An enterprise generally uses an internal network to prevent leakage of enterprise information. However, when an internal user of the enterprise privately connects a wireless network device to the internal network, the wireless signal of the internal network leaks beyond the enterprise, and consequently an outsider can attack the internal network through the leaked wireless network; or an internal user downloads internal data by connecting a mobile terminal to the wireless network device, which results in information leakage. Therefore, for the internal network of the enterprise, a wireless network device that an internal user privately connects to the internal network is an unauthorized wireless network device, and the connection of such an unauthorized wireless network device brings about a great potential security risk to the internal network of the enterprise.
To eliminate the potential security risk brought about by an unauthorized wireless network device to an internal network of an enterprise, a network management system in the prior art establishes a fingerprint database of authorized wireless network devices according to the MAC (Media Access Control) addresses of all authorized wireless network devices within the internal network, so that the fingerprint database includes the MAC addresses of all the authorized wireless network devices within the internal network. After that, the network management system acquires a MAC forwarding table corresponding to a network port, where the MAC forwarding table includes the MAC address of each device connected to the network port. Generally, only one device is connected to a downlink network port used by a user of the internal network; for example, only the one computer allocated by the company is connected to the network port of one employee. Therefore, the network management system considers by default that a situation in which only one device is connected to a network port is a normal situation. In the prior art, only when the network management system detects that two or more MAC addresses exist in the MAC forwarding table corresponding to the network port does it check whether each MAC address in the MAC forwarding table exists in the fingerprint database of the authorized wireless network devices; if a MAC address in the MAC forwarding table does not exist in the fingerprint database, the network management system considers that an unauthorized wireless device is connected to the internal network.
However, when the MAC forwarding table corresponding to the network port has only one MAC address, that is, only one device is connected to the network port, the network management system determines that this is a normal situation and considers by default that the device connected to the network port is an authorized wireless network device.
Therefore, when an internal user replaces an authorized wireless network device that is originally connected to a network port with an unauthorized wireless network device, the network management system detects that only one MAC address exists in the MAC forwarding table corresponding to the network port, and still considers by default that the device connected to the network port is an authorized wireless network device. In this case, not all unauthorized wireless network devices connected to the internal network can be found, which reduces the accuracy of finding an unauthorized wireless network device connected to the internal network, and also reduces the security of internal network information.
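As an added illustration of the prior-art check described above and of the single-MAC case it does not examine (example code written for this page, not code from the patent or any network management product), the following model applies the fingerprint-database comparison only to ports with two or more learned MAC addresses, and then audits the single-MAC ports that the check trusts by default. The port names, MAC addresses, and the separate inventory of authorized wired endpoints are constructed assumptions; the page describes no endpoint inventory, it is introduced here only so that a single company computer on a port is not reported alongside a replaced wireless device.

```python
# Added example (not code from the patent text): a minimal model of the
# prior-art rogue wireless device check described above, plus an audit of the
# single-MAC ports that check silently trusts. Port names, MAC addresses and
# the endpoint inventory are constructed sample data.

# Fingerprint database of authorized wireless network devices: MAC addresses
# of every authorized wireless device on the internal network (constructed).
AUTHORIZED_WIRELESS_MACS = frozenset({
    "00:11:22:aa:bb:01",
    "00:11:22:aa:bb:02",
})

# Assumed inventory of authorized wired endpoints (company-issued computers).
# The text describes no such list; it is added here so that single-MAC ports
# can be audited without reporting every ordinary workstation.
KNOWN_ENDPOINT_MACS = frozenset({
    "3c:52:82:00:00:10",
})

# MAC forwarding tables keyed by network port: port -> set of MAC addresses
# learned on that port (constructed sample data).
SAMPLE_FORWARDING_TABLES = {
    "port-1": {"3c:52:82:00:00:10"},                       # one company computer
    "port-2": {"00:11:22:aa:bb:01"},                       # one authorized wireless device
    "port-3": {"00:11:22:aa:bb:02", "f0:0d:ca:fe:00:01"},  # two MACs, one not in the DB
    "port-4": {"f0:0d:ca:fe:00:02"},                       # one MAC, not in the DB
}


def normalize_mac(mac):
    """Canonical lower-case colon form so table and database entries compare
    reliably regardless of how the switch or inventory formats them."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def prior_art_check(forwarding_tables, authorized_wireless):
    """Prior-art logic as the text describes it: a port is examined only when
    two or more MAC addresses exist in its forwarding table; every MAC on such
    a port that is absent from the fingerprint database is reported as an
    unauthorized wireless device. Returns {port: [unknown MACs]}."""
    authorized = {normalize_mac(m) for m in authorized_wireless}
    findings = {}
    for port, macs in forwarding_tables.items():
        learned = {normalize_mac(m) for m in macs}
        if len(learned) < 2:
            continue  # single device on the port: trusted by default
        unknown = sorted(learned - authorized)
        if unknown:
            findings[port] = unknown
    return findings


def single_mac_blind_spot(forwarding_tables, authorized_wireless,
                          known_endpoints=frozenset()):
    """Audit helper (an assumption of this example, not the patent's claimed
    method): list the ports the prior-art check skips because exactly one MAC
    is learned there, where that MAC is in neither the wireless fingerprint
    database nor the endpoint inventory. An authorized wireless device swapped
    for an unauthorized one lands here. Returns sorted [(port, mac)]."""
    allowed = ({normalize_mac(m) for m in authorized_wireless}
               | {normalize_mac(m) for m in known_endpoints})
    suspect = []
    for port, macs in forwarding_tables.items():
        learned = {normalize_mac(m) for m in macs}
        if len(learned) == 1:
            (mac,) = learned
            if mac not in allowed:
                suspect.append((port, mac))
    return sorted(suspect)


if __name__ == "__main__":
    print("prior-art findings:",
          prior_art_check(SAMPLE_FORWARDING_TABLES, AUTHORIZED_WIRELESS_MACS))
    print("single-MAC ports the prior-art check never examines:",
          single_mac_blind_spot(SAMPLE_FORWARDING_TABLES,
                                AUTHORIZED_WIRELESS_MACS, KNOWN_ENDPOINT_MACS))
```

On the constructed tables, the prior-art check reports only the unknown MAC on port-3, while port-4, a single device that is in neither list, is never looked at; the audit function surfaces exactly that port. Without an endpoint inventory the audit would also list port-1, which is why some record of authorized wired endpoints is needed before single-MAC ports can be judged rather than trusted by default.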