CN115426139A - Access control method based on SIM card information and communication device - Google Patents
- Publication number
- CN115426139A (application number CN202210975253.5A)
- Authority
- CN
- China
- Prior art keywords
- sim card
- card information
- address
- charging
- firewall
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
        - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
        - H04W12/02—Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
        - H04W12/06—Authentication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Description
Cross-Reference to Related Applications
This application claims priority to Chinese patent application No. 202111375766.4, filed with the State Intellectual Property Office of the People's Republic of China on November 19, 2021 and entitled "An access control method and communication device based on IMSI information", the entire contents of which are incorporated herein by reference.
Technical Field
The present application relates to the field of wireless communication technology, and in particular to an access control method and communication device based on subscriber identity module (SIM) card information.
Background
To meet network demands such as higher bandwidth, lower latency, more flexible and rapid service deployment and massive numbers of connections, multi-access edge computing (MEC) technology has emerged. MEC moves computing and storage resources to the network edge, closer to users, and deploys edge user plane function network elements for local traffic offloading, thereby achieving lower latency.
In the MEC enterprise private network scenario, an enterprise usually needs to deploy a firewall at the entrance of the private network for network access control. Because terminal devices of many types (such as industrial control terminals and cameras) connect to the enterprise private network and need to reach different application services inside it, the enterprise needs access control policies based on the type of terminal device.
One prior-art solution to this is to request a static Internet Protocol (IP) address for each terminal device. This is expensive, the configuration is hard to change, management is difficult, and as the enterprise private network grows it consumes large numbers of the operator's IP addresses. Another solution is to enable user authentication on the private network's firewall, granting access after the user enters a username and password. Whatever authentication method is used, this scheme generally requires the terminal device to actively enter a username and password; in many IoT environments the terminal devices are special-purpose devices that may not be able to do so, which limits the applicability of the scheme.
Summary of the Invention
The present application provides an access control method and communication device based on SIM card information, used to implement differentiated, fine-grained access control for terminal devices in an enterprise private network.
In a first aspect, an embodiment of the present application provides an access control method based on SIM card information. The method may be executed by a firewall in the enterprise private network, or by a component (such as a chip or circuit) configured in the firewall. Based on SIM card information, the firewall can apply access control to a terminal device's request to access an application service in the enterprise private network, thereby protecting the security of the private network.
The method includes: a firewall in the enterprise private network receives an access request from a terminal device, the access request including the IP address of the terminal device; the firewall determines the SIM card information corresponding to the IP address; and the firewall applies access control to the access request according to the access control policy associated with the SIM card information.
In the above solution, the firewall in the enterprise private network can apply effective access control, based on SIM card information, to requests that terminal devices initiate to access application services in the private network. After receiving an access request from a terminal device, the firewall may convert the IP address in the request into the corresponding SIM card information and then perform access control.
A SIM card is the IC card held by a mobile subscriber of a mobile communication system, also called a subscriber identification card. One item of SIM information can therefore be bound one-to-one to one terminal device (although a SIM card can be moved to a different device). In practice, the SIM card information can thus identify a terminal device and indirectly reveal its type. An IP address, by contrast, may be dynamically allocated as needed; such a dynamic IP address is bound to one protocol data unit (PDU) session of the terminal device, and from it the device's inherent attributes such as identity and type may not be determinable. For this reason, the present application first converts the IP address in the access request into the terminal device's SIM card information and then performs access control, which helps implement differentiated, fine-grained access control based on the device's identity, type and similar information, thereby protecting information security in the enterprise private network.
In a possible design, the method further includes: the firewall receives the terminal device's SIM card information and IP address from a charging forwarding device or a session management function network element in the enterprise private network; the firewall establishes a mapping between the SIM card information and the IP address; the firewall can then determine the SIM card information corresponding to the IP address from that mapping.
In the above solution, the terminal device's SIM card information and IP address may be sent to the firewall by a charging forwarding device in the enterprise private network, for example an authentication, authorization and accounting (AAA) server, after the terminal device has passed operator authentication. The firewall establishes a mapping between the two from the received information, and when it later receives an access request from that terminal device it can convert the IP address to SIM card information according to the mapping, supporting the subsequent access control.
In a possible design, the access request includes the application service being requested; the access control policy includes the application services in the enterprise private network that the terminal device corresponding to the SIM card information is allowed to access, and/or the application services in the enterprise private network that it is not allowed to access. The firewall applying access control to the access request according to the access control policy associated with the SIM card information then includes: if the requested application service is one that the terminal device corresponding to the SIM card information is allowed to access, the access request is allowed; otherwise the access request is blocked.
In the above solution, the firewall can promptly permit legitimate access requests and block illegitimate ones according to the corresponding access control policy, thereby protecting information security in the enterprise private network.
In a possible design, the method further includes: the firewall stores association configuration information, which includes the access control policy associated with each item of SIM card information in the enterprise private network.
In the above solution, an associated access control policy can be set for each SIM card in the enterprise private network, for example according to the type or role of the terminal device bound to that SIM card, which effectively improves the precision of access control.
In a second aspect, an embodiment of the present application provides an access control method based on SIM card information. The method may be executed by a charging forwarding device in the enterprise private network, or by a component (such as a chip or circuit) configured in the charging forwarding device. The charging forwarding device can perform authentication, authorization and accounting for terminal devices accessing the enterprise private network and support the firewall in the private network in performing access control.
The method includes: after a terminal device passes operator authentication, the charging forwarding device in the enterprise private network receives charging information from a session management function network element; the charging forwarding device sends the terminal device's SIM card information and IP address, obtained from the charging information, to the firewall in the enterprise private network.
In a possible design, the charging forwarding device sending the terminal device's SIM card information and IP address to the firewall in the enterprise private network may be: the charging forwarding device converts the format of the SIM card information and IP address in the charging information and sends the format-converted charging information to the firewall, where the SIM card information in the format-converted charging information may be placed in the username field.
In a possible design, the charging forwarding device in the enterprise private network receives the charging information from the session management function network element via a charging protocol, the charging protocol being the Remote Authentication Dial In User Service (RADIUS) protocol or the Diameter protocol.
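The following is an added example, not code from the patent, that models the first and second aspects together: the firewall consumes RADIUS-style accounting records (assumed here to carry the IMSI in User-Name and the PDU-session address in Framed-IP-Address, per RFC 2866), maintains the IP-to-SIM mapping including teardown on Stop, and then decides access requests from the per-SIM policy. All IMSIs, addresses and application names are constructed sample values.

```python
# Added example (not from the patent): a minimal SIM-card-aware access-control
# engine modelled on the flow the application describes. Assumption: the
# charging forwarding device (enterprise AAA) hands the firewall RADIUS-style
# accounting records with the IMSI in the User-Name field and the PDU-session
# IP in Framed-IP-Address (attribute names per RFC 2866). The firewall keeps an
# IP -> IMSI map and applies the per-IMSI policy. All values are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed accounting records as the firewall would receive them after the
# AAA server's format conversion (one dict per Accounting-Request).
ACCOUNTING_RECORDS = [
    {"Acct-Status-Type": "Start", "User-Name": "460001234567890", "Framed-IP-Address": "10.20.0.11"},
    {"Acct-Status-Type": "Start", "User-Name": "460009876543210", "Framed-IP-Address": "10.20.0.12"},
    {"Acct-Status-Type": "Stop",  "User-Name": "460009876543210", "Framed-IP-Address": "10.20.0.12"},
    # The same dynamic address is later re-assigned to a different SIM (new PDU session).
    {"Acct-Status-Type": "Start", "User-Name": "460005555555555", "Framed-IP-Address": "10.20.0.12"},
]


@dataclass
class Policy:
    """Access control policy associated with one SIM (IMSI)."""
    allow: Set[str] = field(default_factory=set)   # application services permitted
    deny: Set[str] = field(default_factory=set)    # application services explicitly blocked


# Association configuration information: IMSI -> policy, set by terminal type/role.
ASSOCIATION_CONFIG: Dict[str, Policy] = {
    "460001234567890": Policy(allow={"App1"}, deny={"App2"}),   # camera: video server only
    "460009876543210": Policy(allow={"App1", "App2"}),          # industrial control terminal
    "460005555555555": Policy(allow={"App2"}),                  # IoT sensor: production server only
}


class SimAwareFirewall:
    def __init__(self, config: Dict[str, Policy]):
        self.config = config
        self.ip_to_imsi: Dict[str, str] = {}

    def ingest_accounting(self, record: dict) -> None:
        """Build or tear down the IP -> IMSI mapping from one accounting record."""
        imsi = record.get("User-Name")
        ip = record.get("Framed-IP-Address")
        status = record.get("Acct-Status-Type")
        if not imsi or not ip:
            return  # incomplete record: never create a mapping from partial data
        if status in ("Start", "Interim-Update"):
            self.ip_to_imsi[ip] = imsi
        elif status == "Stop":
            # Remove only if the address still belongs to this IMSI, so a Stop that
            # arrives late cannot erase the mapping of a newer session on the same IP.
            if self.ip_to_imsi.get(ip) == imsi:
                del self.ip_to_imsi[ip]

    def lookup_imsi(self, ip: str) -> Optional[str]:
        return self.ip_to_imsi.get(ip)

    def decide(self, src_ip: str, app: str) -> str:
        """Return 'allow' or 'block' for an access request from src_ip to app."""
        imsi = self.lookup_imsi(src_ip)
        if imsi is None:
            return "block"   # unknown address: no SIM identity, default deny
        policy = self.config.get(imsi)
        if policy is None:
            return "block"   # SIM known to AAA but no policy configured: default deny
        if app in policy.deny:
            return "block"
        return "allow" if app in policy.allow else "block"


def run_demo() -> Dict[str, str]:
    """Replay the constructed records, then evaluate a few access requests."""
    fw = SimAwareFirewall(ASSOCIATION_CONFIG)
    for rec in ACCOUNTING_RECORDS:
        fw.ingest_accounting(rec)
    requests = [("10.20.0.11", "App1"), ("10.20.0.11", "App2"),
                ("10.20.0.12", "App2"), ("10.20.0.12", "App1"),
                ("10.20.0.99", "App1")]
    return {f"{ip}->{app}": fw.decide(ip, app) for ip, app in requests}


if __name__ == "__main__":
    for request, verdict in run_demo().items():
        print(request, verdict)
```

The replay shows why the Stop handling matters: once 10.20.0.12 is re-assigned to a new SIM, the old session's policy must not be applied to the new holder of the address.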
In a third aspect, an embodiment of the present application provides a communication device. The communication device may have the functions of the firewall in the first aspect, or the functions of the charging forwarding device in the second aspect. The communication device may be a network device, or a chip included in a network device.
The functions of the communication device may be implemented by hardware, or by hardware executing corresponding software, the hardware or software including one or more modules, units or means corresponding to the above functions.
In a possible design, the communication device includes a processing module and a transceiver module. The processing module is configured to support the communication device in performing the firewall functions of the first aspect. The transceiver module supports communication between the communication device and other communication devices; for example, when the communication device is a firewall, the transceiver module can receive an access request from a terminal device. The communication device may further include a storage module coupled to the processing module, which stores the program instructions and data the communication device needs. As an example, the processing module may be a processor, the communication module a transceiver, and the storage module a memory; the memory may be integrated with the processor or provided separately.
In another possible design, the communication device includes a processor and may further include a memory. The processor is coupled to the memory and can execute the computer program instructions stored in the memory so that the communication device performs the method of any possible design of the first or second aspect. Optionally, the communication device further includes a communication interface coupled to the processor. When the communication device is a network device, the communication interface may be a transceiver or an input/output interface; when the communication device is a chip included in a network device, the communication interface may be the chip's input/output interface. Optionally, the transceiver may be a transceiver circuit and the input/output interface an input/output circuit.
In a fourth aspect, an embodiment of the present application provides a chip system including a processor coupled to a memory. The memory stores programs or instructions which, when executed by the processor, cause the chip system to perform the method of any possible design of the first or second aspect.
Optionally, the chip system may further include an interface circuit for passing code instructions from the memory to the processor.
Optionally, the chip system may contain one or more processors, implemented in hardware or in software. When implemented in hardware, a processor may be a logic circuit, an integrated circuit or the like. When implemented in software, a processor may be a general-purpose processor that operates by reading software code stored in a memory.
Optionally, the chip system may also contain one or more memories. A memory may be integrated with the processor or provided separately. For example, the memory may be a non-transitory memory such as a read-only memory (ROM), which may be integrated on the same chip as the processor or provided on a different chip.
In a fifth aspect, an embodiment of the present application provides a computer-readable storage medium storing a computer program or instructions which, when executed, cause the method of any possible design of the first or second aspect to be performed.
In a sixth aspect, an embodiment of the present application provides a computer program product which, when executed by a communication device, causes the communication device to perform the method of any possible design of the first or second aspect.
In a seventh aspect, an embodiment of the present application provides a communication system including a firewall and a charging forwarding device in an enterprise private network. The communication system may further include a terminal device. Optionally, it may further include a session management function network element, an access and mobility management function network element, a user plane function network element and radio access network equipment in the public network. The terminal device can access the public network and can also access the enterprise private network, for example to request access to certain application services in it.
Specifically, the charging forwarding device is configured to receive charging information from the session management function network element after the terminal device passes operator authentication, and to send the terminal device's subscriber identity module (SIM) card information and IP address, obtained from the charging information, to the firewall;
the firewall is configured to receive the terminal device's SIM card information and IP address from the charging forwarding device and to establish a mapping between the SIM card information and the IP address;
the firewall is further configured to receive an access request from the terminal device, the access request including the terminal device's IP address, to determine the SIM card information corresponding to the IP address according to the mapping, and to apply access control to the access request according to the access control policy associated with the SIM card information.
In a possible design, the access request includes the application service being requested; the access control policy includes the application services in the enterprise private network that the terminal device corresponding to the SIM card information is allowed to access, and/or those it is not allowed to access; and the firewall is specifically configured to allow the access request if the requested application service is one the terminal device corresponding to the SIM card information is allowed to access, and otherwise to block it.
In a possible design, the firewall stores association configuration information, which includes the access control policy associated with each item of SIM card information in the enterprise private network.
In a possible design, the charging forwarding device is specifically configured to receive the charging information from the session management function network element via a charging protocol, the charging protocol being the RADIUS protocol or the Diameter protocol.
For the technical effects achievable by any of the second to sixth aspects, refer to those achievable by any possible design of the first aspect or the second aspect; they are not repeated here.
Description of Drawings
FIG. 1 is a schematic diagram of the network architecture of a communication system to which an embodiment of the present application applies;
FIG. 2 shows an application scenario to which an embodiment of the present application applies;
FIG. 3 is a schematic flow diagram of an access control method based on SIM card information provided by an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a communication device provided by an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
Detailed Description
The embodiments of the present application are described in further detail below with reference to the accompanying drawings.
FIG. 1 shows an example network architecture of a communication system to which an embodiment of the present application applies. As shown in FIG. 1, the architecture includes terminal devices, the operator core network and an MEC network extended down to the enterprise campus (the operator core network includes a session management function (SMF) network element, which is responsible for session control when an enterprise terminal accesses the enterprise private network, such as establishing, releasing and updating the user's protocol data unit (PDU) sessions; the MEC network may include radio access network equipment and a user plane function (UPF) network element, the radio access network equipment being responsible for connecting enterprise terminals to the operator network and the UPF for the connectivity of enterprise terminals to the enterprise private network; the UPF is deployed down at the enterprise campus and remains under operator management), a firewall (FW), and server equipment on which one or more enterprise applications (enterprise applications 1, 2, ..., N in the figure) are deployed.
It may further include a charging forwarding device, which may be an enterprise authentication, authorization and accounting (AAA) server responsible for authenticating enterprise terminals and forwarding the relevant terminal device information to the firewall deployed in the enterprise private network. The firewall is responsible for role-based, fine-grained access control of terminal devices accessing the enterprise private network.
The SMF may be integrated with the charging forwarding device into one module that performs the corresponding operations; the charging forwarding device may likewise be integrated with the firewall, and the UPF with the firewall. In addition, the operator core network and MEC network may be located in the operator-side network, and the charging forwarding device, firewall and enterprise applications in the enterprise-side network; in practice, the charging forwarding device and firewall may also be located in the operator-side network, which the present application does not specifically limit.
The operator-side network may also be called the operator network or public network, and the enterprise-side network may also be called the enterprise private network, enterprise internal network, campus network or non-public network.
Here, the terminal device may also be called user equipment (UE), a mobile station, a mobile terminal, and so on. Terminal devices are used in a wide range of scenarios, for example device-to-device (D2D) communication, vehicle-to-everything (V2X) communication, machine-type communication (MTC), the Internet of Things (IoT), virtual reality, augmented reality, industrial control, autonomous driving, telemedicine, smart grid, smart home furnishings, smart office, wearables, intelligent transportation, smart cities and so on. A terminal device may be a mobile phone, a tablet, a computer with wireless transceiver capability, a wearable device, a vehicle, a drone, a helicopter, an aircraft, a ship, a robot, a robotic arm, a smart-home device, etc. This application does not limit the specific technology or device form used by the terminal device.
The radio access network device may be a base station, an evolved NodeB (eNodeB), a transmission reception point (TRP), a next generation NodeB (gNB) in a 5G mobile communication system, a next-generation base station in a 6G mobile communication system, a base station in a future mobile communication system, or an access node in a wireless fidelity (WiFi) system; it may also be a module or unit that performs part of a base station's functions, for example a central unit (CU) or a distributed unit (DU). The radio access network device may be a macro base station, a micro base station or an indoor station, or a relay node or donor node. This application does not limit the specific technology or device form used by the radio access network device.
It should be noted that the network elements or functions above may be network elements in hardware devices, software functions running on dedicated hardware, or virtualized functions instantiated on a platform (for example, a cloud platform). Optionally, a network element or function may be implemented by one device, jointly by several devices, or as a functional module within one device; this application does not specifically limit this.
It should also be understood that the session management function network element and the user plane function network element in this application may be the SMF and the UPF in FIG. 1 respectively, or network elements in a future communication system such as a 6G network that have the functions of the SMF and UPF described above; this application does not limit this. For ease of description, the embodiments of this application use the SMF and the UPF as examples of the session management function network element and the user plane function network element respectively when introducing the technical solution.
FIG. 2 shows an example application scenario of an embodiment of this application. As shown in FIG. 2, the terminal devices that access the enterprise private network are of different types, play different roles, and may need to access different application services within the enterprise private network. For example, the terminal devices may include cameras, industrial control terminals, virtual reality terminals, unmanned driving terminals, IoT terminals and so on. An enterprise usually needs to set different access control policies for these accesses. For example, terminal device 1 (such as a camera) is only allowed to access App1 (a video server) and must not access App2 (a production server).
FIG. 3 shows an access control method based on SIM card information provided by an embodiment of this application. The method can be carried out through data exchange between the terminal device, the SMF and the firewall; in practice, when there are multiple firewalls, it can also be carried out through data exchange with a charging forwarding device. As shown in FIG. 3, the method includes:
Step 301: after the terminal device passes operator authentication, the charging forwarding device receives charging information from the SMF network element.
Step 302: the charging forwarding device sends the terminal device's SIM card information and IP address to the firewall in the enterprise private network, the SIM card information and IP address having been obtained from the charging information.
Correspondingly, the firewall receives the terminal device's SIM card information and IP address from the charging forwarding device.
Take the scenario of an enterprise private network built with MEC technology in a 5G network as an example. After attaching to the 5G network, the terminal device can initiate a request to access the enterprise private network. The SMF network element in the 5G network receives the request and authenticates the terminal device to determine whether it may access the enterprise network.
Further, the SMF network element can send charging information to the charging forwarding device or to the firewall over a charging protocol; the charging information is used to charge the terminal device and to meet other statistical needs. The charging protocol may be the Remote Authentication Dial In User Service (RADIUS) protocol or the Diameter protocol, without limitation. The charging information may include the terminal device's SIM card information and IP address. The SIM card information is the identification information of the SIM card installed in the terminal device; different terminal devices (that is, different SIM cards) have different SIM card information. The IP address is the address that the SMF network element mentioned above allocated to the terminal device after it passed authentication.
Subsequently, the charging forwarding device forwards the terminal device's SIM card information and IP address from the charging information to the firewall. Note that the format and requirements of the information exchanged between the SMF and the charging forwarding device cannot be recognized directly by the firewall. If the charging forwarding device transparently forwarded the charging information it received from the SMF network element, the firewall might be unable to interpret the SIM card information and IP address in it correctly and therefore unable to perform effective network access control. So that the firewall can interpret the information, the charging forwarding device can convert the format and requirements of the SIM card information and IP address in the charging information into a format and requirements the firewall can interpret, and then forward the result to the firewall. For example, the charging forwarding device may write the SIM card information into the user name field of the charging information.
Step 303: the firewall establishes a mapping between the terminal device's SIM card information and its IP address.
In this application, the firewall may store association configuration information that includes the access control policy associated with each SIM card information in the enterprise private network. That is, an associated access control policy can be set for each SIM card information in the enterprise private network and the corresponding association configuration information generated. Note that the association configuration information may be generated by and configured in the firewall, or generated by another network element (for example the charging forwarding device in the enterprise private network, or a management-plane OAM network element) and then notified to the firewall; this application does not specifically limit this.
It should be noted that when setting the access control policy associated with SIM card information, this application may take into account the type or role of the terminal device that the SIM card information corresponds to. For example, certain types of terminal device may be allowed to access a certain class of application services while other types are not, which achieves fine-grained access control based on terminal type or role. In this way, when the firewall receives an access request from a terminal device for an application service in the enterprise private network, it can use the mapping to translate the IP address carried in the access request into SIM card information and then apply the access control policy associated with that SIM card information to the access. This process is described in detail in steps 304 to 306 below.
Step 304: the firewall receives an access request from the terminal device; the access request includes the terminal device's IP address.
For example, the access request includes a source IP address, a destination IP address, a source port number, a destination port number and a protocol type; the terminal device's IP address here is the source IP address of the access request.
Step 305: according to the mapping above, the firewall determines the SIM card information corresponding to the terminal device's IP address in the access request.
Step 306: the firewall performs access control on the access request according to the access control policy associated with that SIM card information.
For example, the access request may indicate the application service the terminal device wants to access: it may carry information related to that application service (such as protocol type, destination IP address and destination port number), from which the firewall can determine which application services the terminal device is requesting. The access control policy associated with the SIM card information may include one or more application services in the enterprise private network that the terminal device corresponding to that SIM card information is allowed to access, and/or one or more application services that it is not allowed to access. The firewall then applies the policy to the access request as follows: if the requested application service is one that the terminal device corresponding to the SIM card information is allowed to access in the enterprise network, the access request is allowed (for example, forwarded on to the corresponding application server); otherwise the access request is blocked.
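The procedure of steps 301 to 306, as an added example that is not part of the patent: a Python model in which the SMF's accounting record is rewritten by the charging forwarding device and consumed by the firewall. Everything beyond what the page states is an assumption: that the SMF's charging information is a RADIUS Accounting-Request (RFC 2866) carrying the SIM card information as an IMSI in the 3GPP-IMSI vendor-specific attribute (vendor ID 10415) and the allocated address in Framed-IP-Address; that the firewall reads the SIM card information from User-Name, which is the conversion the page gives as its example; and the IMSIs, addresses and application services, which are constructed sample values. Two points the page leaves implicit are handled: the binding is removed on Acct-Stop, since the operator reuses addresses and a stale entry would hand the next subscriber the previous SIM's rights, and an address with no binding is denied.

```python
# Added example, not code from the patent: a runnable model of steps 301-306.
# Assumed (the page does not specify): the SMF's record is a RADIUS
# Accounting-Request (RFC 2866) carrying the IMSI in the 3GPP-IMSI vendor
# attribute (vendor ID 10415) and the UE address in Framed-IP-Address; the
# charging forwarding device copies the IMSI into User-Name, the conversion the
# page names as its example; the firewall keys its policy on the IMSI string.
import ipaddress
import struct
from collections import namedtuple
from dataclasses import dataclass, field

ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_VENDOR_SPECIFIC, ATTR_ACCT_STATUS_TYPE = 1, 8, 26, 40
VENDOR_3GPP, VSA_3GPP_IMSI = 10415, 1       # 3GPP VSA, sub-type 1 = 3GPP-IMSI
ACCT_START, ACCT_STOP, CODE_ACCT_REQUEST = 1, 2, 4

def build_attr(attr_type, value):
    """One RADIUS attribute: type, length (including this header), value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_acct_request(imsi, ip, status, identifier=1):
    """Constructed sample of the SMF's accounting record. The authenticator is
    left zeroed: shared-secret validation is out of scope for this model."""
    attrs = build_attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
    attrs += build_attr(ATTR_FRAMED_IP, ipaddress.IPv4Address(ip).packed)
    sub = bytes([VSA_3GPP_IMSI, len(imsi) + 2]) + imsi.encode()
    attrs += build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_3GPP) + sub)
    return struct.pack("!BBH", CODE_ACCT_REQUEST, identifier, 20 + len(attrs)) + bytes(16) + attrs

def parse_attrs(packet):
    """Walk the attributes after the 20-byte header. Plain attributes are keyed
    by type, 3GPP vendor sub-attributes by ("3gpp", subtype). Rejects bad lengths."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    out, pos = {}, 20
    while pos < len(packet):
        length = packet[pos + 1] if pos + 2 <= len(packet) else 0
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        t, value = packet[pos], packet[pos + 2:pos + length]
        if t == ATTR_VENDOR_SPECIFIC and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == VENDOR_3GPP:
            out[("3gpp", value[4])] = value[6:4 + value[5]]
        else:
            out[t] = value
        pos += length
    return out

def convert_for_firewall(packet):
    """Charging forwarding device (step 302): rewrite the record so the firewall
    can read it: the IMSI moves from the 3GPP VSA into User-Name, Framed-IP-Address
    and Acct-Status-Type are carried over unchanged."""
    attrs = parse_attrs(packet)
    imsi = attrs.get(("3gpp", VSA_3GPP_IMSI))
    if imsi is None or ATTR_FRAMED_IP not in attrs or ATTR_ACCT_STATUS_TYPE not in attrs:
        raise ValueError("record lacks IMSI, Framed-IP-Address or Acct-Status-Type")
    body = build_attr(ATTR_USER_NAME, imsi) + build_attr(ATTR_FRAMED_IP, attrs[ATTR_FRAMED_IP])
    body += build_attr(ATTR_ACCT_STATUS_TYPE, attrs[ATTR_ACCT_STATUS_TYPE])
    return struct.pack("!BBH", CODE_ACCT_REQUEST, packet[1], 20 + len(body)) + packet[4:20] + body

Flow = namedtuple("Flow", "src_ip dst_ip dst_port proto")   # the step 304 fields the policy uses

@dataclass
class Firewall:
    policy: dict                                   # IMSI -> {(dst_ip, dst_port, proto)} allowed; absent = denied
    ip_to_sim: dict = field(default_factory=dict)  # the step 303 mapping

    def on_accounting(self, packet):
        """Step 303: bind IP to SIM on Acct-Start. Drop the binding on Acct-Stop,
        otherwise a reassigned address would inherit the previous subscriber's rights."""
        attrs = parse_attrs(packet)
        sim = attrs[ATTR_USER_NAME].decode()
        ip = str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP]))
        status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0]
        if status == ACCT_START:
            self.ip_to_sim[ip] = sim
        elif status == ACCT_STOP and self.ip_to_sim.get(ip) == sim:
            del self.ip_to_sim[ip]

    def check(self, flow):
        """Steps 304-306: source IP -> SIM -> policy; an unknown address is denied."""
        sim = self.ip_to_sim.get(flow.src_ip)
        if sim is None:
            return "deny"
        return "allow" if (flow.dst_ip, flow.dst_port, flow.proto) in self.policy.get(sim, set()) else "deny"

def demo():
    """FIG. 2's case with constructed IMSIs and addresses: the camera SIM may reach
    only App1 (video, 10.1.0.10:554), the controller SIM only App2 (10.1.0.20:502)."""
    fw = Firewall(policy={"460001234567890": {("10.1.0.10", 554, "tcp")},
                          "460001234567891": {("10.1.0.20", 502, "tcp")}})
    for imsi, ip in (("460001234567890", "10.2.0.5"), ("460001234567891", "10.2.0.6")):
        fw.on_accounting(convert_for_firewall(build_acct_request(imsi, ip, ACCT_START)))
    results = [fw.check(Flow("10.2.0.5", "10.1.0.10", 554, "tcp")),    # camera -> App1
               fw.check(Flow("10.2.0.5", "10.1.0.20", 502, "tcp")),    # camera -> App2
               fw.check(Flow("10.2.0.6", "10.1.0.20", 502, "tcp")),    # controller -> App2
               fw.check(Flow("10.2.0.99", "10.1.0.10", 554, "tcp"))]   # no binding for this address
    fw.on_accounting(convert_for_firewall(build_acct_request("460001234567890", "10.2.0.5", ACCT_STOP)))
    results.append(fw.check(Flow("10.2.0.5", "10.1.0.10", 554, "tcp")))  # camera after Acct-Stop
    return results
```

Running `demo()` yields allow, deny, allow, deny, deny: the camera reaches the video server but not the production server, the controller reaches the production server, an address with no accounting record is refused, and the camera's rights vanish once its session is torn down. The model deliberately leaves out RADIUS authenticator and shared-secret checks; in a deployment the firewall must accept accounting records only from the trusted charging forwarding device (RADIUS shared secret, or Diameter over a protected transport), because the IP-to-SIM binding is the entire access decision and anyone able to inject an Accounting-Start could attach any address to any SIM's policy.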
In the MEC-based enterprise private network scenario, with the above technical solution the enterprise can set reasonable access control policies in the firewall for the SIM card information corresponding to each terminal device according to the device's type or role. After the terminal device completes authentication, the SMF passes the mapping between the terminal device's IP address and its SIM card information to the firewall, so that the firewall can perform fine-grained access control on the terminal device's access to the enterprise private network based on the SIM card information and the preset access control policies.
The above technical solution also has the following beneficial effects. First, the terminal device does not need to be bound to a static IP address, which reduces the operator's IP address consumption. Second, the terminal device does not need to enter a user name and password, so the solution applies to a wider range of scenarios, in particular IoT scenarios in which the terminal device's capabilities are limited. Third, it reduces the complexity of coordination between the operator and the enterprise.
An embodiment of this application also provides a communication apparatus. FIG. 4 is a schematic structural diagram of a communication apparatus provided by an embodiment of this application; the communication apparatus 400 includes a transceiver module 410 and a processing module 420. The communication apparatus can be used to implement the function of the firewall in the enterprise private network in the method embodiment above, or the function of the authentication, authorization and accounting (AAA) server in the enterprise private network in the method embodiment above. The communication apparatus may be a network device, or an apparatus capable of supporting a network device in implementing the corresponding functions in the method embodiment above (for example, a chip included in the network device), and so on.
For example, when the communication apparatus performs the operations or steps corresponding to the firewall in the enterprise private network in the method embodiment shown in FIG. 3, the transceiver module 410 is configured to receive an access request from a terminal device, the access request including the terminal device's IP address; and the processing module 420 is configured to determine the International Mobile Subscriber Identity (IMSI) SIM card information corresponding to the IP address and to perform access control on the access request according to the access control policy associated with that SIM card information.
In one possible design, the transceiver module 410 is further configured to receive the terminal device's SIM card information and IP address from the charging forwarding device in the enterprise private network, and the processing module 420 is further configured to establish a mapping between the SIM card information and the IP address and, according to that mapping, determine the SIM card information corresponding to the IP address.
In one possible design, the access request includes the application service requested; the access control policy includes application services in the enterprise private network that the terminal device corresponding to the SIM card information is allowed to access, and/or application services in the enterprise private network that it is not allowed to access; and the processing module 420 is specifically configured to perform access control on the access request according to the access control policy associated with the SIM card information by allowing the access request if the requested application service is one the terminal device corresponding to the SIM card information is allowed to access in the enterprise private network, and blocking it otherwise.
In one possible design, the processing module stores association configuration information that includes the access control policy associated with each SIM card information in the enterprise private network.
For example, when the communication apparatus performs the operations or steps corresponding to the charging forwarding device in the enterprise private network in the method embodiment shown in FIG. 3, the transceiver module 410 is configured to receive charging information from the session management function network element after the terminal device passes authentication, and the processing module 420 is configured to send, through the transceiver module 410, the terminal device's IMSI SIM card information and IP address to the firewall in the enterprise private network, the SIM card information and IP address being obtained from the charging information.
In one possible design, the transceiver module 410 is specifically configured to receive the charging information from the session management function network element over a charging protocol, the charging protocol being the RADIUS protocol or the Diameter protocol.
The processing module 420 of the communication apparatus may be implemented by at least one processor or processor-related circuit component, and the transceiver module 410 by at least one transceiver, transceiver-related circuit component or communication interface. The operations and/or functions of the modules in the communication apparatus implement the corresponding flow of the method shown in FIG. 3 and, for brevity, are not repeated here. Optionally, the communication apparatus may further include a storage module for storing data and/or instructions; the transceiver module 410 and/or the processing module 420 can read the data and/or instructions in the storage module so that the communication apparatus carries out the corresponding method. The storage module may be implemented, for example, by at least one memory.
The storage module, processing module and transceiver module may exist separately, or some or all of them may be integrated, for example the storage module with the processing module, or the processing module with the transceiver module.
FIG. 5 is another schematic structural diagram of a communication apparatus provided in an embodiment of this application. The communication apparatus can be used to implement the functions of the firewall in the enterprise private network in the method embodiment above, or the functions of the charging forwarding device in the enterprise private network in the method embodiment above. It may be a network device, or an apparatus capable of supporting a network device in implementing the corresponding functions in the method embodiment above (for example, a chip included in the network device), and so on.
The communication apparatus 500 may include a processor 501 and a memory 502. The memory 502 stores program instructions and/or data, and the processor 501 executes the program instructions stored in the memory 502 so as to implement the method in the method embodiment above.
Optionally, the memory 502 is coupled to the processor 501. The coupling is an indirect coupling or communication connection between apparatuses, units or modules, which may be electrical, mechanical or in another form, and is used for information exchange between the apparatuses, units or modules.
Optionally, the communication apparatus 500 may further include a communication interface 503 for communicating with other devices over a transmission medium, for example passing signals received from other communication apparatuses to the processor 501, or sending signals from the processor 501 to other communication apparatuses. The communication interface 503 may be a transceiver or an interface circuit such as a transceiver circuit or transceiver chip.
In one embodiment, the communication interface 503 can be used specifically to perform the actions of the transceiver module 410 above, and the processor 501 to perform the actions of the processing module 420 above; this is not repeated here.
The embodiments of this application do not limit the specific connection medium among the processor 501, the memory 502 and the communication interface 503. In FIG. 5 the processor 501, the memory 502 and the communication interface 503 are connected by a bus 504, drawn as a thick line; the way the other components are connected is only illustrative and not limiting. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation only one thick line is drawn in FIG. 5, which does not mean there is only one bus or one type of bus.
An embodiment of this application also provides a chip system including a processor coupled to a memory. The memory stores a program or instructions which, when executed by the processor, cause the chip system to implement the method corresponding to the firewall in the enterprise private network in the method embodiment above, or the method corresponding to the charging forwarding device in the enterprise private network in the method embodiment above.
Optionally, the chip system may have one or more processors. A processor may be implemented in hardware or in software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, and so on. When implemented in software, the processor may be a general-purpose processor that works by reading software code stored in a memory.
Optionally, the chip system may also have one or more memories. A memory may be integrated with the processor or set apart from it; this application does not limit this. For example, the memory may be a non-transitory memory such as a read-only memory (ROM), which may be integrated on the same chip as the processor or placed on a different chip; this application does not specifically limit the type of memory or the arrangement of the memory and the processor.
For example, the chip system may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD) or another integrated chip.
It should be understood that the steps of the method embodiments above may be completed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The method steps disclosed in connection with the embodiments of this application may be carried out directly by a hardware processor, or by a combination of hardware and software modules in a processor.
An embodiment of this application also provides a computer-readable storage medium storing a computer program or instructions which, when executed, cause a communication apparatus to perform the method in the method embodiments above.
An embodiment of this application also provides a computer program product which, when read and executed by a communication apparatus, causes the communication apparatus to perform the method in the method embodiments above.
An embodiment of this application also provides a communication system including a firewall in an enterprise private network and an authentication, authorization and accounting (AAA) server. The communication system may also include terminal devices. Optionally, it may further include a session management function network element, an access and mobility management function network element, a user plane function network element and radio access network devices in the public network. A terminal device can access the public network or the enterprise private network, for example to request access to certain application services in the enterprise private network. The network elements or functional entities above cooperate to implement the method in the method embodiments above.
It should be understood that the processor mentioned in the embodiments of this application may be a CPU, or another general-purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor or any conventional processor.
It should also be understood that the memory mentioned in the embodiments of this application may be volatile memory or non-volatile memory, or may include both. Non-volatile memory may be ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM) or flash memory. Volatile memory may be random access memory (RAM), used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DRRAM).
It should be noted that when the processor is a general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device or discrete hardware component, the memory (storage module) is integrated in the processor.
It should be noted that the memories described here are intended to include, without being limited to, these and any other suitable types of memory.
It should be understood that the various numbers used in the embodiments of this application are only for convenience of description; the magnitude of the serial numbers of the processes or steps above does not imply an order of execution. The order in which the processes or steps are executed should be determined by their functions and internal logic and does not limit the implementation of the embodiments.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed here can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be regarded as going beyond the scope of this application.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above can be found in the corresponding processes of the method embodiments above and are not repeated here.
In the several embodiments provided by this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative: the division into units is only a logical functional division, and in actual implementation there may be other divisions; for example, several units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed across several network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiments.
In addition, the functional units in the embodiments of this application may be integrated in one processing unit, each unit may exist physically on its own, or two or more units may be integrated in one unit.
If the functions are implemented as software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied as a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or some of the steps of the methods described in the embodiments of this application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, ROM, RAM, a magnetic disk or an optical disc.
In the embodiments of this application, unless otherwise stated or logically in conflict, the terms and/or descriptions in different embodiments are consistent and may be referred to across embodiments, and the technical features of different embodiments may be combined according to their internal logical relationships to form new embodiments.
Claims (19)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2021113757664 | 2021-11-19 | ||
CN202111375766 | 2021-11-19 |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115426139A true CN115426139A (en) | 2022-12-02 |
CN115426139B CN115426139B (en) | 2025-06-24 |
Family
ID=84198580
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210975253.5A Active CN115426139B (en) | 2021-11-19 | 2022-08-15 | Access control method and communication device based on SIM card information |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115426139B (en) |
2022-08-15: Application CN202210975253.5A filed in CN; granted as CN115426139B (status: Active)
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101388828A (en) * | 2007-09-10 | 2009-03-18 | 大唐移动通信设备有限公司 | Method and device for bearing activation by evolution packet switching system |
CN104113930A (en) * | 2013-04-16 | 2014-10-22 | 中兴通讯股份有限公司 | Method of realizing termination connection, and system of realizing termination connection |
CN109413640A (en) * | 2017-08-18 | 2019-03-01 | 中国移动通信有限公司研究院 | Session information querying method, network element and computer storage medium |
CN112492602A (en) * | 2020-11-19 | 2021-03-12 | 武汉武钢绿色城市技术发展有限公司 | 5G terminal safety access device, system and equipment |
CN113286010A (en) * | 2021-03-29 | 2021-08-20 | 深圳艾灵网络有限公司 | PLC communication method, device and storage medium based on local area network |
CN113473417A (en) * | 2021-06-01 | 2021-10-01 | 中国电信股份有限公司 | Processing method and device for access service, storage medium and electronic equipment |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116566682A (en) * | 2023-05-16 | 2023-08-08 | 赛姆科技(广东)有限公司 | Distributed information network security protection method, system and readable storage medium thereof |
CN116566682B (en) * | 2023-05-16 | 2023-12-08 | 赛姆科技(广东)有限公司 | Distributed information network security protection method, system and readable storage medium thereof |
Also Published As
Publication number | Publication date |
---|---|
CN115426139B (en) | 2025-06-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112153098B (en) | Application migration method and device | |
JP7035163B2 (en) | Network security management methods and equipment | |
CN108513290B (en) | A method and device for selecting a network slice | |
CN103906032B (en) | Device-to-device communication means, module and terminal device | |
KR102469973B1 (en) | Communication method and device | |
WO2021072749A1 (en) | Device permission control method, device, and storage medium | |
CN102801800B (en) | Method and system for performing resource sharing processing among plurality of wireless terminals | |
WO2023024931A1 (en) | Inter-device communication method and apparatus | |
WO2023065778A1 (en) | Method and apparatus for relay communication | |
US20230199870A1 (en) | Application method of computing bearer and apparatus | |
CN106888459A (en) | Reduce the information terminal and its communication means of D2D signaling consumptions and frequency spectrum resource interference | |
CN115915196A (en) | Link state detection method, communication device and communication system | |
WO2024051313A1 (en) | Communication resource management method, apparatus and system, and storage medium | |
CN115426139B (en) | Access control method and communication device based on SIM card information | |
US11985501B2 (en) | Third generation partnership project (3GPP) service delivery to non-3GPP user devices over 3GPP N1 links | |
US20230232318A1 (en) | Authentication method and apparatus therefor | |
KR20220039120A (en) | Method for authenticating device tethered through usb connection, and network system providing the method | |
KR20240144316A (en) | System and method for providing priority network access to multi-link WLAN entities | |
WO2023124680A1 (en) | Subscription management method and related apparatus | |
WO2021012236A1 (en) | Resource publishing method and device | |
US20250106697A1 (en) | Interworking between fifth generation core (5gc) and evolved packet core (epc) in wireless communication networks | |
WO2022104740A1 (en) | Method and apparatus for updating non-public network subscription information | |
CN120302246A (en) | Communication method, communication device, chip and computer readable storage medium | |
WO2025026098A1 (en) | Communication method and apparatus | |
WO2025044773A1 (en) | Security negotiation-based communication method, and apparatus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |