WO2007030989A1 - A network management system and the method thereof - Google Patents


Info

Publication number
WO2007030989A1
Authority
WO
WIPO (PCT)
Prior art keywords
ssh
server
snmp
client
module
Prior art date
Application number
PCT/CN2006/000988
Other languages
French (fr)
Chinese (zh)
Inventor
Fuyou Miao
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2007030989A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/08 Protocols specially adapted for terminal emulation, e.g. Telnet
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/16 Implementing security features at a particular protocol layer > H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks > H04L67/125 Protocols specially adapted for proprietary or special-purpose networking environments involving control of end-device applications over a network

Definitions

  • the present invention relates to the field of network management technologies, and in particular to a network management system and method.
  • SNMP: Simple Network Management Protocol
  • the SNMP agent module (agent) resides in the managed device and monitors its operation; the SNMP management module (manager) is located at the network management station, obtains the operating status of the managed device through the SNMP agent module, and sends the administrator's configuration data to the managed device.
  • SNMP has now evolved to its third version, SNMP V3.
  • a security management mode has been added in SNMP V3
  • USM: User-based Security Model
  • the USM is a module embedded in SNMP.
  • the other modules pass the security requirements and security parameters (security name, key and security level) of a packet to the USM.
  • the USM processes the packet according to these parameters, including data origin authentication, data integrity and confidentiality.
  • the USM model needs information such as the key and user name to be configured between every SNMP agent and network management station pair.
  • the USM account or the USM key cannot be shared with other network management systems, which greatly increases the management complexity of SNMP.
  • SSH: Secure Shell
  • the USM account must be re-established for the user in SNMP, which inevitably increases the complexity of SNMP security management.
  • the main object of the present invention is to propose a network management system to reduce the complexity of SNMP security management.
  • Another object of the present invention is to provide a network management method to reduce the complexity of SNMP security management.
  • the present invention provides the following technical solutions:
  • a network management system includes: an SNMP agent module and an SNMP management module, and the system further includes:
  • a session channel establishing device, connected to the SNMP agent module and the SNMP management module respectively, configured to establish, by using the secure shell (SSH) protocol, a session channel between the SNMP agent module and the SNMP management module over which the two modules exchange data.
  • the session channel establishing device includes: an SSH client and an SSH server connected thereto, where
  • the SSH client is further connected to the SNMP management module, configured to establish an SSH transmission connection with the SSH server according to the request of the SNMP management module, and initiate a user authentication request to the SSH server;
  • the SSH server is further connected to the SNMP agent module, and is configured to verify the user authentication request sent by the SSH client, establish a session channel with the SSH client on the SSH transport connection, and start the SNMP agent module connected thereto as a subsystem.
  • the SNMP management module and the SSH client are in the same process.
  • the SNMP agent module and the SSH server connected thereto are located in different processes on the same device.
  • the SSH servers and the SNMP agent modules are equal in number, one or more of each, and are connected in one-to-one correspondence.
  • the SSH client is connected to each SSH server.
  • the system further includes:
  • the authentication server is connected to the SSH server, and is configured to verify the user authentication request forwarded by the SSH server, and send the verification result to the SSH server.
  • a network management method for a management station to manage managed devices through a simple network management protocol comprising:
  • the SNMP agent module and the SNMP management module exchange data by using the session channel.
  • the step A includes:
  • the SSH client establishes an SSH connection with the SSH server according to the request of the SNMP management module.
  • the SSH client initiates a user authentication request to the SSH server by using the SSH transport connection.
  • the SSH server verifies the user authentication request
  • after the verification is passed, the SSH server establishes a session channel with the SSH client and starts the SNMP agent module.
  • the steps of establishing an SSH transmission connection between the SSH client and the SSH server include:
  • the SSH client initiates an SSH transport connection creation request to the SSH server.
  • the SSH server listens for the transport connection creation request and creates an SSH transport connection with the SSH client based on the transport connection creation request.
  • the method further includes:
  • after the SSH server detects the SSH transport connection creation request from the SSH client, it provides a digital signature to the SSH client.
  • the SSH client checks the digital signature.
  • the step of the SSH client initiating a user authentication request to the SSH server is specifically as follows:
  • the SSH client initiates a password authentication request to the SSH server.
  • the steps of the SSH server to start the SNMP agent module include:
  • the SSH client sends a request to start the SNMP agent module to the SSH server.
  • the SSH server initiates the request to start the SNMP agent module as a subsystem and redirects the standard input and output of the SNMP agent to the session channel.
  • the method further comprises: pre-establishing a connection between the authentication server and the SSH server.
  • the step of verifying the user authentication request by the SSH server includes: after receiving the user authentication request initiated by the SSH client, the SSH server sends the user authentication request to the authentication server;
  • the authentication server verifies the user authentication request and sends the verification result to the SSH server.
  • the SSH client establishes an SSH transport connection with the SSH server and initiates a user authentication request to the SSH server; the SSH server verifies the user authentication request, establishes a session channel with the SSH client over the SSH transport connection, and starts the SNMP agent module; the SNMP agent module exchanges data with the SNMP management module over the session channel.
  • because SSH is also the secure shell access tool, the SNMP account can be shared with the account used for command-line interface access. Therefore, after applying the present invention, the SNMP account no longer needs to be configured separately; the SSH account can be applied directly to SNMP management, which greatly reduces the complexity of SNMP security management.
  • an authentication server is employed, and centralized maintenance of user accounts on the authentication server does not require configuration of user information on each managed device, thereby greatly simplifying the configuration.
  • if a user is added who can manage managed device 1, managed device 2 and managed device 3, only that user's account information needs to be configured on the authentication server, together with an indication that the account may manage those three devices; the same account no longer needs to be configured on managed device 1, managed device 2 and managed device 3.
  • because each user in the network commonly manages a large number of devices, possibly hundreds, configuring the user device by device would require hundreds of configurations, whereas applying the present invention requires configuring the user only once, so the invention also greatly reduces the workload of account configuration.
  • FIG. 1 is a schematic block diagram of a system of the present invention.
  • FIG. 2 is a schematic block diagram of a first embodiment of the system of the present invention.
  • FIG. 3 is a schematic block diagram of a second embodiment of the system of the present invention.
  • FIG. 4 is a schematic block diagram of a third embodiment of the system of the present invention.
  • Figure 5 is a flow chart showing the implementation of the method of the present invention.
  • FIG. 6 is a flowchart of establishing a session channel between an SNMP agent module and an SNMP management module in the method of the present invention.
  • the core of the invention is to establish a session channel between the SNMP agent module and the SNMP management module through the SSH (Secure Shell) transport protocol; the SNMP agent module and the SNMP management module use the session channel for data interaction, thereby implementing SNMP network management.
  • SSH: Secure Shell
  • the SSH protocol is a security protocol built on the application layer and the transport layer. It is mainly composed of a transport layer protocol, a user authentication protocol and a connection protocol, which together implement the security and confidentiality mechanisms of SSH.
  • the transport layer protocol provides security measures such as authentication, confidentiality and integrity checks, and also provides data compression.
  • the user authentication protocol is used to implement identity authentication between the server and the client user.
  • the connection protocol allocates the encrypted channel among multiple logical channels, and runs on top of the user authentication protocol.
  • a subsystem is a process run by the SSH server (SSH daemon, sshd).
  • SSH daemon: sshd
  • STDIN and STDOUT: standard input and standard output
  • FIG. 1 is a block diagram of the system of the present invention:
  • the system includes: an SNMP agent module 101, an SNMP management module 103, and a session channel establishing means 11.
  • the SNMP agent module 101 is located on the managed device
  • the SNMP management module 103 is located on the network management device
  • the session channel establishing device 11 is connected to the SNMP agent module 101 and the SNMP management module 103, respectively.
  • the session channel establishing device 11 is configured to establish a session channel between the SNMP agent module and the SNMP management module by using the secure shell (SSH) protocol, so that the SNMP agent module and the SNMP management module can exchange data securely through the session channel; for example, the SNMP management module obtains the running status of the managed device through the SNMP agent module and sends configuration data to the managed device, thereby implementing management of the network device.
  • These managed network devices can be servers, workstations, routers, switches, and the like.
  • FIG. 2 shows a block diagram of the first embodiment of the system according to the invention:
  • the system includes: an SNMP agent module 101, an SSH server 102,
  • the SSH client 104 is connected to the SNMP management module 103, the SSH client 104 is further connected to the SSH server 102, and the SSH server 102 is further connected to the SNMP agent module 101.
  • the SSH client 104 is configured to establish an SSH transport connection with the SSH server 102 and to initiate a user authentication request to the SSH server 102.
  • the SSH server 102 is configured to verify the user authentication request, and establish a session channel with the SSH client 104 on the SSH transmission connection.
  • the SNMP agent module 101 is started as a subsystem; the SNMP agent module 101 uses the session channel to exchange data with the SNMP management module 103.
  • the SNMP agent module 101 is located in the managed device, and may preferably be a process.
  • the SNMP agent module 101 monitors the running status of the managed device, sends that status to the SNMP management module 103 through the session channel established by the SSH server 102 and the SSH client 104, and forwards the configuration data sent by the SNMP management module 103 to the managed device.
  • the SNMP management module 103 initiates a transport connection creation request to the SSH client 104, and the SSH client 104 receives the request and sends the transport connection creation request to the SSH server 102.
  • the SSH server 102 listens for the transport connection creation request from the SSH client 104; the listening port need not be the well-known SSH port assigned by IANA (Internet Assigned Numbers Authority). When the SSH server 102 receives the transport connection creation request from the SSH client 104, it runs the SSH transport protocol, creates an SSH transport connection with the SSH client 104, and provides a digital signature to the SSH client 104.
  • IANA: Internet Assigned Numbers Authority
  • the SSH server 102 verifies the user authentication request sent by the SSH client 104, where the user authentication request sent by the SSH client 104 is preferably a password authentication request.
  • the SSH server 102 checks the password according to a configured policy to complete the user authentication function.
  • the SSH server 102 responds to the session channel connection setup request from the SSH client 104 by creating an interactive session channel and starting the SNMP agent module 101 as a subsystem; the standard input and output (STDIN and STDOUT) of the SNMP agent module 101 are redirected to the created interactive session channel, and the data between the SNMP agent module 101 and the SNMP management module 103 is transmitted over that interactive session channel.
  • the SNMP management module 103 initiates a transport connection creation request to the SSH client 104, and the SSH client 104 sends the transport connection creation request to the SSH server 102, which creates an SSH transport connection with the SSH client 104.
  • the SNMP management module 103 sends a data transfer request to the SSH client 104, and the SSH client 104 sends the data transfer request to the SSH server 102, which then sends data to the SSH client 104 or receives data from the SSH client 104.
  • the SNMP management module 103 is usually in the same process as the SSH client 104, and may also be located in different processes of the same device.
  • the SNMP management module 103 is located on the management station; preferably, the SNMP agent module 101 and the SSH server 102 are located on the same device.
  • the SSH client 104 is configured to initiate a transport connection creation request to the SSH server 102, check the digital signature of the SSH server 102, and initiate a user authentication request to the SSH server 102.
  • the SSH client 104 is further configured to initiate a session channel connection establishment request to the SSH server 102, instructing the SSH server 102 to start the SNMP agent module 101 as a subsystem; to acquire data from the SNMP management module 103 and transmit it to the SSH server 102; or to receive data from the SSH server 102 and send it to the SNMP management module 103.
  • the SSH client 104 can connect to only one SSH server 102 or multiple SSH servers 102.
  • Figure 3 shows a block diagram of a second embodiment of the system of the present invention:
  • the SSH servers include a first SSH server 203 through an nth SSH server 202, and the SNMP agent modules include a first SNMP agent module 201 through an nth SNMP agent module.
  • the SSH client 205 is connected to each of the first SSH server 203 through the nth SSH server 202; each of the first SSH server 203 through the nth SSH server 202 is connected to its respective SNMP agent module; the SSH client 205 is connected to the SNMP management module 206.
  • the SSH client 205 establishes an SSH transport connection with each of the first SSH server 203 through the nth SSH server 202 and initiates a user authentication request to each; the first SSH server 203 through the nth SSH server 202 each verify the user authentication request they receive; the SSH client 205 also initiates an interactive session to each of the first SSH server 203 through the nth SSH server 202.
  • the SSH client 205 acquires data from the SNMP management module 206 and sends the obtained data to the first SSH server 203 through the nth SSH server 202, or receives data from the first SSH server 203 through the nth SSH server 202 and sends it to the SNMP management module 206.
  • Figure 4 shows a block diagram of a third embodiment of the system of the present invention:
  • the system further includes an authentication server 311, which is connected to each of the first SSH server 303, the second SSH server 306 and so on through the nth SSH server 308.
  • after receiving a user authentication request initiated by the SSH client connected to it, each of the first SSH server 303, the second SSH server 306 and the nth SSH server 308 sends the user authentication request to the authentication server 311; the authentication server 311 verifies each received user authentication request and sends the verification result to the first SSH server 303, the second SSH server 306 and the nth SSH server 308, which each determine from the verification result whether the user authentication is valid.
  • the authentication server is used, and user authentication data is centrally maintained on it, so that user information does not need to be configured on each managed device and management station; this greatly simplifies the configuration of information such as keys and user names between managed devices and management stations and also reduces the workload of maintaining configuration data.
  • FIG. 5 is a flowchart of an implementation of the method of the present invention, including the following steps:
  • Step 501 Establish a secure session channel between the SNMP agent module on the managed device and the SNMP management module on the management station through the SSH protocol.
  • the SSH protocol is a security protocol built on the transport layer; its application is implemented mainly through the connection protocol, which invokes user authentication. Therefore, in the method of the present invention, the SSH protocol is used to improve the security of SNMP: SSH serves as the transmission protocol for SNMP, and the SSH client connected to the SNMP management module and the SSH server connected to the SNMP agent module interact to establish a secure session channel between the SNMP agent module on the managed device and the SNMP management module on the management station. The specific establishment process of the session channel is described in detail below.
  • Step 502 The SNMP agent module and the SNMP management module exchange data by using the session channel.
  • the SNMP agent module can interact with the SNMP management module. Therefore, the SNMP agent module can send the operation status of the managed device to the SNMP management module; the SNMP management module can also send the configuration data of the administrator to the SNMP agent module, and the SNMP agent module sends the data to the managed device.
  • FIG. 6 shows a flow of establishing a session channel between an SNMP agent module and an SNMP management module in the method of the present invention, including the following steps:
  • Step 601 Establish an SSH transmission connection between the SSH client and the SSH server.
  • the SSH client first initiates an SSH transport connection creation request to the SSH server. After the SSH server listens to the transport connection creation request, it creates an SSH transport connection.
  • the SSH server can also provide a digital signature to the SSH client, which checks the digital signature. After the check is successful, the SSH client initiates a user authentication request to the SSH server, where the initiated user authentication request may be a password authentication request.
  • Step 602 The SSH client initiates a user authentication request to the SSH server through the established SSH transmission connection.
  • Step 603 The SSH server verifies the user authentication request.
  • Step 604 After the verification is passed, the SSH server establishes a session channel with the SSH client on the SSH transport connection, and starts the SNMP agent module as a subsystem.
  • the SSH client sends a request to start the SNMP agent module to the SSH server; the SSH server starts the SNMP agent module as a subsystem according to the request, and redirects the STDIN and STDOUT of the SNMP agent to the created session channel.
  • each SSH server needs to start the SNMP agent module as a subsystem, and each SSH server corresponds to one management station.
  • these SSH server modules must use different TCP (Transmission Control Protocol) ports.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A network management system includes: the SNMP agent module; the SNMP manager module; the session channel establishing apparatus, which is separately connected with the SNMP agent module and the SNMP manager module, is used for establishing the session channel between the SNMP agent module and the SNMP manager module with the secure shell SSH protocol. Also a network management method includes: establish the session channel between the SNMP agent module of the managed device and the SNMP manager module of the manager station with the secure shell SSH protocol; the SNMP agent module and the SNMP manager module make use of the session channel to exchange the data. The invention can reduce the complexity of SNMP management.

Description

Network management system and method
Technical field
The present invention relates to the field of network management technologies, and in particular to a network management system and method.
Background art
To solve the problem of managing routers on the Internet, the IETF (Internet Engineering Task Force) proposed SNMP (Simple Network Management Protocol). SNMP is now used to manage network devices such as servers, workstations, routers, switches, network hubs and personal computers. It enables network administrators to manage network operation, find and resolve network problems, and plan network development. In an SNMP network management system, the SNMP agent module (agent) resides in the managed device and monitors its operation; the SNMP management module (manager) is located at the network management station, obtains the operating status of the managed device through the SNMP agent module, and sends the administrator's configuration data to the managed device.
SNMP has now evolved to its third version, SNMP V3. Compared with the previous two versions, SNMP V3 adds a security management mode and introduces USM (User-based Security Model) into its architecture. USM is a module embedded in SNMP: the other modules pass the security requirements and security parameters of a packet (security name, key, security level and so on) to USM, and USM processes the packet according to these parameters, including authenticating the data source and ensuring data integrity and confidentiality.
The USM model requires information such as keys and user names to be configured between every SNMP agent and network management station pair. When the number of managed devices and management stations is large, not only does the amount of configuration data increase sharply, but maintaining that data also becomes very difficult.
In this USM-based SNMP network management mode, the USM account or USM key cannot be shared with other network management systems, which also greatly increases the management complexity of SNMP. For example, if a user has an SSH (Secure Shell) management account, then even where the user's SSH management objects and SNMP management objects are the same, in the prior art using USM that SSH account cannot be used for SNMP management; a USM account must be created separately for the user in SNMP, which inevitably increases the complexity of SNMP security management.
发明内容 Summary of the invention
有鉴于此, 本发明的主要目的在于提出一种网络管理系统, 以减少 SNMP的安全性管理的复杂性。  In view of this, the main object of the present invention is to propose a network management system to reduce the complexity of SNMP security management.
本发明的另一目的是提出一种网络管理方法, 以减少 SNMP的安全 性管理的复杂性。  Another object of the present invention is to provide a network management method to reduce the complexity of SNMP security management.
为达到上述目的, 本发明提供如下的技术方案:  In order to achieve the above object, the present invention provides the following technical solutions:
一种网络管理系统, 包括: SNMP代理模块、 SNMP管理模块, 所 述系统还包括:  A network management system includes: an SNMP agent module and an SNMP management module, and the system further includes:
会话信道建立装置, 分别与所述 SNMP代理模块和所述 SNMP管理 模块相连, 用于通过安全外壳程序 SSH协议在 SNMP代理模块与 SNMP 管理模块之间建立用于所述 SNMP代理模块与所述 SNMP管理模块进行 数据交互的会话信道。  a session channel establishing device, respectively connected to the SNMP agent module and the SNMP management module, configured to establish, between the SNMP agent module and the SNMP management module, the SNMP agent module and the SNMP by using a secure shell SSH protocol The management channel performs a session channel for data interaction.
所述会话信道建立装置包括: SSH客户端和与其相连的 SSH服务器, 其中,  The session channel establishing device includes: an SSH client and an SSH server connected thereto, where
所述 SSH客户端进一步与所述 SNMP管理模块相连,用于根据 SNMP 管理模块的请求与所述 SSH服务器建立 SSH传输连接, 并且向 SSH服 务器发起用户认证请求;  The SSH client is further connected to the SNMP management module, configured to establish an SSH transmission connection with the SSH server according to the request of the SNMP management module, and initiate a user authentication request to the SSH server;
所述 SSH服务器进一步与 SNMP代理模块相连,用于对 SSH客户端 发送的用户认证请求进行验证,在所述 SSH传输连接上建立与 SSH客户 端的会话信道, 并且启动与其相连的 SNMP代理模块作为子系统。  The SSH server is further connected to the SNMP agent module, and is configured to verify the user authentication request sent by the SSH client, establish a session channel with the SSH client on the SSH transmission connection, and start the SNMP agent module connected thereto as a child. system.
可选地, 所述 SNMP管理模块和所述 SSH客户端位于同一进程中。 可选地, 所述 SNMP代理模块和与其对应连接的 SSH服务器位于同 一台设备上的不同进程中。  Optionally, the SNMP management module and the SSH client are in the same process. Optionally, the SNMP agent module and the SSH server connected thereto are located in different processes on the same device.
所述 SSH服务器与所述 SNMP代理模块的数量相同, 分别为一个或 多个, 并且——对应连接。  The number of the SSH server and the SNMP agent module are the same, one or more, and corresponding to the connection.
当有多个 SSH服务器时,所述 SSH客户端分别与各 SSH服务器相连。 可选地, 所述系统进一步包括: When there are multiple SSH servers, the SSH client is connected to each SSH server. Optionally, the system further includes:
认证服务器, 与所述 SSH服务器连接, 用于对所述 SSH服务器转发 的用户认证请求进行验证, 并将验证结果发送给所述 SSH服务器。  The authentication server is connected to the SSH server, and is configured to verify the user authentication request forwarded by the SSH server, and send the verification result to the SSH server.
When there are multiple SSH servers, the authentication server is connected to each SSH server. A network management method that enables a management station to manage managed devices through the Simple Network Management Protocol, the method including:
A. establishing a session channel, through the Secure Shell (SSH) protocol, between the SNMP agent module on the managed device and the SNMP management module on the management station;
B. the SNMP agent module and the SNMP management module exchanging data over the session channel. Step A includes:
the SSH client establishing an SSH transport connection with the SSH server at the request of the SNMP management module;
the SSH client initiating a user authentication request to the SSH server over the SSH transport connection;
the SSH server verifying the user authentication request;
after the verification passes, the SSH server establishing a session channel with the SSH client and starting the SNMP agent module.
The step of establishing the SSH transport connection between the SSH client and the SSH server includes:
the SSH client initiating an SSH transport connection creation request to the SSH server;
the SSH server listening for the transport connection creation request and creating an SSH transport connection with the SSH client according to that request.
The method further includes:
after the SSH server receives the SSH transport connection creation request from the SSH client, providing a digital signature to the SSH client;
the SSH client checking the digital signature. The step of the SSH client initiating a user authentication request to the SSH server is specifically:
the SSH client initiating a password authentication request to the SSH server.
The step of the SSH server starting the SNMP agent module includes:
the SSH client sending a request to start the SNMP agent module to the SSH server;
the SSH server starting the SNMP agent module as a subsystem according to that request, and redirecting the standard input and output of the SNMP agent to the session channel.
Preferably, the method further includes establishing a connection between the authentication server and the SSH server in advance.
In that case, the step of the SSH server verifying the user authentication request includes: after receiving the user authentication request initiated by the SSH client, the SSH server sending the user authentication request to the authentication server;
the authentication server verifying the user authentication request and sending the verification result to the SSH server.
As can be seen from the above technical solution, in the SNMP-based network management system proposed by the present invention the SSH client establishes an SSH transport connection with the SSH server and initiates a user authentication request to the SSH server; the SSH server verifies the user authentication request, establishes a session channel with the SSH client over the SSH transport connection, and starts the SNMP agent module; and the SNMP agent module exchanges data with the SNMP management module over the session channel. Because SSH is at the same time a secure shell access tool, the accounts used for SNMP and the accounts used for command-line interface access can be shared. After applying the present invention, therefore, SNMP accounts no longer need to be configured separately: SSH accounts can be applied directly to SNMP management, which greatly reduces the complexity of SNMP security management.
In addition, the present invention employs an authentication server on which user accounts are maintained centrally, so user information does not need to be configured on every managed device, which greatly simplifies configuration. For example, if a user is added who may manage managed device 1, managed device 2 and managed device 3, the user's account information only needs to be configured on the authentication server, together with an indication that the account may manage these three devices; the same account no longer has to be configured separately on managed device 1, managed device 2 and managed device 3. Since each user in a network can usually manage a large number of devices, possibly hundreds, configuring accounts one by one when a user is added would require hundreds of configuration operations, whereas with the present invention a single configuration suffices. The invention therefore also greatly reduces the workload of account configuration.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a schematic block diagram of the system of the present invention;
Figure 2 is a schematic block diagram of the first embodiment of the system of the present invention;
Figure 3 is a schematic block diagram of the second embodiment of the system of the present invention;
Figure 4 is a schematic block diagram of the third embodiment of the system of the present invention;
Figure 5 is a flowchart of the implementation of the method of the present invention;
Figure 6 is a flowchart of establishing the session channel between the SNMP agent module and the SNMP management module in the method of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
To enable those skilled in the art to better understand the solution of the present invention, the invention is described in further detail below with reference to the accompanying drawings and embodiments.
The core of the invention is to establish a session channel between the SNMP agent module and the SNMP management module through the SSH (Secure Shell) transport protocol; the SNMP agent module and the SNMP management module exchange data over this session channel, thereby implementing SNMP network management.
Those skilled in the art know that the SSH protocol is a security protocol built on the application and transport layers. It consists mainly of a transport layer protocol, a user authentication protocol and a connection protocol, which together implement the security and confidentiality mechanisms of SSH. The transport layer protocol provides security measures such as authentication, confidentiality and integrity checking, and can additionally provide data compression. The user authentication protocol implements identity authentication between the server and the client-side user. The connection protocol multiplexes several logical channels over the encrypted connection and runs on top of the user authentication protocol.
Programs and commands executed on the server over SSH fall into three categories: shell, executable program and subsystem. A subsystem is a process run by the SSH server (SSH daemon, sshd): when a channel is established in the connection protocol after user authentication has succeeded, the process is started and its standard input and output (STDIN and STDOUT) are redirected onto the newly established channel. Because all communication between the user and the subsystem is redirected onto the channel of the SSH connection protocol, all subsequent communication between that process and the user is protected by SSH.
Figure 1 is a schematic block diagram of the system of the present invention:
The system includes an SNMP agent module 101, an SNMP management module 103 and a session channel establishing device 11. The SNMP agent module 101 is located on the managed device, the SNMP management module 103 is located on the network management device, and the session channel establishing device 11 is connected to both the SNMP agent module 101 and the SNMP management module 103.
The session channel establishing device 11 is configured to establish a session channel between the SNMP agent module and the SNMP management module through the Secure Shell (SSH) protocol, so that the SNMP agent module and the SNMP management module can exchange data securely over that channel. For example, the SNMP management module obtains the operating status of the managed device through the SNMP agent module and sends configuration data to the managed device, thereby managing the network device. The managed network devices may be servers, workstations, routers, switches and the like.
Figure 2 shows a schematic block diagram of the first embodiment of the system according to the present invention:
As shown in Figure 2, the system includes an SNMP agent module 101, an SSH server 102, an SNMP management module 103 and an SSH client 104. The SSH client 104 is connected to the SNMP management module 103, the SSH client 104 is further connected to the SSH server 102, and the SSH server 102 is further connected to the SNMP agent module 101. The SSH client 104 is configured to establish an SSH transport connection with the SSH server 102 and to initiate a user authentication request to the SSH server 102; the SSH server 102 is configured to verify the user authentication request, to establish a session channel with the SSH client 104 over the SSH transport connection, and to start the SNMP agent module 101 as a subsystem; and the SNMP agent module 101 uses the session channel to exchange data with the SNMP management module 103.
The SNMP agent module 101 is located in the managed device and is preferably a process. The SNMP agent module 101 monitors the operating status of the managed device, sends that status to the SNMP management module 103 over the session channel established between the SSH server 102 and the SSH client 104, and forwards configuration data sent by the management module 103 to the managed device.
When the network management device needs to exchange data with the managed device, the SNMP management module 103 initiates a transport connection creation request to the SSH client 104, and on receiving it the SSH client 104 sends a transport connection creation request to the SSH server 102. The SSH server 102 listens for transport connection creation requests from the SSH client 104; the listening port need not be the well-known port assigned to SSH by IANA (Internet Assigned Numbers Authority). When the SSH server 102 receives a transport connection creation request from the SSH client 104, it runs the SSH transport protocol, creates an SSH transport connection with the SSH client 104 and provides a digital signature to the SSH client 104. The SSH server 102 also verifies the user authentication request sent by the SSH client 104; that request is preferably a password authentication request, and the SSH server 102 checks the password according to a configured policy to complete user authentication.
After user authentication is complete, the SSH server 102 responds to the session channel connection establishment request from the SSH client 104 by creating an interactive session channel, starts the SNMP agent module 101 as a subsystem, redirects the standard input and output (STDIN and STDOUT) of the SNMP agent module 101 onto the created interactive session channel, and uses that interactive session channel to carry data between the SNMP agent module 101 and the SNMP management module 103.
The SNMP management module 103 initiates a transport connection creation request to the SSH client 104, and the SSH client 104 sends that request to the SSH server 102 to create an SSH transport connection with the SSH client 104. After the interactive session channel has been created, the SNMP management module 103 sends a data transfer request to the SSH client 104, and the SSH client 104 sends the data transfer request to the SSH server 102, so that data can be sent to, or received from, the SSH client 104. The SNMP management module 103 is usually in the same process as the SSH client 104, but may also be in a different process on the same device; preferably the SNMP management module 103 is located on the management station, and preferably the SNMP agent module 101 and the SSH server 102 are located on the same device.
The SSH client 104 is configured to initiate a transport protocol creation request to the SSH server 102, to check the digital signature of the SSH server 102, and to initiate a user authentication request to the SSH server 102. The SSH client 104 is further configured to initiate a session channel connection establishment request to the SSH server 102 and to instruct the SSH server 102 to start the SNMP agent module 101 as a subsystem; and to obtain data from the SNMP management module 103 and send it to the SSH server 102, or to receive data from the SSH server 102 and pass it to the SNMP management module 103.
The SSH client 104 may be connected to a single SSH server 102 or to multiple SSH servers 102.
Figure 3 shows a schematic block diagram of the second embodiment of the system of the present invention:
As shown in Figure 3, the SSH servers comprise a first SSH server 203 through an n-th SSH server 202, and the SNMP agent modules comprise a first SNMP agent module 201 through an n-th SNMP agent module 204 (where n is a positive integer not less than 2). The SSH client 205 is connected to each of the first SSH server 203 through the n-th SSH server 202; the first SSH server 203 through the n-th SSH server 202 are each connected to their respective SNMP agent module; and the SSH client 205 is connected to the SNMP management module 206.
The SSH client 205 initiates a transport protocol creation request to each of the first SSH server 203 through the n-th SSH server 202, and initiates a user authentication request to each of them; the first SSH server 203 through the n-th SSH server 202 each authenticate the user authentication request they receive. The SSH client 205 further initiates an interactive session channel connection establishment request to each of the first SSH server 203 through the n-th SSH server 202, instructing the first SSH server 203 to start the first SNMP agent module 201 as a subsystem, and so on up to the n-th SSH server 202 starting the n-th SNMP agent module 204 as a subsystem. The SSH client 205 obtains data from the SNMP management module 206 and sends it to the respective SSH server among the first SSH server 203 through the n-th SSH server 202, or receives data from those SSH servers and passes it to the SNMP management module 206.
Figure 4 shows a schematic block diagram of the third embodiment of the system of the present invention:
As shown in Figure 4, the system further includes an authentication server 311, which is connected to each of the first SSH server 303, the second SSH server 306, through the n-th SSH server 308. After receiving a user authentication request initiated by the SSH client connected to it, each of the first SSH server 303, the second SSH server 306, through the n-th SSH server 308 sends that user authentication request to the authentication server 311; the authentication server 311 verifies each user authentication request it receives and sends the verification result back to the corresponding SSH server; and the first SSH server 303, the second SSH server 306, through the n-th SSH server 308 each decide, on the basis of the verification result, whether the user authentication is valid.
Figure 4 employs an authentication server, on which user authentication is maintained centrally, so user information does not need to be configured on every managed device and management station. This greatly simplifies the configuration of information such as keys and user names between managed devices and management stations, and also reduces the workload of maintaining configuration data.
Figure 5 is a flowchart of the implementation of the method of the present invention, which includes the following steps:
Step 501: establish a secure session channel through the SSH protocol between the SNMP agent module on the managed device and the SNMP management module on the management station.
Because the SSH protocol is a security protocol built on the transport layer, its applications are implemented mainly through the connection protocol, which invokes user authentication. In the method of the present invention, therefore, the SSH protocol is used to improve the security of SNMP: SSH is used as the transport protocol for SNMP, and the interaction between the SSH client connected to the SNMP management module and the SSH server connected to the SNMP agent module is used to establish a secure session channel between the SNMP agent module and the SNMP management module on the management station. The detailed process of establishing the session channel is described later.
Step 502: the SNMP agent module and the SNMP management module exchange data over the session channel.
Once the session channel has been established, the SNMP agent module can exchange data with the SNMP management module. The SNMP agent module can thus send the operating status of the managed device to the SNMP management module, and the SNMP management module can send the administrator's configuration data to the SNMP agent module, which then passes it on to the managed device.
Figure 6 shows the process of establishing the session channel between the SNMP agent module and the SNMP management module in the method of the present invention, which includes the following steps:
Step 601: establish an SSH transport connection between the SSH client and the SSH server. The SSH client first initiates an SSH transport connection creation request to the SSH server; when the SSH server receives that request, it creates the SSH transport connection. To further improve security, the SSH server may also provide a digital signature to the SSH client, which checks the signature. Once the check passes, the SSH client initiates a user authentication request to the SSH server; the user authentication request may be a password authentication request.
Step 602: the SSH client initiates a user authentication request to the SSH server over the established SSH transport connection.
Step 603: the SSH server verifies the user authentication request.
Step 604: after the verification passes, the SSH server establishes a session channel with the SSH client over the SSH transport connection and starts the SNMP agent module as a subsystem.
When the session channel is established, the SSH client sends a request to the SSH server to start the SNMP agent module; the SSH server starts the SNMP agent module as a subsystem according to that request and redirects the agent's STDIN and STDOUT onto the created session channel.
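As an added example (not part of the patent text), the following stdlib-only Python model shows steps 602 to 604 together with the centralised authentication server of Figure 4: the password check and per-device authorisation are delegated to a constructed account table, and the agent is then started as a subsystem with its STDIN and STDOUT attached to the session channel. The SSH transport connection and host-key signature check are not modelled, a socketpair stands in for the SSH channel, and the agent program and account table are constructed stand-ins.

```python
import hashlib
import hmac
import socket
import subprocess
import sys

# Constructed stand-in for the authentication server's account table (Figure 4):
# user -> (PBKDF2 password hash, set of managed devices the account may manage).
_SALT = b"constructed-example-salt"
_ITERATIONS = 20_000


def _password_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, _ITERATIONS)


AUTH_SERVER_DB = {
    "netops": (_password_hash("correct horse battery"), {"device1", "device2", "device3"}),
}


def auth_server_verify(user: str, password: str, device: str) -> bool:
    """Verification performed by the authentication server on behalf of the SSH
    server running on `device`: the password must match and the account must be
    authorised for that device (the three-device example in the description)."""
    record = AUTH_SERVER_DB.get(user)
    if record is None:
        _password_hash(password)  # same cost for unknown users, avoids a timing tell
        return False
    expected_hash, devices = record
    password_ok = hmac.compare_digest(expected_hash, _password_hash(password))
    return password_ok and device in devices


# Constructed stand-in for the SNMP agent subsystem.  It only talks to STDIN and
# STDOUT, exactly as a real agent would after the SSH server redirects them onto
# the session channel; it answers each request line with one reply line.
AGENT_PROGRAM = r"""
import sys
for line in sys.stdin:
    req = line.strip()
    if req.startswith("GET "):
        sys.stdout.write("RESP " + req[4:] + "=up\n")
    else:
        sys.stdout.write("ERR unsupported request\n")
    sys.stdout.flush()
"""


def start_subsystem(channel_fd: int) -> subprocess.Popen:
    """Step 604 on the SSH server side: start the agent as a subsystem with its
    STDIN and STDOUT redirected onto the session channel (here a socket fd)."""
    return subprocess.Popen(
        [sys.executable, "-c", AGENT_PROGRAM],
        stdin=channel_fd,
        stdout=channel_fd,
    )


def open_session(user: str, password: str, device: str, request: str):
    """Steps 602-604 plus one SNMP-style exchange over the channel.  Returns the
    agent's reply, or None when the authentication server rejects the request."""
    # Steps 602/603: the SSH server forwards the password request to the
    # authentication server and acts on its verdict.
    if not auth_server_verify(user, password, device):
        return None
    # Step 604: open the session channel and start the subsystem on it.
    client_end, server_end = socket.socketpair()
    agent = start_subsystem(server_end.fileno())
    server_end.close()  # the subsystem process now owns its end of the channel
    # SNMP management module -> SSH client -> channel -> agent STDIN
    client_end.sendall((request + "\n").encode("utf-8"))
    client_end.shutdown(socket.SHUT_WR)  # no more requests; agent sees EOF
    # agent STDOUT -> channel -> SSH client -> SNMP management module
    chunks = []
    while True:
        data = client_end.recv(4096)
        if not data:
            break
        chunks.append(data)
    client_end.close()
    agent.wait(timeout=10)
    return b"".join(chunks).decode("utf-8").strip()


if __name__ == "__main__":
    print(open_session("netops", "correct horse battery", "device2", "GET sysUpTime"))
```

The standardised form of this design (RFC 5592, the Secure Shell Transport Model for SNMP) names the subsystem "snmp"; a real deployment declares that subsystem in the SSH server's configuration instead of the constructed agent above.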
In the above process, when multiple management stations need to manage the same device, multiple SSH servers must be started on that device. Each SSH server starts the SNMP agent module as a subsystem, and each SSH server corresponds to one management station. These SSH server modules must also use different TCP (Transmission Control Protocol) ports.
The above process describes managing network devices with SSH alone. The invention is not limited to this, however: it can also be used together with USM, the SNMPv3 User-based Security Model.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit its scope of protection. Any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims

1. A network management system, comprising an SNMP agent module and an SNMP management module, characterised in that the system further comprises: a session channel establishing device, connected to the SNMP agent module and to the SNMP management module respectively, configured to establish, through the Secure Shell (SSH) protocol, a session channel between the SNMP agent module and the SNMP management module over which the SNMP agent module and the SNMP management module exchange data.
2. The network management system according to claim 1, characterised in that the session channel establishing device comprises an SSH client and an SSH server connected to it, wherein:
the SSH client is further connected to the SNMP management module and is configured to establish an SSH transport connection with the SSH server at the request of the SNMP management module, and to initiate a user authentication request to the SSH server;
the SSH server is further connected to the SNMP agent module and is configured to verify the user authentication request sent by the SSH client, to establish a session channel with the SSH client over the SSH transport connection, and to start the SNMP agent module connected to it as a subsystem.
3. The network management system according to claim 2, characterised in that the SNMP management module and the SSH client are located in the same process.
4. The network management system according to claim 2, characterised in that the SNMP agent module and the SSH server connected to it are located in different processes on the same device.
5. The network management system according to claim 2, characterised in that the number of SSH servers equals the number of SNMP agent modules, each being one or more, and they are connected in one-to-one correspondence.
6. The network management system according to claim 2, characterised in that, when there are multiple SSH servers, the SSH client is connected to each SSH server.
7. The network management system according to claim 2, characterised in that the system further comprises:
an authentication server connected to the SSH server, configured to verify the user authentication request forwarded by the SSH server and to send the verification result to the SSH server.
8. The network management system according to claim 7, characterised in that, when there are multiple SSH servers, the authentication server is connected to each SSH server.
9. A network management method that enables a management station to manage managed devices through the Simple Network Management Protocol, characterised in that the method comprises:
A. establishing a session channel, through the Secure Shell (SSH) protocol, between the SNMP agent module on the managed device and the SNMP management module on the management station;
B. the SNMP agent module and the SNMP management module exchanging data over the session channel.
10. The network management method according to claim 9, characterised in that step A comprises:
the SSH client establishing an SSH transport connection with the SSH server at the request of the SNMP management module;
the SSH client initiating a user authentication request to the SSH server over the SSH transport connection;
the SSH server verifying the user authentication request;
after the verification passes, the SSH server establishing a session channel with the SSH client and starting the SNMP agent module.
11、 根据权利要求 10所述的网络管理方法, 其特征在于, 所述建立 11. The network management method according to claim 10, wherein the establishing
SSH客户端与所述 SSH服务器的 SSH传输连接的步骤包括: The steps of connecting the SSH client to the SSH server for SSH transmission include:
SSH客户端向 SSH服务器发起 SSH传输连接创建请求;  The SSH client initiates an SSH transport connection creation request to the SSH server.
SSH服务器侦听该传输连接创建请求, 并根据该传输连接创建请求 创建与 SSH客户端的 SSH传输连接。  The SSH server listens for the transport connection creation request and creates an SSH transport connection with the SSH client based on the transport connection creation request.
12、 根据权利要求 10所述的网絡管理方法, 其特征在于, 所述方法 进一步包括: - 13 - 在 SSH服务器侦听到 SSH客户端的 SSH传输连接创建请求后, 向 SSH客户端提供数字签名; The network management method according to claim 10, wherein the method further comprises: - 13 - After the SSH server listens to the SSH client's SSH transport connection creation request, it provides a digital signature to the SSH client.
SSH客户端检查该数字签名。  The SSH client checks the digital signature.
13、 根据权利要求 10所述的网络管理方法, 其特征在于, 所述 SSH 客户端向 SSH服务器发起用户认证请求的步骤具体为:  The network management method according to claim 10, wherein the step of the SSH client initiating a user authentication request to the SSH server is specifically:
SSH客户端向 SSH服务器发起口令认证请求。  The SSH client initiates a password authentication request to the SSH server.
14、 根据权利要求 10所述的网络管理方法, 其特征在于, 所述 SSH 服务器启动 SNMP代理模块的步驟包括:  The network management method according to claim 10, wherein the step of the SSH server starting the SNMP agent module comprises:
SSH客户端向 SSH服务器发送启动 SNMP代理模块请求;  The SSH client sends a request to start the SNMP proxy module to the SSH server.
SSH服务器根据该请求启动 SNMP代理模块作为子系统,并将 SNMP 代理的标准输入输出重定向到所述会话信道。  Based on the request, the SSH server starts the SNMP agent module as a subsystem and redirects the standard input and output of the SNMP agent to the session channel.
15、 居权利要求 10所述的网络管理方法, 其特征在于, 所述方法 进一步包括:  The network management method of claim 10, wherein the method further comprises:
预先建立认证服务器与 SSH服务器的连接。  Establish a connection between the authentication server and the SSH server in advance.
16、 根据权利要求 15所述的网络管理方法, 其特征在于, 所述 SSH 服务器对该用户认证请求进行验证的步驟包括:  The network management method according to claim 15, wherein the step of verifying the user authentication request by the SSH server comprises:
SSH服务器接收到 SSH客户端发起的用户认证请求后, 向认证服务 器发送该用户认证请求;  After receiving the user authentication request initiated by the SSH client, the SSH server sends the user authentication request to the authentication server.
认证服务器对所述用户认证请求进行验证,并将验证结果发送给所述 SSH服务器。  The authentication server verifies the user authentication request and sends the verification result to the SSH server.
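The procedure of claims 9 to 16 (transport connection, host key signature check, password authentication delegated to an authentication server, then the SNMP agent started as a subsystem with its standard input and output redirected to the session channel) as an added Python model; it is not code from the patent or from any Huawei product. SSHServer, auth_server_verify, the AGENT_SRC child process, the host key identifiers and the password digests are all constructed for illustration, and the SSH transport itself is not implemented.

```python
import hashlib
import hmac
import subprocess
import sys

# Constructed stand-in for the SNMP agent subsystem: a child process answering
# one-line GET requests for a tiny in-memory MIB over its stdin/stdout.
AGENT_SRC = ("import sys\nmib = {'sysName.0': 'router1', 'sysUpTime.0': '12345'}\n"
             "for line in iter(sys.stdin.readline, ''): "
             "print(mib.get(line.strip(), 'noSuchObject'), flush=True)\n")
DEMO_DIGESTS = {"admin": hashlib.sha256(b"correct horse").hexdigest()}  # constructed

def auth_server_verify(digests, user, password):
    """Authentication server of claims 15-16 (hypothetical): checks a password digest."""
    got = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digests.get(user, ""), got)

class SSHServer:
    """SSH server side of claims 10-16; a hypothetical model, not a real SSH stack."""
    def __init__(self, host_key_id, digests):
        self.host_key_id, self.digests = host_key_id, digests
        self.authenticated, self.agent = False, None
    def transport_connect(self):  # claims 11-12: accept, present the host key signature
        return self.host_key_id
    def user_auth(self, user, password):  # claims 13, 16: forward to the auth server
        self.authenticated = auth_server_verify(self.digests, user, password)
        return self.authenticated
    def start_subsystem(self):
        # Claim 14: start the agent as a subsystem with stdio redirected to the
        # session channel, modelled here by the pipes of a child process.
        if not self.authenticated:
            raise PermissionError("subsystem request before authentication")
        self.agent = subprocess.Popen([sys.executable, "-c", AGENT_SRC], text=True,
                                      stdin=subprocess.PIPE, stdout=subprocess.PIPE)
        return self.agent

def snmp_get(agent, oid):  # claim 9 step B: request and reply cross the channel
    print(oid, file=agent.stdin, flush=True)
    return agent.stdout.readline().strip()

def run_session(server, known_host_keys, user, password, oids):
    """Drive the whole procedure; returns the replies, or the step that refused."""
    if server.transport_connect() not in known_host_keys:
        return "host key rejected"       # claim 12: the client checks the signature
    if not server.user_auth(user, password):
        return "authentication failed"   # claim 16: the auth server said no
    agent = server.start_subsystem()
    try:
        return [snmp_get(agent, oid) for oid in oids]
    finally:
        agent.stdin.close()
        agent.wait()
```

On a real OpenSSH server the counterpart of claim 14 is a `Subsystem` directive in sshd_config naming the agent binary, which sshd runs with its stdio attached to the session channel; the model above keeps only that redirection step.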
PCT/CN2006/000988 2005-09-14 2006-05-16 A network management system and the method thereof WO2007030989A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200510102922.4 2005-09-14
CN 200510102922 CN100484027C (en) 2005-09-14 2005-09-14 Network management system and method using simple network management protocol

Publications (1)

Publication Number Publication Date
WO2007030989A1 true WO2007030989A1 (en) 2007-03-22

Family

ID=37864615

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2006/000988 WO2007030989A1 (en) 2005-09-14 2006-05-16 A network management system and the method thereof

Country Status (2)

Country Link
CN (1) CN100484027C (en)
WO (1) WO2007030989A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109379280A (en) * 2018-10-25 2019-02-22 许继电气股份有限公司 A kind of protocol conversion gateway

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101795206B (en) * 2009-11-26 2012-08-15 福建星网锐捷网络有限公司 Method and device for realizing SNMP agent on distributed equipment
CN102148704A (en) * 2011-01-19 2011-08-10 武汉迈威光电技术有限公司 Software implementation method for universal network management interface of safe switch
CN102521099A (en) * 2011-11-24 2012-06-27 深圳市同洲视讯传媒有限公司 Process monitoring method and process monitoring system
CN103001807B (en) * 2012-12-20 2015-09-09 北京思特奇信息技术股份有限公司 A kind of request-reply module corresponding with snmp protocol
CN110247803B (en) * 2019-06-20 2022-05-20 成都积微物联集团股份有限公司 Protocol optimization architecture and method for network management protocol SNMPv3
CN113067834A (en) * 2021-04-09 2021-07-02 上海新炬网络信息技术股份有限公司 Method for remotely controlling server based on Web browser

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6044468A (en) * 1997-08-25 2000-03-28 Emc Corporation Secure transmission using an ordinarily insecure network communication protocol such as SNMP
US6851113B2 (en) * 2001-06-29 2005-02-01 International Business Machines Corporation Secure shell protocol access control
CN1581795A (en) * 2003-08-06 2005-02-16 华为技术有限公司 Network management safety authentication method

Also Published As

Publication number Publication date
CN100484027C (en) 2009-04-29
CN1933418A (en) 2007-03-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06741876

Country of ref document: EP

Kind code of ref document: A1