[go: up one dir, main page]

CN108616490B - Network access control method, device and system - Google Patents

Network access control method, device and system Download PDF

Info

Publication number
CN108616490B
CN108616490B CN201611146932.2A CN201611146932A CN108616490B CN 108616490 B CN108616490 B CN 108616490B CN 201611146932 A CN201611146932 A CN 201611146932A CN 108616490 B CN108616490 B CN 108616490B
Authority
CN
China
Prior art keywords
address information
control device
network
network access
accessed
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201611146932.2A
Other languages
Chinese (zh)
Other versions
CN108616490A (en
Inventor
潘林锋
罗根
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN201611146932.2A priority Critical patent/CN108616490B/en
Priority to PCT/CN2017/112080 priority patent/WO2018107943A1/en
Publication of CN108616490A publication Critical patent/CN108616490A/en
Application granted granted Critical
Publication of CN108616490B publication Critical patent/CN108616490B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281Proxies

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

本发明实施例提供了一种网络访问控制系统,包括:客户端、网络控制设备、代理服务器以及业务服务器,其中,客户端发送网络访问请求至网络控制设备,网络控制设备判断目标地址信息是否属于第一白名单,如果属于,网络控制设备将网络访问请求发送至与目标地址信息对应的代理服务器。代理服务器判断待访问的业务服务器的地址信息是否属于第二白名单,如果属于,代理服务器将网络访问请求发送至待访问的业务服务器。可见,本发明提供的网络访问方法只需要在网络控制设备处设置使用的代理服务器的地址信息以及端口,然后在代理服务器处设置允许访问的业务服务器的地址信息以及端口,简化了企业网络管理人员对网络控制设备的配置。

Figure 201611146932

An embodiment of the present invention provides a network access control system, including: a client, a network control device, a proxy server, and a service server, wherein the client sends a network access request to the network control device, and the network control device determines whether the target address information belongs to If it belongs to the first white list, the network control device sends the network access request to the proxy server corresponding to the target address information. The proxy server determines whether the address information of the service server to be accessed belongs to the second white list, and if so, the proxy server sends a network access request to the service server to be accessed. It can be seen that the network access method provided by the present invention only needs to set the address information and port of the proxy server used at the network control device, and then set the address information and port of the service server that allows access at the proxy server, which simplifies the enterprise network management personnel. Configuration of network control devices.

Figure 201611146932

Description

一种网络访问控制方法、装置及系统A network access control method, device and system

技术领域technical field

本发明涉及数据处理技术领域,具体涉及一种网络访问控制方法、装置及系统。The present invention relates to the technical field of data processing, in particular to a network access control method, device and system.

背景技术Background technique

随着科技的不断发展,用户对网络的访问需求越来越普遍。但,企业出于一些目的,需要对公司网络的访问进行控制。With the continuous development of science and technology, users' access needs to the network are becoming more and more common. However, enterprises need to control access to the corporate network for some purposes.

如,禁止企业员工在工作时间上网看新闻、网络购物、玩游戏等,进而提高企业员工的工作效率;又如,禁止企业员工利用网络对公司核心机密文件、公司内部文档等进行泄漏,或者防止外部恶意用户入侵公司的内部网络,盗取公司机密。For example, corporate employees are prohibited from reading news, online shopping, playing games, etc. online during working hours, thereby improving the work efficiency of corporate employees; another example, corporate employees are prohibited from using the Internet to leak the company's core confidential documents, internal company documents, etc., or prevent External malicious users invade the company's internal network and steal company secrets.

因此,如图1所示,企业网络管理人员A通常是通过在企业网络的出口处的网络控制设备1(如交换机、路由器、防火墙等)设置黑白名单来进行对企业网络访问的控制。Therefore, as shown in FIG. 1 , the enterprise network administrator A usually controls the access to the enterprise network by setting a black and white list on the network control device 1 (such as a switch, router, firewall, etc.) at the exit of the enterprise network.

发明人发现,企业对外网访问的控制均集中在企业网络的出口设备处,然而,黑白名单通常包括用户IP、域名、网址等多种信息,这些信息会随着软件运营(SAAS)服务商的服务器升级或维护而经常发生变化,一旦未及时通知给企业网络管理人员对企业的网络出口处的网络控制设备的参数进行重新设置,或者将参数设置错误,就会导致企业网络不能正常访问。可见,现有的企业网络控制方式较为麻烦,对企业网络管理人员的技能要求较高。The inventor found that the control of enterprise external network access is concentrated at the exit device of the enterprise network. However, the black and white list usually includes various information such as user IP, domain name, and website address. The server is frequently changed due to upgrade or maintenance. Once the network management personnel of the enterprise are not notified in time to reset the parameters of the network control device at the network exit of the enterprise, or the parameters are set incorrectly, the enterprise network cannot be accessed normally. It can be seen that the existing enterprise network control method is relatively troublesome, and requires higher skills for enterprise network administrators.

因此,如何提供一种网络访问控制方法、装置及系统,既能实现对企业员工的网络控制,又能简化企业网络出口处的设置,成为了本领域技术人员需要考虑的问题。Therefore, how to provide a network access control method, device and system, which can not only realize the network control of enterprise employees, but also simplify the setting of the enterprise network exit has become a problem to be considered by those skilled in the art.

发明内容SUMMARY OF THE INVENTION

有鉴于此,本发明实施例提供一种网络访问控制方法、装置及系统,既能实现对企业员工的网络控制,又能简化企业网络出口处的设置。In view of this, the embodiments of the present invention provide a network access control method, device and system, which can not only realize network control of enterprise employees, but also simplify the settings at the enterprise network exit.

为实现上述目的,本发明实施例提供如下技术方案:To achieve the above purpose, the embodiments of the present invention provide the following technical solutions:

一种网络访问控制系统,包括:客户端、网络控制设备、代理服务器以及业务服务器,A network access control system includes: a client, a network control device, a proxy server and a service server,

所述客户端发送网络访问请求至网络控制设备,所述网络访问请求包括:待访问的业务服务器的地址信息以及目标地址信息,所述目标地址信息为预先配置的代理服务器的地址信息;The client sends a network access request to the network control device, where the network access request includes: address information of the service server to be accessed and target address information, where the target address information is the address information of the pre-configured proxy server;

所述网络控制设备判断所述目标地址信息是否属于第一白名单,如果属于,所述网络控制设备将所述网络访问请求发送至与所述目标地址信息对应的代理服务器,所述第一白名单包括允许访问的代理服务器的地址信息的列表;The network control device determines whether the target address information belongs to the first whitelist, and if so, the network control device sends the network access request to the proxy server corresponding to the target address information, and the first whitelist The list includes a list of address information of proxy servers that are allowed to be accessed;

所述代理服务器判断所述待访问的业务服务器的地址信息是否属于第二白名单,如果属于,所述代理服务器将所述网络访问请求发送至所述待访问的业务服务器,所述第二白名单包括允许访问的业务服务器的地址信息的列表。The proxy server determines whether the address information of the service server to be accessed belongs to the second white list, and if so, the proxy server sends the network access request to the service server to be accessed, and the second white list The list includes a list of address information of business servers that are allowed to be accessed.

一种网络访问控制方法,包括:A network access control method, comprising:

接收网络控制设备发送的网络访问请求,所述网络访问请求包括:待访问的业务服务器的地址信息以及目标地址信息,所述目标地址信息为预先配置的代理服务器的地址信息;receiving a network access request sent by a network control device, where the network access request includes: address information of a service server to be accessed and target address information, where the target address information is the address information of a preconfigured proxy server;

且,所述网络访问请求为所述目标地址信息属于第一白名单的访问请求,所述第一白名单包括允许访问的代理服务器的地址信息的列表;Moreover, the network access request is an access request in which the target address information belongs to a first whitelist, and the first whitelist includes a list of address information of proxy servers that are allowed to be accessed;

判断所述待访问的业务服务器的地址信息是否属于第二白名单,如果属于,将所述网络访问请求发送至所述待访问的业务服务器,所述第二白名单包括允许访问的业务服务器的地址信息的列表。Determine whether the address information of the service server to be accessed belongs to the second whitelist, and if so, send the network access request to the service server to be accessed, and the second whitelist includes the service server's address information that is allowed to be accessed. A list of address information.

一种网络访问控制装置,包括:A network access control device, comprising:

第一接收模块,用于接收网络控制设备发送的网络访问请求,所述网络访问请求包括:待访问的业务服务器的地址信息以及目标地址信息,所述目标地址信息为预先配置的代理服务器的地址信息;The first receiving module is configured to receive a network access request sent by a network control device, where the network access request includes: address information of a service server to be accessed and target address information, where the target address information is the address of a preconfigured proxy server information;

且,所述网络访问请求为所述目标地址信息属于第一白名单的访问请求,所述第一白名单包括允许访问的代理服务器的地址信息的列表;Moreover, the network access request is an access request in which the target address information belongs to a first whitelist, and the first whitelist includes a list of address information of proxy servers that are allowed to be accessed;

判断模块,用于判断所述待访问的业务服务器的地址信息是否属于第二白名单,如果属于,将所述网络访问请求发送至所述待访问的业务服务器,所述第二白名单包括允许访问的业务服务器的地址信息的列表。The judgment module is used for judging whether the address information of the service server to be accessed belongs to a second whitelist, and if so, sending the network access request to the service server to be accessed, and the second whitelist includes allowing A list of address information for accessed business servers.

可见,本实施例提供的网络访问控制系统,只需要在网络控制设备处设置使用的代理服务器的地址信息以及端口,然后在代理服务器处设置允许访问的业务服务器的地址信息以及端口,简化了企业网络管理人员对网络控制设备的配置。It can be seen that the network access control system provided in this embodiment only needs to set the address information and port of the proxy server used at the network control device, and then set the address information and port of the service server that is allowed to be accessed at the proxy server, which simplifies the enterprise The configuration of network control equipment by network administrators.

附图说明Description of drawings

为了更清楚地说明本发明实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据提供的附图获得其他的附图。In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the following briefly introduces the accompanying drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description are only It is an embodiment of the present invention. For those of ordinary skill in the art, other drawings can also be obtained according to the provided drawings without creative work.

图1为现有技术中的应用界面示意图;1 is a schematic diagram of an application interface in the prior art;

图2为本发明实施例提供的一种网络访问控制系统的结构框图;2 is a structural block diagram of a network access control system provided by an embodiment of the present invention;

图3为本发明实施例提供的一种网络访问控制系统的信令流程图;3 is a signaling flowchart of a network access control system provided by an embodiment of the present invention;

图4为本发明实施例提供的又一网络访问控制系统的信令流程图;4 is a signaling flowchart of another network access control system provided by an embodiment of the present invention;

图5为本发明实施例提供的网络访问控制装置的结构示意图;5 is a schematic structural diagram of an apparatus for network access control provided by an embodiment of the present invention;

图6为本发明实施例提供的又一网络访问控制装置的结构示意图;FIG. 6 is a schematic structural diagram of another network access control apparatus provided by an embodiment of the present invention;

图7为本发明实施例提供的又一网络访问控制装置的结构示意图;FIG. 7 is a schematic structural diagram of another network access control apparatus provided by an embodiment of the present invention;

图8为本发明实施例提供的又一网络访问控制装置的结构示意图;FIG. 8 is a schematic structural diagram of another network access control apparatus provided by an embodiment of the present invention;

图9为本发明实施例提供的又一网络访问控制装置的结构示意图;FIG. 9 is a schematic structural diagram of another network access control apparatus provided by an embodiment of the present invention;

图10为本发明实施例提供的网络访问控制装置的硬件结构框图。FIG. 10 is a block diagram of a hardware structure of a network access control apparatus according to an embodiment of the present invention.

具体实施方式Detailed ways

下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only a part of the embodiments of the present invention, but not all of the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.

本发明实施例提供了一种网络访问控制系统,包括:客户端、网络控制设备、代理服务器以及业务服务器,其中,客户端发送网络访问请求至网络控制设备,网络控制设备判断目标地址信息是否属于第一白名单,如果属于,网络控制设备将网络访问请求发送至与目标地址信息对应的代理服务器。代理服务器判断待访问的业务服务器的地址信息是否属于第二白名单,如果属于,代理服务器将网络访问请求发送至待访问的业务服务器。可见,本发明提供的网络访问方法只需要在网络控制设备处设置使用的代理服务器的地址信息以及端口,然后在代理服务器处设置允许访问的业务服务器的地址信息以及端口,简化了企业网络管理人员对网络控制设备的配置。An embodiment of the present invention provides a network access control system, including: a client, a network control device, a proxy server, and a service server, wherein the client sends a network access request to the network control device, and the network control device determines whether the target address information belongs to If it belongs to the first white list, the network control device sends the network access request to the proxy server corresponding to the target address information. The proxy server determines whether the address information of the service server to be accessed belongs to the second white list, and if so, the proxy server sends a network access request to the service server to be accessed. It can be seen that the network access method provided by the present invention only needs to set the address information and port of the proxy server used at the network control device, and then set the address information and port of the service server that allows access at the proxy server, which simplifies the enterprise network management personnel. Configuration of network control devices.

请参阅图2,图2为本发明实施例提供的一种网络访问控制系统的结构框图,本发明实施例提供的网络访问控制方法可基于图2所示系统实现,参照图2,本发明实施例提供的网络访问控制系统可以包括:客户端2、网络控制设备1、代理服务器3以及业务服务器4。Please refer to FIG. 2. FIG. 2 is a structural block diagram of a network access control system provided by an embodiment of the present invention. The network access control method provided by the embodiment of the present invention can be implemented based on the system shown in FIG. 2. Referring to FIG. 2, the present invention is implemented The network access control system provided by the example may include: a client 2 , a network control device 1 , a proxy server 3 and a service server 4 .

其中,客户端2可以为至少一个企业员工B用于发送业务请求的客户端设备,如笔记本、台式机、平板电脑、手机等可供企业员工上网的设备,网络控制设备1可以是位于企业网络出口处的设备,如交换机、路由器、防火墙设备等。代理服务器可以为是介于网络控制设备1和业务服务器4之间的另一台服务器。Wherein, the client 2 can be at least one client device used by the enterprise employee B to send service requests, such as laptops, desktops, tablet computers, mobile phones and other devices that can be used by enterprise employees to access the Internet, and the network control device 1 can be located on the enterprise network. Devices at the egress, such as switches, routers, firewall devices, etc. The proxy server may be another server between the network control device 1 and the service server 4 .

通常,当企业员工浏览网页的时候,客户端会根据需要去访问业务服务器,然后业务服务器接到网页访问请求后,会将目的站点的信息传送给客户端,以供用户浏览。Usually, when an enterprise employee browses a web page, the client will access the service server as needed, and then the service server will transmit the information of the destination site to the client after receiving the web page access request for the user to browse.

然而,在使用了代理服务器后,当企业员工想要访问一些站点资源的时候,客户端首先将网页访问请求发送至代理服务器,然后代理服务器去获取要访问的信息,并且将其返回给客户端。需要说明的是,在代理服务器侧,可以对用户身份进行鉴定以及实现网络访问控制等。However, after using a proxy server, when an enterprise employee wants to access some site resources, the client first sends a web page access request to the proxy server, and then the proxy server obtains the information to be accessed and returns it to the client . It should be noted that, on the proxy server side, the user identity can be authenticated and network access control can be implemented.

业务服务器4可以为单台服务器,也可以为由多台服务器组成的服务器群组或者是一个云计算服务中心,业务服务器4用于下载网络数据资源,如获取游戏数据、软件应用数据(QQ、微信等)。The business server 4 can be a single server, a server group composed of multiple servers, or a cloud computing service center. The business server 4 is used to download network data resources, such as acquiring game data, software application data (QQ, WeChat, etc.).

具体的,基于图2所示系统,图3示出了本发明实施例提供的网络访问控制系统的信令流程图,该网络访问控制系统包括:客户端2、网络控制设备1、代理服务器3以及业务服务器4,该信令交互过程可以包括:Specifically, based on the system shown in FIG. 2 , FIG. 3 shows a signaling flow chart of a network access control system provided by an embodiment of the present invention. The network access control system includes: a client 2 , a network control device 1 , and a proxy server 3 And the service server 4, the signaling interaction process may include:

步骤S100、客户端发送网络访问请求至网络控制设备。Step S100, the client sends a network access request to the network control device.

其中,网络访问请求可以包括客户端的地址信息、待访问的业务服务器的地址信息、待传输的数据内容以及目标地址信息,所述目标地址信息为代理服务器的地址信息。需要说明的是,本实施例中,企业员工在使用客户端进行网络访问时,需要预先配置使用的代理服务器的信息。这样,当客户端发送网络访问请求时,客户端会将原网络访问请求进行预处理,即将原访问请求中包含的客户端的地址信息、待访问的业务服务器的地址信息以及待传输的数据内容的基础上,对原访问请求增加代理服务器的相关信息,如增加代理服务器的地址信息。The network access request may include address information of the client, address information of the service server to be accessed, data content to be transmitted, and target address information, where the target address information is the address information of the proxy server. It should be noted that, in this embodiment, when the employee of the enterprise uses the client to access the network, the information of the proxy server to be used needs to be pre-configured. In this way, when the client sends a network access request, the client will preprocess the original network access request, that is, the address information of the client, the address information of the service server to be accessed, and the content of the data to be transmitted contained in the original access request. On the basis, the relevant information of the proxy server is added to the original access request, for example, the address information of the proxy server is added.

步骤S101、网络控制设备判断所述目标地址信息是否满足第一预设条件,如果满足,所述网络控制设备将所述网络访问请求发送至与所述目标地址信息对应的代理服务器。Step S101: The network control device determines whether the target address information satisfies a first preset condition, and if so, the network control device sends the network access request to a proxy server corresponding to the target address information.

需要说明的是,网络控制设备在使用前,需要通过企业网络管理人员对其进行白名单配置,但本方案中此处的白名单不同于现有技术中的白名单,本方案中的白名单只需为允许使用的代理服务器的地址信息的列表即可。而现有技术中的白名单需要为允许访问的所有业务服务器的地址信息、端口信息等数据。根据业务种类的不同,现有技术中网络控制设备所需配置的白名单的列表内容为多项,如某个企业允许客户端访问腾讯视频、QQ以及微信,那么,现有技术中的白名单需要至少记录腾讯视频对应的业务服务器的地址信息以及端口信息、QQ对应的业务服务器的地址信息以及端口信息、微信对应的业务服务器的地址信息以及端口信息。It should be noted that before the network control device is used, it needs to be configured with a whitelist by the enterprise network administrator. However, the whitelist in this solution is different from the whitelist in the prior art. The whitelist in this solution Just a list of address information for allowed proxy servers. However, the whitelist in the prior art needs to be data such as address information and port information of all service servers that are allowed to be accessed. According to different types of services, there are multiple whitelists that need to be configured on network control devices in the prior art. For example, if an enterprise allows clients to access Tencent Video, QQ, and WeChat, then the whitelists in the prior art It is necessary to record at least the address information and port information of the service server corresponding to Tencent Video, the address information and port information of the service server corresponding to QQ, and the address information and port information of the service server corresponding to WeChat.

当然,如果企业允许的网络访问业务越多,其网络管理人员就需要对应配置可访问的业务服务器的地址信息到当前网络控制设备的白名单中。由于业务的种类较多,企业网络管理人员需要管理和维护的白名单的数据也越多。而站在业务服务商的角度,为了提供更好的业务服务,其业务服务器会随时更新升级,相对应的业务服务器的地址信息以及端口可能改变,这就要求,企业网络管理人员对网络控制设备的白名单中的对应的业务服务器的地址信息以及端口信息进行更改,否则会造成不能正常访问该业务服务器。Of course, if the enterprise allows more network access services, its network administrator needs to configure the address information of the accessible service servers into the whitelist of the current network control device. Due to the variety of services, enterprise network administrators need to manage and maintain more whitelist data. From the perspective of business service providers, in order to provide better business services, their business servers will be updated and upgraded at any time, and the address information and ports of the corresponding business servers may change. This requires enterprise network managers to control network equipment. Change the address information and port information of the corresponding service server in the whitelist of the server, otherwise the service server cannot be accessed normally.

而,本实施例中,企业的网络管理人员只需配置白名单中的代理服务器的地址信息,然后,网络控制设备判断客户端发送的目标地址信息是否为网络控制设备的白名单中记录的允许访问的代理服务器的地址信息。如果属于,则网络控制设备将所述网络访问请求进行放行,即将所述网络访问请求发送往与所述目标地址信息对应的代理服务器。如果客户端发送的目标地址信息不属于网络控制设备的白名单中记录的允许访问的代理服务器的地址信息,那么,网络控制设备可以直接将所述网络访问请求忽略,或者返回一个表征访问错误的响应信息至所述客户端。当然,也可以执行其他预设的动作,此处,可以根据企业的实际需求,进行设定。However, in this embodiment, the network administrator of the enterprise only needs to configure the address information of the proxy server in the whitelist, and then the network control device determines whether the target address information sent by the client is the permission recorded in the whitelist of the network control device. The address information of the accessed proxy server. If yes, the network control device will release the network access request, that is, send the network access request to the proxy server corresponding to the target address information. If the target address information sent by the client does not belong to the address information of the proxy server that is recorded in the whitelist of the network control device, the network control device can directly ignore the network access request, or return a message indicating an access error. response information to the client. Of course, other preset actions can also be performed, and here, settings can be made according to the actual needs of the enterprise.

值得一提的是,在此步骤中,当网络控制设备判断客户端发送的目标地址信息属于网络控制设备的白名单中记录的允许访问的代理服务器的地址信息时,需要将所述网络访问请求发送往与所述目标地址信息对应的代理服务器。此时,由于是企业客户端的内部向企业外部发送网络访问请求的关系,可以将客户端的地址信息以及端口信息替换成网络控制设备的地址信息以及端口信息,即将局域网中的IP地址统一成企业对外的一公共IP,如客户端2a的IP地址为“10.168.23.100”,端口为“1000”,客户端2b的IP地址为“10.168.23.99”,端口为“1000”,无论是客户端2a还是客户端2b,当其网络访问请求中的目标地址信息属于白名单时,将该网络访问请求的IP地址信息转换成网络控制设备的IP地址信息。并同时记录一条跟踪信息,用于记录客户端地址信息和网络控制设备的地址信息的映射关系。It is worth mentioning that in this step, when the network control device determines that the target address information sent by the client belongs to the address information of the proxy server that is allowed to be accessed and recorded in the whitelist of the network control device, the network access request needs to be Send to the proxy server corresponding to the target address information. At this time, since the enterprise client sends the network access request to the outside of the enterprise, the address information and port information of the client can be replaced with the address information and port information of the network control device, that is, the IP addresses in the local area network are unified into the enterprise external For example, the IP address of client 2a is "10.168.23.100", the port is "1000", the IP address of client 2b is "10.168.23.99", and the port is "1000", whether it is client 2a or The client 2b, when the target address information in the network access request belongs to the white list, converts the IP address information of the network access request into the IP address information of the network control device. At the same time, a piece of tracking information is recorded for recording the mapping relationship between the client address information and the address information of the network control device.

步骤S102、代理服务器判断所述待访问的业务服务器的地址信息是否满足第二预设条件,如果满足,所述代理服务器将所述网络访问请求发送至所述待访问的业务服务器。Step S102: The proxy server determines whether the address information of the service server to be accessed satisfies a second preset condition, and if so, the proxy server sends the network access request to the service server to be accessed.

其中,代理服务器在接收到网络访问请求后,解析所述网络访问请求,上文介绍了,该网络访问请求在客户端侧可以包括:客户端的地址信息、待访问的业务服务器的地址信息、待传输的数据内容以及目标地址信息,其中,所述目标地址信息为代理服务器的地址信息。然而,该网络访问请求在经过企业的网络控制设备后,已经将自身的客户端的地址信息转换成网络控制设备的地址信息,即,此时的网络访问请求包括:网络控制设备的地址信息、待访问的业务服务器的地址信息以及待传输的数据内容。The proxy server parses the network access request after receiving the network access request. As described above, the network access request on the client side may include: address information of the client, address information of the service server to be accessed, and address information of the service server to be accessed. The transmitted data content and target address information, wherein the target address information is the address information of the proxy server. However, after the network access request has passed through the network control device of the enterprise, the address information of its own client has been converted into the address information of the network control device, that is, the network access request at this time includes: the address information of the network control device, the address information to be The address information of the accessed service server and the data content to be transmitted.

然后,代理服务器当判断待访问的业务服务器的地址信息属于代理服务器的白名单中记录的允许访问的业务服务器的地址信息时,需要将所述网络访问请求发送往与所述待访问的业务服务器的地址信息对应的业务服务器。Then, when the proxy server determines that the address information of the service server to be accessed belongs to the address information of the access-allowed service server recorded in the whitelist of the proxy server, it needs to send the network access request to the service server to be accessed. The service server corresponding to the address information.

如果代理服务器当判断待访问的业务服务器的地址信息不属于代理服务器的白名单中记录的允许访问的业务服务器的地址信息时,那么,代理服务器可以直接将所述网络访问请求忽略,或者返回一个表征访问错误的响应信息至所述网络控制设备,然后由所述网络控制设备将所述响应信息发送至所述客户端。If the proxy server determines that the address information of the service server to be accessed does not belong to the address information of the access-allowed service server recorded in the proxy server's whitelist, the proxy server can directly ignore the network access request, or return a Response information representing the access error is sent to the network control device, and then the network control device sends the response information to the client.

综上,可见,本实施例提供的网络访问控制系统,只需要在网络控制设备处设置使用的代理服务器的地址信息以及端口,然后在代理服务器处设置允许访问的业务服务器的地址信息以及端口,简化了企业网络管理人员对网络控制设备的配置。而在代理服务器处配置允许访问的业务服务器的地址信息的白名单,当SAAS服务商的业务服务器进行升级维护后,只需由SAAS服务商的专业人员对代理服务器进行白名单更新替换,保证了白名单更新的及时性和准确性,而无需企业网络管理人员做任何操作。当多个企业的网络控制设备均使用同一代理服务器时,在某一业务服务器的地址信息发生改变时,也只需对代理服务器中不同企业的白名单中与该业务服务器对应的地址信息进行统一更改。如,企业A的网络控制设备对应的代理服务器为代理服务器A,企业B的网络控制设备对应的代理服务器也为代理服务器A,企业A需要维护的白名单包括QQ和微信,企业B需要维护的白名单包括QQ和腾讯视频,那么当QQ对应的业务服务器进行升级更换地址信息后,代理服务器对应的将QQ的业务服务器的地址进行更换即可,无需企业网络管理人员做任何操作,而,现有技术则需要企业A的网络管理人员将网络控制设备的白名单中的QQ的业务服务器的地址信息进行更换,同时,企业B的网络管理人员也需要将网络控制设备的白名单的QQ对应的业务服务器的地址信息进行更换,操作较为复杂。To sum up, it can be seen that the network access control system provided by this embodiment only needs to set the address information and port of the proxy server used at the network control device, and then set the address information and port of the service server that allows access at the proxy server, It simplifies the configuration of network control equipment by enterprise network managers. The proxy server is configured with a whitelist of address information of the service servers that are allowed to be accessed. When the service server of the SAAS service provider is upgraded and maintained, it is only necessary for the professionals of the SAAS service provider to update and replace the whitelist of the proxy server, ensuring that The timeliness and accuracy of whitelist updates without any action by the enterprise network administrator. When the network control devices of multiple enterprises use the same proxy server, when the address information of a service server changes, it is only necessary to unify the address information corresponding to the service server in the whitelists of different enterprises in the proxy server. Change. For example, the proxy server corresponding to the network control device of enterprise A is proxy server A, and the proxy server corresponding to the network control device of enterprise B is also proxy server A. The whitelist that enterprise A needs to maintain includes QQ and WeChat, and the whitelist that enterprise B needs to maintain The whitelist includes QQ and Tencent Video, then when the service server corresponding to QQ is upgraded to replace the address information, the proxy server can change the address of the service server corresponding to QQ without any operation by the enterprise network administrator. If there is technology, the network administrator of enterprise A needs to replace the address information of the QQ service server in the whitelist of the network control device. It is more complicated to replace the address information of the service server.

在本申请的另一个实施例中,对该网络访问系统的数据反馈的流程进行介绍。参照图4,该信令交互过程包括:In another embodiment of the present application, a data feedback process of the network access system is introduced. Referring to Figure 4, the signaling interaction process includes:

步骤S103、所述待访问的业务服务器基于所述待传输的数据内容,生成一反馈数据,并将所述反馈数据发送往所述代理服务器。Step S103: The service server to be accessed generates feedback data based on the content of the data to be transmitted, and sends the feedback data to the proxy server.

步骤S104、所述代理服务器根据所述第二映射表,查找与所述代理服务器的地址信息对应的网络控制设备的地址信息;并将所述反馈数据发送至查找到的与所述网络控制设备的地址信息对应的网络控制设备。Step S104, the proxy server searches the address information of the network control device corresponding to the address information of the proxy server according to the second mapping table; and sends the feedback data to the network control device that has been found. The address information corresponding to the network control device.

步骤S105、所述网络控制设备根据所述第一映射表,查找与所述网络控制设备的地址信息对应的客户端的地址信息;并将所述反馈数据发送至查找到的与所述客户端的地址信息对应的客户端。Step S105, the network control device searches the address information of the client corresponding to the address information of the network control device according to the first mapping table; and sends the feedback data to the found address corresponding to the client Information corresponding to the client.

需要说明的是,在数据反馈的过程中,可以理解成沿原路返回。又由于网络访问的过程中,网络控制设备以及代理服务器均对其接收到的地址信息进行了白名单筛选,因此,在数据返回时,可以不再重复去对比当前的地址信息是否为白名单内的地址信息。最终将反馈数据发送到客户端。It should be noted that in the process of data feedback, it can be understood as returning along the original path. In the process of network access, the network control device and the proxy server have whitelisted the received address information. Therefore, when the data is returned, it is no longer necessary to repeatedly compare whether the current address information is in the whitelist. address information. Finally send the feedback data to the client.

具体的,本实施例提供一个采用本发明提供的网络访问控制系统的实例进行详细介绍,如网络控制设备为交换机,假定:Specifically, this embodiment provides an example of using the network access control system provided by the present invention for detailed introduction. For example, if the network control device is a switch, it is assumed that:

a.客户端在企业内部网络的地址为“10.168.23.100”,端口:1000;a. The address of the client in the internal network of the enterprise is "10.168.23.100", the port: 1000;

b.企业网络的出口网络地址为“183.61.38.179”,端口1001;b. The egress network address of the enterprise network is "183.61.38.179" and port 1001;

c.SAAS服务代理服务器网络地址为:180.149.32.47,端口为:8080;支持SOCKSV5,不需要帐号验证;c. The network address of the SAAS service proxy server is: 180.149.32.47, the port is: 8080; SOCKSV5 is supported, and account verification is not required;

d.SAAS业务服务器1的网络地址为:140.205.94.189,端口为:443;d. The network address of SAAS service server 1 is: 140.205.94.189, and the port is: 443;

e.SAAS业务服务器2的域名为:b.qq.com,端口为:80The domain name of e.SAAS service server 2 is: b.qq.com, and the port is: 80

在上述地址信息的基础上,该网络访问流程如下:Based on the above address information, the network access process is as follows:

1.SAAS服务商在代理服务器上配置网络访问的白名单类似如下:1. The whitelist of network access configured by SAAS service providers on the proxy server is similar to the following:

目标服务器白名单:Target server whitelist:

ip:140.205.94.189,端口:443;ip: 140.205.94.189, port: 443;

域名:b.qq.com,端口:80;Domain name: b.qq.com, port: 80;

具体形式可以实际代理服务器的配置标准为准,上述配置的含义是当数据包发送的目标地址为白名单中的其中一条时,则为合法数据包。The specific form can be based on the configuration standard of the actual proxy server. The meaning of the above configuration is that when the destination address of the data packet is one of the whitelists, it is a legal data packet.

2.企业管理员进入本企业的企业交换机的管理页面,配置白名单类似如下:2. The enterprise administrator enters the management page of the enterprise's enterprise switch and configures the whitelist as follows:

目标服务器白名单:Target server whitelist:

ip:180.149.132.47,端口为:8080;ip: 180.149.132.47, port: 8080;

3.公司员工在SAAS应用客户端上设置使用代理服务器,配置使用代理服务器,类似如下:3. The company employees set up the proxy server on the SAAS application client, and configure the proxy server, similar to the following:

网络设置:Network settings:

类型:SOCKS V5地址:180.149.32.47端口8080。Type: SOCKS V5 Address: 180.149.32.47 Port 8080.

4.客户端需要向SAAS业务服务器1(140.205.94.189:443)发送内容“Hello”。原始数据包中会包含下述信息(源地址10.168.23.100,端口1000,目标地址140.205.94.189,端口443,以及包文内容“Hello”)。因为使用了代理服务的配置,客户端上的所有数据包都会在原有数据包上进行一层封装,加上代理服务器的相关信息(包括目标地址180.149.32.47,端口为:8080,代理协议版本信息等)。新数据包会被改为发送到代理服务器的网络地址(180.149.32.47:8080)。4. The client needs to send the content "Hello" to the SAAS service server 1 (140.205.94.189:443). The original data packet will contain the following information (source address 10.168.23.100, port 1000, destination address 140.205.94.189, port 443, and the content of the packet "Hello"). Because the configuration of the proxy service is used, all data packets on the client will be encapsulated on the original data packets, plus the relevant information of the proxy server (including the target address 180.149.32.47, port: 8080, proxy protocol version information Wait). New packets are instead sent to the proxy server's network address (180.149.32.47:8080).

5.交换机上判断上述新数据包的目标地址,因为其中的目标网络地址为(180.149.32.47:8080),在白名单中已有配置,因此认为数据包是合法数据包,允许放行。因为从企业网络的内部向外部发送数据的关系,因此需要进行NAT地址转换过程:将数据包中的源端口号(1000)和源私有IP地址(10.168.23.100)转换成交换机自己的端口号(1001)和公网的IP地址(183.61.38.179),然后将数据包发给外部网络的目的主机(180.149.32.47:8080),同时记录一条跟踪信息在地址转换映像表中(10.168.23.100:1000--183.61.38.179:1001)。其中,新的源地址在因特网上是合法的并唯一的,可以被正确的定位到。5. The switch judges the destination address of the above new data packet, because the destination network address is (180.149.32.47:8080), which has been configured in the whitelist, so the data packet is considered to be a legitimate data packet and is allowed to pass. Because the data is sent from the inside of the enterprise network to the outside, the NAT address translation process is required: the source port number (1000) and the source private IP address (10.168.23.100) in the data packet are converted into the switch's own port number ( 1001) and the IP address of the public network (183.61.38.179), then send the data packet to the destination host of the external network (180.149.32.47:8080), and record a trace information in the address translation mapping table (10.168.23.100:1000 --183.61.38.179:1001). Among them, the new source address is legal and unique on the Internet, and can be located correctly.

6.代理服务器接受到数据请求后,会解析出数据包中真正的包体数据,包括(替换后的新源地址183.61.38.179,新端口1001,目标地址140.205.94.189,端口443,以及包文内容“Hello”)。因为其中的目标地址和端口组合(140.205.94.189:443)在白名单中,因此会被判断为合法的数据包,可以被正常转发到目标地址。代理服务器会将数据包中的源地址替换为180.149.32.47,端口替换为1002,并记录映射关系(183.61.38.179:1001--180.149.32.47:1002)。新的数据包中,包的发送者信息就被完全替换成代理服务器。6. After the proxy server receives the data request, it will parse out the real packet body data in the packet, including (replaced new source address 183.61.38.179, new port 1001, destination address 140.205.94.189, port 443, and packet text) content "Hello"). Because the destination address and port combination (140.205.94.189:443) is in the whitelist, it will be judged as a legitimate data packet and can be forwarded to the destination address normally. The proxy server will replace the source address in the packet with 180.149.32.47, the port with 1002, and record the mapping relationship (183.61.38.179:1001--180.149.32.47:1002). In the new data packet, the sender information of the packet is completely replaced by the proxy server.

7.当SAAS服务的业务服务器处理上述数据后,需要给客户端返回数据“Reply”,会组织相关数据包,包括以下内容(源地址140.205.94.189,端口443,目标地址为代理服务器地址180.149.32.47,端口8080,以及包文内容“Reply”)。7. When the business server of the SAAS service processes the above data, it needs to return the data "Reply" to the client, and will organize the relevant data packets, including the following content (source address 140.205.94.189, port 443, destination address is the proxy server address 180.149. 32.47, port 8080, and the package text "Reply").

8.当代理服务器收到业务服务器返回的上述数据后,会根据其内部维护的映射关系,找到实际目标网络地址,并使用实际目标地址信息替换数据包中的目标地址(即代理服务器地址),即使用(183.61.38.179:1001)。然后在服务器返回的数据上进行一层封装,加上代理服务器的信息,包括(源地址:180.149.32.47,端口8080,代理协议版本信息等)并将数据发送向目标的网络地址,即企业的出口ip地址。8. After the proxy server receives the above data returned by the business server, it will find the actual target network address according to the mapping relationship maintained internally, and replace the target address (ie the proxy server address) in the data packet with the actual target address information, i.e. use (183.61.38.179:1001). Then perform a layer of encapsulation on the data returned by the server, add the information of the proxy server, including (source address: 180.149.32.47, port 8080, proxy protocol version information, etc.) and send the data to the target network address, that is, the enterprise's network address. Outgoing ip address.

9.上述由代理服务器返回的数据包会经过交换机,交换机判断数据包的来源地址。因为源地址为代理服务器地址,因此会被放行。类似的,这一步也同样需要经过NAT地址转换,根据映像表中的记录,将所收到数据包的端口号(1001)和公用IP地址(183.61.38.179)转换成目标主机的端口号(1000)和内部网络中目标主机的专用IP地址(10.168.23.100),并转发给目标主机。9. The above-mentioned data packets returned by the proxy server will pass through the switch, and the switch will determine the source address of the data packets. Because the source address is the proxy server address, it will be released. Similarly, this step also requires NAT address translation. According to the records in the mapping table, the port number (1001) and public IP address (183.61.38.179) of the received data packet are converted into the port number (1000) of the target host. ) and the private IP address (10.168.23.100) of the target host in the internal network, and forward to the target host.

10.客户端收到数据包后,会解析出真正的数据包内容,主要包括(源地址140.205.94.189,端口443,以及包文内容“Reply”),从而接收到SAAS业务服务器1返回的数据。10. After the client receives the data packet, it will parse out the real data packet content, mainly including (source address 140.205.94.189, port 443, and the content of the packet text "Reply"), thereby receiving the data returned by SAAS service server 1 .

上面介绍了客户端访问允许的网络地址信息的情况,现结合具体实例,提出了客户端在访问非允许的网络地址信息的案例进行介绍,如下:The above describes the situation where the client accesses the allowed network address information. Now, combined with specific examples, a case where the client is accessing the non-allowed network address information is introduced, as follows:

假定案例1中步骤1和步骤2的白名单配置已经完成。It is assumed that the whitelist configuration of steps 1 and 2 in case 1 has been completed.

1.公司员工在某款被禁用的客户端比如新浪微博上设置使用代理服务器,配置使用代理服务器,类似如下:1. Company employees set up a proxy server on a disabled client such as Sina Weibo, and configure a proxy server, similar to the following:

类型:SOCKS V5地址:180.149.32.47端口8080。Type: SOCKS V5 Address: 180.149.32.47 Port 8080.

2.客户端需要向新浪微博业务服务器1(100.100.10.10:443)发送内容“Hello”。原始数据包中会包含下述信息(源地址10.168.23.100,端口8000,目标地址100.100.10.10,端口443,以及包文内容“Hello”)。因为使用了代理服务的配置,客户端上的所有数据包都会在原有数据包上进行一层封装,加上代理服务器的相关信息(包括目标地址180.149.32.47,端口为:8080,代理协议版本信息等)。新数据包会被改为发送到代理服务器的网络地址(180.149.32.47:8080)。2. The client needs to send the content "Hello" to Sina Weibo service server 1 (100.100.10.10:443). The original data packet will contain the following information (source address 10.168.23.100, port 8000, destination address 100.100.10.10, port 443, and the content of the packet "Hello"). Because the configuration of the proxy service is used, all data packets on the client will be encapsulated on the original data packets, plus the relevant information of the proxy server (including the target address 180.149.32.47, port: 8080, proxy protocol version information Wait). New packets are instead sent to the proxy server's network address (180.149.32.47:8080).

3.类似案例1,交换机会认为该请求目标地址是合法的,会正常进行转发。3. Similar to case 1, the switch will consider the request destination address to be legal and will forward it normally.

4.代理服务器接受到数据请求后,会解析出实际目标地址100.100.10.10,端口443。因为其中的目标地址和端口组合(100.100.10.10:443)不在白名单中,因此该数据包被判定为非法数据包,会被直接丢弃。4. After the proxy server receives the data request, it will resolve the actual target address 100.100.10.10 and port 443. Because the destination address and port combination (100.100.10.10:443) is not in the whitelist, the packet is judged as an illegal packet and will be discarded directly.

5.客户端无法正常收到新浪微博的回包,因此该网络应用被成功限制住。5. The client cannot receive the reply packets from Sina Weibo normally, so the network application is successfully restricted.

又如:Another example:

假定案例1中步骤1和步骤2的白名单配置已经完成。It is assumed that the whitelist configuration of steps 1 and 2 in case 1 has been completed.

1.公司员工希望使用某款被禁用的客户端比如浏览器,但没有设置代理服务器。1. Company employees want to use a disabled client such as a browser, but no proxy server is set.

2.员工使用浏览器访问http://www.taobao.com。2. Employees use a browser to access http://www.taobao.com.

3.交换机判断其中的目标地址(www.taobao.com)没有在白名单中配置过,判定该请求目标地址是非法的,会直接进行丢弃。3. The switch determines that the destination address (www.taobao.com) has not been configured in the whitelist, and determines that the requested destination address is illegal, and will directly discard it.

4.客户端无法正常收到淘宝的回包,因此该网络应用被成功限制住。4. The client cannot receive Taobao's return packets normally, so the network application is successfully restricted.

下面对本发明实施例提供的网络访问控制装置进行介绍,下文描述的网络访问控制装置可与上文描述的网络访问控制系统相互对应参照。The following describes the network access control apparatus provided by the embodiments of the present invention. The network access control apparatus described below may refer to the network access control system described above in correspondence with each other.

图5为本发明实施例提供的网络访问控制装置的结构框图,参照图5,该装置可以包括:FIG. 5 is a structural block diagram of an apparatus for network access control provided by an embodiment of the present invention. Referring to FIG. 5, the apparatus may include:

第一接收模块100,用于接收网络控制设备发送的网络访问请求,所述网络访问请求包括:待访问的业务服务器的地址信息以及目标地址信息,所述目标地址信息为预先配置的代理服务器的地址信息;The first receiving module 100 is configured to receive a network access request sent by a network control device, where the network access request includes: address information of a service server to be accessed and target address information, where the target address information is the information of a preconfigured proxy server. Address information;

且,所述网络访问请求为所述目标地址信息属于第一白名单的访问请求,所述第一白名单包括允许访问的代理服务器的地址信息的列表;Moreover, the network access request is an access request in which the target address information belongs to a first whitelist, and the first whitelist includes a list of address information of proxy servers that are allowed to be accessed;

判断模块200,用于判断所述待访问的业务服务器的地址信息是否属于第二白名单,如果属于,将所述网络访问请求发送至所述待访问的业务服务器,所述第二白名单包括允许访问的业务服务器的地址信息的列表。The judgment module 200 is used for judging whether the address information of the service server to be accessed belongs to a second whitelist, and if so, sending the network access request to the service server to be accessed, and the second whitelist includes A list of address information for business servers that are allowed to be accessed.

可选的,如图6所示,还包括:Optionally, as shown in Figure 6, it also includes:

处理模块300,用于将所述网络控制设备的地址信息更换成所述目标地址信息,并生成所述网络控制设备的地址信息与所述目标地址信息的第二映射表。The processing module 300 is configured to replace the address information of the network control device with the target address information, and generate a second mapping table between the address information of the network control device and the target address information.

可选的,如图7所示,还包括:Optionally, as shown in Figure 7, it also includes:

发送模块400,用于将所述待传输的数据内容发送往所述待访问的业务服务器。The sending module 400 is configured to send the data content to be transmitted to the service server to be accessed.

可选的,如图8所示,还包括:Optionally, as shown in Figure 8, it also includes:

第二接收模块500,用于接收所述待访问的业务服务器基于所述待传输的数据内容生成的反馈数据。The second receiving module 500 is configured to receive feedback data generated by the service server to be accessed based on the content of the data to be transmitted.

可选的,如图9所示,还包括:Optionally, as shown in Figure 9, it also includes:

查找模块600,用于根据所述第二映射表,查找与所述代理服务器的地址信息对应的网络控制设备的地址信息;A search module 600, configured to search for the address information of the network control device corresponding to the address information of the proxy server according to the second mapping table;

并将所述反馈数据发送至查找到的与所述网络控制设备的地址信息对应的网络控制设备。and sending the feedback data to the found network control device corresponding to the address information of the network control device.

本发明实施例还提供有一种网络访问控制设备,该网络访问控制设备可以包括上述所述的网络访问控制装置。An embodiment of the present invention further provides a network access control device, and the network access control device may include the network access control apparatus described above.

可选的,图10示出了网络访问控制设备的硬件结构框图,参照图10,该网络访问控制设备可以包括:处理器1,通信接口2,存储器3和通信总线4;Optionally, FIG. 10 shows a block diagram of the hardware structure of the network access control device. Referring to FIG. 10 , the network access control device may include: a processor 1, a communication interface 2, a memory 3 and a communication bus 4;

其中处理器1、通信接口2、存储器3通过通信总线4完成相互间的通信;The processor 1, the communication interface 2, and the memory 3 complete the communication with each other through the communication bus 4;

可选的,通信接口2可以为通信模块的接口,如GSM模块的接口;Optionally, the communication interface 2 can be an interface of a communication module, such as an interface of a GSM module;

处理器1,用于执行程序;processor 1 for executing programs;

存储器3,用于存放程序;The memory 3 is used to store the program;

程序可以包括程序代码,所述程序代码包括计算机操作指令。A program may include program code including computer operating instructions.

处理器1可能是一个中央处理器CPU,或者是特定集成电路ASIC(ApplicationSpecific Integrated Circuit),或者是被配置成实施本发明实施例的一个或多个集成电路。The processor 1 may be a central processing unit CPU, or a specific integrated circuit ASIC (Application Specific Integrated Circuit), or one or more integrated circuits configured to implement the embodiments of the present invention.

存储器3可能包含高速RAM存储器,也可能还包括非易失性存储器(non-volatilememory),例如至少一个磁盘存储器。The memory 3 may include high-speed RAM memory, and may also include non-volatile memory, such as at least one disk memory.

其中,程序可具体用于:Among them, the program can be specifically used for:

接收网络控制设备发送的网络访问请求,所述网络访问请求包括:待访问的业务服务器的地址信息以及目标地址信息,所述目标地址信息为预先配置的代理服务器的地址信息;receiving a network access request sent by a network control device, where the network access request includes: address information of a service server to be accessed and target address information, where the target address information is the address information of a preconfigured proxy server;

且,所述网络访问请求为所述目标地址信息属于第一白名单的访问请求,所述第一白名单包括允许访问的代理服务器的地址信息的列表;Moreover, the network access request is an access request in which the target address information belongs to a first whitelist, and the first whitelist includes a list of address information of proxy servers that are allowed to be accessed;

判断所述待访问的业务服务器的地址信息是否属于第二白名单,如果属于,将所述网络访问请求发送至所述待访问的业务服务器,所述第二白名单包括允许访问的业务服务器的地址信息的列表。Determine whether the address information of the service server to be accessed belongs to the second whitelist, and if so, send the network access request to the service server to be accessed, and the second whitelist includes the service server's address information that is allowed to be accessed. A list of address information.

综上所述,本发明实施例提供了一种网络访问控制系统,包括:客户端、网络控制设备、代理服务器以及业务服务器,其中,客户端发送网络访问请求至网络控制设备,网络控制设备判断目标地址信息是否属于第一白名单,如果属于,网络控制设备将网络访问请求发送至与目标地址信息对应的代理服务器。代理服务器判断待访问的业务服务器的地址信息是否属于第二白名单,如果属于,代理服务器将网络访问请求发送至待访问的业务服务器。可见,本发明提供的网络访问方法只需要在网络控制设备处设置使用的代理服务器的地址信息以及端口,然后在代理服务器处设置允许访问的业务服务器的地址信息以及端口,简化了企业网络管理人员对网络控制设备的配置。To sum up, an embodiment of the present invention provides a network access control system, including: a client, a network control device, a proxy server, and a service server, wherein the client sends a network access request to the network control device, and the network control device determines Whether the target address information belongs to the first whitelist, if so, the network control device sends the network access request to the proxy server corresponding to the target address information. The proxy server determines whether the address information of the service server to be accessed belongs to the second white list, and if so, the proxy server sends a network access request to the service server to be accessed. It can be seen that the network access method provided by the present invention only needs to set the address information and port of the proxy server used at the network control device, and then set the address information and port of the service server that allows access at the proxy server, which simplifies the enterprise network management personnel. Configuration of network control devices.

本说明书中各个实施例采用递进的方式描述,每个实施例重点说明的都是与其他实施例的不同之处,各个实施例之间相同相似部分互相参见即可。对于实施例公开的装置而言,由于其与实施例公开的方法相对应,所以描述的比较简单,相关之处参见方法部分说明即可。The various embodiments in this specification are described in a progressive manner, and each embodiment focuses on the differences from other embodiments, and the same and similar parts between the various embodiments can be referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant part can be referred to the description of the method.

专业人员还可以进一步意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,能够以电子硬件、计算机软件或者二者的结合来实现,为了清楚地说明硬件和软件的可互换性,在上述说明中已经按照功能一般性地描述了各示例的组成及步骤。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本发明的范围。Professionals may further realize that the units and algorithm steps of each example described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two, in order to clearly illustrate the possibilities of hardware and software. Interchangeability, the above description has generally described the components and steps of each example in terms of function. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each particular application, but such implementations should not be considered beyond the scope of the present invention.

结合本文中所公开的实施例描述的方法或算法的步骤可以直接用硬件、处理器执行的软件模块,或者二者的结合来实施。软件模块可以置于随机存储器(RAM)、内存、只读存储器(ROM)、电可编程ROM、电可擦除可编程ROM、寄存器、硬盘、可移动磁盘、CD-ROM、或技术领域内所公知的任意其它形式的存储介质中。The steps of a method or algorithm described in conjunction with the embodiments disclosed herein may be directly implemented in hardware, a software module executed by a processor, or a combination of the two. A software module can be placed in random access memory (RAM), internal memory, read only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, removable disk, CD-ROM, or any other in the technical field. in any other known form of storage medium.

对所公开的实施例的上述说明,使本领域专业技术人员能够实现或使用本发明。对这些实施例的多种修改对本领域的专业技术人员来说将是显而易见的,本文中所定义的一般原理可以在不脱离本发明的精神或范围的情况下,在其它实施例中实现。因此,本发明将不会被限制于本文所示的这些实施例,而是要符合与本文所公开的原理和新颖特点相一致的最宽的范围。The above description of the disclosed embodiments enables any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (18)

1.一种网络访问控制系统,其特征在于,包括:客户端、网络控制设备、代理服务器以及业务服务器,1. a network access control system is characterized in that, comprising: client, network control device, proxy server and service server, 所述客户端用于,发送网络访问请求至网络控制设备,所述网络访问请求包括:待访问的业务服务器的地址信息以及目标地址信息,所述目标地址信息为预先配置的代理服务器的地址信息;The client is used to send a network access request to the network control device, where the network access request includes: address information of the service server to be accessed and target address information, where the target address information is the address information of the pre-configured proxy server ; 所述网络控制设备用于,判断所述目标地址信息是否属于第一白名单,如果属于,所述网络控制设备将所述网络访问请求的IP地址信息转换成网络控制设备的IP地址信息,将IP地址信息转换后的网络访问请求发送至与所述目标地址信息对应的代理服务器,所述第一白名单包括允许访问的代理服务器的地址信息的列表;The network control device is used to determine whether the target address information belongs to the first whitelist, and if so, the network control device converts the IP address information of the network access request into the IP address information of the network control device, and converts the target address information into the IP address information of the network control device. The network access request converted from the IP address information is sent to the proxy server corresponding to the target address information, and the first whitelist includes a list of address information of the proxy servers that are allowed to access; 所述代理服务器用于,判断所述待访问的业务服务器的地址信息是否属于第二白名单,如果属于,所述代理服务器将所述网络访问请求发送至所述待访问的业务服务器,所述第二白名单包括允许访问的业务服务器的地址信息的列表。The proxy server is used to determine whether the address information of the service server to be accessed belongs to the second whitelist, and if so, the proxy server sends the network access request to the service server to be accessed, and the proxy server sends the network access request to the service server to be accessed. The second whitelist includes a list of address information of service servers that are allowed to be accessed. 2.根据权利要求1所述的网络访问控制系统,其特征在于,所述网络访问请求还包括:客户端的地址信息,2. The network access control system according to claim 1, wherein the network access request further comprises: address information of the client, 所述网络控制设备在判断所述目标地址信息属于第一白名单后,还用于:将所述客户端的地址信息更换成所述网络控制设备的地址信息,并生成所述客户端的地址信息与所述网络控制设备的地址信息的第一映射表。After judging that the target address information belongs to the first white list, the network control device is further configured to: replace the address information of the client with the address information of the network control device, and generate the address information of the client and the address information of the client. A first mapping table of address information of the network control device. 3.根据权利要求2所述的网络访问控制系统,其特征在于,所述代理服务器在判断所述待访问的业务服务器的地址信息属于第二白名单后,还用于:3. The network access control system according to claim 2, wherein after judging that the address information of the service server to be accessed belongs to the second white list, the proxy server is also used for: 将所述网络控制设备的地址信息更换成所述目标地址信息,并生成所述网络控制设备的地址信息与所述目标地址信息的第二映射表。The address information of the network control device is replaced with the target address information, and a second mapping table between the address information of the network control device and the target address information is generated. 4.根据权利要求3所述的网络访问控制系统,其特征在于,所述网络访问请求还包括:待传输的数据内容,4. The network access control system according to claim 3, wherein the network access request further comprises: data content to be transmitted, 相应的,所述代理服务器将所述网络访问请求发送至所述待访问的业务服务器,包括:Correspondingly, the proxy server sends the network access request to the service server to be accessed, including: 所述代理服务器将所述待传输的数据内容发送往所述待访问的业务服务器。The proxy server sends the data content to be transmitted to the service server to be accessed. 5.根据权利要求4所述的网络访问控制系统,其特征在于,所述待访问的业务服务器基于所述待传输的数据内容,生成一反馈数据,并将所述反馈数据发送往所述代理服务器。5 . The network access control system according to claim 4 , wherein the service server to be accessed generates feedback data based on the content of the data to be transmitted, and sends the feedback data to the agent. 6 . server. 6.根据权利要求5所述的网络访问控制系统,其特征在于,所述代理服务器根据所述第二映射表,查找与所述代理服务器的地址信息对应的网络控制设备的地址信息;6. The network access control system according to claim 5, wherein the proxy server searches the address information of the network control device corresponding to the address information of the proxy server according to the second mapping table; 并将所述反馈数据发送至查找到的与所述网络控制设备的地址信息对应的网络控制设备。and sending the feedback data to the found network control device corresponding to the address information of the network control device. 7.根据权利要求6所述的网络访问控制系统,其特征在于,所述网络控制设备根据所述第一映射表,查找与所述网络控制设备的地址信息对应的客户端的地址信息;7. The network access control system according to claim 6, wherein the network control device searches the address information of the client corresponding to the address information of the network control device according to the first mapping table; 并将所述反馈数据发送至查找到的与所述客户端的地址信息对应的客户端。and sending the feedback data to the found client that corresponds to the address information of the client. 8.一种网络访问控制方法,其特征在于,包括:8. A network access control method, comprising: 接收网络控制设备将所述网络访问请求的IP地址信息转换成网络控制设备的IP地址信息之后,发送的IP地址信息转换后的网络访问请求,所述网络访问请求包括:待访问的业务服务器的地址信息以及目标地址信息,所述目标地址信息为预先配置的代理服务器的地址信息;After the network control device converts the IP address information of the network access request into the IP address information of the network control device, the network access request after the IP address information conversion sent by the network control device is received, and the network access request includes: the service server to be accessed. address information and target address information, where the target address information is the address information of a preconfigured proxy server; 且,所述网络访问请求为所述目标地址信息属于第一白名单的访问请求,所述第一白名单包括允许访问的代理服务器的地址信息的列表;Moreover, the network access request is an access request in which the target address information belongs to a first whitelist, and the first whitelist includes a list of address information of proxy servers that are allowed to be accessed; 判断所述待访问的业务服务器的地址信息是否属于第二白名单,如果属于,将所述网络访问请求发送至所述待访问的业务服务器,所述第二白名单包括允许访问的业务服务器的地址信息的列表。Determine whether the address information of the service server to be accessed belongs to the second whitelist, and if so, send the network access request to the service server to be accessed, and the second whitelist includes the service server's address information that is allowed to be accessed. A list of address information. 9.根据权利要求8所述的网络访问控制方法,其特征在于,在判断所述待访问的业务服务器的地址信息属于第二白名单后,还包括:9. The network access control method according to claim 8, wherein after judging that the address information of the service server to be accessed belongs to the second white list, the method further comprises: 将所述网络控制设备的地址信息更换成所述目标地址信息,并生成所述网络控制设备的地址信息与所述目标地址信息的第二映射表。The address information of the network control device is replaced with the target address information, and a second mapping table between the address information of the network control device and the target address information is generated. 10.根据权利要求9所述的网络访问控制方法,其特征在于,所述网络访问请求还包括:待传输的数据内容,10. The network access control method according to claim 9, wherein the network access request further comprises: data content to be transmitted, 相应的,所述将所述网络访问请求发送至所述待访问的业务服务器,包括:Correspondingly, the sending the network access request to the service server to be accessed includes: 将所述待传输的数据内容发送往所述待访问的业务服务器。Send the data content to be transmitted to the service server to be accessed. 11.根据权利要求10所述的网络访问控制方法,其特征在于,还包括:11. The network access control method according to claim 10, further comprising: 接收所述待访问的业务服务器基于所述待传输的数据内容生成的反馈数据。Feedback data generated by the service server to be accessed based on the content of the data to be transmitted is received. 12.根据权利要求11所述的网络访问控制方法,其特征在于,还包括:12. The network access control method according to claim 11, further comprising: 根据所述第二映射表,查找与所述代理服务器的地址信息对应的网络控制设备的地址信息;According to the second mapping table, look up the address information of the network control device corresponding to the address information of the proxy server; 并将所述反馈数据发送至查找到的与所述网络控制设备的地址信息对应的网络控制设备。and sending the feedback data to the found network control device corresponding to the address information of the network control device. 13.一种网络访问控制装置,其特征在于,包括:13. A network access control device, comprising: 第一接收模块,用于接收网络控制设备将所述网络访问请求的IP地址信息转换成网络控制设备的IP地址信息之后,发送的IP地址信息转换后的网络访问请求,所述网络访问请求包括:待访问的业务服务器的地址信息以及目标地址信息,所述目标地址信息为预先配置的代理服务器的地址信息;The first receiving module is configured to receive the network access request after the IP address information converted by the network control device after the IP address information of the network access request is converted into the IP address information of the network control device, and the network access request includes : address information and target address information of the service server to be accessed, where the target address information is the address information of the preconfigured proxy server; 且,所述网络访问请求为所述目标地址信息属于第一白名单的访问请求,所述第一白名单包括允许访问的代理服务器的地址信息的列表;Moreover, the network access request is an access request in which the target address information belongs to a first whitelist, and the first whitelist includes a list of address information of proxy servers that are allowed to be accessed; 判断模块,用于判断所述待访问的业务服务器的地址信息是否属于第二白名单,如果属于,将所述网络访问请求发送至所述待访问的业务服务器,所述第二白名单包括允许访问的业务服务器的地址信息的列表。The judgment module is used for judging whether the address information of the service server to be accessed belongs to a second whitelist, and if so, sending the network access request to the service server to be accessed, and the second whitelist includes allowing A list of address information for accessed business servers. 14.根据权利要求13所述的网络访问控制装置,其特征在于,还包括:14. The network access control device according to claim 13, further comprising: 处理模块,用于将所述网络控制设备的地址信息更换成所述目标地址信息,并生成所述网络控制设备的地址信息与所述目标地址信息的第二映射表。The processing module is configured to replace the address information of the network control device with the target address information, and generate a second mapping table between the address information of the network control device and the target address information. 15.根据权利要求14所述的网络访问控制装置,其特征在于,还包括:15. The network access control device according to claim 14, further comprising: 发送模块,用于将待传输的数据内容发送往所述待访问的业务服务器。The sending module is configured to send the data content to be transmitted to the service server to be accessed. 16.根据权利要求15所述的网络访问控制装置,其特征在于,还包括:16. The network access control device according to claim 15, further comprising: 第二接收模块,用于接收所述待访问的业务服务器基于所述待传输的数据内容生成的反馈数据。The second receiving module is configured to receive feedback data generated by the service server to be accessed based on the content of the data to be transmitted. 17.根据权利要求16所述的网络访问控制装置,其特征在于,还包括:17. The network access control device according to claim 16, further comprising: 查找模块,用于根据所述第二映射表,查找与所述代理服务器的地址信息对应的网络控制设备的地址信息;a search module, configured to search for the address information of the network control device corresponding to the address information of the proxy server according to the second mapping table; 并将所述反馈数据发送至查找到的与所述网络控制设备的地址信息对应的网络控制设备。and sending the feedback data to the found network control device corresponding to the address information of the network control device. 18.一种计算机可读存储介质,其特征在于,所述计算机可读存储介质中存储有计算机可执行程序,所述计算机可执行程序被处理器加载并执行时,实现权利要求8-12任一项所述的网络访问控制方法。18. A computer-readable storage medium, characterized in that, a computer-executable program is stored in the computer-readable storage medium, and when the computer-executable program is loaded and executed by a processor, any one of claims 8-12 is realized. A network access control method as described.
CN201611146932.2A 2016-12-13 2016-12-13 Network access control method, device and system Active CN108616490B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201611146932.2A CN108616490B (en) 2016-12-13 2016-12-13 Network access control method, device and system
PCT/CN2017/112080 WO2018107943A1 (en) 2016-12-13 2017-11-21 Network access control method, apparatus and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611146932.2A CN108616490B (en) 2016-12-13 2016-12-13 Network access control method, device and system

Publications (2)

Publication Number Publication Date
CN108616490A CN108616490A (en) 2018-10-02
CN108616490B true CN108616490B (en) 2020-11-03

Family

ID=62557918

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611146932.2A Active CN108616490B (en) 2016-12-13 2016-12-13 Network access control method, device and system

Country Status (2)

Country Link
CN (1) CN108616490B (en)
WO (1) WO2018107943A1 (en)

Families Citing this family (43)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110858173B (en) * 2018-08-23 2024-05-28 北京搜狗科技发展有限公司 A data processing method, a data processing device and a data processing device
CN109672665B (en) * 2018-11-14 2021-10-15 北京奇艺世纪科技有限公司 Access control method, device and system and computer readable storage medium
CN109842672B (en) * 2018-12-13 2022-11-11 平安普惠企业管理有限公司 Service request distribution method and device, computer equipment and storage medium
CN112527247B (en) * 2019-09-17 2024-05-14 西安诺瓦星云科技股份有限公司 LED display control system simulation method, device and system
CN112637106B (en) * 2019-09-24 2023-01-31 成都鼎桥通信技术有限公司 Method and device for terminal to access website
CN110768849B (en) * 2019-11-06 2022-08-05 深信服科技股份有限公司 Network data viewing method and system
CN111064675B (en) * 2019-11-08 2023-04-28 中移(杭州)信息技术有限公司 Access flow control method, device, network equipment and storage medium
CN110941838B (en) * 2019-11-12 2024-03-01 深圳昂楷科技有限公司 Database access method and device and electronic equipment
CN111177631A (en) * 2019-12-31 2020-05-19 苏宁云计算有限公司 Method and system for accessing intranet service by extranet platform
CN111460460B (en) * 2020-04-02 2023-12-05 北京金山云网络技术有限公司 Task access method, device, proxy server and machine-readable storage medium
CN112039869B (en) * 2020-08-27 2023-01-24 建信金融科技有限责任公司 Method, device, storage medium and equipment for establishing network access relationship
CN111913732B (en) * 2020-08-28 2023-07-11 深圳赛安特技术服务有限公司 Service updating method and device, management server and storage medium
CN112087819B (en) * 2020-09-10 2022-05-10 上海连尚网络科技有限公司 Information request method, equipment and computer readable medium
CN112134866B (en) * 2020-09-15 2024-06-14 腾讯云计算(北京)有限责任公司 Service access control method, device and system and computer readable storage medium
CN112231120B (en) * 2020-10-17 2025-02-14 广州祈阳科技有限公司 Service access method and device
CN112422429B (en) * 2020-11-18 2022-04-22 贝壳技术有限公司 Data request processing method and device, storage medium and electronic equipment
CN112702319B (en) * 2020-12-11 2023-03-24 杭州安恒信息技术股份有限公司 Access request port standardization method and device, electronic equipment and storage medium
CN112653759A (en) * 2020-12-22 2021-04-13 北京东方嘉禾文化发展股份有限公司 Network access device and control method thereof
CN112583845B (en) * 2020-12-24 2023-11-07 深信服科技股份有限公司 Access detection method, device, electronic equipment and computer storage medium
CN113225308B (en) * 2021-03-19 2022-11-08 深圳市网心科技有限公司 Network access control method, node equipment and server
CN113315772A (en) * 2021-05-29 2021-08-27 南京步锐捷电子科技有限公司 Network access control implementation method based on Internet of things
CN115913583B (en) * 2021-08-09 2025-08-22 腾讯科技(深圳)有限公司 Business data access method, device and equipment and computer storage medium
CN113890896A (en) * 2021-09-24 2022-01-04 中移(杭州)信息技术有限公司 Network access method, communication device, and computer-readable storage medium
CN113810504A (en) * 2021-09-30 2021-12-17 北京天融信网络安全技术有限公司 Transparent proxy service method and device
CN114024714A (en) * 2021-09-30 2022-02-08 山东云海国创云计算装备产业创新中心有限公司 Access request processing method and device, network card equipment and storage computing system
CN116032500B (en) * 2021-10-25 2025-08-08 腾讯科技(深圳)有限公司 Service access traffic control method, device, equipment and medium
CN114124477B (en) * 2021-11-05 2024-04-05 深圳市联软科技股份有限公司 Business service system and method
CN113938317A (en) * 2021-11-29 2022-01-14 福建瑞网科技有限公司 A network security monitoring method and computer equipment
CN114338809B (en) * 2021-12-28 2024-06-25 山石网科通信技术股份有限公司 Access control method, device, electronic equipment and storage medium
CN114401133B (en) * 2022-01-13 2023-12-01 中电福富信息科技有限公司 Equipment monitoring vulnerability detection system based on agent
CN114629704B (en) * 2022-03-14 2024-11-12 深圳须弥云图空间科技有限公司 Security implementation method, device, equipment and storage medium for collaborative design software
CN114615073B (en) * 2022-03-22 2024-07-26 广州方硅信息技术有限公司 Access flow control method and device, equipment and medium thereof
CN114598552A (en) * 2022-03-29 2022-06-07 邹瀴 Interface access control method, apparatus, electronic device and storage medium
CN114640534B (en) * 2022-03-29 2024-07-12 广州方硅信息技术有限公司 Access interception control method, device, equipment and medium thereof
CN114915497A (en) * 2022-07-13 2022-08-16 杭州云缔盟科技有限公司 Network access blocking method, device and application for Windows process
CN115694882A (en) * 2022-09-09 2023-02-03 中国电信股份有限公司 Communication method, device, electronic device and readable medium applied to telecommuting
CN115835210A (en) * 2022-11-09 2023-03-21 南京畅索软件科技有限公司 Network restriction method, device, electronic equipment and storage medium of intelligent terminal
CN115766260A (en) * 2022-11-23 2023-03-07 上海浦东发展银行股份有限公司 Method, device, equipment and storage medium for generating network access white list
CN115801868B (en) * 2022-11-29 2025-01-28 企查查科技股份有限公司 Data access method and device
CN116633617B (en) * 2023-05-23 2025-09-26 中国电信股份有限公司上海研究院 Micro-isolation protection methods and related hardware
CN120034347A (en) * 2023-11-21 2025-05-23 华为云计算技术有限公司 Message transmission method and device
CN117478423B (en) * 2023-11-30 2024-05-03 东方物通科技(北京)有限公司 Data security communication system and method
CN119520148A (en) * 2024-12-04 2025-02-25 中国农业银行股份有限公司天津市分行 A verification method and related device for network access control

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1152333C (en) * 2002-07-31 2004-06-02 华为技术有限公司 Method for realizing portal authentication based on protocols of authentication, charging and authorization
CN1271822C (en) * 2003-07-04 2006-08-23 华为技术有限公司 Method of interactive processing of user terminal network selection information in WLAN
KR20050097674A (en) * 2004-04-02 2005-10-10 삼성전자주식회사 Internet connection service method of mobile node and system thereof
CN100421374C (en) * 2005-06-01 2008-09-24 中国移动通信集团公司 Method of Office File Interaction Based on Mobile Communication Network
CN101026594A (en) * 2007-01-23 2007-08-29 张志东 Mail calling system and method
CN101374044B (en) * 2007-08-21 2010-12-15 中国电信股份有限公司 Method and system for making business engine to obtain user identification
US8555365B2 (en) * 2010-05-21 2013-10-08 Barracuda Networks, Inc. Directory authentication method for policy driven web filtering
CN102118398B (en) * 2011-03-31 2014-04-23 北京星网锐捷网络技术有限公司 Access control method, device and system
US8914883B2 (en) * 2013-05-03 2014-12-16 Fortinet, Inc. Securing email communications
CN104202307B (en) * 2014-08-15 2018-06-08 小米科技有限责任公司 Data forwarding method and device

Also Published As

Publication number Publication date
CN108616490A (en) 2018-10-02
WO2018107943A1 (en) 2018-06-21

Similar Documents

Publication Publication Date Title
CN108616490B (en) Network access control method, device and system
US11711399B2 (en) Policy enforcement for secure domain name services
CN110311929B (en) Access control method and device, electronic equipment and storage medium
US10263958B2 (en) Internet mediation
US9356928B2 (en) Mechanisms to use network session identifiers for software-as-a-service authentication
US9401962B2 (en) Traffic steering system
US9307039B2 (en) Method, system, push client, and user equipment for service communication
US8875220B2 (en) Proxy-based network access protection
US9986279B2 (en) Discovery, access control, and communication with networked services
US9973590B2 (en) User identity differentiated DNS resolution
US20170331692A1 (en) Dsitributing a Network Access Policy
WO2022247751A1 (en) Method, system and apparatus for remotely accessing application, device, and storage medium
US20100064353A1 (en) User Mapping Mechanisms
US20120173727A1 (en) Internet Access Control Apparatus, Method and Gateway Thereof
WO2022214019A1 (en) Method and apparatus for deploying network device, and device, system and storage medium
US10122828B1 (en) Geographic-aware virtual desktops
CN117118741A (en) Method and system for solving DNS hijacking based on httpDS
CN107332813A (en) A kind of ACL collocation methods, ACL configuration equipment and server
CN110913011A (en) Session keeping method, session keeping device, readable storage medium and electronic equipment
CN118802438A (en) Router web management page access method, device and storage medium
CN113381978B (en) Safe login method and device
JP7383145B2 (en) Network service processing methods, systems and gateway devices
CN116260600A (en) Network address identification method, device and system
CN104980329A (en) Address book management method address book management device and mobile agent server
US12335351B1 (en) Edge networks for surrogate browsing and direct traffic via proxy

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant