CN107995203A - Network device security management system, method and computer-readable storage medium - Google Patents

Info

Publication number: CN107995203A
Application number: CN201711294715.2A
Authority: CN (China)
Other languages: Chinese (zh)
Inventor: 严睿
Current assignee: Unihub China Information Technology Co Ltd; Zhongying Youchuang Information Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Unihub China Information Technology Co Ltd
Application filed by: Unihub China Information Technology Co Ltd
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Prior art keywords: certification, management, network equipment, network, user account

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Abstract

An embodiment of the present invention provides a network device security management system, method and computer-readable storage medium. The system includes: a management control machine, which receives a management policy set for each user account and for each network device respectively and sends the management policies to an authentication machine in real time; and the authentication machine, which receives the authentication requests and operation authorization requests initiated by a user account and sent by a network device, and responds to them according to the management policy of the network device and the management policy of the user account respectively, thereby realizing security management of the network device.

Description

Network device security management system, method and computer-readable storage medium
Technical field
The present invention relates to the technical field of network security, and in particular to a network device security management system, method and computer-readable storage medium.
Background technology
At present, when authentication and authorization are configured in local-user mode, the user's authentication and authorization information, including user name, password and so on, must be configured on the network device itself. This approach has the following main defects:
1. The privilege level of the local user, the password expiry time, the account validity period, the password complexity check, the idle disconnect time and so on are all optional configuration items or default configurations. Security is relatively low and depends on the awareness of the operator, so a uniform security standard cannot be guaranteed.
2. A local user is only valid on the one network device it is configured on. When a new device goes online it must be configured again, and when network administrators are replaced or staff leave, local user accounts must be added to or deleted from every network device. The tedium and workload of these operations equals (number of administrators) x (number of network devices) and grows steeply with network size.
3. For convenience, many networks have all devices and all administrators sharing the same local account. This readily leads to the following security holes: security incidents caused by unauthorized access, human error caused by non-standard operation, and incidents that cannot be audited or traced back after they occur. This is very unfavourable for preventing and controlling network risk and for meeting regulatory compliance requirements.
Summary of the invention
An embodiment of the present invention provides a network device security management system, to solve the technical problem in the prior art that configuring user authentication and authorization on the network device itself yields low security and high complexity. The system includes: a management control machine, for receiving management policies set for each user account and for each network device respectively and sending the management policies to an authentication machine in real time; and the authentication machine, for receiving the authentication requests and operation authorization requests initiated by a user account and sent by a network device, and responding to the authentication request and the operation authorization request according to the management policy of the network device and the management policy of the user account respectively, thereby realizing security management of the network device.
An embodiment of the present invention further provides a network device security management method, to solve the same technical problem. The method includes: setting, in a management control machine, a management policy for each user account and for each network device respectively, and sending the management policies to an authentication machine in real time; receiving, by the authentication machine, the authentication request and operation authorization request initiated by a user account and sent by a network device, and responding to the authentication request and the operation authorization request according to the management policy of the network device and the management policy of the user account respectively, thereby realizing security management of the network device.
An embodiment of the present invention further provides a computer-readable storage medium, to solve the same technical problem. The computer-readable storage medium stores a computer program for executing any of the above network device security management methods.
In the embodiments of the present invention, the management policies of the network devices and of the network device user accounts are set in a management control machine outside the network devices, so that authentication and authorization information need not be set on the devices themselves; an authentication machine outside the network devices responds to the authentication and operation authorization requests sent by a network device according to the policy of that device and the policy of the user account, which realizes security management of authentication and authorization for the network devices. Because authentication and authorization information is no longer set on the devices, whatever configuration items the management policy contains are managed according to those items, avoiding the low security that results from optional or default configuration left to the awareness of the operator. Because the policies of all network devices are set uniformly in the management control machine, a new device going online, a change of network administrators, or staff leaving no longer requires adding or deleting local user accounts on every device, which reduces complexity and workload. Because separate policies are configured for different devices and users, all devices and all administrators need not share the same local account, which helps avoid security incidents from unauthorized access, human error from non-standard operation, and incidents that cannot be audited or traced after the fact, further improving security.
Brief description of the drawings
The drawings described here are provided to further the understanding of the present invention and form part of this application; they do not limit the invention. In the drawings:
Fig. 1 is a structural diagram of a network device security management system provided by an embodiment of the present invention;
Fig. 2 is a structural diagram of a specific network device security management system provided by an embodiment of the present invention;
Fig. 3 is a working diagram of a network device security management system provided by an embodiment of the present invention;
Fig. 4 is a structural diagram of a management control machine provided by an embodiment of the present invention;
Fig. 5 is a flow chart of a network device security management method provided by an embodiment of the present invention.
Detailed description
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to embodiments and drawings. The exemplary embodiments and their explanations are used to explain the invention and do not limit it.
An embodiment of the present invention provides a network device security management system. As shown in Fig. 1, the system includes:
a management control machine 101, for receiving a management policy set for each user account and for each network device respectively, and sending the management policies to an authentication machine 102 in real time;
the authentication machine 102, for receiving the authentication requests and operation authorization requests initiated by a user account and sent by a network device, and responding to the authentication request and the operation authorization request according to the management policy of the network device and the management policy of the user account respectively, thereby realizing security management of the network device.
As can be seen from Fig. 1, in this embodiment the management policies of the network devices and of their user accounts are set in a management control machine outside the devices, so that no authentication or authorization information is set on the devices themselves, and an authentication machine outside the devices responds to the authentication and operation authorization requests a device sends according to the policy of that device and of the user account, which realizes security management of device authentication and authorization. Since authentication and authorization information is not set on the devices, the configuration items are managed according to whatever the management policy contains, avoiding the low security that results from optional or default configuration left to the operator's awareness; since the policies of all devices are set uniformly in the management control machine, a new device going online, a change of administrators or staff leaving no longer requires adding or deleting local accounts on every device, reducing complexity and workload; and since separate policies are configured for different devices and users, all devices and all administrators need not share one local account, which helps avoid security incidents from unauthorized access, human error from non-standard operation, and incidents that cannot be audited or traced after the fact, further improving security.
In implementation, after the administrator sets management policies for each user account and each network device on the management control machine, the authentication machine responds to authentication requests and operation authorization requests according to the policy of the device and the policy of the user account respectively. Specifically, when a user operating a network device under a user account initiates an authentication request and/or an operation authorization request, as shown in Fig. 2, one or several of the above authentication machines may receive and respond to it. For example, to scale elastically from an enterprise network up to a large carrier network, an appropriate number of authentication machines can be chosen according to the number of network devices, achieving horizontal scaling of the system without reducing service quality. Although individual hardware and software components may fail, the service of the whole system can be kept uninterrupted 24x7.
For small network scenarios with few network devices, a single authentication machine can be used, i.e. the standalone mode shown in Fig. 2, in which that one machine receives and responds to authentication requests and/or operation authorization requests. The authentication machine in standalone mode does not depend on other resources: it is deployed independently, works out of the box and needs only simple initial configuration, which suits small and medium network scenarios.
For large network scenarios, several of the above authentication machines can be used, i.e. the cluster mode shown in Fig. 2: multiple authentication machines form a cluster and handle authentication requests and/or operation authorization requests simultaneously. Using several authentication machines avoids purchasing high-specification hosts or high-end devices such as F5 load balancers, which reduces cost and improves economy.
Meanwhile, in the mode where several authentication machines form a cluster, when the processing performance of each machine is strong enough or the command response time is short enough, receiving and responding to requests in parallel on several machines means that even with a large number of network devices there is no noticeable increase in the response time of operation commands (imperceptible to people); the number of managed network devices can reach 100,000 or more.
In implementation, to avoid load imbalance when several authentication machines receive and respond to requests in parallel, in this embodiment, as shown in Fig. 2, the system further includes a load balancer for selecting one of the authentication machines as the master. The master receives the authentication requests and operation authorization requests sent by the network devices and, according to the load of the other authentication machines, distributes them evenly over those machines; each of the other machines responds to the requests distributed to it.
Specifically, in standalone mode, once the number of network devices requesting authentication reaches a certain scale, the load on the single authentication machine exceeds its critical value. In cluster mode, with a load balancer added to the authentication cluster, even when the number of devices requesting authentication reaches that scale the load is distributed evenly over the authentication machines and none of them exceeds its critical value, which improves the stability of the authentication machines. The load-balancing algorithms the load balancer can select include round robin, random, source-address hash, weighted, and least connections. One authentication machine node in the cluster is elected as master; if that node goes down, a new master is elected automatically.
Specifically, adding a load balancer to the authentication cluster removes the need to purchase a hardware load balancer such as an L4-7 switch and avoids the associated maintenance cost (current vendor quotations are typically 200,000 to 300,000 per unit).
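The cluster behaviour described above (one machine elected master by the load balancer, work spread over the other machines by load, automatic re-election when the master goes down, and the five selection algorithms listed), as an added Python example that is not code from the patent or its assignee. It models authentication machines as in-memory objects with a count of in-flight requests; the node names, weights and the lexicographic tie-break used to elect a master are assumptions, since the text only says that one node is elected.

```python
import hashlib
import random
from dataclasses import dataclass


@dataclass
class AuthNode:
    """One authentication machine, modelled in memory (constructed; no real server behind it)."""
    name: str
    weight: int = 1      # relative capacity, used by the weighted algorithm
    alive: bool = True
    active: int = 0      # requests currently in flight, used by least-connections


class AuthCluster:
    """Master election plus request distribution for a cluster of authentication machines.

    One alive node is elected master; it receives every request and spreads the work
    over the *other* alive nodes by the chosen algorithm. If the master goes down a
    new master is elected automatically. Assumption: the alive node with the lowest
    name wins the election.
    """

    ALGORITHMS = ("round_robin", "random", "source_hash", "weighted", "least_connections")

    def __init__(self, nodes, algorithm="least_connections", seed=0):
        if algorithm not in self.ALGORITHMS:
            raise ValueError(f"unknown load-balancing algorithm: {algorithm}")
        self.nodes = {n.name: n for n in nodes}   # insertion order is kept
        self.algorithm = algorithm
        self._rng = random.Random(seed)          # seeded so runs are reproducible
        self._rr = 0                              # round-robin cursor
        self.master = None
        self.elect_master()

    def elect_master(self):
        alive = sorted(name for name, node in self.nodes.items() if node.alive)
        if not alive:
            raise RuntimeError("no authentication machine is alive")
        self.master = alive[0]
        return self.master

    def mark_down(self, name):
        """Simulate a node failure; re-elect if it was the master."""
        self.nodes[name].alive = False
        if name == self.master:
            self.elect_master()

    def workers(self):
        """Alive nodes other than the master; a lone master serves requests itself."""
        others = [n for n in self.nodes.values() if n.alive and n.name != self.master]
        return others or [self.nodes[self.master]]

    def select(self, source_addr):
        """Pick the machine that will handle a request from source_addr."""
        ws = self.workers()
        if self.algorithm == "round_robin":
            node = ws[self._rr % len(ws)]
            self._rr += 1
        elif self.algorithm == "random":
            node = self._rng.choice(ws)
        elif self.algorithm == "source_hash":
            # the same device keeps landing on the same machine while membership is stable
            digest = hashlib.sha256(source_addr.encode()).digest()
            node = ws[int.from_bytes(digest[:8], "big") % len(ws)]
        elif self.algorithm == "weighted":
            node = self._rng.choices(ws, weights=[n.weight for n in ws], k=1)[0]
        else:  # least_connections: fewest in-flight requests, first in order on ties
            node = min(ws, key=lambda n: n.active)
        return node

    def dispatch(self, source_addr):
        """Master-side handling of one request: choose a worker and count it as busy."""
        node = self.select(source_addr)
        node.active += 1
        return node.name

    def finish(self, name):
        """A worker reports that one of its requests completed."""
        self.nodes[name].active -= 1


if __name__ == "__main__":
    cluster = AuthCluster([AuthNode(f"auth{i}") for i in range(1, 5)])
    print("master:", cluster.master)
    print([cluster.dispatch("119.146.2.3") for _ in range(5)])
    cluster.mark_down("auth1")
    print("master after failure:", cluster.master)
```

With four nodes and least-connections the first three requests go to auth2, auth3 and auth4 in turn and the fourth wraps back to auth2; taking auth1 down promotes auth2 and leaves auth3 and auth4 as workers. Source-address hashing keeps a given device pinned to one machine, which matters for protocols that keep per-session state on the server.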
In implementation, a corresponding program can be set up on the authentication machine to receive and respond to authentication requests and/or operation authorization requests. For example, as shown in Fig. 3, when a user operating a network device under a user account initiates an authentication request, the authentication machine receives it and requires the operating user to enter a user name, password and similar information; it then verifies the entered credentials against the account information in the user account's management policy combined with the account information in the network device's management policy (specifically, when both the user account and the network device have a management policy, the two policies are combined for authentication; if only one of them has a management policy, authentication follows that one policy), thereby responding to the authentication request and completing authentication. After authentication is complete, when the user initiates an operation authorization request on the network device under the user account, the authentication machine receives it and combines the command operation rights in the user account's management policy with the command operation rights in the network device's management policy (under the same rule: both policies when both exist, otherwise the one that exists) to respond to the request and judge whether the requested operation is allowed. If it is allowed, the machine outputs that the operation is permitted; if not, it outputs that the operation is refused. This responds to the operation authorization request and completes authorization.
In implementation, when the authentication machine handles authentication requests it can support protocols such as TACACS+ and RADIUS; specifically, the corresponding authentication mode can be selected for each type of network device.
In implementation, when the authentication machine handles operation authorization requests it can support authorization both by command line and by privilege level; specifically, the corresponding authorization mode can be selected for each type of network device.
In implementation, while the authentication machine receives and responds to authentication requests and/or operation authorization requests, after a user accesses and operates a network device the authentication machine stores an operation log recording the user's operation behaviour, time of occurrence and other information. This avoids the problem that operation records of local user accounts kept on the network device itself cannot be persisted and can be wiped by an illegitimate user. Specifically, the authentication machine supports storing all user operation records with a retention period of no less than six months, in order to meet the explicit requirement of the Cybersecurity Law of the People's Republic of China passed on 7 November 2016, Chapter 3, Article 21(3): "adopt technical measures for monitoring and recording network operating status and network security incidents, and retain the relevant network logs for no less than six months as required".
Specifically, the authentication machine can also dump operation logs to a disk array or a cloud storage resource pool according to user demand.
Specifically, the operation log stored by the authentication machine can contain the content shown in Table 1 below.
Device address  Source address  User account  User name                         Operation time  Command line
119.146.1.2     172.168.0.108   yzrui         Yang Zhong                        2017/8/1 11:57  show port 1/1/14
119.146.1.2     172.168.0.108   yzrui         Yang Zhong                        2017/8/1 11:58  show port 1/1/14
119.146.1.2     172.168.0.108   yzrui         Yang Zhong                        2017/8/1 11:59  show port 1/1/14
119.146.1.2     172.168.0.108   yzrui         Yang Zhong                        2017/8/1 11:55  show port 1/1/4
119.146.1.2     172.168.0.108   yzrui         Yang Zhong                        2017/8/1 11:55  show port 1/1/14
119.146.1.2     172.168.0.108   yzrui         Yang Zhong                        2017/8/1 11:55  show port 1/1/14
119.146.2.3     202.103.1.8     mzmccw01      Plum tinkling of pieces of jades  2017/8/1 12:00  configure router
119.146.2.3     202.103.1.8     mzmccw01      Plum tinkling of pieces of jades  2017/8/1 12:00  info
119.146.2.3     202.103.1.8     mzmccw01      Plum tinkling of pieces of jades  2017/8/1 12:01  info
119.146.2.3     202.103.1.8     mzmccw01      Plum tinkling of pieces of jades  2017/8/1 12:01  interface "ge-1/1/14"
119.146.2.3     202.103.1.8     mzmccw01      Plum tinkling of pieces of jades  2017/8/1 12:02  show port 1/1/14
119.146.2.3     202.103.1.8     mzmccw01      Plum tinkling of pieces of jades  2017/8/1 12:00  ping 172.19.17.78
119.146.2.3     202.103.1.8     mzmccw01      Plum tinkling of pieces of jades  2017/8/1 12:01  address 172.19.17.78/30
119.146.2.3     202.103.1.8     mzmccw01      Plum tinkling of pieces of jades  2017/8/1 12:01  show port 1/1/14
119.146.2.3     202.103.1.8     mzmccw01      Plum tinkling of pieces of jades  2017/8/1 13:15  show router route-table 19.0.0.0
119.146.2.3     202.103.1.8     mzmccw01      Plum tinkling of pieces of jades  2017/8/1 13:15  configure router
119.146.2.3     202.103.1.8     mzmccw01      Plum tinkling of pieces of jades  2017/8/1 13:15  info
119.146.2.3     202.103.1.8     mzmccw01      Plum tinkling of pieces of jades  2017/8/1 13:15  no static-route 19.0.0.0/8 next-hop 17.19.17.77
119.146.2.3     202.103.1.8     mzmccw01      Plum tinkling of pieces of jades  2017/8/1 13:16  static-route 19.0.0.0/8 next-hop 172.19.17.77
119.146.2.3     202.103.1.8     mzmccw01      Plum tinkling of pieces of jades  2017/8/1 13:16  info
119.146.2.3     202.103.1.8     mzmccw01      Plum tinkling of pieces of jades  2017/8/1 13:16  show router route-table 19.0.0.0
119.146.2.3     202.103.1.8     mzmccw01      Plum tinkling of pieces of jades  2017/8/1 13:16  exit
119.146.2.3     202.103.1.8     mzmccw01      Plum tinkling of pieces of jades  2017/8/1 13:16  admin save
119.146.2.3     202.103.1.8     mzmccw01      Plum tinkling of pieces of jades  2017/8/1 15:20  show router route-table 125.89.159.0
Table 1
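An added audit example, not from the patent, showing what the centrally stored log buys an operator: it parses records in the Table 1 layout (constructed rows, one of which deliberately shows an account operating from an unexpected source address), lists configuration-changing commands per account and device, flags operations from addresses outside each account's expected set, and applies the six-month retention rule. The tab-separated export format, the set of commands treated as configuration changes, the operator name "Operator B" and the expected-source map are assumptions.

```python
import calendar
import re
from collections import defaultdict
from datetime import datetime

# Constructed records in the Table 1 layout: device address, source address,
# user account, operator name, time, command line (tab separated). Not from the page.
SAMPLE_LOG = """\
119.146.1.2\t172.168.0.108\tyzrui\tYang Zhong\t2017/8/1 11:57\tshow port 1/1/14
119.146.2.3\t202.103.1.8\tmzmccw01\tOperator B\t2017/8/1 13:15\tconfigure router
119.146.2.3\t202.103.1.8\tmzmccw01\tOperator B\t2017/8/1 13:15\tno static-route 19.0.0.0/8 next-hop 172.19.17.77
119.146.2.3\t202.103.1.8\tmzmccw01\tOperator B\t2017/8/1 13:16\tstatic-route 19.0.0.0/8 next-hop 172.19.17.77
119.146.2.3\t202.103.1.8\tmzmccw01\tOperator B\t2017/8/1 13:16\texit
119.146.2.3\t202.103.1.8\tmzmccw01\tOperator B\t2017/8/1 13:16\tadmin save
119.146.2.3\t172.168.0.108\tmzmccw01\tOperator B\t2017/8/1 14:00\tshow port 1/1/14
"""

FIELDS = ("device", "source", "account", "name", "time", "command")

# Commands that alter device state (assumed list); anything matching counts as a change.
WRITE_COMMANDS = re.compile(r"^(configure\b|no\b|static-route\b|address\b|interface\b|admin save\b)")


def parse_log(text):
    """Turn the tab-separated export into dicts, with the time column as a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        rec["time"] = datetime.strptime(rec["time"], "%Y/%m/%d %H:%M")
        records.append(rec)
    return records


def change_summary(records):
    """Configuration-changing commands grouped by (account, device), in log order."""
    changes = defaultdict(list)
    for rec in records:
        if WRITE_COMMANDS.match(rec["command"]):
            changes[(rec["account"], rec["device"])].append(rec["command"])
    return dict(changes)


def foreign_sources(records, expected):
    """Records where an account operated from a source address outside its expected set."""
    return [rec for rec in records
            if rec["source"] not in expected.get(rec["account"], set())]


def months_ago(dt, months):
    """Calendar-month subtraction, clamping the day to the length of the target month."""
    month_index = dt.year * 12 + dt.month - 1 - months
    year, month = divmod(month_index, 12)
    month += 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def purgeable(records, now, retention_months=6):
    """Records older than the retention period (six months per the text), i.e. safe to purge."""
    cutoff = months_ago(now, retention_months)
    return [rec for rec in records if rec["time"] < cutoff]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(change_summary(recs))
    expected = {"yzrui": {"172.168.0.108"}, "mzmccw01": {"202.103.1.8"}}
    print([(r["account"], r["source"], r["time"]) for r in foreign_sources(recs, expected)])
    print(len(purgeable(recs, datetime(2018, 2, 2))))
```

The retention check is deliberately strict at the boundary: a record made at any time on the day exactly six months before the current date is still retained, so the sample rows from 1 August 2017 are purgeable on 2 February 2018 but not on 1 February 2018.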
In implementation, in order to set management policies for each user and each network device uniformly in the management control machine, in this embodiment, as shown in Fig. 4, the management control machine includes:
a role setting module 401, for receiving the command operation rights in the management policy set for each user account. For example, first set the user account so that all commands under a certain privilege level are allowed, as shown in Table 2 below; then set deny rules (Table 3) to disable commands the user account should not be able to use; then set permit rules (Table 4) to license specific commands for the user account;
a device group management module 402, for grouping all network devices and receiving the command operation rights in the management policy set for each device group, where the management policy of each group is set according to the working characteristics of the group's devices; for example, whether a device group is core working equipment or ordinary working equipment, i.e. the importance of the group, determines the command operation rights set for it;
a user group management module 403, for grouping the user accounts of all network devices and receiving the command operation rights in the management policy set for each user group, where the management policy of each group is set according to the working characteristics of its users; specifically, the source addresses from which a group's accounts may log in to network devices can be restricted. For example, in a small enterprise network, user accounts can be distinguished as system administrators or ordinary-privilege users and given different command operation rights according to their work identity; in a large enterprise network, employees can be divided into working groups whose work differs in importance, and different command operation rights set for the accounts of each working group;
an account management module 404, for receiving the account management items in the management policy set for the passwords of each user account and network device, for example password expiry times for user accounts and network devices, automatic recycling of temporary accounts, and so on.
Cisco router: default operation rules set per privilege level
Operation command  Operation rule  Allowed?
show               permit .*
traceroute         permit .*
ping               permit .*
context            permit .*
admin              permit .*
dir                permit .*
(following omitted)
Table 2
Juniper router: default operation rules set per privilege level
View commands      Operation rule  Allowed?
request            permit
configure          deny
restart            deny
start              deny
Configure commands Operation rule
System-view.*      deny
(following omitted)
Table 3
Huawei router: default operation rules set per privilege level
Operation command  Operation rule  Allowed?
display            permit .*
ping               permit .*
save               deny .*
(following omitted)
Table 4
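How the authentication machine can combine a user account's policy with a device's policy, as an added Python example that is not the patent's code. It encodes the three layers the role setting module describes (level default, deny rules, permit rules that license specific commands back) as regular expressions over the whole command line in the spirit of Tables 2 to 4, applies the rule from the authorization flow above that both policies must agree when both exist and the single existing one decides otherwise, and adds the user group's source-address restriction as a login check. The precedence permit over deny over level default, the fail-closed answer when no policy exists at all, and the sample policies and CIDR ranges are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Policy:
    """Management policy for one user account or one network device (constructed model).

    level_allow: what the privilege level permits (Table 2 style, e.g. "show .*")
    deny:        commands taken away from that level (Table 3/4 style)
    permit:      specific commands licensed back despite a deny
    sources:     CIDR ranges a user group may log in from (None = unrestricted)
    Every rule is a regular expression matched against the whole command line.
    """
    name: str
    level_allow: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)
    permit: List[str] = field(default_factory=list)
    sources: Optional[List[str]] = None


def _hit(patterns, cmd):
    return any(re.fullmatch(p, cmd) for p in patterns)


def evaluate(policy, cmd):
    """Most specific rule wins: explicit permit, then deny, then the level default (else refuse)."""
    if _hit(policy.permit, cmd):
        return True
    if _hit(policy.deny, cmd):
        return False
    return _hit(policy.level_allow, cmd)


def authorize(cmd, user_policy=None, device_policy=None):
    """Both policies must allow when both exist; one side alone decides if only it is set.
    With no policy at all we refuse (fail closed; the text does not cover this case)."""
    policies = [p for p in (user_policy, device_policy) if p is not None]
    if not policies:
        return False
    return all(evaluate(p, cmd) for p in policies)


def login_allowed(user_policy, source_addr):
    """Authentication-time check of the user group's login source restriction."""
    if user_policy.sources is None:
        return True
    addr = ipaddress.ip_address(source_addr)
    return any(addr in ipaddress.ip_network(net) for net in user_policy.sources)


# Device policies modelled on Tables 2 to 4 (constructed regexes, not the page's exact rules).
CISCO = Policy("cisco-router",
               level_allow=[r"show .*", r"traceroute .*", r"ping .*", r"context .*", r"admin .*", r"dir .*"])
JUNIPER = Policy("juniper-router",
                 level_allow=[r"request .*", r"show .*"],
                 deny=[r"configure.*", r"restart.*", r"start.*", r"system-view.*"])
HUAWEI = Policy("huawei-router",
                level_allow=[r"display .*", r"ping .*", r"save.*"],
                deny=[r"save.*"])
# Constructed user-account policy: operator level, configuration removed by a deny rule,
# one configure command licensed back, logins only from 202.103.1.0/24.
OPS_USER = Policy("mzmccw01",
                  level_allow=[r"show .*", r"display .*", r"ping .*", r"configure .*", r"admin .*"],
                  deny=[r"configure .*", r"admin save"],
                  permit=[r"configure router"],
                  sources=["202.103.1.0/24"])


if __name__ == "__main__":
    for cmd in ("show port 1/1/14", "configure router", "configure system", "admin save"):
        print(f"{cmd!r}: user only={authorize(cmd, OPS_USER)}, user+cisco={authorize(cmd, OPS_USER, CISCO)}")
    print(login_allowed(OPS_USER, "202.103.1.8"), login_allowed(OPS_USER, "172.168.0.108"))
```

Note the effect of the combination rule: "configure router" is licensed back on the user side, but it is still refused against the Cisco device policy because that device's level default never allowed configuration commands, so the more restrictive side wins.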
In implementation, in order that the authentication and authorization of the above network device security management system are compatible with network devices of different vendors and types, in this embodiment the management control machine is further used to provide, through its interface, management-policy setting logic corresponding to each vendor's network devices, and to receive the corresponding content of the management policy entered for each network device. The system thus fully supports equipment from the access layer through the aggregation layer to the core, and can reach a management scale of not less than 100,000 devices; for example, in one deployed project: routers, 2,200; switches, 10,000; A/B/ER equipment, 31,000; DSLAM/OLT equipment, 23,000.
The network devices of different vendors can include, for example: Huawei (routers: NE40/80E series, 5200G, ME60 series, NE5000E series; switches: S9300 series, S3300 series; IPRAN: ATN910, ATN950, CX600; firewall 1000TA, etc.), Cisco (routers: CRS series, 7609 series), ZTE (routers: ME6000; switches: 8905, T64G), Alcatel 7750, Redback SE800/SE1200 series, Juniper ERX series, etc.; OLT devices (Alcatel 7302R2, Huawei 5600, ZTE 9800V3, Huawei 5100, Greenville GFA series); DSLAM devices (FiberHome 5006-20, Huawei 5616, ZTE 9806H); F5B-IGP series; NSFOCUS security devices, etc.
Based on same inventive concept, a kind of network appliance safe management method is additionally provided in the embodiment of the present invention, it is as follows Described in the embodiment in face.Due to the principle that network appliance safe management method solves the problems, such as and network appliance safe management system phase Seemingly, therefore the implementation of network appliance safe management method may refer to the implementation of network appliance safe management system, repeat part Repeat no more.
Fig. 5 is the flow chart of the network appliance safe management method of the embodiment of the present invention, as shown in figure 5, this method includes:
Step 501:It is respectively that each user account and each network equipment set management strategy in management control machine, And management strategy is sent to certification machine in real time;
Step 502:The certification request initiated by user account and the behaviour that the network equipment is sent are received by the certification machine Make authorization requests, and management strategy according to the network equipment and the management strategy of the user account respond respectively described in recognize Card request and authorization request, realize the safety management to the network equipment.
In one embodiment, the above method further includes:Operation log is stored on the certification machine.
In one embodiment, the certification initiated by user account for network equipment transmission being received by the certification machine please Sum operation authorization requests, and responded respectively according to the management strategy of the network equipment and the management strategy of the user account The certification request and authorization request, including:Receive simultaneously response to network equipment parallel by the more certification machines Certification request and the authorization request of transmission.
In one embodiment, the certification request that simultaneously response to network equipment is sent is received parallel by the more certification machines Asked with authorization, including:One certification machine is selected in the more certification machines by load equalizer and is used as master control Machine, wherein, the main control computer receives certification request and the authorization request that the network equipment is sent, and according to the more certifications The loading condition of other certification machines in machine, certification request and authorization request are evenly distributed on other certification machines, other Certification machine each responds the certification request being distributed to and authorization request.
In one embodiment, setting on the management control machine a management policy for each user account and each network device includes: for each user account, setting the command operation permissions in its management policy; grouping all network devices and setting the command operation permissions in the management policy for each device group, wherein the management policy of each device group is set according to the working characteristics of the network devices in that group; grouping the user accounts of all network devices and setting the command operation permissions in the management policy for each user group, wherein the management policy of each user group is set according to the working characteristics of the user accounts in that group; and setting the account management item in the management policy for the password of each user account and each network device.
In one embodiment, setting on the management control machine a management policy for each network device includes: for network devices of different vendors, providing through an interface the management policy setting logic corresponding to each vendor's network devices, and inputting the corresponding contents of the management policy for each network device according to the corresponding management policy setting logic.
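As an added illustration (not code from the patent or its assignee), the policy model of the embodiments above in Python: a management control machine holds per-user, per-user-group and per-device-group command operation permissions plus the per-account password item and pushes them to an authentication machine, which answers authentication and operation authorization requests and keeps the operation log. All names, commands and credentials are constructed, and the rule that a command must be permitted by both the device-side and the user-side policy is an assumption about how the two policies combine.

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass
class Policy:
    user_cmds: dict          # user account -> command operation permissions granted directly
    user_group: dict         # user account -> user group
    user_group_cmds: dict    # user group -> command operation permissions of the group
    device_group: dict       # network device -> device group
    device_group_cmds: dict  # device group -> commands the group's devices accept
    credentials: dict        # (user account, device) -> (salt, sha256): the account management item

class ManagementControl:
    """Management control machine: policies live here, never on the network devices."""
    def __init__(self):
        self.policy = Policy({}, {}, {}, {}, {}, {})
    def set_password(self, user, device, password):
        # Illustration only; a real deployment would use a slow KDF such as scrypt or argon2.
        salt = os.urandom(16)
        self.policy.credentials[(user, device)] = (salt, hashlib.sha256(salt + password.encode()).digest())
    def push(self, machine):
        # "sent to the authentication machine in real time": modelled by handing over the policy object
        machine.policy = self.policy

class AuthMachine:
    """Authentication machine: answers requests from the pushed policy and keeps the operation log."""
    def __init__(self):
        self.policy = None
        self.operation_log = []
    def authenticate(self, user, device, password):
        cred = self.policy.credentials.get((user, device))
        ok = cred is not None and hmac.compare_digest(
            cred[1], hashlib.sha256(cred[0] + password.encode()).digest())
        self.operation_log.append(("auth", user, device, ok))
        return ok
    def authorize(self, user, device, command):
        # Assumed combination rule: user-side policy (direct grant or user group) AND device-side policy (device group)
        p = self.policy
        user_ok = command in p.user_cmds.get(user, set()) | p.user_group_cmds.get(p.user_group.get(user), set())
        device_ok = command in p.device_group_cmds.get(p.device_group.get(device), set())
        self.operation_log.append(("authz", user, device, command, user_ok and device_ok))
        return user_ok and device_ok

def demo():
    mc, am = ManagementControl(), AuthMachine()
    p = mc.policy
    p.user_group["alice"], p.user_group_cmds["netops"] = "netops", {"show", "config"}
    p.user_cmds["bob"] = {"show"}
    p.device_group.update({"core-sw1": "core", "edge-sw7": "edge"})
    p.device_group_cmds.update({"core": {"show", "config"}, "edge": {"show"}})
    mc.set_password("alice", "core-sw1", "constructed-pw")
    mc.push(am)
    return (am.authenticate("alice", "core-sw1", "constructed-pw"),  # True
            am.authenticate("alice", "core-sw1", "wrong"),           # False
            am.authorize("alice", "core-sw1", "config"),             # True: both policies permit
            am.authorize("alice", "edge-sw7", "config"),             # False: edge group lacks config
            am.authorize("bob", "core-sw1", "config"),               # False: bob only has show
            len(am.operation_log))                                   # 5 entries
```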
This embodiment further provides a computer-readable storage medium storing a computer program that performs any of the network device security management methods described above.
In practice, the proposed network device security management method and system mean that vendors no longer need to set authentication, authorization and similar information on their own network devices: the network devices of all vendors can be controlled uniformly by setting management policies on the management control machine described above and then performing authentication and authorization uniformly through the authentication machine described above.
The embodiment of the present invention achieves the following technical effects. By setting the management policies of the network devices and of the network device user accounts on a management control machine outside the network devices, the need to set authentication and authorization information on the network devices themselves is avoided, and an authentication machine outside the network devices responds to the authentication requests and operation authorization requests sent by the network devices according to the management policy of the network device and the management policy of the user account, so that security management of network device authentication and authorization is achieved. Because authentication and authorization information is no longer set on the network devices, whatever configuration items exist are managed according to the corresponding configuration items in the management policy, which avoids the low security that arises when configuration depends on the operator's awareness and phenomena such as optional configuration or default configuration occur. The management policies of all network devices are set uniformly on the control machine, so when a new network device comes online and needs to be configured again, or network management personnel are replaced or leave, there is no need to add or delete local user accounts on every network device, which reduces tedium and workload. Separate management policies are configured for different network devices and users, so that not all devices and all network administrators share the same local account; this helps avoid accidents caused by unauthorized access, and avoids the situation after a security incident or an irregular operation where auditing and tracing the source are difficult, which further improves security.
Obviously, those skilled in the art should understand that the modules or steps of the above embodiments of the present invention can be implemented with general-purpose computing devices; they can be concentrated on a single computing device or distributed over a network formed by multiple computing devices; optionally, they can be implemented with program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; and in some cases the steps shown or described may be performed in an order different from that given here, or they may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. In this way, the embodiments of the present invention are not limited to any specific combination of hardware and software.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the invention; for those skilled in the art, the embodiments of the present invention may have various modifications and variations. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (11)

  1. A network device security management system, characterized by comprising:
    a management control machine, for receiving the management policies set respectively for each user account and each network device, and sending the management policies to an authentication machine in real time;
    the authentication machine, for receiving the authentication request initiated by a user account and the operation authorization request sent by a network device, and responding to the authentication request and the operation authorization request according to the management policy of the network device and the management policy of the user account respectively, thereby implementing security management of the network device.
  2. The network device security management system according to claim 1, characterized in that there are a plurality of authentication machines, and the plurality of authentication machines receive in parallel and respond to the authentication requests and operation authorization requests sent by the network devices.
  3. The network device security management system according to claim 2, characterized by further comprising:
    a load balancer, for selecting one authentication machine among the plurality of authentication machines as the master machine, wherein the master machine receives the authentication requests and operation authorization requests sent by the network devices and, according to the load condition of the other authentication machines among the plurality, distributes the authentication requests and operation authorization requests evenly among the other authentication machines, and each of the other authentication machines responds to the authentication requests and operation authorization requests distributed to it.
  4. The network device security management system according to any one of claims 1 to 3, characterized in that the management control machine comprises:
    a role setting module, for receiving the command operation permissions set in the management policy of each user account;
    a device group management module, for grouping all network devices and receiving the command operation permissions set in the management policy for each device group, wherein the management policy of each device group is set according to the working characteristics of the network devices in that group;
    a user group management module, for grouping the user accounts of all network devices and receiving the command operation permissions set in the management policy for each user group, wherein the management policy of each user group is set according to the working characteristics of the user accounts in that group;
    an account management module, for receiving the account management item set in the management policy for the password of each user account and each network device.
  5. The network device security management system according to any one of claims 1 to 3, characterized in that
    the management control machine is further configured, for network devices of different vendors, to provide through an interface the management policy setting logic corresponding to each vendor's network devices, and to receive the corresponding contents input into the management policy of each network device.
  6. A network device security management method, characterized by comprising:
    setting, on a management control machine, a management policy for each user account and for each network device respectively, and sending the management policies to an authentication machine in real time;
    receiving, by the authentication machine, the authentication request initiated by a user account and the operation authorization request sent by a network device, and responding to the authentication request and the operation authorization request according to the management policy of the network device and the management policy of the user account respectively, thereby implementing security management of the network device.
  7. The network device security management method according to claim 6, characterized in that receiving, by the authentication machine, the authentication request initiated by a user account and the operation authorization request sent by a network device, and responding to the authentication request and the operation authorization request according to the management policy of the network device and the management policy of the user account respectively, comprises:
    receiving in parallel, by a plurality of authentication machines, the authentication requests and operation authorization requests sent by the network devices and responding to them.
  8. The network device security management method according to claim 7, characterized in that receiving in parallel, by the plurality of authentication machines, the authentication requests and operation authorization requests sent by the network devices and responding to them comprises:
    selecting, by a load balancer, one authentication machine among the plurality of authentication machines as the master machine, wherein the master machine receives the authentication requests and operation authorization requests sent by the network devices and, according to the load condition of the other authentication machines among the plurality, distributes the authentication requests and operation authorization requests evenly among the other authentication machines, and each of the other authentication machines responds to the authentication requests and operation authorization requests distributed to it.
  9. The network device security management method according to any one of claims 6 to 8, characterized in that setting, on the management control machine, a management policy for each user account and for each network device respectively comprises:
    for each user account, setting the command operation permissions in its management policy;
    grouping all network devices and setting the command operation permissions in the management policy for each device group, wherein the management policy of each device group is set according to the working characteristics of the network devices in that group;
    grouping the user accounts of all network devices and setting the command operation permissions in the management policy for each user group, wherein the management policy of each user group is set according to the working characteristics of the users in that group;
    setting the account management item in the management policy for the password of each user account and each network device.
  10. The network device security management method according to any one of claims 6 to 8, characterized in that setting, on the management control machine, a management policy for each network device respectively comprises:
    for network devices of different vendors, providing through an interface the management policy setting logic corresponding to each vendor's network devices, and inputting the corresponding contents of the management policy for each network device according to the corresponding management policy setting logic.
  11. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program that performs the network device security management method according to any one of claims 6 to 10.
CN201711294715.2A 2017-12-08 2017-12-08 Network appliance safe management system, method and computer-readable recording medium Pending CN107995203A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711294715.2A CN107995203A (en) 2017-12-08 2017-12-08 Network appliance safe management system, method and computer-readable recording medium


Publications (1)

Publication Number Publication Date
CN107995203A true CN107995203A (en) 2018-05-04

Family

ID=62036863

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116567001A (en) * 2023-05-16 2023-08-08 上海凯翔信息科技有限公司 Cloud NAS-based data migration system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1889452A (en) * 2005-07-21 2007-01-03 华为技术有限公司 Common network management safety control system and method thereof
US20090154494A1 (en) * 2006-08-21 2009-06-18 Huawei Technologies Co., Ltd. Method and system for service application and service application control agent
CN101588360A (en) * 2009-07-03 2009-11-25 深圳市安络大成科技有限公司 Associated equipment and method for internal network security management
US7634436B1 (en) * 2003-05-05 2009-12-15 Wagner Gerald C Systems and methods for scheduling contributions to a retirement savings plan
CN105471905A (en) * 2015-12-30 2016-04-06 迈普通信技术股份有限公司 AAA implementation method and system in stacking system

Legal Events

Date Code Title Description
PB01 Publication Application publication date: 20180504
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication