Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "when", "upon", or "in response to determining", depending on the context.
With the rapid development of the internet, and of wireless networks in particular, mobile devices that rely primarily on wireless networks have become an integral part of people's lives.
In practice, however, and especially in environments with strict intranet security requirements such as a company intranet, many employees reach the internet through the company intranet by shared access, for example by setting up a private wireless hotspot inside the intranet. Because the terminal devices behind such shared access are not under any management control, the security of the company intranet is greatly reduced.
The application provides a method for detecting shared access, in which a gateway device collects an HTTP message from a user terminal, obtains a preset identification field carried by the HTTP message, and determines the terminal type of the user terminal from that field. If the user terminal is a mobile terminal, the gateway device matches the IP address of the user terminal against the policies in a preset policy group and performs access control on the user terminal according to the matched policy. The policy group comprises a plurality of policies of different types, and the different types of policies correspond to different preconfigured IP lists.
Because the policy group comprises policies of different types, each with a matching item drawn from a different IP list, the gateway device can look up the policy that matches the IP address of the user terminal and apply the access control of that policy, thereby improving the security of the network environment.
Referring to fig. 1, fig. 1 is a flowchart illustrating a method for detecting shared access according to an exemplary embodiment of the present application, where the method for detecting shared access may include the following steps.
Step 101: the gateway device collects an HTTP message from a user terminal and obtains a preset identification field carried by the HTTP message;
step 102: the gateway device determines the terminal type of the user terminal based on the preset identification field;
step 103: if the user terminal is a mobile terminal, the gateway device matches the IP address of the user terminal against the policies in a preset policy group and performs access control on the user terminal according to the matched policy; wherein the policy group comprises a plurality of policies of different types, and the different types of policies correspond to different preconfigured IP lists.
The identification field identifies the terminal type of the user terminal, such as a mobile terminal or a PC terminal. The identification field may be the UA (User-Agent) field of the HTTP message. The UA field generally carries information such as the operating system and its version, the CPU type, the browser and its version, the browser rendering engine, the browser language, and the browser plug-ins of the user terminal, and the gateway device can identify the terminal type from this information. The UA field is set by the client, so a terminal that rewrites it can present itself as a different terminal type, and the gateway can read the field only from plaintext HTTP, not from TLS-encrypted HTTPS traffic; the classification is therefore a detection signal rather than proof of the terminal type. The identification field may also be a field added by a developer; the UA field is used here only as an example and is not a limitation.
The preset policy group may include a plurality of policies of different types. Each policy may include a matching item used for policy matching and an execution action that is performed on the matched object, such as a user terminal, once the policy matches. For example, for a white list policy the matching item may be a set of trusted IP addresses and the execution action may be forwarding the interactive packets of the user terminal.
In this embodiment, the matching items of the policies in the policy group may be IP address lists, with a different IP address list for each type of policy. For example, the policy group may include a white list policy whose matching item is a number of preconfigured trusted IP addresses, and an alarm policy whose matching item is a preset first network segment.
The policy group, its policies and their matching items and execution actions are described only by way of example and are not limited in particular.
Because the policy group comprises policies of different types, each with a matching item drawn from a different IP list, the gateway device can look up the policy matching the IP address of the user terminal and apply the corresponding access control, which improves the security of the network environment.
In implementation, the gateway device collects an HTTP message from the user terminal, obtains the preset identification field carried by the message, and determines the terminal type of the user terminal from that field.
In an optional implementation, the identification field is the UA field: the gateway device parses the HTTP message from the user terminal according to the HTTP protocol, extracts the UA field, and determines the terminal type from information carried in the UA field such as the operating system and the terminal model.
For example, the HTTP request from which the gateway device obtains the UA field may be:
GET /portal.php?wifiname=T_T&url=http%3A%2F%2F192.168.253.1%3A8087%2Fgoto HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1; m2note Build/LMY47D)
Host: freewifi.360.cn
Connection: Keep-Alive
Accept-Encoding: gzip
Here User-Agent is the UA field; "Android 5.1" gives the operating system of the user terminal and its version number, and "m2note" gives the terminal model. By parsing this request the gateway device can determine that the operating system of the user terminal is Android 5.1 and that the user terminal is a Meizu m2 note mobile terminal.
In this embodiment, if the gateway device determines that the user terminal is a PC terminal, it performs no further processing on the user terminal.
If the gateway device determines that the user terminal is a mobile terminal, it obtains the IP address of the user terminal carried in the HTTP message and matches that IP address against the policies in the preset policy group.
If the IP address of the user terminal matches any policy in the policy group, the gateway device performs on the user terminal the access control corresponding to the matched policy.
In an optional implementation, the preset policy group includes a white list policy whose priority is higher than that of the other policies in the group. The matching item of the white list policy includes trusted IP addresses preconfigured by the developer, and its execution action includes a forwarding action, that is, forwarding the interactive packets of a user terminal whose IP address is a trusted IP address.
During policy matching, the gateway device first matches the IP address of the user terminal against the white list policy. If the IP address matches any trusted IP address in the white list matching item, the interactive packets of the user terminal are forwarded. If it matches none of the trusted IP addresses, the IP address is further matched against the other policies in the policy group.
In an alternative implementation, the other policies in the policy group are an alarm policy and a blocking policy. The matching item of the alarm policy includes a first network segment preconfigured by the network administrator, and its execution action includes an alarm action. The matching item of the blocking policy includes a second network segment preconfigured by the network administrator, and its execution action includes blocking the forwarding of the interactive packets of the user terminal.
If the IP address of the user terminal matches none of the trusted IP addresses in the white list matching item, the gateway device matches it against the alarm policy and the blocking policy.
If the IP address of the user terminal belongs to the preset first network segment in the alarm policy matching item, the gateway device determines that the IP address matches the alarm policy and performs the alarm action, for example by sending alarm information to the network administrator through a Web access control page or an access control client for the network administrator.
If the IP address of the user terminal belongs to the preset second network segment in the blocking policy matching item, the gateway device determines that the IP address matches the blocking policy and blocks packet forwarding for the user terminal for a preset duration.
To make it easier for the network administrator to manage and control access terminals, the network administrator may configure the policies, check the status information of the user terminal behind each online IP address, manage each online IP address, and so on, through an access control client or through the interactive interface of an access control Web page.
The network administrator configures the policies according to actual requirements, for example configuring the white list matching item with a plurality of trusted IP addresses, the alarm policy matching item with a first network segment, and the blocking policy matching item with a second network segment.
During configuration, the network administrator sets the trusted IP addresses, the first network segment and the second network segment according to actual requirements. For example, the IP addresses of mobile terminals approved by the company may be set as trusted IP addresses, and a network segment with strict intranet security requirements, such as that of a research and development department, may be set as the second network segment. A trusted IP address may or may not belong to the first or second network segment; because the white list policy has the highest priority, a trusted address that lies inside either segment is still forwarded.
The gateway device may also identify suspicious network segments from the traffic collected on each segment and its historical trend, and set an identified suspicious segment as the first or the second network segment.
The policies and the IP lists of their matching items are described here only by way of example and are not limited in particular.
In addition, the network administrator can set a duration for the execution action of the blocking policy through the access control client or the access control Web page, so that the blocking action is not executed permanently.
In this embodiment, after the IP address of the user terminal has matched any policy in the policy group, the gateway device may add the IP address to an online list, which holds the IP addresses of online user terminals, so that the network administrator can manage and control them.
The network administrator may manage and control the IP addresses in the online list through the access control client or the access control Web page, for example freezing an IP address in the online list so that it can no longer exchange packets, unfreezing a frozen IP address, or setting an IP address in the online list as a trusted IP address and adding it to the trusted IP list. The network administrator can also check information such as the online status of each user terminal in the online list, so that accessed user terminals can be managed and controlled more effectively.
To let the administrator review the detection result for each accessed user terminal, the gateway device may, after processing the HTTP message of the user terminal according to the execution action of the matched policy, generate a log file corresponding to that execution action and display it through the access control client or the visual interface of the access control Web page.
The following describes the detection method of the shared access in detail by using a specific example.
Assume that the preset policy group includes a white list policy, an alarm policy and a blocking policy, and that the white list policy has a higher priority than the alarm policy and the blocking policy. The matching item of the white list policy includes trusted IP addresses preconfigured by the developer and its execution action is a forwarding action; the matching item of the alarm policy includes a first network segment preconfigured by the network administrator and its execution action is an alarm action; the matching item of the blocking policy includes a second network segment preconfigured by the network administrator and its execution action is blocking the forwarding of the interactive messages of the user terminal.
According to actual requirements, the network administrator sets the first network segment of the alarm policy matching item to 168.192.1.0-168.192.1.127, the second network segment of the blocking policy matching item to 168.192.2.0-168.192.2.63, the blocking duration to 60 minutes, and the trusted IP addresses to 168.192.1.5, 168.192.1.8 and so on.
Suppose there are four user terminals, A to D. User terminal A is a PC terminal with IP address 168.192.1.220; user terminal B is a mobile terminal with IP address 168.192.1.5; user terminal C is a mobile terminal with IP address 168.192.1.125; user terminal D is a mobile terminal with IP address 168.192.2.32.
The gateway device collects the HTTP messages from the user terminals and determines the four user terminals and their terminal types from the UA fields of those messages.
The gateway device determines that user terminal A is a PC terminal and that user terminals B to D are mobile terminals. It therefore performs no processing on user terminal A and matches the IP addresses of user terminals B to D against the policies in the preset policy group.
The gateway device matches the IP address of user terminal B against the white list policy and finds that it equals the trusted IP address 168.192.1.5 in the white list matching item, so the interactive messages of user terminal B are forwarded, even though 168.192.1.5 also lies within the first network segment.
The gateway device matches the IP address of user terminal C against the white list policy. Since 168.192.1.125 matches no trusted IP address in the white list matching item, the gateway device further matches it against the alarm policy and the blocking policy.
Since 168.192.1.125 lies within the first network segment 168.192.1.0-168.192.1.127, the IP address of user terminal C matches the alarm policy and the gateway device sends alarm information to the network administrator.
The gateway device matches the IP address of user terminal D against the white list policy. Since 168.192.2.32 matches no trusted IP address in the white list matching item, the gateway device further matches it against the alarm policy and the blocking policy.
Since 168.192.2.32 lies within the second network segment 168.192.2.0-168.192.2.63, the IP address of user terminal D matches the blocking policy and the gateway device blocks the forwarding of the interactive messages of user terminal D for 60 minutes.
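As an added example (not code from this application or from any product implementing it), the following Python sketch ties together the UA extraction from the captured request shown earlier, the terminal-type judgement of step 102, the white list, alarm and blocking matching of step 103 with white list priority, the timed block, and the four-terminal walk-through just given. The request bytes, the PC User-Agent string, the list of mobile markers, the regular expression that pulls the Android version and model out of the UA field, and the in-memory expiry table are all assumptions that the application does not specify. The segment helper additionally rejects an inverted range, the kind of configuration typo that would otherwise make a blocking segment match nothing.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample: the request shown earlier on this page, re-typed as raw HTTP/1.1 with CRLFs.
SAMPLE_REQUEST = (
    b"GET /portal.php?wifiname=T_T&url=http%3A%2F%2F192.168.253.1%3A8087%2Fgoto HTTP/1.1\r\n"
    b"User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1; m2note Build/LMY47D)\r\n"
    b"Host: freewifi.360.cn\r\nConnection: Keep-Alive\r\nAccept-Encoding: gzip\r\n\r\n"
)
# Constructed sample for a PC terminal; the UA string is assumed, not taken from the page.
PC_REQUEST = (b"GET / HTTP/1.1\r\nHost: intranet.example\r\n"
              b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0\r\n\r\n")
# Assumed UA substrings marking a mobile terminal (the page shows only the Android/Dalvik case).
MOBILE_MARKERS = ("android", "dalvik", "iphone", "ipad", "mobile")
ANDROID_RE = re.compile(r"Android\s+([\d.]+);\s*([^;)]+?)\s*(?:Build/|\))")
Segment = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]  # inclusive address range

def extract_user_agent(raw: bytes) -> Optional[str]:
    """Step 101: the UA field of a raw HTTP request, or None if the header is absent."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("latin-1")
    return None

def classify_terminal(ua: Optional[str]) -> str:
    """Step 102: 'mobile', 'pc' or 'unknown'. The UA is client-supplied, so a terminal
    that rewrites it is misclassified; treat the result as a signal, not proof."""
    if not ua:
        return "unknown"
    return "mobile" if any(m in ua.lower() for m in MOBILE_MARKERS) else "pc"

def android_details(ua: str) -> Optional[Tuple[str, str]]:
    """(OS version, terminal model) from an Android UA, e.g. ('5.1', 'm2note')."""
    m = ANDROID_RE.search(ua)
    return (m.group(1), m.group(2)) if m else None

def segment(first: str, last: str) -> Segment:
    """Build a segment, rejecting an inverted range that would otherwise silently match nothing."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if a > b:
        raise ValueError(f"inverted network segment {first}-{last}")
    return a, b

@dataclass
class PolicyGroup:
    trusted: Set[ipaddress.IPv4Address]  # white list matching item, highest priority
    alarm_segment: Segment               # first network segment -> alarm action
    block_segment: Segment               # second network segment -> block action
    block_seconds: int                   # preset blocking duration

    def match(self, ip: ipaddress.IPv4Address) -> str:
        """Execution action of the highest-priority policy whose matching item holds ip."""
        if ip in self.trusted:
            return "forward"
        if self.alarm_segment[0] <= ip <= self.alarm_segment[1]:
            return "alarm"
        if self.block_segment[0] <= ip <= self.block_segment[1]:
            return "block"
        return "no-match"

@dataclass
class Gateway:
    policies: PolicyGroup
    blocked_until: Dict[ipaddress.IPv4Address, float] = field(default_factory=dict)  # assumed

    def handle(self, src_ip: str, raw: bytes, now: float) -> str:
        """Step 103 for one request seen at time `now` (seconds); returns the action taken."""
        ip = ipaddress.IPv4Address(src_ip)
        if self.blocked_until.get(ip, 0.0) > now:
            return "dropped"  # an earlier block is still in force; expired entries are overwritten
        ua = extract_user_agent(raw)
        if classify_terminal(ua) != "mobile":
            return "forward"  # PC terminals are not processed further
        action = self.policies.match(ip)
        if action == "no-match":
            return "forward"  # assumption: unmatched mobile traffic passes
        if action == "block":
            self.blocked_until[ip] = now + self.policies.block_seconds
        return action

def run_page_example(now: float = 0.0) -> dict:
    """Replay the page's worked example: terminals A to D against the configured policy group."""
    gw = Gateway(PolicyGroup(
        trusted={ipaddress.IPv4Address(a) for a in ("168.192.1.5", "168.192.1.8")},
        alarm_segment=segment("168.192.1.0", "168.192.1.127"),
        block_segment=segment("168.192.2.0", "168.192.2.63"), block_seconds=60 * 60))
    return {
        "A": gw.handle("168.192.1.220", PC_REQUEST, now),      # PC terminal: not processed
        "B": gw.handle("168.192.1.5", SAMPLE_REQUEST, now),    # trusted, although inside segment 1
        "C": gw.handle("168.192.1.125", SAMPLE_REQUEST, now),  # first segment: alarm
        "D": gw.handle("168.192.2.32", SAMPLE_REQUEST, now),   # second segment: block for 60 min
        "D_again": gw.handle("168.192.2.32", SAMPLE_REQUEST, now + 10),     # still blocked
        "D_expired": gw.handle("168.192.2.32", SAMPLE_REQUEST, now + 3601),  # re-evaluated
    }
```

Calling run_page_example() reproduces the walk-through: B is forwarded because the white list outranks the first network segment that also contains 168.192.1.5, C yields the alarm action, D is blocked, a further request from D inside the 60-minute window is dropped, and a request after the window is evaluated against the policy group again. The terminal type rests entirely on a header the client chooses and that the gateway sees only in plaintext HTTP, which is why a deployment would pair this check with the administrator-side controls described above rather than rely on it alone.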
Corresponding to the foregoing embodiment of the method for detecting shared access, the present application also provides an embodiment of a device for detecting shared access.
The embodiments of the detection method and detection apparatus for shared access can be applied to a gateway device. The apparatus embodiments may be implemented by software, by hardware, or by a combination of the two. Taking software as an example, the apparatus is a logical device formed when the processor of the gateway device reads the corresponding computer program instructions from non-volatile memory into memory and runs them. In terms of hardware, fig. 2 shows the hardware structure of a gateway device on which the detection method and apparatus for shared access run; besides the processor, memory, network interface and non-volatile memory shown in fig. 2, the gateway device may include other hardware according to its actual function, which is not described again.
Referring to fig. 3, fig. 3 is a block diagram of an apparatus for detecting shared access according to an exemplary embodiment of the present application. The apparatus is applied to a gateway device and may comprise an acquisition unit 310, a determination unit 320 and a matching unit 330.
an acquisition unit 310, configured to collect an HTTP message from a user terminal and obtain a preset identification field carried in the HTTP message;
a determination unit 320, configured to determine the terminal type of the user terminal based on the preset identification field;
a matching unit 330, configured to, if the user terminal is a mobile terminal, match the IP address of the user terminal against the policies in a preset policy group and perform access control on the user terminal according to the matched policy; wherein the policy group comprises a plurality of policies of different types, and the different types of policies correspond to different preconfigured IP lists.
In an optional implementation, the preset policy group includes a white list policy; the matching item of the white list policy comprises a plurality of trusted IP addresses and its execution action comprises a forwarding action; the white list policy has a higher priority than the other policies in the policy group;
the matching unit 330 is specifically configured to match the IP address of the user terminal against the white list policy, and to forward the interactive messages of the user terminal if its IP address matches any trusted IP address in the white list matching item.
In another optional implementation, the policy group further includes an alarm policy and a blocking policy; the matching item of the alarm policy comprises a preset first network segment and its execution action comprises an alarm action; the matching item of the blocking policy comprises a preset second network segment and its execution action comprises a blocking forwarding action;
the matching unit 330 is further configured to match the IP address of the user terminal against the alarm policy and the blocking policy if it matches none of the trusted IP addresses in the white list matching item; to raise an alarm if the IP address belongs to the preset first network segment of the alarm policy matching item; and to block packet forwarding for the user terminal for a preset duration if the IP address belongs to the preset second network segment of the blocking policy matching item.
In another optional implementation manner, the apparatus further includes:
a generating unit 340, configured to generate a log file corresponding to the execution action after processing the message according to the execution action of the matched policy, and to output the generated log file through a preset visual interface.
In another optional implementation manner, the preset identification field is a UA field.
The implementation of the functions and actions of each unit in the above apparatus is described in detail under the corresponding steps of the above method and is not repeated here.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.