Design and Implementation of a Blade PC Security Management System
Abstract
At present, as network management functionality keeps growing, the management side is becoming more and more complex, and people have begun to pay attention to the security of the management environment and hardware. Security verification is needed not only in the management software; at the hardware level, measures such as disabling interfaces are also required. Moreover, the enormous scale of networks doubles administrators' workload and increases equipment maintenance, so the computer systems used for network management are shifting from centralized and distributed models to the thin-client model. Blade technology, meanwhile, is not standing still: it is trying to break out of the newly established blade server market and carry its advantages of security, stability, manageability and low cost over to client devices. This is the emerging blade PC.
     The hardware architecture of the blade PC can eliminate the security risks posed by external peripherals, which is a valuable aid to network management security. However, the blade PC's own management software concentrates on simplifying the management procedure, ease of management and user convenience, and its security functions have been pared down. Thus, when blade PCs are used as network management computers, the risks of external peripherals are resolved, but the security functions of the management-side software are weak; a security problem there would have consequences no less serious than malicious behavior through external peripherals. This thesis therefore designs a blade PC security management system that provides several security measures for the management of blade PCs, giving blade PCs a degree of security assurance during management and use.
     The thesis first introduces development trends in network security management technology and the concept and architecture of blade PC technology. It analyzes the blade PCs of ClearCube and HP from the perspective of their management software and, on that basis, with reference to the blade PC architecture of the CCI framework, proposes the overall design and security service architecture of a blade PC security management system. The purpose of the system is to use policy schemes to carry out authorization, access control, key management, configuration and control management, performance management, fault management and auditing for the management side and the clients. Operation information, policy rules, certificates and keys are stored together in a security management information base, and blades and security devices (such as VPNs) are managed according to the SNMPv3 and IPSec-SNMP protocols. In this way management privileges are separated at the communication level and do not interfere with one another, the system's ability to manage the security of the whole network is strengthened, and integrated management of other security products or devices can be added easily. Configuration and control management is mainly responsible for software installation and hardware usage on the blade PCs. Performance management monitors the usage of each blade, analyzes its performance and allocates resources sensibly. Fault management detects blade hardware status information, provides alarm services and promptly switches in standby blades. Auditing, as a security service, provides access detection and log storage for the management side and clients, and a multi-keyword matching algorithm (MMA) is proposed for real-time search and query.
At present, as the functions of network management improve ceaselessly, the management side is becoming more and more complex, and people are starting to attach importance to the security of the management environment and hardware. Security validation is needed not only in management software; measures such as disabling ports are also needed in hardware. The enormous scale of networks doubles the administrator's workload and increases equipment maintenance, so the computer systems used for network management are turning from centralized and distributed models to thin clients. Blade technology is not standing still either: it is trying to break out of the blade server market and carry its virtues of safety, stability, easy management and low cost over to client equipment. This is the dawn of the blade PC.
     The hardware architecture of the blade PC can resolve the hidden security risks of external equipment, and so assists network management security. The emphasis of blade PC management software is on simplifying the management program and making it easy to manage and operate, but its security has been simplified as well. When a blade PC is used to manage a network, it can resolve the hidden security risks of external equipment, but the security of the management software on the blade PC server side is weak. If security problems emerge on the server side, the consequences are no less than those of hostile actions using external equipment. Therefore, we design a blade PC security management system. It provides some safety precautions to solve the security problems of blade PC management and offers some security guarantees in the course of managing and using blade PCs.
     First of all, we introduce the development trend of network security management technology and the concept and architecture of the blade PC. The blade PCs of ClearCube and HP are analyzed from the standpoint of their management software. We put forward the overall design of the blade PC security management system and its security service architecture. The main purpose of the blade PC security management system is to authorize the manager end and the client end and to realize access control, key management, configuration and control management, performance management, fault management, and auditing of operation and use, by establishing policy schemes. All the operating information, policies, certificates and keys in use are saved in the security management database. The management of the blades and of security equipment (such as VPNs) follows the SNMPv3 and IPSec-SNMP protocols; through this, management privileges and communication are separated, and the system's ability to manage the network and its security are increased. Configuration and control management mostly takes charge of software installation, hardware use and so on. Performance management watches the use of each blade, analyses its performance, and distributes operating resources reasonably. Fault management checks the hardware state of the blades, offers alarm services and replaces blades with standby blades in time. As a security service, audit offers access checking and log saving for the manager side and the client side; at the same time, a Multi-keyword Matching Algorithm (MMA) is put forward for real-time searching.
