
CN101252474A - Method for controlling local area network data message based on network bridge mode - Google Patents


Info

Publication number
CN101252474A
Authority
CN (China)
Prior art keywords
network, local area, area network, lan, computer
Legal status (as listed by Google Patents, not a legal conclusion)
Pending
Application number
CNA2008100888417A
Other languages
Chinese (zh)
Inventor
陈世杰
Current assignee
Individual
Original assignee
Individual
Priority date
2008-04-01
Filing date
2008-04-01
Publication date
2008-08-27

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention provides a method for controlling local area network (LAN) data packets based on a network bridge mode. With the arrival of the information age, paperless electronic office work has become an inevitable choice for enterprises and institutions seeking to improve efficiency. But the boundless openness of the Internet, the flood of viruses and Trojan horses, and the human factor of network users have brought many drawbacks and hidden dangers to enterprises and institutions: P2P downloads consume large amounts of bandwidth and degrade network speed, and employees can keep an enterprise's important information and trade secrets for themselves or pass them to competitors by mail or FTP, causing enormous harm. The method places a network bridge on the enterprise's Internet link and performs unified, centralized supervision of the LAN computers at the network egress, so that the packets LAN computers send to the public network can be captured, analyzed and intercepted completely, and the Internet behaviour of the LAN computers can be controlled.

Description

A method for controlling local area network data packets based on a network bridge mode
Technical field
The present invention relates to a method for managing the public-network packets of LAN hosts in a shared, interactive network environment.
Background technology
Current domestic network management systems generally monitor and manage LAN hosts either by a virtual routing technique or in bypass mode.

Virtual routing, also called the virtual gateway technique, works by having one computer on the LAN send ARP broadcast packets to every computer on the LAN. In these ARP packets the computer passes off its own MAC address as the MAC address of the LAN's real gateway, so the correct gateway entry in each LAN computer's ARP table is overwritten with the MAC address of the computer that sent the ARP packets. LAN computers therefore send their public-network packets to that computer, which runs a packet capture driver on its network card to capture and analyze the packets passing through it, applies filtering policies, and decides whether to forward them to the real router; in this way it controls the LAN computers' public-network access. But in this model the LAN computer running the control software effectively becomes a proxy server for the whole LAN, and the extra relaying hop greatly reduces the network speed of the LAN computers; it also creates favourable conditions for ARP viruses to spread. Moreover, since current firewalls all have anti-ARP-spoofing functions, monitoring software built on this architecture is becoming ineffective and cannot achieve its monitoring purpose.

Bypass-mode monitoring of LAN computers is generally implemented with a switch that has port mirroring, a proxy server, or a hub. But because this monitoring mode works only on the HTTP protocol carried in the data packets, it cannot effectively intercept and control P2P-protocol packets during monitoring, and therefore cannot effectively control the P2P software, chat software and the like that seriously affect the LAN.

The distinctive feature of the present invention is that it avoids the shortcomings of both monitoring modes by deploying the software on a network bridge of the LAN: a computer is placed between the switch used by the LAN computers for Internet access and the routing device, two network cards are installed in that computer, one connected to the switch and the other to the routing device, the two cards are bridged into a network bridge, and the monitoring software is deployed on that bridge. Because every public-network packet sent by a LAN computer must pass through this bridge before it can reach the public network, the software can easily capture and analyze the packets and, by applying various control rules, decide whether to intercept or release each LAN computer's public-network access, thereby controlling all public-network access by the LAN computers. This approach avoids the shortcomings of controlling the LAN by sending ARP spoofing packets, and at the same time can easily intercept the packets of every protocol the LAN computers use, HTTP and P2P protocols included, so it can control P2P software effectively.
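The virtual-gateway capture described above, modeled as an added example (not code from the patent): hosts hold an ARP cache, the monitoring host broadcasts an ARP reply claiming the gateway's IP for its own MAC, and only hosts that accept unsolicited dynamic updates are redirected. The host that pins a static entry for the gateway stands in for the anti-ARP-spoofing firewalls the text says defeat this method. All addresses and MACs are constructed.

```python
"""Model of the 'virtual gateway' (ARP-spoofing) capture method.

Constructed simulation, not the patent's code. A LAN host keeps an ARP cache
(IP -> MAC). The monitoring host broadcasts 'gateway is-at monitor_mac';
hosts that accept unsolicited updates redirect their Internet-bound frames
to the monitor, hosts with a pinned (static) gateway entry keep the real
gateway and the monitor never sees their traffic.
"""
from dataclasses import dataclass, field

GATEWAY_IP = "192.168.0.1"            # assumed addressing for the example
GATEWAY_MAC = "00:00:5e:00:01:01"     # real router
MONITOR_MAC = "00:00:5e:00:01:aa"     # host running the capture software


@dataclass
class ArpEntry:
    mac: str
    static: bool = False   # static entries ignore unsolicited replies


@dataclass
class Host:
    name: str
    arp: dict = field(default_factory=dict)

    def learn(self, ip, mac, static=False):
        self.arp[ip] = ArpEntry(mac, static)

    def on_arp_reply(self, ip, mac):
        """Process an unsolicited ARP reply. Dynamic entries are overwritten,
        the classic cache-poisoning behaviour; static ones are left alone.
        Returns True when the cache actually changed."""
        entry = self.arp.get(ip)
        if entry is not None and entry.static:
            return False
        self.arp[ip] = ArpEntry(mac)
        return True

    def next_hop_mac(self, gateway_ip=GATEWAY_IP):
        """MAC this host will put on frames bound for the public network."""
        return self.arp[gateway_ip].mac


def spoof_gateway(hosts, gateway_ip=GATEWAY_IP, spoof_mac=MONITOR_MAC):
    """The monitor broadcasts 'gateway_ip is-at spoof_mac' to every host.
    Returns the names of the hosts whose traffic is now redirected."""
    return [h.name for h in hosts if h.on_arp_reply(gateway_ip, spoof_mac)]


def build_lan():
    """Two constructed hosts: one plain, one with an anti-spoofing pin."""
    plain = Host("pc-plain")
    plain.learn(GATEWAY_IP, GATEWAY_MAC)
    pinned = Host("pc-antispoof")
    pinned.learn(GATEWAY_IP, GATEWAY_MAC, static=True)
    return [plain, pinned]


def capture_coverage():
    """After the spoof, which MAC each host sends its Internet traffic to."""
    hosts = build_lan()
    spoof_gateway(hosts)
    return {h.name: h.next_hop_mac() for h in hosts}


if __name__ == "__main__":
    for name, mac in capture_coverage().items():
        seen = "captured by monitor" if mac == MONITOR_MAC else "bypasses monitor"
        print(f"{name}: next hop {mac} -> {seen}")
```

Running it shows the second host still addressing the real gateway, which is the failure mode the text attributes to anti-spoofing firewalls: coverage depends on every host accepting unsolicited ARP, and the hosts that are captured pay for the extra relay hop through the monitor.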
Summary of the invention
With the development of Internet technology most enterprises have boarded the Internet express, adopting one network technology after another and electronic means of working over the network. But the unlimited openness of the network, together with the lack of effective network management, has brought serious network-management problems to enterprises and institutions. For example, during working hours employees use various P2P programs to download large amounts of entertainment data; these P2P tools can exhaust the enterprise's bandwidth and disrupt its normal network use. At the same time, employees browse many websites unrelated to work, such as pornographic, reactionary or violent sites, which has an extremely bad influence, wastes working time, lets Internet viruses spread unchecked, seriously affects the enterprise's normal operation and lowers efficiency. And because network transmission is so convenient and makes high-speed data transfer possible, some employees steal the enterprise's key trade secrets and proprietary technology for their own benefit by mail, HTTP/FTP transfer, chat and similar means, seriously harming the enterprise's interests and causing it heavy losses. In sum, an effective network management system has become a necessity for enterprise network management.
The technical solution of the present invention is as follows. First, deploy a computer with two network cards between the LAN's routing device and its switch, one card connected to the routing device and one to the switch, and bridge the two cards into a network bridge. Set the bridge's IP address, subnet mask, gateway, DNS and so on so that this dual-card computer can reach the Internet. Generally the bridge's IP address is set to the LAN's default gateway IP address, and the routing device, the LAN's former default gateway, is given another IP address. Then deploy the monitoring software on the bridge. Because the LAN's former default gateway address has now been assigned to the bridge, the public-network packets of the LAN computers are sent to the bridge; the monitoring software starts a packet capture driver to capture the packets passing through the bridge, analyzes the captured packets against a set of control and filtering rules, and drops or interrupts packets that match an interception rule so that they cannot pass, thereby controlling the computers' network behaviour. Packets that may be released are forwarded by the monitoring software to the LAN's real gateway, namely the routing device, which passes their network access through.

In this arrangement, if a monitored LAN computer changes its own default gateway address to the routing device's new IP address, it could access the public network directly through the routing device and evade monitoring, because the routing device still provides routing to it. So a filtering condition must also be set on the routing device that forbids the monitored LAN computers from accessing the public network directly through the routing device and allows only the computer running the monitoring software to access the public network through it. Then none of the controlled LAN computers can reach the public network directly through the routing device; they can reach it only through the bridge, which achieves complete monitoring.
Given the technical characteristics of this software, it can be implemented in any programming language. Because software written on this principle is deployed on the main link by which the LAN reaches the public network, it can adapt to the large-scale, multi-segment environments of enterprises and institutions and provide centralized monitoring. Because it is managed together with the routing device, it can effectively prevent individual LAN computers from trying to escape monitoring by one means or another. And because the public-network packets of the LAN computers are first sent to the bridge and only then forwarded by the bridge to the routing device for public-network access, the monitoring software can capture, filter and forward the packets of every protocol, which guarantees that it can control all network behaviour of the LAN.
Embodiment
(1) Deploy a computer with two network cards between the LAN's routing device and its switch, one card connected to the routing device and the other to the switch, and bridge the two cards into a network bridge. Here the routing device may be a router, a firewall with routing functions, a server providing shared Internet access, or the like; the switch may be a managed switch, a simple switch, a hub, or the like.

(2) Set the bridge's IP address, subnet mask, gateway address, DNS address and so on so that the dual-card computer can access the Internet normally. Generally the bridge's IP address is set to the LAN's default gateway IP address, for example 192.168.0.1, which is usually the router's IP address, and the IP address of the default gateway (the router) is changed to another address, for example 192.168.0.10. The subnet mask is set according to how the network segments are divided, the bridge's gateway address is set to the routing device's new IP address, and its DNS is set to a public-network DNS, such as the DNS addresses provided by Netcom or Telecom.

(3) Deploy the monitoring software on the bridge. The monitoring software automatically takes this bridge as the monitoring device and starts its packet capture driver, which captures and analyzes the packets passing through the bridge. The captured packets are matched against the configured control rules, such as prohibiting Internet access, P2P downloads, chat, or sending sensitive mail, on the basis of their data characteristics: the packet's IP address, port, protocol features, size and so on. Packets that match an interception rule are dropped or interrupted by the monitoring software; packets that match no interception rule are forwarded directly to the real gateway, namely the routing device, which passes their public-network access through.
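Steps (1) to (3) together with the router-side filter from the technical solution, as one added simulation (not the patent's own software). It assumes the embodiment's addresses (bridge at 192.168.0.1, router moved to 192.168.0.10), a few constructed packets from two LAN hosts, and illustrative interception rules: the BitTorrent handshake magic as a protocol-feature match for the P2P case, destination port 25 for mail, and an oversized-UDP/53 rule to exercise the size criterion. `run_scenario(True)` models the router filter in place; `run_scenario(False)` models the bypass the text warns about.

```python
"""Simulation of the bridge-mode deployment and the router-side filter.
Constructed example, not the patent's own software; addresses follow the
embodiment (bridge takes 192.168.0.1, router moves to 192.168.0.10)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = ip_network("192.168.0.0/24")
BRIDGE_IP = "192.168.0.1"    # the old default-gateway address, now the bridge
ROUTER_IP = "192.168.0.10"   # the routing device after re-addressing

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    size: int           # bytes on the wire
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    """One interception rule; a packet matches when every set field matches."""
    name: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    min_size: Optional[int] = None           # match packets at least this big
    payload_prefix: Optional[bytes] = None   # crude application-layer fingerprint

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.min_size is None or p.size >= self.min_size)
                and (self.payload_prefix is None
                     or p.payload.startswith(self.payload_prefix)))

# Illustrative rules for the embodiment's examples (P2P, mail, size criterion).
BLOCK_RULES = [
    Rule("p2p-bittorrent", proto="tcp", payload_prefix=b"\x13BitTorrent protocol"),
    Rule("outbound-smtp", proto="tcp", dport=25),
    Rule("oversized-dns", proto="udp", dport=53, min_size=512),
]

class Router:
    """Egress router: with an ACL only the bridge may hand packets to it."""
    def __init__(self, allowed: Optional[set] = None):
        self.allowed = allowed   # None means no filter: routes for anyone

    def handle(self, p: Packet, via: str) -> str:
        if self.allowed is not None and via not in self.allowed:
            return "dropped:router-acl"
        return "forwarded"

class Bridge:
    """Dual-NIC host addressed as the default gateway: inspects, drops or relays."""
    def __init__(self, rules, router: Router):
        self.rules, self.router = rules, router
        self.log = []   # (rule name, packet) for every interception

    def handle(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                self.log.append((r.name, p))
                return "dropped:" + r.name
        return self.router.handle(p, via=BRIDGE_IP)

@dataclass
class Host:
    ip: str
    gateway: str   # user-configurable, which is exactly what an evader changes

    def send(self, p: Packet, bridge: Bridge, router: Router) -> str:
        if ip_address(p.dst) in LAN:
            return "local"   # same-segment traffic never touches the bridge
        if self.gateway == BRIDGE_IP:
            return bridge.handle(p)
        if self.gateway == ROUTER_IP:
            return router.handle(p, via=self.ip)   # straight to the router
        return "dropped:no-route"

def run_scenario(router_acl: bool) -> dict:
    """Constructed traffic from a compliant host and from an evader; verdicts by case."""
    router = Router(allowed={BRIDGE_IP} if router_acl else None)
    bridge = Bridge(BLOCK_RULES, router)
    good = Host("192.168.0.20", gateway=BRIDGE_IP)
    evader = Host("192.168.0.21", gateway=ROUTER_IP)   # re-pointed at the router
    http = b"GET / HTTP/1.1\r\n"
    web = Packet(good.ip, "203.0.113.5", "tcp", 80, 320, http)
    torrent = Packet(good.ip, "198.51.100.9", "tcp", 6881, 68,
                     b"\x13BitTorrent protocol" + bytes(8))
    mail = Packet(good.ip, "203.0.113.25", "tcp", 25, 900, b"MAIL FROM:<a@b>\r\n")
    return {
        "good-web": good.send(web, bridge, router),
        "good-torrent": good.send(torrent, bridge, router),
        "good-mail": good.send(mail, bridge, router),
        "evader-web": evader.send(Packet(evader.ip, "203.0.113.5", "tcp", 80, 320, http),
                                  bridge, router),
        "intercepted": [name for name, _ in bridge.log],
    }
```

Two things the simulation makes visible. The evader's verdict flips from dropped:router-acl to forwarded the moment the router filter is removed, so the bridge on its own is not a control; the router filter is part of the design, as the text says. And the filter here admits a packet by the identity of the neighbour that hands it over, not by the packet's source IP, which is still the LAN host's address after the bridge relays it. On a real router, key that filter on the bridge's MAC address or on a router port that connects only to the bridge, since any LAN host can configure the bridge's IP address on its own card.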

Claims (1)

  1. A method for controlling local area network data packets based on a network bridge mode, characterized in that: two network cards are deployed in a computer on the LAN, one card connected to the switch used by the LAN computers for Internet access and the other connected to the router, or other network device with routing functions, that provides routing for the LAN computers' Internet access; the two cards are bridged into a network bridge, and software is deployed on the bridge, which controls the various network behaviours of the LAN computers by extracting and analyzing the packets that the LAN computers transmit through the bridge.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2008100888417A CN101252474A (en) 2008-04-01 2008-04-01 Method for controlling local area network data message based on network bridge mode

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2008100888417A CN101252474A (en) 2008-04-01 2008-04-01 Method for controlling local area network data message based on network bridge mode

Publications (1)

Publication Number Publication Date
CN101252474A (en) 2008-08-27

Family

ID=39955670

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2008100888417A Pending CN101252474A (en) 2008-04-01 2008-04-01 Method for controlling local area network data message based on network bridge mode

Country Status (1)

Country Link
CN (1) CN101252474A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103746996A (en) * 2014-01-03 2014-04-23 汉柏科技有限公司 Packet filtering method for firewall
CN105681330A (en) * 2016-02-29 2016-06-15 四川长虹电器股份有限公司 Telecommunication internal network remote access method
CN107454678A (en) * 2016-05-23 2017-12-08 佳能株式会社 Communication equipment, control method and computer-readable recording medium
CN106357482A (en) * 2016-11-30 2017-01-25 四川秘无痕信息安全技术有限责任公司 Method for implementing monitoring of webpage access based on network protocol
CN106357482B (en) * 2016-11-30 2019-10-29 四川秘无痕科技有限责任公司 A method of based on network protocol implementing monitoring web page access
CN114363007A (en) * 2021-12-10 2022-04-15 包头海平面高分子工业有限公司九原分公司 Internet surfing behavior control system and method based on single internet surfing behavior management device
CN114363007B (en) * 2021-12-10 2024-01-09 包头海平面高分子工业有限公司九原分公司 Internet surfing behavior management and control system and method based on single Internet surfing behavior management device

Similar Documents

Publication Publication Date Title
Fichera et al. OPERETTA: An OPEnflow-based REmedy to mitigate TCP SYNFLOOD Attacks against web servers
Mahajan et al. Controlling high bandwidth aggregates in the network
US7234168B2 (en) Hierarchy-based method and apparatus for detecting attacks on a computer system
KR100796996B1 (en) Method and apparatus for protection from overload conditions on nodes in a distributed network
Mihai-Gabriel et al. Achieving DDoS resiliency in a software defined network by intelligent risk assessment based on neural networks and danger theory
CN101286850B (en) Defensive installation for security of router, defense system and method
CN107135187A (en) Preventing control method, the apparatus and system of network attack
CN101106518B (en) Service denial method for providing load protection of central processor
CN109327342B (en) A task-driven adaptive SDN simulation system and simulation platform
CN110213214B (en) Attack protection method, system, device and storage medium
CN101247346A (en) Method for controlling local area network data message based on gateway mode
CN101252474A (en) Method for controlling local area network data message based on network bridge mode
CN102857388A (en) Cloud detection safety management auditing system
Dridi et al. A holistic approach to mitigating DoS attacks in SDN networks
Huang et al. Trend analysis and countermeasure research of DDoS attack under 5G network
Zhou et al. Mew: Enabling large-scale and dynamic link-flooding defenses on programmable switches
CN111818077A (en) An industrial control hybrid honeypot system based on SDN technology
Dayal et al. Analyzing effective mitigation of DDoS attack with software defined networking
CN102045302A (en) Network attack preventing method, service control node and access node
CN102739433A (en) Control method of local area network computer through network management software allocation based on multi-net environment of three-layer switch
Chatterjee Design and development of a framework to mitigate dos/ddos attacks using iptables firewall
Kashiwa et al. Active shaping: a countermeasure against DDoS attacks
WO2007122495A2 (en) A framework for protecting resource-constrained network devices from denial-of-service attacks
Schmidt et al. A malware detector placement game for intrusion detection
Khirwadkar Defense against network attacks using game theory

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20080827