CN100456689C - Network management safety authentication method - Google Patents


Info

Publication number
CN100456689C
Authority
CN
China
Prior art keywords
webmaster
snmp
network management
request message
snmp request
Prior art date
Legal status
Expired - Lifetime
Application number
CNB031437915A
Other languages
Chinese (zh)
Other versions
CN1581795A (en)
Inventor
谢强
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CNB031437915A
Publication of CN1581795A
Application granted
Publication of CN100456689C
Anticipated expiration
Expired - Lifetime (current legal status)

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a network management security authentication method comprising the following steps: configuring a network manager (NMS) parameter table; the network manager sending an SNMP (Simple Network Management Protocol) request message; receiving the SNMP request message sent by the network manager; judging whether the attribute parameters that identify the network manager in the SNMP request message exist in the parameter table, and if not, terminating the SNMP request, otherwise processing the SNMP request message and returning the result to the network manager. Without modifying the SNMPv1/v2 protocol stack or adding extra development effort, the invention adds a simple network manager user identification mechanism and a user authentication function performed before the agent is accessed, so as to improve the security of the SNMPv1/v2 protocol.

Description

A method of network management security authentication
Technical field
The present invention relates to network security technology, and in particular to a method of network management security authentication, especially one based on SNMP v1/v2.
Background art
Network security is an integral part of system security. It mainly covers the security of physical links (physical layer and link layer), of network equipment, and of TCP (Transmission Control Protocol)/IP (Internet Protocol) (network layer and transport layer). The greater risks lie on the network-equipment side. The first is the security of the physical device itself, which can be controlled by various administrative means. The second is the security of network communication: for example, an unauthorized user who logs in remotely to a router or switch and damages its system configuration or IOS software leaves the physical device intact but unable to perform its routing or LAN switching function. The network must therefore be monitored and controlled, that is, managed. According to the definition of the International Organization for Standardization (ISO), network management has five major categories:
(1) Fault management: the process of locating problems or faults in the network, comprising finding the problem, isolating it, determining its cause and repairing it.
(2) Configuration management: the process of discovering and configuring network devices, comprising obtaining the current network configuration, providing means to modify the configuration remotely, and storing the data so as to maintain an up-to-date device inventory and produce reports.
(3) Accounting management: tracking the use of network resources by each individual and group so that reasonable charges can be collected, and improving the network administrator's understanding of how users consume network resources.
(4) Security management: the process of controlling access to information in the network.
(5) Performance management: measuring the performance of hardware and software in the network. For a residential-area access network of any appreciable size, sound network management is indispensable to keeping the whole network in good running order. At the same time, good network management should also provide various analyses of network operating conditions, giving a reliable basis for planning network expansion.
To perform the management functions above, a network management system has four major components:
(1) a plurality of managed agents;
(2) at least one manager;
(3) a common network management protocol (such as SNMP);
(4) a management information base (MIB).
Generally, the network management workstation is the manager and the other machines on the network are agents. Manager and agent may also be the same machine, as in the case of a network management workstation.
The manager uses SNMP (Simple Network Management Protocol) to request that the agent collect and set information. On receiving the manager's SNMP request the agent accesses the MIB (management information base), obtains the MIB information and, according to the request, either replies to the manager or changes the requested content in the MIB. When an emergency occurs the agent can also send data to the manager on its own initiative by means of a Trap.
SNMP is a widely accepted and deployed industry-standard protocol. Its aim is to ensure that management information can be transmitted between any two points, so that the network administrator can retrieve information from any node on the network, modify settings and troubleshoot faults, and carry out fault diagnosis, capacity planning and report generation. It uses a polling mechanism and provides a basic set of functions.
The basic SNMP operations are GET, GET-NEXT, SET and TRAP. The network management workstation (NMS) sends various query messages to the network device's Agent (management agent), and receives and displays the results from the managed device Agent's response and Trap messages. The agent is a process residing on the managed device; it is responsible for accepting and handling request messages from the NMS, obtaining the values of the management variables from the device's other protocol modules, forming a response message and sending it to the NMS. In certain emergency situations, such as an interface status change or a successful access, it proactively notifies the NMS (by sending a TRAP message). Its communication process is shown in Figure 1.
SNMP v1/v2 is widely used in network management applications today; it provides a simple security guarantee through community name validation. Normally an SNMP Agent has two community names, one with read-only rights and another with read/write rights. When the NMS sends an SNMP request message, the Agent program of the managed device uses the community name sent by the NMS to determine the read/write rights of the request; if community name authentication succeeds, the NMS is allowed to read/write the corresponding MIB variables, otherwise a community name authentication failure error is returned. The SNMP v1/v2 protocol processing flow is shown in Figure 2. Because the v1/v2 protocol inherently lacks security mechanisms, relying solely on a community name transmitted in plaintext to identify the user carries a large security risk: the community name is easily captured during network transmission by a packet sniffer, which lets an attacker impersonate the NMS and change the configuration data of the managed device. Moreover, the v1/v2 protocol authenticates the identity of the NMS user only by a simple string comparison of the community name, which also lacks adequate security.
To address the security defects of the SNMP v1/v2 protocol, SNMP v3 adds user-based security management, view-based access control and message encryption, greatly improving security. However, SNMP v3 is difficult to implement, and most current equipment supports only the SNMP v1/v2 protocol.
Summary of the invention
The object of the invention is to overcome the above shortcomings of the prior art by providing a method of network management security authentication, the method comprising the steps of:
configuring an NMS parameter table, the NMS parameter table being used to identify the network manager (NMS);
the NMS sending a Simple Network Management Protocol (SNMP) request message;
receiving the SNMP request message sent by the NMS;
judging whether the attribute parameters representing the identity of the NMS in the SNMP request message exist in the NMS parameter table, which further comprises: performing legality authentication of the IP address and/or NMS name of the NMS; and performing legality authentication of the community name of the NMS;
if not, returning an illegal NMS error message and terminating the SNMP request;
if so, processing the SNMP request message and returning the result to the NMS.
Optionally, the NMS parameter table comprises the items: NMS name, NMS IP address, NMS maintenance mode, community name and port number.
Preferably, the NMS maintenance mode comprises in-band management and out-of-band management, where in-band management means management carried over the service channel and out-of-band management means management carried over an Ethernet interface.
Optionally, the step of performing legality authentication of the IP address and/or NMS name of the NMS comprises the steps of:
judging, according to the PDU (protocol data unit) in the received SNMP request message, whether the IP address and/or NMS name of the NMS exists in the NMS parameter table;
if so, continuing to process the SNMP request;
if not, terminating the SNMP request and returning an error message that the NMS does not exist.
Optionally, the step of performing legality authentication of the community name of the NMS comprises the steps of:
decoding the received SNMP request message;
judging whether the community name exists in the entry of the NMS parameter table corresponding to the IP address and/or NMS name of the NMS;
if so, continuing to process the SNMP request;
if not, terminating the SNMP request and returning an NMS community name authentication failure error message.
With the invention, without modifying the SNMP v1/v2 protocol stack and without additional development effort, a simple NMS user authentication mechanism is added and a user authentication function is performed before the Agent is accessed, so as to distinguish whether the requester is a genuine NMS user and decide whether to allow access to the MIB of the managed device, thereby improving the security of the SNMP v1/v2 protocol.
Description of drawings
Fig. 1 is a schematic diagram of the communication process between the NMS (network management workstation) and the Agent (management agent);
Fig. 2 is a flow diagram of the current SNMP v1/v2 protocol processing;
Fig. 3 is a schematic diagram of the structure of the NMS parameter table in the preferred embodiment of the invention;
Fig. 4 is a flowchart of the steps of the network management security authentication method of the preferred embodiment of the invention.
Embodiment
The invention is described in further detail below with reference to the drawings and embodiments:
Referring first to Fig. 1, Fig. 1 shows the communication process between the NMS (network management workstation) and the Agent (management agent) in a typical network management system:
A simple network management system comprises two parts: the network management workstation (NMS) and the SNMP agent (AGENT). The agent is the part of the actual network device that implements the SNMP function. The agent receives the NMS's read/write request messages on UDP (User Datagram Protocol) port 161, and the NMS receives the agent's event notification messages on UDP port 162. Once access rights to the device are obtained, device information can be accessed and device parameters rewritten and configured.
Usually a network management system comprises four elements: the manager, the management agent, the management information base and the proxy server. The first three are essential; the fourth is optional.
SNMP is a connectionless protocol; by means of request messages and returned responses it transmits information between the management agent and the manager. The SNMP protocol defines the packet format and the information exchange between the network manager and the management agent, and it also controls the MIB data objects of the management agent. It can therefore be used to handle the various tasks defined by the management agent. Externally it provides three basic operation commands for controlling MIB objects: Set, Get and Trap:
Set: a privileged command by which the configuration of a device can be changed or its operating state controlled;
Get: the basic way of obtaining management information from a network device;
Trap: its function is for the management agent to inform the network management system that some special situation or problem has occurred, without the network management system having explicitly requested it.
SNMPv1 has five types of PDU (protocol data unit): GetRequest, GetNextRequest, SetRequest, GetResponse and Trap. SNMPv2 adds two more PDUs: GetBulkRequest and InformRequest.
The SNMP manager uses GetRequest to retrieve information from a network device that has an SNMP agent, and the SNMP agent answers the GetRequest with a GetResponse message. A great deal of information can be exchanged, such as the system name, the uptime since the system last started, and the number of network interfaces in the system. GetRequest and GetNextRequest used together can fetch an object in a table: GetRequest fetches a specific object, and GetNextRequest then fetches the next object in the table. SetRequest is used for remote configuration of parameters in the device; a SetRequest can set the device name, shut down a port or remove an entry from the address resolution table. A Trap is an SNMP trap, an unsolicited message sent by the SNMP agent to the management station. These messages inform the management station that a particular event has occurred on the device, such as a port failure or a power-down restart, and the management station can respond accordingly.
The invention is based on this typical network management system shown in Fig. 1, and provides a method of network management security authentication on top of the SNMP v1/v2 protocol.
Referring to Fig. 4, Fig. 4 shows the flow of steps of the network management security authentication method of the preferred embodiment of the invention:
First, in step 41, the NMS parameter table is configured; the NMS parameter table is used to identify the NMS, and its structure and items are shown in Fig. 3;
Then, in step 42, the NMS sends an SNMP request message. An SNMP message consists of three parts: a version field, a community field and an SNMP protocol data unit field (SNMP PDU field); the packet length is not fixed;
In step 43, the SNMP agent receives the SNMP request message sent by the NMS;
In step 44, the SNMP request message is decoded;
In step 45, legality authentication of the identity of the NMS user is performed according to the source IP address and/or NMS name in the protocol data unit (PDU) of the received SNMP request message, that is, it is judged whether the source IP address and/or NMS name in the PDU exists in the NMS parameter table configured above;
If not, step 46 is entered and an illegal NMS error message is returned;
then the flow returns to step 43, where the SNMP agent receives the next SNMP request message sent by the NMS;
If so, the NMS identity is legal and step 47 is entered, in which the community name of the NMS user is authenticated, that is, it is judged whether the community name in the decoded SNMP packet exists in the NMS parameter table configured above, in the entry corresponding to the source IP address above;
If not, step 48 is entered and a community name authentication failure error message is returned;
then the flow returns to step 43, where the SNMP agent receives the next SNMP request message sent by the NMS. If so, the NMS has a genuinely legal identity and step 49 is entered, in which the SNMP request message is processed;
Then, in step 410, the result is returned to the NMS;
and the flow returns to step 43, where the SNMP agent receives the next SNMP request message sent by the NMS.
It was mentioned above that Fig. 3 shows the structure of the NMS parameter table of the preferred embodiment of the invention; the NMS parameter table is now described in detail with reference to Fig. 3:
The NMS parameter table contains: NMS name, NMS IP address, NMS maintenance mode, community name and port number. The NMS maintenance mode comprises an in-band maintenance mode and an out-of-band maintenance mode, where in-band management means a management mode carried over the service channel and out-of-band management means a management mode carried over an Ethernet interface.
In addition, other items can be added according to the actual needs of the system. The structure can be arranged flexibly and is not confined to the structure shown in Fig. 3.
Although the invention has been described by way of embodiments, those of ordinary skill in the art will recognize that the invention admits many variations and modifications that do not depart from its spirit, and it is intended that the appended claims cover such variations and modifications that do not depart from the spirit of the invention.
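The agent-side check of Fig. 4 (steps 44 to 49) run against a table shaped like Fig. 3, as an added Python example that is not code from the patent or from Huawei: it decodes only the header of a raw SNMPv1/v2c message (version, community, PDU tag), looks the sender up by source IP address (of the two identifiers the patent names, the one a standard v1/v2c message actually lets the agent observe), and only then compares the community name against that NMS's own row rather than against any community the agent knows. The table rows, community strings and the build_get_request helper are constructed for illustration.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class NmsEntry:
    """One row of the NMS parameter table (Fig. 3)."""
    name: str
    ip: str
    mode: str        # "in-band" (service channel) or "out-of-band" (Ethernet port)
    community: str
    port: int


# Constructed sample table, keyed by NMS IP address (the lookup key used here).
NMS_TABLE = {
    "10.0.0.5": NmsEntry("nms-primary", "10.0.0.5", "in-band", "s3cr3t-rw", 161),
    "192.168.1.20": NmsEntry("nms-oob", "192.168.1.20", "out-of-band", "oob-ro", 161),
}


def _read_tlv(buf, pos):
    """Parse one BER TLV with a definite length; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_snmp_header(msg):
    """Step 44: return (version, community, pdu_tag) from a raw SNMPv1/v2c message."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag, _, _ = _read_tlv(body, pos)
    return int.from_bytes(ver, "big"), community.decode("ascii", "replace"), pdu_tag


def authenticate(src_ip, msg, table=NMS_TABLE):
    """Steps 45-48: return ("ok", entry) or ("error", reason)."""
    try:
        version, community, _ = decode_snmp_header(msg)
    except (ValueError, IndexError):
        return ("error", "malformed SNMP message")
    if version not in (0, 1):              # SNMPv1 = 0, SNMPv2c = 1
        return ("error", "unsupported SNMP version")
    entry = table.get(src_ip)
    if entry is None:                      # step 46: source not in the table
        return ("error", "illegal NMS")
    # step 47: the community must match the row for *this* NMS, not just any row.
    if not hmac.compare_digest(entry.community.encode(), community.encode()):
        return ("error", "community authentication failed")   # step 48
    return ("ok", entry)                   # step 49: go on to process the PDU


def _tlv(tag, payload):
    """BER-encode a short (<128 byte) TLV; used only to build sample requests."""
    return bytes([tag, len(payload)]) + payload


def build_get_request(community, request_id=1):
    """Build a minimal SNMPv1 GetRequest (empty varbind list) for testing."""
    pdu = _tlv(0xA0, _tlv(0x02, bytes([request_id])) + _tlv(0x02, b"\x00")
               + _tlv(0x02, b"\x00") + _tlv(0x30, b""))
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, community.encode()) + pdu)


if __name__ == "__main__":
    for ip, comm in [("10.0.0.5", "s3cr3t-rw"), ("10.0.0.9", "s3cr3t-rw"),
                     ("10.0.0.5", "oob-ro")]:
        print(ip, comm, "->", authenticate(ip, build_get_request(comm)))
```

The third sample case is the one the patent's ordering buys: a community string that is valid for one NMS row is still rejected when it arrives from a different source address.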

Claims (5)

1. the method for network management security authentication is characterized in that described method comprises step:
Configuration webmaster parameter list, described webmaster parameter list is used to distinguish the identity of webmaster;
Webmaster sends Simple Network Management Protocol (SNMP) request message;
Receive described request message of SNMP sent by network management;
Whether the property parameters of judging the described webmaster identity of expression in the described SNMP request message is present in the described webmaster parameter list, and further comprise: IP address and/or webmaster title to described webmaster are carried out legal authentication; Group's name to described webmaster is carried out legal authentication;
If there is no, then return illegal webmaster error message, and end the SNMP request,
If exist, then handle described SNMP request message, and result is returned to webmaster.
2. the method for network management security authentication as claimed in claim 1 is characterized in that described webmaster parameter list comprises project: webmaster title, webmaster IP address, webmaster maintenance mode, group's name, port numbers.
3. the method for network management security authentication as claimed in claim 2, it is characterized in that, described webmaster maintenance mode comprises: in-band management and outband management, described in-band management represents that the mode that manages by service channel, described outband management represent the mode that manages by Ethernet interface.
4. the method for network management security authentication as claimed in claim 1 is characterized in that the described step that the IP address and/or the webmaster title of described webmaster are carried out legal authentication comprises step:
PDU (protocol Data Unit) according in the described SNMP request message that receives judges whether the IP address of described webmaster and/or webmaster title are present in the described webmaster parameter list,
If exist, then continue to handle described SNMP request,
If there is no, then end described SNMP request, and return the non-existent error message of described webmaster.
5. the method for network management security authentication as claimed in claim 1 is characterized in that the step that described group's name to described webmaster is carried out legal authentication comprises step:
The described SNMP request message that decoding receives;
Judge whether described group name is present in the described webmaster parameter list in the IP address and/or webmaster title respective items with described webmaster,
If exist, then continue to handle described SNMP request,
If there is no, then end described SNMP request, and return described webmaster group name authentification failure error message.
CNB031437915A 2003-08-06 2003-08-06 Network management safety authentication method Expired - Lifetime CN100456689C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB031437915A CN100456689C (en) 2003-08-06 2003-08-06 Network management safety authentication method

Publications (2)

Publication Number Publication Date
CN1581795A CN1581795A (en) 2005-02-16
CN100456689C true CN100456689C (en) 2009-01-28

Family

ID=34579523

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB031437915A Expired - Lifetime CN100456689C (en) 2003-08-06 2003-08-06 Network management safety authentication method

Country Status (1)

Country Link
CN (1) CN100456689C (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100484027C (en) * 2005-09-14 2009-04-29 华为技术有限公司 Network management system and method using simple network management protocol
CN100563246C (en) * 2005-11-30 2009-11-25 华为技术有限公司 A kind of IP-based voice communication boundary safety coutrol system and method
US7877469B2 (en) * 2006-02-01 2011-01-25 Samsung Electronics Co., Ltd. Authentication and authorization for simple network management protocol (SNMP)
CN100420206C (en) * 2006-04-05 2008-09-17 华为技术有限公司 SNMP communication system and method
CN101237443B (en) 2007-02-01 2012-08-22 华为技术有限公司 Method and system for user authentication in management protocol
CN102006178B (en) * 2009-09-03 2013-11-20 电信科学技术研究院 SNMP-based network management method and system
CN101714926B (en) * 2009-11-02 2013-01-30 福建星网锐捷网络有限公司 Method, device and system for managing network equipment
CN102006296B (en) * 2010-11-26 2013-12-11 杭州华三通信技术有限公司 Security certification method and equipment
CN102158363A (en) * 2011-04-26 2011-08-17 中兴通讯股份有限公司 Security protection method and device of simple network management protocol (SNMP)
CN102983986B (en) * 2011-09-06 2017-11-28 中兴通讯股份有限公司 A kind of method and system of network element device authentication management
CN111049674B (en) * 2019-11-25 2021-03-23 三维通信股份有限公司 Network management parameter configuration method, device, equipment and computer readable storage medium
CN113839776B (en) * 2021-11-29 2022-02-15 军事科学院系统工程研究院网络信息研究所 Method and system for safety interconnection protocol between network management and router
CN114844664A (en) * 2022-03-11 2022-08-02 江苏天创科技有限公司 Monitoring system and monitoring method for data security management

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001229098A (en) * 2000-02-17 2001-08-24 Nec Eng Ltd Network monitor system
CN1384642A (en) * 2001-04-29 2002-12-11 华为技术有限公司 Method of adding subscriber's security confirmation to simple network management protocol

Also Published As

Publication number Publication date
CN1581795A (en) 2005-02-16

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term

Granted publication date: 20090128