CN114050959A - Remote security management method and device based on SNMP - Google Patents

Remote security management method and device based on SNMP

Info

Publication number
CN114050959A
Authority
CN
China
Prior art keywords
management
trap
snmp
message
port
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111202047.2A
Other languages
Chinese (zh)
Inventor
孙睿
刘毅枫
马晓光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xian Chaoyue Shentai Information Technology Co Ltd
Original Assignee
Xian Chaoyue Shentai Information Technology Co Ltd
Priority date
2021-10-15
Filing date
2021-10-15
Publication date
2022-02-15
Application filed by Xian Chaoyue Shentai Information Technology Co Ltd
Priority to CN202111202047.2A
Publication of CN114050959A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/02 Standardisation; Integration
    • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H04L41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration

Abstract

The invention relates to an SNMP-based remote security management method and device. The method establishes a communication channel with the agent side and performs authority verification with the agent side over that channel, so that the management station completes remote login management of the managed device and remote login over the SNMP protocol is achieved; it establishes a communication channel with the management side and performs authority verification with the management side over that channel, so that the management station can manage the managed device remotely; after the first authority verification of the management side succeeds, it generates a Trap port corresponding to that management side and notifies the management side of the information on the Trap port; when a Trap message needs to be reported to the management side, the Trap message is sent to that Trap port. The SNMP-based remote security management method and device resolve the tension between the extensibility that remote login requires and the relative stability of the MIB, and provide reliable security without degrading the working efficiency of the simple network management system.

Description

Remote security management method and device based on SNMP
Technical Field
The invention relates to the technical field of communication network management, in particular to a remote security management method and device based on SNMP.
Background
SNMP (Simple Network Management Protocol) was developed in the late nineteen-eighties and is the most widely used network management protocol in communication systems; it aims to simplify the management of network devices and the collection of data in large networks. Because SNMP works well, network hardware vendors add SNMP support to nearly every device; in a communication system, for example, configuration management of base station equipment is also performed over SNMP. A simple network management system (a network management system using SNMP) has two roles: the SNMP management (Manager) side and the SNMP agent (Agent) side. The SNMP agent side (hereinafter, the agent side) is the part of a network device that implements the SNMP functions. The agent side receives read and write request messages from the SNMP management side (hereinafter, the management side) on User Datagram Protocol (UDP) port 161, and the management side receives event notification messages from the agent side on UDP port 162.
The SNMP protocol has been published in three versions: SNMPv1, SNMPv2 and SNMPv3.
SNMPv1 was the first version released, but because of its many defects and shortcomings it has by now been replaced by the most widely used version, SNMPv2.
SNMPv2 is an enhanced version of SNMPv1, adding alarms, bulk data retrieval, communication between management sides and so on. However, SNMPv2 (in practice the community-based SNMPv2c) still has shortcomings: it supports neither encryption nor authorization, and it provides only a simple authentication by means of the community name carried in the SNMP message, which functions like a password. The agent side checks the value of the community name field in the SNMP message and accepts and processes the message when the value matches the preset value. Following the SNMP specification, most network products ship with the read-only community name set to "public" and the read-write community name set to "private", and in many cases the network administrator never changes these values. The community name, as the only means of SNMP authentication, is in fact the weak link of SNMPv2: a management side can often gain access to a large number of devices using the well-known defaults "public" or "private", or an empty community name. Moreover, the community name embedded in the SNMP message is transmitted in cleartext on the network, so once it has been captured with sniffing software the source IP address can be spoofed and malicious damage done to the network device. It follows that SNMPv2 does not provide reliable security.
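The cleartext weakness described above is easy to see on the wire: the community name is the second field of every SNMPv1/v2c message, so a few lines of BER parsing recover it from a captured datagram. The following is an added example and not code from the patent; the two datagrams are constructed by hand for the demonstration (an SNMPv2c GetRequest for sysDescr.0 with the default community "public", and the leading fields of an SNMPv3 message), and `DEFAULT_COMMUNITIES` is the audit list a scanner would carry.

```python
"""Pull the version and community string out of a captured SNMPv1/v2c
datagram, the way a sniffer on the management network would.

Added example; not code from the patent. The two datagrams are
constructed by hand for this demonstration (no real device traffic):
one SNMPv2c GetRequest for sysDescr.0 with the default community
"public", and one SNMPv3 message head (msgVersion and msgGlobalData
only, which is all this parser looks at before stopping).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_COMMUNITIES = {"public", "private", ""}   # vendor defaults and the empty name

CAPTURED_V2C = bytes.fromhex(
    "30 26 02 01 01 04 06 70 75 62 6c 69 63 "          # SEQUENCE, version=1 (v2c), community "public"
    "a0 19 02 01 01 02 01 00 02 01 00 "                 # GetRequest, request-id=1, no error
    "30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00"   # varbind list: sysDescr.0 = NULL
)
CAPTURED_V3_HEAD = bytes.fromhex(
    "30 13 02 01 03 "                                   # SEQUENCE, version=3
    "30 0e 02 01 01 02 03 00 ff e3 04 01 03 02 01 03"   # msgGlobalData: id, maxSize, flags=authPriv, USM
)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER TLV at buf[pos]; returns (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


@dataclass
class SnmpHeader:
    version: int                 # 0 = SNMPv1, 1 = SNMPv2c, 3 = SNMPv3
    community: Optional[str]     # None for SNMPv3, which carries no community name
    pdu_tag: Optional[int]       # 0xA0 GetRequest, 0xA3 SetRequest, 0xA7 SNMPv2-Trap, ...


def parse_snmp_header(datagram: bytes) -> SnmpHeader:
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    tag, ver, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("msgVersion must be an INTEGER")
    version = int.from_bytes(ver, "big")
    if version == 3:
        return SnmpHeader(3, None, None)                # USM fields follow; no community to steal
    tag, community, pos = read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("community must be an OCTET STRING")
    pdu_tag, _, _ = read_tlv(msg, pos)
    return SnmpHeader(version, community.decode("latin-1"), pdu_tag)


def audit(datagram: bytes) -> str:
    """One-line verdict a scanner or IDS rule would produce for the datagram."""
    h = parse_snmp_header(datagram)
    if h.version == 3:
        return "v3: community not exposed on the wire"
    name = {0: "v1", 1: "v2c"}.get(h.version, f"v{h.version}")
    if h.community in DEFAULT_COMMUNITIES:
        return f"{name}: DEFAULT/EMPTY community {h.community!r} in cleartext"
    return f"{name}: community {h.community!r} in cleartext"


if __name__ == "__main__":
    print(audit(CAPTURED_V2C))
    print(audit(CAPTURED_V3_HEAD))
```

Once the community name is known, any host that can reach UDP/161 with a spoofed source address can issue SetRequests with it, which is why a read-write community on a v1/v2c device is equivalent to an unauthenticated management interface.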
SNMPv3 uses a user-based security model (USM) to provide security. To protect management traffic, SNMPv3 encrypts data with the Data Encryption Standard (DES) algorithm. In addition, SNMPv3 can authenticate the identity of a node using keyed digests based on the Message-Digest Algorithm 5 (MD5) and the Secure Hash Algorithm (SHA). With SNMPv3, when several management applications run on the same workstation each must bind its own Trap port, but the default Trap port is 162 and a port can be bound by only one application. To work around this, a unified background service (Server) process usually listens on port 162 and distributes the received alarm messages to the corresponding management application. Although SNMPv3 improves security, the large number of security-related Trap messages seriously affects the working efficiency of the simple network management system: when the agent side reports security-related alarm messages to the management side at a high rate, many alarm messages queue on port 162, and because the background service process can only take the Trap messages out one by one for distribution, the working efficiency of the simple network management system inevitably suffers, and congestion and packet loss can even occur. Thus, although SNMPv3 improves security, it affects the operating efficiency of the simple network management system.
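The MD5/SHA authentication mentioned above is the USM of RFC 3414: a password is stretched into a key, the key is localized to the authoritative engine, and each message carries a 12-byte HMAC computed with the parameter field itself zeroed. The block below is an added example and not code from the patent; it uses the RFC 3414 Appendix A.3 test vectors (password "maplesyrup", engine ID `00..02`), and the "message" it signs is a constructed byte string with an assumed 8-byte header rather than a real SNMPv3 PDU.

```python
"""SNMPv3 USM key derivation and message authentication, as described in
RFC 3414 (password_to_key in Appendix A.2, HMAC-MD5-96 / HMAC-SHA-96).

Added example; not code from the patent. The password "maplesyrup" and
the 12-byte engine ID are the RFC 3414 Appendix A.3 test vectors; the
message authenticated in demo() is a constructed byte string, not a
real SNMPv3 PDU.
"""
import hashlib
import hmac

ENGINE_ID = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3 sample engine ID
AUTH_PARAM_LEN = 12                                      # HMAC-96: digest truncated to 96 bits


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: hash of the password repeated to exactly 1,048,576 bytes (RFC 3414 A.2)."""
    if not password:
        raise ValueError("empty password")
    total = 1_048_576
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): ties the key to one authoritative engine,
    so a key stolen from one device does not open the others."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_parameters(kul: bytes, algo: str, msg_with_zeroed_params: bytes) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message computed with the
    parameter field set to 12 zero bytes, truncated to 12 bytes."""
    return hmac.new(kul, msg_with_zeroed_params, algo).digest()[:AUTH_PARAM_LEN]


def _zero_field(msg: bytes, offset: int) -> bytes:
    return msg[:offset] + b"\x00" * AUTH_PARAM_LEN + msg[offset + AUTH_PARAM_LEN:]


def sign_message(kul: bytes, algo: str, msg: bytes, param_offset: int) -> bytes:
    """Sender side: fill in msgAuthenticationParameters at param_offset."""
    zeroed = _zero_field(msg, param_offset)
    tag = auth_parameters(kul, algo, zeroed)
    return zeroed[:param_offset] + tag + zeroed[param_offset + AUTH_PARAM_LEN:]


def verify_message(kul: bytes, algo: str, msg: bytes, param_offset: int) -> bool:
    """Receiver side: extract the tag, re-zero the field, recompute, compare in constant time."""
    received = msg[param_offset:param_offset + AUTH_PARAM_LEN]
    expected = auth_parameters(kul, algo, _zero_field(msg, param_offset))
    return hmac.compare_digest(received, expected)


def demo() -> dict:
    """Derive the RFC 3414 sample keys, then sign and verify a constructed message."""
    kul_md5 = localize_key(password_to_key(b"maplesyrup", "md5"), ENGINE_ID, "md5")
    kul_sha = localize_key(password_to_key(b"maplesyrup", "sha1"), ENGINE_ID, "sha1")
    # Constructed stand-in for an SNMPv3 message: an assumed 8-byte header, the
    # 12-byte authentication parameter field at offset 8, then a fake scoped PDU.
    template = b"HDR-v3\x00\x00" + b"\x00" * AUTH_PARAM_LEN + b"scopedPDU:coldStart"
    signed = sign_message(kul_sha, "sha1", template, 8)
    tampered = signed[:-1] + b"!"                         # flip the last byte of the PDU
    return {
        "kul_md5": kul_md5.hex(),
        "kul_sha": kul_sha.hex(),
        "genuine_ok": verify_message(kul_sha, "sha1", signed, 8),
        "tampered_ok": verify_message(kul_sha, "sha1", tampered, 8),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two practical caveats: MD5-based authentication and DES privacy are the original RFC 3414 protocols and are kept here because the text discusses them, but deployments should prefer SHA-based authentication and the AES privacy protocol added in RFC 3826; and the HMAC only authenticates, it does not stop a flood of valid Traps, which is the efficiency problem the rest of this section describes.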
Based on the above situation, the invention provides a remote security management method and device based on SNMP.
Disclosure of Invention
In order to make up for the defects of the prior art, the invention provides a simple and efficient remote security management method and device based on SNMP.
The invention is realized by the following technical scheme:
An SNMP-based remote security management method, characterized in that it comprises the following steps:
first, establishing a communication channel with the agent side and performing authority verification with the agent side over that channel, so that the management station completes remote login management of the managed device and remote login over the SNMP protocol is achieved;
second, establishing a communication channel with the management side and performing authority verification with the management side over that channel, so that the management station can manage the managed device remotely;
third, after the first authority verification of the management side succeeds, generating a Trap port corresponding to that management side and notifying the management side of the information on the Trap port; when a Trap message needs to be reported to the management side, sending the Trap message to that Trap port.
In the first step, remote login over the SNMP protocol is realized by the following specific steps:
1) defining a number of generic object identifiers (OIDs) in the management information base (MIB), the generic object identifiers including at least a command data identifier used to carry login commands or response data;
2) the management station sends a login request message to the managed device in a set-request (SetRequest) message;
3) the managed device parses the received login request message, performs the corresponding operation according to the generic object identifiers and their content values, and stores the corresponding response data;
4) the managed device returns a get-response (GetResponse) message to the management station indicating whether the login request message was correctly received, and sends the response data message to the management station in get-response messages.
In step 1), the generic object identifiers defined further include a current packet length identifier, a total packet number identifier and a current packet sequence number identifier.
In step 2), the login request message consists of generic object identifiers and the content values they carry.
In step 4), the response data message consists of generic object identifiers and the content values they carry, the content values being the corresponding response data.
Alternatively, in the first step, remote login over the SNMP protocol is realized by the following specific steps:
1) defining a number of generic object identifiers in the management information base, including a current packet length identifier and a command data identifier;
2) the management station sends a login request message to the managed device in a set-request message;
3) the managed device returns a get-response message to the management station indicating whether the login request message was correctly received;
4) the managed device performs the corresponding operation according to the name and parameter values of the login command, stores the response data of the result, and determines the total number of data packets required to return it to the management station.
In the third step, the agent side sends the management side the information on the Trap port corresponding to that management side; the management side listens on that Trap port, and when a Trap message arrives at the Trap port the management side processes the received Trap message.
An SNMP-based remote security management device comprises:
a channel establishing unit, used to establish a communication channel with the agent side or the management side;
an authority verification unit, used to perform authority verification with the agent side or the management side over the channel established by the channel establishing unit;
a port generating unit, used to generate a Trap port corresponding to the management side after the authority verification unit has successfully completed the first authority verification of the management side;
a notifying unit, used to notify the management side of the information on the Trap port generated by the port generating unit;
a message sending unit, used to send a Trap message to that Trap port when a Trap message needs to be reported to the management side, after the notifying unit has notified the management side of the information on the Trap port generated by the port generating unit;
an information obtaining unit, used to obtain the information provided by the agent side on the Trap port corresponding to the management side;
a monitoring unit, used to listen on the Trap port indicated by the information obtained by the information obtaining unit;
and a message processing unit, used to process the received Trap message after the monitoring unit detects that a Trap message has arrived at the port.
The beneficial effects of the invention are as follows: the SNMP-based remote security management method and device resolve the tension between the extensibility that remote login requires and the relative stability of the MIB, and provide reliable security without degrading the working efficiency of the simple network management system.
Drawings
To illustrate the embodiments of the invention and the technical solutions of the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings described below show only some embodiments of the invention, and those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the remote security management method based on SNMP.
Detailed Description
To help those skilled in the art understand the technical solution of the invention, the technical solution in the embodiment of the invention is described clearly and completely below with reference to that embodiment. The embodiment described is merely an example of the invention and does not limit its full scope; all other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the scope of protection of the invention.
The SNMP-based remote security management method comprises the following steps:
first, establishing a communication channel with the agent side and performing authority verification with the agent side over that channel, so that the management station completes remote login management of the managed device and remote login over the SNMP protocol is achieved;
second, establishing a communication channel with the management side and performing authority verification with the management side over that channel, so that the management station can manage the managed device remotely;
third, after the first authority verification of the management side succeeds, generating a Trap port corresponding to that management side and notifying the management side of the information on the Trap port; when a Trap message needs to be reported to the management side, sending the Trap message to that Trap port.
In the first step, remote login over the SNMP protocol is realized by the following specific steps:
1) defining a number of generic object identifiers (OIDs) in the management information base (MIB), the generic object identifiers including at least a command data identifier used to carry login commands or response data;
2) the management station sends a login request message to the managed device in a set-request (SetRequest) message;
3) the managed device parses the received login request message, performs the corresponding operation according to the generic object identifiers and their content values, and stores the corresponding response data;
4) the managed device returns a get-response (GetResponse) message to the management station indicating whether the login request message was correctly received, and sends the response data message to the management station in get-response messages.
In step 1), the generic object identifiers defined further include a current packet length identifier, a total packet number identifier and a current packet sequence number identifier.
In step 2), the login request message consists of generic object identifiers and the content values they carry.
In step 4), the response data message consists of generic object identifiers and the content values they carry, the content values being the corresponding response data.
Alternatively, in the first step, remote login over the SNMP protocol is realized by the following specific steps:
1) defining a number of generic object identifiers in the management information base, including a current packet length identifier and a command data identifier;
2) the management station sends a login request message to the managed device in a set-request message;
3) the managed device returns a get-response message to the management station indicating whether the login request message was correctly received;
4) the managed device performs the corresponding operation according to the name and parameter values of the login command, stores the response data of the result, and determines the total number of data packets required to return it to the management station.
In the third step, the agent side sends the management side the information on the Trap port corresponding to that management side; the management side listens on that Trap port, and when a Trap message arrives at the Trap port the management side processes the received Trap message.
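The third step above replaces the single UDP/162 listener and its one-at-a-time distributor with one Trap port per verified management side. The exchange below is an added example and not the patent's code: it runs an agent and two management sides over UDP on 127.0.0.1, using an HMAC challenge-response as the "first authority verification", per-manager shared secrets, an OS-assigned free port as the allocation policy and a plain byte string as the Trap payload, all of which are assumptions for the demonstration.

```python
"""Per-manager Trap ports: the agent side verifies the management side,
allocates it a Trap port, tells it which one, and later sends that
manager's Trap messages there instead of to the shared UDP port 162.

Added example; not code from the patent. The HMAC challenge-response used
for the first authority verification, the shared secrets, the way a free
port is picked and the Trap payload format are all assumptions for the
demonstration; everything runs over UDP on 127.0.0.1.
"""
import hashlib
import hmac
import os
import socket
from typing import Dict, Optional


def pick_free_udp_port() -> int:
    """Ask the OS for a currently unused UDP port (assumed allocation policy)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


class AgentSide:
    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self._secrets = secrets                    # manager name -> shared secret (assumed)
        self._trap_port: Dict[str, int] = {}       # filled only after verification
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify_and_assign(self, manager: str, challenge: bytes, proof: bytes) -> Optional[int]:
        """First authority verification; on success generate (or reuse) this
        manager's Trap port and return it so the manager can be notified."""
        secret = self._secrets.get(manager)
        if secret is None:
            return None
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None
        if manager not in self._trap_port:
            port = pick_free_udp_port()
            while port in self._trap_port.values():   # never share a port between managers
                port = pick_free_udp_port()
            self._trap_port[manager] = port
        return self._trap_port[manager]

    def send_trap(self, manager: str, payload: bytes) -> bool:
        """Report a Trap to one manager on its own port; unverified managers get nothing."""
        port = self._trap_port.get(manager)
        if port is None:
            return False
        self._sock.sendto(payload, ("127.0.0.1", port))
        return True

    def close(self) -> None:
        self._sock.close()


class ManagementSide:
    def __init__(self, name: str, secret: bytes) -> None:
        self.name, self._secret = name, secret
        self._sock: Optional[socket.socket] = None

    def prove(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

    def listen(self, trap_port: int) -> None:
        """Monitoring unit: bind the Trap port the agent told us about."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self._sock.bind(("127.0.0.1", trap_port))
        self._sock.settimeout(1.0)

    def receive(self) -> Optional[bytes]:
        """Message processing unit: one Trap, or None if nothing arrived in time."""
        try:
            data, _ = self._sock.recvfrom(65535)
            return data
        except socket.timeout:
            return None

    def close(self) -> None:
        if self._sock:
            self._sock.close()


def run_exchange() -> dict:
    """Two legitimate managers and one impostor against a single agent."""
    agent = AgentSide({"nms-a": b"secret-a", "nms-b": b"secret-b"})
    nms_a, nms_b = ManagementSide("nms-a", b"secret-a"), ManagementSide("nms-b", b"secret-b")
    impostor = ManagementSide("nms-a", b"guess")                 # right name, wrong secret
    c_a, c_b, c_x = agent.challenge(), agent.challenge(), agent.challenge()
    port_a = agent.verify_and_assign(nms_a.name, c_a, nms_a.prove(c_a))
    port_b = agent.verify_and_assign(nms_b.name, c_b, nms_b.prove(c_b))
    port_x = agent.verify_and_assign(impostor.name, c_x, impostor.prove(c_x))
    nms_a.listen(port_a)
    nms_b.listen(port_b)
    agent.send_trap("nms-a", b"linkDown eth1")                   # only nms-a's port receives this
    got_a, got_b = nms_a.receive(), nms_b.receive()
    result = {"port_a": port_a, "port_b": port_b, "impostor_port": port_x,
              "a_got": got_a, "b_got": got_b,
              "trap_to_unverified": agent.send_trap("nms-c", b"coldStart")}
    for peer in (agent, nms_a, nms_b):
        peer.close()
    return result


if __name__ == "__main__":
    print(run_exchange())
```

Two points worth checking in a real implementation: the port assignment message itself must travel over the already-verified channel, or an attacker who can inject it redirects a manager's Traps to a port they control; and because Traps are unacknowledged UDP, a burst still loses packets at the receiving socket, so the per-manager split removes the shared queue but not the need for Inform-style acknowledgement where delivery matters.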
The SNMP-based remote security management device comprises:
a channel establishing unit, used to establish a communication channel with the agent side or the management side;
an authority verification unit, used to perform authority verification with the agent side or the management side over the channel established by the channel establishing unit;
a port generating unit, used to generate a Trap port corresponding to the management side after the authority verification unit has successfully completed the first authority verification of the management side;
a notifying unit, used to notify the management side of the information on the Trap port generated by the port generating unit;
a message sending unit, used to send a Trap message to that Trap port when a Trap message needs to be reported to the management side, after the notifying unit has notified the management side of the information on the Trap port generated by the port generating unit;
an information obtaining unit, used to obtain the information provided by the agent side on the Trap port corresponding to the management side;
a monitoring unit, used to listen on the Trap port indicated by the information obtained by the information obtaining unit;
and a message processing unit, used to process the received Trap message after the monitoring unit detects that a Trap message has arrived at the port.
The SNMP-based remote security management method and device have been described in detail above. The invention has been described with reference to specific examples, which are provided to assist in understanding its core concepts; all other embodiments that can be obtained by those skilled in the art without departing from the spirit of the invention fall within the scope of the invention.

Claims (8)

1. An SNMP-based remote security management method, characterized in that it comprises the following steps:
first, establishing a communication channel with the agent side and performing authority verification with the agent side over that channel, so that the management station completes remote login management of the managed device and remote login over the SNMP protocol is achieved;
second, establishing a communication channel with the management side and performing authority verification with the management side over that channel, so that the management station can manage the managed device remotely;
third, after the first authority verification of the management side succeeds, generating a Trap port corresponding to that management side and notifying the management side of the information on the Trap port; when a Trap message needs to be reported to the management side, sending the Trap message to that Trap port.
2. The SNMP-based remote security management method according to claim 1, wherein in the first step remote login over the SNMP protocol is realized by the following specific steps:
1) defining a number of generic object identifiers in the management information base, the generic object identifiers including at least a command data identifier used to carry login commands or response data;
2) the management station sends a login request message to the managed device in a set-request message;
3) the managed device parses the received login request message, performs the corresponding operation according to the generic object identifiers and their content values, and stores the corresponding response data;
4) the managed device returns a get-response message to the management station indicating whether the login request message was correctly received, and sends the response data message to the management station in get-response messages.
3. The SNMP-based remote security management method according to claim 2, wherein in step 1) the generic object identifiers defined further include a current packet length identifier, a total packet number identifier and a current packet sequence number identifier.
4. The SNMP-based remote security management method according to claim 2, wherein in step 2) the login request message consists of generic object identifiers and the content values they carry.
5. The SNMP-based remote security management method according to claim 3, wherein in step 4) the response data message consists of generic object identifiers and the content values they carry, the content values being the corresponding response data.
6. The SNMP-based remote security management method according to claim 1, wherein in the first step remote login over the SNMP protocol is realized by the following specific steps:
1) defining a number of generic object identifiers in the management information base, including a current packet length identifier and a command data identifier;
2) the management station sends a login request message to the managed device in a set-request message;
3) the managed device returns a get-response message to the management station indicating whether the login request message was correctly received;
4) the managed device performs the corresponding operation according to the name and parameter values of the login command, stores the response data of the result, and determines the total number of data packets required to return it to the management station.
7. The SNMP-based remote security management method according to claim 1, wherein in the third step the agent side sends the management side the information on the Trap port corresponding to that management side; the management side listens on that Trap port, and when a Trap message arrives at the Trap port the management side processes the received Trap message.
8. An SNMP-based remote security management device, characterized in that it comprises:
a channel establishing unit, used to establish a communication channel with the agent side or the management side;
an authority verification unit, used to perform authority verification with the agent side or the management side over the channel established by the channel establishing unit;
a port generating unit, used to generate a Trap port corresponding to the management side after the authority verification unit has successfully completed the first authority verification of the management side;
a notifying unit, used to notify the management side of the information on the Trap port generated by the port generating unit;
a message sending unit, used to send a Trap message to that Trap port when a Trap message needs to be reported to the management side, after the notifying unit has notified the management side of the information on the Trap port generated by the port generating unit;
an information obtaining unit, used to obtain the information provided by the agent side on the Trap port corresponding to the management side;
a monitoring unit, used to listen on the Trap port indicated by the information obtained by the information obtaining unit;
and a message processing unit, used to process the received Trap message after the monitoring unit detects that a Trap message has arrived at the port.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111202047.2A CN114050959A (en) 2021-10-15 2021-10-15 Remote security management method and device based on SNMP

Publications (1)

Publication Number Publication Date
CN114050959A true CN114050959A (en) 2022-02-15

Family

ID=80205076

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111202047.2A Pending CN114050959A (en) 2021-10-15 2021-10-15 Remote security management method and device based on SNMP

Country Status (1)

Country Link
CN (1) CN114050959A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101009580A (en) * 2006-01-25 2007-08-01 中兴通讯股份有限公司 A remote login implementation method based on SNMP protocol
CN101753353A (en) * 2008-12-18 2010-06-23 大唐移动通信设备有限公司 SNMP based safety management method, Trap message processing method and device

Similar Documents

Publication Publication Date Title
US8189468B2 (en) System and method for regulating messages between networks
US8856292B2 (en) Managing command compliance in internetworking devices
CN108848145B (en) Method and system for accessing near-end network management of equipment through WEB agent and far-end network management
Affandi et al. Design and implementation fast response system monitoring server using Simple Network Management Protocol (SNMP)
CN102055608A (en) CPE (customer premise equipment) updating method, device and system
CN114268938A (en) Method, device, equipment and storage medium for managing user front equipment
WO2023279831A1 (en) Network management proxy and network element management platform
CN114050959A (en) Remote security management method and device based on SNMP
CN111343033B (en) Network management system for multi-layer difference
CN112866186B (en) Security level determination method and device
Cisco Configuring SNMP
CN111091204B Intelligent monitoring method and device for maintenance behaviors and computer readable storage medium
Cisco SNMP Trap Support for the VSI Master MIB
WO2012146100A1 (en) Security protection method and apparatus using simple network management protocol
EP3206334B1 (en) Information sending method, managed system, and managing system
CN101753353B (en) SNMP based safety management method, Trap message processing method and device
CN116866090B (en) Network security management system and network security management method of industrial control network
CN102148704A (en) Software implementation method for universal network management interface of safe switch
JP2007188298A (en) Snmp agent apparatus

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220215