Summary of the invention
The technical task of the invention is to provide a device and an implementation method for a terminal network access control system, so as to solve the problem of how to guarantee the security of such a system.
The technical task of the invention is achieved in the following manner. A device for a terminal network access control system comprises:
a management end, used to configure the policies for terminal network access in real time and to display the audit log information of network access;
a server-side, used for the transmission of configuration policies and audit information, specifically for sending the policies configured at the management end to the client and for forwarding the audit logs generated by the client to the management end;
a client, used to parse and store the policies sent by the server-side, to process packets according to the preprocessed configuration policies, to generate the corresponding audit logs from the processing results, and to send them to the server-side.
Preferably, the management end includes a policy configuration module and a message display module; the management end is implemented as a web page (a WEB address).
The policy configuration module is used to configure the policies for terminal network access in real time, which mainly includes adding, deleting or modifying the different network access policies;
The message display module is used to display the audit log information of network access.
More preferably, the server-side includes a policy transmission module, which is used to listen for policy configuration requests and to receive and process audit logs;
The policy transmission module includes a policy configuration request listening module and an audit log receiving and processing module.
More preferably, the policy configuration request listening module is used to listen for network access policy configuration commands and to send them to the client; the policy configuration request listening module maintains a network access IP list and is implemented with SOCKET programming;
The audit log receiving and processing module is used to receive the audit logs sent by the client and to parse and process them, including querying, viewing and analysing the audit logs; it does so by classifying the audit logs.
More preferably, the client includes a policy preprocessing module, a kernel function module and a policy feedback module;
The policy preprocessing module is used to parse and store the policies sent by the server-side and, when appropriate, to modify the configuration parameters of the kernel function module; the policy preprocessing module is implemented with SOCKET programming;
The kernel function module is used to process packets according to the preprocessed configuration policies; it runs in the network subsystem of the kernel;
The policy feedback module is used to generate the corresponding audit logs from the processing results of the kernel function module and to send them to the server-side.
More preferably, the kernel function module implements tracking of Linux data-flow connections on the basis of the Netfilter framework and the Linux kernel connection tracking mechanism (conntrack). Netfilter is a standard component of Linux that is integrated with the IP protocol stack: several control points (hooks) are inserted into the packet processing path of the IP stack, and processing logic inserted at a control point handles the packets passed up from the network device, so that a particular security mechanism can be realised.
More preferably, the kernel function module loads the logic corresponding to the different network configuration policies at the Netfilter control points NF_IP_LOCAL_IN and NF_IP_LOCAL_OUT; the logic embedded at NF_IP_LOCAL_IN mainly handles connections from illegal terminals, and the logic at NF_IP_LOCAL_OUT is used to monitor the connections actively initiated by the terminal. (In kernels from 2.6.25 onwards these hooks are named NF_INET_LOCAL_IN and NF_INET_LOCAL_OUT; the NF_IP_* names survive only in the user-space headers.)
In the Linux kernel connection tracking mechanism, every packet that enters the network stack is attached to a connection tracking entry, a struct nf_conn; all packets of the same flow are attached to the same entry, so the packets of a flow can be handled as a whole, which greatly reduces repeated and unnecessary processing and raises packet processing speed. A member is added to struct nf_conn to record the connection attributes of each flow and the processing state of the kernel function module. (Adding a member to struct nf_conn means rebuilding the conntrack core; the in-tree alternatives for per-flow state are the connection mark, ct->mark with CONFIG_NF_CONNTRACK_MARK, and a conntrack extension registered through the nf_ct_ext API.)
The basic principle of the Linux connection tracking mechanism is that each packet, after entering the kernel, is linked to the entry of its flow. The kernel function module therefore finds the member added to struct nf_conn directly, stores the processing state and result in that member when it handles the first packet of a flow, and on the following packets decides from those values whether to drop the packet, let it pass, or continue with further processing. By extending and using the Linux connection tracking mechanism in this way, the kernel function module improves network throughput.
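The flow-level decision described above, as an added example that is not the patent's code: a user-space C model of the hook logic of the kernel function module. It uses no kernel API; the hook names HOOK_LOCAL_IN and HOOK_LOCAL_OUT, the flow_entry structure standing in for the member added to struct nf_conn, the whitelist addresses and the sample packets are all assumptions, and it treats the outbound hook as enforcing the IP list as well as logging, which the text leaves open. What it shows is the point of the conntrack extension: only the first packet of a flow consults the policy, every later packet of that flow, in either direction and at either hook, reuses the cached state, and one audit record is produced per flow rather than per packet.

```c
/* Added example (not the patent's code): a user-space model of the client's
 * flow-based control logic. Hook names, the flow-table layout, the whitelist
 * and the sample packets are assumptions; the real Netfilter API, struct
 * nf_conn and the kernel hook signature are not used here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum hook    { HOOK_LOCAL_IN, HOOK_LOCAL_OUT };        /* stand-ins for NF_INET_LOCAL_IN/OUT */
enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };  /* stand-ins for NF_DROP/NF_ACCEPT */
enum flow_state { FLOW_NEW = 0, FLOW_ALLOWED, FLOW_BLOCKED };

struct pkt { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };

/* Models the member the patent adds to struct nf_conn: per-flow decision state. */
struct flow_entry {
    struct pkt key;            /* 5-tuple of the first packet seen */
    enum flow_state state;     /* decision reused by every later packet of the flow */
    enum hook origin;          /* hook at which the flow was first seen */
    unsigned long packets;
};

#define MAX_FLOWS 64
static struct flow_entry flows[MAX_FLOWS];
static int nflows;
static int audit_count;        /* records handed to the policy feedback module */
static char audit_last[96];

/* Constructed sample whitelist (authorized terminals), host byte order. */
static const uint32_t whitelist[] = { 0x0A000001u /* 10.0.0.1 */, 0x0A000002u /* 10.0.0.2 */ };

static int ip_authorized(uint32_t ip)
{
    for (size_t i = 0; i < sizeof whitelist / sizeof whitelist[0]; i++)
        if (whitelist[i] == ip) return 1;
    return 0;
}

/* Find the flow entry for a packet in either direction, creating it on first sight. */
static struct flow_entry *flow_lookup(const struct pkt *p)
{
    for (int i = 0; i < nflows; i++) {
        const struct pkt *k = &flows[i].key;
        if (k->proto != p->proto) continue;
        int orig  = k->saddr == p->saddr && k->daddr == p->daddr && k->sport == p->sport && k->dport == p->dport;
        int reply = k->saddr == p->daddr && k->daddr == p->saddr && k->sport == p->dport && k->dport == p->sport;
        if (orig || reply) return &flows[i];
    }
    if (nflows == MAX_FLOWS) return NULL;
    struct flow_entry *f = &flows[nflows++];
    memset(f, 0, sizeof *f);
    f->key = *p;
    return f;
}

static void audit(const char *what, const struct pkt *p)
{
    audit_count++;
    snprintf(audit_last, sizeof audit_last, "%s %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u", what,
             p->saddr >> 24, (p->saddr >> 16) & 255u, (p->saddr >> 8) & 255u, p->saddr & 255u, (unsigned)p->sport,
             p->daddr >> 24, (p->daddr >> 16) & 255u, (p->daddr >> 8) & 255u, p->daddr & 255u, (unsigned)p->dport);
}

/* Hook body: only the first packet of a flow consults the policy; later packets
 * (including replies seen at the other hook) reuse the cached state. */
enum verdict hook_fn(enum hook h, const struct pkt *p)
{
    struct flow_entry *f = flow_lookup(p);
    if (!f) return VERDICT_DROP;                     /* table full: fail closed */
    f->packets++;
    if (f->state == FLOW_NEW) {
        f->origin = h;
        /* LOCAL_IN: the remote peer initiated and must be an authorized terminal.
         * LOCAL_OUT: this terminal initiates; the destination is checked and the
         * connection is logged (assumption: outbound is enforced, not only observed). */
        uint32_t peer = (h == HOOK_LOCAL_IN) ? p->saddr : p->daddr;
        f->state = ip_authorized(peer) ? FLOW_ALLOWED : FLOW_BLOCKED;
        audit(f->state == FLOW_ALLOWED ? (h == HOOK_LOCAL_IN ? "accept-in" : "accept-out")
                                       : (h == HOOK_LOCAL_IN ? "drop-in" : "drop-out"), p);
    }
    return f->state == FLOW_ALLOWED ? VERDICT_ACCEPT : VERDICT_DROP;
}

int flow_count(void) { return nflows; }
int audit_records(void) { return audit_count; }
const char *last_audit(void) { return audit_last; }
void flow_table_reset(void) { nflows = 0; audit_count = 0; audit_last[0] = 0; }

int main(void)
{
    struct pkt syn   = { 0x0A000001u, 0x0A000064u, 40000, 22, 6 };  /* 10.0.0.1 -> this host (10.0.0.100) */
    struct pkt reply = { 0x0A000064u, 0x0A000001u, 22, 40000, 6 };  /* reply, seen at LOCAL_OUT */
    struct pkt rogue = { 0xC0A80105u, 0x0A000064u, 51000, 22, 6 };  /* 192.168.1.5, not listed */
    printf("syn   %d\n", hook_fn(HOOK_LOCAL_IN, &syn));
    printf("reply %d (same flow, no new audit record)\n", hook_fn(HOOK_LOCAL_OUT, &reply));
    printf("rogue %d\n", hook_fn(HOOK_LOCAL_IN, &rogue));
    printf("flows=%d audits=%d last=%s\n", flow_count(), audit_records(), last_audit());
    return 0;
}
```

In a real module the cached state would live in the conntrack entry returned by nf_ct_get() inside the hook function, so the flow_lookup() of the model disappears; the reply packet of an accepted inbound connection is then recognised at LOCAL_OUT through the same entry without a second policy decision.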
More preferably, the client's policy processing, in which the policies sent by the server-side are parsed and stored, packets are processed according to the preprocessed configuration policies, and the corresponding audit logs are generated from the processing results and sent to the server-side, proceeds in the following steps:
1. The policy preprocessing module responds to the policy configuration command of the server-side by starting a SOCKET and listening on a port;
2. When the server-side has successfully connected to that port, it sends the corresponding configuration command to the policy preprocessing module;
3. The policy preprocessing module receives the configuration command and parses it;
4. According to the parse result, the user policy storage structure or the parameters of the kernel function module are modified, and when appropriate the parameters of the kernel function module are reconfigured;
5. The kernel function module processes packets according to the preprocessed configuration policy;
6. The policy feedback module generates the corresponding audit log from the processing result of the kernel function module and sends it to the server-side.
More preferably, the management end, server-side and client transmit data in the following detailed process:
(1) the policy configuration module of the management end transmits data to the policy transmission module of the server-side;
(2) the policy transmission module of the server-side transmits data to the policy preprocessing module of the client;
(3) the policy preprocessing module of the client transmits data to the kernel function module of the client;
(4) the kernel function module of the client transmits data to the policy feedback module of the client;
(5) the policy feedback module of the client transmits data to the policy transmission module of the server-side;
(6) the policy transmission module of the server-side transmits data to the message display module of the management end, which completes the display of the message.
An implementation method of a terminal network access control system, the steps of which are as follows:
S1. After the client program is installed on the terminal, it registers and submits the terminal's basic information to the server, which stores it in the database; the management end audits the terminal's network access, assigns or modifies its network access policies, and notifies the server-side;
S2. The server-side queries the database and generates the network access control policy IP list, which contains only the IP addresses of the terminals authorized to be accessed and the authorized whitelist IP addresses;
S3. The server-side notifies the client to update the network access control IP list;
S4. The client judges whether the source IP address and the destination IP address are in the IP list:
1. if so, step S5 is executed;
2. if not, the client is forbidden to update the network access control IP list;
S5. The client updates the network access control IP list locally and controls network access according to the IP list.
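Steps S4 and S5, together with steps 3 and 4 of the client procedure above, as an added C example that is not the patent's code. The list format (one dotted quad per line), the function names and the sample addresses are assumptions; in particular the example reads S4 as checking the update's source address (the server-side) and destination address (this terminal) against the list that would be installed, and it refuses the whole update when any line fails to parse, so a malformed update can never leave a partial list in force. A caveat a practitioner would want: an address check alone does not authenticate the server-side, because the sender of a forged or replayed update chooses its own source address, so the channel between server-side and client still needs authentication, which the text does not address.

```c
/* Added example (not the patent's code): client-side handling of an IP-list
 * update, modelled on steps S4 and S5. List format, names and addresses are
 * assumptions; the socket transport of steps 1-2 is omitted and the list text
 * is passed in directly. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LIST 128
struct ip_list { uint32_t ip[MAX_LIST]; int n; };

/* Parse a dotted quad into a host-order uint32_t; returns 0 on malformed input. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

int list_contains(const struct ip_list *l, uint32_t ip)
{
    for (int i = 0; i < l->n; i++)
        if (l->ip[i] == ip) return 1;
    return 0;
}

/* Build a list from the newline-separated text sent by the server-side.
 * Any unparsable line, or an overlong list, rejects the whole update (fail closed). */
int list_parse(const char *text, struct ip_list *l)
{
    char buf[4096];
    if (strlen(text) >= sizeof buf) return 0;
    strcpy(buf, text);
    l->n = 0;
    for (char *tok = strtok(buf, "\r\n"); tok; tok = strtok(NULL, "\r\n")) {
        if (l->n == MAX_LIST) return 0;
        if (!parse_ipv4(tok, &l->ip[l->n])) return 0;
        l->n++;
    }
    return l->n > 0;
}

/* Step S4: install the new list only if the source address of the update
 * (the server-side) and its destination (this terminal) both appear in it;
 * otherwise refuse the update and keep the list currently in force. */
int apply_update(struct ip_list *current, const char *text, uint32_t src, uint32_t dst)
{
    struct ip_list fresh;
    if (!list_parse(text, &fresh)) return 0;
    if (!list_contains(&fresh, src) || !list_contains(&fresh, dst)) return 0;
    *current = fresh;                      /* step S5: update the local list */
    return 1;
}

/* Step S5: a connection is allowed only when both endpoints are listed. */
int access_allowed(const struct ip_list *l, uint32_t src, uint32_t dst)
{
    return list_contains(l, src) && list_contains(l, dst);
}

int main(void)
{
    /* Constructed sample: 10.0.0.50 is the server-side, 10.0.0.1 is this terminal. */
    const char *update = "10.0.0.1\n10.0.0.2\n10.0.0.50\n";
    struct ip_list current = { {0}, 0 };
    uint32_t server, self, rogue;
    parse_ipv4("10.0.0.50", &server);
    parse_ipv4("10.0.0.1", &self);
    parse_ipv4("192.168.1.5", &rogue);
    printf("genuine update accepted: %d\n", apply_update(&current, update, server, self));
    printf("update from unlisted sender accepted: %d\n", apply_update(&current, "10.0.0.9\n", rogue, self));
    printf("installed entries: %d\n", current.n);
    printf("10.0.0.1 <-> 10.0.0.50 allowed: %d\n", access_allowed(&current, self, server));
    printf("192.168.1.5 -> 10.0.0.1 allowed: %d\n", access_allowed(&current, rogue, self));
    return 0;
}
```

The new list is parsed into a separate structure and copied over the installed one only after the S4 check passes, so the list the kernel function module enforces is never in a half-updated state while an update is being validated.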
The device and implementation method for a terminal network access control system of the invention have the following advantage: by extending and using the Linux kernel connection tracking mechanism, the invention improves the network throughput and packet processing performance of the kernel function module, so that the kernel function module can perform network access control on a per-flow basis, which guarantees the security of the terminal network access control system.
Embodiment 1:
As shown in Fig. 1, the device for a terminal network access control system of the invention mainly comprises a management end, a server-side and a client. The management end is used to configure the policies for terminal network access in real time and to display the audit log information of network access; the server-side is used for the transmission of configuration policies and audit information, specifically for sending the policies configured at the management end to the client and for forwarding the audit logs generated by the client to the management end; the client is used to parse and store the policies sent by the server-side, to process packets according to the preprocessed configuration policies, to generate the corresponding audit logs from the processing results, and to send them to the server-side.
The management end includes a policy configuration module and a message display module, and is implemented as a web page (a WEB address). The policy configuration module is used to configure the policies for terminal network access in real time, which mainly includes adding, deleting or modifying the different network access policies; the formulation of the configuration policies is the focus of the implementation. The message display module is used to display the audit log information of network access.
The server-side includes a policy transmission module, which listens for policy configuration requests and receives and processes audit logs; it consists of a policy configuration request listening module and an audit log receiving and processing module. The policy configuration request listening module listens for network access policy configuration commands and sends them to the client; it maintains a network access IP list and is implemented with SOCKET programming. The audit log receiving and processing module receives the audit logs sent by the client and parses and processes them, including querying, viewing and analysing the audit logs; it does so by classifying the audit logs.
The client includes a policy preprocessing module, a kernel function module and a policy feedback module. The policy preprocessing module parses and stores the policies sent by the server-side and, when appropriate, modifies the configuration parameters of the kernel function module; it is implemented with SOCKET programming. The kernel function module processes packets according to the preprocessed configuration policies and runs in the network subsystem of the kernel. The policy feedback module generates the corresponding audit logs from the processing results of the kernel function module and sends them to the server-side.
The kernel function module implements tracking of Linux data-flow connections on the basis of the Netfilter framework and the Linux kernel connection tracking mechanism (conntrack). Netfilter is a standard component of Linux that is integrated with the IP protocol stack: several control points (hooks) are inserted into the packet processing path of the IP stack, and processing logic inserted at a control point handles the packets passed up from the network device, so that a particular security mechanism can be realised. The kernel function module loads the logic corresponding to the different network configuration policies at the Netfilter control points NF_IP_LOCAL_IN and NF_IP_LOCAL_OUT (named NF_INET_LOCAL_IN and NF_INET_LOCAL_OUT in kernels from 2.6.25 onwards); the logic embedded at NF_IP_LOCAL_IN mainly handles connections from illegal terminals, and the logic at NF_IP_LOCAL_OUT monitors the connections actively initiated by the terminal. In the Linux kernel connection tracking mechanism, every packet that enters the network stack is attached to a connection tracking entry, a struct nf_conn; all packets of the same flow are attached to the same entry, so the packets of a flow can be handled as a whole, which greatly reduces repeated and unnecessary processing and raises packet processing speed. A member is added to struct nf_conn to record the connection attributes of each flow and the processing state of the kernel function module. The basic principle of the connection tracking mechanism is that each packet, after entering the kernel, is linked to the entry of its flow; the kernel function module therefore finds the added member directly, stores the processing state and result in it when handling the first packet of a flow, and on the following packets decides from those values whether to drop the packet, let it pass, or continue with further processing. By extending and using the Linux connection tracking mechanism in this way, the kernel function module improves network throughput.
The client's policy processing, in which the policies sent by the server-side are parsed and stored, packets are processed according to the preprocessed configuration policies, and the corresponding audit logs are generated from the processing results and sent to the server-side, proceeds in the following steps:
1. The policy preprocessing module responds to the policy configuration command of the server-side by starting a SOCKET and listening on a port;
2. When the server-side has successfully connected to that port, it sends the corresponding configuration command to the policy preprocessing module;
3. The policy preprocessing module receives the configuration command and parses it;
4. According to the parse result, the user policy storage structure or the parameters of the kernel function module are modified, and when appropriate the parameters of the kernel function module are reconfigured;
5. The kernel function module processes packets according to the preprocessed configuration policy;
6. The policy feedback module generates the corresponding audit log from the processing result of the kernel function module and sends it to the server-side.
As shown in Fig. 1, the management end, server-side and client transmit data in the following detailed process:
(1) the policy configuration module of the management end transmits data to the policy transmission module of the server-side;
(2) the policy transmission module of the server-side transmits data to the policy preprocessing module of the client;
(3) the policy preprocessing module of the client transmits data to the kernel function module of the client;
(4) the kernel function module of the client transmits data to the policy feedback module of the client;
(5) the policy feedback module of the client transmits data to the policy transmission module of the server-side;
(6) the policy transmission module of the server-side transmits data to the message display module of the management end, which completes the display of the message.
Embodiment 2:
As shown in Fig. 2, the implementation method of the terminal network access control system of the invention has the following steps:
S1. After the client program is installed on the terminal, it registers and submits the terminal's basic information to the server, which stores it in the database; the management end audits the terminal's network access, assigns or modifies its network access policies, and notifies the server-side;
S2. The server-side queries the database and generates the network access control policy IP list, which contains only the IP addresses of the terminals authorized to be accessed and the authorized whitelist IP addresses;
S3. The server-side notifies the client to update the network access control IP list;
S4. The client judges whether the source IP address and the destination IP address are in the IP list:
1. if so, step S5 is executed;
2. if not, the client is forbidden to update the network access control IP list;
S5. The client updates the network access control IP list locally and controls network access according to the IP list.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solution outside the scope of the technical solutions of the embodiments of the invention.