SSL VPN系统用户权限管理模块的设计与实现
|
摘要
本文主要介绍了华为三康公司的SSL VPN系统中用户权限管理(User Authorization Management,简称UAM)模块的相关内容,包括需求分析,功能设计和具体实现等。
本文首先介绍了SSL VPN的相关概念。SSL VPN作为新一代的安全远程访问平台,是一种基于应用层的虚拟专网技术。它利用SSL技术和代理技术,提供给终端用户以安全访问HTTP资源、C/S资源和文件共享资源等功能,而且可以让网络管理人员更容易地实现细粒度的访问控制,从而在更高层面上保证企业的网络和信息安全。同时,由于SSLVPN采用浏览器作为客户端,利用浏览器已有的SSL功能,用户无需安装客户端软件,因而使用更加简单方便,公司网络的部署和维护成本更低。
用户权限管理模块是SSL VPN系统的基础模块,主要任务是对SSL VPN用户进行访问授权。UAM通过设计和实现用户组,资源组,客户端安全策略等概念,实现了基于用户身份的动态授权。UAM将用户进行角色划分,并将系统资源进行细分,实现了对访问的高细粒度控制。本文从SSL VPN系统对UAM的需求开始,分析了UAM的应用环境,功能设计以及模块内部数据流,并介绍了UAM的六个子模块和主要的数据结构等内容。UAM在SSL VPN系统中的主要功能如下:
1.基于角色的用户授权:根据用户的在系统中的等级和所属域及用户组,并结合用户登陆时所使用设备的安全状况所对应的安全策略,针对具体会话,动态授予用户相应的访问权限。
2.权限管理信息的管理和维护:对系统中的用户,用户组,资源,资源组进行管理和维护,包括日常的增删改查等操作,以及设置和管理安全策略等。
This paper primarily introduces the User Authorization Management (UAM) in the SSL VPN system, including the requirement analyses, function design, detail implementation and so on.
First of all, this paper introduces some information about SSL VPN. As a new generation of secure remote access platform, SSL VPN is a virtual private network technology based on application layer. By using SSL and agent technologies, SSL VPN provides end-users the security access to the HTTP resources, C/S resources, file sharing resources and so on. SSL VPN makes it easier for administrator to control the remote access by more effective ways, which ensures the security of network and information in enterprises at a higher level. At the same time, SSL VPN user doesn't need install client software, because SSL VPN uses browser as client by using the SSL component in browser. In this way, the application is more simple and convenient to use, and the cost of enterprises deploying and maintaining network is reduced.
User Authorization Management is a base module in SSL VPN system, its main task is granting authorization to SSL VPN user. By designing and implementing some concepts, such as user group, resource group, client security policy, UAM achieves dynamic authorization according to user's role. In order to control remote access more strictly, UAM divide SSL VPN users into user groups, and assigns resources to user groups. This paper summarily introduces the module requirements and application environment, then analyses the function design and data flow in UAM. At last, this paper introduces the six sub modules and some important data structures. The main functions of UAM as follows:
1. UAM grants authorizations to SSL VPN user based on user's roleand the security information of user's client.
2 . UAM manages and maintain the configuration of user'sauthorization, including some information of user group, resource group,security policy and operations on them.
本文首先介绍了SSL VPN的相关概念。SSL VPN作为新一代的安全远程访问平台,是一种基于应用层的虚拟专网技术。它利用SSL技术和代理技术,提供给终端用户以安全访问HTTP资源、C/S资源和文件共享资源等功能,而且可以让网络管理人员更容易地实现细粒度的访问控制,从而在更高层面上保证企业的网络和信息安全。同时,由于SSLVPN采用浏览器作为客户端,利用浏览器已有的SSL功能,用户无需安装客户端软件,因而使用更加简单方便,公司网络的部署和维护成本更低。
用户权限管理模块是SSL VPN系统的基础模块,主要任务是对SSL VPN用户进行访问授权。UAM通过设计和实现用户组,资源组,客户端安全策略等概念,实现了基于用户身份的动态授权。UAM将用户进行角色划分,并将系统资源进行细分,实现了对访问的高细粒度控制。本文从SSL VPN系统对UAM的需求开始,分析了UAM的应用环境,功能设计以及模块内部数据流,并介绍了UAM的六个子模块和主要的数据结构等内容。UAM在SSL VPN系统中的主要功能如下:
1.基于角色的用户授权:根据用户的在系统中的等级和所属域及用户组,并结合用户登陆时所使用设备的安全状况所对应的安全策略,针对具体会话,动态授予用户相应的访问权限。
2.权限管理信息的管理和维护:对系统中的用户,用户组,资源,资源组进行管理和维护,包括日常的增删改查等操作,以及设置和管理安全策略等。
This paper primarily introduces the User Authorization Management (UAM) in the SSL VPN system, including the requirement analyses, function design, detail implementation and so on.
First of all, this paper introduces some information about SSL VPN. As a new generation of secure remote access platform, SSL VPN is a virtual private network technology based on application layer. By using SSL and agent technologies, SSL VPN provides end-users the security access to the HTTP resources, C/S resources, file sharing resources and so on. SSL VPN makes it easier for administrator to control the remote access by more effective ways, which ensures the security of network and information in enterprises at a higher level. At the same time, SSL VPN user doesn't need install client software, because SSL VPN uses browser as client by using the SSL component in browser. In this way, the application is more simple and convenient to use, and the cost of enterprises deploying and maintaining network is reduced.
User Authorization Management is a base module in SSL VPN system, its main task is granting authorization to SSL VPN user. By designing and implementing some concepts, such as user group, resource group, client security policy, UAM achieves dynamic authorization according to user's role. In order to control remote access more strictly, UAM divide SSL VPN users into user groups, and assigns resources to user groups. This paper summarily introduces the module requirements and application environment, then analyses the function design and data flow in UAM. At last, this paper introduces the six sub modules and some important data structures. The main functions of UAM as follows:
1. UAM grants authorizations to SSL VPN user based on user's roleand the security information of user's client.
2 . UAM manages and maintain the configuration of user'sauthorization, including some information of user group, resource group,security policy and operations on them.
引文
[1]高海英 薛元星 辛阳等 VPN技术 机械工业出版社2004年
[2]viiay Bollapragada,Mohamed Khalid,Scott Wainner等 IPSec VPN设计 人民邮电出版社2006年
[3]戴宗坤 VPN与网络安全 电子工业出版社2002年
[4]Mark Norris,Steve Pretty全域网设计:Intrancet、VPN及企业网 人民邮电出版社2001年
[5]刘易斯 VPN故障诊断与排除 人民邮电出版社 2006年
[6]Vijay Bollapragada,Mohamed Khalid,Scott Wainner IPSec VPN设计 人民邮电出版社2006年
[7]Eric Rescorla SSL与TLS 中国电力出版社2002年
[8]崔雅娟 C语言:程序设计导论 人民邮电出版社2002年
[10]康一梅 嵌入式软件设计 机械工业出版社 2007年
[2]viiay Bollapragada,Mohamed Khalid,Scott Wainner等 IPSec VPN设计 人民邮电出版社2006年
[3]戴宗坤 VPN与网络安全 电子工业出版社2002年
[4]Mark Norris,Steve Pretty全域网设计:Intrancet、VPN及企业网 人民邮电出版社2001年
[5]刘易斯 VPN故障诊断与排除 人民邮电出版社 2006年
[6]Vijay Bollapragada,Mohamed Khalid,Scott Wainner IPSec VPN设计 人民邮电出版社2006年
[7]Eric Rescorla SSL与TLS 中国电力出版社2002年
[8]崔雅娟 C语言:程序设计导论 人民邮电出版社2002年
[10]康一梅 嵌入式软件设计 机械工业出版社 2007年