into account together. The security policy server receives the security configuration information sent by the security agent modules in interrupt mode or in polling mode, determines the matching security policy by comprehensively analysing and judging the security configuration information reported by at least two terminal devices, and uses that policy to perform network access control and/or application service access control on the terminal devices through the network access equipment.
Fig. 3 is a flow chart of network security control in embodiment one of the present invention. As can be seen from the figure, the main implementation process is as follows:
Step S10: the correspondence between security configuration information and security policy is set on the security policy server.
For example: if the security policy server finds that a number of terminal devices greater than or equal to a set number have reported tampered security configuration information, and the tampering was caused by an illegal scan event against the terminal devices, then other terminals in the network are suffering the same illegal scan event. The security policy set on the security policy server is then: provide all terminal devices in the network with the operating system patch for this illegal scan event, and at the same time block the terminal devices whose security configuration information has been tampered with, requiring them to install the security patch before they may access the network.
Step S11: the security configuration information of the terminal device is collected.
The configuration information acquisition submodule in the security agent module arranged on the terminal device side collects the security configuration information of the terminal device, mainly comprising system configuration information and application configuration information, using the communication interfaces between the submodule and the terminal device's operating system and conventional application software.
Step S12: the security policy server receives, in interrupt mode or in polling mode, the security configuration information sent by at least two terminal devices.
Step S13: the security policy server comprehensively analyses the received security configuration information of the multiple terminal devices and determines the corresponding security policy according to the correspondence between security configuration information and security policy set in step S10. The security policy comprises a network access policy and/or an application service access policy.
The network access policy comprises the following aspects:
Rate limiting: the uplink/downlink traffic of the unsafe terminal device is limited to within a certain predetermined value;
Blocking: the unsafe terminal device is blocked outright and forbidden to access the network;
Redirection: the network access equipment redirects particular traffic of the unsafe terminal device to other dedicated network security devices for further processing. For example, so as not to affect the terminal device's normal Internet use, all uplink traffic of the terminal device is redirected to an anti-virus gateway, which removes the packets showing that the terminal device has been infected by a worm virus and then forwards the user's normal packets.
The application service access policy restricts or prohibits the services available to the mobile terminal.
Step S14: the security policy server uses the security policy so made to perform network access control and/or application service access control on the terminal devices through the network access equipment.
In this embodiment, the security policy customised in the security policy server is obtained by comprehensively analysing the security configuration information reported by multiple terminal devices; compared with the prior art, the security policy customised in this embodiment is therefore more reasonable.
Embodiment two:
Figure 4 is a schematic diagram of the networking structure of embodiment two of the present invention. As can be seen from the figure, compared with embodiment one, this embodiment adds security devices connected to the security policy server on the network side.
Compared with embodiment one, the security policy server in this embodiment can send the security event information reported by the terminal devices to the security devices in the network, such as a firewall, an intrusion detection device or an operation and maintenance centre. These security devices perform the corresponding security response according to the received security information, by means such as network traffic filtering, application protocol analysis or security event early warning, so as to protect the mobile network.
In this embodiment the security devices protect the mobile network by controlling the router.
Fig. 5 is a flow chart of network security control in embodiment two of the present invention. As can be seen from the figure, the main implementation process is as follows:
Steps S20 to S22 are identical to steps S10 to S12 above.
After step S22, the security policy server executes step S23 and step S24 respectively.
Step S23: the security policy server comprehensively analyses the received security configuration information of the multiple terminal devices and determines the corresponding security policy according to the correspondence between security configuration information and security policy set in step S20. The security policy comprises a network access policy and/or an application service access policy. Go to step S25.
Step S24: the security policy server sends the security configuration information reported by the terminal devices to the security devices in the network, such as a firewall, an intrusion detection device or an operation and maintenance centre. Go to step S26.
Step S25: the security policy server uses the security policy so made to perform network access control and/or application service access control on the terminal devices through the network access equipment.
Step S26: the security devices in the network perform the corresponding security response according to the received security configuration information, by means such as network traffic filtering, application protocol analysis or security event early warning, and protect the mobile network.
Compared with embodiment one, this embodiment adds security devices on the network side. These security devices can receive the security configuration information sent by the security policy server and perform the corresponding security response according to it, by means such as network traffic filtering, application protocol analysis or security event early warning, so the mobile network can be protected more effectively.
Embodiment three:
Figure 6 is a schematic diagram of the networking structure of embodiment three of the present invention. As can be seen from the figure, it mainly comprises a security agent module arranged on the terminal device side, and a security policy server arranged on the network side and connected to the terminal device through network access equipment.
The security agent module comprises an event information acquisition submodule, an event information filtering submodule and a configuration information acquisition submodule. The event information acquisition submodule collects the security event information of the terminal device; the event information filtering submodule, connected to the event information acquisition submodule, filters the collected security event information according to predefined filtering rules and sends the security event information remaining after filtering to the security policy server through the network access equipment; the configuration information acquisition submodule collects the security configuration information of the terminal device and sends it to the security policy server.
The security policy server stores a correspondence, customised in advance, between security event information and security policy. The security policy server receives the security event information and security configuration information sent by the security agent modules in interrupt mode or in polling mode, determines the matching security policy by comprehensively analysing and judging the security event information and security configuration information reported by at least two terminal devices, and uses that policy to perform network access control and application service access control on the terminal devices through the network access equipment.
Figure 7 is a flow chart of network security control in embodiment three. As can be seen from the figure, the main implementation process is as follows:
Step S30: the correspondence between the terminal's security configuration information and security event information on the one hand, and security policy on the other, is set on the security policy server.
For example: if the security policy server receives the same or similar security event information (such as a virus event or an illegal scan event) from a number of terminal devices greater than or equal to a set number, then, because multiple terminal devices suffering the same or similar security event may paralyse the network, the security policy set is: block the terminal devices that reported the security event information, and at the same time check the security configuration information reported by those terminal devices and perform a security update on those that report not having installed the security patch for the security event in question.
Step S31: the security configuration information and security event information of the terminal device are collected.
The configuration information acquisition submodule in the security agent module arranged on the terminal device side collects the security configuration information of the terminal device, mainly comprising system configuration information and application configuration information, using the communication interfaces between the submodule and the terminal device's operating system and conventional application software;
The event information acquisition submodule in the security agent module collects the security event information of the terminal device, mainly comprising virus events, attack events and illegal scan events, using the communication interfaces between the submodule and the security application software on the terminal device (such as firewall software, anti-virus software, vulnerability scanning software and intrusion detection software).
Step S32: the event information filtering submodule in the security agent module filters the collected security event information according to predefined filtering rules and sends the key security event information remaining after filtering to the security policy server through the network access equipment; the configuration information acquisition submodule sends the security configuration information to the security policy server.
Because a terminal device generates a large number of security events, the amount of information transmitted would be very large without filtering. An event information filtering submodule should therefore be provided in the security agent module to filter the collected security event information according to predefined filtering rules, so as to form key security event information that is important and small in transmitted volume. For example, for illegal scan event information a threshold on the number of scanned ports is set: if the number of scanned ports is greater than 5, the scan is considered a key security event. This is one filtering rule; different filtering rules can be set for different security application software.
Step S33: the security policy server receives, in interrupt mode or in polling mode, the key security event information sent by the event information filtering submodule and the security configuration information sent by the configuration information acquisition submodule.
Step S34: the security policy server comprehensively analyses the received security configuration information and security event information of the multiple terminal devices and determines the corresponding security policy according to the correspondence between security configuration information and security event information and security policy set in step S30. The security policy comprises a network access policy and/or an application service access policy.
Step S35: the security policy server uses the security policy so made to perform network access control and/or application service access control on the terminal devices through the network access equipment.
In this embodiment the terminal devices provide both key security event information and security configuration information to the security policy server. Compared with embodiment one, the security policy server can obtain more useful information from each terminal device and can therefore make a more accurate and reasonable security policy.
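The agent-side filtering rule of step S32 (scans touching more than 5 ports are key events) and the two server-side correlation rules given as examples under steps S10 and S30, as an added Python simulation that is not code from the patent. The minimum terminal count of 2, the report field names, the patch identifiers and the sample reports are assumptions constructed for the example.

```python
from collections import Counter

# Thresholds. "More than 5 scanned ports" is the page's example filtering
# rule; the minimum number of terminals (2) is an assumed "set number".
SCAN_PORT_THRESHOLD = 5
MIN_TERMINALS = 2


def filter_events(raw_events):
    """Event information filtering submodule (agent side, step S32).

    Keeps only key security events: an illegal scan counts as key only when
    it touched more than SCAN_PORT_THRESHOLD ports. Virus and attack events
    are forwarded unchanged (an assumption; the page gives no rule for them).
    """
    kept = []
    for ev in raw_events:
        if ev["type"] == "scan":
            if ev.get("ports", 0) > SCAN_PORT_THRESHOLD:
                kept.append(ev)
        elif ev["type"] in ("virus", "attack"):
            kept.append(ev)
    return kept


class PolicyServer:
    """Security policy server holding the pre-set correspondence between
    security information and security policy (steps S10/S30) and analysing
    the reports of several terminals together (steps S13/S34)."""

    def __init__(self, patch_for_event):
        # Correspondence table: event name -> identifier of the patch that
        # closes it. Constructed for the example, not taken from the patent.
        self.patch_for_event = patch_for_event

    def decide(self, reports):
        """Comprehensive analysis of reports from at least two terminals.

        reports: list of {"terminal", "config", "events"}; "events" has
        already passed filter_events on the agent. Returns a dict mapping
        "network" and each terminal id to a list of policy actions.
        """
        decision = {"network": []}

        # Rule from embodiment one: tampered configuration on >= N terminals,
        # caused by the same illegal scan, means the whole network is exposed,
        # so the OS patch for that scan is pushed to every terminal.
        tampered = [r for r in reports if r["config"].get("tampered_by")]
        network_wide = len(tampered) >= MIN_TERMINALS
        if network_wide:
            for scan in sorted({r["config"]["tampered_by"] for r in tampered}):
                decision["network"].append(f"push_patch:{self.patch_for_event[scan]}")

        # Rule from embodiment three: the same key event reported by >= N
        # terminals. Count reporting terminals, not raw events.
        count = Counter()
        for r in reports:
            for name in {e["name"] for e in r["events"]}:
                count[name] += 1
        widespread = {name for name, n in count.items() if n >= MIN_TERMINALS}

        for r in reports:
            actions = []
            needed = set()
            was_tampered = network_wide and bool(r["config"].get("tampered_by"))
            if was_tampered:
                needed.add(self.patch_for_event[r["config"]["tampered_by"]])
            hits = {e["name"] for e in r["events"]} & widespread
            needed |= {self.patch_for_event[n] for n in hits if n in self.patch_for_event}
            if hits or was_tampered:
                actions.append("block")  # network access policy: blocking
                installed = set(r["config"].get("patches", ()))
                for patch in sorted(needed - installed):
                    actions.append(f"security_update:{patch}")
            decision[r["terminal"]] = actions
        return decision


def demo():
    """Run both rules over constructed sample reports (not patent data)."""
    raw = {
        "t1": {"config": {"patches": ["OS-PATCH-1"], "tampered_by": "scan-X"},
               "events": [{"type": "scan", "name": "scan-X", "ports": 12},
                          {"type": "scan", "name": "scan-Y", "ports": 3}]},
        "t2": {"config": {"patches": [], "tampered_by": "scan-X"},
               "events": [{"type": "scan", "name": "scan-X", "ports": 40}]},
        "t3": {"config": {"patches": ["OS-PATCH-1"]},
               "events": [{"type": "virus", "name": "worm-Z"}]},
    }
    # Each agent filters locally before reporting (step S32).
    reports = [{"terminal": t, "config": d["config"],
                "events": filter_events(d["events"])} for t, d in raw.items()]
    server = PolicyServer({"scan-X": "OS-PATCH-1", "worm-Z": "AV-SIG-7"})
    return server.decide(reports)


if __name__ == "__main__":
    for target, actions in demo().items():
        print(target, actions or "allow")
```

In the sample run the scan of 3 ports on t1 is dropped by the agent filter, scan-X is seen from two terminals and so triggers both a network-wide patch push and per-terminal blocking, while the single worm-Z report on t3 stays below the terminal threshold and produces no action.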
Embodiment four:
Figure 8 is a schematic diagram of the networking structure of embodiment four of the invention. As can be seen from the figure, compared with embodiment three, this embodiment adds security devices connected to the security policy server on the network side.
Compared with embodiment three, the security policy server in this embodiment can send the security configuration information and security event information reported by the terminal devices to the security devices in the network, such as firewalls, intrusion detection devices and the operations management center. These security devices make the corresponding security response according to the security information they receive, by means such as network traffic filtering, application protocol analysis or security incident early warning, and so protect the mobile network.
In this embodiment the security devices protect the mobile network by controlling the router.
Fig. 9 is the flow chart of embodiment four of the invention. As can be seen from the figure, the main implementation procedure is as follows:
Steps S40 to S43 are identical to steps S30 to S33 above.
After step S43, the security policy server executes steps S44 and S45 respectively.
Step S44: the security policy server comprehensively analyzes the security configuration information and security event information received from the plurality of terminal devices and, according to the correspondence set in step S40 between security configuration information, security event information and security strategies, determines the matching security strategy; the security strategy includes a network access strategy and/or an application service access strategy. Go to step S46.
Step S45: the security policy server sends the security configuration information and security event information reported by the terminal devices to the security devices in the network, such as firewalls, intrusion detection devices and the operations management center. Go to step S47.
Step S46: the security policy server uses the security strategy it has determined to perform network access control and/or application service access control on the terminal devices through the network access equipment.
Step S47: the security devices in the network make the corresponding security response according to the received security configuration information and security event information, by means such as network traffic filtering, application protocol analysis or security incident early warning, and so protect the mobile network.
Compared with embodiment three, this embodiment adds security devices on the network side. These security devices can receive the security configuration information and security event information sent by the security policy server and make the corresponding security response to it, by means such as network traffic filtering, application protocol analysis or security incident early warning, so the mobile network can be protected more effectively.
Embodiment five:
Figure 10 is a schematic diagram of the networking structure of embodiment five of the invention. As can be seen from the figure, it mainly comprises a security agent module arranged on the terminal device side, and a security policy server arranged on the network side and connected to the terminal devices through the network access equipment.
The security agent module may be a functional module arranged in the terminal device, or an independent functional entity in the system. The security agent module comprises an event information acquisition sub-module and an event information filtering sub-module. The event information acquisition sub-module is used to collect the security event information of the terminal device; the event information filtering sub-module is connected to the event information acquisition sub-module and is used to filter the collected security event information according to predefined filtering rules and to send the security event information remaining after filtering to the security policy server through the network access equipment.
The security policy server stores a pre-customized correspondence between security event information and security strategies. The security policy server receives, in interrupt mode or polling mode, the security event information sent by the security agent modules, comprehensively analyzes and evaluates the security event information reported by at least two terminal devices, determines the matching security strategy, and uses this security strategy to perform network access control and application service access control on the terminal devices through the network access equipment.
Figure 11 is the flow chart of network security control in embodiment five of the invention. As can be seen from the figure, the main implementation procedure is as follows:
Step S50: the correspondence between security event information and security strategies is set on the security policy server.
For example: if the security policy server receives the same or similar security event information (such as a virus event or an illegal scan event) from a number of terminal devices greater than or equal to a set number, then, because a plurality of terminal devices suffering the same or similar security incident may paralyze the network, the security strategy is set as follows: when the number of terminal devices reporting the same or similar security incident is greater than or equal to the set number, the terminal devices that reported the security event information are blocked, and at the same time flow control is applied to the other terminal devices in the network.
Step S51: the security event information of the terminal device is collected.
The event information acquisition sub-module of the security agent module arranged on the terminal device side collects the security event information of the terminal device through the communication interfaces to the security application software on the terminal device (such as firewall software, antivirus software, vulnerability scanning software and intrusion detection software); this information mainly comprises virus events, attack events and illegal scan events.
Step S52: the event information filtering sub-module of the security agent module filters the collected security event information according to predefined filtering rules and sends the key security event information remaining after filtering to the security policy server through the network access equipment.
Step S53: the security policy server receives, in interrupt mode or polling mode, the security event information sent by at least two terminal devices.
Step S54: the security policy server comprehensively analyzes the security event information received from the plurality of terminal devices and determines the corresponding security strategy according to the correspondence between security event information and security strategies set in step S50; the security strategy includes a network access strategy and/or an application service access strategy.
Step S55: the security policy server uses the security strategy it has determined to perform network access control and/or application service access control on the terminal devices through the network access equipment.
Embodiment six:
Figure 12 is a schematic diagram of the networking structure of embodiment six of the invention. As can be seen from the figure, compared with embodiment five, this embodiment adds security devices connected to the security policy server on the network side.
Compared with embodiment five, the security policy server in this embodiment can send the security event information reported by the terminal devices to the security devices in the network, such as firewalls, intrusion detection devices and the operations management center. These security devices make the corresponding security response according to the security event information they receive, by means such as network traffic filtering, application protocol analysis or security incident early warning, and so protect the mobile network.
In this embodiment the security devices protect the mobile network by controlling the router.
Figure 13 is the flow chart of network security control in embodiment six of the invention. As can be seen from the figure, the main implementation procedure is as follows:
Steps S60 to S63 are identical to steps S50 to S53 above.
After step S63, the security policy server executes steps S64 and S65 respectively.
Step S64: the security policy server comprehensively analyzes the security event information received from the plurality of terminal devices and determines the corresponding security strategy according to the correspondence between security event information and security strategies set in step S60; the security strategy includes a network access strategy and/or an application service access strategy. Go to step S66.
Step S65: the security policy server sends the security event information reported by the terminal devices to the security devices in the network, such as firewalls, intrusion detection devices and the operations management center. Go to step S67.
Step S66: the security policy server uses the security strategy it has determined to perform network access control and/or application service access control on the terminal devices through the network access equipment.
Step S67: the security devices in the network make the corresponding security response according to the received security event information, by means such as network traffic filtering, application protocol analysis or security incident early warning, and so protect the mobile network.
Compared with embodiment five, this embodiment adds security devices on the network side. These security devices can receive the security event information sent by the security policy server and make the corresponding security response to it, by means such as network traffic filtering, application protocol analysis or security incident early warning, so the mobile network can be protected more effectively.
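The threshold rule of step S50 (embodiment five) and the fan-out to network-side security devices of step S65 (embodiment six), as an added Python simulation that is not code from the patent or from Huawei; the event names, severity values, threshold, device list and sample events are all constructed assumptions:

```python
"""Policy-server simulation for embodiments five and six. Added example, not
code from the patent: event names, severity, threshold, device list and the
sample events are all constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

# The description names virus events, attacks and illegal scans; "same or
# similar" events are grouped into a family so variants count together.
# Assumption: 'heartbeat' is informational and never counted.
EVENT_FAMILY = {
    "virus": "virus", "worm": "virus",
    "port_scan": "illegal_scan", "vuln_scan": "illegal_scan",
    "attack": "attack",
    "heartbeat": None,
}
# Assumption: the network-side security devices that receive the fan-out (S65).
SECURITY_DEVICES = ("firewall", "intrusion_detection", "ops_center")

@dataclass(frozen=True)
class SecurityEvent:
    terminal: str
    kind: str
    severity: int  # 0-10; assumption: assigned by the local security software

def agent_filter(events, min_severity=5):
    """Step S52: the filtering sub-module keeps only key events. Assumed rule:
    drop informational kinds and anything below min_severity."""
    return [e for e in events
            if EVENT_FAMILY.get(e.kind) is not None and e.severity >= min_severity]

@dataclass
class PolicyServer:
    threshold: int            # the "set number" of terminals from step S50
    terminals: frozenset      # every terminal under this server's control
    reporters: dict = field(default_factory=lambda: defaultdict(set))

    def receive(self, event):
        """Step S53: record which terminal reported which event family."""
        fam = EVENT_FAMILY.get(event.kind)
        if fam is not None:
            self.reporters[fam].add(event.terminal)

    def decide(self):
        """Step S54 with the S50 rule: when >= threshold terminals report one
        family, block the reporters and flow-control every other terminal."""
        actions = {t: "allow" for t in self.terminals}
        for who in self.reporters.values():
            if len(who) < self.threshold:
                continue
            for t in self.terminals:
                if t in who:
                    actions[t] = "block"           # block always wins
                elif actions[t] == "allow":
                    actions[t] = "flow_control"
        return actions

    def forward(self):
        """Step S65: fan the reported event information out to every network-side
        security device, which then filters traffic or raises an early warning."""
        return [{"device": d, "family": fam, "terminals": sorted(who)}
                for d in SECURITY_DEVICES
                for fam, who in sorted(self.reporters.items())]

def run_demo():
    """Four constructed terminals; two report the virus family with threshold 2."""
    raw = [
        SecurityEvent("t1", "virus", 8),
        SecurityEvent("t1", "heartbeat", 1),   # informational, filtered out
        SecurityEvent("t2", "worm", 7),        # "similar" to t1's virus event
        SecurityEvent("t2", "virus", 3),       # below the severity floor
        SecurityEvent("t3", "port_scan", 9),   # a single scan reporter
    ]
    server = PolicyServer(threshold=2, terminals=frozenset({"t1", "t2", "t3", "t4"}))
    for ev in agent_filter(raw):
        server.receive(ev)
    return server.decide(), server.forward()
```

Running `run_demo()` blocks t1 and t2 (two reporters of the same family reach the threshold), applies flow control to t3 and t4, and hands the per-family reporter lists to each configured security device.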
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these changes and modifications of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.

Claims (15)

1. A network security control method, characterized in that it comprises the steps of:
A. setting, at the server end, a correspondence between security information and security strategies;
B. at least two terminal devices collecting local security information and reporting it to the server end;
C. the server end comprehensively analyzing the security information reported by the terminal devices to obtain the corresponding security strategy, and using this security strategy to perform network access control and/or application service access control on the terminal devices through the network access equipment.
2. The network security control method according to claim 1, characterized in that
step C further comprises:
the server end sending the security information reported by the terminal devices to the security devices in the network, and the security devices making the corresponding security response according to the security information received, so as to protect the network.
3. The network security control method according to claim 1, characterized in that the security information comprises security configuration information and/or security event information.
4. The network security control method according to claim 3, characterized in that the security configuration information comprises system security configuration information and application security configuration information.
5. The network security control method according to claim 3, characterized in that, when the security information collected by the terminal device comprises security event information, the terminal device filters the collected security event information according to predefined filtering rules and reports the security event information remaining after filtering to the server end.
6. The network security control method according to claim 3, characterized in that the security event information comprises virus event information, attack information and illegal scan information.
7. The network security control method according to claim 1, characterized in that the server end receives the security information reported by the terminal devices in interrupt mode or polling mode.
8. A network security control system comprising at least two terminal devices, network access equipment connected to them, and a security policy server connected to the network access equipment, characterized in that it further comprises:
a security agent module, arranged on the terminal device side, used to collect the security information of the terminal device and report it to the security policy server;
the security policy server being used to set the correspondence between security information and security strategies, to receive and comprehensively analyze the security information reported by the security agent module so as to obtain the corresponding security strategy, and to use this security strategy to perform network access control and/or application service access control on the terminal devices through the network access equipment.
9. The network security control system according to claim 8, characterized in that the system further comprises:
security devices, connected to the security policy server, used to obtain security information from the security policy server and make the corresponding security response, so as to protect the network.
10. The network security control system according to claim 8, characterized in that the security agent module comprises:
a configuration information acquisition sub-module, used to collect the security configuration information of the terminal device and send it to the security policy server.
11. The network security control system according to claim 10, characterized in that the security configuration information comprises system security configuration information and application security configuration information.
12. The network security control system according to claim 8 or 10, characterized in that the security agent module comprises:
an event information acquisition sub-module, used to collect and send the security event information of the terminal device;
an event information filtering sub-module, connected to the event information acquisition sub-module, which filters the collected security event information according to predefined filtering rules and sends the security event information remaining after filtering to the security policy server.
13. The network security control system according to claim 12, characterized in that the security event information comprises virus event information, attack information and illegal scan information.
14. The network security control system according to claim 8, characterized in that the security policy server receives the security information sent by the security agent module in interrupt mode or polling mode.
15. The network security control system according to claim 8, characterized in that the security agent module is a functional module arranged in the terminal device, or an independent functional entity in the system.
CNB2005101155744A 2005-10-15 2005-11-07 Network safety control method and system Active CN100428689C (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
CNB2005101155744A CN100428689C (en) 2005-11-07 2005-11-07 Network safety control method and system
CN2006800122727A CN101160876B (en) 2005-10-15 2006-10-08 Network security control method and system
EP06791210A EP1936892A4 (en) 2005-10-15 2006-10-08 A system for controlling the security of network and a method thereof
PCT/CN2006/002628 WO2007045150A1 (en) 2005-10-15 2006-10-08 A system for controlling the security of network and a method thereof
US11/549,186 US20070089165A1 (en) 2005-10-15 2006-10-13 Method and System for Network Security Control

Publications (2)

Publication Number Publication Date
CN1859178A true CN1859178A (en) 2006-11-08
CN100428689C CN100428689C (en) 2008-10-22

Family

ID=37298044

