Network access control method

Document no.: 1601364   Publication date: 2020-01-07   Views: 16   Language: Chinese

Reading note: this technique, 一种网络访问控制方法 (Network access control method), was designed and created by 石悌君 on 2018-06-28. Its main content: the invention provides a network access control method applied to a system comprising a terminal and a network control device, in which the terminal's packets must be processed by the network control device before they can enter the internet. On receiving a terminal packet, the router determines the network authority from the terminal and the packet's protocol type/destination IP/destination port number, and a simple method of generating network authority is offered to the user. In this way, terminal data can be uploaded to the internet only after the user has fully authorized it, which effectively protects the user's personal privacy.

1. A network access control method applied to a system comprising a terminal and a router, wherein a packet from the terminal can enter the internet only after being processed by the router, and the router controls the terminal's network authority by discarding or forwarding the packet.

2. The method according to claim 1, wherein, after receiving the terminal packet, the router searches a terminal information table by the packet's terminal address to obtain a terminal name, and then obtains the terminal's network authority table by that terminal name.

3. The method according to claim 1, wherein, after receiving the terminal packet, the router searches an address authority table by the packet's terminal address, the address authority table being generated from the terminal information table and the terminal's network authority table.

4. The method according to claim 1, wherein the terminal's network authority table is generated from a configuration message sent by the terminal, and the configuration message must carry a terminal identifier and may carry zero or more of the following three pieces of information: a protocol type, a destination IP address, and a destination port.

Technical Field

The present invention relates to the field of communications technologies, and in particular, to a network access control method.

Background

Fig. 1 shows the logical topology of a typical present-day home network: terminal devices (terminals for short) such as a personal computer, a mobile phone and a camera access the internet through a home router.

While the network makes everyday life more convenient, it also introduces security risks: for example, a smart camera may upload images to the internet and leak personal privacy, or a PC that has been compromised may upload private data. Home router manufacturers currently offer the following control methods:

1. for wireless access, the router is configured to bar a specific terminal from the wireless network; this also prevents the user from reaching the surveillance device over the network;

2. some routers (such as TP-LINK home routers) provide a firewall configuration that controls network authority by MAC (Media Access Control) address or IP (Internet Protocol) address. This is relatively complex to configure: the user must look up the terminal's MAC or IP address from the terminal name and then add control entries in the firewall configuration. It also blocks all network access, so a terminal that needs network access cannot be given both internet access and security.

Disclosure of Invention

The invention provides a network access control method that controls a terminal's network access authority on the router.

In view of this, the embodiment of the present invention provides:

a network access control method applied to a system comprising a terminal and a router, wherein a packet from the terminal can enter the internet only after being processed by the router; after receiving the terminal packet, the router looks up the corresponding terminal by the packet's terminal address and decides how to handle the packet according to that terminal's network authority and the packet's network operation type.

The invention ensures that data a terminal transmits to the internet must be fully authorized by the user, keeps user configuration simple, and thereby protects the user's personal privacy more effectively.

Drawings

Fig. 1 is a diagram of a home network logical networking.

Fig. 2 is a flow chart of router network access control.

Fig. 3 is a flow diagram of another embodiment of router network access control.

Detailed Description

The invention applies mainly to the logical topology shown in Fig. 1; the process by which the router assigns a private-network IP address to a terminal device is unrelated to the invention and is not described further. The embodiment mainly describes how the router configures network authority for a terminal device, and how it controls that terminal's network access, after the terminal has connected to the router.

The embodiment of the invention defines two network operation types and three network authorities:

packets sent by the terminal fall into two network operation types, uploading data and downloading data: an upload is a packet the terminal sends to deliver local data to the network (for example an HTTP PUT/POST operation); a download is a packet the terminal sends to request data from the network (for example an HTTP GET operation). Whether a packet uploads or downloads must be determined by analysing the specific protocol;

the router classifies packets by the four-tuple of terminal name, protocol type, destination IP and destination port number of the sent packet and generates a network authority table entry; each class of packet has one of the following three network authorities:

no authority: the packet is not allowed to be forwarded to the internet;

low authority: packets of this type are forwarded to the internet only under a restriction. For example, the treatment may depend on the network operation type: upload packets are not forwarded to the internet, download packets are; the amount of data transmitted, or the transmission frequency per unit of time or per day, may be limited more strictly; or other custom constraints may be defined;

high authority: the packet is forwarded to the internet without restriction.

A terminal receives a default authority (for example low authority) when it connects to the router. The router provides a configuration interface for modifying authority by terminal name, offering four network authority settings: no authority, low authority, high authority and terminal-defined.

Once a terminal is set to terminal-defined authority, the router accepts network authority configuration messages from that terminal and generates the corresponding network authority table entries. A configuration message must contain a terminal identifier (terminal name, terminal MAC address or terminal IP address); its optional fields are the network authority (no authority/low authority/high authority), protocol type (e.g. TCP/UDP …), destination IP address and destination port number.

When a terminal is set to terminal-defined authority, software on the terminal can enforce network authority at application granularity; the software may work as follows:

1. through a configuration interface provided by the software, the user adds applications that are to have network access (for example the IE browser) and may configure each application's network authority (the default may be low authority). The software then begins monitoring the communication ports (protocol type/destination IP/port number) opened by the target application (for example the IE browser);

2. when it observes the target application opening a communication port, the software sends the terminal name, the configured network authority, the protocol type, the destination IP address and the destination port number to the router, in the message format defined by the router;

3. when it observes the target application closing the communication port, the software sends the terminal name, the default network authority, the protocol type, the destination IP address and the destination port number to the router, in the message format defined by the router.

The terminal network authority information stored in the router is described below with a specific example; suppose that:

1. four terminals connect to the router. The first is a personal computer named PC that has both a wireless network card (MAC address E0-CE-C3-F9-82-23) and an Ethernet card (MAC address 74-2B-62-6E-06-17); both cards are connected to the router. The second is a smart camera named Camera, connected through a wireless card with MAC address D0-5B-A8-32-43-62. The third is a mobile phone named Mobile, connected through a wireless card with MAC address 80-AD-16-5D-E6-80. The fourth is a smart speaker named Echo, connected through a wireless card with MAC address 14-CF-92-C7-17-83. After the terminals connect, the router generates a terminal information table (Table 1), in which MAC address and IP address are collectively called the terminal address; generating Table 1 is unrelated to the invention and is not described;

Terminal name   MAC address         IP address
PC              74-2B-62-6E-06-17   192.168.1.101
PC              E0-CE-C3-F9-82-23   192.168.1.111
Camera          D0-5B-A8-32-43-62   192.168.1.102
Mobile          80-AD-16-5D-E6-80   192.168.1.103
Echo            14-CF-92-C7-17-83   192.168.1.104

TABLE 1

2. the router is configured with the following authorities for the four terminals: PC is terminal-defined, Camera has no authority, Mobile has high authority and Echo has low authority. The router generates the terminal network authority table (Table 2);

Terminal name   Protocol type   Destination IP   Destination port   Network authority
PC              all             all              all                Low authority
Camera          all             all              all                No authority
Mobile          all             all              all                High authority
Echo            all             all              all                Low authority

TABLE 2

For processing efficiency, the terminal information table can be searched by the terminal name of each network authority table entry to obtain all MAC addresses of that terminal (for example, a PC with two network cards both connected to the network needs one entry per MAC address); the MAC address then replaces the terminal name, producing an address authority table (Table 3);

MAC address         Protocol type   Destination IP   Destination port   Network authority
74-2B-62-6E-06-17   all             all              all                Low authority
E0-CE-C3-F9-82-23   all             all              all                Low authority
D0-5B-A8-32-43-62   all             all              all                No authority
80-AD-16-5D-E6-80   all             all              all                High authority
14-CF-92-C7-17-83   all             all              all                Low authority

TABLE 3

The address authority table in Table 3 uses the MAC address as its key; the IP address may equally be used as the entry key;
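As an added example (not code from the patent or its author), the following Python models the configuration message handling described above and in claim 4, building network authority table entries of the kind shown in Tables 2 and 4, and then performs the terminal-name-to-MAC expansion that produces Table 3. The dictionary field names of the configuration message, the "custom" label for the terminal-defined setting and the string labels none/low/high are assumptions of this example; the table rows are those of Tables 1, 2 and 4.

```python
# Added example (not the patent's own code): turning terminal configuration
# messages into network authority table entries (Tables 2 and 4) and expanding
# that table into the MAC-keyed address authority table (Table 3).
# The dict shape of a configuration message and the labels used below are
# constructed for illustration; the patent does not define a wire format.
from dataclasses import dataclass
from typing import Union

ALL = "all"  # wildcard for protocol type / destination IP / destination port
VALID_AUTHORITIES = {"none", "low", "high"}


@dataclass(frozen=True)
class AuthEntry:
    key: str                   # terminal name, or MAC address in the address table
    protocol: str              # "TCP", "UDP", ... or ALL
    dst_ip: str                # dotted IPv4 address or ALL
    dst_port: Union[int, str]  # port number or ALL
    authority: str             # "none", "low" or "high"


# Table 1 from the text: (terminal name, MAC address, IP address).
# A terminal with several network cards owns several rows.
TERMINAL_INFO = [
    ("PC", "74-2B-62-6E-06-17", "192.168.1.101"),
    ("PC", "E0-CE-C3-F9-82-23", "192.168.1.111"),
    ("Camera", "D0-5B-A8-32-43-62", "192.168.1.102"),
    ("Mobile", "80-AD-16-5D-E6-80", "192.168.1.103"),
    ("Echo", "14-CF-92-C7-17-83", "192.168.1.104"),
]


def parse_config_message(msg: dict, default_authority: str = "low") -> AuthEntry:
    """Validate one configuration message and turn it into a table entry.

    Per claim 4 the message must carry a terminal identifier and may carry zero
    or more of protocol type / destination IP / destination port; an absent
    field becomes the wildcard.  The field names are this example's assumption.
    """
    terminal = msg.get("terminal")
    if not terminal:
        raise ValueError("configuration message must carry a terminal identifier")
    authority = msg.get("authority", default_authority)
    if authority not in VALID_AUTHORITIES:
        raise ValueError(f"unknown network authority {authority!r}")
    protocol = msg.get("protocol", ALL)
    if protocol != ALL:
        protocol = str(protocol).upper()
    port = msg.get("dst_port", ALL)
    if port != ALL:
        port = int(port)
        if not 0 <= port <= 65535:
            raise ValueError(f"destination port {port} out of range")
    return AuthEntry(terminal, protocol, msg.get("dst_ip", ALL), port, authority)


def build_network_authority_table(settings: dict, config_msgs: list) -> list:
    """Build Table 2 / Table 4 from the per-terminal router setting plus any
    configuration messages.  A 'custom' (terminal-defined) terminal starts at
    low authority, the default the text gives; message entries are listed
    first so the more specific rows precede the wildcard rows."""
    table = [parse_config_message(m) for m in config_msgs]
    for name, setting in settings.items():
        base = "low" if setting == "custom" else setting
        if base not in VALID_AUTHORITIES:
            raise ValueError(f"bad setting {setting!r} for {name}")
        table.append(AuthEntry(name, ALL, ALL, ALL, base))
    return table


def build_address_authority_table(auth_table: list, terminal_info: list) -> list:
    """Build Table 3: replace each terminal name by every MAC address that
    terminal owns, so the two-card PC produces two rows per authority entry."""
    rows = []
    for entry in auth_table:
        for name, mac, _ip in terminal_info:
            if name == entry.key:
                rows.append(AuthEntry(mac, entry.protocol, entry.dst_ip,
                                      entry.dst_port, entry.authority))
    return rows


if __name__ == "__main__":
    settings = {"PC": "custom", "Camera": "none", "Mobile": "high", "Echo": "low"}
    msgs = [{"terminal": "PC", "authority": "high", "protocol": "tcp",
             "dst_ip": "192.144.148.48", "dst_port": 80}]
    for row in build_address_authority_table(
            build_network_authority_table(settings, msgs), TERMINAL_INFO):
        print(row)
```

Run as a script, it prints the seven rows of the address authority table that Table 4 expands to: the two PC MAC addresses each appear twice (once for the TCP/192.144.148.48/80 high-authority entry, once for the wildcard low-authority entry), followed by one row each for Camera, Mobile and Echo. Rejecting a message without a terminal identifier is the check claim 4 calls for; the port-range check is an addition of this example.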

3. the PC runs software that works together with the router and, through this software, configures the IE browser as high authority. When the IE browser accesses http://192.144.149.48, the router receives a network authority configuration message from the PC software and generates a network authority table entry; the complete network authority table of the router is shown in Table 4;

Terminal name   Protocol type   Destination IP   Destination port   Network authority
PC              TCP             192.144.148.48   80                 High authority
PC              all             all              all                Low authority
Camera          all             all              all                No authority
Mobile          all             all              all                High authority
Echo            all             all              all                Low authority

TABLE 4

The address authority table of the whole router is not described in detail.

Fig. 2 shows the network access control flow executed when the router receives a packet from a terminal device, as follows:

201. parse the packet's source MAC address, protocol type, destination IP and destination port, and determine whether the packet uploads or downloads data;

202. look up the terminal information table by the source MAC address to obtain the terminal name;

203. check whether the terminal exists; if not, discard the packet directly, otherwise go to step 204;

204. search the network authority table for a matching entry by terminal name, protocol type, destination IP and destination port: when an entry's protocol type/destination IP/destination port number is 'all', any value of the corresponding packet field matches it; if several entries match, prefer the entry with the most matching elements of the four-tuple;

205. if the matched entry's network authority is no authority, discard the packet; otherwise go to step 206;

206. if the matched entry's network authority is low authority, go to step 207; otherwise the authority is treated as high and the packet is forwarded normally;

207. if the packet uploads data, discard it; if it downloads data, forward it normally.

Fig. 3 shows another embodiment of the network access control flow executed when the router receives a packet from a terminal device, as follows:

301. parse the packet's source MAC address, protocol type, destination IP and destination port, and determine whether the packet uploads or downloads data;

302. search the address authority table for a matching entry by MAC address, protocol type, destination IP and destination port: when an entry's protocol type/destination IP/destination port number is 'all', any value of the corresponding packet field matches it; if several entries match, prefer the entry with the most matching elements of the four-tuple;

303. if the matched entry's network authority is no authority, discard the packet; otherwise go to step 304;

304. if the matched entry's network authority is low authority, go to step 305; otherwise the authority is treated as high and the packet is forwarded normally;

305. if the packet uploads data, discard it; if it downloads data, forward it normally.
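As an added example (not code from the patent or its author), the following Python runs both decision flows over constructed packets: the Fig. 2 flow that maps the source MAC to a terminal name and then consults the name-keyed network authority table, and the Fig. 3 flow that consults the MAC-keyed address authority table directly. The Packet record, the HTTP-only upload/download classifier standing in for step 201's protocol analysis, and the string labels none/low/high are assumptions of this example; the table rows come from Tables 1, 3 and 4, and the longest-match rule (steps 204/302) and drop/forward rules (steps 205-207/303-305) follow the text.

```python
# Added example (not the patent's own code): the forwarding decision of Fig. 2
# (source MAC -> terminal name -> network authority table) and Fig. 3
# (source MAC -> address authority table).  Packet fields, the HTTP-only
# upload/download classifier and the table rows are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Union

ALL = "all"  # wildcard value in a table entry


@dataclass(frozen=True)
class AuthEntry:
    key: str                   # terminal name (Fig. 2) or source MAC (Fig. 3)
    protocol: str
    dst_ip: str
    dst_port: Union[int, str]
    authority: str             # "none", "low" or "high"


@dataclass(frozen=True)
class Packet:
    src_mac: str
    protocol: str
    dst_ip: str
    dst_port: int
    uploads: bool              # True = data upload, False = data download


# Table 1: source MAC -> terminal name (the two-card PC owns two MACs).
TERMINAL_INFO = {
    "74-2B-62-6E-06-17": "PC", "E0-CE-C3-F9-82-23": "PC",
    "D0-5B-A8-32-43-62": "Camera", "80-AD-16-5D-E6-80": "Mobile",
    "14-CF-92-C7-17-83": "Echo",
}

# Table 4: network authority table keyed by terminal name.
NETWORK_AUTHORITY = [
    AuthEntry("PC", "TCP", "192.144.148.48", 80, "high"),
    AuthEntry("PC", ALL, ALL, ALL, "low"),
    AuthEntry("Camera", ALL, ALL, ALL, "none"),
    AuthEntry("Mobile", ALL, ALL, ALL, "high"),
    AuthEntry("Echo", ALL, ALL, ALL, "low"),
]

# Address authority table (Table 3 style) derived from the two tables above.
ADDRESS_AUTHORITY = [
    AuthEntry(mac, e.protocol, e.dst_ip, e.dst_port, e.authority)
    for e in NETWORK_AUTHORITY
    for mac, name in TERMINAL_INFO.items() if name == e.key
]


def http_uploads(method: str) -> bool:
    """Step 201 for HTTP only: PUT/POST deliver local data (upload), GET fetches (download)."""
    return method.upper() in {"PUT", "POST"}


def best_match(table: list, key: str, pkt: Packet) -> Optional[AuthEntry]:
    """Steps 204 / 302: an entry matches when each field equals the packet's value
    or is the wildcard; among matches, the one with the most exact fields wins."""
    best, best_score = None, -1
    for e in table:
        if e.key != key:
            continue
        pairs = ((e.protocol, pkt.protocol), (e.dst_ip, pkt.dst_ip),
                 (e.dst_port, pkt.dst_port))
        if any(want != ALL and want != have for want, have in pairs):
            continue
        score = sum(1 for want, _ in pairs if want != ALL)
        if score > best_score:
            best, best_score = e, score
    return best


def decide(entry: Optional[AuthEntry], pkt: Packet) -> str:
    """Steps 203-207 / 303-305: returns "drop" or "forward"."""
    if entry is None or entry.authority == "none":
        return "drop"                                   # unknown terminal or no authority
    if entry.authority == "low":
        return "drop" if pkt.uploads else "forward"     # uploads blocked, downloads pass
    return "forward"                                    # high authority: no restriction


def process_by_name(pkt: Packet) -> str:
    """Fig. 2: MAC -> terminal name -> network authority table."""
    name = TERMINAL_INFO.get(pkt.src_mac)
    if name is None:
        return "drop"                                   # step 203
    return decide(best_match(NETWORK_AUTHORITY, name, pkt), pkt)


def process_by_mac(pkt: Packet) -> str:
    """Fig. 3: source MAC straight into the address authority table."""
    return decide(best_match(ADDRESS_AUTHORITY, pkt.src_mac, pkt), pkt)


if __name__ == "__main__":
    # Constructed packets: the PC's IE browser posting to the configured host,
    # and the camera trying to upload elsewhere (203.0.113.10 is a TEST-NET address).
    for p in (Packet("E0-CE-C3-F9-82-23", "TCP", "192.144.148.48", 80, http_uploads("POST")),
              Packet("D0-5B-A8-32-43-62", "TCP", "203.0.113.10", 443, http_uploads("PUT"))):
        print(p.src_mac, process_by_name(p), process_by_mac(p))
```

The two flows return the same verdict for every packet because the address authority table is a pure expansion of the name-keyed table; Fig. 3 simply saves the terminal-information lookup of step 202. Note that the tie-break in step 204 counts only the three variable fields, since the terminal name (or MAC) must match exactly for an entry to be considered at all.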

In the invention, authority is configured and the network authority table generated by terminal name, which simplifies user configuration compared with configuring by MAC address/IP address: if a PC has two network cards, authority configured by MAC address must be entered twice, whereas by terminal name the same configuration is entered only once. Grouping several terminals into a set and configuring authority for the set, so that authority is indirectly configured per terminal, is also considered within the scope of the invention: for example, if a security group concept is introduced on the router and PC and Mobile join the same security group, network authority need only be configured for the security group, and the router's forwarding flow can look up, from the terminal name, the configuration of the security group the terminal belongs to in order to determine its network authority.

The above description of the embodiments only serves to help understand the method of the invention and its core idea; those skilled in the art may change the specific implementation and the range of application according to the idea of the invention. In view of this, the present disclosure should not be construed as limiting the invention.
