CN1200340C - Network method of safety management of firewall equipment - Google Patents


Info

Publication number
CN1200340C
Authority
CN
China
Prior art keywords
management
firewall
network
work station
firewall box
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CN 02116933
Other languages
Chinese (zh)
Other versions
CN1453700A (en)
Inventor
韦卫
许春生
黄琛
吕晓东
肖为剑
杨义
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2002-04-26
Filing date
2002-04-26
Publication date
2005-05-04
Application filed by Lenovo Beijing Ltd
Priority to CN 02116933
Publication of CN1453700A: 2003-11-05
Application granted
Publication of CN1200340C: 2005-05-04
Legal status: Expired - Lifetime

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention discloses a method for carrying out security management of firewall devices over a network. A management workstation is used, and a firewall management agent module is installed in each managed firewall device. The firewall management agent module communicates with the management workstation over the network and sends information about the firewall device to it. The management workstation collects the information sent by the firewall agent module and sends operation commands to the agent module, thereby monitoring and managing the managed firewall device. One management workstation can manage a plurality of firewall devices over the network, and, on a large network, a management center can additionally be used to centrally manage a plurality of management workstations.

Description

Method for security management of firewall devices over a network
Technical field
The present invention relates to the field of computer network security technology, and in particular to a method for centrally managing one or more firewall devices over a network.
Background technology
Firewall devices are important security equipment in a network, and their maintenance and management are crucial to the security of the network itself. Current firewall management products generally manage only a single device, so each firewall device usually requires a dedicated professional system security administrator. As network size and security technology develop, the configuration and management of the various network security devices, including firewall devices, become ever more complex. The demands placed on the system security administrator therefore keep rising, and for general security administrators without specialist knowledge, any small configuration error on a security device may bring down the entire security system, so they can hardly perform the security management task competently.
Summary of the invention
In view of this, the main object of the present invention is to provide a method for security management of firewall devices over a network, so that management of the firewall devices on the network is centralized and carried out uniformly by professional system security administrators. This both reduces the security risks caused by misoperation by general security administrators and avoids the waste of personnel caused by assigning one security administrator to each firewall device.
To achieve this object, the technical solution of the present invention is as follows: a method for security management of firewall devices over a network, characterized in that one (or more) management workstation is used, and a firewall management agent module is installed in the firewall device; the firewall management agent module and the management workstation communicate over the network, the management workstation discovers firewall devices via the network, the firewall management agent module sends the firewall device's information to the management workstation over the network, and the management workstation collects the information sent by the firewall agent module and sends operation commands to the agent module, thereby monitoring and managing the managed firewall device.
A management workstation can manage many firewall devices over the network. On a larger network with many managed firewall devices, hierarchical management can be used: a management center at the central level is set up to centrally manage several management workstations.
The firewall management agent module can use a plurality of system daemons; after receiving an operation command from the management workstation, it operates the firewall device according to that command.
The management workstation can configure the firewall devices on the network through the configurator in the firewall agent module.
The firewall management agent module can use a data collector to gather information; after receiving the corresponding operation command from the management workstation, the agent module sends the gathered information to the management workstation.
The firewall management agent module can use an event monitor/generator to continuously monitor events inside the firewall device and, under emergency conditions such as system failure, intrusion, traffic blockage or system memory exhaustion, send emergency information directly to the management workstation.
The firewall management agent module can use a log generator to produce system logs; the agent module sends the system logs to the management workstation, which collects and analyzes them.
Preferably, communication between the firewall management agent module and the management workstation uses the Simple Network Management Protocol (SNMP).
Preferably, communication between the firewall management agent module and the management workstation is encrypted using authentication and key agreement, which may proceed as follows: 1) the firewall management agent module and the management workstation authenticate each other using a pre-shared symmetric key, or authentication is achieved by signing with a private key and verifying with the public key; 2) key agreement is carried out between the agent module and the management workstation to form the working key for this secure communication; 3) the working key and a cryptographic algorithm are used to encrypt and integrity-protect the management information exchanged between the agent module and the management workstation.
To make centralized management of many firewalls on the network easier, the management workstation can automatically discover the firewall devices connected to the network, by the following steps: 1) the management workstation sends a device query command to all firewall devices in the network; 2) after receiving the query command, each managed firewall device sends its position in the network topology to the management workstation; 3) after receiving the topology information of the managed firewall devices, the management workstation displays it graphically or as a text table; 4) each firewall device periodically reports its existence to the management workstation; 5) the management workstation receives the report, judges its authenticity, and decides according to the actual situation whether the firewall device is registered.
The management workstation further performs network security zoning of the network bounded by the firewall devices, formulates network-wide and zone security rules and distributes them centrally, and centrally queries the working conditions and system running states of many firewall devices. The management workstation further performs maintenance of the firewall devices, and performs centralized upgrades by operating on all firewall devices in the network simultaneously.
Preferably, the management workstation uses an event monitoring display module to monitor the working conditions and system running states of the managed firewall devices, to display, store, audit as logs or print the information received from the managed firewall devices, and to raise an alarm under emergency conditions such as system failure, intrusion, traffic blockage or system memory exhaustion.
It can be seen from the above solution that the key of the present invention is: a management workstation is used, and a firewall management agent module is installed in the managed firewall device; the two communicate, the working condition and system running state of the firewall device are sent to the management workstation, and the management workstation collects the information sent by each firewall agent module and sends operation commands to each agent module, thereby monitoring and managing the firewall devices.
Therefore, the method provided by the present invention for security management of many firewall devices over a network centralizes the management of the firewall devices on the network so that it is carried out uniformly by professional system security administrators; this both reduces the security risks caused by misoperation by general security administrators and avoids the waste of personnel caused by assigning one security administrator to each firewall device.
Description of drawings
Fig. 1 shows a preferred embodiment of the present invention.
Embodiment
To make the object, technical solutions and advantages of the present invention clearer, the present invention is described in more detail below by way of an example and with reference to the accompanying drawing.
Fig. 1 shows a preferred embodiment of the present invention. Referring to Fig. 1, a management workstation 110 monitors and manages many firewall devices 100 over the network; the figure shows in detail the management process for one firewall device 100. That is, a firewall management agent module 102 is used in the managed firewall device 100 and a management workstation 110 is used; they communicate through the encryption/decryption/authentication processing 107 and network communication protocol processing 108 in the managed firewall device 100 and the encryption/decryption/authentication processing 118 and network communication protocol processing 119 in the management workstation 110; the working condition and system running state of the firewall device 100 are sent to the management workstation 110, and the management workstation 110 collects the information sent by each firewall agent module 102 and sends operation commands to each agent module 102, thereby monitoring and managing the managed firewall device 100.
As shown in Fig. 1, the firewall management agent module 102 is provided in the firewall device 100 and comprises a configurator 103, a data collector 104, an event monitor/generator 105 and a log generator 106; a centralized management application system 111 is provided in the management workstation 110 and comprises device discovery 112, event/fault management 113, monitoring 114, log management 115, configuration management 116 and an event monitoring display module 117 that includes alarms. When facing a larger network, the software at the management workstation 110 end can be deployed in a distributed way: the centralized management application system 111 can be distributed over different processing nodes by physical location or function, and the administrator can manage the whole network centrally from one management center.
Once the firewall agent module 102 and the centralized management application system 111 are all set up, the firewalls and network security of the whole network can be managed through the centralized management application system 111. A specific management process can be as follows:
First, at the firewall device 100 end, the firewall agent module 102 performs data acquisition and event monitoring, receives commands from the management workstation 110, returns data, or executes operations on the managed firewall 100 according to commands from the management workstation 110. The firewall management agent module 102 is implemented as a master agent and a plurality of sub-agent system daemons; the system daemons listen for commands sent by the management workstation 110 and can operate the firewall device 100 according to those commands. After the data collector 104 collects the working state of the firewall operating system, the network hardware status, network traffic and intrusion events from the software and hardware units 101 inside the firewall, the firewall management agent module 102 sends these events to the management workstation 110. According to commands from the management workstation 110, the daemons can also manage the configuration of the software and hardware units 101 inside the firewall device 100 through the configurator 103, for example the security policy of those internal software and hardware units 101.
Meanwhile, the event monitor/generator 105 in the firewall management agent module 102 uses a trap event generator to continuously monitor critical events of the software and hardware units 101 inside the firewall device 100. Under emergency conditions such as failure, intrusion, traffic blockage or memory exhaustion, it can send emergency information directly to the management workstation 110, which performs event/fault management, mainly comprising SNMP trap alarms, log recording, or operations on the managed firewall device 100. This ensures that the management workstation 110 learns of the firewall's emergency in time and takes the corresponding management action.
Then, the firewall agent module 102 and the management workstation 110 communicate. In this embodiment, the network protocol processing 108 of the firewall management agent module 102 and the network protocol processing 119 of the management workstation 110 are implemented with SNMP; the firewall management agent module 102 accepts request messages in SNMPv1, v2 and v3 format and returns responses in the corresponding protocol version.
At the same time, communication between the firewall management agent module 102 and the management workstation 110 is encrypted by the encryption/decryption/authentication processing 107 in the firewall management agent module and the encryption/decryption/authentication processing 118 in the management workstation. The firewall management agent module 102 and the management workstation 110 authenticate each other using a pre-shared symmetric key, or achieve authentication by signing with a private key and verifying with the public key; key agreement is then carried out between the agent module 102 and the management workstation 110 to form the working key of this secret communication, and the working key and a cryptographic algorithm are used to encrypt and integrity-protect the management information exchanged between them.
Finally, at the management workstation 110 end, when the centralized management application system 111 of the management workstation 110 runs for the first time, it collects and generates the device topology and maintains the device list, or the management workstation automatically discovers the managed firewall devices connected to the network: the management workstation 110 sends a device query message to all firewall devices 100 in the network; it then receives the position information in the network topology sent by each managed firewall device 100, such as the IP address, physical location, type, name and unified device identifier, and displays it graphically or as a text table. The management workstation 110 receives the existence reports that the firewall devices 100 send periodically (including at start-up), judges the authenticity of each report, and decides according to the actual situation.
Meanwhile, the event monitoring display module 117 in the management workstation 110 starts together with the centralized management application system 111 and monitors events from the firewall devices 100 in real time. After an event is received, it is displayed formatted by conditions such as time of occurrence, content, source, destination and severity; new events are shown on the interface, and the administrator is alerted in a prominent form (sound, flashing, etc.). This ensures that the system security administrator always knows the working condition and system running state of the firewall 100 and can act on it in time. After the centralized management application system 111 has started, the administrator can at any time operate on the firewall device 100 according to the working condition and system running state shown on the event monitoring display module 117. This operating process comprises: separately configuring and maintaining the operating parameters and security rules of each of the many firewall devices 100; performing network security zoning of the network bounded by these firewall devices 100, formulating network-wide and zone security rules and distributing them centrally; centrally querying the working conditions and system running states of the many firewall devices 100; collecting and analyzing system logs; maintaining the firewall devices 100; centrally upgrading the firewall devices 100, and so on, carried out in the above order.
It can be seen from the above process that the method provided by the present invention for security management of many firewall devices over a network achieves centralized security management of many firewall devices on the network, provides system security administrators with an efficient and powerful security management tool, and improves the efficiency of security management.
The preferred embodiment described above is intended to further explain the object, technical solutions and advantages of the present invention. It should be understood that the above is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (17)

1. A method for security management of firewall devices over a network, characterized in that: a management workstation is used, and a firewall management agent module is installed in the firewall device; the firewall management agent module and the management workstation communicate over the network, the management workstation discovers firewall devices via the network, and the firewall management agent module sends the firewall device's information to the management workstation over the network; the management workstation collects the information sent by the firewall agent module and sends operation commands to the agent module, thereby monitoring and managing the managed firewall device.
2. The method for security management of firewall devices over a network according to claim 1, characterized in that: the firewall management agent module uses a plurality of system daemons which, after receiving an operation command from the management workstation, operate the firewall device according to that command.
3. The method for security management of firewall devices over a network according to claim 1, characterized in that: the management workstation configures the firewall devices on the network through the configurator in the firewall agent module.
4. The method for security management of firewall devices over a network according to claim 1, characterized in that: the firewall management agent module uses a data collector to gather information and, after receiving the corresponding operation command from the management workstation, sends the gathered information to the management workstation.
5. The method for security management of firewall devices over a network according to claim 1, characterized in that: the firewall management agent module uses an event monitor/generator to continuously monitor events inside the firewall device and, under emergency conditions such as system failure, intrusion, traffic blockage or system memory exhaustion, sends emergency information directly to the management workstation.
6. The method for security management of firewall devices over a network according to claim 1, characterized in that: the firewall management agent module uses a log generator to produce system logs and sends them to the management workstation, which collects and analyzes the system logs.
7. The method for security management of firewall devices over a network according to claim 1, characterized in that: communication between the firewall management agent module and the management workstation uses the Simple Network Management Protocol.
8. The method for security management of firewall devices over a network according to claim 1, characterized in that: communication between the firewall management agent module and the management workstation uses an encryption method with authentication and key agreement.
9. The method for security management of firewall devices over a network according to claim 8, characterized in that the encryption method with authentication and key agreement comprises:
1) the firewall management agent module and the management workstation authenticate each other using a pre-shared symmetric key, or authentication is achieved by signing with a private key and verifying with the public key;
2) key agreement is carried out between the firewall management agent module and the management workstation to form the working key for this secure communication;
3) the working key and a cryptographic algorithm are used to encrypt and integrity-protect the management information exchanged between the firewall management agent module and the management workstation.
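The three steps of claim 9 (also given in the summary and the embodiment above) can be made concrete with a small simulation of both endpoints. This is an added example, not Lenovo's code and not the protocol the patent actually shipped: it shows the pre-shared-symmetric-key branch of step 1 as an HMAC challenge/response in both directions, derives the step 2 working key from the key and both sides' nonces with HKDF, and protects each management message in step 3 with encrypt-then-MAC and a sequence number for replay rejection. The key value, the labels, the message framing and the HMAC-based counter-mode keystream are all constructed for the example; the keystream stands in for a standard cipher only because Python's standard library has no AES, and a deployment would use a standard AEAD instead. The signature branch of step 1 is not shown.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Constructed pre-shared symmetric key; in a deployment each agent/workstation
# pair would be provisioned with its own key out of band.
PSK = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0ffeeddccbbaa99887766554433221100")
KEY_INFO = b"firewall-mgmt working key"  # constructed derivation label


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 64) -> bytes:
    """HKDF extract-and-expand (RFC 5869) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def tag(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Illustrative counter-mode keystream built from HMAC-SHA256 (constructed
    stand-in for a standard cipher, see the lead-in)."""
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, struct.pack(">QI", seq, block), hashlib.sha256).digest()
    return out[:length]


class Endpoint:
    """Agent or workstation side: holds the PSK, a fresh nonce, and after the
    handshake the working keys plus sequence counters for replay rejection."""

    def __init__(self, role: str, psk: bytes = PSK):
        self.role, self.psk = role, psk
        self.nonce = secrets.token_bytes(16)
        self.enc_key: Optional[bytes] = None
        self.mac_key: Optional[bytes] = None
        self.send_seq, self.recv_seq = 0, -1

    # Step 1: authentication with the pre-shared symmetric key (challenge/response).
    def auth_proof(self, peer_nonce: bytes) -> bytes:
        return tag(self.psk, self.role.encode(), peer_nonce, self.nonce)

    def verify_peer(self, peer_role: str, peer_nonce: bytes, proof: bytes) -> bool:
        expected = tag(self.psk, peer_role.encode(), self.nonce, peer_nonce)
        return hmac.compare_digest(expected, proof)

    # Step 2: key agreement - both nonces feed the working key, so neither side
    # chooses it alone and the keys of an earlier session cannot be replayed.
    def derive_working_key(self, agent_nonce: bytes, ws_nonce: bytes) -> None:
        okm = hkdf_sha256(self.psk, agent_nonce + ws_nonce, KEY_INFO)
        self.enc_key, self.mac_key = okm[:32], okm[32:]

    # Step 3: encrypt-then-MAC protection of each management message.
    def protect(self, plaintext: bytes) -> bytes:
        seq, self.send_seq = self.send_seq, self.send_seq + 1
        header = struct.pack(">Q", seq)
        ct = bytes(a ^ b for a, b in zip(plaintext, keystream(self.enc_key, seq, len(plaintext))))
        return header + ct + tag(self.mac_key, header, ct)

    def unprotect(self, blob: bytes) -> Optional[bytes]:
        """Return the plaintext, or None when the tag fails or the sequence
        number was already seen (replay). The tag is checked before decrypting."""
        header, ct, mac_ = blob[:8], blob[8:-32], blob[-32:]
        if not hmac.compare_digest(tag(self.mac_key, header, ct), mac_):
            return None
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.recv_seq:
            return None
        self.recv_seq = seq
        return bytes(a ^ b for a, b in zip(ct, keystream(self.enc_key, seq, len(ct))))


def handshake(agent: Endpoint, ws: Endpoint) -> bool:
    """Steps 1 and 2 over an in-memory channel. Returns True when both sides
    authenticated each other and derived the same working key."""
    ws_nonce = ws.nonce                                                 # workstation -> agent
    agent_nonce, agent_proof = agent.nonce, agent.auth_proof(ws_nonce)  # agent -> workstation
    if not ws.verify_peer("agent", agent_nonce, agent_proof):
        return False
    ws_proof = ws.auth_proof(agent_nonce)                               # workstation -> agent
    if not agent.verify_peer("workstation", ws_nonce, ws_proof):
        return False
    agent.derive_working_key(agent_nonce, ws_nonce)
    ws.derive_working_key(agent_nonce, ws_nonce)
    return agent.enc_key == ws.enc_key
```

The roles are bound into the proofs so that a response cannot be reflected back to its sender, the MAC is verified before any decryption, and a message with a sequence number at or below the last accepted one is dropped, which is the replay check that step 3's "integrity verification" needs in practice.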
10. The method for security management of firewall devices over a network according to claim 1, characterized in that the management workstation automatically discovers the firewall devices connected to the network by the following steps:
1) the management workstation sends a device query command to all firewall devices in the network;
2) after receiving the query command, each managed firewall device sends its position in the network topology to the management workstation;
3) after receiving the topology information of the managed firewall devices, the management workstation displays it graphically or as a text table;
4) each firewall device periodically reports its existence to the management workstation;
5) the management workstation receives the report, judges its authenticity, and decides according to the actual situation whether the firewall device is registered.
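The five discovery steps of claim 10 (the same procedure appears in the summary and in the embodiment above) are shown below as the workstation-side logic. This is an added example, not Lenovo's code: the patent does not say how the workstation judges a report's authenticity, so here each provisioned device has a per-device report key and both the query reply and the periodic existence report carry an HMAC over the position payload; the registry, the device identifiers, the timeout and the sample devices are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed registry of device identifiers the administrator has provisioned,
# with the per-device report key each one was given at installation.
REGISTERED_KEYS: Dict[str, bytes] = {
    "fw-0001": b"constructed-report-key-0001",
    "fw-0002": b"constructed-report-key-0002",
}
HEARTBEAT_TIMEOUT = 90.0  # seconds without a report before a device is flagged


@dataclass
class Device:
    dev_id: str
    ip: str
    location: str
    dev_type: str
    name: str
    registered: bool = False
    last_seen: Optional[float] = None


def sign_report(dev_id: str, key: bytes, payload: dict) -> dict:
    """Firewall side: the query reply (step 2) and the periodic existence
    report (step 4) carry the same HMAC-tagged position payload."""
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(key, dev_id.encode() + body, hashlib.sha256).hexdigest()
    return {"dev_id": dev_id, "payload": payload, "tag": mac}


def firewall_report(dev_id: str, key: bytes, ip: str, location: str,
                    dev_type: str, name: str) -> dict:
    """Position information a firewall device sends: IP address, physical
    location, type, name and its unified identifier (dev_id)."""
    return sign_report(dev_id, key, {"ip": ip, "location": location,
                                     "type": dev_type, "name": name})


class Workstation:
    """Workstation side of the discovery procedure."""

    def __init__(self) -> None:
        self.topology: Dict[str, Device] = {}

    def query_command(self) -> dict:
        """Step 1: the query sent to every firewall device on the network."""
        return {"cmd": "device-query"}

    def handle_report(self, report: dict, now: float) -> str:
        """Steps 2-5: a query reply and an existence report are handled alike.
        Check authenticity against the device's provisioned key, then update
        the topology and the registration state."""
        dev_id, p = report["dev_id"], report["payload"]
        key = REGISTERED_KEYS.get(dev_id)
        if key is not None:
            expected = sign_report(dev_id, key, p)["tag"]
            if not hmac.compare_digest(expected, report["tag"]):
                return "rejected"  # bad tag on a provisioned id: ignore it
        dev = self.topology.get(dev_id)
        if dev is None:
            dev = Device(dev_id, p["ip"], p["location"], p["type"], p["name"])
            self.topology[dev_id] = dev
        else:
            dev.ip, dev.location, dev.dev_type, dev.name = p["ip"], p["location"], p["type"], p["name"]
        if key is None:
            return "unregistered"  # listed so the administrator can decide
        dev.registered, dev.last_seen = True, now
        return "alive"

    def stale_devices(self, now: float) -> List[str]:
        """Registered devices whose periodic report is overdue."""
        return [d.dev_id for d in self.topology.values()
                if d.registered and now - (d.last_seen or 0.0) > HEARTBEAT_TIMEOUT]

    def render(self, now: float) -> str:
        """Step 3, text-table form (the patent also allows a graphical view)."""
        stale = set(self.stale_devices(now))
        rows = ["device    ip            type   location      name          state"]
        for d in self.topology.values():
            state = "unregistered" if not d.registered else ("stale" if d.dev_id in stale else "alive")
            rows.append(f"{d.dev_id:<9} {d.ip:<13} {d.dev_type:<6} {d.location:<13} {d.name:<13} {state}")
        return "\n".join(rows)
```

A report with an unknown identifier is kept in the topology but never marked registered, so the administrator sees it and decides (step 5) without the workstation trusting it; a report with a provisioned identifier and a bad tag is discarded without touching the entry, so a forged report cannot move a known device or refresh its liveness.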
11. The method for security management of firewall devices over a network according to claim 1, characterized in that: the management workstation further performs network security zoning of the network bounded by the firewall devices, and formulates network-wide and zone security rules and distributes them centrally.
12. The method for security management of firewall devices over a network according to claim 1, characterized in that: the management workstation further centrally queries the working conditions and system running states of many firewall devices.
13. The method for security management of firewall devices over a network according to claim 1, characterized in that: the management workstation further performs maintenance of the firewall devices.
14. The method for security management of firewall devices over a network according to claim 1, characterized in that: the management workstation centrally upgrades the firewall devices by operating on all firewall devices in the network simultaneously.
15. The method for security management of firewall devices over a network according to claim 1, characterized in that: the management workstation uses an event monitoring display module to monitor the working conditions and system running states of the managed firewall devices, to display, store, audit as logs or print the information received from the managed firewall devices, and to raise an alarm under emergency conditions such as system failure, intrusion, traffic blockage or system memory exhaustion.
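The agent-side event monitor/generator of claim 5 and the workstation-side event monitoring display module of claim 15 (both described in the summary and the embodiment above) form one reporting path, shown below end to end. This is an added example and not Lenovo's code: the status-sample fields, the thresholds that turn a sample into one of the four emergency kinds (failure, intrusion, traffic blockage, memory exhaustion) and the severity ordering are constructed, and the SNMP trap transport is replaced by passing event objects directly so the logic runs offline.

```python
from dataclasses import dataclass
from typing import List

# Constructed thresholds and ordering for the example.
MEMORY_EMERGENCY_PCT = 95
MEMORY_WARNING_PCT = 80
SEVERITY_RANK = {"critical": 0, "major": 1, "warning": 2, "info": 3}
# The four emergency conditions named in the patent; these go out immediately.
EMERGENCY_KINDS = {"fault", "intrusion", "traffic_block", "memory_exhausted"}


@dataclass
class Event:
    time: float
    kind: str
    severity: str
    source: str
    content: str


def monitor_sample(sample: dict) -> List[Event]:
    """Agent side (event monitor/generator): turn one status sample from the
    firewall's internal software/hardware units into zero or more events."""
    t, src, events = sample["time"], sample["device"], []
    state = sample.get("daemon_state")
    if state != "running":
        events.append(Event(t, "fault", "critical", src, f"filter daemon state: {state}"))
    alerts = sample.get("intrusion_alerts", 0)
    if alerts > 0:
        events.append(Event(t, "intrusion", "critical", src,
                            f"{alerts} intrusion alert(s) from the detection unit"))
    if sample.get("link_up", True) and sample.get("forwarded_pps", 1) == 0:
        events.append(Event(t, "traffic_block", "critical", src, "link up but no packets forwarded"))
    mem = sample.get("mem_used_pct", 0)
    if mem >= MEMORY_EMERGENCY_PCT:
        events.append(Event(t, "memory_exhausted", "critical", src, f"memory {mem}% used"))
    elif mem >= MEMORY_WARNING_PCT:
        events.append(Event(t, "memory_high", "warning", src, f"memory {mem}% used"))
    return events


def is_emergency(ev: Event) -> bool:
    """Emergency events bypass the normal polling path (trap-style)."""
    return ev.kind in EMERGENCY_KINDS


class EventDisplay:
    """Workstation side (event monitoring display module): stores events,
    orders them by severity and then recency, and raises alarms."""

    def __init__(self) -> None:
        self.events: List[Event] = []
        self.alarms: List[Event] = []

    def receive(self, ev: Event) -> bool:
        """Store the event; return True when an alarm was raised for it."""
        self.events.append(ev)
        if is_emergency(ev):
            self.alarms.append(ev)  # a real module would also sound/flash here
            return True
        return False

    def listing(self) -> List[Event]:
        return sorted(self.events, key=lambda e: (SEVERITY_RANK[e.severity], -e.time))

    def render(self) -> str:
        """Formatted view by time, severity, source, kind and content."""
        lines = ["time       severity  source    kind              content"]
        for e in self.listing():
            lines.append(f"{e.time:<10.0f} {e.severity:<9} {e.source:<9} {e.kind:<17} {e.content}")
        return "\n".join(lines)
```

Keeping the emergency kinds as a fixed set on the agent side is what lets the workstation treat every such event as an alarm without re-deriving the condition from raw counters, which is the division of work the patent describes between the trap event generator and the display module.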
16. The method for security management of firewall devices over a network according to claim 1, characterized in that: the management workstation manages many firewall devices over the network.
17. The method for security management of firewall devices over a network according to claim 1, characterized in that: a management center is further used to centrally manage a plurality of management workstations.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 02116933 CN1200340C (en) 2002-04-26 2002-04-26 Network method of safety management of firewall equipment

Publications (2)

Publication Number Publication Date
CN1453700A CN1453700A (en) 2003-11-05
CN1200340C true CN1200340C (en) 2005-05-04

Family

ID=29257061

Legal Events

Date Code Title Description
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term

Granted publication date: 20050504