CN100346610C - Security policy based network security management system and method - Google Patents

Security policy based network security management system and method

Publication number: CN100346610C
Authority: CN (China)
Application number: CNB2004100732114A
Other versions: CN1604541A
Original language: Chinese (zh)
Legal status: Expired - Fee Related
Inventors: 沈明峰, 李胜磊, 张勇, 王军
Original and current assignee: Individual
Prior art keywords: responsible, module, policy, network, strategy
Events: application CNB2004100732114A filed by Individual; publication of CN1604541A; application granted; publication of CN100346610C; expired - fee related

Classification:
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
Abstract

The present invention discloses a network security management system based on security policy, and a corresponding method. The system comprises a system support platform, a policy management center, policy enforcement points and a log server. In the method, the targets that need protection are first defined; the policy is then published through the system support platform to the policy enforcement points on the target devices and systems; after the policy enforcement points execute the policy, the results are reported to the log server. The system allows security to be planned and deployed uniformly across a network, which raises overall security; at the same time it not only blocks external and internal attacks but also prevents the leakage of sensitive information.

Description

Network security management system and method based on security policy
Technical field
The invention belongs to the field of network security control technology, and in particular to a network security management system and method based on security policy.
Background technology
To address ever-increasing network security problems, a number of technologies have been adopted, such as firewalls, intrusion detection, virtual private networks, anti-virus protection and vulnerability scanning. These technologies can guarantee network security to a certain extent, but they also have shortcomings, mainly the following:
They cannot stop attacks from inside the organization. Conventional security technologies are mostly oriented toward the organization's boundary and lack technical means for desktop security and internal network security.
They find it difficult to provide a comprehensive security solution. The security of a large network is a systems engineering problem that requires cooperation, support and coordination among multiple technical means, yet the ability of currently available security technologies to work together is very poor. Further, the technical means should complement one another, both in function and in hierarchical structure.
They cannot provide effective centralized security management. The security of a large network should be centrally managed under policy and planned uniformly, and the organization's security administrator should be able to ensure that the security policy is enforced in every corner; conventional security technologies are managed in a distributed way and are hard to bring under centralized management and unified planning.
Blurring network boundaries open new dangerous channels. Taking the firewall as an example, a traditional firewall's operation depends on a well-defined network boundary. With the spread of wireless networks, mobile networks, mobile computing and virtual private networks, the network boundary gradually blurs, so traditional access control can no longer play its full part.
They cannot leave the existing network environment unchanged. Nearly all traditional network security solutions require transforming the user's original network environment, and rebuilding the network and learning new technology consume a great deal of manpower and material resources.
They are expensive. Deploying conventional technical means basically requires transforming the original network environment and structure and purchasing special equipment or systems, so implementation cost is high. Maintaining, managing and using the systems demands a high level of security training, which increases personnel cost and reduces the efficiency of core business.
They cannot avoid the impact of security equipment at the network boundary on network performance. Large networks demand a great deal of bandwidth, and bandwidth keeps growing. Traditional boundary-type security technology (such as a firewall) relies on one (or several) security devices to guarantee the security of thousands of nodes in the network, so the device easily becomes the performance bottleneck of the whole network. In addition, boundary-type security technology tends to become a single point of failure that affects the availability of the whole network.
They cannot effectively prevent attacks launched from inside toward the outside. Traditional security measures mainly prevent attacks from outside on the inside; when someone inside the organization launches an attack outward and it is traced back, the damage to the organization's image is great.
Summary of the invention
The object of the invention is to provide, through centralized design, control and management of security policy, a network security management system that realizes unified customization, distribution, management and control of security policy in a network environment, together with collaborative early warning and rapid location of security incidents, so as to protect both the network and the host systems, to prevent the leakage of sensitive information, to better block internal and external attacks, and to reduce the high management cost that customers must pay to ensure security.
Another object of the present invention is to provide a network security management method.
The objects of the present invention are realized as follows.
A network security management system based on security policy comprises:
---a system support platform, installed in the network to be protected as the server of the management system, responsible for authenticating and authorizing the policy enforcement points and policy management centers in the network it administers, for publishing and storing security policies, for discovering vulnerabilities of legal hosts in the network, and for discovering illegal hosts connecting to the network;
---a policy management center, responsible for managing the security of the administered network, for defining security policies, and for designating where each security policy applies;
---policy enforcement points, installed on the systems and devices to be protected, responsible for downloading and executing policies and for protecting the devices and systems on which they reside;
---a log server, responsible for collecting and aggregating log information so that centralized auditing and incident tracing can be performed.
The system support platform has the following functional modules:
The distributed coordination module is responsible for the back-end support of the distributed management of the system, and for information exchange and command parsing among the system support platforms at each level;
The administration module is responsible for receiving and processing commands from the policy management center and for calling the other modules to carry them out;
The authentication module is responsible for authenticating and authorizing the policy management centers, policy enforcement points and lower-level system support platforms within its jurisdiction;
The endpoint (line) module is responsible for interacting with the policy enforcement points, managing each item of information about them, and feeding this information back to the other modules;
The linkage module is responsible for interaction between this system and other products, forming a coordinated defence with them;
The configuration module is responsible for the configuration of this system and for back-end storage and querying of data;
The communication encryption module is responsible for encrypting, decrypting and classifying communication data, ensuring the security of communication data;
The vulnerability scanning module is responsible for scanning legal hosts for existing vulnerabilities;
The illegal external connection discovery module is responsible for discovering illegal hosts connecting to the network.
The policy management center has the following functional modules:
The human-machine interface module is responsible for interacting with the administrator, realizing human-machine interaction and providing the administration interface;
The permission control module is responsible for restricting administrators' permissions; different administrators have different configuration and administration rights;
The query module is responsible for responding to log query and configuration retrieval commands and returning the results;
The configuration module is responsible for responding to each configuration operation and notifying the system support platform of configuration changes;
The remote monitoring module is responsible for responding to the administrator's monitoring commands and returning the results;
The login authentication module is responsible for carrying out the administrator's authentication request and returning the result after interacting with the system support platform;
The log management module is responsible for the routine operations related to logs;
The communication encryption module is responsible for encrypting, decrypting and classifying communication data, ensuring the security of communication data.
Each policy enforcement point comprises one policy download engine and N policy execution engines, N ≥ 1.
The policy download engine is responsible for downloading policies and configuring the local environment; it comprises the following modules:
The human-machine interface module, responsible for interacting with the local user and providing an administration interface;
The user management module, responsible for local user management, responding to configuration and query operations and returning the results;
The login authentication module, responsible for interacting with the system support platform to authenticate;
The log management module, responsible for unified management of local logs and for saving them to the remote database in cooperation with the log server;
The policy local management module, responsible for local storage and updating of policies;
The local communication module, responsible for interacting with the policy execution engines and transmitting policies and logs;
The communication encryption module, responsible for encrypting, decrypting and classifying network communication data, ensuring the security of communication data.
A policy execution engine is responsible for executing policies and protecting the system and device on which it resides; it comprises the following modules:
The policy local execution module, responsible for executing policies and returning responses;
The policy parsing module, responsible for parsing policies;
The local communication module, responsible for communicating with the policy download engine and transmitting policies and logs.
The log server has the following functional modules:
The log analysis module is responsible for analyzing and storing the received logs;
The alarm module is responsible for processing logs according to the alarm classification;
The communication encryption module is responsible for encrypting, decrypting and classifying communication data, ensuring the security of communication data.
The system support platform supports multi-level distributed deployment. When deployed in a large-scale network, the system support platforms can be divided into N levels (N ≥ 1) according to the size of the network and the management level to which they belong. An administration relation exists between platforms at different levels: the first level manages the second level and those below it, the second level manages the third level and those below it, and so on. Each system support platform works independently and can also cooperate with the other system support platforms.
The network security management system based on security policy can be linked with other security products and network products to achieve joint defence, including linkage with firewalls, anti-virus, vulnerability scanning, intrusion detection and network devices.
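The multi-level SSP deployment described above, together with the command forwarding in the SSP's monitoring step and the failover described in step 1 of the method section (a failed platform's tasks pass to a superior or to a platform at the same level), can be modelled as a small tree. The following is an added illustration, not the patent's own code; the class and function names (`Platform`, `route_to`, `takeover_for`) and the choice to try peers before the superior are assumptions.

```python
"""Multi-level deployment of system support platforms (SSPs): a first-level
platform administers the second level and everything below it, and so on.
Commands from the policy management center are executed locally or forwarded
down the administration chain, and a failed platform's work is taken over by a
peer or a superior.  Added illustration; the class and function names are
assumptions, not the patent's own code."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Platform:
    name: str
    level: int                              # 1 = top level, 2 = second level, ...
    parent: Optional["Platform"] = None
    children: List["Platform"] = field(default_factory=list)
    alive: bool = True

    def add_child(self, child: "Platform") -> "Platform":
        # A subordinate always sits exactly one level below its superior.
        if child.level != self.level + 1:
            raise ValueError("child must be one level below its parent")
        child.parent = self
        self.children.append(child)
        return child

    def administers(self, other: "Platform") -> bool:
        """True if `other` lies anywhere in this platform's subtree."""
        node = other.parent
        while node is not None:
            if node is self:
                return True
            node = node.parent
        return False

    def route_to(self, target: "Platform") -> List[str]:
        """Hop list for forwarding a command from here down to `target`;
        empty when the target is not administered by this platform."""
        if target is self:
            return [self.name]
        if not self.administers(target):
            return []
        hops, node = [], target
        while node is not self:
            hops.append(node.name)
            node = node.parent
        hops.append(self.name)
        return hops[::-1]

    def peers(self) -> List["Platform"]:
        """Same-level platforms under the same superior."""
        if self.parent is None:
            return []
        return [p for p in self.parent.children if p is not self]


def takeover_for(failed: Platform) -> Optional[Platform]:
    """Choose who takes over a failed platform's tasks.  The text allows a
    superior or a same-level platform; trying peers first is an assumption."""
    for peer in failed.peers():
        if peer.alive:
            return peer
    node = failed.parent
    while node is not None:
        if node.alive:
            return node
        node = node.parent
    return None


def build_demo_hierarchy() -> dict:
    """Constructed three-level deployment used for the demonstration."""
    hq = Platform("hq", 1)
    east = hq.add_child(Platform("east", 2))
    west = hq.add_child(Platform("west", 2))
    east_a = east.add_child(Platform("east-a", 3))
    east_b = east.add_child(Platform("east-b", 3))
    return {p.name: p for p in (hq, east, west, east_a, east_b)}


if __name__ == "__main__":
    h = build_demo_hierarchy()
    print("route hq -> east-a:", h["hq"].route_to(h["east-a"]))
    h["east"].alive = False
    print("east fails, taken over by:", takeover_for(h["east"]).name)
```

`administers` is the check an SSP would make before forwarding a command: a platform must only relay to targets inside its own jurisdiction, which is also what keeps a compromised or misconfigured lower-level platform from issuing commands upward.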
A network security management method based on security policy: a security policy is a definition of the targets to be protected and the methods of protecting them, and the method is realized through the definition, publication and operation of security policies. It comprises the following steps:
1. define the security policy in the policy management center and set the targets that need protection;
2. publish the policy through the system support platform to the policy enforcement points on the target devices and systems;
3. after the policy enforcement points execute the policy, notify the log server of the results.
The security policy in step 1 above is divided into: firewall policy set, application security, mail protection, Web protection, permission protection, intrusion detection, advanced policy, system monitoring, anti-denial-of-service attack, data backup and restoration, encryption and secure transmission.
The security management control system of the present invention adopts the concept of integrated network security defence, follows the P2DR security model, applies the theory and technology of integrated defence, supports a distributed architecture, and can protect end users' hosts, all kinds of network service devices, network devices and security devices.
The network security management system based on security policy is an integrated defence system: by combining a management method based on security policy, a unified security control and management platform and a distributed architecture, multiple security technologies such as security authentication, information auditing, intrusion detection, access control and data protection are built into one powerful security management control system.
Effects of the invention
1. The network security management system based on security policy can realize unified planning and deployment of security in a network, thereby improving overall security.
2. Security functions: the present invention both blocks attacks from outside or inside and prevents the leakage of sensitive information. The network security management system based on security policy provides richer functions than other security systems (as shown in Table 1):
Table 1. Function comparison of this system with other systems
Columns: Function point | Firewall | Intrusion detection | Backup and recovery | VPN | Anti-virus | Vulnerability scanning | Information filtering | Authentication | Security policy management system
(Each Y marks a product that provides the function; the column positions of the marks were not preserved.)
Authentication: Y Y
Access control: Y Y
Intrusion detection: Y Y Y
System monitoring: Y
Anti-DoS: Y Y Y
Web filtering: Y Y
Operating system protection: Y
Hardware restriction: Y
Vulnerability scanning: Y Y
Illegal external connection discovery: Y
Mail protection: Y Y Y
Application program protection: Y
Data restoration and protection: Y Y
Encrypted transmission: Y Y
Anti-virus: Y; the system itself can resist network worms, and can be linked with anti-virus products and extended
3. Prevention of large-scale network viruses
The network security management system based on security policy can ensure that the network effectively guards against the network worms that appeared in the last two years, such as Sasser and Blaster. By applying policy sets such as firewall policies and operating system patch policies, the security of all hosts in the network can be raised to a level sufficient to guard against a new large-scale virus before it appears. Thus even if some hosts are infected by a network worm, it cannot spread to other hosts.
4. Reduced cost of security construction
From a cost perspective, the explicit cost of building security mainly comprises equipment cost and staff training cost; in addition there are large hidden costs, for example the administrator's labor cost, the cost of information loss, the cost of changing the network structure and the administrator's maintenance cost.
The equipment purchase cost of adopting the network security management system based on security policy is about 1/2 of the cost of adopting a conventional security solution;
the network security management system based on security policy also greatly reduces the customer's hidden costs (as shown in Table 2).
Table 2. Comparison of hidden costs
Item | Network security management system based on security policy | Conventional security solution
Administrator labor cost | Only a single administrator is needed | Different devices may need different administrators
Information loss cost | Prevents unauthorized access and attacks from both outside and inside | Can only prevent unauthorized access and attacks from outside
Network structure change cost | No change to the network structure is needed | The network structure usually needs to be changed
Administrator's regular maintenance cost | Very little; remote maintenance is possible | On-site maintenance cost is very high
5. Effective adaptation to changes in user location
The network security management system based on security policy can effectively adapt to changes in user location. Wherever the user's host connects to the network, and whichever host in the network the user uses, consistent security protection is obtained, free of the restriction that conventional security solutions impose on the network access point.
Description of drawings
Fig. 1: internal structure diagram of the system support platform
Fig. 2: system support platform initialization steps
Fig. 3: internal structure diagram of the policy management center
Fig. 4: policy management center initialization steps
Fig. 5: internal structure diagram of a policy enforcement point
Fig. 6: internal structure diagram of the policy download engine
Fig. 7: internal structure diagram of the policy execution engine
Fig. 8: policy enforcement point initialization steps
Fig. 9: internal structure diagram of the log server
Fig. 10: log server initialization steps
Fig. 11: schematic diagram of linkage with a firewall
Fig. 12: schematic diagram of linkage with vulnerability scanning
Fig. 13: schematic diagram of linkage with intrusion detection
Fig. 14: schematic diagram of linkage with network products
Fig. 15: user management hierarchy diagram
Fig. 16: schematic diagram of policy execution
Fig. 17: schematic diagram of an actual deployment
The invention is further described below with reference to the drawings.
The present invention realizes, for users of all sizes, the protection of important information and IT systems and the unified security management of information assets. It protects both the network and the host systems, prevents the leakage of sensitive information, and better blocks internal and external attacks.
One. The present invention consists of four parts: the system support platform (SSP), the policy management center (PMC), the policy enforcement point (PEP) and the log server. The working mechanism of each part is as follows:
System support platform (SSP): responsible for the back-end support of the system's authentication and authorization, log management and policy management; for collecting the security information and management information of the network system and host systems; and for publishing and storing policies. It supports distributed multi-level deployment and can be applied to large-scale network environments. Fig. 1 is the internal structure diagram of the system support platform.
Working mechanism of the system support platform
Initialization step:
As shown in Fig. 2, first install the system support platforms in the management domains, initialize the management domain of each platform and the relations between them, and start the platforms at each level.
Authentication step:
1. receive connection requests from the PMC and the PEPs;
2. receive authentication requests from the PMC and the PEPs, verify them, and return success or failure;
3. on failure, disconnect the connection.
Configuration step:
1. the SSP receives a configuration request from the PMC;
2. it performs the configuration update and forwards the configuration request as required;
3. it returns the success or failure of the configuration update to the PMC.
Monitoring or command step:
1. the SSP receives a command request from the PMC;
2. according to the target object of the command, it executes the command locally or forwards the command request to another SSP or a PEP;
3. it receives the execution result and forwards it to the PMC.
Information collection and query step:
Periodically collect all information (including: network devices, PEPs, PSP), and maintain the communication and state information between the levels.
Policy management center (PMC): responsible for organization management, user management, policy definition and application, system monitoring, system settings, log query and report analysis, providing a unified management platform. Fig. 3 is the internal structure diagram of the policy management center.
Working mechanism of the policy management center
Initialization step:
As shown in Fig. 4, install the policy management center and configure the system support platform and the management domains it can manage; one system support platform corresponds to one or more management domains, and domains may contain one another. Define the administrators at each level, including system administrators, domain administrators, operators, auditors, approvers and the other administrator roles of each level. Define the network devices and target users to be managed or to work in coordination.
Login step:
1. the administrator enters the administrator account information;
2. the PMC establishes a network connection to the system support platform and sends an authentication request;
3. the system support platform authenticates the administrator according to the administrator's jurisdiction;
4. after the system support platform's verification passes, the login enters the management system and reads the current configuration; otherwise the login process ends.
Configuration step:
1. define and configure the organizations and user groups in the management domain, define and configure the administrators at each level, and define and configure each network device;
2. distribute the configuration to the system support platform, which returns success or failure after verification.
Monitoring and command step:
1. send a monitoring instruction or special command to the SSP (the target object can be an SSP or a PEP);
2. receive the monitoring content or execution result returned by the SSP.
Logout step:
1. the PMC sends a deregistration request to the SSP;
2. the PMC disconnects its connection to the SSP.
Policy enforcement point (PEP): runs the policy execution engines, is responsible for protecting the security of host systems, servers and network devices, executes the customized security policies, and gathers the system's security information and logs. Policy enforcement points are deployed on the hosts, servers and network devices to be protected. Their internal structure is shown in Fig. 5, Fig. 6 and Fig. 7.
The working mechanism comprises:
Initialization step:
As shown in Fig. 8, install the policy enforcement point on the device to be protected and set the relevant parameters of the monitoring devices required.
Registration step:
1. enter the user account information and the login domain;
2. establish a network connection to the system support platform of that domain and send an authentication request;
3. update the user information on the SSP.
Login step:
1. enter the user account information and the login domain;
2. establish a network connection to the system support platform of that domain and send an authentication request (if the network fails, switch to the standby system support platform);
3. the system support platform authenticates the user;
4. after the system support platform's verification passes, download and execute the policy.
Monitoring and command step:
1. receive the commands and monitoring requests forwarded by the SSP;
2. execute the command locally and return the result to that SSP.
Logout step:
1. send a deregistration request to the SSP;
2. stop communicating with the SSP.
Log server: responsible for collecting and aggregating log information so that centralized auditing and incident tracing can be performed (as shown in Fig. 9).
The working mechanism comprises:
Initialization procedure:
As shown in Fig. 10, install the database system and the log server, configure the connection and communication mode between the log server and the database system (ODBC, ADO, DAO, OLEDB or the database system's own mode), and start the log server.
Log collection:
The log server collects the log information of each part and records it in the database, and sends alarm messages for the logs that require an alarm.
Network communication protocols of the present invention: the policy login protocol between the SSP and the PEPs is based on TCP/IP, communication between the SSP and the PEPs also uses UDP/IP, and the policy management protocol between the SSP and the PMC is based on TCP/IP. Because there are many users, both TCP and UDP can be used between the SSP and the PEPs for scalability: the heartbeat mechanism is generally realized with UDP and login with TCP. Linkage between the SSP and other devices uses TCP/IP.
The present invention can be linked with other security products to achieve joint defence. The network security management system based on security policy supports linkage with a variety of existing security devices, including the following:
Linkage with a firewall
As shown in Fig. 11, linkage between the network security management system based on security policy and a firewall can ensure that only hosts under security protection can access specific resources.
1. the policy enforcement point applies to the system support platform for authentication;
2. after authentication succeeds, the system support platform notifies the firewall of the user's IP address;
3. the firewall decides whether to let the user pass according to the notification from the system support platform.
Notification between the system support platform and the firewall can use the following mechanisms:
1. immediate active notification: as soon as the system support platform finds that the set of authenticated users has changed, it notifies the firewall;
2. periodic notification: the system support platform notifies the firewall at fixed intervals;
3. active query: as soon as the firewall sees an access request from a new IP address, it queries the system support platform.
Linkage with anti-virus
Using the remote virus-database upgrade function of the network security management system based on security policy, automatic mandatory upgrades of anti-virus clients can be realized.
Linkage with vulnerability scanning
Fig. 12 shows linkage with vulnerability scanning.
Linkage between the network security management system based on security policy and vulnerability scanning ensures that the system support platform deploys effective policies to the policy enforcement points.
1. the vulnerability scanner probes the protected hosts (policy enforcement points) for vulnerabilities;
2. it notifies the system support platform of the results (risk class and vulnerability type);
3. the system support platform formulates corresponding policies accordingly and applies them to the policy enforcement points.
Linkage with intrusion detection
As shown in Fig. 13, linkage between the network security management system based on security policy and intrusion detection ensures that security incidents are responded to in time and prevented from deteriorating further.
1. the intrusion detection system reports the detected security incidents to the system support platform;
2. according to the detected content, the system support platform can adopt different policies: if the source of the incident is an authenticated policy enforcement point, the policy forbids the related operations of that policy enforcement point; if the source of the incident is not a currently authenticated policy enforcement point, the policy notifies the relevant policy enforcement points to take corresponding protective and precautionary measures against the malicious behaviour of that source.
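The decision in step 2 of the intrusion detection linkage turns on one question: is the incident's source one of the SSP's currently authenticated PEPs? The following added example (not the patent's own code) encodes that branch; `IdsLinkage`, the action kinds and the rule for which PEPs are "relevant" (the target if it is a PEP, otherwise all authenticated PEPs) are assumptions, and the incidents are constructed sample data.

```python
"""Intrusion-detection linkage decision at the system support platform (SSP):
an incident whose source is an authenticated policy enforcement point (PEP)
results in that PEP's related operation being forbidden; an incident from any
other source results in the relevant PEPs being told to protect themselves
against it.  Added illustration; names and the "relevant PEP" rule are
assumptions, not the patent's own code."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Incident:
    source_ip: str
    operation: str      # what the IDS saw the source doing, e.g. "smb", "http"
    target_ip: str


@dataclass(frozen=True)
class Action:
    kind: str           # "forbid_operation" or "protect_against_source"
    pep: str            # identifier of the PEP the action is sent to
    detail: str


class IdsLinkage:
    def __init__(self) -> None:
        # ip -> PEP id for PEPs that currently hold a valid authentication
        self.authenticated: Dict[str, str] = {}

    def pep_authenticated(self, ip: str, pep_id: str) -> None:
        self.authenticated[ip] = pep_id

    def pep_logged_out(self, ip: str) -> None:
        self.authenticated.pop(ip, None)

    def handle(self, inc: Incident) -> List[Action]:
        """Map one IDS report to the policy actions the SSP issues."""
        src_pep = self.authenticated.get(inc.source_ip)
        if src_pep is not None:
            # The source is one of our own authenticated PEPs: the policy
            # forbids that PEP's related operation (contain the misbehaving host).
            return [Action("forbid_operation", src_pep,
                           f"forbid {inc.operation} from {inc.source_ip}")]
        # The source is not a currently authenticated PEP: tell the relevant
        # PEPs to protect themselves against it.  "Relevant" is an assumption:
        # the target if it is a PEP, otherwise every authenticated PEP.
        if inc.target_ip in self.authenticated:
            targets = [self.authenticated[inc.target_ip]]
        else:
            targets = sorted(set(self.authenticated.values()))
        return [Action("protect_against_source", pep,
                       f"block {inc.operation} from {inc.source_ip}")
                for pep in targets]


def demo() -> List[List[Action]]:
    """Constructed scenario: two authenticated PEPs and three IDS reports."""
    link = IdsLinkage()
    link.pep_authenticated("10.0.0.5", "pep-05")
    link.pep_authenticated("10.0.0.9", "pep-09")
    inside = Incident("10.0.0.5", "smb", "10.0.0.9")       # from an authenticated PEP
    outside = Incident("203.0.113.7", "http", "10.0.0.9")  # unknown source, PEP target
    broad = Incident("203.0.113.7", "http", "10.0.0.50")   # unknown source, non-PEP target
    return [link.handle(inside), link.handle(outside), link.handle(broad)]


if __name__ == "__main__":
    for actions in demo():
        print(actions)
```

The authenticated set is the same one the firewall linkage relies on, so a logout or a failed heartbeat that removes a PEP from it changes which branch a later incident takes; a real implementation should treat that set as authoritative state on the SSP rather than something the IDS reports.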
Linkage with network products
As shown in Fig. 14, linkage between the network security management system based on security policy and network products can ensure that only hosts under security protection can access specific resources.
1. the policy enforcement point applies to the system support platform for authentication;
2. after authentication succeeds, the system support platform notifies the network product of the user's IP address;
3. the network product decides whether to let the user pass according to the notification from the system support platform.
Notification between the system support platform and the network product can use the following mechanisms:
1. immediate active notification: as soon as the system support platform finds that the set of authenticated users has changed, it notifies the network product;
2. periodic notification: the system support platform notifies the network product at fixed intervals;
3. active query: as soon as the network product sees an access request from a new IP address, it queries the system support platform.
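The firewall linkage (Fig. 11) and the network product linkage (Fig. 14) share the same three steps and the same three notification mechanisms, so one model serves both. The following added example (not the patent's own code) keeps the SSP's set of authenticated user IPs and feeds it to an enforcing device in push, periodic and pull mode; the class names `Ssp` and `Enforcer`, the in-memory allowlist standing in for real firewall rules, and the sample logins are all constructed assumptions.

```python
"""Linkage between the system support platform (SSP) and an enforcing device
(firewall or network product): after a PEP authenticates, the SSP tells the
device the user's IP address, and the device lets only such addresses reach
the protected resource.  The three notification mechanisms of the text are
modelled: push on every change of the authenticated set, periodic full push,
and pull, where the device queries the SSP when it sees a new address.
Added illustration, not the patent's own code; names are assumptions and the
device is an in-memory allowlist standing in for real firewall rules."""
from typing import Dict, List, Set


class Enforcer:
    """Firewall or network product holding the allowlist of authenticated IPs."""

    def __init__(self, ssp: "Ssp", mode: str) -> None:
        if mode not in ("push", "periodic", "pull"):
            raise ValueError("mode must be push, periodic or pull")
        self.ssp, self.mode = ssp, mode
        self.allowed: Set[str] = set()

    def replace_allowlist(self, ips: Set[str]) -> None:
        self.allowed = set(ips)

    def permits(self, ip: str) -> bool:
        """Decide an access request from `ip` according to the notification mode."""
        if self.mode == "pull" and ip not in self.allowed and self.ssp.is_authenticated(ip):
            self.allowed.add(ip)          # cache the SSP's answer for this address
        return ip in self.allowed


class Ssp:
    def __init__(self) -> None:
        self.authenticated: Dict[str, str] = {}      # ip -> user name
        self.devices: List[Enforcer] = []

    def attach(self, device: Enforcer) -> None:
        self.devices.append(device)

    def is_authenticated(self, ip: str) -> bool:
        return ip in self.authenticated

    def _push_if_changed(self) -> None:
        # Mechanism 1: notify push-mode devices as soon as the set changes.
        for d in self.devices:
            if d.mode == "push":
                d.replace_allowlist(set(self.authenticated))

    def login(self, ip: str, user: str, ok: bool) -> None:
        """Record a PEP authentication result; only successes enter the set."""
        if ok:
            self.authenticated[ip] = user
            self._push_if_changed()

    def logout(self, ip: str) -> None:
        if self.authenticated.pop(ip, None) is not None:
            self._push_if_changed()

    def periodic_tick(self) -> None:
        """Mechanism 2: timer-driven full refresh for periodic-mode devices."""
        for d in self.devices:
            if d.mode == "periodic":
                d.replace_allowlist(set(self.authenticated))


def demo() -> Dict[str, Dict[str, bool]]:
    """Constructed scenario: one SSP feeding one device per notification mode."""
    ssp = Ssp()
    devices = {m: Enforcer(ssp, m) for m in ("push", "periodic", "pull")}
    for d in devices.values():
        ssp.attach(d)

    def decisions(ip: str) -> Dict[str, bool]:
        return {m: d.permits(ip) for m, d in devices.items()}

    ssp.login("10.0.0.5", "alice", ok=True)
    ssp.login("10.0.0.6", "mallory", ok=False)       # failed authentication
    out = {"failed_login": decisions("10.0.0.6"),
           "before_tick": decisions("10.0.0.5")}
    ssp.periodic_tick()
    out["after_tick"] = decisions("10.0.0.5")
    ssp.logout("10.0.0.5")
    out["after_logout"] = decisions("10.0.0.5")      # stale entries until refresh
    return out


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

The `after_logout` row is the point a practitioner should check: only the push mode closes the address immediately, while the periodic device keeps permitting it until the next tick and the pull device until its cache entry is expired, so deployments using mechanisms 2 or 3 need a refresh interval or cache lifetime matched to how long a stale permit is acceptable.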
The present invention adopts a multi-level, extensible user management system (domain - organization - user) and supports multi-layer domain and organization structures, as shown in Fig. 15. Each domain can have its own administrators, and four administrator levels (system administrator, domain administrator, domain operator, auditor) are supported according to their permissions. Multiple domains can be deployed on one SSP, or a domain can be deployed independently on its own SSP. The hierarchical management of domains is realized by the levels of the SSPs.
2. The security-policy-based network security management method of the present invention adopts a distributed multi-level management system, in which each part has a certain independence of its own while complementing the others, so that together they form a complete, integrated defence system. The method comprises the following steps:
1. First deploy and install the system support platform. The system support platform supports multi-level distributed deployment and can be matched to the actual management structure of the network. In a multi-level management structure, the system support platforms are divided into levels (first level, second level, third level, ...) according to their management level, and there is an administrative relation between platforms at different levels: the first level manages the second level and below, the second level manages the third level and below, and so on. Platforms at the same level can be defined to work cooperatively or independently, so deployment is very flexible. Platforms at the same level can also back each other up and support a failover mode: when a platform at some level fails, its tasks can be transferred to a superior platform or taken over by other platforms at the same level, which provides a strong recovery mechanism.
2. Define the security policy in the policy management center. The policy management center is deployed on platforms such as PCs, notebooks and workstations, and configures and manages the whole system: defining management domains, administrators' division of functions and powers, organizations and user groups, policies and policy sets; distributing policy sets; log query and report generation; user monitoring, network monitoring and system monitoring;
3. Publish the policy through the system support platform to the Policy Enforcement Points of the target devices and systems. Policy Enforcement Points are deployed on the hosts and/or devices that need protection and management, including PCs, notebooks, workstations, servers, network devices and security devices, and carry out the corresponding protection according to the default policies or user-defined rules and policies;
4. After execution, the system support platform, the policy management center and the Policy Enforcement Points report the results to the log server in the form of logs, and alarm messages are sent for logs that require an alarm.
The present invention is based on security policy. The security policy classifies security techniques scientifically according to protection purpose and method, and represents them abstractly in a unified way. Policy descriptions are written in XML. A policy is defined as follows:
A policy is divided into several parts: a basic part, conditions (Condition), actions (Action) and logging (Log). One policy can contain several Conditions and Actions.
To support multiple platforms, a policy is compiled into different formats before it is distributed to the different types of platform (some platforms also download the XML form directly and process it themselves). The compiled policy has a more compact form and occupies little storage space, which helps device platforms with low processing capability.
Several auxiliary classes are used to express policy conditions:
AppCondition: AppName, AppVersion, AppDigest, AppExePath, AppCreateTimestamp, AppSize, etc.
FwAclCondition: AclProto, AclLocalIp, AclRemoteIp, AclLocalPort, AclRemotePort, AclIcmpcode, etc.
TimeCondition: TimeMonthMask, TimeDayOfMonthMask, TimeDayOfWeekMask, TimeOfDayMask, etc.
A complex policy may have conditions that are subclasses of several of these classes. The most flexible policy condition is ExtCondition (an extensible policy condition), which is based on attribute/value pairs and has two attributes, prop and val.
Action is divided into Drop (discard), Reject (refuse), Pass (allow) and Skip (ignore).
Log is divided according to level:
Rank  English keyword  Abbreviation  Meaning             Description
0     Emergency        Emerg         Emergency message   May cause a system crash
1     Alert            Alert         Alert message       Serious error that must be handled immediately
2     Critical         Crit          Critical error      Critical error
3     Error            Error         Error message       General error
4     Warning          Warn          Warning message     Warning message
5     Notification     Notice        Notice message      Important information
6     Informational    Info          Information         General information
7     None             None          No log              No log is produced
Policies can be divided into groups, and the basic format of each group is as follows:
    PolicyGroup{
        PolGroupName=POLICYGROUPNAME;
        PolGroupVersion=POLICYGROUPVERSION;
        PolGroupPriority=POLICYGROUPPRIORITY;
        Policy{
            pid=PID;
            PolPriority=POLICYPRIORITY;
            XXXCondition{};...
            Action{
                actionType=ACTIONTYPE;
                actionParam=ACTIONPARAMETER;
            };
        };
        Policy{...};
    };
Below is a demonstration of a cached policy group:
    PolicyGroup{
        PolGroupName="PG1";
        PolGroupVersion=10;
        PolGroupPriority=20;
        Policy{
            pid=185439;
            PolPriority=12;
            AppCondition{
                AppName=iexplorer.exe;
                AppVersion=400000;        // Version 4.0
            };
            Action{
                ActionType=Alert;
                ActionParam="Upgrade your IE please.";
            };
        };
        Policy{
            pid=xxx;
            PolPriority=0;
            AppCondition{
                AppName=aftp.exe;
            };
            Action{
                ActionType=PASS;
            };
        };
        Policy{
            pid=2001212;
            PolPriority=0;
            AppCondition{
                AppName=foxmail.exe;
            };
            FwAclCondition{
                AclProto=TCP;
                AclRemotePort=25,110;
            };
            Action{
                ActionType=PASS;
            };
        };
        Policy{
            pid=xxx;
            PolPriority=5;
            TimeCondition{
                TimeDayOfWeekMask=0x3E;          // Monday~Friday
                TimeOfDayMask=0x0003CF00;        // 8:00~12:00, 14:00~18:00
            };
            XXX{};
            YYY{};
            Action{
                ActionType=PASS;
            };
        };
    };
A single policy is executed in the order shown in figure 16.
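To show how a Policy Enforcement Point could consume the policy group format above, the following added example (not code from the patent) parses a constructed group in that syntax and evaluates it against a host context. The condition classes and the two time masks (0x3E, 0x0003CF00) come from the page; the matching semantics are assumptions: AppVersion matches by equality, bit 0 of TimeDayOfWeekMask is Sunday, bit h of TimeOfDayMask is hour h, higher PolPriority is tried first, and Skip falls through to the next policy.

```python
"""Parser and evaluator for the brace-style policy group format described
above. Added example, not the patent's code. Matching semantics (equality on
AppVersion, higher PolPriority first, weekday bit 0 = Sunday, hour bit h =
hour h, Skip falls through) are assumptions."""
import re

# Constructed sample in the page's syntax (two policies from the page's demo).
SAMPLE = """
PolicyGroup{
    PolGroupName="PG1"; PolGroupVersion=10; PolGroupPriority=20;
    Policy{
        pid=185439; PolPriority=12;
        AppCondition{ AppName=iexplorer.exe; AppVersion=400000; };  // Version 4.0
        Action{ ActionType=Alert; ActionParam="Upgrade your IE please."; };
    };
    Policy{
        pid=2001212; PolPriority=0;
        AppCondition{ AppName=foxmail.exe; };
        FwAclCondition{ AclProto=TCP; AclRemotePort=25,110; };
        TimeCondition{
            TimeDayOfWeekMask=0x3E;          // Monday~Friday
            TimeOfDayMask=0x0003CF00;        // 8:00~12:00, 14:00~18:00
        };
        Action{ ActionType=PASS; };
    };
};
"""

# Tokens: // comments, "quoted strings", the punctuation { } ; = and bare words.
TOKEN = re.compile(r'//[^\n]*|"[^"]*"|[{};=]|[^\s{};=]+')

def tokenize(text):
    return [t for t in TOKEN.findall(text) if not t.startswith("//")]

def parse_block(tokens, i=0):
    """Parse NAME { key=value; ... CHILD{...}; } ; starting at tokens[i].
    Returns (name, body, next_index). Child blocks are collected in lists
    under their name, so repeated Policy blocks keep their order."""
    name, i = tokens[i], i + 2                      # skip NAME and "{"
    body = {}
    while tokens[i] != "}":
        if tokens[i + 1] == "=":
            body[tokens[i]] = tokens[i + 2].strip('"')
            i += 3
            if tokens[i] == ";":
                i += 1
        else:
            child, child_body, i = parse_block(tokens, i)
            body.setdefault(child, []).append(child_body)
    i += 1                                          # consume "}"
    if i < len(tokens) and tokens[i] == ";":
        i += 1
    return name, body, i

def load_group(text):
    return parse_block(tokenize(text))[1]

def bit_set(mask_text, bit):
    """True when bit `bit` of a hex mask such as 0x0003CF00 is set."""
    return (int(mask_text, 16) >> bit) & 1 == 1

def matches(policy, ctx):
    """ctx keys: app, version, proto, remote_port, weekday (0=Sun..6=Sat), hour."""
    for c in policy.get("AppCondition", []):
        if "AppName" in c and c["AppName"] != ctx.get("app"):
            return False
        if "AppVersion" in c and int(c["AppVersion"]) != ctx.get("version"):
            return False
    for c in policy.get("FwAclCondition", []):
        if "AclProto" in c and c["AclProto"] != ctx.get("proto"):
            return False
        if "AclRemotePort" in c:                    # "25,110" is a port list
            if ctx.get("remote_port") not in {int(p) for p in c["AclRemotePort"].split(",")}:
                return False
    for c in policy.get("TimeCondition", []):
        if "TimeDayOfWeekMask" in c and not bit_set(c["TimeDayOfWeekMask"], ctx["weekday"]):
            return False
        if "TimeOfDayMask" in c and not bit_set(c["TimeOfDayMask"], ctx["hour"]):
            return False
    return True

def evaluate(group, ctx):
    """First matching policy wins, higher PolPriority tried first (assumed);
    a Skip action falls through. Returns (pid, ActionType, ActionParam) or
    None when no policy matches."""
    for p in sorted(group["Policy"], key=lambda p: int(p["PolPriority"]), reverse=True):
        if matches(p, ctx):
            act = p["Action"][0]
            if act.get("ActionType", "").upper() == "SKIP":
                continue
            return p["pid"], act["ActionType"], act.get("ActionParam")
    return None
```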
This policy description language has the following properties:
(1) Extensibility: the policy description language must adapt to multiple secure access control mechanisms, such as access control based on address, protocol and port, content-based access control, and so on, and these mechanisms themselves are constantly changing.
(2) Generality: because policies can be implemented on many platforms, the policy description language should be general enough to be supported by many platforms.
(3) Support for policy conflict detection: conflicts inevitably exist in complex security policies, that is, several policy rules contradict each other, which can cause misconfiguration or misunderstanding of the security policy. Policy conflict detection usually converts the policy rules into a regular logical expression and applies a dedicated algorithm to detect conflicts.
(4) Ease of understanding: an understandable policy language makes it convenient for the administrator to formulate accurate security policies and to check and maintain their correctness.
Although policy formulation is very flexible and policies can be very complicated, for ease of management the common kinds of policy still need to be classified.
In addition to its basic condition part, every policy can have options such as time conditions and environmental conditions (operating system and version, network type, whether the screen saver is active, etc.).
In the present invention policies are divided into 11 major classes according to function and target. This classification is the planning and application pattern of security policy theory that the present technique uses in real environments; it is a refinement of the policy definition.
Firewall policy set
Purpose: block internal or external network access and attacks; restrict access to network resources.
Content:
Support access control based on protocols such as IP, ICMP, IGMP, TCP and UDP
Support access control based on packet size
Support access control of particular network application services, for example HTTP, FTP, POP3, SMTP, TELNET, OICQ, ICQ, MSN Messenger, etc.
Support access control of TCP and UDP network ports
Support access control based on TCP flag bits
File-sharing control based on NetBIOS
Access control based on time and date
Syntactic description:
        FwPolicy{
            pid=PID;
            PolPriority=POLICYPRIORITY;
            ProtoCondition{
                ProtoType=(IP:ICMP:IGMP:TCP:UDP)
                ServType=(HTTP:FTP:POP3:SMTP:TELNET:OICQ:ICQ:Custom)
                PktParam=(PKTSIZE:TCPFLAG:IPADDR:HWADDR)
            }
            TimeCondition{
                TimeCond=STARTENDTIME;
                DateCond=STARTENDDATE;
            };
            Action{
                actionType=ACTIONTYPE;
                actionParam=ACTIONPARAMETER;
            };
            Log{
                logGrade=LOGGRADE;
                logParam=LOGPARAMETER;
            }
        };
Application security
Purpose: restrict the network access rights of specified applications; restrict the execution rights of specified applications
Content:
Support version control, integrity checking, etc. of typical applications, for example the IE browser, Outlook, Explorer, etc.
Support version control and integrity checking extended to user-written programs
Define the TCP and UDP network ports an application may open
Define the execution rights of an application
Define the secure operating configuration of an application
Enforce the password strength of application administrators
Application usage control based on time and date
Syntactic description:
        AppPolicy{
            pid=PID;
            PolPriority=POLICYPRIORITY;
            AppCondition{
                AppType=(IE,OUTLOOK,...)
                AppParam=APPPRIV:APPPATH:APPINFO
            }
            TimeCondition{
                TimeCond=STARTENDTIME;
                DateCond=STARTENDDATE;
            };
            Action{
                actionType=ACTIONTYPE;
                actionParam=ACTIONPARAMETER;
            };
            Log{
                logGrade=LOGGRADE;
                logParam=LOGPARAMETER;
            }
        };
Mail protection
Purpose: limit information leakage through network mail; audit mail content and block possibly malicious mail
Content:
Mail filtering based on black, grey and white lists
Forbid sending and receiving mail containing certain content or keywords
Provide filtering and detection of attachments in multiple formats
Provide limits on attachment size and on mail content size
Mail filtering based on sender and recipient
Mail usage control based on time and date
Support automatic encrypted transmission of mail to specified recipient addresses
Support automatic decryption of mail from specified sender addresses
Syntactic description:
        MailPolicy{
            pid=PID;
            PolPriority=POLICYPRIORITY;
            MailCondition{
                MailAddr=RECVER:SENDER
                MailAttach=ATTACHINFO
                MailArgu=FORMAT:TYPE
            }
            ContentCondition{
                Content=OBJKEY
            }
            TimeCondition{
                TimeCond=STARTENDTIME;
                DateCond=STARTENDDATE;
            };
            Action{
                actionType=ACTIONTYPE;
                actionParam=ACTIONPARAMETER;
            };
            Log{
                logGrade=LOGGRADE;
                logParam=LOGPARAMETER;
            }
        };
Web protection
Purpose: restrict the web browsing rights of protected hosts; block possible illegal information publishing
Content:
Restrict users' web browsing rights
Support URL-based page filtering
Support keyword-based page filtering
Support page filtering and restriction based on content classification (pornography, politics, management, news, non-technical, etc.)
Restrict posting rights on network forums
Filter by file type and media type
Restrict uploading and downloading of files
Restrict Java applets, JavaScript and ActiveX
Restrict cookies
Restrict pop-up advertisements and similar pop-up windows
Web usage control based on time and date
Syntactic description:
        WebPolicy{
            pid=PID;
            PolPriority=POLICYPRIORITY;
            WebCondition{
                WebUrl=OBJURL
                WebArgu=MIME:REQUEST:REPLY:PRIV
            }
            ContentCondition{
                Content=OBJKEY
            }
            TimeCondition{
                TimeCond=STARTENDTIME;
                DateCond=STARTENDDATE;
            };
            Action{
                actionType=ACTIONTYPE;
                actionParam=ACTIONPARAMETER;
            };
            Log{
                logGrade=LOGGRADE;
                logParam=LOGPARAMETER;
            }
        };
Privilege protection
Purpose: protect the usage rights of valuable host resources
Content:
Protect the usage rights of valuable host resources
Restrict use of specific local file resources (for example directory access, disk protection, file read/modify/execute rights)
Restrict share permissions
Restrict starting and stopping of system services
Protect the registry from tampering
Protect specific operating system configuration from modification
Restrict execution of specific system configuration operations
Restrict use of specific hardware devices (for example USB devices, parallel-port devices such as printers, serial devices (COM1, COM2), floppy drives, CD-ROM drives, DVD drives, infrared interfaces, ZIP disks, etc.)
Binding of devices or addresses such as CPU, hard disk, network card (IP, MAC) and motherboard
Privilege usage control based on time and date
Syntactic description:
        PrivPolicy{
            pid=PID;
            PolPriority=POLICYPRIORITY;
            FILECondition{
                PrivResource=FILE:DISK
                PrivArgu=PATHINFO
            }
            DevCondition{
                PrivResource=DEVICE(USB,PRINTER,CD/DVD....)
                PrivArgu=DEVINFO
            }
            SysCondition{
                SysEnv=REGISTER:SYSSERVICE
                PrivArgu=OSINFO
            }
            ProtectCond{
                ProtectType=READ:WRITE:LIST:EXEC:DO
            }
            TimeCondition{
                TimeCond=STARTENDTIME;
                DateCond=STARTENDDATE;
            };
            Action{
                actionType=ACTIONTYPE;
                actionParam=ACTIONPARAMETER;
            };
            Log{
                logGrade=LOGGRADE;
                logParam=LOGPARAMETER;
            }
        };
Intrusion detection
Purpose: detect and block possible network intrusions and attacks
Protection:
Provide signature-based intrusion detection
Support anomaly-based intrusion detection
Stop scanning attacks such as network scanning, TCP port scanning and operating system scanning
Support virus detection
Syntactic description:
        IdsPolicy{
            pid=PID;
            PolPriority=POLICYPRIORITY;
            IdsCondition{
                IdsSig=IDSSIGNATURE
            }
            VirusCondition{
                VirusSig=VIRUSSIGNATURE
            }
            TimeCondition{
                TimeCond=STARTENDTIME;
                DateCond=STARTENDDATE;
            };
            Action{
                actionType=ACTIONTYPE;
                actionParam=ACTIONPARAMETER;
            };
            Log{
                logGrade=LOGGRADE;
                logParam=LOGPARAMETER;
            }
        };
Advanced policy
Purpose: customize system-wide global policies and publish announcements
Protection:
Customized system information broadcast
Force remote operating system auto-update and automatic installation of operating system patches
Force remote virus database auto-update
Force remote application auto-update
Force remote PEP auto-update
Remote system lock
Force a password-protected screen saver
Enforce administrator password strength
Restrict sniffer network monitoring
Set the default network state (allow, forbid)
Restrict dial-up access rights
Bind user IP and MAC addresses
Vulnerability discovery on legal hosts
Discovery of illegally connected hosts
Syntactic description:
        AdvPolicy{
            pid=PID;
            PolPriority=POLICYPRIORITY;
            AdvCondition{
                AdvType=MSG:UPDATE:PROTECT:MONITOR
                AdvArgu=ADVARGU (according to TYPE)
            }
            TimeCondition{
                TimeCond=STARTENDTIME;
                DateCond=STARTENDDATE;
            };
            Action{
                actionType=ACTIONTYPE;
                ActionParam=ACTIONPARAMETER;
            };
            Log{
                logGrade=LOGGRADE;
                LogParam=LOGPARAMETER;
            };
        };
System monitoring
Purpose: monitor and control the operating state of network hosts and servers; monitor the operating state of network devices and security devices
Content:
Monitor the network traffic of protected devices
Monitor the network card operating state (operating mode, bandwidth) of protected devices
Monitor the usage of each resource of protected devices
Monitor and, with authorization, supervise the operating state of system services and processes
Monitor and, with authorization, supervise disk partitioning and data backup and recovery
Monitor and, with authorization, supervise host file system backup and recovery
Remotely capture the host system screen, with authorization
Remotely monitor the host system keyboard, with authorization
Syntactic description:
        MonPolicy{
            pid=PID;
            PolPriority=POLICYPRIORITY;
            MonCondition{
                MonType=FLOW:NICMODE:OS:DISKRECOVER:FILERECOVER:SCREEN:KEY
                MonArgu=MONARGU (according to TYPE)
            }
            TimeCondition{
                TimeCond=STARTENDTIME;
                DateCond=STARTENDDATE;
            };
            Action{
                actionType=ACTIONTYPE;
                ActionParam=ACTIONPARAMETER;
            };
            Log{
                logGrade=LOGGRADE;
                LogParam=LOGPARAMETER;
            };
        };
Denial-of-service defence
Purpose: protect hosts and services against denial-of-service attacks and reduce the damage they cause
Protection:
Restrict ARP alarms and attacks
Restrict UDP flood attacks
Restrict ICMP flood attacks
Restrict the TCP connection rate
Restrict the characteristics (length, frequency) of ICMP packets
Dynamic control based on weight analysis
Restrict the traffic volume of specified network segments
Support access rate limits based on network address ranges
Syntactic description:
        DOSPolicy{
            pid=PID;
            PolPriority=POLICYPRIORITY;
            DosCondition{
                DosType=DYNAMIC:STATIC:ANALYSIS
            }
            ArpCondition{
                ArpMac=SRCMAC:DSTMAC
                ArpLimit=LIMIT
            }
            TcpCondition{
                Tcp=TCPINFO
                TcpLimit=LIMIT
            }
            UdpCondition{
                Udp=UDPINFO
                UdpLimit=LIMIT
            }
            IcmpCondition{
                Icmp=ICMPINFO
                IcmpLimit=LIMIT
            }
            TimeCondition{
                TimeCond=STARTENDTIME;
                DateCond=STARTENDDATE;
            };
            Action{
                actionType=ACTIONTYPE;
                actionParam=ACTIONPARAMETER;
            };
            Log{
                logGrade=LOGGRADE;
                logParam=LOGPARAMETER;
            }
        };
Data backup and recovery
Purpose: back up and recover hard disk data, effectively guarding against the data loss and system crashes caused by hard disk formatting, virus attacks or deliberate destruction; protect the file system and effectively recover files and data
Content:
Support data protection of very large hard disks
Support protection of CMOS data
Support partition-level and disk-level protection
Support hiding and read/write protection of partitions
Support data protection based on file directory
Support data protection based on file type
Support the Windows 2000, XP and 2003 operating systems
Support file systems such as FAT16, FAT32 and NTFS
Disk occupancy of 3/10000
Support instant data restore technology
Support automatic recovery, manual recovery, automatic save and manual save
Support remote installation, remote control, remote backup and recovery
Support password protection
Resist FDISK, formatting and the like
Compatible with partition tools such as PQ Magic
Support encryption of files or subdirectories of particular categories
Syntactic description:
        RecoverPolicy{
            pid=PID;
            PolPriority=POLICYPRIORITY;
            RecvCondition{
                RecvType=DISK:FILE:PATH
                RecMethod=MANUAL:AUTO
                ProtectType=FULL:PASS:HIDE
            }
            TimeCondition{
                TimeCond=STARTENDTIME;
                DateCond=STARTENDDATE;
            };
            Action{
                actionType=ACTIONTYPE;
                actionParam=ACTIONPARAMETER;
            };
            Log{
                logGrade=LOGGRADE;
                logParam=LOGPARAMETER;
            }
        };
Encryption and secure transmission
Purpose: protect the confidentiality and integrity of data in transit
Content:
Support VPN encrypted transmission when the user accesses specified addresses
Support plaintext transmission when the user accesses addresses other than the specified ones
Syntactic description:
        CryptPolicy{
            pid=PID;
            PolPriority=POLICYPRIORITY;
            CryptCondition{
                CryptType=DES,ADES,MD5,SHA...
                AuthType=CLEARTEXT:CERT:SSL:TLS:OTP:KERBEROS:SASL
            }
            TimeCondition{
                TimeCond=STARTENDTIME;
                DateCond=STARTENDDATE;
            };
            Action{
                actionType=ACTIONTYPE;
                actionParam=ACTIONPARAMETER;
            };
            Log{
                logGrade=LOGGRADE;
                logParam=LOGPARAMETER;
            }
        };
The distribution of security policies in the present invention comprises the following:
Policy distribution combines "push" and "pull", and is carried out in the "pull" mode. After a policy changes, the SSP uses "push" to inform the PEPs in all management domains; this can use multicast to improve efficiency. If the network cannot support multicast, or the network is small, unicast can also be used. After logging in to the SSP, a PEP can actively "pull" the policy.
In addition, the PEP periodically sends a "heartbeat" signal to the policy server to inform the SSP of its own existence and of some policy-related information, such as the user currently logged in on the host, the host operating system and version, the current policy version number, and so on.
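The push/pull distribution and the heartbeat described above, as an added example that is not the patent's code: the SSP pushes a version notification on change, PEPs pull after login or on a push, and each heartbeat carries the PEP's current policy version so the SSP can spot PEPs that missed the push or have gone quiet. The message fields, the heartbeat interval and the "silent" threshold are assumptions.

```python
"""SSP/PEP policy distribution: push on change, pull after login, periodic
heartbeat carrying the policy version. Added example, not the patent's code;
the heartbeat interval and silence threshold are assumed values."""
from dataclasses import dataclass, field

HEARTBEAT_INTERVAL = 60          # seconds between heartbeats (assumed)
MISSED_BEATS_BEFORE_SILENT = 3   # missed heartbeats before a PEP is flagged (assumed)

@dataclass
class PepRecord:
    """What the SSP last learned about a PEP from its heartbeat."""
    host_user: str
    os_version: str
    policy_version: int
    last_heartbeat: float

@dataclass
class SSP:
    current_version: int
    peps: dict = field(default_factory=dict)    # pep_id -> PepRecord
    pushed: list = field(default_factory=list)  # (mode, version, recipients)

    def heartbeat(self, pep_id, host_user, os_version, policy_version, now):
        """Record the heartbeat and tell the PEP which policy version is current."""
        self.peps[pep_id] = PepRecord(host_user, os_version, policy_version, now)
        return self.current_version

    def publish(self, new_version, multicast=True):
        """Policy changed: one multicast notification to all known PEPs, or
        one unicast notification per PEP when the network has no multicast."""
        self.current_version = new_version
        if multicast:
            self.pushed.append(("multicast", new_version, sorted(self.peps)))
        else:
            for pep_id in sorted(self.peps):
                self.pushed.append(("unicast", new_version, [pep_id]))

    def out_of_date(self):
        """PEPs whose last heartbeat reported a version other than the current one."""
        return sorted(p for p, r in self.peps.items() if r.policy_version != self.current_version)

    def silent(self, now):
        """PEPs that have stopped sending heartbeats."""
        limit = HEARTBEAT_INTERVAL * MISSED_BEATS_BEFORE_SILENT
        return sorted(p for p, r in self.peps.items() if now - r.last_heartbeat > limit)

@dataclass
class PEP:
    pep_id: str
    host_user: str
    os_version: str
    policy_version: int = 0
    pulled: list = field(default_factory=list)  # versions fetched, in order

    def pull(self, ssp):
        """Actively fetch the current policy from the SSP (after login or on push)."""
        self.policy_version = ssp.current_version
        self.pulled.append(ssp.current_version)

    def on_push(self, ssp, version):
        if version != self.policy_version:
            self.pull(ssp)

    def beat(self, ssp, now):
        """Heartbeat: report user, OS and policy version; pull if the SSP says we are behind."""
        wanted = ssp.heartbeat(self.pep_id, self.host_user, self.os_version,
                               self.policy_version, now)
        if wanted != self.policy_version:
            self.pull(ssp)

def scenario():
    """Two PEPs; the push reaches only one, the heartbeat catches the other."""
    ssp = SSP(current_version=10)
    a = PEP("pep-a", "alice", "Windows XP")
    b = PEP("pep-b", "bob", "Windows 2000")
    for pep in (a, b):
        pep.pull(ssp)                       # login, then pull
        pep.beat(ssp, now=0)
    ssp.publish(11)                         # policy changed -> push
    a.on_push(ssp, 11)                      # assume pep-b never received the push
    stale_after_push = ssp.out_of_date()    # SSP only knows heartbeat-reported versions
    a.beat(ssp, now=60)
    b.beat(ssp, now=60)                     # reports 10, is told 11, pulls
    stale_after_beat = ssp.out_of_date()    # b's record still says 10 until its next beat
    b.beat(ssp, now=120)
    return {"pushed": ssp.pushed, "a_pulled": a.pulled, "b_pulled": b.pulled,
            "stale_after_push": stale_after_push, "stale_after_beat": stale_after_beat,
            "stale_final": ssp.out_of_date(), "silent_at_300": ssp.silent(300)}
```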
Application example
A certain customer is a nationwide organization whose structure is divided into levels such as a national center, provincial centers and municipal centers. The technical strength of the national and provincial centers is relatively strong, but that of the municipal centers is relatively weak, and the organization often runs into many security problems, for example: network worms spreading unchecked, system patches not installed in time, default system shares left open, no way to prevent insiders from visiting illegal websites, no way to prevent internal users from leaking information, and so on.
For the customer's practical problems and needs, the customer is provided with a security-policy-based network security management system solution. The whole system consists of several parts, as shown in figure 17: one or more system support platforms (for load balancing) and a policy management center are deployed at the national center and at each provincial center; the network security administrator uses the policy management center to set the policies and rights of different users within the scope of its authority; these policies, rights and user profiles are kept on the system support platform; the system support platforms of the national center and the provincial centers form a tree, which guarantees synchronization of information and uniformity of policy; and each user's policy differs according to the group the user belongs to.
The policy execution engine is installed on all user hosts and servers in the organization. When a user logs in to the network, the engine automatically downloads the security policy from the system support platform it belongs to and executes it locally.
Test time: 14 October 2004
Test tool: X-Scan v3.1, with the scan database of August 2004; detection range: 192.168.2.86
Main security policies:
Forbid two-way Trojan horses
Do not allow the local machine name to be obtained
Forbid everyone from connecting to low ports
Forbid all open shares
Allow outbound ftp, telnet, http, smtp and pop3
Do not allow others to probe with the ping command; allow outbound ping probes
After deploying the security-policy-based network security management system, the various security and management problems that appeared in the original system are effectively solved and prevented, the administrator's cost of maintaining and managing user hosts is greatly reduced, the security of user hosts is guaranteed effectively and transparently, and the propagation of large-scale worm viruses is effectively guarded against and resisted.
Before deployment of the security-policy-based network security management system this host had very large potential security hazards and a high risk level; using the security-policy-based network security management system has shielded the great majority of this host's vulnerabilities, greatly reducing the system's risk level.

Claims (9)

1. A security-policy-based network security management system, characterized in that the network security management system comprises:
- a system support platform, which is installed in the network that needs protection as the server of the management system and is responsible for authenticating and authorizing the Policy Enforcement Points and policy management center of the administered network, for publishing and storing security policies, for discovering illegal hosts connected to the network and for discovering vulnerabilities of legal hosts in the network;
- a policy management center, which is responsible for managing the security of the administered network, for defining security policies and for specifying the application of security policies;
- Policy Enforcement Points, which are installed on the systems and devices that need protection and are responsible for downloading and executing policies and for protecting the devices and systems they reside on;
- a log server, which is responsible for collecting and aggregating log information for centralized audit and event tracing.
2. The security-policy-based network security management system of claim 1, characterized in that the system support platform has the following functional modules:
a distributed coordination module, responsible for the back-end support of the system's distributed management and for information exchange and command parsing between system support platforms at each level;
a management module, responsible for receiving and processing commands from the policy management center and calling the other modules in the system support platform to execute them;
an authentication module, responsible for authenticating and authorizing the policy management centers, Policy Enforcement Points and lower-level system support platforms within its scope of authority;
a user module, responsible for interacting with the Policy Enforcement Points, managing all information about each Policy Enforcement Point and feeding this information back to the other modules in the system support platform;
a linkage module, responsible for coordinated protection between this system and firewalls, anti-virus, vulnerability scanning, intrusion detection and network products;
a configuration module, responsible for the system's configuration and for back-end storage and query of data;
a communication encryption module, responsible for encrypting, decrypting and classifying communication data, guaranteeing the security of communication data;
a vulnerability scanning module, responsible for scanning legal hosts for existing vulnerabilities;
an illegal connection discovery module, responsible for discovering illegal hosts connected to the network.
3. The security-policy-based network security management system of claim 1, characterized in that the policy management center has the following functional modules:
a man-machine interface module, responsible for interacting with the administrator, realizing man-machine interaction and providing the management interface;
an access control module, responsible for limiting the administrator's authority, so that different administrators have different configuration and management rights;
a query module, responsible for responding to log query and configuration retrieval commands and returning results;
a configuration module, responsible for responding to each configuration operation and notifying the system support platform of configuration changes;
a remote monitoring module, responsible for responding to the administrator's monitoring commands and returning results;
a login authentication module, responsible for carrying out the administrator's authentication requests and returning results after interacting with the system support platform;
a log management module, responsible for the consistent operations related to logs;
a communication encryption module, responsible for encrypting, decrypting and classifying communication data, guaranteeing the security of communication data.
4. The security-policy-based network security management system of claim 1, characterized in that each Policy Enforcement Point comprises a policy download engine and N policy execution engines, N ≥ 1,
the policy download engine being responsible for downloading policies and configuring the local environment, and comprising the following modules:
a man-machine interface module, responsible for interacting with the local user and providing the management interface;
a user management module, responsible for local user management, responding to configuration and query operations and returning results;
a login authentication module, responsible for interacting with the system support platform to authenticate;
a log management module, responsible for unified management of local logs and for interacting with the log server to save them in the remote database;
a local policy management module, responsible for local storage and updating of policies;
a local communication module, responsible for interacting with the policy execution engines and transmitting policies and logs;
a communication encryption module, responsible for encrypting, decrypting and classifying network communication data, guaranteeing the security of communication data;
the policy execution engine being responsible for executing policies and protecting the system and device it resides on, and comprising the following modules:
a local policy execution module, responsible for executing policies and returning responses;
a policy parsing module, responsible for parsing policies;
a local communication module, responsible for communicating with the policy download engine and transmitting policies and logs.
5. The security-policy-based network security management system according to claim 1, characterized in that: the log server has the following functional modules:
A log analysis module, responsible for analyzing and saving the received logs;
An alarm module, responsible for processing logs according to their alarm classification;
A communication encryption module, responsible for the encryption, decryption and classification of communication data, guaranteeing the security of the communication data.
6. The security-policy-based network security management system according to claim 1, characterized in that: the system support platform supports multilevel distributed deployment; when deployed on a large-scale network, the system support platform can be divided into N levels according to the size of the network it belongs to and its supervisory level, N ≥ 1; there is an administrative relation between the platforms at different levels, where level one manages level two and below, level two manages level three and below, and so on; each system support platform works independently and can also work cooperatively with, or act as a backup for, other system support platforms.
7. The security-policy-based network security management system according to claim 1, characterized in that: this system can be linked with other security products so as to achieve joint defence, including linkage with firewalls, anti-virus, vulnerability scanning, intrusion detection, networking products and the like.
8. A security-policy-based network security management method, characterized in that: a security policy is the definition of the targets that need security protection and of the method of protecting them; the method is realized on the basis of the definition, publication and operation of security policies, and comprises the following steps:
1. defining the security policy at the policy management center and setting the targets that need protection;
2. publishing the policy through the system support platform to the policy enforcement points of the target devices and systems;
3. after the policy enforcement points have executed the policy, notifying the log server of the result.
9. The security-policy-based network security management method according to claim 8, characterized in that: the security policy in step 1 is divided into a firewall policy set, application security, mail protection, Web protection, privilege protection, intrusion detection, high-level policy, system monitoring, anti-denial-of-service attack, data backup and restoration, and encryption and secure transmission.
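The three-step method of claim 8, the download-engine/execution-engine split of claim 4, the alarm classification of claim 5 and the multilevel platform hierarchy of claim 6 can be modelled together in a short simulation. The following Python is an added illustration, not code from the patent or its assignee: the HMAC tag standing in for the communication encryption module, the `<allow|deny> <proto>/<port>` rule format, the class names and every sample value are assumptions made for the example.

```python
"""Toy model of the policy lifecycle in claims 4-9: a policy is defined at the
management center, published through the support platform to the policy
enforcement points (PEPs) of its target, executed there, and the outcome is
reported to the log server. Added illustration; not the patent's code."""
import hashlib
import hmac
import json

# Policy categories enumerated in claim 9.
POLICY_CATEGORIES = frozenset({
    "firewall", "application_security", "mail_protection", "web_protection",
    "privilege_protection", "intrusion_detection", "high_level_policy",
    "system_monitoring", "anti_dos", "backup_restore", "encryption_transport",
})

# Constructed shared key standing in for the key material the communication
# encryption module would hold; the claims name no algorithm (assumption).
PLATFORM_KEY = b"constructed-demo-key"


def tag(policy: dict) -> str:
    """Integrity tag over a canonical JSON encoding (HMAC-SHA256 is an assumption)."""
    body = json.dumps(policy, sort_keys=True).encode()
    return hmac.new(PLATFORM_KEY, body, hashlib.sha256).hexdigest()


class LogServer:
    """Claim 5: keeps received execution records and classifies alarms."""
    def __init__(self):
        self.records = []

    def report(self, entry: dict) -> None:
        # Alarm module: anything other than a clean execution is raised as an alarm.
        entry["alarm"] = "none" if entry["status"] == "ok" else "high"
        self.records.append(entry)


class ManagementCenter:
    """Step 1 of claim 8: define the policy and the target it protects."""
    def define_policy(self, policy_id, category, target, rule) -> dict:
        if category not in POLICY_CATEGORIES:
            raise ValueError(f"unknown policy category: {category}")
        policy = {"id": policy_id, "category": category, "target": target, "rule": rule}
        return {"policy": policy, "tag": tag(policy)}


class PolicyEnforcementPoint:
    """Claim 4: download engine (local store, tag check) plus one execution engine."""
    def __init__(self, name: str, target: str, log_server: LogServer):
        self.name, self.target, self.log = name, target, log_server
        self.local_store = {}  # policy local management module: saved/updated policies

    def receive(self, envelope: dict) -> bool:
        policy = envelope["policy"]
        # Communication encryption module: drop envelopes whose tag does not verify.
        if not hmac.compare_digest(tag(policy), envelope["tag"]):
            self.log.report({"pep": self.name, "policy": policy["id"], "status": "rejected"})
            return False
        self.local_store[policy["id"]] = policy
        return self.execute(policy)

    def execute(self, policy: dict) -> bool:
        # Policy parsing module: rule format "<allow|deny> <proto>/<port>" (constructed).
        action, _, selector = policy["rule"].partition(" ")
        proto, _, port = selector.partition("/")
        ok = action in ("allow", "deny") and proto in ("tcp", "udp") and port.isdigit()
        # Policy local execution module: a real PEP would program the host filter here.
        self.log.report({"pep": self.name, "policy": policy["id"], "status": "ok" if ok else "error"})
        return ok


class SupportPlatform:
    """Step 2 of claim 8: deliver a published policy to every PEP whose target it names.
    Subordinate platforms model the multilevel deployment of claim 6."""
    def __init__(self, level: int):
        self.level, self.peps, self.subordinates = level, [], []

    def publish(self, envelope: dict) -> int:
        target = envelope["policy"]["target"]
        delivered = sum(pep.receive(envelope) for pep in self.peps if pep.target == target)
        return delivered + sum(sub.publish(envelope) for sub in self.subordinates)


def run_lifecycle() -> list:
    """Drive two policies through a two-level deployment; returns the log records."""
    log = LogServer()
    top, branch = SupportPlatform(1), SupportPlatform(2)
    top.subordinates.append(branch)
    top.peps.append(PolicyEnforcementPoint("pep-hq", "mail-gateway", log))
    branch.peps.append(PolicyEnforcementPoint("pep-branch", "mail-gateway", log))
    branch.peps.append(PolicyEnforcementPoint("pep-web", "web-server", log))

    center = ManagementCenter()
    good = center.define_policy("p1", "firewall", "mail-gateway", "deny tcp/23")
    top.publish(good)  # reaches both mail-gateway PEPs, never pep-web

    bad = center.define_policy("p2", "firewall", "web-server", "allow tcp/80")
    bad["policy"]["rule"] = "allow tcp/0-65535"  # altered in transit: tag no longer matches
    top.publish(bad)
    return log.records


if __name__ == "__main__":
    for record in run_lifecycle():
        print(record)
```

The two delivery paths show the point of step 3: the log server, not the publishing platform, is where execution results and rejected or malformed policies become visible, so its alarm classification is what an operator would monitor to confirm that a published policy actually took effect on every target.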
CNB2004100732114A 2004-11-01 2004-11-01 Security policy based network security management system and method Expired - Fee Related CN100346610C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100732114A CN100346610C (en) 2004-11-01 2004-11-01 Security policy based network security management system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2004100732114A CN100346610C (en) 2004-11-01 2004-11-01 Security policy based network security management system and method

Publications (2)

Publication Number Publication Date
CN1604541A CN1604541A (en) 2005-04-06
CN100346610C true CN100346610C (en) 2007-10-31

Family

ID=34666879

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100732114A Expired - Fee Related CN100346610C (en) 2004-11-01 2004-11-01 Security policy based network security management system and method

Country Status (1)

Country Link
CN (1) CN100346610C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108965305A (en) * 2018-07-25 2018-12-07 安徽三实信息技术服务有限公司 A kind of internet security monitoring system and its monitoring method

Families Citing this family (34)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100382506C (en) * 2005-09-20 2008-04-16 华为技术有限公司 Method for verifying network-unit server in network management system
CN100364280C (en) * 2005-12-15 2008-01-23 杭州华三通信技术有限公司 Method for sending safety strategy
US8099786B2 (en) * 2006-12-29 2012-01-17 Intel Corporation Embedded mechanism for platform vulnerability assessment
CN101231682B (en) * 2007-01-26 2011-01-26 李贵林 Computer information safe method
CN101291426B (en) 2007-04-18 2010-08-25 联想(北京)有限公司 Method and system for third party to real-time monitor remote control process
CN101330383B (en) * 2007-06-19 2011-09-14 瑞达信息安全产业股份有限公司 Credible system for monitoring network resource based on user identification and action
CN101123493B (en) * 2007-09-20 2011-11-09 杭州华三通信技术有限公司 Secure inspection method and secure policy server for network access control application system
CN101399698A (en) * 2007-09-30 2009-04-01 华为技术有限公司 Safety management system, device and method
CN101729531B (en) * 2009-03-16 2016-04-13 中兴通讯股份有限公司 Network security policy distribution method, Apparatus and system
CN101902505B (en) * 2009-05-31 2013-02-27 中国科学院计算机网络信息中心 Distributed DNS inquiry log real-time statistic device and method thereof
CN101582883B (en) * 2009-06-26 2012-05-09 西安电子科技大学 System and method for managing security of general network
CN101714990B (en) * 2009-10-30 2013-06-05 清华大学 Network security safeguarding integrated system and control method thereof
CN101917419A (en) * 2010-08-04 2010-12-15 安徽天虹数码技术有限公司 Job network behavior fire wall
CN102143179A (en) * 2011-03-31 2011-08-03 中国人民解放军信息工程大学 Network-wide linked and integrated network service control method
CN103023682A (en) * 2011-09-26 2013-04-03 腾讯科技(深圳)有限公司 Security policy management method and device
CN102624717B (en) * 2012-03-02 2015-11-18 深信服网络科技(深圳)有限公司 Automatically the method generated based on the security strategy of vulnerability scanning and device
US9444840B2 (en) 2012-03-13 2016-09-13 Alcatel Lucent Method and apparatus for a distributed security service in a cloud network
CN103326883A (en) * 2013-05-27 2013-09-25 杭州帕拉迪网络科技有限公司 Uniform safety management and comprehensive audit system
CN104426850A (en) * 2013-08-23 2015-03-18 南京理工大学常熟研究院有限公司 Vulnerability detection method based on plug-in
CN103618689A (en) * 2013-09-12 2014-03-05 天脉聚源(北京)传媒科技有限公司 Method, device and system for network intrusion detection
CN105608344A (en) * 2014-10-31 2016-05-25 江苏威盾网络科技有限公司 Application program safety management system and method
CN105812326B (en) * 2014-12-29 2019-06-11 北京网御星云信息技术有限公司 A kind of centralized control method and system of isomery firewall policy
CN106612214B (en) * 2015-10-26 2019-08-02 任子行网络技术股份有限公司 A kind of integrated system and its adaptive communication method
CN106656987A (en) * 2016-11-03 2017-05-10 郑州理工职业学院 Computer information security management system
CN108965215B (en) * 2017-05-26 2019-12-24 中国科学院沈阳自动化研究所 Dynamic security method and system for multi-fusion linkage response
CN108769005B (en) * 2018-05-25 2021-06-04 深圳市量智信息技术有限公司 WEB system of network space vulnerability merging platform
US11290491B2 (en) * 2019-03-14 2022-03-29 Oracle International Corporation Methods, systems, and computer readable media for utilizing a security service engine to assess security vulnerabilities on a security gateway element
CN110597629A (en) * 2019-08-30 2019-12-20 上海辰锐信息科技公司 Resource scheduling method based on resource preposed atomization and cloud pooling
CN110417821B (en) * 2019-09-09 2021-11-02 北京华赛在线科技有限公司 Networking detection method and system
CN110708340A (en) * 2019-11-07 2020-01-17 深圳市高德信通信股份有限公司 Enterprise private network security supervision system
CN112202750B (en) * 2020-09-25 2023-01-24 统信软件技术有限公司 Control method for policy execution, policy execution system and computing device
CN112866219B (en) * 2021-01-07 2022-08-23 深圳市永达电子信息股份有限公司 Safety management and control method and system
CN112905993B (en) * 2021-03-22 2022-07-08 华东师范大学 Large-scale network-oriented distributed password equipment management system and construction method
CN114629677B (en) * 2021-11-26 2024-03-19 中国大唐集团科学技术研究院有限公司火力发电技术研究院 Safety protection system and method for electric quantity charging system of thermal power generating unit

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1024627A2 (en) * 1999-01-29 2000-08-02 Lucent Technologies Inc. A method and apparatus for managing a firewall
WO2002097585A2 (en) * 2001-05-31 2002-12-05 Xm Satellite Radio Inc. System and method for mobile commerce
WO2004095801A1 (en) * 2003-03-31 2004-11-04 Intel Corporation Methods and systems for managing security policies

Also Published As

Publication number Publication date
CN1604541A (en) 2005-04-06

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Assignee: Xi'an Angelltech Co., Ltd.

Assignor: Shen Mingfeng | Li Shenglei | Zhang Yong | Wang Jun

Contract record no.: 2011610000086

Denomination of invention: Security policy based network security management system and method

Granted publication date: 20071031

License type: Exclusive License

Open date: 20050406

Record date: 20110708

C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20071031

Termination date: 20111101