CN113065136A - Host protection trusted computing system - Google Patents

Info

Publication number
CN113065136A
Authority
CN
China
Prior art keywords
server
security
trusted
trusted computing
computing system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110279770.4A
Other languages
Chinese (zh)
Other versions
CN113065136B (en)
Inventor
刘振辉
何超勋
吴金铭
朱琼宙
王柳佳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanwei Power Supply Bureau of Guangdong Power Grid Co Ltd
Original Assignee
Shanwei Power Supply Bureau of Guangdong Power Grid Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanwei Power Supply Bureau of Guangdong Power Grid Co Ltd
Priority to CN202110279770.4A
Publication of CN113065136A
Application granted
Publication of CN113065136B
Legal status: Active
Anticipated expiration

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31: User authentication
    • G06F21/34: User authentication involving the use of external additional devices, e.g. dongles or smart cards

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of host protection, in particular to a host protection trusted computing system comprising a network switch and at least one server, characterized in that: the network switch is connected to the server over Ethernet; a USB-KEY hardware module, serving as the root of trust of the system and as the unique identifier of the user's identity, is added to the server hardware platform; a server security agent that enforces the security policy is installed at the kernel layer of the server operating system; and the network switch is connected over Ethernet to a security management center. The system overcomes the shortcomings of the prior art: by deploying the security reinforcement software of the trusted computing security protection system on all servers, the security of the power information system during transmission is improved, remedying the existing deficiencies in its security.

Description

Host protection trusted computing system
Technical Field
The invention relates to the technical field of host protection, in particular to a host protection trusted computing system.
Background
Because of the particular nature of the power business, the construction of its information security assurance system must not only meet the requirements for safe and reliable operation of the system but also satisfy the relevant national and power-industry policies and requirements. The state attaches great importance to information security assurance, and the relevant national departments continually issue corresponding documents and requirements.
To ensure that the construction of the security assurance system of the power information system is advanced and standardized, the invention provides a host protection trusted computing system based on comprehensive and in-depth planning and design of the information security assurance system.
Disclosure of Invention
(I) Technical problem to be solved
In view of the shortcomings of the prior art, the invention provides a host protection trusted computing system which overcomes those shortcomings, has a simple structural design, and effectively addresses the problem of continuous and in-depth assurance of the security of the power information system.
(II) Technical scheme
To achieve this purpose, the invention is realized by the following technical scheme:
a host protection trusted computing system comprising a network switch and at least one server, characterized in that: the network switch is connected to the server over Ethernet; a USB-KEY hardware module, serving as the root of trust of the system and as the unique identifier of the user's identity, is added to the server hardware platform; a server security agent that enforces the security policy is installed at the kernel layer of the server operating system; and the network switch is connected over Ethernet to a security management center.
In a preferred embodiment of the invention, the server includes a data server, a mail server and a database server.
In a preferred technical scheme of the invention, the USB-KEY hardware module is a trusted protection functional module whose trusted computing functions include script program trust, trusted execution programs, network connection trust, process mandatory access control, file mandatory access control, software distribution management, registry mandatory access control, trusted removable media control and configuration trusted verification, among others; these functions are managed uniformly through a trusted management platform.
In a preferred technical scheme of the invention, the security management center comprises a security management center module and a trusted audit module.
In a preferred technical scheme of the invention, the host protection trusted computing system further includes a heat dissipation device comprising a liquid cooling unit and an air cooling unit; the two units may be used independently to cool the server or the network switch, or in combination.
In a preferred embodiment of the invention, a plurality of the servers and the network switch may be connected in parallel by lines.
In a preferred technical scheme of the invention, the security management center is connected to the network switch through a private network.
In a preferred technical scheme of the invention, the security management center is connected to the Ethernet through a firewall and a router.
(III) Beneficial effects
The embodiment of the invention provides a host protection trusted computing system with the following beneficial effects:
1. The security reinforcement software of the trusted computing security protection system is deployed on all servers. It comprises three parts: the security management center of the security reinforcement software, the security agent program of the security reinforcement software, and the USB-KEY for user identity authentication. This improves the security of the power information system during transmission and remedies the deficiencies in its security;
2. On the basis of a trusted user identity and trusted executable programs, the system restricts users and the behaviour of program processes by limiting programs and controlling user access, thereby establishing an active security defence mechanism for the server at three levels (identity, authority and security audit) and reducing the risk of the server being attacked;
3. The system provides a centralized server security control center deployed in a B/S (browser/server) architecture, supporting server baseline configuration, security policy backup and recovery, centralized issuing of security policies and other functions, which reduces repetitive work for administrators and greatly improves their security operation and maintenance efficiency;
4. The software provides a centralized server security control center deployed in a B/S architecture, supporting server baseline configuration, security policy backup and recovery, centralized issuing of security policies and other functions, which reduces repetitive work for administrators and greatly improves their security operation and maintenance efficiency.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention.
Fig. 1 is a schematic view of the overall connection structure of the present invention.
Detailed Description
The preferred embodiments of the present invention will hereinafter be described in conjunction with the appended drawings, it being understood that the preferred embodiments described herein are merely for the purpose of illustrating and explaining the present invention and are not intended to limit the present invention:
As shown in Fig. 1, the host protection trusted computing system includes a network switch and at least one server. The network switch and the server are connected over Ethernet; a USB-KEY hardware module, serving as the root of trust of the system and as the unique identifier of the user's identity, is added to the server hardware platform; a server security agent that enforces the security policy is installed at the kernel layer of the server operating system; and the network switch is connected over Ethernet to a security management center.
The server may be a data server, a mail server or a database server; supporting multiple server types gives the protection system a wide range of application.
The USB-KEY hardware module is a trusted protection functional module whose trusted computing functions include script program trust, trusted execution programs, network connection trust, process mandatory access control, file mandatory access control, software distribution management, registry mandatory access control, trusted removable media control and configuration trusted verification, among others; these functions are managed uniformly through a trusted management platform.
The user identity trust module provides user identity verification based on trusted computing: it binds the trusted verification device to both the user identity and the server, realizes two-factor authentication of the user identity, and supports locking after failed login authentication; it also supports locking after an idle timeout once the user has logged in, controls the user's login authority, and effectively prevents the server from being compromised through unauthorized authentication.
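The following is an added example, not code from the patent or its assignee, modelling the user identity trust module just described: a password first factor, a USB-KEY second factor bound to one user and one server, a lock after repeated login failures, and a lock after idle timeout. The class and function names, the HMAC challenge-response model of the USB-KEY, the policy constants and the sample account are all assumptions for illustration.

```python
# Added example (not from the patent): a small model of the user identity trust
# module. Names, the HMAC model of the USB-KEY, policy values and sample data are
# assumptions for illustration only.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict

MAX_FAILED_LOGINS = 3        # assumed policy: lock the account after 3 failures
IDLE_TIMEOUT_SECONDS = 600   # assumed policy: lock the session after 10 min idle


@dataclass
class Account:
    username: str
    password_hash: bytes
    token_serial: str        # serial of the USB-KEY bound to this user
    bound_server_id: str     # the one server this user/token binding is valid for
    failed_logins: int = 0
    locked: bool = False


@dataclass
class Session:
    username: str
    last_activity: float
    locked: bool = False


def hash_password(password: str, salt: bytes = b"constructed-salt") -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def token_response(token_secret: bytes, challenge: bytes) -> bytes:
    # The USB-KEY is modelled as a device that HMACs a server challenge with a
    # secret that never leaves the token; this is the second factor.
    return hmac.new(token_secret, challenge, hashlib.sha256).digest()


class AuthService:
    def __init__(self, server_id: str, accounts: Dict[str, Account],
                 token_secrets: Dict[str, bytes]) -> None:
        self.server_id = server_id
        self.accounts = accounts
        self.token_secrets = token_secrets   # what the verifier knows per token serial
        self.sessions: Dict[str, Session] = {}

    def login(self, username: str, password: str, token_serial: str,
              challenge: bytes, response: bytes, now: float) -> str:
        acct = self.accounts.get(username)
        if acct is None or acct.locked:
            return "denied"
        secret = self.token_secrets.get(token_serial)
        # Factor 1: password. Factor 2: the presented token must be the one bound
        # to this user, the binding must be for this server, and the token must
        # prove possession of its secret by answering the challenge.
        ok = (hmac.compare_digest(acct.password_hash, hash_password(password))
              and token_serial == acct.token_serial
              and acct.bound_server_id == self.server_id
              and secret is not None
              and hmac.compare_digest(response, token_response(secret, challenge)))
        if not ok:
            acct.failed_logins += 1
            if acct.failed_logins >= MAX_FAILED_LOGINS:
                acct.locked = True        # login-failure lockout
                return "locked"
            return "denied"
        acct.failed_logins = 0
        self.sessions[username] = Session(username, now)
        return "ok"

    def touch(self, username: str, now: float) -> str:
        # Called on each user action after login; enforces the idle-timeout lock.
        sess = self.sessions.get(username)
        if sess is None:
            return "no-session"
        if sess.locked or now - sess.last_activity > IDLE_TIMEOUT_SECONDS:
            sess.locked = True
            return "locked"
        sess.last_activity = now
        return "active"


def build_demo_service(server_id: str = "srv-01") -> AuthService:
    # Constructed sample data: one user whose token KEY-0001 is bound to "srv-01".
    accounts = {"alice": Account("alice", hash_password("correct horse"),
                                 "KEY-0001", "srv-01")}
    return AuthService(server_id, accounts, {"KEY-0001": b"token-secret-0001"})
```

Time is passed in explicitly so the lockout and idle-timeout paths can be exercised deterministically; in a deployed agent `now` would come from the clock and the token secret would be verified by the USB-KEY hardware rather than held by the server.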
Based on trusted computing technology, a trusted verification mechanism provides trusted measurement of executable programs, prevents unauthorized and unexpected programs from running, realizes active defence against known and unknown malicious code, and reduces the risk of damage to the integrity and availability of the operating system. It supports program installation control: a program installation interface is provided, application programs may be installed on the server only through that interface, and program installation behaviour is strictly controlled. These rules limit the ability of unauthorized users to install new applications and effectively counter the security threat to the server system posed by professionals who know the internal business, understand the technology and are able to program.
An active immune defence mechanism provides trusted verification of script execution programs, prevents them from running without authorization or unexpectedly, and realizes active defence against known and unknown malicious attacks.
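As an added example that is not part of the patent or its product, the following models the two preceding paragraphs together: trusted measurement of executable programs and scripts against a baseline, and a program installation interface that is the only way a program enters that baseline. The class and function names, the role check and the sample files are assumptions; a real agent enforces this at the kernel layer rather than in a user-space check.

```python
# Added example (not from the patent): execution program and script trusted
# measurement with a program installation interface. Names, the role check and
# the sample files are assumptions for illustration.
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List, Tuple


class TrustedExecutionPolicy:
    def __init__(self) -> None:
        self.baseline: Dict[str, str] = {}          # absolute path -> expected SHA-256
        self.log: List[Tuple[str, str, str]] = []   # (event, path, outcome) audit trail

    @staticmethod
    def measure(path: str) -> str:
        # Measurement = SHA-256 over the file contents, read in chunks.
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def install(self, path: str, requester_role: str) -> bool:
        # The program installation interface: the only way a program enters the
        # baseline. Only an administrator may use it (assumed role model).
        path = os.path.abspath(path)
        if requester_role != "admin":
            self.log.append(("install", path, "refused"))
            return False
        self.baseline[path] = self.measure(path)
        self.log.append(("install", path, "registered"))
        return True

    def may_execute(self, path: str) -> bool:
        # Executables and scripts are treated alike: unknown files never run, and
        # a known file runs only if its current measurement matches the baseline.
        path = os.path.abspath(path)
        expected = self.baseline.get(path)
        if expected is None:
            self.log.append(("exec", path, "blocked:unknown"))
            return False
        if not hmac.compare_digest(self.measure(path), expected):
            self.log.append(("exec", path, "blocked:modified"))
            return False
        self.log.append(("exec", path, "allowed"))
        return True


def demo() -> Dict[str, bool]:
    # Constructed sample files in a temporary directory: a registered binary, a
    # registered script that is later modified, and an unregistered dropped binary.
    results: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as d:
        service = os.path.join(d, "service.bin")
        script = os.path.join(d, "backup.sh")
        dropped = os.path.join(d, "dropped.bin")
        for p, body in ((service, b"\x7fELF constructed binary"),
                        (script, b"#!/bin/sh\ntar czf /backup/db.tgz /var/lib/db\n"),
                        (dropped, b"\x7fELF not registered")):
            with open(p, "wb") as f:
                f.write(body)
        policy = TrustedExecutionPolicy()
        results["install_by_operator"] = policy.install(service, "operator")
        results["install_by_admin"] = policy.install(service, "admin")
        policy.install(script, "admin")
        results["run_registered_binary"] = policy.may_execute(service)
        results["run_registered_script"] = policy.may_execute(script)
        results["run_unregistered_binary"] = policy.may_execute(dropped)
        with open(script, "ab") as f:           # the script is altered after install
            f.write(b"echo injected line\n")
        results["run_modified_script"] = policy.may_execute(script)
    return results
```

The baseline is keyed by absolute path and content hash, so both an unregistered program and a registered program whose contents changed after installation are refused, and every decision leaves an audit record.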
File mandatory access control implemented at the kernel layer is provided, effectively addressing the weak file access control of the operating system and the security risks posed by the operating system's superuser. The mechanism limits the access authority of a user or process (the subject) to system directories and files (the object) by granting read or write authority to the user or process; the authorities include read, read-write and deny, among others. Through file mandatory access control, tampering with or damage to important system files by an attacker is refused.
A service program is provided to partition the system into security process domains and file domains; it supports granting a process access authority to files according to the access requirements of the service, ensuring that protected files are not illegally accessed by other processes; at the same time, it supports setting the process's file access rights to the authorized files, enforcing that the process holds only reasonable service access rights.
A service program is provided to partition the system into security process domains and file domains; it supports granting a process access authority to files according to the access requirements of the service, ensuring that protected files are not illegally accessed by other processes; at the same time, it supports setting the process's file access rights to files other than the authorized files, enforcing that the process holds only reasonable service access rights. Even if a user, through misoperation or deception, grants execute authority to an attacking virus, the platform can prevent the virus from destroying key data by designating legitimate access processes for the data files, truly realizing 'cannot get in, cannot take it away, cannot change it'.
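The following added example, which is not the patent's or the product's own code, models the file mandatory access control and the process-domain / file-domain partitioning of the three preceding paragraphs: a subject is identified by the executable of its process, objects are matched to file domains by path prefix, a (process domain, file domain) rule grants read, read-write or deny, and a per-process-domain default governs files outside any protected file domain. Domain names, paths and rules are constructed for illustration.

```python
# Added example (not from the patent): a user-space model of kernel-layer file
# mandatory access control with process domains and file domains. Domain names,
# paths and rules are constructed for illustration.
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Perm(Enum):
    DENY = 0
    READ = 1
    READ_WRITE = 2


class FileMacPolicy:
    def __init__(self) -> None:
        self.process_domains: Dict[str, str] = {}       # executable path -> process domain
        self.file_domains: List[Tuple[str, str]] = []   # (path prefix, file domain)
        self.rules: Dict[Tuple[str, str], Perm] = {}    # (process domain, file domain) -> perm
        self.outside: Dict[str, Perm] = {}              # process domain -> perm on unprotected files

    def add_process_domain(self, domain: str, executables: List[str], outside: Perm) -> None:
        for exe in executables:
            self.process_domains[exe] = domain
        self.outside[domain] = outside

    def add_file_domain(self, domain: str, prefixes: List[str]) -> None:
        for p in prefixes:
            self.file_domains.append((p, domain))

    def allow(self, process_domain: str, file_domain: str, perm: Perm) -> None:
        self.rules[(process_domain, file_domain)] = perm

    def file_domain_of(self, path: str) -> Optional[str]:
        # Longest matching prefix wins; None means the file is in no protected domain.
        best: Optional[Tuple[str, str]] = None
        for prefix, domain in self.file_domains:
            if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
                best = (prefix, domain)
        return best[1] if best else None

    def check(self, executable: str, path: str, op: str) -> bool:
        # The subject is the executable of the process, not the user id, so a
        # superuser running an unknown program gains no extra rights here.
        pdom = self.process_domains.get(executable, "unassigned")
        fdom = self.file_domain_of(path)
        if fdom is None:
            perm = self.outside.get(pdom, Perm.READ)         # unprotected file
        else:
            perm = self.rules.get((pdom, fdom), Perm.DENY)   # protected: default deny
        if op == "read":
            return perm in (Perm.READ, Perm.READ_WRITE)
        if op == "write":
            return perm is Perm.READ_WRITE
        return False


def build_demo_policy() -> FileMacPolicy:
    # Constructed sample: a database service owns its data directory and may only
    # read configuration; an admin shell may edit configuration but is kept out of
    # the data directory; any unknown program is "unassigned".
    pol = FileMacPolicy()
    pol.add_process_domain("db_service", ["/usr/sbin/mysqld"], outside=Perm.READ)
    pol.add_process_domain("admin_shell", ["/bin/bash"], outside=Perm.READ_WRITE)
    pol.add_file_domain("db_data", ["/var/lib/db/"])
    pol.add_file_domain("system_config", ["/etc/"])
    pol.allow("db_service", "db_data", Perm.READ_WRITE)
    pol.allow("db_service", "system_config", Perm.READ)
    pol.allow("admin_shell", "system_config", Perm.READ_WRITE)
    return pol
```

Because a protected file domain defaults to deny for every process domain without an explicit rule, a dropped binary executed by a deceived user (the virus case in the text) cannot read or write the database files even when run as root, while the database service itself is held to read-write on its own data and read-only elsewhere.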
Registry entity behaviour control implemented at the kernel layer is provided and supports existing Windows Server versions; sensitive registry keys or values of the Windows system are protected from deletion or tampering; a registry maintenance interface is provided, and protected registry entries may be modified or deleted only through that interface; according to security requirements, registry protection strategies can be added in a user-defined manner, and mandatory protection strategies can be set for registry entries or values; and a security protection template for the Windows registry is provided, whose strategy protects the registry entries commonly used by malicious programs or attackers as well as the entries related to the safe operation of the system.
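As an added example that is not from the patent or the product, the following models the registry protection just described: a protection template of key prefixes, user-defined additions, and a maintenance interface that is the only permitted path for modifying or deleting a protected entry. The class and method names are assumptions, and the template contents are constructed for illustration (well-known Windows autostart and service keys) rather than the product's own template.

```python
# Added example (not from the patent): registry entry protection with a
# template, user-defined additions and a maintenance interface. Names and the
# template contents are constructed for illustration.
from typing import List, Set


class RegistryProtection:
    # Constructed template of entries to protect by default.
    TEMPLATE: List[str] = [
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        r"HKLM\SYSTEM\CurrentControlSet\Services",
        r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    ]

    def __init__(self, use_template: bool = True) -> None:
        self.protected: Set[str] = set(self.TEMPLATE) if use_template else set()
        self.audit: List[str] = []

    @staticmethod
    def _norm(key: str) -> str:
        # Registry paths are case-insensitive; strip a trailing backslash.
        return key.rstrip("\\").lower()

    def add_protection(self, key_prefix: str) -> None:
        # User-defined, mandatory protection for an additional key or value.
        self.protected.add(key_prefix)

    def is_protected(self, key: str) -> bool:
        # A key is protected if it equals a protected entry or lies beneath one.
        k = self._norm(key)
        return any(k == self._norm(p) or k.startswith(self._norm(p) + "\\")
                   for p in self.protected)

    def request(self, key: str, op: str, via_maintenance_interface: bool = False) -> bool:
        # op is "read", "modify" or "delete". Reads are never blocked; modifying
        # or deleting a protected entry succeeds only through the interface.
        if op == "read" or not self.is_protected(key):
            self.audit.append(f"allow {op} {key}")
            return True
        if via_maintenance_interface:
            self.audit.append(f"allow {op} {key} (maintenance interface)")
            return True
        self.audit.append(f"block {op} {key}")
        return False
```

Prefix matching is done on whole path components, so a sibling key whose name merely begins with a protected name is not swept in, and every decision is appended to an audit list for the audit module to collect.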
The security management center includes a security management center module and a trusted audit module; providing the two modules further improves the security of the system. The trusted audit module provides centralized audit of the operating system, covering user login information, file operation information, process control information, policy loading audit, removable storage audit, management center audit information and privilege supervision information, among others, so that the running state of the whole server operating system is known; it also provides audit query, audit reports and other functions.
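The following added example, not the product's own audit format or code, shows a centralized audit collector for the categories just listed with a query and a report function. The line format, field names and sample records from two servers are constructed for illustration.

```python
# Added example (not from the patent): centralized audit collection, query and
# reporting. Line format, field names and sample records are constructed.
import re
from collections import Counter
from typing import Dict, List

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) cat=(?P<cat>\S+) (?P<rest>.*)$")

# Constructed sample records from two reinforced servers, one per audit category
# named in the text (login, file, process, policy, usb, privilege).
SAMPLE_AUDIT = """\
2021-03-16T08:00:01 host=srv-01 cat=login user=alice result=ok
2021-03-16T08:00:09 host=srv-01 cat=file user=alice op=write path=/etc/hosts result=allow
2021-03-16T08:01:12 host=srv-02 cat=login user=bob result=fail
2021-03-16T08:01:20 host=srv-02 cat=login user=bob result=fail
2021-03-16T08:01:31 host=srv-02 cat=login user=bob result=fail
2021-03-16T08:02:00 host=srv-02 cat=process user=root exe=/tmp/dropped.bin result=block
2021-03-16T08:03:00 host=srv-01 cat=policy user=admin op=load policy=baseline-v3 result=ok
2021-03-16T08:04:00 host=srv-01 cat=usb user=alice serial=KEY-0001 result=allow
2021-03-16T08:05:00 host=srv-02 cat=privilege user=bob op=sudo result=block
this line is malformed and is skipped
"""


def parse(text: str) -> List[Dict[str, str]]:
    # Each well-formed line becomes a flat record of key=value fields.
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip malformed lines rather than fail
        rec = {"ts": m.group("ts"), "host": m.group("host"), "cat": m.group("cat")}
        for kv in m.group("rest").split():
            k, _, v = kv.partition("=")
            rec[k] = v
        records.append(rec)
    return records


def query(records: List[Dict[str, str]], **filters: str) -> List[Dict[str, str]]:
    # Audit query: every filter must match the record's field exactly.
    return [r for r in records if all(r.get(k) == v for k, v in filters.items())]


def report(records: List[Dict[str, str]]) -> Dict[str, object]:
    # Audit report: volume per category, blocked/failed events per host and
    # category, and failed logins per user.
    by_cat = Counter(r["cat"] for r in records)
    blocked = Counter((r["host"], r["cat"]) for r in records
                      if r.get("result") in ("block", "fail"))
    failed_logins = Counter(r.get("user", "?") for r in records
                            if r["cat"] == "login" and r.get("result") == "fail")
    return {"by_category": dict(by_cat), "blocked_by_host": dict(blocked),
            "failed_logins": dict(failed_logins)}
```

Run against the constructed sample, the report surfaces the three failed logins and the blocked process and privilege events on srv-02, which is the kind of cross-server view the centralized audit module is meant to give an administrator.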
The host protection trusted computing system further includes a heat dissipation device comprising a liquid cooling unit and an air cooling unit; the two units can be used independently to cool the server or the network switch, or in combination, and the service life of the heat dissipation device can be prolonged.
A plurality of servers and the network switch can be connected in parallel through lines; connecting multiple servers in parallel lets the security system protect a wider range.
The security management center is connected to the network switch through a private network, and the private network connection further improves the security of information transmission.
The security management center is connected to the Ethernet through a firewall and a router.
The working principle of the invention is as follows. First, trusted computing technology ensures that the users logging in to the server are trusted and that the programs run by the system are trusted, preventing impersonation of user identities and attacks by known or unknown viruses and trojans;
furthermore, access control technology ensures that the authority of IP addresses accessing the server, network traffic passing through the server, users logging in to the server, running system processes and the like is kept to a minimum, preventing unauthorized access by users and unauthorized operation of programs;
then, through various detection and data acquisition functions, the configuration of multiple host security baselines is checked in a user-defined manner; host asset information is tracked in real time; changes to the state attributes of key directories or registry entries are tracked, as is the strength of host passwords and FTP login passwords;
finally, through a unified management platform, unified management and unified configuration of the reinforced servers are realized, audit information is stored and analysed centrally, and the security of the whole information transmission system is improved.
Finally, it should be noted that: in the description of the present invention, it should be noted that the terms "vertical", "upper", "lower", "horizontal", and the like indicate orientations or positional relationships based on those shown in the drawings, and are only for convenience of describing the present invention and simplifying the description, but do not indicate or imply that the referred device or element must have a specific orientation, be constructed in a specific orientation, and be operated, and thus, should not be construed as limiting the present invention.
In the description of the present invention, it should also be noted that, unless otherwise explicitly specified or limited, the terms "disposed," "mounted," "connected," and "connected" are to be construed broadly and may, for example, be fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
Although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (7)

1. A host-protected trusted computing system comprising a network switch and at least one server, characterized in that: the network switch is connected with the server through Ethernet, a hardware module USB-KEY which is used as a trust root of a system and a unique identifier of a user identity is added on a server hardware platform, a server security agent for executing a security policy is installed on a server operating system kernel layer, and the network switch is connected with a security management center through Ethernet; the hardware module USB-KEY is a trusted protection functional module, the trusted protection functional module comprises trusted computing functions of script program trust, trusted execution program, network connection trust, process mandatory access control, file mandatory access, software distribution management, registry mandatory access control, trusted mobile medium control, configuration trusted verification and the like, and the functions are managed in a unified mode through a trusted management platform.
2. A host-protected trusted computing system as recited in claim 1, wherein: the server types include a data server, a mail server and a database server.
3. A host-protected trusted computing system as recited in claim 1, wherein: the security management center comprises a security management center module and a credible audit module.
4. A host-protected trusted computing system as recited in claim 1, wherein: the host-protected trusted computing system further comprises: a heat dissipation device comprising a liquid cooling heat dissipation unit and an air cooling heat dissipation unit, and the liquid cooling heat dissipation unit and the air cooling heat dissipation unit can be used independently to cool the server or the network switch and can also be used in a combined mode.
5. A host-protected trusted computing system as recited in claim 1, wherein: a plurality of the servers and the network switch can be connected in parallel through lines.
6. A host-protected trusted computing system as recited in claim 1, wherein: the security management center is connected with the network switch through a private network.
7. A host-protected trusted computing system as recited in claim 1, wherein: the security management center is connected with the Ethernet through a firewall and a router.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110279770.4A CN113065136B (en) 2021-03-16 2021-03-16 Host protection trusted computing system


Publications (2)

Publication Number Publication Date
CN113065136A true CN113065136A (en) 2021-07-02
CN113065136B CN113065136B (en) 2024-03-22

Family

ID=76560505

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110279770.4A Active CN113065136B (en) 2021-03-16 2021-03-16 Host protection trusted computing system

Country Status (1)

Country Link
CN (1) CN113065136B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113079160A (en) * 2021-04-01 2021-07-06 广州海晟科技有限公司 Safe host management system based on trusted computing

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101588360A (en) * 2009-07-03 2009-11-25 深圳市安络大成科技有限公司 Associated equipment and method for internal network security management
US7859571B1 (en) * 1999-08-12 2010-12-28 Honeywell Limited System and method for digital video management
CN102340500A (en) * 2011-07-13 2012-02-01 中国人民解放军海军计算技术研究所 Security management system and method of dependable computing platform
CN106326699A (en) * 2016-08-25 2017-01-11 广东七洲科技股份有限公司 Method for reinforcing server based on file access control and progress access control
CN108243166A (en) * 2016-12-27 2018-07-03 航天信息股份有限公司 A kind of identity identifying method and system based on USBKey

Also Published As

Publication number Publication date
CN113065136B (en) 2024-03-22

Similar Documents

Publication Publication Date Title
CN106326699B (en) Server reinforcing method based on file access control and process access control
CN114978584A (en) Network security protection safety method and system based on unit cell
CN101534300B (en) System protection framework combining multi-access control mechanism and method thereof
CN105430000A (en) Cloud computing security management system
KR20050026624A (en) Integration security system and method of pc using secure policy network
CN113407949A (en) Information security monitoring system, method, equipment and storage medium
CN114418263A (en) A defense system for power monitoring device of thermal power plant
CN113709211A (en) Network terminal admission control method based on bypass control technology
CN113079160B (en) Safe host management system based on trusted computing
CN115314286A (en) Safety guarantee system
Rekik et al. A cyber-physical threat analysis for microgrids
Xu et al. Network security
CN113065136B (en) Host protection trusted computing system
Choon et al. Grid-based intrusion detection system
CN110086812B (en) Safe and controllable internal network safety patrol system and method
CN116015895A (en) Big data computer network safety protection system
CN111274620A (en) USB device management and control method based on Windows operating system
CN115766065A (en) Safety protection method, system, medium and equipment for electric power Internet of things system
Ke Network information security technology based on cloud computing environment
Choi IoT (Internet of Things) based Solution Trend Identification and Analysis Research
Deng et al. TNC-UTM: A holistic solution to secure enterprise networks
Ruha Cybersecurity of computer networks
Xing Research on Computer Network Security Vulnerabilities and Preventive Measures Based on Multi-Platform
Yan et al. RETRACTED: The realization of network security technology based on cloud computing environment
Jia et al. Research on Information Security Protection System of Intelligent Networked Vehicles under Computer Artificial Intelligence Technology

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant