Application of Policy-Based Ideas in Network Management
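Abstract
Policy-based network management is one of the key building blocks of future networks. Policy management is already widely applied in the quality-of-service field; for example, Cisco's QPM 3.0, which focuses on resource reservation and differentiated services, has been extended into the network management field. Current research in the security field is mainly concerned with policy push/pull techniques and has not truly achieved dynamic policy management. This thesis focuses on the application of policy-based ideas in distributed management, particularly in network management and network security.
     The idea of the thesis is to merge network management and network security under unified policy management, so that the network is deployed and managed in a unified way. The thesis also discusses a concrete implementation of this idea: the Policy-Based Dynamic Network Management System (PBDNMS). Its content mainly covers an exposition of policy-based ideas, policy transport protocols, the application of policy to security, the application of policy to network management, and a study of policy transport security.
     As an implementation of the policy idea, PBDNMS mainly uses Linux and a Cisco 7500 to implement the policy-management client functions, and uses Windows as the policy server to manage policies. For network devices that do not support COPS, PBDNMS applies this part of the policy by managing the devices through SNMP and the CLI. For policy transport, PBDNMS uses IPsec to protect data at the IP layer. PBDNMS mainly combines the design ideas of FreeS/WAN and Netfilter, placing IPsec processing in hook functions in the system kernel.
     As networks develop, policy-based applications will attract more and more attention. The approach proposed in this thesis, providing policy management that merges network management with network security, is in line with the direction in which policy-based ideas are developing.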
With the expansion of networks, managing them is becoming harder and more complex. Policy-based network management (PBNM) is becoming popular in the networking field and is a key component of future networks. Its merit is that it provides excellent network management, such as the ability to control the increase in Internet operations, the ability to make management more flexible, the ability to simplify the configuration of devices and applications, and the ability to integrate various management systems.
    This paper concentrates on the importance of the policy-based idea in distributed applications, especially in the field of network security. Under the control and guidance of an integrated security policy, PD2R uses detection tools to understand and evaluate the system's security status, and uses appropriate responses, alongside protection tools, to keep the system as safe and low-risk as possible. The main idea of this paper is to integrate network management and network security so that a consistent policy is used to achieve consistent deployment and management in the network field. I illustrate the implementation of this idea: the Policy-Based Dynamic Network Management System (PBDNMS).
    PBDNMS uses a Linux PC and a Cisco 7500 as PEPs, and a Windows PC server as the PDF.
    With the application of policy, more and more people will turn their attention to PBNM. By showing the merits of policy, this paper will be more useful in security management and other fields.
