Design and Implementation of a High-Security IP Network Monitoring System
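Abstract
The rapid growth of the Internet has driven explosive growth in data communication services worldwide. As data traffic has come to dominate network traffic, communication network frameworks based on IP switching have become the leading technology in information communication.
Today, telecom operators, Internet service providers and enterprises build more and more critical applications and services on data networks, so keeping the network running normally and efficiently has become vital to these network users. As networks grow in scale and complexity, network management has become key to keeping them running normally and effectively; research and development of high-performance, scalable distributed data network management systems is therefore a hot topic in the communications field. Designing and developing an IP network management system with China's own independent intellectual property rights is of significant theoretical and practical value.
Drawing on the construction of a real IP network management system, this thesis analyzes the practical problems faced in building the performance management subsystem of an IP network management system, and designs and implements that subsystem. It also analyzes the security problems of the IP network management system itself and proposes an implementation scheme for the corresponding policies of a secure IP network management system.
As IP network users demand ever higher quality of service, the industry has put forward the concept of the "carrier-grade IP network", and introducing the ideas of TMN (Telecommunications Management Network) into IP network management has become a focus of current research. The IP network management system proposed in this thesis follows the TMN framework and reflects a layered, modular approach, which ensures that the system is sufficiently open to further development and scalable enough to adapt to future needs.
To ensure high performance and scalability of the IP network management system, this thesis analyzes and compares the current mainstream distributed computing technologies and platforms and, in view of cross-platform support and the reliability and efficiency of services, selects J2EE as the system's distributed framework.
Performance management is one of the core functions of an IP network management system. Specifically, its purpose is to maintain network service quality and network operating efficiency. This thesis analyzes and implements the performance management subsystem in three parts: data collection, data processing and data presentation. In the data processing module, it gives algorithm analyses and implementations for several concrete network monitoring problems, such as a distributed Timer algorithm, an intelligent polling algorithm, analysis of network faults based on ICMP flow direction, and network performance trend analysis. The data presentation module uses the MVC design pattern to separate the data layer from the presentation layer in a loosely coupled way, which improves the system's extensibility.
As the main supporting platform for next-generation network application services, IP technology itself has some problems still to be solved. The most prominent is the security of the IP protocol, in areas such as the privacy of network data, authorization and access control. Because of the security problems of IP networks, and because IP network management is carried out in-band, the network management system is itself a special kind of managed object; an IP-based network management system therefore has security problems too. Building on an analysis of the J2EE and JBOSS security frameworks, this thesis examines the security problems of the IP network management system from two aspects, data and operations, and, with data security and system efficiency in mind, proposes an RMI+SSL scheme for secure data transmission and an access control policy based on WWWWWH (WHO, WHERE, WHEN, WHAT, WHICH, HOW). These solutions are implemented with the security proxy pattern, which not only ensures high security of data transmission and access but also increases the system's flexibility.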
The prosperity of the Internet has driven an explosive increase in data communication all over the world. As data services become the main part of network traffic, the IP-based communication framework has become the leading technology of information communication.
At present, more and more key applications and services of telecom carriers, ISPs and enterprises are built on data networks, so keeping the network working efficiently is critical to these users. As networks grow in size and complexity, network management has become essential to keeping the network working efficiently. Building a distributed management system for data networks with high scalability and high performance is a hot topic in the communications world. Moreover, building such a system with our own country's intellectual property rights is valuable in both theory and practice.
Based on the construction of a real IP network management system, the thesis analyzes the problems of building the performance subsystem of an IP network management system and implements the subsystem. The thesis also analyzes the security issues of the management system itself and presents a solution for them.
Since IP network users require better quality of network services, the industry promotes the concept of the "Carrier Grade IP Network". As a result, introducing TMN (Telecommunication Management Network) into IP network management has become a hot topic of current research on IP networks. The system of the thesis follows the TMN framework and embodies the concepts of layering and modularization, which ensures that the system has enough scalability.
To ensure the high performance and scalability of the IP network management system, the thesis analyzes and compares the mainstream distributed computing technologies and platforms. J2EE is finally chosen as the system framework for its cross-platform ability, service reliability and high performance.
Performance management is a core function of the IP network management system. More specifically, performance management maintains quality of service and network efficiency. The thesis analyzes and implements the performance management subsystem in three aspects: data collection, data processing and data presentation. It gives algorithms and their implementations for concrete problems in the data processing modules, such as distributed Timer, intelligent polling, network fault detection based on ICMP stream analysis, and network performance tendency analysis. In the data presentation modules, the MVC design pattern is used to decouple the data from its presentation, which improves the scalability of the system.
As the main supporting platform for next-generation network services, IP technology itself has some problems to be solved. One outstanding problem is the security of the IP protocol, such as privacy, authorization and access control of network data. Because of the security problems of IP networks and the in-band mode of IP network management, the network management system has security problems too. Based on a detailed analysis of the security frameworks of J2EE and JBOSS, the thesis describes the security problems from the data and data-operation aspects, and provides a data transmission solution based on RMI plus SSL and a data access control solution based on the WWWWWH (WHO, WHERE, WHEN, WHAT, WHICH, HOW) security policy. The real system provides the security solution through a proxy, which not only assures the high security of the system but also improves its flexibility.
