
CN117834240A - Automatic access method and system for equipment - Google Patents

Automatic access method and system for equipment

Info

Publication number
CN117834240A
CN117834240A (application CN202311844947.6A)
Authority
CN
China
Prior art keywords
server
equipment
access
corresponding relation
identifier
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311844947.6A
Other languages
Chinese (zh)
Inventor
林龙
林言国
林延松
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Newland Fujian Public Service Co ltd
Original Assignee
Newland Fujian Public Service Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Newland Fujian Public Service Co ltd
Priority to CN202311844947.6A
Publication of CN117834240A
Legal status: Pending

Links

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101: Access control lists [ACL]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to an equipment automatic access method comprising the following steps: the device requests a second server address from the first server through the Internet, the first server maintaining a corresponding relation table of the equipment and the second server; the first server responds to the request by carrying out identity verification on the equipment and carrying out access permission verification according to the corresponding relation table; if both the identity verification result and the access permission verification result are passed, the second server address is returned to the device; and the equipment establishes a communication connection with the second server through the local area network according to the second server address.

Description

Automatic access method and system for equipment
Technical Field
The invention relates to an equipment automatic access method and system, and belongs to the field of communication.
Background
At present, equipment that must connect to a service system privately deployed in an intranet is in most cases initialized with an intranet IP address. After initialization, the device connects directly to the intranet business system for interaction. However, before being put into use the device cannot know which intranet service system it belongs to, so the intranet IP address cannot be set before the device leaves the factory. The IP address of the service system deployed in the intranet can only be determined and configured manually when the device is about to be put into use; when the number of devices is large, this manual approach is inefficient and error-prone, and cannot meet the requirements of large-scale production by enterprises.
CN116886522a "an automated implementation method for large-scale network equipment access and inter-network handover" discloses: collecting the information of all hosts that need to be connected to a local area network and generating a host information list; using an encapsulation tool to logically integrate and encapsulate each functional module into a complete executable configuration package, and sending the executable configuration package to all hosts to be connected to the network; the host receives and runs the configuration package, which automatically modifies the host's configuration information until it matches the configuration information preset in the package; finally, a host network configuration checking module checks whether the host can access the local area network, and if so, the host is connected and the configuration is complete. That method has the advantage that the user can directly click on the network configuration modification program on the host computer to make the host computer access the local area network.
CN115001745A (System and method for local authentication of intranet users based on a government and enterprise gateway) comprises: configuring a port to be authenticated on the gateway's local authentication page, and sending an ENABLE value and the equipment MAC address to a WEB push module; when user equipment comes online, querying the LAN authentication management table for the interface of the online equipment, obtaining the ENABLE value corresponding to that interface, and sending the ENABLE value and the online equipment's MAC address from the equipment management record table to the WEB push module; after receiving the ENABLE value and the equipment MAC information, the WEB push module acquires the IPv4 and IPv6 addresses of the gateway LAN side and pushes the authentication page if the ENABLE value is 1, or does not push it if the ENABLE value is 0; after receiving a DNS request from the user equipment, the DNS proxy spoofing module returns the gateway LAN-side IPv4 and IPv6 addresses to the user equipment as the DNS server response, and, in combination with the WEB push module, the user equipment pops up a portal authentication page.
Disclosure of Invention
In order to overcome the problems in the prior art, the invention provides an automatic access method and an automatic access system for equipment, in which a first server address is built into the equipment, and the equipment automatically accesses an intranet service system by interacting with the first server at that address; operation and maintenance personnel can use the first server to uniformly maintain and modify the corresponding relation between the equipment and the intranet service system, and so adapt to changes in the network configuration of the intranet service system. At the same time, the first server can identify and locate suspicious equipment in the intranet and defend against network attacks.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
A method of device automated access comprising the steps of:
the device requests a second server address from the first server through the Internet; the first server maintains a corresponding relation table of the equipment and the second server;
the first server responds to the request by carrying out identity verification on the equipment and carrying out access permission verification according to the corresponding relation table; if both the identity verification result and the access permission verification result are passed, the second server address is returned to the device;
and the equipment establishes a communication connection with the second server through the local area network according to the second server address.
Further, the authentication comprises the following steps:
the device generates and transmits an encrypted data packet to a first server according to the device configuration information;
the first server maintains a device configuration information table;
the first server decrypts the encrypted data packet and verifies whether it is correct according to the device configuration information table; if it is correct, the identity verification passes.
Further, the access right verification includes the following steps:
the device sends the device identifier and the second server identifier to the first server;
and the first server searches the corresponding relation table for a corresponding relation between the received device identifier and second server identifier; if such a corresponding relation exists, the access permission verification passes.
Further, the device has a first server address built-in.
Further, the method further comprises: if the identity verification result is not passed, the device which initiated the request is listed in a malicious device list.
A device automated access system, comprising:
the device, configured to request a second server address from the first server through the Internet and to establish a communication connection with the second server through a local area network according to the second server address;
the first server, which maintains a corresponding relation table of the equipment and the second server and is configured to respond to the request by carrying out identity verification on the equipment and carrying out access permission verification according to the corresponding relation table; if both the identity verification result and the access permission verification result are passed, the second server address is returned to the equipment.
Further, the authentication comprises the following steps:
the device generates and transmits an encrypted data packet to a first server according to the device configuration information;
the first server maintains a device configuration information table;
the first server decrypts the encrypted data packet and verifies whether it is correct according to the device configuration information table; if it is correct, the identity verification passes.
Further, the access right verification includes the following steps:
the device sends the device identifier and the second server identifier to the first server;
and the first server searches the corresponding relation table for a corresponding relation between the received device identifier and second server identifier; if such a corresponding relation exists, the access permission verification passes.
Further, the device has a first server address built-in.
Further, the method further comprises: if the identity verification result is not passed, the device which initiated the request is listed in a malicious device list.
Compared with the prior art, the invention has the following characteristics and beneficial effects:
in the invention, the first server address is built into the equipment, and the equipment interacts with the first server at that address, so that the equipment can automatically access an intranet service system; operation and maintenance personnel can use the first server to uniformly maintain and modify the corresponding relation between the equipment and the intranet service system, and so adapt to changes in the network configuration of the intranet service system. At the same time, the first server can identify and locate suspicious equipment in the intranet and defend against network attacks.
Drawings
Figs. 1-4 are flowcharts of the present invention.
Detailed Description
The present invention will be described in more detail with reference to examples.
As shown in fig. 1-4, a device automated access method includes the steps of:
the device has a first server address built in, and requests a second server address from the first server through the Internet according to the first server address; the first server maintains a corresponding relation table of the equipment and the second server.
The first server responds to the request by carrying out identity verification on the equipment and carrying out access permission verification according to the corresponding relation table; if both the identity verification result and the access permission verification result are passed, the second server address is returned to the equipment.
The identity verification comprises the following steps: the device generates an encrypted data packet according to its device configuration information and transmits it to the first server; the first server maintains a device configuration information table; the first server decrypts the encrypted data packet and verifies whether it is correct according to the device configuration information table; if it is correct, the identity verification passes.
The access authority verification comprises the following steps:
the device sends the device identifier and the second server identifier to the first server; the first server searches the corresponding relation table for a corresponding relation between the received device identifier and second server identifier, and if such a corresponding relation exists, the access permission verification passes.
The equipment then establishes a communication connection with the second server through the local area network according to the second server address.
The second server operates the service system, and the service system receives the service request sent by the equipment and returns the service processing result.
In one embodiment, the first server acquires and stores the configuration information of each device in advance; specifically, a device configuration information table is generated with the device ID as the key and the configuration information items (such as the MAC address, device serial number and firmware version) together with the second server address as the values.
In one embodiment, the local area network access logic is packaged as a software development kit (SDK) and issued to each device; the device runs the SDK, which performs the following process:
generating an encrypted data packet according to the device configuration information: reading the software and hardware identifiers in the device, such as the MAC address, device serial number and firmware version, and performing an encryption calculation with a cryptographic algorithm to obtain the encrypted data packet; and sending the encrypted data packet to the first server according to the built-in first server address.
In one embodiment, the first server runs a device configuration management system that performs cryptography-based trusted identity authentication of the device. When the device accesses the device configuration management system, the request must carry the encrypted data packet, which comprises: device ID, software and hardware identifiers, timestamp, signature information, random number, and check data version number. The device configuration management system obtains the device ID by decrypting the packet and verifying its signature with a national cryptographic algorithm, then compares the decrypted result with the locally stored data of the same type; if the comparison is consistent, the authentication passes.
In one embodiment, a request without an encrypted data packet is treated as a possible DDoS attack, and a request whose encrypted data packet cannot be parsed by the server is treated as possible data forgery, packet tampering, or simulation of a device request. In both cases the requesting device is listed in the malicious device list, and devices on the list are intercepted by measures including, but not limited to: intercepting the IP addresses of DDoS attacks, setting firewall rules, implementing access control policies, monitoring and auditing the network access behaviour of devices to eliminate access risks, and intercepting requests whose encrypted data packets fail to parse.
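The following is an added example and is not code from the patent or its applicant. It models, with only the Python standard library, the first-server flow described in the method steps and in the embodiments above: the device builds an authenticated data packet from its configuration (device ID, MAC address, serial number, firmware version, timestamp, random number, data version, signature), the first server checks it against its device configuration information table, then checks the device/second-server corresponding relation table, and returns the second server address only when both checks pass; a request whose identity verification fails (no packet, unparseable packet, bad signature, mismatched configuration) puts the requesting source on the malicious device list. Assumptions: the patent's national cryptographic algorithm and encryption step are replaced by an HMAC-SHA256 signature over a per-device key that the first server already holds; the timestamp/nonce replay check is added beyond the patent text; all device IDs, keys, server IDs and addresses are constructed sample values.

```python
"""Added example (not the patent's own code): first-server identity check,
correspondence lookup and malicious-device listing, modelled with HMAC-SHA256
in place of the patent's national cryptographic algorithm (assumption)."""
import hashlib
import hmac
import json
import time

MAX_CLOCK_SKEW = 300  # seconds; assumed tolerance for the packet timestamp

# Device configuration information table keyed by device ID (constructed data).
DEVICE_CONFIG = {
    "dev-0001": {"mac": "02:00:00:aa:bb:01", "serial": "SN0001",
                 "fw": "1.2.0", "key": b"constructed-key-0001"},
    "dev-0002": {"mac": "02:00:00:aa:bb:02", "serial": "SN0002",
                 "fw": "1.2.0", "key": b"constructed-key-0002"},
}
# Corresponding relation table: which second server (intranet service system)
# each device may be pointed at, and that server's LAN address (constructed).
CORRESPONDENCE = {("dev-0001", "svc-A"), ("dev-0002", "svc-B")}
SECOND_SERVER_ADDR = {"svc-A": "10.10.1.20", "svc-B": "10.10.2.20"}

MALICIOUS_DEVICES = set()  # request sources whose identity verification failed
SEEN_NONCES = set()        # nonces already accepted (replay protection, added)


def _canonical(body):
    """Stable byte encoding so the device and the server sign the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def device_build_packet(device_id, key, cfg, nonce, now=None):
    """Device side (the role of the patent's SDK): read the software/hardware
    identifiers and produce an authenticated packet for the first server."""
    body = {
        "device_id": device_id, "mac": cfg["mac"], "serial": cfg["serial"],
        "fw": cfg["fw"], "ts": int(time.time() if now is None else now),
        "nonce": nonce, "version": 1,
    }
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_identity(packet, now=None):
    """First server: identity verification. Returns (ok, reason)."""
    now = int(time.time() if now is None else now)
    if (not isinstance(packet, dict) or not isinstance(packet.get("body"), dict)
            or not isinstance(packet.get("sig"), str)):
        return False, "missing or malformed encrypted data packet"
    body = packet["body"]
    device_id = body.get("device_id")
    cfg = DEVICE_CONFIG.get(device_id) if isinstance(device_id, str) else None
    if cfg is None:
        return False, "unknown device"
    expected = hmac.new(cfg["key"], _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, packet["sig"]):
        return False, "signature check failed"
    # The signature is valid, so the fields are what the device sent; compare
    # them with the locally stored data of the same type.
    if any(body.get(f) != cfg[f] for f in ("mac", "serial", "fw")):
        return False, "configuration mismatch"
    if abs(now - body["ts"]) > MAX_CLOCK_SKEW:
        return False, "stale timestamp"
    if body["nonce"] in SEEN_NONCES:
        return False, "replayed packet"
    SEEN_NONCES.add(body["nonce"])
    return True, "ok"


def handle_request(source, packet, second_server_id, now=None):
    """First server: handle one request for a second server address.
    `source` identifies the requester (e.g. its public IP) so that a request
    carrying no usable packet can still be put on the malicious device list."""
    ok, reason = verify_identity(packet, now)
    if not ok:
        MALICIOUS_DEVICES.add(source)
        return {"granted": False, "address": None, "reason": reason}
    device_id = packet["body"]["device_id"]
    if (device_id, second_server_id) not in CORRESPONDENCE:
        return {"granted": False, "address": None,
                "reason": "no corresponding relation for device and second server"}
    return {"granted": True, "address": SECOND_SERVER_ADDR[second_server_id],
            "reason": "ok"}


if __name__ == "__main__":
    cfg = DEVICE_CONFIG["dev-0001"]
    pkt = device_build_packet("dev-0001", cfg["key"], cfg, nonce="n-1")
    print(handle_request("203.0.113.10", pkt, "svc-A"))   # granted, 10.10.1.20
    print(handle_request("203.0.113.10", pkt, "svc-A"))   # replay: denied
    print(handle_request("203.0.113.11", None, "svc-A"))  # no packet: denied, listed
    print(sorted(MALICIOUS_DEVICES))
```

Note that an identity failure and an access-permission failure are handled differently, as the patent text requires: only a failed identity verification lists the requester, while a correctly authenticated device asking for a second server it is not mapped to is simply refused. The same HMAC key serves both sides here; with the patent's signature-based scheme the first server would hold only the device's public key, which is the preferable design when devices cannot protect a shared secret.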
It should be noted that the device automation access system described above is further configured to implement the steps of the method embodiments shown in fig. 1, which are not described again here.
It should be noted that, in each embodiment of the present invention, each functional unit/module may be integrated in one processing unit/module, or each unit/module may exist alone physically, or two or more units/modules may be integrated in one unit/module. The integrated units/modules described above may be implemented either in hardware or in software functional units/modules.
From the description of the embodiments above, it will be apparent to those skilled in the art that the embodiments described herein may be implemented in hardware, software, firmware, middleware, code, or any suitable combination thereof. For a hardware implementation, the processor may be implemented in one or more of the following units: an Application Specific Integrated Circuit (ASIC), a Digital Signal Processor (DSP), a Digital Signal Processing Device (DSPD), a Programmable Logic Device (PLD), a Field Programmable Gate Array (FPGA), a processor, a controller, a microcontroller, a microprocessor, other electronic units designed to perform the functions described herein, or a combination thereof. For a software implementation, some or all of the flow of an embodiment may be accomplished by a computer program to instruct the associated hardware. When implemented, the above-described programs may be stored in or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a computer. The computer readable media can include, but is not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
Finally, it should be noted that the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the scope of the present invention, and although the present invention has been described in detail with reference to the preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions can be made to the technical solution of the present invention without departing from the spirit and scope of the technical solution of the present invention.

Claims (10)

1. A method for automated access to a device, comprising the steps of:
the device requests a second server address from the first server through the Internet; the first server maintains a corresponding relation table of the equipment and the second server;
the first server responds to the request to carry out identity verification on the equipment, and carries out access permission verification according to the corresponding relation table; if the authentication result and the access right authentication result are both passed, returning a second server address to the device;
and the equipment establishes communication connection with the second server through the local area network according to the address of the second server.
2. A method of automated access to a device according to claim 1, wherein the authentication comprises the steps of:
the device generates and transmits an encrypted data packet to a first server according to the device configuration information;
the first server maintains a device configuration information table;
the first server decrypts the encrypted data packet and verifies whether the encrypted data packet is correct or not according to the equipment configuration information table; if the identity is correct, the identity is verified.
3. A device automated access method according to claim 1, wherein the access rights verification comprises the steps of:
the device sends the device identifier and the second server identifier to the first server;
and the first server searches the corresponding relation table for the corresponding relation between the received device identifier and second server identifier, and if the corresponding relation exists, the access authority verification is passed.
4. An automated access method for a device according to claim 1, wherein the device has a first server address built-in.
5. The device automated access method of claim 1, further comprising: if the identity verification result is not passed, the device which initiated the request is listed in a malicious device list.
6. A device automated access system, comprising:
the device is used for requesting a second server address from the first server through the Internet and establishing communication connection with the second server through a local area network according to the second server address;
the first server maintains a corresponding relation table of the equipment and the second server, and is used for carrying out identity verification on the equipment in response to the request and carrying out access permission verification according to the corresponding relation table; and if the authentication result and the access right authentication result are both passed, returning the second server address to the equipment.
7. A method of automated access to a device according to claim 6, wherein the authentication comprises the steps of:
the device generates and transmits an encrypted data packet to a first server according to the device configuration information;
the first server maintains a device configuration information table;
the first server decrypts the encrypted data packet and verifies whether the encrypted data packet is correct or not according to the equipment configuration information table; if the identity is correct, the identity is verified.
8. The method for automated access by a device according to claim 6, wherein said access rights verification comprises the steps of:
the device sends the device identifier and the second server identifier to the first server;
and the first server searches the corresponding relation table for the corresponding relation between the received device identifier and second server identifier, and if the corresponding relation exists, the access authority verification is passed.
9. The method of claim 6, wherein the device has a first server address built into it.
10. The device automated access method of claim 6, further comprising: if the identity verification result is not passed, the device which initiated the request is listed in a malicious device list.
CN202311844947.6A 2023-12-28 2023-12-28 Automatic access method and system for equipment Pending CN117834240A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311844947.6A CN117834240A (en) 2023-12-28 2023-12-28 Automatic access method and system for equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311844947.6A CN117834240A (en) 2023-12-28 2023-12-28 Automatic access method and system for equipment

Publications (1)

Publication Number Publication Date
CN117834240A true CN117834240A (en) 2024-04-05

Family

ID=90516906

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311844947.6A Pending CN117834240A (en) 2023-12-28 2023-12-28 Automatic access method and system for equipment

Country Status (1)

Country Link
CN (1) CN117834240A (en)

Similar Documents

Publication Publication Date Title
US12095812B2 (en) Systems and methods for mitigating and/or preventing distributed denial-of-service attacks
US7644436B2 (en) Intelligent firewall
EP3641266A1 (en) Data processing method and apparatus, terminal, and access point computer
CN103634786B (en) A kind of method and system for security detection and repair of wireless network
EP3297248B1 (en) System and method for generating rules for attack detection feedback system
US10404472B2 (en) Systems and methods for enabling trusted communications between entities
CN111314281A (en) Method for forwarding attack traffic to honeypot
WO2014094151A1 (en) System and method for monitoring data in a client environment
WO2016202007A1 (en) Device operation and maintenance method and system
IL211823A (en) Methods and systems for securing and protecting repositories and directories
Song et al. DS‐ARP: a new detection scheme for ARP spoofing attacks based on routing trace for ubiquitous environments
Lu et al. An SDN‐based authentication mechanism for securing neighbor discovery protocol in IPv6
US20210105299A1 (en) Method and system for defending an http flood attack
CN117834240A (en) Automatic access method and system for equipment
CN104539603B (en) Safe DNS systems and DNS security analytic method based on local parsing
AU2018304187B2 (en) Systems and methods for mitigating and/or preventing distributed denial-of-service attacks
CN114189370A (en) Access method and device
Salim et al. A precise model to secure systems on Ethernet against man-in-the-middle attack
Suethanuwong An Effective Prevention Approach against ARP Cache Poisoning Attacks in MikroTik-based Networks
KR101812732B1 (en) Security device and operating method thereof
US8995271B2 (en) Communications flow analysis
Kalil Policy Creation and Bootstrapping System for Customer Edge Switching
CN111585942B (en) Device verification method
Li et al. Advanced approaches to prevent ARP attacks
CN117319080A (en) Mobile terminal and communication method for isolated secure communication

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination