Summary of the invention
The technical problem addressed by the present invention is to provide a method, an authentication server and an access switch for isolating an intranet from an extranet, so that the isolation is achieved simply and efficiently and the cost of implementing it is reduced.
To solve the above technical problem, the present invention provides the following solutions.
A method for isolating an intranet from an extranet, in which a terminal is connected to a first port of an access switch, and the access switch is connected to the intranet and, through an egress gateway, to the extranet, comprising the steps of:
S11. The authentication server performs extranet access authentication of the terminal according to an identity authentication request for extranet access that the terminal initiates through the egress gateway;
S12. After the terminal passes the extranet access authentication, the authentication server issues a first policy to the egress gateway and, according to pre-stored association information between the terminal, the access switch and the first port, determines the access switch and the first port corresponding to the terminal and issues a second policy for the first port to that access switch. The first policy instructs the egress gateway to allow the terminal to communicate with the extranet; the second policy instructs the access switch, for packets received on the first port, to forward only those whose destination address is the egress gateway.
In the above method, the following steps are further included after step S12:
S13. The authentication server receives an intranet/extranet access switching request sent by the terminal through the egress gateway;
S14. According to the switching request, the authentication server issues a third policy to the egress gateway, looks up the association information to determine the access switch and the first port corresponding to the terminal, and issues a fourth policy for the first port to that access switch. The third policy instructs the egress gateway to stop the terminal from communicating with the extranet; the fourth policy instructs the access switch to forward all packets received on the first port.
In the above method, the following steps are further included before step S11:
The authentication server receives an identity authentication request for intranet access sent by the terminal through the access switch, together with the identifier of the access switch and the port number of the first port sent by the access switch;
The authentication server performs intranet access authentication of the terminal according to the user name and intranet access password carried in that request, and establishes and stores the association information from the user name of the terminal, the identifier of the access switch and the port number of the first port;
After the terminal passes the intranet access authentication, the authentication server returns to the access switch a first response message indicating that the terminal has passed the intranet access authentication.
In the above method, in step S11 the authentication server further performs the extranet access authentication according to the user name and extranet access password of the terminal carried in the identity authentication request for extranet access.
In the above method, the identity authentication request for intranet access is an 802.1x authentication request, and the identity authentication request for extranet access is a Portal authentication request.
The present invention also provides another method for isolating an intranet from an extranet, in which a terminal is connected to a first port of an access switch, and the access switch is connected to the intranet and, through an egress gateway, to the extranet, comprising the steps of:
S21. While the terminal is accessing the extranet, the access switch forwards, among the packets received on the first port, only those whose destination address is the egress gateway, and the egress gateway allows the terminal to communicate with the extranet;
S22. When the terminal needs to access the intranet, the authentication server receives an intranet/extranet access switching request sent by the terminal through the egress gateway;
S23. According to the switching request, the authentication server issues a third policy to the egress gateway, looks up pre-stored association information between the terminal, the access switch and the first port to determine the access switch and the first port corresponding to the terminal, and issues a fourth policy for the first port to that access switch. The third policy instructs the egress gateway to stop the terminal from communicating with the extranet; the fourth policy instructs the access switch to forward all packets received on the first port.
In the above method, the following steps are further included after step S23:
S24. The authentication server receives an identity authentication request for extranet access initiated by the terminal through the egress gateway, and performs extranet access authentication of the terminal;
S25. After the terminal passes the extranet access authentication, the authentication server issues a first policy to the egress gateway and, according to the association information, determines the access switch and the first port corresponding to the terminal and issues a second policy for the first port to that access switch. The first policy instructs the egress gateway to allow the terminal to communicate with the extranet; the second policy instructs the access switch, for packets received on the first port, to forward only those whose destination address is the egress gateway.
In the above method, in step S24 the authentication server further performs the extranet access authentication according to the user name and extranet access password of the terminal carried in the identity authentication request for extranet access.
Correspondingly, the present invention also provides an authentication server, comprising:
an association information unit, configured to store association information between a terminal in the intranet, the access switch to which that terminal is connected, and the port on that access switch that connects the terminal;
an authentication unit, configured to perform extranet access authentication of a first terminal according to an identity authentication request for extranet access sent by the first terminal through the egress gateway;
a policy issuing unit, configured to, after the first terminal has passed the extranet access authentication performed by the authentication unit, issue a first policy to the egress gateway, determine from the association information the first access switch and the first port corresponding to the first terminal, and issue a second policy for the first port to the first access switch. The first policy instructs the egress gateway to allow the first terminal to communicate with the extranet; the second policy instructs the first access switch, for packets received on the first port, to forward only those whose destination address is the egress gateway.
In the authentication server of the present invention, the policy issuing unit is further configured to receive an intranet/extranet access switching request sent by the first terminal through the egress gateway, to issue a third policy to the egress gateway, and, according to the association information, to issue a fourth policy for the first port to the first access switch corresponding to the first terminal. The third policy instructs the egress gateway to stop the first terminal from communicating with the extranet; the fourth policy instructs the first access switch to forward all packets received on the first port.
In the authentication server of the present invention, the authentication unit is further configured to perform intranet access authentication of the first terminal according to an identity authentication request for intranet access sent by the first terminal through the first access switch and, when that authentication passes, to return to the access switch a first response message indicating that the terminal has passed the intranet access authentication;
the association information unit is further configured to establish and store the association information from the identifier of the first access switch sent by the first access switch, the user name of the first terminal and the port number of the first port.
In the authentication server of the present invention, the authentication unit is further configured to perform the extranet access authentication according to the user name and extranet access password of the terminal carried in the identity authentication request for extranet access, and to perform the intranet access authentication according to the user name and intranet access password of the terminal carried in the identity authentication request for intranet access.
The present invention also provides an access switch, comprising:
a receiving unit, configured to receive a second policy issued by the authentication server for a first port of the access switch, the second policy being a policy for the first port that the authentication server issues to the access switch corresponding to a first terminal, according to pre-stored association information between the first terminal, the access switch and the first port, after the first terminal connected to the first port has passed the extranet access authentication initiated through the egress gateway;
a port control unit, configured to forward, according to the second policy and among the packets received on the first port, only those whose destination address is the egress gateway.
In the access switch of the present invention, the receiving unit is further configured to receive a fourth policy issued by the authentication server for the first port, the fourth policy being a policy for the first port that the authentication server issues, according to the association information, to the access switch corresponding to the first terminal after receiving an intranet/extranet access switching request sent by the first terminal through the egress gateway;
the port control unit is further configured to forward all packets received on the first port according to the fourth policy.
The access switch of the present invention further comprises:
an authentication request unit, configured to receive an identity authentication request for intranet access sent by the first terminal, to send the user name and password information of the terminal to the authentication server so as to request intranet access authentication of the first terminal, and to send the identifier of the access switch and the port number of the first port to the authentication server;
the port control unit is further configured to open the first port according to the first response message returned by the authentication server indicating that the first terminal has passed the intranet access authentication.
As can be seen from the above, in the method, authentication server and access switch for isolating an intranet from an extranet provided by the present invention, the authentication server uses pre-stored association information to issue, to the access switch corresponding to a terminal, the policies that control that terminal's access to the intranet and the extranet, and thereby isolates intranet access from extranet access. Compared with the prior art, the present invention achieves this isolation by a smooth upgrade of the existing network. It does not require two network interface cards and dual-NIC isolation software to be installed on the terminal, which reduces equipment cost. Its network topology is simple, its management and maintenance burden is low, and it is easy to expand.
Embodiment
An access switch is connected to a terminal through one of its own ports, and every packet with which the terminal accesses the intranet or the extranet must pass through that port. The present invention does not require two network interface cards and dual-NIC isolation software on the terminal; instead, the authentication server controls how packets on that port are forwarded, and thereby isolates the intranet from the extranet. The present invention is further described below through specific embodiments with reference to the accompanying drawings.
<Embodiment 1>
Fig. 2 is a schematic diagram of the environment in which the method for isolating an intranet from an extranet of this embodiment is applied. In Fig. 2, the terminal is connected to the intranet through an access switch; specifically, the terminal is connected to one port of that access switch. The access switch is also connected to the Internet through an egress gateway. An aggregation switch may be placed between the access switch and the egress gateway, and an authentication server is connected to this aggregation switch. The authentication server may be a Remote Authentication Dial-In User Service (RADIUS) server or a Terminal Access Controller Access Control System (TACACS) server. This embodiment takes a RADIUS server as the example; an authentication server based on another protocol works on the same principle. To protect the authentication server, terminals in the intranet do not know its address; the access switch and the egress gateway are configured with the information needed to reach it. Communication between a terminal and the authentication server is therefore usually carried out by the access switch or the egress gateway relaying the relevant messages.
In this embodiment, after the terminal starts up and passes the intranet access authentication, it can access the intranet. The intranet access authentication in this embodiment uses IEEE 802.1x. The 802.1x protocol is a port-based LAN access control and authentication technique that prevents unauthorized users from accessing the intranet. Before the terminal passes authentication, the port on the access switch to which it is connected remains closed, and 802.1x allows only the user's 802.1x authentication messages through that port; after authentication passes, the port is opened and the terminal's normal data packets can pass through it. 802.1x-based authentication uses Extensible Authentication Protocol over LAN (EAPoL) between the terminal and the access switch to carry the authentication information, and the RADIUS or TACACS protocol between the access switch and the authentication server.
As shown in Fig. 3, in this embodiment the procedure by which the terminal accesses the intranet after startup comprises the following steps:
Step 31. After the terminal starts up, it sends an 802.1x authentication request to the access switch.
Step 32. After receiving the 802.1x authentication request, the access switch requests the RADIUS server to authenticate the user's identity, and sends to the RADIUS server its own identifier (ID) and information about the port on which the terminal is connected (for example, the port number).
Step 33. The RADIUS server performs intranet access authentication of the terminal according to the user name, intranet access password and other information sent by the access switch, and returns a response message indicating whether the terminal has passed authentication. At the same time it records the ID and port number of the access switch and stores the association between that ID, the port number and the terminal (for example, the user name of the terminal).
An intranet access permission table may be kept on the RADIUS server. It contains an entry for each terminal permitted to access the intranet, each entry holding a terminal user name and the intranet access password corresponding to that user name. During the intranet access authentication, whether authentication passes is decided by searching the intranet access permission table for an entry that exactly matches the user name and password sent by the access switch.
Step 34. The access switch receives the response message from the RADIUS server and determines from it whether the terminal has passed authentication: if authentication succeeded it opens the port connecting the terminal, otherwise it keeps that port closed. It then returns an 802.1x authentication response to the terminal to inform it whether authentication succeeded.
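The request of step 32 and the server-side decision of step 33, as an added example that is not part of the original description: the access switch (the RADIUS NAS) carries the user name and password together with its own identifier and the port number in the standard RFC 2865 attributes User-Name (1), User-Password (2), NAS-Identifier (32) and NAS-Port (5); the server validates the framing, recovers the password, compares it with the intranet access permission table and, on success, returns the (user name, switch ID, port number) association to be stored. The shared secret, the user name alice, the switch identifier sw-3f-01 and port 12 are assumed values. A real 802.1x deployment relays EAP in EAP-Message attributes rather than the PAP-style User-Password used here; the packet framing and the association fields the server extracts are the same.

```python
import hashlib
import os
import struct

# RFC 2865 packet code and attribute types used by the access switch (NAS).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_PORT = 5
ATTR_NAS_IDENTIFIER = 32


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes and XOR
    each 16-byte block with MD5(secret + previous ciphertext block), where the
    first 'previous block' is the 16-byte Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. Trailing NUL padding is stripped, so the
    scheme cannot carry a password that itself ends in NUL bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_id: str, nas_port: int, authenticator: bytes = b"") -> bytes:
    """The request of step 32: credentials plus the switch ID and port number.
    A caller may fix the Request Authenticator to make the packet reproducible."""
    ra = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id.encode())
             + _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Server side: validate the framing, walk the TLVs, recover the password."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("bad code or length field")
    ra, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 3 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    for needed in (ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER, ATTR_NAS_PORT):
        if needed not in attrs:
            raise ValueError("missing attribute %d" % needed)
    return {
        "identifier": ident,
        "username": attrs[ATTR_USER_NAME].decode(),
        "password": reveal_password(attrs[ATTR_USER_PASSWORD], secret, ra).decode(errors="replace"),
        "nas_id": attrs[ATTR_NAS_IDENTIFIER].decode(),
        "nas_port": struct.unpack("!I", attrs[ATTR_NAS_PORT])[0],
    }


def association_from_request(packet: bytes, secret: bytes, intranet_table: dict):
    """Step 33: compare against the intranet access permission table and, on a
    match, return the (user name, switch ID, port number) association to store;
    None means the terminal failed authentication and nothing is stored."""
    req = parse_access_request(packet, secret)
    if intranet_table.get(req["username"]) != req["password"]:
        return None
    return (req["username"], req["nas_id"], req["nas_port"])
```

Two practical points follow from the code: the User-Password hiding is only as strong as the shared secret between switch and server, which is why a wrong secret yields a garbled password and a failed lookup rather than a crash, and the association the server stores is exactly the triple the page describes, so the NAS-Identifier and NAS-Port values must be unique and stable per port for the later policy push to reach the right port.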
After the terminal has passed authentication, it can access intranet resources through the access switch. To prevent the terminal from also communicating with the extranet while it accesses the intranet, the egress gateway can block traffic between the terminal and the extranet. For example, the default handling configured on the egress gateway for a newly started terminal is to drop all of its packets, so that it cannot reach the extranet; only after the egress gateway has been set to permit the terminal's packets can the terminal communicate with the extranet. Through the above steps, therefore, the terminal cannot access the extranet while it accesses the intranet. Alternatively, in step 33, after the terminal passes authentication the RADIUS server can issue a policy to the egress firewall instructing it to block the terminal's extranet traffic, and the egress firewall then drops all packets from the terminal to the extranet according to that policy. In the above scheme the access switch forwards the packets received on the port while the egress gateway blocks communication between the terminal and the extranet, so the terminal can access the intranet but not the extranet, and the two networks are isolated.
Because the access switch sends the authentication server, during the 802.1x authentication, the identity of the terminal and the information about the port connecting it, the authentication server can establish and store from this information the association between the terminal, the access switch to which it is connected and the port on that access switch that connects it. The authentication server can then use this association to issue a policy for the corresponding port to the corresponding access switch and so control packet forwarding on that port, as described below.
In this embodiment, the terminal can access the intranet through the above steps but cannot access the extranet. When the terminal needs to access the extranet, it must pass the extranet access authentication; in this embodiment the extranet access authentication uses Portal authentication, with the egress gateway acting as the Portal gateway. The terminal initiates Portal authentication towards the egress gateway. If authentication passes, the egress firewall is set to allow the terminal to access the extranet, and at the same time the authentication server dynamically downloads an Access Control List (ACL) policy to the access switch corresponding to the terminal, requiring that packets sent by the terminal may only reach the egress firewall and that all other packets are dropped; this ensures that the terminal cannot access the intranet while it accesses the extranet. As shown in Fig. 4, when the terminal needs to access the extranet, the method of this embodiment comprises the following steps for switching the terminal from intranet access to extranet access:
Step 41. When the terminal needs to access the extranet, it sends a Portal authentication request to the egress gateway. Usually the user initiates the Portal authentication request by entering a user name and extranet access password in a web page on the terminal.
Step 42. After receiving the Portal authentication request, the egress gateway requests the RADIUS server to authenticate the user's identity.
Step 43. The RADIUS server authenticates the terminal according to the user name and extranet access password sent by the egress gateway. If the terminal passes authentication, the RADIUS server issues to the egress gateway a first policy instructing it to allow the terminal to access the extranet; at the same time it looks up the pre-stored association by the terminal's user name, determines the ID of the access switch and the port corresponding to the terminal, and issues a first ACL policy for that port to that access switch.
An extranet access permission table may also be kept on the RADIUS server. It contains an entry for each terminal permitted to access the extranet, each entry holding a terminal user name and the extranet access password corresponding to that user name. During the extranet access authentication, whether authentication passes is decided by searching the extranet access permission table for an entry that exactly matches the user name and password sent by the egress gateway. For the same user name, the intranet access password and the extranet access password may be identical or different. When they differ, different users of the same terminal can be given different access rights: for example, a user who knows only the intranet access password of a terminal cannot pass the extranet access authentication and therefore cannot access the extranet through that terminal.
Step 44. After receiving the first policy, the egress gateway allows the terminal to communicate with the extranet. After receiving the first ACL policy, the access switch enables it on the corresponding port; the first ACL policy requires the access switch to drop every packet entering that port except packets whose destination IP address is the egress gateway.
Through the above steps, the packets with which the terminal accesses the extranet are forwarded by the access switch to the egress gateway and then sent by the egress gateway to the extranet, so the terminal can access the extranet normally; packets with which the terminal attempts to access the intranet are dropped at the access switch, so the terminal is prevented from accessing the intranet while it accesses the extranet.
When the terminal can access the extranet and wants to access the intranet again, it must first be disconnected from the extranet before it is allowed to access the intranet. As shown in Fig. 5, the method of this embodiment further comprises the following steps when the terminal switches back to intranet access:
Step 51. When the terminal needs to restore intranet access, it sends an intranet/extranet access switching request to the egress gateway. Specifically, this may be an interrupt-Portal request, which asks to end the extranet access and switch back to requesting intranet access.
Step 52. After receiving the interrupt-Portal request, the egress gateway notifies the RADIUS server of the request.
Step 53. After receiving the terminal's interrupt-Portal request from the egress gateway, the RADIUS server returns a response message to the egress gateway; at the same time it looks up the association by the terminal's user name, determines the access switch ID and port corresponding to the terminal, and issues a second ACL policy for that port to that access switch.
Step 54. After receiving the response message, the egress gateway stops the terminal from communicating with the extranet. The access switch receives the second ACL policy issued by the RADIUS server and enables it; the second ACL policy deletes the first ACL policy previously enabled on that port, so that the access switch resumes normal forwarding of the packets entering that port.
Through the above steps, the terminal can again access the intranet normally, while packets with which it attempts to access the extranet are dropped by the egress gateway, so the terminal is prevented from accessing the extranet while it accesses the intranet.
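The three procedures above (steps 31 to 34, 41 to 44 and 51 to 54) as one executable model, added here as an example and not part of the original description: the authentication server keeps the two permission tables and the terminal/switch/port association, the access switch port is closed until 802.1x passes and later restricted by the destination-only ACL of step 44, and the egress gateway drops a terminal's extranet traffic until it holds the first policy. The addresses 10.0.0.1 (egress gateway) and 10.20.0.5 (an intranet host), the user name alice, the switch identifier sw-3f-01 and port 12 are assumed values. One check is added beyond the text: the server refuses the Portal authentication of a terminal for which it holds no association, because without it the port could not be restricted and opening the gateway alone would leave both networks reachable.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GATEWAY_IP = "10.0.0.1"        # assumed address of the egress gateway
INTRANET_HOST = "10.20.0.5"    # assumed address of some intranet server


@dataclass
class AccessPort:
    """The port on the access switch that connects the terminal."""
    switch_id: str
    port: int
    authorized: bool = False            # opened by the 802.1x result (step 34)
    egress_only: Optional[str] = None   # gateway IP while the first ACL is enabled (step 44)

    def forwards(self, dst_ip: str) -> bool:
        """Whether a packet entering this port with destination dst_ip is forwarded."""
        if not self.authorized:
            return False                # closed port: only 802.1x frames would pass
        return self.egress_only is None or dst_ip == self.egress_only


@dataclass
class EgressGateway:
    ip: str
    allowed: set = field(default_factory=set)   # terminals holding the 'allow' policy

    def forwards(self, username: str) -> bool:
        """Default handling drops a terminal's extranet traffic until it is allowed."""
        return username in self.allowed


class AuthServer:
    """RADIUS-side logic: two permission tables and the terminal/switch/port association."""

    def __init__(self, intranet_table: Dict[str, str], extranet_table: Dict[str, str]):
        self.intranet_table = intranet_table
        self.extranet_table = extranet_table
        self.association: Dict[str, Tuple[str, int]] = {}

    def authenticate_intranet(self, user: str, password: str, switch_id: str, port: int) -> bool:
        # Step 33: exact match in the intranet table, then record where the terminal sits.
        if self.intranet_table.get(user) != password:
            return False
        self.association[user] = (switch_id, port)
        return True

    def authenticate_extranet(self, user: str, password: str) -> Optional[dict]:
        # Step 43: first policy for the gateway, first ACL policy for the associated port.
        # Added check: with no association the port could not be restricted, so the
        # gateway is not opened either.
        if self.extranet_table.get(user) != password or user not in self.association:
            return None
        switch_id, port = self.association[user]
        return {"gateway": ("allow", user), "port": (switch_id, port, "egress_only")}

    def switch_back(self, user: str) -> Optional[dict]:
        # Step 53: the gateway stops the terminal and the second ACL policy removes the first.
        if user not in self.association:
            return None
        switch_id, port = self.association[user]
        return {"gateway": ("stop", user), "port": (switch_id, port, "restore")}


class Network:
    """Applies issued policies to the gateway and to the addressed switch port."""

    def __init__(self, gateway: EgressGateway, ports: List[AccessPort]):
        self.gateway = gateway
        self.ports = {(p.switch_id, p.port): p for p in ports}

    def apply(self, policies: dict) -> None:
        action, user = policies["gateway"]
        if action == "allow":
            self.gateway.allowed.add(user)
        else:
            self.gateway.allowed.discard(user)
        switch_id, port, acl = policies["port"]
        self.ports[(switch_id, port)].egress_only = self.gateway.ip if acl == "egress_only" else None

    def reachability(self, user: str, switch_id: str, port: int) -> Tuple[bool, bool, bool]:
        """(intranet host reachable, gateway reachable, extranet allowed at the gateway)."""
        p = self.ports[(switch_id, port)]
        return p.forwards(INTRANET_HOST), p.forwards(self.gateway.ip), self.gateway.forwards(user)


def run_scenario() -> List[Tuple[bool, bool, bool]]:
    """Walks one terminal through start-up, 802.1x, Portal and the switch back."""
    server = AuthServer({"alice": "intranet-pw"}, {"alice": "extranet-pw"})
    port = AccessPort("sw-3f-01", 12)
    net = Network(EgressGateway(GATEWAY_IP), [port])
    states = [net.reachability("alice", "sw-3f-01", 12)]             # port still closed
    if server.authenticate_intranet("alice", "intranet-pw", "sw-3f-01", 12):
        port.authorized = True                                       # step 34: open the port
    states.append(net.reachability("alice", "sw-3f-01", 12))         # intranet only
    net.apply(server.authenticate_extranet("alice", "extranet-pw"))  # steps 43 and 44
    states.append(net.reachability("alice", "sw-3f-01", 12))         # extranet only
    net.apply(server.switch_back("alice"))                           # steps 53 and 54
    states.append(net.reachability("alice", "sw-3f-01", 12))         # intranet only again
    return states
```

Reading the four states returned by run_scenario in order shows the invariant the page claims: at no point is the intranet host reachable through the port while the gateway also allows the terminal's extranet traffic. The model also makes visible that the isolation rests on two independent enforcement points (the port ACL and the gateway policy) being updated together by the server; if either push fails, the server should roll back the other rather than leave the terminal in a mixed state.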
In this embodiment, communication between the terminal and the extranet is blocked or allowed by the egress gateway, and packet forwarding on the access switch to which the terminal is connected is controlled by the authentication server: when the terminal needs the intranet, the port connecting the terminal on the access switch is controlled to forward packets normally; when the terminal needs the extranet, that port is controlled to forward only packets whose destination address is the egress gateway and to drop all others. The intranet and the extranet are thereby isolated from each other.
In this embodiment, during the 802.1x authentication initiated after the terminal starts up, the access switch reports its own ID and the information about the port connecting the terminal, and the RADIUS server establishes and stores the association between terminal, access switch and port accordingly. In the subsequent Portal authentication, the authentication server can look up the stored association by terminal information (such as the terminal's user name), obtain the access switch corresponding to the terminal and the port on it to which the terminal is connected, and then issue an ACL policy for that port to that access switch to control packet forwarding on the port and so isolate the intranet from the extranet.
Alternatively, in this embodiment the access switch and port to which each terminal is connected can be determined in advance from the topology of the intranet, and the association pre-configured and stored on the RADIUS server accordingly, so that it need not be reported by the access switch and established during the 802.1x authentication. In the subsequent Portal authentication, the corresponding access switch and port are determined from the pre-configured association, the policy for that port is issued to that access switch, and forwarding control is achieved in the same way, which likewise isolates the intranet from the extranet.
As can be seen from the above, this embodiment requires no change to the physical topology of an existing network; intranet/extranet isolation is achieved by a smooth upgrade on the basis of the existing network. Compared with the prior art, the network topology of the method of this embodiment is simple, easy to manage and easy to expand. At the same time, no dual network interface cards or dual-NIC isolation software need be installed on the terminal, which saves terminal cost.
Based on the method for above-mentioned isolation intranet and extranet, present embodiment also correspondingly provides a kind of certificate server and access switch.As shown in Figure 6, said certificate server 60 comprises:
Related information unit 61 is used for preserving the related information between the port that connects this terminal on the terminal of Intranet, the access switch that connects this terminal and this access switch;
Authentication ' unit 62, the ID authentication request of the visit outer net that is used for sending through the outlet gateway according to first terminal is to the conduct interviews authentication of outer net of said first terminal;
Policy distribution unit 63, configured to: after the authentication unit 62 has passed the first terminal's authentication for extranet access, send the first policy to the outlet gateway, determine from the association information the first access switch and first port corresponding to the first terminal, and issue the second policy for the first port to the first access switch; the first policy instructs the outlet gateway to allow the first terminal to communicate with the extranet, and the second policy instructs the first access switch, for messages received on the first port, to forward only those whose destination address is the outlet gateway. The policy distribution unit 63 is further configured to receive the intranet/extranet access switch request sent by the first terminal through the outlet gateway, issue the third policy to the outlet gateway and, according to the association information, issue the fourth policy for the first port to the first access switch corresponding to the first terminal; the third policy instructs the outlet gateway to stop the first terminal from communicating with the extranet, and the fourth policy instructs the first access switch to forward all messages received on the first port.
Here, the authentication unit 62 is further configured to authenticate the first terminal for intranet access according to the identity authentication request for intranet access sent by the first terminal through the first access switch and, when that authentication passes, to return to the access switch a first response message indicating that the terminal has passed intranet access authentication. Specifically, the authentication unit 62 performs extranet access authentication according to the terminal's user name and extranet access password carried in the identity authentication request for extranet access, and performs intranet access authentication according to the terminal's user name and intranet access password carried in the identity authentication request for intranet access; the extranet access password and the intranet access password may be different or the same.
The association information unit 61 is further configured to establish and save the association information according to the identifier of the first access switch, the user name of the first terminal and the port number of the first port, as sent by the first access switch. Alternatively, the association information in the association information unit 61 may be pre-configured and saved according to the topology of the intranet.
As shown in Figure 7, the access switch 70 comprises:
Receiving unit 71, configured to receive the second policy sent by the certificate server for the first port on this access switch; the second policy is the policy for the first port that the certificate server, after the first terminal connected to the first port has passed the authentication for extranet access initiated through the outlet gateway, sends to this access switch corresponding to the first terminal according to the pre-saved association information between the first terminal, this access switch and the first port;
Port control unit 72, configured to, based on the second policy, forward among the messages received on the first port only those whose destination address is the outlet gateway, so as to prevent the first terminal from accessing the intranet while allowing it to access the extranet.
Here, the receiving unit 71 may be further configured to receive the fourth policy sent by the certificate server for the first port; the fourth policy is the policy for the first port that the certificate server issues, according to the association information, to this access switch corresponding to the first terminal after receiving the extranet access interruption request sent by the first terminal through the outlet gateway. The port control unit 72 may further, based on the fourth policy, forward all messages received on the first port; specifically, it may delete the previously issued second policy so as to restore normal message forwarding.
In Fig. 7, the access switch 70 further comprises:
Authentication request unit 73, configured to receive the identity authentication request for intranet access sent by the first terminal, request the certificate server to authenticate the first terminal for intranet access using the terminal's user name and password information, and send the identifier of this access switch and the port number of the first port to the certificate server;
The port control unit may also be configured to open the first port according to the first response message returned by the certificate server indicating that the first terminal has passed intranet access authentication, so that the first port can normally receive messages sent by the first terminal, whereby this access switch forwards the messages sent by the first terminal and thus enables the first terminal to access the intranet.
<Embodiment 2>
In embodiment 1, a terminal accessing the intranet must pass 802.1x authentication, which improves the security of intranet access and prevents unauthorized terminals from accessing intranet resources, and a terminal accessing the extranet must pass Portal authentication, which prevents unauthorized users from accessing the extranet. In the present embodiment, no authentication is performed for intranet access: a terminal can access the intranet as soon as it starts up. Extranet access is similar to embodiment 1 and still requires Portal authentication.
The method of isolating the intranet and extranet of the present embodiment is still applied in the environment shown in Figure 2. The method specifically comprises the following steps:
Step S81: the certificate server is configured in advance with, and saves, the association information between each terminal in the intranet, the access switch connected to that terminal and the port on that access switch connecting that terminal; at the same time, the default processing mode of the outlet gateway is set so that, for a newly started terminal, the default is to stop communication between that terminal and the extranet.
Step S82: after start-up, a terminal can access the intranet without authentication, and the access switch to which the terminal is connected forwards the terminal's messages normally; messages from the terminal to the extranet, however, are dropped at the outlet gateway, which ensures that the terminal cannot access the extranet while accessing the intranet.
Step S83: when the terminal needs to access the extranet, it sends a Portal authentication request to the outlet gateway. Normally the user initiates the Portal authentication request by entering a user name and password in a web page on the terminal.
Step S84: after receiving the above Portal authentication request, the outlet gateway requests the RADIUS server to authenticate the user's identity.
Step S85: the RADIUS server authenticates the terminal according to the terminal's user name and password passed on by the outlet gateway. If the terminal's authentication passes, the RADIUS server issues to the outlet gateway a policy instructing the outlet gateway to allow the terminal to access the extranet; at the same time, it searches the pre-saved association information according to the terminal's user name, finds the ID of the access switch corresponding to the terminal and the corresponding port, and issues an ACL policy for that port to that switch.
Step S86: the outlet gateway allows the terminal to communicate with the extranet according to the policy sent by the certificate server; after receiving the above ACL policy, the corresponding switch enables it on the corresponding port. The ACL policy requires the switch to drop all messages entering from that port except those whose destination IP address is the outlet gateway. The terminal can therefore access the extranet, but cannot access the intranet at the same time.
Thereafter, if the terminal also needs to access the intranet, the method of the present embodiment may further comprise steps 51 to 54 of embodiment 1, so as to switch the terminal from extranet access back to intranet access.
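The following is an added example, not code from the patent: a minimal Python model of the certificate server's policy distribution on Portal authentication success and on the switch back to intranet access (the first to fourth policies above), together with the per-port ACL the access switch enforces. The gateway address, user names, passwords and association table are constructed for illustration.

```python
"""Added example, not the patent's own code: a model of the certificate
server's policy distribution (Portal success and the switch back to the
intranet) and the per-port ACL on the access switch. All values constructed."""
from dataclasses import dataclass, field

GATEWAY_IP = "10.0.0.1"   # constructed address of the outlet gateway
@dataclass
class AccessSwitch:
    switch_id: str
    # port number -> "only_gateway" while the second policy (ACL) is enabled
    port_acl: dict = field(default_factory=dict)

    def apply_policy(self, port: int, policy: str) -> None:
        if policy == "only_gateway":          # second policy: enable the ACL
            self.port_acl[port] = policy
        else:                                 # fourth policy: delete the ACL
            self.port_acl.pop(port, None)     # and restore normal forwarding

    def forward(self, port: int, dst_ip: str) -> bool:
        """True if a message entering `port` for dst_ip is forwarded."""
        if self.port_acl.get(port) == "only_gateway":
            return dst_ip == GATEWAY_IP       # intranet destinations are dropped
        return True

class CertificateServer:
    def __init__(self, association: dict, credentials: dict):
        self.association = association        # user name -> (AccessSwitch, port)
        self.credentials = credentials        # user name -> extranet password
        self.gateway_allowed = set()          # users the outlet gateway passes

    def gateway_forwards(self, username: str) -> bool:
        """Outlet gateway default: drop a terminal's extranet traffic unless allowed."""
        return username in self.gateway_allowed

    def portal_auth(self, username: str, password: str) -> bool:
        """On success: first policy to the gateway, second policy to the port."""
        if self.credentials.get(username) != password:
            return False
        switch, port = self.association[username]
        self.gateway_allowed.add(username)
        switch.apply_policy(port, "only_gateway")
        return True

    def switch_to_intranet(self, username: str) -> None:
        """Third policy stops extranet traffic; fourth policy restores the port."""
        switch, port = self.association[username]
        self.gateway_allowed.discard(username)
        switch.apply_policy(port, "forward_all")
```

Note that the association lookup is keyed by the user name carried in the Portal request, exactly as in step S85, so a wrong entry in that table would send the ACL to the wrong port.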
In summary, with the method, certificate server and access switch for isolating the internal and external networks of the embodiments of the invention, the certificate server, according to pre-saved association information, issues to the access switch corresponding to a terminal the policy used to control that terminal's access to the intranet and extranet, thereby achieving the purpose of isolating intranet and extranet access.
The method, certificate server and access switch for isolating the internal and external networks according to the invention are not restricted to the uses listed in the description and the embodiments; they can be applied to any field suitable for the invention. Those skilled in the art can readily realize additional advantages and make modifications; therefore, without departing from the spirit and scope of the general concept defined by the claims and their equivalents, the invention is not limited to the specific details, representative equipment and illustrative examples shown and described here.