CN1705262A - Network security protecting system and method - Google Patents
Network security protecting system and method
- Publication number: CN1705262A (application CN200410042910)
- Authority: CN (China)
- Prior art keywords: security, server, user, network, authentication
- Legal status: Granted
- Classification: Computer And Data Communications
Abstract
A network security protection system and method. The protection system includes: an authentication server, used for network access authentication, which decides whether a user may access the network according to an authentication result containing security information; a security policy server, used to configure and issue security policies, to judge whether a user is a secure or a non-secure user, and to send the judgment result to the authentication server; and a broadband access server, used for user network access, which receives the security policy, monitors the packets of users accessing the network according to it, sends the monitoring information to the security policy server so that user security can be judged, and denies non-secure users access to the network according to the judgment result from the authentication server or the security information in the authentication result. Correspondingly, the invention also discloses a network security protection method.
Description
Technical field
The invention relates to security technology in the computer or communication field, in particular to a network security protection system and method.
Background
With the worldwide popularization and deepening of computer networks, especially the Internet, and the vigorous promotion and application of enterprise networks in securities departments, banking systems, enterprises and institutions, more and more people come into contact with and use networks. Trade and mail transmission can be carried out over the network, but at the same time the number of viruses has multiplied rapidly along with it, many nearly extinct viruses reappear from time to time, and macro viruses, being independent of the operating system, spread over the network especially fast. As networks have developed vigorously, so have viruses. Some viruses on the network are benign and do no damage beyond affecting normal system operation, but more are malicious and will break out, with varied symptoms: some format the hard disk, some delete system files, some corrupt databases, and so on. Therefore a virus must be treated as soon as possible, all the more so on a network, where its destructiveness is far greater than for a stand-alone user, not to mention the losses.
In addition, network attacks are increasingly common and have a great impact on broadband access servers: often an attack by one user causes other users in the same area to be unable to access the network normally, which greatly troubles telecom operators.
The existing method of dealing with viruses is still to download patches and antivirus software. However, a broadband metropolitan area network has thousands or tens of thousands of machines, and as long as one machine is not disinfected and patched in time, it affects the entire network and may even cause the entire network to be infected repeatedly.
Therefore, on the whole, existing methods do not solve the problems of isolating network viruses and preventing repeated infection well, and users need to update antivirus software and system patches frequently, which increases the complexity of user operation.
Summary of the invention
The problem solved by the present invention is to provide a network security protection system and method that avoids repeated infection by network viruses.
To solve the above problem, the network security protection system of the present invention includes: an authentication server, used for network access authentication, which decides whether a user may access the network according to an authentication result containing security information; a security policy server, used to configure and issue security policies, to judge whether a user is a secure or a non-secure user, and to send the judgment result to the authentication server; and a broadband access server, used for user network access, which receives the security policy, monitors the packets of users accessing the network according to it, sends the monitoring information to the security policy server so that user security can be judged, and denies non-secure users access to the network according to the judgment result from the authentication server or the security information in the authentication result.
The authentication server has a security attribute indicating whether a user is secure, and the broadband access server has a user security attribute indicating whether a user is secure. The security attribute value on the authentication server is set according to the security judgment result of the security policy server, and the current security attribute value is sent to the broadband access server; the broadband access server sets its user security attribute value according to the received security attribute value and denies non-secure users access to the network according to that user security attribute value.
The security policy includes: a check item, indicating what the broadband access server checks; a trigger condition; and an operation, indicating the specific action the broadband access server performs when the trigger condition is met. The operation means that the broadband access server monitors the user's packets and, when the trigger condition is met, copies the corresponding packet to the security policy server as monitoring information, and the security policy server judges the user's security from that packet.
The system also includes a portal server for isolating non-secure users, and the broadband access server directs non-secure users to that portal server.
Correspondingly, the network security protection method of the present invention includes the following steps: a security policy configuration step, in which the security policy server issues a security policy to the broadband access server; an authentication step, in which the user's security is checked during authentication and an authentication result carrying the user's security information is returned to the broadband access server; a monitoring step, in which, according to the authentication result, the packets of users accessing the network are monitored according to the security policy and the monitoring information is fed back to the security policy server; a judgment step, in which the security policy server judges user security according to the monitoring information and passes the judgment result via the authentication server; and a processing step, in which the authentication server issues the judgment result to the broadband access server, which denies non-secure users access to the network according to the judgment result.
The security policy includes: a check item, indicating what the broadband access server checks; a trigger condition; and an operation, indicating the specific action the broadband access server performs when the trigger condition is met. The monitoring information means the user packet monitored by the broadband access server when the trigger condition is met, and the operation means copying that packet to the security policy server.
The authentication server has a security attribute indicating whether a user is secure, and the broadband access server has a user security attribute indicating whether a user is secure. The authentication step further includes: the broadband access server sends an authentication request to the authentication server; the authentication server performs authentication and reads the user's security attribute value; and the authentication result containing the security attribute value is returned to the broadband access server.
The access step further includes: the broadband access server judges from the authentication result whether authentication passed; if it passed, the user security attribute is set according to the security attribute value in the authentication result; whether the user is secure is judged according to the user security attribute value; if not secure, network access is denied; if secure, network access is granted and the monitoring step is performed at the same time.
The monitoring step further includes: the broadband access server monitors the user's packets according to the security policy; when the trigger condition is met, it copies the corresponding packet to the security policy server as monitoring information.
The processing step further includes: the authentication server sets the security attribute value according to the security judgment result of the security policy server and sends the current security attribute value to the broadband access server; the broadband access server sets the user security attribute value according to the received value and denies non-secure users access to the network; non-secure users are forced to access the portal server; the portal server provides infected non-secure users with antivirus tools for disinfection, and warns non-secure users conducting network attacks that such attacks are prohibited; a security assessment is performed on users who have disinfected, and if secure, the authentication server is notified to set the user's security attribute to secure; the authentication server changes the user's security attribute to secure and issues it to the broadband access server; the broadband access server changes the user security attribute to secure and returns to the monitoring step.
Compared with the prior art, the present invention has the following advantages:
By issuing security policies from the security policy server and then performing resource checks on the BAS for monitoring, it is easy to judge whether a user is infected or conducting a network attack; since updating security policies via the security policy server is convenient and flexible, new viruses and new network attack methods can be responded to in time;
Users are divided into secure and non-secure users; secure users access the Internet without restriction while non-secure users can only access the portal server, which prevents non-secure users from infecting secure users;
The security policies on the security policy server can be produced in cooperation with antivirus and anti-hacker vendors, which ensures that security policies are updated quickly and in time;
Users need not always follow the latest patch and virus information, which lowers the demands on users' virus knowledge and reduces the risk of infection;
For operators, the invention can effectively resolve the waste of system resources caused by viruses and network attacks. For viruses, infected users can be identified quickly and isolated, preventing them from further infecting other normal users, and offering antivirus tools for paid download provides a new source of profit; for hackers, attack behaviour can be discovered in time so that further handling can follow;
For antivirus and anti-hacker vendors, providing the latest virus information and antivirus tools can be charged for, achieving a win-win effect.
Description of drawings
Fig. 1 is a block diagram of the network security protection system of the present invention.
Fig. 2 is a schematic diagram of an embodiment of the security attribute setting on the authentication server.
Fig. 3 is a flowchart of the security policy configuration step in the network security protection method of the present invention.
Fig. 4 is a flowchart of the authentication and monitoring steps in the network security protection method of the present invention.
Fig. 5 is a flowchart of the judgment step in the network security protection method of the present invention.
Fig. 6 is a flowchart of the processing step in the network security protection method of the present invention.
Fig. 7 is a flowchart of non-secure user handling in the network security protection method of the present invention.
Detailed description
The network security protection system and method of the present invention are implemented on an existing network system, which generally includes:
Broadband Access Server (BAS): mainly completes user access, usually via access methods such as xDSL/LAN/HFC (x digital subscriber line / local area network / hybrid fiber-coaxial network).
Authentication server: AAA is short for Authentication, Authorization and Accounting, and provides a consistent framework for configuring these three security functions. AAA is usually implemented with the Remote Authentication Dial-In User Service protocol (Radius). The authentication server is a PC or network device implementing the Radius protocol, which cooperates with the broadband access server to complete user authentication, authorization and accounting.
Portal server: the portal service is a new type of service an ISP provides to users, letting users flexibly select the services that suit them by visiting the portal server, or providing related network resources (such as HTTP connections, FTP downloads, etc.).
The relationship between the broadband access server and the other servers is described in detail below.
Broadband access server and authentication server: when a user wants to establish a connection with the broadband access server in order to gain the right to access other networks (or to use certain network resources), the broadband access server acts to check the user (or the connection). The broadband access server passes the user's authentication, authorization and accounting information to the authentication server. After receiving the user's authentication request, the authentication server completes authentication and returns to the broadband access server the configuration information to be delivered to the user. The broadband access server decides, according to the result returned by the authentication server, whether the user may access the network and which resources it may access.
Broadband access server and portal server: at present the portal server mainly performs two functions. The first: after the user passes authentication, the portal server provides a web page on which the user can access services offered by the ISP (Internet Service Provider), such as VOD (Video On Demand), games, software downloads and so on. The second: before passing authentication the user visits the portal server page, which prompts for a user name and password; the portal server sends the user name and password to the broadband access server, which interacts with the authentication server to determine the user's permissions, and finally the broadband access server notifies the portal server of the authentication result.
Therefore, existing broadband access servers generally manage only user authentication and accounting, regardless of what the user does online. All network viruses are invisible to the broadband access server, which treats them merely as user data. The configuration between the broadband access server and the various servers completes user authentication and accounting, but cannot provide virus protection or defence against hackers.
Referring to Fig. 1, the network security protection system of the present invention includes:
an authentication server 1, used for network access authentication, which decides whether a user may access the network 3 according to an authentication result containing security information;
a security policy server 4, used to configure security policies (that is, to add, delete and modify them) and issue them, to judge user security, and to send the judgment result to the authentication server 1;
a broadband access server 5, used for user network access, which receives the security policy, monitors the packets of users accessing the network 3 according to it, sends the monitoring information to the security policy server 4 so that user security can be judged, and denies non-secure users access to the network 3 according to the judgment result from the authentication server 1 or the security information in the authentication result.
In this way, by using the user monitoring function of the broadband access server 5, the isolation and removal of network worms can be handled well. On the one hand, the broadband access server 5 checks user packets in real time and, via the security policy server 4, judges whether the user is infected or attacking maliciously. On the other hand, the users found in this way are isolated on their network segment and guided to disinfect, so that other users are not affected, which reduces cross and repeated infection and damage to the network.
Referring to Fig. 2, the authentication server 1 has a security attribute indicating whether a user is secure: one attribute, the security attribute, is added to the existing authentication server, taking the value "safe" or "unsafe", and the default security attribute of every user is "safe". For example, in shiva (a Radius server software), a custom attribute is added: the security attribute "Safety-State", with the value "Safe" or "Unsafe". The security attribute value on the authentication server 1 is set according to the security judgment result of the security policy server 4, and the current security attribute value is sent to the broadband access server 5.
The broadband access server 5 has a user security attribute indicating whether a user is secure, with the value "safe" or "unsafe". The broadband access server 5 sets the user security attribute value according to the received security attribute value and denies non-secure users access to the network according to that value.
By type, security policies are divided into anti-virus policies and anti-attack policies; structurally, a security policy includes: a check item, indicating what the broadband access server 5 checks; a trigger condition; and an operation, indicating the specific action the broadband access server 5 performs when the trigger condition is met. The operation means that the broadband access server 5 monitors the user's packets and, when the trigger condition is met, copies the corresponding packet to the security policy server 4 as monitoring information, and the security policy server 4 judges the user's security from that packet. Security policy items can be configured in several ways, for example by extending the ACL (Access Control List) with additional operation types. Taking detection of the Blaster worm (冲击波病毒) as an example: the check item of the Blaster security policy is defined as "check the user's packets whose protocol is TCP and whose destination port is 135"; the trigger condition is defined as "trigger when the rate of checked packets exceeds 3 per second"; and the operation is defined as "send the TCP header of the packet to the security policy server".
In addition, the network security protection system of the present invention also includes a portal server 6 for isolating non-secure users, and the broadband access server 5 directs non-secure users to the portal server 6. The portal home page tells the user that they are infected or are conducting a network attack. In the infected case the user is told that disinfection or a security patch is needed, and the patch or antivirus program is offered on the home page for download; when the user has finished (installing the patch, disinfecting, etc.), the portal server 6 performs a security assessment on the user: if the result is unsafe, the user is prompted to continue disinfecting; if safe, the portal server 6 notifies the authentication server 1 to change the user's security attribute to safe. In the network attack case the user is told to stop the attack, and further handling can follow certain rules, for example banning a user from the Internet after three consecutive network attacks. Of course, non-secure users can also be isolated without visiting the portal server 6, for example by simply forcing them offline, which likewise avoids cross and repeated infection by network viruses.
Referring to Figs. 3 to 7, the network security protection method of the present invention includes the following steps:
a security policy configuration step (see Figs. 3 and 4), in which the security policy server issues a security policy to the broadband access server; the policy can be issued in several ways, for example the security policy server connects to the broadband access server via Telnet (a standard protocol for remote connection services) and then executes configuration commands;
an authentication step (see Fig. 4), in which the user's security is checked during authentication and an authentication result carrying the user's security information is returned to the broadband access server;
a monitoring step (see Fig. 4), in which, according to the authentication result, the packets of users accessing the network are monitored according to the security policy and the monitoring information is fed back to the security policy server;
a judgment step (see Fig. 5), in which the security policy server judges user security according to the monitoring information and passes the judgment result via the authentication server;
a processing step, in which the authentication server issues the judgment result to the broadband access server, which denies non-secure users access to the network according to the judgment result.
The security policy includes: a check item, indicating what the broadband access server checks; a trigger condition; and an operation, indicating the specific action the broadband access server performs when the trigger condition is met.
The monitoring information means the user packet monitored by the broadband access server when the trigger condition is met, and the operation means copying that packet to the security policy server.
The authentication server has a security attribute indicating whether a user is secure, and the broadband access server has a user security attribute indicating whether a user is secure.
Continuing with Fig. 4, the authentication step further includes:
Step 40: the broadband access server sends an authentication request to the authentication server;
Step 41: the authentication server performs authentication and reads the user's security attribute value;
Step 42: the authentication result containing the security attribute value is returned to the broadband access server.
The monitoring step further includes:
Step 43: the broadband access server judges from the authentication result whether authentication passed;
Step 44: if authentication passed, the user security attribute is set according to the security attribute value in the authentication result; if it did not pass, the user is denied network access;
Step 45: whether the user is secure is judged from the user security attribute value;
Step 46: if not secure, network access is denied; if secure, network access is granted and the monitoring step is performed at the same time.
Step 47: the broadband access server monitors the user's packets according to the security policy; for example, as required by the "Blaster security policy item", when the user establishes a new TCP connection the BAS checks the first packet of the user's TCP stream and counts packets whose protocol type is TCP and whose destination port is 135;
Step 48: judge whether the trigger condition is met;
Step 49: when the trigger condition is met, the corresponding packet is copied to the security policy server as monitoring information; for example, when the number of such packets per second exceeds 3, the BAS sends the packet's TCP header to the security policy server. If the condition is not met, judge whether the user has gone offline; if not, return to step 45 and continue monitoring.
Referring to Fig. 5, the judgment step further includes:
Step 51: monitoring information is received;
Step 52: judge whether the user is secure; for example, when the security policy server receives the "packets with destination port 135" sent by the BAS and finds that the packet rate exceeds 10 pps, it considers the user infected with Blaster;
Step 53: if secure, no action is taken; if not secure, the authentication server is notified to set the user's security attribute to "unsafe".
Referring to Figs. 6 and 7, the processing step further includes:
Step 60: a setting request from the security policy server is received;
Step 62: the authentication server sets the security attribute value according to the security judgment result of the security policy server;
Step 63: the current security attribute value is sent to the broadband access server;
Step 64: the broadband access server sets the user security attribute value according to the received security attribute value and denies non-secure users access to the network; non-secure users are forced to access (and are only allowed to access) the portal server;
Step 65: the portal server provides infected non-secure users with antivirus tools for disinfection, and warns non-secure users conducting network attacks that such attacks are prohibited;
Step 66: a security assessment is performed on users who have disinfected;
Step 67: if secure, the authentication server is notified to set the user's security attribute to safe;
Proceed to step 61: the authentication server receives the setting request from the portal server, changes the user's security attribute to safe and issues it to the broadband access server; the broadband access server changes the user security attribute to safe and returns to the monitoring step.
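The policy structure with its Blaster example (check item, trigger, operation) and the authentication, monitoring, judgment and processing steps above, run end to end as an added Python simulation; this is example code written for this page, not the patent's or any vendor's implementation. The user names, passwords, the portal address, a one-second sliding window for the rates, and synchronous delivery of the verdict from policy server to authentication server to BAS are assumptions; the TCP/135, 3 pps and 10 pps values are the patent's own.

```python
from collections import defaultdict, deque

SAFE, UNSAFE = "Safe", "Unsafe"   # values of the custom Radius attribute Safety-State
PORTAL = "portal.example"         # assumed address of the portal server 6


class SecurityPolicy:  # check item (proto, dst port), trigger rate, policy server's verdict rate
    def __init__(self, name, proto, dst_port, trigger_pps, verdict_pps):
        self.name, self.proto, self.dst_port = name, proto, dst_port
        self.trigger_pps, self.verdict_pps = trigger_pps, verdict_pps

    def matches(self, pkt):
        return pkt["proto"] == self.proto and pkt["dst_port"] == self.dst_port


# Values from the patent's Blaster example: TCP/135, copy headers above 3 pps, Unsafe above 10 pps.
BLASTER_POLICY = SecurityPolicy("blaster", "TCP", 135, trigger_pps=3, verdict_pps=10)


def rate_last_second(stamps, now):
    """Drop timestamps older than one second; the count left is the rate in packets/s."""
    while stamps and stamps[0] <= now - 1.0:
        stamps.popleft()
    return len(stamps)


def pkt(user, ts, dst_port, dst):  # constructed packet summary: the fields the BAS checks
    return {"user": user, "ts": ts, "proto": "TCP", "dst_port": dst_port, "dst": dst}


class AuthServer:  # authentication server 1: credential check plus the Safety-State attribute
    def __init__(self, bas, passwords):
        self.bas, self.passwords = bas, passwords
        self.safety_state = defaultdict(lambda: SAFE)   # every user defaults to Safe

    def authenticate(self, user, password):           # steps 41/42
        if self.passwords.get(user) != password:
            return None                               # authentication failed
        return self.safety_state[user]                # the accept carries Safety-State

    def set_state(self, user, state):                 # steps 62/63 (and 61 on recovery)
        self.safety_state[user] = state
        self.bas.update_user_state(user, state)


class PolicyServer:  # security policy server 4: judges users from the copied headers
    def __init__(self, policy):
        self.policy, self.auth, self.copied = policy, None, defaultdict(deque)

    def receive_header(self, user, header):           # steps 51-53
        q = self.copied[user]
        q.append(header["ts"])
        if rate_last_second(q, header["ts"]) > self.policy.verdict_pps:
            self.auth.set_state(user, UNSAFE)


class BAS:  # broadband access server 5: admits users, monitors packets, quarantines
    def __init__(self, policy_server):
        self.policy_server, self.policy = policy_server, None
        self.user_state, self.matched = {}, defaultdict(deque)

    def install_policy(self, policy):                 # configuration step (Fig. 3)
        self.policy = policy

    def update_user_state(self, user, state):         # step 64
        self.user_state[user] = state

    def admit(self, auth, user, password):            # steps 40-46
        state = auth.authenticate(user, password)
        if state is not None:
            self.user_state[user] = state
        return state                                  # None, "Safe" or "Unsafe"

    def handle_packet(self, p):                       # steps 47-49 for one packet
        user, state = p["user"], self.user_state.get(p["user"])
        if state is None:
            return "denied"                           # not authenticated
        if state == UNSAFE and p["dst"] != PORTAL:
            return "quarantined"                      # only the portal is reachable
        if self.policy and self.policy.matches(p):
            q = self.matched[user]
            q.append(p["ts"])
            if rate_last_second(q, p["ts"]) > self.policy.trigger_pps:
                self.policy_server.receive_header(user, {"ts": p["ts"], "dst_port": p["dst_port"]})
                if self.user_state[user] == UNSAFE:   # the verdict may have just arrived
                    return "quarantined"
        return "forwarded"


def simulate():
    """Constructed scenario: bob sends 15 TCP/135 packets within one second, alice sends 2."""
    ps = PolicyServer(BLASTER_POLICY)
    bas = BAS(ps)
    auth = AuthServer(bas, {"alice": "alice-pw", "bob": "bob-pw"})
    ps.auth = auth
    bas.install_policy(BLASTER_POLICY)
    out = {"admit": {u: bas.admit(auth, u, u + "-pw") for u in ("alice", "bob")}}
    out["bob"] = [bas.handle_packet(pkt("bob", 10.0 + 0.05 * i, 135, "10.0.0.%d" % i)) for i in range(15)]
    out["alice"] = [bas.handle_packet(pkt("alice", 10.0 + 0.3 * i, 135, "10.0.1.1")) for i in range(2)]
    out["verdict"] = dict(auth.safety_state)
    out["bob_portal"] = bas.handle_packet(pkt("bob", 11.0, 80, PORTAL))
    auth.set_state("bob", SAFE)   # steps 66/67/61: the portal's assessment found bob clean
    out["bob_restored"] = bas.handle_packet(pkt("bob", 12.0, 80, "10.0.0.1"))
    return out
```

The fourth matching packet in a second triggers the header copy, the eleventh copied header in a second produces the Unsafe verdict, and from that packet on only the portal is reachable until the attribute is reset.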
In summary, by issuing security policies from the security policy server and then performing resource checks on the BAS for monitoring, it is easy to judge whether a user is infected or conducting a network attack, so the response can be rapid;
Users are divided into secure and non-secure users; secure users access the Internet without restriction while non-secure users can only access the portal server, which prevents non-secure users from infecting secure users;
The security policies on the security policy server can be produced in cooperation with antivirus and anti-hacker vendors, which ensures rapid and timely updates;
Users need not always follow the latest patch and virus information, which lowers the demands on users' virus knowledge;
For operators, the bandwidth shortage caused by viruses and network attacks can be resolved quickly; for viruses, charging for antivirus downloads provides a new source of profit; for hackers, relevant information about the attacker can be obtained so that further handling can follow;
For antivirus and anti-hacker vendors, providing the latest information can be charged for, achieving a win-win effect.
Claims (14)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2004100429102A CN100525184C (en) | 2004-05-27 | 2004-05-27 | Network security protecting system and method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2004100429102A CN100525184C (en) | 2004-05-27 | 2004-05-27 | Network security protecting system and method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1705262A (en) | 2005-12-07 |
| CN100525184C (en) | 2009-08-05 |
Family
ID=35577712
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2004100429102A Expired - Fee Related CN100525184C (en) | 2004-05-27 | 2004-05-27 | Network security protecting system and method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100525184C (en) |
- 2004-05-27: CN application CNB2004100429102A, granted as CN100525184C; status: not active (Expired - Fee Related)
Cited By (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100364280C (en) * | 2005-12-15 | 2008-01-23 | 杭州华三通信技术有限公司 | A method for issuing security policies |
| CN101483522B (en) * | 2008-01-09 | 2012-04-04 | 华为技术有限公司 | A method, system and device for controlling access to a trusted network |
| CN101621380B (en) * | 2008-02-29 | 2015-04-08 | 华为技术有限公司 | A terminal security state evaluation method, network equipment and system |
| CN101277308B (en) * | 2008-05-23 | 2012-04-18 | 杭州华三通信技术有限公司 | Method for insulating inside and outside networks, authentication server and access switch |
| CN101764788B (en) * | 2008-12-23 | 2013-01-30 | 迈普通信技术股份有限公司 | Safe access method based on extended 802.1x authentication system |
| CN105100053A (en) * | 2015-05-29 | 2015-11-25 | 北京奇虎科技有限公司 | Website security detection method, website security detection device and cloud monitoring system |
| CN105791264A (en) * | 2016-01-08 | 2016-07-20 | 国家电网公司 | Network security pre-warning method |
| CN107579948A (en) * | 2016-07-05 | 2018-01-12 | 华为技术有限公司 | A kind of management system of network security, method and device |
| CN107579948B (en) * | 2016-07-05 | 2022-05-10 | 华为技术有限公司 | A network security management system, method and device |
| CN109302382A (en) * | 2018-08-29 | 2019-02-01 | 山东超越数控电子股份有限公司 | A kind of construction method and system of polynary isomery storage service management platform |
| CN114244589A (en) * | 2021-12-07 | 2022-03-25 | 国网福建省电力有限公司 | Intelligent firewall and method based on AAA authentication and authorization information |
| CN116668557A (en) * | 2023-08-02 | 2023-08-29 | 苏州浪潮智能科技有限公司 | A data transmission method, system, electronic device and readable storage medium |
| CN116668557B (en) * | 2023-08-02 | 2023-11-14 | 苏州浪潮智能科技有限公司 | Data transmission method, system, electronic equipment and readable storage medium |
| CN117879974A (en) * | 2024-03-11 | 2024-04-12 | 西昌学院 | Network security protection method based on edge calculation |
| CN117879974B (en) * | 2024-03-11 | 2024-05-14 | 西昌学院 | A network security protection method based on edge computing |
Also Published As
| Publication number | Publication date |
|---|---|
| CN100525184C (en) | 2009-08-05 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US12255926B2 (en) | | System and method for providing network and computer firewall protection with dynamic address isolation to a device |
| US20230071193A1 (en) | | System and method for providing network security to mobile devices |
| US10567403B2 (en) | | System and method for providing data and device security between external and host devices |
| US9516048B1 (en) | | Contagion isolation and inoculation via quarantine |
| US8065712B1 (en) | | Methods and devices for qualifying a client machine to access a network |
| US20030191966A1 (en) | | System and method for detecting an infective element in a network environment |
| CN1833228A (en) | | Apparatus, system, method and computer program for implementing remote client integrity verification |
| CN1753364A (en) | | Method of controlling network access and its system |
| CA2680231A1 (en) | | System and method for providing data and device security between external and host devices |
| CN1705262A (en) | | Network security protecting system and method |
| CN101399786A (en) | | Method, apparatus and system for network safe transmission |
| CN100459798C (en) | | A method and system for providing security services to mobile terminals |
| CN101800754A (en) | | Method for distributing patch |
| CN1808992A (en) | | Safety management service system and execution method thereof |
| CN1571361A (en) | | Broadband access safety and control ensuring system and method thereof |
| CN1859735A (en) | | Method and system for realizing mobile terminal safety updating by association response system |
| CN1722660A (en) | | A system and method for preventing worms from spreading to the network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20090805; Termination date: 20150527 |
| | EXPY | Termination of patent right or utility model | |