CN110719276B - Network equipment safety access system based on cache password and working method thereof - Google Patents

Publication number
CN110719276B
Application number
CN201910942178.0A
Other versions
CN110719276A
Authority
CN (China)
Original language
Chinese (zh)
Legal status (as listed by Google Patents; an assumption, not a legal conclusion)
Active
Inventors
王鹏
邓宇庭
王君妍
郭思琦
丛群
Current and original assignee
Beijing Wangruida Science & Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/105 Multiple levels of security

Abstract

A network equipment security access system based on a cache password, and its working method. The system comprises a bastion server, an AAA server, a log analysis server, a client and managed network equipment, with the bastion server and the AAA server each given a modified structure. Its distinguishing feature is that the bastion server caches the account and password entered by the client user and forwards them to the AAA server for authentication, replacing the conventional mode in which each network device stores account passwords and permission settings locally and authenticates locally. The cached password is encrypted for transmission. Managed network equipment admits a user only after the cached password has been authenticated, which strengthens and guarantees the security and reliability of network-device login credentials. The AAA server centralizes the local authentication information previously scattered across many network devices, divides user management permissions at a fine granularity, and confines user behaviour to its legitimate management scope, thereby securing the network equipment.

Description

Network equipment safety access system based on cache password and working method thereof
Technical Field
The invention relates to a network equipment security access system based on a cache password and its working method. It addresses the defects of the conventional mechanism used for network-device account passwords in current IP networks, namely local storage and local authentication, which carries a high risk of password leakage, leaves passwords uncontrolled and makes responsibility hard to trace; and the defects of the bastion-host management mode, in which passwords are uncontrolled, out of sync and stored reversibly. The invention replaces the conventional local authentication mode with AAA identity authentication, replaces the conventional user account password with a cache password, and places the user management permissions in the AAA server, so that management permissions are divided more conveniently and the network equipment is more secure. It belongs to the technical field of network data communication.
Background
In current communication systems there are two methods of managing network equipment. In the first, an administrator logs in to the network device directly with that device's account password and performs management operations. In the second, the administrator first logs in to a bastion host with the bastion host's account password and then manages the network device through the bastion host. The bastion host is an operation-and-maintenance behaviour audit appliance, built on a browser/server (B/S) architecture, that is widely deployed in IT networks today. It audits the management and maintenance of hosts, servers, network equipment, security equipment and other core-system components securely, effectively and visually; it advances operation-and-maintenance audit from event auditing to content auditing; it combines identity authentication, authorization, management and audit so that only legitimate users can use the key resources for which they hold operation-and-maintenance privileges; and it takes over terminal access to the network and servers by cutting off direct access from terminal computers to network and server resources and acting as a protocol proxy.
However, both methods have drawbacks in the course of control operations.
The first method, logging in to network equipment directly with its account password for management, proceeds as follows:
Step 1, connect to the network device to be managed. This is usually done either by opening its front-end management interface directly or by reaching the management back end over SSH (Secure Shell) or Telnet, two application-layer protocols for remote login sessions and other network services. SSH is a versatile, powerful, software-based network security solution: whenever the computer sends data to the network, SSH encrypts (and can compress) it, and the receiving end decrypts and decompresses it automatically, so the whole transfer is transparent to the user; it is easy to install and use and is very widely deployed. Telnet is the standard protocol and main form of remote login service: it lets a user log in to a remote host with a user name and password, turning the local computer temporarily into an emulated terminal of the remote host so that the user can do the remote host's work from the local computer. Unlike SSH, Telnet carries the whole session, including the user name and password, in cleartext.
Step 2, enter the account password of the network device to be managed in order to log in to it.
Step 3, perform the various management and control operations on the network device, including account password management: an ordinary user can change the account password they use to log in to the device, while a user with special privileges (for example, a super administrator with the highest privilege) can change other users' account passwords and create other administrators' accounts.
As the IT systems of enterprises and public institutions keep expanding, the network scale and the number of network devices grow rapidly, and with them the number of device accounts and passwords. For ease of memory and management, administrators therefore often set the same account password on a large number of network devices, and even keep handwritten records of plaintext passwords. Because changing the password of every device one by one is laborious and time-consuming, many devices still carry the original password they were assigned, unchanged for years. It is also common for several administrators to manage several different network devices with exactly the same account password. The conventional method of logging in to network equipment directly with the device account password therefore has the following problems:
1. The way administrators manage account passwords does not meet the basic requirement that network equipment be protected at different network security levels; the account password is easy to leak, the risk is high, and once it leaks the scope of impact is wide and the loss severe.
2. Because several users share one account password, it is impossible to control and distinguish effectively which user may manage which device, or to separate the actions of different users on the same device. After a security incident it is hard to identify the actual user of the account and the person responsible.
3. When each network device is audited independently, the audit logs differ in content and depth from device to device, a uniform access audit policy cannot be formulated, and unauthorized operations are hard to detect in time, track and gather evidence of.
The second method, managing network equipment by logging in through a bastion host, has the following problems:
Fig. 1 is a connection diagram of a bastion host and network equipment. The bastion host is a widely used operation-and-maintenance audit appliance with two control functions: core-system operation and security audit.
When the connection between the bastion host and the network equipment is first established, an initialization procedure is required:
Step 1, synchronize the account passwords of the managed network equipment to the bastion host.
Step 2, create the corresponding users on the bastion host and assign their account permissions along several dimensions: user, role, network device, time, application protocol and so on.
Fig. 2 shows how a user manages network equipment through the bastion host: the client logs in to the bastion host with the user's account password, then selects the stored account password of the target network device and logs in to that device through the bastion host to perform management operations. Throughout, the bastion host records every operation of the client exactly; for character terminals it records every command and data item entered.
However, using only the bastion host to manage network-device account passwords has some defects:
1. Passwords are uncontrolled: as in the first method, the account password for logging in to the device is configured on the device itself and can be changed there at any time, so the bastion host cannot gain complete control over all login credentials on the device.
2. Passwords are out of sync: each network device holds several sets of accounts and passwords and new ones can be added, so the bastion host never fully controls every device. Once a password is changed on the device, the copy stored in the bastion host silently becomes invalid and control of that device is lost.
3. Passwords are insecure: the bastion host stores the plaintext accounts and passwords of all core network devices, so if the bastion host is compromised the risk of password leakage is high.
How to manage and control IT network equipment more securely, reliably, flexibly and simply, with differentiated levels of authorization, has therefore become an important issue for technical staff in the industry.
Disclosure of Invention
In view of this, the invention aims to provide a network equipment security access system based on a cache password and its working method. The system adds an AAA server and a bastion server of modified structure. Its innovation is that AAA identity authentication (AAA stands for Authentication, Authorization and Accounting, a security framework providing network authentication, authorization and accounting) replaces the conventional local authentication mode, and user management permissions are held in the AAA server, replacing the conventional mechanism in which network-device account passwords are stored and authenticated locally; management permissions are thus divided more conveniently and the network equipment is more secure. A user logs in to the bastion server with an authorized user account and password; after authentication by the AAA server, the bastion server connects to the managed network equipment and provides security protection, operation audit and other control functions, which further secures access to the network equipment. The system and its working method therefore unify and simplify account password management for managed network equipment, make the equipment more secure, and make the division of administrator operating privileges more precise, reliable and convenient.
To achieve this object, the invention provides a network equipment security access system based on a cache password, comprising a client and managed network equipment, and characterized in that it further consists of a bastion server, an AAA server and a log analysis server, the bastion server and the AAA server each having a modified structure, wherein:
The bastion server provides the client with single sign-on access to the controlled network equipment. It no longer stores any network-device account or password and only caches the user account and password used to log in to the system; it is also connected to a log analysis server that stores its working log. Its structure comprises the original virtual terminal module, which connects to the client, and the original SSH (Secure Shell)/Telnet connection module, which connects to the controlled network equipment over these application-layer remote login protocols, plus a newly added AAA communication interface for exchanging data with the AAA server;
The AAA server is the control center of the system. It is connected to the bastion server, the log analysis server and the network equipment; it sets the different management permissions of users; it authenticates both the user login connection requests initiated by the client and the operation connection authentication requests initiated by the network equipment that the user has asked to control; and it returns the authentication result to the corresponding client or network device. The AAA server comprises an authentication protocol module, a user database and a bastion communication interface for exchanging data with the bastion server;
The log analysis server is connected to the bastion server and the AAA server. It collects from both servers all working logs of user system login requests and their authentication, of the operation connection requests users initiate to control network equipment, of the authentication requests those devices make for controlled operation connections, and of the users' connection operations on the network equipment, and performs statistical analysis and security audit on them;
The client connects to the bastion server in order to reach the network equipment it needs to connect to, and manages and controls that equipment.
To achieve the above object, the invention further provides a working method of the network equipment security access system based on a cache password, comprising the following operating steps:
Step 1. When the virtual terminal module of the bastion server receives a user system login connection request from the client, it converts and parses the request to obtain the user account and password, caches them, and forwards the login connection request through the bastion server's AAA communication interface and the AAA server's bastion communication interface to the authentication protocol module of the AAA server for authentication.
Step 2. After this authentication passes, the bastion server receives from the client an operation connection request for the network device the user intends to control and forwards that request together with the cached user account and password to the network device. The network device sends its own IP address, the user account that initiated the operation connection request and the password to the authentication protocol module of the AAA server for authentication.
Step 3. The authentication protocol module of the AAA server consults the user database and authenticates the operation connection authentication request from the network device. If authentication fails, continue with step 4; if it succeeds, jump to step 5.
Step 4. Determine whether the client initiates a further operation connection request for network equipment it intends to control. If so, return to step 2; if not, the procedure ends.
Step 5. On receiving the operation connection authentication success message from the AAA server, the network device establishes a connection with the SSH/Telnet connection module of the bastion server, and the client then performs management and control operations on the network device through the virtual terminal module and the SSH/Telnet module of the bastion server.
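The five steps above, written out as a runnable simulation in Python. This is an added example, not code from the patent or its assignee: the three servers and the device are modelled as in-process objects rather than network endpoints, and the salted PBKDF2 hashing in the AAA user database, the session-cache layout, the log record shape and the sample user and addresses are all assumptions. It shows the property the method relies on: the bastion server holds no device credentials, the network device holds no local accounts, and the AAA server decides both the login (returning the user's authorized device list) and each device connection (checking the forwarding device's IP address against that list).

```python
"""Simulation of the cache-password working method (steps 1-5) as in-process objects.
Added example, not the patent's code; hashing, session and log formats are assumptions."""
import hashlib, hmac, os, secrets

class LogServer:
    """Log analysis server: collects working logs from bastion and AAA."""
    def __init__(self):
        self.records = []
    def record(self, src, event, **fields):
        self.records.append({"src": src, "event": event, **fields})

class AAAServer:
    """Control center: the only place user credentials and permissions live.
    Credentials are stored as salted PBKDF2 hashes, i.e. irreversibly (assumption)."""
    def __init__(self, log):
        self.log, self.users, self.perms = log, {}, {}
    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def add_user(self, user, password, devices):
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(password, salt))
        self.perms[user] = set(devices)  # devices this user may manage
    def _check(self, user, password):
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(self._hash(password, salt), stored)
    def authenticate_login(self, user, password):
        """Step 1: reply is None (refused) or the user's authorized device list."""
        ok = self._check(user, password)
        self.log.record("aaa", "login", user=user, ok=ok)
        return sorted(self.perms[user]) if ok else None
    def authenticate_device(self, device_ip, user, password):
        """Step 3: the device forwards its IP plus the cached credential; the
        password and the user's permission for that device must both hold."""
        ok = self._check(user, password) and device_ip in self.perms.get(user, ())
        self.log.record("aaa", "device_auth", user=user, device=device_ip, ok=ok)
        return ok

class NetworkDevice:
    """Managed device: keeps no local accounts, refers every login to AAA."""
    def __init__(self, ip, aaa):
        self.ip, self.aaa, self.sessions = ip, aaa, []
    def connect(self, user, password):
        if not self.aaa.authenticate_device(self.ip, user, password):
            return False
        self.sessions.append(user)  # step 5: SSH/Telnet session established
        return True

class BastionServer:
    """Caches the user's credential per session; holds no device credentials."""
    def __init__(self, aaa, log):
        self.aaa, self.log, self.cache = aaa, log, {}
    def login(self, user, password):
        """Step 1: the virtual terminal module caches the credential and asks AAA."""
        devices = self.aaa.authenticate_login(user, password)
        if devices is None:
            self.log.record("bastion", "login_refused", user=user)
            return None
        sid = secrets.token_hex(8)
        self.cache[sid] = (user, password)
        self.log.record("bastion", "login_ok", user=user, sid=sid)
        return sid, devices
    def connect(self, sid, device):
        """Step 2: forward the request plus cached credential; the device asks AAA."""
        if sid not in self.cache:
            return False  # no authenticated session behind this request
        user, password = self.cache[sid]
        ok = device.connect(user, password)
        self.log.record("bastion", "connect", user=user, device=device.ip, ok=ok)
        return ok
    def logout(self, sid):
        self.cache.pop(sid, None)  # the cached credential lives only for the session

def demo():
    """Constructed scenario: alice may manage 10.0.0.1 and 10.0.0.2 but not 10.0.0.9."""
    log = LogServer()
    aaa = AAAServer(log)
    aaa.add_user("alice", "correct horse", ["10.0.0.1", "10.0.0.2"])
    sw1, fw1 = NetworkDevice("10.0.0.1", aaa), NetworkDevice("10.0.0.9", aaa)
    bastion = BastionServer(aaa, log)
    refused = bastion.login("alice", "wrong") is None
    sid, devices = bastion.login("alice", "correct horse")
    results = {"bad_password_refused": refused, "devices": devices,
               "authorized": bastion.connect(sid, sw1),
               "unauthorized": bastion.connect(sid, fw1),
               "stale_session": bastion.connect("nope", sw1),
               "fw1_sessions": len(fw1.sessions)}
    bastion.logout(sid)
    results["cache_empty"] = not bastion.cache
    results["events"] = [r["event"] for r in log.records]
    return results

if __name__ == "__main__":
    print(demo())
```

Two points the simulation makes visible. First, the bastion must keep the user's credential in usable form for the life of the session in order to forward it in step 2, so the "irreversible" storage the description speaks of applies to the AAA user database (a salted hash here), while the forwarded credential relies on the encrypted channel the description assumes and on being dropped at logout. Second, a connection attempt without a cached session (`stale_session`) is refused by the bastion before any device or the AAA server is contacted, and an attempt on a device outside the user's list is refused by the AAA server even though the password is correct.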
Compared with the prior art, the system and method have the following innovative advantages and improvements:
The system and working method apply an entirely new, unified management scheme to network-device account passwords. In the conventional management mode each network device carries several sets of account passwords and many devices share the same ones; in the bastion-host mode, passwords are uncontrolled, out of sync, stored reversibly and kept in plaintext. In the present system, by contrast, the AAA server replaces local authentication on the network device with authentication of the cached user account and password, and neither the bastion host nor the network equipment stores user accounts, passwords or permission settings for authentication any more. When a user logs in to the bastion host, the AAA server alone stores and manages the user account and password used for authentication; the cached user account and password are stored and transmitted in irreversible, encrypted form, eliminating the password leakage risk of plaintext storage; and managed network equipment admits a user only after authentication, which strengthens and guarantees the security and consistency of network-device user accounts and passwords.
By connecting the network equipment to the AAA server, the system centralizes the local authentication information previously scattered across many devices. The AAA server divides users' network-element management permissions at fine granularity, replacing the conventional division of user permissions in the bastion host: after authentication a user receives only their own identity verification result and the list of network devices they are authorized to connect to, so user behaviour is confined to its legitimate management scope and the network equipment is genuinely secured.
The system can also add a multi-factor authentication step when the user logs in to the virtual terminal, to confirm that the user's identity is legitimate, reduce identity theft and improve the security of the network equipment.
The working method also adds a priority verification mechanism: with the bastion host and the AAA server authenticating jointly, the user is first authenticated, then receives the list of network devices they may connect to, and only then is an SSH/Telnet connection established with the chosen device, which effectively keeps password-guessing attacks away from the network equipment. The bastion host needs zero management configuration. The bastion server provides a virtual terminal interface, so the client needs no third-party terminal software.
In the system, all communication among the components, that is the user client, the network equipment, the modified AAA server and the bastion server, is transmitted with secure encryption, the password is irreversible, and the AAA server is transparent to the user, which fully improves the security of the whole network system.
The components of the system are compact and simply structured, and the information exchange between network elements and modules in the operating steps of the working method is very simple and easy to implement. The system is also highly compatible: switches, routers, firewalls, load balancers and other network-element devices of an IT network can all be brought under unified control and management, which genuinely simplifies operation and maintenance and improves operating efficiency while keeping the system secure. In short, the invention has good prospects for wide application.
Drawings
Fig. 1 is a schematic diagram of the connection of a prior-art bastion host to network equipment.
Fig. 2 is a schematic diagram of the prior-art operation steps for managing network equipment through a bastion host.
Fig. 3 is a schematic diagram of the structure of the network equipment security access system based on a cache password.
Fig. 4 is a flowchart of the operating steps of the working method of the network equipment security access system based on a cache password.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail with reference to the accompanying drawings and examples.
The system of the invention has an important technical innovation characteristic that the AAA server is used for replacing the traditional local authentication mode of the network equipment when the original network equipment to be managed is connected with by the authentication mode of the cached user account and the password. The cache password used in the system is the account number and the password of the user cached by the bastion machine server when the user login system connection request of the client is received. When a user initiates an operation connection request for managing and controlling the network equipment, the cache password is sent to the managed and controlled network equipment by the bastion machine server, and then the cache password comprising the user account number and the password and the IP address thereof are sent to the AAA server by the network equipment for authentication. And the bastion machine and the network equipment do not store the user account and the password for authentication and the authority setting. When a user logs in a bastion machine, an AAA server uniformly stores and manages a user account and a password and is used for authentication; and the cached user account and the password are stored and transmitted in an irreversible safe encryption mode, so that the password leakage risk does not exist. The innovative characteristic solves a plurality of defects in the prior art. Furthermore, all the constituent devices in the system of the invention: all information interaction among the user client, the AAA server, the bastion server, the work log server and the network equipment adopts encrypted communication, and the password is irreversible.
Referring to fig. 3, the structural composition of the system for network device secure access based on cache password of the present invention is described: the system consists of a bastion server, an AAA server and a log analysis server, wherein the structures of the bastion server and the AAA server are respectively improved; the system also includes a client and a managed network device. The following are introduced separately:
(I) The bastion server provides the client with single sign-on to the managed network equipment. It no longer stores the account or password of any network device and only caches the user account and password used to log in to the system; it is also connected to the log analysis server, which stores the working log. The bastion server originally consists of a virtual terminal module connected to the client, and an SSH (Secure Shell)/Telnet (remote terminal protocol) connection module connected to the managed network equipment; these are application-layer protocols built on the transport layer and intended to provide secure communication for remote login sessions and other network services. The bastion server is additionally provided with an AAA communication interface for data interaction with the AAA server. The functions of the components of the bastion server are as follows:
The virtual terminal module receives the user's system login connection request and the operation connection request for a managed network device from the client. After converting and parsing the system login connection request, it caches the user account and password obtained from it and forwards the login connection request containing that account and password to the AAA communication interface, so that the AAA server can optionally combine it with the user's mobile phone dynamic password to perform multi-factor authentication of the user. The module also receives, from the AAA communication interface, either a login-refused message or the list of network devices the user may connect to, so that the client can select a device directly or manually enter the IP address of the network device to be managed and initiate an operation connection request to it. When it receives the client user's request to operate and connect to a network device, the virtual terminal module converts and parses that request together with the cached password into a result containing the IP address of the requested network device, the cached user account and the password, which is sent to that network device through the SSH/Telnet connection module.
The SSH/Telnet connection module receives the operation connection request for a managed network device that the virtual terminal module forwards from the client, containing the IP address of the network device to be connected, the cached user account and the password; it forwards the request to that network device and connects to the device selected by the user according to the SSH/Telnet protocol so that management and control operations can be executed.
The AAA communication interface receives the converted and parsed user system login connection request from the virtual terminal module and forwards it to the bastion machine communication interface of the AAA server; it also receives either a login-refused message or the list of network devices available for connection from that interface and forwards it to the client through the virtual terminal module so that the user can select a connection.
(II) The AAA server is the control center of the system. It is additionally provided with a communication interface for data interaction with the bastion server and is interfaced directly with the network equipment, so that it is connected to the bastion server, the log analysis server and the network equipment respectively. It sets the different management authorities of users, performs authentication separately for the user login connection request initiated by the client and for the operation connection authentication request initiated by the network device the user has applied to manage, and returns the authentication result to the corresponding client or network device. The AAA server is provided with an authentication protocol module, a user database and a bastion machine communication interface for exchanging data with the bastion server. The functions of the components of the AAA server are as follows:
The bastion machine communication interface receives the user system login connection request forwarded by the AAA communication interface of the bastion server and passes it to the authentication protocol module for authentication. If authentication fails, it receives a login-refused message from the authentication protocol module and forwards it to the AAA communication interface of the bastion server; if authentication succeeds, it receives from the authentication protocol module the list of network devices the user may connect to and forwards that list to the AAA communication interface of the bastion server.
The authentication protocol module is the operation control center of the AAA server and is connected to the other components: the bastion machine communication interface, the user database and the network equipment. It receives the user system login connection request from the bastion machine communication interface and calls the corresponding user information in the user database for authentication; if authentication succeeds, it returns the list of network devices the user may connect to to the bastion machine communication interface, and if authentication fails, it returns a login-refused message. It also receives the operation connection authentication message from the network device to be connected, extracts the client information it contains, namely the IP address of the network device to be managed and the user account and password, authenticates this against the user database information, and decides from the result whether the user may connect to that network device: if the operation connection authentication succeeds, the network device formally establishes the connection with the SSH/Telnet module and the client manages the device through the virtual terminal module; if it fails, the network device cuts off the connection with the SSH/Telnet module.
The user database stores the accounts and passwords of the network device administrator users and their network device management authority information, including the list of network devices each user may connect to. When it receives from the authentication protocol module either the user account and password, or the user account, password and IP address returned by a network device, it compares them with the stored user data and returns the authentication result.
(III) The log analysis server is connected to both the bastion server and the AAA server. It collects from the two servers the authentication of user system login connection requests, the operation connection requests initiated by users to manage network devices, the authentication results of the operation connection requests sent by the managed network devices, and all working logs of users' connection operations on the network devices, and performs statistical analysis and security audit on them.
(IV) The client connects to the bastion server in order to access the network device it needs to connect to, and manages and controls that device.
(V) The various network devices managed and controlled through the client.
Referring to fig. 4, the specific operation steps of the working method of the system for secure network device access based on a cached password according to the present invention are as follows:
Step 1: when the virtual terminal module of the bastion server receives a user system login connection request sent by the client, it converts and parses the request, obtains and caches the user account and password it contains, and then transmits the user login connection request to the authentication protocol module of the AAA server for authentication, via the AAA communication interface and the bastion machine communication interface of the AAA server.
Step 2: after authentication passes, the bastion server receives the operation connection request for the network device the client intends to manage, and forwards that request together with the cached user account and password to the network device; the network device sends its IP address together with the user account and password that initiated the operation connection request to the authentication protocol module of the AAA server for authentication.
Step 3: the authentication protocol module of the AAA server calls the user database information and authenticates the operation connection authentication request of the network device; if authentication fails, continue with step 4; if it succeeds, skip to step 5.
Step 4: determine whether the client initiates an operation connection request for a network device it intends to manage; if yes, return to step 2; if not, the operation flow ends.
Step 5: after receiving the operation connection authentication success message from the AAA server, the network device establishes the connection with the SSH/Telnet connection module of the bastion server; the client then performs management and control operations on the network device through the virtual terminal module and the SSH/Telnet module of the bastion server.
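The five steps above, simulated as an added Python example that is not part of the patent: the bastion server only caches the login credentials per session and holds no device credentials, the AAA server holds the only credential store (irreversibly hashed, as claim 5 requires) together with each user's device list, and each network device re-authenticates the cached credentials with its own IP address before the session is established. The component and method names, the PBKDF2 hashing, and the sample account, password and device addresses are my assumptions.

```python
# Added example, not from the patent: offline simulation of the five-step flow.
# All accounts, passwords and device IPs below are constructed sample data.
import hashlib
import hmac
import os
import secrets


def hash_password(password, salt):
    # Irreversible storage (claim 5): salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LogAnalysisServer:
    def __init__(self):
        self.entries = []  # events from both servers, kept for audit

    def record(self, source, event, **fields):
        self.entries.append({"source": source, "event": event, **fields})


class AAAServer:
    """Holds the only copy of user credentials plus each user's device list."""

    def __init__(self, log):
        self.log = log
        self.users = {}  # account -> {"salt", "hash", "devices"}; never the plaintext

    def add_user(self, account, password, devices):
        salt = os.urandom(16)
        self.users[account] = {"salt": salt, "hash": hash_password(password, salt),
                               "devices": frozenset(devices)}

    def _verify(self, account, password):
        rec = self.users.get(account)
        return rec is not None and hmac.compare_digest(
            rec["hash"], hash_password(password, rec["salt"]))

    def authenticate_login(self, account, password):
        # Step 1: connectable device list on success, None on refusal.
        ok = self._verify(account, password)
        self.log.record("aaa", "login_auth", account=account, result=ok)
        return sorted(self.users[account]["devices"]) if ok else None

    def authenticate_device_connection(self, device_ip, account, password):
        # Step 3: the device's own IP is checked against the user's list, so the
        # cached password alone never grants access to an arbitrary device.
        ok = self._verify(account, password) and device_ip in self.users[account]["devices"]
        self.log.record("aaa", "device_auth", account=account, device=device_ip, result=ok)
        return ok


class NetworkDevice:
    def __init__(self, ip, aaa):
        self.ip, self.aaa = ip, aaa
        self.sessions = set()  # accounts with an established SSH/Telnet session

    def operation_connect(self, account, password):
        # Step 2 (device side): re-authenticate via AAA; step 5 on success.
        if self.aaa.authenticate_device_connection(self.ip, account, password):
            self.sessions.add(account)
            return True
        return False  # AAA refused: the device cuts the connection


class BastionServer:
    """Stores no device credentials; only caches login credentials per session."""

    def __init__(self, aaa, log):
        self.aaa, self.log = aaa, log
        self.cache = {}  # session id -> (account, password): the "cached password"

    def login(self, account, password):
        # Step 1: parse the login request, cache the credentials, forward to AAA.
        devices = self.aaa.authenticate_login(account, password)
        if devices is None:
            return None, None
        sid = secrets.token_hex(8)
        self.cache[sid] = (account, password)
        return sid, devices

    def connect_device(self, sid, device):
        # Step 2: forward the request with the cached credentials to the device.
        account, password = self.cache[sid]
        self.log.record("bastion", "operation_connect", account=account, device=device.ip)
        return device.operation_connect(account, password)

    def logout(self, sid):
        self.cache.pop(sid, None)  # the cache lives only as long as the session


def run_scenario():
    """Constructed run: one user, two devices, one of them off the user's list."""
    log = LogAnalysisServer()
    aaa = AAAServer(log)
    aaa.add_user("netadmin", "correct horse battery staple", {"10.0.0.1"})
    core_switch, edge_router = NetworkDevice("10.0.0.1", aaa), NetworkDevice("10.0.0.2", aaa)
    bastion = BastionServer(aaa, log)
    sid, devices = bastion.login("netadmin", "correct horse battery staple")
    results = {"login_devices": devices}
    # Steps 2-4: each requested device is tried in turn; a refusal ends only that request.
    for dev in (core_switch, edge_router):
        results[dev.ip] = bastion.connect_device(sid, dev)
    bastion.logout(sid)
    results["bad_login"] = bastion.login("netadmin", "wrong")
    results["events"] = len(log.entries)
    return results
```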
The system and method for secure network device access have been used for some time in a test deployment on the campus network of Beijing University of Posts and Telecommunications; the outline of that test deployment is briefly described as follows:
The campus network of Beijing University of Posts and Telecommunications contains 9 manufacturers, more than 50 models and 1000 network devices of different types. In the implementation test, the system for secure network device access based on a cached password was used for unified management of the passwords and logins of all network devices in the campus network; the traditional Telnet mode was closed completely and only SSH was allowed for connecting to network devices. The system administrator users are divided into three groups, the common user group, the privileged user group and the network management system group, each with its own different management authority. A user logs in to the bastion machine through the client and selects the network device to connect to and the connection mode; the AAA server then authenticates the device connection, and only after authentication can the user manage and control the network devices it has the right to access. In addition, the user's login log, the network device authentication log and the bastion machine operation log are all recorded in the system.
Tests carried out on examples over several months were successful and achieved the object of the invention.

Claims (6)

1. A system for network equipment secure access based on a cached password, comprising a client and managed network equipment, characterized in that: the system consists of a bastion server, an AAA server and a log analysis server, the structures of the bastion server and the AAA server each being improved; wherein:
the bastion server provides the client with single sign-on to the managed network equipment, no longer stores any network device account or password, is used only to cache the user account and password for logging in to the system, and is also connected to the log analysis server, which stores the working log; the bastion server originally consists of a virtual terminal module connected to the client, and an SSH (Secure Shell) and/or Telnet (remote terminal protocol) connection module connected to the managed network equipment, these being application-layer protocols built on the transport layer and intended to provide secure communication for remote login sessions and other network services; the bastion server is additionally provided with an AAA communication interface for data interaction with the AAA server;
when the virtual terminal module of the bastion server receives a user system login connection request sent by the client, it converts and parses the request to obtain and cache the user account and password, and then transmits the user login connection request to the authentication protocol module of the AAA server for authentication via the AAA communication interface and the bastion machine communication interface of the AAA server; after authentication passes, the bastion server sends the network device list to the client, receives the operation connection request for the network device the client intends to manage, and forwards that request together with the cached user account and password to the network device; the network device sends its IP address together with the user account and password that initiated the operation connection request to the authentication protocol module of the AAA server for authentication;
the AAA server is the control center of the system, is connected to the bastion server, the log analysis server and the network equipment respectively, sets the different management authorities of users, performs authentication separately for the user login connection request initiated by the client and for the operation connection authentication request initiated by the network device the user has applied to manage, and returns the authentication result to the corresponding client or network device; the AAA server is provided with an authentication protocol module, a user database and a bastion machine communication interface for exchanging data with the bastion server;
the log analysis server is connected to both the bastion server and the AAA server, collects from the two servers the authentication of user system login connection requests, the operation connection requests initiated by users to manage network devices, the authentication requests for the operation connection requests of the managed network devices and all working logs of users' connection operations on the network devices, and performs statistical analysis and security audit;
and the client connects to the bastion server in order to access the network device it needs to connect to, and manages and controls that device.
2. The system of claim 1, wherein: the cached password is the user's account and password cached by the bastion server when it receives the user's system login connection request from the client; when the user initiates an operation connection request to manage a network device, the bastion server sends the cached password to that managed network device, and the network device then sends the cached password, comprising the user account and password, together with its own IP address to the AAA server for authentication.
3. The system of claim 1, wherein: the functions of the components of the bastion server are respectively:
the virtual terminal module receives the user's system login connection request and the operation connection request for a managed network device from the client; after converting and parsing the system login connection request, it caches the user account and password obtained from it and forwards the login connection request containing that account and password to the AAA communication interface, so that the AAA server can optionally combine it with the user's mobile phone dynamic password to perform multi-factor authentication of the user; it also receives, from the AAA communication interface, either a login-refused message or the list of network devices the user may connect to, so that the client can select a device directly or manually enter the IP address of the network device to be managed and initiate an operation connection request to it; when it receives the client user's request to operate and connect to a network device, the virtual terminal module converts and parses that request together with the cached password into a result containing the IP address of the requested network device, the cached user account and the password, which is sent to that network device through the SSH/Telnet connection module;
the SSH/Telnet connection module receives the operation connection request for a managed network device that the virtual terminal module forwards from the client, containing the IP address of the network device to be connected, the cached user account and the password; it forwards the request to that network device and connects to the device selected by the user according to the SSH/Telnet protocol so that management and control operations can be executed;
the AAA communication interface receives the converted and parsed user system login connection request from the virtual terminal module and forwards it to the bastion machine communication interface of the AAA server; it also receives either a connection-refused message or the list of network devices available for connection from that interface and forwards it to the client through the virtual terminal module so that the user can select a connection.
4. The system of claim 1, wherein: the functions of the components of the AAA server are respectively:
the bastion machine communication interface receives the user system login connection request forwarded by the AAA communication interface of the bastion server and passes it to the authentication protocol module for authentication; if authentication fails, it receives a message refusing the user's login connection from the authentication protocol module and forwards it to the AAA communication interface of the bastion server; if authentication succeeds, it receives from the authentication protocol module the list of network devices the user may connect to and forwards that list to the AAA communication interface of the bastion server;
the authentication protocol module is the operation control center of the AAA server and is connected to the other components: the bastion machine communication interface, the user database and the network equipment; it receives the user system login connection request from the bastion machine communication interface and calls the corresponding user information in the user database for authentication; if authentication succeeds, it returns the list of network devices the user may connect to to the bastion machine communication interface, and if authentication fails, it returns a login-refused message; it also receives the operation connection authentication message from the network device to be connected, extracts the client information it contains, namely the IP address of the network device to be managed and the user account and password, authenticates this against the user database information, and decides from the result whether the user may connect to that network device: if the operation connection authentication succeeds, the network device formally establishes the connection with the SSH/Telnet module and the client manages the device through the virtual terminal module; if it fails, the network device cuts off the connection with the SSH/Telnet module;
and the user database stores the accounts and passwords of the network device administrator users and their network device management authority information, including the list of network devices each user may connect to, so that when it receives from the authentication protocol module either the user account and password, or the user account, password and IP address returned by a network device, it compares them with the stored user data and returns the authentication result.
5. The system of claim 1, wherein: all interactive communication among the user client, the AAA server, the bastion server, the work log server and the network equipment uses encrypted communication, and the password is stored irreversibly.
6. A method of operating the system for secure access to network devices based on a cached password as claimed in claim 1, characterized in that the method comprises the following operation steps:
step 1: when the virtual terminal module of the bastion server receives a user system login connection request sent by the client, it converts and parses the request to obtain and cache the user account and password, and then transmits the user login connection request to the authentication protocol module of the AAA server for authentication via the AAA communication interface and the bastion machine communication interface of the AAA server;
step 2: after authentication passes, the bastion server receives the operation connection request for the network device the client intends to manage, and forwards that request together with the cached user account and password to the network device; the network device sends its IP address together with the user account and password that initiated the operation connection request to the authentication protocol module of the AAA server for authentication;
step 3: the authentication protocol module of the AAA server calls the user database information and authenticates the operation connection authentication request of the network device; if authentication fails, continue with step 4; if it succeeds, skip to step 5;
step 4: determine whether the client initiates an operation connection request for a network device it intends to manage; if yes, return to step 2; if not, the operation flow ends;
step 5: after receiving the operation connection authentication success message from the AAA server, the network device establishes the connection with the SSH/Telnet connection module of the bastion server; the client then performs management and control operations on the network device through the virtual terminal module and the SSH/Telnet module of the bastion server.
CN201910942178.0A 2019-09-30 2019-09-30 Network equipment safety access system based on cache password and working method thereof Active CN110719276B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910942178.0A CN110719276B (en) 2019-09-30 2019-09-30 Network equipment safety access system based on cache password and working method thereof


Publications (2)

Publication Number Publication Date
CN110719276A CN110719276A (en) 2020-01-21
CN110719276B true CN110719276B (en) 2021-12-24

Family

ID=69212103



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Wang Junyan
Inventor after: Guo Siqi
Inventor after: Cong Qun
Inventor before: Weng Yuan
Inventor before: Guo Siqi
Inventor before: Cong Qun

CB03 Change of inventor or designer information

Inventor after: Wang Peng
Inventor after: Deng Yuting
Inventor after: Wang Junyan
Inventor after: Guo Siqi
Inventor after: Cong Qun
Inventor before: Wang Junyan
Inventor before: Guo Siqi
Inventor before: Cong Qun

GR01 Patent grant