CN104506528A - Integrated network safety access method - Google Patents

Integrated network safety access method

Info

Publication number
CN104506528A
Authority
CN
China
Prior art keywords
network equipment
network
user property
integral
safety cut
Prior art date
Legal status
Granted
Application number
CN201410810878.1A
Other languages
Chinese (zh)
Other versions
CN104506528B (en)
Inventor
叶卫
杜猛俊
Current Assignee
State Grid Corp of China SGCC
Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority date
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, Hangzhou Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority to CN201410810878.1A
Publication of CN104506528A
Application granted
Publication of CN104506528B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2854 Wide area networks, e.g. public data networks
    • H04L12/2856 Access arrangements, e.g. Internet access
    • H04L12/2858 Access network architectures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies

Abstract

The invention discloses an integrated network safety access method. The method comprises the following steps: determining a first user attribute corresponding to first network equipment; determining a second user attribute of the first network equipment within the first user attribute; assigning first-class authority corresponding to the first user attribute to the first network equipment and assigning second-class authority corresponding to the second user attribute; judging whether the second user attribute of the first network equipment is consistent with the second user attribute of second network equipment; and, if the second user attribute of the first network equipment is inconsistent with the second user attribute of the second network equipment, shielding the first network equipment and the second network equipment from each other. The first user attribute and the second user attribute of the network equipment are determined, and authorities of different classes are assigned according to those attributes. At the same time, pieces of network equipment with different attributes are shielded from one another, so that network equipment is authorized hierarchically and equipment with different attributes is mutually isolated.

Description

Integrated network safety access method
Technical field
The present invention relates to the field of network security, and in particular to an integrated network safety access method.
Background technology
With the development of network information technology in China, the electric power system relies more and more on its information network for normal production, management, operation and maintenance. The information network has become a critical facility of the power system, and its safe and stable operation is in turn essential to the normal operation of the power system.
At present, the information network of the power system usually controls the access of related network devices through AAA authentication (Authentication, Authorization, Accounting). Specifically, a network device is authorized after it has been authenticated, and the authorization is removed again once the authorization period ends. Existing access methods, however, neither grade the authorization nor isolate the admitted network devices from one another where necessary, and so cannot meet the demands of integrated network safety access.
Summary of the invention
The object of the invention is to provide an integrated network safety access method that solves the problems of conventional network device access: authorization is not graded, and the admitted network devices are not isolated from one another where necessary.
An integrated network safety access method comprises:
determining the first user attribute corresponding to a first network device;
determining the second user attribute of the first network device within the first user attribute;
assigning, under the least-privilege principle, the level-1 authority corresponding to its first user attribute to the first network device;
assigning, under the least-privilege principle, the level-2 authority corresponding to its second user attribute to the first network device;
judging whether the second user attribute of the first network device is consistent with the second user attribute of a second network device;
if the second user attribute of the first network device is inconsistent with the second user attribute of the second network device, shielding the first network device and the second network device from each other.
Preferably, the method further comprises:
judging whether the second user attribute of a third network device is consistent with the second user attribute of the first network device;
if consistent, allowing the third network device to join the first network device;
if inconsistent, shielding the first network device and the third network device from each other.
Preferably, the method further comprises:
sending a dynamic authentication password to the first network device;
if the first network device replies with the correct password, granting operating authority to the first network device.
Preferably, after granting operating authority to the first network device, the method further comprises:
detecting whether the first network device has completed the work specified by the operating authority;
if the work specified by the operating authority has been completed, withdrawing the operating authority.
Preferably, after granting operating authority to the first network device, the method further comprises:
detecting whether the operating time of the first network device exceeds the "one order, two tickets" time limit;
if the operating time exceeds the "one order, two tickets" time limit, withdrawing the operating authority.
Preferably, detecting whether the first network device has completed the work specified by the operating authority is: detecting whether the "one order, two tickets" issued-successfully data sent by the first network device has been received.
Preferably, the "one order, two tickets" issued-successfully data is sent as follows:
the first network device receives the "one order, two tickets" issued-successfully data;
it judges whether the data has been received completely;
if the data has been received completely, it sends the "one order, two tickets" issued-successfully data.
Preferably, sending the "one order, two tickets" issued-successfully data is:
sending the "one order, two tickets" issued-successfully data by data push.
The invention therefore has the following beneficial effects:
The invention provides an integrated network safety access method comprising: determining the first user attribute corresponding to a first network device; determining the second user attribute of the first network device within the first user attribute; assigning, under the least-privilege principle, the level-1 authority corresponding to its first user attribute to the first network device; assigning, under the least-privilege principle, the level-2 authority corresponding to its second user attribute to the first network device; judging whether the second user attribute of the first network device is consistent with the second user attribute of a second network device; and, if the second user attribute of the first network device is inconsistent with that of the second network device, shielding the first network device and the second network device from each other.
The invention determines the first user attribute and the second user attribute of a network device and assigns authority of different levels according to those attributes. At the same time, the attributes of this network device are compared with those of other network devices, and devices whose attributes differ are shielded from one another, so that network devices are authorized by grade and devices with different attributes are mutually isolated.
Brief description of the drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Evidently, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an integrated network safety access method provided by the invention;
Fig. 2 is a flow chart of another integrated network safety access method provided by the invention;
Fig. 3 is a flow chart, within the integrated network safety access method provided by the invention, of granting and withdrawing the operating authority of a network device;
Fig. 4 is a schematic diagram, within the integrated network safety access method provided by the invention, of a way of withdrawing the operating authority of a network device.
Detailed description
The core of the invention is to provide an integrated network safety access method.
To help those skilled in the art understand the solution of the invention better, the invention is described in further detail below with reference to the drawings and specific embodiments.
Specific details are set forth in the following description so that the invention can be fully understood. The invention can, however, also be implemented in many ways other than those described here, and those skilled in the art can make similar generalizations without departing from its spirit. The invention is therefore not limited by the specific implementations disclosed below.
Referring to Fig. 1, an embodiment of the integrated network safety access method provided by the invention comprises the following steps:
S101: determine the first user attribute corresponding to a first network device.
S102: determine the second user attribute of the first network device within the first user attribute.
Specifically, many Chinese enterprises manage the security of network access with AAA authentication. In the electric power system the security and reliability of network access matter even more, so devices that need to join the network require a more targeted access method. The invention therefore first determines a first user attribute and a second user attribute. In the embodiments provided by the invention, the user attribute corresponding to a device refers to its administrative-level attribute: the first user attribute is the provincial administrative level, and the second user attribute is the prefecture (city) administrative level.
Note that the "first network device" refers generically to any device that needs to join the network, not to one specific device.
S103: under the least-privilege principle, assign the level-1 authority corresponding to its first user attribute to the first network device.
S104: under the least-privilege principle, assign the level-2 authority corresponding to its second user attribute to the first network device.
Here the user authority of a device is divided into level-1 authority and level-2 authority. Specifically, a provincial user attribute is assigned level-1 authority, and a prefecture-level user attribute is assigned level-2 authority. This embodiment gives only one concrete allocation scheme for level-1 and level-2 authority; in other scenarios they may be allocated according to other attributes as actual conditions require.
S105: judge whether the second user attribute of the first network device is consistent with the second user attribute of a second network device.
S106: if the second user attribute of the first network device is inconsistent with the second user attribute of the second network device, shield the first network device and the second network device from each other.
When the second user attributes of the first and second network devices are consistent, the two devices are mutually visible; when the attributes are inconsistent, the devices are mutually invisible, to ensure security.
The invention determines the first user attribute and the second user attribute of a network device and assigns authority of different levels according to those attributes. At the same time, the attributes of this network device are compared with those of other network devices, and devices whose attributes differ are shielded from one another, so that network devices are authorized by grade and devices with different attributes are mutually isolated.
On the basis of the above embodiment of the integrated network safety access method provided by the invention, and referring to Fig. 2, the method further comprises the following steps:
S201: judge whether the second user attribute of a third network device is consistent with the second user attribute of the first network device.
S202: if consistent, allow the third network device to join the first network device.
S203: if inconsistent, shield the first network device and the third network device from each other.
Note that this embodiment gives only one concrete implementation; it should not be taken to mean that the method provided by the invention must follow this execution order in other cases. Specifically, after step S201, step S203 may also be performed first.
Specifically, once the first network device has joined the enterprise network, whenever it exchanges messages or shares information with a third network device on that network, it must first be judged whether the second user attributes of the two are consistent. If they are inconsistent, the first network device and the third network device are not in the same geographic area. For example, in a scenario where the second user attribute is divided by prefecture, if the second user attribute of the first network device is Hangzhou and that of the third network device is Jinhua, the third network device is not allowed to join the first network device. In the solution provided by the invention, the concrete method is to shield the first network device and the third network device from each other, isolating them within the network and improving network security. Conversely, if the first network device and the third network device have the same second user attribute, they are not shielded and may join each other, so that devices within the same region can share information and resources.
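The following is an added example, not code from the patent or its applicants, that models steps S101 to S106 and S201 to S203 as a small policy engine: each device carries a provincial first attribute and a prefecture second attribute, rights are assigned under least privilege from two constructed catalogues, and any two devices whose second attributes differ are shielded from one another. The device names, attribute values and right names are constructed for illustration.

```python
"""Attribute-based tiered authorization and isolation (added example, not the
patent's own code). Attribute values, right names and devices are constructed."""
from dataclasses import dataclass

# Constructed right catalogues. Level-1 rights follow the first attribute
# (provincial level); level-2 rights follow the second attribute (prefecture).
LEVEL1_RIGHTS = {"Zhejiang": {"read-provincial-bulletin"}}
LEVEL2_RIGHTS = {
    "Hangzhou": {"read-hangzhou-telemetry", "write-hangzhou-ticket"},
    "Jinhua": {"read-jinhua-telemetry", "write-jinhua-ticket"},
}


@dataclass(frozen=True)
class Device:
    name: str
    first_attr: str   # S101: provincial administrative level
    second_attr: str  # S102: prefecture level within that province


def assign_rights(dev: Device) -> frozenset:
    """S103/S104 under least privilege: a device receives exactly the level-1
    rights mapped to its first attribute plus the level-2 rights mapped to its
    second attribute. An attribute with no mapping yields nothing (deny by
    default) rather than falling back to a broader set."""
    level1 = LEVEL1_RIGHTS.get(dev.first_attr, set())
    level2 = LEVEL2_RIGHTS.get(dev.second_attr, set())
    return frozenset(level1 | level2)


def mutually_visible(a: Device, b: Device) -> bool:
    """S105/S106 (and S201/S203): two devices see each other only when their
    second attributes match; otherwise they are shielded from one another."""
    return a.second_attr == b.second_attr


def admit(peers: list, joining: Device) -> tuple:
    """S201-S203 for a device joining the enterprise network. Returns
    (joinable, shielded): sorted names of the peers it may join, and sorted
    names of the peers it must be isolated from."""
    joinable = sorted(p.name for p in peers if mutually_visible(p, joining))
    shielded = sorted(p.name for p in peers if not mutually_visible(p, joining))
    return joinable, shielded


def isolation_pairs(devices: list) -> set:
    """Whole-network shielding policy: every unordered pair of devices that
    must be blocked from each other, in a form a filtering policy can consume."""
    pairs = set()
    for i, a in enumerate(devices):
        for b in devices[i + 1:]:
            if not mutually_visible(a, b):
                pairs.add(frozenset((a.name, b.name)))
    return pairs


if __name__ == "__main__":
    hz1 = Device("hz-rtu-1", "Zhejiang", "Hangzhou")
    hz2 = Device("hz-rtu-2", "Zhejiang", "Hangzhou")
    jh1 = Device("jh-rtu-1", "Zhejiang", "Jinhua")
    print(sorted(assign_rights(hz1)))
    print(admit([hz1, jh1], hz2))
    print(isolation_pairs([hz1, hz2, jh1]))
```

The deny-by-default branch in `assign_rights` is the part worth keeping when adapting this: a device whose attribute is missing from the catalogue gets fewer rights, never more, which is what the least-privilege steps S103 and S104 require.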
On the basis of the above embodiment of the integrated network safety access method provided by the invention, and referring to Fig. 3, the method further comprises the following steps to grant and withdraw the operating authority of a network device:
S301: send a dynamic authentication password to the first network device.
In one concrete scenario the enterprise network uses two-factor authentication. The user of the first network device receives the dynamic authentication password sent by the network on a mobile terminal and enters it on the first network device. Which concrete two-factor mechanism is used can be chosen according to actual conditions; the invention does not limit it.
S302: if the first network device replies with the correct password, grant operating authority to the first network device.
After the user enters the dynamic authentication password, the first network device sends that password back to the network as its reply. The network matches the password it sent against the password the first network device replied with, and if they match, grants the corresponding operating authority.
S303: detect whether the operating time of the first network device exceeds the "one order, two tickets" time limit.
S304: if the operating time exceeds the "one order, two tickets" time limit, withdraw the operating authority.
The "one order, two tickets" are the work ticket, the operation order and the job order. The "one order, two tickets" time limit can be set according to actual conditions; the invention does not specifically limit it.
On the basis of the above embodiment of the integrated network safety access method provided by the invention, and referring to Fig. 4, after operating authority has been granted to the first network device it can also be withdrawn by the following method:
S401: detect whether the first network device has completed the work specified by the operating authority.
In one specific embodiment, this is done by detecting whether the "one order, two tickets" issued-successfully data sent by the first network device has been received.
In one specific embodiment, the "one order, two tickets" issued-successfully data is sent as follows:
the first network device receives the "one order, two tickets" issued-successfully data;
it judges whether the data has been received completely;
if the data has been received completely, it sends the "one order, two tickets" issued-successfully data.
Specifically, in one embodiment, the "one order, two tickets" issued-successfully data is sent by data push.
In an actual scenario, the user enters the corresponding data on the first network device to indicate that the operation is complete. The network device then, according to the result, closes the loop on the "one order, two tickets" and sends the data. Once the data has been received successfully, the operating authority is withdrawn and the operation ends.
S402: if the work specified by the operating authority has been completed, withdraw the operating authority.
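The following is an added example, not code from the patent or its applicants, that models the operating-authority lifecycle of steps S301 to S304 and S401 to S402: a dynamic password challenge, a grant only on a correct reply, and withdrawal either when the operating time passes the "one order, two tickets" time limit or when a complete "issued successfully" push message arrives from the device. The class, its method names, the message fields and the timings are constructed assumptions; the clock is injected so the timeout path can be exercised deterministically.

```python
"""Operating-authority grant and withdrawal (added example, not the patent's
own code). Class, method names, message fields and timings are constructed."""
import hmac
import secrets


class OperatingAuthorityService:
    def __init__(self, ticket_time_limit: float):
        self.limit = ticket_time_limit   # "one order, two tickets" time limit (s)
        self._challenges = {}            # device -> outstanding dynamic password
        self._grants = {}                # device -> time the authority was granted

    def issue_challenge(self, device: str) -> str:
        """S301: generate a fresh dynamic password for the device. It is returned
        here so the caller can relay it; in the patent it reaches the user's
        mobile terminal. Any earlier unanswered challenge is replaced."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self._challenges[device] = otp
        return otp

    def verify_reply(self, device: str, reply: str, now: float) -> bool:
        """S302: grant operating authority only if the reply matches the
        password that was sent. The challenge is single-use: it is consumed on
        any reply, right or wrong, so a wrong guess cannot be retried, and the
        comparison is constant-time."""
        expected = self._challenges.pop(device, None)
        if expected is None or not hmac.compare_digest(expected, reply):
            return False
        self._grants[device] = now
        return True

    def has_authority(self, device: str, now: float) -> bool:
        """S303/S304: the authority lapses once the operating time exceeds the
        time limit; the lapsed grant is removed when detected."""
        start = self._grants.get(device)
        if start is None:
            return False
        if now - start > self.limit:
            del self._grants[device]
            return False
        return True

    def on_push(self, device: str, message: dict) -> bool:
        """S401/S402: withdraw the authority when the device pushes its
        "one order, two tickets" issued-successfully data. Only a completely
        received message counts (constructed fields: 'type' and 'complete').
        Returns True if an authority was withdrawn."""
        if message.get("type") != "ticket_issued_success" or not message.get("complete"):
            return False
        return self._grants.pop(device, None) is not None


if __name__ == "__main__":
    svc = OperatingAuthorityService(ticket_time_limit=3600)
    otp = svc.issue_challenge("hz-rtu-1")          # sent to the user's phone
    print("granted:", svc.verify_reply("hz-rtu-1", otp, now=0))
    print("still authorised:", svc.has_authority("hz-rtu-1", now=1200))
    print("withdrawn on push:", svc.on_push("hz-rtu-1",
          {"type": "ticket_issued_success", "complete": True}))
    print("after withdrawal:", svc.has_authority("hz-rtu-1", now=1200))
```

Two details matter for the revocation steps: the time check runs on every authority query rather than only at grant time, so a long-idle grant cannot be used after the limit, and an incomplete push is ignored rather than treated as a withdrawal, matching the "judge whether the data has been received completely" step before the data is sent.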
In summary, the integrated network safety access method provided by the invention allocates user authority by category and grade, so it meets the demand for integrated management of information network equipment while keeping user groups in different regions mutually isolated, increasing the security of system operation. Further, the method of granting and withdrawing operating authority provided by the invention uses data push and manages the whole network system centrally, which reduces multi-level deployment and unnecessary investment, saves resources and improves efficiency.
The embodiments in this specification are described progressively; each embodiment emphasizes its differences from the others, and for the same or similar parts the embodiments may be referred to one another.
The integrated network safety access method provided by the invention has been described in detail above. Specific cases have been used herein to set forth the principle and implementation of the invention; the description of the above embodiments is only intended to help understand the principle and core idea of the invention. Those skilled in the art will note that improvements and modifications can be made to the invention without departing from its principle, and these improvements and modifications also fall within the protection scope of the claims of the invention.

Claims (8)

1. An integrated network safety access method, characterized in that it comprises:
determining the first user attribute corresponding to a first network device;
determining the second user attribute of the first network device within the first user attribute;
assigning, under the least-privilege principle, the level-1 authority corresponding to its first user attribute to the first network device;
assigning, under the least-privilege principle, the level-2 authority corresponding to its second user attribute to the first network device;
judging whether the second user attribute of the first network device is consistent with the second user attribute of a second network device;
if the second user attribute of the first network device is inconsistent with the second user attribute of the second network device, shielding the first network device and the second network device from each other.
2. The integrated network safety access method according to claim 1, characterized in that it further comprises:
judging whether the second user attribute of a third network device is consistent with the second user attribute of the first network device;
if consistent, allowing the third network device to join the first network device;
if inconsistent, shielding the first network device and the third network device from each other.
3. The integrated network safety access method according to claim 1, characterized in that it further comprises:
sending a dynamic authentication password to the first network device;
if the first network device replies with the correct password, granting operating authority to the first network device.
4. The integrated network safety access method according to claim 3, characterized in that, after granting operating authority to the first network device, it further comprises:
detecting whether the first network device has completed the work specified by the operating authority;
if the work specified by the operating authority has been completed, withdrawing the operating authority.
5. The integrated network safety access method according to claim 3, characterized in that, after granting operating authority to the first network device, it further comprises:
detecting whether the operating time of the first network device exceeds the "one order, two tickets" time limit;
if the operating time exceeds the "one order, two tickets" time limit, withdrawing the operating authority.
6. The integrated network safety access method according to claim 4, characterized in that detecting whether the first network device has completed the work specified by the operating authority is: detecting whether the "one order, two tickets" issued-successfully data sent by the first network device has been received.
7. The integrated network safety access method according to claim 6, characterized in that the "one order, two tickets" issued-successfully data is sent as follows:
the first network device receives the "one order, two tickets" issued-successfully data;
it judges whether the data has been received completely;
if the data has been received completely, it sends the "one order, two tickets" issued-successfully data.
8. The integrated network safety access method according to claim 7, characterized in that sending the "one order, two tickets" issued-successfully data is:
sending the "one order, two tickets" issued-successfully data by data push.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410810878.1A CN104506528B (en) 2014-12-23 2014-12-23 Integrated network safety access method

Publications (2)

Publication Number Publication Date
CN104506528A true CN104506528A (en) 2015-04-08
CN104506528B CN104506528B (en) 2018-02-23

Family

ID=52948243

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410810878.1A Active CN104506528B (en) 2014-12-23 2014-12-23 Integrated network safety access method

Country Status (1)

Country Link
CN (1) CN104506528B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120212411A1 (en) * 2005-11-10 2012-08-23 Oh Eui-Jin Character inputting device
CN202503546U (en) * 2011-12-26 2012-10-24 浙江省电力公司 Virtual storage system for video monitoring images
CN103346909A (en) * 2013-06-19 2013-10-09 贵州电网公司电力调度控制中心 Electric power telecommunication out-of-band network managing system
CN104050541A (en) * 2014-06-27 2014-09-17 国家电网公司 Maintenance cycle management system for grid equipment
CN104168268A (en) * 2014-07-24 2014-11-26 广东电网公司电力科学研究院 Power grid object access control device capable of realizing safety configuration and access of power grid model data

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
黄炜 (Huang Wei) et al.: "Responsibility-area management and alarm solution for an integrated dispatching and centralized control system", Power System Technology (电网技术) *

Also Published As

Publication number Publication date
CN104506528B (en) 2018-02-23

Similar Documents

Publication Publication Date Title
CN101582769B (en) Authority setting method of user access network and equipment
CN106471514B (en) Secure wireless charging
CN102750760B (en) Information transmission method of entrance guard system, and entrance guard system
CN102404706B (en) Method for managing tariff safety and mobile terminal
CN103281752A (en) WIFI (wireless fidelity) network access method and device, electronic equipment and communication system
CN103281759A (en) WIFI (wireless fidelity) network access method and device, electronic equipment and communication system
CN104158824A (en) Method and system of network real name authentication
CN105577757B (en) Multi-level management system and authentication method of intelligent power terminal based on load balancing
CN102571792A (en) Identity authentication method allowing intelligent mobile wireless terminal to access cloud server
Marksteiner et al. Cyber security requirements engineering for low-voltage distribution smart grid architectures using threat modeling
Metere et al. Securing the electric vehicle charging infrastructure
CN106254323A (en) The exchange method of a kind of TA and SE, TA, SE and TSM platform
CN104270250A (en) WiFi Internet surfing connecting authentication method and system based on asymmetric full-process encryption
CN105357224B (en) A kind of registration of intelligent domestic gateway, removing method and system
CN106341369A (en) Security control method and device
CN105681345B (en) CA certificate signs and issues safe Prior Control method in a kind of reinforcement RPKI
CN102045310B (en) Industrial Internet intrusion detection as well as defense method and device
CN102281189A (en) Service implementation method and device based on private attribute of third-party equipment
CN104869142A (en) Link sharing method based on social platform, system and device
Alcaraz et al. OCPP in the spotlight: threats and countermeasures for electric vehicle charging infrastructures 4.0
CN106713228A (en) Cloud platform key management method and system
CN103888435A (en) Service admission control method, device and system
CN108133142A (en) A kind of mobile device remote connection and the method for manipulation PC machine
CN104506528A (en) Integrated network safety access method
Karthick et al. Formalization and analysis of a resource allocation security protocol for secure service migration

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant