Technical Field
The present invention relates to the technical field of data processing, and in particular to a network access control method, device and system.
Background
With the continuous development of technology, users' need to access the network is becoming ever more common. However, enterprises need to control access to the corporate network for various purposes.
For example, employees may be prohibited from reading news, shopping online or playing games during working hours, which improves their productivity; or employees may be prevented from using the network to leak the company's core confidential files or internal documents, and external malicious users may be prevented from intruding into the company's internal network and stealing company secrets.
Therefore, as shown in Figure 1, enterprise network administrator A usually controls access to the enterprise network by configuring a blacklist and whitelist on a network control device 1 (such as a switch, router or firewall) at the egress of the enterprise network.
The inventor found that control over an enterprise's access to external networks is concentrated at the egress device of the enterprise network. However, a blacklist or whitelist usually includes several kinds of information, such as user IP addresses, domain names and URLs, and this information frequently changes as software-as-a-service (SaaS) providers upgrade or maintain their servers. If the enterprise network administrator is not notified in time to reconfigure the parameters of the network control device at the enterprise's network egress, or configures the parameters incorrectly, the enterprise network can no longer be accessed normally. It can be seen that existing enterprise network control methods are relatively cumbersome and demand a high level of skill from enterprise network administrators.
Therefore, how to provide a network access control method, device and system that both controls the network access of enterprise employees and simplifies the configuration at the enterprise network egress has become a problem for those skilled in the art to consider.
Summary of the Invention
In view of this, embodiments of the present invention provide a network access control method, device and system that both control the network access of enterprise employees and simplify the configuration at the enterprise network egress.
To achieve the above objective, embodiments of the present invention provide the following technical solutions:
A network access control system, comprising a client, a network control device, a proxy server and a service server, wherein:
the client sends a network access request to the network control device, the network access request including address information of the service server to be accessed and target address information, the target address information being the address information of a pre-configured proxy server;
the network control device determines whether the target address information belongs to a first whitelist and, if so, sends the network access request to the proxy server corresponding to the target address information, the first whitelist comprising a list of address information of proxy servers that are allowed to be accessed;
the proxy server determines whether the address information of the service server to be accessed belongs to a second whitelist and, if so, sends the network access request to the service server to be accessed, the second whitelist comprising a list of address information of service servers that are allowed to be accessed.
A network access control method, comprising:
receiving a network access request sent by a network control device, the network access request including address information of the service server to be accessed and target address information, the target address information being the address information of a pre-configured proxy server;
wherein the network access request is one whose target address information belongs to a first whitelist, the first whitelist comprising a list of address information of proxy servers that are allowed to be accessed;
determining whether the address information of the service server to be accessed belongs to a second whitelist and, if so, sending the network access request to the service server to be accessed, the second whitelist comprising a list of address information of service servers that are allowed to be accessed.
A network access control device, comprising:
a first receiving module, configured to receive a network access request sent by a network control device, the network access request including address information of the service server to be accessed and target address information, the target address information being the address information of a pre-configured proxy server;
wherein the network access request is one whose target address information belongs to a first whitelist, the first whitelist comprising a list of address information of proxy servers that are allowed to be accessed;
a judging module, configured to determine whether the address information of the service server to be accessed belongs to a second whitelist and, if so, to send the network access request to the service server to be accessed, the second whitelist comprising a list of address information of service servers that are allowed to be accessed.
It can be seen that the network access control system provided by this embodiment only requires the address information and port of the proxy server in use to be configured on the network control device, and the address information and ports of the service servers allowed to be accessed to be configured on the proxy server, which simplifies the configuration of the network control device by enterprise network administrators.
Description of the Drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are merely embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from the provided drawings without creative effort.
Figure 1 is a schematic diagram of an application interface in the prior art;
Figure 2 is a structural block diagram of a network access control system provided by an embodiment of the present invention;
Figure 3 is a signalling flowchart of a network access control system provided by an embodiment of the present invention;
Figure 4 is a signalling flowchart of another network access control system provided by an embodiment of the present invention;
Figure 5 is a schematic structural diagram of a network access control device provided by an embodiment of the present invention;
Figure 6 is a schematic structural diagram of another network access control device provided by an embodiment of the present invention;
Figure 7 is a schematic structural diagram of another network access control device provided by an embodiment of the present invention;
Figure 8 is a schematic structural diagram of another network access control device provided by an embodiment of the present invention;
Figure 9 is a schematic structural diagram of another network access control device provided by an embodiment of the present invention;
Figure 10 is a block diagram of the hardware structure of a network access control device provided by an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
An embodiment of the present invention provides a network access control system comprising a client, a network control device, a proxy server and a service server. The client sends a network access request to the network control device; the network control device determines whether the target address information belongs to a first whitelist and, if so, sends the network access request to the proxy server corresponding to the target address information. The proxy server determines whether the address information of the service server to be accessed belongs to a second whitelist and, if so, sends the network access request to the service server to be accessed. It can be seen that the network access method provided by the present invention only requires the address information and port of the proxy server in use to be configured on the network control device, and the address information and ports of the service servers allowed to be accessed to be configured on the proxy server, which simplifies the configuration of the network control device by enterprise network administrators.
Please refer to Figure 2, which is a structural block diagram of a network access control system provided by an embodiment of the present invention. The network access control method provided by the embodiment can be implemented on the system shown in Figure 2. Referring to Figure 2, the network access control system provided by the embodiment may include a client 2, a network control device 1, a proxy server 3 and a service server 4.
The client 2 may be at least one client device used by enterprise employee B to send service requests, such as a notebook, desktop computer, tablet or mobile phone through which an employee can access the Internet. The network control device 1 may be a device located at the egress of the enterprise network, such as a switch, router or firewall. The proxy server may be a further server located between the network control device 1 and the service server 4.
Usually, when an enterprise employee browses a web page, the client accesses the service server as needed, and after receiving the page access request the service server sends the information of the destination site back to the client for the user to view.
With a proxy server in use, however, when an enterprise employee wants to access some site resource, the client first sends the page access request to the proxy server, and the proxy server then fetches the requested information and returns it to the client. It should be noted that user identity authentication and network access control can be performed on the proxy server side.
The service server 4 may be a single server, a server group made up of several servers, or a cloud computing service centre; the service server 4 is used to download network data resources, for example game data or software application data (QQ, WeChat and so on).
Specifically, based on the system shown in Figure 2, Figure 3 shows the signalling flowchart of the network access control system provided by an embodiment of the present invention. The system includes the client 2, the network control device 1, the proxy server 3 and the service server 4, and the signalling interaction may include the following steps:
Step S100: the client sends a network access request to the network control device.
The network access request may include the address information of the client, the address information of the service server to be accessed, the data content to be transmitted and the target address information, where the target address information is the address information of the proxy server. It should be noted that in this embodiment, an enterprise employee who uses the client to access the network must pre-configure the information of the proxy server to be used. Thus, when the client sends a network access request, it preprocesses the original request: on top of the client address information, the address information of the service server to be accessed and the data content contained in the original request, it adds information about the proxy server, such as the proxy server's address information.
Step S101: the network control device determines whether the target address information satisfies a first preset condition and, if so, sends the network access request to the proxy server corresponding to the target address information.
It should be noted that before the network control device is used, an enterprise network administrator must configure a whitelist on it. However, the whitelist in this solution differs from the whitelist of the prior art: here it only needs to be a list of the address information of the proxy servers that are allowed to be used, whereas the prior-art whitelist must hold the address information, port information and similar data of every service server that is allowed to be accessed. Depending on the kinds of service involved, the prior-art whitelist configured on the network control device contains many entries. For example, if an enterprise allows its clients to access Tencent Video, QQ and WeChat, the prior-art whitelist must record at least the address and port information of the service servers corresponding to Tencent Video, to QQ and to WeChat.
Naturally, the more network services an enterprise allows, the more service server address information its network administrators must add to the whitelist of the network control device. Since there are many kinds of service, enterprise network administrators have correspondingly more whitelist data to manage and maintain. From the service provider's side, service servers are updated and upgraded at any time in order to provide better service, and the address information and ports of the corresponding service servers may change. This requires the enterprise network administrators to change the address and port information of the corresponding service server in the whitelist of the network control device, otherwise that service server can no longer be accessed normally.
In this embodiment, by contrast, the enterprise's network administrators only need to configure the address information of the proxy server in the whitelist. The network control device then determines whether the target address information sent by the client is the address information of an allowed proxy server recorded in its whitelist. If so, the network control device releases the network access request, that is, forwards it to the proxy server corresponding to the target address information. If the target address information sent by the client does not belong to the address information of allowed proxy servers recorded in the whitelist of the network control device, the network control device may simply discard the network access request or return a response indicating an access error to the client. Of course, other preset actions may also be performed; these can be set according to the actual needs of the enterprise.
It is worth mentioning that in this step, when the network control device determines that the target address information sent by the client belongs to the address information of allowed proxy servers recorded in its whitelist, it must forward the network access request to the proxy server corresponding to the target address information. Since the request is being sent from inside the enterprise to the outside, the client's address and port information can be replaced with the address and port information of the network control device, that is, the IP addresses in the local area network are unified into a single public IP address that the enterprise presents externally. For example, client 2a has IP address "10.168.23.100" and port "1000", and client 2b has IP address "10.168.23.99" and port "1000"; for either client 2a or client 2b, when the target address information in its network access request belongs to the whitelist, the IP address information in the request is translated into the IP address information of the network control device. At the same time, a tracking entry is recorded that holds the mapping between the client's address information and the address information of the network control device.
Step S102: the proxy server determines whether the address information of the service server to be accessed satisfies a second preset condition and, if so, sends the network access request to the service server to be accessed.
After receiving the network access request, the proxy server parses it. As described above, on the client side the network access request may include the address information of the client, the address information of the service server to be accessed, the data content to be transmitted and the target address information, where the target address information is the address information of the proxy server. However, after passing through the enterprise's network control device, the client address information in the request has been translated into the address information of the network control device; that is, at this point the network access request includes the address information of the network control device, the address information of the service server to be accessed and the data content to be transmitted.
Then, when the proxy server determines that the address information of the service server to be accessed belongs to the address information of allowed service servers recorded in the proxy server's whitelist, it must forward the network access request to the service server corresponding to that address information.
If the proxy server determines that the address information of the service server to be accessed does not belong to the address information of allowed service servers recorded in its whitelist, the proxy server may simply discard the network access request, or return a response indicating an access error to the network control device, which then forwards the response to the client.
In summary, it can be seen that the network access control system provided by this embodiment only requires the address information and port of the proxy server in use to be configured on the network control device, and the address information and ports of the service servers allowed to be accessed to be configured on the proxy server, which simplifies the configuration of the network control device by enterprise network administrators. Because the whitelist of allowed service server address information is configured on the proxy server, once the SaaS provider's service servers have been upgraded or maintained, only the SaaS provider's own staff need to update and replace the whitelist on the proxy server, which guarantees that the whitelist is updated promptly and accurately without any action by the enterprise network administrators. When the network control devices of several enterprises use the same proxy server and the address information of some service server changes, the address information corresponding to that service server in the whitelists of the different enterprises on the proxy server only needs to be changed once. For example, the proxy server corresponding to the network control device of enterprise A is proxy server A, and the proxy server corresponding to the network control device of enterprise B is also proxy server A; the whitelist enterprise A needs to maintain includes QQ and WeChat, and the whitelist enterprise B needs to maintain includes QQ and Tencent Video. When the service server corresponding to QQ is upgraded and its address information changes, the proxy server simply replaces the address of the QQ service server accordingly, with no action required from the enterprise network administrators. In the prior art, the network administrators of enterprise A would have to replace the address information of the QQ service server in the whitelist of their network control device, and the network administrators of enterprise B would likewise have to replace the QQ service server address information in the whitelist of their network control device, which is more complicated.
Another embodiment of the present application describes the data feedback flow of the network access system. Referring to Figure 4, the signalling interaction includes:
Step S103: the service server to be accessed generates feedback data based on the data content to be transmitted and sends the feedback data to the proxy server.
Step S104: the proxy server looks up, according to the second mapping table, the address information of the network control device corresponding to the proxy server's address information, and sends the feedback data to the network control device found in this way.
Step S105: the network control device looks up, according to the first mapping table, the address information of the client corresponding to the network control device's address information, and sends the feedback data to the client found in this way.
It should be noted that the data feedback process can be understood as returning along the original path. Since both the network control device and the proxy server have already filtered the address information they received against their whitelists during the network access, the address information does not need to be compared against the whitelists again when the data is returned. The feedback data is finally sent to the client.
Specifically, this embodiment gives a concrete example of the network access control system provided by the present invention. Suppose the network control device is a switch and assume:
a. the client's address in the enterprise's internal network is "10.168.23.100", port 1000;
b. the egress network address of the enterprise network is "183.61.38.179", port 1001;
c. the network address of the SaaS proxy server is 180.149.32.47, port 8080; it supports SOCKS V5 and requires no account authentication;
d. the network address of SaaS service server 1 is 140.205.94.189, port 443;
e. the domain name of SaaS service server 2 is b.qq.com, port 80.
Based on the above address information, the network access flow is as follows:
1. The SaaS provider configures the network access whitelist on the proxy server, roughly as follows:
Target server whitelist:
ip: 140.205.94.189, port: 443;
domain name: b.qq.com, port: 80;
The exact form depends on the configuration conventions of the actual proxy server; the meaning of the above configuration is that a packet is a legitimate packet when its destination address matches one of the whitelist entries.
2. The enterprise administrator logs into the management page of the enterprise's switch and configures a whitelist roughly as follows:
Target server whitelist:
ip: 180.149.132.47, port: 8080;
3. Company employees configure the SaaS application client to use the proxy server, roughly as follows:
Network settings:
Type: SOCKS V5, address: 180.149.32.47, port 8080.
4. The client needs to send the content "Hello" to SaaS service server 1 (140.205.94.189:443). The original packet contains the following information: source address 10.168.23.100, port 1000, destination address 140.205.94.189, port 443, and the packet content "Hello". Because proxy use is configured, every packet on the client is wrapped in an additional layer on top of the original packet that adds the proxy server's information (including the target address 180.149.32.47, port 8080, the proxy protocol version and so on). The new packet is instead sent to the proxy server's network address (180.149.32.47:8080).
5. The switch examines the destination address of the new packet. Because its destination network address (180.149.32.47:8080) is already configured in the whitelist, the packet is considered legitimate and is allowed through. Because the data is being sent from inside the enterprise network to the outside, a NAT address translation is required: the source port number (1000) and private source IP address (10.168.23.100) in the packet are translated into the switch's own port number (1001) and public IP address (183.61.38.179), the packet is then sent to the destination host on the external network (180.149.32.47:8080), and a tracking entry (10.168.23.100:1000--183.61.38.179:1001) is recorded in the address translation mapping table. The new source address is valid and unique on the Internet and can be correctly located.
6. After receiving the data request, the proxy server parses out the real packet body, which contains the translated new source address 183.61.38.179, new port 1001, destination address 140.205.94.189, port 443, and the packet content "Hello". Because the destination address and port combination (140.205.94.189:443) is in the whitelist, the packet is judged legitimate and can be forwarded normally to the destination address. The proxy server replaces the source address in the packet with 180.149.32.47 and the port with 1002, and records the mapping (183.61.38.179:1001--180.149.32.47:1002). In the new packet, the sender information is thus entirely replaced with that of the proxy server.
7.当SAAS服务的业务服务器处理上述数据后,需要给客户端返回数据“Reply”,会组织相关数据包,包括以下内容(源地址140.205.94.189,端口443,目标地址为代理服务器地址180.149.32.47,端口8080,以及包文内容“Reply”)。7. After the business server of the SAAS service processes the above data, it needs to return the data "Reply" to the client, and will organize related data packets, including the following content (source address 140.205.94.189, port 443, destination address is the proxy server address 180.149. 32.47, port 8080, and the packet content "Reply").
8.当代理服务器收到业务服务器返回的上述数据后,会根据其内部维护的映射关系,找到实际目标网络地址,并使用实际目标地址信息替换数据包中的目标地址(即代理服务器地址),即使用(183.61.38.179:1001)。然后在服务器返回的数据上进行一层封装,加上代理服务器的信息,包括(源地址:180.149.32.47,端口8080,代理协议版本信息等)并将数据发送向目标的网络地址,即企业的出口ip地址。8. After the proxy server receives the above data returned by the business server, it will find the actual target network address according to the mapping relationship maintained internally, and replace the target address in the data packet (that is, the proxy server address) with the actual target address information. That is, use (183.61.38.179:1001). Then perform a layer of encapsulation on the data returned by the server, add the information of the proxy server, including (source address: 180.149.32.47, port 8080, proxy protocol version information, etc.) and send the data to the target network address, that is, the enterprise Export ip address.
9.上述由代理服务器返回的数据包会经过交换机,交换机判断数据包的来源地址。因为源地址为代理服务器地址,因此会被放行。类似的,这一步也同样需要经过NAT地址转换,根据映像表中的记录,将所收到数据包的端口号(1001)和公用IP地址(183.61.38.179)转换成目标主机的端口号(1000)和内部网络中目标主机的专用IP地址(10.168.23.100),并转发给目标主机。9. The data packet returned by the proxy server will pass through the switch, and the switch determines the source address of the data packet. Because the source address is a proxy server address, it will be allowed. Similarly, this step also needs to go through NAT address translation. According to the records in the mapping table, the port number (1001) and public IP address (183.61.38.179) of the received data packet are converted into the port number of the target host (1000 ) and the private IP address (10.168.23.100) of the target host in the internal network and forwarded to the target host.
10.客户端收到数据包后,会解析出真正的数据包内容,主要包括(源地址140.205.94.189,端口443,以及包文内容“Reply”),从而接收到SAAS业务服务器1返回的数据。10. After the client receives the data packet, it will analyze the real data packet content, mainly including (source address 140.205.94.189, port 443, and packet content "Reply"), thus receiving the data returned by SAAS business server 1 .
The above covers a client accessing permitted network address information. A concrete example of a client accessing network address information that is not permitted follows:
Assume that the whitelist configuration of steps 1 and 2 in case 1 has been completed.
1. A company employee configures a banned client, for example Sina Weibo, to use the proxy server, along the lines of:
Type: SOCKS V5; address: 180.149.32.47; port: 8080.
2. The client needs to send the content "Hello" to Sina Weibo business server 1 (100.100.10.10:443). The original data packet contains the following information: source address 10.168.23.100, port 8000, destination address 100.100.10.10, port 443, and packet content "Hello". Because the proxy configuration is in use, every data packet on the client is wrapped in an additional layer of encapsulation carrying the proxy server's information (destination address 180.149.32.47, port 8080, proxy protocol version information, etc.). The new data packet is instead sent to the proxy server's network address (180.149.32.47:8080).
3. As in case 1, the switch considers the request's destination address legitimate and forwards it normally.
4. After the proxy server receives the data request, it parses out the actual destination address 100.100.10.10, port 443. Because the destination address and port combination (100.100.10.10:443) is not in the whitelist, the packet is judged illegitimate and is discarded directly.
5. The client cannot receive a reply packet from Sina Weibo, so the network application is successfully restricted.
Another example:
Assume that the whitelist configuration of steps 1 and 2 in case 1 has been completed.
1. A company employee wants to use a banned client, for example a browser, but has not configured a proxy server.
2. The employee uses the browser to visit http://www.taobao.com.
3. The switch determines that the destination address (www.taobao.com) has not been configured in the whitelist, judges the request's destination address illegitimate, and discards it directly.
4. The client cannot receive a reply packet from Taobao, so the network application is successfully restricted.
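The three cases above, as an added simulation that is not part of the patent: a Switch holding the first whitelist and a NAT table, a Proxy holding the second whitelist and its own port mapping, and run_case() wrapping the request SOCKS-style and reporting where the flow ends. The proxy address 180.149.32.47:8080 is used throughout, the server's reply is addressed to the proxy's mapped port, and Packet, run_case and demo are names assumed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]  # (ip or host name, port)


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr
    payload: str
    inner: Optional["Packet"] = None  # the real request/reply when wrapped for the proxy


class Switch:
    """Network control device at the enterprise egress: first whitelist plus NAT."""

    def __init__(self, public_ip: str, whitelist) -> None:
        self.public_ip = public_ip
        self.whitelist = set(whitelist)  # allowed proxy (ip, port) pairs
        self.nat: Dict[Addr, Addr] = {}  # (public_ip, port) -> private (ip, port)
        self.next_port = 1001

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst not in self.whitelist:  # case 3: not a whitelisted proxy, drop
            return None
        public = (self.public_ip, self.next_port)
        self.next_port += 1
        self.nat[public] = pkt.src  # e.g. 183.61.38.179:1001 -> 10.168.23.100:1000
        return Packet(public, pkt.dst, pkt.payload, pkt.inner)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        private = self.nat.get(pkt.dst)
        if pkt.src not in self.whitelist or private is None:
            return None  # replies must come from a whitelisted proxy to a NAT entry
        return Packet(pkt.src, private, pkt.payload, pkt.inner)


class Proxy:
    """SAAS provider's proxy server: second whitelist plus its own source rewriting."""

    def __init__(self, ip: str, port: int, whitelist) -> None:
        self.addr = (ip, port)
        self.whitelist = set(whitelist)  # allowed business-server (ip, port) pairs
        self.mapping: Dict[Addr, Addr] = {}  # (proxy_ip, port) -> client's public addr
        self.next_port = 1002

    def forward(self, pkt: Packet) -> Optional[Packet]:
        real = pkt.inner  # unwrap the real request
        if real is None or real.dst not in self.whitelist:
            return None  # case 2: business server not whitelisted, drop
        out = (self.addr[0], self.next_port)
        self.next_port += 1
        self.mapping[out] = pkt.src  # 180.149.32.47:1002 -> 183.61.38.179:1001
        return Packet(out, real.dst, real.payload)

    def reply(self, pkt: Packet) -> Optional[Packet]:
        client_public = self.mapping.get(pkt.dst)
        if client_public is None:
            return None
        # Wrap the server's reply and send it to the enterprise egress address.
        return Packet(self.addr, client_public, pkt.payload, inner=pkt)


def business_server(pkt: Packet) -> Packet:
    """Stand-in for the SAAS business server: answers every request with "Reply"."""
    return Packet(pkt.dst, pkt.src, "Reply")


def run_case(client, server, proxy, switch, proxies) -> Tuple[str, Optional[str]]:
    """Send "Hello" from client to server; return (where the flow ended, reply payload)."""
    request = Packet(client, server, "Hello")
    if proxy is not None:  # SOCKS-style wrapping configured on the client
        request = Packet(client, proxy, "Hello", inner=request)
    egress = switch.outbound(request)
    if egress is None:
        return ("dropped_at_switch", None)
    hop = proxies.get(egress.dst)
    if hop is None:
        return ("no_such_proxy", None)
    to_server = hop.forward(egress)
    if to_server is None:
        return ("dropped_at_proxy", None)
    back = hop.reply(business_server(to_server))
    delivered = switch.inbound(back) if back is not None else None
    if delivered is None or delivered.inner is None:
        return ("lost_on_return", None)
    return ("delivered", delivered.inner.payload)


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Replay cases 1-3 with the page's addresses (values constructed for this example)."""
    proxy_addr = ("180.149.32.47", 8080)
    switch = Switch("183.61.38.179", whitelist=[proxy_addr])
    proxies = {proxy_addr: Proxy(*proxy_addr, whitelist=[("140.205.94.189", 443)])}
    client = ("10.168.23.100", 1000)
    return {
        "case1_allowed_saas": run_case(client, ("140.205.94.189", 443), proxy_addr, switch, proxies),
        "case2_blocked_at_proxy": run_case(client, ("100.100.10.10", 443), proxy_addr, switch, proxies),
        "case3_blocked_at_switch": run_case(client, ("www.taobao.com", 80), None, switch, proxies),
    }
```

Note that the switch never learns the business-server whitelist: only the proxy's address and port must be configured at the egress, which is the simplification the patent claims.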
The network access control device provided by the embodiment of the present invention is described below; the device described here corresponds to the network access control system described above, and the two may be read with reference to each other.
Fig. 5 is a structural block diagram of a network access control device provided by an embodiment of the present invention. Referring to Fig. 5, the device may include:
a first receiving module 100, configured to receive a network access request sent by the network control device, the network access request including address information of the business server to be accessed and target address information, the target address information being the address information of a pre-configured proxy server;
and the network access request being an access request whose target address information belongs to a first whitelist, the first whitelist including a list of address information of proxy servers that are allowed to be accessed;
a judging module 200, configured to judge whether the address information of the business server to be accessed belongs to a second whitelist and, if so, to send the network access request to the business server to be accessed, the second whitelist including a list of address information of business servers that are allowed to be accessed.
Optionally, as shown in Fig. 6, the device also includes:
a processing module 300, configured to replace the address information of the network control device with the target address information, and to generate a second mapping table between the address information of the network control device and the target address information.
Optionally, as shown in Fig. 7, the device also includes:
a sending module 400, configured to send the data content to be transmitted to the business server to be accessed.
Optionally, as shown in Fig. 8, the device also includes:
a second receiving module 500, configured to receive feedback data generated by the business server to be accessed based on the data content to be transmitted.
Optionally, as shown in Fig. 9, the device also includes:
a lookup module 600, configured to look up, according to the second mapping table, the address information of the network control device corresponding to the address information of the proxy server;
and to send the feedback data to the network control device found to correspond to that address information.
An embodiment of the present invention also provides a network access control apparatus, which may include the network access control device described above.
Optionally, Fig. 10 shows a block diagram of the hardware structure of the network access control apparatus. Referring to Fig. 10, the apparatus may include: a processor 1, a communication interface 2, a memory 3 and a communication bus 4;
where the processor 1, the communication interface 2 and the memory 3 communicate with one another through the communication bus 4;
optionally, the communication interface 2 may be the interface of a communication module, such as the interface of a GSM module;
the processor 1 is configured to execute a program;
the memory 3 is configured to store the program;
the program may include program code, the program code including computer operation instructions.
The processor 1 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
The memory 3 may include high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program may specifically be used to:
receive a network access request sent by the network control device, the network access request including address information of the business server to be accessed and target address information, the target address information being the address information of a pre-configured proxy server;
the network access request being an access request whose target address information belongs to a first whitelist, the first whitelist including a list of address information of proxy servers that are allowed to be accessed;
judge whether the address information of the business server to be accessed belongs to a second whitelist and, if so, send the network access request to the business server to be accessed, the second whitelist including a list of address information of business servers that are allowed to be accessed.
In summary, the embodiment of the present invention provides a network access control system including a client, a network control device, a proxy server and a business server. The client sends a network access request to the network control device; the network control device judges whether the target address information belongs to the first whitelist and, if so, sends the network access request to the proxy server corresponding to the target address information. The proxy server judges whether the address information of the business server to be accessed belongs to the second whitelist and, if so, sends the network access request to the business server to be accessed. The network access method provided by the present invention therefore only requires the address information and port of the proxy server in use to be set at the network control device, and the address information and port of the business servers allowed to be accessed to be set at the proxy server, which simplifies the configuration of the network control device by enterprise network administrators.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to across embodiments. Since the device disclosed in an embodiment corresponds to the method disclosed in that embodiment, its description is relatively brief, and the relevant parts can be found in the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above in general terms of their functions. Whether these functions are carried out in hardware or software depends on the specific application and design constraints of the technical solution. Skilled practitioners may implement the described functions in different ways for each specific application, but such implementations should not be considered to go beyond the scope of the present invention.
The steps of the methods or algorithms described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), internal memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The above description of the disclosed embodiments enables those skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the invention. Therefore, the present invention is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201611146932.2ACN108616490B (en) | 2016-12-13 | 2016-12-13 | Network access control method, device and system |
| PCT/CN2017/112080WO2018107943A1 (en) | 2016-12-13 | 2017-11-21 | Network access control method, apparatus and system |
| Publication Number | Publication Date |
|---|---|
| CN108616490Atrue CN108616490A (en) | 2018-10-02 |
| CN108616490B CN108616490B (en) | 2020-11-03 |
| Publication number | Publication date |
|---|---|
| CN108616490B (en) | 2020-11-03 |
| WO2018107943A1 (en) | 2018-06-21 |
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |