Design and Implementation of a Batch Password Management Subsystem
Abstract
The management and maintenance of network equipment is an important component of today's telecommunication networks and one of the factors that decides whether a network can operate normally. Network equipment management covers device planning, configuration, monitoring, fault management, performance control, security and more; among these, password management is the most critical part of network device security management, because it brings network security and management together in one place.
This thesis addresses the centralized, automated management of passwords on Huawei network equipment. It surveys existing network equipment management systems and network equipment password management systems together with the state of their research and development and, based on concrete practical needs, implements the batch password modification subsystem of a centralized, automated and secure network equipment management system.
For security and reliability, and building on existing HTTP tunnel technology, the thesis abandons manual password setting in favour of automatic password generation and subjects every generated password to a second review, so that passwords are stronger and harder to crack and the security of the network equipment is increased.
Many network devices need centralized password management, but existing network equipment management systems lack effective support for it: a great deal of identical work still has to be done device by device, so changing device passwords is inconvenient and error-prone. To solve this, the automated password management proposed here goes beyond the usual remote password management approach and adopts batch password management.
The thesis analyzes, designs and implements the batch password modification subsystem of a network equipment management system. It uses a B/S (browser/server) structure, the UML modeling tool PowerDesigner for requirements analysis, outline design and detailed design modeling, and JSP + Servlet technology in the Eclipse IDE to implement each functional module of the system.
The system has three main functional modules: user management, network device management (network element management) and log management. The user management module performs unified authentication and authorization of administrators. The network element management module is the core of the system and consists of three sub-modules: automatic password generation, complexity checking and password re-review; together these implement batch, automated and secure password management. During a batch change, individual devices may fail to have their password changed; to support error analysis and a manual fix by remote login or other means, the relevant device password management information must be recorded. The log management module records this information so that administrators can query and maintain it.
With the batch password modification subsystem, password changes on Huawei network elements are automated and centralized. The subsystem is highly portable: administrators can maintain device passwords from a variety of platforms. Usage statistics show that, with security and reliability maintained, a password change across the original 600-plus network elements, which used to take about three working days of highly concentrated work, now takes only two hours with the subsystem. Its use saves a large amount of repetitive manual labour and improves the quality and efficiency of password management, which is of practical significance.
Abstract (English)
Nowadays, the management and maintenance of network equipment is an important component of the telecommunication network and one factor in its normal running. Network equipment management includes planning, configuration, supervision, fault management, performance control, security and so on. Password administration is a primary task of network equipment security management, and it combines network security and management in one place.
This paper surveys and researches the existing network equipment management systems and the development situation of current network equipment management research. Considering security and reliability, encryption and decryption of data are studied in this paper. To ensure the data is not stolen, asymmetric encryption is used in the process of password transmission, combined with hash checking to ensure that the data was not damaged (a hash sent alongside the data detects accidental corruption; protection against deliberate modification additionally requires a MAC or a digital signature). Besides, when modifying passwords, this paper uses automatic password generation instead of manual setting, so the passwords are stronger and cannot be obtained easily.
The author's main work is participating in the overall design of the network element equipment management system, designing in detail and realizing the user management module and the equipment management module, and proposing batch password modification in the equipment management module.
In the design of the system, this paper adopts the B/S structure and the JSP + Servlet pattern in order to make system transplantation easier, so that users can operate it on any OS. It uses the object-oriented method in the analysis of the system, adopts the Unified Modeling Language (UML) and the modeling tool PowerDesigner to design the management system, and realizes the system with the MVC (Model-View-Controller) design pattern. The Model layer realizes the specific business logic, the View layer displays the user interface, and the Controller layer is mainly in charge of the control relationship between the Model layer and the View layer. HTML + CSS designs the presentation layer, so a good interface is realized. The JSP + Servlet pattern abstracts the specific business: a JavaBean is used to express each specific model, and all requests are sent to the servlet, which is regarded as the controller; according to the request, the method of the specific model is called. This design realizes not only the separation of the presentation layer and the business layer, but also high reusability and practicability, so the development life-cycle cost is reduced and it is in favour of software engineering management.
The system is mainly divided into three functional modules: user module, equipment module and log module. The three modules are interrelated. The author is responsible for the design of the user module and of batch password modification in the equipment module, as well as some functions such as CRUD. Because of the large scale, there cannot be only a few administrators, and the duties of administrators are not identical, so the author adopts the idea of layering and divides users into different levels, that is, different roles have different permissions. In equipment management, this paper puts forward the concept of the group and divides equipment into different groups according to actual area or specific equipment type; meanwhile, the concept of the group also applies to users. A user manages the equipment belonging to his group, so different groups of users can manage different sets of equipment. Therefore there are three user levels: the ordinary user only has permission to view equipment; the equipment group administrator can manage the restructuring of the equipment; the super administrator can manage the group administrators and ordinary users.
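The role-and-group model described above can be written down as a single authorization decision, which makes the "deny by default" and "group scoping" rules explicit and testable. The following is an added illustration written for this page, not code from the thesis; the role names, the action names, and the exact permission rules (ordinary users see only their own group, group administrators modify only their own group, the super administrator is not tied to a group) are assumptions derived from the three user levels the abstract lists.

```python
"""Role/group authorization for the network element management system.

Added example, not the thesis's own code. Role names, action names and the
permission rules are assumptions based on the three user levels described.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Role(Enum):
    ORDINARY = "ordinary"          # view equipment in own group only
    GROUP_ADMIN = "group_admin"    # manage equipment in own group
    SUPER_ADMIN = "super_admin"    # manage users and every group


@dataclass(frozen=True)
class User:
    name: str
    role: Role
    group: Optional[str]           # None for the super admin, who spans all groups


@dataclass(frozen=True)
class Device:
    name: str
    group: str                     # e.g. a region or an equipment type


# Actions are an explicit allow-list; anything else is denied.
DEVICE_ACTIONS = {"view", "change_password", "move_group"}
USER_ACTIONS = {"create_user", "assign_role"}


def can_act_on_device(user: User, action: str, device: Device) -> bool:
    """Decide whether `user` may perform `action` on `device`.

    Assumed rules: unknown actions are denied; the super admin may do anything;
    everyone else is confined to devices in their own group, where ordinary
    users may only view and group administrators may also modify.
    """
    if action not in DEVICE_ACTIONS:
        return False
    if user.role is Role.SUPER_ADMIN:
        return True
    if user.group != device.group:
        return False               # group scoping applies below super admin
    if action == "view":
        return True
    return user.role is Role.GROUP_ADMIN


def can_manage_user(actor: User, action: str, target: User) -> bool:
    """Only the super administrator manages other accounts (and not itself)."""
    if action not in USER_ACTIONS:
        return False
    return actor.role is Role.SUPER_ADMIN and actor.name != target.name


def filter_visible(user: User, devices: List[Device]) -> List[Device]:
    """The device list a user should see: apply the 'view' decision per device."""
    return [d for d in devices if can_act_on_device(user, "view", d)]


if __name__ == "__main__":
    # Constructed sample data.
    bob = User("bob", Role.GROUP_ADMIN, "east")
    fleet = [Device("ne-01", "east"), Device("ne-02", "west")]
    print([d.name for d in filter_visible(bob, fleet)])
```

Keeping the device list itself filtered through the same decision function as the individual checks avoids the common mistake of hiding a device in the UI while still accepting a change-password request for it from a hand-crafted HTTP request.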
Equipment requires regular password modification, but the past system did not have a batch modification function, so this was inconvenient. Therefore, the author proposes the pattern of batch password modification, gives up the past manual way and adopts automatic password generation. During batch modification, individual failures may occur; these need a manual remote login to modify, or another solution found through error analysis. At the same time, the password stored in the database should also be modified in order to keep the data synchronized. Of course, users can also modify an individual equipment password.
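The three password sub-modules (automatic generation, complexity check, second review) and the batch procedure with per-device failure logging and database synchronization, described in both the Chinese and the English abstract above, fit together as shown in the following added example. It is illustration code written for this page, not the thesis's implementation: the length and character-class policy, the banned-word list used by the review step, the log record layout, and the `fake_driver` that stands in for the real device channel are all assumptions, and the device names are constructed sample input.

```python
"""Batch password change: generate, check, review, apply, log.

Added example, not the thesis's code. Policy constants, review rules, the log
layout and the stub device driver are assumptions; device names are made up.
"""
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"     # assumed symbol set accepted by the devices
MIN_LEN = 12                            # assumed policy minimum


def _has_run_of_three(pw: str) -> bool:
    return any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2))


def generate_password(length: int = 16) -> str:
    """Draw from the OS CSPRNG; guarantee one char of each class, then shuffle."""
    if length < MIN_LEN:
        raise ValueError("length below policy minimum")
    classes = [LOWER, UPPER, DIGITS, SYMBOLS]
    alphabet = "".join(classes)
    while True:
        chars = [secrets.choice(c) for c in classes]
        chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
        secrets.SystemRandom().shuffle(chars)  # class chars must not sit at fixed positions
        pw = "".join(chars)
        if not _has_run_of_three(pw):           # regenerate on an unlucky repeated run
            return pw


def complexity_check(pw: str) -> List[str]:
    """Return policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("too short")
    for name, cls in (("lowercase", LOWER), ("uppercase", UPPER),
                      ("digit", DIGITS), ("symbol", SYMBOLS)):
        if not any(ch in cls for ch in pw):
            problems.append(f"missing {name}")
    if _has_run_of_three(pw):
        problems.append("three identical characters in a row")
    return problems


def second_review(pw: str, device_name: str,
                  banned: Tuple[str, ...] = ("huawei", "admin", "password")) -> List[str]:
    """Second review: reject passwords that embed the device name or a common word."""
    low = pw.lower()
    problems = [f"contains banned word '{w}'" for w in banned if w in low]
    if device_name.lower() in low:
        problems.append("contains device name")
    return problems


def new_password_for(device_name: str, attempts: int = 20) -> str:
    """Generate until both checks pass; fail loudly instead of weakening the policy."""
    for _ in range(attempts):
        pw = generate_password()
        if not complexity_check(pw) and not second_review(pw, device_name):
            return pw
    raise RuntimeError(f"no acceptable password for {device_name}")


@dataclass
class LogRecord:
    device: str
    ok: bool
    detail: str


@dataclass
class BatchResult:
    changed: Dict[str, str] = field(default_factory=dict)  # stored (database) copy
    log: List[LogRecord] = field(default_factory=list)


def batch_change(devices: List[str],
                 set_password: Callable[[str, str], None]) -> BatchResult:
    """Change every device's password; one failure is logged and does not abort the batch."""
    result = BatchResult()
    for dev in devices:
        pw = new_password_for(dev)
        try:
            set_password(dev, pw)          # push to the device over the management channel
        except Exception as exc:           # record for manual follow-up, then continue
            result.log.append(LogRecord(dev, False, f"{type(exc).__name__}: {exc}"))
            continue
        result.changed[dev] = pw           # sync the stored copy only once the device accepted it
        result.log.append(LogRecord(dev, True, "password changed"))
    return result


def fake_driver(unreachable: Tuple[str, ...] = ("ne-03",)) -> Callable[[str, str], None]:
    """Constructed stand-in for the real device channel: some devices fail."""
    def set_password(device: str, password: str) -> None:
        if device in unreachable:
            raise ConnectionError("device unreachable")
    return set_password


if __name__ == "__main__":
    for rec in batch_change(["ne-01", "ne-02", "ne-03"], fake_driver()).log:
        print(rec)
```

The ordering in `batch_change` is the point worth keeping: the stored copy is updated only after the device confirms the change, so a failed device keeps its old credential in both places and the log entry tells the operator which devices still need the manual remote-login fix mentioned above.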
The underlying communication of the system adopts HTTP tunnel technology, which is based on Web Services, using SOAP (Simple Object Access Protocol) as the communication protocol and HTTP as the transport protocol, so it can pass through firewalls that permit HTTP traffic.
With the continuous development of computer science and technology and the expanding scale of computer networks, network equipment management will become more and more important, and password management will be more widely appreciated.