CN101277308B - Method for insulating inside and outside networks, authentication server and access switch - Google Patents

Publication number
CN101277308B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN2008101124839A
Other languages
Chinese (zh)
Other versions
CN101277308A (en)
Inventor
李蔚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Ziguang Communication Technology Group Co ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd

Abstract

The invention provides a method for isolating an internal network from an external network, an authentication server and an access switch. The method comprises the steps: A, the authentication server authenticates the identity of a terminal according to the terminal's identity authentication request for accessing the external network; B, after that identity authentication passes, the authentication server sends a first policy to the egress gateway, determines the access switch and the first port corresponding to the terminal according to pre-stored association information, and sends the access switch a second policy for the first port. The first policy notifies the egress gateway to permit communication between the terminal and the external network; the second policy notifies the access switch, for the packets received on the first port, to forward only those whose destination address is the egress gateway. The invention can realize isolation between the internal and external networks conveniently and efficiently and reduce the cost of realizing that isolation.

Description

A method, authentication server and access switch for isolating internal and external networks
Technical field
The present invention relates to the field of network access control, and specifically to a method, an authentication server and an access switch for isolating internal and external networks.
Background
With the maturing and rapid development of network and Internet technology, more and more enterprises and institutions are building networks to achieve office automation and to share Internet information. The internal network (Intranet, referred to here as the intranet) is comparatively safe: it is neither exposed to attacks from the external network (Internet, referred to here as the external network, for example the Internet) nor liable to leak secrets. The external network, however, is full of unsafe factors such as hackers, malicious attacks and viruses, which constantly threaten the security of the intranet. If a user needs to access the intranet while using the Internet, unsafe factors on the Internet may use the user's terminal (such as a PC) as a bridge into the corporate intranet and directly threaten the enterprise's information security.
Fig. 1 is a schematic diagram of a typical arrangement in which a terminal connects to both the intranet and the external network. As shown in Fig. 1, the terminal is connected to the intranet through an access switch; specifically, the terminal is attached to one port of the access switch, and the access switch forwards packets from the terminal so that the terminal can communicate with other devices. In Fig. 1 the access switch can also connect to the external network, such as the Internet, through the egress gateway. Only one terminal is shown in Fig. 1, although several terminals can of course be attached to the access switch. An aggregation switch is also connected between the access switch and the egress gateway. An enterprise user (terminal) that is connected to the Internet and the intranet at the same time may allow malicious attacks from the Internet to be forwarded through the terminal to the intranet servers, which is a security threat.
To solve this security problem, one prior-art solution is to build two physically isolated networks for the enterprise: one (called the first network here) connects to the Internet, and the other (called the second network here) connects to the enterprise network servers. Every terminal that needs to access both the intranet and the external network has two network cards installed, one connected to the first network and the other to the second network. Dual-network-card isolation software is installed as well; it ensures that the two network cards cannot work at the same time, which guarantees physical isolation of the internal and external networks.
This solution physically isolates the internal and external networks, so its security is high. However, because separate networks must be built for the intranet and the external network and the two are physically isolated, the network topology becomes complicated, network equipment cost doubles and maintenance workload doubles. Each host must also be given a dual-network-card system that supports the isolation mode and have two network cards installed, which raises terminal cost. The scheme further requires dual-network-card isolation software on the terminal, which increases the user's operating difficulty and the complexity of network management.
Summary of the invention
The technical problem to be solved by the invention is to provide a method, an authentication server and an access switch for isolating internal and external networks, so that the isolation is realized simply and efficiently and at reduced cost.
To solve the above technical problem, the invention provides the following scheme:
A method for isolating internal and external networks, in which a terminal is connected to a first port on an access switch, and the access switch connects to the intranet and, through an egress gateway, to the external network, comprising the steps:
S11, the authentication server performs external-network access authentication on the terminal according to the external-network access identity authentication request that the terminal initiates through the egress gateway;
S12, after the terminal passes external-network access authentication, the authentication server issues a first policy to the egress gateway, determines the access switch and the first port corresponding to the terminal according to pre-stored association information between the terminal, the access switch and the first port, and issues to the access switch a second policy for the first port, wherein the first policy notifies the egress gateway to allow the terminal to communicate with the external network, and the second policy notifies the access switch, for the packets received on the first port, to forward only those whose destination address is the egress gateway.
The above method further comprises, after step S12:
S13, the authentication server receives an internal/external access switching request sent by the terminal through the egress gateway;
S14, according to the internal/external access switching request, the authentication server issues a third policy to the egress gateway, looks up the association information to determine the access switch and the first port corresponding to the terminal, and issues to the access switch a fourth policy for the first port; the third policy notifies the egress gateway to stop the terminal from communicating with the external network, and the fourth policy notifies the access switch to forward all packets received on the first port.
The above method further comprises, before step S11:
The authentication server receives the intranet access identity authentication request sent by the terminal through the access switch, and receives the identifier of the access switch and the port number information of the first port sent by the access switch;
The authentication server performs intranet access authentication on the terminal according to the terminal's username and intranet access password information carried in the intranet access identity authentication request, and establishes and saves the association information according to the terminal's username, the identifier of the access switch and the port number information of the first port;
After the terminal passes intranet access authentication, the authentication server returns to the access switch a first response message indicating that the terminal has passed intranet access authentication.
In the above method, in step S11, the authentication server further performs the external-network access authentication according to the terminal's username and external-network access password information carried in the external-network access identity authentication request.
In the above method, the intranet access identity authentication request is an 802.1x authentication request, and the external-network access identity authentication request is a Portal authentication request.
The invention also provides another method for isolating internal and external networks, in which a terminal is connected to a first port on an access switch, and the access switch connects to the intranet and, through an egress gateway, to the external network, comprising the steps:
S21, while the terminal is accessing the external network, the access switch, for the packets received on the first port, forwards only those whose destination address is the egress gateway, and the egress gateway allows the terminal to communicate with the external network;
S22, when the terminal needs to access the intranet, the authentication server receives an internal/external access switching request sent by the terminal through the egress gateway;
S23, according to the internal/external access switching request, the authentication server issues a third policy to the egress gateway, looks up the pre-stored association information between the terminal, the access switch and the first port to determine the access switch and the first port corresponding to the terminal, and issues to the access switch a fourth policy for the first port; the third policy notifies the egress gateway to stop the terminal from communicating with the external network, and the fourth policy notifies the access switch to forward all packets received on the first port.
The above method further comprises, after step S23:
S24, the authentication server receives the external-network access identity authentication request initiated by the terminal through the egress gateway and performs external-network access authentication on the terminal;
S25, after the terminal passes external-network access authentication, the authentication server issues a first policy to the egress gateway, determines the access switch and the first port corresponding to the terminal according to the association information, and issues to the access switch a second policy for the first port, wherein the first policy notifies the egress gateway to allow the terminal to communicate with the external network, and the second policy notifies the access switch, for the packets received on the first port, to forward only those whose destination address is the egress gateway.
In the above method, in step S24, the authentication server further performs the external-network access authentication according to the terminal's username and external-network access password information carried in the external-network access identity authentication request.
Correspondingly, the invention also provides an authentication server, comprising:
An association information unit, configured to save association information between a terminal in the intranet, the access switch to which the terminal is connected, and the port on that access switch to which the terminal is connected;
An authentication unit, configured to perform external-network access authentication on a first terminal according to the external-network access identity authentication request sent by the first terminal through the egress gateway;
A policy issuing unit, configured to send a first policy to the egress gateway after the first terminal passes the authentication unit's external-network access authentication, determine the first access switch and the first port corresponding to the first terminal according to the association information, and issue to the first access switch a second policy for the first port, wherein the first policy notifies the egress gateway to allow the first terminal to communicate with the external network, and the second policy notifies the first access switch, for the packets received on the first port, to forward only those whose destination address is the egress gateway.
In the authentication server of the invention, the policy issuing unit is further configured to receive the internal/external access switching request sent by the first terminal through the egress gateway, issue a third policy to the egress gateway, and, according to the association information, issue to the first access switch corresponding to the first terminal a fourth policy for the first port, wherein the third policy notifies the egress gateway to stop the first terminal from communicating with the external network, and the fourth policy notifies the first access switch to forward all packets received on the first port.
In the authentication server of the invention, the authentication unit is further configured to perform intranet access authentication on the first terminal according to the intranet access identity authentication request sent by the first terminal through the first access switch, and, when authentication passes, to return to the access switch a first response message indicating that the terminal has passed intranet access authentication;
The association information unit is further configured to establish and save the association information according to the identifier of the first access switch sent by the first access switch, the username of the first terminal and the port number information of the first port.
In the authentication server of the invention, the authentication unit is further configured to perform the external-network access authentication according to the terminal's username and external-network access password information carried in the external-network access identity authentication request, and to perform the intranet access authentication according to the terminal's username and intranet access password information carried in the intranet access identity authentication request.
The invention also provides an access switch, comprising:
A receiving unit, configured to receive a second policy that the authentication server sends for a first port on this access switch; the second policy is sent after the first terminal connected to the first port passes the authentication server's external-network access authentication, initiated through the egress gateway, and is the policy for the first port that the authentication server, according to its pre-stored association information between the first terminal, this access switch and the first port, sends to the access switch corresponding to the first terminal;
A port control unit, configured to forward, based on the second policy and for the packets received on the first port, only those whose destination address is the egress gateway.
In the access switch of the invention, the receiving unit is further configured to receive a fourth policy that the authentication server sends for the first port; the fourth policy is the policy for the first port that the authentication server, after receiving the internal/external access switching request sent by the first terminal through the egress gateway, issues according to the association information to the access switch corresponding to the first terminal;
The port control unit is further configured to forward, based on the fourth policy, all packets received on the first port.
The access switch of the invention further comprises:
An authentication request unit, configured to receive the intranet access identity authentication request sent by the first terminal, send the terminal's username and password information to the authentication server to request intranet access authentication of the first terminal, and send the identifier of this access switch and the port number information of the first port to the authentication server;
The port control unit is further configured to open the first port according to the first response message returned by the authentication server indicating that the first terminal has passed intranet access authentication.
As can be seen from the above, in the method, authentication server and access switch provided by the invention, the authentication server uses pre-stored association information to issue, to the access switch corresponding to a terminal, the policies that control that terminal's access to the internal and external networks, which achieves isolation of internal and external network access. Compared with the prior art, the invention achieves this isolation through a smooth upgrade on the basis of the existing network. The invention does not require two network cards or dual-network-card isolation software on the terminal, so equipment cost is reduced. The network topology is also simple, with advantages such as low management and maintenance difficulty and easy expansion.
Brief description of the drawings
Fig. 1 is a schematic diagram of a typical prior-art arrangement in which a terminal connects to both the intranet and the external network;
Fig. 2 is a schematic diagram of the application environment of the isolation method of Embodiment 1 of the invention;
Fig. 3 is a flow chart of a terminal joining the intranet after start-up in Embodiment 1;
Fig. 4 is a flow chart of the terminal switching from intranet access to external-network access in Embodiment 1;
Fig. 5 is a flow chart of the terminal switching back from external-network access to intranet access in Embodiment 1;
Fig. 6 is a structural diagram of the authentication server of Embodiment 1;
Fig. 7 is a structural diagram of the access switch of Embodiment 1.
Detailed description of the embodiments
The access switch is connected to the terminal through one of its own ports, and all packets the terminal sends to the internal or external network must pass through that port. The invention does not require two network cards or dual-network-card isolation software on the terminal; instead, the authentication server controls how packets on that port are forwarded, and this realizes the isolation of internal and external networks. The invention is further described below through a specific embodiment with reference to the drawings.
<Embodiment 1>
Fig. 2 is a schematic diagram of the application environment of the isolation method of this embodiment. In Fig. 2, the terminal is connected to the intranet through an access switch; specifically, the terminal is attached to one port of the access switch. The access switch is also connected to the Internet through the egress gateway. An aggregation switch can also be connected between the access switch and the egress gateway, and an authentication server is connected to this aggregation switch. The authentication server can be a Remote Authentication Dial-In User Service (RADIUS) server or a Terminal Access Controller Access Control System (TACACS) server. This embodiment uses a RADIUS server as the example; the principle is the same for authentication servers based on other protocols. To protect the authentication server, terminals in the intranet do not know its address, while the access switch and the egress gateway are normally configured with the authentication server's information. Communication between a terminal and the authentication server is therefore normally carried out by the access switch or the egress gateway forwarding the relevant messages.
In this embodiment, after a terminal starts up and passes intranet access authentication, it can join the intranet. Intranet access authentication in this embodiment uses IEEE 802.1x. As a port-based LAN access control and authentication technique, 802.1x can restrict unauthorized users from accessing the intranet. Before the terminal passes authentication, the port on the access switch to which it is connected stays closed, and 802.1x allows only the user's 802.1x authentication packets through the port; after authentication passes, the port is opened and the terminal's normal data packets can pass through it. 802.1x-based authentication uses the Extensible Authentication Protocol over LAN (EAPoL) to carry authentication information between the terminal and the access switch, and the RADIUS or TACACS protocol to carry it between the access switch and the authentication server.
As shown in Fig. 3, the flow by which the terminal joins the intranet after start-up in this embodiment comprises the following steps:
Step 31, after the terminal starts up, it sends an 802.1x authentication request to the access switch.
Step 32, after receiving the 802.1x authentication request, the access switch asks the RADIUS server to authenticate the user's identity, and sends the RADIUS server the identifier (ID) of this access switch and the information (such as the port number) of the port on this access switch to which the terminal is connected.
Step 33, the RADIUS server performs intranet access authentication on the terminal according to the information sent up by the access switch, such as the terminal's username and intranet access password, and returns a response message indicating whether the terminal passed authentication; at the same time, it records the ID and port number of the access switch and saves the association information between the access switch ID, the port number and the terminal (for example, the terminal's username).
Here, an intranet access permission table can be kept on the RADIUS server. The table contains an entry for each terminal that may access the intranet, and each entry holds the terminal's username and the intranet access password corresponding to that username. Intranet access authentication checks whether the table contains an entry that exactly matches the username and password sent up by the access switch, and decides on that basis whether authentication passes.
Step 34, the access switch receives the RADIUS server's response message and determines from it whether the terminal has passed authentication: if authentication succeeded, it opens the port to which the terminal is connected; otherwise it keeps the port closed. It then returns an 802.1x authentication response packet to the terminal to tell it whether authentication succeeded.
In this way, once the terminal has passed authentication, it can access intranet resources through the access switch. To keep the terminal from also communicating with the external network while it accesses the intranet, the egress gateway can block traffic between the terminal and the external network. For example, for a newly started terminal, the egress gateway's default handling is set to discard all of the terminal's packets, which stops the terminal from accessing the external network; only after the egress gateway has been set to let packets from the terminal pass can the terminal communicate with the external network. These steps therefore ensure that the terminal cannot access the external network while it is accessing the intranet. Alternatively, in step 33 above, after the terminal passes authentication, the RADIUS server can issue a policy to the egress firewall notifying it to block the terminal's external-network traffic, so that the egress firewall discards all of the terminal's external-network packets according to this policy. In the scheme above, the access switch forwards the packets received on the port and the egress gateway blocks communication between the terminal and the external network, so the terminal can access the intranet but not the external network, and the internal and external networks are isolated.
During 802.1x authentication, the access switch sends the authentication server the terminal's information and the information of the port to which the terminal is connected. From this information the authentication server can establish and save the association between the terminal, the access switch it is connected to, and the port on that switch. Using this association, the authentication server can then issue a policy for the corresponding port to the corresponding access switch to control packet forwarding on that port, as described below.
In this embodiment, the steps above let the terminal access the intranet but not the external network. When the terminal needs to access the external network, it must pass external-network access authentication, which this embodiment performs by Portal authentication. The egress gateway acts as the Portal gateway, and the terminal initiates Portal authentication to the egress gateway: if authentication passes, the egress firewall is set to allow the terminal to access the external network; at the same time, the authentication server dynamically issues an Access Control List (ACL) policy to the access switch corresponding to the terminal, requiring that packets sent by the terminal can reach only the egress firewall and that all other packets are discarded, which ensures that the terminal cannot access the intranet while it is accessing the external network. As shown in Fig. 4, when the terminal needs to access the external network and switches from intranet access to external-network access, the isolation method of this embodiment comprises the following steps:
Step 41, when the terminal needs to access the external network, it sends a Portal authentication request to the egress gateway. Normally the user initiates the Portal authentication request by entering a username and external-network access password in a web page on the terminal.
Step 42, after receiving the Portal authentication request, the egress gateway asks the RADIUS server to authenticate the user's identity.
Step 43, the RADIUS server authenticates the terminal according to the terminal's username and external-network access password sent up by the egress gateway. If the terminal passes authentication, the RADIUS server issues to the egress gateway a first policy instructing the egress gateway to allow the terminal to access the external network; at the same time, it looks up the pre-stored association information by the terminal's username, determines the ID of the access switch and the port corresponding to the terminal, and issues to that switch a first ACL policy for that port.
Here, an external-network access permission table can also be kept on the RADIUS server. The table contains an entry for each terminal that may access the external network, and each entry holds the terminal's username and the external-network access password corresponding to that username. External-network access authentication checks whether the table contains an entry that exactly matches the username and password sent up by the access switch, and decides on that basis whether authentication passes. For a given username, the intranet access password and the external-network access password may be the same or different. When they differ, different users of the same terminal can be given different access rights; for example, a user who knows only the terminal's intranet access password cannot pass external-network access authentication and so cannot access the external network through that terminal.
Step 44, after receiving the first policy, the egress gateway allows the terminal to communicate with the external network; after receiving the first ACL policy, the corresponding switch enables it on the corresponding port. The first ACL policy requires the switch, for packets entering through that port, to discard every packet except those whose destination IP address points to the egress gateway.
In this way, the terminal's external-network packets are forwarded by the access switch to the egress gateway and then sent by the egress gateway to the external network, so the terminal can access the external network normally; packets from the terminal to the intranet are discarded at the access switch, which prevents the terminal from accessing the intranet while it is accessing the external network.
When the terminal is able to access the external network and wants to access the intranet again, it is allowed to access the intranet only after it has disconnected from the external network. In this case, as shown in Fig. 5, when the terminal switches back to accessing the intranet, the method of this embodiment for isolating the internal and external networks further comprises the following steps:
Step 51: when the terminal needs to resume access to the intranet, it sends an intranet/external-network access switching request to the outlet gateway; specifically, this may be a Portal interruption request, which asks to interrupt external-network access and switch back to the intranet-access state.
Step 52: after receiving the Portal interruption request, the outlet gateway notifies the RADIUS server of the request.
Step 53: after receiving the terminal's Portal interruption request forwarded by the outlet gateway, the RADIUS server returns a response message to the outlet gateway; at the same time, it looks up the association information according to the terminal's user name, determines the ID of the access switch corresponding to the terminal and the corresponding port, and issues to that switch a second ACL policy for that port.
Step 54: after receiving the response message, the outlet gateway blocks communication between the terminal and the external network. After receiving the second ACL policy issued by the RADIUS server, the access switch enables it; the second ACL policy deletes the ACL policy previously enabled on the corresponding port, so that the access switch resumes normal forwarding of packets entering through that port.
In this way, through the above steps, the terminal can again access the intranet normally, while all packets sent by the terminal to access the external network are dropped by the outlet gateway, which prevents the terminal from accessing the external network while it accesses the intranet.
In this embodiment, the outlet gateway blocks or allows communication between the terminal and the external network, and the authentication server controls packet forwarding on the access switch to which the terminal is attached: when the terminal needs to access the intranet, the port on the access switch connected to the terminal is controlled to forward packets normally; when the terminal needs to access the external network, that port is controlled to forward only packets whose destination address is the outlet gateway and to drop all other packets, thereby isolating the intranet from the external network.
In this embodiment, during the 802.1x authentication initiated after the terminal starts, the access switch reports its own ID and the information of the port connected to the terminal, and the RADIUS server establishes and saves the association information among the terminal, the access switch and the port accordingly. In the subsequent Portal authentication, the authentication server can then look up the previously saved association information according to terminal information (such as the terminal's user name) to obtain the access switch corresponding to the terminal and the port to which the terminal is connected, and issue to that access switch an ACL policy for that port to control packet forwarding on the port, thereby isolating the intranet from the external network.
Of course, in this embodiment the access switch and port to which each terminal is attached may also be determined in advance from the topology of the intranet, and the association information may be preconfigured and saved at the RADIUS server accordingly, so that the access switch does not need to report this information during 802.1x authentication in order to establish and save the association information. In the subsequent Portal authentication, the corresponding access switch and port can be determined from the preconfigured association information, and a policy for that port can be issued to the corresponding access switch to control packet forwarding, which likewise achieves the isolation of the intranet and the external network.
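The policy flow of embodiment 1 (802.1x authentication that records the association, Portal authentication, and the switch back to the intranet) can be modelled as follows. This is an added example, not code from the patent; the class names, addresses and passwords are constructed, and applying the switch ACL before the gateway permission (and revoking in the reverse order) is an assumption of this example, since the text only says the two policies are issued at the same time.

```python
import hmac
from dataclasses import dataclass

GATEWAY_IP = "192.0.2.1"      # constructed outlet-gateway address
INTRANET_HOST = "10.1.1.20"   # constructed intranet server address


@dataclass(frozen=True)
class Packet:
    user: str     # user name of the sending terminal
    dst_ip: str


class AccessSwitch:
    def __init__(self, switch_id):
        self.switch_id = switch_id
        self.open_ports = set()   # ports opened after 802.1x success
        self.acl = {}             # port -> the only destination IP permitted

    def forward(self, port, pkt):
        if port not in self.open_ports:
            return False
        only = self.acl.get(port)
        return only is None or pkt.dst_ip == only


class OutletGateway:
    def __init__(self, ip):
        self.ip = ip
        self.allowed = set()      # default handling: block every terminal

    def forward(self, pkt):
        return pkt.user in self.allowed


def _password_ok(table, user, password):
    expected = table.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


class AuthServer:
    def __init__(self, gateway, switches, intranet_pw, external_pw):
        self.gateway = gateway
        self.switches = {s.switch_id: s for s in switches}
        self.intranet_pw = intranet_pw   # user -> intranet access password
        self.external_pw = external_pw   # external-network permission table
        self.assoc = {}                  # user -> (switch_id, port)

    def dot1x_auth(self, user, password, switch_id, port):
        """Intranet authentication; the switch reports its ID and port."""
        if switch_id not in self.switches:
            return False
        if not _password_ok(self.intranet_pw, user, password):
            return False
        self.assoc[user] = (switch_id, port)
        self.switches[switch_id].open_ports.add(port)
        return True

    def portal_auth(self, user, password):
        """Steps 43-44: issue the first policy and the first ACL policy."""
        if not _password_ok(self.external_pw, user, password):
            return False
        loc = self.assoc.get(user)
        if loc is None:
            return False   # fail closed: no port to restrict, so no external access
        switch_id, port = loc
        # Assumption of this example: restrict the port first, then open the gateway.
        self.switches[switch_id].acl[port] = self.gateway.ip
        self.gateway.allowed.add(user)
        return True

    def portal_interrupt(self, user):
        """Steps 53-54: block at the gateway, then delete the port ACL."""
        self.gateway.allowed.discard(user)
        loc = self.assoc.get(user)
        if loc is not None:
            self.switches[loc[0]].acl.pop(loc[1], None)


def reachable(server, user, dst_ip):
    """True if a packet from the user's terminal would be delivered to dst_ip."""
    loc = server.assoc.get(user)
    if loc is None:
        return False
    pkt = Packet(user, dst_ip)
    if not server.switches[loc[0]].forward(loc[1], pkt):
        return False
    if dst_ip == server.gateway.ip:
        return server.gateway.forward(pkt)
    return True


def build_demo():
    """Constructed sample data: one switch, two users, differing passwords."""
    return AuthServer(OutletGateway(GATEWAY_IP), [AccessSwitch("sw1")],
                      intranet_pw={"alice": "in-pass"},
                      external_pw={"alice": "ex-pass", "bob": "bob-ex"})


if __name__ == "__main__":
    srv = build_demo()
    srv.dot1x_auth("alice", "in-pass", "sw1", 3)
    srv.portal_auth("alice", "ex-pass")
    print(reachable(srv, "alice", GATEWAY_IP), reachable(srv, "alice", INTRANET_HOST))
```

A user who appears in the external-network permission table but has no association record is refused in this model, because without a known switch port the second half of the isolation cannot be enforced.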
As can be seen from the above, this embodiment requires no change to the physical topology of the existing network; the isolation of the intranet and the external network can be achieved through a smooth upgrade on the basis of the existing network. Compared with the prior art, the network topology of the method of this embodiment is simple, and the method has advantages such as low management difficulty and easy expansion. In addition, this embodiment does not require two network cards or dual-network-card isolation software to be installed on the terminal, which saves terminal cost.
Based on the method for above-mentioned isolation intranet and extranet, present embodiment also correspondingly provides a kind of certificate server and access switch.As shown in Figure 6, said certificate server 60 comprises:
Related information unit 61 is used for preserving the related information between the port that connects this terminal on the terminal of Intranet, the access switch that connects this terminal and this access switch;
Authentication ' unit 62, the ID authentication request of the visit outer net that is used for sending through the outlet gateway according to first terminal is to the conduct interviews authentication of outer net of said first terminal;
Policy distribution unit 63; Be used for after of the authentication of said first terminal, sending first strategy to said outlet gateway through the visit outer net of said authentication ' unit 62, and according to said related information; Confirm first access switch and first port that said first terminal is corresponding; And issue second strategy to said first port to said first access switch, wherein, said first strategy is used to notify said outlet gateway to allow said first terminal and outer net to communicate; Said second strategy is used to notify the message of said first access switch for said first port receives, and only transmitting wherein, destination address is the message of said outlet gateway.Said policy distribution unit 63; Also be used to receive the intranet and extranet visit handoff request that send through said outlet gateway at said first terminal; And issue the 3rd strategy to said outlet gateway; And according to said related information, the first corresponding access switch issues the 4th strategy to said first port to said first terminal, wherein; Said the 3rd strategy is used to notify said outlet gateway to stop said first terminal and outer net to communicate, and said the 4th strategy is used to notify said first access switch all to transmit for the message that said first port receives.
Here; Said authentication ' unit 62; Also be used for according to the ID authentication request of said first terminal through the visit Intranet of said first access switch transmission; To the conduct interviews authentication of Intranet of first terminal, and authentication through the time return first response message of the said terminal of indication to said access switch through the authentication of visit Intranet; Concrete; The user name and the extranet access encrypted message at the said terminal of carrying in the ID authentication request of said authentication ' unit 62 according to said visit outer net; Carry out the authentication of said visit outer net; And the user name at the terminal of carrying in the ID authentication request according to said visit Intranet and Intranet access code information carries out the authentication of said visit Intranet, and said extranet access password and said Intranet access code can be inequality, also can be identical.
Said related information unit 61 is further used for sign, the user name at said first terminal and the port number information of said first port according to said first access switch of said first access switch transmission, sets up and preserve said related information.Certainly, the related information in the said related information unit 61 can also be the topological structure according to Intranet, and is pre-configured and preservation.
As shown in Fig. 7, the access switch 70 comprises:
A receiving unit 71, used to receive a second policy that the authentication server sends for a first port on this access switch, the second policy being a policy for the first port that, after the first terminal connected to the first port has passed the authentication server's external-network access authentication initiated through the outlet gateway, the authentication server sends to this access switch corresponding to the first terminal according to the previously saved association information among the first terminal, this access switch and the first port;
A port control unit 72, used, according to the second policy, to forward only those packets received on the first port whose destination address is the outlet gateway, so as to restrict the first terminal from accessing the intranet while allowing it to access the external network.
Here, the receiving unit 71 may be further used to receive a fourth policy that the authentication server sends for the first port, the fourth policy being a policy for the first port that the authentication server, after receiving the external-network access interruption request sent by the first terminal through the outlet gateway, issues to this access switch corresponding to the first terminal according to the association information. The port control unit 72 may further, according to the fourth policy, forward all packets received on the first port; specifically, this may be done by deleting the previously issued second policy to restore normal packet forwarding.
In Fig. 7, the access switch 70 further comprises:
An authentication request unit 73, used to receive the identity authentication request for accessing the intranet sent by the first terminal, to send the terminal's user name and password to the authentication server to request intranet access authentication of the first terminal, and to send the identifier of this access switch and the port number of the first port to the authentication server;
The port control unit may also be used to open the first port according to the first response message, returned by the authentication server, indicating that the first terminal has passed intranet access authentication, so that the first port can normally receive packets sent by the first terminal and this access switch enables the first terminal to access the intranet by forwarding those packets.
< embodiment 2 >
In embodiment 1, a terminal must pass 802.1x authentication to access the intranet, which improves the security of intranet access and prevents unauthorized terminals from accessing intranet resources. A terminal must pass Portal authentication to access the external network, so that unauthorized users are barred from accessing the external network. In this embodiment, no authentication is performed for terminal access to the intranet, that is, the terminal can connect to and access the intranet once it has started; access to the external network is similar to embodiment 1 and requires Portal authentication.
The method of this embodiment for isolating the intranet and the external network is still applied in the environment shown in Fig. 2. The method specifically comprises the following steps:
Step S81: the association information among each terminal in the intranet, the access switch connected to the terminal, and the port on that access switch connected to the terminal is configured and saved in advance at the authentication server. At the same time, the default handling of the outlet gateway is set: by default, communication between a newly started terminal and the external network is blocked.
Step S82: after the terminal starts, it can access the intranet without authentication, and the access switch to which the terminal is attached forwards packets from the terminal normally; packets sent by the terminal to access the external network are dropped at the outlet gateway, which ensures that the terminal cannot access the external network while it accesses the intranet.
Step S83: when the terminal needs to access the external network, it sends a Portal authentication request to the outlet gateway. Usually the user initiates the Portal authentication request by entering a user name and password in a web page on the terminal.
Step S84: after receiving the Portal authentication request, the outlet gateway requests the RADIUS server to authenticate the user's identity.
Step S85: the RADIUS server authenticates the terminal according to the user name and password of the terminal forwarded by the outlet gateway. If the terminal passes authentication, the RADIUS server issues to the outlet gateway a policy instructing the outlet gateway to allow the terminal to access the external network; at the same time, it looks up the previously saved association information according to the terminal's user name, finds the ID of the access switch corresponding to the terminal and the corresponding port, and issues to that switch an ACL policy for that port.
Step S86: the outlet gateway allows the terminal to communicate with the external network according to the policy sent by the authentication server. After receiving the ACL policy, the corresponding switch enables it on the corresponding port; the ACL policy requires the switch to drop every packet entering through that port except packets whose destination IP address is the outlet gateway. The terminal can thus access the external network but cannot access the intranet at the same time.
After that, if the terminal also needs to access the intranet, the method of this embodiment may further comprise steps 51 to 54 of embodiment 1, so as to switch the terminal from accessing the external network back to accessing the intranet.
In summary, in the method, authentication server and access switch of the embodiments of the present invention for isolating internal and external networks, the authentication server, according to the previously saved association information, issues to the access switch corresponding to a terminal the policy that controls the terminal's access to the intranet and the external network, thereby isolating intranet access from external-network access.
The method for isolating internal and external networks, the authentication server and the access switch of the present invention are not limited to the uses listed in the specification and the embodiments; they can be applied in any field suited to the invention. Those skilled in the art can readily realize additional advantages and make modifications; therefore, without departing from the spirit and scope of the general concept defined by the claims and their equivalents, the invention is not limited to the specific details, the representative devices, or the illustrated examples shown and described here.

Claims (15)

1. A method for isolating internal and external networks, wherein a terminal is connected to a first port on an access switch, and the access switch is connected to the intranet and is connected to the external network through an outlet gateway, characterized in that the method comprises the steps of:
S11: an authentication server performs external-network access authentication on the terminal according to the identity authentication request for accessing the external network that the terminal initiates through the outlet gateway;
S12: after the terminal passes the external-network access authentication, the authentication server issues a first policy to the outlet gateway, determines, according to previously saved association information among the terminal, the access switch and the first port, the access switch and the first port corresponding to the terminal, and issues to the access switch a second policy for the first port, wherein the first policy notifies the outlet gateway to allow the terminal to communicate with the external network, and the second policy notifies the access switch that, of the packets received on the first port, it is to forward only those whose destination address is the outlet gateway.
2. The method of claim 1, characterized in that, after step S12, the method further comprises:
S13: the authentication server receives the intranet/external-network access switching request that the terminal sends through the outlet gateway;
S14: according to the intranet/external-network access switching request, the authentication server issues a third policy to the outlet gateway, looks up the association information, determines the access switch and the first port corresponding to the terminal, and issues to the access switch a fourth policy for the first port; the third policy notifies the outlet gateway to block communication between the terminal and the external network, and the fourth policy notifies the access switch to forward all packets received on the first port.
3. The method of claim 1, characterized in that, before step S11, the method further comprises:
The authentication server receives the identity authentication request for accessing the intranet that the terminal sends through the access switch, and receives the identifier of the access switch and the port number of the first port sent by the access switch;
The authentication server performs intranet access authentication on the terminal according to the terminal's user name and intranet access password carried in the identity authentication request for accessing the intranet, and establishes and saves the association information according to the user name of the terminal, the identifier of the access switch and the port number of the first port;
After the terminal passes the intranet access authentication, the authentication server returns to the access switch a first response message indicating that the terminal has passed intranet access authentication.
4. The method of claim 3, characterized in that,
In step S11, the authentication server further performs the external-network access authentication according to the terminal's user name and external-network access password carried in the identity authentication request for accessing the external network.
5. The method of claim 4, characterized in that the identity authentication request for accessing the intranet is an 802.1x authentication request, and the identity authentication request for accessing the external network is a Portal authentication request.
6. A method for isolating internal and external networks, wherein a terminal is connected to a first port on an access switch, and the access switch is connected to the intranet and is connected to the external network through an outlet gateway, characterized in that the method comprises the steps of:
S21: when the terminal accesses the external network, the access switch forwards, of the packets received on the first port, only those whose destination address is the outlet gateway, and the outlet gateway allows the terminal to communicate with the external network;
S22: when the terminal needs to access the intranet, an authentication server receives the intranet/external-network access switching request that the terminal sends through the outlet gateway;
S23: according to the intranet/external-network access switching request, the authentication server issues a third policy to the outlet gateway, looks up previously saved association information among the terminal, the access switch and the first port, determines the access switch and the first port corresponding to the terminal, and issues to the access switch a fourth policy for the first port; the third policy notifies the outlet gateway to block communication between the terminal and the external network, and the fourth policy notifies the access switch to forward all packets received on the first port.
7. The method of claim 6, characterized in that, after step S23, the method further comprises:
S24: the authentication server receives the identity authentication request for accessing the external network that the terminal initiates through the outlet gateway, and performs external-network access authentication on the terminal;
S25: after the terminal passes the external-network access authentication, the authentication server issues a first policy to the outlet gateway, determines, according to the association information, the access switch and the first port corresponding to the terminal, and issues to the access switch a second policy for the first port, wherein the first policy notifies the outlet gateway to allow the terminal to communicate with the external network, and the second policy notifies the access switch that, of the packets received on the first port, it is to forward only those whose destination address is the outlet gateway.
8. The method of claim 7, characterized in that,
In step S24, the authentication server further performs the external-network access authentication according to the terminal's user name and external-network access password carried in the identity authentication request for accessing the external network.
9. An authentication server, characterized by comprising:
An association information unit, used to save the association information among a terminal in the intranet, the access switch connected to the terminal, and the port on that access switch connected to the terminal;
An authentication unit, used to perform external-network access authentication on the terminal according to the identity authentication request for accessing the external network that the terminal sends through the outlet gateway;
A policy issuing unit, used to send a first policy to the outlet gateway after the terminal passes the external-network access authentication of the authentication unit, to determine, according to the association information, the access switch and first port corresponding to the terminal, and to issue to the access switch a second policy for the first port, wherein the first policy notifies the outlet gateway to allow the terminal to communicate with the external network, and the second policy notifies the access switch that, of the packets received on the first port, it is to forward only those whose destination address is the outlet gateway.
10. The authentication server of claim 9, characterized in that,
The policy issuing unit is also used to receive the intranet/external-network access switching request that the terminal sends through the outlet gateway, to issue a third policy to the outlet gateway, and, according to the association information, to issue to the access switch corresponding to the terminal a fourth policy for the first port, wherein the third policy notifies the outlet gateway to block communication between the terminal and the external network, and the fourth policy notifies the access switch to forward all packets received on the first port.
11. The authentication server of claim 9, characterized in that,
The authentication unit is also used to perform intranet access authentication on the terminal according to the identity authentication request for accessing the intranet that the terminal sends through the access switch, and, when authentication passes, to return to the access switch a first response message indicating that the terminal has passed intranet access authentication;
The association information unit is further used to establish and save the association information according to the identifier of the access switch, the user name of the terminal and the port number of the first port sent by the access switch.
12. The authentication server of claim 11, characterized in that,
The authentication unit is further used to perform the external-network access authentication according to the terminal's user name and external-network access password carried in the identity authentication request for accessing the external network, and to perform the intranet access authentication according to the terminal's user name and intranet access password carried in the identity authentication request for accessing the intranet.
13. An access switch, characterized by comprising:
A receiving unit, used to receive a second policy that an authentication server sends for a first port on this access switch, the second policy being a policy for the first port that, after the terminal connected to the first port has passed the authentication server's external-network access authentication initiated through the outlet gateway, the authentication server sends to this access switch corresponding to the terminal according to the previously saved association information among the terminal, this access switch and the first port;
A port control unit, used, according to the second policy, to forward only those packets received on the first port whose destination address is the outlet gateway.
14. The access switch of claim 13, characterized in that,
The receiving unit is further used to receive a fourth policy that the authentication server sends for the first port, the fourth policy being a policy for the first port that the authentication server, after receiving the intranet/external-network access switching request sent by the terminal through the outlet gateway, issues to this access switch corresponding to the terminal according to the association information;
The port control unit is further used, according to the fourth policy, to forward all packets received on the first port.
15. The access switch of claim 13, characterized by further comprising:
An authentication request unit, used to receive the identity authentication request for accessing the intranet sent by the terminal, to send the terminal's user name and password to the authentication server to request intranet access authentication of the terminal, and to send the identifier of this access switch and the port number of the first port to the authentication server;
The port control unit is also used to open the first port according to the first response message, returned by the authentication server, indicating that the terminal has passed intranet access authentication.
CN2008101124839A 2008-05-23 2008-05-23 Method for insulating inside and outside networks, authentication server and access switch Active CN101277308B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101124839A CN101277308B (en) 2008-05-23 2008-05-23 Method for insulating inside and outside networks, authentication server and access switch

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2008101124839A CN101277308B (en) 2008-05-23 2008-05-23 Method for insulating inside and outside networks, authentication server and access switch

Publications (2)

Publication Number Publication Date
CN101277308A CN101277308A (en) 2008-10-01
CN101277308B true CN101277308B (en) 2012-04-18

Family

ID=39996320

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008101124839A Active CN101277308B (en) 2008-05-23 2008-05-23 Method for insulating inside and outside networks, authentication server and access switch

Country Status (1)

Country Link
CN (1) CN101277308B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6253327B1 (en) * 1998-12-02 2001-06-26 Cisco Technology, Inc. Single step network logon based on point to point protocol
CN1571398A (en) * 2004-04-29 2005-01-26 上海交通大学 Network safety isolating and information exchanging system and method based on proxy mapping
CN1705262A (en) * 2004-05-27 2005-12-07 华为技术有限公司 Network security protecting system and method
CN101072108A (en) * 2007-07-17 2007-11-14 杭州华三通信技术有限公司 SSL VPN client end safety inspection method, system and device
CN101083669A (en) * 2007-07-10 2007-12-05 梁雁文 Computer network isolated system and its control and switch method

Also Published As

Publication number Publication date
CN101277308A (en) 2008-10-01

Similar Documents

Publication Publication Date Title
CN101277308B (en) Method for insulating inside and outside networks, authentication server and access switch
CN101455041B (en) Detection of network environment
CN101340444B (en) Fireproof wall and server policy synchronization method, system and apparatus
US8065402B2 (en) Network management using short message service
CN104753887B (en) Security management and control implementation method, system and cloud desktop system
CN101378395B (en) Method and apparatus for preventing reject access aggression
US9438630B2 (en) Network access control using subnet addressing
KR101910605B1 (en) System and method for controlling network access of wireless terminal
US9319429B2 (en) Network quarantine system, network quarantine method and program therefor
EP1661358B1 (en) Preventing unauthorized access of computer network resources
EP2790354B1 (en) Security management system having multiple relay servers, and security management method
CN101436934A (en) Method, system and equipment for controlling user upper wire
CN105706455B (en) Electronic device and method for controlling electronic device
CN101335692A (en) Method for negotiating security capability between PCC and PCE and network system thereof
CN102377740A (en) Industrial access control method and device
CN101984693A (en) Monitoring method and monitoring device for access of terminal to local area network (LAN)
Kim et al. Trustworthy gateway system providing IoT trust domain of smart home
CN101188558B (en) Access control method, unit and network device
CN102185867A (en) Method for realizing network security and star network
KR101993860B1 (en) System and method for controlling network access
US20060168239A1 (en) Secure client/server data transmission system
KR20180081965A (en) Apparatus and method for providing network service
JP4965499B2 (en) Authentication system, authentication device, communication setting device, and authentication method
CN108737445B (en) Security policy sharing method and security policy sharing system
WO2010002381A1 (en) Automatic firewall configuration

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20230816

Address after: 24th Floor, Block B, Zhizhen Building, No. 7 Zhichun Road, Haidian District, Beijing, 100088

Patentee after: Beijing Ziguang Communication Technology Group Co.,Ltd.

Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466

Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.
