[0029] The present invention will be described in detail below with reference to the accompanying drawings and specific embodiments. Note that the aspects described below in conjunction with the accompanying drawings and specific embodiments are only exemplary, and should not be construed as any limitation to the protection scope of the present invention.
[0030] The existing operation and maintenance audit includes the following four management methods:
[0031] 1. Centralized account management
[0032] The global management based on the unique identifier realizes single sign-on, and no operation and maintenance personnel can bypass the security operation and maintenance audit system. Unified account management strategy to achieve seamless connection with various servers, network devices, etc.
[0033] 2. Centralized authorization management
[0034] Fine-grained command-level authorization policy, setting fine-grained authorization policies for multiple factors such as operation and maintenance personnel, server, server account, server application, access time, etc., so that the authority of operation and maintenance personnel is very finely divided, thus preventing The problem of unclear authority of operation and maintenance personnel.
[0035] 3. Centralized authentication management
[0036] The security operation and maintenance audit system provides a variety of authentication methods, including: local authentication, certificate authentication, RADIUS authentication and biometric fingerprint authentication. Centralized authentication effectively keeps illegitimate or unauthorized users out, like an unbreakable fortress.
[0037] 4. Centralized operation audit
[0038] Based on the unique identification, the whole process of auditing the user's operation behavior from login to logout provides a reliable and powerful basis for the post-event audit and responsibility positioning.
[0039] The above operation and maintenance capabilities can only cover the safe use of existing, logged-in, and authorized operation and maintenance users. Network isolation of dimensional terminals. like figure 1 As shown in the figure, when the login user is hijacked or the VPN information is leaked, it may be exploited by the attacker to upload the illegal attack script to the operation and maintenance terminal device through the operation and maintenance link channel, thereby breaking the security protection barrier of the operation and maintenance audit.
[0040] The reason for this kind of security accident is that there is no permission minimization strategy for the logged-in user. Once the authorization verification is met, the logged-in user is equivalent to having an operation and maintenance terminal.
[0041] In view of the above problems, the embodiments of the present application provide an operation and maintenance system, such as figure 2 As shown, including user terminal, operation and maintenance function centralized management platform and operation and maintenance terminal, operation and maintenance terminal remotely maps applications or terminal functions to operation and maintenance function centralized management platform, user terminal can communicate with operation and maintenance function centralized management platform and access The operation and maintenance function centrally manages the application or terminal functions provided by the platform.
[0042] The access strategy and protection strategy of traditional security operation and maintenance audits focus on pre-existing user verification, in-process authorization operations, and post-incident centralized auditing. ability. Therefore, when a hazard occurs, the hazard can be separated from the protected operation and maintenance terminal, which can further reduce the risk of intrusion.
[0043] The core of this system is to map the functions or applications originally in the operation and maintenance terminal to the centralized management platform through the remote mapping technology, so as to isolate the login user from the operation and maintenance terminal on the network. The network structure of the operation and maintenance terminal is hidden, so that the operation and maintenance terminal is protected from the risk of penetration scanning.
[0044] It should be noted that the remote mapping described in this application currently utilizes the remoteapp (remote desktop application) function on the winows host, which is based on the Microsoft Remote Desktop (RDP) protocol, which can run an application on a remote computer seamlessly". Through the remote app, you can only map the specified APP from the host machine to the centralized management platform for operation and maintenance functions, run "seamlessly" like a native program, and perfectly integrate with the native system. However, it should be noted that the remote mapping in this application is not limited to being implemented only by the remote app function, and may also be implemented by using similar software functions in other operating systems.
[0045] In a possible embodiment, the centralized management platform for operation and maintenance functions is a Windows host that has a remote app function and is protected by a security device such as a firewall.
[0046]Further, in large-scale network applications, there is a problem of huge consumption of network resources. Login users do not always need to perform operation and maintenance work through remote desktop links. In most cases, login users always access a certain application. To complete the operation and maintenance task, if you get a remote desktop for each access request, this is not only a waste of network resource allocation, but also increases the difficulty of security auditing of the operation and maintenance audit system. With the remote app technology, when a logged-in user runs an application on a remote server on a local client, he no longer needs to get the entire server desktop, but only needs to see the window where the application is running. This technology greatly reduces network resource consumption. At the same time, it also improves the security of operation and maintenance audit.
[0047] The construction process of the above operation and maintenance system includes the following steps:
[0048] (1) Create a centralized platform for operation and maintenance functions, which can be any Windows host with remote app function and protected by security devices such as firewalls;
[0049] (2) Create a login user, which can only be used for login operation and maintenance audit;
[0050] (3) The authorized login user can communicate with the centralized operation and maintenance function platform, but cannot directly log in to the centralized operation and maintenance function platform;
[0051] (4) The centralized platform for operation and maintenance functions creates various applications or terminal functions through the remote app to link the operation and maintenance terminals located at the lower layer of the core switch;
[0052] (5) Create an access authorization policy and bind the login user. The authorization policy includes the login user, the application program or terminal function that can access the centralized operation and maintenance function platform, and the operation and maintenance terminal resources and account information corresponding to each application program or terminal function.
[0053] In the traditional operation and maintenance system, the user terminal is directly connected to all managed terminal devices, setting itself in the production core network, and can only cover the existing, logged-in, and authorized logged-in users for safe use. When the logged-in user information is leaked , the production core network is completely exposed to the attacker; the present invention can be deployed in the protected operation and maintenance terminal network under the same conditions as the production environment, and the protected object can be stripped from the production core network. Protected Objects provides a solution that is completely targeted at the production core network.
[0054] The main purpose of the present invention is centralized management of operation and maintenance capabilities and isolation of operation and maintenance networks. A separate centralized access isolation channel is opened for operation and maintenance audit through switching devices. No matter whether the logged-in user is verified or not, the exposed accessible objects are only operation and maintenance. The centralized management platform for maintenance functions, and the authorized operation and maintenance functions on the platform, attackers cannot use the logged-in user to complete the information theft of operation and maintenance terminals and production core network resources.
[0055] In addition to the above-mentioned protection effect achieved by network isolation, the most important thing is also the core purpose of the present invention: centralized management of operation and maintenance functions, each logged-in user in the traditional operation and maintenance system must be assigned a remote desktop link when performing remote operation and maintenance. This is not only a waste of network resource allocation, but also increases the difficulty of security auditing of the operation and maintenance audit system. In this application, through the remote app technology, all the services that originally required decentralized remote access are concentrated on the centralized management platform for operation and maintenance functions, which greatly reduces the number of The number of remote desktop links is reduced, and it is only necessary to provide an accessible application or terminal function interface for the logged-in user, instead of providing a complete desktop link, which also reduces the difficulty of operation and maintenance monitoring, and only needs to maintain the stability of the centralized platform for operation and maintenance functions. sex and reliability.
[0056] To sum up, the centralized management platform for operation and maintenance functions provided by the embodiments of the present application can separately present the operation and maintenance capabilities required by the logged-in user to the logged-in user as an application program or terminal function, so that the logged-in user no longer has to Get a remote desktop, and at the same time, the operation and maintenance audit can also be transferred from the original remote desktop link of monitoring each operation and maintenance terminal to the remote application service of the monitoring operation and maintenance function centralized platform, which greatly reduces the difficulty of monitoring. In addition, the operation and maintenance function centralized management platform isolates the operation and maintenance terminal resources, production core network resources and external login users, which greatly improves the security barrier of operation and maintenance audit. It is only the centralized management platform for operation and maintenance functions and the authorized operation and maintenance functions on the platform. Attackers cannot use logged-in users to complete the theft of operation and maintenance terminal information and production core network resource information.
[0057] The various embodiments in this specification are described in a progressive manner, and each embodiment focuses on the differences from other embodiments, and the same and similar parts between the various embodiments can be referred to each other.
[0058] The previous description of the present disclosure is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to the present disclosure will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other variations without departing from the spirit or scope of the present disclosure. Thus, the present disclosure is not intended to be limited to the examples and designs described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
[0059] The above descriptions are only preferred examples of this application, and are not intended to limit this application. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of this application shall be included in the protection of this application. within the range.
