Systems and methods for secure access to network device based on one-time access credentials

A system and method for secure access to a network device using one-time access credentials. Applied in transmission systems and electrical components, it addresses the problems of ineffective user control and attribution, a high risk of password leakage, and insecure passwords; it improves security performance, offers good system compatibility, and has good prospects for adoption.

Active Publication Date: 2020-01-21
BEIJING WANGRUIDA TECH CO LTD


Problems solved by technology

[0009] 1. The way administrators manage account passwords does not meet the basic requirement that network devices be protected according to different network security levels. Account passwords leak easily and the risk is high; once a password leaks, the scope of impact is wide and the loss is serious.
[0010] 2. Multiple users share the same account and password, so it is impossible to control effectively, or even to distinguish, which network devices each user may manage; it is likewise difficult to separate the management actions of different users on the same network device.
Once a security incident occurs, it is hard to identify the actual user of the account and the person responsible.
[0011] 3. When each network device is audited independently, the audit logs differ in content and depth from device to device. No unified access-audit policy can be formulated, and illegal operations are hard to detect in time and hard to trace.
Therefore, the bastion host cannot fully control all login accounts and passwords on the network devices.
[0020] 2. Passwords are not synchronized: each network device has several sets of account passwords, and new accounts and passwords may be added at any time, so the bastion host cannot fully manage and control every network device.
When a password is changed, the account password stored in the bastion host becomes invalid, and management and control of that network device is lost outright.
[0021] 3. Passwords are not secure.
The plaintext account passwords of all core network devices are stored in the bastion host; if it is compromised, the risk of password leakage is high.




Embodiment Construction

[0048] To make the object, technical solution and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings.

[0049] An important technical innovation of the system of the present invention is that a one-time access credential (OTP), that is, a dynamic password, replaces the original account password that a traditional client user presents when connecting to a managed network device. The AAA server automatically generates the dynamic password according to a set algorithm for each user's connection request to each managed network device. It is an unpredictable, real-time random combination of characters and/or digits; each dynamic password has a single lifespan and is invalidated after use.

[0050] See Figure 3, which introduces the structure of the system for secure access to network equipment based on one-time access credentials i...



Abstract

The invention discloses a system and method for secure access to a network device based on one-time access credentials. The system comprises a bastion host server, an AAA server, a log analysis server, a client and the managed network devices, with the structures of the bastion host server and the AAA server each modified. The innovation is that the AAA server randomly and dynamically generates a one-time access credential in real time for each SSH/telnet connection, and that credential is used for authentication, replacing the traditional model in which the network device stores account passwords and permission settings locally and authenticates locally. The one-time access credential is transmitted encrypted and discarded after each use, and the network device admits the user only after the credential has been authenticated, so the security and reliability of the device's login account password are enhanced and assured. The AAA server centralizes the local authentication information otherwise dispersed across many network devices. User management rights are finely divided and user behaviour is confined to a legitimate management scope, which secures the network equipment.
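The issue-once, verify-once flow described in paragraph [0049] and in the abstract (an unpredictable credential minted per user per device per connection request, checked by the AAA server rather than locally, and invalid after a single use) is sketched below in Python. This is an added illustration, not the patent's implementation and not code from BEIJING WANGRUIDA TECH CO LTD: the class and method names, the 60-second lifetime, the 192-bit credential size and the choice to retain only a SHA-256 digest of each issued credential are assumptions. The page does not say which AAA protocol carries the check between device and server, so an in-process call stands in for it, and transport encryption is not shown.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed lifetime for an unused credential; the page only says each
# credential is valid for a single use and gives no time bound.
OTP_LIFETIME_SECONDS = 60


@dataclass
class _Record:
    user: str
    device: str
    expires_at: float
    used: bool = False


class AAAServer:
    """Mints one-time access credentials and verifies each at most once."""

    def __init__(self, now=time.time):
        self._now = now                          # injectable clock, for testing expiry
        self._records: dict[str, _Record] = {}   # keyed by SHA-256 of the credential
        self.audit: list[tuple[str, str, str, str]] = []

    @staticmethod
    def _digest(credential: str) -> str:
        return hashlib.sha256(credential.encode()).hexdigest()

    def issue(self, user: str, device: str) -> str:
        """Generate an unpredictable credential bound to one (user, device) pair.

        Only the digest is retained, so a dump of the server's store does not
        yield usable credentials (contrast the plaintext vault in [0021]).
        """
        credential = secrets.token_urlsafe(24)    # 192 bits from the OS CSPRNG
        self._records[self._digest(credential)] = _Record(
            user, device, self._now() + OTP_LIFETIME_SECONDS)
        self.audit.append(("issue", user, device, "ok"))
        return credential

    def verify(self, user: str, device: str, credential: str) -> bool:
        """Return True exactly once for a live credential; anything else is False."""
        rec = self._records.get(self._digest(credential))
        if rec is None:
            outcome = "unknown"
        elif rec.used:
            outcome = "replay"          # second presentation of a spent credential
        elif self._now() > rec.expires_at:
            outcome = "expired"
        elif rec.user != user or rec.device != device:
            outcome = "wrong-binding"   # minted for another user or another device
        else:
            rec.used = True             # invalidate on the first successful use
            outcome = "ok"
        self.audit.append(("verify", user, device, outcome))  # per-user audit trail
        return outcome == "ok"


class NetworkDevice:
    """Managed device with no local password store: every login is forwarded
    to the AAA server. The direct call stands in for the AAA protocol, which
    the page does not name."""

    def __init__(self, name: str, aaa: AAAServer):
        self.name = name
        self._aaa = aaa

    def login(self, user: str, credential: str) -> bool:
        return self._aaa.verify(user, self.name, credential)


def demo(now=time.time) -> dict[str, bool]:
    """Walk through the flow on constructed users and devices."""
    aaa = AAAServer(now)
    core1 = NetworkDevice("core-sw-1", aaa)   # constructed device names
    core2 = NetworkDevice("core-sw-2", aaa)
    otp = aaa.issue("alice", "core-sw-1")
    return {
        "first_use": core1.login("alice", otp),                                  # accepted
        "replay": core1.login("alice", otp),                                     # rejected: spent
        "other_device": core2.login("alice", aaa.issue("alice", "core-sw-1")),   # rejected
        "other_user": core1.login("bob", aaa.issue("alice", "core-sw-1")),       # rejected
        "forged": core1.login("alice", "not-a-credential"),                      # rejected
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check:13s} accepted={accepted}")
```

Two points carry over to a real deployment: the AAA server must hold some record of what it issued (here a digest plus binding and expiry) or it cannot distinguish a live credential from a replayed one, and the audit list is what lets an incident be traced to a named user rather than to a shared account, which is the problem described in [0010].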

Description

Technical field
[0001] The present invention relates to a system and working method for secure access to network equipment based on one-time access credentials. It addresses the problems of the traditional mechanism in existing IP networks, in which network devices store account passwords locally and authenticate locally: the risk of password leakage is high, the passwords are uncontrollable, and accountability is difficult. Management through a bastion host also has the shortcomings that passwords are uncontrollable, out of sync, and recoverable. The present invention adopts AAA identity authentication in place of the traditional local authentication mode, replaces the traditional user account password with a one-time access credential, and also sets user management rights on the AAA server, which makes the division of user management rights more convenient and the network equipment more secure. It belongs to the t...


Application Information

Patent Type & Authority: Applications (China)
IPC (8): H04L 29/06, H04L 29/08
CPC: H04L 63/0892, H04L 63/0838, H04L 63/0815, H04L 63/0428, H04L 63/168, H04L 63/02, H04L 67/08
Inventor(s): 王道佳翁源丛群
Owner BEIJING WANGRUIDA TECH CO LTD