CN102487378B - A kind of preposition security system for ensuring information safety - Google Patents

Info

Publication number: CN102487378B
Authority: CN (China)
Prior art keywords: module, application, preposition, security system, security
Legal status: Active
Application number: CN201010568405.7A
Other languages: Chinese (zh)
Other versions: CN102487378A (en)
Inventors: 杨健, 李毓才, 刘刚, 葛维, 孙绍钢, 李晓勇
Current assignee: Sinorail Hongyuan (Beijing) Information Software Development Co Ltd; SINORALL INFORMATION ENGINEERING GROUP CO LTD
Original assignee: Sinorail Hongyuan (Beijing) Information Software Development Co Ltd; SINORALL INFORMATION ENGINEERING GROUP CO LTD
Application filed by Sinorail Hongyuan (Beijing) Information Software Development Co Ltd and SINORALL INFORMATION ENGINEERING GROUP CO LTD; priority to CN201010568405.7A; published as CN102487378A and granted as CN102487378B.

Abstract

The present invention relates to a preposition (front-end) security system for ensuring information security. It is connected between the client terminals and the server and includes: a security agent module, a secure transmission module, an identity authentication module, an access control module, a single sign-on module, a configuration management module, a security audit module and an application forwarding module. Once the invention is deployed, every access request to an application server must pass through the front-end system; without changing any user operation, the preposition security system places the application server entirely under its protection.

Description

A kind of preposition security system for ensuring information safety
Technical field
The present invention relates to the field of information security, and in particular to a preposition security system for ensuring information security.
Background technology
At present, most important information systems have moved, or are beginning to move, from the early mainframe model to an open B/S (browser/server) computing model. These systems have a typical three-tier application structure, as shown in Figure 1: the application server accepts the service requests and operations of the client terminals, executes the business logic, converts them into business-related data operations and accesses against the database in the data/storage tier, and returns the business result to the client terminal.
In practice, application systems with the structure of Figure 1 often have the following characteristics and security challenges:
1. Applications and systems are hard to isolate from one another; there is no clear physical or network-level boundary between them. In a relatively large information system, several business applications may run together on the same application server, while a single business application may be distributed across several application servers; at the same time, a client terminal may access different applications according to the duties of its operator. The security of the application system therefore cannot be achieved by simple physical or network isolation, such as protection by a firewall or another isolation device; different applications must be identified, isolated and protected at the application layer.
2. During development and construction, an application system may suffer from incomplete security requirements, imperfect security design and imperfect application coding, all of which leave security vulnerabilities and security risks in the user's application system. For critical application systems, however, business-continuity requirements mean that security improvements can only be made in a smooth and compatible way. In addition, under the B/S application structure the core of a business application sits on the application-server side: business logic, business data and so on are mainly processed and stored by the application service, while the client's main tasks are initiating business operations and displaying the returned business data.
Given these application characteristics, under the B/S application structure the emphasis of security protection should be placed on the application-server side, implementing security measures such as isolation, identity authentication and access control at the application layer.
Summary of the invention
To address the defects and deficiencies of the prior art, the present invention proposes a preposition security system that aims to improve the security and high availability of business application systems while ensuring the continuity of the user's key business, and to meet the requirements of China's hierarchical (classified) information security protection system and the related technical standards.
To achieve these goals, the present invention proposes a preposition security system for ensuring information security, connected between the client terminals and the server. The preposition security system includes: a security agent module, a secure transmission module, an identity authentication module, an access control module, a single sign-on module, a configuration management module, a security audit module and an application forwarding module;
wherein the security agent module is used to reduce changes to the user's application operating mode through transparent security proxying, ensuring security and compatibility with the application;
the secure transmission module is used to support the SSL protocol and, based on SSL, to establish a secure transmission tunnel between the client terminal and the preposition security system, ensuring the confidentiality and integrity of important information such as identity authentication data and business-sensitive data while in transit over the network;
the identity authentication module is used to implement certificate-based identity authentication;
the access control module is used to support role-based application access control, to assign security labels to applications and their information according to importance or sensitivity, and to enforce mandatory access control based on these security labels, meeting the technical requirements of hierarchical protection;
the security audit module is used to record the user's application service requests and operations and their results, and to send the audit records promptly to a security audit center;
the single sign-on module is used so that a user who has passed identity authentication does not need to authenticate again to each application;
the application forwarding module is used to transfer the user's application service requests and operations automatically to another application server providing the same service when an application server fails.
Preferably, the preposition security system further includes: an anti-DoS/DDoS module, a role-based network transmission control module and a built-in LDAP service module.
Preferably, multiple preposition security systems can be clustered into a preposition security system cluster.
Preferably, the multiple preposition security systems act as hot standbys for each other and are represented externally by a common virtual name and address through network virtualization technology.
Preferably, one of the multiple preposition security systems acts as the master device under normal conditions, and the others act as slave devices that take over from the master device when it fails.
Preferably, the preposition security system supports both Unix system platforms and Linux system platforms.
The preposition security system proposed by the present invention is placed in front of the application servers by means of transparent access, so that every access request to an application server must pass through the front-end system. Without changing any user operation, the preposition security system places the application servers entirely under its protection. By using the preposition security system of the present invention in an information system, the application system can achieve the following security functions:
1. Personnel and device authentication
By binding a secure digital certificate to each system terminal, only authenticated devices can access the system, preventing illegal devices from bringing viruses and Trojans into the system. By issuing digital certificates (for example on a UKey) to system operators and combining them with a username and password, user security is ensured while the related requirements of hierarchical protection for high-level information systems are also met.
2. Application-layer mandatory access control based on security labels
In the security policy, different security labels are assigned to users and role-based authorization management is applied accordingly, so that system operators can only access, through authorization, the applications that match their security level. This is also a key security measure required by hierarchical protection for high-level information systems.
3. Data transmission and data protection
With the preposition security system, the application system achieves automatic secure encryption between the system terminals and the application servers, ensuring that system information is neither eavesdropped on nor tampered with during network transmission and thus securing data transmission.
4. Automatic application forwarding protection
The preposition security system can automatically sense the state of the application servers. When the application servers are working normally, the preposition security system distributes client access requests evenly across the back-end application servers; when the performance of an application server degrades, the preposition security system sends access requests to other, normally working application servers, preventing an application server fault from seriously affecting the application service.
5. Traffic priority control
When the number of visits exceeds the permitted maximum concurrency, the preposition security system controls access requests by queuing. High-priority access requests are passed through first, ensuring that key services proceed first and that the system remains available.
6. Centralized audit
All access events are audited, whether normal or abnormal, meeting the requirements of hierarchical protection for high-level information systems. The preposition security system supports the syslog protocol and can send audit events over syslog to a centralized audit system, achieving centralized audit.
7. Device hot backup
Where there are no special performance requirements, the preposition security system can generally be deployed as a two-node hot-standby pair. When the back-end servers have particularly high concurrency requirements (for example, when the back-end servers are deployed as a cluster), the preposition security system also supports cluster deployment, ensuring that the security device itself does not become a system bottleneck.
8. Inherent security and trustworthiness of the device
The hardware of the preposition security system is a professionally customized minicomputer platform, guaranteeing the hardware performance of the system. The software of the preposition security system is a fully independent and controlled professional system from the bottom-layer modules up to the application modules, implemented on the basis of trusted computing technology, ensuring its own security.
The specific embodiments of the present invention are described in further detail below with reference to the accompanying drawings. From the detailed description, the above and other objects, features and advantages of the present invention will be obvious to those skilled in the art.
Accompanying drawing explanation
Fig. 1 is the typical B/S application architecture in the prior art;
Fig. 2 is a schematic diagram of the application of the preposition security system proposed by the present invention;
Fig. 3 is a system structure diagram of the preposition security system proposed by the present invention;
Fig. 4 is a high-availability application security system structure scheme using the preposition security system proposed by the present invention;
Fig. 5 is the two-node hot-standby scheme using the preposition security system proposed by the present invention.
Detailed description of the invention
As shown in Figure 2, the preposition security system for ensuring information security proposed by the present invention is connected between the client terminals and the server. As shown in Figure 3, the preposition security system includes: a security agent module, a secure transmission module, an identity authentication module, an access control module, a single sign-on module, a configuration management module, a security audit module and an application forwarding module.
The security agent module can, through transparent security proxy functionality, minimize changes to the user's application operating mode, ensuring security and compatibility with the application;
the secure transmission module supports the SSL protocol and establishes an SSL-based secure transmission tunnel between the client terminal and the preposition security system, ensuring the confidentiality and integrity of important information such as identity authentication data and business-sensitive data in network transmission;
the identity authentication module implements certificate-based identity authentication; in addition to certificate-based authentication of application operators, it also supports certificate-based device authentication of the application terminal devices, ensuring that only legitimate operators access the business, and only through approved terminal devices;
the access control module supports role-based application access control; it supports assigning security labels to applications and their information according to importance or sensitivity, and enforces mandatory access control based on these security labels, meeting the technical requirements of hierarchical protection;
the security audit module records the user's application service requests and operations and their results, and sends the audit records promptly to the security audit center;
the single sign-on module allows a user who has passed the authentication of the preposition security system to avoid authenticating again to each individual application, reducing the user's repetitive login work and avoiding the security problems caused by poor custody of authentication credentials;
the application forwarding module, when an application server cannot provide service because of a fault or its service capacity degrades severely, automatically transfers the user's application service requests and operations to other application servers providing the same service, ensuring the continuity of the user's business.
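The access control and security audit modules described above, as an added example that is not part of the patent: a request is admitted only if the device certificate check, the role-based permission and the label-based mandatory check all pass, and every decision (permitted or refused) is written as a syslog-style record for the audit center. The roles, labels, applications and the label ordering are constructed for illustration.

```python
"""Access decision and audit record for a front-end (preposition) security gateway.

Added example, not the patent's code. Role names, applications, security labels
and the label ordering are constructed; the record format follows RFC 5424 syslog.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Ordered security levels (constructed): a subject may only reach an application
# whose label does not exceed the subject's own label.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Role-based policy (constructed): applications each role may use.
ROLE_APPS = {
    "clerk": {"ticketing"},
    "dispatcher": {"ticketing", "scheduling"},
    "admin": {"ticketing", "scheduling", "audit-console"},
}

# Security label assigned to each application by importance/sensitivity (constructed).
APP_LABELS = {"ticketing": "internal", "scheduling": "confidential", "audit-console": "secret"}


@dataclass(frozen=True)
class Subject:
    user: str
    role: str
    label: str             # clearance label bound to the user's certificate/policy entry
    device_cert_ok: bool   # outcome of certificate-based device authentication


def decide(subject: Subject, app: str) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; the first failure is reported."""
    if not subject.device_cert_ok:
        return False, "device certificate not authenticated"
    if app not in APP_LABELS:
        return False, "unknown application"
    if app not in ROLE_APPS.get(subject.role, set()):
        return False, f"role '{subject.role}' not authorised for '{app}'"
    # Mandatory check: the subject's clearance must dominate the application label,
    # even when the role-based policy would grant access.
    if LEVELS[subject.label] < LEVELS[APP_LABELS[app]]:
        return False, f"label '{subject.label}' below application label '{APP_LABELS[app]}'"
    return True, "ok"


def audit_record(subject: Subject, app: str, operation: str,
                 allowed: bool, reason: str, now: datetime | None = None) -> str:
    """Format one audit record in RFC 5424 style for forwarding to the audit center.

    Both permitted and refused accesses are recorded.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    severity = 6 if allowed else 4          # informational vs warning
    pri = 4 * 8 + severity                  # facility 4 (auth): PRI = facility*8 + severity
    outcome = "PERMIT" if allowed else "DENY"
    return (f"<{pri}>1 {ts} preposition-gw access-control - - - "
            f"user={subject.user} role={subject.role} label={subject.label} "
            f"app={app} op={operation} result={outcome} reason=\"{reason}\"")


def handle_request(subject: Subject, app: str, operation: str,
                   now: datetime | None = None) -> tuple[bool, str]:
    """Decide the request and return the decision together with its audit record."""
    allowed, reason = decide(subject, app)
    return allowed, audit_record(subject, app, operation, allowed, reason, now)


if __name__ == "__main__":
    clerk = Subject("zhang", "clerk", "internal", True)
    for target in ("ticketing", "scheduling"):
        _, record = handle_request(clerk, target, "query")
        print(record)
```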
In addition to the above modules, the preposition security system can also include:
an anti-DoS/DDoS module, which monitors network connections at the network level to prevent DoS/DDoS attacks from rendering the application servers unable to work normally;
a role-based network transmission control module, which provides network transmission services of different quality according to the user's role; for example, system administrators or business managers can access application services more quickly, or, when the service is busy, the application system can refuse service access from general staff while business managers continue to access the application;
a built-in LDAP service module, which supports centralized, unified security management while ensuring that application security control does not seriously affect the overall performance of the application service. Through the built-in LDAP service, the system-wide unified security policy is copied locally and converted into a security policy recognizable by the preposition security system, avoiding the network latency and LDAP service latency of traditional centralized LDAP policy queries. In systems covering a wide area with scarce network bandwidth, this function is particularly important.
The preposition security system is able to ensure its own security. It can control the loading and execution of system executable code: based on a unique characteristic of the code (such as its hash value), any unauthorized code will not be invoked or run by the system, ensuring that the preposition security system itself cannot be damaged by illegal code or used by malicious persons to perform illegal operations.
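The hash-based control of executable loading just described, as an added example that is not the patent's code: a loader consults an allowlist of approved SHA-256 digests and refuses anything unknown or modified. The files, their contents and the tampering step are constructed in a temporary directory so the example runs offline.

```python
"""Hash-based control of executable loading.

Added example, not the patent's code. The approved list (path -> SHA-256 hex
digest) stands in for the policy the gateway would receive; the files below
are constructed in a temporary directory.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import tempfile


def sha256_file(path: str) -> str:
    """Digest a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class LoadController:
    """Decides whether an executable may be loaded; every decision is logged."""

    def __init__(self, approved: dict[str, str]):
        self.approved = approved    # hypothetical signed policy: path -> approved digest
        self.log: list[str] = []

    def may_load(self, path: str) -> bool:
        expected = self.approved.get(path)
        if expected is None:
            self.log.append(f"DENY {path}: not in approved list")
            return False
        actual = sha256_file(path)
        # Constant-time comparison of the hex digests.
        if not hmac.compare_digest(actual, expected):
            self.log.append(f"DENY {path}: digest mismatch")
            return False
        self.log.append(f"PERMIT {path}")
        return True


def demo() -> dict:
    """Approved binary loads; the same binary after tampering and an unknown one do not."""
    with tempfile.TemporaryDirectory() as d:
        agent = os.path.join(d, "agent")
        with open(agent, "wb") as f:
            f.write(b"#!/bin/sh\necho agent\n")            # constructed 'approved' executable
        ctl = LoadController({agent: sha256_file(agent)})
        approved = ctl.may_load(agent)

        with open(agent, "ab") as f:
            f.write(b"echo injected\n")                    # constructed modification
        tampered = ctl.may_load(agent)

        rogue = os.path.join(d, "rogue")
        with open(rogue, "wb") as f:
            f.write(b"#!/bin/sh\n")                         # constructed unlisted executable
        unknown = ctl.may_load(rogue)
        return {"approved": approved, "tampered": tampered, "unknown": unknown, "log": ctl.log}


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

A real loader must execute the same file object it hashed (for example by verifying on the open descriptor) rather than re-opening by path, otherwise the file can be swapped between the check and the load.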
The preposition security system can support multiple platform performance levels, including high-end multiprocessor Unix system platforms and relatively low-end Linux platforms, meeting the performance and security requirements of large and medium-sized business application systems and of small application systems respectively.
The preposition security system can, for example, be a multi-CPU hardware security platform based on a Unix system. It meets the user's application security requirements through the following security mechanisms:
Through an application proxy login mechanism, repeated user logins to applications are avoided or reduced, lowering the risks of password management and thus meeting the user's single sign-on requirement. The application proxy login mechanism of this preposition security system does not require changes to the user's existing application structure or business logic.
The security system automatically detects the service availability of the supported application servers; when it determines that the service performance of an application server is below a preset performance threshold, the system automatically selects the next application server providing the same type of service to continue providing the service.
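The forwarding behaviour described above and under function 4, as an added example that is not the patent's code: requests are spread evenly over the servers of the requested service type whose sensed performance is at or above the threshold, and a server that drops below it is skipped in favour of the next one offering the same service. Server names, the performance metric and the threshold are constructed.

```python
"""Application forwarding: choose a back-end by service type and sensed performance.

Added example, not the patent's code. The performance value (0.0 to 1.0) and the
threshold are constructed stand-ins for whatever probe the gateway uses.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class AppServer:
    name: str
    service: str          # type of service this server provides
    performance: float    # latest sensed service performance (constructed metric)


class Forwarder:
    def __init__(self, servers: list[AppServer], threshold: float):
        self.servers = list(servers)
        self.threshold = threshold
        self._rr: dict[str, int] = {}   # round-robin position per service type

    def healthy(self, service: str) -> list[AppServer]:
        """Servers of the given type whose performance is not below the threshold."""
        return [s for s in self.servers
                if s.service == service and s.performance >= self.threshold]

    def select(self, service: str) -> AppServer | None:
        """Next healthy server of the requested type (even distribution), or None."""
        pool = self.healthy(service)
        if not pool:
            return None
        i = self._rr.get(service, 0)
        self._rr[service] = i + 1
        return pool[i % len(pool)]

    def sense(self, name: str, performance: float) -> None:
        """Record the result of a probe of one server."""
        for s in self.servers:
            if s.name == name:
                s.performance = performance


def demo():
    """Even distribution while healthy, failover when one server degrades, None when all do."""
    fw = Forwarder([AppServer("app1", "ticketing", 0.9),
                    AppServer("app2", "ticketing", 0.8),
                    AppServer("rep1", "reporting", 0.95)], threshold=0.5)
    normal = [fw.select("ticketing").name for _ in range(4)]     # alternates app1/app2
    fw.sense("app1", 0.2)                                         # app1 falls below threshold
    degraded = [fw.select("ticketing").name for _ in range(3)]   # only app2 remains
    other = fw.select("reporting").name                           # other service type unaffected
    fw.sense("app2", 0.1)                                         # no ticketing server left
    exhausted = fw.select("ticketing")
    return normal, degraded, other, exhausted


if __name__ == "__main__":
    print(demo())
```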
In addition, for the key business systems of industries such as railways and electric power, multiple high-availability deployment schemes can be provided on the basis of this preposition security system, according to business scale and service security requirements.
1. Application environments with a huge business scale and extremely high requirements for application system business continuity, typified by some comprehensive business applications in the railway system. In such an environment, the cluster scheme of Figure 4 can be chosen.
In Figure 4, the service requests and operations of a large number of client applications are distributed by a load-balancing device to the individual preposition security systems in the "preposition security system cluster", and each preposition security system protects the application according to the security policy. The "system cluster" guarantees application performance in two ways: first, the performance of each preposition security system must match that of the application servers; second, the "system cluster" lets multiple preposition security systems share the load of the application service and jointly perform its security control. The number of preposition security systems in the "system cluster" can be increased or decreased according to the application's performance requirements.
The structure of Figure 4 guarantees the high availability of the application security system in several respects. First, it avoids single points of failure: from the hot-standby load-balancing system to the clustering of multiple preposition security systems in the "system cluster", it provides multiple reliable redundant links from the client terminals to the application service, ensuring that the user's key business can run around the clock, 7x24 hours.
2. Application environments with a relatively large business scale and high requirements for application system business continuity. In such an environment, the dual-machine redundancy scheme of Figure 5 can be chosen.
In Figure 5, two preposition security systems act as hot standbys for each other and are represented externally by a common virtual name/address through network virtualization technology. For a given type of service, one preposition security system acts as the master device and the other as the slave device. Under normal conditions the master device provides application security control for the application; when the master device or its application security control mechanism fails, the slave device automatically detects this state and takes over from the master device to perform security control for the application. The switchover between the devices and the recovery of security control are transparent to the application clients.
Although the present invention has been explained by the above embodiments and their accompanying drawings, those skilled in the art may make various corresponding changes and modifications according to the present invention without departing from its spirit and essence, and all such corresponding changes and modifications fall within the scope of the claims of the present invention.

Claims (6)

1. A preposition security system for ensuring information security, connected between client terminals and a server, characterized in that the preposition security system includes: a security agent module, a secure transmission module, an identity authentication module, an access control module, a single sign-on module, a configuration management module, a security audit module and an application forwarding module;
wherein the security agent module is used to reduce changes to the user's application operating mode through transparent security proxying, ensuring security and compatibility with the application;
the secure transmission module is used to support the SSL protocol and, based on SSL, to establish a secure transmission tunnel between the client terminal and the preposition security system, ensuring the confidentiality and integrity of identity authentication information and business-sensitive data in network transmission;
the identity authentication module is used to implement certificate-based identity authentication;
the access control module is used to support role-based application access control, to assign security labels to applications and their information according to importance or sensitivity, and to enforce mandatory access control based on these security labels, meeting the technical requirements of hierarchical protection;
the security audit module is used to record the user's application service requests and operations and their results, and to send the audit records promptly to the security audit center;
the single sign-on module is used so that a user who has passed identity authentication does not need to authenticate again to each application;
the application forwarding module is used to transfer the user's application service requests and operations automatically to another application server providing the same service when an application server fails.
2. The preposition security system according to claim 1, characterized in that the preposition security system further includes: an anti-DoS/DDoS module, a role-based network transmission control module and a built-in LDAP service module.
3. The preposition security system according to claim 1 or 2, characterized in that multiple preposition security systems can be clustered into a preposition security system cluster.
4. The preposition security system according to claim 3, characterized in that the multiple preposition security systems act as hot standbys for each other and are represented externally by a common virtual name and address through network virtualization technology.
5. The preposition security system according to claim 4, characterized in that one of the multiple preposition security systems acts as the master device under normal conditions, and the others act as slave devices that take over from the master device when it fails.
6. The preposition security system according to claim 1, characterized in that the preposition security system supports Unix system platforms and Linux system platforms.
Family: CN201010568405.7A, priority date 2010-12-01, A kind of preposition security system for ensuring information safety, Active, CN102487378B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010568405.7A CN102487378B (en) 2010-12-01 A kind of preposition security system for ensuring information safety

Publications (2)

Publication Number Publication Date
CN102487378A CN102487378A (en) 2012-06-06
CN102487378B true CN102487378B (en) 2016-12-14

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1536499A (en) * 2003-04-07 2004-10-13 华为技术有限公司 Method for accessing remote terminal in UNIX environment
CN1681247A (en) * 2004-06-30 2005-10-12 中国银行股份有限公司 System of bank on-line inquiring system
CN101018130A (en) * 2007-02-15 2007-08-15 物方恒德(北京)投资咨询有限公司 Finance business system and finance business processing method
CN101093572A (en) * 2007-07-20 2007-12-26 中国建设银行股份有限公司 A preposition system and a centralized data processing system
CN101329791A (en) * 2008-07-10 2008-12-24 大连新中连软件工程有限公司 Identification verification system using finger print

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant