Network device secure access system based on cached passwords, and working method thereof
Technical Field
The invention relates to a network device secure access system based on cached passwords and a working method thereof. It addresses the defects of the prior art in IP networks, where the account passwords of network devices are stored and authenticated locally on each device, giving a high risk of password leakage, uncontrollable passwords and difficult responsibility tracing, and where, when a bastion host management mode is adopted, the passwords are uncontrollable, out of synchronization and stored in recoverable (reversible) form. The invention adopts AAA (Authentication, Authorization and Accounting) authentication in place of local authentication, replaces the per-device account passwords with a cached user password, and sets the user management permissions in the AAA server, so that the division of management permissions is more convenient and the network devices are safer. The invention belongs to the technical field of network data communication.
Background
In current communication systems there are two ways to manage network devices. In the first, the administrator logs in directly to the network device with that device's own account and password and performs the management operations. In the second, the administrator first logs in to a bastion host with the bastion host's account and password and then manages the network device through the bastion host. The bastion host is the operation and maintenance audit appliance now widely used in IT networks. It is built on a browser/server (B/S) architecture and provides secure, effective and visual auditing of the management, operation and maintenance of hosts, servers, network devices, security devices and other core-system assets; it raises operation and maintenance auditing from event-level to content-level audit, combines identity authentication, authorization, management and audit, and ensures that only legitimate users can use the key resources their operation and maintenance permissions grant them. The bastion host cuts off the terminal computer's direct access to network and server resources and takes over that access in protocol-proxy mode.
However, both methods have drawbacks and problems in the course of control operations.
The first method, logging in directly to the network device with the device's account and password, is introduced first. It comprises the following steps:
Step 1, connect to the network device to be managed. The usual ways are to open the device's front-end management interface directly, or to reach its management back end over SSH (Secure Shell) or Telnet, application-layer protocols running over the transport layer. SSH was designed to provide security for remote login sessions and other network services: it is a versatile, software-based network security solution that encrypts (and optionally compresses) the data a computer sends to the network and decrypts it again at the destination, transparently to the user; it is easy to install and use and is very widely deployed. Telnet is the standard protocol and principal means of remote login service: it lets a user log in to a remote host with a user name and password, so that the local computer temporarily becomes a terminal emulator of the remote host and the user can do the work of the remote host from the local computer. Unlike SSH, Telnet carries the user name, the password and the whole session in cleartext.
Step 2, enter the account and password of the network device to be managed, so as to log in to the device.
Step 3, perform the various management and control operations on the network device, including account and password management: an ordinary user can change the account password with which he logs in to the device, and a user with special permissions (for example a super administrator with the highest authority) can change the account passwords of other users and create accounts for other administrators.
As the IT systems of enterprises and public institutions keep growing, the network scale and the number of network devices expand rapidly, and the number of device accounts and passwords grows with them. For convenience of memory and management, administrators therefore often set the same account password on a large number of network devices, and even record the plaintext passwords by hand. Moreover, changing the password of each network device one by one is complex, time-consuming and labour-intensive, so the accounts and passwords of many existing network devices are still the original assignments, used for a long time and never changed. It is also common for several administrators to manage several different network devices with exactly the same account password. The conventional method of logging in directly to a network device with the device's own account password therefore has the following problems:
1. The account passwords managed by administrators do not meet the basic requirement that network devices of different security levels be protected differently; the account password is easily leaked, the risk is high, and once it leaks the scope of impact is wide and the loss serious.
2. Several users share one account password, so it cannot be effectively controlled or distinguished whether each user may manage a given network device, and the management actions of different users on the same device cannot be separated. When a security incident occurs, it is difficult to identify the actual user of the account and the person responsible.
3. When different network devices are audited independently, the audit logs of each device differ in content and depth, so no uniform access audit policy can be formulated, and illegal operations are hard to detect in time, track and evidence.
The second method, logging in to the network device through a bastion host in order to manage it, is introduced next; it has the following problems:
Refer to fig. 1, a schematic connection diagram of a bastion host and a network device. The bastion host is a commonly used operation and maintenance audit appliance with the two management and control functions of core-system operation and security audit.
When the connection between the bastion host and the network device is established for the first time, an initialization setup is required:
Step 1, synchronize the account password of the managed network device to the bastion host.
Step 2, create the corresponding users on the bastion host, and set and divide the permissions of the user accounts along dimensions such as user, role, network device, time and application protocol.
Refer to fig. 2 for the process by which a user manages a network device through the bastion host: the client logs in to the bastion host with its account password, selects the account password of the target network device on the bastion host, logs in to that device and performs management operations. Throughout, the bastion host records every operation of the client exactly; for a character terminal it records every command and data item entered.
However, if only the bastion host is used to manage the account passwords of the network devices, certain defects remain:
1. Uncontrollable passwords: as in the first method, the account password for logging in to the network device is configured on the device itself and can be changed on the device at any time, so the bastion host cannot gain complete control over all login account passwords on the device.
2. Unsynchronized passwords: each network device carries several sets of accounts and passwords, and new accounts and passwords can be added, so the bastion host never fully holds the control of each device. Once a password is changed on the device, the account password stored in the bastion host is invalid and control of that network device is lost outright.
3. Unsafe passwords: the bastion host stores the accounts and passwords of all core network devices in plaintext, or in a form from which the plaintext can be recovered, since it must present them to the devices at login. Once the bastion host is compromised, the risk of password leakage is high.
How to manage and control IT network devices more safely, reliably, flexibly and simply, with differentiated levels of authorization, has therefore become an important issue of great concern to engineers in the industry.
Disclosure of Invention
In view of this, the invention aims to provide a network device secure access system based on cached passwords and a working method thereof. The system adds an AAA server and a bastion server of improved structure. Its innovative feature is that AAA authentication (AAA stands for Authentication, Authorization and Accounting, a security framework providing network authentication, authorization and accounting) replaces the traditional local authentication mode, and the user management permissions are set in the AAA server, replacing the prior-art mechanism in which each network device stores its account passwords locally and authenticates locally; the division of user management permissions thereby becomes more convenient and the network devices safer. In the system, a user logs in to the bastion server with an authorized user account and password; after the AAA server has authenticated the user, the bastion server connects to the managed network device and provides security protection, operation audit and other control functions, further guaranteeing the access security of the network device. The system and its working method thus unify and simplify the account password management of the managed network devices, make the devices safer, and make the division of administrator operation permissions more precise, reliable and convenient.
To achieve the above object, the invention provides a network device secure access system based on cached passwords, which includes a client and a managed network device, and is characterized in that the system further consists of a bastion server, an AAA server and a log analysis server, the structures of the bastion server and the AAA server being respectively improved, wherein:
the bastion server provides the client with single sign-on to the managed network devices; it no longer stores any network device account or password, only caches the user account and password with which the user logs in to the system, and is connected to the log analysis server to deposit its working log. The bastion server comprises the original virtual terminal module, connected to the client, and the original SSH (Secure Shell)/Telnet connection module, connected to the managed network devices (SSH and Telnet being application-layer remote login protocols over the transport layer), and is additionally provided with an AAA communication interface for data interaction with the AAA server;
the AAA server is the control centre of the system; it is connected to the bastion server, the log analysis server and the network devices, is responsible for setting the different management permissions of users, performs authentication respectively on the user login connection request initiated by the client and on the operation connection authentication request initiated by the network device the user applies to manage, and returns the authentication result to the corresponding client or network device; the AAA server is provided with an authentication protocol module, a user database, and a bastion communication interface for data interaction with the bastion server;
the log analysis server is connected to the bastion server and the AAA server, collects from both the authentication of user system login connection requests, the operation connection requests initiated by users to manage network devices, the authentication requests forwarded by the managed network devices for those operation connections, and all working logs of the users' connections to and operations on the network devices, and performs statistical analysis and security audit;
and the client connects to the bastion server so as to access the network device it needs and to manage and control it.
To achieve the above object, the invention further provides a working method of the network device secure access system based on cached passwords, comprising the following operation steps:
Step 1, when the virtual terminal module of the bastion server receives a user system login connection request from a client, it parses the request, obtains and caches the user account and password it contains, and then transmits the user login connection request to the authentication protocol module of the AAA server for authentication, through the bastion server's AAA communication interface and the AAA server's bastion communication interface;
Step 2, after the authentication has passed, the bastion server receives an operation connection request from the client for a network device the client intends to manage, and forwards the operation connection request together with the cached user account and password to that network device; the network device sends its own IP address and the user account and password that initiated the operation connection request to the authentication protocol module of the AAA server for authentication;
Step 3, the authentication protocol module of the AAA server consults the user database and authenticates the operation connection authentication request of the network device; if authentication fails, step 4 is executed next, and if it succeeds, the flow jumps to step 5;
Step 4, it is determined whether the client initiates an operation connection request to another network device it intends to manage; if yes, step 2 is executed; if not, the operation flow ends;
Step 5, on receiving the operation connection authentication success message from the AAA server, the network device establishes the connection with the SSH/Telnet connection module of the bastion server; thereafter the client manages and controls the network device through the virtual terminal module and the SSH/Telnet module of the bastion server.
Compared with the prior art, the system and method of the invention have the following innovative advantages and improved effects:
The invention relates to a network device secure access system based on cached passwords and a working method thereof, namely a network system and working method that perform entirely unified management of network device account passwords. In the traditional network device management mode each network device has several sets of account passwords and a large number of devices share the same ones; and when the bastion host management mode is adopted, the passwords are uncontrollable, unsynchronized, stored in recoverable form, and kept in plaintext. In the system of the invention, by contrast, the AAA server replaces the traditional local authentication of the network device with authentication of the cached user account and password, and neither the bastion host nor the network devices store the user accounts, passwords or permission settings used for authentication any more. When a user logs in to the bastion host, the AAA server uniformly stores and manages the user accounts and passwords used for authentication; the credentials held by the AAA server are stored in irreversible (one-way hashed) form, the credentials cached on the bastion host exist only for the duration of the user's session, and all transmission uses encrypted channels, so the risk of password leakage is greatly reduced; and the managed network device admits the user only after authentication has passed, which strengthens and guarantees the security and consistency of the network devices' user accounts and passwords.
By connecting the network devices to the AAA server, the system centralizes the local authentication information previously scattered over many network devices. The AAA server divides users' network element management permissions finely, replacing the traditional division of permissions by the bastion host, so that after authentication a user receives only his own identity verification result and the list of network devices he is authorized to connect to; the user's behaviour is confined to the legitimate management scope, and the security of the network devices is genuinely guaranteed.
The system can also add a multi-factor authentication step when the user logs in to the virtual terminal, so as to confirm that the user's identity is legitimate, reduce identity theft and improve the security of the network devices.
The working method of the system adds a prioritized verification mechanism: with joint authentication by the bastion host and the AAA server, the user first passes identity authentication, then obtains the list of network devices he may connect to, and only then establishes the SSH/Telnet connection to a network device, so that password-guessing attacks cannot be aimed directly at the network devices. The bastion host also needs no per-device credential configuration. The bastion server provides a virtual terminal interface, so the client needs no third-party terminal software.
In the system, all communication among the component devices, that is the user client, the network devices, the improved AAA server and the bastion server, is transmitted with secure encryption; the passwords are stored irreversibly, and the AAA server is transparent to the user, which fully improves the security of the whole network system.
The components of the system are compact and simple in structure, and the information exchange among the network elements and modules in the operation steps of the working method is simple and easy to implement. The system is also highly compatible: switches, routers, firewalls, load balancers and other network element devices of an IT network can all be brought under unified control and management, making system operation and maintenance genuinely simple and improving operating efficiency while guaranteeing security. In short, the invention has good prospects for adoption.
Drawings
Fig. 1 is a schematic diagram of the connection of a prior-art bastion host to a network device.
Fig. 2 is a schematic diagram of the prior-art operation steps for managing a network device through a bastion host.
Fig. 3 is a schematic diagram of the structure of the network device secure access system based on cached passwords according to the invention.
Fig. 4 is a flowchart of the operation steps of the working method of the network device secure access system based on cached passwords according to the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail with reference to the accompanying drawings and examples.
An important technical innovation of the system is that, when a user connects to a network device to be managed, the AAA server replaces the traditional local authentication of the network device with authentication of the cached user account and password. The cached password used in the system is the user's account and password, cached by the bastion server when it receives the client's system login connection request. When the user then initiates an operation connection request to manage a network device, the bastion server sends the cached credentials to that network device, and the network device sends the cached user account and password together with its own IP address to the AAA server for authentication. Neither the bastion host nor the network device stores the user accounts, passwords or permission settings used for authentication. When a user logs in to the bastion host, the AAA server uniformly stores and manages the user accounts and passwords used for authentication; the stored credentials are kept in irreversible (one-way hashed) form and transmitted only over encrypted channels, so the risk of password leakage is greatly reduced. This innovation resolves many defects of the prior art. Furthermore, all information exchange among the component devices of the system, namely the user client, the AAA server, the bastion server, the work log server and the network devices, uses encrypted communication, and the passwords are irreversible.
Refer to fig. 3 for the structure of the network device secure access system based on cached passwords: the system consists of a bastion server, an AAA server and a log analysis server, the bastion server and the AAA server being of improved structure; the system also includes a client and managed network devices. They are introduced in turn:
(I) The bastion server provides the client with single sign-on to the managed network devices; it stores no account or password of any network device and only caches the user account and password with which the user logs in to the system; it is connected to the log analysis server, to which it sends its working log. The bastion server comprises the original virtual terminal module, connected to the client, and the original SSH (Secure Shell)/Telnet connection module, connected to the managed network devices (SSH and Telnet being application-layer remote login protocols over the transport layer), and is additionally provided with an AAA communication interface for data interaction with the AAA server. The functions of the components of the bastion server are as follows:
The virtual terminal module receives from the client the user login connection request and the operation connection requests for managed network devices. After parsing the system login connection request, it caches the user account and password obtained from it and forwards the login connection request, containing the user account and password, to the AAA communication interface; optionally, a one-time password from the user's mobile phone is included so that the AAA server can perform multi-factor authentication of the user. It receives from the AAA communication interface either a login rejection message or the list of network devices the user may connect to, so that the client can select a network device directly, or enter by hand the IP address of the network device to be managed, and initiate an operation connection request to it. When it receives the client's operation connection request for a network device to be managed, the virtual terminal module parses the request together with the cached password into the IP address of the network device to be connected, the cached user account and the password, and sends these to the corresponding network device through the SSH/Telnet connection module.
The SSH/Telnet connection module receives from the virtual terminal module the client's operation connection request for a managed network device, containing the IP address of the device to be connected and the cached user account and password, forwards it to that network device, and connects to the network device selected by the user over the SSH or Telnet protocol so that the management and control operations can be performed.
The AAA communication interface receives the parsed user system login connection request from the virtual terminal module and forwards it to the bastion communication interface of the AAA server; it receives the login rejection message or the list of connectable network devices from the bastion communication interface of the AAA server and forwards it through the virtual terminal module to the client for the user to choose a connection.
(II) The AAA server is the control centre of the system. It is additionally provided with a communication interface for data interaction with the bastion server, is interfaced with the network devices, and is connected to the bastion server, the log analysis server and the network devices. It is responsible for setting the different management permissions of users, performs authentication respectively on the user login connection request initiated by the client and on the operation connection authentication request initiated by the network device the user applies to manage, and returns the authentication result to the corresponding client or network device. The AAA server is provided with an authentication protocol module, a user database, and a bastion communication interface for data interaction with the bastion server. The functions of the components of the AAA server are:
The bastion communication interface receives the user system login connection request forwarded by the AAA communication interface of the bastion server and passes it to the authentication protocol module for authentication and authorization; if authentication fails, it receives the login rejection message from the authentication protocol module and forwards it to the AAA communication interface of the bastion server; if authentication succeeds, it receives from the authentication protocol module the list of network devices the user may connect to and forwards it to the AAA communication interface of the bastion server.
The authentication protocol module is the operation control centre of the AAA server and is connected to the other components: the bastion communication interface, the user database and the network devices. It receives the user system login connection request from the bastion communication interface and authenticates it against the corresponding user information retrieved from the user database; on success it returns the user's list of connectable network devices to the bastion communication interface, on failure it returns a login rejection message. It also receives the operation connection authentication message from the network device to be connected, extracts the client information in it, namely the IP address of the network device to be managed and the user account and password, authenticates these against the retrieved user database information, and decides from the result whether the network device is one the user may connect to: if the operation connection authentication succeeds, the network device formally establishes the connection with the SSH/Telnet module and the client manages the network device through the virtual terminal module; if it fails, the network device cuts off the connection to the SSH/Telnet module.
The user database stores the accounts and passwords of the network device administrator users and their network device management permission information, including the list of network devices each user may connect to. When it receives from the authentication protocol module a user account and password, or the user account, password and IP address returned by a network device, it compares them with the stored user data and returns the verification result.
(III) The log analysis server is connected to the bastion server and the AAA server, collects from both the authentication of user system login connection requests, the operation connection requests initiated by users to manage network devices, the authentication results of the operation connection requests sent by the managed network devices, and all working logs of the users' connections to and operations on the network devices, and performs statistical analysis and security audit.
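The correlation the log analysis server can perform on these two feeds is shown below as an added example that is not part of the patent. Because every accepted device login in the design of the invention must have been preceded by a bastion session of the same user to the same device, an AAA-accepted device login with no such bastion session is the audit signal for a path around the bastion. The log line formats, host addresses, user names and timestamps are constructed for this example and are not the patent's.

```python
"""Added example (not from the patent): correlate the bastion server's session
log with the AAA server's accounting log.  Formats and entries are constructed."""
import re
from datetime import datetime

# Constructed bastion log: logins to the bastion and device connections it brokered.
BASTION_LOG = """\
2024-05-01T09:00:02Z bastion login user=alice client=198.51.100.7 result=accept
2024-05-01T09:00:15Z bastion connect user=alice device=10.0.0.1 session=ab12
2024-05-01T09:30:00Z bastion login user=bob client=198.51.100.9 result=reject
"""

# Constructed AAA accounting log: authentications forwarded by devices (steps 2-3).
AAA_LOG = """\
2024-05-01T09:00:16Z aaa authz user=alice device=10.0.0.1 result=accept
2024-05-01T09:02:40Z aaa authz user=alice device=10.0.0.2 result=reject
2024-05-01T09:31:05Z aaa authz user=bob device=10.0.0.3 result=accept
2024-05-01T11:45:00Z aaa authz user=alice device=10.0.0.1 result=accept
"""

LINE_RE = re.compile(r"(?P<ts>\S+) (?P<src>\S+) (?P<event>\S+) (?P<kv>.*)$")


def parse_log(text):
    """Parse 'ts source event k=v k=v ...' lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
        rec["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["src"], rec["event"] = m["src"], m["event"]
        records.append(rec)
    return records


def unbrokered_device_logins(bastion_text, aaa_text, window_seconds=3600):
    """Return (time, user, device) for every AAA-accepted device login that has
    no bastion 'connect' for the same user and device within the preceding window."""
    brokered = [r for r in parse_log(bastion_text) if r["event"] == "connect"]
    findings = []
    for rec in parse_log(aaa_text):
        if rec["event"] != "authz" or rec.get("result") != "accept":
            continue
        covered = any(
            b["user"] == rec["user"] and b["device"] == rec["device"]
            and 0 <= (rec["ts"] - b["ts"]).total_seconds() <= window_seconds
            for b in brokered
        )
        if not covered:
            findings.append((rec["ts"].isoformat(), rec["user"], rec["device"]))
    return findings


def audit_trail(user, bastion_text, aaa_text):
    """Merged, time-ordered trail for one user: the responsibility-tracing view."""
    merged = parse_log(bastion_text) + parse_log(aaa_text)
    return sorted(
        (r["ts"].isoformat(), r["src"], r["event"], r.get("device", "-"), r.get("result", "-"))
        for r in merged if r.get("user") == user
    )
```

On the constructed data the check flags two device logins: bob, whose bastion login was rejected yet who authenticated to 10.0.0.3 a minute later, and alice's second login to 10.0.0.1 almost three hours after her only brokered session. The window should be set to the bastion's session lifetime; a longer window trades detection sensitivity for fewer false positives on long-lived sessions.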
The client connects to the bastion server in order to access the network equipment it needs to reach and to manage and control that equipment.
(V) The various network devices managed and controlled by the client.
Referring to fig. 4, the specific operation steps of the working method of the cache-password-based network equipment secure access system of the present invention are as follows:
Step 1, when the virtual terminal module of the bastion server receives a user system login connection request sent by a client, it converts and parses the request, obtains and caches the user account and password information contained in it, and then forwards the user login connection request through the AAA communication interface and the bastion communication interface of the AAA server to the authentication protocol module of the AAA server for authentication.
Step 2, after the authentication passes, the bastion server receives a network equipment operation connection request initiated by the client for the equipment it intends to manage and control, and forwards that request together with the cached user account and password to the network equipment; the network equipment then sends the IP address, user account and password associated with the operation connection request to the authentication protocol module of the AAA server for authentication.
Step 3, the authentication protocol module of the AAA server calls the user database information and authenticates the operation connection authentication request of the network equipment; if the authentication fails, step 4 is executed next, and if it succeeds, the method skips to step 5.
Step 4, it is determined whether the client initiates another operation connection request for network equipment it intends to manage and control; if yes, step 2 is executed; if not, the operation flow ends.
Step 5, after receiving the operation connection authentication success information from the AAA server, the network equipment establishes a connection with the SSH/Telnet connection module of the bastion server; the client then performs management and control operations on the network equipment through the virtual terminal module and the SSH/Telnet module in the bastion server.
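The two-stage flow described by the authentication protocol module above and by steps 1 to 5 can be made concrete with a small simulation. The following is an added example written for this page and is not the patent's own code: the class names (BastionServer, AAAServer, NetworkDevice), the session identifiers, the password storage format and the sample accounts and device addresses are all assumptions made for illustration. It shows the bastion server caching the credentials after a successful user login, the AAA server returning the user's device list, the device forwarding its own IP together with the cached account and password back to the AAA server, and the AAA server refusing an operation connection to a device that is not in the user's list even though the password is correct.

```python
"""Simulation of the cache-password, two-stage access flow (added example).

Assumptions not taken from the page: class and method names, hex session ids,
PBKDF2-based password storage in the user database, and all sample data.
"""
import hashlib
import hmac
import secrets


def _hash_pw(password: str, salt: str) -> str:
    # Assumed storage format for the user database: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000).hex()


class AAAServer:
    """Authentication protocol module plus user database of the AAA server."""

    def __init__(self, log: list):
        self.log = log            # events collected by the log analysis server
        self.users = {}           # account -> {"salt", "hash", "devices"}

    def add_user(self, account: str, password: str, devices) -> None:
        salt = secrets.token_hex(8)
        self.users[account] = {"salt": salt, "hash": _hash_pw(password, salt),
                               "devices": set(devices)}

    def _check_password(self, account: str, password: str) -> bool:
        rec = self.users.get(account)
        if rec is None:
            _hash_pw(password, "0" * 16)   # keep timing similar for unknown accounts
            return False
        return hmac.compare_digest(rec["hash"], _hash_pw(password, rec["salt"]))

    def login_auth(self, account: str, password: str):
        """Stage 1 (step 1): user system login from the bastion communication interface.
        Returns the list of devices the user may connect to, or None on refusal."""
        ok = self._check_password(account, password)
        self.log.append(("login", account, ok))
        return sorted(self.users[account]["devices"]) if ok else None

    def device_auth(self, device_ip: str, account: str, password: str) -> bool:
        """Stage 2 (step 3): operation connection authentication message from the device.
        The cached credentials are verified again and the device must be on the user's list."""
        ok = (self._check_password(account, password)
              and device_ip in self.users[account]["devices"])
        self.log.append(("device_auth", device_ip, account, ok))
        return ok


class NetworkDevice:
    """A managed device; it never stores credentials locally."""

    def __init__(self, ip: str, aaa: AAAServer):
        self.ip, self.aaa, self.connected = ip, aaa, False

    def operation_connect(self, account: str, password: str) -> bool:
        # Step 2: the device forwards its IP plus the received account/password to AAA.
        self.connected = self.aaa.device_auth(self.ip, account, password)
        return self.connected          # step 5 on success, connection cut otherwise


class BastionServer:
    """Virtual terminal module and SSH/Telnet module holding the cached password."""

    def __init__(self, aaa: AAAServer, devices, log: list):
        self.aaa, self.log = aaa, log
        self.devices = {d.ip: d for d in devices}
        self.sessions = {}        # session id -> (account, password, device list)

    def user_login(self, account: str, password: str):
        devices = self.aaa.login_auth(account, password)
        if devices is None:
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = (account, password, devices)   # step 1: cache credentials
        return sid

    def connect_device(self, sid: str, device_ip: str) -> bool:
        if sid not in self.sessions or device_ip not in self.devices:
            self.log.append(("bastion_refuse", sid, device_ip))
            return False
        account, password, _ = self.sessions[sid]
        ok = self.devices[device_ip].operation_connect(account, password)
        self.log.append(("operation", account, device_ip, ok))
        return ok


def run_demo() -> dict:
    """Builds the sample deployment (constructed data) and exercises the flow."""
    log = []
    aaa = AAAServer(log)
    aaa.add_user("alice", "pw-alice", ["10.0.0.1", "10.0.0.2"])
    devs = [NetworkDevice(ip, aaa) for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3")]
    bastion = BastionServer(aaa, devs, log)
    sid = bastion.user_login("alice", "pw-alice")
    return {
        "bad_login": bastion.user_login("alice", "wrong") is None,
        "allowed": bastion.connect_device(sid, "10.0.0.1"),
        "not_in_list": bastion.connect_device(sid, "10.0.0.3"),
        "bogus_session": bastion.connect_device("no-such-session", "10.0.0.2"),
        "third_device_connected": devs[2].connected,
        "log": log,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Every authentication decision ends up in the shared log list, which stands in for what the log analysis server collects from both servers; a device that is not on the user's list stays disconnected even though the cached password is valid, which is the authority check the user database is described as holding.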
The system and method for the secure access of network equipment have been in use on a test facility in the campus network of Beijing University of Posts and Telecommunications for a period of time; the basic outline of the test facility system is briefly described as follows:
The campus network of Beijing University of Posts and Telecommunications contains network devices from 9 manufacturers, covering more than 50 models and 1000 network devices of different types. In the implementation test, the cache-password-based network equipment secure access system was used for unified management of the passwords and logins of all network equipment in the campus network; the traditional Telnet mode was completely closed and only SSH was allowed for connecting to the network equipment. The system administrator users are mainly divided into three groups: the common user group, the privileged user group and the network management system group, each with its own corresponding management authorities. A user logs in to the bastion machine through the client and selects the network equipment to be connected and the connection mode; the AAA server then performs authentication, and only after passing authentication can the user manage and control the network equipment they are authorized to access. Moreover, the user's login log, the network device authentication log and the bastion machine operation log are all recorded in the system.
Tests carried out on the example over several months were successful and achieved the object of the invention.