CN1835452A - Computer network strategy management system and strategy management method - Google Patents


Info

Publication number
CN1835452A
Authority
CN (China)
Prior art keywords
data, protocol, policy, message, strategy
Legal status
Granted
Application number
CN 200510055447
Other languages
Chinese (zh)
Other versions
CN100399747C (en)
Inventors
文华
朱震
Current Assignee
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Legal events
Application filed by Lenovo Beijing Ltd
Priority to CNB200510055447XA (CN100399747C)
Publication of CN1835452A
Application granted
Publication of CN100399747C
Status: Expired - Fee Related

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The system comprises a policy management server and a policy management agent located on the managed device. The method includes: the policy data, and policy status information indicating whether the policy data of the managed device has changed, are stored in the policy management server; the policy management agent actively reports registration parameters and policy request parameters to the policy management server; on receiving registration parameters, the policy management server stores them; on receiving policy request parameters, the policy management server returns the policy status information to the policy management agent; on receiving the policy status information, the policy management agent decides whether the policy data has changed; if so, it sends a message requesting policy data to the policy management server, and the policy management server returns the policy data to the managed device.

Description

A computer network policy management system and policy management method
Technical field
The present invention relates to centralized management technology for computer network equipment, and in particular to a computer network policy management system and policy management method.
Background technology
As the scale of network environments grows, the number of devices in the network also rises sharply. These include various routing and switching devices, storage devices, and many security devices such as firewalls, intrusion detection systems (IDS), virtual private network (VPN) equipment and so on.
A very important aspect of managing these many network devices is setting their various operating parameters and operating states; all of this is classed as policy management of the devices. Policy management includes performance management, fault management and so on. As networks keep growing and security threats become increasingly prominent, global policy management of these network devices has become extremely important. The policies may include the configuration policy of a network device, the security policy of a firewall, the VPN policy of VPN equipment, and so on. These policies are numerous and complex to configure, and some only take effect when coordinated globally. For example, the IKE and IPsec policies within a VPN policy are complex to configure, must be configured consistently on every device, and the configuration workload is very large. For these problems there is an urgent need to configure policies centrally and uniformly, distribute them to each device, and have the relevant devices update their policies automatically when a policy changes.
In the prior art, policy management mainly has the management center actively issue the relevant policies to the managed devices. The protocols used include the Simple Network Management Protocol (SNMP) and some vendors' proprietary protocols, and the management mode is the traditional network management mode: a management agent is installed on the managed device, the management center actively probes and controls the state of the managed device, and sends management commands and policy data to it according to that state. The management process is as follows: the administrator creates an object for each managed device in the management center and edits the policy data for each managed device object; the edited policy data is sent, manually or automatically, to the management agent of the relevant managed device, which enforces the policy. When the policy data in the management center changes, the management center distributes it to the relevant managed devices.
The existing technical scheme has the following problems:
1. Because policy management involves many devices, including network switches, firewalls, VPN devices and all kinds of hosts, and network deployment environments are complex, the policy management system must adapt to various complex and large-scale network environments. However, in some network environments the management center of the prior art may not be able to reach the managed devices it manages.
For example, consider a network with network address translation (NAT) devices. In some large networks, because of IP address limitations, a NAT device is used to connect the network and map the addresses of multiple managed devices on the internal network to one external IP address. From outside the NAT device, a managed device inside the NAT cannot be reached directly by its IP address, although the managed devices inside the NAT can reach devices outside it; so a management center located outside the NAT cannot actively deliver policies to the managed devices inside.
As another example, if the managed device obtains its IP address through the Dynamic Host Configuration Protocol (DHCP), the management center cannot locate the managed device by IP address, because that address changes dynamically, and so it cannot distribute policy data to the managed device.
2. Because the prior art has the management center actively issue management commands and policy data to the managed devices, if a remote managed device fails or the network fails, the managed device cannot be reached and policy distribution fails. When the fault is repaired, policy data must be distributed to these managed devices again, which requires either manual intervention or polling the managed devices in turn before it can be guaranteed that the policy data reaches them; consequently policy data cannot be distributed to the managed devices in time.
3. In the existing scheme, because the management center uses SNMP or other simple protocols to actively collect state from and distribute policy data to the managed devices, signaling and data messages are transmitted mixed together; network traffic is very large and the processing load on the management center is heavy, which limits the number of managed devices each management center can manage. Moreover, restrictions on management regions and authority require multiple management centers, but the prior art discloses no means of communication between them, so global policy management cannot be carried out. In sum, the prior art has difficulty adapting to global distributed policy management in large network environments.
Summary of the invention
In view of this, the main object of the present invention is to provide a policy management method for a computer network that improves policy management performance and realizes policy management of network devices in complex network environments.
Another object of the present invention is to provide a policy management system for a computer network that improves policy management performance and realizes policy management of network devices in complex network environments.
To achieve the above objects, the technical scheme of the present invention is:
A policy management method for a computer network, applicable to a computer network comprising a policy management server and managed devices, in which the policy management server stores the policy data corresponding to each managed device and policy status information reflecting changes in that policy data, and the policy management server and the managed devices communicate through signaling protocol messages and data protocol messages; the method comprises:
A. The managed device actively sends to the policy management server a signaling protocol message carrying registration parameters and a signaling protocol message carrying policy request parameters; the signaling protocol messages contain a type identifier;
B. On receiving a protocol message, the policy management server parses it and determines its type from the type identifier it carries. If it is a signaling protocol message, the server further determines which parameters it carries: if registration parameters, it stores them; if policy request parameters, it looks up the policy status information corresponding to the managed device, packs that policy status information into a signaling protocol response message, returns it to the managed device and proceeds to step C. If it is a data protocol message, the server looks up the policy data corresponding to the managed device among the policy data it stores, packs that policy data into a data protocol response message, returns the data protocol response message to the managed device and proceeds to step C;
C. On receiving a protocol response message, the managed device parses it and determines its type from the type identifier it carries. If it is a signaling protocol response message, proceed to step D; if it is a data protocol response message, proceed to step E;
D. Determine from the value of the policy status information in the signaling protocol message whether the policy data has changed; if so, send a data protocol message carrying the type identifier to the policy management server and return to step B; otherwise return to step A;
E. Parse the policy data carried in the data protocol response message, enforce the policy according to that policy data, and return to step A.
Preferably, in step A,
the managed device actively sends the signaling protocol message carrying registration parameters to the policy management server when the registration parameters of the managed device change;
the managed device actively sends the signaling protocol message carrying policy request parameters to the policy management server at timed intervals, or after a fault has occurred and been cleared.
Preferably, in step B, after the policy data corresponding to the managed device is found and before it is packed into the data protocol response message, the method further comprises encrypting and compressing the found policy data;
in step E, after the policy data is parsed and before the policy is enforced according to it, the method further comprises decrypting and decompressing the parsed policy data.
In step E, enforcing the policy according to the policy data specifically comprises:
comparing the policy data with the policy data already present on the managed device, finding the policy data that has changed, and enforcing the policy according to the changed policy data.
Preferably, format information for the policy communication protocol messages is stored in the policy management server and in the managed device;
in step B, after the policy management server receives a protocol message and before it determines the type of the message, it further determines whether the received protocol message conforms to the format described by the format information; if so, it carries out the subsequent operations of step B; otherwise it discards the protocol message and ends the process;
in step C, after the managed device receives a response message and before it determines the type of that message, it further determines whether the received response message conforms to the format described by the format information; if so, it carries out the subsequent operations of step C; otherwise it discards the response message and ends the process.
Preferably, the signaling protocol message comprises only a header, the data protocol message comprises a header and a data part, and the policy data is encapsulated in the data part.
Preferably, the method further comprises:
determining whether the policy data of a managed device has changed; if it has, setting the stored policy status information of the corresponding managed device to the "changed" flag, and if not, setting it to the "unchanged" flag.
A computer network policy management system, comprising a policy management agent and a policy management server that communicate through signaling protocol messages and data protocol messages, wherein:
the policy management agent is located on the managed device and is used to actively send to the policy management server a signaling protocol message carrying registration parameters and a signaling protocol message carrying policy request parameters; to receive the signaling protocol response message returned by the policy management server; to determine from the policy status change information carried in the response message whether the policy data has changed; and, if it has, to send a data protocol message to the policy management server, receive the data protocol response message returned by the policy management server, and enforce the policy on the managed device according to the policy data carried in that response message;
the policy management server is used to store policy data and policy status information reflecting changes in the policy data, and to listen in real time for the protocol messages actively reported by the policy management agent: for a received signaling protocol message carrying registration parameters, it stores the registration parameters; for a received signaling protocol message carrying policy request parameters, it looks up the policy status information corresponding to the managed device, packs it into a signaling protocol response message and returns it to the policy management agent; for a received data protocol message, it looks up the policy data corresponding to the managed device, packs it into a data protocol response message and returns that response message to the managed device.
Preferably, the policy management agent specifically comprises:
a communication protocol client module, used to actively send to the policy management server a signaling protocol message carrying registration parameters and a signaling protocol message carrying policy request parameters; to receive the signaling protocol response message returned by the policy management server; to determine from the policy status change information carried in the response message whether the policy data has changed; and, if it has, to send a data protocol message to the policy management server, receive the data protocol response message returned by the policy management server, parse the policy data from that response message and send it to the policy enforcement module;
a policy enforcement module, used to receive the policy data sent by the communication protocol client module and enforce the policy on the managed device according to it.
Preferably, the policy management server specifically comprises a database, a communication protocol listening module, a communication protocol processing module and a policy data processing module, wherein:
the database is used to store policy data and policy status information reflecting changes in the policy data;
the communication protocol listening module is used to listen for and receive the protocol messages reported by the policy management agent, judge the legitimacy of each protocol message, pass legitimate protocol messages to the communication protocol processing module, and send the response protocol message of the communication protocol processing module back to the policy management agent that sent the protocol message;
the communication protocol processing module is used to receive the protocol message passed from the communication protocol listening module, parse the request message and hand the parsed parameters to the policy data processing module; and to receive the data returned by the policy data processing module and judge its type: if it is policy data, pack it into a data protocol response message, otherwise pack the returned data into a signaling protocol response message; the packed protocol response message is returned to the communication protocol listening module;
the policy data processing module is used to receive the parameters from the communication protocol processing module and access the database according to the parameter type: for registration parameters, store them in the database and return a registration-success message to the communication protocol processing module; for policy request parameters, query the policy status information of the managed device from the database and return it to the communication protocol processing module; for data protocol parameters, query the policy data of the managed device from the database and return it to the communication protocol processing module.
The policy management server further comprises:
a policy data editing module, used to receive externally input edit commands, send an edit signal to the policy data processing module according to the content of the edit command, and receive the edit result returned by the policy data processing module;
the policy data processing module further comprises an editing processing unit, used to receive the edit signal sent by the policy editing module, edit the policy data in the policy database according to the edit signal, and return the edit result to the policy editing module.
The policy data processing module further comprises:
a judging unit, used to determine whether the policy data of each managed device in the database has changed; if it has, the policy status information of the corresponding managed device in the database is set to the "changed" flag, and if not, to the "unchanged" flag.
Preferably, there are multiple policy management servers, divided into a central policy management server and several regional policy management servers; the regional policy management servers communicate with the managed devices, and the central policy management server communicates with each regional policy management server.
In the present invention, because the policy management agent on the managed device actively initiates the policy request to the policy management server, and the server distributes the policy after receiving the request, the invention can adapt to complex and large-scale network environments, for example NAT and DHCP environments.
Specifically, in the present invention the managed device actively accesses the policy management server and carries its own address in the access message, so the policy management server can distribute the policy to the managed device at that address; a network connection can therefore be initiated from inside the NAT and the relevant policy obtained from the policy manager, so the invention is applicable to NAT networks.
Because in the present invention the managed device actively registers its own information, including its name, IP address and operating state, with the policy management server, and re-registers automatically when that information changes so that the policy management server is updated in time, the invention is applicable to network environments in which the managed device's own information changes dynamically, for example DHCP environments.
Because the managed device of the present invention sends signaling protocol messages to the policy management server at regular intervals, after a device or network fault has occurred and been recovered the managed device obtains the updated policy data from the policy management server in time, without the management center having to determine whether the managed device is normal; policy data can therefore be delivered to the managed device promptly after fault recovery.
In addition, because the policy communication protocol of the present invention transmits control information separately from data, being divided into signaling protocol messages and data protocol messages, the signaling message format is simplified and its data volume is small, while the data protocol message encrypts and compresses the transmitted data. The present invention therefore reduces network traffic while guaranteeing the security and reliability of the data, improves the flexibility and extensibility of data transmission, and improves the operating efficiency of the policy management server.
Because the method of the present invention also realizes distributed, layered policy management, multiple regional policy management servers can be deployed on demand, each managing a number of managed devices; for global policies a central policy server can be deployed, from which the regional servers request global policies through the communication protocol. The method of the present invention therefore has better flexibility and extensibility in network deployment and can adapt to large-scale network environments.
Description of drawings
Fig. 1 is a structural block diagram of the policy management system of the present invention;
Fig. 2 is a basic flowchart of the method of the present invention;
Fig. 3 is a flowchart of an embodiment of the invention on the policy management server side;
Fig. 4 is a flowchart of an embodiment of the invention in the policy management agent on the managed device side;
Fig. 5 is a structural diagram of the distributed deployment of policy management servers of the present invention.
Embodiments
The implementation of the present invention is further described below with reference to the drawings and specific embodiments.
Fig. 1 is a structural block diagram of the policy management system of the present invention. As shown in Fig. 1, the policy management system comprises a policy management server 11 and a policy management agent 12. The policy management server 11 and the policy management agent 12 on the managed device communicate through the policy communication protocol. The messages of this policy communication protocol separate control signals from data and are divided into signaling protocol messages and data protocol messages: signaling protocol messages transmit only registration parameters, policy request parameters and policy status information; data protocol messages transmit policy data, and the data protocol can provide encryption and data compression to guarantee the security and reliability of the policy data.
The format of a policy communication protocol message is divided into a header and a data part, and the message is encapsulated in the data part of a User Datagram Protocol (UDP) datagram. The header contains: a protocol identifier, a sequence number, the length of the data part, and transmission parameters; the data part contains the policy data, in encrypted and compressed form. The protocol identifier is a protocol type identifier that indicates whether the message is a signaling protocol message or a data protocol message; the transmission parameters may include registration parameters, policy request parameters, policy status information and so on. A signaling protocol message comprises only the header; a data protocol message comprises the header and the data part. The description of the message format above, together with the protocol identifiers, serves as the format information of the policy communication protocol messages; this format information is stored in the policy management server and in the policy agent of the managed device, and is used to check whether a received message is a legitimate policy communication protocol message. The source and destination addresses of a policy communication protocol message are carried in the header of the encapsulating UDP datagram.
The policy status information indicates whether the policy data corresponding to the managed device changed between the time the policy management server received the previous policy request parameter and the time it received the current one; if it changed, the policy management server sets the policy status information to the "changed" flag, for example the value 1; if not, to the "unchanged" flag, for example the value 0.
Because the policy communication protocol is based on descriptive text, it has good extensibility and adaptability: as long as a description format is defined for a new device or a new policy, it can be added directly to the description text.
The policy communication protocol is a request/response protocol. Each communication consists of the requester sending a request message and the responder returning a response message; receipt of the response message by the requester marks the end of one communication. If no response message is received, a UDP timeout-retransmission mechanism is used; the timeout and the number of retransmissions can be adjusted according to network conditions.
The policy management server 11 is the central module of the policy management system. It is used to edit and store the policy data, the policy status information reflecting changes in the policy data, and the format information of the policy communication protocol messages. The policy management server 11 listens in real time for the protocol messages that the policy agents of the managed devices actively send to it; after receiving a protocol message it parses it and determines the protocol type from the protocol identifier in the header. If it is a signaling protocol message, it looks up the policy status information corresponding to the managed device, packs it into a signaling protocol response message and returns it to the managed device; if it is a data protocol message, it looks up the policy data corresponding to the managed device among the policy data it stores, packs it into a data protocol response message and returns that response message to the managed device.
The policy management server 11 specifically comprises:
a communication protocol listening module 111, used to listen on a UDP port, receive protocol messages and judge their legitimacy, that is, whether the received protocol message conforms to the format described by the format information; legitimate protocol messages are passed to the communication protocol processing module 112 for parsing, illegitimate protocol messages are discarded, and the response protocol message from the communication protocol processing module 112 is sent back through the UDP port to the policy management agent 12 that sent the protocol message;
Communications protocol processing module 112 is used to receive communications protocol and monitors the protocol massages that module 111 transmission come, and resolves this communications protocol request message, gives policy data processing module 113 with the message transmission that is resolved to.This communications protocol processing module 112 judges that by the protocol-identifier of protocol header this protocol massages is signaling protocol message or data protocol message, if signaling protocol message, send managed device identification information and signaling protocol parameter to the policy data processing module, the managed device identification information adopts device name or device address.The signaling protocol parameter comprises facility registration information and status information of equipment, and facility registration information comprises device name, the device address; Status information of equipment comprises the information that reflects equipment working state, when the log-on message of equipment changes, the signaling protocol message will send log-on message, include only status information of equipment under the situation that log-on message does not change, because the tactical management server can return Policy Status information to managed device after receiving status information of equipment, therefore can claim that also status information of equipment is the strategy request parameter; If the data protocol message then sends managed device identification information and data protocol parameter to the policy data processing module, the data protocol parameter comprises the mode of acquisition strategy and the serial number of policy data.The present support sector of strategy obtain manner branch obtains (get) and all obtains (getAll), and get represents then to read the strategy of change if strategy changes; GetAll represents to read whole strategies no matter whether strategy changes; The serial number of 
described policy data is used at policy data more for a long time, will be divided into a plurality of data protocol messages and obtain data, and this serial number is used for the order of identification data protocol massages.Communications protocol processing module 112 also receives the data that policy data processing module 113 is returned, and is packaged into tactful communications protocol response message, this response message is returned to communications protocol monitor module 111; If the data that policy data processing module 113 is returned are policy data, then this policy data is packaged into the data protocol response message, otherwise, the data encapsulation of returning is become the signaling protocol response message, and these data are positioned at the transmission argument section of this signaling protocol response message.
Policy data processing module 113 receives the managed device address information and the protocol parameters parsed by communications protocol processing module 112 and determines the parameter type. For a signaling protocol parameter it further determines whether the parameter is a registration parameter or a policy request parameter: a registration parameter is stored in the entry of policy database 115 that corresponds to the managed device identification; for a policy request parameter the module calls its internal policy status query unit, which looks up the policy status information of the managed device in the policy database by the device identification and returns that information to communications protocol processing module 112. For a data protocol parameter it calls the policy data query unit, which looks up the policy data requested by the parameter in policy database 115 by the managed device identification, encrypts and compresses the data, and returns the encrypted and compressed policy data to communications protocol processing module 112. Policy data processing module 113 further contains an editing processing unit that receives edit signals from policy editor module 114, edits the policy data in the policy database according to those signals and returns the result of the edit to the editor module. The edit signals carry the common edit commands: add, modify and delete policy data. The policy data processing module also contains a judging unit that determines whether the policy data of each managed device in the database has changed; if it has, the policy status information of that managed device in the database is set to the "changed" flag, otherwise it is set to the "unchanged" flag.
Policy data editor module 114 is the interface through which policy data is managed from outside. It receives externally entered edit commands, sends edit signals to policy data processing module 113 according to the content of each command, and receives the edit results returned by policy data processing module 113. The edit commands are the common ones: add, modify and delete policy data.
The policy management agent 12 is installed on the managed device and comprises communications protocol client module 121 and policy enforcement module 122, where:
Communications protocol client module 121 actively sends signaling protocol messages to policy management server 11 at a fixed interval and receives the signaling protocol response messages returned by policy management server 11. From the policy status change information carried in the response it determines whether the policy data has changed. If not, it does nothing; if so, it sends a data protocol message to policy management server 11, receives the data protocol response message returned by the server, parses it and passes the policy data carried in the response to policy enforcement module 122. The sending interval can be configured according to the deployment.
Policy enforcement module 122 receives the policy data sent by communications protocol client module 121 and enforces the policy on the managed device according to that policy data.
The method of the invention applies to a network system comprising a policy management server and managed devices. The policy management server stores policy data and the status information of that policy data, and is used to edit, manage and distribute policy data; the managed devices receive policy data and enforce the policy. The policy management server and the managed devices communicate by means of signaling protocol messages and data protocol messages.
Fig. 2 is the basic flowchart of the method of the invention. As shown in Fig. 2, the flow comprises:
Step 201: the managed device actively sends a signaling protocol message to the policy management server. The message carries a transmission parameter, which is either a registration parameter or a policy request parameter. The registration parameter comprises the name, IP address, running state and similar parameters of the managed device. The policy request parameter indicates that the managed device needs the policy management server to return the policy status information of that device; it may, for example, be policy execution state information, which identifies whether the managed device enforced its policy successfully. When the policy management server parses the policy execution state information it knows that it must return the policy status information of this managed device. The policy management server may also output the policy execution state information to the administrator.
In step 201, a signaling protocol message carrying policy request information must be sent to the policy management server periodically, and also after a fault has occurred and been cleared; a signaling protocol message carrying registration information must be sent to the policy management server whenever a condition occurs that changes the registration information, for example when the device first starts up or when its IP address changes dynamically.
Steps 202 to 204: after receiving a protocol message, the policy management server determines the protocol type from the protocol identifier in the protocol header. For a signaling protocol message it looks up the policy status information corresponding to the managed device, encapsulates it in a signaling protocol response message, returns the response to the managed device and proceeds to step 205. For a data protocol message it looks up the policy data corresponding to the managed device among the policy data it stores, encapsulates it in a data protocol response message, returns that response to the managed device and proceeds to step 205.
Step 205: after receiving the protocol response message, the managed device determines its type from the protocol identifier in the protocol header. For a signaling protocol response message it proceeds to step 206; for a data protocol response message it proceeds to step 208.
Steps 206 to 207: determine from the value of the policy status information in the signaling protocol message whether the policy data has changed. If so, send a data protocol message to the policy management server and return to step 202; otherwise return to step 201.
Step 208: parse the policy data carried in the data protocol response message, enforce the policy according to that policy data and return to step 201.
The above is the overall flow of the method in the embodiment of the invention; below are the separate flows on the policy management server side and on the managed device side.
Fig. 3 is the flowchart of the method of the embodiment on the policy management server side. As shown in Fig. 3, the flow comprises:
Step 301: the policy management server receives a protocol message.
Steps 302 to 303: determine whether the received message is a legitimate policy communications protocol message, that is, whether it conforms to the format described by the stored format information. If so, proceed to step 304; otherwise discard the message, end the processing of the current message and return to step 301 to receive the next protocol message.
Step 304: parse the protocol message, that is, read out the information it carries.
Step 305: determine the type of the protocol message from the message format. For a signaling protocol message proceed to step 306; for a data protocol message proceed to step 312.
Steps 306 to 311: determine whether the protocol parameter carried by the signaling protocol message is a registration parameter or a policy request parameter. For a registration parameter, store it in the entry of the policy database belonging to the managed device, keyed by the managed device identification carried in the message (here this may be the IP address), return a signaling protocol response message containing registration-success information to the managed device and return to step 301 to receive the next protocol message; the managed device handles the response accordingly. For a policy request parameter, use the managed device IP address carried in the message as the index into the policy database, find the policy status information corresponding to that managed device, encapsulate it in a signaling protocol response message, return that response to the managed device and return to step 301 to receive the next protocol message; the managed device handles the response accordingly.
Steps 312 to 314: using the managed device IP address carried in the data protocol message as the index, find the policy data of that managed device among the stored policy data, encrypt and compress it, encapsulate it in a data protocol response message, return that response to the managed device and return to step 301 to receive the next protocol message; the managed device handles the response accordingly.
Fig. 4 is the flowchart of the method of the embodiment in the policy management agent on the managed device side. As shown in Fig. 4, the flow comprises:
Step 401: the policy management agent on the managed device actively sends a signaling protocol message to the policy management server.
Step 402: determine whether a protocol response message has been received. If so, proceed to step 403; otherwise resend the signaling protocol message of step 401 according to the pre-configured timeout retransmission.
Steps 403 to 404: determine whether the received protocol response message is legitimate, that is, whether it conforms to the format described by the stored format information. If so, proceed to step 405; otherwise discard the message.
Step 405: parse the protocol message.
Step 406: determine the type of the protocol response message. For a signaling protocol response message proceed to step 407; for a data protocol response message proceed to step 410.
Step 407: determine whether the signaling protocol response message contains registration-success information or policy status information. If it contains registration-success information, return to step 401 and wait to send the next signaling protocol message; otherwise proceed to step 408.
Steps 408 to 409: determine from the value of the policy status information in the signaling protocol message whether the policy data has changed. If so (for example, the value is 1), send a data protocol message to the policy management server and return to step 402. If an error occurs while sending the data protocol message, resend it according to the pre-configured timeout retransmission mechanism; if it still cannot be sent successfully within the retransmission limit, return to step 401 and keep retrying the data protocol message each time the next signaling request is sent, until it succeeds. If the policy data has not changed, return to step 401 and wait to send the next signaling protocol message.
Step 410: parse the policy data carried in the data protocol response message, that is, read the policy data according to the data length parameter in the data protocol header, then decrypt and decompress it with the shared key to obtain policy data the managed device can interpret.
Step 411: compare the policy data obtained in step 410 with the policy data already present on the managed device and find the policy data that has changed.
Step 412: enforce the policy according to the changed policy data.
In this step, if the managed device holds no policy data at all, all policy data obtained in step 410 is considered changed, and the policy is enforced according to all of it.
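The module description above and the flows of Figs. 2 to 4 can be modelled end to end. The following is an added example written for this page, not code from the patent: a toy policy server and agent exchanging signaling and data messages, with the listener's legitimacy check, registration and status parameters, the policy status flag, get/getAll data requests, timeout retransmission, and the agent's local diff of received policy. The header layout, type values, JSON bodies, deriving the shared key from the user password, and the XOR keystream cipher are assumptions of this example; the patent fixes none of them.

```python
import hashlib, hmac, json, struct, zlib

SIGNALING, DATA = 1, 2          # protocol identifier in the header (values assumed)
MODE_GET, MODE_GET_ALL = 0, 1   # data request mode: only changed items / all items
HDR = struct.Struct("!BBHI")    # assumed header layout: type, flag, serial number, body length

def derive_key(password):
    # Shared key from the device's user password (assumption: SHA-256 of it)
    return hashlib.sha256(password.encode()).digest()

def pack(msg_type, flag, serial, body):
    return HDR.pack(msg_type, flag, serial, len(body)) + body

def parse(datagram):
    # Listener's legitimacy check: wrong layout, unknown type or a bad length field -> dropped (None)
    if datagram is None or len(datagram) < HDR.size:
        return None
    msg_type, flag, serial, length = HDR.unpack_from(datagram)
    if msg_type not in (SIGNALING, DATA) or len(datagram) - HDR.size != length:
        return None
    return msg_type, flag, serial, datagram[HDR.size:]

def _keystream(key, n):
    # Counter-mode SHA-256 keystream: a stand-in for a real cipher, not production crypto
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))

def seal(key, plaintext):
    # Compress, encrypt, then append an HMAC tag so tampering is detected on receipt
    packed = zlib.compress(plaintext)
    ct = bytes(a ^ b for a, b in zip(packed, _keystream(key, len(packed))))
    return ct + hmac.new(key, ct, "sha256").digest()

def open_sealed(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        raise ValueError("policy data failed integrity check")
    return zlib.decompress(bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))))

class PolicyServer:
    def __init__(self, passwords):
        # One entry per provisioned device; passwords are configured out of band (deployment step 2)
        self.db = {dev: {"policy": {}, "served": {}, "changed": False, "key": derive_key(pw)}
                   for dev, pw in passwords.items()}

    def edit_policy(self, device, policy):
        # Editor module writes the policy; the judging unit raises the "changed" flag
        if self.db[device]["policy"] != policy:
            self.db[device].update(policy=dict(policy), changed=True)

    def handle(self, datagram):
        parsed = parse(datagram)
        if parsed is None:
            return None  # illegal message: discarded, no response
        msg_type, flag, serial, body = parsed
        try:
            params = json.loads(body)
            entry = self.db[params["device"]]  # unknown device: dropped as well
        except (ValueError, KeyError, TypeError):
            return None
        if msg_type == SIGNALING:
            if "register" in params:  # registration parameter: store it and confirm
                entry["registration"] = params["register"]
                return pack(SIGNALING, 0, serial, b'{"registered": true}')
            # Policy request parameter: reply with the policy status flag (1 = changed)
            return pack(SIGNALING, int(entry["changed"]), serial, b"{}")
        policy = entry["policy"]
        if flag == MODE_GET:  # get: only items that differ from what was last served
            policy = {k: v for k, v in policy.items() if entry["served"].get(k) != v}
        entry["served"], entry["changed"] = dict(entry["policy"]), False  # flag consumed (assumed)
        return pack(DATA, flag, serial, seal(entry["key"], json.dumps(policy).encode()))

class PolicyAgent:
    # `send` delivers a datagram and returns the reply; None models a lost datagram
    def __init__(self, device, password, send):
        self.device, self.key, self.send = device, derive_key(password), send
        self.applied, self.serial = {}, 0  # policy in force on the device; message counter

    def _request(self, msg_type, flag, params):
        for _ in range(3):  # timeout retransmission with a pre-configured retry count (assumed 3)
            self.serial += 1
            reply = parse(self.send(pack(msg_type, flag, self.serial, json.dumps(params).encode())))
            if reply is not None:
                return reply
        return None

    def register(self, address):
        return self._request(SIGNALING, 0, {"device": self.device, "register": {"addr": address}})

    def poll(self):
        # One timer tick (steps 401-412): report status, fetch only when the server flags a change,
        # then return just the items that differ from what is already in force
        reply = self._request(SIGNALING, 0, {"device": self.device, "status": "ok"})
        if reply is None or reply[1] == 0:
            return {}  # no reply, or policy unchanged: nothing to enforce
        reply = self._request(DATA, MODE_GET_ALL, {"device": self.device})
        policy = json.loads(open_sealed(self.key, reply[3])) if reply else self.applied
        changed = {k: v for k, v in policy.items() if self.applied.get(k) != v}
        self.applied = policy
        return changed
```

The HMAC tag is this example's addition: a shared key used only for encryption gives no integrity protection over UDP, so the agent would otherwise enforce whatever a forged data response carried.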
The system and method may further be hierarchical, with the policy management servers deployed in a distributed manner. Fig. 5 is the structure diagram of the distributed deployment of policy management servers of the invention. As shown in Fig. 5, policy management servers can be deployed in a distributed fashion or expanded as circumstances require. If a unified global policy is to be configured, a central policy management server can be deployed together with several distributed regional policy management servers. Each regional policy management server manages one management domain and the managed devices within that domain, forwards the policy requests of its managed devices and requests global policy data from the central policy management server.
The network deployment environment of the system and method of the invention is described below:
The policies that the system and method of the invention mainly need to manage comprise: configuration policies of network devices, security rules of firewall devices, and Internet Key Exchange (IKE) and Internet Protocol Security (IPsec) policies of virtual private network (VPN) devices. Up to 1000 managed devices can be supported.
In a distributed deployment, for example nationwide, each provincial administrative center needs one regional policy management server, and a central policy management server is deployed at the administrative center in Beijing to take charge of certain global policy data; the regional policy management servers of the provincial administrative centers request the relevant global policies from the central policy management server using the policy communications protocol described above.
A policy management agent is installed on each managed device that requires management. The policy management server has a fixed IP address or domain name, and all management agents access the policy management server by that IP address or domain name.
The policy management server stores the policy data, and the policy management agent obtains the policy data corresponding to its own managed device from the policy management server. The user name or IP address of the managed device serves as the identifier of the policy data, and the user password serves as the shared key for encryption; the scheme can also be extended to use certificates as the means of authentication and encryption.
The deployment method of the system of the invention is described below:
1) Deploy the policy management server and configure an IP address or domain name through which the managed devices can access it.
2) On the managed device hosting the policy management agent, configure the IP address or domain name of the policy server, the policy service port, the user name and password used for authentication and encryption, the interval for periodic sending of signaling protocol messages, and the timeout retry interval and retry count.
3) The administrator edits, through the policy editor module of the policy management server, the policies that the policy management agents will obtain.
4) The policy management agent periodically sends signaling protocol messages to the policy management server, reporting the state of policy enforcement on the managed device so that the policy management server can monitor the managed objects, and at the same time obtaining the state information of the corresponding policy on the management server. If the policy has changed, the agent sends a policy data protocol message to the policy management server, obtains the corresponding policy data and enforces the policy, which takes effect immediately on the managed object.
The above is only a preferred embodiment of the invention; the protection scope of the invention is not limited to it, and any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall fall within the protection scope of the invention.

Claims (13)

1. A policy management method for a computer network, applicable to a computer network comprising a policy management server and managed devices, the policy management server storing the policy data corresponding to the managed devices, characterized in that:
the policy management server stores policy status information reflecting changes in the policy data of the managed devices, the policy management server and the managed devices communicate by means of signaling protocol messages and data protocol messages, and the method comprises:
A. the managed device actively sends to the policy management server signaling protocol messages carrying a registration parameter and signaling protocol messages carrying a policy request parameter, each signaling protocol message containing a type identifier;
B. after receiving a protocol message, the policy management server parses it and determines its type from the type identifier it carries; for a signaling protocol message the server further determines which parameter it carries: if it carries a registration parameter, the server stores the registration parameter; if it carries a policy request parameter, the server looks up the policy status information corresponding to the managed device, encapsulates it in a signaling protocol response message, returns the response to the managed device and proceeds to step C; for a data protocol message the server looks up the policy data corresponding to the managed device among the policy data it stores, encapsulates it in a data protocol response message, returns that response to the managed device and proceeds to step C;
C. after receiving a protocol response message, the managed device parses it and determines its type from the type identifier it carries; for a signaling protocol response message it proceeds to step D; for a data protocol response message it proceeds to step E;
D. determine from the value of the policy status information in the signaling protocol message whether the policy data has changed; if so, send a data protocol message carrying a type identifier to the policy management server and return to step B; otherwise return to step A;
E. parse the policy data carried in the data protocol response message, enforce the policy according to that policy data and return to step A.
2, the method for claim 1 is characterized in that, in the steps A,
The managed device active to the opportunity that the tactical management server sends the signaling protocol message that carries the registration parameter is: send when the registration parameter of managed device changes;
Managed device initiatively to the opportunity that the tactical management server sends the signaling protocol message that carries the strategy request parameter is: timed sending or breaking down and fault is got rid of the back and sent.
3, the method for claim 1 is characterized in that,
Among the step B, after finding described managed device corresponding strategy data, with this policy data, be packaged into the data protocol response message before, further comprise: processing is encrypted, compressed to the policy data that finds;
In the step e, after parsing described policy data, before the policy data implementation strategy, further comprise: to the policy data that parses be decrypted, decompression processing.
As claim 1 or 3 described methods, it is characterized in that 4, in the step e, described detailed process according to the policy data implementation strategy comprises:
Existing policy data in described policy data and the managed device is compared, find out the policy data that changes, according to this policy data implementation strategy that changes.
5, the method for claim 1 is characterized in that, the format information of the described tactful communications protocol message of storage in tactical management server and the managed device;
Among the step B, after the tactical management server is received protocol massages, judge before the type of this protocol massages, further comprise: judge whether the protocol massages of being received meets the form that described format information is described, if, the then subsequent operation of execution in step B; Otherwise, abandon this protocol massages, process ends;
Among the step C, after managed device is received response message, judge before the type of this response message, further comprise: judge whether the response message of being received meets the form that described format information is described, if, the then subsequent operation of execution in step C; Otherwise, abandon this response message, process ends.
6, the method for claim 1 is characterized in that, described signaling protocol message includes only header, and described data protocol message comprises header and data division, and described policy data is encapsulated in data division.
7, the method for claim 1 is characterized in that, described method further comprises:
Whether the policy data of judging managed device changes, if change, then the Policy Status information of the corresponding managed device of being stored is changed to the sign that changes, if do not change, then is changed to the sign that does not change.
8. A computer network policy management system, characterized in that the system comprises a policy management agent and a policy management server, the policy management agent and the policy management server communicating by means of signaling protocol messages and data protocol messages, where:
the policy management agent is arranged on the managed device and is used to actively send to the policy management server signaling protocol messages carrying a registration parameter and signaling protocol messages carrying a policy request parameter, to receive the signaling protocol response messages returned by the policy management server, to determine from the policy status change information carried in the response whether the policy data has changed and, if it has changed, to send a data protocol message to the policy management server, receive the data protocol response message returned by the policy management server and enforce on the managed device the policy carried in that response;
the policy management server is used to store policy data and policy status information reflecting changes in the policy data, and to listen in real time for the protocol messages actively reported by the policy management agent; for a received signaling protocol message carrying a registration parameter it stores the registration parameter; for a received signaling protocol message carrying a policy request parameter it looks up the policy status information corresponding to the managed device, encapsulates it in a signaling protocol response message and returns the response to the policy management agent; for a received data protocol message it looks up the policy data corresponding to the managed device, encapsulates it in a data protocol response message and returns that response to the managed device.
9. The system of claim 8, characterized in that the policy management agent specifically comprises:
a communications protocol client module, used to actively send to the policy management server signaling protocol messages carrying a registration parameter and signaling protocol messages carrying a policy request parameter, to receive the signaling protocol response messages returned by the policy management server, to determine from the policy status change information carried in the response whether the policy data has changed and, if it has changed, to send a data protocol message to the policy management server, receive the data protocol response message returned by the policy management server, parse the policy data from that response and send it to the policy enforcement module;
a policy enforcement module, used to receive the policy data sent by the communications protocol client module and enforce the policy on the managed device according to that policy data.
10. The system of claim 8, characterized in that the policy management server specifically comprises a database, a communications protocol listening module, a communications protocol processing module and a policy data processing module, where:
the database is used to store policy data and policy status information reflecting changes in the policy data;
the communications protocol listening module is used to listen for and receive the protocol messages reported by the policy management agent, to check the legitimacy of each protocol message, to pass legitimate protocol messages to the communications protocol processing module, and to return the response messages of the communications protocol processing module to the policy management agent that sent the protocol message;
the communications protocol processing module is used to receive the protocol messages passed on by the communications protocol listening module, parse each request message and pass the parsed parameters to the policy data processing module; and to receive the data returned by the policy data processing module, determine the data type and, if it is policy data, encapsulate it in a data protocol response message, otherwise encapsulate the returned data in a signaling protocol response message; the encapsulated protocol response message is returned to the communications protocol listening module;
the policy data processing module is used to receive the parameters from the communications protocol processing module and access the database according to the parameter type: for a registration parameter it stores the registration parameter in the database and returns registration-success information to the communications protocol processing module; for a policy request parameter it queries the policy status information of the managed device from the database and returns that information to the communications protocol processing module; for a data protocol parameter it queries the policy data of the managed device from the database and returns that policy data to the communications protocol processing module.
11. The system of claim 10, characterized in that the policy management server further comprises:
a policy data editor module, used to receive externally entered edit commands, send edit signals to the policy data processing module according to the content of each edit command, and receive the edit results returned by the policy data processing module;
the policy data processing module further comprises an editing processing unit, used to receive the edit signals sent by the policy editor module, edit the policy data in the policy database according to the edit signals, and return the edit results to the policy editor module.
12. The system of claim 10, characterized in that the policy data processing module further comprises:
a judging unit, used to determine whether the policy data of each managed device in the database has changed and, if it has, to set the policy status information of the corresponding managed device in the database to the "changed" flag, and if it has not, to set it to the "unchanged" flag.
13. The system of claim 8, characterized in that there are several policy management servers, divided into a central policy management server and several regional policy management servers, the regional policy management servers communicating with the managed devices and the central policy management server communicating with each regional policy management server.
CNB200510055447XA 2005-03-17 2005-03-17 Computer network strategy management system and strategy management method Expired - Fee Related CN100399747C (en)

Publications (2)

Publication Number Publication Date
CN1835452A true CN1835452A (en) 2006-09-20
CN100399747C CN100399747C (en) 2008-07-02

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103152192A (en) * 2011-12-07 2013-06-12 中国移动通信集团浙江有限公司 Data transmission method and network management system
CN103414579A (en) * 2013-07-24 2013-11-27 广东电子工业研究院有限公司 Cross-platform monitoring system applicable to cloud computing and monitoring method thereof
CN104094249A (en) * 2012-04-25 2014-10-08 惠普发展公司,有限责任合伙企业 File transfer using xml
CN104320272A (en) * 2014-10-21 2015-01-28 中国联合网络通信集团有限公司 Device information transmission method and network device
CN106664310A (en) * 2014-09-01 2017-05-10 三星电子株式会社 Electronic device and method for managing re-registration
CN108512743A (en) * 2018-03-06 2018-09-07 北京奇艺世纪科技有限公司 LAN instant messaging method of servicing, device and electronic equipment
CN113434337A (en) * 2021-06-24 2021-09-24 华云数据控股集团有限公司 Retry strategy control method and device and electronic equipment
CN114024824A (en) * 2021-10-27 2022-02-08 中国人民解放军战略支援部队信息工程大学 Quantum network management system
CN115374445A (en) * 2022-03-31 2022-11-22 国家计算机网络与信息安全管理中心 Terminal system security assessment method, device and system based on cross-network scene

Families Citing this family (1)

Publication number Priority date Publication date Assignee Title
KR101684016B1 (en) * 2014-12-11 2016-12-07 현대자동차주식회사 Apparatus for processing a plurality of logging policy and method thereof

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
ATE360937T1 (en) * 1999-06-10 2007-05-15 Alcatel Internetworking Inc SYSTEM AND METHOD FOR SELECTIVE LDAP DATABASE SYNCHRONIZATION
CN1152515C (en) * 2001-06-21 2004-06-02 华为技术有限公司 Network management system based on strategy
KR100887874B1 (en) * 2002-06-28 2009-03-06 주식회사 케이티 System for managing fault of internet and method thereof
JP2004133652A (en) * 2002-10-10 2004-04-30 Business Brain Showa Ota Inc Management solution system and computer program
CN1243432C (en) * 2003-06-26 2006-02-22 中国科学院计算技术研究所 Session and medium authorization method in IP video telephone system based on session start protocol

Cited By (16)

Publication number Priority date Publication date Assignee Title
CN103152192B (en) * 2011-12-07 2016-12-07 中国移动通信集团浙江有限公司 Data transmission method and network management system
CN103152192A (en) * 2011-12-07 2013-06-12 中国移动通信集团浙江有限公司 Data transmission method and network management system
CN104094249A (en) * 2012-04-25 2014-10-08 惠普发展公司,有限责任合伙企业 File transfer using xml
US9614895B2 (en) 2012-04-25 2017-04-04 Hewlett Packard Enterprise Development Lp File transfer using XML
US9860301B2 (en) 2012-04-25 2018-01-02 Ent. Services Development Corporation Lp File transfer using XML
CN103414579A (en) * 2013-07-24 2013-11-27 广东电子工业研究院有限公司 Cross-platform monitoring system applicable to cloud computing and monitoring method thereof
CN106664310B (en) * 2014-09-01 2020-05-19 三星电子株式会社 Electronic device and method for managing re-registration
CN106664310A (en) * 2014-09-01 2017-05-10 三星电子株式会社 Electronic device and method for managing re-registration
CN104320272A (en) * 2014-10-21 2015-01-28 中国联合网络通信集团有限公司 Device information transmission method and network device
CN108512743A (en) * 2018-03-06 2018-09-07 北京奇艺世纪科技有限公司 LAN instant messaging method of servicing, device and electronic equipment
CN113434337A (en) * 2021-06-24 2021-09-24 华云数据控股集团有限公司 Retry strategy control method and device and electronic equipment
CN113434337B (en) * 2021-06-24 2024-03-19 华云数据控股集团有限公司 Retry strategy control method and device and electronic equipment
CN114024824A (en) * 2021-10-27 2022-02-08 中国人民解放军战略支援部队信息工程大学 Quantum network management system
CN114024824B (en) * 2021-10-27 2023-11-17 中国人民解放军战略支援部队信息工程大学 Quantum network management system
CN115374445A (en) * 2022-03-31 2022-11-22 国家计算机网络与信息安全管理中心 Terminal system security assessment method, device and system based on cross-network scene
CN115374445B (en) * 2022-03-31 2024-03-08 国家计算机网络与信息安全管理中心 Terminal system security assessment method, device and system based on cross-network scene

Also Published As

Publication number Publication date
CN100399747C (en) 2008-07-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080702

Termination date: 20210317