CN112565203A - Centralized management platform - Google Patents

Centralized management platform

Info

Publication number: CN112565203A
Application number: CN202011298100.9A
Authority: CN (China)
Prior art keywords: node, access request, access, security device, agent
Legal status: Granted (Google notes that the listed status is an assumption and not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN112565203B (en)
Inventor: 简立明
Current assignee: Sangfor Technologies Co Ltd (Google notes that the listed assignees may be inaccurate)
Original assignee: Sangfor Technologies Co Ltd

Events:
Application filed by Sangfor Technologies Co Ltd
Priority to CN202011298100.9A
Publication of CN112565203A
Application granted
Publication of CN112565203B
Active (current legal status)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/50 Address allocation
    • H04L 61/5007 Internet protocol [IP] addresses
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

An embodiment of the invention provides a centralized management platform comprising a plurality of agent nodes and an access management node, where the security devices corresponding to any two agent nodes are different or partially different. Each agent node is configured to receive an access request sent by a security device corresponding to that agent node and to forward the access request to the access management node. The access management node is configured to receive the access request forwarded by the agent node and to determine, based on the access request, whether the security device is allowed to access the centralized management platform.

Description

Centralized management platform
Technical Field
The invention relates to the technical field of network security, in particular to a centralized management platform.
Background
In the current internet environment, where vulnerabilities are frequent, companies and organizations often need to monitor and manage network security through a variety of security devices in order to detect and prevent external illegal requests and malicious attacks and to keep the network secure.
In the related art, multiple security devices can only be managed in an independent monitoring mode; that is, centralized management of multiple security devices cannot be realized. When the number of security devices is large, this independent monitoring mode increases both the difficulty and the cost of operating and maintaining the networked system.
Disclosure of Invention
The embodiment of the invention provides a centralized management platform.
The technical solution of the embodiment of the invention is realized as follows:
the invention provides a centralized management platform comprising a plurality of agent nodes and an access management node, where the security devices corresponding to any two agent nodes are different or partially different;
each agent node is configured to receive an access request sent by a security device corresponding to that agent node and to forward the access request to the access management node;
the access management node is configured to receive the access request forwarded by the agent node and to determine, based on the access request, whether the security device is allowed to access the centralized management platform.
In some embodiments, there are a plurality of access management nodes;
correspondingly, the agent node being configured to receive an access request sent by its corresponding security device and forward the access request to the access management node specifically means:
the agent node is configured to receive the access request sent by its corresponding security device; determine, based on the access request, the Internet Protocol (IP) address and port number of the access management node that is to process the access request; and forward the access request to the access management node corresponding to the determined IP address and port number.
In some embodiments, the access request includes company identification information of the security device;
correspondingly, determining, based on the access request, the IP address and port number of the access management node that is to process the access request comprises:
determining the IP address and port number of the access management node that is to process the access request based on the company identification information in the access request.
In some embodiments, the centralized management platform further comprises an addressing service node;
the addressing service node is configured to obtain access request information from the security device and to establish a connection with the security device based on the access request information;
the addressing service node is further configured to determine, based on the access request information of the security device, agent identification information of the agent node corresponding to the security device, and to return the agent identification information to the security device, so as to instruct the security device to send its access request to the corresponding agent node based on the agent identification information.
In some embodiments, the access request information is request information for accessing a preset website.
In some embodiments, the agent identification information includes an IP and a port number.
In some embodiments, the centralized management platform further comprises a gateway node, and there are a plurality of addressing service nodes:
the gateway node is configured to receive the access request information of the security device and to forward it to the corresponding addressing service node;
correspondingly, the addressing service node being configured to obtain the access request information of the security device specifically means:
the addressing service node is configured to obtain the access request information of the security device as forwarded by the gateway node.
In some embodiments, the access request information includes company identification information of the security device;
correspondingly, the addressing service node being further configured to determine, based on the access request information of the security device, agent identification information of the agent node corresponding to the security device specifically means:
the addressing service node is further configured to:
obtain the agent identification information of the agent node corresponding to the company identification information, based on the company identification information included in the access request information of the security device.
In some embodiments, the access request includes check information for the access check;
correspondingly, the access management node being configured to receive the access request forwarded by the agent node and determine, based on the access request, whether to allow the security device to access the centralized management platform specifically means:
the access management node is configured to receive the access request forwarded by the agent node and to perform an access check based on the check information included in the access request, so as to determine whether the security device is allowed to access the centralized management platform.
In some embodiments, the centralized management platform further provides at least one of the following preset services: linkage handling, single sign-on, policy management, and Virtual Private Network (VPN) management.
An embodiment of the invention provides a centralized management platform comprising a plurality of agent nodes and an access management node, where the security devices corresponding to any two agent nodes are different or partially different; each agent node is configured to receive an access request sent by a security device corresponding to that agent node and to forward it to the access management node; the access management node is configured to receive the access request forwarded by the agent node and to determine, based on the access request, whether the security device is allowed to access the centralized management platform. The solution provided by the invention lets a security device reach the access management node through an agent node and thereby access the centralized management platform. All security devices that have accessed the platform can then be operated, maintained and monitored conveniently through the centralized management platform, which makes the operation and maintenance of security devices simple and fast, reduces operation and maintenance cost, and improves management efficiency. In addition, the invention provides that there may be multiple agent nodes and that the security devices corresponding to two agent nodes are different or partially different, which ensures that when a large number of security devices request access to the centralized management platform a certain degree of load balancing is achieved and the processing of access requests is accelerated.
Drawings
Fig. 1 is a schematic structural diagram of a centralized management platform according to an embodiment of the present invention;
Fig. 2a is a schematic structural diagram of the access framework of a security device in an embodiment of the present invention;
Fig. 2b is a flowchart illustrating the access timing sequence of the security device according to an embodiment of the present invention;
Fig. 3a is a schematic flowchart of obtaining agent node information according to an embodiment of the present invention;
Fig. 3b is a schematic flowchart of security device access through an agent node in an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As the types and number of security devices in a network system grow and the scale of their deployment and control increases, managing security devices becomes ever more complex. In the related art, multiple security devices can only be managed in a distributed, independent monitoring mode; that is, centralized management of multiple security devices cannot be realized. When the number of security devices is large, this independent monitoring mode increases the difficulty and cost of operating and maintaining the networked system and reduces management efficiency.
In view of the above technical problems, the present invention will be described in further detail with reference to the accompanying drawings and embodiments. It should be understood that the examples provided herein are merely illustrative of the present invention and are not intended to limit the present invention. The embodiments described below are intended to be some embodiments for carrying out the present invention, and not to be all embodiments for carrying out the present invention, and the technical solutions described in the present invention may be implemented in any combination without conflict.
It is to be noted that, in the present invention, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, so that a method or apparatus including a series of elements includes not only the explicitly recited elements but also other elements not explicitly listed or inherent to the method or apparatus. Without further limitation, the phrase "including a ..." does not exclude the presence of other related elements in the method or apparatus that includes the element (e.g., steps in a method or elements in an apparatus, such as part of a processor, part of a program or software, etc.).
The term "and/or" herein merely describes an association between associated objects, meaning that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the term "at least one" herein means any one of a plurality or any combination of at least two of a plurality; for example, "including at least one of A, B and C" may mean including any one or more elements selected from the group consisting of A, B and C.
For example, the centralized management platform provided by the present invention includes a series of nodes, but the centralized management platform provided by the present invention is not limited to include explicitly described nodes, and may include other nodes that need to be set for acquiring relevant information or performing processing based on information.
In some embodiments of the present invention, each node in the centralized management platform may be implemented in hardware, for example, by using a processor; or may be a software implementation. The Processor may be at least one of an Application Specific Integrated Circuit (ASIC), a Digital Signal Processor (DSP), a Digital Signal Processing Device (DSPD), a Programmable Logic Device (PLD), a Field Programmable Gate Array (FPGA), a Central Processing Unit (CPU), a controller, a microcontroller, and a microprocessor. In addition, each node may be implemented as one module, or may be implemented by being divided into a plurality of modules, which is not limited in the present invention.
Fig. 1 is a schematic structural diagram of a centralized management platform according to an embodiment of the present invention. The centralized management platform may be deployed in a cloud. As shown in Fig. 1, the centralized management platform 10 includes a plurality of agent nodes 110 (also referred to as proxy nodes) and an access management node 111, where any two agent nodes correspond to different or partially different security devices. The agent node 110 is described first.
The agent node 110 is configured to receive an access request sent by a security device corresponding to the agent node and to forward the access request to the access management node;
the access management node 111 is configured to receive the access request forwarded by the agent node and to determine, based on the access request, whether the security device is allowed to access the centralized management platform.
In one embodiment, the agent node provides service to the external security devices. The agent node may be a proxy server or another device with a proxy function, and may also be implemented in software; it is configured to receive an access request sent by a security device and forward it to the access management node. An agent node may provide proxy service to one or more security devices, and the security devices corresponding to different agent nodes may be partially the same or different.
In the embodiment of the invention, a security device protects a user network or an enterprise-level network; that is, the hardware, software and data in the network system are protected so that they are not damaged, altered or leaked for accidental or malicious reasons, the system runs continuously, reliably and normally, and network service is not interrupted.
In one embodiment, the security devices may include an Endpoint Detection and Response (EDR) platform, a firewall (AF), an Access Controller (AC), and the like.
Among these, an EDR monitors endpoints in real time and hunts for threats that have penetrated the defences. The EDR service lets users know whether and when an attacker entered the network and reconstructs the attack path when an attack occurs; it also helps users respond to and dispose of security threats promptly and efficiently. An AF uses hardware and software to place a protective barrier between the internal and external network environments, thereby blocking unsafe network traffic from reaching the computers. An AC, also called a wireless controller, is a network device responsible for managing the wireless Access Points (APs) of a wireless network within a given area; it centrally controls the wireless APs, is the core of the wireless network, and is responsible for managing all wireless APs in the network, including configuration issuing, modification of configuration parameters, intelligent radio-frequency management, access security control, and the like.
In one embodiment, there may be a plurality of access management nodes. Correspondingly, the agent node being configured to receive an access request sent by its corresponding security device and forward it to the access management node may mean that the agent node receives the access request sent by its corresponding security device; determines, based on the access request, the IP address and port number of the access management node that is to process the access request; and forwards the access request to the access management node corresponding to the determined IP address and port number. In other words, with a plurality of access management nodes, further load balancing can be achieved when there are many access requests. In the embodiment of the present invention, the access management node may be implemented with a container engine (docker), so that it is reached by its IP address and port number.
In an embodiment, before forwarding an access request sent by a security device, the agent node needs to determine the IP address and port number of the access management node corresponding to that access request; different access management nodes have different IP addresses and port numbers, and multiple access management nodes may be used to receive the access requests of different security devices.
In one embodiment, the access request includes company identification information of the security device; accordingly, determining the IP address and port number of the access management node that is to process the access request may comprise determining them based on the company identification information in the access request. In the embodiment of the invention, different companies occupy different access management nodes, and the agent node can obtain the IP address and port corresponding to the company's account information by querying a database, and then apply for access to the centralized management platform on the device's behalf. The IP address and port number corresponding to the company identification information may be stored in a remote dictionary service (redis) database.
In one embodiment, the agent node obtains the company identification information of the security device from the access request; obtains, according to the company identification information, the IP address and port number of the access management node corresponding to the security device; and then forwards the access request of the security device to that access management node based on its IP address and port number.
In one embodiment, the centralized management platform further comprises an addressing service node. The addressing service node is configured to obtain access request information from the security device and to establish a connection with the security device based on that access request information; it is further configured to determine, based on the access request information of the security device, the agent identification information of the agent node corresponding to the security device, and to return the agent identification information to the security device, so as to instruct the security device to send its access request to the corresponding agent node based on the agent identification information.
In the embodiment of the present invention, the addressing service node plays the following role. In the technical solution of the foregoing embodiment, when a security device accesses an agent node it must communicate with its corresponding agent node, which requires configuring the information (such as the IP address) of the corresponding agent node in each security device; this is inconvenient to configure. To relieve this inconvenience, an addressing service node may be added: the security device accesses the addressing service node, the addressing service node performs the query, and the security device obtains the information of its corresponding agent node. To make communication between the security device and the addressing service node as simple as possible, the IP address of the addressing service node may be configured in each security device (to keep the configuration small, the number of addressing service nodes should be small, for example only one, so that there is only one addressing service node IP address and no per-device configuration differences). Those skilled in the art will also understand that the security device may instead reach the addressing service node by accessing a preset website, for example device.sangfor.com.cn. In the embodiment of the invention, the addressing service node can provide the port number accessed by the security device, and the security device can establish a connection with the addressing service node based on the access request information.
In one embodiment, the access request information may be request information for accessing the preset website (such as accessing: device. The access request information may be transmitted over the Hypertext Transfer Protocol (HTTP) or over another type of transmission protocol, which is not limited in this embodiment of the present invention.
In one embodiment, the background of the security device issues the access request information, which may include a domain name, a port number, and the like.
In one embodiment, when the addressing service node receives the access request information of the security device, the security device may establish a connection with the addressing service node by accessing the domain name.
In the embodiment of the invention, after the security device is connected to the addressing service node, the access request information carries some parameter information, such as company account information; the addressing service node can obtain the company account information corresponding to the security device from the access request information, and then look up, based on that company account information, the agent identification information of the agent node to be accessed in the access process of the security device.
Here, the company account information may represent an identification number (ID) of the user or the business; typically, company account information is constant. The method of determining the company account information is not limited; for example, it may be determined according to a rule set by the user.
In some embodiments, the agent identification information for the security device may be looked up on the addressing service node based on the company account information.
In the embodiment of the invention, after the addressing service node obtains the company account information corresponding to the security device, it can look up, in a database on the addressing service node, the IP address and port number of the agent node corresponding to that company account information; that is, the database stores the mapping between the company account information and the IP address and port number of the agent node, and according to this mapping the IP address and port number of the agent node to be accessed during the security device's access process can be found quickly.
In an embodiment, the database may be redis or another type of database, which is not limited in this embodiment of the present invention. Related information about the security device, for example its access state, may be stored in a relational database management system (mysql).
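The two lookups described above, company identification to agent node on the addressing service node (this passage) and company identification to access management node on the agent node (the earlier embodiment, where the mapping lives in redis), are the same key/value pattern. The following Python model is an added example, not code from the patent or from Sangfor; the node classes, the in-memory dict standing in for redis, and the private-range addresses are all constructed assumptions. It also shows what happens when a request arrives with a company identification that the mapping does not contain, which the description does not spell out: the lookup fails closed and nothing is forwarded.

```python
"""Company-keyed lookups on the addressing service node and the agent node.

Added example (not the patent's or Sangfor's code). Both lookups the
description gives are "company identification -> (IP, port)" mappings; an
in-memory dict stands in for the redis database the text mentions, and all
addresses below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port number)


@dataclass
class Directory:
    """Stands in for the redis mapping: company id -> (IP, port)."""
    table: Dict[str, Endpoint] = field(default_factory=dict)

    def lookup(self, company_id: object) -> Optional[Endpoint]:
        # Missing, non-string or unknown keys yield None; callers fail closed.
        return self.table.get(company_id) if isinstance(company_id, str) else None


@dataclass
class AccessManagementNode:
    ip: str
    port: int
    received: List[dict] = field(default_factory=list)

    def handle(self, access_request: dict) -> dict:
        # The access check itself is out of scope here; just record the request.
        self.received.append(access_request)
        return {"ok": True, "handled_by": (self.ip, self.port)}


@dataclass
class ProxyNode:
    """Agent node: routes by company id to the access management node."""
    ip: str
    port: int
    managers: Directory                          # company id -> manager endpoint
    nodes: Dict[Endpoint, AccessManagementNode]  # endpoint -> reachable node

    def forward(self, access_request: dict) -> dict:
        endpoint = self.managers.lookup(access_request.get("company_id"))
        if endpoint is None or endpoint not in self.nodes:
            return {"ok": False, "error": "no access management node for company"}
        return self.nodes[endpoint].handle(access_request)


@dataclass
class AddressingServiceNode:
    """Returns the agent identification information (IP, port) for a device."""
    agents: Directory  # company id -> agent node endpoint

    def handle(self, access_request_info: dict) -> dict:
        endpoint = self.agents.lookup(access_request_info.get("company_id"))
        if endpoint is None:
            return {"ok": False, "error": "unknown company identification"}
        return {"ok": True, "agent_ip": endpoint[0], "agent_port": endpoint[1]}


def device_access_flow(addressing: AddressingServiceNode,
                       proxies: Dict[Endpoint, ProxyNode],
                       company_id: str, device_id: str) -> dict:
    """Security device side: ask the addressing node, then send to the agent."""
    info = addressing.handle({"company_id": company_id, "device_id": device_id})
    if not info["ok"]:
        return info
    proxy = proxies[(info["agent_ip"], info["agent_port"])]
    return proxy.forward({"company_id": company_id, "device_id": device_id})


def build_demo():
    """Constructed topology: two companies, two agent nodes, two managers."""
    mgr_a = AccessManagementNode("10.0.1.10", 8001)
    mgr_b = AccessManagementNode("10.0.1.11", 8002)
    nodes = {(m.ip, m.port): m for m in (mgr_a, mgr_b)}
    managers = Directory({"companyA": (mgr_a.ip, mgr_a.port),
                          "companyB": (mgr_b.ip, mgr_b.port)})
    proxy1 = ProxyNode("10.0.0.1", 7001, managers, nodes)
    proxy2 = ProxyNode("10.0.0.2", 7002, managers, nodes)
    proxies = {(p.ip, p.port): p for p in (proxy1, proxy2)}
    agents = Directory({"companyA": (proxy1.ip, proxy1.port),
                        "companyB": (proxy2.ip, proxy2.port)})
    return AddressingServiceNode(agents), proxies, mgr_a, mgr_b


if __name__ == "__main__":
    addressing, proxies, mgr_a, mgr_b = build_demo()
    print(device_access_flow(addressing, proxies, "companyA", "dev-1"))
    print(device_access_flow(addressing, proxies, "companyZ", "dev-9"))
```

In a deployment the two `Directory` instances would be two redis keyspaces, one read by the addressing service node and one by each agent node; what the model preserves is that neither node forwards anything it cannot attribute to a known company.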
In one embodiment, the centralized management platform further comprises a gateway node, and there are a plurality of addressing service nodes: the gateway node is configured to receive the access request information of the security device and to forward it to the corresponding addressing service node; correspondingly, the addressing service node being configured to obtain the access request information of the security device specifically means that it obtains the access request information of the security device as forwarded by the gateway node.
In some embodiments, the gateway node may be used to forward the access request information of each security device to an addressing service node before the security device establishes a connection with that addressing service node. The gateway node can thereby achieve a degree of load balancing.
In the embodiment of the present invention, so that the gateway device can perform load balancing, the access request information sent by the security device may further include routing information: the security device first sends the access request information to the gateway node, and because the routing information is carried in the access request information, the gateway node can send the access request information to the corresponding addressing service node according to that routing information and a forwarding policy. The gateway device may also perform load balancing based on the workload of each addressing service node; the specific load-balancing method is not limited in the present invention.
In one embodiment, the gateway node may be a hardware gateway or a software gateway; a software gateway may be implemented with the nginx (engine x) proxy server as part of the centralized management platform. The gateway node mainly performs policy-based access control such as load balancing and access limiting.
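As an added example (not the patent's or Sangfor's code, and not an nginx configuration), the following Python model of the gateway node applies the two forwarding behaviours the description names: explicit routing information in the access request information resolved through a forwarding policy, and otherwise a least-loaded choice among the addressing service nodes. The `route` field, the node names and the workload counter are assumptions. The model also treats routing information that names no known node as absent rather than failing, so a stale or malformed route falls back to balancing instead of steering a request outside the configured policy.

```python
"""Gateway node in front of several addressing service nodes.

Added example (not the patent's or Sangfor's code). The description says the
gateway forwards by routing information plus a forwarding policy, or balances
on each addressing node's workload; both are modelled here. The "route"
field, the node names and the workload counter are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass
class AddressingNode:
    name: str
    in_flight: int = 0  # requests currently being handled (workload)


class GatewayNode:
    def __init__(self, nodes: Iterable[AddressingNode],
                 forwarding_policy: Dict[str, str]) -> None:
        self.nodes: Dict[str, AddressingNode] = {n.name: n for n in nodes}
        # Forwarding policy: routing-information value -> addressing node name.
        # Entries naming a node that does not exist are dropped at construction,
        # so a policy typo cannot send requests to a node that is not there.
        self.policy = {route: name for route, name in forwarding_policy.items()
                       if name in self.nodes}

    def choose(self, access_request_info: dict) -> AddressingNode:
        route = access_request_info.get("route")
        if isinstance(route, str) and route in self.policy:
            return self.nodes[self.policy[route]]
        # No usable routing information: balance on workload, breaking ties
        # by name so the choice is deterministic.
        return min(self.nodes.values(), key=lambda n: (n.in_flight, n.name))

    def forward(self, access_request_info: dict) -> str:
        """Hands the request to an addressing node and returns its name."""
        target = self.choose(access_request_info)
        target.in_flight += 1
        return target.name

    def complete(self, node_name: str) -> None:
        """Called when the addressing node has finished with a request."""
        node = self.nodes[node_name]
        node.in_flight = max(0, node.in_flight - 1)


def build_demo() -> GatewayNode:
    """Constructed topology: three addressing nodes, one explicit route."""
    nodes = [AddressingNode("addr-1"), AddressingNode("addr-2"),
             AddressingNode("addr-3")]
    # "bogus" points at a node that does not exist and is discarded.
    return GatewayNode(nodes, {"north": "addr-2", "bogus": "addr-9"})


if __name__ == "__main__":
    gw = build_demo()
    for info in ({"route": "north"}, {}, {}, {"route": "west"}, {"route": "bogus"}):
        print(info, "->", gw.forward(info))
```

The workload counter is the model's stand-in for whatever health or connection metric a real gateway would consult; the point is the order of decisions, policy first and balancing only when the policy gives no answer.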
In one embodiment, the access request information includes company identification information of the security device; correspondingly, the addressing service node being further configured to determine, based on the access request information of the security device, the agent identification information of the agent node corresponding to the security device specifically means that the addressing service node is further configured to obtain the agent identification information of the agent node corresponding to the company identification information, based on the company identification information included in the access request information of the security device.
In one embodiment, the agent identification information includes the IP address and port number of the agent node to be accessed during the security device's access process. The agent nodes accessed by different security devices may be the same or different.
In one embodiment, for example, security device 1 accesses agent node 1 during its access process, while security device 2 may access agent node 1 or agent node 2 during its access process.
In the embodiment of the invention, after the addressing service node finds the agent identification information of the agent node corresponding to the security device, the agent identification information is returned to the security device through the gateway node.
In one embodiment, once security devices have accessed the centralized management platform, the platform may manage a plurality of them; these may be all of the security devices in the network system or only some of them, which is not limited in this embodiment of the present invention.
In the embodiment of the invention, the security device sends its access request directly to the agent node according to the agent identification information returned by the addressing service node, and the agent node forwards the access request sent by the security device directly to the access management node through the corresponding routing policy.
In one embodiment, when the centralized management platform receives an access request from a security device, the device is admitted through the device access service; the access mode of the security device may be access by account number, password and an authentication mode.
In one embodiment, the access request includes check information for the access check; correspondingly, the access management node being configured to receive the access request forwarded by the agent node and determine, based on the access request, whether to allow the security device to access the centralized management platform specifically means that the access management node receives the access request forwarded by the agent node and performs an access check based on the check information included in the access request, so as to determine whether the security device is allowed to access the centralized management platform.
In some embodiments, after receiving an access request forwarded by an agent node, the access management node performs access verification on the check information included in the access request to obtain a verification result, and admits the security device to the centralized management platform based on that verification result.
In the embodiment of the invention, when the security device accesses the agent node, it sends the check information to the centralized management platform; the device access service of the centralized management platform verifies the check information to obtain a verification result, and the verification result is returned to the security device through the agent node; the security device then learns from the verification result whether it is admitted to the centralized management platform.
If the result is affirmative, the access request of the security device is legitimate and the security device is admitted to the centralized management platform; if the result is negative, the access request of the security device is not legitimate and the security device is not admitted to the centralized management platform.
In one embodiment, after completing access, the security device may communicate with other services of the centralized management platform, thereby implementing centralized management of each security device. The centralized management platform may also provide policy management, VPN management, linkage handling, single sign-on and similar services.
In the embodiment of the invention, each service in the centralized management platform may be implemented with an application container engine (Docker); different containers may be assigned to different company accounts, and when the proxy node needs to communicate with a given container it obtains the IP and port number of the container corresponding to the company account by querying the database, so that the corresponding service is provided to the security device. Here, the IP and port number of the container corresponding to the company account may be stored in Redis.
If the centralized management platform receives a service request for policy configuration of an accessed security device, policy configuration of the security device is performed through the policy management service; for example, policies for devices such as EDR, AF or AC are configured through the policy management service and then issued to them.
After the VPN management service is performed for a security device that has accessed the centralized management platform, the VPN configuration is issued to the Secure Sockets Layer Virtual Private Network (SSL VPN) device.
Linkage handling allows the centralized management platform to call the network interface of the security device directly and to carry out the corresponding network maintenance operation on the security device side. For example, a hacker's IP can be blocked by linking the IP blocking function of the centralized management platform with a firewall device. The file isolation function can directly isolate, trust or ignore virus files detected on a user terminal; for example, the EDR uploads information on a detected virus file, and the centralized management platform can then check and kill the virus file and issue the handling result to security devices such as the EDR.
The single sign-on function allows an administrator to click the relevant information of a security device on the web side and jump directly, without re-entering a password, to the management page of that security device in order to maintain and manage it. That is, the management page of the corresponding security device on the centralized management platform can be viewed conveniently through the web side, for example the management page of a security device such as an AF, EDR or AC.
The centralized management platform can preset management operations directly through its own operation interface, such as the World Wide Web (Web) side or the applet side.
Therefore, by connecting all security devices in the network system to the centralized management platform, all security devices can be conveniently managed, operated and maintained, the operating status of the security devices can be monitored, and operation and maintenance costs are reduced.
The embodiment of the invention provides a centralized management platform comprising a plurality of proxy nodes and an access management node, wherein the security devices corresponding to any two proxy nodes are different or partially different; the proxy node is configured to receive an access request sent by a security device corresponding to it and to forward the access request to the access management node; and the access management node is configured to receive the access request forwarded by the proxy node and to determine, based on the access request, whether to allow the security device to access the centralized management platform. The scheme provided by the invention allows a security device to reach the access management node through a proxy node and thereby access the centralized management platform. All accessed security devices can then be conveniently managed, operated and maintained through the centralized management platform and their operating status monitored, which makes operation and maintenance of the security devices simple and fast, reduces operation and maintenance costs and improves management efficiency. In addition, the invention specifies that there may be a plurality of proxy nodes and that the security devices corresponding to any two proxy nodes are different or partially different, which ensures that when a large number of security devices request access to the centralized management platform a certain degree of load balancing is achieved and processing of the access requests is accelerated.
In order to further embody the object of the present invention, the above embodiments of the present invention are further illustrated.
Fig. 2a is a schematic structural diagram of an access framework for a security device in an embodiment of the present invention. As shown in Fig. 2a, the access framework mainly includes: device, apigw, devaddr, database, proxy and devmanager; wherein device represents the security device described above; apigw denotes the gateway node; devaddr represents the addressing service node; database represents the database on the addressing service node, including Redis and MySQL; proxy represents the proxy node described above; and devmanager represents the centralized management platform described above.
The processing flow for connecting the device to the devmanager can be implemented by the above steps 100-102 and is not repeated here.
Fig. 2b is a schematic flowchart of the security device access timing sequence in an embodiment of the present invention. As shown in Fig. 2b, and in combination with the security device access framework of Fig. 2a, the security device access flow includes:
Step A1: The device sends access request information to the apigw.
Step A2: The apigw forwards the access request information to the devaddr, and the devaddr accesses the database according to the access request information.
Step A3: The proxy node information that the security device needs for access is looked up in the database, and the proxy node information found is sent to the apigw.
Step A4: The apigw returns the proxy node information to the device.
Step A5: The device sends the access request directly to the proxy according to the proxy node information returned by the devaddr.
Step A6: The proxy forwards the access request directly to the devmanager according to the corresponding routing policy. When the device accesses the proxy, it sends the check information to the devmanager.
Step A7: The devmanager checks the check information to obtain a check result and sends the check result to the proxy.
Step A8: The proxy returns the check result to the device, and the device determines from the check result whether it has been admitted to the devmanager.
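The access flow of steps A1 to A8, together with the company-identification routing of claims 2, 3 and 8 and the check on the check information described earlier, as an added example in Python that is not part of the patent: the addressing service, proxy and access management node are reduced to in-process functions, the Redis/MySQL lookups are replaced by constructed dictionaries, and the check information is modelled as an account and password verified against a salted PBKDF2 digest with a constant-time comparison. The IP addresses, ports, company identifiers, account names and passwords are all constructed for the example, and the credential scheme is an assumption, since the patent only states that access may use an account, a password and an authentication mode.

```python
"""Added example (not from the patent): simulated device -> apigw/devaddr -> proxy
-> devmanager access flow. All endpoints, identifiers, credentials and the
PBKDF2-based check are assumptions made for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP, port): the "proxy identification information" of claim 6

# Constructed lookup tables standing in for the addressing service's database
# (company identification -> proxy node) and for the proxy's Redis mapping
# (company account -> devmanager container IP and port).
PROXY_BY_COMPANY: Dict[str, Endpoint] = {
    "company-a": ("10.0.1.11", 8443),   # proxy1 (assumed address)
    "company-b": ("10.0.1.12", 8443),   # proxy2 (assumed address)
}
DEVMANAGER_BY_COMPANY: Dict[str, Endpoint] = {
    "company-a": ("10.0.2.21", 9000),   # devmanager1 container (assumed address)
    "company-b": ("10.0.2.22", 9000),   # devmanager2 container (assumed address)
}


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Slow, salted key derivation so a leaked credential store is not trivially reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass(frozen=True)
class Credential:
    salt: bytes
    digest: bytes


# Constructed credential store of the access management node (devmanager).
_SALT = secrets.token_bytes(16)
CREDENTIALS: Dict[Tuple[str, str], Credential] = {
    ("company-a", "device1"): Credential(_SALT, _pbkdf2("correct horse battery", _SALT)),
    ("company-b", "device3"): Credential(_SALT, _pbkdf2("staple-xkcd", _SALT)),
}


def devaddr_lookup(company_id: str) -> Optional[Endpoint]:
    """Addressing service node (steps A2-A3): company identification -> proxy (IP, port)."""
    return PROXY_BY_COMPANY.get(company_id)


def proxy_route(company_id: str) -> Optional[Endpoint]:
    """Proxy node (step A6, claims 2-3): company identification -> devmanager (IP, port)."""
    return DEVMANAGER_BY_COMPANY.get(company_id)


def devmanager_check(company_id: str, account: str, password: str) -> bool:
    """Access management node (step A7): verify the check information of the request."""
    cred = CREDENTIALS.get((company_id, account))
    if cred is None:
        # Do the same amount of work for unknown accounts so that account existence
        # cannot be inferred from response timing.
        _pbkdf2(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_pbkdf2(password, cred.salt), cred.digest)


def device_access(company_id: str, account: str, password: str) -> dict:
    """Steps A1-A8 end to end. Returns the route taken and whether access was granted;
    on failure, 'reason' names the stage at which the flow stopped."""
    proxy = devaddr_lookup(company_id)                      # A1-A4, via apigw
    if proxy is None:
        return {"proxy": None, "devmanager": None, "granted": False, "reason": "no proxy"}
    devmanager = proxy_route(company_id)                    # A5-A6
    if devmanager is None:
        return {"proxy": proxy, "devmanager": None, "granted": False, "reason": "no devmanager"}
    granted = devmanager_check(company_id, account, password)  # A7-A8
    return {"proxy": proxy, "devmanager": devmanager, "granted": granted,
            "reason": "ok" if granted else "check failed"}


if __name__ == "__main__":
    print(device_access("company-a", "device1", "correct horse battery"))
    print(device_access("company-a", "device1", "wrong password"))
    print(device_access("company-c", "device9", "anything"))
```

A device whose company identification is unknown to the addressing service never reaches a proxy, and a device whose check information fails is told so only via the check result relayed by the proxy; the devmanager endpoints themselves are never returned to the device, which is the property that makes the proxy layer useful as an access boundary.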
Fig. 3a is a schematic flowchart of acquiring proxy node information in an embodiment of the present invention. As shown in Fig. 3a, the devices include device1, device2, device3 and device4, which represent different security devices. The apigw is mainly responsible for forwarding the access request information during device access; the device connects to the addressing service devaddr by accessing the domain name in the access request information and obtains the proxy node information it needs for access, namely the IP and port number of the proxy. The devaddr can specify different proxy node information for different devices during the access process and return it to the devices; the device then accesses the proxy according to the proxy node information, and the proxy forwards the access request to the devmanager to complete the access of the device.
Fig. 3b is a schematic flowchart of the process of a security device accessing through a proxy node in an embodiment of the present invention. As shown in Fig. 3b, the devices include device1, device2, device3 and device4; the proxies include proxy1 and proxy2, which represent different proxy nodes; and the devmanagers include devmanager1, devmanager2 and devmanager3, which represent different centralized management platforms. In the figure, device1 and device2 access proxy1 according to their proxy node information, and proxy1 forwards the access requests of device1 and device2 to devmanager1 and devmanager2; device3 and device4 access proxy2 according to their proxy node information, and proxy2 forwards the access requests of device3 and device4 to devmanager2 and devmanager3.
It can be seen that, by accessing different proxy nodes, different security devices may reach the same or different centralized management platforms, so that all accessed security devices can be managed more flexibly through the centralized management platform.
The foregoing description of the various embodiments is intended to highlight the differences between the embodiments; the same or similar parts may be referred to each other and are not repeated here for brevity.
The methods disclosed in the method embodiments provided by the present invention can be combined arbitrarily without conflict to obtain a new method embodiment.
Features disclosed in each product embodiment provided by the invention can be combined arbitrarily to obtain a new product embodiment without conflict.
The features disclosed in the method or device embodiments of the invention may be combined in any combination to arrive at new method or device embodiments without conflict.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable security device access apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable security device access apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable security device access device to cause a series of operational steps to be performed on the computer or other programmable device to produce a computer implemented process such that the instructions which execute on the computer or other programmable device provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.

Claims (10)

1. A centralized management platform, characterized by comprising a plurality of proxy nodes and an access management node, wherein the security devices corresponding to any two proxy nodes are different or partially different;
the proxy node is configured to receive an access request sent by a security device corresponding to the proxy node and to forward the access request to the access management node;
the access management node is configured to receive the access request forwarded by the proxy node and to determine, based on the access request, whether to allow the security device to access the centralized management platform.
2. The centralized management platform of claim 1, wherein there are a plurality of access management nodes;
correspondingly, the proxy node being configured to receive an access request sent by the security device corresponding to the proxy node and to forward the access request to the access management node specifically comprises:
the proxy node is configured to receive the access request sent by the security device corresponding to the proxy node; determine, based on the access request, the Internet Protocol (IP) address and port number of the access management node that is to process the access request; and forward the access request to the access management node corresponding to the determined IP address and port number.
3. The centralized management platform of claim 2, wherein the access request includes company identification information of the security device;
correspondingly, determining, based on the access request, the IP address and port number of the access management node that is to process the access request comprises:
determining the IP address and port number of the access management node that is to process the access request based on the company identification information in the access request.
4. The centralized management platform of claim 1, wherein the centralized management platform further comprises an addressing service node;
the addressing service node is configured to acquire access request information of the security device and to establish a connection with the security device based on the access request information;
the addressing service node is further configured to determine, based on the access request information of the security device, proxy identification information of the proxy node corresponding to the security device, and to return the proxy identification information to the security device so as to instruct the security device to perform the operation of "sending the access request to the corresponding proxy node based on the proxy identification information".
5. The centralized management platform of claim 4, wherein the access request information is request information for accessing a preset website.
6. The centralized management platform of claim 4, wherein the proxy identification information comprises an IP address and a port number.
7. The centralized management platform of claim 4, wherein the centralized management platform further comprises a gateway node, and there are a plurality of addressing service nodes;
the gateway node is configured to receive the access request information of the security device and to forward the access request information to the corresponding addressing service node;
correspondingly, the addressing service node being configured to acquire access request information of the security device specifically comprises:
the addressing service node is configured to acquire the access request information of the security device forwarded by the gateway node.
8. The centralized management platform of claim 4, wherein the access request information includes company identification information of the security device;
correspondingly, the addressing service node being further configured to determine, based on the access request information of the security device, proxy identification information of the proxy node corresponding to the security device specifically comprises:
the addressing service node is further configured to:
obtain proxy identification information of the proxy node corresponding to the company identification information included in the access request information of the security device.
9. The centralized management platform of any one of claims 1 to 8, wherein the access request includes check information for access checking;
correspondingly, the access management node being configured to receive the access request forwarded by the proxy node and to determine, based on the access request, whether to allow the security device to access the centralized management platform specifically comprises:
the access management node is configured to receive the access request forwarded by the proxy node and to perform an access check based on the check information included in the access request, so as to determine whether to allow the security device to access the centralized management platform.
10. The centralized management platform of any one of claims 1 to 8, wherein the centralized management platform further provides at least one of the following preset services: linkage handling, single sign-on, policy management, and virtual private network (VPN) management.
CN202011298100.9A 2020-11-19 2020-11-19 Centralized management platform Active CN112565203B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011298100.9A CN112565203B (en) 2020-11-19 2020-11-19 Centralized management platform


Publications (2)

Publication Number Publication Date
CN112565203A true CN112565203A (en) 2021-03-26
CN112565203B CN112565203B (en) 2023-02-03

Family

ID=75043922


Country Status (1)

Country Link
CN (1) CN112565203B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115622813A (en) * 2022-12-19 2023-01-17 深圳市永达电子信息股份有限公司 Remote access management method, system and electronic equipment

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160148498A1 (en) * 2014-11-24 2016-05-26 Siemens Industry, Inc. Systems and methods for addressably programming a notification safety device
CN106027358A (en) * 2016-07-12 2016-10-12 上海厚泽信息技术有限公司 Network security management and control system for accessing social video networks to video private network
CN106685999A (en) * 2017-02-27 2017-05-17 郑州云海信息技术有限公司 Safety protection method for virtual machine, system and safety device
CN110138586A (en) * 2019-04-04 2019-08-16 平安科技(深圳)有限公司 Block chain node administration method, electronic device, system and readable storage medium storing program for executing
CN111262746A (en) * 2020-03-04 2020-06-09 深信服科技股份有限公司 Equipment opening deployment system and method
CN111277635A (en) * 2020-01-14 2020-06-12 深圳市网心科技有限公司 Method, equipment, device and computer medium for accessing external node to block chain
CN111343254A (en) * 2020-02-17 2020-06-26 天津卓朗科技发展有限公司 Client connection method and device and electronic equipment
CN111371739A (en) * 2020-02-14 2020-07-03 重庆邮电大学 Internet of things data access control method based on block chain technology



Also Published As

Publication number Publication date
CN112565203B (en) 2023-02-03

Similar Documents

Publication Publication Date Title
US7360242B2 (en) Personal firewall with location detection
US9723019B1 (en) Infected endpoint containment using aggregated security status information
EP1591868B1 (en) Method and apparatus for providing network security based on device security status
US7325248B2 (en) Personal firewall with location dependent functionality
CN113228585B (en) Network security system with feedback loop based enhanced traffic analysis
US10944721B2 (en) Methods and systems for efficient cyber protections of mobile devices
US8230505B1 (en) Method for cooperative intrusion prevention through collaborative inference
CA2814261C (en) Systems and methods for managing a network
US20120255022A1 (en) Systems and methods for determining vulnerability to session stealing
EP3297248B1 (en) System and method for generating rules for attack detection feedback system
KR100843537B1 (en) Security checking program for communication between networks
US11956279B2 (en) Cyber-security in heterogeneous networks
EP3545451B1 (en) Automatic forwarding of access requests and responses thereto
US11671405B2 (en) Dynamic filter generation and distribution within computer networks
IL211823A (en) Methods and systems for securing and protecting repositories and directories
JP2001313640A (en) Method and system for deciding access type in communication network and recording medium
CN112565203B (en) Centralized management platform
USRE48043E1 (en) System, method and computer program product for sending unwanted activity information to a central system
CN108040124B (en) Method and device for controlling mobile terminal application based on DNS-Over-HTTP protocol
JP7383145B2 (en) Network service processing methods, systems and gateway devices
CN112217770B (en) Security detection method, security detection device, computer equipment and storage medium
Amin et al. Edge-computing with graph computation: A novel mechanism to handle network intrusion and address spoofing in SDN
US11870815B2 (en) Security of network traffic in a containerized computing environment
WO2023194701A1 (en) Security of network traffic in a containerized computing environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant