Method for controlling network access based on identification in IP (Internet Protocol) protocol

An IP protocol and network control technology, applied in data switching networks, digital transmission systems, electrical components, etc., that addresses the problems of long identification time and the inability to identify whether a terminal computer is legal, achieving fast identification and a short judgment time.

Active Publication Date: 2012-12-26
三六零数字安全科技集团有限公司

AI Technical Summary

Problems solved by technology

However, this technique has two obvious disadvantages. First, the discrimination time is long. The technique judges the legitimacy of the terminal computer by comparing its IP address against the IP addresses in the legal list, so the larger the LAN, the more entries the legal list holds and the more comparisons are needed.

Second, when a NAT device (network address translation device) sits between the terminal computer and the network security control server, the network security control server cannot identify whether the terminal computer is legal. After a TCP data packet sent by the terminal computer to the designated network passes through the NAT device, the source IP address of the packet (that is, the IP address of the terminal computer) is converted into a NAT IP address (that is, the IP address specified by the NAT device), and the source port of the packet (that is, the port of the terminal computer) is converted into a NAT port. When the network security control server receives the packet, it cannot tell which terminal computer sent it by looking at the terminal computer's IP address, so it cannot identify whether the terminal computer is legitimate.

Examples


Embodiment

[0036] In this embodiment, terminal computer 1 has the corresponding terminal software installed, so it is a legal terminal computer; terminal computer 2 does not have the corresponding terminal software installed, so it is an illegal terminal computer.

[0037] The method for controlling network access based on the identification in the IP protocol of the present invention comprises the following steps:

[0038] a. The network security control server randomly generates a new key at every set interval:

[0039] In this embodiment, the interval is set to one minute;

[0040] The new key 123 and the old key 100 were previously generated and stored in the network security control server. At this point, a new key 456 is randomly generated, the original new key 123 is saved as the old key, and the newly generated key 456 is stored as the new key. The current new key is now 456 and the current old key is 123. The new and old keys are used to decry...
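The rotation in step a, with the server checking a packet's IP Identification value against both the new and the old key, is sketched below as an added example; it is not code from the patent. The text visible here does not say how the identification is encrypted, so the truncated HMAC over the destination address and port, the names `ip_id_tag` and `KeyRing`, and the assumption that the terminal software already holds the current key are all illustrative.

```python
import hashlib
import hmac
import secrets
import socket
import struct
from typing import Optional


def ip_id_tag(key: bytes, dst_ip: str, dst_port: int) -> int:
    """16-bit value for the IP Identification field (assumed scheme).

    Only the destination address and port are covered, because NAT rewrites
    the source address and port before the server sees the packet.
    """
    msg = socket.inet_aton(dst_ip) + struct.pack("!H", dst_port)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return struct.unpack("!H", digest[:2])[0]


class KeyRing:
    """Server-side key state from step a: one new key and one old key."""

    def __init__(self, old_key: bytes, new_key: bytes):
        self.old_key, self.new_key = old_key, new_key

    def rotate(self, fresh: Optional[bytes] = None) -> None:
        # The current new key is kept as the old key; a random key replaces it.
        self.old_key = self.new_key
        self.new_key = fresh if fresh is not None else secrets.token_bytes(16)

    def check(self, ip_id: int, dst_ip: str, dst_port: int) -> Optional[str]:
        """Return "new" or "old" for the key that matched, else None."""
        got = struct.pack("!H", ip_id & 0xFFFF)
        for label, key in (("new", self.new_key), ("old", self.old_key)):
            want = struct.pack("!H", ip_id_tag(key, dst_ip, dst_port))
            if hmac.compare_digest(got, want):
                return label
        return None


def demo() -> list:
    # Constructed scenario using the key values from the embodiment.
    ring = KeyRing(old_key=b"100", new_key=b"123")
    dst = ("192.0.2.10", 443)              # constructed destination
    pkt_id = ip_id_tag(b"123", *dst)       # terminal 1, tagged before rotation
    before = ring.check(pkt_id, *dst)
    ring.rotate(b"456")                    # 123 becomes the old key
    after = ring.check(pkt_id, *dst)
    return [before, after]
```

Keeping the old key means a packet tagged just before a rotation is still accepted for one more interval; after a second rotation that key is gone and the same value no longer matches.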


Abstract

The invention discloses a method for controlling network access based on the identification in the IP protocol. The method comprises the following steps: encrypting the identification in the IP protocol in the network data packets of a legal terminal computer; and deciphering the identification in the IP protocol in the network data packets received by a network security control server, so that the network security control server can accurately and quickly identify the legality of the terminal computer. This solves the problem that the network security control server cannot judge the legality of the terminal computer when a NAT (Network Address Translator) is arranged between the terminal computer and the network security control server and the source IP address of the TCP (Transmission Control Protocol) data packet sent by the terminal computer is converted. The method can be widely applied to various network structures.

Description

Technical field

[0001] The invention relates to the technical field of network management, in particular to the control and management of a network security control server, and specifically to a method for controlling network access based on an identifier in the IP protocol.

Background art

[0002] With the continuous improvement of social informatization and the continuous expansion of enterprise scale, the number of computers in enterprises is increasing, and the requirements for terminal computer management are also getting higher and higher. In order to effectively manage terminal computers, a network security control server needs to be installed in the local area network, and the network security control server can be used to judge whether the terminal computers entering the network are legal.

[0003] In the prior art, the network security control server judges whether the terminal computer is legal by identifying the IP address of the terminal co...

Application Information

IPC(8): H04L29/06, H04L12/56
Inventor: 张博, 金魁, 刘丹丹
Owner: 三六零数字安全科技集团有限公司