Embodiments
DM application systems have been under development for a long time, and the security check capabilities offered by different DM application systems differ in both kind and number; even for the same security check item, the implementations differ greatly. In the prior art, the NAC application system calls the detection function modules of the DM application system through a DLL library, so the NAC application system takes part in the DM application system's actual detection of the security check items, and the cooperation of the two application systems must take the specific implementation of each application system into account.
In fact, although the specific implementations of different DM application systems differ, the detection capabilities that different DM application systems provide for the same security check item differ little. In the present invention, the NAC application system indicates to the DM application system which security check items it needs the DM application system to detect; the DM application system performs the detection independently according to its own implementation and returns the detection result. In this way the NAC application system can still use the corresponding detection function of the DM application system without having to care how that DM application system implements it. At the same time, security check items can be shared by all NAC application systems and DM application systems, so the present invention has good versatility.
Figure 2 shows the flow of embodiment one of the security detection method of the present invention. In this embodiment, the NAC application system comprises a Security Policy Server and an NAC client installed on at least one access terminal, and the DM application system comprises a DM server and a DM client installed on the same access terminal as the NAC client.
Step S210: the Security Policy Server obtains the security check items supported by the DM application system.
The DM server of the DM application system may register with the Security Policy Server when it starts, carrying in the registration message the security check items that the DM application system supports. Because the security check items supported by a DM application system usually change only when that application system is upgraded, the administrator may instead register each DM application system on the Security Policy Server manually and configure the security check items that each DM application system supports; these DM application systems then cooperate with this NAC application system in the security check. The DM server may also inform the Security Policy Server of the security check items it supports when some other condition is met, or the Security Policy Server may query the DM server for this information.
For example, suppose a DM system supports the following security check items; together they make up the security check capability of this DM system:
Everyone shares forbidden: if a terminal is found to have a share open to Everyone (all users), it is judged not to meet the security requirements;
System default shares forbidden: if a terminal is found to have the system default shares, such as c$ (drive C) or d$ (drive D), it is judged not to meet the security requirements;
Writable shares forbidden: if a terminal is found to provide a writable share, it is judged not to meet the security requirements;
Any share forbidden: if a terminal is found to have any share at all, whether read-only or writable, it is judged not to meet the security requirements;
Remote desktop login forbidden: if a terminal is found to provide remote desktop login, it is judged not to meet the security requirements;
Remote FTP (File Transfer Protocol) access forbidden: if a terminal is found to provide remote FTP access, it is judged not to meet the security requirements;
Remote Telnet login forbidden: if a terminal is found to provide remote Telnet login, it is judged not to meet the security requirements;
Web server service forbidden: if a terminal is found to provide a Web server service, it is judged not to meet the security requirements.
In this step, the administrator may register the DM application system on the Security Policy Server manually and configure the security check items it supports there; alternatively the DM server of the DM system may send the Security Policy Server a message in a format agreed by both sides, notifying it of the security check items this DM system supports.
Step S220: determine which security check items the NAC application system will detect and which DM application system detects each of them, that is, generate the security policy of the NAC application system containing the above.
An NAC application system often cooperates with several DM application systems, and the security check items these DM application systems support may be the same or different. Based on the security check items supported by each DM system, obtained in step S210, the Security Policy Server can centrally manage the security checks of the NAC application system and generate its security policy. The security policy can be customized to the needs of the actual network environment: some or all of the security check items are selected, and each is detected by one of the DM application systems that support it.
For example, when DM application system a and DM application system b both support a certain security check item, the Security Policy Server may decide that DM application system a detects this item for some of the users requesting access and DM application system b detects it for the remaining users; or it may decide that DM application system a detects this item when a user first accesses the network, and DM application system b monitors the user periodically afterwards, to determine whether a user who has already accessed the network successfully continues to satisfy the NAC application system's requirement on this security check item.
When the NAC application system cooperates with only one DM application system and detects all of the security check items it supports, the information obtained in step S210 already yields the security policy of the NAC application system, and this step can be omitted.
Step S230: the Security Policy Server issues the security policy to the NAC client on the access terminal, notifying the NAC client of the security check items to be detected and of the DM application system that detects them.
The Security Policy Server may issue different security policies to different users or access terminals, so that different security check items are detected or the detection is performed by different DM application systems.
Step S240: the NAC client instructs the DM client on the access terminal to detect the security check items.
For the one or more DM application systems involved in the issued security policy, the NAC client sends instructions to the DM clients of those DM application systems on the same access terminal, instructing each of them to detect the corresponding security check items determined by the security policy.
Step S250: the DM client returns the detection result to the NAC client.
After the DM client of the DM application system finishes the detection, it returns the detection result to the NAC client on the same access terminal. Depending on the specific implementation of the DM application system, the detection process of some security check items may also automatically remediate an access terminal that does not meet the security requirements.
The detection result returned by the DM application system generally includes the conclusion of whether the access terminal passed the detection of the security check item.
Step S260: the NAC client reports the detection result to the Security Policy Server.
In some cases, such as when the security check is performed for a user requesting access, the NAC client may collect the detection results of the different DM application systems and report them to the Security Policy Server together.
In steps S230 and S240, the NAC application system instructs the DM application system to detect at least one security check item it supports on the access terminal; in steps S250 and S260, the instructed DM application system returns the detection result to the NAC application system.
In this embodiment, the NAC client and one or more DM clients on the same access terminal exchange information and complete the security check process; no direct interaction between the Security Policy Server and the DM server is needed during the security check.
Figure 3 shows the flow of embodiment two of the security detection method of the present invention. In this embodiment, the NAC application system comprises a Security Policy Server, and the DM application system comprises a DM server and a DM client installed on at least one access terminal.
Steps S310 and S320 of this embodiment are identical to steps S210 and S220 of embodiment one of the security detection method of the present invention respectively; for details see the description above, which is not repeated here.
Step S330: the Security Policy Server instructs the DM server to detect the security check items.
For the one or more DM application systems involved in the security policy, the Security Policy Server sends instructions to the DM servers of those DM application systems, specifying at least one supported security check item that each is to detect; the security policy has assigned the detection of these security check items to this DM system.
Step S340: the DM server instructs the DM client to detect, on the access terminal where it resides, the security check items assigned to this DM application system.
Step S350: the DM client reports the detection results of the above security check items to the DM server.
Steps S340 and S350 are functions that already exist in existing DM application systems.
Step S360: the DM server returns the detection results of this DM application system to the Security Policy Server.
Depending on the specific implementation of the DM application system, the detection process of some security check items may also automatically remediate an access terminal that does not meet the security requirements. The detection result returned by the DM application system generally includes the conclusion of whether the access terminal passed the detection of the security check item.
The difference between this embodiment and the previous one is that the NAC application system's instruction to the DM application system to detect the security check items on the access terminal is realized by steps S330 to S340, and the return of the detection results by the instructed DM application system to the NAC application system is realized by steps S350 to S360.
In this embodiment, the NAC Security Policy Server and one or more DM servers exchange information during the security check process; no direct interaction between the NAC client and the DM client is needed.
A specific implementation recommended by the present invention is described below by way of an application example. In the following application example, a universal security check classification specification sheet is adopted as the interface for passing information about security check items between the NAC application system and the DM application system. The universal security check classification specification sheet is formed by classifying the security check items supported by the DM application systems; it contains one or more security check categories, and each security check category contains one or more security check items.
As shown in Figure 4, in the universal security check classification specification sheet, the security check items (Item) are shown under their security check category (Category). By analogy with a tree, a security check category is the root or a branch, and a security check item is a leaf.
Each security check item within a security check category can occupy one binary bit (ItemID), and the value of that bit indicates whether the security check item is specified in the information being transmitted; at the same time, each security check category can be identified by a CategoryID that corresponds to it. Thus the value of a security check category (CategoryValue), which is the sum of the bit values of all the security check items in that category, shows which security check items in it are specified; that is, the value pair <CategoryID, CategoryValue> represents all the specified security check items of a security check category.
For example, in the universal security check classification specification sheet of an NAC application system, the security check categories "file sharing settings check" and "remote service provision check" may be formed as shown in Figure 5: the CategoryID of the file sharing settings check is 1000, and the ItemIDs 1, 2, 4 and 8 under it correspond respectively to the security check items Everyone shares forbidden, system default shares forbidden, writable shares forbidden and any share forbidden; the CategoryID of the remote service provision check is 1001, and the ItemIDs 1, 2, 4, 8 and 16 under it correspond respectively to the security check items remote desktop login forbidden, remote FTP access forbidden, remote Telnet login forbidden, online proxy service forbidden and Web Server service forbidden.
Thus, in the communication between the NAC application system and the DM application system, the value pair <1000,1> can indicate that the security check item Everyone shares forbidden is specified, the value pair <1000,2> that system default shares forbidden is specified, and the value pair <1000,3> that both security check items Everyone shares forbidden and system default shares forbidden are specified. If a DM application system H3C-iChecker lacks only the security check function online proxy service forbidden among the two security check categories above, the security check items it supports can be represented by the following set of value pairs: {<1000,15>, <1001,23>}.
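A worked example of the value-pair encoding described above, added here and not taken from the patent: the CategoryIDs and ItemID bits are those of Figure 5, the item names are labels assumed from the description, and the capability of H3C-iChecker is the set {<1000,15>, <1001,23>} given above.

```python
# Added example (not from the patent): encoding security check items as
# <CategoryID, CategoryValue> value pairs and checking whether a DM system's
# registered capability covers a requested set of items.
FILE_SHARING = 1000     # CategoryID: file sharing settings check
REMOTE_SERVICE = 1001   # CategoryID: remote service provision check

# One bit (ItemID) per item inside a category; names are assumed labels.
ITEMS = {
    FILE_SHARING: {1: "Everyone shares forbidden", 2: "system default shares forbidden",
                   4: "writable shares forbidden", 8: "any share forbidden"},
    REMOTE_SERVICE: {1: "remote desktop login forbidden", 2: "remote FTP access forbidden",
                     4: "remote Telnet login forbidden", 8: "online proxy service forbidden",
                     16: "Web Server service forbidden"},
}

def encode(category_id, item_ids):
    """Sum the ItemID bits of the specified items into one value pair."""
    value = 0
    for item in item_ids:
        if item not in ITEMS[category_id]:
            raise ValueError(f"unknown ItemID {item} in category {category_id}")
        value |= item
    return (category_id, value)

def decode(pair):
    """Expand a value pair back into the sorted list of specified ItemIDs."""
    category_id, value = pair
    return [item for item in sorted(ITEMS[category_id]) if value & item]

def covers(capability, request):
    """True if every requested item is in the DM system's registered capability.
    Both arguments are {CategoryID: CategoryValue}; a category the DM system
    never registered covers nothing."""
    for category_id, requested in request.items():
        if requested & ~capability.get(category_id, 0):
            return False
    return True

def missing(capability, request):
    """Value pairs for the requested items the DM system cannot detect."""
    return {cid: val & ~capability.get(cid, 0)
            for cid, val in request.items() if val & ~capability.get(cid, 0)}

# H3C-iChecker as registered on the page: everything except online proxy (1001/8).
ICHECKER = {FILE_SHARING: 15, REMOTE_SERVICE: 23}
```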
The universal security check classification specification sheet can be kept on the Security Policy Server as a text file. If it is stored as the file UniversalCategories_cn.ini, its contents include:
[1000]
name=file sharing settings check
1=Everyone shares forbidden
2=system default shares forbidden
4=writable shares forbidden
8=any share forbidden
[1001]
name=remote service provision check
1=remote desktop login forbidden
2=remote FTP access forbidden
4=remote Telnet login forbidden
8=online proxy service forbidden
16=Web Server service forbidden
The other security check categories and their security check items in the universal security check classification specification sheet are also stored in the file UniversalCategories_cn.ini in the above format and are not listed one by one.
Before the NAC application system and the DM application system cooperate, the DM application system is first registered on the Security Policy Server. Registering a DM application system means informing the NAC application system of the security check items that the DM system supports. Registering a DM application system generally comprises:
registering the unique identifier of the DM application system, such as MS-WSUS or H3C-iChecker;
registering which security check items the DM application system supports, that is, registering the set of value pairs {<CategoryId-1, CategoryValue-1>, ..., <CategoryId-N, CategoryValue-N>} of the DM application system, where each value pair represents a security check category and the security check items within it that the DM application system supports. For example, the set of value pairs of DM application system H3C-iChecker is {<1000,15>, <1001,23>}.
A DM application system can be registered simply by importing an XML (eXtensible Markup Language) file such as the following on the Security Policy Server of the NAC application system:
<software id="H3C-iChecker">
<category id="1000" value="15"/>
<category id="1001" value="23"/>
</software>
An NAC application system can register several DM application systems, and can also deregister one or more registered DM application systems. To deregister a DM application system, it suffices to locate the corresponding XML file by the unique identifier of the DM application system and delete the registration information of that DM application system.
After the registration of the DM application systems is completed, the security policy can be set centrally on the Security Policy Server of the NAC application system; its interface may be as shown in Figure 6. When setting the security policy, one can select according to actual needs which security check categories are detected and which are not; one can flexibly select all or part of the security check items supported by a DM application system according to actual needs, for example, the NAC application system adopts the security check item any share forbidden supported by DM application system H3C-iChecker; one can also set according to actual needs the specific action to take when an access terminal fails the detection of a certain security check item, such as isolating the terminal or only issuing a reminder.
In the security policy setting interface shown in Figure 6, the security check categories come from the universal security check classification specification sheet. For each security check category, the administrator first decides whether this security check category is to be detected (by ticking the check box of the security check category to be detected), then decides which DM application system the detection of this security check category is assigned to (by selecting the identifier of the corresponding DM application system in the drop-down list to the right of the security check category name), and finally decides which specific security check items of this category the DM application system is allowed to detect (by ticking the check boxes of the security check items to be detected).
In this way, all security policies can be managed centrally on the Security Policy Server of the NAC application system, which makes it convenient for the administrator to grasp the security policy settings as a whole; in this application example a security check category is handled as a unit when it is assigned to a DM application system, which effectively reduces the complexity of configuration and further improves the convenience of management.
After an access terminal initiates a security check request, the Security Policy Server of the NAC application system can, according to the configured security policy, send the security check items to be detected to the corresponding DM application systems in the form of sets of value pairs. For example, the value pair set {<1000,7>, <1001,23>} is distributed to DM application system H3C-iChecker, instructing it to detect the specified security check items; the DM application system then detects this access terminal.
The NAC application system may periodically query each DM application system for detection results, or the DM application system may return the detection results on its own. Each DM application system can return the detection result of a security check item in the form of the following four-tuple:
<CategoryId, ItemId, dwRtnVal, strInfo>
Here CategoryId and ItemId identify the security check item within a security check category, indicating which security check item this detection result corresponds to.
dwRtnVal represents the result of the current detection and can take the following values and meanings:
0: detection finished, meets the security requirements;
1: detection finished, does not meet the security requirements, automatic remediation not supported;
2: detection finished, does not meet the security requirements, automatic remediation in progress;
3: detection interrupted or cancelled;
4: automatic remediation failed;
5: automatic remediation interrupted or cancelled;
6: automatic remediation finished;
7 and values greater than 7: reserved for later extension.
strInfo can be a character string in XML format, used to carry supplementary information about the check result when the value of dwRtnVal cannot express it fully. For example, when dwRtnVal is 1 or 2, strInfo may need to carry further details of why the detection was not passed.
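The example below is added here and is not code from the patent: it loads a specification sheet in the UniversalCategories_cn.ini format and a registration XML in the format shown above, validates the registration against the sheet, and turns the four-tuples returned for one terminal into a conclusion. The file contents and the result tuples are constructed, and the mapping of dwRtnVal codes to met/failed/pending is an assumption stated in the code, not a rule the page gives.

```python
# Added example, not code from the patent: load the specification sheet
# (UniversalCategories_cn.ini format) and a DM registration XML as the page
# describes them, validate the registration, and turn the four-tuples
# <CategoryId, ItemId, dwRtnVal, strInfo> returned by a DM system into a
# per-terminal conclusion. The sample file contents below are constructed.
import configparser
import xml.etree.ElementTree as ET

SPEC_INI = """\
[1000]
name=file sharing settings check
1=Everyone shares forbidden
2=system default shares forbidden
4=writable shares forbidden
8=any share forbidden
[1001]
name=remote service provision check
1=remote desktop login forbidden
2=remote FTP access forbidden
4=remote Telnet login forbidden
8=online proxy service forbidden
16=Web Server service forbidden
"""
REGISTRATION_XML = ('<software id="H3C-iChecker">'
                    '<category id="1000" value="15"/><category id="1001" value="23"/>'
                    '</software>')
# Constructed results for one terminal checked under policy {<1000,7>, <1001,23>}.
SAMPLE_RESULTS = [
    (1000, 1, 0, ""), (1000, 2, 1, "<info>c$ share present</info>"), (1000, 4, 0, ""),
    (1001, 1, 0, ""), (1001, 2, 0, ""), (1001, 4, 6, ""), (1001, 16, 0, ""),
]

def load_spec(text):
    """{CategoryId: (category name, {ItemId: item name})} from the INI text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    spec = {}
    for section in cp.sections():
        items = {int(k): v for k, v in cp[section].items() if k != "name"}
        spec[int(section)] = (cp[section]["name"], items)
    return spec

def load_registration(xml_text):
    """(DM identifier, {CategoryId: CategoryValue}) from the registration XML."""
    root = ET.fromstring(xml_text)
    caps = {int(c.get("id")): int(c.get("value")) for c in root.findall("category")}
    return root.get("id"), caps

def validate_registration(spec, caps):
    """A registered CategoryValue may only set ItemID bits the spec defines."""
    problems = []
    for cid, value in caps.items():
        if cid not in spec:
            problems.append(f"unknown category {cid}")
        elif value & ~sum(spec[cid][1]):
            problems.append(f"category {cid}: unknown ItemID bits {value & ~sum(spec[cid][1])}")
    return problems

def evaluate(policy, results):
    """Conclusion for one terminal. policy is {CategoryId: CategoryValue} of the
    requested items; results are (CategoryId, ItemId, dwRtnVal, strInfo) tuples.
    Assumed mapping of dwRtnVal (the page lists the codes, not this policy):
    0 and 6 count as met, 1 and 4 as failed, 2/3/5 as pending; reserved values
    (7 and above) and requested items with no result are unknown. Only a
    terminal with nothing failed, pending or unknown is compliant."""
    seen = {(cid, iid): (rtn, info) for cid, iid, rtn, info in results}
    report = {"met": [], "failed": [], "pending": [], "unknown": []}
    for cid, value in policy.items():
        bit = 1
        while bit <= value:
            if value & bit:
                rtn, info = seen.get((cid, bit), (None, ""))
                if rtn in (0, 6):
                    report["met"].append((cid, bit))
                elif rtn in (1, 4):
                    report["failed"].append((cid, bit, info))
                elif rtn in (2, 3, 5):
                    report["pending"].append((cid, bit))
                else:
                    report["unknown"].append((cid, bit))
            bit <<= 1
    report["compliant"] = not (report["failed"] or report["pending"] or report["unknown"])
    return report
```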
One of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by hardware instructed by a program, and that the program can be stored in a computer-readable storage medium; when executed, the program performs all or part of the steps of the above method embodiments. The storage medium includes ROM/RAM (Read-Only Memory/Random-Access Memory), magnetic disks, optical disks, etc.
The structure of embodiment one of the NAC application system and DM application system of the present invention may be as shown in Figure 7. The NAC application system comprises the Security Policy Server 400 and the NAC client 520 on the access terminal 500, and the Security Policy Server 400 comprises a capability information acquiring unit 410, a detection indicating unit 420 and a detection result unit 430; the DM application system comprises the DM client 510 on the access terminal 500 and may also comprise a DM server (not shown). Those skilled in the art will appreciate that the Security Policy Server 400 can be connected to one or more access terminals, and that each access terminal can contain the DM clients of one or more DM application systems.
The capability information acquiring unit 410 of the Security Policy Server 400 is used to obtain the security check items supported by the DM application system. This information may be configured manually by the administrator through the capability information acquiring unit 410, or reported to the capability information acquiring unit 410 by the DM server of the DM application system.
According to the information obtained by the capability information acquiring unit 410, the detection indicating unit 420 indicates to the NAC client 520 on the access terminal 500 the security check items to be detected and the DM application system that detects them. The detection indicating unit 420 comprises a policy determination module 421 and a policy distribution module 422. The capability information acquiring unit 410 outputs the DM application systems it has obtained and the security check items they support to the policy determination module 421, which determines from this information the security policy of the NAC application system, namely which security check items are to be detected and which DM application systems detect them. The policy distribution module 422 issues the determined security policy to the NAC client on the access terminal 500; the security policy may differ for different access terminals or users. When the NAC application system cooperates with only one DM application system and detects all of the security check items it supports, the policy determination module 421 can be omitted.
The NAC client 520 on the access terminal 500 receives the security policy issued by the Security Policy Server 400 and learns which DM application systems on the access terminal 500 need to detect which security check items. The NAC client 520 sends an instruction to the DM client 510 of the DM application system on the same access terminal 500, instructing it to detect the security check items corresponding to that DM application system. The DM client 510 detects the above security check items according to the instruction and returns the detection result to the NAC client 520. The NAC client reports the detection result returned by the DM client to the detection result unit 430 of the Security Policy Server 400.
The detection result unit 430 receives the detection results of the security check items reported by each access terminal and thereby learns whether each terminal meets the security requirements of the NAC application system.
The structure of embodiment two of the NAC application system and DM application system of the present invention is shown in Figure 8. The NAC application system comprises a Security Policy Server 600, which comprises a capability information acquiring unit 410, a detection indicating unit 620 and a detection result unit 430. The DM application system comprises a DM server 700 and an access terminal 800; the DM server 700 comprises an instruction receiving unit 720, an instruction execution unit 730 and a result returning unit 740, and may also comprise a capability information reporting unit 710; the access terminal 800 contains the DM client 810 of the DM application system. Similarly, the Security Policy Server 600 can be connected to one or more access terminals, and each access terminal can contain the DM clients of one or more DM application systems.
The capability information acquiring unit 410 of the Security Policy Server 600 is used to obtain the security check items supported by the DM application system. This information may be configured manually by the administrator through the capability information acquiring unit 410, or reported to the capability information acquiring unit 410 by the capability information reporting unit 710 of the DM server 700.
According to the information obtained by the capability information acquiring unit 410, the detection indicating unit 620 instructs the DM server 700 to detect at least one of the security check items it supports. The detection indicating unit 620 comprises a policy determination module 421 and a detection instruction module 622. From the information obtained by the capability information acquiring unit 410, the policy determination module 421 determines the security policy of the NAC application system, namely which security check items are to be detected and which DM application systems detect them. According to the security policy, the detection instruction module 622 instructs the DM server 700 to detect the security check items that the security policy has assigned to the DM application system to which the DM server 700 belongs.
The instruction receiving unit 720 of the DM server 700 receives the instruction of the Security Policy Server 600 and passes it to the instruction execution unit 730. The instruction execution unit 730 instructs the DM client 810 of this DM application system on the access terminal 800 to detect the security check items specified in the instruction of the Security Policy Server 600. The DM client 810 reports the detection result to the result returning unit 740 of the DM server 700. The result returning unit 740 returns the security check item detection results of this DM application system to the detection result unit 430 of the Security Policy Server 600.
The detection result unit 430 receives the security check item detection results reported by the DM server 700 and thereby learns whether each terminal meets the security requirements of the NAC application system.
Because security check items are themselves universal, the present invention uses the security check items as the interface between the NAC application system and the DM application system, achieving good versatility. At the same time, as the check capabilities of DM systems grow richer, new security check items only need to be added to the interface, without the NAC application system side and the DM application system side having to develop in coordination, achieving good extensibility. In addition, the security policy of the NAC application system can be configured centrally on the Security Policy Server, which is convenient for management.
It should be stated that the above summary and embodiments are intended to demonstrate the practical application of the technical solution provided by the present invention and should not be construed as limiting the scope of protection of the present invention. Those skilled in the art may make various modifications, equivalent replacements or improvements within the spirit and principles of the present invention. The scope of protection of the present invention is defined by the appended claims.