CN114499989A - Security device management method and device - Google Patents


Info

Publication number: CN114499989A
Authority: CN (China)
Prior art keywords: management, security, reverse proxy, message, tunnel
Legal status: Pending
Application number: CN202111651814.8A
Other languages: Chinese (zh)
Inventor: 杜佳浩
Current assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Original assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd

Classifications

    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Authentication of entities using certificates
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

All three classifications fall under H04L63/00 (network architectures or network communication protocols for network security), within H (electricity), H04 (electric communication technique) and H04L (transmission of digital information, e.g. telegraphic communication).

Abstract

The invention provides a method and an apparatus for managing security devices. The method, applied to a management device, includes the following steps: receiving device registration information sent by one or more security devices; establishing a reverse proxy tunnel with each of the security devices, the reverse proxy tunnel being established on the active (device-initiated) request of the security device over the SSH protocol; and sending a configuration message to each of the security devices through the reverse proxy tunnel, the configuration message being used to configure the security device. The security device management method provided by the invention realizes centralized management of security devices by the management device and improves the security of security device management.

Description

Security device management method and device
Technical Field
The invention relates to the technical field of computers, and in particular to a method and an apparatus for managing security devices.
Background
In a large network (e.g., an intranet), many security devices such as firewalls may be deployed in different areas, because different LANs serve different purposes. However, because of the firewall's own security settings (e.g., its ACL configuration), the management port of the firewall is not reachable from the management device. As a result, each firewall can only be configured individually, and the firewalls cannot be managed uniformly by the management device.
Disclosure of Invention
The invention provides a method and an apparatus for managing security devices, which overcome the drawback of the prior art that security devices cannot be managed uniformly and realize centralized management of security devices.
In a first aspect, the present invention provides a security device management method, applied to a management device, including:
receiving device registration information sent by one or more security devices;
establishing a reverse proxy tunnel with each of the security devices, the reverse proxy tunnel being established on the active request of the security device over the SSH protocol;
sending a configuration message to each of the security devices through the reverse proxy tunnel, the configuration message being used to configure the security device.
Optionally, receiving device registration information sent by one or more security devices includes:
receiving a first authentication message sent by each security device, the first authentication message including SSL certificate information of the security device;
sending a first authentication response message to each security device, the first authentication response message including SSL certificate information of the management device;
receiving a registration message sent by each security device, the registration message including device information of the security device;
and determining a listening port based on the device information, where the listening port is bound one-to-one to the security device corresponding to the device information and is the port on which that security device listens for messages from the management device.
Optionally, establishing a reverse proxy tunnel with each of the security devices includes:
sending a registration response message to each security device, the registration response message including port information of the listening port;
and receiving a tunnel establishment request message sent by each security device, and establishing the reverse proxy tunnel based on the tunnel establishment request message and the listening port.
Optionally, the method further includes:
receiving a public key sent by each security device, where the public key is used by the management device to encrypt and decrypt transmission data, the transmission data being the data transmitted between the security device and the management device.
Optionally, before sending the configuration message to each of the security devices, the method further includes:
sending a second authentication message to each security device, where the second authentication message is used by the security device to authenticate the device management authority of the management device, the management authority having been pre-assigned by the security device.
Optionally, the sending of the configuration message is implemented based on the django-http-proxy open source library.
In a second aspect, the present invention further provides a security device management method, applied to a security device, including:
sending device registration information to the management device;
establishing a reverse proxy tunnel with the management device, the reverse proxy tunnel being established on the active request of the security device over the SSH protocol;
and receiving a configuration message sent by the management device through the reverse proxy tunnel, the configuration message being used to configure the security device.
Optionally, sending device registration information to the management device includes:
sending a first authentication message to the management device, the first authentication message including SSL certificate information of the security device;
receiving a first authentication response message sent by the management device, the first authentication response message including SSL certificate information of the management device;
sending a registration message to the management device, the registration message including device information of the security device.
Optionally, establishing a reverse proxy tunnel with the management device includes:
receiving a registration response message sent by the management device, where the registration response message includes port information of a listening port, the listening port being determined by the management device based on the device information, bound one-to-one to the security device corresponding to the device information, and being the port on which that security device listens for messages from the management device;
and sending a tunnel establishment request message to the management device, and establishing the reverse proxy tunnel based on the tunnel establishment request message and the listening port.
Optionally, the method further includes:
sending a public key to the management device, where the public key is used by the management device to encrypt and decrypt transmission data, the transmission data being the data transmitted between the security device and the management device.
Optionally, before receiving the configuration message sent by the management device, the method further includes:
receiving a second authentication message sent by the management device;
and authenticating the device management authority of the management device based on the second authentication message, the management authority having been pre-assigned by the security device.
In a third aspect, the present invention further provides a security device management apparatus, applied to a management device, including:
a first receiving module, configured to receive device registration information sent by one or more security devices;
a first tunnel establishing module, configured to establish a reverse proxy tunnel with each security device, where the reverse proxy tunnel is established on the active request of the security device over the SSH protocol;
a first sending module, configured to send a configuration message to each of the security devices through the reverse proxy tunnel, where the configuration message is used to configure the security device.
In a fourth aspect, the present invention further provides a security device management apparatus, applied to a security device, including:
a second sending module, configured to send device registration information to the management device;
a second tunnel establishing module, configured to establish a reverse proxy tunnel with the management device, where the reverse proxy tunnel is actively established by the security device over the SSH protocol;
a second receiving module, configured to receive, through the reverse proxy tunnel, a configuration message sent by the management device, where the configuration message is used to configure the security device.
In a fifth aspect, the present invention further provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the security device management method according to the first aspect or the steps of the security device management method according to the second aspect when executing the computer program.
In a sixth aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the security device management method according to the first aspect, or the steps of the security device management method according to the second aspect.
In a seventh aspect, the present invention also provides a computer program product comprising a computer program which, when executed by a processor, performs the steps of the method for managing security devices according to the first aspect, or the steps of the method for managing security devices according to the second aspect.
According to the security device management method provided by the embodiment of the invention, the management device actively sends messages to the security devices through the reverse proxy tunnel, realizing centralized management of the security devices by the management device. Because the reverse proxy tunnel is actively established by the security device and does not disclose the management port of the security device, security is preserved; because the tunnel is established over the SSH protocol, which effectively prevents information leakage during management, the security of security device management is improved. In addition, the device registration of this embodiment meets the business need to extend registration to further devices according to the organization's network requirements, so that the management device can centrally control not only firewall devices but also boundary security devices such as probes, VPN devices and sub-security devices.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flow diagram of a reverse proxy provided by the present invention;
Fig. 2 is a schematic diagram of an application scenario provided by an embodiment of the present invention;
Fig. 3 is a first flowchart of a security device management method according to an embodiment of the present invention;
Fig. 4 is a second flowchart of a security device management method according to an embodiment of the present invention;
Fig. 5 is a third flowchart of a security device management method according to an embodiment of the present invention;
Fig. 6 is a schematic reverse proxy diagram of a security device management method according to an embodiment of the present invention;
Fig. 7 is a first schematic structural diagram of a security device management apparatus according to an embodiment of the present invention;
Fig. 8 is a second schematic structural diagram of a security device management apparatus according to a second embodiment of the present invention;
Fig. 9 is a schematic structural diagram of an electronic device provided in an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The technical terms used in the invention are defined as follows:
Reverse proxy: a proxy server receives connection requests from the internet, forwards them to a server on the internal network, and returns the result obtained from that server to the client that requested the connection; to the outside, the proxy server appears to be the server itself. Fig. 1 is a schematic flow diagram of a reverse proxy provided by the present invention. As shown in Fig. 1, the requests of users (user device A, user device B and user device C) are received by one proxy server (also called the reverse proxy server) and distributed to the proxied servers (server A, server B and server C), so that different users obtain the same service by sending their requests to the reverse proxy server.
SSH (Secure Shell): a security protocol built on the application layer. SSH is a comparatively reliable security protocol designed for remote login sessions and other network services.
ACL (Access Control List): an access control technique based on packet filtering, which filters the packets on an interface according to configured conditions and either allows them to pass or drops them.
Fig. 2 is a schematic view of an application scenario provided by an embodiment of the present invention. As shown in Fig. 2, it depicts a common deployment of a management device and a security device: both belong to the same subnet, but because of security settings (such as the ACL configuration of a firewall) the management port of the security device is not reachable from the management device, whereas the security device can discover the management device over the network. In such a scenario, conventional reverse proxy technology cannot meet the need of the management device to manage the security device, so the embodiment of the present invention provides a security device management method that realizes centralized management of the security device by the management device.
The following describes a security device management method provided by an embodiment of the present invention with reference to fig. 3 to fig. 6.
Fig. 3 is a schematic flowchart of a security device management method provided in an embodiment of the present invention. As shown in Fig. 3, the method is applied to a management device and includes:
Step 110, receiving device registration information sent by one or more security devices.
Specifically, a security device is an edge device used in the security field, also called an edge security protection device, such as a firewall, a probe, a VPN device or a sub-management device. For example, in a large network system a firewall may send its device registration information to a sub-management device, which forwards it to the management device, forming multi-level management. The device registration information is used to bring the security device under the centralized management of the management device.
Illustratively, the management device establishes an underlying communication channel with the security device based on the SSL protocol, and receives the device registration information sent by the one or more security devices over that channel.
Step 120, establishing a reverse proxy tunnel with each of the security devices, where the reverse proxy tunnel is established on the active request of the security device over the SSH protocol.
Specifically, the reverse proxy tunnel carries the communication between the management device and the security device. It is an SSH tunnel whose establishment is actively requested by the security device; it binds a port on the management device, listens on that bound port, and forwards the data sent to it (such as HTTP request packets) to the security device.
Step 130, sending a configuration message to each of the security devices through the reverse proxy tunnel, where the configuration message is used to configure the security device.
Specifically, the configuration message contains configuration information (e.g., a security policy) used to configure the security device. The configuration information may be obtained by the management device from user input on the management device itself, or from a user configuration message sent by a user device to the management device, the user configuration message being generated from the user's input on the user device and containing the configuration information.
According to the security device management method provided by the embodiment of the invention, the management device actively sends messages to the one or more registered security devices through the reverse proxy tunnel, realizing centralized management of the security devices by the management device; the reverse proxy tunnel is established over the SSH protocol, which effectively prevents information leakage during management and improves the security of security device management; in addition, the device registration of this embodiment meets the business need to extend registration to further devices according to the organization's network requirements, so that the management device can centrally manage and control not only firewall devices but also boundary security devices such as probes, VPN devices and sub-security devices.
A possible implementation of the above steps in a specific embodiment is described below.
Step 110, receiving device registration information sent by one or more security devices.
Optionally, receiving device registration information sent by one or more security devices includes:
Step 111, receiving a first authentication message sent by each security device, where the first authentication message includes SSL certificate information of the security device;
Step 112, sending a first authentication response message to each security device, where the first authentication response message includes SSL certificate information of the management device.
It will be understood that before the reverse proxy tunnel is established the management device cannot actively send messages to the security device, because the security device's port is unknown. The management device can, however, open a communication port on which it receives messages actively sent by the security device and returns response messages to them; this passive message exchange is how, in step 110, the management device establishes the underlying communication channel with the security device based on the SSL protocol. For example, the security device may learn the open port of the management device from user input, establish a one-way communication connection to the management device, and send communication messages to it.
Regarding the SSL certificate information of the security device and of the management device: an SSL certificate is a digital certificate configured on a server, also called an SSL server certificate, and provides server authentication and encryption of transmitted data. In this step, bidirectional SSL certificate exchange is used to authenticate the identities of both the security device and the management device.
Step 113, receiving a registration message sent by each security device, where the registration message includes device information of the security device.
Specifically, the device information may include the device name and similar attributes.
Optionally, the management device also receives heartbeat information (also called a heartbeat packet or heartbeat message; the name is not limited in this embodiment) sent by the security device and containing information about the security device itself.
Step 114, determining a listening port based on the device information, where the listening port is bound one-to-one to the security device corresponding to the device information and is the port on which that security device listens for messages from the management device.
Specifically, the management device allocates a listening port (rendered elsewhere in this translation as "monitoring port") to the security device based on the device information and port negotiation, choosing an idle port; the listening port is then bound to that security device. The listening port is the port through which the management device's messages are sent to the security device. Illustratively, port 8888 is bound to security device 001 as its listening port.
Step 120, establishing a reverse proxy tunnel with each security device, where the reverse proxy tunnel is established on the active request of the security device over the SSH protocol.
Optionally, establishing a reverse proxy tunnel with each of the security devices includes:
Step 121, sending a registration response message to each of the security devices, where the registration response message includes port information of the listening port.
Specifically, in response to the registration message sent by the security device, a registration response message is sent to the security device carrying the port information (e.g., the port number) of the listening port determined in step 114. Illustratively, after receiving the registration message from security device 001, the management device sends security device 001 a registration response message containing the port number of listening port 8888.
Step 122, receiving a tunnel establishment request message sent by each security device, and establishing the reverse proxy tunnel based on the tunnel establishment request message and the listening port.
Specifically, the management device receives a tunnel establishment request message sent by the security device; the security device sends this request actively after receiving the port information of the listening port. Illustratively, the tunnel establishment request message may include: the device information of the security device; the port number of the corresponding listening port; and the device information of the management device. The security device assigns a management port for the reverse proxy tunnel through which it communicates with the management device, but for increased security this management port of the security device is not exposed. After the reverse proxy tunnel is established, data sent via the listening port is delivered to the security device through the reverse proxy tunnel. Illustratively, security device 001 listens on port 8888 through the reverse proxy tunnel and receives the data that the management device sends via port 8888.
Optionally, the method further includes:
receiving a public key sent by each security device, where the public key is used by the management device to encrypt and decrypt transmission data, the transmission data being the data transmitted between the security device and the management device.
Specifically, the public key and the private key form a one-to-one key pair generated by the security device. The management device holds the security device's public key, which enables public-key login: the security device does not need to enter a password to log in to the management device (that is, to establish the SSH connection).
Step 130, sending a configuration message to each of the security devices through the reverse proxy tunnel, where the configuration message is used to configure the security device.
Optionally, before sending the configuration message to each of the security devices, the method further includes:
Step 1301, sending a second authentication message to each of the security devices, where the second authentication message is used by the security device to authenticate the device management authority of the management device, the management authority having been pre-assigned by the security device.
Specifically, the security device assigns the management device an account with management authority. When the management device establishes an HTTP connection with the security device, it must authenticate with the account that the security device assigned to it; only then can it manage the security device. It will be understood that HTTP requests are used to configure the security device, and that these HTTP requests can be carried through the reverse proxy tunnel.
The security device management method thus uses a role-based authority authentication mechanism that prevents servers other than the management device from entering the management port of the security device, improving the security of security device management.
Optionally, the sending of the configuration message is implemented based on the django-http-proxy open source library.
The django-http-proxy open source library proxies requests from a Django server to other servers. Its request forwarding function is used to forward HTTP requests through the reverse proxy tunnel and to return the responses. Illustratively, the management device sends configuration information to the security device in an HTTP request; using the django-http-proxy library, the HTTP request is forwarded from the management device to the security device, and the security device's response to the request is transmitted back.
Optionally, the method further includes: the management device receives a disconnection message sent by the security device.
Fig. 4 is a second flowchart of the security device management method according to an embodiment of the present invention. As shown in Fig. 4, the method is applied to a security device and includes:
Step 210, sending device registration information to a management device;
Step 220, establishing a reverse proxy tunnel with the management device, where the reverse proxy tunnel is established on the active request of the security device over the SSH protocol;
Step 230, receiving a configuration message sent by the management device through the reverse proxy tunnel, where the configuration message is used to configure the security device.
For the descriptions of the security device, the management device and the reverse proxy tunnel, refer to the description of Fig. 3; they are not repeated here.
According to the security device management method provided by the embodiment of the invention, the security device actively requests the management device to establish the reverse proxy tunnel, realizing centralized management of the security device by the management device. Because the reverse proxy tunnel is established at the active request of the security device and does not disclose the security device's management port, that management port is protected from intrusion by other devices and security is improved; because the tunnel is established over the SSH protocol, which effectively prevents information leakage during management, the security of security device management is further improved. In addition, the device registration of this embodiment meets the business need to extend registration to further devices according to the organization's network requirements, so that boundary security devices such as firewalls, probes, VPN devices and sub-security devices can all initiate device registration with the management device and be managed centrally.
In the following, a possible implementation manner of the above steps in a specific embodiment is further described.
Step 210, sending the device registration information to the management device.
Optionally, the sending device registration information to the management device includes:
sending a first authentication message to the management device, the first authentication message including SSL certificate information of the security device;
receiving a first authentication response message sent by the management device, wherein the first authentication response message comprises SSL certificate information of the management device;
sending a registration message to the management device, the registration message including device information of the security device.
For the description of the SSL certificate and the registration message, refer to the description in fig. 3, and are not described herein.
Step 220, establishing a reverse proxy tunnel with the management device, where the reverse proxy tunnel is established by the security device based on an SSH protocol active request.
Optionally, the establishing a reverse proxy tunnel with the management device includes:
step 221, receiving a registration response message sent by the management device, where the registration response message includes port information of a listening port; the listening port is determined by the management device based on the device information, is bound one-to-one with the security device corresponding to that device information, and is used by the corresponding security device to listen for messages from the management device;
step 222, sending a tunnel establishment request message to the management device, and establishing the reverse proxy tunnel based on the tunnel establishment request message and the listening port.
Illustratively, security device 001 receives a registration response message from the management device in which the management device has assigned listening port number 8888 to security device 001; security device 001 communicates with the management device through its own management port 3000 (it is understood that management port 3000 is unknown to any device other than security device 001). Security device 001 then initiates a tunnel establishment request to the management device from management port 3000; SSH binds to listening port 8888 on the management device side and to the port that sent the request message (i.e. management port 3000) on the security device side, so the security device listens, through the reverse proxy tunnel, for data arriving at port 8888, and data sent by way of port 8888 is forwarded to the security device. Because data is delivered to the request-sending port of the security device by listening in this way, the management device does not need to send messages to the security device in the 'local address:local port:target address:target port' command format; the reverse proxy tunnel is thus established without disclosing the management port of the security device, and communication between the security device and the management device is achieved.
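The registration and port negotiation exchange of steps 210 to 222, as an added example that is not part of the patent and not code from the applicant: the security device's SSL certificate information is modelled as a SHA-256 fingerprint of its certificate bytes, the device information as a device ID, and the management device's idle secure ports as a small constructed pool (8888 to 8890). The message types, the Fingerprint, Authenticate, Register and DeviceForPort functions, and the rule that only a previously enrolled certificate may register are assumptions of this example, not identifiers from the patent. It shows the one-to-one binding the text describes: an unenrolled certificate is refused, a device that registers twice keeps its port, two devices never share a port, and an exhausted pool refuses rather than reusing a bound port.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"sync"
)

// AuthMessage is the first authentication message. The SSL certificate is
// modelled only by the SHA-256 fingerprint of its DER bytes, a constructed
// stand-in for the certificate information in the text.
type AuthMessage struct{ CertFingerprint string }

// RegistrationMessage carries the device information (here just a device ID),
// tied to the certificate that passed the first authentication.
type RegistrationMessage struct{ CertFingerprint, DeviceID string }

// ManagementDevice holds the enrolled device certificates and the pool of idle
// secure ports from which listening ports are drawn.
type ManagementDevice struct {
	mu            sync.Mutex
	enrolled      map[string]bool // fingerprints of trusted device certificates
	authenticated map[string]bool // fingerprints that passed the first authentication
	idlePorts     []int           // ports still free for allocation
	bound         map[string]int  // device ID -> listening port (one-to-one)
	byPort        map[int]string  // listening port -> device ID
}

// Fingerprint derives the certificate identifier carried in the messages.
func Fingerprint(certDER []byte) string {
	sum := sha256.Sum256(certDER)
	return hex.EncodeToString(sum[:])
}

func NewManagementDevice(enrolledFingerprints []string, idlePorts []int) *ManagementDevice {
	m := &ManagementDevice{enrolled: map[string]bool{}, authenticated: map[string]bool{},
		idlePorts: append([]int(nil), idlePorts...), bound: map[string]int{}, byPort: map[int]string{}}
	for _, fp := range enrolledFingerprints {
		m.enrolled[fp] = true
	}
	return m
}

// Authenticate handles the first authentication message: only a device whose
// certificate was enrolled beforehand may go on to register.
func (m *ManagementDevice) Authenticate(msg AuthMessage) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	if !m.enrolled[msg.CertFingerprint] {
		return errors.New("authentication refused: certificate not enrolled")
	}
	m.authenticated[msg.CertFingerprint] = true
	return nil
}

// Register handles the registration message and returns the listening port:
// one is chosen at random from the idle pool and bound one-to-one to the
// device. A device that registers again is told its existing port.
func (m *ManagementDevice) Register(msg RegistrationMessage) (int, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	if !m.authenticated[msg.CertFingerprint] {
		return 0, errors.New("registration refused: device not authenticated")
	}
	if port, ok := m.bound[msg.DeviceID]; ok {
		return port, nil
	}
	if len(m.idlePorts) == 0 {
		return 0, errors.New("registration refused: no idle secure port")
	}
	n, err := rand.Int(rand.Reader, big.NewInt(int64(len(m.idlePorts))))
	if err != nil {
		return 0, err
	}
	i := int(n.Int64())
	port := m.idlePorts[i]
	m.idlePorts = append(m.idlePorts[:i], m.idlePorts[i+1:]...)
	m.bound[msg.DeviceID], m.byPort[port] = port, msg.DeviceID
	return port, nil
}

// DeviceForPort attributes traffic on a listening port to exactly one device.
func (m *ManagementDevice) DeviceForPort(port int) (string, bool) {
	m.mu.Lock()
	defer m.mu.Unlock()
	id, ok := m.byPort[port]
	return id, ok
}

func main() {
	cert := []byte("constructed DER bytes of security device 001's certificate")
	mgmt := NewManagementDevice([]string{Fingerprint(cert)}, []int{8888, 8889, 8890})
	fmt.Println(mgmt.Authenticate(AuthMessage{CertFingerprint: Fingerprint(cert)}))
	fmt.Println(mgmt.Register(RegistrationMessage{CertFingerprint: Fingerprint(cert), DeviceID: "001"}))
}
```

The properties worth checking in an implementation of this step are the ones the example enforces: the listening port comes from a bounded, pre-approved pool rather than any free port, registration is refused until the certificate exchange has succeeded, and the binding can be looked up from the port side so that traffic arriving on a listening port is attributed to exactly one registered device.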
Optionally, the method further comprises:
and sending a public key to the management device, wherein the public key is used for the management device to encrypt and decrypt transmission data, and the transmission data is data transmitted between the security device and the management device.
Specifically, the security device generates its own public and private keys with ssh-keygen. The public key is public and may be sent externally; public and private keys correspond one to one, each private key having exactly one corresponding public key and vice versa. Illustratively, the security device sends its public key to the management device via the one-way communication connection described in step 112. Public-key login can then be implemented based on the public key of the security device held by the management device: the security device requests an SSH connection to the management device, and the management device sends a random string to the security device; the security device encrypts the random string with its private key and returns it to the management device; the management device decrypts the encrypted string with the public key and, if the string is correct, logs the security device in, otherwise the login is refused. Public-key login removes the need to enter a password each time the management device logs in (that is, each time an SSH connection is established), which improves the convenience of security device management, and the asymmetric encryption with the public and private keys also improves its security.
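The public-key login described above, as an added example that is not part of the patent or of the applicant's code: the key pair the text generates with ssh-keygen is an ed25519 key pair from the Go standard library here, and the "encrypt the random string with the private key / decrypt it with the public key" steps are realised as signing the random string and verifying the signature, which is what an SSH public-key login actually does. The SecurityDevice and Verifier types, and the rule that a challenge is consumed by one login attempt whether or not it succeeds, are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SecurityDevice holds the key pair generated on the device. The text has the
// device run ssh-keygen; here the standard library's ed25519 is used, and the
// private key never leaves the device.
type SecurityDevice struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSecurityDevice() (*SecurityDevice, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecurityDevice{pub: pub, priv: priv}, nil
}

// PublicKey is what the device sends to the management device during
// registration; it is public and may travel in the clear.
func (d *SecurityDevice) PublicKey() ed25519.PublicKey { return d.pub }

// Answer is the device's reply to a challenge: the random string is signed
// with the private key, the "encrypt with the private key" step in the text.
func (d *SecurityDevice) Answer(challenge []byte) []byte {
	return ed25519.Sign(d.priv, challenge)
}

// Verifier is the management device's side of the login: the enrolled public
// key of one security device and the challenge it is currently waiting on.
type Verifier struct {
	enrolled ed25519.PublicKey
	pending  []byte
}

func NewVerifier(pub ed25519.PublicKey) *Verifier {
	return &Verifier{enrolled: append(ed25519.PublicKey(nil), pub...)}
}

// Challenge issues a fresh random string. A fixed or reused string would let
// a recorded answer be replayed, so a new one is drawn for every login.
func (v *Verifier) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	v.pending = c
	return c, nil
}

// Login checks the answer against the enrolled public key (the "decrypt with
// the public key" step). The outstanding challenge is consumed whether or not
// the check passes, so the same answer cannot be presented twice.
func (v *Verifier) Login(answer []byte) error {
	if v.pending == nil {
		return errors.New("login refused: no outstanding challenge")
	}
	c := v.pending
	v.pending = nil
	if !ed25519.Verify(v.enrolled, c, answer) {
		return errors.New("login refused: answer does not verify under the enrolled key")
	}
	return nil
}

func main() {
	dev, _ := NewSecurityDevice()
	mgmt := NewVerifier(dev.PublicKey()) // public key sent during registration
	c, _ := mgmt.Challenge()             // management device sends the random string
	fmt.Println("login:", mgmt.Login(dev.Answer(c)))
	fmt.Println("replay:", mgmt.Login(dev.Answer(c)))
}
```

The point a reviewer would check in a real implementation is the freshness rule: the random string must be drawn anew for every login and discarded after one attempt, otherwise the encrypted string the text describes could be captured once and replayed by something other than the enrolled security device.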
Step 230, receiving a configuration message sent by the management device based on the reverse proxy tunnel, where the configuration message is used to configure the security device.
Optionally, before receiving the configuration message sent by the management device, the method further includes:
receiving a second authentication message sent by the management device;
and performing device management authority authentication on the management device based on the second authentication message, wherein the management authority is pre-assigned by the security device.
For the description of the device management authority authentication, refer to the description in fig. 3, which is not repeated here.
The security device management method adopts a role authority authentication mechanism, which prevents servers other than the management device from entering the management port of the security device and improves the security of security device management.
Optionally, the security device establishes an underlying communication channel with the management device based on the SSL protocol, and sends the device registration information to the management device through that underlying communication channel.
Optionally, the method further comprises: the security device sends heartbeat information (which may also be called a heartbeat packet, heartbeat message or the like; the name is not limited in this embodiment) containing information about the security device itself to the management device, where the heartbeat information is sent by the security device over the underlying communication channel.
Optionally, the method further comprises: the security device sends a disconnection message to the management device, where the disconnection message instructs the management device to disconnect.
According to the security device management method, the security device sends the disconnection message to the management device, so that in a scenario where the security device detects that the current connection is unstable or unsafe, for example, it can actively tell the management device to disconnect, further improving the security of security device management.
Fig. 5 is a third schematic flowchart of a security device management method according to an embodiment of the present invention, and as shown in fig. 5, the security device management method according to the embodiment of the present invention includes: device registration, tunnel establishment, and reverse proxy.
Specifically, considering the security of the reverse proxy tunnel, SSL certificate exchange is used to authenticate the identities of the management device and the security device during device registration; furthermore, when a tunnel port is allocated to the security device, port negotiation is used: the management device randomly allocates a listening port to the security device from among its idle secure ports, and that listening port is bound to the security device.
In the tunnel establishment process, the particular deployment scenario of the security device and the management device is taken into account: the public key of the security device is held on the management device, the listening port negotiated in the previous step is sent to the security device, and the security device actively establishes a reverse proxy tunnel to the management device, which guarantees the autonomy and security of the security device and avoids the risk of port exposure.
The last step is the reverse proxy process. To prevent services other than the management device from entering the management port of the security device, a role authority authentication mechanism is adopted: the security device allocates an account with management authority to the management device, and when establishing an HTTP connection with the security device, the management device must authenticate with the account allocated by the security device before it can manage the security device.
According to the security device management method provided by the embodiment of the invention, under the security rule restrictions of an intranet scenario, a reverse proxy from the management device to the management port of the security device is realized, which in turn meets the need for more convenient and faster centralized management of boundary security devices such as firewalls. The embodiment of the invention uses SSH to realize a secure, reliable and highly extensible reverse proxy framework. For security, the tunnel encryption of SSH is combined with device registration, port negotiation and management authority authentication to realize secure management from the management device to the security device. In addition, device authentication, data transmission and similar functions are added on top of the SSH reverse proxy, giving the reverse proxy strong extensibility.
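The tunnel establishment and reverse proxy steps above, as an added example that is not part of the patent or of the applicant's code: the security device's management port (port 3000 in the text) is a loopback-only HTTP service on an ephemeral port, the listening port on the management side (8888 in the text) is opened only when the device requests it, and the management device must authenticate with the account the security device allocated before a configuration message is acted on. The bridge between the two ports runs inside one process here; in the deployment the text describes it is an SSH remote forward (the ssh -R form, which is the 'local address:local port:target address:target port' format the text refers to) carried over the security device's outbound SSH session. The ManagementAccount type, HTTP basic authentication as the authentication method, and the account values are assumptions of this example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"io"
	"net"
	"net/http"
	"strings"
)

// ManagementAccount is the account with management authority that the
// security device allocates to the management device (values are constructed).
type ManagementAccount struct{ User, Password string }

// deviceManagementHandler serves the security device's management port. A
// configuration message is acted on only after the sender authenticates with
// the allocated account; any other sender is refused even if it reaches the port.
func deviceManagementHandler(acct ManagementAccount, applyConfig func(string)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		if !ok || subtle.ConstantTimeCompare([]byte(u), []byte(acct.User)) != 1 ||
			subtle.ConstantTimeCompare([]byte(p), []byte(acct.Password)) != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="device-management"`)
			http.Error(w, "management authority required", http.StatusUnauthorized)
			return
		}
		body, _ := io.ReadAll(io.LimitReader(r.Body, 1<<16)) // bounded read
		applyConfig(string(body))
		fmt.Fprintln(w, "configuration applied")
	})
}

// StartDeviceManagementPort starts the management service on a loopback-only
// ephemeral port: the stand-in for management port 3000, which the text never
// exposes beyond the device.
func StartDeviceManagementPort(acct ManagementAccount, applyConfig func(string)) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	go http.Serve(ln, deviceManagementHandler(acct, applyConfig))
	return ln.Addr().String(), nil
}

// OpenReverseTunnel is the device-side action of step 222: the listening port
// on the management side exists only once the device requests it, and each
// connection accepted there is bridged to the device's own management port.
// In the real deployment the bridge is an SSH remote forward over the device's
// outbound SSH session; here both ends live in one process.
func OpenReverseTunnel(mgmtListenAddr, deviceMgmtAddr string) (string, error) {
	ln, err := net.Listen("tcp", mgmtListenAddr)
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go bridge(c, deviceMgmtAddr)
		}
	}()
	return ln.Addr().String(), nil
}

// bridge relays bytes both ways between a tunnel client and the management port.
func bridge(client net.Conn, deviceMgmtAddr string) {
	defer client.Close()
	dev, err := net.Dial("tcp", deviceMgmtAddr)
	if err != nil {
		return
	}
	defer dev.Close()
	go io.Copy(dev, client)
	io.Copy(client, dev)
}

// SendConfig is the management device's side: it sends one configuration
// message through the listening port and returns the HTTP status received.
func SendConfig(listenAddr string, acct ManagementAccount, config string) (int, error) {
	req, err := http.NewRequest(http.MethodPost, "http://"+listenAddr+"/config", strings.NewReader(config))
	if err != nil {
		return 0, err
	}
	req.SetBasicAuth(acct.User, acct.Password)
	req.Close = true // one connection per message keeps the bridge simple
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, nil
}

func main() {
	acct := ManagementAccount{User: "mgmt", Password: "constructed-example-secret"}
	devAddr, _ := StartDeviceManagementPort(acct, func(c string) { fmt.Println("device applied:", c) })
	listenAddr, _ := OpenReverseTunnel("127.0.0.1:0", devAddr)
	code, _ := SendConfig(listenAddr, acct, "set policy default-deny")
	fmt.Println("with management account:", code)
	code, _ = SendConfig(listenAddr, ManagementAccount{User: "other", Password: "x"}, "set policy allow-all")
	fmt.Println("without management authority:", code)
}
```

Two design choices carry the security point of the passage: the device's management service binds 127.0.0.1 only, so the sole way in is through a tunnel the device itself opened, and the role authority check is applied at the device end of the tunnel rather than at the listening port, so reaching port 8888 on the management side is never by itself enough to push configuration. With a real SSH remote forward, the equivalent of binding the listener to loopback is leaving GatewayPorts at its default of no on the management device's sshd, so the forwarded port is not reachable from other hosts.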
Fig. 6 is a schematic reverse proxy diagram of a security device management method according to an embodiment of the present invention, and as shown in fig. 6, in the security device management method according to the embodiment of the present invention, a user device sends a security device configuration message to a management device, and the management device forwards the configuration message to the security device, so that an effect of performing centralized management on the security device by the user device is achieved.
According to the security device management method, first, security devices deployed in different areas are managed uniformly and centrally through one management device by means of the reverse proxy, which greatly improves the convenience of deploying firewalls for users; second, for security devices such as firewalls, ACL (access control list) rules may restrict devices in different subnets, and the SSH reverse proxy provides strong intranet traversal capability while preserving security; third, security is improved, because the data tunnel established by the SSH reverse proxy is an encrypted tunnel, and SSH automatically encrypts and decrypts network data between every SSH client and server; fourth, extensibility is increased: on the basis of the reverse proxy framework, service requirements such as authentication of additional devices for each network service can be met. The management device can therefore not only centrally control firewall devices but also manage probes, VPNs, management devices and other similar boundary security devices.
The following describes the security device management apparatus provided by the present invention, and the security device management apparatus described below and the security device management method described above may be referred to in correspondence with each other.
Fig. 7 is a schematic structural diagram of a security device management apparatus according to an embodiment of the present invention, and as shown in fig. 7, the security device management apparatus according to the embodiment of the present invention is applied to a management device, and includes: a first receiving module 710, a first tunnel establishing module 720 and a first transmitting module 730;
a first receiving module 710, configured to receive device registration information sent by one or more security devices;
Optionally, the first receiving module 710 can maintain a long-lived connection between the security device and the management device; illustratively, the first receiving module maintains an underlying communication channel between the security device and the management device based on an SSL connection. The first receiving module 710 is configured to receive device registration information sent by one or more security devices. The first receiving module 710 is further configured to receive device information sent by the security device; for example, the management device receives, through the first receiving module 710, heartbeat information (which may also be called a heartbeat packet, heartbeat message or the like; the name is not limited in this embodiment) that contains information about the security device itself and is sent by the security device. The first receiving module 710 is further configured to receive a disconnection message from the security device. Optionally, the first receiving module 710 is further configured to manage the session channel between the security device and the management device after registration succeeds. Optionally, the first receiving module 710 is further used for establishing, maintaining and cleaning up the communication connection between the security device and the management device.
A first tunnel establishing module 720, configured to establish a reverse proxy tunnel with each of the security devices, where the reverse proxy tunnel is established by the security device based on an SSH protocol active request;
a first sending module 730, configured to send a configuration message to each of the security devices based on the reverse proxy tunnel, where the configuration message is used to configure the security devices.
It should be noted that, the apparatus provided in the embodiment of the present invention can implement all the method steps implemented by the method embodiment and achieve the same technical effect, and detailed descriptions of the same parts and beneficial effects as the method embodiment in this embodiment are omitted here.
Fig. 8 is a schematic structural diagram of a security device management apparatus according to an embodiment of the present invention, and as shown in fig. 8, the embodiment of the present invention provides a security device management apparatus, which is applied to a security device, and includes: a second sending module 810, a second tunnel establishing module 820 and a second receiving module 830;
a second sending module 810, configured to send device registration information to the management device;
a second tunnel establishing module 820, configured to establish a reverse proxy tunnel with the management device, where the reverse proxy tunnel is established by the security device based on an SSH protocol active request;
a second receiving module 830, configured to receive, based on the reverse proxy tunnel, a configuration message sent by the management device, where the configuration message is used to configure the security device.
It should be noted that, the apparatus provided in the embodiment of the present invention can implement all the method steps implemented by the method embodiment and achieve the same technical effect, and detailed descriptions of the same parts and beneficial effects as the method embodiment in this embodiment are omitted here.
Fig. 9 illustrates a physical structure diagram of an electronic device, and as shown in fig. 9, the electronic device may include: a processor (processor) 910, a communication interface (Communications Interface) 920, a memory (memory) 930, and a communication bus 940, wherein the processor 910, the communication interface 920, and the memory 930 communicate with each other via the communication bus 940. Processor 910 may invoke logic instructions in memory 930 to perform a security device management method applied to a management device, comprising: receiving device registration information sent by one or more security devices; establishing a reverse proxy tunnel with each of the security devices, the reverse proxy tunnel being established by the security devices based on an SSH protocol active request; sending a configuration message to each of the security devices based on the reverse proxy tunnel, the configuration message being used to configure the security devices.
Furthermore, the logic instructions in the memory 930 may be implemented in software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Fig. 10 illustrates a physical structure diagram of an electronic device, and as shown in fig. 10, the electronic device may include: a processor (processor) 1010, a communication interface (Communications Interface) 1020, a memory (memory) 1030, and a communication bus 1040, wherein the processor 1010, the communication interface 1020, and the memory 1030 communicate with each other via the communication bus 1040. Processor 1010 may invoke logic instructions in memory 1030 to perform a security device management method applied to a security device, comprising: sending device registration information to the management device; establishing a reverse proxy tunnel with the management device, the reverse proxy tunnel being established by the security device based on an SSH protocol active request; and receiving a configuration message sent by the management device based on the reverse proxy tunnel, wherein the configuration message is used for configuring the security device.
Furthermore, the logic instructions in the memory 1030 can be implemented in software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, the present invention also provides a computer program product, where the computer program product includes a computer program, the computer program may be stored on a non-transitory computer readable storage medium, and when the computer program is executed by a processor, a computer can execute a security device management method provided by the above methods, where the method is applied to a management device, and the method includes: receiving device registration information sent by one or more security devices; establishing a reverse proxy tunnel with each of the security devices, the reverse proxy tunnel being established by the security devices based on an SSH protocol active request; sending a configuration message to each of the security devices based on the reverse proxy tunnel, the configuration message being used to configure the security devices.
The present invention also provides a computer program product, the computer program product comprising a computer program, the computer program being storable on a non-transitory computer-readable storage medium, the computer program, when executed by a processor, being capable of executing a security device management method provided by the above methods, the method being applied to a security device, and comprising: sending device registration information to the management device; establishing a reverse proxy tunnel with the management device, the reverse proxy tunnel being established by the security device based on an SSH protocol active request; and receiving a configuration message sent by the management device based on the reverse proxy tunnel, wherein the configuration message is used for configuring the security device.
In still another aspect, the present invention also provides a non-transitory computer-readable storage medium, on which a computer program is stored, the computer program being executed by a processor to perform a security device management method provided by the above methods, the method being applied to a management device, and the method including: receiving device registration information sent by one or more security devices; establishing a reverse proxy tunnel with each of the security devices, the reverse proxy tunnel being established by the security devices based on an SSH protocol active request; sending a configuration message to each of the security devices based on the reverse proxy tunnel, the configuration message being used to configure the security devices.
The present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program, which when executed by a processor implements a security device management method provided by the above methods, the method being applied to a security device, and including: sending device registration information to the management device; establishing a reverse proxy tunnel with the management device, the reverse proxy tunnel being established by the security device based on an SSH protocol active request; and receiving a configuration message sent by the management device based on the reverse proxy tunnel, wherein the configuration message is used for configuring the security device.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (16)

1. A security device management method, applied to a management device, comprising the following steps:
receiving device registration information sent by one or more security devices;
establishing a reverse proxy tunnel with each of the security devices, the reverse proxy tunnel being established by the security devices based on an SSH protocol active request;
sending a configuration message to each of the security devices based on the reverse proxy tunnel, the configuration message being used to configure the security devices.
2. The security device management method according to claim 1, wherein the receiving the device registration information sent by the one or more security devices comprises:
receiving a first authentication message sent by each security device, wherein the first authentication message comprises SSL certificate information of the security device;
sending a first authentication response message to each of the security devices, the first authentication response message including SSL certificate information of the management device;
receiving a registration message sent by each security device, wherein the registration message comprises device information of the security device;
and determining a listening port based on the device information, wherein the listening port is bound one-to-one with the security device corresponding to the device information and is used by the corresponding security device to listen for messages from the management device based on the listening port.
3. The security device management method according to claim 2, wherein the establishing a reverse proxy tunnel with each of the security devices comprises:
sending a registration response message to each security device, wherein the registration response message comprises port information of the listening port;
and receiving a tunnel establishment request message sent by each security device, and establishing the reverse proxy tunnel based on the tunnel establishment request message and the listening port.
4. The security device management method according to claim 3, further comprising:
and receiving a public key sent by each security device, wherein the public key is used for the management device to encrypt and decrypt transmission data, and the transmission data is data transmitted between the security device and the management device.
5. The security device management method according to claim 1, wherein before the sending the configuration message to each of the security devices, the method further comprises:
and sending a second authentication message to each security device, wherein the second authentication message is used for the security device to carry out device management authority authentication on the management device, and the management authority is pre-assigned by the security device.
6. The method for managing the security device according to claim 1, wherein the sending of the configuration message is implemented based on a django-http-proxy open source library.
7. A security device management method, applied to a security device, comprising the following steps:
sending device registration information to the management device;
establishing a reverse proxy tunnel with the management device, the reverse proxy tunnel being established by the security device based on an SSH protocol active request;
and receiving a configuration message sent by the management device based on the reverse proxy tunnel, wherein the configuration message is used for configuring the security device.
8. The security device management method according to claim 7, wherein the sending of the device registration information to the management device includes:
sending a first authentication message to the management device, the first authentication message including SSL certificate information of the security device;
receiving a first authentication response message sent by the management device, wherein the first authentication response message comprises SSL certificate information of the management device;
sending a registration message to the management device, the registration message including device information of the security device.
9. The security device management method according to claim 8, wherein the establishing a reverse proxy tunnel with the management device includes:
receiving a registration response message sent by the management device, where the registration response message includes port information of a listening port, and the listening port is determined by the management device based on the device information, is bound one-to-one with the security device corresponding to the device information, and is used by the corresponding security device to listen for messages from the management device based on the listening port;
and sending a tunnel establishment request message to the management device, and establishing the reverse proxy tunnel based on the tunnel establishment request message and the listening port.
10. The security device management method according to claim 9, further comprising:
and sending a public key to the management device, wherein the public key is used for the management device to encrypt and decrypt transmission data, and the transmission data is data transmitted between the security device and the management device.
11. The security device management method according to claim 7, wherein before receiving the configuration message sent by the management device, the method further comprises:
receiving a second authentication message sent by the management device;
and performing device management authority authentication on the management device based on the second authentication message, wherein the management authority is pre-assigned by the security device.
12. A security device management apparatus, applied to a management device, includes:
a first receiving module, configured to receive device registration information sent by one or more security devices;
a first tunnel establishing module, configured to establish a reverse proxy tunnel with each security device, where the reverse proxy tunnel is established by the security device based on an SSH protocol active request;
a first sending module, configured to send a configuration message to each of the security devices based on the reverse proxy tunnel, where the configuration message is used to configure the security devices.
13. A security device management apparatus, applied to a security device, includes:
a second sending module, configured to send device registration information to the management device;
a second tunnel establishing module, configured to establish a reverse proxy tunnel with the management device, where the reverse proxy tunnel is actively established by the security device based on an SSH protocol;
a second receiving module, configured to receive, based on the reverse proxy tunnel, a configuration message sent by the management device, where the configuration message is used to configure the security device.
14. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the security device management method of any one of claims 1 to 6, or the steps of the security device management method of any one of claims 7 to 11.
15. A non-transitory computer readable storage medium, having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the steps of the security device management method of any one of claims 1 to 6, or the steps of the security device management method of any one of claims 7 to 11.
16. A computer program product comprising a computer program, wherein the computer program when executed by a processor implements the steps of the security device management method of any one of claims 1 to 6 or the steps of the security device management method of any one of claims 7 to 11.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111651814.8A CN114499989A (en) 2021-12-30 2021-12-30 Security device management method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111651814.8A CN114499989A (en) 2021-12-30 2021-12-30 Security device management method and device

Publications (1)

Publication Number Publication Date
CN114499989A true CN114499989A (en) 2022-05-13

Family

ID=81508124

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111651814.8A Pending CN114499989A (en) 2021-12-30 2021-12-30 Security device management method and device

Country Status (1)

Country Link
CN (1) CN114499989A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114726652A (en) * 2022-05-20 2022-07-08 北京网藤科技有限公司 Security equipment management method and system based on L7 proxy
CN115037525A (en) * 2022-05-18 2022-09-09 深圳奇迹智慧网络有限公司 Multi-connection dynamic security shell protocol reverse proxy system and method

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003021464A2 (en) * 2001-09-05 2003-03-13 Rubenstein, Allen, I. Secure remote access between peers
CN102333075A (en) * 2010-06-30 2012-01-25 丛林网络公司 Multi-service VPN network client for mobile device having dynamic failover
CN108965256A (en) * 2018-06-15 2018-12-07 四川斐讯全智信息技术有限公司 System and method for remotely managing an embedded device based on an SSH reverse tunnel
CN111711659A (en) * 2020-05-22 2020-09-25 北京天维信通科技有限公司 Method and device for remotely managing a terminal, and equipment and storage medium thereof
CN111901304A (en) * 2020-06-28 2020-11-06 北京可信华泰信息技术有限公司 Registration method and device for a mobile security device, storage medium and electronic device
CN113259344A (en) * 2021-05-11 2021-08-13 商汤国际私人有限公司 Remote access method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
US10148628B2 (en) System and method for secure messaging in a hybrid peer-to-peer network
KR101093902B1 (en) Method and system for controlling the access authorisation for a user in a local administrative domain when said user connects to an ip network
EP2815551B1 (en) Peer to peer networking and sharing systems and methods
JP5010608B2 (en) Creating a secure interactive connection with a remote resource
JP2022550356A (en) Methods, systems, and computer-readable media for providing multi-tenant software-defined wide area network (SD-WAN) nodes
CN107113319B (en) Method, device and system for responding in virtual network computing authentication and proxy server
US20080022392A1 (en) Resolution of attribute overlap on authentication, authorization, and accounting servers
EP1942629A1 (en) Method and system for object-based multi-level security in a service oriented architecture
RU2008146517A (en) POLICY MANAGED ACCOUNT DEPARTMENT FOR UNIFIED NETWORK REGISTRATION AND SECURE ACCESS TO NETWORK RESOURCES
US9246906B1 (en) Methods for providing secure access to network resources and devices thereof
CN114499989A (en) Security device management method and device
US11088996B1 (en) Secure network protocol and transit system to protect communications deliverability and attribution
WO2012051868A1 (en) Firewall policy distribution method, client, access server and system
CN112615839B (en) Data transmission system, data transmission method and data transmission device
WO2019120160A1 (en) Method and device for data storage, and distributed storage system
CN111064742B (en) Method, device and related equipment for realizing intranet access based on network agent
WO2009082950A1 (en) Key distribution method, device and system
EP3932044B1 (en) Automatic distribution of dynamic host configuration protocol (dhcp) keys via link layer discovery protocol (lldp)
CN112887278A (en) Interconnection system and method of private cloud and public cloud
KR20180081965A (en) Apparatus and method for providing network service
Cisco Easy VPN Server
JP4584776B2 (en) Gateway device and program
CN110120907B (en) Proposed group-based IPSec VPN tunnel communication method and device
US20200287868A1 (en) Systems and methods for in-band remote management
CN107135226B (en) Transport layer proxy communication method based on socks5

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination