CN113114643A - Operation and maintenance access method and system of operation and maintenance auditing system - Google Patents

Info

Publication number: CN113114643A
Authority: CN (China)
Prior art keywords: maintenance, session, module, connection, data packet
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Application number: CN202110342047.6A
Other languages: Chinese (zh)
Other versions: CN113114643B (en)
Inventors: 黄代平, 范渊, 吴永越, 郑学新, 刘韬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Chengdu DBAPPSecurity Co Ltd
Original Assignee: Chengdu DBAPPSecurity Co Ltd
Events: application filed by Chengdu DBAPPSecurity Co Ltd; priority to CN202110342047.6A; publication of CN113114643A; application granted; publication of CN113114643B; legal status active; anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 30/00 Commerce
    • G06Q 30/06 Buying, selling or leasing transactions
    • G06Q 30/0601 Electronic shopping [e-shopping]
    • G06Q 30/0609 Buyer or seller confidence or verification
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/50 Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L 41/5077 Network service management, e.g. ensuring proper service fulfilment according to agreements wherein the managed service relates to simple transport services, i.e. providing only network infrastructure
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/141 Setup of application sessions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/146 Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding

Abstract

The invention discloses an operation and maintenance access method and system for an operation and maintenance auditing system. The system comprises an operation and maintenance auditing server, which contains a TunServ module, and an operation and maintenance client, which contains a TunCli module. After an operation and maintenance request is received, an operation and maintenance session is established and a session ID is generated; a session channel identified by the session ID is established among the target asset, the operation and maintenance server and the operation and maintenance client; the session channel is mapped to a local port on the user's machine; and the user connects to that local port with the corresponding operation and maintenance tool in order to communicate with the target asset and complete the operation and maintenance work. The invention realizes access control for operation and maintenance access without depending on a specific application protocol, provides better operation and maintenance access compatibility, improves the efficiency with which developers implement operation and maintenance access, and improves the user experience.

Description

Operation and maintenance access method and system of operation and maintenance auditing system
Technical Field
The invention belongs to the technical field of operation and maintenance auditing, and particularly relates to an operation and maintenance access method and system of an operation and maintenance auditing system.
Background
Providing operation and maintenance access to application resources of many kinds (SSH, RDP, the various database services, and so on), together with functions such as access authorization and access control for those resources, is the most basic and most central function of an operation and maintenance auditing system. The system must therefore authenticate and authorize the network connections of applications: when a user connects to a target asset with some operation and maintenance tool, the auditing system must identify the user identity of the connection initiator (the client) and check whether that identity has the right to access the target asset.
For an operation and maintenance auditing system, an operation and maintenance request initiated by a user contains at least the following information: user name, user password, asset IP, asset port and asset account. The general flow is as follows:
1. The user initiates a connection to (an application port of) the operation and maintenance auditing server through an operation and maintenance tool and sends the information above;
2. The server first verifies the user's identity with the user name and user password to ensure that the request is legitimate; it then looks up whether a target asset uniquely identified by the specified asset IP, asset port and asset account exists, and checks whether the user has access to that target asset (as configured by the operation and maintenance administrator);
3. If authentication and authorization pass, the server connects directly to the target asset and begins forwarding the communication data between the operation and maintenance tool and the target asset until the operation and maintenance work is complete.
This approach has a serious drawback: the information above must be carried by the application protocol itself. Developers therefore have to study each specific application protocol and its corresponding operation and maintenance tools in advance to determine whether, and how, the additional information can be carried in that protocol under those tools. Each application protocol is implemented differently internally, and the same protocol may not be expressed consistently by different operation and maintenance tools, so developers must research and adapt to every protocol and every tool, which increases the workload of system development and maintenance. Even when operation and maintenance access is achieved this way, the user's experience with the tool is affected. Without changing the user's network environment, there are two kinds of solution: port forwarding and tunneling.
Port forwarding: after the operation and maintenance auditing server receives an operation and maintenance request from the operation and maintenance client and completes the authority check and session creation, it opens a temporary port directly on the server; once the user connects to that server port with the corresponding operation and maintenance tool, the system forwards the data received on the port straight to the target asset to complete the operation and maintenance flow. This scheme completes operation and maintenance access without a tunnel, but it cannot be applied to an operation and maintenance auditing system because it introduces the following defects:
1. The port should only be accessible to the designated authorized user, but in practice anyone (including an unauthenticated user) can reach the target asset through it while impersonating the authorized user, so it is not secure.
2. To prevent malicious port scanning, an operation and maintenance administrator usually configures a firewall that exposes only a limited set of fixed ports externally; in that case the port temporarily opened by the operation and maintenance server is unreachable for the user, and the operation and maintenance work cannot be completed.
3. The number of listening ports available to a single server is limited (about 60,000 at most), so when too many operation and maintenance requests are in progress at the same time the available ports are exhausted and further requests cannot proceed.
Tunneling: the authentication and authorization that the operation and maintenance auditing system applies to the network connection are placed in a tunnel protocol, the tunnel is mapped to a local port, and the operation and maintenance tool then connects to that port, which achieves operation and maintenance access. How authentication and authorization are implemented for the tunnel differs between tunneling protocol implementations. A common SSH tunnel maps the forwarded port to the user's local machine through the tunnel's forward proxy, which avoids the defects of the direct port-forwarding scheme. However, an SSH tunnel is not the best solution for an operation and maintenance auditing system, because an SSH tunnel addresses its target by network address (IP) and port (PORT), whereas in an operation and maintenance auditing system IP and PORT alone are not sufficient to uniquely identify the target asset. The object of the present invention therefore cannot be achieved directly with SSH tunnels.
Given the defects of these schemes, the invention provides a universal and secure method of providing operation and maintenance access capability in an operation and maintenance auditing system, so that operation and maintenance access can be completed without depending on a specific application protocol.
Disclosure of Invention
The invention aims to provide an operation and maintenance access method of an operation and maintenance auditing system, which can complete operation and maintenance access without depending on a specific application protocol.
The invention also aims to provide an operation and maintenance access system of the operation and maintenance auditing system, a session channel is established among the target asset, the operation and maintenance server and the operation and maintenance client by using the session ID as an identifier through the TunServ module and the TunCli module, and a message processed by a tunnel protocol in the session channel contains the session ID so as to uniquely determine the target asset.
The invention is mainly realized by the following technical scheme: an operation and maintenance access method of an operation and maintenance auditing system comprises the steps of establishing an operation and maintenance session after receiving an operation and maintenance request, generating a session ID, establishing a session channel among a target asset, an operation and maintenance server and an operation and maintenance client by taking the session ID as an identifier, mapping the session channel to a local port of a user, connecting the local port by the user through a corresponding operation and maintenance tool, communicating with the target asset, and completing operation and maintenance.
In order to better implement the invention, the method mainly comprises the following steps:
step S100: the operation and maintenance client initiates an operation and maintenance request for an asset to the operation and maintenance auditing server; the server receives the request, establishes an operation and maintenance session if authentication and authorization pass, and returns a session ID to the operation and maintenance client;
step S200: after receiving the session ID, the operation and maintenance client creates a session channel instance associated with the session ID through the TunCli module, listens on a temporarily allocated local port, starts the corresponding operation and maintenance tool, and connects the tool to the listening local port to start operation and maintenance;
step S300: after receiving an original message sent by the operation and maintenance tool, the TunCli module of the operation and maintenance client encapsulates the message into a data packet whose header contains the operation and maintenance session ID or a connection ID, and sends the packet to the TunServ module of the operation and maintenance audit server;
step S400: after the TunServ module of the operation and maintenance audit server receives the encapsulated data packet, it obtains the session ID or connection ID and looks up the operation and maintenance session associated with it; it then takes the asset information from the session and forwards the original message contained in the packet to the asset, and the asset's replies are returned to the operation and maintenance tool along the same path.
In order to better implement the present invention, further, the operation and maintenance request in step S100 includes asset ID, asset IP, asset port, and asset account information that can uniquely determine the asset; and after receiving the operation and maintenance request, the server searches whether the specified assets exist or not and checks whether the user has the right to access the corresponding target assets or not.
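Step S100 in working form, as an added Python example that is not part of the patent: an in-memory audit server authenticates the user, resolves the asset from the full tuple (asset ID, IP, port, account) rather than from IP and port alone, checks the administrator-configured grant, and only then mints an unpredictable session ID. The class and function names (AuditServer, Asset, handle_request, make_demo_server), the PBKDF2 password check and the sample users, assets and grants are all constructed assumptions. Note the design choice that the client only learns "ok" or "denied" while the precise reason is written to the audit log, so a caller cannot probe which assets exist.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    """One managed resource; (ip, port, account) together identify it."""
    asset_id: str
    ip: str
    port: int
    account: str


@dataclass
class Session:
    session_id: str
    user: str
    asset: Asset
    connection_ids: set = field(default_factory=set)  # filled in by the tunnel later


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a modest iteration count keeps the example fast; a real deployment
    # would use a far higher count or a dedicated password hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class AuditServer:
    def __init__(self, users, assets, acl):
        self._users = users      # user name -> (salt, password hash)
        self._assets = assets    # asset_id -> Asset
        self._acl = acl          # user name -> set of asset_ids granted by the O&M administrator
        self.sessions = {}       # session_id -> Session
        self.audit_log = []      # (user, asset_id, outcome)

    def _authenticate(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(hash_password(password, salt), digest)

    def handle_request(self, user, password, asset_id, ip, port, account):
        """Step S100: authenticate, resolve the asset, authorize, create a session."""
        if not self._authenticate(user, password):
            return self._deny(user, asset_id, "authentication failed")
        asset = self._assets.get(asset_id)
        # All four identifiers must agree with the registered asset: IP and port
        # alone are not enough when several accounts exist on one host.
        if asset is None or (asset.ip, asset.port, asset.account) != (ip, port, account):
            return self._deny(user, asset_id, "asset not found")
        if asset_id not in self._acl.get(user, set()):
            return self._deny(user, asset_id, "user not authorized for asset")
        session_id = secrets.token_hex(16)  # unpredictable session identifier
        self.sessions[session_id] = Session(session_id, user, asset)
        self.audit_log.append((user, asset_id, "session created"))
        return {"ok": True, "session_id": session_id}

    def _deny(self, user, asset_id, reason):
        self.audit_log.append((user, asset_id, reason))  # detail stays server-side
        return {"ok": False}

    def end_session(self, session_id):
        self.sessions.pop(session_id, None)


def make_demo_server():
    """Constructed sample data: two users, two accounts on one host, one grant."""
    salt = b"constructed-salt"
    users = {
        "alice": (salt, hash_password("alice-pw", salt)),
        "bob": (salt, hash_password("bob-pw", salt)),
    }
    assets = {
        "db-01-ro": Asset("db-01-ro", "10.0.0.5", 3306, "app_ro"),
        "db-01-rw": Asset("db-01-rw", "10.0.0.5", 3306, "app_rw"),
    }
    acl = {"alice": {"db-01-ro"}}
    return AuditServer(users, assets, acl)
```

With the sample data, `make_demo_server().handle_request("alice", "alice-pw", "db-01-ro", "10.0.0.5", 3306, "app_ro")` succeeds, while the same call with the `app_rw` account, with `bob`, or with a wrong password is denied; the two assets share IP and port, which is exactly the case the patent says an SSH tunnel cannot distinguish.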
In order to better implement the present invention, further, the session ID in step S100 is a session unique identifier, the connection ID in step S300 is associated with the session ID, and one session ID includes a plurality of connection IDs; the connection ID in step S300 is the unique identifier of the current session connection.
In order to better implement the present invention, further, in step S300, when the TunCli module receives the original data from the operation and maintenance tool, the message is further encapsulated into a data packet, the original message is used as a payload of the data packet, the data header includes a connection ID or a session ID, and the data packet is sent to the TunServ module.
In order to better implement the present invention, further, in step S400, when the TunServ module receives the original data from the target asset, the message is further encapsulated into a data packet, the original message is used as a payload of the data packet, the data header includes a connection ID or a session ID, and the data packet is sent to the TunCli module.
In order to better implement the present invention, further, the communication steps of the session channel are as follows:
step A7: when the TunCli module receives original data from the operation and maintenance tool, it encapsulates the message into a data packet, with the original message as the packet payload and a header containing a connection ID or session ID, and sends the packet to the TunServ module;
step A8: the TunServ module receives the packet, finds the connection to the target asset by the connection ID, and sends the packet payload to the target asset;
step A9: when the TunServ module receives original data from the target asset, it encapsulates the message into a data packet, with the original message as the packet payload and a header containing a connection ID or session ID, and sends the packet to the TunCli module;
step A10: the TunCli module receives the packet, finds the connection to the operation and maintenance tool by the connection ID, and sends the packet payload to the tool; at this point the first exchange between the operation and maintenance tool and the target asset is complete, and subsequent communication repeats steps A7 to A10.
In order to better implement the invention, further, the method also comprises the following steps:
step A1: the TunCli module is connected with the TunServ module, completes identity authentication through multiple times of communication and enters a ready state;
step A2: after the operation and maintenance client receives the session ID, the TunCli module starts to monitor a temporarily allocated local port A, and the port A is associated with the session ID;
step A3: when the operation and maintenance tool connects to the local port, the TunCli module sends a connect packet to the TunServ module, and the connect packet contains the session ID;
step A4: the TunServ module receives the connect packet, obtains the operation and maintenance session through the session ID, and further obtains the asset information of the target asset;
step A5: the TunServ module is connected with the target asset, if the connection is successful, a connection ID is generated, the connection ID is unique at least under the same session ID, and an accept packet is returned to the TunCli module to indicate that the connection of the operation and maintenance client is accepted;
step A6: after the TunCli module receives the accept packet, it marks the connection as successful and starts receiving data from the operation and maintenance tool's connection.
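The session channel of steps A1 to A10, as an added Python example that is not the patent's own code: a small framing layer (type, session ID, connection ID, payload length, payload) and in-memory TunServ and TunCli classes that exchange connect, accept, reject and data packets. The packet layout, the names (encode, decode, TunServ, TunCli, FakeAsset, run_demo), the echo-style asset and the constructed session IDs are all assumptions; the authenticated TunCli-to-TunServ link of step A1 is taken as already established and is not modelled. The example goes slightly beyond the text in showing what the design buys a defender: a data packet carrying a session ID the server never issued is rejected, a connection ID is only honoured together with its session ID, and once the session is ended (function 6 in the list above) neither existing connections nor new ones can pass through the port.

```python
import struct

# Packet types and header of the constructed framing (not the patent's wire format):
# type (1 byte), session ID (16 raw bytes), connection ID (uint32), payload length (uint32)
CONNECT, ACCEPT, REJECT, DATA = 1, 2, 3, 4
HEADER = struct.Struct("!B16sII")
MAX_PAYLOAD = 65535

def encode(ptype, session_id, conn_id, payload=b""):
    """Wrap an original message as the payload of a tunnel packet (steps A7/A9)."""
    if len(session_id) != 16 or len(payload) > MAX_PAYLOAD:
        raise ValueError("bad session ID or payload too large")
    return HEADER.pack(ptype, session_id, conn_id, len(payload)) + payload

def decode(buf):
    """Parse one packet; refuse truncated or over-long input rather than guessing."""
    if len(buf) < HEADER.size:
        raise ValueError("short header")
    ptype, sid, cid, length = HEADER.unpack_from(buf)
    if len(buf) != HEADER.size + length:
        raise ValueError("length field does not match packet size")
    return ptype, sid, cid, buf[HEADER.size:]

class FakeAsset:
    """Stands in for the target asset's TCP service; it upper-cases what it receives."""
    def connect(self):
        return True
    def exchange(self, data):
        return data.upper()

class TunServ:
    """Server side. `sessions` is what step S100 produced: session ID -> asset."""
    def __init__(self, sessions):
        self.sessions = dict(sessions)
        self.conns = {}       # (session ID, connection ID) -> asset connection
        self._next_cid = {}   # per-session counter: IDs are unique within a session

    def handle(self, buf):
        ptype, sid, cid, payload = decode(buf)
        if ptype == CONNECT:                        # steps A4/A5
            asset = self.sessions.get(sid)          # unknown or ended session: reject
            if asset is None or not asset.connect():
                return encode(REJECT, sid, 0)
            cid = self._next_cid.get(sid, 0) + 1
            self._next_cid[sid] = cid
            self.conns[(sid, cid)] = asset
            return encode(ACCEPT, sid, cid)
        if ptype == DATA:                           # steps A8/A9
            asset = self.conns.get((sid, cid))      # the pair must exist; cid alone is never trusted
            if asset is None:
                return encode(REJECT, sid, cid)
            return encode(DATA, sid, cid, asset.exchange(payload))
        return encode(REJECT, sid, cid)

    def end_session(self, sid):
        """Once the session ends, nothing more can pass through its port."""
        self.sessions.pop(sid, None)
        for key in [k for k in self.conns if k[0] == sid]:
            del self.conns[key]

class TunCli:
    """Client side for one session; one connection ID per local tool connection."""
    def __init__(self, server, session_id):
        self.server = server   # stands in for the authenticated TunCli-to-TunServ link of step A1
        self.sid = session_id
        self.tool_conns = {}   # local tool connection -> connection ID

    def tool_connected(self, tool):                 # steps A3/A6
        ptype, _, cid, _ = decode(self.server.handle(encode(CONNECT, self.sid, 0)))
        if ptype != ACCEPT:
            return False
        self.tool_conns[tool] = cid
        return True

    def tool_data(self, tool, data):                # steps A7/A10
        cid = self.tool_conns[tool]
        ptype, _, rcid, payload = decode(self.server.handle(encode(DATA, self.sid, cid, data)))
        return payload if ptype == DATA and rcid == cid else None

def run_demo():
    """Drive one session end to end with constructed IDs and collect the observations."""
    sid_ok, sid_forged = bytes(range(16)), bytes(16)
    srv = TunServ({sid_ok: FakeAsset()})
    cli = TunCli(srv, sid_ok)
    out = {}
    out["accepted"] = cli.tool_connected("tool-1")
    out["reply"] = cli.tool_data("tool-1", b"select 1")
    out["second_accepted"] = cli.tool_connected("tool-2")
    out["conn_ids"] = sorted(cli.tool_conns.values())
    # a packet carrying a session ID the server never issued is rejected
    out["forged_type"] = decode(srv.handle(encode(DATA, sid_forged, 1, b"x")))[0]
    srv.end_session(sid_ok)
    out["after_end"] = cli.tool_data("tool-1", b"again")
    out["reconnect_after_end"] = cli.tool_connected("tool-3")
    return out
```

`run_demo()` returns the observations of one session: both tool connections are accepted with connection IDs 1 and 2, the echo reply for `b"select 1"` comes back as `b"SELECT 1"`, the forged packet draws a REJECT, and after `end_session` both the existing connection and a new connect attempt fail. The per-session counter keeps connection IDs unique within a session, which is all the patent requires (step A5); the server's lookup key is always the pair, so the same counter value in another session cannot be confused with it.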
The invention is mainly realized by the following technical scheme: an operation and maintenance access system of an operation and maintenance audit system comprises an operation and maintenance audit server, an operation and maintenance client, an operation and maintenance tool and a target asset, wherein the operation and maintenance audit server comprises a TunServ module; the operation and maintenance client comprises a TunCli module; the TunCli module is used for creating a session channel instance associated with the session ID and monitoring a local port; the TunServ module is used for obtaining a session ID or a connection ID and searching for an operation and maintenance session related to the session ID or the connection ID; a session channel is established among the target asset, the operation and maintenance server and the operation and maintenance client by using the session ID as the identifier through the TunServ module and the TunCli module, the session channel is mapped to a local port of a user, and the user can communicate with the target asset by connecting the local port by using a corresponding operation and maintenance tool to complete operation and maintenance.
To give a more intuitive picture of the scheme, consider the following analogy: when a user wishes to trade with a specified market, we (the operation and maintenance auditing system) set up a virtual market (a listening port) directly in the user's home (the user's local PC), and this virtual market is associated with a particular trade order (the operation and maintenance session) by an order number (the session ID). Once the user trades with this virtual market, we put the transaction data into a package, write a manifest number on it (the connection ID, which is associated with the session ID; one session ID may contain multiple connection IDs), and send the package to headquarters (the operation and maintenance audit server). On receiving the package, headquarters looks up the order number from the manifest number, finds the real market (the target asset information), and delivers the contents of the package directly to the real market. A virtual channel is thus formed between the virtual market, headquarters and the real market, and the user can trade directly with the virtual market at home.
The functions that can be realized by the invention are as follows:
1. providing operation and maintenance access function to any application based on TCP protocol;
2. the functions of authentication and authorization of operation and maintenance connection are realized;
3. information used to uniquely determine the target asset includes, but is not limited to, address (IP), PORT (PORT), asset account;
4. for each operation and maintenance session, the operation and maintenance client monitors a local port;
5. connecting this local port to access the remote asset using an operation and maintenance tool (e.g., a database tool);
6. after the operation and maintenance session is finished, the remote asset can no longer be accessed through the port.
The invention has the beneficial effects that:
the invention realizes the access control of the operation and maintenance access without depending on a specific application protocol, provides better operation and maintenance access compatibility, better improves the development efficiency of developers on the operation and maintenance access, and improves the user experience.
Drawings
Fig. 1 is a schematic block diagram of the present invention.
Detailed Description
Example 1:
an operation and maintenance access method of an operation and maintenance auditing system comprises the steps of establishing an operation and maintenance session after receiving an operation and maintenance request, generating a session ID, establishing a session channel among a target asset, an operation and maintenance server and an operation and maintenance client by taking the session ID as an identifier, mapping the session channel to a local port of a user, connecting the local port by the user through a corresponding operation and maintenance tool, communicating with the target asset, and completing operation and maintenance.
The invention realizes the access control of the operation and maintenance access without depending on a specific application protocol, provides better operation and maintenance access compatibility, better improves the development efficiency of developers on the operation and maintenance access, and improves the user experience.
Example 2:
the embodiment is optimized on the basis of embodiment 1, and mainly comprises the following steps:
step S100: initiating an operation and maintenance request for assets to an operation and maintenance auditing server through an operation and maintenance client, receiving the operation and maintenance request by the server, establishing an operation and maintenance session if authentication and authorization pass, and returning a session ID to the operation and maintenance client;
step S200: after receiving the session ID, the operation and maintenance client creates a session channel instance associated with the session ID through the TunCli module, monitors a temporarily allocated local port, starts a corresponding operation and maintenance tool, and connects the monitored local port and starts operation and maintenance;
step S300: after receiving an original message sent by the operation and maintenance tool, the TunCli module of the operation and maintenance client encapsulates the message into a data packet whose header contains the operation and maintenance session ID or a connection ID, and sends the packet to the TunServ module of the operation and maintenance audit server;
step S400: after the operation and maintenance auditing server receives the encapsulated data packet, the TunServ module arranged in the server obtains the session ID or connection ID and looks up the operation and maintenance session associated with the session ID; it then takes the asset information from the session and forwards the original message contained in the packet to the asset, and the asset's replies are returned to the operation and maintenance tool along the same path.
Other parts of this embodiment are the same as embodiment 1, and thus are not described again.
Example 3:
in this embodiment, optimization is performed on the basis of embodiment 2, and the operation and maintenance request in step S100 includes asset ID, asset IP, asset port, and asset account information that can uniquely determine an asset; and after receiving the operation and maintenance request, the server searches whether the specified assets exist or not and checks whether the user has the right to access the corresponding target assets or not.
Further, the session ID in step S100 is a session unique identifier, the connection ID in step S300 is associated with the session ID, and one session ID includes a plurality of connection IDs; in step S300, the operation and maintenance session ID or the connection ID is the unique identifier of the current session connection.
Further, in step S300, when the TunCli module receives the original data from the operation and maintenance tool, the message is further encapsulated into a data packet, the original message is used as a load of the data packet, the data header includes a connection ID or a session ID, and the data packet is sent to the TunServ module.
Further, in step S400, when the TunServ module receives the original data from the target asset, the message is further encapsulated into a data packet, the original message is used as a payload of the data packet, the data header includes a connection ID or a session ID, and the data packet is sent to the TunCli module.
The functions that can be realized by the invention are as follows:
providing operation and maintenance access function to any application based on TCP protocol;
the functions of authentication and authorization of operation and maintenance connection are realized;
information used to uniquely determine the target asset includes, but is not limited to, address (IP), PORT (PORT), asset account;
for each operation and maintenance session, the operation and maintenance client monitors a local port;
connecting this local port to access the remote asset using an operation and maintenance tool (e.g., a database tool);
after the operation and maintenance session is finished, the remote asset can no longer be accessed through the port.
The other parts of this embodiment are the same as those of embodiment 2, and thus are not described again.
Example 4:
an operation and maintenance access method of an operation and maintenance auditing system is shown in fig. 1, and mainly comprises the following steps:
1. A user initiates an operation and maintenance request for an asset A to the operation and maintenance auditing server (WebServ) through an operation and maintenance client (which may be a Web client or a local client); the request contains a set of information capable of uniquely determining asset A (for example asset ID, asset IP, asset port and asset account, depending on the specific asset type). The server receives the request, looks up whether the designated asset exists, checks whether the user has the right to access the target asset (as configured by the operation and maintenance administrator), then creates the operation and maintenance session and returns a session ID (the session's unique identifier) to the operation and maintenance client.
2. After receiving the session ID, the operation and maintenance client creates a session channel instance associated with the session ID and listens on local port A (the module responsible for this is TunCli), and then starts the corresponding operation and maintenance tool A.
3. Operation and maintenance tool A connects to local port A, on which TunCli is listening, and starts operation and maintenance.
4. After receiving an original message sent by tool A, the TunCli module encapsulates it into a data packet whose header contains the operation and maintenance session ID or a connection ID (the unique identifier of the current session connection), and then sends the encapsulated packet to the operation and maintenance audit server.
5. After receiving the data packet encapsulated by the client, the operation and maintenance server obtains the session ID (or connection ID) and looks up the operation and maintenance session associated with it (the module responsible for this is TunServ).
6. The TunServ module takes the information of asset A from the operation and maintenance session and forwards the original message contained in the packet to asset A. Replies from asset A are returned to the operation and maintenance tool along the same path, and the whole operation and maintenance communication link is open.
The functions realised by the invention are as follows:
operation and maintenance access to any application based on the TCP protocol;
authentication and authorization of operation and maintenance connections;
the information used to uniquely identify the target asset includes, but is not limited to, address (IP), port and asset account;
for each operation and maintenance session, the operation and maintenance client listens on a local port;
an operation and maintenance tool (for example a database tool) connects to this local port to access the remote asset;
after the operation and maintenance session ends, the remote asset can no longer be accessed through that port.
The invention implements access control for operation and maintenance access without depending on any specific application protocol, which gives better compatibility, improves developers' efficiency in implementing operation and maintenance access, and improves the user experience.
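The server-side part of step 1 and of the functions listed above (asset lookup, authorization check, session creation, and revocation of access once the session ends) can be modelled as follows. This is an added illustration, not code from the patent or from the applicant; the asset fields, user names and access list are constructed sample data, and the `AuditServer` class and its method names are this example's own assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Information that uniquely identifies a target asset (sample fields)."""
    asset_id: str
    ip: str
    port: int
    account: str


@dataclass
class Session:
    session_id: str
    user: str
    asset: Asset
    active: bool = True


class AuthorizationError(Exception):
    """Raised when the user has no right to the requested asset."""


class AuditServer:
    """WebServ side of step 1: asset lookup, authorization check, session lifecycle."""

    def __init__(self, assets, acl):
        self._assets = {a.asset_id: a for a in assets}
        # user -> set of asset IDs the O&M administrator has granted
        self._acl = acl
        self._sessions = {}

    def can_access(self, user, asset_id):
        """True only if the asset exists and the administrator granted it to the user."""
        return asset_id in self._assets and asset_id in self._acl.get(user, set())

    def create_session(self, user, asset_id):
        """Create an O&M session and return its session ID, or raise."""
        if asset_id not in self._assets:
            raise KeyError(f"unknown asset {asset_id}")
        if not self.can_access(user, asset_id):
            raise AuthorizationError(f"{user} is not allowed to access {asset_id}")
        # Unpredictable session unique identifier, so another client cannot guess it.
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = Session(session_id, user, self._assets[asset_id])
        return session_id

    def lookup_asset(self, session_id):
        """Return the asset behind an active session, or None once the session has ended."""
        s = self._sessions.get(session_id)
        return s.asset if s is not None and s.active else None

    def end_session(self, session_id):
        """Ending the session revokes all further access through its local port."""
        s = self._sessions.get(session_id)
        if s is not None:
            s.active = False


def build_demo_server():
    """Constructed sample inventory and ACL for a stand-alone run."""
    assets = [Asset("db-01", "10.0.0.5", 3306, "ops_ro"),
              Asset("host-02", "10.0.0.9", 22, "admin")]
    acl = {"alice": {"db-01"}, "bob": {"host-02"}}
    return AuditServer(assets, acl)


if __name__ == "__main__":
    srv = build_demo_server()
    sid = srv.create_session("alice", "db-01")
    print("session", sid, "->", srv.lookup_asset(sid))
    srv.end_session(sid)
    print("after end:", srv.lookup_asset(sid))
```

The point of `lookup_asset` returning `None` for an ended session is that the TunServ lookup in step 5 fails closed: a data packet that still carries an old session ID is dropped rather than forwarded.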
Example 5:
This embodiment builds on any of embodiments 1 to 4 and explains the working principle of the session channel used in the steps above. The session channel communicates as follows:
1. TunCli connects to TunServ, completes identity authentication over several round trips, and enters the ready state.
2. After the operation and maintenance client receives the session ID (step 2 of the operation and maintenance scheme), TunCli starts listening on a temporarily allocated local port A, which is associated with the session ID.
3. When the operation and maintenance tool connects to local port A, TunCli sends a connect packet to TunServ over the connection established in step 1; the connect packet carries the session ID.
4. TunServ receives the connect packet, looks up the operation and maintenance session by session ID, and from it obtains the target asset's information (asset IP, asset port, asset account and so on).
5. TunServ connects to the target asset; if the connection succeeds, it generates a connection ID (unique at least within the same session ID) and returns an accept packet to TunCli, indicating that the operation and maintenance client's connection has been accepted.
6. After TunCli receives the accept packet, it marks the connection as established and starts reading data from the operation and maintenance tool's connection.
7. When TunCli receives original data from the operation and maintenance tool, it encapsulates the message into a data packet (the original message is the packet's payload) whose header carries the connection ID (and possibly the session ID), and sends the packet to TunServ.
8. TunServ receives the data packet, finds the connection to the target asset by connection ID, and sends the packet's payload to the target asset.
9. When TunServ receives original data from the target asset, it encapsulates the message into a data packet (the original message is the packet's payload) whose header carries the connection ID (and possibly the session ID), and sends the packet to TunCli.
10. TunCli receives the data packet, finds the connection to the operation and maintenance tool by connection ID, and sends the packet's payload to the tool. This completes the first exchange between the operation and maintenance tool and the target asset; subsequent exchanges repeat steps 7 to 10.
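The session channel steps above fix only what the packets carry (a session ID, a connection ID, and the original message as payload), not their byte layout. The following added example, which is not the patent's or the applicant's code, assumes a wire header of a 1-byte packet type, a 16-byte session ID, a 4-byte connection ID and a 4-byte payload length, and shows the encapsulation of steps 7 and 9 together with the TunServ handling of steps 4, 5 and 8. The target asset is a constructed in-memory echo function standing in for the TCP link; `TunServ.handle`, `encode` and `decode` are names chosen for this example.

```python
import struct
from collections import namedtuple

# Packet types used on the TunCli <-> TunServ channel (assumed values).
CONNECT, ACCEPT, DATA = 1, 2, 3
# Assumed wire header: type (1 byte), session ID (16 bytes),
# connection ID (4 bytes), payload length (4 bytes), all big-endian.
HEADER = struct.Struct("!B16sII")

Packet = namedtuple("Packet", "ptype session_id conn_id payload")


def encode(ptype, session_id, conn_id, payload=b""):
    """Encapsulate an original message as the payload of a tunnel packet (steps 7 and 9)."""
    if len(session_id) != 16:
        raise ValueError("session ID must be exactly 16 bytes")
    return HEADER.pack(ptype, session_id, conn_id, len(payload)) + payload


def decode(buf):
    """Parse one tunnel packet, rejecting truncated frames instead of guessing."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated header")
    ptype, sid, cid, length = HEADER.unpack_from(buf)
    body = buf[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated payload")
    return Packet(ptype, sid, cid, bytes(body))


class TunServ:
    """Server end of the session channel (steps 4, 5, 8 and 9 above)."""

    def __init__(self, sessions):
        # session_id -> callable standing in for the TCP link to that session's asset
        self._sessions = sessions
        # conn_id -> (session_id, asset link); connection IDs are allocated per server here
        self._conns = {}
        self._next_conn = 1

    def handle(self, buf):
        """Process one packet from TunCli; return the packet to send back, or None to drop it."""
        pkt = decode(buf)
        if pkt.ptype == CONNECT:
            asset = self._sessions.get(pkt.session_id)
            if asset is None:
                return None  # unknown or ended session: no accept packet is sent
            cid = self._next_conn
            self._next_conn += 1
            self._conns[cid] = (pkt.session_id, asset)
            return encode(ACCEPT, pkt.session_id, cid)
        if pkt.ptype == DATA:
            entry = self._conns.get(pkt.conn_id)
            # The connection must exist and belong to the session named in the
            # header, so one session cannot reuse another session's connection ID.
            if entry is None or entry[0] != pkt.session_id:
                return None
            reply = entry[1](pkt.payload)  # forward the payload to the asset (step 8)
            return encode(DATA, pkt.session_id, pkt.conn_id, reply)  # step 9
        return None


def echo_asset(message):
    """Constructed stand-in for a target asset: it simply echoes what it receives."""
    return b"asset-reply:" + message


if __name__ == "__main__":
    sid = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed session ID
    serv = TunServ({sid: echo_asset})
    acc = decode(serv.handle(encode(CONNECT, sid, 0)))
    data = decode(serv.handle(encode(DATA, sid, acc.conn_id, b"SELECT 1")))
    print(acc.ptype == ACCEPT, data.payload)
```

Checking that the connection ID belongs to the session ID in the same header is the detail worth keeping even when the header is changed: the patent allows the connection ID to be unique only within a session, so a lookup by connection ID alone would let a packet from one session reach another session's asset link.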
Other parts of this embodiment are the same as any of embodiments 1 to 4, and thus are not described again.
Example 6:
An operation and maintenance access system of an operation and maintenance auditing system, shown in fig. 1, comprises an operation and maintenance auditing server, an operation and maintenance client, an operation and maintenance tool and a target asset. The operation and maintenance auditing server contains a TunServ module and the operation and maintenance client contains a TunCli module. The TunCli module creates a session channel instance associated with the session ID and listens on a local port; the TunServ module reads the session ID or connection ID from each packet and looks up the associated operation and maintenance session. Through the TunServ and TunCli modules, a session channel identified by the session ID is established among the target asset, the operation and maintenance server and the operation and maintenance client; the channel is mapped to a local port on the user's machine, and the user connects to that port with the corresponding operation and maintenance tool to communicate with the target asset and carry out operation and maintenance.
Using the session ID as the identifier, the invention establishes a session channel among the target asset, the operation and maintenance server and the operation and maintenance client through the TunServ and TunCli modules; every message handled by the tunnel protocol within the channel carries the session ID, which uniquely determines the target asset. The invention thus implements access control for operation and maintenance access without depending on any specific application protocol, which gives better compatibility, improves developers' efficiency in implementing operation and maintenance access, and improves the user experience.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and all simple modifications and equivalent variations of the above embodiments according to the technical spirit of the present invention are included in the scope of the present invention.

Claims (9)

1. An operation and maintenance access method of an operation and maintenance auditing system is characterized in that an operation and maintenance session is created after an operation and maintenance request is received, a session ID is generated, a session channel is established among a target asset, an operation and maintenance server and an operation and maintenance client by taking the session ID as an identifier and is mapped to a local port of a user, and the user uses a corresponding operation and maintenance tool to connect the local port, so that the user can communicate with the target asset to complete operation and maintenance.
2. The operation and maintenance access method of the operation and maintenance auditing system according to claim 1, characterized in that the method mainly comprises the following steps:
step S100: initiating an operation and maintenance request for assets to an operation and maintenance auditing server through an operation and maintenance client, receiving the operation and maintenance request by the server, establishing an operation and maintenance session if authentication and authorization pass, and returning a session ID to the operation and maintenance client;
step S200: after receiving the session ID, the operation and maintenance client creates a session channel instance associated with the session ID through the TunCli module, listens on a temporarily allocated local port, and starts the corresponding operation and maintenance tool, which connects to that local port and begins operation and maintenance;
step S300: after receiving an original message sent by an operation and maintenance tool, the TunCli module of the operation and maintenance client further encapsulates the message into a data packet, wherein the encapsulated data packet comprises an operation and maintenance session ID or a connection ID, and then sends the data packet to a TunServ module of an operation and maintenance audit server;
step S400: after the TunServ module of the operation and maintenance audit server receives the encapsulated data packet, acquiring a session ID or a connection ID, and searching an operation and maintenance session associated with the session ID or the connection ID; and acquiring the information of the assets from the operation and maintenance session, and forwarding the original messages contained in the data packets to the assets, wherein the messages of the assets are also returned to the operation and maintenance tool according to the original path.
3. The operation and maintenance access method of the operation and maintenance auditing system according to claim 2, characterized in that the operation and maintenance request in step S100 includes asset ID, asset IP, asset port and asset account information that uniquely determines the asset; and after receiving the operation and maintenance request, the server checks whether the specified asset exists and whether the user has the right to access the corresponding target asset.
4. The operation and maintenance access method of an operation and maintenance auditing system according to claim 2, where in step S100 the session ID is a session unique identifier, and in step S300 the connection ID is associated with the session ID, and a session ID contains several connection IDs; the connection ID in step S300 is the unique identifier of the current session connection.
5. The operation and maintenance access method of the operation and maintenance auditing system according to claim 2, wherein in step S300, when the TunCli module receives original data from the operation and maintenance tool, the message is encapsulated into a data packet with the original message as its payload, the data header includes a connection ID or a session ID, and the data packet is sent to the TunServ module.
6. The operation and maintenance access method of the operation and maintenance auditing system according to claim 2 or 5, characterized in that in step S400, when the TunServ module receives original data from the target asset, the message is encapsulated into a data packet with the original message as its payload, the data header contains a connection ID or a session ID, and the data packet is sent to the TunCli module.
7. The operation and maintenance access method of the operation and maintenance auditing system according to claim 2, characterized in that the communication steps of the session channel are as follows:
step A7: when the TunCli module receives original data from the operation and maintenance tool, it encapsulates the message into a data packet with the original message as its payload, the data header comprising a connection ID or a session ID, and sends the data packet to the TunServ module;
step A8: the TunServ module receives the data packet, obtains the connection to the target asset through the connection ID, and sends the payload of the data packet to the target asset;
step A9: when the TunServ module receives original data from the target asset, it encapsulates the message into a data packet with the original message as its payload, the data header comprising a connection ID or a session ID, and sends the data packet to the TunCli module;
step A10: the TunCli module receives the data packet, obtains the connection to the operation and maintenance tool through the connection ID, and sends the payload of the data packet to the operation and maintenance tool; at this point the first communication between the operation and maintenance tool and the target asset is completed, and subsequent communication repeats steps A7 to A10.
8. The operation and maintenance access method of the operation and maintenance auditing system according to claim 7, characterized by further comprising the steps of:
step A1: the TunCli module is connected with the TunServ module, completes identity authentication through multiple times of communication and enters a ready state;
step A2: after the operation and maintenance client receives the session ID, the TunCli module starts listening on a temporarily allocated local port A, and port A is associated with the session ID;
step A3: when the operation and maintenance tool connects to the local port, the TunCli module sends a connect packet to the TunServ module, the connect packet comprising the session ID;
step A4: the TunServ module receives the connect packet, obtains the operation and maintenance session through the session ID, and further obtains the asset information of the target asset;
step A5: the TunServ module is connected with the target asset, if the connection is successful, a connection ID is generated, the connection ID is unique at least under the same session ID, and an accept packet is returned to the TunCli module to indicate that the connection of the operation and maintenance client is accepted;
step A6: after the TunCli module receives the accept packet, it marks the connection as successful and starts receiving data from the operation and maintenance tool's connection.
9. An operation and maintenance access system of an operation and maintenance audit system, characterized by comprising an operation and maintenance audit server, an operation and maintenance client, an operation and maintenance tool and a target asset, wherein the operation and maintenance audit server comprises a TunServ module; the operation and maintenance client comprises a TunCli module; the TunCli module is used for creating a session channel instance associated with the session ID and listening on a local port; the TunServ module is used for obtaining a session ID or a connection ID and searching for the operation and maintenance session related to the session ID or the connection ID; a session channel is established among the target asset, the operation and maintenance server and the operation and maintenance client by using the session ID as the identifier through the TunServ module and the TunCli module, the session channel is mapped to a local port of the user, and the user communicates with the target asset by connecting to the local port with the corresponding operation and maintenance tool to complete operation and maintenance.
CN202110342047.6A 2021-03-30 2021-03-30 Operation and maintenance access method and system of operation and maintenance auditing system Active CN113114643B (en)
Publications (2)

Publication Number Publication Date
CN113114643A true CN113114643A (en) 2021-07-13
CN113114643B CN113114643B (en) 2022-03-29