RU2637993C2 - Heterogeneous computer network informational resources integration solution - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: according to the solution, the unified centralized secured data repository, which is accessible from every computer network node, is formed in the CM of the computer network, the addressing data and the data on the information exchange among the CM are maintained in the centralized repository, the full suite of the DataMarket access addresses is written to the centralized secured data repository, the computer network node, where the credential information and the data on the executive officers access rights is posted, is singled out from the CM available suite, at a minimum one computer network node is also selected in the computer network for the application server functions implementation. This computer network node is suitable for the remote use of the available software and hardware resources, and the registration information is recorded on it.

EFFECT: network operational reliability level increase.

3 dwg

Description

The invention relates to the field of telecommunications and relates to the integration of information resources of a heterogeneous computer network.

The claimed method can be used to create a common secure transport environment with the integration of information resources to ensure a uniform data exchange between the Central Information Object (CIO) and the complexes of automation tools (KSA) for all computing and information tasks.

A known method of providing access to data in the database management system "Linter-VS", described in the patent of the Russian Federation No. 2130643 (publ. 05/20/1999). In this method, when processing an access request, several successive checks are performed to compare the user admission rank with the access rank of the requested data.

The disadvantage of this method is the limited scope of its use, expressed in its practical implementation for a particular DBMS and the use of a mandatory model to provide user access to data controlled by the DBMS.

There is a method of creating a protection system for a virtual channel of a corporate network built on communication channels and switching means of a public communication network for integrating information resources, which is disclosed in RF patent No. 2143728 (publ. 12/27/1999). In accordance with this method, a closed protocol generation unit, a client authentication unit by IP address, an access permission unit by the server’s logical name are introduced into the system containing the firewalls. The security system is divided into client and server parts.

The disadvantage of this method is the relatively low level of protection, the orientation is to protect all intranet traffic without taking into account the heterogeneity of the data provided by the network resources.

There is a method of creating a protection system for a virtual channel of a corporate network built on communication channels and switching means of a public communication network for integrating information resources, which is disclosed in RF patent No. 2143728 (publ. 12/27/1999). In accordance with this method, a closed protocol generation unit, a client authentication unit by IP address, an access permission unit by the server’s logical name are introduced into the system containing the firewalls. The security system is divided into client and server parts.

The disadvantage of this method is the relatively low level of protection of the virtual channel when building a network with a large number of segments. In this case, user authentication by IP address and logical server name is insufficient due to the frequent cases of development and application of software and hardware tools to replace authentication attributes data for unauthorized access to protected resources.

Closest to the proposed is a method of integrating information resources of a heterogeneous computer network, as set forth in RF patent No. 2359319 (publ. 06/20/2009).

The method consists in the fact that to achieve the indicated effect, the following actions are performed: install system-wide software (OSPO) on each computing installation; provide a unified means of inter-machine information exchange; provide guaranteed secure interaction between end applications through queues of outgoing and incoming messages; create on each computing installation a secure randomized data warehouse, called a personal safe; save queues of outgoing and incoming messages in a personal safe; provide the ability to create and delete information objects called links, with the ability to extract these links to specialized information resources called data marts; provide guaranteed storage of data marts in a personal safe in the form of a collection of links called DataMarket; keep confidential data and official authority in a personal safe; provide mandatory and discretionary control of an official’s access to DataMarket data; provide guaranteed processing of links to DataMarket; systematically check the credentials of each official who is allowed to work with DataMarket and stop the work session of a particular official if at least one parameter from the corresponding access profile stored in the personal safe of the computing installation does not match.

This method effectively solves the problem of combining heterogeneous data sources of a computer network by balancing the number and volume of classifiers of corresponding tasks. Moreover, the proposed method provides an original way of presenting the results of queries, which in the general case have different structures and formats of the data provided.

The disadvantage of the closest analogue is the relatively low level of reliability of the network. This is caused by the presence on each computing installation of a local storage of confidential information (a “personal data safe”) related to the entire computer network. This approach entails the need to synchronize all user “personal safes”, which can lead to a significant decrease in the security of service confidential information, and also increases the requirements for ensuring connectivity (the presence of a constant data channel) of nodes in a given network.

The technical result of the proposed solution is to increase the reliability level of the network, by eliminating personal safes and the formation of a single data warehouse.

The specified technical result is achieved by the fact that in the known method of integrating the information resources of a heterogeneous computer network represented in the form of two connected by a communication network computing units (WU), at least one of which is equipped with a different operating system (OS), and in the context of this The OS operates the final application of this WU, which consists in the fact that at the first stage, they install on each WU the system-wide software (OSPO) by reinstalling the basic set of transport software protocols designed for node addressing and packet routing, as well as a set of application-level data exchange formats, install the same type of inter-machine information exchange tools on each WU that implement the physical connectivity of all WUs, form queues of outgoing and incoming messages to achieve guaranteed secure interaction in the information space between the final applications of the WU, repeat the operations of adding / removing links of data marts of each computing installation centrally read only data warehouse. At the second stage, a single, centralized, protected data warehouse, accessible from any node of the computer network, is formed on the WU of the computer network. The centralized storage stores address information and data on information exchange between the WUs. The entire set of DataMarket links is recorded in a centralized secure data warehouse and the computer network node is allocated from the available set of WUs where information about the authorities and access rights of officials is posted. At least one node is allocated in the computer network to perform the functions of an application server, with the possibility of remote use of the software and hardware resources available on it, and registration information is recorded on it. Initiate, in the absence of the final application required for data processing at the recipient node, a remote application call through the application server. They deploy an additional data service within the computer network, operating in a time mode close to real, for organizing distributed storage of file and other information, monitoring data integrity, replicating, restoring and issuing it on demand for processing by the final application. The lists of users are compared with their permissions on a node of a computer network that performs the functions of authorization and authentication of end users.

Thanks to a new set of essential features in a heterogeneous computer network by eliminating personal safes on each computing installation and creating a single information store, the stated technical result is achieved.

The claimed method is illustrated by drawings, which show:

FIG. 1 - technology for integration into DataMarket;

FIG. 2 - technology to increase the reliability of the network;

FIG. 3 - probability of network discredit.

The claimed method is implemented as follows.

At each WU, system-wide software (OSPO) is installed by reinstalling the basic set of transport protocols for addressing nodes and routing packets, as well as a set of application-level data exchange formats;

establish on each VU the same type of means of inter-machine information exchange, realizing the physical connectivity of all VU;

queues of outgoing and incoming messages are formed to achieve guaranteed secure interaction in the information space between the end-user applications;

repeat the operations of adding / removing links of data marts of each computing installation to a centralized data warehouse, then to the WU of the computer network:

form a single, centralized, secure data warehouse, accessible from any node of the computer network;

store address information and data on information exchange between the WUs in a centralized repository;

record the entire set of DataMarket links in a centralized secure data warehouse;

allocate a node of the computer network from the available set of WUs in which information about the powers and access rights of officials is posted;

also allocate in the computer network at least one node of the computer network to perform the functions of an application server, with the ability to remotely use the available software and hardware resources on it and record registration information on it;

initiate, in the absence of the final application required for data processing at the recipient node, a remote application call through the application server;

deploy within the computer network an additional data transfer service operating in a near real time mode for organizing distributed storage of file and other information, monitoring data integrity, replicating, restoring and issuing it on demand for processing by the final application;

match the lists of users with their privileges on the node of the computer network that performs the functions of authorization and authentication of end users,

moreover, for installing on the WU the same type of means of inter-machine information exchange:

form an intermediate network environment based on the use of the OSI model of the network layer protocol socket mechanism for the interaction of end applications;

formalize information exchange through application protocols of a higher level of abstraction, implemented on the basis of network layer protocols;

determine the interaction of end applications, both through message passing and through a remote procedure call mechanism.

to queue outgoing and incoming messages in order to achieve guaranteed secure interaction between endpoint applications:

form a unified protected information space of the aforementioned computer network by streamlining information exchange between the mentioned end applications by providing an intermediate reassignment of information flows, recoding classifiers of information support, automatic coordination of the formats of the extracted data for their uniform presentation in the interests of joint operation of applications.

The implementation of this method provides an increase in the reliability of the network, which is confirmed by the following:

Obtaining quantitative estimates of improved properties is based on standard considerations in the theory of system reliability.

As the estimated parameter, we choose the probability of network discredit. By network discrediting we mean the transition to the attacker of the information contained on the servers or workstations of the protected computer network, critical from the point of view of violating the confidentiality of information about network users and their professional activities.

There are various approaches to assessing security related, for example, to considering a model of an external and internal attacker, evaluating the resources spent, and so on. However, in its most general form, the probability of network discredit is estimated by the probabilities of several events, the most significant of which are:

probability of hijacking of a network server;

probability of hijacking of a workstation.

In either case, it can be argued that after some time the network’s defamation can be considered a reliable event.

Other security threats exist (for example, an attacker could discredit the network by connecting a workstation to the network or other technical means that are not part of the network), but within the framework of the proposed method, we consider the probability of occurrence of adverse consequences from attempts to implement them to be constant. In other words, the claimed method does not consider measures to counter such threats; they are considered to be governed by other (e.g., organizational) measures.

When organizing a secure network using the closest prototype method, critical confidential information is contained both on the corresponding servers of the computer network, and on workstations, in users' personal safes. Thus, the total probability of network discredit can be calculated by the formula:

, где

where

P _D - the probability of network discredit,

P _serv - the probability of hijacking of a network server,

P _{pc i} - the probability of capture (hacking) of the i-th workstation,

n is the number of workstations in the network.

Considering the usual conditions for the design and creation of network security systems, one can come to the following conclusions (assumptions):

the probabilities of hijacking (hacking) of workstations P _{pc i are} taken to be approximately equal, which, as a first approximation, can be considered a fair statement, based on the fundamental technical similarity of computing facilities. Nevertheless, the method explicitly refers to the heterogeneity of the network, it is assumed, inter alia, the construction of a network with a large number of, possibly of different types of workstations. To account for this heterogeneity, we introduce the concept of reduced probability of capture (hacking) of a workstation P _pc . Those. for the purposes of statistical analysis, we assume the occurrence of this event is equally probable for any network workstation;

the probability of server hijacking (hacking) is much lower than this parameter for a workstation P _serv << P _pc (usually not less than 2 orders of magnitude). Thus, the change in the result of R _D when the multiplier is taken into account (1-P _serv ) is about tenths of a percent, which can be considered a negligible value within the framework of the considered assessment;

Then, taking into account two of these assumptions, the formula for calculating the probability of network discredit will take the form:

R _D ≅1- (1-P _pc ) ⁿ

The right-hand side of the expression considered with respect to the number of workstations n is a parametric logarithmic dependence, which is clearly demonstrated by a diagram of a series of calculations of the total probability with respect to the reduced probability and the number of workstations in the network of FIG. 3

In the proposed method, critical information is stored only on the servers of the computer network. Thus, hacking (hijacking) by an attacker of a workstation is only a necessary condition for starting the procedure of hacking network servers. In other words, an increase in the number of workstations in the network, as well as a decrease in the security of a particular computing installation, asymptotically brings the probability of network discredit not to 1, as in the case of the closest prototype, but to the value of the probability of hacking (hijacking) the server.

Thus, the proposed method for constructing a secure network, unlike the closest prototype, is weakly sensitive to an increase in the number of workstations in the network, which is a fundamental improvement for building real heterogeneous computer networks.

The above security assessment clearly demonstrates the improvement of network security when using the proposed method.

The proposed method may impose increased requirements for the technical availability of network servers (network connectivity), which, however, is not a critical factor compared with similar requirements for a network formed in accordance with the method of the closest prototype.

This statement is based on the fact that in case of technical unavailability of the servers of the formed network, network services will be unavailable in full. The method of constructing the network of the closest prototype in this case gives the user a theoretical opportunity to access the message history, which in practice is not a significant functional advantage.

Claims (1)

A method of integrating information resources of a heterogeneous computer network, presented in the form of two computing units (WUs) connected by a communication network, at least one of which is equipped with a different operating system (OS), and in the context of this OS, the end application of this WU functions, comprising in the fact that at the first stage, system-wide software (OSPO) is installed on each WU by reinstalling the basic set of transport protocols designed for node addressing and routing of packages networks, as well as a set of application-level data exchange formats, install the same type of inter-machine information exchange tools on each WU that implement the physical connectivity of all WUs, form queues of outgoing and incoming messages to achieve guaranteed secure interaction in the information space between the end applications of the WU, repeat the add / removing links of data marts of each computing installation to a centralized data warehouse, characterized in that in the second stage at the WU the computer network form a single, centralized, secure data warehouse accessible from any node of the computer network, store address information and information exchange information between the WUs in the centralized storage, write down the entire set of DataMarket links in a centralized secure data warehouse, and select the computing node from the available set of WUs the network in which information about the powers and access rights of officials is posted also allocates at least one subtraction node to the computer network network to perform the functions of the application server, with the ability to remotely use the software and hardware resources available on it, and record registration information on it, initiate, in the absence of the final application required for data processing on the recipient node, a remote application call through the application server, deploy within the framework of the computer network an additional data transfer service operating in a time mode close to the real one for organizing distributed storage tions and other file information, monitoring of the integrity of data, their replication, recovery and issuance of request for processing to the end application, user lists are compared with their powers on the host computer network, perform authentication and authorization functions of end-users.

Images