[go: up one dir, main page]

WO2009039679A1 - Architecture et procédé pour une gestion centralisée de minimisation et renforcement de la sécurité d'un système - Google Patents

Architecture et procédé pour une gestion centralisée de minimisation et renforcement de la sécurité d'un système Download PDF

Info

Publication number
WO2009039679A1
WO2009039679A1 PCT/CN2007/002824 CN2007002824W WO2009039679A1 WO 2009039679 A1 WO2009039679 A1 WO 2009039679A1 CN 2007002824 W CN2007002824 W CN 2007002824W WO 2009039679 A1 WO2009039679 A1 WO 2009039679A1
Authority
WO
WIPO (PCT)
Prior art keywords
status
central manager
servers
server
command
Prior art date
Application number
PCT/CN2007/002824
Other languages
English (en)
Inventor
Hao Wang
Original Assignee
Lucent Technologies Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lucent Technologies Inc. filed Critical Lucent Technologies Inc.
Priority to CN200780100537A priority Critical patent/CN101796523A/zh
Priority to PCT/CN2007/002824 priority patent/WO2009039679A1/fr
Publication of WO2009039679A1 publication Critical patent/WO2009039679A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks

Definitions

  • the present invention generally relates to the field of computer systems, more particularly, the invention relates to an architecture and method for realizing centralized system minimization and hardening management.
  • Every server needs to use the system minimization and protocol minimization procedure so that the whole network system can be secured.
  • the effort to minimize them grows.
  • Fig.l illustrates the existing solution for network system minimization.
  • every server has its own system minimization tools and user interface.
  • the network administrator has to log in every server and use its system minimization tools and user interface to make the server minimized, such as enabling/disabling one or more services and protocols on this server.
  • the existing solution provides management tools and interface on each server, it needs the network administrator log on to the servers to do the system minimization work one by one. In a large cooperation, the number of servers may be very huge, thus the effort will be very big.
  • the system minimization work on each server is independent of the work on other servers, there is no centralized traceability. That is to say, it doesn't provide a good way for the administrator to get the current status of each server, and there is either no easy way to understand and manage the impact to the whole network system after the minimization.
  • the objective of the present invention is to provide a solution for network system minimization, which can keep the above procedure as a centralized manageable process, so that the network system administrator can make the whole system minimization and protocol minimization in one point using uniform interface.
  • an architecture for realizing centralized system minimization and hardening management for a network comprising a plurality of servers.
  • the architecture comprises a central manager adapted to receive a command for the system minimization, obtain predefined server status for one or more of the plurality of servers according to the command, and send the predefined server status to the one or more servers respectively; and a plurality of agents residing on the plurality of servers respectively, each agent being adapted to get current service and protocol status of its server in response to the command, and change the current service and protocol status to meet the predefined server status received from the central manager.
  • a method for realizing centralized system minimization and hardening management for a network comprising a plurality of servers.
  • the method comprises receiving a command for the system minimization by a central manager; obtaining predefined server status for one or more of the plurality of servers by the central manager according to the command; sending the predefined server status respectively from the central manager to the respective agents residing on the one or more servers; getting, by each agent, current service and protocol status of its server in response to the command; and changing the current service and protocol status by the each agent to meet the predefined server status.
  • Fig.l is a representation of a conventional architecture for network system minimization known in the prior art
  • Fig.2 is a representation of a centralized system minimization and hardening management architecture in accordance with an embodiment of the present invention
  • Fig.3 is a schematic flow chart diagram illustrating the configuration of predefined server status in accordance with an embodiment of the present invention
  • Fig.4 is a schematic flow chart diagram illustrating the on-demand audit in accordance with an embodiment of the present invention.
  • Fig.5 is a schematic flow chart diagram illustrating the automatic audit in accordance with an embodiment of the present invention.
  • Fig.l shows schematically a conventional architecture for network system minimization known in the prior art, which has been discussed above in connection with the background of the present invention. Reference will now be made in detail to the preferred embodiments of the invention.
  • FIG. 2 shows schematically a centralized system minimization and hardening management architecture 200 in accordance with an embodiment of the present invention.
  • Architecture 200 is built on the basis of a network 210 comprising a plurality of servers 1...N.
  • the inventive solution is to use a central point to manage the system minimization of all the servers in the network 210.
  • This central point can send command messages to the respective agent on each server, respectively, and each agent will do actual system minimization work according to the command messages. These agents can send specific log information back to the central point.
  • architecture 200 may include a central manager 202, a plurality of agents 204 residing on the plurality of servers respectively, an administration interface 206 and a database 208, as shown in Fig.2.
  • Other elements may be presented, instead of or in addition to the above elements, in architecture 200 for other purposes without departing from the present invention.
  • Central manager 202 may receive and interpret command messages from the administration interface 206 or the agent 204, and read/write information according to the command messages by for example accessing the database 208.
  • the central manager 202 may send information for minimization, such as predefined server status (which will be detailed hereinafter), to the agent 204.
  • the central manager 202 may send command messages received from the administration interface 206 to the agent 204, and get information such as logs and records from the agent 204.
  • the central manager 202 is a system minimization management process that runs on one of the plurality of servers 1...N, such as a central server shown in Fig.2.
  • the central manager 202 is a multi-thread (or multi-process) program, so that it can do multiple jobs simultaneously.
  • Agent 204 may receive and interpret command messages from the central manager 202, get current status, such as service and protocol status, of its server according to the command messages, and send it back to the central manager 202. Moreover, the agent 204 may disable/enable specific services and protocols on the server according to the command messages received from the central manager 202, and audit current service and protocol status of its server by comparing the current service and protocol status with predefined status and then automatically changing the current status to the predefined status if there are discrepancies between them.
  • the agent 204 is a system minimization agent process living on each server that should be managed by administrator. In this case, managing means system minimization and hardening.
  • Administration interface 206 is possibly a GUI program that may or may not run on the same server of the central manager 202. Administrator 212 can login to the server that executes the administration interface 206 to do some work with respect to network system minimization, for instance, getting current service and protocol status of each server in the network, requesting enable/disable one or more services and protocols on one or more servers, configuring operational parameters for the minimization work, requesting each agent to audit current status of its server according to predefined status, etc.
  • the operational parameters may comprise an expected server status predefined for the minimization work, and automatic audit period set for the agent 204.
  • the predefined status can be used to all servers, or only be used to particular servers.
  • the administration interface 206 lives on a server that is the OA&M platform of the whole system, so that administrator 212 can easily access it. Further, the administration interface 206 is recommended to only interfaces with the central manager 202.
  • Database 208 may store the needed information of the minimization work, for example, the predefined status for the plurality of servers, and any other types of information such as logs and records from the agent 204.
  • the predefined status describes an expected server status (e.g., service and protocol status) for the plurality of servers when the network system minimization is accomplished.
  • the predefined status comprises default global status provided by a network operator, the global predefined status configured by system administrator, and the predefined status for specific servers configured by system administrator. Accordingly, there will be some kinds of data tables in the database 208 to maintain the above-described predefined status. In one embodiment, the following kinds of data tables are presented.
  • the first kind of table is Server Table shown as below, which stores information of server ID and FLAG.
  • the second kind of table is Global Predefined Status Table, which stores information of current and default global status of various services and protocols predefined for a plurality of servers.
  • this kind of table may comprise a global predefined service status table (shown as below), which stores information of service ID, service name, default predefined status, and current predefined status. There is no information of server ID stored in this table since the global predefined status is applicable to all servers.
  • Service ID is the unique identity of a service.
  • Service name is the name of a service (e.g. "IP forwarding").
  • Default predefined status is the network operator recommended status of a given service.
  • Current predefined status is the status for a given service configured by an administrator in terms of current minimization work.
  • this kind of table may also comprise a global predefined protocol status table with a structure similar to that of the global predefined service status table.
  • Predefined Status Table for Given Servers which stores information of current status of various services and protocols predefined for some specific servers. Similar to Global Predefined Status Table, Predefined Status Table for Given Servers may comprise a predefined service status table and a predefined protocol status table for such servers. As an example, the predefined service status table for given servers (shown as below) stores information of server ID, service ID, service name and current predefined status. Current predefined status is the predefined status configured by an administrator for a certain service on a given server.
  • Fig.3 is a schematic flow chart diagram illustrating the configuration of predefined server status in accordance with an embodiment of the present invention.
  • an administrator such as administrator 212 can configure various predefined status for one or more serves.
  • the first recommended step for customer to use the inventive architecture is to configure the global predefined status applicable to all of the plurality of serves.
  • the administration interface 206 receives a request to show the current global predefined status.
  • the administration interface 206 sends "Get current global predefined status" command to central manager 202.
  • the central manager 202 obtains the current global predefined status in step 303, for example by reading it from the database 208, and then sends it back to the administration interface 206 in step 304. If there is no global predefined status in the database 208, the default global status provided by the network operator will be read and sent to the administration interface 206.
  • the administration interface 206 shows the received information to the administrator 212. Then the administrator 212 changes the global predefined status for some services or protocols on the interface and submits the change in step 306.
  • the administration interface 206 sends "Change global predefined status" command and a new value of the global predefined status to the central manager 202, and then the central manager 202 saves the new global predefined status into the database 208 in step 308.
  • administrator 212 logins to the server that runs the administration interface 206 when he or she wants to configure the special predefined status for specific servers.
  • the administrator 212 uses the administration interface 206 to request to show the current predefined status for some specific servers.
  • the administration interface 206 sends "Get current predefined status for specific servers" command and the IDs of the specific servers to the central manager 202, which differs from the configuration of the global predefined status.
  • the central manager 202 obtains the current predefined status for the specific servers in step 303, for example by reading it from the database 208, and then sends it back to the administration interface 206 in step 304. If there is no predefined status for such servers in the database 208, the global server status will be read and sent to the administration interface 206. In step 305, the administration interface 206 shows the received information to the administrator 212. Then the administrator 212 changes the predefined status of some services or protocols for the specific servers on the interface and submits the change in step 306.
  • step 307 the administration interface 206 sends "Change predefined status for specific servers" command and a new value of the predefined status along with these servers' IDs to the central manager 202, and then the central manager 202 saves the new predefined status for these specific servers into the database 208 in step 308.
  • the central manager 202 may mark into the database 208 that the specific servers have their own predefined status.
  • Fig.4 is a schematic flow chart diagram illustrating the on-demand audit in accordance with an embodiment of the present invention.
  • a scenario that an administrator does audit job of the whole system is illustrated by reference to Fig.4.
  • administrator 212 logins to the server that runs the administration interface 206.
  • the administrator 212 requests to do audit of the whole system on the administration interface 206.
  • the administration interface 206 sends "Audit" command to the central manager 202.
  • the central manager 202 obtains in step 403 the predefined status for each server, for example by reading it from the database 208. If there is no special predefined status for the servers, the global predefined status will be read.
  • the central manager 202 sends "Audit" command and the predefined status to the respective agent 204 on each server, respectively. Step 403 and step 404 can also be occurs in a simultaneous way by "multithreaded” mechanism.
  • the agent 204 scans the current status (including services and protocols status) of its server in step 405, and in step 406 compares it with the corresponding predefined status sent from the central manager 202.
  • the agent 204 will change the server's status according to the predefined status.
  • the agent 204 sends results of execution to the central manager 202. For example, the agent 204 sends "Complete Audit" information to the central manager 202 upon completing the audit job. If there is error happened during the audit job, the agent 204 just sends "Fail to Audit” information to the central manager 202. Then the central manager 202 sends back the results to the administration interface 206 in step 408. It is noted that by a good multithreaded design and implement, the administrator 212 can see the results of each server in a real-time manner.
  • administrator 212 logins to the server that runs the administration interface 206.
  • the administrator 212 requests to do audit of the specific servers on the administration interface 206, wherein the servers need to audit can be selected from the administration interface 206.
  • the administration interface 206 sends "Audit" command to the central manager 202 along with a list of IDs of the specific servers.
  • the central manager 202 obtains the predefined status for each server in above list, for example by reading it from the database 208.
  • step 404 the central manager 202 sends "Audit" command and the predefined status to the respective agent 204 on each server in above list, respectively.
  • step 403 and step 404 can also be occurs in a simultaneous way by "multithreaded” mechanism.
  • the agent 204 scans the current status (including services and protocols status) of its server in step 405, and in step 406 compares it with the corresponding predefined status sent from the central manager 202. If there are discrepancies between them, the agent 204 will change the server's status according to the predefined status.
  • the agent 204 sends results of execution to the central manager 202. For example, the agent 204 sends "Complete Audit" information to the central manager 202 upon completing the audit job. If there is error happened during the audit job, the agent 204 just sends "Fail to Audit” information to the central manager 202. Then the central manager 202 sends back the results to the administration interface 206 in step 408. Similar to the situation of the on-demand audit for all servers, the administrator 212 also can see the results of each server in a real-time manner by a good multithreaded design and implement.
  • administrator 212 may request to get current status of servers in which he or she has interests, for example before issuing an audit command, so that the administrator 212 can track the status of such servers in real time and determine whether it is necessary to reconfigure current predefined status for these servers.
  • Administrator 212 logins to the server that runs the administration interface 206, and sends "Query Status" command and a list of IDs of the interested servers to the central manager 202 through the administration interface 206.
  • the central manager 202 then sends such "Query Status" command to the respective agents 204 on the interested servers, respectively.
  • the agent 204 works out the current status of its server and sends it back to the central manager 202.
  • the central manager 202 then sends the received information to the administration interface 206.
  • the administration interface 206 shows the current status of the interested servers to the administrator 212.
  • the periodic automatic audit may be performed so as to make the whole system to always keep up with the predefined status.
  • This needs an automatic audit period to be set at the respective agent 204 on each server respectively.
  • the administrator 212 logins to the server that runs the administration interface 206 and set the automatic audit period.
  • the administration interface 206 sends "Change Automatic Audit Duration" command and a new value of the audit period to the central manager 202.
  • the central manager 202 forwards such command messages to the respective agent 204 on each server, respectively.
  • the agent 204 changes its internal timer according to the new automatic period. It is noted that if the administrator 212 doesn't configure the audit period, the automatic audit will be executed at the expiration of a default audit period, which may be hard coded in the agent 204.
  • Fig.5 is a schematic flow chart diagram illustrating the automatic audit in accordance with an embodiment of the present invention.
  • the agent 204 sends "Get predefined status" command to the central manager 202.
  • the central manager 202 obtains the predefined status for the requested server in step 502, for example by reading it from the database 208. If there is no predefined status for the server, the global one will be read.
  • the predefined status for the server is sent to the respective agent 204 from the central manager 202.
  • the agent 204 scans the current services and protocols status of its server in step 504, and compares it with the predefined status in step 505.
  • the agent 204 will change the server's status according to the predefined status.
  • the audit results will be sent from the agent 204 to the central manager 202, and the later will record the results in some place such as database 208.
  • the centralized mechanism of the present invention greatly decreases the effort to minimize the services and protocols running on each server in a big network, since it does not need the network administrator login to the servers to do the system minimization work one by one. And this solution also makes the management work traceable, which can help the network administrator analyze and understand the impact onto the system after the minimization. Moreover, because the solution of the present invention can greatly save management effort for big cooperation, it will be applicable to any other environments which may adopt centralized operations.
  • the described features, structures, or characteristics of the invention may be combined in any suitable manner in one or more embodiments.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

L'invention porte sur une architecture et un procédé pour effectuer une gestion centralisée de minimisation et de renforcement de la sécurité d'un système dans un réseau comportant une pluralité de serveurs. L'architecture comporte un gestionnaire central conçu pour recevoir une instruction pour la minimisation du système, pour obtenir un état de serveur prédéfini pour un ou plusieurs de la pluralité de serveurs conformément à l'instruction, et pour envoyer l'état de serveur prédéfini au ou aux serveurs respectivement; et une pluralité d'agents résidant sur la pluralité de serveurs respectivement, chaque agent étant conçu pour obtenir un état actuel de service et de protocole de son serveur en réponse à l'instruction, et à modifier l'état actuel de service et de protocole pour satisfaire à l'état de serveur prédéfini reçu en provenance du gestionnaire central. La solution de l'invention réduit nettement l'effort pour minimiser les services et les protocoles fonctionnant sur chaque serveur dans un grand réseau, et peut aider un administrateur de réseau à analyser et à comprendre l'impact sur le système après la minimisation.
PCT/CN2007/002824 2007-09-26 2007-09-26 Architecture et procédé pour une gestion centralisée de minimisation et renforcement de la sécurité d'un système WO2009039679A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200780100537A CN101796523A (zh) 2007-09-26 2007-09-26 用于集中式系统最小化和强化管理的体系结构和方法
PCT/CN2007/002824 WO2009039679A1 (fr) 2007-09-26 2007-09-26 Architecture et procédé pour une gestion centralisée de minimisation et renforcement de la sécurité d'un système

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2007/002824 WO2009039679A1 (fr) 2007-09-26 2007-09-26 Architecture et procédé pour une gestion centralisée de minimisation et renforcement de la sécurité d'un système

Publications (1)

Publication Number Publication Date
WO2009039679A1 true WO2009039679A1 (fr) 2009-04-02

Family

ID=40510723

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/002824 WO2009039679A1 (fr) 2007-09-26 2007-09-26 Architecture et procédé pour une gestion centralisée de minimisation et renforcement de la sécurité d'un système

Country Status (2)

Country Link
CN (1) CN101796523A (fr)
WO (1) WO2009039679A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107066292A (zh) * 2017-03-06 2017-08-18 北京百度网讯科技有限公司 服务器环境部署方法和装置

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1352429A (zh) * 2001-11-29 2002-06-05 上海复旦光华信息科技股份有限公司 域用户集中授权和管理系统
JP2004013411A (ja) * 2002-06-05 2004-01-15 Yaskawa Electric Corp リモートメンテナンス装置
US20060191007A1 (en) * 2005-02-24 2006-08-24 Sanjiva Thielamay Security force automation

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1352429A (zh) * 2001-11-29 2002-06-05 上海复旦光华信息科技股份有限公司 域用户集中授权和管理系统
JP2004013411A (ja) * 2002-06-05 2004-01-15 Yaskawa Electric Corp リモートメンテナンス装置
US20060191007A1 (en) * 2005-02-24 2006-08-24 Sanjiva Thielamay Security force automation

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CARDOSO R.C ET AL: "Towards Autonomic Minimization of Security Vulnerabilities Exploitation in Hybrid Network Environments", AUTONOMIC AND AUTONOMOUS SYSTEMS AND INTERNATIONAL CONFERENCE ON NETWORKING AND SERVICES, 2005. ICAS-ICNS 2005. JOINT INTERRNATIONAL CONFERENCE ON PAPETTE. IEEE, 2005 *

Also Published As

Publication number Publication date
CN101796523A (zh) 2010-08-04

Similar Documents

Publication Publication Date Title
US11700303B1 (en) Distributed data analysis for streaming data sources
US8122500B2 (en) Tracking the security enforcement in a grid system
US8255409B2 (en) Systems and methods for generating a change log for files in a managed network
US7418489B2 (en) Method and apparatus for applying policies
US7397770B2 (en) Checking and repairing a network configuration
US7519624B2 (en) Method for proactive impact analysis of policy-based storage systems
EP2548137B1 (fr) Système d'événements réparti pour modèles relationnels
US7640459B2 (en) Performing computer application trace with other operations
JP5335682B2 (ja) サプライチェーンディスカバリサービス
US12229094B2 (en) Proxy-based database scaling
CN111861140A (zh) 一种业务处理方法、装置、存储介质和电子装置
US20040260765A1 (en) System and method for distribution of software licenses in a networked computing environment
US8762507B1 (en) Method and system for managing an information technology system
JP2002041327A (ja) クライアント管理ツールにおいてポーリングエージェントを実装するコンピュータシステムおよび方法
US11748171B2 (en) Method and system for collaborative workload placement and optimization
US20190129787A1 (en) Method, device and computer program product for managing input/output stack
CN118368120B (zh) 一种运维平台的数据管理方法、装置、电子设备及介质
WO2009039679A1 (fr) Architecture et procédé pour une gestion centralisée de minimisation et renforcement de la sécurité d'un système
CN117395236A (zh) 一种http代理服务的方法及系统
US9921934B1 (en) Storage process metrics
WO2016091141A1 (fr) Procédé et appareil permettant une collecte d'informations
US20090019082A1 (en) System and Method for Discovery of Common Information Model Object Managers
US12095851B2 (en) Domain name system based global server load balancing service
Server Active Directory
CN118820333A (zh) 一种动态连接目标数据库的管控方法及相关设备

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200780100537.3

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07816439

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07816439

Country of ref document: EP

Kind code of ref document: A1