CN100459563C - Identification gateway and its data treatment method - Google Patents

Info

Publication number
CN100459563C
Authority
CN
China
Prior art keywords
authentication
user
module
address
certificate
Prior art date
Legal status
Expired - Fee Related
Application number
CNB2003101087822A
Other languages
Chinese (zh)
Other versions
CN1620034A (en)
Inventor
陆维林
顾青
Current Assignee
Shanghai Information Safety Infrastructure Research Center
Original Assignee
SHANGHAI INFORMATION SAFETY INFRASTRUCTURE RESEARCH CENTER
WELLHOPE INFORMATION TECHNOLOGY Co Ltd
Application filed by SHANGHAI INFORMATION SAFETY INFRASTRUCTURE RESEARCH CENTER and WELLHOPE INFORMATION TECHNOLOGY Co Ltd
Priority to CNB2003101087822A
Published as CN1620034A
Application granted
Published as CN100459563C
Anticipated expiration
Current legal status: Expired - Fee Related

Abstract

An authentication gateway and its data processing method. The gateway comprises an IP layer monitoring module, an identity authentication module, a routing module, a management configuration module, an audit module and a user message notification module. The IP layer monitoring module inspects every IP packet entering the IN port and checks whether its source is a new IP address. If the address is already known and its authentication has not exceeded the active period, the IP packet is let through; otherwise the packet is dropped and the identity authentication module is asked to authenticate the user. Authentication is based on digital certificates, and the result is fed back to the IP monitoring module, which decides whether to pass or drop the user's packets, so that only IP packets of users who have passed authentication can traverse the gateway and obtain system resources.

Description

Authentication gateway and data processing method thereof
Technical field
The present invention relates to a network security interworking device with trusted access control and routing functions, and in particular to an authentication gateway that implements packet monitoring, user identity authentication and routing forwarding at the IP layer. The invention further relates to the data processing method of this authentication gateway.
Background technology
In the course of network informatization and e-government deployment, network security has become a problem that urgently needs solving. Fundamentally, what network security must address is the relationship between people, resources, and people's access to resources. Specifically, when an application system is accessed, the person and the device the person uses are the visitor, and all network resources of the application system (services, files, etc.) are the visited party. Achieving secure, trusted access by people to resources requires solving the following two problems:
1) "Who can come in": how to guarantee trusted access to the application system by external users, so that only a user who holds a valid certificate and whose identity has been verified as trustworthy can access the application system.
2) "What can go out": how to control the resources within the application system effectively, so that a user obtains a resource from the application system only when access to that resource has been authorized to that user.
For the problem of "who can come in", that is, how to control users' trusted access to the application system effectively, the following families of gateway products currently offer technical solutions, but all of them have shortcomings in terms of security.
1. packet filter firewall
Most network security companies produce packet filtering firewalls. By examining the source address, destination address, port numbers, protocol state and similar attributes of each packet in the data stream, or a combination of them, such a firewall decides whether to allow the packet through. If the firewall designates a certain IP address as dangerous, all traffic from that address is blocked by the firewall. The biggest advantages of a packet filtering firewall are that it is transparent to the user, fast, and easy to maintain. Its shortcomings are: first, the access object it controls is a device, not the person using the device; once a device's IP address and port number are configured to be allowed through, whoever is currently using that device can pass the firewall and access the application, regardless of whether that user actually has the right to access it; second, the source address, destination address and transport-layer port numbers of a packet are all carried in the clear in the packet header, where they can easily be eavesdropped on or forged.
2. application level gateway
An application level gateway (Application Level Gateway) is a class of firewall product that provides protocol filtering and forwarding at the network application layer. It filters a specific network application service protocol with specified data filter logic and, while filtering, performs the necessary analysis, logging and statistics on packets and produces reports. In practice an application level gateway is usually installed on a dedicated workstation. Application level gateways and packet filtering firewalls share a common characteristic: both rely solely on a specific logic to decide whether a packet may pass. Once that logic is satisfied, a direct connection is established between the computer systems inside and outside the firewall, and a user outside the firewall can use a device configured to be allowed through to access the network resources protected by the firewall directly, whether or not that user has the authority to access the application. Furthermore, application level gateways lack flexibility: they must be changed with each application environment, a separate agent program is needed for each service, and rapid deployment is not possible.
3. agency service
A proxy service (Proxy Service), also called a circuit level gateway or TCP tunnel (Circuit Level Gateways or TCP Tunnels), is regarded by some as a form of application level gateway. It is a firewall technology introduced to address the shortcomings of packet filtering and application level gateway technology, and its characteristic is that every network communication link crossing the firewall is split into two segments. The application layer "link" between the computer systems inside and outside the firewall is realized by two "links" that terminate on the proxy server; the network link from an outside computer can only reach the proxy server, which thereby isolates the computer systems inside and outside the firewall. In addition, the proxy service analyses and logs the packets that pass through it, produces reports, can raise an alarm to the network administrator when signs of an attack are found, and preserves traces of the attack.
4. transparent mode gateway
A transparent mode gateway is transparent to the application system and is generally applied in telecommunications, government, medical and similar systems for billing and network management. Existing transparent mode gateways generally operate at the IP layer and are a kind of network management device that typically combines packet inflow (outflow) control, network management, billing and monitoring in one unit. They implement user identity authentication by binding the user account, IP address and NIC address together, or by using just one of these, and can achieve access control and network monitoring without changing the way users access the Internet.
At present the four families of products above are limited to authenticating devices; they do not authenticate the user of the device, and their authentication is not based on digital certificates. As soon as there is no trust relationship between a device and the user of that device, this access control mechanism is unsafe.
Summary of the invention
The technical problem solved by the present invention is to provide an authentication gateway that not only authenticates devices but also authenticates the users accessing the application system by means of a PKI authentication system based on digital certificates, so that only a user who passes authentication can traverse the authentication gateway and access the application system, while a user who fails cannot access the application system. To this end, the present invention also provides a data processing method for this authentication gateway.
To solve the above technical problem, the authentication gateway of the present invention comprises an IP layer monitoring module, an identity authentication module, a routing module, a management configuration module, an audit module and a user message notification module. The authentication gateway exchanges information with the user terminal, the adaptation server and the application system.
The IP layer monitoring module is formed by modifying the iptables packet filtering system of the Netfilter framework of the routing software. It is responsible for parsing and monitoring the IP layer packets entering the IN port and deciding whether to let them through; this process is completely transparent to the accessing user.
The identity authentication module consists of two parts, an authentication client and a certificate server (that is, the authentication server). Using a custom, proprietary IP-layer authentication protocol in challenge/response mode, it implements local authentication of user identity based on X.509 certificates. The certificate server holds an authenticated user list, which records the information of users whose identity has been authenticated and who are within their "active period".
The routing module consists of a Bgpd submodule managing the BGP-4 and BGP-4+ protocols, a Ripd submodule managing the RIPv1 and v2 protocols, a Ripngd submodule managing the RIPng protocol, an Ospfd submodule managing the OSPFv2 protocol and an ospf6d submodule managing the OSPFv3 protocol. It implements the full functionality of a dynamic router, including IP datagram forwarding and dynamic updating of the routing table based on the OSPF and BGP protocols.
The user message notification module promptly notifies the adaptation server of the user's information after the user has been authenticated by the authentication gateway and correspondingly authorized.
The management configuration module mainly manages the basic information and certificates of users and administrators; it also configures routing information and monitors the authentication gateway in real time.
The audit module provides two logging functions: remote logging based on the syslog log protocol, and local logging.
When the authentication gateway operates, the modules are combined as follows:
The IP layer monitoring module monitors, at the IN port, the IP packets that arrive at the authentication gateway from the external network and are destined for the application system; when it detects that the source IP address and user information of an IP packet are not in the "authenticated user list", the IP layer monitoring module combines with the identity authentication module through a system call;
After the identity authentication module has authenticated the user, it calls the message notification interface to combine with the user message notification module, and at the same time calls the log transmission interface to send log information, combining with the audit module;
After the user has passed authentication, the authentication gateway combines with the routing module through a system call, and the routing module forwards the data;
The authentication gateway adopts an all-IP architecture, in which the IP layer monitoring module, identity authentication module and routing module operate at the IP layer, providing transparency to the application system and IP-layer interconnection, while the management configuration module, user message notification module and audit module operate at the application layer, providing the management, audit and user message notification functions of the authentication gateway.
The monitoring, authentication and routing processing steps of the authentication gateway of the present invention are as follows:
1) The IP layer monitoring module inspects IP packets at the IN port. When it detects that the source IP address of an IP packet is not in the "authenticated user list", that is, an unauthenticated source IP address or one whose authentication "active period" has expired is accessing the internal network, it immediately notifies the identity authentication module to authenticate and discards this IP packet;
2) The identity authentication module sends an "authentication request" to this IP address, requiring the user at that address to present a certificate; the "authentication request" carries the current authentication session number and an authentication random number;
3) The authentication client receives the "authentication request" sent by the server side, signs the authentication random number with its own private key, attaches its own certificate, forms a "signature response" packet and sends the "signature response" packet to the certificate server;
4) The certificate server receives the "signature response" sent by the client. It first verifies the user certificate in the "signature response" packet against the root certificate, and only if that verification passes does it use the certificate to verify the signature. If the signature verifies, it adds this user's information to the authenticated user list and affixes a timestamp, at the same time feeding back an authentication-passed message to the IP monitoring module and issuing an instruction that allows this IP address to pass during the "active period", so that the user can access the application system through the authentication gateway;
5) Otherwise it feeds back an authentication-failed message and forbids this IP address from accessing the application system;
6) When an authenticated IP address is about to exceed the authentication "active period", the certificate server repeats steps 2) to 5). This guarantees periodic automatic re-authentication during the communication between the user and the application system without affecting the use of network resources;
7) Besides the periodic re-authentication of step 6), another re-authentication policy may be chosen: after the user has passed authentication, whether the user is still active is judged from network traffic; traffic above a certain threshold counts as active and traffic below the threshold as inactive. The information of an IP address user in the inactive state is deleted from the authenticated user list, and that user is required to authenticate again on the next access;
8) After authentication has passed, the IP layer monitoring module hands the processing of packets from this IP address over to the routing module, which carries out the routing and forwarding of those packets.
The beneficial effects of the invention are: the authentication gateway operates at the IP layer, is transparent to applications, and allows rapid deployment of the application gateway; at the IP layer it authenticates both the IP device and the user of the device on the basis of digital certificates, guaranteeing the protection of a trustworthy network; at the IP layer it forwards data, keeping data communication unobstructed; and in the authentication process it uses authentication based on a PKI authentication system, guaranteeing the reliability of authentication.
Description of drawings
Below, the present invention is described in further detail with reference to the drawings and embodiments.
Fig. 1 is a system architecture diagram of the authentication gateway of the present invention;
Fig. 2 is a hierarchical model diagram of the authentication gateway of the present invention;
Fig. 3 is a workflow diagram of the monitoring stage of the authentication gateway of the present invention;
Fig. 4 is a workflow diagram of the authentication stage of the authentication gateway of the present invention;
Fig. 5 is a workflow diagram of the user message notification stage of the authentication gateway of the present invention;
Fig. 6 is a workflow diagram of the routing forwarding stage of the authentication gateway of the present invention;
Fig. 7 is a schematic diagram of a packet passing through the Netfilter system;
Fig. 8 is a detailed workflow diagram of the IP layer monitoring of the authentication gateway of the present invention;
Fig. 9 is a detailed workflow diagram of the authentication of the authentication gateway of the present invention.
Embodiment
As shown in Fig. 1, the authentication gateway of the present invention comprises an IP layer monitoring module, an identity authentication module, a routing module, a management configuration module, an audit module and a user message notification module. The authentication gateway exchanges information with the user terminal, the adaptation server and the application system.
The IP layer monitoring module is formed by modifying the iptables packet filtering system of the Netfilter framework of the routing software. It is responsible for parsing and monitoring the IP layer packets entering the IN port and deciding whether to let them through; this process is completely transparent to the accessing user.
The identity authentication module consists of two parts, an authentication client and a certificate server (that is, the authentication server). Using a custom, proprietary IP-layer authentication protocol in challenge/response mode, it implements local authentication of user identity based on X.509 certificates. The certificate server holds an authenticated user list, which records the information of users whose identity has been authenticated and who are within their "active period";
The routing module consists of a Bgpd submodule managing the BGP-4 and BGP-4+ protocols, a Ripd submodule managing the RIPv1 and v2 protocols, a Ripngd submodule managing the RIPng protocol, an Ospfd submodule managing the OSPFv2 protocol and an ospf6d submodule managing the OSPFv3 protocol. It implements the full functionality of a dynamic router, including IP datagram forwarding and dynamic updating of the routing table based on the OSPF and BGP protocols;
The user message notification module promptly notifies the adaptation server of the user's information after the user has been authenticated by the authentication gateway and correspondingly authorized;
The management configuration module mainly manages the basic information and certificates of users and administrators; it also configures routing information and monitors the authentication gateway in real time. User management is realized through the coordinated work of the log server in the adaptation server and the authorization module;
The audit module provides two logging functions: remote logging based on the syslog log protocol, and local logging.
When the authentication gateway of the present invention operates, the modules are combined as follows:
Combination 1: the IP layer monitoring module monitors, at the IN port, the IP packets that arrive at the authentication gateway from the external network and are destined for the application system; when it detects that the source IP address and user information of an IP packet are not in the "authenticated user list", the IP layer monitoring module combines with the identity authentication module through a system call.
Combination 2: after the identity authentication module has authenticated the user, it calls the message notification interface to combine with the user message notification module, and at the same time calls the log transmission interface to send log information, combining with the audit (log) module.
Combination 3: after the user has passed authentication, the authentication gateway combines with the routing module through a system call, and the routing module forwards the data.
The control of each module of the authentication gateway of the present invention during operation is as follows: running the IP layer monitoring module realizes the monitoring and parsing of IP packets; running the routing module realizes the routing and forwarding of IP packets; running the management configuration module realizes the management, configuration and monitoring of user information and routing information; running the certificate server (the authentication server side) listens for authentication protocol messages; after the user passes authentication, the certificate server invokes the user message notification module to notify the application system; at the same time, after the user passes authentication, the certificate server invokes the audit (log) module to send log information.
The hierarchical model of the authentication gateway of the present invention follows the layered system model of the network protocol stack. It adopts a mixture of modular and object-oriented programming, uses code reuse techniques and a unified module structure, and thereby guarantees the extensibility, maintainability, efficiency and reliability of the system; the hierarchical model is shown in Fig. 2.
The whole authentication gateway adopts an all-IP architecture, in which the IP layer monitoring module, identity authentication module and routing module operate at the IP layer, thereby achieving transparency to the application system and IP-layer interconnection, while the management configuration module, user message notification module and audit (log) module operate at the application layer, providing the management, audit and user message notification functions of the authentication gateway of the present invention.
The data processing flow of the authentication gateway of the present invention is as follows:
In one complete process of a client accessing the application system through the authentication gateway of the present invention, the gateway's handling of the data passes through the following stages: the monitoring stage, the authentication stage, the user message notification stage and the routing forwarding stage.
Monitoring stage: as shown in Fig. 1, the IP layer monitoring module monitors IP packets at the IN port. If the source IP address and user information of the current packet exist in the "authenticated user list", the IP packet is passed to the routing module, which routes it; if they do not, the IP layer monitoring module starts the identity authentication module through a system call, the identity authentication module initiates an identity authentication request to the user at this IP address, and the authentication stage is entered. The data processing flow of the monitoring stage is shown in Fig. 3.
Authentication stage: after the identity authentication module starts, it initiates identity authentication based on digital certificates with the user. The detailed authentication process is described later in the detailed authentication workflow; here only the handling of the authentication result is described (see Fig. 4):
The identity authentication module returns the authentication result to the IP layer monitoring module and to the user;
If authentication fails, the IP layer monitoring module refuses the user's access request and discards this user's subsequent packets;
If authentication succeeds, the identity authentication module adds this user's information to the authenticated user list and affixes a timestamp. The IP layer monitoring module, consulting the information in the authenticated user list, permits this user's subsequent packets to pass.
The monitoring stage and the authentication stage together accomplish the authentication and control functions for user access to the application system: only the access data of a user who has access rights can traverse the authentication gateway and reach the application system, instead of deciding whether an IP packet may pass merely on the IP address of the accessing device.
User message notification stage: after the user passes authentication, the application system must be notified through the adaptation server (the adaptation server is not a component of the authentication gateway of the present invention, but a part of the operating support environment of the authentication gateway) so that it grants the user a corresponding temporary authorization and allows the user to access the application system. The data processing flow of the user message notification stage is shown in Fig. 5 and proceeds as follows:
The user message notification module notifies the adaptation server of the authenticated user's information (including the IP address, the user certificate ID number and other information); the adaptation server notifies the application system of the user's login information, triggering the corresponding authorization action in the application system; the user, according to the authorization, uses application system resources within the scope of the granted rights; at the same time the authentication gateway writes a log recording this user's login information.
Routing forwarding stage: the data processing of the routing forwarding stage follows the general routing protocols, routing according to the destination IP address; its workflow is shown in Fig. 6.
The user message notification stage and the routing forwarding stage implement the rights management and routing functions for the user's use of application system resources.
The data processing workflows of the two critical stages, IP layer monitoring and authentication, are described in further detail below.
Detailed workflow of the IP layer monitoring stage.
The path of a packet through the Netfilter system is shown in Fig. 7.
A packet enters the system from the left. After the IP checksum has been verified, the packet is handled by the first hook function, NF_IP_PRE_ROUTING[1], and then enters the routing code, which decides whether the packet is to be forwarded or is addressed to the local machine. If it is addressed to the local machine, the data are handled by the hook function NF_IP_LOCAL_IN[2] and then passed to the upper-layer protocol; if the packet is to be forwarded, it is handled by NF_IP_FORWARD[3], then by the last hook function, NF_IP_POST_ROUTING[4], and is then transmitted onto the network.
Locally generated data are handled by the hook function NF_IP_LOCAL_OUT[5], then undergo route selection, and are then handled by NF_IP_POST_ROUTING[4] and sent onto the network.
The authentication gateway of the present invention attaches its IP monitoring and handling function at NF_IP_PRE_ROUTING[1]. This function monitors and parses IP packets and recognises whether the user's identity needs to be authenticated. Its handling flow is shown in Fig. 8, and the processing steps are as follows:
Step 1: judge whether the packet is routing protocol information, that is, check the protocol field of the UDP header. If it is, do nothing and let the ip_rcv function continue, which lets the data through; otherwise go to step 2;
Step 2: judge whether the packet belongs to the custom authentication protocol, that is, check the skb->nh.iph->protocol field. If it does, do nothing and let the data through; otherwise go to step 3;
Step 3: judge whether the data are addressed to this machine's IP address; if not, go to step 5; if so, go to step 4;
Step 4: judge whether the data were received on the management port, that is, check the skb->dev->name field; if so, let them through, otherwise discard this sk_buff;
Step 5: check the source address, that is, the skb->nh.iph->saddr field. If this IP address is present in the kernel-state "authenticated IP linked list", do nothing and let the ip_rcv function continue, which lets the data through; otherwise discard this sk_buff, notify the identity authentication module of this IP address, and have the identity authentication module send an authentication request to the user at this IP address.
Because the monitoring procedure includes a check of whether the source IP address belongs to the authentication gateway itself or to a client, the situation in which the authentication gateway demands mutual authentication cannot arise.
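The five monitoring steps above, together with the "active period" expiry and the traffic-threshold re-authentication policy from the summary of the invention (its steps 6 and 7), as an added example in Go that is not part of the patent: the kernel hook is modelled as a user-space decision function over the sk_buff fields the steps name, so the order of the checks and the drop-and-request-authentication path can be exercised on constructed packets. The protocol number 253 for the proprietary authentication protocol, the IsRouting flag standing in for the UDP-header check of step 1, and all addresses and device names are assumptions.

```go
package main

import "time"

// Verdict is the hook's decision: let the packet continue down ip_rcv, or drop it.
type Verdict int

const (
	Accept Verdict = iota
	Drop
)

// Packet holds the sk_buff fields that the five monitoring steps consult.
type Packet struct {
	IsRouting bool   // step 1: routing-protocol message (the patent reads this off the protocol/UDP header)
	Protocol  uint8  // step 2: skb->nh.iph->protocol
	DstIP     string // step 3: destination address
	InDev     string // step 4: skb->dev->name
	SrcIP     string // step 5: skb->nh.iph->saddr
	Bytes     int    // payload length, counted for the step-7 activity measure
}

// AuthProtocol is the IP protocol number of the gateway's proprietary authentication
// protocol. The patent does not give the number; 253 (an experimental value) is a placeholder.
const AuthProtocol uint8 = 253

type entry struct {
	authedAt time.Time // timestamp stamped when the certificate server admitted the address
	bytes    int       // traffic seen since the last inactivity sweep
}

// Monitor models the IP layer monitoring module and its kernel-side "authenticated IP list".
type Monitor struct {
	LocalIPs     map[string]bool // the gateway's own addresses
	MgmtDev      string          // name of the management port
	ActivePeriod time.Duration   // the authentication "active period"
	Authed       map[string]*entry
	AuthRequests []string // addresses handed to the identity authentication module for a challenge
}

func NewMonitor(localIPs []string, mgmtDev string, active time.Duration) *Monitor {
	m := &Monitor{LocalIPs: map[string]bool{}, MgmtDev: mgmtDev, ActivePeriod: active,
		Authed: map[string]*entry{}}
	for _, ip := range localIPs {
		m.LocalIPs[ip] = true
	}
	return m
}

// Decide is the function attached at NF_IP_PRE_ROUTING, following steps 1 to 5 in order.
func (m *Monitor) Decide(p Packet, now time.Time) Verdict {
	if p.IsRouting { // step 1: routing protocol traffic passes so the routing module keeps working
		return Accept
	}
	if p.Protocol == AuthProtocol { // step 2: the authentication protocol itself must get through
		return Accept
	}
	if m.LocalIPs[p.DstIP] { // steps 3 and 4: traffic to the gateway only via the management port
		if p.InDev == m.MgmtDev {
			return Accept
		}
		return Drop
	}
	// step 5: forwarded traffic passes only if the source is listed and inside its active period
	if e, ok := m.Authed[p.SrcIP]; ok && now.Sub(e.authedAt) < m.ActivePeriod {
		e.bytes += p.Bytes
		return Accept
	}
	delete(m.Authed, p.SrcIP) // unverified, or past the active period: drop and request authentication
	m.AuthRequests = append(m.AuthRequests, p.SrcIP)
	return Drop
}

// Admit is the certificate server's feedback after a successful step 4: list the address with a timestamp.
func (m *Monitor) Admit(ip string, now time.Time) {
	m.Authed[ip] = &entry{authedAt: now}
}

// SweepInactive is the alternative policy of step 7: an address whose traffic since the last
// sweep stayed below the threshold is considered inactive and removed, so its next packet
// triggers a fresh authentication; active addresses stay listed with their counter reset.
func (m *Monitor) SweepInactive(threshold int) []string {
	var removed []string
	for ip, e := range m.Authed {
		if e.bytes < threshold {
			delete(m.Authed, ip)
			removed = append(removed, ip)
		} else {
			e.bytes = 0
		}
	}
	return removed
}
```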
Detailed workflow of the authentication stage.
After the identity authentication module receives the notice passed on by the monitoring module that a client user needs to be authenticated, it sends an authentication request to the client and the authentication process begins. Its handling flow is shown in Fig. 9; the detailed process is as follows:
The certificate server of the identity authentication module sends a request to the authentication client of the identity authentication module, asking the authentication client to transmit the certificate ID number of the user at that end;
The authentication client responds to the request sent by the authentication server side and passes the user's certificate ID number to the certificate server for handling;
After the certificate server receives the certificate ID number, it generates a random number and sends it to the authentication client;
After the user at the authentication client receives the random number transmitted by the certificate server, the user signs it with the user's X.509 certificate, and the signature and the certificate are passed together to the certificate server;
The certificate server verifies the signature. If it passes, the server adds this user's information to the authenticated user list and affixes a timestamp, at the same time feeding back an authentication-passed message to the authentication client and issuing an instruction that allows this IP address to pass during the "active period", so that the user's data can access the application system through the authentication gateway;
Otherwise it feeds back an authentication-failed message and forbids this IP address from accessing the application system.
The monitoring, authentication and routing process steps of the authentication gateway of the present invention are as follows:
1) When the IP layer monitoring module detects that the source IP address of the current IP packet entering the IN port is not present in the "authenticated user list", i.e. that a source IP address that is unauthenticated or whose authentication "active period" has elapsed is accessing the intranet, it immediately notifies the authentication module to perform authentication and discards this IP packet;
2) The authentication module sends an "authentication request" to this IP address, requiring the user at that address to present credentials; the "authentication request" contains information such as the current authentication session number and the authentication random number;
3) The Authentication Client receives the "authentication request" sent by the service end, signs the authentication random number with its own private key, attaches its own certificate to form a "signature response" packet, and sends the "signature response" packet to the certificate server;
4) The certificate server receives the "signature response" sent by the client. It first verifies the user certificate contained in the "signature response" packet against the root certificate; if that verification passes, it uses this certificate to verify the signature. If the signature verifies successfully, the user's information is added to the authenticated user list together with a timestamp; at the same time an authentication-passed message is sent to the IP monitoring module and an instruction is issued allowing this IP address to pass during the "active period", so that the user may access the application system through the authentication gateway;
5) Otherwise an authentication-failed message is returned, and this IP address is forbidden to access the application system;
6) When an authenticated IP address is about to exceed its authentication "active period", the certificate server repeats the operations of steps 2) to 5). This guarantees periodic automatic re-authentication during communication between the user and the application system without affecting the use of network resources;
7) Besides the periodic re-authentication of step 6), another re-authentication policy may be selected: after the user has passed authentication, network traffic is used to judge whether the user is still active. Traffic above a certain threshold is regarded as active, traffic below it as inactive. The information of IP address users in the inactive state is deleted from the authenticated user list, so that they are required to authenticate again when they next access;
8) After authentication has passed, the IP layer monitoring module hands over the disposal of IP packets from this IP address to the routing module, which performs the routing and forwarding of the IP packets from this IP address.
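The five checks of the kernel-state monitoring hook (step 5 above and steps 1 to 5 of claim 3), together with the active-period expiry of step 6) and the traffic-based inactivity policy of step 7), as an added user-space model in Go; this is not the patent's kernel code. The `packet` struct stands in for the sk_buff fields the hook reads, and the example assumes how "routing protocol information" is recognised (the standard IANA numbers for OSPF, RIP, RIPng and BGP), a placeholder protocol number 253 for the gateway's own authentication protocol, and the interface name "eth2" for the M port; none of those values appears in the patent.

```go
package main

import (
	"sort"
	"time"
)

// Verdict is what the hook does with a packet: continue down ip_rcv, discard the sk_buff, or discard it
// and hand the source address to the authentication module for a challenge.
type Verdict int

const (
	Accept Verdict = iota
	Drop
	NeedAuth
)

// packet holds user-space stand-ins for the sk_buff fields the five checks read.
type packet struct {
	proto   int    // skb->nh.iph->protocol
	dstPort int    // TCP/UDP destination port, used to recognise routing-protocol traffic
	src     string // skb->nh.iph->saddr
	toLocal bool   // destination is one of the gateway's own addresses
	dev     string // skb->dev->name
	length  int    // payload bytes, counted for the traffic-based re-authentication policy
}

// isRoutingProtocol recognises the protocols the routing module speaks by their standard IANA numbers;
// the patent does not say how step 1 identifies "routing protocol information", so this is an assumption.
func isRoutingProtocol(p packet) bool {
	switch {
	case p.proto == 89: // OSPFv2/OSPFv3 run directly over IP
		return true
	case p.proto == 17 && (p.dstPort == 520 || p.dstPort == 521): // RIPv1/v2 and RIPng over UDP
		return true
	case p.proto == 6 && p.dstPort == 179: // BGP-4/BGP-4+ over TCP
		return true
	}
	return false
}

// monitor holds the kernel-state "authenticated IP list" with the timestamp stamped at authentication.
type monitor struct {
	mgmtDev   string               // interface name of the M (management) port, assumed
	authProto int                  // placeholder protocol number of the gateway's own authentication protocol
	active    time.Duration        // the authentication "active period"
	allowed   map[string]time.Time // source IP -> time authentication passed
	traffic   map[string]int64     // bytes seen per source IP since the last inactivity sweep
}

func newMonitor(mgmtDev string, authProto int, active time.Duration) *monitor {
	return &monitor{mgmtDev: mgmtDev, authProto: authProto, active: active,
		allowed: map[string]time.Time{}, traffic: map[string]int64{}}
}

// hook applies the five checks in the order the description gives them.
func (m *monitor) hook(p packet, now time.Time) Verdict {
	if isRoutingProtocol(p) { // step 1
		return Accept
	}
	if p.proto == m.authProto { // step 2: the authentication exchange itself must get through
		return Accept
	}
	if p.toLocal { // steps 3 and 4: traffic addressed to the gateway only from the management port
		if p.dev == m.mgmtDev {
			return Accept
		}
		return Drop
	}
	if t, ok := m.allowed[p.src]; ok && now.Sub(t) < m.active { // step 5, including active-period expiry
		m.traffic[p.src] += int64(p.length)
		return Accept
	}
	return NeedAuth // dropped, and the authentication module is told to challenge p.src
}

// authenticated records a passed authentication with its timestamp.
func (m *monitor) authenticated(ip string, now time.Time) {
	m.allowed[ip] = now
	m.traffic[ip] = 0
}

// sweepInactive is the alternative policy of step 7: entries that moved fewer than threshold bytes since
// the last sweep are removed and will be challenged on their next packet; the others' counters restart.
func (m *monitor) sweepInactive(threshold int64) []string {
	var removed []string
	for ip := range m.allowed {
		if m.traffic[ip] < threshold {
			delete(m.allowed, ip)
			delete(m.traffic, ip)
			removed = append(removed, ip)
		} else {
			m.traffic[ip] = 0
		}
	}
	sort.Strings(removed)
	return removed
}
```

The order of the checks matters: the authentication protocol and routing traffic are admitted before the allow-list is consulted, so a user who is not yet authenticated can still complete the exchange, while anything addressed to the gateway itself is accepted only on the management port regardless of the allow-list.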
The authentication gateway of the present invention is provided with a user interface, an external interface and an internal interface.
The user interface consists mainly of a management interface and a hardware interface, described as follows. The management interface provides the administrator with an administration interface based on the IE browser model, making administration and configuration concise and convenient. The hardware interface provides three RJ45 ports: the IN port connecting to the public network, the OUT port connecting to the application system, and the M port, which is the administration and configuration port connecting to the adaptation server. Specifically, the IN RJ45 port provides a 100M network interface to accessing users; the OUT RJ45 port provides a 100M network interface to the application system; the M RJ45 port provides the administration and configuration, message notification and audit port to the management system.
The external interface comprises the communication interface with the client and server, mainly the interface of the user message notification module, which is defined as follows:
● int Build_Connection(int *sockFd, char *ip);
Function description: establish a network connection
Parameters: int *sockFd [OUT]   pointer to the connection descriptor
            char *ip [IN]       pointer to the IP address
● int Send_Msg(int *sockFd, unsigned char *pMsg, int msgLen);
Function description: send a datagram
Parameters: int *sockFd [IN]            pointer to the connection descriptor
            unsigned char *pMsg [IN]    pointer to the data message
            int msgLen                  length of the data message
The external interface also comprises the communication interface with the authorization system; the user profile data structures exchanged with the authorization system are defined as follows:
● Insert user profile data message; its contents are as shown in the following table:
Command code      4 bytes
Name              32 bytes
Certificate ID    32 bytes
Start Date        8 bytes
Close Date        8 bytes
Start time        6 bytes
End time          6 bytes
Sign Policies     4 bytes
● Delete user profile data message; its contents are as shown in the following table:
Certificate ID number 1   32 bytes
……
Certificate ID number n   32 bytes
Wherein:
The command code has two kinds of flags: INSERT (insertion) and DELETE (deletion).
int Rcv_User_Msg(int *sockFd, unsigned char *pMsg, int msgLen);
Function description: receive user data and perform the corresponding operation according to the command code
Parameters: int *sockFd [IN]            pointer to the connection descriptor
            unsigned char *pMsg [IN]    pointer to the user data message
            int msgLen                  length of the user data message
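An encoder and parser for the INSERT and DELETE user profile messages defined above, as an added example in Go, not code from the patent. The field widths are the ones in the tables; the patent does not give the numeric values of the INSERT and DELETE command codes, the byte order, how short strings are padded, or whether the DELETE message carries a command code in front of the certificate IDs, so the example assumes big-endian 32-bit codes 1 and 2, NUL-padded text fields, and a DELETE message of command code followed by n certificate IDs. The point a receiver like Rcv_User_Msg has to get right is length checking: msgLen comes from the peer, so the body must be checked against the layout before any field is read.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Field widths from the interface tables, plus the assumed command code values.
const (
	cmdLen    = 4
	nameLen   = 32
	certIDLen = 32
	dateLen   = 8
	timeLen   = 6
	policyLen = 4
	insertLen = cmdLen + nameLen + certIDLen + 2*dateLen + 2*timeLen + policyLen // 100 bytes

	cmdInsert uint32 = 1 // assumed value of the INSERT flag
	cmdDelete uint32 = 2 // assumed value of the DELETE flag
)

// userProfile is the decoded INSERT record; dates and times stay as text (assumed YYYYMMDD / HHMMSS).
type userProfile struct {
	Name, CertID         string
	StartDate, CloseDate string
	StartTime, EndTime   string
	SignPolicy           uint32
}

func trimField(b []byte) string { return string(bytes.TrimRight(b, "\x00")) }

// pack builds a message: the command code followed by each value written into a fixed-width,
// NUL-padded field; values that do not fit are rejected rather than silently truncated.
func pack(cmd uint32, values []string, widths []int) ([]byte, error) {
	buf := make([]byte, cmdLen)
	binary.BigEndian.PutUint32(buf, cmd)
	for i, v := range values {
		if len(v) > widths[i] {
			return nil, fmt.Errorf("field %q exceeds %d bytes", v, widths[i])
		}
		field := make([]byte, widths[i])
		copy(field, v)
		buf = append(buf, field...)
	}
	return buf, nil
}

// encodeInsert builds the 100-byte INSERT message.
func encodeInsert(p userProfile) ([]byte, error) {
	buf, err := pack(cmdInsert, []string{p.Name, p.CertID, p.StartDate, p.CloseDate, p.StartTime, p.EndTime},
		[]int{nameLen, certIDLen, dateLen, dateLen, timeLen, timeLen})
	if err != nil {
		return nil, err
	}
	buf = append(buf, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(buf[len(buf)-policyLen:], p.SignPolicy)
	return buf, nil
}

// encodeDelete builds a DELETE message: command code followed by n certificate IDs (layout assumed).
func encodeDelete(ids []string) ([]byte, error) {
	widths := make([]int, len(ids))
	for i := range widths { widths[i] = certIDLen }
	return pack(cmdDelete, ids, widths)
}

// rcvUserMsg models Rcv_User_Msg: it dispatches on the command code and rejects any message whose
// length does not match the layout, instead of reading past the end of the buffer the peer sent.
func rcvUserMsg(msg []byte) (*userProfile, []string, error) {
	if len(msg) < cmdLen {
		return nil, nil, errors.New("message shorter than the command code")
	}
	body := msg[cmdLen:]
	switch binary.BigEndian.Uint32(msg[:cmdLen]) {
	case cmdInsert:
		if len(body) != insertLen-cmdLen {
			return nil, nil, fmt.Errorf("INSERT body is %d bytes, want %d", len(body), insertLen-cmdLen)
		}
		off := 0
		field := func(n int) string { s := trimField(body[off : off+n]); off += n; return s }
		var p userProfile
		p.Name, p.CertID = field(nameLen), field(certIDLen)
		p.StartDate, p.CloseDate = field(dateLen), field(dateLen)
		p.StartTime, p.EndTime = field(timeLen), field(timeLen)
		p.SignPolicy = binary.BigEndian.Uint32(body[off:])
		return &p, nil, nil
	case cmdDelete:
		if len(body) == 0 || len(body)%certIDLen != 0 {
			return nil, nil, fmt.Errorf("DELETE body of %d bytes is not a multiple of %d", len(body), certIDLen)
		}
		var ids []string
		for i := 0; i < len(body); i += certIDLen {
			ids = append(ids, trimField(body[i:i+certIDLen]))
		}
		return nil, ids, nil
	}
	return nil, nil, errors.New("unknown command code")
}
```

Because every offset is validated against the whole-message length before the first slice is taken, a short or oversized message is refused with an error rather than causing an out-of-range read, which is the failure a C implementation of the same interface would have to guard against by hand.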
Internal interface. Because the program modules of the authentication gateway of the present invention operate in two states, user state and kernel state, the internal interface is realized mainly through system calls, by which the IP layer monitoring module operating in kernel state and the authentication module operating in user state exchange messages.
The internal interface is the system call interface between the IP layer monitoring module and the authentication module. Because the authentication module of the authentication gateway of the present invention operates in user state while the IP layer monitoring module operates in kernel state, when the IP layer monitoring module has detected a new IP address, or has found that an IP address has exceeded its "active period", it notifies the authentication module through a system call to perform authentication. The interface is described as follows:
asmlinkage int sys_rzwgSYSCALL(char *buf, int buflen, unsigned int access);
Function: system call interface
Input: char *buf [IN/OUT]            pointer to the data buffer
       int buflen [IN/OUT]           length of the data buffer
       unsigned int access [IN]      operation type
Return value: 0 on success
              non-0 on failure
The authentication gateway of the present invention takes the form of a server. The power module adopts a dual-power-supply redundant design; each single unit is rated at 150W, providing the system with 50% power redundancy. Electrical characteristics: permitted voltage range 180-240V; the duration of momentary current fluctuations is less than 1 s. An LCD screen provides a display window for the equipment status.

Claims (7)

1. An authentication gateway which exchanges information with user terminals, an adaptation server and an application system, characterized in that it comprises an IP layer monitoring module, an authentication module, a routing module, a management configuration module, an audit module and a user message notification module;
The IP layer monitoring module is formed by modifying the packet selection system iptables of the Netfilter framework of the routing software; this IP layer monitoring module parses and monitors the IP layer packets entering the IN port and decides whether to allow them to pass, and this process is completely transparent to the accessing user;
The authentication module consists of two parts, an Authentication Client and a certificate server (i.e. the authentication server). Through a self-defined proprietary IP-layer authentication communication protocol it adopts the challenge/response authentication mode to realize local authentication of user identity based on X.509 certificates; the certificate server contains an authenticated user list recording the information of users whose identity has been authenticated and who are within the authentication "active period";
The routing module is composed of a Bgpd submodule managing the BGP-4 and BGP-4+ protocols, a Ripd submodule managing the RIPv1 and v2 protocols, a Ripngd submodule managing the RIPng protocol, an Ospfd submodule managing the OSPFv2 protocol and an Ospf6d submodule managing the OSPFv3 protocol; it realizes the full functions of a dynamic router, including IP datagram forwarding and dynamic updating of the routing table based on the OSPF and BGP protocols;
The user message notification module promptly notifies the adaptation server of the user's profile after the user has been authenticated by the authentication gateway and correspondingly authorized;
The management configuration module mainly performs the management of users, of administrators' basic information and of certificates, and can also configure the routing information and monitor the authentication gateway in real time; user management is realized through the cooperation of the log server and the authorization module in the adaptation server;
The audit module performs two kinds of logging: remote logging based on the syslog log protocol and local logging;
When the authentication gateway is in operation, the modules are combined as follows:
When the IP layer monitoring module detects at the IN port an IP layer packet arriving at the authentication gateway from the external network and intended to enter the application system, and its source IP address is not present in the authenticated user list, it immediately notifies the authentication module through a system call to authenticate the user of this source IP address, and discards this IP layer packet;
After the authentication module has authenticated the user, it calls the message notification interface to combine with the user message notification module, and at the same time calls the log transmission interface to send log information, combining with the audit module;
After the user has passed authentication, the authentication gateway combines with the routing module through a system call, and data is forwarded by the routing module;
After the authentication module receives the notice from the IP layer monitoring module that the user of the Authentication Client must be authenticated, it sends an authentication request to the Authentication Client and begins authentication; the detailed process is as follows: the certificate server sends a request to the Authentication Client requiring the Authentication Client to transmit the user's certificate ID number; the Authentication Client responds to the request sent by the authentication server by passing the user's certificate ID number to the certificate server for processing; after the certificate server receives the user's certificate ID number, it generates a random number and sends it to the Authentication Client; after the user of the Authentication Client receives the random number transmitted by the certificate server, the random number is signed with the user's X.509 certificate, and the signature together with the certificate is passed to the certificate server; the certificate server verifies the signature, and if it passes, the user's information is added to the authenticated user list together with a timestamp, an authentication-passed message is returned to the Authentication Client, and an instruction is issued allowing this source IP address to pass during the "active period", so that the user's data may access the application system through the authentication gateway; otherwise an authentication-failed message is returned and this source IP address is forbidden to access the application system.
2. The authentication gateway as claimed in claim 1, characterized in that the authentication gateway adopts an all-IP architecture, wherein the IP layer monitoring module, the authentication module and the routing module operate at the IP layer, and the management configuration module, the user message notification module and the audit module operate at the application layer.
3. The authentication gateway as claimed in claim 1, characterized in that the authentication gateway first attaches the IP monitoring processing function at the hook point NF_IP_PRE_ROUTING[1], and the IP layer monitoring module then performs the following steps:
Step 1: judge whether the packet is routing protocol information, i.e. examine the protocol field of the UDP header; if so, do nothing further and let the ip_rcv function continue, i.e. let the data through; otherwise go to step 2;
Step 2: judge whether the packet belongs to the self-defined authentication protocol, i.e. examine the skb->nh.iph->protocol field; if so, do nothing further and let the data through; otherwise go to step 3;
Step 3: judge whether the data is addressed to this machine's own IP address; if not, go to step 5; if so, go to step 4;
Step 4: judge whether the data was received from the management port, i.e. examine the skb->dev->name field; if so, let it through, otherwise discard the sk_buff;
Step 5: examine the source IP address, i.e. the skb->nh.iph->saddr field; if this source IP address is present in the kernel-state "authenticated IP linked list", do nothing further and let the ip_rcv function continue, i.e. let the data through; otherwise discard the sk_buff, and at the same time report the source IP address found in the skb->nh.iph->saddr field to the authentication module, which sends an authentication request to the user of this source IP address.
4. The authentication gateway as claimed in claim 1, characterized in that the authentication gateway is provided with a user interface, an external interface and an internal interface.
5. The authentication gateway as claimed in claim 4, characterized in that the user interface comprises a management interface and a hardware interface; the management interface provides the administrator with an administration interface based on the IE browser model; the hardware interface provides three RJ45 ports: the IN port connecting to the public network, the OUT port connecting to the application system and the M port connecting to the adaptation server; wherein the IN RJ45 port provides a 100M network interface to users, the OUT RJ45 port provides a 100M network interface to the application system, and the M RJ45 port provides the administration and configuration, message notification and audit interface to the management system.
6. A data processing method of the authentication gateway as claimed in claim 1, characterized in that the monitoring, authentication and routing process steps of the authentication gateway are as follows:
1) When the IP layer monitoring module detects at the IN port an IP layer packet arriving at the authentication gateway from the external network and intended to enter the application system whose source IP address is not present in the authenticated user list, i.e. a source IP address that is unauthenticated or whose authentication "active period" has elapsed is accessing the intranet, it immediately notifies the authentication module through a system call to authenticate the user of this source IP address, and discards this IP layer packet;
2) After the authentication module receives the notice from the IP layer monitoring module that the user must be authenticated, it sends an authentication request to the Authentication Client through the certificate server, requiring the Authentication Client to transmit the user's certificate ID number;
3) After the Authentication Client receives the "authentication request" sent by the certificate server, it sends the user's certificate ID number to the certificate server for processing;
4) After the certificate server receives the user's certificate ID number, it generates a random number and sends it to the Authentication Client; after the user of the Authentication Client receives the random number transmitted by the certificate server, the random number is signed with the user's X.509 certificate, and the signature together with the certificate is passed to the certificate server; the certificate server verifies the signature, and if the verification succeeds, the user's information is added to the authenticated user list together with a timestamp, an authentication-passed message is returned to the Authentication Client, and an instruction is issued allowing this source IP address to pass during the authentication "active period", so that the user's data may access the application system through the authentication gateway; otherwise an authentication-failed message is returned and this source IP address is forbidden to access the application system;
5) When an authenticated source IP address is about to exceed its authentication "active period", the certificate server repeats the operations of steps 2) to 4), which guarantees periodic automatic re-authentication during communication between the user and the application system without affecting the use of network resources;
6) After authentication has passed, the IP layer monitoring module hands over the disposal of the IP layer packets of this source IP address to the routing module, which performs the routing and forwarding of the IP layer packets of this source IP address.
7. A data processing method of the authentication gateway as claimed in claim 1, characterized in that the monitoring, authentication and routing process steps of the authentication gateway are as follows:
1) When the IP layer monitoring module detects at the IN port an IP layer packet arriving at the authentication gateway from the external network and intended to enter the application system whose source IP address is not present in the authenticated user list, i.e. a source IP address that is unauthenticated or whose authentication "active period" has elapsed is accessing the intranet, it immediately notifies the authentication module through a system call to authenticate the user of this source IP address, and discards this IP layer packet;
2) After the authentication module receives the notice from the IP layer monitoring module that the user must be authenticated, it sends an authentication request to the Authentication Client through the certificate server, requiring the Authentication Client to transmit the user's certificate ID number;
3) After the Authentication Client receives the "authentication request" sent by the certificate server, it sends the user's certificate ID number to the certificate server for processing;
4) After the certificate server receives the user's certificate ID number, it generates a random number and sends it to the Authentication Client; after the user of the Authentication Client receives the random number transmitted by the certificate server, the random number is signed with the user's X.509 certificate, and the signature together with the certificate is passed to the certificate server; the certificate server verifies the signature, and if the verification succeeds, the user's information is added to the authenticated user list together with a timestamp, an authentication-passed message is returned to the Authentication Client, and an instruction is issued allowing this source IP address to pass during the authentication "active period", so that the user may access the application system through the authentication gateway; otherwise an authentication-failed message is returned and this source IP address is forbidden to access the application system;
5) After the user has passed authentication, network traffic is used to judge whether the user is still active: traffic above a certain threshold is regarded as active and traffic below it as inactive; the information of the user of a source IP address in the inactive state is deleted from the authenticated user list, so that authentication is required again on the next access;
6) After authentication has passed, the IP layer monitoring module hands over the disposal of the IP layer packets of this source IP address to the routing module, which performs the routing and forwarding of the IP layer packets of this source IP address.
CNB2003101087822A 2003-11-21 2003-11-21 Identification gateway and its data treatment method Expired - Fee Related CN100459563C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2003101087822A CN100459563C (en) 2003-11-21 2003-11-21 Identification gateway and its data treatment method

Publications (2)

Publication Number Publication Date
CN1620034A CN1620034A (en) 2005-05-25
CN100459563C true CN100459563C (en) 2009-02-04

Family

ID=34758720

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2003101087822A Expired - Fee Related CN100459563C (en) 2003-11-21 2003-11-21 Identification gateway and its data treatment method

Country Status (1)

Country Link
CN (1) CN100459563C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101883106A (en) * 2010-06-30 2010-11-10 赛尔网络有限公司 Network access authentication method and server based on digital certificate

Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4742144B2 (en) * 2005-06-06 2011-08-10 インターナショナル・ビジネス・マシーンズ・コーポレーション Method and computer program for identifying a device attempting to penetrate a TCP / IP protocol based network
CN1988500B (en) * 2005-12-19 2011-05-11 北京三星通信技术研究有限公司 Method for managing distributive band width
US8356171B2 (en) * 2006-04-26 2013-01-15 Cisco Technology, Inc. System and method for implementing fast reauthentication
WO2008043311A1 (en) * 2006-09-30 2008-04-17 Huawei Technologies Co., Ltd. Method, apparatus, and system for controlling resource license
CN101175321B (en) * 2006-10-30 2011-11-30 鸿富锦精密工业(深圳)有限公司 Network access equipment, internetwork connection establishing method and mobile communication system using the same
CN101192926B (en) * 2006-11-28 2011-03-30 北京握奇数据系统有限公司 Account protection method and system
CN1988447B (en) * 2006-12-22 2010-08-18 华为技术有限公司 Method and device for treating communication network service
US8136146B2 (en) * 2007-01-04 2012-03-13 International Business Machines Corporation Secure audit log access for federation compliance
CN101197679B (en) * 2008-01-04 2010-09-08 中兴通讯股份有限公司 User authentication method and system for preventing attack from refusal service
CN101217547B (en) * 2008-01-18 2012-05-09 南京邮电大学 A flood request attaching filtering method based on the stateless open source core
CN101267433B (en) * 2008-04-30 2011-12-14 华中科技大学 A central control source routing protocol adapted to isomerous network environment
CN101789930B (en) * 2009-11-10 2012-06-27 福建星网锐捷网络有限公司 Route advertising method and network equipment
US9032013B2 (en) * 2010-10-29 2015-05-12 Microsoft Technology Licensing, Llc Unified policy over heterogenous device types
CN102480472B (en) * 2010-11-22 2015-07-22 英业达股份有限公司 Application program integration login method of enterprise inner network and verification server thereof
CN102104610A (en) * 2011-03-25 2011-06-22 深圳Tcl新技术有限公司 Authentication method and authentication system
CN102148832B (en) * 2011-04-07 2013-06-12 清华大学 High-efficiency method for identifying border gateway routing protocol path
CN103873439B (en) * 2012-12-11 2018-07-06 联想(北京)有限公司 The method and electronic equipment of a kind of networking
CN103281333B (en) 2013-06-17 2016-12-28 山石网科通信技术有限公司 The retransmission method of data stream and device
CN103678654A (en) * 2013-12-23 2014-03-26 蓝盾信息安全技术股份有限公司 Method for acquiring linkage information in database safety audit
CN105207778B (en) * 2014-07-03 2019-04-16 清华大学深圳研究生院 A method of realizing packet identity and digital signature on accessing gateway equipment
CN110336807A (en) * 2019-06-28 2019-10-15 苏州浪潮智能科技有限公司 A kind of identity identifying method based on Web service, equipment and storage medium
CN113612681A (en) * 2021-08-24 2021-11-05 北银金融科技有限责任公司 Message forwarding and receiving gateway system based on multiple communication protocols of bank
CN114844672B (en) * 2022-03-22 2023-08-22 华为技术有限公司 Method, management unit and equipment for confirming application trusted identity
CN114826745A (en) * 2022-04-28 2022-07-29 成都安恒信息技术有限公司 Method for realizing user authentication in transparent scene

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5950195A (en) * 1996-09-18 1999-09-07 Secure Computing Corporation Generalized security policy management system and method
US6061650A (en) * 1996-09-10 2000-05-09 Nortel Networks Corporation Method and apparatus for transparently providing mobile network functionality
US20010028636A1 (en) * 2000-03-10 2001-10-11 Robert Skog Method and apparatus for mapping an IP address to an MSISDN number within a service network
US6317838B1 (en) * 1998-04-29 2001-11-13 Bull S.A. Method and architecture to provide a secured remote access to private resources
US6353891B1 (en) * 2000-03-20 2002-03-05 3Com Corporation Control channel security for realm specific internet protocol
CN1350255A (en) * 2001-11-29 2002-05-22 上海维豪信息安全技术有限公司 Official document circulating system based on goverment affairs trust and authorized service
US20020066029A1 (en) * 2000-11-30 2002-05-30 Yi Kyoung Hoon Method for accessing home-network using home-gateway and home-portal server and apparatus thereof
US20020174335A1 (en) * 2001-03-30 2002-11-21 Junbiao Zhang IP-based AAA scheme for wireless LAN virtual operators
CN1437114A (en) * 2002-02-08 2003-08-20 联想(北京)有限公司 Two-layer exchange type firewall package filtering method based on bridge

Also Published As

Publication number Publication date
CN1620034A (en) 2005-05-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: SHANGHAI INFORMATION SECURITY INFRASTRUCTURE RESEA

Free format text: FORMER OWNER: WEIHAO INFORMATION TECHNOLOGY CO., LTD.

Effective date: 20110527

Free format text: FORMER OWNER: SHANGHAI INFORMATION SECURITY INFRASTRUCTURE RESEARCH CENTER

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20110527

Address after: 201203 Shanghai Guo Shou Jing Road, Zhangjiang hi tech Park No. 498, No. seven Pudong Software Park building two floor

Patentee after: Shanghai Information Safety Infrastructure Research Center

Address before: 201203 Shanghai Guo Shou Jing Road, Zhangjiang hi tech Park No. 498, No. seven Pudong Software Park building two floor

Co-patentee before: Shanghai Information Safety Infrastructure Research Center

Patentee before: Wellhope Information Technology Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090204

Termination date: 20161121
