基于统一身份认证平台的局域网安全设计
|
摘要
对于局域网进行安全设计时首先要以提高网络系统安全性为目标,其次还要保证局域网上的应用系统的安全性满足相应标准。对服务器、个人终端、网络接入设备、防火墙在内的所有参与到局域网服务过程中的节点进行分析研究,判断出网络系统安全存在的薄弱点。在这其中,"准入准出"平台的设计和建立是首先要考虑的技术手段。基于"统一身份认证"这一普遍使用的"准入准出"技术,以宝鸡文理学院局域网网络安全设计和建设为实例,讨论统一身份认证技术在网络安全中的应用。首先研究了统一认证平台的设计思想和具体功能,在这一基础上,画出了该平台的体系架构图;然后分别从目录服务、用户(角色)管理、同步管理、认证过程和授权管理等五个方面详细阐述了统一认证平台的设计,为局域网在安全规划和设计方面提供了有益的参考。
For the safety design of LAN,we must first aim at improving the security of network system,and then ensure the security of application system on LAN to meet the corresponding standards. All nodes involved in the LAN service process,including servers,personal terminals,network access devices and firewalls,are analyzed,and the weakness of network security is judged. Firstly,the design and establishment of the"access & exit"platform is to be considered. Taking the design and construction of LAN security in Baoji University of Arts and Sciences as an example,the application of unified identity authentication technology in network security is discussed. Firstly,the design idea and specific function of the unified authentication platform are studied. On this basis,the architecture diagram of the platform is drawn. Then,the design of unified authentication platform is elaborated from five aspects: directory service,user role management,synchronization management,authentication process and authorization management,which provides a useful reference for the LAN in security planning and design.
For the safety design of LAN,we must first aim at improving the security of network system,and then ensure the security of application system on LAN to meet the corresponding standards. All nodes involved in the LAN service process,including servers,personal terminals,network access devices and firewalls,are analyzed,and the weakness of network security is judged. Firstly,the design and establishment of the"access & exit"platform is to be considered. Taking the design and construction of LAN security in Baoji University of Arts and Sciences as an example,the application of unified identity authentication technology in network security is discussed. Firstly,the design idea and specific function of the unified authentication platform are studied. On this basis,the architecture diagram of the platform is drawn. Then,the design of unified authentication platform is elaborated from five aspects: directory service,user role management,synchronization management,authentication process and authorization management,which provides a useful reference for the LAN in security planning and design.
引文
[1]贺玉明,李晋宏,唐辉. LDAP在数字校园统一身份认证系统中的应用[J].计算机技术与发展,2011,21(5):139-142.
[2]沈锡臣,陈怀楚.高校信息化建设标准规范[J].清华大学学报:自然科学版,2003,43(4):529-531.
[3]谭继安.数字化校园数据中心安全问题研究[J].计算机安全,2011(5):89-92.
[4]张小红,樊中奎.基于认证协议的Web单点登录优化设计[J].计算机工程,2010,36(13):146-148.
[5] ARMANDO A,MERLO A,VERDERAME L. Security considerations related to the use of mobile devices in the operation of critical infrastructures[J]. International Journal of Critical Infrastructure Protection,2014,7(4):247-256.
[6]赵曦.基于LDAP的统一认证系统的研究与实现[D].西安:西安电子科技大学,2009.
[7] SEDAGHATBAF A,AZGOMI M A. Attack modelling and security evaluation based on stochastic activity netw orks[J].Security and Communication Netw orks,2014,7(4):715-737.
[8]冯黔华.基于LDAP认证的保险数据交互中心建设[D].上海:复旦大学,2010.
[9]王静.统一身份认证和用户管理平台在集团型电力企业的应用[J].信息网络安全,2016(12):81-85.
[10]姜卫宏.基于Web的单点登录统一认证系统的设计与实现[D].上海:上海交通大学,2014.
[11]王伟.校园网统一身份认证平台的设计与实施[D].济南:山东大学,2010.
[12] REN X,SHI L. The cloud single sign-on authentication based on Kerberos and SAM L[J]. Wit Transactions on Information&Communication Technologies,2014,52:1311-1320.
[13] ZHANG Weihui,FENG Luo. A design and realization of SSO based on CAS[J]. Applied M echanics&M aterials,2013,380-384(4):2165-2168.
[14]刘斌.基于LDAP的校园统一身份认证系统的研究与实现[J].电子设计工程,2011,19(23):4-6.
[2]沈锡臣,陈怀楚.高校信息化建设标准规范[J].清华大学学报:自然科学版,2003,43(4):529-531.
[3]谭继安.数字化校园数据中心安全问题研究[J].计算机安全,2011(5):89-92.
[4]张小红,樊中奎.基于认证协议的Web单点登录优化设计[J].计算机工程,2010,36(13):146-148.
[5] ARMANDO A,MERLO A,VERDERAME L. Security considerations related to the use of mobile devices in the operation of critical infrastructures[J]. International Journal of Critical Infrastructure Protection,2014,7(4):247-256.
[6]赵曦.基于LDAP的统一认证系统的研究与实现[D].西安:西安电子科技大学,2009.
[7] SEDAGHATBAF A,AZGOMI M A. Attack modelling and security evaluation based on stochastic activity netw orks[J].Security and Communication Netw orks,2014,7(4):715-737.
[8]冯黔华.基于LDAP认证的保险数据交互中心建设[D].上海:复旦大学,2010.
[9]王静.统一身份认证和用户管理平台在集团型电力企业的应用[J].信息网络安全,2016(12):81-85.
[10]姜卫宏.基于Web的单点登录统一认证系统的设计与实现[D].上海:上海交通大学,2014.
[11]王伟.校园网统一身份认证平台的设计与实施[D].济南:山东大学,2010.
[12] REN X,SHI L. The cloud single sign-on authentication based on Kerberos and SAM L[J]. Wit Transactions on Information&Communication Technologies,2014,52:1311-1320.
[13] ZHANG Weihui,FENG Luo. A design and realization of SSO based on CAS[J]. Applied M echanics&M aterials,2013,380-384(4):2165-2168.
[14]刘斌.基于LDAP的校园统一身份认证系统的研究与实现[J].电子设计工程,2011,19(23):4-6.