System and method for secure access to network devices based on one-time access credentials

This patent describes a network device access method built on one-time credentials. It applies to transmission systems, digital transmission systems, secure communication devices and similar fields, and addresses problems such as the high risk of shared account passwords, the difficulty of locating the actual user and responsible person behind an account, and the inability to retain full management and control rights over each network device. Because each credential is valid for a single use only, the method is intended to ensure safety and reliability.

Active Publication Date: 2022-01-04
BEIJING WANGRUIDA TECH CO LTD

AI Technical Summary

Problems solved by technology

[0009] 1. The administrator's handling of account passwords does not meet the basic requirement that network equipment be protected according to its network security level. Account passwords are easy to leak and carry high risk; once leaked, the scope of impact is wide and the loss is severe.
[0010] 2. Multiple users share the same account and password, so it is impossible to effectively control and distinguish which network devices each user may manage, and it is also difficult to separate the management actions of different users on the same network device.
Once a security incident occurs, it is difficult to locate the actual user and responsible person of the account.
[0011] 3. When different network devices are audited independently, each device's audit logs differ in content and depth. No unified access audit strategy can be formulated, and illegal operations are difficult to detect in time and trace.
Therefore, the bastion host cannot fully control all login accounts and passwords on the network device.
[0020] 2. Passwords are not synchronized: each network device has multiple sets of account passwords, and new accounts and passwords may be added. The bastion host cannot fully control the management of each network device.
When a password is changed, the account password originally stored in the bastion host naturally becomes invalid, and management and control of that network device is lost directly.
[0021] 3. Passwords are not secure.
The plaintext account passwords of all core network devices are stored in the bastion host. Once it is attacked, the risk of password leakage is high.




Embodiment Construction

[0048] In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with the accompanying drawings.

[0049] An important technical innovation of the system of the present invention is the use of a one-time access credential, the OTP or dynamic password, in place of the account password that a traditional client user would present when connecting to a managed network device. The AAA server automatically generates the dynamic password OTP according to a set algorithm for each user's connection request to each managed network device; it is an unpredictable, real-time random combination of characters and/or numbers. Each dynamic password has exactly one lifetime: it is used once and becomes invalid after that use.
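As an added illustration of the mechanism in paragraph [0049] and the abstract (it is not code from the patent or from its assignee), the following hypothetical Python model of the AAA server issues one unpredictable credential per (user, device, connection request), binds it to the requested device, gives it a short validity window, and discards it the moment it is presented, so a replayed or captured value is useless. The class and method names, the `permissions` map that stands in for the per-user authority division held on the AAA server, and the injectable clock are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingCredential:
    user: str
    device: str
    digest: bytes       # only a hash of the credential is stored server-side
    expires_at: float


class AAAServer:
    """Hypothetical AAA server issuing one-time access credentials (assumed model).

    permissions maps a user to the set of managed devices that user may access,
    standing in for the per-user authority division kept centrally on the AAA server.
    """

    def __init__(self, permissions, ttl_seconds=60, now=time.time):
        self.permissions = permissions
        self.ttl = ttl_seconds
        self.now = now              # injectable clock so expiry can be exercised in tests
        self.pending = {}           # credential id -> PendingCredential
        self.audit = []             # one unified audit trail covering every device

    @staticmethod
    def _digest(credential):
        return hashlib.sha256(credential.encode()).digest()

    def issue(self, user, device):
        """Handle a client's connection request for one managed device.

        Returns (credential_id, credential), or None if the user is not
        authorised for that device. The credential is freshly random per request.
        """
        if device not in self.permissions.get(user, set()):
            self.audit.append(("denied", user, device))
            return None
        cred_id = secrets.token_hex(8)
        credential = secrets.token_urlsafe(24)
        self.pending[cred_id] = PendingCredential(
            user, device, self._digest(credential), self.now() + self.ttl)
        self.audit.append(("issued", user, device))
        return cred_id, credential

    def verify(self, cred_id, credential, device):
        """Authenticate a login at `device` that presents the credential.

        Whatever the outcome, the credential is removed: it gets exactly one
        chance to be used, so replaying it after success or failure cannot work.
        """
        entry = self.pending.pop(cred_id, None)
        if entry is None:
            self.audit.append(("unknown", None, device))
            return False
        fresh = self.now() <= entry.expires_at
        bound = entry.device == device          # credential only works on the device it was issued for
        match = hmac.compare_digest(entry.digest, self._digest(credential))
        ok = fresh and bound and match
        self.audit.append(("accepted" if ok else "rejected", entry.user, device))
        return ok

    def purge_expired(self):
        """Drop credentials that were issued but never presented; returns how many."""
        now = self.now()
        stale = [k for k, v in self.pending.items() if v.expires_at < now]
        for k in stale:
            del self.pending[k]
        return len(stale)


if __name__ == "__main__":
    # Constructed demo: one authorised user, one managed switch.
    aaa = AAAServer({"alice": {"core-sw-1"}})
    cid, cred = aaa.issue("alice", "core-sw-1")
    print("first use:", aaa.verify(cid, cred, "core-sw-1"))
    print("replay:   ", aaa.verify(cid, cred, "core-sw-1"))
    print(aaa.audit)
```

The server keeps only a SHA-256 digest of each credential, so a compromise of its storage does not yield usable plaintext, which is the weakness paragraph [0021] attributes to a bastion host holding plaintext passwords. Every decision is appended to a single audit list keyed by user and device, which is the unified audit view that paragraph [0011] says per-device logs cannot provide.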

[0050] See Figure 3, which introduces the structure of the system for secure access to network equipment based on one-time access credentials i...


Abstract

A system and method for secure access to network equipment based on one-time access credentials. The system comprises a bastion host server and an AAA server with improved structures, a log analysis server, a client, and managed network equipment. The innovative feature of the system is that the AAA server randomly and dynamically generates a one-time access credential in real time for each SSH/Telnet connection and uses it for authentication, replacing the traditional mode in which network device account passwords and authority settings are stored and authenticated locally. The one-time access credential is transmitted encrypted and is discarded after each use. A user is allowed access only after the network device has authenticated the one-time access credential, which strengthens and ensures the security and reliability of the network device login account password. The AAA server centralizes the local authentication information that was previously dispersed across many network devices. It also finely divides user management rights and confines user behaviour to its legitimate management and control scope, thereby ensuring the security of the network equipment.

Description

Technical field [0001] The present invention relates to a system and working method for secure access to network equipment based on one-time access credentials. It addresses the problems of the traditional mechanism in existing IP networks, in which network equipment account passwords are stored and authenticated locally: the risk of password leakage is high, the passwords are uncontrollable, and accountability is difficult. The bastion host management approach also has many shortcomings, namely passwords that are uncontrollable, out of sync, and recoverable. The present invention adopts the AAA identity authentication mode in place of the traditional local authentication mode, replaces the traditional user account password with one-time access credentials, and sets user management authority in the AAA server, which makes the division of user management authority more convenient and the network equipment more secure. It belongs to the t...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L9/40; H04L67/08
CPC: H04L63/0892; H04L63/0838; H04L63/0815; H04L63/0428; H04L63/168; H04L63/02; H04L67/08
Inventors: 邓宇庭, 王鹏, 王道佳, 王君妍, 丛群
Owner: BEIJING WANGRUIDA TECH CO LTD