CN101616007A - Implementation method, system and device for a MAP server - Google Patents

Implementation method, system and device for a MAP server

Info

Publication number
CN101616007A
Authority
CN
China
Prior art keywords
metadata
map
map server
mutual request
server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN200810127232A
Other languages
Chinese (zh)
Other versions
CN101616007B (en)
Inventor
刘冰
位继伟
尹瀚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Beijing University of Posts and Telecommunications
Original Assignee
Huawei Technologies Co Ltd
Beijing University of Posts and Telecommunications
Events
Application filed by Huawei Technologies Co Ltd and Beijing University of Posts and Telecommunications
Priority to CN2008101272328A
Publication of CN101616007A
Application granted
Publication of CN101616007B
Legal status: Active

Landscapes

  • Computer And Data Communications (AREA)

Abstract

Embodiments of the invention disclose an implementation method for a MAP server, comprising: a relay MAP server performs, according to a metadata interaction request sent by a MAP client, the operation of sending the metadata interaction request to the MAP server; the relay MAP server receives the response that the MAP server returns for that operation and sends the response to the MAP client. With the invention the MAP server can carry the load of a large number of endpoints and the load on the MAP Server is relieved: when many endpoints need to interact with the MAP Server, a proxy MAP Server or a multi-level arrangement of MAP Servers significantly relieves the pressure on a single MAP Server.

Description

Implementation method, system and device for a MAP server
Technical field
The present invention relates to the field of communications technology, and in particular to an implementation method, system and device for a MAP (Metadata Access Point) server.
Background
With the rapid growth of the Internet worldwide, the application layer of the OSI model faces ever more security threats: viruses, attacks and the like appear endlessly, and threats against the application layer have never stopped. The application layer is exposed mainly because the open architecture of IP (Internet Protocol, the protocol that interconnects networks) and the application layer itself lack protection against security threats. To protect networks, the prior art proposed TNC (Trusted Network Connect), an endpoint access control framework, so that a network is not threatened by insecure nodes on the network side, where an insecure node is one infected by a virus or one that has security vulnerabilities.
In a TNC system the network administrator installs agent software on a node that attempts to join the network. The agent collects the endpoint's system state information and the platform's integrity verification information; these are assessed to determine whether they meet the network security policy. Based on the assessment the node is either admitted to the network or not: only a node that meets the network security policy is admitted; a node that does not is denied access and may at the same time be told how to remediate.
IF-MAP (Interface for Metadata Access Point) is the MAP interface in the TNC framework, used for communication between a MAP Server (Metadata Access Point Server) and a MAP Client (Metadata Access Point Client). The MAP Server is a standalone entity; the MAP clients are the entities of the TNC framework, for example the PDP (Policy Decision Point), the PEP (Policy Enforcement Point), Sensors and Flow Controllers. Sensor and Flow Controller are conceptual entities: a Sensor is a device with a sensing function, typically an IDS (Intrusion Detection System); a Flow Controller is a device with a flow-control function, typically a FW (firewall).
In the IF-MAP protocol the MAP Server is equivalent to a BBS (Bulletin Board System): a MAP Client can publish information on the MAP Server and can subscribe to information from it. This information is called metadata; it describes the security state of endpoints and relates to endpoint state and security events. Using IF-MAP, the TNC architecture can monitor endpoint state in real time and, when an endpoint's state changes, re-assess that endpoint in real time to decide whether it may remain on the network. For example, the PDP subscribes via IF-MAP to the information of a user endpoint that is online; when an IDS or firewall publishes illegitimate-traffic information about that user on the MAP Server, the MAP Server delivers it to the PDP as metadata, and the PDP can decide in real time whether to keep allowing that user on the network.
In the prior art, under the IF-MAP protocol the MAP client communicates directly with the MAP Server: the MAP Client publishes metadata on the MAP Server directly, or subscribes to metadata on the MAP Server directly. The TNC architecture under the IF-MAP protocol is shown in Fig. 1:
At the Integrity Measurement Layer, the AR (Access Requestor) holds the Integrity Measurement Collectors, the Direct PEP column carries the IF-M interface, and the PDP holds the Integrity Measurement Verifiers. The Integrity Measurement Collectors communicate with the Integrity Measurement Verifiers over IF-M; the Integrity Measurement Verifiers communicate with the Metadata Access Point over the IF-MAP interface; and the Metadata Access Point in turn communicates over IF-MAP with devices such as Flow Controllers and Sensors. Likewise, at the Integrity Evaluation Layer the AR holds the TNC Client, the Direct PEP column carries the IF-TNCCS interface, and the PDP holds the TNC Server; the TNC Client communicates with the TNC Server over IF-TNCCS, the TNC Server communicates with the Metadata Access Point over IF-MAP, and the Metadata Access Point again communicates over IF-MAP with Flow Controllers, Sensors and similar devices. At the Network Access Layer the AR is the Network Access Requestor, the Direct PEP column carries the IF-T interface, and the PDP is the Network Access Authority; the Network Access Requestor communicates with the Network Access Authority over IF-T, the Network Access Authority communicates with the Metadata Access Point over IF-MAP, and the Metadata Access Point again communicates over IF-MAP with Flow Controllers, Sensors and similar devices. A PEP (Policy Enforcement Point) may be inserted into the path between the Network Access Requestor and the Network Access Authority, so that the Network Access Requestor communicates with the PEP, the PEP communicates with the Network Access Authority over the IF-PEP interface, and the PEP may also communicate directly with the Metadata Access Point over IF-MAP.
Simplifying the TNC architecture of Fig. 1 gives Fig. 2: the MAP Server communicates directly with the MAP clients, namely the Sensor, the Flow Controller, the PDP, the PEP and the Endpoint.
In the course of making the invention, the inventors found at least the following problem in the prior art: IF-MAP is used mainly by devices such as the PDP, PEP, IDS and FW to publish and subscribe to metadata. When user endpoints also need to publish and subscribe to metadata, the TNC structure has difficulty carrying the load of a large number of endpoints; the security risk grows with it, and the MAP Server can become a target of attack.
Summary of the invention
Embodiments of the invention provide an implementation method, system and device for a MAP Server that hide the address of the MAP Server, reduce the burden on a single MAP Server and also strengthen security.
Embodiments of the invention propose an implementation method for a MAP Server, comprising:
according to a metadata interaction request sent by a MAP client, performing the operation of sending the metadata interaction request to the MAP server;
receiving the response that the MAP server returns for that operation, and sending the response to the MAP client.
Embodiments of the invention also propose an implementation system for a MAP Server, comprising:
a MAP client, for sending a metadata interaction request message to a relay MAP server;
a relay MAP server, for receiving the interaction request message and sending it to the MAP server;
a MAP server, for responding to the interaction request message and returning the interaction result to the relay MAP server.
Embodiments of the invention also propose a communication device, comprising:
a server-side processing module, for receiving the metadata interaction request sent by the MAP client and returning to the MAP client the response corresponding to that request;
a client-side processing module, for converting the metadata interaction request message into a metadata interaction request message of the present device, sending it to the MAP server, and receiving the interaction result corresponding to that request returned by the MAP server.
Embodiments of the invention have the following advantages: the MAP server can carry the load of a large number of endpoints and the load on the MAP Server is relieved; when many endpoints need to interact with the MAP Server, a relay MAP Server significantly relieves the pressure on a single MAP Server, and it also reduces the security risk the original MAP Server faces, strengthening security.
Brief description of the drawings
To explain the embodiments of the invention or the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Clearly, the drawings described below show only some embodiments of the invention, and a person of ordinary skill in the art could obtain further drawings from them without creative effort.
Fig. 1 is the architecture diagram of TNC under the prior-art IF-MAP protocol;
Fig. 2 is the simplified architecture diagram of TNC under the prior-art IF-MAP protocol;
Fig. 3 is the flow chart of the MAP Server implementation method proposed by embodiment one of the invention;
Fig. 4 is the flow chart of the MAP Server implementation method proposed by embodiment two of the invention;
Fig. 5 is the flow chart of the MAP Server implementation method proposed by embodiment three of the invention;
Fig. 6 is the flow chart of the MAP Server implementation method proposed by embodiment four of the invention;
Fig. 7 is the flow chart of the MAP Server implementation method proposed by embodiment five of the invention;
Fig. 8 is the flow chart of the MAP Server implementation method proposed by embodiment six of the invention;
Fig. 9 is the flow chart of the MAP Server implementation method proposed by embodiment seven of the invention;
Fig. 10 is the structure diagram of a MAP Server implementation system proposed by an embodiment of the invention;
Fig. 11 is the structure diagram of another MAP Server implementation system proposed by an embodiment of the invention;
Fig. 12 is the structure diagram of a communication device proposed by an embodiment of the invention;
Fig. 13 is the structure diagram of another communication device proposed by an embodiment of the invention;
Fig. 14 is the structure diagram of another communication device proposed by an embodiment of the invention;
Fig. 15 is the structure diagram of another communication device proposed by an embodiment of the invention;
Fig. 16 is the structure diagram of another communication device proposed by an embodiment of the invention.
Detailed description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Clearly, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from these without creative effort fall within the scope of protection of the invention.
Embodiment one of the invention proposes an implementation method for a MAP Server, shown in Fig. 3, comprising:
Step S301: according to a metadata interaction request sent by a MAP client, a relay MAP server performs the operation of sending the metadata interaction request to the MAP server;
Step S302: the relay MAP server receives the response that the MAP server returns for that operation and sends the response to the MAP client.
Thus, in this embodiment the MAP server can carry the load of a large number of endpoints and its load is relieved: when many endpoints need to interact with the MAP Server, a relay MAP Server (a proxy MAP Server or a multi-level MAP Server) significantly relieves the pressure on a single MAP Server, reduces the security risk the original MAP Server faces and strengthens security.
Embodiment two of the invention proposes an implementation method for a MAP Server, shown in Fig. 4. When all the objects in a group with a subordinate relationship need metadata, it is not necessary for every entity to contact the MAP server directly; it is enough for the principal entity of the group to contact the MAP server. Concretely, an important entity such as the PDP can act both as a MAP client under IF-MAP and as a proxy MAP server. As a proxy MAP server the PDP is equivalent to a small MAP Server: its subordinate entities, including PEPs and endpoints, interact with the MAP Server through the PDP. When an endpoint wants to publish or subscribe to metadata it sends the corresponding message to the PDP, the PDP forwards it to the MAP Server, the MAP Server returns the result of the interaction request to the PDP, and the endpoint obtains the metadata directly from the PDP. This relieves the burden on the MAP server and simplifies its management. With reference to Fig. 4, the embodiment comprises:
Step S401: an endpoint of the MAP Client sends the proxy MAP server a metadata interaction request for publishing or subscribing, that is, sends the proxy MAP server a publish request or a subscribe request.
Step S402: the proxy MAP server converts the interaction request message of the MAP Client into an interaction request message of the proxy MAP Server.
Step S403: the proxy MAP server sends the interaction request message of the proxy MAP Server to the MAP Server.
Step S404: the MAP Server responds to the interaction request message of the proxy MAP Server and returns the interaction result to the proxy MAP server.
Step S405: the proxy MAP server returns the interaction result held in the proxy MAP server to the endpoint of the MAP Client.
Thus, in this embodiment the MAP server can carry the load of a large number of endpoints; endpoints obtain metadata directly from the proxy MAP server, the burden on the MAP server is relieved and its management is simplified.
Embodiment three of the invention proposes an implementation method for a MAP Server, shown in Fig. 5. When an endpoint wants to publish or subscribe to metadata it sends the corresponding message to the proxy MAP server; the proxy MAP server does not store the metadata message but passes the message sent by the endpoint on to the MAP Server, the MAP Server returns the interaction result to the proxy MAP server, and the endpoint obtains the metadata from the proxy MAP server. Because the proxy MAP server stores no metadata messages and only passes the endpoint's messages on to the MAP Server, this relay mode is called pass-through relay. With reference to Fig. 5, the embodiment comprises:
Step S501: an endpoint of the MAP Client sends the proxy MAP server an interaction request message for publishing or subscribing to metadata.
Step S502: the proxy MAP server checks the interaction request message sent by the endpoint of the MAP Client against a predefined network security policy. If the message meets the policy it is passed and processing continues at step S504; if not, the message is filtered out and processing continues at step S503.
Step S503: having filtered out the interaction request message, the proxy MAP server returns an error message to the endpoint of the MAP Client stating that the request does not meet the network security policy.
Step S504: the proxy MAP server converts the passed interaction request message into an interaction request message of the proxy MAP Server.
Step S505: the proxy MAP server sends the interaction request message of the proxy MAP Server to the MAP Server.
Step S506: the MAP Server responds to the interaction request message of the proxy MAP Server and returns the interaction result to the proxy MAP server.
Step S507: the proxy MAP server checks the interaction result against the predefined network security policy. If the result meets the policy it is passed and processing continues at step S509; if not, the result is filtered out and processing continues at step S508.
Step S508: having filtered out the interaction result, the proxy MAP server returns an error message to the MAP server stating that the interaction result does not meet the network security policy.
Step S509: the proxy MAP server returns the interaction result held in the proxy MAP server to the endpoint of the MAP Client.
Thus, in this embodiment the MAP server can carry the load of a large number of endpoints; endpoints obtain metadata directly from the proxy MAP server, the burden on the MAP server is relieved and its management is simplified. The security risk the original MAP Server faces is also reduced, strengthening security.
Embodiment four of the invention proposes an implementation method for a MAP Server, shown in Fig. 6. When an endpoint wants to publish or subscribe to metadata it sends the corresponding message to the proxy MAP server. The proxy MAP server first buffers a suitable number of metadata interaction requests and then forwards the buffered requests to the MAP Server in one go; the MAP Server returns the interaction results to the proxy MAP server, and the endpoints obtain the metadata from the proxy MAP server. Because the proxy MAP server buffers a number of metadata interaction requests and forwards them to the MAP Server in one go, this relay mode is called store-and-forward relay. With reference to Fig. 6, the embodiment comprises:
Step S601: an endpoint of the MAP Client sends the proxy MAP server an interaction request message for publishing or subscribing to metadata.
Step S602: the proxy MAP server checks the interaction request message against a predefined network security policy. If the message meets the policy it is passed and processing continues at step S604; if not, the message is filtered out and processing continues at step S603.
Step S603: having filtered out the interaction request message, the proxy MAP server returns an error message to the endpoint of the MAP Client stating that the request does not meet the network security policy.
Step S604: the proxy MAP server buffers the passed interaction request message.
Step S605: the proxy MAP server converts the buffered interaction request messages, in one go, into interaction request messages of the proxy MAP Server.
Step S606: the proxy MAP server sends the interaction request messages of the proxy MAP Server to the MAP Server.
Step S607: the MAP Server responds to the interaction request messages of the proxy MAP Server and returns the interaction results to the proxy MAP server.
Step S608: the proxy MAP server buffers the interaction results.
Step S609: the proxy MAP server checks these interaction results against the predefined network security policy. Results that meet the policy are passed and processing continues at step S611; results that do not are filtered out and processing continues at step S610.
Step S610: having filtered out the interaction results that do not meet the security requirements, the proxy MAP server returns an error message to the MAP server stating that those interaction results do not meet the network security policy.
Step S611: the proxy MAP server returns the interaction results, in one go, to the endpoints of the MAP Client.
Thus, in this embodiment the MAP server can carry the load of a large number of endpoints; endpoints obtain metadata directly from the proxy MAP server, the burden on the MAP server is relieved and its management is simplified. The security risk the original MAP Server faces is also reduced, strengthening security.
Embodiment five of the invention proposes an implementation method for a MAP Server, shown in Fig. 7, which is a hierarchical MAP Server implementation. When a TNC system is very large, the MAP Server is made up of one primary MAP Server and several second-level MAP Servers, and there may also be third-level MAP Servers; this embodiment is described with two levels as the example. A large TNC system can be divided into several small subsystems, each with its own second-level MAP Server. When the metadata stored by the second-level MAP Server itself satisfies the needs of its subordinate endpoints, it is used as a complete MAP Server; when it does not, the second-level MAP Server is equivalent to a proxy MAP Server. With reference to Fig. 7, the embodiment comprises:
Step S701: the MAP Client sends the second-level MAP server an interaction request message for publishing or subscribing to metadata, where the MAP Client includes endpoints, PEPs, sensors, flow controllers and so on.
Step S702: the second-level MAP server checks whether it holds metadata corresponding to the MAP Client's request for publishing or subscribing to metadata on the second-level MAP server. If it does, processing continues at step S703; if not, processing continues at step S704.
Step S703: the second-level MAP server returns to the MAP Client the metadata corresponding to the MAP Client's interaction request.
Step S704: the second-level MAP server converts the interaction request message into an interaction request message of the second-level MAP Server.
Step S705: the second-level MAP server sends the interaction request message of the second-level MAP Server to the MAP Server.
Step S706: the MAP Server responds to the interaction request message of the second-level MAP Server and returns the interaction result to the second-level MAP server.
Step S707: the second-level MAP server returns the interaction result to the MAP Client.
Thus, in this embodiment the MAP server can carry the load of a large number of endpoints; endpoints obtain metadata directly from the second-level MAP server acting as a proxy, the burden on the MAP server is relieved and its management is simplified. When many endpoints need to interact with the MAP Server, multi-level MAP Servers significantly relieve the pressure on a single MAP Server, reduce the security risk the original MAP Server faces and strengthen security.
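The relay behaviour of embodiments two to five, together with the publish/subscribe model of the background section (an IDS publishes an event about an endpoint, a client later searches for it), simulated below in Python. This is an added example and not code from the patent or from any IF-MAP implementation: the message dictionaries, the policy rules in ALLOWED_PUBLISH_TYPES and ALLOWED_RESULT_TYPES, the round-trip counter, the batch size, and the choice to keep a local copy of forwarded publishes in the second-level server are all assumptions made for the example. MAPServer here is a toy bulletin board keyed by identifier; a real IF-MAP server speaks SOAP over TLS and maintains subscriptions, which the example leaves out.

```python
from collections import defaultdict

# Assumed policy (example only): what an endpoint may publish about itself and what may be returned
# to it; "policy" metadata belongs to the PDP/PEP side and must never reach an endpoint.
ALLOWED_PUBLISH_TYPES = {"event", "capability"}
ALLOWED_RESULT_TYPES = {"event", "capability", "location"}


class MAPServer:
    """Origin MAP server: a publish/search store keyed by identifier (here an endpoint IP)."""

    def __init__(self):
        self.store = defaultdict(list)
        self.round_trips = 0  # interactions with this server, which the relays are meant to reduce

    def _apply(self, req):
        if req.get("op") == "publish":
            self.store[req["identifier"]].append(req["metadata"])
            return {"status": "ok"}
        if req.get("op") == "search":
            return {"status": "ok", "metadata": list(self.store[req["identifier"]])}
        return {"status": "error", "reason": "unknown operation"}

    def handle(self, req):  # one request, one round trip
        self.round_trips += 1
        return self._apply(req)

    def handle_batch(self, reqs):  # many buffered requests, one round trip (embodiment four)
        self.round_trips += 1
        return [self._apply(r) for r in reqs]


def check_request(client, req):
    """Inbound policy check (step S502): a rejection reason, or None if the request passes."""
    if req.get("op") not in ("publish", "search"):
        return "unknown operation"
    if req.get("identifier") != client:
        return "endpoint may only act on its own identifier"
    if req["op"] == "publish" and req.get("metadata", {}).get("type") not in ALLOWED_PUBLISH_TYPES:
        return "metadata type not publishable by endpoints"
    return None


def filter_result(result):
    """Outbound policy check (step S507): drop metadata types an endpoint may not see."""
    if result.get("status") != "ok" or "metadata" not in result:
        return result
    return {"status": "ok", "metadata": [m for m in result["metadata"] if m["type"] in ALLOWED_RESULT_TYPES]}


class PassThroughProxy:
    """Embodiment three: check, rewrite as the proxy's own request, forward, check the reply."""

    def __init__(self, name, upstream):
        self.name, self.upstream = name, upstream

    def rewrite(self, client, req):
        # The upstream sees the proxy as requester; the endpoint's address is not exposed to it (S504).
        return dict(req, requester=self.name, on_behalf_of=client)

    def handle(self, client, req):
        reason = check_request(client, req)
        if reason:  # S503: error back to the endpoint, nothing reaches the MAP Server
            return {"status": "error", "reason": reason}
        return filter_result(self.upstream.handle(self.rewrite(client, req)))  # S505-S509


class StoreAndForwardProxy(PassThroughProxy):
    """Embodiment four: buffer passed requests and forward them upstream in a single batch."""

    def __init__(self, name, upstream, batch_size):
        super().__init__(name, upstream)
        self.batch_size, self.pending = batch_size, []

    def handle(self, client, req):
        reason = check_request(client, req)
        if reason:
            return {"status": "error", "reason": reason}
        self.pending.append((client, req))  # S604
        if len(self.pending) < self.batch_size:
            return {"status": "queued"}
        batch, self.pending = [self.rewrite(c, r) for c, r in self.pending], []  # S605
        results = self.upstream.handle_batch(batch)  # S606, S607
        return {"status": "ok", "results": [filter_result(r) for r in results]}  # S608-S611


class SecondLevelMAPServer(PassThroughProxy):
    """Embodiment five: answer from the local store when it has the data, else ask the primary."""

    def __init__(self, name, upstream):
        super().__init__(name, upstream)
        self.local = MAPServer()

    def handle(self, client, req):
        if req.get("op") == "search" and self.local.store.get(req.get("identifier")):
            return filter_result(self.local.handle(req))  # S702, S703
        result = super().handle(client, req)  # S704-S707
        if req.get("op") == "publish" and result["status"] == "ok":
            self.local.handle(req)  # assumed: keep a local copy so later searches stay in the subsystem
        return result
```

The point to check when building a relay like this is where `client` comes from: the proxy's policy check is only as strong as the identity it is given, so `client` must be taken from the authenticated session (in IF-MAP, the TLS-authenticated connection) and never from a field inside the request body. Hiding the MAP Server's address behind the relay, as the summary promises, keeps endpoints from addressing it directly, but it is not a substitute for this check or for access control on the MAP Server itself, which still has to authenticate the relay.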
Embodiment six of the invention proposes an implementation method for a MAP Server, shown in Fig. 8. A logic module is placed inside the MAP Server, dedicated to handling the interaction requests with which endpoints of the MAP Client publish or subscribe to metadata on the MAP server; this strengthens security and reduces load. With reference to Fig. 8, the embodiment comprises:
Step S801: an endpoint of the MAP Client sends the MAP server an interaction request message for publishing or subscribing to metadata; specifically, the interaction request message is sent to the logic module in the MAP server.
Step S802: the MAP server responds to the metadata interaction request according to the interaction request message in the logic module and returns the interaction result to the endpoint of the MAP Client through the logical channel.
Embodiment seven of the invention proposes an implementation method for a MAP Server. When metadata operations are implemented on the MAP Server and the TNC system is very large, the MAP Server is made up of one overall MAP Server and several lightweight MAP Servers. A distributed model can then be adopted in which the lightweight MAP Servers are peers and share data with one another. The scenario of the lightweight MAP Servers is shown in Fig. 9: this embodiment takes three lightweight MAP Servers as an example, and each lightweight MAP Server communicates with the others.
Introduce the realization system of the MAP server of the embodiment of the invention below, comprising:
The MAP client is used for sending to transfer MAP server the mutual request message of metadata;
Transfer MAP server is used to receive described mutual request message, and described mutual request message is sent to MAP server, and the mutual request results that will receive sends to described MAP client;
The MAP server is used to respond described mutual request message, and mutual request results is returned to described transfer MAP server.
Under a kind of realization, the realization system of a kind of MAP Server that the embodiment of the invention proposes as shown in figure 10, comprising: MAP Client 10A, act on behalf of MAP server 20A, MAP server 30A;
MAP Client 10A is used for receiving by acting on behalf of the mutual request results that MAP server 20A sends to acting on behalf of the mutual request message that MAP server 20A sends issue or subscribes to metadata.Act on behalf of MAP server 20A, be used to receive the mutual request message that MAP Client 10A sends, the mutual request message that MAPClient 10A is sent changes into the mutual request message of acting on behalf of MAP Server 20A and sends to MAP server 30A, and the mutual request results that will receive sends to MAP Client 10A.
MAP server 30A is used for the mutual request message of response agent MAP server 20A, mutual request results is returned to act on behalf of MAP server 20A.
In another implementation, besides the proxy server scenario above, a further typical scenario is a multi-level MAP Server: when a TNC system is very large, it comprises one primary MAP Server and second-level MAP Servers. It should be understood that there may be several second-level MAP Servers, and third-level MAP Servers may also be present. This embodiment takes the two-level case as typical.
Another MAP Server implementation system proposed by an embodiment of the invention, shown in Figure 11, comprises: MAP Client 100, second-level MAP server 400 and MAP server 300;
MAP Client 100 is configured to send interaction request messages that publish or subscribe to metadata to second-level MAP server 400, and to receive the interaction results sent by second-level MAP server 400.
Second-level MAP server 400 is configured to receive the interaction request message sent by MAP Client 100 and determine whether it holds metadata corresponding to that request. If it does, second-level MAP server 400 returns the corresponding metadata to MAP Client 100; if it does not, it converts the request message sent by MAP Client 100 into an interaction request message issued by second-level MAP server 400 itself, sends it to MAP server 300, and sends the interaction result received from MAP server 300 back to MAP Client 100.
MAP server 300 is configured to respond to the interaction request message from second-level MAP server 400 and return the interaction result to second-level MAP server 400.
An embodiment of the invention also proposes a communication device, shown in Figure 12, comprising:
Server-side processing module 20, configured to receive the metadata interaction request message sent by a MAP client and return to the MAP client the interaction result corresponding to that request;
Client-side processing module 21, configured to convert the metadata interaction request message into a metadata interaction request message issued by the present device, send it to the MAP server, and receive the interaction result corresponding to the metadata interaction request that the MAP server returns.
An embodiment of the invention also proposes a communication device, shown in Figure 13, comprising:
Authentication module 22, configured to determine whether the interaction request message received by first server-side processing module 24 meets the requirements of a predefined network security policy, and/or whether the interaction result meets the requirements of the predefined network security policy;
First client-side processing module 23, configured to convert the interaction request messages that authentication module 22 has determined to meet the security policy into metadata interaction request messages issued by the present device, send them to the MAP server, and receive the interaction results the MAP server returns;
First server-side processing module 24, configured to receive the metadata interaction request sent by MAP client 10 and return to MAP client 10 the interaction result that corresponds to the request and that authentication module 22 has determined to meet the security policy.
An embodiment of the invention also proposes a communication device, shown in Figure 14, comprising:
First storage module 25, configured to store metadata interaction request messages from MAP clients and interaction results from the MAP server;
Second client-side processing module 26, configured to convert a certain number of the metadata interaction request messages stored in first storage module 25 into metadata interaction request messages issued by the present device, send them to MAP server 30, receive at least one interaction result corresponding to those request messages from MAP server 30, and store it in first storage module 25;
Second server-side processing module 27, configured to receive the metadata interaction requests sent by MAP client 10 and store them in first storage module 25, and to return to the MAP client a certain number of the interaction results stored in first storage module 25.
An embodiment of the invention also proposes a communication device, shown in Figure 15, comprising:
First storage module 25A, configured to store metadata interaction request messages from MAP clients and interaction results from the MAP server;
Alternatively, in another implementation, first storage module 25A is configured to store the interaction request messages and interaction response results that come from authentication module 28;
Second client-side processing module 26A, configured to convert a certain number of the metadata interaction request messages stored in first storage module 25A into metadata interaction request messages issued by the present device, send them to the MAP server, receive at least one interaction result corresponding to those request messages from the MAP server, and store it in first storage module 25A;
Second server-side processing module 27A, configured to receive the metadata interaction requests sent by MAP clients and store them in first storage module 25A, and to return to the MAP client a certain number of the interaction results stored in first storage module 25A.
Authentication module 28, configured to determine whether the interaction request message received by second server-side processing module 27A meets the requirements of a predefined network security policy, and/or whether the interaction result meets the requirements of the predefined network security policy.
An embodiment of the invention also proposes another communication device, shown in Figure 16, comprising:
Server-side processing module 200, configured to receive the metadata interaction request sent by a MAP client and return to the MAP client the interaction result corresponding to that request;
Client-side processing module 210, configured to convert the metadata interaction request message into a metadata interaction request message issued by the present device, send it to the MAP server, and receive the interaction result corresponding to the metadata interaction request that the MAP server returns.
Judgment module 220, configured to determine whether the present device holds metadata corresponding to the metadata interaction request sent by the MAP client. When no corresponding metadata is present, it has client-side processing module 210 convert the metadata interaction request message into one issued by the present device and send it to the MAP server; when the present device does hold the corresponding metadata, it has server-side processing module 200 return that metadata to the MAP client as the interaction result.
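The proxy and second-level servers of Figures 10, 11, 14 and 16 reduce to one loop: check the client's session, answer from local metadata when the judgment module finds it, otherwise re-issue the request under the relay's own upstream session (buffered and sent in a batch for publishes, as in the storage-module embodiment) and keep the answer locally. The following Python model, added here as an illustration and not code from the patent or from any IF-MAP implementation, shows that loop with IF-MAP messages reduced to dicts; the class names, the session-id formats, the `source`/`queued`/`flushed` fields and the sample identifiers are assumptions.

```python
"""Toy model of the proxy / second-level MAP server arrangement described above.

Added example, not code from the patent. IF-MAP messages are modelled as plain
dicts instead of SOAP/XML, and every class, field and session-id name here is an
assumption chosen for illustration so that the example runs offline.
"""


class MapServer:
    """Origin MAP server: metadata keyed by identifier, one session per peer."""

    def __init__(self):
        self.metadata = {}   # identifier -> list of metadata items
        self.sessions = {}   # session-id -> publisher-id that opened it

    def new_session(self, publisher_id):
        session_id = f"s-{publisher_id}"
        self.sessions[session_id] = publisher_id
        return session_id

    def handle(self, request):
        publisher = self.sessions.get(request["session_id"])
        if publisher is None:
            return {"status": "error", "reason": "invalid session"}
        if request["op"] == "publish":
            # the origin attributes the item to the session owner, never to the endpoint
            item = {"publisher": publisher, **request["metadata"]}
            self.metadata.setdefault(request["identifier"], []).append(item)
            return {"status": "ok"}
        if request["op"] == "search":
            return {"status": "ok", "result": list(self.metadata.get(request["identifier"], []))}
        return {"status": "error", "reason": "unsupported op"}

    def handle_batch(self, requests):
        """Several converted requests delivered in one upstream exchange."""
        return [self.handle(r) for r in requests]


class SecondaryMapServer:
    """Proxy / second-level MAP server sitting between MAP clients and the origin."""

    def __init__(self, origin, batch_size=1):
        self.origin = origin
        self.session_id = origin.new_session("secondary")  # the only upstream session
        self.client_sessions = set()
        self.cache = {}      # identifier -> metadata held locally
        self.pending = []    # converted publish requests waiting for a batch send
        self.batch_size = batch_size

    def new_session(self, client_id):
        session_id = f"c-{client_id}"
        self.client_sessions.add(session_id)
        return session_id

    def convert(self, request):
        """Re-issue the client's request as the secondary server's own request."""
        return {**request, "session_id": self.session_id}

    def handle(self, request):
        if request["session_id"] not in self.client_sessions:
            return {"status": "error", "reason": "invalid session"}
        ident = request["identifier"]
        if request["op"] == "search" and ident in self.cache:
            # judgment module: metadata present locally, answer without contacting the origin
            return {"status": "ok", "result": list(self.cache[ident]), "source": "secondary"}
        if request["op"] == "publish":
            # storage module: buffer the converted request and keep a local copy of the metadata
            self.pending.append(self.convert(request))
            self.cache.setdefault(ident, []).append({"publisher": "secondary", **request["metadata"]})
            if len(self.pending) < self.batch_size:
                return {"status": "ok", "source": "secondary", "queued": len(self.pending)}
            flushed = self.origin.handle_batch(self.pending)
            self.pending = []
            return {"status": "ok", "source": "origin", "flushed": len(flushed)}
        # search miss: forward under the proxy's own session and keep the answer locally
        response = self.origin.handle(self.convert(request))
        if response["status"] == "ok":
            self.cache[ident] = list(response["result"])
        return {**response, "source": "origin"}


def demo():
    """Constructed scenario: two endpoints publish about one IP, a third searches it."""
    origin = MapServer()
    proxy = SecondaryMapServer(origin, batch_size=2)
    pdp, dhcp, ids = (proxy.new_session(c) for c in ("pdp", "dhcp", "ids"))
    r1 = proxy.handle({"op": "publish", "session_id": pdp, "identifier": "ip:10.0.0.5",
                       "metadata": {"type": "access-request"}})
    r2 = proxy.handle({"op": "publish", "session_id": dhcp, "identifier": "ip:10.0.0.5",
                       "metadata": {"type": "ip-mac"}})
    r3 = proxy.handle({"op": "search", "session_id": ids, "identifier": "ip:10.0.0.5"})
    r4 = proxy.handle({"op": "search", "session_id": ids, "identifier": "ip:10.0.0.9"})
    return origin, proxy, [r1, r2, r3, r4]


if __name__ == "__main__":
    for r in demo()[2]:
        print(r)
```

Two effects of the layering are visible in the model: the origin holds a single session (`s-secondary`) however many clients attach to the relay, and every item it stores is attributed to the relay, so a client session id presented directly to the origin is rejected. The model also shows the cost the page does not discuss: a publish acknowledged as `queued` has not yet reached the origin, and a cached search answer is only as fresh as the last time this relay saw that identifier, so a deployment needs subscribe/poll-driven invalidation or a TTL on the local cache.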
Thus, embodiments of the invention provide a layered, multi-level MAP Server mechanism. When a large number of endpoints all need metadata, this relieves the load on the MAP Server to some extent and reduces the security risk the original MAP Server faces.
By using a proxy MAP server or a multi-level MAP server, the address of the original MAP Server is hidden from entities at the endpoint level: since every forwarded request is re-issued as the relay's own, the MAP Server sees only the relay as the requester. This avoids the security threat of an endpoint obtaining the MAP Server address directly and launching an attack on the original MAP Server.
Using a proxy MAP server or a multi-level MAP server relieves the load on the original MAP Server. Communication between a MAP Client and the MAP Server requires a Session to be established; when a large number of endpoints need to access the MAP Server, going through a proxy MAP server or a second-level MAP Server significantly reduces the number of Sessions the MAP Server must maintain and effectively relieves the pressure on the single MAP Server.
Using a proxy MAP server or a multi-level MAP server also strengthens security. The authentication module inside the proxy server can add specific security functions; for example, a simple measure such as capping the number of MAP requests a single endpoint may issue within a given time period can effectively defend against DDoS attacks on the MAP Server.
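The policy check the authentication module performs can be made concrete. The following Python sketch, added here and not the patent's code, implements the per-endpoint cap from the paragraph above as a sliding-window counter and pairs it with the result-side check the module is also said to perform. The limit of 5 requests per 60 s, the operation allow-list and the metadata-type allow-list are assumed policy values, and `simulate_burst` drives the module with constructed traffic.

```python
"""Policy (authentication) module of the proxy MAP server: per-endpoint request
cap plus result filtering.

Added example, not code from the patent. The limits, the operation allow-list
and the metadata-type allow-list are assumed policy values chosen for
illustration; timestamps are passed in explicitly so the example runs offline.
"""
from collections import defaultdict, deque


class PolicyModule:
    def __init__(self, limit=5, window=60.0,
                 allowed_ops=("publish", "search", "subscribe", "poll"),
                 allowed_types=("ip-mac", "access-request", "device-attribute")):
        self.limit = limit                   # max requests per endpoint within the window
        self.window = window                 # window length in seconds
        self.allowed_ops = set(allowed_ops)
        self.allowed_types = set(allowed_types)
        self.history = defaultdict(deque)    # endpoint -> timestamps of recent requests

    def check_request(self, endpoint, request, now):
        """Vet a request before it is converted and forwarded; returns (allowed, reason)."""
        if request.get("op") not in self.allowed_ops:
            return False, "operation not permitted"
        times = self.history[endpoint]
        while times and now - times[0] >= self.window:
            times.popleft()                  # forget requests that fell out of the sliding window
        if len(times) >= self.limit:
            return False, "rate limit exceeded"   # the flood stops here and never reaches the origin
        times.append(now)
        return True, "ok"

    def check_result(self, response):
        """Vet a result before it goes back to the client: drop metadata types outside policy."""
        if response.get("status") != "ok" or "result" not in response:
            return response
        kept = [m for m in response["result"] if m.get("type") in self.allowed_types]
        return {**response, "result": kept, "dropped": len(response["result"]) - len(kept)}


def simulate_burst(policy, endpoint, count, interval):
    """Constructed traffic: `count` searches from one endpoint, `interval` seconds apart.
    Returns (forwarded, rejected)."""
    forwarded = rejected = 0
    for i in range(count):
        allowed, _ = policy.check_request(endpoint, {"op": "search"}, now=i * interval)
        if allowed:
            forwarded += 1
        else:
            rejected += 1
    return forwarded, rejected


if __name__ == "__main__":
    policy = PolicyModule(limit=5, window=60.0)
    print("flood, 1 s apart:", simulate_burst(policy, "ep-a", 20, 1.0))
    print("normal, 20 s apart:", simulate_burst(policy, "ep-b", 20, 20.0))
```

With these values a burst of 20 searches one second apart forwards 5 and rejects 15, while a client issuing one search every 20 seconds is never blocked. The cap is keyed on `endpoint`, so it is only as strong as the identity the proxy binds to each client session (in IF-MAP, the TLS client certificate or HTTP credential that authenticated the session); an attacker who can open fresh sessions at will is limited only per session. The proxy also inherits the flood: the origin is protected, but the proxy's own session and request handling must be sized for the traffic it now absorbs.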
Those of ordinary skill in the art will appreciate that all or part of the flow of the methods in the above embodiments can be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the flow of the method embodiments described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The above is only a preferred embodiment of the invention. It should be noted that those skilled in the art may make further improvements and modifications without departing from the principles of the invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the invention.

Claims (17)

1. A method for implementing a metadata access point (MAP) server, characterized in that it comprises:
sending a metadata interaction request operation to the MAP server according to a metadata interaction request sent by a MAP client;
receiving the response that the MAP server returns for the metadata interaction request operation, and sending the response to the MAP client.
2. The method of claim 1, characterized in that sending a metadata interaction request operation to the MAP server according to the metadata interaction request sent by the MAP client comprises:
a relay MAP server receiving the metadata interaction request sent by the MAP client and converting it into an interaction request message issued by the relay MAP server;
the relay MAP server sending the converted interaction request message to the MAP server.
3. The method of claim 1, characterized in that, when the relay MAP server is a proxy MAP server, sending a metadata interaction request operation to the MAP server according to the metadata interaction request sent by the MAP client comprises:
the proxy MAP server receiving the metadata interaction request message sent by the MAP client;
the proxy MAP server evaluating the metadata interaction request message against a predefined network security policy;
the proxy MAP server converting the metadata interaction request messages that meet the network security policy into interaction request messages issued by the proxy MAP server, and forwarding them to the MAP server.
4. The method of claim 1, characterized in that, when the relay MAP server is a proxy MAP server, sending a metadata interaction request operation to the MAP server according to the metadata interaction request sent by the MAP client further comprises:
the proxy MAP server receiving the metadata interaction request messages sent by MAP clients and buffering them;
when a certain number of metadata interaction request messages have been buffered, the proxy MAP server converting them into interaction request messages issued by the proxy MAP server and sending them to the MAP server in a single batch.
5. The method of claim 1, characterized in that, when the relay MAP server is a hierarchical MAP server, sending a metadata interaction request operation to the MAP server according to the metadata interaction request sent by the MAP client comprises:
the hierarchical MAP server receiving the metadata interaction request sent by the MAP client;
when the hierarchical MAP server holds metadata corresponding to the metadata interaction request, returning that metadata to the MAP client in a response message;
when the hierarchical MAP server does not hold metadata corresponding to the metadata interaction request, converting the request into a metadata interaction request issued by itself and sending it to the MAP server.
6. The method of claim 1, characterized in that the metadata interaction request comprises at least one of the following requests:
a subscribe request sent by the MAP client to the MAP server for subscribing to metadata;
a publish request sent by the MAP client to the MAP server for publishing metadata.
7. A system for implementing a MAP server, characterized in that it comprises:
a MAP client, configured to send a metadata interaction request message to a relay MAP server;
the relay MAP server, configured to receive the interaction request message, send it to the MAP server, and send the interaction result it receives to the MAP client;
the MAP server, configured to respond to the interaction request message and return the interaction result to the relay MAP server.
8. The system of claim 7, characterized in that, when the relay MAP server is a proxy server, the proxy MAP server is configured to receive the interaction request message, convert it into an interaction request message issued by the proxy MAP server, send it to the MAP server, and send the interaction result it receives to the MAP client.
9. The system of claim 7, characterized in that, when the relay MAP server is a hierarchical server, the hierarchical MAP server is configured to receive the interaction request message and determine whether it holds metadata corresponding to that message; when it does not, it converts the metadata interaction request message into a metadata interaction request message issued by itself, sends it to the MAP server, and sends the interaction result it receives to the MAP client.
10. The system of claim 9, characterized in that the hierarchical MAP server is further configured, when it holds metadata corresponding to the interaction request message, to return the stored metadata corresponding to the metadata interaction request to the MAP client in a response message.
11. A communication device, characterized in that it comprises:
a server-side processing module, configured to receive the metadata interaction request message sent by a MAP client and return to the MAP client the interaction result corresponding to that metadata interaction request message;
a client-side processing module, configured to convert the metadata interaction request message into a metadata interaction request message issued by the present device, send it to the MAP server, and receive the interaction result corresponding to the metadata interaction request that the MAP server returns.
12. The device of claim 11, characterized in that it further comprises:
an authentication module, configured to determine whether the interaction request message received by the server-side processing module meets the requirements of a predefined network security policy, and/or whether the interaction result meets the requirements of the predefined network security policy;
the client-side processing module being a first client-side processing module, configured to convert the interaction request messages that the authentication module has determined to meet the security policy into metadata interaction request messages issued by the present device, send them to the MAP server, and receive the interaction results the MAP server returns;
the server-side processing module being a first server-side processing module, configured to receive the metadata interaction request sent by the MAP client and return to the MAP client the interaction result that corresponds to the metadata interaction request and that the authentication module has determined to meet the security policy.
13. The device of claim 11, characterized in that it further comprises:
a first storage module, configured to store the metadata interaction request messages from the MAP client and the interaction results from the MAP server;
the client-side processing module being a second client-side processing module, configured to convert a certain number of the metadata interaction request messages stored in the first storage module into metadata interaction request messages issued by the present device, send them to the MAP server, receive at least one interaction result corresponding to those interaction request messages from the MAP server, and store it in the first storage module;
the server-side processing module being a second server-side processing module, configured to receive the metadata interaction requests sent by the MAP client and store them in the first storage module, and to return to the MAP client a certain number of the interaction results stored in the first storage module.
14. The device of claim 13, characterized in that it further comprises:
an authentication module, configured to determine whether the interaction request message received by the server-side processing module meets the requirements of a predefined network security policy, and/or whether the interaction result meets the requirements of the predefined network security policy.
15. The device of claim 11, characterized in that it further comprises:
a judgment module, configured to determine whether the present device holds metadata corresponding to the metadata interaction request sent by the MAP client and, when no corresponding metadata is present, to have the client-side processing module convert the metadata interaction request message into a metadata interaction request message issued by the present device and send it to the MAP server.
16. The device of claim 15, characterized in that the judgment module is further configured, when the present device holds metadata corresponding to the interaction request message, to have the server-side processing module return that metadata to the MAP client as the interaction result.
17. A MAP server, characterized in that it comprises a communication device as claimed in any one of claims 11 to 16.
CN2008101272328A 2008-06-24 2008-06-24 Method, system and device for realizing MAP server Active CN101616007B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101272328A CN101616007B (en) 2008-06-24 2008-06-24 Method, system and device for realizing MAP server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2008101272328A CN101616007B (en) 2008-06-24 2008-06-24 Method, system and device for realizing MAP server

Publications (2)

Publication Number Publication Date
CN101616007A true CN101616007A (en) 2009-12-30
CN101616007B CN101616007B (en) 2012-04-18

Family

ID=41495437

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008101272328A Active CN101616007B (en) 2008-06-24 2008-06-24 Method, system and device for realizing MAP server

Country Status (1)

Country Link
CN (1) CN101616007B (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102215211A (en) * 2010-04-02 2011-10-12 中兴通讯股份有限公司 Communication method, and security policy negotiation method and system for supporting trusted network connect
CN102929958A (en) * 2012-10-10 2013-02-13 无锡江南计算技术研究所 Metadata processing method, agenting and forwarding equipment, server and computing system
CN103430488A (en) * 2010-11-05 2013-12-04 马克·卡明斯 Orchestrating wireless network operations
CN103546331A (en) * 2012-07-16 2014-01-29 中兴通讯股份有限公司 Method, device and system for acquiring monitoring information
CN104270432A (en) * 2014-09-22 2015-01-07 苏州耐克斯特能源开采技术有限公司 Real-time data service system and data interaction method based on drilling industry
CN106686026A (en) * 2015-11-06 2017-05-17 中兴通讯股份有限公司 Communication method and device
CN107169019A (en) * 2017-04-06 2017-09-15 华为技术有限公司 A kind of querying method of video metadata, equipment and system
CN109525627A (en) * 2017-09-20 2019-03-26 腾讯科技(上海)有限公司 Data transmission method, device, storage medium and electronic device
US10285094B2 (en) 2010-11-05 2019-05-07 Mark Cummings Mobile base station network
US10531516B2 (en) 2010-11-05 2020-01-07 Mark Cummings Self organizing system to implement emerging topologies
US10687250B2 (en) 2010-11-05 2020-06-16 Mark Cummings Mobile base station network
US10694402B2 (en) 2010-11-05 2020-06-23 Mark Cummings Security orchestration and network immune system deployment framework
US11477667B2 (en) 2018-06-14 2022-10-18 Mark Cummings Using orchestrators for false positive detection and root cause analysis

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105677754B (en) * 2015-12-30 2019-03-26 华为技术有限公司 Obtain the methods, devices and systems of subitem metadata in file system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101127623A (en) * 2007-09-27 2008-02-20 腾讯科技(深圳)有限公司 Data processing method, device and system
CN101184112B (en) * 2007-12-20 2010-12-29 腾讯科技(深圳)有限公司 Multimedia information transmission release system and method for releasing multimedia information thereof

Cited By (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102215211B (en) * 2010-04-02 2016-01-20 中兴通讯股份有限公司 The security policy negotiation method and system of communication means, the access of support trustable network
CN102215211A (en) * 2010-04-02 2011-10-12 中兴通讯股份有限公司 Communication method, and security policy negotiation method and system for supporting trusted network connect
US10231141B2 (en) 2010-11-05 2019-03-12 Mark Cummings Collaborative computing and electronic records
CN103430488B (en) * 2010-11-05 2018-06-22 马克·卡明斯 Layout wireless network operator
US10694402B2 (en) 2010-11-05 2020-06-23 Mark Cummings Security orchestration and network immune system deployment framework
US10285094B2 (en) 2010-11-05 2019-05-07 Mark Cummings Mobile base station network
US9268578B2 (en) 2010-11-05 2016-02-23 Mark Cummings Integrated circuit design and operation for determining a mutually compatible set of configuration for cores using agents associated with each core to achieve an application-related objective
US9311108B2 (en) 2010-11-05 2016-04-12 Mark Cummings Orchestrating wireless network operations
US10687250B2 (en) 2010-11-05 2020-06-16 Mark Cummings Mobile base station network
US10536866B2 (en) 2010-11-05 2020-01-14 Mark Cummings Orchestrating wireless network operations
US9788215B2 (en) 2010-11-05 2017-10-10 Mark Cummings Collaborative computing and electronic records
US10880759B2 (en) 2010-11-05 2020-12-29 Mark Cummings Collaborative computing and electronic records
US10531516B2 (en) 2010-11-05 2020-01-07 Mark Cummings Self organizing system to implement emerging topologies
CN103430488A (en) * 2010-11-05 2013-12-04 马克·卡明斯 Orchestrating wireless network operations
US11812282B2 (en) 2010-11-05 2023-11-07 Mark Cummings Collaborative computing and electronic records
CN103546331B (en) * 2012-07-16 2018-10-26 南京中兴新软件有限责任公司 Acquisition methods, the apparatus and system of monitoring information
CN103546331A (en) * 2012-07-16 2014-01-29 中兴通讯股份有限公司 Method, device and system for acquiring monitoring information
CN102929958A (en) * 2012-10-10 2013-02-13 无锡江南计算技术研究所 Metadata processing method, agenting and forwarding equipment, server and computing system
CN104270432A (en) * 2014-09-22 2015-01-07 苏州耐克斯特能源开采技术有限公司 Real-time data service system and data interaction method based on drilling industry
CN104270432B (en) * 2014-09-22 2018-07-17 苏州耐克斯特能源开采技术有限公司 Based on drilling well industry Real-time Data Service system and data interactive method
CN106686026A (en) * 2015-11-06 2017-05-17 中兴通讯股份有限公司 Communication method and device
CN107169019A (en) * 2017-04-06 2017-09-15 华为技术有限公司 A kind of querying method of video metadata, equipment and system
CN107169019B (en) * 2017-04-06 2020-07-24 华为技术有限公司 Video metadata query method, device and system
CN109525627B (en) * 2017-09-20 2022-02-25 腾讯科技(上海)有限公司 Data transmission method, data transmission device, storage medium and electronic device
CN109525627A (en) * 2017-09-20 2019-03-26 腾讯科技(上海)有限公司 Data transmission method, device, storage medium and electronic device
US11477667B2 (en) 2018-06-14 2022-10-18 Mark Cummings Using orchestrators for false positive detection and root cause analysis
US11729642B2 (en) 2018-06-14 2023-08-15 Mark Cummings Using orchestrators for false positive detection and root cause analysis
US11985522B2 (en) 2018-06-14 2024-05-14 Mark Cummings Using orchestrators for false positive detection and root cause analysis

Also Published As

Publication number Publication date
CN101616007B (en) 2012-04-18

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant