CN113973303A - Method for realizing mobile terminal equipment access control gateway based on data packet analysis - Google Patents
- Publication number: CN113973303A (application CN202111288984.4A)
- Authority: CN (China)
- Legal status: Granted (as listed by Google Patents, not a legal conclusion)
Classifications (CPC)
- H04W12/08: Access security
- H04W12/37: Managing security policies for mobile devices or for controlling mobile applications
- H04W48/16: Discovering, processing access restriction or access information
Abstract
The invention discloses a method for implementing access control of mobile terminal devices by a control gateway based on data packet analysis, comprising the following steps: configuring, on the control gateway, an interception rule for intercepting data packets; when a mobile terminal device establishes a mutual trust relationship with the terminal management and control system, the control gateway actively intercepts the data packets that match the interception rule, performs protocol analysis on them to obtain the terminal source address, adds the terminal source address to a dynamic policy control list, and sets a timeout period for it; the control gateway actively intercepts the heartbeat packets that the mobile terminal device sends to the terminal management and control system at regular intervals, and analyzes and processes them; and if the control gateway does not intercept a heartbeat packet from the mobile terminal device within the timeout period, it removes the corresponding terminal source address from the dynamic policy control list. The invention effectively solves the problem that, in some practical scenarios, the control gateway cannot accurately control access by mobile terminal devices.
Description
Technical Field
The invention relates to the technical field of network communication information security, and in particular to a method for implementing access control of mobile terminal devices by a control gateway based on data packet analysis.
Background
With the rapid development of computer networks and the rapid rise of the IoT field in recent years, mobile terminal devices of all kinds have become increasingly common. While the development of network technology brings great convenience, the problem of network security grows more and more serious. How to accurately control the access of these mobile terminal devices has become a technical problem that urgently needs to be solved.
At present, the general implementation of an access control gateway for mobile terminal devices is as follows: when a mobile terminal device logs in, it establishes a mutual trust relationship with the terminal management and control system; the terminal management and control system then synchronizes the terminal information, including the terminal IP address, to the control gateway; and the control gateway applies a forward-or-discard policy to data packets based on that terminal IP address. More specifically, fig. 1 shows the general implementation of the mobile terminal device access control gateway in the industry: the gateway interacts with the terminal management and control system and passively obtains the terminal IP address from it in order to control access by the mobile terminal device. The basic flow is as follows:
1. by default, the control gateway only allows traffic from any terminal address to reach the terminal management and control system; only terminal IP addresses that have been added to the policy control list may access the specified service;
2. the mobile terminal device places its terminal IP address in the login protocol and performs the login service with the terminal management and control system;
3. the terminal management and control system obtains the logged-in terminal's information (including its terminal IP address) from the login protocol and sends it to the control gateway;
4. on receiving the terminal information from the terminal management and control system, the control gateway adds that terminal IP address to its policy control list;
5. the logged-in mobile terminal device can now access the specified service through the control gateway;
6. when the mobile terminal device performs the logout service with the terminal management and control system, the system forwards the terminal information to the control gateway, which removes the logged-out terminal IP address from the policy control list;
7. the logged-out mobile terminal device can no longer access the specified service.
However, in some practical application scenarios, as shown in fig. 2, the mobile terminal device cannot supply a correct IP address through the login protocol: when the terminal management and control system processes the device's login service, the terminal IP address it obtains is distorted. The terminal IP address passed on to the access control gateway is therefore also distorted, and because this distorted address differs from the source address of the data packets the mobile terminal device actually sends when using the service, the gateway cannot perform effective access control on the terminal.
To this end, the applicant has sought, through useful research, a solution to the above problems, in the context of which the technical solutions described below have been made.
Disclosure of Invention
One of the technical problems to be solved by the present invention is: in view of the defects of the prior art, to provide a method for implementing access control of mobile terminal devices by a control gateway based on data packet analysis, so as to solve the problem that a mobile terminal device cannot provide its real IP address to the terminal management and control system.
The technical problem to be solved by the invention can be addressed by the following technical scheme:
a method for implementing an access control gateway for mobile terminal devices based on data packet analysis, comprising the following steps:
step S10, configuring the interception rule by which the control gateway intercepts data packets;
step S20, when the mobile terminal device and the terminal management and control system establish a mutual communication relationship, the control gateway actively intercepts the data packets that match the interception rule, performs protocol analysis on the intercepted packets to obtain their terminal source address, adds the obtained terminal source address to the dynamic policy control list, and sets a timeout period for it;
step S30, the control gateway actively intercepts the heartbeat packets that the mobile terminal device sends to the terminal management and control system at regular intervals, and analyzes and processes them to determine whether the timeout period of the terminal source address needs to be reset;
step S40, if the control gateway does not intercept a heartbeat packet from the mobile terminal device to the terminal management and control system within the timeout period, the corresponding terminal source address is removed from the dynamic policy control list.
In a preferred embodiment of the present invention, in step S10, the interception rule is configured as follows:
A. the network access control mode of the control gateway includes an iptables policy and a DPDK mode;
B. configuring, on the control gateway, an access control rule that permits forwarding of data packets whose source address is any terminal address and whose destination address is the address of the terminal management and control system;
C. configuring an access control rule that permits forwarding of data packets whose source address is an address in the policy control list maintained by the control gateway and whose destination address is the specified service address;
D. configuring an access control rule that sends to interception processing the data packets whose source address is any terminal address, whose destination address is the address of the terminal management and control system, and whose destination port is the port on which the terminal management and control system handles the terminal login service;
E. configuring an access control rule that sends to interception processing the data packets whose source address is any terminal address, whose destination address is the address of the terminal management and control system, and whose destination port is the port on which the terminal management and control system handles the terminal heartbeat service;
F. configuring the timeout period of the elements stored in the policy control list, namely the terminal source addresses.
In a preferred embodiment of the present invention, in step S20, the control gateway actively intercepting the data packets that match the interception rule, performing protocol analysis on them to obtain their terminal source address, adding the obtained terminal source address to the dynamic policy control list, and setting a timeout period for it comprises the following steps:
step S21, when the mobile terminal device and the terminal management and control system establish the mutual trust relationship, namely the login service, the source address of the mobile terminal device must remain unchanged for the duration of the service, and no NAT translation may be performed on it;
step S22, the control gateway, according to the interception rule configured in step S10, actively intercepts the data packet sent when the mobile terminal device logs in, and performs protocol analysis on it to obtain the source address of the mobile terminal device;
step S23, the obtained terminal source address is added to the dynamic policy control list maintained by the control gateway, and a timeout period is set for it automatically according to the interception rule configured in step S10;
step S24, within the timeout period, the mobile terminal device can access the service specified by the interception rule configured in step S10.
In a preferred embodiment of the present invention, in step S30, actively intercepting the heartbeat packets that the mobile terminal device sends to the terminal management and control system at regular intervals, and analyzing and processing them to determine whether the timeout period of the terminal source address needs to be reset, comprises the following steps:
step S31, after initiating the login service, the mobile terminal device sends heartbeat packets to the terminal management and control system at regular intervals to keep its online state;
step S32, the control gateway, according to the interception rule configured in step S10, actively intercepts the heartbeat packet sent by the mobile terminal device to the terminal management and control system, and performs protocol analysis on it to obtain the terminal source address of the packet;
step S33, the control gateway checks whether that terminal source address is present in the dynamic policy control list it maintains; if so, the timeout period of the terminal source address is reset; if not, the mobile terminal device with that source address has not performed the login service, and data packets from that terminal source address are discarded by default.
In a preferred embodiment of the present invention, in step S40, the control gateway removing the corresponding terminal source address from the dynamic policy control list when it does not intercept a heartbeat packet from the mobile terminal device to the terminal management and control system within the timeout period comprises the following steps:
step S41, the control gateway dynamically updates the terminal source addresses in the policy control list: if no heartbeat packet from the mobile terminal device to the terminal management and control system is intercepted within the timeout period, the terminal source address is actively cleared;
step S42, the mobile terminal device whose terminal source address has been removed from the policy control list is no longer allowed to access the service specified by the interception rule configured in step S10; if it needs access, it must establish the mutual trust relationship with the terminal management and control system again, that is, step S20 is repeated.
Owing to the adoption of the above technical scheme, the invention has the following beneficial effects: the method actively obtains the terminal source address through data packet analysis, combines this with a timeout-based keep-alive mechanism, and implements access control of mobile terminal devices by maintaining a dynamic policy control list, thereby effectively solving the problem that, in some practical scenarios, the control gateway cannot accurately control access by mobile devices because the terminal cannot provide a correct IP address to the terminal management and control system through the login protocol.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below. It is obvious that the drawings described below are only some embodiments of the present invention, and that those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the general implementation of a conventional access control gateway for mobile terminal devices.
Fig. 2 is a flowchart of the general implementation of an existing access control gateway for mobile terminal devices in certain special scenarios.
Fig. 3 is a flowchart of the present invention.
Fig. 4 is a flowchart of an embodiment of the present invention.
Fig. 5 is a schematic diagram of the dynamic policy control list of the present invention.
Detailed Description
In order to make the technical means, creative features, objectives and effects of the invention easy to understand, the invention is further explained below with reference to the specific drawings.
Referring to fig. 3, a method for implementing a mobile terminal device access control gateway based on data packet analysis is shown, comprising the following steps:
step S10, configuring the interception rule by which the control gateway intercepts data packets.
Step S20, when the mobile terminal device and the terminal management and control system establish a mutual communication relationship, the control gateway actively intercepts the data packets that match the interception rule, performs protocol analysis on the intercepted packets to obtain their terminal source address, adds the obtained terminal source address to the dynamic policy control list, and sets a timeout period for it.
Step S30, the control gateway actively intercepts the heartbeat packets that the mobile terminal device sends to the terminal management and control system at regular intervals, and analyzes and processes them to determine whether the timeout period of the terminal source address needs to be reset.
Step S40, if the control gateway does not intercept a heartbeat packet from the mobile terminal device to the terminal management and control system within the timeout period, the corresponding terminal source address is removed from the dynamic policy control list.
In a preferred embodiment of the present invention, in step S10, the interception rule is configured as follows:
A. the network access control mode of the control gateway includes an iptables policy and a DPDK mode;
B. configuring, on the control gateway, an access control rule that permits forwarding of data packets whose source address is any terminal address and whose destination address is the address of the terminal management and control system;
C. configuring an access control rule that permits forwarding of data packets whose source address is an address in the policy control list maintained by the control gateway and whose destination address is the specified service address;
D. configuring an access control rule that sends to interception processing the data packets whose source address is any terminal address, whose destination address is the address of the terminal management and control system, and whose destination port is the port on which the terminal management and control system handles the terminal login service;
E. configuring an access control rule that sends to interception processing the data packets whose source address is any terminal address, whose destination address is the address of the terminal management and control system, and whose destination port is the port on which the terminal management and control system handles the terminal heartbeat service;
F. configuring the timeout period of the elements stored in the policy control list, namely the terminal source addresses.
In step S20, the control gateway actively intercepting the data packets that match the interception rule, performing protocol analysis on them to obtain their terminal source address, adding the obtained terminal source address to the dynamic policy control list, and setting a timeout period for it comprises the following steps:
step S21, when the mobile terminal device and the terminal management and control system establish the mutual trust relationship, namely the login service, the source address of the mobile terminal device must remain unchanged for the duration of the service, and no NAT translation may be performed on it;
step S22, the control gateway, according to the interception rule configured in step S10, actively intercepts the data packet sent when the mobile terminal device logs in, and performs protocol analysis on it to obtain the source address of the mobile terminal device;
step S23, the obtained terminal source address is added to the dynamic policy control list maintained by the control gateway, and a timeout period is set for it automatically according to the interception rule configured in step S10;
step S24, within the timeout period, the mobile terminal device can access the service specified by the interception rule configured in step S10.
In step S30, determining whether the timeout period of the terminal source address needs to be reset comprises the following steps:
step S31, after initiating the login service, the mobile terminal device sends heartbeat packets to the terminal management and control system at regular intervals to keep its online state;
step S32, the control gateway, according to the interception rule configured in step S10, actively intercepts the heartbeat packet sent by the mobile terminal device to the terminal management and control system, and performs protocol analysis on it to obtain the terminal source address of the packet;
step S33, the control gateway checks whether that terminal source address is present in the dynamic policy control list it maintains; if so, the timeout period of the terminal source address is reset; if not, the mobile terminal device with that source address has not performed the login service, and data packets from that terminal source address are discarded by default.
In step S40, the control gateway removing the corresponding terminal source address from the dynamic policy control list when it does not intercept a heartbeat packet from the mobile terminal device to the terminal management and control system within the timeout period comprises the following steps:
step S41, the control gateway dynamically updates the terminal source addresses in the policy control list: if no heartbeat packet from the mobile terminal device to the terminal management and control system is intercepted within the timeout period, the terminal source address is actively cleared;
step S42, the mobile terminal device whose terminal source address has been removed from the policy control list is no longer allowed to access the service specified by the interception rule configured in step S10; if it needs access, it must establish the mutual trust relationship with the terminal management and control system again, that is, step S20 is repeated.
The following is a specific embodiment of the method, provided by the invention, for implementing an access control gateway for mobile terminal devices based on data packet analysis:
The access control gateway for mobile terminal devices based on data packet analysis achieves control over terminal access by actively obtaining the terminal's IP address, combining this with a timeout-based keep-alive mechanism, and maintaining a dynamic policy control list at the gateway, thereby effectively solving the problem that the mobile terminal device cannot provide its real IP address to the terminal management and control system. As shown in fig. 4, the specific process is as follows:
(1) The administrator configures the specific interception rules at the control gateway. Assume that the IP address of the specified service is "192.168.60.10"; the IP address of the terminal management and control system is "192.168.10.20", the port on which it handles the login service is "8080", and the port on which it handles the keep-alive service is "18080"; the IP address of terminal 1 is "192.168.60.51"; and the IP address of terminal 2 is "192.168.60.52".
a. The network access control method of the control gateway includes, but is not limited to, an iptables policy; a method such as DPDK may also be used.
b. A rule is configured that permits forwarding of packets whose source address is any terminal address and whose destination address is the IP address of the terminal management and control system (i.e. 192.168.10.20).
c. A rule is configured that permits forwarding of packets whose source address is an address in the policy control list maintained by the mobile device access control gateway and whose destination address is the IP address of the specified service (i.e. 192.168.60.10).
d. A rule is configured that packets whose source address is any terminal address, whose destination address is the address of the terminal management and control system (192.168.10.20), and whose destination port is the port on which the terminal management and control system handles the terminal login service (8080) must be intercepted by the packet interception program.
e. A rule is configured that packets whose source address is any terminal address, whose destination address is the address of the terminal management and control system (192.168.10.20), and whose destination port is the port on which the terminal management and control system handles the terminal heartbeat service (18080) must be intercepted by the packet interception program.
f. The timeout period for an element (i.e. a terminal address) stored in the policy control list is set to 10 seconds.
(2) Terminal 1 performs the login service with the terminal management and control system; its IP address must remain unchanged while it performs the service, so no NAT translation may be applied. The mobile device access control gateway intercepts the data packet according to rule d configured in step (1), performs protocol analysis on it through the packet interception program, obtains the packet's source address (i.e. the IP address of terminal 1), adds that IP address (192.168.60.51) to the dynamic policy control list maintained by the gateway as shown in fig. 5, and sets its timeout period to 10 seconds according to rule f configured in step (1). After this processing, the gateway forwards the login packet to the terminal management and control system according to rule b configured in step (1).
(3) Once terminal 1 has logged in, the mobile device access control gateway allows it to access the service with IP address 192.168.60.10 according to rule c configured in step (1); terminal 2, which has not performed the login service, cannot access the service with IP address 192.168.60.10.
(4) Terminal 1 must send a heartbeat packet to the terminal management and control system within the timeout period (10 seconds). According to rule e configured in step (1), the mobile device access control gateway intercepts the heartbeat packet sent by the terminal to the terminal management and control system; after the packet interception program obtains the heartbeat packet, the gateway checks whether the terminal's IP address is present in the dynamic policy control list it maintains: if so, the timeout period of that terminal IP address is reset; if not, the terminal with that IP address has not performed the login service, and packets whose source address is that terminal IP are discarded by default.
(5) The mobile device access control gateway dynamically updates the terminal IP addresses in the policy control list: if no heartbeat packet from a terminal is intercepted within the timeout period, the IP address of that terminal is actively cleared. When terminal 1 fails to send a heartbeat packet to the terminal management and control system within the timeout period (10 seconds), the gateway clears the IP address of terminal 1 from the dynamic policy control list, and terminal 1 can no longer access the service with IP address 192.168.60.10; if terminal 1 needs access again, it must re-establish the mutual trust relationship with the terminal management and control system, that is, step (2) is repeated.
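As an added illustration (not part of the patent text), the following Python models the gateway logic of steps (1) to (5) above and of steps S10 to S40: a dynamic policy control list keyed by terminal source address, the address learned from the intercepted login packet rather than from the login protocol payload, heartbeat-driven timeout reset, and expiry. It uses the addresses and ports of the embodiment; the packet interception program and the iptables/DPDK data path are abstracted as one handle() call on parsed header fields, the service destination port 443 is a constructed value (rule c matches on address only), and default-deny for any other destination is an assumption.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Addresses and ports taken from step (1) of the patent's embodiment.
MGMT_ADDR = "192.168.10.20"      # terminal management and control system
LOGIN_PORT = 8080                # port handling the terminal login service (rule d)
HEARTBEAT_PORT = 18080           # port handling the keep-alive/heartbeat service (rule e)
SERVICE_ADDR = "192.168.60.10"   # the specified service (rule c)
TIMEOUT_SECONDS = 10.0           # rule f
TERMINAL_1 = "192.168.60.51"
TERMINAL_2 = "192.168.60.52"


@dataclass(frozen=True)
class Packet:
    """The only header fields the gateway's rules look at (already parsed)."""
    src: str
    dst: str
    dport: int


class FakeClock:
    """Settable clock so the timeout behaviour can be replayed deterministically."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


@dataclass
class ControlGateway:
    # Dynamic policy control list (fig. 5): terminal source address -> expiry time.
    clock: Callable[[], float] = time.monotonic
    policy_list: Dict[str, float] = field(default_factory=dict)

    def _expire_stale(self) -> None:
        # Steps S40/S41: clear every source whose heartbeat was not seen in time.
        now = self.clock()
        for src in [s for s, exp in self.policy_list.items() if exp <= now]:
            del self.policy_list[src]

    def _touch(self, src: str) -> None:
        # Steps S23/S33: (re)set the timeout for a learned source address.
        self.policy_list[src] = self.clock() + TIMEOUT_SECONDS

    def handle(self, pkt: Packet) -> str:
        """Apply rules b-f to one packet; returns 'forward' or 'drop'."""
        self._expire_stale()
        if pkt.dst == MGMT_ADDR:
            if pkt.dport == LOGIN_PORT:
                # Rule d, steps S22-S23: the source address comes from the
                # intercepted login packet's header, not from the login protocol.
                self._touch(pkt.src)
                return "forward"                      # rule b
            if pkt.dport == HEARTBEAT_PORT:
                # Rule e, step S33: only a logged-in source may refresh its entry;
                # a heartbeat from an unknown source is discarded by default.
                if pkt.src in self.policy_list:
                    self._touch(pkt.src)
                    return "forward"
                return "drop"
            return "forward"          # rule b: any terminal may reach the management system
        if pkt.dst == SERVICE_ADDR:
            # Rule c: only sources currently in the policy list reach the service.
            return "forward" if pkt.src in self.policy_list else "drop"
        return "drop"                 # assumption: default deny for any other destination


def run_embodiment() -> List[Tuple[str, str]]:
    """Replay steps (2) to (5) of the embodiment on a fake clock (constructed traffic)."""
    clock = FakeClock()
    gw = ControlGateway(clock=clock)
    trace: List[Tuple[str, str]] = []

    def at(t: float, label: str, pkt: Packet) -> None:
        clock.now = t
        trace.append((label, gw.handle(pkt)))

    at(0, "t1 login", Packet(TERMINAL_1, MGMT_ADDR, LOGIN_PORT))           # step (2)
    at(1, "t1 -> service", Packet(TERMINAL_1, SERVICE_ADDR, 443))           # step (3)
    at(1, "t2 -> service", Packet(TERMINAL_2, SERVICE_ADDR, 443))           # step (3), never logged in
    at(2, "t2 heartbeat", Packet(TERMINAL_2, MGMT_ADDR, HEARTBEAT_PORT))    # step (4), unknown source
    at(8, "t1 heartbeat", Packet(TERMINAL_1, MGMT_ADDR, HEARTBEAT_PORT))    # step (4), expiry moves to 18
    at(15, "t1 -> service after heartbeat", Packet(TERMINAL_1, SERVICE_ADDR, 443))
    at(29, "t1 -> service after silence", Packet(TERMINAL_1, SERVICE_ADDR, 443))  # step (5), expired
    at(29, "t1 re-login", Packet(TERMINAL_1, MGMT_ADDR, LOGIN_PORT))        # step (2) repeated
    return trace


if __name__ == "__main__":
    for label, decision in run_embodiment():
        print(f"{label:32} {decision}")
```

Running the script prints the forward/drop decision for each replayed packet; the two entries at t=29 show the expiry and the re-login required by step (5).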
The access control method and system actively obtain the terminal's IP address through data packet analysis, combine this with a timeout-based keep-alive mechanism, and implement access control of mobile terminal devices by maintaining a dynamic policy control list, thereby effectively solving the problem that, in some practical scenarios, the mobile device access control gateway cannot accurately control the terminal's access because the terminal cannot provide its correct IP address to the terminal management and control system through the login protocol.
The foregoing shows and describes the general principles, main features and advantages of the present invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and drawings only to illustrate the principle of the present invention, and that various changes and modifications may be made without departing from the spirit and scope of the present invention, all of which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and their equivalents.
Claims (5)
1. A method for implementing an access control gateway for mobile terminal devices based on data packet analysis, characterized by comprising the following steps:
step S10, configuring the interception rule by which the control gateway intercepts data packets;
step S20, when the mobile terminal device and the terminal management and control system establish a mutual communication relationship, the control gateway actively intercepts the data packets that match the interception rule, performs protocol analysis on the intercepted packets to obtain their terminal source address, adds the obtained terminal source address to the dynamic policy control list, and sets a timeout period for it;
step S30, the control gateway actively intercepts the heartbeat packets that the mobile terminal device sends to the terminal management and control system at regular intervals, and analyzes and processes them to determine whether the timeout period of the terminal source address needs to be reset;
step S40, if the control gateway does not intercept a heartbeat packet from the mobile terminal device to the terminal management and control system within the timeout period, the corresponding terminal source address is removed from the dynamic policy control list.
2. The method for implementing an access control gateway for mobile terminal devices based on data packet analysis as claimed in claim 1, wherein in step S10 the interception rule is configured as follows:
A. the network access control mode of the control gateway includes an iptables policy and a DPDK mode;
B. configuring, on the control gateway, an access control rule that permits forwarding of data packets whose source address is any terminal address and whose destination address is the address of the terminal management and control system;
C. configuring an access control rule that permits forwarding of data packets whose source address is an address in the policy control list maintained by the control gateway and whose destination address is the specified service address;
D. configuring an access control rule that sends to interception processing the data packets whose source address is any terminal address, whose destination address is the address of the terminal management and control system, and whose destination port is the port on which the terminal management and control system handles the terminal login service;
E. configuring an access control rule that sends to interception processing the data packets whose source address is any terminal address, whose destination address is the address of the terminal management and control system, and whose destination port is the port on which the terminal management and control system handles the terminal heartbeat service;
F. configuring the timeout period of the elements stored in the policy control list, namely the terminal source addresses.
3. The method for implementing a mobile terminal device access control gateway based on packet analysis according to claim 1, wherein in step S20, the control gateway actively intercepting the data packets that match the interception rule, performing protocol analysis on the intercepted packets to obtain the terminal source address, adding the obtained terminal source address to the dynamic policy control list and setting a timeout for it comprises the following steps:
step S21, when the mobile terminal device and the terminal management and control system establish a mutual trust relationship, namely perform the login service, the source address of the mobile terminal device must remain unchanged for the duration of the service and must not be subjected to NAT translation;
step S22, the control gateway actively intercepts the data packet sent when the mobile terminal device logs in, according to the interception rule configured in step S10, and performs protocol analysis on it to obtain the source address of the mobile terminal device;
step S23, adding the obtained terminal source address to the dynamic policy control list maintained by the control gateway, and automatically setting a timeout for the obtained terminal source address according to the interception rule configured in step S10;
step S24, within the timeout period the mobile terminal device can access the services specified by the interception rule configured in step S10.
4. The method for implementing a mobile terminal device access control gateway based on data packet analysis as claimed in claim 1, wherein in step S30, the control gateway actively intercepting the heartbeat packets periodically sent by the mobile terminal device to the terminal management and control system, and analyzing and processing the intercepted heartbeat packets to determine whether the timeout of the terminal source address needs to be reset, comprises the following steps:
step S31, after initiating the login service, the mobile terminal device sends heartbeat packets to the terminal management and control system at regular intervals in order to keep its online state;
step S32, the control gateway actively intercepts the heartbeat packets sent by the mobile terminal device to the terminal management and control system according to the interception rule configured in step S10, and performs protocol analysis on each intercepted packet to obtain its terminal source address;
step S33, checking whether the terminal source address is present in the dynamic policy control list maintained by the control gateway; if so, resetting the timeout of that terminal source address; if not, the mobile terminal device corresponding to that terminal source address has not performed the login service, and its data packets are discarded by default.
5. The method for implementing a mobile terminal device access control gateway based on packet analysis as claimed in claim 1, wherein in step S40, the control gateway removing the corresponding terminal source address from the dynamic policy control list when it does not intercept a heartbeat packet sent by the mobile terminal device to the terminal management and control system within the timeout period comprises the following steps:
step S41, the control gateway dynamically updates the terminal source addresses in the policy control list: if no heartbeat packet sent by the mobile terminal device to the terminal management and control system is intercepted within the timeout period, the terminal source address is actively removed;
step S42, the mobile terminal device corresponding to a terminal source address removed from the policy control list is no longer allowed to access the services specified by the interception rule configured in step S10; if it needs access, it must establish a mutual trust relationship with the terminal management and control system again, that is, step S20 is repeated.
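The five claims above describe one state machine: a login packet to the management system adds the terminal's source address to a dynamic list with a timeout, each heartbeat from a listed address resets that timeout, an expired entry is removed, and only listed addresses may reach the protected service addresses. The following Python model is an added illustration of that state machine and is not code from the patent or its applicant; the management-system address, the login and heartbeat ports, the protected service address, the terminal addresses and the 60-second timeout are all constructed sample values, and "default deny" for traffic the claims do not mention is an assumption made here.

```python
"""Toy model of the dynamic policy control list described in claims 1 to 5.

Added example, not code from the patent or its applicant. All addresses,
ports and the timeout are constructed sample values.
"""
from dataclasses import dataclass, field

MGMT_ADDR = "10.0.0.10"          # terminal management and control system (constructed)
LOGIN_PORT = 8443                # port handling the terminal login service (constructed)
HEARTBEAT_PORT = 8444            # port handling the terminal heartbeat service (constructed)
SERVICE_ADDRS = {"10.0.1.20"}    # "specified service addresses" of rule C (constructed)
DEFAULT_TIMEOUT = 60.0           # rule F: lifetime of a list entry, in seconds (constructed)


@dataclass(frozen=True)
class Packet:
    """The fields the gateway's protocol analysis extracts from an intercepted packet."""
    src: str
    dst: str
    dport: int


@dataclass
class ControlGateway:
    timeout: float = DEFAULT_TIMEOUT
    # dynamic policy control list: terminal source address -> absolute expiry time
    policy_list: dict = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        """Steps S40/S41: remove entries whose heartbeat did not arrive before the timeout."""
        for src, expiry in list(self.policy_list.items()):
            if now >= expiry:
                del self.policy_list[src]

    def handle(self, pkt: Packet, now: float) -> str:
        """Return the gateway verdict ("FORWARD" or "DROP") for one packet at time `now`."""
        self._expire(now)
        if pkt.dst == MGMT_ADDR:
            if pkt.dport == LOGIN_PORT:
                # Rule D, steps S22/S23: learn the source address of the login packet
                # and start its timer. Rule B still forwards the packet itself.
                self.policy_list[pkt.src] = now + self.timeout
                return "FORWARD"
            if pkt.dport == HEARTBEAT_PORT:
                # Rule E, step S33: a heartbeat from a listed address resets its timer;
                # a heartbeat from an address that never logged in is discarded.
                if pkt.src in self.policy_list:
                    self.policy_list[pkt.src] = now + self.timeout
                    return "FORWARD"
                return "DROP"
            # Rule B: any terminal may reach the management and control system.
            return "FORWARD"
        if pkt.dst in SERVICE_ADDRS:
            # Rule C, steps S24/S42: protected services only for addresses currently listed.
            return "FORWARD" if pkt.src in self.policy_list else "DROP"
        # Anything else: default deny (an assumption; the claims leave it unspecified).
        return "DROP"


def run_scenario() -> list:
    """Drive one terminal through login, heartbeat refresh and expiry on a simulated clock."""
    gw = ControlGateway(timeout=DEFAULT_TIMEOUT)
    terminal, stranger = "192.168.1.5", "192.168.1.9"     # constructed terminal addresses
    steps = [
        (Packet(terminal, "10.0.1.20", 443), 0.0),            # service before login -> DROP
        (Packet(terminal, MGMT_ADDR, LOGIN_PORT), 1.0),       # login -> FORWARD, listed until t=61
        (Packet(terminal, "10.0.1.20", 443), 2.0),            # service while listed -> FORWARD
        (Packet(terminal, MGMT_ADDR, HEARTBEAT_PORT), 50.0),  # heartbeat -> FORWARD, expiry moves to t=110
        (Packet(terminal, "10.0.1.20", 443), 100.0),          # still listed thanks to the heartbeat -> FORWARD
        (Packet(terminal, "10.0.1.20", 443), 120.0),          # no heartbeat since t=50 -> expired -> DROP
        (Packet(stranger, MGMT_ADDR, HEARTBEAT_PORT), 121.0), # heartbeat without prior login -> DROP
    ]
    return [gw.handle(pkt, t) for pkt, t in steps]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The scenario shows the two properties a defender cares about: an address that stops sending heartbeats loses access on its own once the timer lapses (step S41), and a heartbeat from an address that never logged in cannot create an entry (step S33), so the heartbeat channel refreshes trust but never grants it. On a real gateway using the iptables mode of rule A, the per-address timeout of rule F maps naturally onto an ipset created with a timeout, while the login and heartbeat interception of rules D and E still needs a userspace hook that performs the protocol analysis.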
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111288984.4A CN113973303B (en) | 2021-11-02 | 2021-11-02 | Method for realizing mobile terminal equipment access control gateway based on data packet analysis |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111288984.4A CN113973303B (en) | 2021-11-02 | 2021-11-02 | Method for realizing mobile terminal equipment access control gateway based on data packet analysis |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113973303A true CN113973303A (en) | 2022-01-25 |
| CN113973303B CN113973303B (en) | 2024-04-02 |
Family ID: 79589361
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111288984.4A Active CN113973303B (en) | 2021-11-02 | 2021-11-02 | Method for realizing mobile terminal equipment access control gateway based on data packet analysis |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113973303B (en) |
Citations (20)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20040109518A1 (en) * | 2002-06-10 | 2004-06-10 | Akonix Systems, Inc. | Systems and methods for a protocol gateway |
| US7194004B1 (en) * | 2002-01-28 | 2007-03-20 | 3Com Corporation | Method for managing network access |
| KR20070081116A (en) * | 2007-02-09 | 2007-08-14 | 주식회사 코어세스 | Alp spoof automatic blocking device and method |
| CN101119206A (en) * | 2007-09-13 | 2008-02-06 | 北京交通大学 | Identity-based integrated network terminal unified access control method |
| CN101119315A (en) * | 2007-09-17 | 2008-02-06 | 当代天启技术(北京)有限公司 | Data transmission method, system and gateway in control network |
| CN101355459A (en) * | 2008-08-29 | 2009-01-28 | 北京理工大学 | A Network Monitoring Method Based on Trusted Protocol |
| CN101567888A (en) * | 2008-12-29 | 2009-10-28 | 郭世泽 | Safety protection method of network feedback host computer |
| CN102307197A (en) * | 2011-08-29 | 2012-01-04 | 浙江中烟工业有限责任公司 | Trusted enhancement subsystem of multilevel security intercommunication platform |
| US20130316675A1 (en) * | 2012-05-24 | 2013-11-28 | Seven Networks, Inc. | Facilitation of mobile operator billing based on wireless network traffic management and tracking of destination address in conjunction with billing policies |
| CN103916424A (en) * | 2012-12-31 | 2014-07-09 | 中国移动通信集团广东有限公司 | Application program heartbeat packet control method, communication terminal and communication network |
| CN104753926A (en) * | 2015-03-11 | 2015-07-01 | 华中科技大学 | Gateway access control method |
| CN105052106A (en) * | 2013-03-15 | 2015-11-11 | 柏思科技有限公司 | Method and system for receiving and transmitting Internet Protocol (IP) data packets |
| CN105227515A (en) * | 2014-05-28 | 2016-01-06 | 腾讯科技(深圳)有限公司 | Network intrusions blocking-up method, Apparatus and system |
| CN105282157A (en) * | 2015-10-22 | 2016-01-27 | 中国人民解放军装备学院 | Secure communication control method |
| CN108337257A (en) * | 2018-01-31 | 2018-07-27 | 新华三技术有限公司 | A kind of authentication-exempt access method and gateway device |
| CN108881328A (en) * | 2018-09-29 | 2018-11-23 | 北京东土军悦科技有限公司 | Packet filtering method, device, gateway and storage medium |
| CN109088844A (en) * | 2017-06-13 | 2018-12-25 | 腾讯科技(深圳)有限公司 | Information intercepting method, terminal, server and system |
| CN110336836A (en) * | 2019-08-06 | 2019-10-15 | 郑州信大捷安信息技术股份有限公司 | A kind of Web filtering service system and method |
| CN111245858A (en) * | 2020-01-19 | 2020-06-05 | 世纪龙信息网络有限责任公司 | Network flow interception method, system, device, computer equipment and storage medium |
| CN113010911A (en) * | 2021-02-07 | 2021-06-22 | 腾讯科技(深圳)有限公司 | Data access control method and device and computer readable storage medium |
- 2021-11-02 CN CN202111288984.4A patent/CN113973303B/en Active
Non-Patent Citations (3)
| Title |
|---|
| 余胜生, 周江, 周敬利: "Research and implementation of a scheme for cross-gateway transmission of media streams", 计算机应用研究, no. 05 * |
| 姜熙炯, 封红旗: "Design and implementation of an IP control gateway", 江苏工业学院学报, no. 03 * |
| 马亮: "Construction of a campus network terminal security management and control system", 计算机与网络, no. 22 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113973303B (en) | 2024-04-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10432535B2 (en) | | Performing a specific action on a network packet identified as a message queuing telemetry transport (MQTT) packet |
| US12101318B2 (en) | | Adaptive multipath tunneling in cloud-based systems |
| US10673881B2 (en) | | Method and system for limiting the range of data transmissions |
| US9467327B2 (en) | | Server-mediated setup and maintenance of peer-to-peer client computer communications |
| US20150188882A1 (en) | | Method and apparatus for network address translation and firewall traversal |
| JP2023532924A (en) | | Ensuring Separation of Control and User Planes in Mobile Networks |
| US20240187386A1 (en) | | System and method for creating a secure hybrid overlay network |
| EP3472992B1 (en) | | Network path probing using available network connections |
| US20220286425A1 (en) | | Method and Apparatus for Establishing End-to-End Network Connection, and Network System |
| US20220052850A1 (en) | | Turn authentication using sip channel discovery |
| US10547647B2 (en) | | Intra-carrier and inter-carrier network security system |
| US12273316B2 (en) | | Selection of an egress IP address for egress traffic of a distributed cloud computing network |
| US11799914B2 (en) | | Cellular internet of things battery drain prevention in mobile networks |
| Mohammadnia et al. | | IoT-NETZ: Practical spoofing attack mitigation approach in SDWN network |
| US12160407B2 (en) | | Method and apparatus for dynamic outbound firewalling via domain name system (DNS) |
| CN113973303B (en) | | Method for realizing mobile terminal equipment access control gateway based on data packet analysis |
| CN113726901A (en) | | P2P communication method and system based on ICE |
| US10505892B2 (en) | | Method for transmitting at least one IP data packet, related system and computer program product |
| CN110830419B (en) | | Access control method and device for internet protocol camera |
| US10630717B2 (en) | | Mitigation of WebRTC attacks using a network edge system |
| Trammell et al. | | A new transport encapsulation for middlebox cooperation |
| KR100932570B1 (en) | | Method for maintaining large session information between application server and client in NAT equipment without burdening server and server side network |
| US12425488B2 (en) | | Method of operating a telecommunications network |
| US20230254225A1 (en) | | Generating hybrid network activity records |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | GR01 | Patent grant | |
| | PE01 | Entry into force of the registration of the contract for pledge of patent right | |
| | PE01 | Entry into force of the registration of the contract for pledge of patent right | Denomination of invention: Implementation method of mobile terminal device access control gateway based on packet analysis; Granted publication date: 20240402; Pledgee: Chongming Sub branch of Shanghai Rural Commercial Bank Co.,Ltd.; Pledgor: SHANGHAI KOAL SAFETY TECHNOLOGY CO.,LTD.; Registration number: Y2024310000835 |