The objective of the invention is to provide a firewall system with a packet-filtering function that performs internal-network security protection and user management, and that can effectively enforce the network security policy by means of a security card and a security card certification authority management system.
The task of the present invention is accomplished in the following manner. The system consists of five parts: a security manager, a system manager (console), a router, a security card, and a security card certification authority management system. The router controls inbound and outbound data according to the configured security rules. The system manager performs the firewall's pre-configuration and security policy configuration (together referred to as system configuration) only after obtaining authorization from the security manager. The security manager grants that authorization by verifying the security card and the Personal Identification Number (PIN); the security card itself is generated and managed by the security card certification authority management system.
The present invention is placed between an information provider or an internal (private) network and the external Internet. It protects internal resources from unauthorized access and damage, and prevents internal information from leaving without review and authorization. It can serve as the secure router between the internal network and the Internet; because it is implemented in hardware, its processing speed is very high. The firewall has a ruggedized (smash-resistant) enclosure design. It uses the currently mature packet-filtering technique to control data flowing between the internal and external networks, and uses the security card technique to protect and manage the firewall system itself.
The security manager consists of a central control module, an I/O control module, a security control module, a security card identification module and a communication control module; it is connected to the system manager and to the router through the communication control module. It is a key component of the present invention. It isolates the router's console port from the system manager (terminal): first, this prevents the terminal from configuring network security rules directly through the console port; second, the security manager confirms the legitimacy of, and decides on special authorization for, commands coming from the system manager; third, it enforces graded security control and collects audit information. This places a technically mandatory constraint on the configuration of the user organization's network security rules and, at the same time, achieves the purpose of protecting the security of the user organization's internal network resources.
The basic operating principle of the security manager is as follows. Its communication control module continuously intercepts the communication data from both ends and forwards it only after judging it; it can also send commands directly to the router to obtain information and data. For data (commands) coming from the system manager, the security control module compares them with the entries of a table stored in the module and applies graded security control; once it determines that special authorization and legal identification are required, it requires the user to insert the security card and enter the Personal Identification Number (PIN) that correctly identifies the user. At the same time it makes the necessary records and memory dumps of the data (information) coming from the router and from the system manager. According to the firewall's running state, the security manager indicates its own operating state, supported by a liquid crystal display showing one of three states: "normal", "error" and "alarm". When it finds that the firewall's configuration file may have been modified, it sounds an audible warning prompting the security administrator to confirm. The program flow of the security manager is illustrated in the accompanying drawings that follow.
The security manager is connected to the router and to the system manager through RS232 interfaces. It provides the communication link between the console (system manager) and the router, manages the additional authorization mechanism for configuring the router's security rules from the console, records the security manager's usage and fault conditions, collects parameters and data from the router, and stores these data by classification or sends them to the console.
When an operation involves system resource configuration or security rule settings, the security manager uses audible and visual alarms to indicate the current type of operation. Whenever an attempt is made to enter the secure state, and after the secure state has been entered (except when security management is fully open), the system automatically records every security-related command executed together with the date and time of the operation, so that all security-related operations can later be traced from the file for a period of time. For any possible modification of the system resource configuration or of the security rule settings, the system compares the stored original security rules with the new security rules; it can thus detect violating events in time, automatically correct certain violations by reference to the pre-stored basic security criteria, and immediately make a detailed record of the violation, including the violating event and the violating security command, while using the security manager's audible and visual alarm to warn the operator that a serious error has occurred.
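The comparison of stored and new security rules, the automatic correction against pre-stored basic criteria and the audit record described above can be made concrete. The following is an added example and not code from the patent: it assumes Cisco IOS extended access-list syntax (the prototype uses a Cisco 2501), and the basic security criteria, the internal network address and the sample rule sets are constructed assumptions.

```python
"""Security-rule change check, as performed by the security manager.

Added illustration (not code from the patent).  Rules use Cisco IOS extended
access-list syntax; the basic security criteria, the internal network address
and the sample rule sets are constructed assumptions.
"""
from datetime import datetime

INTERNAL_NET = "192.168.1.0 0.0.0.255"  # assumed internal network (IOS wildcard form)

# Assumed basic security criteria.  IOS access lists are evaluated top-down,
# first match wins, so position matters: "head" rules must precede every user
# rule, "tail" rules must be last, and "forbid" rules must not appear at all.
BASIC_CRITERIA = [
    ("head", f"access-list 101 deny ip {INTERNAL_NET} any"),  # no inbound packet may claim an internal source
    ("tail", "access-list 101 deny ip any any"),               # explicit default deny
    ("forbid", "access-list 101 permit ip any any"),           # a blanket permit defeats the default deny
]
CRITERION_RULES = {rule for _, rule in BASIC_CRITERIA}


def normalize(rule):
    """Canonical spacing so that formatting differences are not reported as changes."""
    return " ".join(rule.split())


def compare_rules(original, new):
    """Return (removed, added) between the stored original rules and the new set."""
    orig = {normalize(r) for r in original}
    cur = {normalize(r) for r in new}
    return sorted(orig - cur), sorted(cur - orig)


def enforce_basic_criteria(rules):
    """Check a rule set against the basic criteria and automatically correct it.

    Returns (corrected_rules, violations).  Missing head/tail criteria are
    re-inserted at their required position and forbidden rules are dropped.
    """
    seq = [normalize(r) for r in rules]
    violations = []
    for position, rule in BASIC_CRITERIA:
        if position == "forbid":
            if rule in seq:
                violations.append(f"forbidden rule present: {rule}")
        elif rule not in seq:
            violations.append(f"missing basic criterion: {rule}")
        elif position == "tail" and seq[-1] != rule:
            violations.append(f"default deny is not the last rule: {rule}")
        elif position == "head" and any(r not in CRITERION_RULES for r in seq[:seq.index(rule)]):
            violations.append(f"criterion placed after user rules: {rule}")
    head = [rule for position, rule in BASIC_CRITERIA if position == "head"]
    tail = [rule for position, rule in BASIC_CRITERIA if position == "tail"]
    body = [r for r in seq if r not in CRITERION_RULES]
    return head + body + tail, violations


def audit_rule_change(original, new, command, now=None):
    """The security manager's treatment of a proposed rule change.

    Returns (lcd_state, audit_record): lcd_state is "alarm" when a violation was
    found (the audible/visual alarm fires) and "normal" otherwise; the record is
    what is appended to the security operation log.
    """
    now = now or datetime.now()
    removed, added = compare_rules(original, new)
    corrected, violations = enforce_basic_criteria(new)
    record = {
        "time": now.isoformat(timespec="seconds"),
        "command": command,
        "removed": removed,
        "added": added,
        "violations": violations,
        "corrected_rules": corrected,
    }
    return ("alarm" if violations else "normal"), record


# Constructed sample data: the stored original rules and a change typed from the console.
ORIGINAL_RULES = [
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 any",
    "access-list 101 permit tcp any host 192.168.1.10 eq 25",
    "access-list 101 deny ip any any",
]
PROPOSED_RULES = [  # drops the anti-spoofing rule and replaces the default deny
    "access-list 101 permit tcp any host 192.168.1.10 eq 25",
    "access-list  101 permit ip any any",
]

if __name__ == "__main__":
    state, record = audit_rule_change(ORIGINAL_RULES, PROPOSED_RULES, "configure terminal")
    print("LCD state:", state)
    for key, value in record.items():
        print(f"{key}: {value}")
```

Running the sample reports three violations (missing anti-spoofing rule, missing default deny, blanket permit present), restores the original three rules as the corrected set, and puts the display in the "alarm" state.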
The router may be any product with a packet-filtering function. The prototype of the present invention uses the Cisco 2501 product of Cisco Systems (USA), which provides routing and packet filtering and performs filtering control of information entering and leaving the internal network according to the security rules configured from the console. A user who already has a packet-filtering router may add the security manager, system manager and other devices to form the system of the present invention; alternatively, the router may be integrated into the security manager. These are non-limiting particular embodiments and do not affect the generality of the invention.
The system manager consists of a 386-class or better microcomputer (or a dedicated PC) and the system management software, which has an advanced graphical user interface (GUI) and runs under the Windows environment. Software requirements: operating system DOS 5.0 or later; runtime environment Chinese Windows 3.1 or later, or English Windows 3.0 or later (on English Windows, Chinese Star or another Chinese-character platform must be loaded). Hardware requirements: IBM PC or compatible (80386DX processor, 4 MB of memory, one floppy drive, one serial port for the console link, one mouse port), with at least 20 MB of free hard disk space. An 80486DX or better computer, 8 MB or more of memory and a hard disk of 420 MB or more are recommended.
The system management software consists of functional modules such as a filtering rule editor, a firewall state monitor, an access control list monitor and an alarm information collector, and is stored on the hard disk.
The system manager is connected to the router's console port via the security manager; it provides menu-driven management, firewall system configuration and security rule configuration, and collects audit information.
The system manager is used to configure the security policy of the whole network, to control and monitor the operation of the firewall, and to view login and alarm information.
The present invention can be configured with different security rules according to different security requirements. The basic configuration required to guarantee network security is called the pre-configuration. The pre-configuration is the basic precondition for building the firewall, and the user must include the pre-configured parameters in the user's own configuration file when configuring the routing system. The "configuration confirmation" program provided by the system management software compares the pre-configured parameters supplied by the invention with the user's configured operating parameters and confirms whether the configuration is legal.
The firewall security rule configuration file resides in the router's NVRAM; it is the basis on which the firewall "permits/denies" a connection or access, and whoever controls the right to configure it in effect controls network security. The following measures are therefore taken: (1) the router's AUX (auxiliary) port is pre-configured for asynchronous communication in dedicated mode, so that a terminal cannot log in to the router directly through this port; (2) each of the router's communication ports (including the AUX port) is pre-configured so that no internal or external user can log in to the router from the network, and the password for entering the router's privileged mode is strengthened, so that identity is verified before privileged access. In this way the means of configuring the firewall is concentrated on the router's console port; the console port connects directly to the security manager, and the system manager reaches the router only through the security manager.
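As an added example of what the "configuration confirmation" check described above can look like (this is not the patent's own program), the following parses IOS-style configuration text and verifies that the two measures have been applied and that the rule list is actually bound to the external interface. The interface names, access-list number, the specific line settings used to express each measure and both sample configurations are constructed assumptions.

```python
"""Pre-configuration confirmation for the router's running configuration.

Added illustration, not the patent's "configuration confirmation" program.  It
assumes IOS-style configuration text and expresses the two measures above as
concrete line settings; interface names, the access-list number and the sample
configurations are constructed.
"""


def parse_sections(config_text):
    """Group IOS-style configuration into {top-level command: [indented sub-commands]}.

    A line without leading whitespace opens a section; indented lines belong to
    the most recent section.  Comment lines ("!") and blank lines are skipped.
    """
    sections = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def _aux_port_unusable(s):
    # Measure (1): the AUX port must never offer a login shell
    return {"no exec", "transport input none"} <= set(s.get("line aux 0", []))


def _no_network_login(s):
    # Measure (2): every VTY line must refuse network (telnet/rlogin) access
    vty = [h for h in s if h.startswith("line vty")]
    return bool(vty) and all("transport input none" in s[h] for h in vty)


def _enable_secret_set(s):
    # Measure (2): privileged mode protected by a hashed "enable secret", not a cleartext "enable password"
    return any(h.startswith("enable secret ") for h in s)


def _rules_applied(s):
    # The rule list in NVRAM only filters traffic once bound to the external interface
    return "ip access-group 101 in" in s.get("interface Serial0", [])


PRECONFIG_CHECKS = [
    ("AUX port cannot be used to log in", _aux_port_unusable),
    ("no network (VTY) login to the router", _no_network_login),
    ("privileged mode protected by an enable secret", _enable_secret_set),
    ("security rule list applied inbound on the external interface", _rules_applied),
]


def confirm_configuration(config_text):
    """Return the pre-configuration items the user's configuration fails; empty means legal."""
    sections = parse_sections(config_text)
    return [name for name, check in PRECONFIG_CHECKS if not check(sections)]


# Constructed sample: a configuration that only routes and still allows network login.
USER_CONFIG_BAD = """\
hostname fw-router
enable password cisco
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
interface Serial0
 ip address 203.0.113.2 255.255.255.252
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any host 192.168.1.10 eq 25
access-list 101 deny ip any any
!
line con 0
line aux 0
 transport input all
line vty 0 4
 password cisco
 login
"""

# The same configuration with the pre-configured parameters added ("<hash>" is a placeholder).
USER_CONFIG_GOOD = """\
hostname fw-router
enable secret 5 <hash>
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
interface Serial0
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any host 192.168.1.10 eq 25
access-list 101 deny ip any any
!
line con 0
 login
line aux 0
 no exec
 transport input none
line vty 0 4
 transport input none
"""

if __name__ == "__main__":
    for label, cfg in (("without pre-configuration", USER_CONFIG_BAD), ("with pre-configuration", USER_CONFIG_GOOD)):
        failures = confirm_configuration(cfg)
        print(label, "->", "legal" if not failures else failures)
```

The first sample fails all four checks; the second passes. Note that the console line is deliberately not checked for a password here: in this system the console port is wired to the security manager, which is where the card-and-PIN gate lives.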
The system security administrator can configure the firewall system from the terminal via the security manager only by using the system management software of the present invention; otherwise the security manager refuses to forward the information. When the system security administrator configures the firewall's network security control parameters, the security card must be inserted into the "security card reader" slot on the firewall's front panel and the correct Personal Identification Number (PIN) must be entered before the configuration state can be entered; otherwise the firewall's security manager refuses to execute the operation.
The security of the present invention itself is protected by the security card and its management system. The security card is a smart card with storage and processing capability: a microcomputer chip with memory, the size of a credit card, forming an active device that can execute cryptographic algorithms in real time. Smart-card technology is known technology, and its security is greatly improved by its multi-function, easily replaceable and intelligent characteristics. The security card is kept and used by the firewall's security personnel. The card stores the card holder's security certificate, which is generated and managed by a dedicated organization using cryptographic techniques; this organization is called the certification authority (CA). Its functions are: (1) to provide the security card as an authentication instrument for firewall users and administrators; (2) to maintain the authentication data items on the security card; (3) to change the authority and level of a security card; (4) to issue security cards and generate PINs; (5) to maintain the security card verifier.
Each firewall has one security card. The legitimacy, validity and secure content of the security card are issued by a dedicated security card certification authority management system (CAMS). The CAMS is an integral part of the whole firewall system but is administered by the relevant national department (or the lead department of a large user system). Only someone who holds the security card and knows the holder's PIN can carry out the series of operations such as implementing or changing the security policy of this firewall.
The security card certification authority management system (CAMS) is a system that, in a network environment (an interconnected environment formed by multiple firewalls), authorizes, authenticates, identifies, maintains and manages multiple security cards, providing a certificate for each card. It is controlled by the department responsible for firewall policy at the national or local government level, so as to guarantee the legitimacy and authority of the security cards.
The CAMS consists of a 386-class or better microcomputer and a set of specially developed management software. Its security certificates can be issued off-line (for a single firewall) or on-line (in a network environment). The security cards generated by the CAMS are mainly used for the secure storage of the user's secret information. The CAMS initializes the card in the format used by the firewall security application, and then loads the information needed by the security services into the formatted card.
The security card serves mainly for the secure storage of confidential data and the secure processing of firewall measures. The secure processing function prevents an external attacker from tracing the process of security policy enforcement, and the secure storage function prevents unauthorized read and write operations. In the firewall application, the security parameters based on cryptographic techniques are difficult for a user to memorize, so they are stored on the security card.
In use, the user must activate the security card with his own PIN. Thus even the security administrator must hold the security card when configuring the firewall and activate it with the PIN known to him, thereby effectively protecting the security policy and the firewall itself.
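The issuance of a card certificate by the CAMS, the binding of the card to one firewall, and PIN activation at the firewall can be illustrated as follows. This is an added example, not the patent's CAMS or card software. Its assumptions: the certificate fields, validity period and retry limit are invented; the certificate is authenticated with HMAC-SHA256 under a CA key that the firewall's verifier also holds, which stands in for the CA's signature (a deployed CA would sign with an asymmetric key so that the firewall never holds the issuing key); and the PIN comparison runs here in Python, whereas on a real smart card it runs inside the chip.

```python
"""Security card issuance by the CAMS and PIN activation at the firewall.

Added illustration, not the patent's code.  HMAC-SHA256 under a shared CA key
stands in for the CA's signature; certificate fields, validity and the retry
limit are assumptions; the PIN check is simulated outside the card chip.
"""
import hashlib
import hmac
import json
import secrets
from datetime import date, timedelta


def _encode(body):
    # Canonical serialization so that the verifier recomputes exactly the same bytes
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class CertificationAuthority:
    """Stand-in for the security card certification authority management system."""

    def __init__(self, ca_key):
        self._key = ca_key

    def issue(self, holder, firewall_id, level, days_valid, today):
        """Produce the certificate that the CAMS loads into a formatted card."""
        body = {
            "holder": holder,
            "firewall": firewall_id,          # the card is bound to one firewall
            "level": level,                   # authority level, changeable only by the CA
            "not_after": (today + timedelta(days=days_valid)).isoformat(),
        }
        tag = hmac.new(self._key, _encode(body), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


def verify_certificate(ca_key, certificate, firewall_id, today):
    """Firewall-side check of a card's certificate; returns None if valid, else the reason."""
    expected = hmac.new(ca_key, _encode(certificate["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, certificate["tag"]):
        return "certificate tag invalid (tampered or not issued by the CA)"
    body = certificate["body"]
    if body["firewall"] != firewall_id:
        return "certificate issued for another firewall"
    if date.fromisoformat(body["not_after"]) < today:
        return "certificate expired"
    return None


class SecurityCard:
    """Simulated smart card: holds the certificate and verifies the PIN itself."""

    MAX_PIN_TRIES = 3   # assumed; after this many failures the card is blocked

    def __init__(self, certificate, pin):
        self.certificate = certificate
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash(pin, self._salt)
        self._tries_left = self.MAX_PIN_TRIES
        self.activated = False

    @staticmethod
    def _hash(pin, salt):
        # Slow salted hash so the stored value does not reveal a short numeric PIN
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def activate(self, pin):
        """PIN check with a retry counter; a blocked card refuses even the right PIN."""
        if self._tries_left == 0:
            return False
        if hmac.compare_digest(self._hash(pin, self._salt), self._pin_hash):
            self._tries_left = self.MAX_PIN_TRIES
            self.activated = True
            return True
        self._tries_left -= 1
        return False


def authorize(card, pin, ca_key, firewall_id, today):
    """What the security manager needs before a security-policy change is allowed:
    an activated card whose certificate is valid for this firewall.  Returns (allowed, reason)."""
    if not card.activate(pin):
        return False, "PIN rejected or card blocked"
    problem = verify_certificate(ca_key, card.certificate, firewall_id, today)
    if problem:
        return False, problem
    body = card.certificate["body"]
    return True, f"holder {body['holder']} at level {body['level']}"


# Constructed sample: the CA issues a card for firewall fw-0001 with PIN 4821.
CA_KEY = secrets.token_bytes(32)
ISSUED = date(2024, 1, 1)
AFTER_EXPIRY = ISSUED + timedelta(days=400)
CA = CertificationAuthority(CA_KEY)

if __name__ == "__main__":
    card = SecurityCard(CA.issue("security-admin", "fw-0001", 3, 365, ISSUED), "4821")
    print(authorize(card, "0000", CA_KEY, "fw-0001", ISSUED))        # wrong PIN
    print(authorize(card, "4821", CA_KEY, "fw-0001", ISSUED))        # accepted
    print(authorize(card, "4821", CA_KEY, "fw-0002", ISSUED))        # card bound to another firewall
    print(authorize(card, "4821", CA_KEY, "fw-0001", AFTER_EXPIRY))  # certificate expired
```

Because the level and firewall binding are covered by the CA's tag, a holder cannot raise his own authority by editing the card contents; and because the PIN is checked with a retry counter, a stolen card cannot be brute-forced through the reader.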
The security logic that protects critical secret data on the basis of the security policy is of the following two kinds:
(1) With the security policy in use, the core operating parameters of the firewall may be configured and modified once authorization has been obtained. This case requires the security card; otherwise the security module refuses the request. (2) Without the security policy in use, the security module allows access to the firewall whether or not the security card is used, but the user's authorization permits only "read" operations, and any "write" operation is rejected.
To strengthen security supervision, the system provides a special authorization mechanism for configuring firewall parameters.
TCP/IP is the communication protocol suite of the Internet, so every computer and network connected to it must run TCP/IP. Under TCP/IP, any data to be transmitted (application-layer data) is divided into small datagrams; each datagram is encapsulated by the transport layer, the IP layer and the network access layer in turn and then transmitted by the physical layer. Encapsulation means that as application-layer data passes down through each layer, every layer prepends its own header to the data segment it receives and hands the result to the layer below. The headers useful for packet filtering are mainly the transport-layer header and the IP header. The TCP/IP formats are known: every packet carries specific information such as the IP source address, IP destination address, protocol type, source port number and destination port number. Packet filtering uses this specific information, together with the routing information determined by the router, to control whether the firewall blocks or permits a given packet.
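The header fields just listed, and how a first-match rule list is applied to them, can be shown in working code. The following is an added example, not the patent's router firmware: it parses a raw IPv4 datagram carrying TCP or UDP, extracts the filtering fields, and evaluates a constructed inbound rule list; the addresses, ports and packets are constructed sample data, and checksums are left at zero because a filter does not consult them. It also covers one edge case the text does not mention: a non-initial IP fragment carries no transport header, so rules that need ports or flags cannot match it and only the layer-3 rules (including the default deny) apply.

```python
"""Packet filtering on the IP and transport headers.

Added illustration, not the patent's router code.  Rule list, addresses and
packets are constructed sample data; checksums are zero.
"""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

IP_HDR = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
TCP_HDR = "!HHIIBBHHH"     # sport, dport, seq, ack, data offset, flags, window, csum, urgent
UDP_HDR = "!HHHH"          # sport, dport, length, csum
TCP, UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_packet(raw):
    """Extract the filtering fields from a raw IPv4 datagram (ValueError if malformed)."""
    if len(raw) < 20:
        raise ValueError("truncated IP header")
    vihl, _tos, _total, _id, flags_frag, _ttl, proto, _csum, src, dst = struct.unpack(IP_HDR, raw[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IPv4 header")
    fragment = (flags_frag & 0x1FFF) != 0   # non-initial fragment: no transport header present
    pkt = {"src": ip_address(src), "dst": ip_address(dst), "proto": proto,
           "sport": None, "dport": None, "ack": False, "fragment": fragment}
    if proto in (TCP, UDP) and not fragment:
        if len(raw) < ihl + 4:
            raise ValueError("truncated transport header")
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", raw[ihl:ihl + 4])
        if proto == TCP:
            if len(raw) < ihl + 20:
                raise ValueError("truncated TCP header")
            pkt["ack"] = bool(raw[ihl + 13] & TCP_ACK)   # flags byte of the TCP header
    return pkt


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: Optional[int] = None  # destination port, None = any
    established: bool = False    # TCP with ACK set, i.e. reply traffic only


PROTO_NUM = {"ip": None, "tcp": TCP, "udp": UDP}


def rule_matches(rule, pkt):
    if PROTO_NUM[rule.proto] is not None and pkt["proto"] != PROTO_NUM[rule.proto]:
        return False
    if pkt["src"] not in ip_network(rule.src) or pkt["dst"] not in ip_network(rule.dst):
        return False
    if (rule.dport is not None or rule.established) and pkt["fragment"]:
        return False   # no ports or flags to test on a non-initial fragment: skip layer-4 rules
    if rule.dport is not None and pkt["dport"] != rule.dport:
        return False
    if rule.established and not pkt["ack"]:
        return False
    return True


def decide(rules, raw):
    """First matching rule decides; anything unmatched is denied."""
    pkt = parse_packet(raw)
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def build_packet(src, dst, proto, sport=0, dport=0, tcp_flags=0, frag_offset=0):
    """Construct a raw IPv4 datagram for testing (checksums zero, no payload)."""
    transport = b""
    if frag_offset == 0:
        if proto == TCP:
            transport = struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
        elif proto == UDP:
            transport = struct.pack(UDP_HDR, sport, dport, 8, 0)
    ip_hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(transport), 1, frag_offset & 0x1FFF, 64, proto, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return ip_hdr + transport


# Constructed inbound rule list for an internal network 192.168.1.0/24.
INBOUND_RULES = [
    Rule("deny", "ip", "192.168.1.0/24", "0.0.0.0/0"),                       # anti-spoofing
    Rule("permit", "tcp", "0.0.0.0/0", "192.168.1.10/32", dport=25),         # mail to the internal server
    Rule("permit", "tcp", "0.0.0.0/0", "192.168.1.0/24", established=True),  # replies to internal clients
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),                            # explicit default deny
]

if __name__ == "__main__":
    samples = {
        "SMTP to the mail server": build_packet("198.51.100.7", "192.168.1.10", TCP, 40000, 25, TCP_SYN),
        "telnet to the mail server": build_packet("198.51.100.7", "192.168.1.10", TCP, 40001, 23, TCP_SYN),
        "spoofed internal source": build_packet("192.168.1.5", "192.168.1.10", TCP, 40002, 25, TCP_SYN),
        "non-initial fragment": build_packet("198.51.100.7", "192.168.1.10", TCP, frag_offset=100),
    }
    for label, raw in samples.items():
        print(f"{label}: {decide(INBOUND_RULES, raw)}")
```

The "established" rule admits any TCP segment with ACK set, which is all a stateless packet filter can do to distinguish replies from new connections; it is one of the reasons the text insists that the correct configuration of the rules is the key to security.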
By means of the exclusive "security rule setting authority" technique and the additional security control authorization mechanism, the present invention achieves strict and reliable control, supervision and audit of network system resource configuration and security rule settings. Within the system, any setting of security-related parameters, and any setting or change of security rules, must pass a security audit. The security audit of the present invention has three levels: the general management level, the supervisor level and the security management level. Entering the security management level requires holding a legal security card and entering the correct security card password (PIN).
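The graded control described in this passage and in the two-case security logic above (card required for configuration changes; read-only access when the policy is not in use; refusal of anything not coming from the system management software) can be written as a single command gate. This is an added example, not the patent's code. The page names the three levels and the card-and-PIN requirement for the security management level; the command classification table, the treatment of the supervisor level (forwarded but logged), the session fields and the rule that only general-level commands count as "read" operations are assumptions.

```python
"""Graded command control in the security manager.

Added illustration (not the patent's code).  The command table, the handling of
the supervisor level, the session fields and the reading of "read operation"
as general-level commands are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime

GENERAL, SUPERVISOR, SECURITY_MGMT = 1, 2, 3

# Assumed classification table keyed on the first word of the console command.
# Unknown commands fall to the highest level (fail closed).
COMMAND_LEVELS = {
    "show": GENERAL, "ping": GENERAL, "traceroute": GENERAL,
    "enable": SUPERVISOR, "clear": SUPERVISOR, "debug": SUPERVISOR,
    "configure": SECURITY_MGMT, "access-list": SECURITY_MGMT, "ip": SECURITY_MGMT,
    "line": SECURITY_MGMT, "write": SECURITY_MGMT, "copy": SECURITY_MGMT, "erase": SECURITY_MGMT,
}


def classify(command):
    words = command.strip().split()
    return COMMAND_LEVELS.get(words[0].lower(), SECURITY_MGMT) if words else GENERAL


@dataclass
class Session:
    management_software: bool = True   # commands arrive from the system management software
    policy_in_use: bool = True         # case (1) above; False is case (2), read-only access
    card_present: bool = False
    pin_verified: bool = False


@dataclass
class SecurityManager:
    audit_log: list = field(default_factory=list)

    def gate(self, session, command, now=None):
        """Decide whether a console command is forwarded to the router.

        Returns (decision, level, reason) with decision "forward" or "refuse",
        and logs every command above the general level with its date and time.
        """
        level = classify(command)
        if not session.management_software:
            decision, reason = "refuse", "not from the system management software"
        elif level == GENERAL:
            decision, reason = "forward", "general management level (read operation)"
        elif not session.policy_in_use:
            decision, reason = "refuse", "security policy not in use: write operations rejected"
        elif level == SUPERVISOR:
            decision, reason = "forward", "supervisor level (recorded)"
        elif session.card_present and session.pin_verified:
            decision, reason = "forward", "security management level: card and PIN verified"
        else:
            decision, reason = "refuse", "security management level: security card and PIN required"
        if level > GENERAL:
            self.audit_log.append({
                "time": (now or datetime.now()).isoformat(timespec="seconds"),
                "command": command, "level": level, "decision": decision, "reason": reason,
            })
        return decision, level, reason


if __name__ == "__main__":
    manager = SecurityManager()
    operator = Session()
    for cmd in ("show access-lists", "configure terminal"):
        print(cmd, "->", manager.gate(operator, cmd))
    operator.card_present = operator.pin_verified = True      # card inserted, PIN accepted
    print("configure terminal ->", manager.gate(operator, "configure terminal"))
    read_only = Session(policy_in_use=False, card_present=True, pin_verified=True)
    print("access-list ... ->", manager.gate(read_only, "access-list 101 permit ip any any"))
    for entry in manager.audit_log:
        print(entry)
```

Classifying on the command's first word is deliberately conservative: anything the table does not list is treated as a security management command, so a new or abbreviated IOS command cannot slip past the card-and-PIN check.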
The system of the present invention is a network security control system based on packet-filtering technology. According to the security rules set by the user, it performs a security inspection of every inbound and outbound packet one by one, lets packets that satisfy the security conditions pass unobstructed and blocks packets that do not, thereby guaranteeing the security of the internal network. The correct configuration of the security rules is therefore the key to guaranteeing network security.
The security rules are configured to block possible attacks on the internal network. The present invention is shipped from the factory with no security rules configured; by default any information may freely enter or leave the network, that is, the device possesses only a routing function. The firewall function takes effect only after the user has configured suitable security rules according to a detailed policy, whereupon the purpose of protecting the internal network is achieved. The present invention can be configured with different security rules according to different security requirements. It also comes with the basic configuration required to guarantee network security, namely the pre-configuration. The "configuration confirmation" program provided by the system management software compares the invention's pre-configured parameters with the user's configured operating parameters and confirms whether the configuration is legal.
Besides satisfying the conditions required for electrical products, use of the system should pay particular attention to the security of the environment: there must be fire-prevention, anti-theft, flood-prevention and dust-prevention measures; dehumidification equipment should be considered in humid locations, and anti-static measures in dry locations.
The invention is characterized in that: the system consists of five parts: a security manager, a system manager, a router, a security card and a security card certification authority management system. The router controls inbound and outbound data according to the configured security rules; the system manager performs the firewall's pre-configuration and security policy configuration (together referred to as system configuration) after obtaining authorization from the security manager; the security manager grants that authorization by verifying the security card and the PIN; and the security card is generated and managed by the security card certification authority management system.
The present invention is placed between an Internet information provider, internal network or dedicated network and the external network. It uses the known packet-filtering technique: according to the configured security rules, it judges the source/destination address or port of each inbound/outbound packet together with the corresponding control protocol, decides whether the inbound/outbound packet is "permitted/denied", and performs the corresponding routing.
The security manager consists of a central control module, an I/O control module, a security control module, a security card identification module and a communication control module, and is connected to the system manager and the router through the communication control module.
The basic operating principle of the security manager is as follows. Its communication control module continuously intercepts the communication data from both ends and forwards it only after judging it; it can also send commands directly to the router to obtain information and data. For data (commands) coming from the system manager, the security control module compares them with the entries of a table stored in the module and applies graded security control; once it determines that special authorization and legal identification are required, it requires the user to insert the security card and enter the Personal Identification Number (PIN) that correctly identifies the user. At the same time it makes the necessary records and memory dumps of the data (information) coming from the router and from the system manager. According to the firewall's running state, the security manager indicates its own operating state, supported by a liquid crystal display showing one of three states: "normal", "error" and "alarm". When it finds that the firewall's configuration file may have been modified, it sounds an audible warning prompting the security administrator to confirm.
The system manager consists of a 386-class or better microcomputer (or a dedicated PC) and the system management software, which has an advanced graphical user interface (GUI) and runs under the Windows environment. Software requirements: operating system DOS 5.0 or later; runtime environment Chinese Windows 3.1 or later, or English Windows 3.0 or later (on English Windows, Chinese Star or another Chinese-character platform must be loaded). Hardware requirements: IBM PC or compatible (80386DX processor, 4 MB of memory, one floppy drive, one serial port for the console link, one mouse port), with at least 20 MB of free hard disk space. An 80486DX or better computer, 8 MB or more of memory and a hard disk of 420 MB or more are recommended.
The system management software consists of functional modules such as a filtering rule editor, a firewall state monitor, an access control list monitor and an alarm information collector, and is stored on the hard disk.
The system manager is connected to the router's console port via the security manager; it provides menu-driven management, firewall system configuration and security rule configuration, and collects audit information.
The router may be any of the packet-filtering router products commonly available on the world market. A user who already has a packet-filtering router may add the security manager, system manager and other devices to form the system of the present invention; alternatively, the router may be integrated into the security manager. These are particular embodiments of the present invention and do not affect its generality.
The security manager is connected to the router and to the system manager through RS232 interfaces. It provides the communication link between the console and the router, manages the additional authorization mechanism for configuring the router's security rules from the console, records the security manager's usage and fault conditions, collects parameters and data from the router, and stores these data by classification or sends them to the console.