CN107995203A - Network appliance safe management system, method and computer-readable recording medium - Google Patents
- Publication number
- CN107995203A
- Authority
- CN
- China
- Prior art keywords
- certification
- management
- network equipment
- network
- user account
- Prior art date
- Legal status
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
Abstract
An embodiment of the present invention provides a network device security management system, method and computer-readable storage medium. The system includes a management control machine, which receives the management policies set respectively for each user account and for each network device and sends the management policies to an authentication machine in real time; and the authentication machine, which receives the authentication requests and operation authorization requests that are initiated by user accounts and sent by the network devices, and responds to the authentication requests and operation authorization requests according to the management policy of the network device and the management policy of the user account respectively, thereby realizing security management of the network devices.
Description
Technical field
The present invention relates to the technical field of network security, and more particularly to a network device security management system, method and computer-readable storage medium.
Background technology
At present, when local-user mode is used for authentication and authorization, the user's authentication and authorization information, including user name, password and so on, must be configured on each network device. This approach has the following defects:
1. The local user's privilege level, password expiry time, account validity period, password complexity check, user idle cut-off time and so on are all optional configuration items or default configurations. Security is relatively low, depends on the awareness of the operator, and uniformity of the security standard cannot be guaranteed.
2. A local user is valid only on that one network device. If a new network device comes online it must be configured again, and when network management personnel are replaced or leave, local user accounts must be added or deleted on all network devices. The complexity and workload of these operations = number of network administrators x number of network devices, and rises exponentially with network size.
3. For convenience, in many networks all devices and all network administrators share the same local account. The following security problems then easily occur: security incidents caused by unauthorized access, personnel accidents caused by non-standard operation, and situations in which an accident is difficult to audit and trace after it occurs. This is very unfavorable for preventing and controlling network risks and for meeting regulatory compliance requirements.
The content of the invention
An embodiment of the present invention provides a network device security management system, to solve the technical problem in the prior art that configuring user authentication and authorization on the network devices themselves has low security and a high degree of complexity. The system includes: a management control machine, for receiving the management policies set respectively for each user account and for each network device, and sending the management policies to an authentication machine in real time; and the authentication machine, for receiving the authentication requests and operation authorization requests that are initiated by user accounts and sent by the network devices, and responding to the authentication requests and operation authorization requests according to the management policy of the network device and the management policy of the user account respectively, realizing security management of the network devices.
An embodiment of the present invention further provides a network device security management method, to solve the same technical problem of low security and high complexity when user authentication and authorization are configured on the network devices. The method includes: in the management control machine, setting management policies respectively for each user account and each network device, and sending the management policies to the authentication machine in real time; and receiving, by the authentication machine, the authentication requests and operation authorization requests initiated by user accounts and sent by the network devices, and responding to the authentication requests and operation authorization requests according to the management policy of the network device and the management policy of the user account respectively, realizing security management of the network devices.
An embodiment of the present invention further provides a computer-readable storage medium, to solve the same technical problem. The computer-readable storage medium stores a computer program for performing any of the above network device security management methods.
In the embodiments of the present invention, the management policies of the network devices and of the network device user accounts are set in a management control machine outside the network devices, so that authentication and authorization information need not be set on the network devices, and the authentication machine outside the network devices responds to the authentication requests and operation authorization requests sent by the network devices according to the management policy of the network device and the management policy of the user account, realizing security management of authentication and authorization for the network devices. Because authentication and authorization information is no longer set on the network devices, whatever configuration items exist are managed according to the corresponding items in the management policy, which avoids the low security caused by optional or default configuration that depends on the awareness of the operator; the management policy of every network device is set uniformly in the management control machine, so that when a new network device comes online, or network management personnel are replaced or leave, there is no need to add or delete local user accounts on all network devices, which reduces complexity and workload; and because different network devices and users are configured with their own management policies, all devices and all network administrators need not share the same local account, which helps avoid security incidents caused by unauthorized access, personnel accidents caused by non-standard operation, and situations in which an accident cannot be audited and traced after it occurs, further improving security.
Brief description of the drawings
The drawings described here are provided for a further understanding of the present invention and form part of this application; they do not limit the invention. In the drawings:
Fig. 1 is a structural diagram of a network device security management system provided in an embodiment of the present invention;
Fig. 2 is a structural diagram of a specific network device security management system provided in an embodiment of the present invention;
Fig. 3 is a working-principle diagram of a network device security management system provided in an embodiment of the present invention;
Fig. 4 is a structural diagram of a management control machine provided in an embodiment of the present invention;
Fig. 5 is a flow chart of a network device security management method provided in an embodiment of the present invention.
Embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the embodiments and the drawings. The exemplary embodiments of the present invention and their explanations serve to explain the invention and are not a limitation of it.
In an embodiment of the present invention, a network device security management system is provided. As shown in Fig. 1, the system includes:
a management control machine 101, for receiving the management policies set respectively for each user account and for each network device, and sending the management policies to an authentication machine 102 in real time;
the authentication machine 102, for receiving the authentication requests and operation authorization requests that are initiated by user accounts and sent by the network devices, and responding to the authentication requests and operation authorization requests according to the management policy of the network device and the management policy of the user account respectively, realizing security management of the network devices.
As can be seen from Fig. 1, in the embodiment of the present invention the management policies of the network devices and of the network device user accounts are set in a management control machine outside the network devices, so that authentication and authorization information need not be set on the network devices, and the authentication machine outside the network devices responds to the authentication requests and operation authorization requests sent by the network devices according to the management policy of the network device and the management policy of the user account, realizing security management of authentication and authorization for the network devices. Because authentication and authorization information is no longer set on the network devices, whatever configuration items exist are managed according to the corresponding items in the management policy, which avoids the low security caused by optional or default configuration that depends on the awareness of the operator; the management policy of every network device is set uniformly in the management control machine, so that when a new network device comes online, or network management personnel are replaced or leave, there is no need to add or delete local user accounts on all network devices, which reduces complexity and workload; and because different network devices and users are configured with their own management policies, all devices and all network administrators need not share the same local account, which helps avoid security incidents caused by unauthorized access, personnel accidents caused by non-standard operation, and situations in which an accident cannot be audited and traced after it occurs, further improving security.
In a specific implementation, after the administrator has set a management policy for each user account and each network device in the management control machine, the authentication machine responds to authentication requests and operation authorization requests according to the management policy of the network device and the management policy of the user account respectively. Specifically, when a user operating on a network device through a user account initiates an authentication request and/or an operation authorization request, as shown in Fig. 2, either one of the above authentication machines or several of them can receive and respond to the authentication requests and/or operation authorization requests. For example, in order to scale elastically from an enterprise network up to a large carrier network, an appropriate number of authentication machines can be chosen according to the number of network devices, realizing horizontal extension of the system without reducing service quality. Even if some hardware or software fails, the service of the whole system can be kept uninterrupted, 7 x 24 hours.
For a small-network scenario with few network devices, a single authentication machine can be used, that is, the standalone mode shown in Fig. 2, in which one authentication machine receives and responds to the authentication requests and/or operation authorization requests. An authentication machine in standalone mode does not depend on other resources, is deployed independently and works out of the box, needs only simple initial configuration, and is suitable for small and medium network scenarios.
For a large-network scenario, several authentication machines can be used, that is, the cluster mode shown in Fig. 2: several authentication machines form a cluster and handle authentication requests and/or operation authorization requests at the same time. Using several authentication machines avoids purchasing high-specification hosts or high-end devices such as F5, which reduces cost and improves economy.
At the same time, in the mode where several authentication machines form a cluster, when the processing capacity of each authentication machine is strong enough or the command response time is short enough, the authentication requests and/or operation authorization requests are received and responded to in parallel by the several authentication machines, so that even when the number of network devices is large, the time taken to respond to an operation command does not increase noticeably (it is imperceptible to people); the number of network devices managed is not less than 100,000.
In a specific implementation, when several authentication machines receive and respond to authentication requests and/or operation authorization requests in parallel, in order to avoid load imbalance, in this embodiment, as shown in Fig. 2, the system further includes a load balancer, for selecting one authentication machine among the several as the master machine, wherein the master machine receives the authentication requests and operation authorization requests sent by the network devices and, according to the load of the other authentication machines, distributes the authentication requests and operation authorization requests evenly over those other authentication machines, each of which responds to the authentication requests and operation authorization requests distributed to it.
Specifically, in standalone mode, once the network devices requesting authentication reach a certain scale, the load on the authentication machine exceeds a critical value; in cluster mode, after a load balancer is added to the authentication cluster, even when the network devices requesting authentication reach that scale the load is distributed evenly over the authentication machines and the load on each does not exceed the critical value, which improves the stability of the authentication machines. Specifically, the load-balancing algorithms the load balancer can select from are round robin, random, source-address hash, weighted, and least connections. The load balancer is responsible for electing one authentication machine node in the cluster as the master machine; if that node crashes, another is elected automatically.
Specifically, adding a load balancer to the authentication cluster means there is no need to purchase a hardware load balancer such as an L4-7 layer switch, and the related maintenance expense is avoided (current vendor quotations are usually 200,000 to 300,000 per unit).
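The cluster behaviour described above, as an added example that is not code from the patent: one authentication machine is elected master, the master spreads incoming requests over the other machines using one of the five listed algorithms, a crashed master is replaced automatically, and standalone versus cluster load is compared against an assumed critical value. All class and function names and CRITICAL_LOAD are assumptions.

```python
"""Authentication-machine cluster behind a load balancer (added example).

One machine is elected master, the master takes every request from the
network devices and spreads it over the other machines by load, and a
crashed master is replaced automatically. Names and the CRITICAL_LOAD
value are assumptions, not taken from the patent.
"""
import hashlib
import random
from dataclasses import dataclass

CRITICAL_LOAD = 3  # assumed "critical value": in-flight requests one machine can hold


@dataclass
class AuthMachine:
    name: str
    weight: int = 1      # used by the weighted algorithm
    alive: bool = True
    active: int = 0      # in-flight requests, the least-connections metric


class AuthCluster:
    """Load balancer plus cluster; `algorithm` is one of the five the text lists."""

    ALGORITHMS = ("round_robin", "random", "source_hash", "weighted", "least_conn")

    def __init__(self, machines, algorithm="least_conn", seed=0):
        if algorithm not in self.ALGORITHMS:
            raise ValueError(f"unknown algorithm {algorithm}")
        self.machines = list(machines)
        self.algorithm = algorithm
        self.rng = random.Random(seed)   # seeded so runs are reproducible
        self._rr = 0
        self.master = None
        self.elect_master()

    def elect_master(self):
        """Elect one live machine as master (lowest name wins; any live node would do)."""
        alive = [m for m in self.machines if m.alive]
        if not alive:
            raise RuntimeError("no authentication machine alive")
        self.master = min(alive, key=lambda m: m.name)
        return self.master

    def _workers(self):
        # the master distributes to the other live machines; if alone, it works itself
        others = [m for m in self.machines if m.alive and m is not self.master]
        return others or [self.master]

    def _pick(self, request):
        ws = self._workers()
        if self.algorithm == "round_robin":
            m = ws[self._rr % len(ws)]
            self._rr += 1
        elif self.algorithm == "random":
            m = self.rng.choice(ws)
        elif self.algorithm == "source_hash":   # same source always lands on the same node
            h = int(hashlib.sha256(request["source"].encode()).hexdigest(), 16)
            m = ws[h % len(ws)]
        elif self.algorithm == "weighted":
            m = self.rng.choices(ws, weights=[w.weight for w in ws])[0]
        else:                                   # least_conn
            m = min(ws, key=lambda w: w.active)
        return m

    def dispatch(self, request):
        """Master receives a request and hands it to a worker; returns the worker's name."""
        if not self.master.alive:
            self.elect_master()                 # master crashed: re-elect automatically
        m = self._pick(request)
        m.active += 1
        return m.name

    def max_load(self):
        return max(m.active for m in self.machines if m.alive)


def standalone_load(n_requests):
    """Standalone mode: the single machine carries every in-flight request."""
    return n_requests


def cluster_load(n_requests, n_machines, algorithm="least_conn"):
    """Cluster mode: heaviest per-machine load after n_requests arrive at once."""
    c = AuthCluster([AuthMachine(f"auth{i}") for i in range(n_machines)], algorithm)
    for i in range(n_requests):
        c.dispatch({"id": i, "source": f"10.0.0.{i}"})   # constructed request
    return c.max_load()


def demo():
    # constructed scenario: 6 devices ask at the same moment, standalone vs a 4-node cluster
    return {"standalone": standalone_load(6), "cluster": cluster_load(6, 4),
            "critical": CRITICAL_LOAD}
```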
In a specific implementation, a corresponding program can be set up on the authentication machine to perform the function of receiving and responding to authentication requests and/or operation authorization requests. For example, as shown in Fig. 3, when a user operating on a network device through a user account initiates an authentication request, the authentication machine receives the authentication request and requires the operating user to enter information such as user name and password, then verifies the user name, password and other information entered by the user against the account information in the management policy of the user account combined with the account information in the management policy of the network device (specifically, when both the user account and the network device have a management policy, the two are combined for authentication; if only one of the user account and the network device has a management policy, authentication follows that one side's policy), so as to respond to the authentication request and complete authentication. After authentication is complete, when the user operating on the network device through the user account initiates an operation authorization request, the authentication machine receives the operation authorization request and responds to it using the command operation authority in the management policy of the user account combined with the command operation authority in the management policy of the network device (again, when both have a management policy the two are combined; if only one side has one, that side's policy is used), judging whether the requested operation is allowed to be performed: if it is allowed, an "operation permitted" result is output directly; if it is not allowed, an "operation refused" result is output. This responds to the operation authorization request and completes authorization.
In a specific implementation, when the authentication machine handles authentication requests it can support protocols such as TACACS+ and RADIUS; specifically, the corresponding authentication mode can be selected for different types of network device.
In a specific implementation, when the authentication machine handles operation authorization requests it can support two modes, authorization by command line and authorization by permission level; specifically, the corresponding authorization mode can be selected for different types of network device.
In a specific implementation, while the authentication machine receives and responds to authentication requests and/or operation authorization requests, after a user accesses and operates a network device the authentication machine stores an operation log that records information such as the user's operations and the time they occurred. Keeping the log there avoids the problem that the operation records of a local user account generated on the network device itself cannot be persisted and can be wiped by an unauthorized user. Specifically, the authentication machine supports storing all user operation records, and the retention period must not be less than six months, to meet the explicit requirement of the Cybersecurity Law of the People's Republic of China adopted on November 7, 2016, Chapter 3, Article 21, item (3): "take technical measures to monitor and record network operating status and network security events, and retain the relevant network logs for no less than six months in accordance with regulations".
Specifically, the authentication machine can also dump the operation log to a disk array or a cloud storage resource pool according to user demand.
Specifically, the operation log stored by the authentication machine can include the content shown in Table 1 below.
| Device address | Source address | User account | User's name | Operating time | Command line |
| --- | --- | --- | --- | --- | --- |
| 119.146.1.2 | 172.168.0.108 | yzrui | Yang Zhong | 2017/8/1 11:57 | show port 1/1/14 |
| 119.146.1.2 | 172.168.0.108 | yzrui | Yang Zhong | 2017/8/1 11:58 | show port 1/1/14 |
| 119.146.1.2 | 172.168.0.108 | yzrui | Yang Zhong | 2017/8/1 11:59 | show port 1/1/14 |
| 119.146.1.2 | 172.168.0.108 | yzrui | Yang Zhong | 2017/8/1 11:55 | show port 1/1/4 |
| 119.146.1.2 | 172.168.0.108 | yzrui | Yang Zhong | 2017/8/1 11:55 | show port 1/1/14 |
| 119.146.1.2 | 172.168.0.108 | yzrui | Yang Zhong | 2017/8/1 11:55 | show port 1/1/14 |
| 119.146.2.3 | 202.103.1.8 | mzmccw01 | Plum tinkling of pieces of jades | 2017/8/1 12:00 | configure router |
| 119.146.2.3 | 202.103.1.8 | mzmccw01 | Plum tinkling of pieces of jades | 2017/8/1 12:00 | info |
| 119.146.2.3 | 202.103.1.8 | mzmccw01 | Plum tinkling of pieces of jades | 2017/8/1 12:01 | info |
| 119.146.2.3 | 202.103.1.8 | mzmccw01 | Plum tinkling of pieces of jades | 2017/8/1 12:01 | interface "ge-1/1/14" |
| 119.146.2.3 | 202.103.1.8 | mzmccw01 | Plum tinkling of pieces of jades | 2017/8/1 12:02 | show port 1/1/14 |
| 119.146.2.3 | 202.103.1.8 | mzmccw01 | Plum tinkling of pieces of jades | 2017/8/1 12:00 | ping 172.19.17.78 |
| 119.146.2.3 | 202.103.1.8 | mzmccw01 | Plum tinkling of pieces of jades | 2017/8/1 12:01 | address 172.19.17.78/30 |
| 119.146.2.3 | 202.103.1.8 | mzmccw01 | Plum tinkling of pieces of jades | 2017/8/1 12:01 | show port 1/1/14 |
| 119.146.2.3 | 202.103.1.8 | mzmccw01 | Plum tinkling of pieces of jades | 2017/8/1 13:15 | show router route-table 19.0.0.0 |
| 119.146.2.3 | 202.103.1.8 | mzmccw01 | Plum tinkling of pieces of jades | 2017/8/1 13:15 | configure router |
| 119.146.2.3 | 202.103.1.8 | mzmccw01 | Plum tinkling of pieces of jades | 2017/8/1 13:15 | info |
| 119.146.2.3 | 202.103.1.8 | mzmccw01 | Plum tinkling of pieces of jades | 2017/8/1 13:15 | no static-route 19.0.0.0/8 next-hop 17.19.17.77 |
| 119.146.2.3 | 202.103.1.8 | mzmccw01 | Plum tinkling of pieces of jades | 2017/8/1 13:16 | static-route 19.0.0.0/8 next-hop 172.19.17.77 |
| 119.146.2.3 | 202.103.1.8 | mzmccw01 | Plum tinkling of pieces of jades | 2017/8/1 13:16 | info |
| 119.146.2.3 | 202.103.1.8 | mzmccw01 | Plum tinkling of pieces of jades | 2017/8/1 13:16 | show router route-table 19.0.0.0 |
| 119.146.2.3 | 202.103.1.8 | mzmccw01 | Plum tinkling of pieces of jades | 2017/8/1 13:16 | exit |
| 119.146.2.3 | 202.103.1.8 | mzmccw01 | Plum tinkling of pieces of jades | 2017/8/1 13:16 | admin save |
| 119.146.2.3 | 202.103.1.8 | mzmccw01 | Plum tinkling of pieces of jades | 2017/8/1 15:20 | show router route-table 125.89.159.0 |
Table 1
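An operation-log store with the properties the text asks for, as an added example that is not code from the patent: records in the Table 1 column layout are held off the network device, an audit query reconstructs who changed what on a device, and a retention guard refuses to purge anything younger than six months. The sample rows are constructed from a subset of Table 1 (one user name replaced by a placeholder); RETENTION_DAYS, CHANGE_KEYWORDS and all names are assumptions.

```python
"""Operation-log store kept on the authentication machine (added example).

Records follow the column order of Table 1, live off the network device so
a local account cannot wipe them, and purge_expired() enforces the
six-month retention floor. Names and constants are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

RETENTION_DAYS = 183  # assumed encoding of "not less than six months"

# constructed sample: a subset of the Table 1 rows, one name replaced by a placeholder
SAMPLE_ROWS = """
119.146.1.2 | 172.168.0.108 | yzrui    | Yang Zhong     | 2017/8/1 11:57 | show port 1/1/14
119.146.2.3 | 202.103.1.8   | mzmccw01 | (name omitted) | 2017/8/1 13:15 | configure router
119.146.2.3 | 202.103.1.8   | mzmccw01 | (name omitted) | 2017/8/1 13:15 | info
119.146.2.3 | 202.103.1.8   | mzmccw01 | (name omitted) | 2017/8/1 13:15 | no static-route 19.0.0.0/8 next-hop 17.19.17.77
119.146.2.3 | 202.103.1.8   | mzmccw01 | (name omitted) | 2017/8/1 13:16 | static-route 19.0.0.0/8 next-hop 172.19.17.77
119.146.2.3 | 202.103.1.8   | mzmccw01 | (name omitted) | 2017/8/1 13:16 | admin save
"""

# constructed: command prefixes that change device state, used by the audit query
CHANGE_KEYWORDS = ("configure", "no ", "static-route", "address", "admin save", "interface")


@dataclass(frozen=True)
class OpRecord:
    device: str       # address of the network device operated on
    source: str       # address the user logged in from
    account: str
    user_name: str
    time: datetime
    command: str


def parse_row(row):
    """Parse one pipe-separated row in the Table 1 column order."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) != 6:
        raise ValueError(f"expected 6 cells, got {len(cells)}: {row!r}")
    dev, src, acct, name, ts, cmd = cells
    return OpRecord(dev, src, acct, name, datetime.strptime(ts, "%Y/%m/%d %H:%M"), cmd)


class OperationLog:
    """Append-only store: the only way a record leaves is a retention-based purge."""

    def __init__(self):
        self._records = []

    def record(self, rec):
        self._records.append(rec)

    def load_rows(self, text):
        """Ingest pipe-separated rows; returns the number of records added."""
        n = 0
        for line in text.strip().splitlines():
            self.record(parse_row(line))
            n += 1
        return n

    def trail(self, device=None, account=None):
        """Audit trail, oldest first, optionally filtered by device and/or account."""
        out = [r for r in self._records
               if (device is None or r.device == device)
               and (account is None or r.account == account)]
        return sorted(out, key=lambda r: r.time)   # stable: ties keep arrival order

    def config_changes(self, device):
        """Who changed what on a device: the state-changing commands in its trail."""
        return [(r.account, r.source, r.command) for r in self.trail(device)
                if r.command.lower().startswith(CHANGE_KEYWORDS)]

    def purge_expired(self, now):
        """Drop only records older than the retention floor; returns how many."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        keep = [r for r in self._records if r.time >= cutoff]
        dropped = len(self._records) - len(keep)
        self._records = keep
        return dropped

    def __len__(self):
        return len(self._records)
```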
In a specific implementation, in order to set the management policies for each user and each network device uniformly in the management control machine, in this embodiment, as shown in Fig. 4, the management control machine includes:
a role setup module 401, for receiving the command operation authority set in the management policy of each user account; for example, first set the user account so that all commands under a certain level are allowed, as shown in Table 2 below; then set deny rules (as shown in Table 3 below) to disable commands the user account is not meant to use; then set permit rules (as shown in Table 4 below) to license the user account to use certain special commands;
a device group management module 402, for grouping all network devices and receiving the command operation authority set in the management policy for each network device group, wherein the management policy of each network device group is set according to the working characteristics of the network devices of that group; for example, different command operation authorities are set for each network device group according to whether it is core working equipment or ordinary working equipment, that is, according to the importance of the group;
a user group management module 403, for grouping the user accounts of all network devices and receiving the command operation authority set in the management policy for each user account group, wherein the management policy of each user account group is set according to the working characteristics of the users of that group; specifically, the source addresses from which some groups of user accounts may log in to network devices can be restricted. For example, in a small-enterprise network scenario, user accounts can be distinguished as system administrators or ordinary-authority users, and different command operation authorities set according to the different work identities; in a large-enterprise network scenario, employees can be divided into different working groups whose work differs in importance, and different command operation authorities set for the user accounts of the different working groups;
an account management module 504, for receiving the account management items set in the management policy for the passwords of each user account and network device, for example password expiry time for user accounts and network devices, and automatic recycling of temporary accounts.
Table 2: Cisco router (default action rule set; permission level set)
| Operational command | Operation rule | Allowed |
| --- | --- | --- |
| show | permit.* | |
| traceroute | permit.* | |
| ping | permit.* | |
| context | permit.* | |
| admin | permit.* | |
| dir | permit.* | |
| (remaining rows omitted) | | |
Table 2
Table 3: Juniper routers (default action rule set; permission level set)
| View operational command | Operation rule | Allowed |
| --- | --- | --- |
| request | permit | |
| configure | deny | |
| restart | deny | |
| start | deny | |
| Configure operational command | Operation rule | Allowed |
| System-view.* | deny | |
| (remaining rows omitted) | | |
Table 3
Table 4: Huawei router (default action rule set; permission level set)
| Operational command | Operation rule | Allowed |
| --- | --- | --- |
| display | permit.* | |
| ping | permit.* | |
| save | deny.* | |
| (remaining rows omitted) | | |
Table 4
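The authorization decision on the authentication machine, as an added example that is not code from the patent. It covers the Fig. 3 flow (user-account policy combined with device policy when both exist, one side deciding when only it has a policy), the role setup order (permission level first, then deny rules, then permit rules for special commands) with rules shaped like Tables 2 to 4, and the user group module's source-address restriction. The rule precedence (permit over deny over level), the fail-closed default when no policy exists, the COMMAND_LEVELS table, the sample policies and all names are assumptions.

```python
"""Command authorization on the authentication machine (added example).

Both authorization modes the text names are covered: by command line
(permit/deny regex rules as in Tables 2 to 4) and by permission level.
Precedence, the fail-closed default, COMMAND_LEVELS and all names are
assumptions, not taken from the patent.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# constructed privilege level per command keyword (not from the patent)
COMMAND_LEVELS = {
    "show": 1, "display": 1, "ping": 1, "traceroute": 1, "dir": 1, "info": 1,
    "context": 1, "request": 10, "admin": 15, "configure": 15, "save": 15,
    "restart": 15, "start": 15, "system-view": 15,
}


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    pattern: str   # regex over the whole command line, e.g. r"show(\s.*)?"

    def matches(self, line):
        return re.fullmatch(self.pattern, line.strip(), flags=re.IGNORECASE) is not None


@dataclass
class Policy:
    """One side's management policy (a user account's or a device group's)."""
    level: int = 0                                 # commands at or below this level pass
    rules: list = field(default_factory=list)      # Rule objects, as in Tables 2-4
    sources: list = field(default_factory=list)    # CIDRs allowed to log in; empty = any

    def source_allowed(self, addr):
        """User group module: restrict the source address a group may log in from."""
        if not self.sources:
            return True
        ip = ipaddress.ip_address(addr)
        return any(ip in ipaddress.ip_network(c) for c in self.sources)

    def decide(self, line):
        """Special-command permit beats deny; deny beats the level default."""
        if any(r.action == "permit" and r.matches(line) for r in self.rules):
            return True
        if any(r.action == "deny" and r.matches(line) for r in self.rules):
            return False
        words = line.split()
        keyword = words[0].lower() if words else ""
        return COMMAND_LEVELS.get(keyword, 99) <= self.level   # unknown command never passes by level


def authorize(line, user_policy, device_policy):
    """Fig. 3: both sides present -> both must permit; one side -> it decides; none -> refuse."""
    sides = [p for p in (user_policy, device_policy) if p is not None]
    if not sides:
        return False
    return all(p.decide(line) for p in sides)


def authenticate_source(user_policy, device_policy, source_addr):
    """Login-time check that the source address is allowed by every policy present."""
    sides = [p for p in (user_policy, device_policy) if p is not None]
    return all(p.source_allowed(source_addr) for p in sides)


# constructed policies shaped like Tables 2-4 and the Table 1 source addresses
OPERATOR = Policy(level=1, rules=[Rule("permit", r"show(\s.*)?")],
                  sources=["172.168.0.0/16"])
ADMIN = Policy(level=15)
JUNIPER_GROUP = Policy(level=15, rules=[
    Rule("permit", r"request(\s.*)?"),
    Rule("deny", r"configure(\s.*)?"),
    Rule("deny", r"restart(\s.*)?"),
    Rule("deny", r"start(\s.*)?"),
    Rule("deny", r"system-view(\s.*)?"),
])
HUAWEI_GROUP = Policy(level=15, rules=[
    Rule("permit", r"display(\s.*)?"),
    Rule("permit", r"ping(\s.*)?"),
    Rule("deny", r"save(\s.*)?"),
])


def demo():
    """Decisions worth checking, returned as a dict so they can be asserted."""
    return {
        "operator_show_huawei": authorize("show port 1/1/14", OPERATOR, HUAWEI_GROUP),
        "operator_save_huawei": authorize("save", OPERATOR, HUAWEI_GROUP),
        "admin_save_huawei": authorize("save", ADMIN, HUAWEI_GROUP),
        "admin_configure_juniper": authorize("configure router", ADMIN, JUNIPER_GROUP),
        "admin_request_juniper": authorize("request support information", ADMIN, JUNIPER_GROUP),
        "admin_configure_no_device_policy": authorize("configure router", ADMIN, None),
        "no_policy_at_all": authorize("show version", None, None),
        "operator_allowed_source": authenticate_source(OPERATOR, HUAWEI_GROUP, "172.168.0.108"),
        "operator_other_source": authenticate_source(OPERATOR, HUAWEI_GROUP, "202.103.1.8"),
    }
```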
In a specific implementation, so that the authentication and authorization of the above network device security management system are compatible with and support network devices of different vendors and types, in this embodiment the management control machine is further used to provide, through an interface, the management policy setting logic corresponding to each vendor's network devices, and to receive the corresponding contents of the management policy entered for each network device. In this way the above network device security management system fully supports equipment from the access layer to the aggregation layer to the core layer, and can achieve a management scale of not less than 100,000 devices; for example, in one deployed project: routers 2200, switches 10000, A/B/ER devices 31000, DSLAM/OLT devices 23000.
The network devices may include those of different vendors, for example Huawei (routers: NE40/80E series, 5200G, ME60 series, NE5000E series; switches: S9300 series, S3300 series; IPRAN: ATN910, ATN950, CX600; firewall 1000TA, etc.), Cisco (routers: CRS series, 7609 series), ZTE (routers: ME6000; switches: 8905, T64G), Alcatel 7750, Redback SE800/SE1200 series, Juniper ERX series, etc.; OLT devices (Alcatel 7302R2, Huawei 5600, ZTE 9800V3, Huawei 5100, Greenville GFA series); DSLAM devices (FiberHome 5006-20, Huawei 5616, ZTE 9806H); F5B-IGP series; NSFOCUS security devices, etc.
Based on the same inventive concept, an embodiment of the present invention further provides a network device security management method, as described in the following embodiments. Because the principle by which the network device security management method solves the problem is similar to that of the network device security management system, the implementation of the method may refer to the implementation of the system, and repeated parts are not described again.
Fig. 5 is a flow chart of the network device security management method of the embodiment of the present invention. As shown in Fig. 5, the method includes:
Step 501: in the management control machine, set management policies respectively for each user account and each network device, and send the management policies to the authentication machine in real time;
Step 502: receive, by the authentication machine, the authentication requests and operation authorization requests initiated by user accounts and sent by the network devices, and respond to the authentication requests and operation authorization requests according to the management policy of the network device and the management policy of the user account respectively, realizing security management of the network devices.
In one embodiment, the above method further includes:Operation log is stored on the certification machine.
In one embodiment, the certification initiated by user account for network equipment transmission being received by the certification machine please
Sum operation authorization requests, and responded respectively according to the management strategy of the network equipment and the management strategy of the user account
The certification request and authorization request, including:Receive simultaneously response to network equipment parallel by the more certification machines
Certification request and the authorization request of transmission.
In one embodiment, the plurality of authentication machines receiving and responding in parallel to the authentication requests and operation authorization requests sent by the network devices includes: selecting, by a load balancer, one authentication machine among the plurality as the master machine, where the master machine receives the authentication requests and operation authorization requests sent by the network devices and, according to the load of the other authentication machines in the plurality, distributes the authentication requests and operation authorization requests evenly among those other machines; each of the other authentication machines then responds to the requests distributed to it.
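The master-and-workers arrangement of this embodiment, as an added Python example that is not code from the patent or from any product: a load balancer picks the least-loaded authentication machine as master, and the master hands each request to whichever of the other machines currently has the lowest load, so the requests end up spread evenly. The class names, the in-flight counter used as the "loading condition" and the tie-breaking rule (first machine listed wins a tie) are assumptions made here.

```python
"""Added example (not from the patent): a pool of authentication machines, a
load balancer that chooses one of them as master, and a master that hands each
incoming request to the least-loaded of the other machines.  Class and method
names are assumptions made for this illustration."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class AuthMachine:
    name: str
    load: int = 0                                     # requests currently in flight
    handled: List[str] = field(default_factory=list)  # requests this machine answered

    def respond(self, request: str) -> str:
        """Answer one authentication / operation-authorization request."""
        self.load += 1
        self.handled.append(request)
        return f"{self.name}:{request}:ok"

    def complete(self) -> None:
        """Mark one in-flight request as finished so the master sees a lower load."""
        self.load = max(0, self.load - 1)


def select_master(machines: List[AuthMachine]) -> AuthMachine:
    """Load balancer: choose the least-loaded machine as master (ties -> first listed)."""
    if not machines:
        raise ValueError("no authentication machines available")
    return min(machines, key=lambda m: m.load)


class Master:
    """The master receives every request and distributes it by current load."""

    def __init__(self, me: AuthMachine, pool: List[AuthMachine]) -> None:
        self.me = me
        self.workers = [m for m in pool if m is not me]

    def dispatch(self, request: str) -> str:
        if not self.workers:            # only one machine: the master answers itself
            return self.me.respond(request)
        target = min(self.workers, key=lambda m: m.load)   # least-loaded worker
        return target.respond(request)


def run_cluster(machines: List[AuthMachine], requests: List[str]) -> List[str]:
    """Select a master, then push every request through it; returns the responses."""
    master = Master(select_master(machines), machines)
    return [master.dispatch(r) for r in requests]


if __name__ == "__main__":
    pool = [AuthMachine("auth-1"), AuthMachine("auth-2"), AuthMachine("auth-3")]
    for line in run_cluster(pool, [f"req-{i}" for i in range(6)]):
        print(line)
    print({m.name: m.load for m in pool})
```

With three idle machines and six requests the master answers none itself and the two workers receive three each; with a worker that starts out busier, new requests flow to the idle one until the loads are level, which is the "according to the loading condition" behaviour the embodiment describes.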
In one embodiment, setting a management policy for each user account and each network device on the management control machine includes: for each user account, setting the command operation permissions in its management policy; grouping all network devices and setting the command operation permissions in the management policy of each network device group, where the management policy of each network device group is set according to the working characteristics of the network devices in that group; grouping the user accounts of all network devices and setting the command operation permissions in the management policy of each user account group, where the management policy of each user account group is set according to the working characteristics of the user accounts in that group; and setting the account management items in the management policy for the passwords of each user account and each network device.
In one embodiment, setting a management policy for each network device on the management control machine includes: for the network devices of different vendors, providing through an interface the management policy setting logic corresponding to that vendor's network devices, and entering the corresponding contents of the management policy for each network device according to the corresponding policy setting logic.
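Steps 501 and 502 together with the policy-setting embodiment above, as an added Python example that is not code from the patent: the management control machine holds per-account, per-user-group and per-device-group command operation permissions plus the account management item, pushes a copy to the authentication machine on every change, and the authentication machine answers authentication and operation authorization requests from that copy alone while keeping an operation log. Password hashing with PBKDF2, the group layout, the rule that a command must be permitted by both the user's policy and the device group's policy, and all names are assumptions made for this illustration; the patent does not specify how credentials are stored or how the two policies are combined.

```python
"""Added example (not from the patent): a management control machine that holds
the per-user-account and per-network-device management policies and pushes every
change to an authentication machine immediately, plus the authentication
machine's handling of authentication and operation-authorization requests with
an operation log.  All names, the group layout and the combination rule are
assumptions made for this illustration."""
import copy
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 so no plaintext password is ever stored or pushed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class UserPolicy:
    group: str               # user-account group; its policy is shared by members
    salt: bytes
    pw_hash: bytes
    commands: Set[str]       # command operation permissions of this account alone
    disabled: bool = False   # account management item


class ManagementControlMachine:
    """Receives the policies an administrator sets and forwards them in real time."""

    def __init__(self) -> None:
        self.users: Dict[str, UserPolicy] = {}
        self.user_groups: Dict[str, Set[str]] = {}    # user group   -> commands
        self.device_groups: Dict[str, Set[str]] = {}  # device group -> commands
        self.devices: Dict[str, str] = {}             # device name  -> device group
        self.subscribers: List["AuthMachine"] = []

    def subscribe(self, auth: "AuthMachine") -> None:
        self.subscribers.append(auth)
        self._push()

    def set_user(self, name: str, password: str, group: str, commands: Iterable[str] = ()) -> None:
        salt = os.urandom(16)
        self.users[name] = UserPolicy(group, salt, hash_password(password, salt), set(commands))
        self._push()

    def disable_user(self, name: str) -> None:
        self.users[name].disabled = True
        self._push()

    def set_user_group(self, group: str, commands: Iterable[str]) -> None:
        self.user_groups[group] = set(commands)
        self._push()

    def set_device_group(self, group: str, commands: Iterable[str]) -> None:
        self.device_groups[group] = set(commands)
        self._push()

    def set_device(self, device: str, group: str) -> None:
        self.devices[device] = group
        self._push()

    def _push(self) -> None:
        """Real-time delivery: every change is copied to all authentication machines."""
        snapshot = copy.deepcopy({"users": self.users, "user_groups": self.user_groups,
                                  "device_groups": self.device_groups, "devices": self.devices})
        for auth in self.subscribers:
            auth.receive_policy(snapshot)


class AuthMachine:
    """Answers requests purely from the pushed policy; nothing is configured on the device."""

    def __init__(self) -> None:
        self.policy: Dict[str, dict] = {"users": {}, "user_groups": {}, "device_groups": {}, "devices": {}}
        self.log: List[str] = []   # operation log kept on the authentication machine

    def receive_policy(self, snapshot: Dict[str, dict]) -> None:
        self.policy = snapshot

    def authenticate(self, device: str, user: str, password: str) -> bool:
        """Authentication request: the device forwards the user's credentials."""
        u = self.policy["users"].get(user)
        ok = (device in self.policy["devices"] and u is not None and not u.disabled
              and hmac.compare_digest(hash_password(password, u.salt), u.pw_hash))
        self.log.append(f"AUTH device={device} user={user} result={'accept' if ok else 'reject'}")
        return ok

    def authorize(self, device: str, user: str, command: str) -> bool:
        """Operation authorization: the command must be allowed by both the user's
        policy (own permissions plus its group) and the device group's policy."""
        u = self.policy["users"].get(user)
        dev_group = self.policy["devices"].get(device)
        if u is None or u.disabled or dev_group is None:
            ok = False
        else:
            user_allowed = u.commands | self.policy["user_groups"].get(u.group, set())
            device_allowed = self.policy["device_groups"].get(dev_group, set())
            ok = command in user_allowed and command in device_allowed
        self.log.append(f"AUTHZ device={device} user={user} cmd={command} result={'permit' if ok else 'deny'}")
        return ok
```

Typical use is to create a `ManagementControlMachine`, `subscribe` an `AuthMachine`, then call the `set_*` methods; every call re-pushes the whole policy, so a device that sends `authenticate(...)` or `authorize(...)` a moment later is judged against the current policy without any configuration on the device itself. Requiring the command in both the user's and the device group's permission set is the conservative choice: an account allowed `configure` is still denied on a device group whose policy only permits `show`, and disabling an account on the control machine immediately rejects it everywhere.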
This embodiment additionally provides a computer-readable storage medium, which stores a computer program that executes any of the above network appliance safe management methods.
In practice, with the network appliance safe management method and system proposed above, each vendor no longer needs to set authentication, authorization and similar information on its own network devices; instead, the network devices of every vendor are controlled uniformly by setting management policies on the management control machine described above and having the authentication machine described above perform authentication and authorization processing uniformly.
The embodiment of the present invention achieves the following technical effects. By setting the management policies of the network devices and of the network device user accounts on a management control machine outside the network devices, it avoids setting authentication and authorization information on the network devices themselves; and by having an authentication machine outside the network devices respond to the authentication requests and operation authorization requests sent by the network devices according to the management policy of the network device and the management policy of the user account, it achieves security management of network device authentication and authorization. Because authentication and authorization information is no longer set on the network devices, every configuration item is managed according to the corresponding item in the management policy rather than depending on the awareness of the operator, which avoids the low security caused by missed configuration or default configuration. Every network device has its management policy set on the unified management control machine, so when a new network device comes online and needs configuring, when network management personnel are replaced, or when personnel leave, there is no need to add or delete local user accounts on every network device, which reduces tedium and workload. Separate management policies are configured for different network devices and users, so all devices and all network administrators do not share the same local account; this helps avoid unauthorized access, personnel accidents and mishaps caused by non-standard operation, and the situation where a security incident is hard to audit and trace after it occurs, and so further improves security.
Obviously, those skilled in the art should understand that each module or step of the above embodiment of the present invention can be realized with a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network formed by multiple computing devices; alternatively, they can be realized with program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, and in some cases the steps shown or described can be performed in an order different from that given here; or they can be made into individual integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. In this way, the embodiment of the present invention is not restricted to any specific combination of hardware and software.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the invention; for those skilled in the art, the embodiment of the present invention can have various modifications and variations. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.
Claims (11)
- 1. A network appliance safe management system, characterized in that it includes: a management control machine, for receiving the management policies set respectively for each user account and each network device, and sending the management policies to an authentication machine in real time; and the authentication machine, for receiving the authentication request initiated by a user account and the operation authorization request sent by a network device, and responding to the authentication request and the operation authorization request according to the management policy of the network device and the management policy of the user account respectively, thereby realizing security management of the network device.
- 2. The network appliance safe management system of claim 1, characterized in that there are a plurality of authentication machines, and the plurality of authentication machines receive and respond in parallel to the authentication requests and operation authorization requests sent by the network devices.
- 3. The network appliance safe management system of claim 2, characterized in that it further includes a load balancer, for selecting one authentication machine among the plurality of authentication machines as a master machine, wherein the master machine receives the authentication requests and operation authorization requests sent by the network devices and, according to the load of the other authentication machines in the plurality, distributes the authentication requests and operation authorization requests evenly to those other authentication machines, each of which responds to the authentication requests and operation authorization requests distributed to it.
- 4. The network appliance safe management system of any one of claims 1 to 3, characterized in that the management control machine includes: a role setup module, for receiving the command operation permissions set in the management policy of each user account; a device group management module, for grouping all network devices and receiving the command operation permissions set in the management policy of each network device group, wherein the management policy of each network device group is set according to the working characteristics of the network devices in that group; a user group management module, for grouping the user accounts of all network devices and receiving the command operation permissions set in the management policy of each user account group, wherein the management policy of each user account group is set according to the working characteristics of the user accounts in that group; and an account management module, for receiving the account management items set in the management policies for the passwords of each user account and each network device.
- 5. The network appliance safe management system of any one of claims 1 to 3, characterized in that the management control machine is further used, for the network devices of different vendors, to provide through an interface the management policy setting logic corresponding to that vendor's network devices, and to receive the corresponding contents of the management policy entered for each network device.
- 6. A network appliance safe management method, characterized in that it includes: on a management control machine, setting a management policy for each user account and for each network device respectively, and sending the management policies to an authentication machine in real time; and receiving, by the authentication machine, the authentication request initiated by a user account and the operation authorization request sent by a network device, and responding to the authentication request and the operation authorization request according to the management policy of the network device and the management policy of the user account respectively, thereby realizing security management of the network device.
- 7. The network appliance safe management method of claim 6, characterized in that receiving by the authentication machine the user-initiated authentication request and the operation authorization request sent by the network device, and responding to them according to the management policy of the network device and the management policy of the user account respectively, includes: a plurality of authentication machines receiving and responding in parallel to the authentication requests and operation authorization requests sent by the network devices.
- 8. The network appliance safe management method of claim 7, characterized in that the plurality of authentication machines receiving and responding in parallel to the authentication requests and operation authorization requests sent by the network devices includes: selecting, by a load balancer, one authentication machine among the plurality of authentication machines as a master machine, wherein the master machine receives the authentication requests and operation authorization requests sent by the network devices and, according to the load of the other authentication machines in the plurality, distributes the authentication requests and operation authorization requests evenly to those other authentication machines, each of which responds to the authentication requests and operation authorization requests distributed to it.
- 9. The network appliance safe management method of any one of claims 6 to 8, characterized in that setting a management policy for each user account and each network device on the management control machine includes: for each user account, setting the command operation permissions in its management policy; grouping all network devices and setting the command operation permissions in the management policy of each network device group, wherein the management policy of each network device group is set according to the working characteristics of the network devices in that group; grouping the user accounts of all network devices and setting the command operation permissions in the management policy of each user account group, wherein the management policy of each user account group is set according to the working characteristics of the users in that group; and setting the account management items in the management policy for the passwords of each user account and each network device.
- 10. The network appliance safe management method of any one of claims 6 to 8, characterized in that setting a management policy for each network device on the management control machine includes: for the network devices of different vendors, providing through an interface the management policy setting logic corresponding to that vendor's network devices, and entering the corresponding contents of the management policy for each network device according to the corresponding policy setting logic.
- 11. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program that executes the network appliance safe management method of any one of claims 6 to 10.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711294715.2A CN107995203A (en) | 2017-12-08 | 2017-12-08 | Network appliance safe management system, method and computer-readable recording medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107995203A true CN107995203A (en) | 2018-05-04 |
Family
ID=62036863
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711294715.2A Pending CN107995203A (en) | 2017-12-08 | 2017-12-08 | Network appliance safe management system, method and computer-readable recording medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107995203A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1889452A (en) * | 2005-07-21 | 2007-01-03 | 华为技术有限公司 | Common network management safety control system and method thereof |
US20090154494A1 (en) * | 2006-08-21 | 2009-06-18 | Huawei Technologies Co., Ltd. | Method and system for service application and service application control agent |
CN101588360A (en) * | 2009-07-03 | 2009-11-25 | 深圳市安络大成科技有限公司 | Associated equipment and method for internal network security management |
US7634436B1 (en) * | 2003-05-05 | 2009-12-15 | Wagner Gerald C | Systems and methods for scheduling contributions to a retirement savings plan |
CN105471905A (en) * | 2015-12-30 | 2016-04-06 | 迈普通信技术股份有限公司 | AAA implementation method and system in stacking system |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116567001A (en) * | 2023-05-16 | 2023-08-08 | 上海凯翔信息科技有限公司 | Cloud NAS-based data migration system |
CN116567001B (en) * | 2023-05-16 | 2023-12-29 | 上海凯翔信息科技有限公司 | Cloud NAS-based data migration system |
Similar Documents
Publication | Title |
---|---|
CN109474632B (en) | Method, apparatus, system, and medium for authenticating and managing rights of user |
EP2658207A1 (en) | Authorization method and terminal device |
JP2013008229A (en) | Authentication system, authentication method and program |
CN109361753A (en) | A kind of Internet of things system framework and encryption method |
CN109413080B (en) | Cross-domain dynamic authority control method and system |
CN105577757B (en) | Multi-level management system and authentication method of intelligent power terminal based on load balancing |
CN103179130A (en) | Intranet security unified management platform and management method of management platform |
CN108881309A (en) | Access method, device, electronic equipment and the readable storage medium storing program for executing of big data platform |
CN102307114A (en) | Management method of network |
CN110719298A (en) | Method and device for supporting user-defined change of privileged account password |
CN106559389A (en) | A kind of Service Source issue, call method, device, system and cloud service platform |
CN106059802A (en) | Terminal access authentication method and device |
CN106209847A (en) | Electric data transmission method and device |
CN105100028A (en) | Account number management method and account number management device |
CN114866346B (en) | Password service platform based on decentralization |
CN107204995A (en) | A kind of system, certificate server and the method for control access rights |
CN108377244A (en) | A kind of Intranet uniform authentication method |
CN103065104B (en) | Movable storage device and the supervisory system formed thereof |
CN102201935A (en) | Access control method and device based on VIEW |
CN107995203A (en) | Network appliance safe management system, method and computer-readable recording medium |
CN108366087B (en) | ISCSI service realization method and device based on distributed file system |
US9590998B2 (en) | Network switch with hierarchical security |
CN105471905B (en) | The realization method and system of AAA in a kind of stacking system |
Yan et al. | The research and design of cloud computing security framework |
EP3709571A1 (en) | Device management clustering |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |
RJ01 | Rejection of invention patent application after publication | | Application publication date: 20180504 |