CN101123493B - Secure inspection method and secure policy server for network access control application system - Google Patents


Info

Publication number: CN101123493B
Authority: CN (China)
Prior art keywords: application system, safety inspection, nac, inspection item, client
Legal status: Active
Application number: CN2007101518319A
Other languages: Chinese (zh)
Other versions: CN101123493A
Inventor: 卢志坚
Current assignee: New H3C Information Technologies Co Ltd
Original assignee: Hangzhou H3C Technologies Co Ltd
Application filed by: Hangzhou H3C Technologies Co Ltd
Landscapes: Storage Device Security (AREA)

Abstract

The present invention discloses a security check method for a NAC application system. The method has three steps: first, the security check items supported by a desktop management (DM) application system are obtained; second, the DM application system is instructed to perform the detection of at least one supported security check item on an access terminal; and finally, the detection result returned by the DM application system is received. By using a universal security-check-item interface between the NAC application system and the DM application system, the invention achieves good generality, convenient extensibility and saving of development cost.

Description

Security check method for a network access control application system, and security policy server
Technical field
The present invention relates to the field of network access control, and in particular to a security check method and a security policy server for a network access control application system.
Background technology
With the continued spread and deepening of network applications, network security has become a problem that every enterprise takes very seriously. A NAC (Network Access Control) application system provides an enterprise with a relatively complete network security solution; examples include H3C's EAD (Endpoint Admission Defense), Cisco's CNAC (Cisco Network Admission Control) and Microsoft's not yet released MS-NAP (Microsoft Network Access Protection).
As shown in Fig. 1, a NAC application system usually comprises an AAA (Authentication, Authorization, Accounting) server 110, a security policy server 120, an access device 130, and NAC client software installed on each access terminal 150. When an access terminal 150 accesses the network through the access device 130, the NAC application system generally applies two levels of control to it: authentication and a security check. Note that each server in Fig. 1 is a logical unit with the corresponding function; depending on the actual network environment, these servers may be realized by a varying number of physical devices.
The NAC application system first authenticates the identity of the user of the access terminal 150 through the AAA server 110. Before the user passes authentication, the access terminal 150 cannot access any other network resource and does not even have a usable IP address. After passing authentication, the user can access a logical isolation area through the access terminal 150 and perform virus database updates, terminal software patch updates and so on there; users in the isolation area cannot communicate with each other.
The security check of the NAC application system is performed by the security policy server 120 together with the NAC client on the access terminal 150. It tests whether the access terminal 150 in the isolation area meets the security requirements, and when the check result shows that it does, the isolation restriction on the access terminal 150 is removed. The security check consists of a number of security check items, for example detecting whether a virus exists on the access terminal 150, or whether the access terminal 150 has opened some specific listening port or is running some specific software.
To achieve better network security, enterprises often want to add various security check items to the check scope of the NAC application system according to their own characteristics, and the detection of some of these items is a function that a DM (Desktop Management) application system already has. As shown in Fig. 1, a DM application system generally comprises a DM server 140 and DM client software installed on the access terminal 150, and can detect one or more security check items on the access terminal 150. Before network access control technology appeared, traditional desktop management application systems such as anti-virus, patch management and software firewalls were already very widely deployed. To protect the existing investment, when an enterprise introduces a NAC application system to strengthen its network security, it may require the NAC application system to cooperate with the DM application systems already in use when performing the security check.
A NAC application system is generally supplied by one network solution provider, who proposes a NAC framework and encourages DM application system providers to integrate into that framework. In the prior art, the NAC framework contains a series of interface specifications for DM application systems, and these interface specifications are related not only to the business function of the DM application system but also to each DM system's specific implementation of that function.
For example, the interface specification between the NAC framework and an anti-virus DM application system contains an interface for obtaining the virus database update date of the anti-virus client on the access terminal; this interface is tied to the anti-virus business function. Thus, for the NAC application system, the anti-virus interface specification is applicable to anti-virus DM application systems developed by different vendors, but not to DM application systems of other types. To integrate a patch management system into the NAC framework, for instance, a new set of interface specifications has to be formulated for patch management. That is, different types of DM systems have different interface specifications; whenever the NAC framework is to support a new class of DM application system, a corresponding set of interface specifications must be formulated, so extensibility is poor.
For the DM application system, since the interface specification in the NAC framework is related to the DM application system's specific implementation, integrating an independent DM application system into the NAC framework requires adaptive development according to that specific implementation, so that the interface specification formulated by the NAC framework is realized on the DM application system side, for example by providing a corresponding dynamic link library.
Taking the case where the DM application system provides a DLL (Dynamic Link Library) as an example, the DLL of each DM application system is usually installed in the NAC application system, providing the NAC application system with a calling interface to the security check functions that the DM application system has. When the NAC application system performs the detection of some security check item, it calls the DLL interface of the DM application system that has the corresponding function, and the module implementing that function in the DM application system detects the access terminal for that security check item.
Because the NAC frameworks formulated by different NAC application system providers are also often tied to their specific implementations, the interface specifications according to which DM application systems are developed have no generality either, and a DM application system has to be developed separately for each different NAC application system.
Summary of the invention
The problem the present invention solves is that in the prior art the generality and extensibility of a NAC application system working together with a DM application system are poor, and a large amount of development work is needed.
The invention provides a security check method for a NAC application system, comprising:
obtaining the security check items supported by a DM application system;
instructing the DM application system to perform the detection of at least one of the security check items it supports on an access terminal;
receiving the detection result returned by the DM application system.
The invention also provides a security check method for a DM application system in network access control, comprising:
receiving an instruction from a NAC application system, the instruction containing at least one security check item to be detected on an access terminal;
performing the detection of said security check item on the access terminal;
returning the detection result to the NAC application system.
The security policy server of a NAC application system disclosed by the invention comprises:
a capability information acquiring unit, for obtaining the security check items supported by a DM application system;
a detection indicating unit, for indicating, according to the information obtained by the capability information acquiring unit, the detection of a security check item and the DM application system that performs said detection;
a detection result unit, for receiving the result of the detection of said security check item.
The DM server of a DM application system provided by the invention comprises:
an instruction receiving unit, for receiving an instruction from a NAC application system, the instruction containing at least one security check item to be detected on an access terminal;
an instruction executing unit, for instructing the DM client on said access terminal to perform the detection of said security check item;
a result reporting unit, for receiving the detection result of the DM client and reporting it to the NAC application system.
The invention also discloses an access terminal comprising the NAC client of a NAC application system and the DM client of a DM application system, wherein:
the NAC client is used to receive the security check item detection indicated by the security policy server together with the DM application system that performs the detection, to instruct the DM client of said DM application system to perform the detection of the security check item, and to report the detection result of the DM client to the security policy server;
the DM client is used to perform the detection of the security check item according to the instruction of the NAC client and to return the detection result to it.
In the present invention, the NAC application system instructs the DM application system which security check items to detect, and the DM application system completes the detection and returns the results. Compared with the prior art, in which the NAC application system calls the underlying functional modules of the DM application system to complete the detection of the corresponding security check item, the invention uses the security check item itself as the interface between NAC application system and DM application system, which is separated from the specific implementation of the functional modules of either system; it therefore has good generality, is easy to extend, and saves development cost.
Description of drawings
Fig. 1: schematic network structure of a NAC application system working together with a DM application system;
Fig. 2: flow chart of security check method embodiment one of the invention;
Fig. 3: flow chart of security check method embodiment two of the invention;
Fig. 4: schematic diagram of the structure of the universal security check classification specification sheet in the application example of the invention;
Fig. 5: schematic diagram of the security check categories and their security check items in the application example of the invention;
Fig. 6: schematic diagram of the security policy setting interface in the application example of the invention;
Fig. 7: structural diagram of NAC application system and DM application system embodiment one of the invention;
Fig. 8: structural diagram of NAC application system and DM application system embodiment two of the invention.
Embodiments
DM application systems have developed over a long time; not only do the kinds and number of security check item detection functions differ between DM application systems, but the implementation of the same detection function also differs greatly. In the prior art the NAC application system calls the detection function modules in the DM application system through a DLL library, so the NAC application system takes part in the DM application system's actual detection of the security check item, and the cooperation of the two application systems has to take each system's specific implementation into account.
In fact, although the specific implementations of different DM application systems differ, for the same security check item the detection functions that different DM application systems provide do not differ much. In the present invention, the NAC application system indicates to the DM application system which security check items it needs the DM application system to detect; the DM application system completes the detection independently according to its own implementation and returns the detection result. In this way the NAC application system can use the corresponding detection function of any DM application system without caring about that DM application system's specific implementation of the function. At the same time, the security check items can be common to all NAC application systems and DM application systems, so the invention has good generality.
Fig. 2 shows the flow of security check method embodiment one of the invention. In this embodiment, the NAC application system comprises a security policy server and NAC clients installed on at least one access terminal, and the DM application system comprises a DM server and a DM client installed on the same access terminal as the NAC client.
Step S210: the security policy server obtains the security check items supported by the DM application system.
The DM server of the DM application system can register with the security policy server at startup, carrying in the registration information the security check items this DM application system supports. Because the security check items supported by a DM application system usually change only when the application system is upgraded, the administrator can also register each DM application system manually on the security policy server and configure the security check items each DM application system supports; these DM application systems then work together with this NAC application system in the security check. The DM server can also inform the security policy server of the items it supports when some other configured condition is met, or the security policy server can query the DM server for this information.
For example, suppose a DM system supports the following security check items; together they constitute the security check capability of this DM system:
forbid Everyone share settings: if a terminal is found to have an Everyone (every user) share, it is considered not to meet the security requirements;
forbid system default shares: if a terminal is found to have system default shares such as C$ (drive C) or D$ (drive D), it is considered not to meet the security requirements;
forbid writable shares: if a terminal is found to provide a writable share, it is considered not to meet the security requirements;
forbid any share setting: if any share, whether readable or writable, is found on a terminal, it is considered not to meet the security requirements;
forbid remote desktop login: if a terminal is found to provide remote desktop login, it is considered not to meet the security requirements;
forbid remote FTP (File Transfer Protocol) access: if a terminal is found to provide remote FTP access, it is considered not to meet the security requirements;
forbid remote Telnet login: if a terminal is found to provide remote Telnet login, it is considered not to meet the security requirements;
forbid Web server service: if a terminal is found to provide a Web server service, it is considered not to meet the security requirements.
In this step, the DM application system can be registered manually on the security policy server, with the administrator configuring the supported security check items listed above on the security policy server; or the DM server of the DM system can send the security policy server a message in a format agreed by both sides, notifying the security policy server of the security check items this DM system supports.
Step S220: determine which security check items the NAC application system will detect and which DM application systems will detect them, that is, generate the security policy of this NAC application system containing the above.
A NAC application system often works together with several DM application systems, whose supported security check items may be the same or different. Based on the security check items each DM system supports, obtained in step S210, the security policy server can manage the security check of the NAC application system centrally and generate the security policy of this NAC application system. The security policy can be customized according to the needs of the real network environment, selecting some or all of the security check items, each to be detected by one or more of the DM application systems that support it.
For example, when DM application system a and DM application system b both support a certain security check item, the security policy server may decide that DM application system a detects the item for some of the users requesting access and DM application system b detects it for the remaining users; or it may decide that DM application system a detects the item for users at first access, and DM application system b monitors users periodically after access, to determine whether a user who has successfully accessed the network continues to satisfy the NAC application system's requirement for this security check item.
When the NAC application system works together with only one DM application system and detects all the security check items it supports, the information obtained in step S210 already constitutes the security policy of the NAC application system, and this step can be omitted.
Step S230: the security policy server issues the security policy to the NAC client on the access terminal, notifying the NAC client of the security check items to be detected and the DM application systems that detect them.
The security policy server can issue different security policies to different users or access terminals, so that different security check items are detected or different DM application systems perform the detection.
Step S240: the NAC client instructs the DM client on this access terminal to perform the detection of the security check items.
For each of the one or more DM application systems involved in the issued security policy, the NAC client sends an instruction to that DM application system's DM client on the same access terminal, instructing it to perform the detection of the security check items that the security policy has assigned to it.
Step S250: the DM client returns the detection result to the NAC client.
After the DM client of the DM application system finishes the detection, it returns the detection result to the NAC client on the same access terminal. Depending on the DM application system's specific implementation, the detection process of some security check items may include automatically repairing an access terminal that does not meet the security requirements.
The detection result returned by the DM application system generally includes the conclusion of whether the access terminal passes the detection of this security check item.
Step S260: the NAC client reports the detection result to the security policy server.
In some cases, such as a security check performed for a user requesting access, the NAC client can compile the detection results of the different DM application systems together and report them to the security policy server at once.
In steps S230 and S240 the NAC application system instructs the DM application system to perform the detection of at least one of its supported security check items on the access terminal; in steps S250 and S260 the instructed DM application system returns the detection result to the NAC application system.
In this embodiment, the security check process is completed by information interaction between the NAC client and one or more DM clients on the same access terminal; no direct interaction between the security policy server and the DM server is needed during the security check.
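As an added illustration of steps S210 to S260 (example code, not code from the patent or from H3C), the following Python sketch simulates the embodiment-one exchange on one access terminal: the security policy server records what each DM system registered, builds a policy that assigns each required item to a DM system supporting it, the NAC client instructs the DM clients, and the compiled report decides whether the terminal leaves the isolation area. The class names, the DM identifiers "AV" and "PatchMgr", the item names and the terminal state are all constructed for this example.

```python
"""Simulated run of the embodiment-one check flow (steps S210 to S260).

Added example, not code from the patent. The classes, message layout and the
two DM systems ("AV", "PatchMgr") are constructed for illustration; a real
deployment carries these messages over the NAC and DM products' own protocols.
"""
from dataclasses import dataclass, field


@dataclass
class DmClient:
    """DM client on the access terminal; performs the actual detection (S250)."""
    dm_id: str
    supported: set
    terminal_state: dict   # constructed: item -> True means the terminal passes

    def run_checks(self, items):
        # A DM system can only be instructed to check items it supports
        unsupported = set(items) - self.supported
        if unsupported:
            raise ValueError(f"{self.dm_id} does not support {sorted(unsupported)}")
        return {item: self.terminal_state.get(item, False) for item in items}


@dataclass
class SecurityPolicyServer:
    registry: dict = field(default_factory=dict)   # dm_id -> supported items (S210)

    def register(self, dm_id, items):
        self.registry[dm_id] = set(items)

    def make_policy(self, required_items):
        """Step S220: assign every required item to a registered DM system that supports it."""
        policy = {}
        for item in required_items:
            for dm_id, supported in self.registry.items():
                if item in supported:
                    policy.setdefault(dm_id, []).append(item)
                    break
            else:
                raise LookupError(f"no registered DM system supports {item!r}")
        return policy

    def decide(self, report):
        """Consumer of the S260 report: leave the isolation area only if every item passes."""
        return all(report.values())


class NacClient:
    """NAC client on the access terminal (steps S240 to S260)."""

    def __init__(self, dm_clients):
        self.dm_clients = {c.dm_id: c for c in dm_clients}

    def run_policy(self, policy):
        """Instruct each DM client named in the policy, then compile one report."""
        report = {}
        for dm_id, items in policy.items():
            report.update(self.dm_clients[dm_id].run_checks(items))
        return report


def run_example():
    """Constructed scenario: AV passes, PatchMgr finds an Everyone share."""
    sps = SecurityPolicyServer()
    sps.register("AV", ["virus_db_current", "no_virus_found"])
    sps.register("PatchMgr", ["critical_patches_installed", "no_everyone_share"])
    policy = sps.make_policy(["virus_db_current", "no_everyone_share"])   # S230 payload
    terminal = NacClient([
        DmClient("AV", {"virus_db_current", "no_virus_found"},
                 {"virus_db_current": True, "no_virus_found": True}),
        DmClient("PatchMgr", {"critical_patches_installed", "no_everyone_share"},
                 {"critical_patches_installed": False, "no_everyone_share": False}),
    ])
    report = terminal.run_policy(policy)
    return policy, report, sps.decide(report)


if __name__ == "__main__":
    print(run_example())
```

The policy server never sees how "AV" or "PatchMgr" implement their checks; it only matches item names against what each DM system registered, which is the separation the patent describes.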
Fig. 3 shows the flow of security check method embodiment two of the invention. In this embodiment, the NAC application system comprises a security policy server, and the DM application system comprises a DM server and DM clients installed on at least one access terminal.
Steps S310 and S320 of this embodiment are the same as steps S210 and S220 of security check method embodiment one; see the description above, which is not repeated here.
Step S330: the security policy server instructs the DM server to perform the detection of the security check items.
For each of the one or more DM application systems involved in the security policy, the security policy server sends an instruction to that DM application system's DM server, specifying that it is to detect at least one of the security check items it supports, namely those the security policy has assigned to this DM system.
Step S340: the DM server instructs the DM client to perform, on the access terminal where it is installed, the detection of the security check items assigned to this DM application system.
Step S350: the DM client reports the detection result for these security check items to the DM server.
Steps S340 and S350 are functions that existing DM application systems already have.
Step S360: the DM server returns the detection result of this DM application system to the security policy server.
Depending on the DM application system's specific implementation, the detection process of some security check items may include automatically repairing an access terminal that does not meet the security requirements. The detection result returned by the DM application system generally includes the conclusion of whether the access terminal passes the detection of this security check item.
The difference between this embodiment and the previous one is that the NAC application system's instruction to the DM application system to detect security check items on the access terminal is realized by steps S330 to S340, and the instructed DM application system's return of the detection result to the NAC application system is realized by steps S350 to S360.
In this embodiment, the security check process is completed by information interaction between the NAC security policy server and one or more DM servers; no direct interaction between the NAC client and the DM client is needed.
The following application example describes one specific implementation recommended by the invention. In this application example, a universal security check classification specification sheet is used as the interface for transmitting security check item information between NAC application system and DM application system. Classifying the security check items that DM application systems support yields the universal classification specification sheet; it contains one or more security check categories, and each category contains one or more security check items.
As shown in Fig. 4, in the universal classification specification sheet each security check item (Item) is organized under its security check category (Category). By analogy with a tree, the security check categories are the root and branches and the security check items are the leaves.
Each security check item in a security check category can be given one binary bit position (ItemID), and the value of that bit in the transmitted information indicates whether the item is designated; at the same time, each security check category is characterized by a CategoryID that corresponds to it. The value of a security check category (CategoryValue), which is the sum of the bit values of all designated security check items in the category, thus shows which items in the category are designated, so the value pair <CategoryID, CategoryValue> represents all the designated security check items in one security check category.
For example, in the universal classification specification sheet of one NAC application system, the security check categories "file sharing settings check" and "remote service provision check" are formed as shown in Fig. 5: the CategoryID of the file sharing settings check is 1000, and the ItemIDs 1, 2, 4 and 8 under it correspond respectively to the security check items forbid Everyone share, forbid system default shares, forbid writable share and forbid any share setting; the CategoryID of the remote service provision check is 1001, and the ItemIDs 1, 2, 4, 8 and 16 under it correspond respectively to forbid remote desktop login, forbid remote FTP access, forbid remote Telnet login, forbid network proxy service and forbid Web Server service.
Thus, in communication between NAC application system and DM application system, the value pair <1000, 1> indicates that the security check item forbid Everyone share is designated, <1000, 2> indicates that forbid system default shares is designated, and <1000, 3> indicates that both items, forbid Everyone share and forbid system default shares, are designated. A DM application system H3C-iChecker that lacks only the function forbid network proxy service among the two security check categories above can represent the security check items it supports with the value-pair set {<1000, 15>, <1001, 23>}.
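The <CategoryID, CategoryValue> bitmask scheme just described, worked through in Python as an added example (not code from the patent or from H3C). The category table is constructed from the Fig. 5 description on this page; the function names are assumptions. It encodes and decodes value pairs, rebuilds the H3C-iChecker capability set from item names, and checks whether a DM system's registered capability covers the items a policy requests, rejecting ItemIDs and bits the specification sheet does not define.

```python
"""<CategoryID, CategoryValue> value-pair encoding from the specification sheet.

Added example, not the patent's code. SPEC is constructed from the page's
Fig. 5 description; encode/decode/capability_set/covers are assumed names.
"""

# CategoryID -> {ItemID (a single bit): item name}, as in Fig. 5
SPEC = {
    1000: {1: "forbid Everyone share", 2: "forbid system default shares",
           4: "forbid writable share", 8: "forbid any share setting"},
    1001: {1: "forbid remote desktop login", 2: "forbid remote FTP access",
           4: "forbid remote Telnet login", 8: "forbid network proxy service",
           16: "forbid Web Server service"},
}


def encode(category_id, item_ids):
    """OR the item bits together; reject an ID that is not a defined ItemID."""
    value = 0
    for item_id in item_ids:
        if item_id not in SPEC[category_id]:
            raise ValueError(f"item {item_id} is not defined in category {category_id}")
        value |= item_id
    return (category_id, value)


def decode(pair):
    """Return the item names designated by one <CategoryID, CategoryValue> pair."""
    category_id, value = pair
    items = SPEC[category_id]
    undefined = value & ~sum(items)          # bits with no ItemID in this category
    if undefined:
        raise ValueError(f"value {value} sets undefined bits {undefined} in {category_id}")
    return [name for bit, name in sorted(items.items()) if value & bit]


def capability_set(supported_names):
    """Build a DM system's value-pair set from the names of the items it supports."""
    pairs = set()
    for category_id, items in SPEC.items():
        bits = [bit for bit, name in items.items() if name in supported_names]
        if bits:
            pairs.add(encode(category_id, bits))
    return pairs


def covers(capability, requested):
    """True if every bit of every requested pair is present in the DM capability."""
    cap = dict(capability)
    return all(cap.get(cid, 0) & val == val for cid, val in requested)


# H3C-iChecker as described on the page: everything except the proxy item
ICHECKER_NAMES = {name for items in SPEC.values() for name in items.values()} - {
    "forbid network proxy service"}
ICHECKER = capability_set(ICHECKER_NAMES)      # {(1000, 15), (1001, 23)}

if __name__ == "__main__":
    print(sorted(ICHECKER), decode((1000, 3)), covers(ICHECKER, [(1001, 8)]))
```

Because each ItemID is a distinct bit, a policy request is a subset test on the registered mask; the `decode` check on undefined bits is what stops a registration or instruction from quietly claiming items that the specification sheet never defined.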
The universal classification specification sheet can be kept on the security policy server as a text file. For example, stored in the file UniversalCategories_cn.ini, its content includes:
[1000]
name=File sharing settings check
1=Forbid Everyone share
2=Forbid system default shares
4=Forbid writable share
8=Forbid any share setting
[1001]
name=Remote service provision check
1=Forbid remote desktop login
2=Forbid remote FTP access
4=Forbid remote Telnet login
8=Forbid network proxy service
16=Forbid Web Server service
The other security check categories and their security check items in the universal classification specification sheet are stored in the file UniversalCategories_cn.ini in the same format and are not listed here.
Before NAC application system and the collaborative work of DM application system, on Security Policy Server, carry out earlier the registration of DM application system.The registration of DM application system is that the safety inspection item of the support of a DM system is informed the NAC application system.Registration DM application system generally comprises:
Register the unique identification of this DM application system, as: MS-WSUS, H3C-iChecker;
Register this DM application system and support which safety inspection item, promptly register value the pair set {<CategoryId-1 of this DM application system, CategoryValue-1 〉,<CategoryId-N, CategoryValue-N〉}, wherein each value is to representing the safety inspection classification and the safety inspection item wherein of this DM application system support.For example, the value of DM application system H3C-iChecker is to being combined into {<1000,15 〉,<1001,23〉}.
A DM application system can be registered simply by importing an XML (eXtensible Markup Language) file such as the following on the Security Policy Server of the NAC application system:
<software id="H3C-iChecker">
<category id="1000" value="15"/>
<category id="1001" value="23"/>
</software>
One NAC application system can register multiple DM application systems, and can also deregister one or more registered DM application systems. To deregister a DM application system, it is only necessary to locate the corresponding XML file by the unique identifier of that DM application system and delete its registration information.
After the registration of the DM application systems is complete, security policies can be set centrally on the Security Policy Server of the NAC application system; the interface can be as shown in Figure 6. When setting the security policy, the administrator can select, according to actual needs, which security check categories are to be detected and which are not; can flexibly select, according to actual needs, all or only part of the security check items supported by a DM application system (for example, the NAC application system may use only the "forbid any share settings" security check item supported by DM application system H3C-iChecker); and can also set, according to actual needs, the concrete action to take when an access terminal fails the detection of a given security check item, such as isolating it or only reminding the user.
In the security policy setting interface shown in Figure 6, the security check categories come from the security check universal classification specification sheet. For each security check category, the administrator first decides whether that category is to be detected (by ticking the check box of the security check category to detect), then decides which DM application system the detection of that category is assigned to (by selecting the corresponding DM application system identifier in the drop-down list to the right of the category name), and finally decides which concrete security check items of that category the DM application system is allowed to detect (by ticking the check boxes of the security check items to detect).
In this way, all security policies can be managed centrally on the Security Policy Server of the NAC application system, making it convenient for the administrator to grasp the security policy settings as a whole; at the same time, in this embodiment each security check category is handed to a single DM application system, which effectively reduces configuration complexity and further improves the convenience of management.
After an access terminal initiates a security check request, the Security Policy Server of the NAC application system sends, according to the configured security policy, the security check items to be performed to the corresponding DM application systems, each in the form of a value pair set. For example, the value pair set {<1000, 7>, <1001, 23>} is distributed to DM application system H3C-iChecker, instructing it to detect the specified security check items; the DM application system then performs the detection on the access terminal.
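The registration and policy dispatch described above, as an added example that is not code from the patent or from H3C: it parses the UniversalCategories_cn.ini specification sheet and the registration XML, validates that a DM application system only registers items the specification defines, and turns a security policy into the value pair sets handed to each DM application system. The CategoryValue encoding (one bit per security check item, as the claims describe: 15 covers items 1, 2, 4 and 8; 23 covers 1, 2, 4 and 16) and all sample values come from the text; the function names, the policy dictionary layout and the translated item names are my own assumptions.

```python
"""Added example, not code from the patent or from H3C: parse the
security-check classification spec (UniversalCategories_cn.ini) and a DM
registration XML file, validate the registration against the spec, and
turn a security policy into the <CategoryId, CategoryValue> pair sets
handed to each DM application system. Bit-per-item encoding and sample
values come from the text; names and the policy layout are assumptions."""
import configparser
import xml.etree.ElementTree as ET

# Constructed from the spec file excerpt in the text (item names translated).
SPEC_INI = """
[1000]
name=File-sharing settings check
1=Forbid Everyone shares
2=Forbid system default shares
4=Forbid writable shares
8=Forbid any share settings

[1001]
name=Remote service provision check
1=Forbid providing remote desktop login
2=Forbid providing remote FTP access
4=Forbid providing remote Telnet login
8=Forbid providing online proxy service
16=Forbid providing Web Server service
"""

# Constructed from the registration XML in the text (attribute values quoted).
REGISTRATION_XML = (
    '<software id="H3C-iChecker">'
    '<category id="1000" value="15"/>'
    '<category id="1001" value="23"/>'
    '</software>'
)


def load_spec(text):
    """Return {category_id: {"name": str, "items": {bit: description}}}.
    Every item id must occupy exactly one binary position."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    spec = {}
    for section in cp.sections():
        items = {int(k): v for k, v in cp[section].items() if k != "name"}
        for bit in items:
            if bit <= 0 or bit & (bit - 1):
                raise ValueError(f"item id {bit} in [{section}] is not a single bit")
        spec[int(section)] = {"name": cp[section]["name"], "items": items}
    return spec


def load_registration(xml_text, spec):
    """Return (dm_id, {category_id: supported_mask}); reject bits the spec
    does not define, so a DM cannot claim checks that have no meaning."""
    root = ET.fromstring(xml_text)
    dm_id = root.get("id")
    caps = {}
    for cat in root.findall("category"):
        cid, value = int(cat.get("id")), int(cat.get("value"))
        defined = sum(spec[cid]["items"])  # mask of all items in this category
        if value & ~defined:
            raise ValueError(f"{dm_id} registers undefined items in category {cid}")
        caps[cid] = value
    return dm_id, caps


def decode_pairs(pairs, spec):
    """Expand a value pair set such as [(1001, 23)] into (cid, bit, description)."""
    return [
        (cid, bit, desc)
        for cid, value in pairs
        for bit, desc in sorted(spec[cid]["items"].items())
        if value & bit
    ]


def build_dispatch(policy, registry):
    """policy:   {category_id: (dm_id, [item bits to check])}, one DM per category
    registry: {dm_id: {category_id: supported_mask}} from load_registration
    Returns {dm_id: [(category_id, value), ...]} and refuses any item the
    chosen DM application system did not register."""
    dispatch = {}
    for cid, (dm_id, bits) in policy.items():
        value = 0
        for bit in bits:
            value |= bit
        supported = registry.get(dm_id, {}).get(cid, 0)
        if value & ~supported:
            raise ValueError(f"{dm_id} does not support items {value & ~supported} of category {cid}")
        dispatch.setdefault(dm_id, []).append((cid, value))
    return dispatch


if __name__ == "__main__":
    spec = load_spec(SPEC_INI)
    dm_id, caps = load_registration(REGISTRATION_XML, spec)
    # Policy matching the text's example: items 1, 2, 4 of 1000 and 1, 2, 4, 16 of 1001.
    policy = {1000: (dm_id, [1, 2, 4]), 1001: (dm_id, [1, 2, 4, 16])}
    for dm, pairs in build_dispatch(policy, {dm_id: caps}).items():
        print(dm, pairs)  # H3C-iChecker [(1000, 7), (1001, 23)]
        for cid, bit, desc in decode_pairs(pairs, spec):
            print(f"  {cid}/{bit}: {desc}")
```

The two validation points are the ones a Security Policy Server should enforce: a registration may not claim bits outside the specification sheet, and a policy may not dispatch an item to a DM application system that never registered it, since the DM would otherwise silently skip it and the terminal would pass a check that was never run.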
The NAC application system can periodically query each DM application system for detection results, or the DM application systems can return detection results on their own. Each DM application system can return the detection result of a security check item in the form of the following four-tuple:
<CategoryId, ItemId, dwRtnVal, strInfo>
where CategoryId and ItemId indicate the security check item within the security check category, i.e. which security check item this detection result corresponds to.
dwRtnVal represents the result of the current detection and can take the following values and meanings:
0: detection completed, meets security requirements;
1: detection completed, does not meet security requirements, automatic repair not supported;
2: detection completed, does not meet security requirements, will be repaired automatically;
3: detection interrupted or cancelled;
4: automatic repair failed;
5: automatic repair interrupted or cancelled;
6: automatic repair completed;
7 and values greater than 7: reserved for later extension.
strInfo can be a string in XML form, used to carry side information about the check result that the value of dwRtnVal cannot fully express. For example, when dwRtnVal is 1 or 2, strInfo may need to carry further details about why the relevant check did not pass.
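The result handling described above, as an added example that is not code from the patent or from H3C: it interprets the <CategoryId, ItemId, dwRtnVal, strInfo> four-tuples with the dwRtnVal meanings listed in the text and decides, for one access terminal, whether the policy is met, applying the per-item "isolate" or "remind" action the text says the administrator can configure. The element layout assumed inside strInfo, the sample results and the ordering of verdicts are my own constructions.

```python
"""Added example, not code from the patent or from H3C: interpret the
<CategoryId, ItemId, dwRtnVal, strInfo> result tuples a DM application
system returns and decide, for one access terminal, whether the policy is
met. dwRtnVal meanings are the ones listed in the text; the strInfo XML
layout, the sample results and the verdict ordering are constructed."""
import xml.etree.ElementTree as ET

# dwRtnVal codes as listed in the text; 7 and above are reserved.
RTN_PASS, RTN_FAIL_NOFIX, RTN_FAIL_AUTOFIX, RTN_CANCELLED = 0, 1, 2, 3
RTN_FIX_FAILED, RTN_FIX_CANCELLED, RTN_FIX_DONE = 4, 5, 6

_COMPLIANT = {RTN_PASS, RTN_FIX_DONE}
_NONCOMPLIANT = {RTN_FAIL_NOFIX, RTN_FIX_FAILED, RTN_FIX_CANCELLED}
_PENDING = {RTN_FAIL_AUTOFIX, RTN_CANCELLED}   # outcome not final yet


def classify(rtn):
    """Map a dwRtnVal to compliant / noncompliant / pending / reserved."""
    if rtn in _COMPLIANT:
        return "compliant"
    if rtn in _NONCOMPLIANT:
        return "noncompliant"
    if rtn in _PENDING:
        return "pending"
    if rtn >= 7:
        return "reserved"   # unknown extension value: never treated as a pass
    raise ValueError(f"invalid dwRtnVal {rtn}")


def parse_str_info(str_info):
    """strInfo is optional XML detail; a constructed <detail> layout is assumed.
    Text that is not well-formed XML is kept raw rather than discarded."""
    if not str_info:
        return {}
    try:
        root = ET.fromstring(str_info)
    except ET.ParseError:
        return {"raw": str_info}
    return {child.tag: (child.text or "") for child in root}


def evaluate_terminal(expected, results, actions):
    """expected: set of (CategoryId, ItemId) the policy asked this terminal's DMs to check
    results:  list of (CategoryId, ItemId, dwRtnVal, strInfo) tuples received so far
    actions:  {(CategoryId, ItemId): "isolate" | "remind"} from the policy; default isolate
    Returns (verdict, per_item) with verdict ordered pass < remind < pending < isolate:
    an item with no final result keeps the terminal pending, and a failed or
    unrecognised result applies the configured action for that item."""
    per_item = {}
    for cid, item, rtn, info in results:
        per_item[(cid, item)] = (classify(rtn), parse_str_info(info))
    rank = {"pass": 0, "remind": 1, "pending": 2, "isolate": 3}
    verdict = "pass"
    for key in expected:
        status = per_item.get(key, ("pending", {}))[0]   # no report yet => pending
        if status == "compliant":
            continue
        outcome = "pending" if status == "pending" else actions.get(key, "isolate")
        if rank[outcome] > rank[verdict]:
            verdict = outcome
    return verdict, per_item


# Constructed sample: four results for one terminal, items from categories 1000/1001.
SAMPLE_RESULTS = [
    (1000, 1, RTN_FAIL_NOFIX,
     "<detail><share>Public</share><reason>Everyone has read access</reason></detail>"),
    (1000, 2, RTN_PASS, ""),
    (1001, 1, RTN_FAIL_AUTOFIX, ""),
    (1001, 16, RTN_FIX_DONE, ""),
]
SAMPLE_EXPECTED = {(1000, 1), (1000, 2), (1001, 1), (1001, 16)}
SAMPLE_ACTIONS = {(1000, 1): "remind", (1001, 1): "isolate"}

if __name__ == "__main__":
    verdict, per_item = evaluate_terminal(SAMPLE_EXPECTED, SAMPLE_RESULTS, SAMPLE_ACTIONS)
    print(verdict)   # pending: item 1 of category 1001 is still being repaired
    for key, (status, info) in sorted(per_item.items()):
        print(key, status, info)
```

Two choices matter for a detection result unit like this: a requested item that never produced a result is treated as pending rather than as passed, and reserved dwRtnVal values fall through to the configured action instead of being ignored, so a DM client that emits a code the server does not understand cannot accidentally admit a terminal.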
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by hardware instructed by a program; the program can be stored in a computer-readable storage medium and, when executed, performs all or part of the steps of the above method embodiments; the storage medium includes ROM/RAM (Read Only Memory/Random-Access Memory), magnetic disk, optical disc and the like.
The structure of embodiment one of the NAC application system and DM application system of the present invention can be as shown in Figure 7. The NAC application system comprises Security Policy Server 400 and NAC client 520 on access terminal 500; Security Policy Server 400 comprises capability information acquiring unit 410, detection indicating unit 420 and detection result unit 430. The DM application system comprises DM client 510 on access terminal 500 and may also comprise a DM server (not shown). Those skilled in the art will appreciate that Security Policy Server 400 can connect to one or more access terminals, and each access terminal can host the DM clients of one or more DM application systems.
Capability information acquiring unit 410 of Security Policy Server 400 is used to obtain the security check items supported by the DM application systems. This information can be configured manually by the administrator through capability information acquiring unit 410, or reported to capability information acquiring unit 410 by the DM server of the DM application system.
Detection indicating unit 420, according to the information obtained by capability information acquiring unit 410, indicates to NAC client 520 on access terminal 500 the security check items to detect and the DM application system that detects them. Detection indicating unit 420 comprises policy determination module 421 and policy distribution module 422. Capability information acquiring unit 410 exports the DM application systems it has obtained and the security check items they support to policy determination module 421; policy determination module 421 determines from this information the security policy of the NAC application system, namely which security check items are to be detected and by which DM application system. Policy distribution module 422 issues the determined security policy to NAC client 520 on access terminal 500; the security policy may differ according to the access terminal or the user. When the NAC application system works with only one DM application system and detects all the security check items it supports, policy determination module 421 can be omitted.
NAC client 520 on access terminal 500 receives the security policy issued by Security Policy Server 400 and thereby learns which DM application systems on access terminal 500 need to perform the detection of which security check items. NAC client 520 sends an instruction to DM client 510 of the DM application system on the same access terminal 500, instructing it to perform the detection of the security check items corresponding to that DM application system. DM client 510 performs the detection of those security check items according to the instruction and returns the detection results to NAC client 520. NAC client 520 reports the detection results returned by DM client 510 to detection result unit 430 of Security Policy Server 400.
Detection result unit 430 receives the detection results of each security check item reported by each access terminal, and thereby learns whether each terminal meets the security requirements of the NAC application system.
The structure of embodiment two of the NAC application system and DM application system of the present invention is shown in Figure 8. The NAC application system comprises Security Policy Server 600, which comprises capability information acquiring unit 410, detection indicating unit 620 and detection result unit 430. The DM application system comprises DM server 700 and access terminal 800, where DM server 700 comprises instruction receiving unit 720, instruction execution unit 730 and result returning unit 730, and may also comprise capability reporting unit 710; access terminal 800 comprises DM client 810 of the DM application system. Similarly, Security Policy Server 600 can connect to one or more access terminals, and each access terminal can host the DM clients of one or more DM application systems.
Capability information acquiring unit 410 of Security Policy Server 400 is used to obtain the security check items supported by the DM application systems. This information can be configured manually by the administrator through capability information acquiring unit 410, or reported to capability information acquiring unit 410 by capability reporting unit 710 of DM server 700.
Detection indicating unit 620, according to the information obtained by capability information acquiring unit 410, instructs DM server 700 to perform the detection of at least one of the security check items it supports. Detection indicating unit 620 comprises policy determination module 421 and detection instruction module 622. Policy determination module 421 determines the security policy of the NAC application system from the information obtained by capability information acquiring unit 410, namely which security check items are to be detected and by which DM application system. According to the security policy, detection instruction module 622 instructs DM server 700 to perform the detection of the security check items that the security policy assigns to the DM application system to which DM server 700 belongs.
Instruction receiving unit 720 of DM server 700 receives the instruction from Security Policy Server 600 and passes it to instruction execution unit 730. Instruction execution unit 730 instructs DM client 810 of this DM application system on access terminal 800 to detect the security check items specified in the instruction from Security Policy Server 600. DM client 810 reports the detection results to result returning unit 740 of DM server 700. Result returning unit 740 returns the security check item detection results of this DM application system to detection result unit 430 of Security Policy Server 600.
Detection result unit 430 receives the security check item detection results reported by DM server 700, and thereby learns whether each terminal meets the security requirements of the NAC application system.
Because security check items are themselves generic, the present invention uses security check items as the interface between the NAC application system and the DM application system, achieving good universality. At the same time, as the checking capabilities of DM systems grow, new security check items only need to be added to the interface; no joint development between the NAC application system side and the DM application system side is required, achieving good extensibility. In addition, the security policy of the NAC application system can be configured centrally on the Security Policy Server, which is convenient for management.
It should be stated that the foregoing summary and embodiments are intended to demonstrate the practical application of the technical solution provided by the present invention and should not be construed as limiting the scope of protection of the present invention. Those skilled in the art can make various modifications, equivalent replacements or improvements within the spirit and principles of the present invention. The scope of protection of the present invention is defined by the appended claims.

Claims (16)

1. A security check method for a network access control (NAC) application system, the NAC application system comprising a Security Policy Server, characterized in that the method performs the following operations by the Security Policy Server:
obtaining the security check items supported by a desktop management (DM) application system;
instructing the DM application system to perform the detection of at least one of its supported security check items on an access terminal;
receiving the detection result returned by the DM application system.
2. The security check method of the NAC application system according to claim 1, characterized in that, before instructing the DM application system to perform the detection of security check items on the access terminal, the method further comprises: determining, among the security check items supported by each DM application system, the security check items that each will detect.
3. The security check method of the NAC application system according to claim 1, characterized in that obtaining the security check items supported by the DM application system further comprises: receiving the supported security check items reported by the DM application system.
4. The security check method of the NAC application system according to any one of claims 1 to 3, characterized in that the NAC application system comprises a NAC client and the DM application system comprises a DM client;
instructing the DM application system to perform the detection of security check items on the access terminal further comprises:
the Security Policy Server issuing a security policy to the NAC client on the access terminal, the security policy comprising the security check items to be detected and the DM application system that detects them;
the NAC client instructing the DM client on the access terminal to perform the detection of the security check items;
receiving the detection result returned by the DM application system further comprises: the NAC client, after receiving the detection result returned by the DM client, reporting it to the Security Policy Server.
5. The security check method of the NAC application system according to any one of claims 1 to 3, characterized in that the DM application system comprises a DM server and a DM client;
instructing the DM application system to perform the detection of security check items on the access terminal further comprises: the Security Policy Server instructing the DM server to perform the detection of the security check items;
receiving the detection result returned by the DM application system further comprises: the Security Policy Server receiving the detection result returned by the DM server.
6. The security check method of the NAC application system according to claim 1, characterized in that the security check items supported by the DM application system are represented by the security check category to which the security check items belong and its value, each security check item in a security check category corresponding to one binary position, with the different values of that position representing whether the DM application system supports the corresponding security check item;
instructing the DM application system to perform the detection of security check items is carried out by the security check category and its value, with the different values of the binary positions representing whether the detection of the corresponding security check item is to be performed.
7. A security check method for a DM application system in network access control, characterized by comprising:
reporting the security check items supported by this DM application system to the NAC application system;
receiving an instruction from the NAC application system, the instruction comprising at least one security check item to be detected on the access terminal;
performing the detection of the security check items on the access terminal;
returning the detection result to the NAC application system.
8. The security check method of the DM application system in network access control according to claim 7, characterized in that the NAC application system comprises a NAC client and the DM application system comprises a DM client;
receiving the instruction from the NAC application system further comprises: the DM client receiving the instruction from the NAC client;
returning the detection result to the NAC application system further comprises: the DM client returning the detection result to the NAC client.
9. The security check method of the DM application system in network access control according to claim 7, characterized in that the NAC application system comprises a Security Policy Server and the DM application system comprises a DM server and a DM client;
receiving the instruction from the NAC application system further comprises: the DM server receiving the instruction from the Security Policy Server;
performing the detection of the security check items on the access terminal further comprises: the DM server instructing the DM client to perform the detection of the security check items on the access terminal where it resides;
returning the detection result to the NAC application system further comprises: the DM server returning the detection result reported by the DM client to the Security Policy Server.
10. The security check method of the DM application system in network access control according to claim 7, characterized in that the security check items comprised in the instruction are represented by the security check category to which the security check items belong and its value, each security check item in a security check category corresponding to one binary position, with the different values of that position representing whether the corresponding security check item is to be detected.
11. A Security Policy Server of a NAC application system, characterized by comprising:
a capability information acquiring unit, used to obtain the security check items supported by the DM application system;
a detection indicating unit, used to indicate, according to the information obtained by the capability information acquiring unit, the security check items to be detected and the DM application system that performs the detection;
a detection result unit, used to receive the results of the detection of the security check items.
12. The Security Policy Server of the NAC application system according to claim 11, characterized in that the detection indicating unit comprises a detection instruction module, used to instruct the DM application system to perform the detection of at least one of its supported security check items;
the detection result unit receives the detection result from the instructed DM application system.
13. The Security Policy Server of the NAC application system according to claim 11, characterized in that the detection indicating unit comprises a policy distribution module, used to issue a security policy to the NAC client of the NAC application system so as to indicate the security check items to be detected and the corresponding DM application system;
the detection result unit receives the detection result from the NAC client.
14. The Security Policy Server of the NAC application system according to any one of claims 12 to 13, characterized in that the detection indicating unit further comprises a policy determination module, used to determine, according to the information obtained by the capability information acquiring unit, the security check items to be detected and the DM application system that detects them.
15. A DM server of a DM application system, characterized by comprising:
a capability reporting unit, used to report the security check items supported by this DM application system to the NAC application system;
an instruction receiving unit, used to receive an instruction from the NAC application system, the instruction comprising at least one security check item to be detected on the access terminal;
an instruction execution unit, used to instruct the DM client on the access terminal to perform the detection of the security check items;
a result reporting unit, used to receive the detection result of the DM client and report it to the NAC application system.
16. An access terminal, characterized by comprising a NAC client of a NAC application system and a DM client of a DM application system, wherein:
the NAC client is used to receive the security check items to be detected and the DM application system that detects them as indicated by the Security Policy Server, to instruct the DM client of the DM application system to perform the detection of the security check items, and to report the detection result of the DM client to the Security Policy Server, wherein the security check items indicated by the Security Policy Server are the security check items supported by the DM application system as reported by the DM application system to the NAC application system;
the DM client is used to perform the detection of the security check items according to the instruction of the NAC client, and to return the detection result to it.
Publications (2)

Publication Number Publication Date
CN101123493A CN101123493A (en) 2008-02-13
CN101123493B true CN101123493B (en) 2011-11-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd.

CP03 Change of name, title or address
TR01 Transfer of patent right

Effective date of registration: 20230625

Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466

Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right