CN102487378A - Front safety system for guaranteeing information safety - Google Patents

Publication number
CN102487378A
Authority
CN
China
Prior art keywords
module
application
preposition
safety system
safety
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2010105684057A
Other languages
Chinese (zh)
Other versions
CN102487378B (en
Inventor
杨健
李毓才
刘刚
葛维
孙绍钢
李晓勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sinorail Hongyuan (beijing) Information Software Development Co Ltd
SINORALL INFORMATION ENGINEERING GROUP CO LTD
Original Assignee
Sinorail Hongyuan (beijing) Information Software Development Co Ltd
SINORALL INFORMATION ENGINEERING GROUP CO LTD
Application filed by Sinorail Hongyuan (beijing) Information Software Development Co Ltd, SINORALL INFORMATION ENGINEERING GROUP CO LTD filed Critical Sinorail Hongyuan (beijing) Information Software Development Co Ltd
Priority to CN201010568405.7A priority Critical patent/CN102487378B/en
Priority claimed from CN201010568405.7A external-priority patent/CN102487378B/en
Publication of CN102487378A publication Critical patent/CN102487378A/en
Application granted granted Critical
Publication of CN102487378B publication Critical patent/CN102487378B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention relates to a front safety system for guaranteeing information safety. The system is connected between a client terminal and a server, and comprises a security agent module, a secure transmission module, an identity authentication module, an access control module, a single sign-on module, a configuration management module, a security audit module and an application forwarding module. Once the system is in use, every request to access the application server must pass through the front safety system, and the application server is completely protected by the front safety system without any change to user operations.

Description

A front safety system for guaranteeing information safety
Technical field
The present invention relates to the field of information security, and in particular to a front safety system for guaranteeing information safety.
Background art
At present, many important information systems have moved, or are beginning to move, from the early mainframe systems to the open B/S (browser/server) computing model. These systems have a typical three-tier application structure, as shown in Fig. 1. The application server accepts business service requests and operations from client terminals, carries out the business logic, converts business-related data operations into database accesses on the data/storage system, and returns the business service results to the client terminal.
In practice, application systems with the structure of Fig. 1 often have the following characteristics and security challenges:
1. Applications are difficult to isolate from one another, and there is no clear physical or network-level boundary between systems. In a larger information system, several business applications may run together on the same application server, while a single business application may be distributed across several application servers at the same time; in addition, a client terminal may access different applications according to the needs of the business operator. The security of the application system therefore cannot be achieved through simple physical or network isolation, for example by relying on a firewall or other isolation device for protection; the different applications must be identified, isolated and protected at the application layer.
2. During development and construction, an application system may suffer from security requirements that were not fully considered, a security design that is not comprehensive, and application code that is imperfect. All of these bring security vulnerabilities and security risks to the user's application system. For key application systems, however, the business continuity requirement means that security improvements can only be made in a smooth and compatible manner. Moreover, under the B/S application structure, the core of a business application lies mostly on the application service side: business logic and business data are mainly processed and stored on the application service side, while the client's main task is to initiate business operations and display the returned business data.
Given these application characteristics, in the B/S application structure the focus of security protection for the application system should be placed on the application service side, implementing security measures such as isolation, authentication and access control at the application layer.
Summary of the invention
In view of the defects and deficiencies of the prior art, the present invention proposes a front safety system that aims, on the premise of guaranteeing the continuity of the user's key business operations, to improve the security and high availability of business application systems and to meet the requirements of the national information security classified protection system and the related technical standards.
To achieve the above object, the present invention proposes a front safety system for guaranteeing information safety, connected between a client terminal and a server. The front safety system comprises: a security agent module, a secure transmission module, an identity authentication module, an access control module, a single sign-on module, a configuration management module, an audit module and an application forwarding module;
Wherein, the security agent module is used to reduce changes to the user's application operating mode through a transparent security agent, guaranteeing that security and application compatibility are both maintained;
The secure transmission module is used to support the SSL protocol and to establish an SSL-based secure transmission channel between the client terminal and the front safety system, guaranteeing the confidentiality and integrity of important information, such as identity authentication data and sensitive business data, during network transmission;
The identity authentication module is used to implement certificate-based identity authentication;
The access control module is used to support role-based application access control; it supports assigning security labels according to the importance or sensitivity of an application and its information, and enforces mandatory access control based on these security labels, meeting the technical requirements of classified protection;
The audit module is used to record the user's application service requests, operations and their results, and to send the audit records to the security audit center in a timely manner;
The single sign-on module is used so that, once a user has passed identity authentication, the user need not authenticate again to each application;
The application forwarding module is used, when an application server fails over, to automatically transfer the user's application service requests and operations to another application server that provides the same kind of service.
As a preferred form of the above technical solution, the front safety system further comprises: a DoS/DDoS attack prevention module, a role-based network transmission control module, and a built-in LDAP service module.
As a preferred form of the above technical solution, a plurality of the front safety systems can be clustered into a front safety system cluster.
As a preferred form of the above technical solution, a plurality of front safety systems act as hot standbys for one another and are presented externally under one common virtual name and address through network virtualization technology.
As a preferred form of the above technical solution, one of the plurality of front safety systems serves as the master device that runs under normal conditions, and the others serve as slave devices that take over from the master device when it fails.
As a preferred form of the above technical solution, the front safety system supports UNIX system platforms and Linux system platforms.
The front safety system proposed by the present invention is placed in front of the application servers in a transparent access manner, and every access request to an application server must pass through the front system. Without changing any user operation, the front safety system places the application servers entirely under its protection. By using the front safety system of the present invention in an information system, the application system can achieve the following security functions:
1. Personnel and device authentication
Installing a secure digital certificate on each system terminal ensures that only authenticated devices can connect to the system, preventing unauthorized devices from bringing viruses and trojans into the system. Equipping system operators with both a digital certificate (such as a UKey) and a user name and password guarantees user security and also satisfies the relevant requirements for high-grade information systems under classified protection.
2. Application-layer mandatory access control based on security labels
The security policy assigns different security labels to users and applies role-based authorization management accordingly, ensuring that system operators can access only the authorized applications that match their security level. This is also a key security measure required of high-grade information systems under classified protection.
3. Data transmission and data protection
With the front safety system in use, the application system obtains automatic security encryption between the system terminal and the application server. This ensures that system information is not eavesdropped on or damaged during network transmission, achieving secure data transmission.
4. Automatic application forwarding protection
The front safety system can automatically detect the state of the application servers. While the application servers are working normally, the front safety system distributes access requests from clients evenly across the back-end application servers; when the performance of an application server degrades severely, the front safety system sends access requests to the other application servers that are working normally, preventing an application server fault from seriously affecting the application service.
5. Priority-based flow control
When the volume of access exceeds the maximum permitted number of concurrent requests, the front safety system controls access requests by queuing them. Access requests of high priority are let through first, which guarantees that key services are carried out first and guarantees the availability of the system.
6. Centralized audit
All access events are audited, whether normal access or abnormal access, meeting the classified protection requirements for high-security-grade information systems. The front safety system supports the syslog protocol and can send audit events to a centralized audit system over syslog, achieving centralized audit.
7. Device hot-standby function
Where there are no special performance requirements, the front safety system is usually deployed as a two-node hot standby. When the back-end servers have especially high requirements for the number of concurrent connections (for example, when the back-end servers are deployed as a cluster), the front safety system also supports cluster deployment, ensuring that the security device itself does not become a system bottleneck.
8. Security and trustworthiness of the device itself
The hardware of the front safety system is a professionally customized minicomputer platform, which guarantees the hardware performance of the system. The software of the front safety system is a professional system that is fully independent and controllable from the bottom-layer modules to the application modules and is implemented on the basis of trusted computing technology, which guarantees its own security.
The specific embodiments of the present invention are described in further detail below with reference to the accompanying drawings. For a person of ordinary skill in the art, the above and other objects, features and advantages of the present invention will be apparent from the detailed description.
Description of drawings
Fig. 1 shows the typical B/S application structure in the prior art;
Fig. 2 is a schematic diagram of the application of the front safety system proposed by the present invention;
Fig. 3 is a system structure diagram of the front safety system proposed by the present invention;
Fig. 4 is a high-availability application security system configuration scheme using the front safety system proposed by the present invention;
Fig. 5 is a two-node hot-standby scheme using the front safety system proposed by the present invention.
Embodiment
As shown in Fig. 2, the front safety system for guaranteeing information safety proposed by the present invention is connected between the client terminal and the server. As shown in Fig. 3, the front safety system comprises: a security agent module, a secure transmission module, an identity authentication module, an access control module, a single sign-on module, a configuration management module, an audit module and an application forwarding module.
Wherein, the security agent module uses a transparent security agent function to reduce changes to the user's application operating mode as far as possible, guaranteeing that security and application compatibility are both maintained;
The secure transmission module supports the SSL protocol and establishes an SSL-based secure transmission channel between the client terminal and the front safety system, guaranteeing the confidentiality and integrity of important information, such as identity authentication data and sensitive business data, during network transmission;
The identity authentication module implements certificate-based identity authentication. In addition to certificate-based identity authentication of application operators, it also supports certificate-based device authentication of application terminal equipment, ensuring that only legitimate operators, using approved terminal equipment, can access the business;
The access control module supports role-based application access control; it supports assigning security labels according to the importance or sensitivity of an application and its information, and enforces mandatory access control based on these security labels, meeting the technical requirements of classified protection;
The audit module is used to record the user's application service requests, operations and their results, and to send the audit records to the security audit center in a timely manner;
The single sign-on module means that, after a user has passed the identity authentication of the front safety system, the user no longer needs to authenticate to each application. This reduces the user's repeated work in logging in to applications and avoids the security problems caused by users looking after their authentication information poorly;
The application forwarding module is used for application server failover: when an application server cannot provide service externally or its service capability degrades severely, the user's application service requests and operations can be automatically transferred to another application server providing the same kind of service, guaranteeing the continuity of the user's business.
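The decision that the access control module and the audit module make together can be sketched as follows. This is an added example, not code from the patent: the roles, label levels, application names and log layout are constructed for illustration, and the rule that a user's label must be at least the application's label is an assumption, since the patent does not say how labels are compared.

```python
from dataclasses import dataclass
from enum import IntEnum


class Label(IntEnum):
    """Security labels ordered by sensitivity (hypothetical levels)."""
    PUBLIC = 1
    INTERNAL = 2
    SENSITIVE = 3
    CRITICAL = 4


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    clearance: Label  # label assigned to the user by the security policy


# Role-based part: applications each role is authorized to use (constructed).
ROLE_GRANTS = {
    "dispatcher": {"ticketing", "scheduling"},
    "auditor": {"reports"},
    "admin": {"ticketing", "scheduling", "reports"},
}
# Mandatory part: label assigned to each application by its sensitivity.
APP_LABELS = {
    "ticketing": Label.INTERNAL,
    "scheduling": Label.CRITICAL,
    "reports": Label.SENSITIVE,
}

FACILITY_AUTHPRIV = 10          # syslog facility: security/authorization
SEV_WARNING, SEV_INFO = 4, 6    # syslog severities


def decide(user, app):
    """Return (allowed, reason). Both checks must pass; unknown apps are denied."""
    label = APP_LABELS.get(app)
    if label is None:
        return False, "unknown-application"
    if not any(app in ROLE_GRANTS.get(role, ()) for role in user.roles):
        return False, "role-not-authorized"
    if user.clearance < label:
        return False, "label-too-low"
    return True, "ok"


def clean(value):
    """Replace characters that could forge extra fields or lines in the log."""
    return "".join(c if c.isalnum() or c in "-_." else "_" for c in str(value))


def audit_line(user, app, allowed, reason):
    """Format one audit event as a PRI-prefixed syslog message.

    Timestamp and host header fields are left out so the output is
    deterministic; denials are logged at a higher severity than grants.
    """
    pri = FACILITY_AUTHPRIV * 8 + (SEV_INFO if allowed else SEV_WARNING)
    result = "ALLOW" if allowed else "DENY"
    return (f"<{pri}>front-safety: user={clean(user.name)} app={clean(app)} "
            f"result={result} reason={reason}")


def handle(user, app, audit_log):
    """Decide, and record the event whether access was normal or refused."""
    allowed, reason = decide(user, app)
    audit_log.append(audit_line(user, app, allowed, reason))
    return allowed
```

In a deployment the lines collected in `audit_log` would be sent to the central audit system over syslog rather than kept in a list.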
In addition to the above modules, the front safety system may also comprise:
A DoS/DDoS attack prevention module, used to monitor network connections at the network level and prevent DoS/DDoS attacks from stopping the application servers from working normally;
A role-based network transmission control module, used to provide transmission services of different quality according to the user's role. For example, system managers or operating officers can access application services quickly and with priority; or, when the service is busy, the application system refuses service access by general personnel while operating officers can continue to access the application;
A built-in LDAP service module, used to support centralized and unified security management while ensuring that application security control does not seriously affect the overall performance of the application service. Through the built-in LDAP service, the system-wide unified security policy is replicated locally and converted into a security policy that the front safety system can recognize, avoiding the network delay and LDAP service delay overhead of the traditional centralized LDAP policy query process. This function is particularly important in systems with wide coverage and scarce network bandwidth.
The front safety system is able to guarantee its own security. It can control the loading and running of executable code on the system: based on a unique characteristic of the code (such as a hash value), no unauthorized code can be invoked and run by the system, ensuring that the front safety system itself cannot be damaged by unauthorized code or used by malicious persons to carry out illegal operations.
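One way to enforce the hash-based load control described above, as an added example that is not from the patent: the function names and sample files are hypothetical, and SHA-256 is an assumed choice of hash.

```python
import hashlib
import os
import tempfile


def digest_fd(fd, chunk=65536):
    """SHA-256 of the file behind an open descriptor, read from the start."""
    h = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while True:
        block = os.read(fd, chunk)
        if not block:
            break
        h.update(block)
    return h.hexdigest()


def open_if_authorized(path, allowlist):
    """Open path read-only and return the descriptor only if its hash is approved.

    The hash is computed on the same descriptor the caller goes on to load,
    so a different file swapped in at `path` after the check is not what gets
    loaded. Approved files must still be unwritable by untrusted users,
    because an in-place write after the check is not detected here.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        if digest_fd(fd) not in allowlist:
            raise PermissionError(f"code not authorized to run: {path}")
        os.lseek(fd, 0, os.SEEK_SET)
    except BaseException:
        os.close(fd)
        raise
    return fd


def check(path, allowlist):
    """True if path may be loaded, False if refused; always closes the descriptor."""
    try:
        fd = open_if_authorized(path, allowlist)
    except PermissionError:
        return False
    os.close(fd)
    return True


def demo():
    """Approve one constructed file, then test an unknown and a modified file."""
    with tempfile.TemporaryDirectory() as d:
        service = os.path.join(d, "service.bin")
        other = os.path.join(d, "dropped.bin")
        with open(service, "wb") as f:
            f.write(b"constructed approved build")
        with open(other, "wb") as f:
            f.write(b"constructed unknown file")
        allowlist = {hashlib.sha256(b"constructed approved build").hexdigest()}
        results = {
            "approved": check(service, allowlist),
            "unknown": check(other, allowlist),
        }
        with open(service, "ab") as f:  # change the file after it was approved
            f.write(b"\x90")
        results["modified"] = check(service, allowlist)
        return results
```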
The front safety system can support several platform performance levels, including high-end multiprocessor UNIX system platforms and relatively low-end Linux platforms, meeting the performance and security requirements of large and medium-sized business application systems and of small application systems respectively.
The front safety system may be, for example, a multi-CPU hardware security platform based on a UNIX system. It meets the user's application security requirements through the following security mechanisms:
Through the application proxy login mechanism, the work of users repeatedly logging in to applications is avoided or reduced, lowering the risks in password management and thereby meeting the user's single sign-on requirement. The application proxy login mechanism of the front safety system does not require changes to the user's existing application structure or business logic.
The safety system automatically detects the service availability of the application servers it supports. When it determines that the service performance of an application server is below a preset performance threshold, the system can automatically select the next application server providing the same type of service to continue providing the service.
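The forwarding behaviour above, combined with the priority queuing described under flow control, as an added example that is not from the patent: the class and method names, the 0 to 1 performance score and the numeric priorities are assumptions.

```python
import heapq
import itertools


class FrontForwarder:
    """Admit requests up to a concurrency limit and forward them to healthy servers."""

    def __init__(self, backends, perf_threshold, max_concurrent):
        self.order = list(backends)
        self.perf = {b: 1.0 for b in self.order}  # last measured score, 0..1
        self.threshold = perf_threshold
        self.max_concurrent = max_concurrent
        self.in_flight = 0
        self._next = 0                  # round-robin cursor
        self._queue = []                # heap of (priority, arrival, request)
        self._arrival = itertools.count()

    def report(self, backend, score):
        """Record the result of a health probe for one application server."""
        self.perf[backend] = score

    def healthy(self):
        """Servers whose measured performance is at or above the threshold."""
        return [b for b in self.order if self.perf[b] >= self.threshold]

    def _pick(self):
        """Round-robin over healthy servers; degraded ones are skipped."""
        candidates = self.healthy()
        if not candidates:
            raise RuntimeError("no application server meets the threshold")
        backend = candidates[self._next % len(candidates)]
        self._next += 1
        return backend

    def submit(self, request, priority):
        """Forward at once if below the limit, otherwise queue the request.

        Returns the chosen server, or None when the request was queued.
        A lower number means a higher priority.
        """
        if self.in_flight < self.max_concurrent:
            backend = self._pick()      # may raise before a slot is taken
            self.in_flight += 1
            return backend
        heapq.heappush(self._queue, (priority, next(self._arrival), request))
        return None

    def complete(self):
        """Free one slot and give it to the highest-priority waiting request.

        Returns (request, server) for the released request, or None if no
        request was waiting.
        """
        self.in_flight -= 1
        if not self._queue:
            return None
        backend = self._pick()          # raises before the request is dequeued
        _, _, request = heapq.heappop(self._queue)
        self.in_flight += 1
        return request, backend
```

Requests of equal priority leave the queue in arrival order, because the arrival counter breaks ties in the heap.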
For the key business systems of industries such as railways and electric power, several high-availability deployment schemes based on the front safety system can additionally be provided, according to the scale of the business and the service security requirements.
1. Application environments where the business is very large in scale and the business continuity requirements on the application system are very high; a typical example is some of the comprehensive business applications in the railway system. In this business application environment, the cluster scheme of Fig. 4 can be adopted.
In Fig. 4, large-scale client application service requests and operations are distributed by load-balancing devices to the individual front safety systems in the "front safety system cluster", and each front safety system applies security protection to the applications based on the security policy. The "system cluster" guarantees application performance in two respects: first, the performance of each front safety system must itself match the performance of the application servers; second, the "system cluster" can load-balance the application service across several front safety systems, which jointly carry out security control of the applications. The number of front safety systems in the "system cluster" can be increased or reduced according to the performance requirements of the applications.
The structure of Fig. 4 guarantees the high availability of the application security system in several respects. First, it avoids single points of failure in the system: from the hot standby of the load-balancing system to the clustering of several front safety systems in the "system cluster", it provides multiple reliable redundant connections from the client terminal to the application service, ensuring that the user's key business can run around the clock, 7x24 hours.
2. Application environments where the business is relatively large in scale and the business continuity requirements on the application system are relatively high. In this business application environment, the two-node redundancy scheme can be adopted, as shown in Fig. 5.
In Fig. 5, two front safety systems are hot standbys for each other and are presented externally under one common virtual name/address through network virtualization technology. For a particular type of service, one front safety system acts as the master device and the other as the slave device. Under normal conditions the master device provides application security control for the applications; when the master device, or the application security control mechanism on it, fails, the slave device detects this state automatically and takes over from the master device to apply security control to the applications. Switching and recovery among the devices and security controls are transparent to the application clients.
Although the present invention has been clearly described through the above embodiments and drawings, a person of ordinary skill in the art may make various corresponding changes and modifications according to the present invention without departing from its spirit and essence, and all such changes and modifications shall fall within the scope of protection of the claims of the present invention.

Claims (6)

1. A front safety system for guaranteeing information safety, connected between a client terminal and a server, characterized in that the front safety system comprises: a security agent module, a secure transmission module, an identity authentication module, an access control module, a single sign-on module, a configuration management module, an audit module and an application forwarding module;
Wherein, the security agent module is used to reduce changes to the user's application operating mode through a transparent security agent, guaranteeing that security and application compatibility are both maintained;
The secure transmission module is used to support the SSL protocol and to establish an SSL-based secure transmission channel between the client terminal and the front safety system, guaranteeing the confidentiality and integrity of important information, such as identity authentication data and sensitive business data, during network transmission;
The identity authentication module is used to implement certificate-based identity authentication;
The access control module is used to support role-based application access control; it supports assigning security labels according to the importance or sensitivity of an application and its information, and enforces mandatory access control based on these security labels, meeting the technical requirements of classified protection;
The audit module is used to record the user's application service requests, operations and their results, and to send the audit records to the security audit center in a timely manner;
The single sign-on module is used so that, once a user has passed identity authentication, the user need not authenticate again to each application;
The application forwarding module is used, when an application server fails over, to automatically transfer the user's application service requests and operations to another application server that provides the same kind of service.
2. The front safety system according to claim 1, characterized in that the front safety system further comprises: a DoS/DDoS attack prevention module, a role-based network transmission control module, and a built-in LDAP service module.
3. The front safety system according to claim 1 or 2, characterized in that a plurality of the front safety systems can be clustered into a front safety system cluster.
4. The front safety system according to claim 3, characterized in that a plurality of front safety systems act as hot standbys for one another and are presented externally under one common virtual name and address through network virtualization technology.
5. The front safety system according to claim 4, characterized in that one of the plurality of front safety systems serves as the master device that runs under normal conditions, and the others serve as slave devices that take over from the master device when it fails.
6. The front safety system according to claim 1, characterized in that the front safety system supports UNIX system platforms and Linux system platforms.
CN201010568405.7A 2010-12-01 A kind of preposition security system for ensuring information safety Active CN102487378B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010568405.7A CN102487378B (en) 2010-12-01 A kind of preposition security system for ensuring information safety

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010568405.7A CN102487378B (en) 2010-12-01 A kind of preposition security system for ensuring information safety

Publications (2)

Publication Number Publication Date
CN102487378A true CN102487378A (en) 2012-06-06
CN102487378B CN102487378B (en) 2016-12-14

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant