DCSM Intranet Security Management System
Abstract
As Ethernet access becomes ever more open and the services it carries ever more complex, internal network security problems caused by vulnerabilities, viruses and weak identity authentication have begun to outweigh external network attacks, and they confront network administrators as a thorny problem.
     To build a complete intranet security mechanism, centralized security authentication is the first requirement; the second is the deployment of a security monitoring system. The IDS/IPS watches the network for abnormal behaviour and judges whether the system is under a human-driven or virus attack. Once a problem has been identified, the action taken next matters a great deal. The usual approach is simply to block the attacker's IP address, but because an attacker can easily change both the IP and the MAC address, this works poorly. With an authentication mechanism in place, however, the system can identify the user behind a given IP and pin the event to a specific switch port, so that an entire IP subnet need not be blocked.
     This thesis first introduces the research background and the implementation goals, then gives an overall description of the project's requirements. The system is divided into two parts, the management system and the client. The management system runs on an industrial PC and supports dual-machine hot standby; it covers user and device registration, policy configuration, network device management, security servers and related functions, and it also monitors and maintains its own running state. The client is installed on the networked client machines and, in cooperation with the management-side program, checks host security, disables specified programs or devices, applies patches automatically and upgrades antivirus software. From the requirements overview, a detailed requirements specification was written according to the enterprise's needs.
     To address the problems network administrators meet in daily use, this thesis integrates existing resources and develops the DCSM intranet security control system. The system controls and manages the network by managing terminal access, supplemented by network functions that manage the network devices.
The current trend in the security community is toward a flat, integrated architecture. An authentication system, however powerful, adds little value if it stands in isolation. Authentication has instead increasingly become a subsystem whose job is to ensure that, when a security problem arises on the enterprise network, the intranet security mechanism can finally locate the specific device or the specific person involved.
     A number of security vendors have begun to improve their intranet security technology by combining it organically with identity authentication. The waterproof wall (SOC), the DCBI authentication system, IDS and firewall together form DCSM intranet security management technology, the concrete realisation of the 3DSMP technology. DCSM further proposes five-element control: user name, user ID, IP address, switch port and VLAN are bound together and used for subsequent access control.
     On this basis the intranet security mechanism can pass judgement on a user from an IDS/IPS alert, for instance whether the user has launched an attack or is infected with a particular virus. If it finds that a user is scanning a specific port number, it concludes that the user has been infected with a worm-type virus, and the DCBI control centre raises a real-time alert. Once the alert is confirmed, the system blocks that user's network connection. Because the authentication process is complete, the system knows exactly which switch port and VLAN the user is on, so the block is very precise.
     To achieve a complete intranet security mechanism we first need centralised security authentication, followed by the deployment of a monitoring system. The IDS/IPS is responsible for monitoring network behaviour, judging whether some kind of attack or virus is present, and reporting it concretely. What the system does after a problem has been judged is very important. Traditional IP blocking is ineffective against current attacks and viruses, because both the MAC address and the IP address of an attacker can change. The effective way is for the system to identify the particular user behind an IP after security authentication and then determine on which switch port the incident occurred, so that action can be taken without blocking the entire IP subnet. In addition, through the use of the 802.1X protocol the switch itself takes part in the security system, which allows more accurate targeting of clients with security incidents.
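The abstract gives no code, so the following Python block is an added illustration of the decision path it describes (IDS verdict, binding lookup, port-level isolation); it is not DCSM's own implementation. The five-element binding table, the IDS connection records, the switch-port naming and the scan threshold are all constructed for the example. It also shows the failure mode the abstract warns about: an address with no binding can only be blocked by IP, which is the imprecise response.

```python
"""Five-element binding and alert-driven port isolation.

Added illustration, not the DCSM project's code. The binding table, the
IDS connection records and the scan threshold are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """The five elements bound together at authentication time."""
    user_name: str
    user_id: str
    ip: str
    switch_port: str   # assumed "switch/slot/port" naming
    vlan: int


# Constructed binding table, as the authentication system would fill it
# after a successful 802.1X logon (all values hypothetical).
BINDINGS = {
    "10.1.20.15": Binding("alice", "u1001", "10.1.20.15", "sw-a/1/7", 20),
    "10.1.20.33": Binding("bob", "u1002", "10.1.20.33", "sw-a/1/12", 20),
}

# Constructed IDS connection records: (src_ip, dst_ip, dst_port).
# 10.1.20.33 probes tcp/445 on 32 neighbours, the worm pattern the
# abstract describes; 10.1.20.15 only talks to two servers.
IDS_EVENTS = [
    ("10.1.20.15", "10.1.5.2", 443),
    ("10.1.20.15", "10.1.5.3", 443),
] + [("10.1.20.33", f"10.1.20.{n}", 445) for n in range(40, 72)]

SCAN_THRESHOLD = 20   # distinct targets on one port; assumed tuning value


def detect_port_scans(events, threshold=SCAN_THRESHOLD):
    """Map src_ip -> dst_port for every source that touched at least
    `threshold` distinct hosts on the same destination port."""
    targets = defaultdict(set)
    for src, dst, port in events:
        targets[(src, port)].add(dst)
    return {src: port for (src, port), hosts in targets.items()
            if len(hosts) >= threshold}


def isolation_action(ip, bindings=BINDINGS):
    """Resolve an offending IP to a switch port through the binding table.

    With a binding, the action is a port-level shutdown that also names
    the user, the precise response the abstract argues for. Without one
    (unauthenticated or spoofed address) the system can only name the IP,
    which is exactly the imprecise case."""
    b = bindings.get(ip)
    if b is None:
        return {"scope": "ip", "target": ip, "note": "no binding, manual triage"}
    return {"scope": "port", "target": b.switch_port, "vlan": b.vlan,
            "user": b.user_name, "user_id": b.user_id}


def respond(events=IDS_EVENTS, bindings=BINDINGS):
    """Whole path: IDS records -> scan verdict -> binding lookup -> action."""
    actions = []
    for ip, port in detect_port_scans(events).items():
        action = isolation_action(ip, bindings)
        action["reason"] = f"scan of tcp/{port}"
        actions.append(action)
    return actions


if __name__ == "__main__":
    for action in respond():
        print(action)
```

The scan heuristic is deliberately the simple one the abstract states (many hosts on one port); in practice the verdict should be confirmed before the port is shut, since vulnerability scanners and monitoring hosts produce the same pattern, and the binding must come from the authentication system rather than from the packet's own source address, which is the part an attacker controls.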
     DCSM is made up of the server, the client, the switch and other network security devices. Through the flexible combination of these units, risky users can be isolated automatically and smooth network operation is ensured in a variety of network environments.
     In this paper we first introduce the research background and goals of the topic and then give a general description of the project's requirements. The whole system is divided into two parts, the management system and the client. The management system runs on an industrial PC and supports hot standby. It contains user and device registration, policy configuration, network device management, security servers and other functions, while also monitoring and maintaining the system's own running state.
     The client is installed on the client computers that use the network. Cooperating with the management-side program, it checks host security, disables specified programs or devices, installs patches automatically, upgrades antivirus software and provides other functions.
     Based on the requirements overview, we composed a detailed requirements specification according to enterprise demand. On the management side we mainly describe the data formats and operating requirements of the resource and user management module, the IP and MAC management module, the authentication management module, the network management module, the message communication module, the SNMP and CLI processing module and the monitoring module. On the client side we mainly describe the data formats and operating requirements of NIC detection, the host patch scanning plug-in, the antivirus scanning plug-in, the 802.1X authentication plug-in, anti-ARP-spoofing on the host, anti-MAC-address theft, Clone PC, anti-proxy, anti-rogue-DHCP-server, blocking of unauthorised software, alerting when whitelisted software is not running, message interception, receiving service providers' advertising information, client auto-upgrade and the software distribution plug-in.
     We then describe the main framework, which is divided into three layers by deployment: the client layer (responsible for the GUI), the communication layer and the server layer (responsible for request conversion and logic control). By function, client management is divided into the web management module, the administrator management module, the user management module, the authentication and security policy management module, the device management module and the server management module. Server management consists of a request conversion part and a logic control part. The request conversion module transforms requests from client management into requests that the logic handling part can process (including starting and stopping the licence control module).
     The innovations of this paper are as follows:
     1. The client uses the RCP framework and is modular. The whole platform is assembled from components ("plug-ins") and has a loosely coupled structure with strong extensibility. Besides a robust infrastructure, the RCP framework provides rich UI features, help features and error-handling facilities.
     2. Extensibility
     Owing to the chain-of-responsibility pattern, each module handles only the requests it can resolve itself; a request the current module cannot handle is passed to the next module. The advantage of this model is that each module is concerned only with its own processing, without considering whether the rest of the system can handle the request. A new module is inserted into the chain ahead of the terminal fall-through that handles nothing (that is, at the end of the chain), much like inserting a node into a linked list; deleting a module likewise only requires re-linking the chain. Moreover, each module can be tested independently. Because our system has many objects, we combine dispatch with the chain: within a module, dispatch is used to call the individual objects.
     3. XML-RPC is remote method invocation (RMI) over HTTP, whose lifecycle is the same as a browser's access to an HTTP server. Compared with traditional Java RMI it is not only platform-independent but also language-independent. It is highly extensible, easy to implement, and inherits all the features of HTTP, including SSL.
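Innovations 2 and 3 describe the same request path from two ends: a chain of modules that each answer only their own requests, and XML-RPC over HTTP as the transport between client management and the server's request-conversion layer. The Python block below is an added illustration of both together, not DCSM's own (Java/RCP) code; Python is used because its standard library carries an XML-RPC client and server, so the exchange runs offline. The module names, request names, the `dispatch` method and the licence-control state are hypothetical; the server binds an ephemeral loopback port.

```python
"""Chain-of-responsibility request handling exposed over XML-RPC.

Added illustration, not DCSM code. Module names, request names and the
licence-control state are hypothetical; the server binds an ephemeral
loopback port, so the whole exchange runs offline.
"""
import threading
from xmlrpc.client import Fault, ServerProxy
from xmlrpc.server import SimpleXMLRPCServer


class Unhandled(Exception):
    pass   # raised by the last link when no module owns the request


class Module:
    """One link in the chain: `handlers` lists the requests this module
    owns; dispatch picks the method, anything else goes to `next`."""
    handlers = {}

    def __init__(self, nxt=None):
        self.next = nxt

    def handle(self, request, payload):
        fn = self.handlers.get(request)
        if fn is not None:
            return fn(self, payload)          # dispatch inside the module
        if self.next is None:                 # end of the chain
            raise Unhandled(f"no module handles {request!r}")
        return self.next.handle(request, payload)


class UserModule(Module):
    def add_user(self, p):
        return {"module": "user", "added": p["name"]}
    handlers = {"user.add": add_user}


class DeviceModule(Module):
    def add_device(self, p):
        return {"module": "device", "added": p["ip"]}
    handlers = {"device.add": add_device}


class LicenseModule(Module):
    running = False   # per-instance state once start/stop assign it

    def start(self, p):
        self.running = True
        return {"module": "license", "running": True}

    def stop(self, p):
        self.running = False
        return {"module": "license", "running": False}
    handlers = {"license.start": start, "license.stop": stop}


def build_chain(*classes):
    """Link modules like a singly linked list: adding a module splices a
    new link in, removing one re-links `next`; other modules are untouched."""
    head = None
    for cls in reversed(classes):
        head = cls(head)
    return head


def make_server(chain):
    """Request-conversion layer: one XML-RPC method turns the wire request
    into a chain call and maps Unhandled onto an XML-RPC Fault."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)

    def dispatch(request, payload):
        try:
            return chain.handle(request, payload)
        except Unhandled as e:
            raise Fault(404, str(e))

    server.register_function(dispatch, "dispatch")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://%s:%d/RPC2" % server.server_address


def client_session():
    """Management-client side: each call is one HTTP POST and one response.
    Start licence control, add a device, stop it, then send a request no
    module owns; returns what came back over the wire."""
    server, url = make_server(build_chain(UserModule, DeviceModule, LicenseModule))
    try:
        proxy = ServerProxy(url)
        results = [proxy.dispatch("license.start", {}),
                   proxy.dispatch("device.add", {"ip": "10.1.20.33"}),
                   proxy.dispatch("license.stop", {})]
        try:
            proxy.dispatch("vlan.flush", {})
        except Fault as f:
            results.append(f.faultCode)
        return results
    finally:
        server.shutdown()
        server.server_close()
```

Two points a practitioner would check here. First, the `dispatch` method accepts any request string from anyone who can reach the port and performs no authentication of its own; what "inherits all the features of HTTP, including SSL" buys you is that TLS and authentication can be added in front of it at the HTTP layer, and the server should not listen beyond loopback without them. Second, Python's `xmlrpc` modules parse untrusted XML with expat and are documented as not being secure against maliciously constructed data, so an exposed endpoint also needs request-size limits and a hardened parser.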
     In short, we integrated the available resources and developed the DCSM intranet security control system to cope with the problems administrators encounter in everyday use. The whole system controls and manages the network by managing terminal access, supplemented by network functions that manage the network equipment.