CN101355427A - Internally-control safety method for information gateway-service support system - Google Patents
Internally-control safety method for information gateway-service support system
- Publication number: CN101355427A (application CNA2008100221780A)
- Authority: CN (China)
- Prior art keywords: service, information, database, client, oracle
- Legal status: Pending
- Classification: Computer And Data Communications (AREA); Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides an internal-control security method for an information gateway-business support system. The method uses TCP/IP packet interception, performs limited parsing of the ORACLE communication protocol, and combines inter-process communication (IPC) with shared memory, so that database access behaviour is supervised at the network layer and a means of after-the-fact auditing of data access is provided, thereby improving the internal control mechanism for information security.
Description
Technical field
The invention belongs to the field of information system security construction for common carriers (telecom operators). It concerns a technical implementation method for data access security, used when building information system security, that improves the information security of the system. The invention can be applied directly to the information security construction of each carrier's business operation support system, and can be generalised further to the large-scale IT systems of industries such as banking, electric power and insurance.
Background technology
1. The Changzhou branch of China Mobile Jiangsu manages the data and call records of 2,000,000 mobile subscribers; protecting this information is one of the enterprise's core competencies. A traditional support system gives support staff relatively open access to the database, so the data access behaviour of internal support staff is difficult to supervise.
2. The SQL log auditing mechanism built into the ORACLE database cannot be put into practice because its overhead is huge, so other innovative means are needed to improve this internal control security capability.
3. The business operation support systems of domestic and foreign telecom operators have mostly adopted data access supervision at the interface (application) level, while supervision at the technical operation level is very weak. Since information security is also a key aspect of internal control, domestic telecom operators need to explore and innovate actively in this area.
Summary of the invention
To remedy the deficiencies of existing security systems, the invention proposes an information gateway-business support system internal control security method comprising the following steps:
Step 1, network segment isolation: block connectivity between the client computers and the database at the network layer;
Step 2, configure the information gateway proxy system;
Step 3, client authentication;
Step 4, proxy the database connection and forward the information;
Step 5, intercept the connection packets and record database connection behaviour and data access behaviour;
Step 6, carry out regular after-the-fact security checks according to the security log and take the relevant security measures in time.
In the above method, configuring the information gateway proxy system means packet interception and information extraction by the information gateway, which proceeds as follows: the service agent of the information gateway receives the data access request packet sent by the client, parses the packet according to the ORACLE communication protocol, and extracts from it the client information and the information about the target database to be accessed; after authenticating the client against the extracted information, the service agent establishes a SOCKET connection with the target database according to the extracted target database information and begins forwarding packets; while forwarding, the service agent parses the packets again according to the ORACLE communication protocol and extracts the data access information from them.
In the above method, the client information means the IP address and the operating system account; the target database information means the IP address, port number, service name, etc.
The above method is further characterised in that: the Ethernet networking mode is used together with a routing security policy, ensuring that the network segment of the client computers and the network segment of the database server cannot reach each other by routing; the SOCKET technique is used to intercept and analyse TCP/IP packets in real time; and the intercepted packet data is parsed in a limited way according to the ORACLE communication protocol to extract the client's address information and access behaviour information.
Correspondingly, the invention also proposes an information gateway-business support system internal control security device, characterised in that it comprises:
a network segment isolation unit, used to block connectivity between the client computers and the database at the network layer;
an information gateway proxy unit;
a client authentication unit;
a proxy database connection and information forwarding unit;
a unit that intercepts connection packets and records database connection behaviour and data access behaviour;
a security check unit that carries out regular after-the-fact security checks according to the security log and takes the relevant security measures in time.
The above device is further characterised in that:
the information gateway proxy unit consists of a service manager, a process controller, shared memory and a service agent pool, wherein
the service manager is responsible for listening for access requests from client applications and for creating and managing the database switching service agents; at the same time, based on the services actually online, it assesses the load capacity of the ORACLE service bundle and decides the peak limit for a given service, so as to achieve load balancing; the process controller complements the service manager and handles the management of each service at the process level; the shared memory stores the shared data the system needs for inter-process communication; the service agent pool is the container of the database switching service agents and is made up of every online service switching agent, i.e. every service agent.
The service agent consists of two SOCKET channels in opposite directions; each performs a one-way SOCKET service, forwarding packets in blocking mode, parsing the ORACLE communication protocol in a limited way while forwarding, and recording the data access behaviour (SQL) accordingly;
between the service manager (and process controller) and the service agents, shared memory is used for communication, carrying: the process number associated with each service agent, the service port it belongs to, its state information, and how long it has been active;
between the client application and the service manager, SOCKET communication is used, carrying: ORACLE data access messages;
between the service agent and the ORACLE database, SOCKET communication is used, carrying: ORACLE data access messages.
Beneficial effects of the invention:
The information gateway-business support system internal control security method of the invention has the following four beneficial effects:
1. The novel information gateway networking mode for data access breaks the traditional connect-from-anywhere data access model, strengthens access management of client computers, and guards in advance against the risk posed by unregistered, illegal client computers;
2. The novel information gateway concept and its implementation intercept inbound and outbound traffic at the bottom of the network stack, so that all data access behaviour is brought into the field of view of supervision, guaranteeing the accuracy and completeness of the behaviour log;
3. The transparent pass-through function of the information gateway keeps all access information complete while affecting database access performance only slightly; the client does not perceive the gateway during data access;
4. The existence of the information gateway makes after-the-fact supervision of information security possible and has an obvious deterrent effect on unauthorised access to information, thereby reducing the security risk of data access.
Description of drawings
Fig. 1 is a schematic diagram of the business support system network before the invention is implemented;
Fig. 2 is a schematic diagram of the business support system network after the invention is implemented;
Fig. 3 is the technical implementation structure diagram of the information gateway in the invention.
Embodiment
The invention is further described below with reference to the drawings and the embodiment.
The information gateway-business support system internal control security method of the embodiment of the invention comprises the following steps:
Step 1, network segment isolation: block connectivity between the client computers and the database at the network layer;
Step 2, configure the information gateway proxy system;
Step 3, client authentication;
Step 4, proxy the database connection and forward the information;
Step 5, intercept the connection packets and record database connection behaviour and data access behaviour;
Step 6, carry out regular after-the-fact security checks according to the security log and take the relevant security measures in time.
The technical characteristics of the above "information gateway-business support system internal control security method" are:
1. Network segment division based on ETHERNET: use the Ethernet networking mode together with a routing security policy, ensuring that the network segment of the client computers and the network segment of the database server cannot reach each other by routing;
2. TCP/IP packet interception based on SOCKET: use the SOCKET technique to intercept and analyse TCP/IP packets in real time;
3. Limited parsing of the ORACLE communication protocol: parse the intercepted packet data in a limited way according to the ORACLE communication protocol and extract the client's address information and access behaviour information (SQL statements);
4. Inter-process communication based on IPC: use the IPC facilities of UNIX to pass messages between multiple processes;
5. Concurrency control based on shared memory: use UNIX shared memory, set up semaphores and perform atomic operations to achieve synchronisation and mutual exclusion between tasks;
6. Load balancing based on host ports: apply a management information model, introduce the concept of data services, and achieve load balancing through encapsulation of the agents, binding of ports to services, and distributed deployment.
The specific design of the embodiment of the invention is as follows:
1. Physical design of the gateway database
Database name: czigw
Instance name: czzw04
Storage space: 10G
Memory parameters
Physical memory: 42G; the database parameters are set as follows:
Parameter name | Value |
---|---|
db_block_size | 8192 |
db_cache_size | 314572800 |
db_files | 200 |
db_file_multiblock_read_count | 16 |
java_pool_size | 20971520 |
large_pool_size | 20971520 |
shared_pool_size | 52428800 |
processes | 500 |
2. Network segment division
Host type | Network segment |
---|---|
Client computers | 10.38.20.* |
Database server | 10.38.8.* |
3. Service port settings
8888: support centre, group 1
8889: support centre, group 2
8890: other departments of the city company
8901: county companies
Fig. 1 shows the business support system network before the invention is implemented: a conventional information access network topology. Fig. 2 shows the business support system network after the invention is implemented, i.e. the centralised operation network topology of the invention, in which an information gateway has been added between the ORACLE database server and the application-end client computers. Fig. 3 is the technical implementation structure diagram of the information gateway in the invention.
Explanation of Fig. 3:
Service manager: the core of the whole system. It runs as a system daemon, listens for access requests from client applications, and creates and manages the database switching service agents; at the same time, based on the services actually online, it assesses the load capacity of the ORACLE service bundle and decides the peak limit for a given service, so as to achieve load balancing;
Process controller: complements the service manager and handles the management of each service at the process level;
Service agent pool: the container of the database switching service agents, made up of every online service switching agent (service agent);
Service agent: consists of two SOCKET channels in opposite directions; each performs a one-way SOCKET service in blocking mode, forwarding packets, parsing the ORACLE communication protocol in a limited way while forwarding, and recording the data access behaviour (SQL) accordingly.
Between the service manager (and process controller) and the service agents: shared memory communication, carrying the process number associated with each service agent, the service port it belongs to, its state information, and how long it has been active;
Between the client application and the service manager: SOCKET communication, carrying ORACLE data access messages;
Between the service agent and the ORACLE database: SOCKET communication, carrying ORACLE data access messages;
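The shared-memory table between the service manager and the service agents, together with the per-service peak limit, is the part of Fig. 3 that decides whether a new agent may be started. The following Python module is an added example and not the patent's own code: it keeps one slot per agent (process number, service port, state, last-active time) in POSIX shared memory, guards every update with a semaphore so that register/release are atomic across processes, and refuses a new agent once a port has reached its peak. The slot count, field widths, state codes and the peak values are assumptions made for the example; the ports are the page's service ports.

```python
"""Service-manager bookkeeping in shared memory (added example, not the patent's code).

One slot per service agent: process number, service port, state and last-active
time, as the description lists for the manager/agent shared memory.  A binary
semaphore serialises slot updates; PEAK is the assumed per-port limit the manager
enforces for load balancing.
"""
import struct
import time
from multiprocessing import Semaphore, shared_memory

SLOT = struct.Struct("=iiid")                 # pid, service port, state, last-active epoch seconds
FREE, ACTIVE = 0, 1                           # assumed state codes
PEAK = {8888: 2, 8889: 2, 8890: 1, 8901: 1}   # assumed peak number of agents per service port


class AgentTable:
    def __init__(self, slots: int = 8):
        self.slots = slots
        self.nbytes = SLOT.size * slots
        self.shm = shared_memory.SharedMemory(create=True, size=self.nbytes)
        self.shm.buf[:self.nbytes] = bytes(self.nbytes)   # every slot starts FREE
        self.sem = Semaphore(1)                            # binary semaphore used as a mutex

    def _read(self, i):
        return SLOT.unpack_from(self.shm.buf, i * SLOT.size)

    def _write(self, i, pid, port, state, ts):
        SLOT.pack_into(self.shm.buf, i * SLOT.size, pid, port, state, ts)

    def active_on(self, port: int) -> int:
        """Number of agents currently serving `port`."""
        count = 0
        for i in range(self.slots):
            _, p, state, _ = self._read(i)
            if p == port and state == ACTIVE:
                count += 1
        return count

    def register(self, pid: int, port: int, now=None) -> int:
        """Manager admits a new agent unless `port` is at its peak; returns slot index or -1."""
        now = time.time() if now is None else now
        with self.sem:
            if self.active_on(port) >= PEAK.get(port, 0):
                return -1                              # peak reached: refuse, keep load balanced
            for i in range(self.slots):
                if self._read(i)[2] == FREE:
                    self._write(i, pid, port, ACTIVE, now)
                    return i
            return -1                                  # table full

    def heartbeat(self, slot: int, now=None) -> None:
        """Agent refreshes its last-active time after forwarding traffic."""
        now = time.time() if now is None else now
        with self.sem:
            pid, port, state, _ = self._read(slot)
            self._write(slot, pid, port, state, now)

    def release(self, slot: int) -> None:
        """Agent hands its slot back when the client session ends."""
        with self.sem:
            self._write(slot, 0, 0, FREE, 0.0)

    def reap(self, idle_seconds: float, now=None) -> list:
        """Process controller frees agents idle longer than `idle_seconds`; returns their pids."""
        now = time.time() if now is None else now
        reaped = []
        with self.sem:
            for i in range(self.slots):
                pid, port, state, ts = self._read(i)
                if state == ACTIVE and now - ts > idle_seconds:
                    self._write(i, 0, 0, FREE, 0.0)
                    reaped.append(pid)
        return reaped

    def close(self) -> None:
        self.shm.close()
        self.shm.unlink()


if __name__ == "__main__":
    table = AgentTable(slots=4)
    print(table.register(101, 8888), table.register(102, 8888), table.register(103, 8888))  # 0 1 -1
    table.close()
```

In the page's design the agents are separate UNIX processes spawned by the manager, which is why the table lives in shared memory rather than in the manager's heap and why every update is wrapped in the semaphore; a forked agent inherits both the mapping and the semaphore.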
Description of the information gateway's packet interception and information extraction process:
1. The service agent of the information gateway receives the data access request packet sent by the client, parses the packet according to the ORACLE communication protocol, and extracts from it the client information (including the IP address and operating system account) and the information about the target database to be accessed (IP address, port number, service name, etc.);
2. After authenticating the client against the extracted information, the service agent establishes a SOCKET connection with the target database according to the extracted target database information and begins forwarding packets;
3. While forwarding packets, the service agent parses them again according to the ORACLE communication protocol and extracts the data access information from them.
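The three-step pipeline above (frame the packets, extract client and target-database fields from the connect request, authenticate, then pull the SQL out of forwarded packets into an audit record) can be shown end to end. The Python module below is an added example and not the patent's code. Its packet header layout (2-byte big-endian length, 1-byte type at offset 4, type codes 1 for CONNECT and 6 for DATA) and its search for a "(DESCRIPTION=" connect descriptor are a simplified model of the Oracle wire format, not a full protocol parser; the client and database segments and the service ports come from the page, and the sample session bytes are constructed, not captured.

```python
"""Gateway-side inspection of a client-to-ORACLE byte stream (added example, not the patent's code).

Simplifying assumptions: packet header = 2-byte big-endian length, 2-byte checksum,
1-byte type, 1-byte flags, 2-byte header checksum; CONNECT=1, DATA=6; the connect
descriptor is located by searching for "(DESCRIPTION=".
"""
import ipaddress
import re
import struct
from dataclasses import dataclass, field

TNS_CONNECT, TNS_DATA = 1, 6                              # assumed packet-type codes
CLIENT_SEGMENT = ipaddress.ip_network("10.38.20.0/24")    # client computers (from the page)
DB_SEGMENT = ipaddress.ip_network("10.38.8.0/24")         # database server (from the page)
SERVICE_PORTS = {8888: "support centre group 1", 8889: "support centre group 2",
                 8890: "other city-company departments", 8901: "county companies"}
SQL_TEXT = re.compile(rb"(?i)\b(?:select|insert|update|delete|merge|alter|drop|grant)\b[^\x00]{0,4000}")


def frame_tns(stream: bytes):
    """Split a byte stream into (type, payload) pairs; the unconsumed tail is returned too."""
    packets, off = [], 0
    while off + 8 <= len(stream):
        length = struct.unpack_from(">H", stream, off)[0]
        if length < 8 or off + length > len(stream):
            break                                          # partial packet: wait for more bytes
        packets.append((stream[off + 4], stream[off + 8:off + length]))
        off += length
    return packets, stream[off:]


def parse_connect(payload: bytes) -> dict:
    """Extract client info (OS account, host) and target info (host, port, service) from CONNECT."""
    start = payload.find(b"(DESCRIPTION=")
    if start < 0:
        return {}
    text = payload[start:].decode("ascii", "replace")
    addr, _, conn = text.partition("(CONNECT_DATA=")      # ADDRESS part, then CONNECT_DATA part

    def grab(key, where):
        m = re.search(r"\(%s=([^()]*)\)" % key, where)
        return m.group(1) if m else ""

    return {"target_host": grab("HOST", addr), "target_port": grab("PORT", addr),
            "service_name": grab("SERVICE_NAME", conn), "client_host": grab("HOST", conn),
            "os_user": grab("USER", conn), "program": grab("PROGRAM", conn)}


def in_segment(ip: str, segment) -> bool:
    try:
        return ipaddress.ip_address(ip) in segment
    except ValueError:
        return False


def authenticate_client(client_ip: str, service_port: int) -> bool:
    """Step 3: admit only clients on the client segment that arrive on a known service port."""
    return in_segment(client_ip, CLIENT_SEGMENT) and service_port in SERVICE_PORTS


@dataclass
class AuditRecord:
    client_ip: str
    os_user: str
    target: str
    service_name: str
    statements: list = field(default_factory=list)


def inspect_session(client_ip: str, service_port: int, stream: bytes):
    """Run the agent's pipeline over one session's bytes; None means the session is refused."""
    if not authenticate_client(client_ip, service_port):
        return None
    record = None
    for ptype, payload in frame_tns(stream)[0]:
        if ptype == TNS_CONNECT:
            f = parse_connect(payload)
            if not in_segment(f.get("target_host", ""), DB_SEGMENT):
                return None                                # only the isolated DB segment is proxied
            record = AuditRecord(client_ip, f["os_user"],
                                 f"{f['target_host']}:{f['target_port']}", f["service_name"])
        elif ptype == TNS_DATA and record is not None:
            m = SQL_TEXT.search(payload)                   # limited parsing: lift the SQL text only
            if m:
                record.statements.append(m.group(0).decode("ascii", "replace").strip())
    return record


def tns_packet(ptype: int, payload: bytes) -> bytes:
    """Build a packet in the assumed layout (used only to construct the sample input)."""
    return struct.pack(">HHBBH", 8 + len(payload), 0, ptype, 0, 0) + payload


# Constructed sample session, not a real capture.
SAMPLE_STREAM = (
    tns_packet(TNS_CONNECT, b"\x01\x36" + b"\x00" * 22 +
               b"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.38.8.5)(PORT=1521))"
               b"(CONNECT_DATA=(SERVICE_NAME=czigw)(CID=(PROGRAM=sqlplus)(HOST=ws17)(USER=zhangsan))))")
    + tns_packet(TNS_DATA, b"\x00\x00\x03\x5e" + b"SELECT msisdn, call_time FROM cdr WHERE msisdn = :1\x00")
    + tns_packet(TNS_DATA, b"\x00\x00\x03\x5e" + b"UPDATE subscriber SET status = 2 WHERE id = :1\x00")
)

if __name__ == "__main__":
    print(inspect_session("10.38.20.17", 8888, SAMPLE_STREAM))
```

Because the gateway sits in line, refusing a session (a client outside 10.38.20.*, an unknown service port, or a target outside 10.38.8.*) simply means not opening the second socket; the framer also shows why the agent forwards in blocking mode, since a partial packet has to be held until the rest arrives before it can be parsed.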
Although the invention has been disclosed above by way of a preferred embodiment, this is not intended to limit the invention; anyone skilled in the art may make various changes and modifications without departing from the spirit and scope of the invention, so the scope of protection of the invention shall be that defined by the claims of this application.
Claims (7)
1. An information gateway-business support system internal control security method comprising the following steps:
Step 1, network segment isolation: block connectivity between the client computers and the database at the network layer;
Step 2, configure the information gateway proxy system;
Step 3, client authentication;
Step 4, proxy the database connection and forward the information;
Step 5, intercept the connection packets and record database connection behaviour and data access behaviour;
Step 6, carry out regular after-the-fact security checks according to the security log and take the relevant security measures in time.
2. The business support system internal control security method according to claim 1, characterised in that:
configuring the information gateway proxy system means packet interception and information extraction by the information gateway, which proceeds as follows:
the service agent of the information gateway receives the data access request packet sent by the client, parses the packet according to the ORACLE communication protocol, and extracts from it the client information and the information about the target database to be accessed;
after authenticating the client against the extracted information, the service agent establishes a SOCKET connection with the target database according to the extracted target database information and begins forwarding packets;
while forwarding packets, the service agent parses them again according to the ORACLE communication protocol and extracts the data access information from them.
3. The business support system internal control security method according to claim 2, characterised in that:
the client information means the IP address and the operating system account; the target database information means the IP address, port number, service name, etc.
4. The business support system internal control security method according to claim 3, characterised in that: the Ethernet networking mode is used together with a routing security policy, ensuring that the network segment of the client computers and the network segment of the database server cannot reach each other by routing; the SOCKET technique is used to intercept and analyse TCP/IP packets in real time; and the intercepted packet data is parsed in a limited way according to the ORACLE communication protocol to extract the client's address information and access behaviour information.
5. An information gateway-business support system internal control security device, characterised in that it comprises:
a network segment isolation unit, used to block connectivity between the client computers and the database at the network layer;
an information gateway proxy unit;
a client authentication unit;
a proxy database connection and information forwarding unit;
a unit that intercepts connection packets and records database connection behaviour and data access behaviour;
a security check unit that carries out regular after-the-fact security checks according to the security log and takes the relevant security measures in time.
6. The business support system internal control security device according to claim 5, characterised in that:
the information gateway proxy unit consists of a service manager, a process controller, shared memory and a service agent pool, wherein
the service manager is responsible for listening for access requests from client applications and for creating and managing the database switching service agents; at the same time, based on the services actually online, it assesses the load capacity of the ORACLE service bundle and decides the peak limit for a given service, so as to achieve load balancing;
the process controller complements the service manager and handles the management of each service at the process level;
the shared memory stores the shared data the system needs for inter-process communication;
the service agent pool is the container of the database switching service agents and is made up of every online service switching agent, i.e. every service agent.
7. The business support system internal control security device according to claim 6, characterised in that:
the service agent consists of two SOCKET channels in opposite directions; each performs a one-way SOCKET service, forwarding packets in blocking mode, parsing the ORACLE communication protocol in a limited way while forwarding, and recording the data access behaviour (SQL) accordingly;
between the service manager (and process controller) and the service agents, shared memory is used for communication, carrying: the process number associated with each service agent, the service port it belongs to, its state information, and how long it has been active;
between the client application and the service manager, SOCKET communication is used, carrying: ORACLE data access messages;
between the service agent and the ORACLE database, SOCKET communication is used, carrying: ORACLE data access messages.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2008100221780A CN101355427A (en) | 2008-07-22 | 2008-07-22 | Internally-control safety method for information gateway-service support system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101355427A true CN101355427A (en) | 2009-01-28 |
Family
ID=40308039
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2008100221780A Pending CN101355427A (en) | 2008-07-22 | 2008-07-22 | Internally-control safety method for information gateway-service support system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101355427A (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101515931B (en) * | 2009-03-24 | 2012-09-19 | 北京理工大学 | Method for enhancing the database security based on agent way |
CN103176987A (en) * | 2011-12-21 | 2013-06-26 | 中国电信股份有限公司 | Method and device for controlling database access |
CN103188255A (en) * | 2011-12-31 | 2013-07-03 | 北京市国路安信息技术有限公司 | Application proxy and security module separated network security protection method |
CN103023986A (en) * | 2012-11-27 | 2013-04-03 | 中国电信股份有限公司云计算分公司 | System and method for providing relational database management system (RDBMS) services for multiple users |
CN103023986B (en) * | 2012-11-27 | 2016-01-13 | 中国电信股份有限公司 | A kind of system and method providing RDBMS to serve to multi-user |
CN104135475A (en) * | 2014-07-18 | 2014-11-05 | 国家电网公司 | Safety protection method of electric power information for mobile Internet |
CN104135475B (en) * | 2014-07-18 | 2017-05-24 | 国家电网公司 | Safety protection method of electric power information for mobile Internet |
CN107370759A (en) * | 2017-08-30 | 2017-11-21 | 安徽天达网络科技有限公司 | A kind of network access control system based on IP lockings |
CN108288003A (en) * | 2017-12-29 | 2018-07-17 | 上海上讯信息技术股份有限公司 | A kind of Database Dynamic desensitization method and system based on more agency mechanisms |
CN109861983A (en) * | 2018-12-29 | 2019-06-07 | 视联动力信息技术股份有限公司 | Information processing method and device |
CN110457897A (en) * | 2019-07-17 | 2019-11-15 | 福建龙田网络科技有限公司 | A kind of database security detection method based on communication protocol and SQL syntax |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C12 | Rejection of a patent application after its publication |
RJ01 | Rejection of invention patent application after publication |
Open date: 20090128