WO2018088942A1 - Device and method for administration of a server - Google Patents
Publication number: WO2018088942A1 (PCT application PCT/RU2017/050115; authority: WIPO (PCT))
Classifications
- G06F21/62 — Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6227 — Protecting access to data via a platform to a system of files or objects (e.g. local or distributed file system or database) where protection concerns the structure of data, e.g. records, types, queries
- G06F15/163 — Interprocessor communication
- H04L12/00 — Data switching networks
- H04L63/20 — Network architectures or network communication protocols for network security for managing network security; network security policies in general
Definitions
- the present invention generally relates to methods and devices for server administration, in particular to methods and devices for top security server administration.
- the patent document US2016269363 A1 discloses restricting communication in industrial control by integrating virtual private network functionality within a programmable logic controller of an industrial control network so that physical access to network interface is insufficient to access information.
- the programmable logic controller only accepts commands or messages provided through the virtual private network interface and does not accept messages routed directly to the programmable logic controller (20) itself, preventing security breaches in communications.
- security can also be breached, providing access to the logic controller.
- the patent document US2016269445 A1 discloses a method for providing cloud-based network security and access control in a networked computing system, the method comprising: receiving a network traffic request from a user device, identifying the user device, applying rules specific to the network traffic request and the user device, obtaining data specific to the network traffic request in accordance with the applied rules, and providing the data to the user device for presentation to a user in accordance with the applied rules.
- Applying rules may include blocking, capturing, processing, redirecting, reporting on, and/or alerting to, network traffic related to the user device.
- the method may also include monitoring network traffic to and from the user device, and generating reports regarding the monitored network traffic.
- the method may further include detecting a rule violation, and providing a rule violation alert regarding the rule violation to one or more designated alert recipient devices.
- security measures can be circumvented, providing direct access to network traffic; therefore the prior art method is not suitable for use in administration of top security servers.
- a rule engine configured to receive data flows, said data flows being between a network and an application, and a controller.
- the rule engine is provided between said network and said application, and is configured to determine data flow information and in dependence on said information to perform an action with respect to said flow.
- the controller is configured to provide control information to said rule engine to define one or more actions, wherein communications between said rule engine and said controller are secure.
- the object of the present invention is to provide a method and device for top security server administration, providing a high level of server administration security.
- the object is solved by a device for administration of at least one administered server, the device comprising: an intermediate server comprising a random access memory, a read-only memory and a processor.
- the read-only memory of the intermediate server comprises a ruleset determining interaction between a predetermined user and at least one predetermined administered server of the at least one administered server.
- the intermediate server is connected to the at least one administered server and is configured to send commands regarding administrative actions for the administered server to the administered server, and to receive data regarding results of executing said commands.
- the intermediate server is configured to receive user requests to the random access memory for sending commands to carry out administrative actions for the administered server to the administered server, and for processing said requests by means of the processor in accordance with the ruleset.
- the technical result is top security server administration: the disclosed device provides a high level of security in the administration process because it mediates interaction with the administered servers without providing direct access to them. Furthermore, actions regarding the administered servers are monitored.
- the intermediate server comprises input devices configured to receive user input requests regarding the administration of the at least one administered server.
- the intermediate server is configured to receive requests from remote users.
- the intermediate server is configured to record user requests and events in the intermediate server and/or in the at least one administered server associated with said requests.
- the intermediate server is configured to send data to at least one dedicated user.
- the ruleset comprises a refusal to carry out the request from the predetermined user regarding the at least one predetermined administered server.
- the ruleset comprises a permission to carry out the request from the predetermined user regarding the at least one predetermined administered server.
- the intermediate server is configured to provide the predetermined user with data regarding results of carrying out the user request with respect to the at least one predetermined administered server.
- the intermediate server further comprises a security unit, wherein the intermediate server is configured to change the ruleset by means of commands issued by the security unit and/or by at least one dedicated user.
- the security unit is configured to send user requests to the at least one dedicated user and to receive commands regarding processing of said requests therefrom, wherein the security unit is configured to monitor the intermediate server prior to receiving commands regarding request processing from the at least one dedicated user.
- the object is further solved by a method for administration of at least one administered server by means of the disclosed device, the method including receiving a user request regarding the administration of the at least one administered server and sending said request to the random access memory of the intermediate server; analyzing the user request based on a ruleset; refusing to carry out the request of the predetermined user if the user request is to be refused according to the ruleset; sending a command to carry out administrative actions for the administered server to the administered server in accordance with the user request if the user request is to be permitted according to the ruleset, and sending data regarding the results of carrying out said command to the intermediate server; and recording the user request and associated events related thereto in the intermediate server and/or in the at least one administered server associated with said request.
- the method is characterized by the following features: the user is not given direct access to the at least one administered server itself, but only the right to send (recommend) one or more commands in the form of a user request; an action based on the user request is deferred and executed by the system (the administered server together with the device for administration itself) after analysis of the action.
- the whole "communication block" between the user and the administered server (the actions of the user) consists of the following stages (links of a chain), from which the last stage (the last chain link, namely the direct action itself, which is deferred and executed only by the administered server) is removed, and hence the system is made secure and not susceptible to external interaction:
- the disclosed method provides administration of at least one administered server with a high level of administration security, because user requests are processed by the intermediate server based on a ruleset.
- the user is provided with data regarding the results of carrying out his request regarding the at least one predetermined administered server.
- the recorded data is further sent to at least one dedicated user.
- receiving a user request comprises receiving requests from remote users.
- Fig. 1 is a diagram of the device for server administration according to an embodiment of the present invention.
- Fig. 2 illustrates the method of server administration according to an embodiment of the present invention.
- "administered server" is used herein to refer to a server maintained and controlled by a dedicated user (network administrator).
- logging or “recording” are used herein to refer to the procedure of recording all user actions with respect to the server and server actions in response thereto (events).
- Fig. 1 is a schematic diagram of a device 100 for administration of one administered server 120, the device comprising an intermediate server 110 connected with the server 120, the intermediate server comprising a random access memory 10, a read-only memory 20, a processor 30 and a security unit 40 formed in this embodiment by an individual microcircuit; however, in other embodiments, the security unit can be formed by a software module stored in the memory 20 or can be implemented in a different form apparent to those skilled in the art.
- the device for administration can comprise other required components, particularly other or additional components in the intermediate server or additional intermediate servers. Further, the disclosed device for administration can be used for administration of two or more administered servers.
- the read-only memory 20 contains a ruleset defining the interaction between a predetermined user 130 and the administered server 120.
- the intermediate server can receive requests from the user 130 to send commands to the administered server 120 to carry out administrative actions for the administered server 120, said requests being received by the random access memory 10 of the server 110. Upon receiving such requests, the intermediate server 110 processes them by means of the processor 30 while applying the ruleset.
- the user 130 can send his requests to the server 110 using input means provided in the server 110 or by means of communication channels with the server 110, e.g., when the user 130 is located remotely from the server 110.
- the intermediate server 110 can further send commands to the server 120 to carry out administrative actions for the server 120 and can receive data regarding the results of executing said commands by the server 120.
- the ruleset can permit a request by the predetermined user 130 in such manner that corresponding commands to carry out administrative actions for the server 120 are sent to the administered server 120, or the ruleset can define a refusal to carry out the request by the predetermined user 130 with respect to the administered server 120.
- the security unit 40 optionally sends commands regarding user 130 requests and commands for changing the ruleset to the processor 30.
- a meta-description of a task is formed for the intermediate server, said meta-description containing information regarding the user who initiated the task, the administered server which is the target server for performing the task, the command/application name, the parameters for carrying out the task, and the parameters for the returned result.
- the intermediate server 110 records (continuously or at various intervals) user 130 requests and the associated events occurring in the server 110 and the server 120 as a result of processing said requests. Furthermore, the intermediate server 110 provides the user 130 with data regarding the results of carrying out his request regarding the administered server 120, e.g. in the form of a file containing console command output. The result is output, e.g., by forming a file containing the results of carrying out the request on the administered server 120 at a security level accessible by the user 130.
- the server 110 can be monitored and controlled by a dedicated user 140 or the server administrator.
- the user 140 can receive data regarding the current status of the server 110 from the server 110, and the user 140 can further change or set the ruleset with respect to the predetermined user 130.
- the user 140 can further receive from the server 110 the recorded data regarding user requests and the associated events in the intermediate server and/or the administered server 120.
- the security unit 40 sends data regarding user 130 requests to the user 140, who responds by sending commands regarding processing of said requests, in which case the security unit 40 monitors the actions of the intermediate server 110 prior to receiving the user 140 commands.
- user 140 actions can also be recorded, e.g., by the security unit 40. It should be noted that, in other embodiments, two or more dedicated users can monitor and control the server 110.
- the disclosed device can be used for controlling access to administered servers containing confidential information (confidential servers), for limiting attempts to gain unauthorized access to administered servers, for reviewing user and administrator actions in confidential servers, and for isolating a group of confidential servers from the network segment with public and/or corporate access.
- the disclosed device provides an intermediate security and monitoring layer excluding erroneous, accidental or other commands determined to be unnecessary by means of previously defined security rules (a ruleset), which further reduces error and increases administered server security while further providing the following functionalities:
- FIG. 2 illustrates the method of server administration by means of the device disclosed hereinabove according to an embodiment of the present invention.
- a request for administration of the administered server is received from a user and sent to the random access memory of the intermediate server; then, at step 220, the user request is analyzed based on a ruleset.
- the request is analyzed in accordance with the ruleset: if the user request should be refused according to the ruleset, the request by the predetermined user is refused, and if the user request should be permitted according to the ruleset, a command to carry out administrative actions for the administered server is sent to the administered server in accordance with the user request (step 240), and data regarding the results of executing said command is sent to the intermediate server (step 250).
- the user request and the associated events at the intermediate server and the administered server associated with the request can be logged (recorded) in the intermediate server, the user can be provided with data regarding the results of carrying out his request with respect to the administered server, and the recorded data can be sent to at least one dedicated user.
- the disclosed method and device provide a high level of security in the server administration process.
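As an added illustration (not code from the patent or its applicant), the following Python model walks through the request flow of Fig. 2 with the task meta-description described above: a ruleset keyed by user, target server and command decides permit or refuse, requests the ruleset does not cover are deferred to a dedicated user via the security-unit hook, the administered server alone executes the deferred action, and every request and event is recorded. The server name, user names, commands and outputs are constructed sample data, and the executor and dedicated-user callbacks are hypothetical stand-ins.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple

Params = Tuple[str, ...]


class Decision(Enum):
    PERMIT = "permit"
    REFUSE = "refuse"


@dataclass(frozen=True)
class Task:
    """Meta-description of a task: who asked, which administered server,
    the command name, its parameters and the form of the returned result."""
    user: str
    server: str
    command: str
    params: Params = ()
    result_format: str = "console-output-file"


@dataclass
class IntermediateServer:
    # ruleset: (user, server, command) -> Decision; command "*" matches any command
    ruleset: Dict[Tuple[str, str, str], Decision]
    # executors stand in for the administered servers (hypothetical); they carry out
    # the deferred action and return its console output
    executors: Dict[str, Callable[[str, Params], str]]
    # hook standing in for the security unit asking the dedicated user to decide
    # a request the ruleset does not cover; it returns PERMIT or REFUSE
    dedicated_user: Callable[[Task], Decision]
    log: List[str] = field(default_factory=list)  # recorded requests and events

    def set_rule(self, user: str, server: str, command: str, decision: Decision, by: str) -> None:
        """Ruleset changes come only from the security unit or a dedicated user and are logged."""
        self.ruleset[(user, server, command)] = decision
        self.log.append(f"rule set by={by} user={user} server={server} cmd={command} -> {decision.value}")

    def decide(self, task: Task) -> Decision:
        for key in ((task.user, task.server, task.command), (task.user, task.server, "*")):
            if key in self.ruleset:
                return self.ruleset[key]
        # no rule: the security unit defers to the dedicated user and records the outcome
        decision = self.dedicated_user(task)
        self.log.append(f"escalated user={task.user} cmd={task.command} -> {decision.value}")
        return decision

    def handle(self, task: Task) -> dict:
        """Fig. 2 flow: receive the request, analyse it against the ruleset, refuse or
        forward it, collect the result for the user and record everything."""
        self.log.append(f"request user={task.user} server={task.server} cmd={task.command} params={task.params}")
        if self.decide(task) is not Decision.PERMIT or task.server not in self.executors:
            self.log.append(f"refused user={task.user} server={task.server} cmd={task.command}")
            return {"status": "refused", "output": None}
        # the action is deferred: only the administered server itself executes it
        output = self.executors[task.server](task.command, task.params)
        self.log.append(f"executed server={task.server} cmd={task.command} result_bytes={len(output)}")
        return {"status": "done", "output": output}


def build_demo() -> IntermediateServer:
    """Constructed sample: one administered server 'db01', user 'alice' with rules,
    user 'bob' with none, and dedicated user 'carol' who permits only 'status'."""
    def db01(command: str, params: Params) -> str:  # stand-in for the administered server
        table = {"status": "db01: up 12 days, load 0.4", "restart": "db01: service restarted"}
        return table.get(command, f"db01: unknown command {command}")

    def carol(task: Task) -> Decision:
        return Decision.PERMIT if task.command == "status" else Decision.REFUSE

    ruleset = {("alice", "db01", "status"): Decision.PERMIT,
               ("alice", "db01", "*"): Decision.REFUSE}
    return IntermediateServer(ruleset, {"db01": db01}, carol)
```

A request for a server the intermediate server does not know is refused even when the ruleset or the dedicated user would permit it, which keeps the default at deny.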
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
RU2016143765 | 2016-11-08 | ||
RU2016143765A RU2656692C2 (ru) | 2016-11-08 | 2016-11-08 | Device and method for server administration |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018088942A1 true WO2018088942A1 (en) | 2018-05-17 |
Family
ID=62110295
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/RU2017/050115 WO2018088942A1 (en) | 2016-11-08 | 2017-11-08 | Device and method for administration of a server |
Country Status (2)
Country | Link |
---|---|
RU (1) | RU2656692C2 (ru) |
WO (1) | WO2018088942A1 (ru) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111061555A (zh) * | 2019-12-22 | 2020-04-24 | 济南浪潮数据技术有限公司 | An Ansible-based operations and maintenance method and related apparatus |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6182142B1 (en) * | 1998-07-10 | 2001-01-30 | Encommerce, Inc. | Distributed access management of information resources |
US6408336B1 (en) * | 1997-03-10 | 2002-06-18 | David S. Schneider | Distributed administration of access to information |
WO2012079482A1 (en) * | 2010-12-16 | 2012-06-21 | Huawei Technologies Co., Ltd. | Method and apparatus to create and manage virtual private groups in a content oriented network |
RU2496136C1 (ru) * | 2012-05-14 | 2013-10-20 | Общество С Ограниченной Ответственностью "Мералабс" | Method for interaction of a client terminal device with a server over the Internet with an increased level of protection against DDoS attacks, and system for implementing the method |
US20160277447A1 (en) * | 2015-03-17 | 2016-09-22 | Solarflare Communications, Inc. | System and apparatus for providing network security |
- 2016-11-08 RU RU2016143765A patent/RU2656692C2/ru not_active IP Right Cessation
- 2017-11-08 WO PCT/RU2017/050115 patent/WO2018088942A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
RU2016143765A3 (ru) | 2018-05-11 |
RU2016143765A (ru) | 2018-05-11 |
RU2656692C2 (ru) | 2018-06-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
DPE1 | Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101) | ||
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17869763; Country of ref document: EP; Kind code of ref document: A1 |
NENP | Non-entry into the national phase | Ref country code: DE |
32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 20/09/2019) |
122 | Ep: pct application non-entry in european phase | Ref document number: 17869763; Country of ref document: EP; Kind code of ref document: A1 |