CN102195991A - Terminal security management and authentication method and system - Google Patents


Info

Publication number: CN102195991A
Authority: CN (China)
Prior art keywords: terminal, authentication, information, management, user
Legal status: Pending
Application number: CN2011101761519A
Other languages: Chinese (zh)
Inventors: 焦利, 郑治国, 韩兴宇, 刘赛
Current assignee: LIAONING GOETHINK TECHNOLOGY Co Ltd
Original assignee: LIAONING GOETHINK TECHNOLOGY Co Ltd
Application filed by LIAONING GOETHINK TECHNOLOGY Co Ltd
Priority to CN2011101761519A
Publication of CN102195991A

Landscapes: Small-Scale Networks (AREA)

Abstract

The invention discloses a security management and authentication method and system. The system comprises a terminal manager, which in turn comprises an identity authentication service chip/module, a policy management service chip/module and an alarm platform. The identity authentication service chip/module authenticates the identity of a terminal and returns an authentication response message to the terminal once it has passed identity authentication. The policy management service chip/module comprises a memory/module that stores the management policies corresponding to different users and terminals, and a management policy configuration chip/module that receives the system administrator's commands in order to manage and maintain the management policies in the management policy database module. The alarm platform sends alarms to maintenance personnel. The security management method is implemented by adding the user information, the password corresponding to the user information, the terminal's inherent feature information and the usage privilege requested by the user to the transmitted authentication request message.

Description

Terminal security management and authentication method and system
[technical field]
The present invention relates to the technical field of terminal security management, and in particular to a terminal security management and authentication method and system.
[background technology]
With the development of information technology, people's work and life depend more and more on computers and networks. Yet from the day networks were born they have carried a major hidden danger, the security problem: while enjoying the convenience that networks bring, people have had to bear the troubles that network security problems cause.
When network security is mentioned, people naturally think of network perimeter security, but in practice most of a network's security risks come from inside. Conventional defensive measures are usually confined to gateway-level, network-boundary defences; the important security devices (firewalls, IDS, vulnerability scanners) are largely concentrated in the machine room or at the network entrance, and close monitoring of these devices greatly reduces the threats coming from outside the network. By contrast, security threats from computers inside the network remain the thorny problem that many security administrators face.
Existing companies' security management of shared on-site equipment has gaps. Equipment in a public area may be used by anyone in the company, and the usual approach is to assign one shared public account. This scheme has a drawback: it is impossible to know exactly who is using the equipment, which is unfavourable to protecting resources.
Therefore an internal-network terminal management system and method are urgently needed to solve the above problems.
[summary of the invention]
To overcome the defects in the prior art, the invention provides a terminal security management method and system that improve terminal security by strengthening user authentication and classified management, and in particular provides an authentication method.
An authentication method for use in a local area network terminal security management method, characterised in that a terminal manager is provided in the local area network, the terminal manager comprising an identity authentication service chip/module, a policy management service chip/module and an alarm platform, and that the method comprises the following steps:
Step A1: the terminal is started and, before entering the terminal's operating system, sends an authentication request message over the local area network; the message contains the user information, the password corresponding to the user information, the inherent feature information of the terminal and the usage privilege requested by the user.
Step A2: after the terminal manager receives the authentication request it hands it to the identity authentication service chip/module; the authentication server reads the user information, the password corresponding to the user information, the inherent feature information and the usage privilege requested by the user from the request message, checks whether the user name contained in the user information belongs to a legitimate user, and checks the inherent feature information to judge whether the terminal is a legitimate terminal; if it is both a legitimate user and a legitimate terminal, step A3 follows, otherwise a corresponding alarm is raised and the authentication is refused.
Step A3: if it is a legitimate user and a legitimate terminal, the identity authentication service chip/module reads the user's policy information from the memory/module and judges from that policy information whether the user has the authority to use this terminal; if so, step A4 follows, otherwise the authentication is refused.
Step A4: if the user has the authority to use this terminal, the identity authentication service chip/module judges whether the usage privilege requested in the request message is consistent with the user information and the terminal's inherent feature information; if not, the authentication is refused, otherwise authentication passes and the terminal manager returns an authentication-pass message to the terminal.
Step A5: the terminal manager configures and manages the terminal according to the management policy corresponding to the user information and terminal stored in the memory of the policy management service chip/module, and the terminal's operating system completes start-up.
Preferably, the method further comprises: raising a corresponding alarm and refusing the authentication in step A2 specifically means that, if the user name in the user information is an illegitimate user or the terminal is an illegitimate terminal, the authentication request message is refused directly and alarm information is sent to the alarm platform, the alarm information containing the terminal's inherent feature information and the user information.
An authentication method for use in a local area network terminal security management method, characterised in that a terminal manager is provided in the local area network and that the method comprises the following steps:
Step A1: the terminal is started and, before entering the terminal's operating system, sends an authentication request message over the local area network; the message contains the user information, the password corresponding to the user information, the inherent feature information of the terminal and the usage privilege requested by the user.
Step A2: after the terminal manager receives the authentication request it reads the user information, the password corresponding to the user information, the inherent feature information and the usage privilege requested by the user from the request message, checks whether the user name contained in the user information belongs to a legitimate user, and checks the inherent feature information to judge whether the terminal is a legitimate terminal; if it is both a legitimate user and a legitimate terminal, step A3 follows, otherwise a corresponding alarm is raised and the authentication is refused.
Step A3: if it is a legitimate user and a legitimate terminal, the terminal manager judges from the user's policy information whether the user has the authority to use this terminal; if so, step A4 follows, otherwise the authentication is refused.
Step A4: if the user has the authority to use this terminal, the terminal manager judges whether the usage privilege requested in the request message is consistent with the user information and the terminal's inherent feature information; if not, the authentication is refused, otherwise authentication passes and the terminal manager returns an authentication-pass message to the terminal.
Step A5: the terminal manager configures and manages the terminal according to the stored management policy corresponding to the user information and terminal, and the terminal's operating system completes start-up.
Wherein the inherent feature information of the terminal is: terminal name, IP address, MAC address, hardware configuration information and software information. Preferably, the software information is the operating system type/version and the installed software list, and the hardware information is the CPU model, memory size, hard disk model and size, and device interfaces.
A local area network terminal security management system, characterised in that the security management system comprises a terminal manager, the terminal manager comprising: an identity authentication service chip/module, used to provide identity authentication for terminals and, after a terminal has passed authentication, to return an authentication response message to that terminal; a policy management service chip/module, comprising a memory/module used to store the management policies corresponding to different users and terminals, and also a management policy configuration chip/module used to receive the system administrator's commands and to manage and maintain the management policies in the management policy database module; and an alarm platform, used to send alarms to maintenance personnel.
A local area network terminal security management system, characterised in that the security management system comprises three platforms: a terminal management engine, a policy centre and an overview display. The terminal management engine platform is used to export identity information and asset information upwards, to provide a basic unified alarm and response engine for each functional module to call, and to complete the authentication of the terminal, the user and the privilege the user expects. The policy centre platform is used to manage all terminal management functional modules, to call the identity management information and asset information of the basic platform, to store the management policies corresponding to different users and terminals, and to receive the system administrator's commands and manage and maintain the management policies in the management policy database module. The overview display platform is used to collect the asset information and all security events of all terminals, to display them in a unified way, and to alarm on and respond to the security events that each functional module produces during management.
[description of drawings]
Fig. 1 is a functional schematic of a security manager of the invention.
Fig. 2 is a schematic of the management the invention provides for a terminal on access.
[embodiment]
How the invention is implemented is described in detail below with reference to the drawings.
The terminal security management system of the invention comprises: a plurality of terminals connected to the intranet; a switch or router connected to the local area network, which provides access for the terminals; and a terminal manager system connected to the local area network, which performs security management of the terminals through the switch or router.
The local area network is a wired Ethernet LAN or a wireless LAN conforming to the 802.1X series of standards. Preferably, different usage privileges are set in the terminal's system: for an ordinary employee the computer has limited privileges, meaning that the user of the computer has only power-user rights, i.e. can use only part of the system's functions and programs and has no administrator rights. In the invention, when the user starts a terminal and connects it to the LAN, the user must enter the usage privilege they expect, and user authentication and terminal management are completed according to that privilege.
When a terminal connects to the LAN it sends authentication information over the LAN to the switch or router. This information contains at least the user information, the terminal's inherent feature information and the user's privilege information (power user & username, or administrator user & username). The terminal's inherent feature information is the terminal name, IP address, MAC address, hardware configuration information (CPU model, memory, hard disk model and size, device interfaces) and software information (operating system type/version, installed software list); the user information is the user's organisation, post, contact details and the like. The switch or router forwards this information to the terminal manager system for authentication.
The terminal manager comprises: an identity authentication service chip/module, used to provide identity authentication for terminals and, after a terminal has passed authentication, to return an authentication response message to that terminal, the response message containing a session key; a policy management service chip/module, comprising a memory/module used to store the management policies corresponding to different users and terminals, and also a management policy configuration chip/module used to receive the system administrator's commands and to manage and maintain the management policies in the management policy database module; and an alarm platform, used to send alarms to maintenance personnel.
The authentication flow is as follows:
A1: The terminal starts and, before entering its operating system, sends an authentication request message over the LAN; the message contains the user information, the password corresponding to the user information, the terminal's inherent feature information and the usage privilege requested by the user.
A2: After the terminal manager receives the authentication request it hands it to the identity authentication service chip/module. The authentication server reads the user information, the password corresponding to the user information, the inherent feature information and the usage privilege requested by the user from the request message, checks whether the user name in the user information belongs to a legitimate user, and checks the inherent feature information to judge whether the terminal is a legitimate terminal; if it is both a legitimate user and a legitimate terminal, step A3 follows, otherwise a corresponding alarm is raised and the authentication is refused. The user information may be only a user name or a unique account number assigned to the user, or may also include details such as department, post and office telephone.
Preferably, raising the corresponding alarm and refusing the authentication works as follows:
If the user is an illegitimate user or the terminal is an illegitimate terminal, the authentication request message is refused directly and alarm information is sent to the alarm platform, the alarm information containing the terminal's inherent feature information and the user name.
A preferred way of judging whether the user is legitimate is to check directly whether the user is registered in the terminal manager and whether the user name and password are correct.
There are many preferred ways of judging whether the terminal is illegitimate, for example checking whether the terminal's MAC address is registered in the terminal manager system, which can further be combined with the terminal's hardware information and the software running on it. The alarm information contains the user name and the terminal's inherent feature information and can be shown on the alarm platform, prompting maintenance or monitoring staff to carry out corresponding manual verification to further ensure security.
A3: If it is a legitimate user and a legitimate terminal, the identity authentication service chip/module reads the user's policy information from the memory/module and judges from that policy information whether the user has the authority to use this terminal; if so, step A4 follows, otherwise the authentication is refused.
In this way no account needs to be configured on a terminal device (such as a computer) in a public area. When someone uses a public computer they enter their own user name (for example their name) and password when logging on, and can use the computer only after authentication passes, so it is known exactly who is using the public computer.
A4: If the user has the authority to use this terminal, the identity authentication service chip/module judges whether the usage privilege requested in the request message is consistent with the user information (user name or account number) and the terminal's inherent feature information; if not, the authentication is refused, otherwise authentication passes and the terminal manager returns an authentication-pass message to the terminal.
In a LAN, different devices may store data of different security classes, and not every terminal may be used by every employee. The invention therefore configures different security classes for different terminals, so that only the corresponding users have the corresponding usage privileges, which improves both the efficiency of use and the security of devices inside the LAN.
In this way the usage privileges of all terminals in the LAN can be configured in one operational database, the users of terminals can be recorded during monitoring, configuration and management are simplified, and terminal security is improved.
A user who may not browse any information on the terminal has already been rejected in step A3. In step A4, if the user is rejected because the requested usage privilege is too high, the user nonetheless has at least the minimum privilege of browsing the terminal's data; therefore, if the authentication is refused in step A4, the user may be allowed to choose whether to complete start-up of the terminal with the minimum privilege and use only the data that the minimum privilege allows, for example only the right to browse files of a particular category.
A5: The terminal manager configures and manages the terminal according to the management policy corresponding to the user name and terminal stored in the memory of the policy management service chip/module, and the terminal's operating system completes start-up.
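The decision the terminal manager makes in steps A2 to A5, as an added example that is not part of the patent and does not describe the assignee's product. It models the server side only: the request message, the user registry, the terminal registry keyed by MAC address, the per-(user, terminal) policy, the alarm record and the minimum-privilege fallback of step A4. The record layouts, the salted PBKDF2 password storage, the choice of feature fields compared in A2 and the sample users and terminal are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Privilege names from the description; power user is the minimum privilege (assumed ranking)
PRIVILEGE_RANK = {"power_user": 1, "administrator": 2}
MIN_PRIVILEGE = "power_user"
# Inherent feature fields compared against the registry in A2 (assumed subset of the list in the text)
FEATURE_FIELDS = ("name", "os", "cpu")


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the manager stores a verifier rather than the password (assumed design)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class TerminalManager:
    users: dict = field(default_factory=dict)      # username -> {"salt", "hash"}
    terminals: dict = field(default_factory=dict)  # MAC address -> registered inherent features
    policies: dict = field(default_factory=dict)   # (username, terminal name) -> highest allowed privilege
    alarms: list = field(default_factory=list)     # records handed to the alarm platform

    def register_user(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = {"salt": salt, "hash": hash_password(password, salt)}

    def register_terminal(self, features: dict) -> None:
        self.terminals[features["mac"]] = dict(features)

    def grant(self, user: str, terminal_name: str, max_privilege: str) -> None:
        self.policies[(user, terminal_name)] = max_privilege

    def _alarm(self, level: str, request: dict, reason: str) -> None:
        # Alarm information carries the terminal's inherent features and the user name (A2 preference)
        self.alarms.append({"level": level, "reason": reason,
                            "user": request["user"], "terminal": dict(request["terminal"])})

    def authenticate(self, request: dict) -> dict:
        features = request["terminal"]
        # A2: legitimate user (registered and password correct) and legitimate terminal
        #     (MAC registered and the recorded hardware/software features unchanged)
        user = self.users.get(request["user"])
        user_ok = user is not None and hmac.compare_digest(
            user["hash"], hash_password(request["password"], user["salt"]))
        registered = self.terminals.get(features.get("mac"))
        terminal_ok = registered is not None and all(
            registered.get(k) == features.get(k) for k in FEATURE_FIELDS)
        if not (user_ok and terminal_ok):
            # Red is the highest alarm level in the description's four-level scheme
            self._alarm("red", request, "illegal user" if not user_ok else "illegal terminal")
            return {"status": "rejected", "step": "A2"}
        # A3: does the stored policy give this user any right to use this terminal at all?
        max_privilege = self.policies.get((request["user"], features["name"]))
        if max_privilege is None:
            return {"status": "rejected", "step": "A3"}
        # A4: the requested privilege must not exceed what the policy allows; if it does,
        #     refuse but offer the minimum-privilege start-up the description allows here
        requested = request["requested_privilege"]
        if PRIVILEGE_RANK.get(requested, 99) > PRIVILEGE_RANK[max_privilege]:
            return {"status": "rejected", "step": "A4", "offer_min_privilege": MIN_PRIVILEGE}
        # A5: pass; the response carries a session key and the policy applied at start-up
        return {"status": "ok", "privilege": requested,
                "session_key": secrets.token_hex(16),
                "policy": {"terminal": features["name"], "max_privilege": max_privilege}}


def demo_auth():
    """Constructed registry and requests exercising every branch of the flow."""
    tm = TerminalManager()
    tm.register_user("alice", "correct horse")
    tm.register_user("bob", "battery staple")
    tm.register_user("carol", "no policy yet")
    pc = {"name": "pc-01", "mac": "00:11:22:33:44:55", "os": "Windows 7 SP1", "cpu": "Intel i5-2400"}
    tm.register_terminal(pc)
    tm.grant("alice", "pc-01", "administrator")
    tm.grant("bob", "pc-01", "power_user")

    def req(user, password, privilege, terminal=pc):
        return {"user": user, "password": password, "terminal": terminal, "requested_privilege": privilege}

    results = {
        "alice_admin": tm.authenticate(req("alice", "correct horse", "administrator")),
        "bob_admin": tm.authenticate(req("bob", "battery staple", "administrator")),
        "bob_power": tm.authenticate(req("bob", "battery staple", "power_user")),
        "bad_password": tm.authenticate(req("alice", "wrong", "power_user")),
        "rogue_mac": tm.authenticate(req("alice", "correct horse", "power_user", dict(pc, mac="de:ad:be:ef:00:01"))),
        "carol_no_policy": tm.authenticate(req("carol", "no policy yet", "power_user")),
    }
    return tm, results


if __name__ == "__main__":
    manager, outcome = demo_auth()
    for name, result in outcome.items():
        print(name, result["status"], result.get("step", "A5"))
    print("alarms:", [(a["level"], a["reason"]) for a in manager.alarms])
```

The request carries the password in clear, as the claim text describes; this model assumes the LAN exchange is protected by the 802.1X access path the description relies on and does not itself secure the channel. A practitioner would also note that the MAC address and the other inherent features are self-reported by the terminal, which is why the description suggests combining them with hardware and software information rather than relying on the MAC alone.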
Of course, the above is only a preferred authentication flow. The terminal management server may use the structure described above or another structure, or an independent computer may carry out the above authentication flow, in which case the functions of the identity authentication service chip/module, the policy management service chip/module and the alarm platform are all provided or executed by that one independent computer.
In a further preferred form the alarm platform may be an independent server or a module integrated into the terminal manager. Every item of alarm information is recorded on the alarm server/module, sorted into categories and displayed. As soon as an intrusion or unauthorised access to a resource of a given security class is found, the alarm information is displayed immediately and the alarm is raised at the highest level. For example, the alarm levels may be set as red alarm, orange alarm, orange-yellow alarm and yellow alarm, where red is the highest level and yellow the lowest. The alarm platform also has a logging module that records all alarm types.
After authentication passes, the use of the terminal must also be monitored and controlled while the user is using it; this is described in detail below.
The foregoing describes only the authentication flow, but the management of a terminal is not finished once authentication has passed: the terminal must be managed and supervised while the user is using it. For this the terminal manager's functions are extended, and it can be divided into three platforms, a terminal management engine, a policy centre and an overview display, as shown in Fig. 1. The terminal management engine is the critical support platform and the basic platform that carries all terminal management; it exports identity information and asset information upwards, provides a basic unified alarm and response engine for each functional module to call, and completes the authentication of the terminal, the user and the privilege the user expects; it corresponds to the identity authentication service chip/module. The policy centre is responsible for all terminal management functional modules, calls the basic platform's identity management information and asset information, stores the management policies corresponding to different users and terminals, and also includes a management policy configuration chip/module that receives the system administrator's commands and manages and maintains the management policies in the management policy database module; it corresponds to the policy management service chip/module. The overview display platform collects the asset information and all security events of all terminals, displays them in a unified way, and alarms on and responds to the security events that each functional module produces during management. At the same time, through network-wide linkage, the information and events of other security management systems are linked into the system, so that alarm and response on the terminal are unified.
All functions of the system are issued to clients as policies and executed as instructions. A policy itself contains all the management requirements of each function, giving the administrator fine-grained control; rich default settings offer convenience, and the administrator can adopt a large number of defaults and easily complete the settings for each policy.
Besides the policy element above, two further elements are described in detail as follows.
The system provides management of policy priority: the administrator can set policies at different levels, the policies are sorted by priority, and when policies conflict the higher-priority policy overrides the lower-priority one.
The system provides scene-based security management policies: the administrator can set different scenes, for example different policies for working time and rest time; a policy set for working time does not take effect during rest time, and the policy of the rest-time scene does not take effect during working time.
Client operations that violate a policy can trigger alarms in a variety of ways and notify the administrator to handle them, for example by the file name or asset type that triggered the alarm. The terminal and intranet security management system can set separate policies for the terminal's two states, online and offline. A client is online when it can connect to and communicate with the server, and offline when it cannot communicate with the server. Setting different policies for the online and offline states provides more flexible and practical management for devices that are frequently used for mobile work (such as notebooks).
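A policy resolver covering the three elements just described (priority override on conflict, working-time versus rest-time scenes, and online versus offline state), with the violation check that feeds the alarm and response path. This is an added example, not the patent's or the assignee's code; the policy record layout, the 09:00 to 18:00 working time, the setting names (`usb_storage`, `web_whitelist_only`, `response_on_violation`) and the sample policies are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional


@dataclass
class Policy:
    name: str
    priority: int                   # higher priority overrides lower on conflicting settings
    scene: Optional[str] = None     # "work" or "rest"; None applies in any scene
    state: Optional[str] = None     # "online" or "offline"; None applies in either state
    settings: dict = field(default_factory=dict)


def scene_for(now: datetime, work_start: time = time(9, 0), work_end: time = time(18, 0)) -> str:
    """Map a timestamp to the 'work' or 'rest' scene (assumed 09:00-18:00 working time)."""
    return "work" if work_start <= now.time() < work_end else "rest"


def scene_for_hhmm(hhmm: str) -> str:
    """Convenience wrapper taking a clock time such as '10:30'."""
    return scene_for(datetime.strptime(hhmm, "%H:%M"))


def effective_settings(policies, scene: str, state: str):
    """Merge every policy that applies in this scene and state, lowest priority first,
    so that a higher-priority policy overwrites a lower one on conflicting keys.
    Returns (merged settings, which policy supplied each key)."""
    applicable = [p for p in policies if p.scene in (None, scene) and p.state in (None, state)]
    merged, provenance = {}, {}
    for policy in sorted(applicable, key=lambda p: p.priority):
        for key, value in policy.settings.items():
            merged[key] = value
            provenance[key] = policy.name
    return merged, provenance


def check_event(settings: dict, event: dict):
    """Return None if the client event is allowed, else the violation and the response
    the terminal should apply (response names from the description's list)."""
    violated = None
    if event["type"] == "usb_storage_attached" and settings.get("usb_storage") == "deny":
        violated = "usb_storage"
    elif (event["type"] == "web_access" and settings.get("web_whitelist_only")
          and event["host"] not in settings.get("web_whitelist", ())):
        violated = "web_whitelist_only"
    if violated is None:
        return None
    return {"violated": violated, "event": event,
            "response": settings.get("response_on_violation", "desktop_message"),
            "report_to_server": True}


def demo_policies():
    """Constructed policy set: a baseline, scene-specific rules, a lower-priority exception
    that the work-hours rule overrides, and a stricter rule for offline notebooks."""
    return [
        Policy("baseline", 0, settings={"usb_storage": "allow", "web_whitelist_only": False,
                                        "web_whitelist": ("intranet.example",),
                                        "response_on_violation": "desktop_message"}),
        Policy("admin-exception", 5, scene="work", settings={"usb_storage": "allow"}),
        Policy("work-hours", 10, scene="work", settings={"usb_storage": "deny", "web_whitelist_only": True}),
        Policy("rest-hours", 10, scene="rest", settings={"web_whitelist_only": False}),
        Policy("offline-laptop", 20, state="offline", settings={"usb_storage": "deny",
                                                                 "response_on_violation": "lock_terminal"}),
    ]


if __name__ == "__main__":
    policies = demo_policies()
    for scene, state in (("work", "online"), ("rest", "online"), ("work", "offline")):
        merged, source = effective_settings(policies, scene, state)
        print(scene, state, merged["usb_storage"], "<-", source["usb_storage"])
    work_online, _ = effective_settings(policies, scene_for_hhmm("10:30"), "online")
    print(check_event(work_online, {"type": "usb_storage_attached"}))
```

The merge applies policies in ascending priority so the last write wins; a policy whose scene or state does not match is skipped entirely, which is the "does not take effect" behaviour in the text. The provenance map is what an administrator needs when a terminal reports a violation and the question is which of the conflicting policies actually produced the setting.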
The system provides a complete log service in the form of policies. The log content covers the logs of all the functions below and the logs of all operations the administrator performs on the server through the console.
Through automatic registration and management checks, the asset inventory, hardware and software configuration information and user information of all kinds of terminal computers are recorded as the basic foundation of terminal security management. Asset content includes: terminal name, IP address, MAC address, hardware configuration information (CPU, memory, hard disk, device interfaces), software information (operating system type/version, installed software list), user information (name, organisation, post, contact details) and so on.
At the same time, asset changes are managed: whether anything on the terminal computer has changed is discovered in time, and illegal asset changes are handled automatically.
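The asset-change check the two paragraphs above describe, as an added example that is not part of the patent or the assignee's product: a registered inventory is compared with a fresh report from the terminal, field changes and software additions and removals are listed, and the change is classified as benign (baseline updated) or illegal (alarm and isolation). The inventory fields follow the list in the text; the rule that the MAC address, CPU and hard disk may not change without re-registration, the approved-software list and the sample inventories are assumptions made for the example.

```python
import hashlib
import json

# Asset fields named in the description
HARDWARE_FIELDS = ("name", "ip", "mac", "cpu", "memory", "disk", "interfaces")
# Assumed rule: these identify the machine and may not change without re-registration
LOCKED_FIELDS = ("mac", "cpu", "disk")


def fingerprint(inventory: dict) -> str:
    """Stable digest of an inventory record for a quick 'has anything changed' comparison.
    The software list is sorted so that reporting order does not count as a change."""
    normalised = dict(inventory, software=sorted(inventory.get("software", [])))
    canonical = json.dumps(normalised, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_inventory(baseline: dict, current: dict):
    """List changed hardware/OS fields plus software added and removed since registration."""
    field_changes = [
        {"field": k, "old": baseline.get(k), "new": current.get(k)}
        for k in HARDWARE_FIELDS + ("os",)
        if baseline.get(k) != current.get(k)
    ]
    added = sorted(set(current.get("software", [])) - set(baseline.get("software", [])))
    removed = sorted(set(baseline.get("software", [])) - set(current.get("software", [])))
    return field_changes, added, removed


def evaluate_change(baseline: dict, current: dict, approved_software, locked_fields=LOCKED_FIELDS) -> dict:
    """Classify a terminal's reported inventory against its registered baseline."""
    if fingerprint(baseline) == fingerprint(current):
        return {"changed": False, "illegal": [], "response": "none"}
    field_changes, added, removed = diff_inventory(baseline, current)
    illegal = [f"{c['field']} changed {c['old']!r} -> {c['new']!r}"
               for c in field_changes if c["field"] in locked_fields]
    illegal += [f"unapproved software installed: {name}" for name in added if name not in approved_software]
    # Illegal changes go to the alarm/response path; benign ones just refresh the registry
    response = "alarm_and_isolate" if illegal else "update_baseline"
    return {"changed": True, "field_changes": field_changes, "added": added,
            "removed": removed, "illegal": illegal, "response": response}


def demo_asset_check():
    """Constructed baseline and three reports: identical, a DHCP lease change plus an
    approved tool, and a swapped disk plus an unapproved program."""
    baseline = {"name": "pc-01", "ip": "10.0.0.21", "mac": "00:11:22:33:44:55",
                "cpu": "Intel i5-2400", "memory": "4 GB", "disk": "WD5000AAKX 500 GB",
                "interfaces": ["eth0"], "os": "Windows 7 SP1",
                "software": ["Office 2007", "Antivirus X"]}
    approved = {"Office 2007", "Antivirus X", "Patch Tool"}
    unchanged = dict(baseline, software=["Antivirus X", "Office 2007"])
    benign = dict(baseline, ip="10.0.0.37", software=baseline["software"] + ["Patch Tool"])
    tampered = dict(baseline, disk="ST1000DM003 1 TB", software=["Office 2007", "Bittorrent"])
    return {
        "unchanged": evaluate_change(baseline, unchanged, approved),
        "benign": evaluate_change(baseline, benign, approved),
        "tampered": evaluate_change(baseline, tampered, approved),
    }


if __name__ == "__main__":
    for label, result in demo_asset_check().items():
        print(label, result["response"], result["illegal"])
```

Note that the tampered report also shows the antivirus package as removed; the rule above only lists that under `removed`, and a deployment that treats missing antivirus as a security flaw (as the detection section later does) would add a corresponding check.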
By setting up terminal role and user, definition role's operation and control authority, and the authority of distributing corresponding role for the user are with this basic basis as formulation safety management strategy.
The security strategy of violate setting when terminal computer, or set when carrying out alarm response according to strategy can be automatically with the reporting events server, and on terminal security incident is handled automatically.Report to the police with response as basic platform, for all functions module invokes, unitized, standardization, automation with response realize reporting to the police.
Automatically respond on terminal, response means comprises: desktop message notifying, locking terminal computer, disconnection network, the ejection specified URL page, the connection of disconnection access etc.
Terminal computer is automatically with the warning message upload server of security incident, and carries out alarm to the keeper on the controlling alarm platform.Provide checking of warning message to analyze and tabulate statistics.Support four ranks such as red alarm, orange warning, orange-yellow alarm and yellow alarm.
Aspect access, except carrying out legitimacy check and control to all clients, client illegal, that do not accept to manage will be isolated in outside the network, and legal client can be carried out normal running by access network, as shown in Figure 2.System provides the most comprehensive access control mode, can fully satisfy the access control demand under the various varying environments of user network.
802.1x access control: according to the managed terminal computer of 802.1x protocol authentication internal interface, identify and examine " legal " terminal, refuse " illegally " accessing terminal to network of unauthenticated by switch interlock mode.Like this, for wireless terminal, when it moves to WLAN (wireless local area network), just can judge whether it is illegal terminal.
ARP access control: in the low side network environment, can use access control mode, terminal is controlled based on the ARP agreement.Because of the particularity of ARP mode, generally be used for the not high occasion of requirement low cost, effect requirements.
Network boundary access control: by the terminal computer of safety access gateway management.
The application gateway access control: by using the access gateway in crucial deploy of using such as Portal, control does not meet the Internet resources of the terminal computer disable access appointment of entry criteria, the computer that allows to meet entry criteria conducts interviews.Using the access gateway is a software, is applicable to various web application systems.
Remote terminal access control:, remote terminal is carried out access control by long-range IAD.The computer that the terminal computer that does not meet entry criteria forbids being connected into Intranet, allow to meet entry criteria can be connected into Intranet.
The target of terminal security protection is protection terminal computer Environmental security, data security and related network communication security, and purpose is to create good safe operation environment for business, and the guarantee corporate business is normally runed.Therefore also must to and to detecting and controlling, as shown in Figure 2.Check and find terminal computer operating system and general-purpose system software security flaw in the linchpin, by the timely patching bugs of the technical measures of automation, the risk that the avoidance system leak is utilized by hacker, worm; Whether the sense terminals computer installs anti-virus software, avoids bringing virus problems because of the disappearance of anti-virus.
On terminal computer, carry out the real-time inspection of key safety configuration, prevent these key configuration of user's hack and cause safety problem.Mainly comprise " forbidding control panel ", " forbidden networks attribute ", " forbidding ' sending to ' ", " forbidding revising the IP address " ... promote the fail safe of client Deng multi-mode operation comprehensively.Simultaneously, support is to the strick precaution of ARP virus.
According to the service needed and the managerial demand of terminal computer, set whether allow to use peripheral hardware.Manageable peripheral hardware comprises: floppy drive (Floppy), CD-ROM drive (CD/DVD/HD-DVD/BlueRay), magnetic tape station, Flash memory device (USB flash disk and MP3 player), serial ports and parallel port (COM/LPT), scsi interface, bluetooth equipment, infrored equipment, printer, modulator-demodulator, USB interface, fire-wire interfaces (1394), PCMCIA slot etc.
In of the firewall technology measure of terminal computer deploy based on desktop, security strategy by enterprise-level is controlled access activity, the network attack that prevents the illegal connected reference of external network, hacker attacks and utilize terminal that inner network others service system is initiated.
Internal media may normally be used only within the intranet and in principle cannot be used outside it. The management method is likewise registration plus authorization; the difference is that encryption is applied at registration. Encrypted media can be read only by authorized terminals; unauthorized terminals cannot read their contents, and the media cannot be read at all once taken outside the intranet.
Through the process management strategy it can be clearly stipulated which programs may be used and which may not. This prevents the risks that running programs in violation of the rules on the terminal computer may bring, and it assists company management, improving employee productivity.
By checking and analysing the terminal computer's network traffic by class, abnormal traffic that may consume bandwidth and suspicious network attack risks are detected, and abnormal traffic is brought under control.
Security policy control measures local to the terminal computer prevent the security risks that unauthorized network connections by the terminal may bring.
Security policy control measures local to the terminal computer monitor the security risks that may result from the terminal visiting harmful websites in violation of the rules, and all web page accesses can be audited.
By monitoring and recording the terminal's screen in a timely manner, employees are prevented from operating company computers in violation of the rules.
The remote terminal computer can be locked, logged off, restarted or shut down. A locked computer cannot be used unless unlocked by an administrator, whether it is forcibly restarted or booted into safe mode.
At the same time, administrative staff can obtain remote control of the client computer through the console and operate it as if on site. Problems arising on a remote client can be solved immediately and conveniently, which is useful in many aspects of remote maintenance and remote operation of business systems.
Cascade management implements management of subordinate levels by higher levels; the number of levels is unlimited, and policy priority is transmitted down the hierarchy.
Through the unified terminal security management platform, an intuitive, visual and overall view of terminal computer security operating status, security event distribution and protection effectiveness is provided, enabling senior management to grasp the overall terminal security situation comprehensively, control the whole picture, and obtain a basis for security scheduling, administrative decisions and compliance checks. Comprehensive statistics support querying security events by terminal asset, by department, by security level, by region, etc., presenting the current state of terminal security truthfully and effectively.
The above is only a preferred embodiment of the present invention. It should be pointed out that those skilled in the art can make improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (7)

1. An authentication method for use in a local area network terminal security management method, characterized in that a terminal management device is set up in the local area network, the terminal management device comprising an identity authentication service chip/module, a policy management service chip/module and an alarm platform, and the method comprising the following steps:
Step A1: the terminal starts up and, before entering its operating system, sends an authentication request message over the local area network; the message contains user information, the password corresponding to the user information, the inherent feature information of the terminal and the usage rights requested by the user;
Step A2: after the terminal management device receives the authentication request, it hands it to the identity authentication service chip/module; the authentication server reads the user information, the password corresponding to the user information, the inherent feature information and the user's requested usage rights from the authentication request message, checks whether the user name contained in the user information is a valid user, and checks the inherent feature information to judge whether the terminal is a legal terminal; if it is both a valid user and a legal terminal, continue with step A3, otherwise raise the corresponding alarm and refuse the authentication;
Step A3: if it is both a valid user and a legal terminal, the identity authentication service chip/module reads the user's policy information from the memory/module and judges from that policy information whether the user is authorized to use this terminal; if so, continue with step A4, otherwise refuse the authentication;
Step A4: if the user is authorized to use this terminal, the identity authentication service chip/module judges whether the usage rights requested by the user in the authentication request message conform to the user information and the inherent feature information of the terminal; if they do not conform, refuse the authentication, otherwise authentication passes and the terminal management device returns an authentication-passed message to the terminal;
Step A5: the terminal management device configures and manages the terminal according to the management strategy corresponding to the user information and terminal stored in the memory of the policy management service chip/module, and the start-up of the terminal operating system is completed.
2. The method of claim 1, characterized in that raising the corresponding alarm and refusing the authentication in step A2 specifically means: if the user name in the user information is an invalid user or the terminal is an illegal terminal, the authentication request message is refused directly and alarm information is sent to the alarm platform, the alarm information containing the inherent feature information of the terminal and the user information.
3. An authentication method for use in a local area network terminal security management method, characterized in that a terminal management device is set up in the local area network, and the method comprises the following steps:
Step A1: the terminal starts up and, before entering its operating system, sends an authentication request message over the local area network; the message contains user information, the password corresponding to the user information, the inherent feature information of the terminal and the usage rights requested by the user;
Step A2: after the terminal management device receives the authentication request, it reads the user information, the password corresponding to the user information, the inherent feature information and the user's requested usage rights from the authentication request message, checks whether the user name contained in the user information is a valid user, and checks the inherent feature information to judge whether the terminal is a legal terminal; if it is both a valid user and a legal terminal, continue with step A3, otherwise raise the corresponding alarm and refuse the authentication;
Step A3: if it is both a valid user and a legal terminal, the terminal management device judges from the user's policy information whether the user is authorized to use this terminal; if so, continue with step A4, otherwise refuse the authentication;
Step A4: if the user is authorized to use this terminal, the terminal management device judges whether the usage rights requested by the user in the authentication request message conform to the user information and the inherent feature information of the terminal; if they do not conform, refuse the authentication, otherwise authentication passes and the terminal management device returns an authentication-passed message to the terminal;
Step A5: the terminal management device configures and manages the terminal according to the stored management strategy corresponding to the user information and terminal, and the start-up of the terminal operating system is completed.
4. The method of claim 1 or claim 3, characterized in that the inherent feature information of the terminal is: terminal name, IP address, MAC address, hardware configuration information and software information.
5. The method of claim 4, characterized in that the software information is the operating system type/version and the list of installed software, and the hardware information is the CPU model, memory size, hard disk model and size, and device interfaces.
6. A local area network terminal security management system, characterized in that the security management system comprises a terminal management device, the terminal management device comprising:
an identity authentication service chip/module, used to provide identity authentication for a terminal and, after the terminal passes authentication, to return an authentication response message to the terminal; a policy management service chip/module, which comprises a memory/module used to store the management strategies corresponding to different users and terminals, and also a management strategy configuration chip/module used to receive the system administrator's commands and to manage and maintain the management strategies in the management strategy database module; and an alarm platform, used to send alarms to maintenance personnel.
7. A local area network terminal security management system, characterized in that the security management system comprises three platforms: a terminal management engine, a policy centre and an overview display, wherein
the terminal management engine platform is used to export identity information and asset information upwards, to provide a basic unified alarm and response engine for each functional module to call, and at the same time to complete the authentication of the terminal, the user and the rights the user expects;
the policy centre platform is used to manage all terminal management functional modules, to call the identity management information and asset information of the basic platform, to store the management strategies corresponding to different users and terminals, and also to receive the system administrator's commands and to manage and maintain the management strategies in the management strategy database module; and the overview display platform is used to collect the asset information and all security events of all terminals, to display them in a unified way, and to alarm on and respond to the security events that occur during each functional module's management process.
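The decision sequence of steps A2 to A4 in claims 1 to 5, together with the alarm rule of claim 2, as an added worked example (this is not code from the patent or its assignee); the record layouts, the salted PBKDF2 password storage, the rights vocabulary and all sample data are assumptions:

```python
from dataclasses import dataclass, field, replace
import hashlib, hmac
@dataclass(frozen=True)
class Terminal:        # inherent feature information of claims 4 and 5 (constructed layout)
    name: str
    ip: str
    mac: str
    hardware: tuple    # (CPU model, memory GB, disk, device interfaces)
    software: tuple    # (OS type/version, installed software...)

@dataclass(frozen=True)
class AuthRequest:     # the A1 message the terminal sends before its OS boots
    username: str
    password: str
    terminal: Terminal
    requested_rights: frozenset

def hash_pw(password: str, salt: bytes) -> bytes:
    # Assumption: the manager stores salted PBKDF2 hashes rather than plaintext passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class TerminalManager:
    users: dict        # username -> (salt, password hash)
    terminals: dict    # MAC -> registered Terminal record
    policies: dict     # (username, terminal name) -> rights the policy allows
    strategies: dict   # (username, terminal name) -> A5 management strategy
    alarms: list = field(default_factory=list)

    def _valid_user(self, req: AuthRequest) -> bool:
        cred = self.users.get(req.username)
        return cred is not None and hmac.compare_digest(cred[1], hash_pw(req.password, cred[0]))

    def _legal_terminal(self, t: Terminal) -> bool:
        # The whole registered record must match, not just the MAC address
        return self.terminals.get(t.mac) == t

    def authenticate(self, req: AuthRequest) -> dict:
        # A2: valid user AND legal terminal; otherwise alarm (claim 2) and refuse
        if not (self._valid_user(req) and self._legal_terminal(req.terminal)):
            self.alarms.append({"user": req.username, "terminal": req.terminal})
            return {"status": "refused", "step": "A2"}
        # A3: does this user's policy permit this terminal at all?
        key = (req.username, req.terminal.name)
        allowed = self.policies.get(key)
        if allowed is None:
            return {"status": "refused", "step": "A3"}
        # A4: requested rights must conform to the user/terminal policy
        if not req.requested_rights <= allowed:
            return {"status": "refused", "step": "A4", "excess": req.requested_rights - allowed}
        # Pass message, plus the A5 strategy the device will push to the terminal
        return {"status": "passed", "rights": req.requested_rights, "strategy": self.strategies.get(key, {})}
# Constructed sample data: one registered terminal, two users, one policy
SALT = b"constructed-salt"
PC01 = Terminal("PC01", "10.0.0.11", "00:11:22:33:44:55",
                ("i5", 8, "500GB", "USB,LPT"), ("Win7 SP1", "Office"))
def build_manager() -> TerminalManager:
    return TerminalManager(
        users={"alice": (SALT, hash_pw("correct horse", SALT)),
               "bob": (SALT, hash_pw("battery staple", SALT))},
        terminals={PC01.mac: PC01},
        policies={("alice", "PC01"): frozenset({"usb", "printer"})},
        strategies={("alice", "PC01"): {"usb": "allow", "bluetooth": "deny"}})

def demo() -> dict:
    m = build_manager()
    clone = replace(PC01, software=("Win7", "Office"))  # same MAC, different OS version
    r = {"ok": m.authenticate(AuthRequest("alice", "correct horse", PC01, frozenset({"usb"}))),
         "bad_pw": m.authenticate(AuthRequest("alice", "wrong", PC01, frozenset())),
         "clone": m.authenticate(AuthRequest("alice", "correct horse", clone, frozenset())),
         "no_policy": m.authenticate(AuthRequest("bob", "battery staple", PC01, frozenset())),
         "excess": m.authenticate(AuthRequest("alice", "correct horse", PC01, frozenset({"usb", "bluetooth"})))}
    r["alarm_count"] = len(m.alarms)
    return r
```

Only the two A2 failures (wrong password, terminal record not matching its registration) raise an alarm; the A3 and A4 refusals do not, which mirrors the claims as written.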

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011101761519A CN102195991A (en) 2011-06-28 2011-06-28 Terminal security management and authentication method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2011101761519A CN102195991A (en) 2011-06-28 2011-06-28 Terminal security management and authentication method and system

Publications (1)

Publication Number Publication Date
CN102195991A true CN102195991A (en) 2011-09-21

Family

ID=44603378

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011101761519A Pending CN102195991A (en) 2011-06-28 2011-06-28 Terminal security management and authentication method and system

Country Status (1)

Country Link
CN (1) CN102195991A (en)

Cited By (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015090089A1 (en) * 2013-12-18 2015-06-25 烽火通信科技股份有限公司 Authentication and authorization system and method for management of communication network
CN104469765A (en) * 2014-07-28 2015-03-25 北京佰才邦技术有限公司 Terminal authentication method and device used in mobile communication system
CN104469765B (en) * 2014-07-28 2020-10-23 北京佰才邦技术有限公司 Terminal authentication method and apparatus for use in mobile communication system
CN105592021A (en) * 2014-11-12 2016-05-18 成都安慧科技有限公司 Novel internal network security protection method
CN104460657A (en) * 2014-11-14 2015-03-25 北京网御星云信息技术有限公司 Method, device and system for achieving protection of mobile operation and maintenance of industrial control system
CN104460657B (en) * 2014-11-14 2017-09-19 北京网御星云信息技术有限公司 A kind of method for realizing industrial control system movement O&M protection, apparatus and system
CN104469770B (en) * 2014-11-27 2018-03-20 中国联合网络通信集团有限公司 Towards WLAN authentication methods, platform and the system of third-party application
CN104469770A (en) * 2014-11-27 2015-03-25 中国联合网络通信集团有限公司 WLAN authentication method, platform and system for third-party application
CN104506352A (en) * 2014-12-24 2015-04-08 福建江夏学院 Internet-of-things data preprocessing method and system
CN104506352B (en) * 2014-12-24 2018-04-20 福建江夏学院 A kind of method and system of Internet of Things data pretreatment
CN105184188A (en) * 2015-08-12 2015-12-23 北京因特信安软件科技有限公司 Asset certificate based method for managing trusted terminal device
CN105471840A (en) * 2015-11-12 2016-04-06 中国建设银行股份有限公司 Terminal management system under large-scale enterprise network environment
CN108270601A (en) * 2016-12-30 2018-07-10 中兴通讯股份有限公司 Mobile terminal, warning information acquisition, alarm information sender method and device
CN107124422A (en) * 2017-05-12 2017-09-01 北京明朝万达科技股份有限公司 A kind of terminal admittance control method and system
CN107864164A (en) * 2017-12-26 2018-03-30 北京中船信息科技有限公司 The linkage alarm device distorted with MAC Address is usurped based on IP
CN107864164B (en) * 2017-12-26 2020-11-06 北京中船信息科技有限公司 Linkage alarm device based on IP embezzlement and MAC address tampering
CN108650020A (en) * 2018-05-20 2018-10-12 北京天链测控技术有限公司 A kind of business space flight measurement and control service management system and method based on cloud service
CN108650020B (en) * 2018-05-20 2020-11-03 北京天链测控技术有限公司 Commercial aerospace measurement and control service management system and method based on cloud service
CN108989306A (en) * 2018-07-12 2018-12-11 王振达 A kind of mobile terminal safety managing and control system and implementation method
CN109302397A (en) * 2018-10-12 2019-02-01 深信服科技股份有限公司 A kind of network safety managing method, platform and computer readable storage medium
CN109302397B (en) * 2018-10-12 2022-06-21 深信服科技股份有限公司 Network security management method, platform and computer readable storage medium
CN109559815A (en) * 2018-10-23 2019-04-02 平安医疗健康管理股份有限公司 A kind of information sharing method, device and relevant device
CN109612517A (en) * 2018-12-21 2019-04-12 深圳创维-Rgb电子有限公司 Analysis method, data server, monitoring device and the medium of production exception
CN109612517B (en) * 2018-12-21 2021-03-30 深圳创维-Rgb电子有限公司 Product production abnormity analysis method, data server, monitoring equipment and medium
CN113010893B (en) * 2019-12-19 2024-05-17 华为云计算技术有限公司 Software management method, device and system
CN113010893A (en) * 2019-12-19 2021-06-22 华为技术有限公司 Software management method, device and system
CN112149159A (en) * 2020-08-26 2020-12-29 网神信息技术(北京)股份有限公司 Permission setting method and device of terminal, electronic equipment and storage medium
WO2022062918A1 (en) * 2020-09-25 2022-03-31 统信软件技术有限公司 Control method for strategy implementation, strategy implementation system, and computing device
CN112398695A (en) * 2020-11-19 2021-02-23 上海浦东发展银行股份有限公司 Large-scale terminal equipment management and control method, system, equipment and storage medium
CN112398695B (en) * 2020-11-19 2022-06-28 上海浦东发展银行股份有限公司 Large-scale terminal equipment control method, system, equipment and storage medium
CN112613007A (en) * 2020-12-22 2021-04-06 北京八分量信息科技有限公司 Data access method and device based on credible authentication and related products
CN112613007B (en) * 2020-12-22 2024-02-09 北京八分量信息科技有限公司 Data admission method and device based on trusted authentication and related products
CN112511567A (en) * 2021-02-05 2021-03-16 浙江地芯引力科技有限公司 Method and device for managing secret communication priority of intelligent security chip
CN114157503A (en) * 2021-12-08 2022-03-08 北京天融信网络安全技术有限公司 Access request authentication method and device, API gateway equipment and storage medium
CN115314302A (en) * 2022-08-10 2022-11-08 重庆电子工程职业学院 Communication method and device based on network security grid
CN115314303A (en) * 2022-08-10 2022-11-08 重庆电子工程职业学院 Network security defense method and system based on whole network linkage
CN115529142A (en) * 2022-10-09 2022-12-27 阳光电源股份有限公司 Login management method, device, equipment and medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20110921