CN114629655A - Method for ensuring optical transmission network management network safety - Google Patents


Info

Publication number
CN114629655A
Authority
CN
China
Prior art keywords
authentication
user
service
resource
network
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210239891.0A
Other languages
Chinese (zh)
Inventor
林密
刘小敏
张焕域
李博
蔡文斌
陈龙
张宇
张阳
吴伟明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hainan Power Grid Co Ltd
Original Assignee
Hainan Power Grid Co Ltd
Application filed by Hainan Power Grid Co Ltd; priority to CN202210239891.0A; publication of CN114629655A; legal status: pending.

Classifications

    • H04L 63/08 Network architectures or network communication protocols for network security: authentication of entities
        • H04L 63/0823 using certificates
        • H04L 63/083 using passwords
        • H04L 63/0853 using an additional device, e.g. smartcard, SIM or a different communication terminal
        • H04L 63/0861 using biometrical features, e.g. fingerprint, retina-scan
        • H04L 63/0876 based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 9/32 Cryptographic mechanisms or arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
        • H04L 9/3226 using a predetermined code, e.g. password, passphrase or PIN
        • H04L 9/3231 Biological data, e.g. fingerprint, voice or retina
        • H04L 9/3247 involving digital signatures
        • H04L 9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04Q 11/0062 Selecting arrangements for multiplex systems using optical switching: network aspects
        • H04Q 2011/0079 Operation or maintenance aspects
        • H04Q 2011/0086 Network resource allocation, dimensioning or optimisation

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Power Engineering (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biodiversity & Conservation Biology (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a method for securing the management network of an optical transmission network management system (NMS), comprising the following steps: step one, deploying services; step two, initial configuration; step three, securing login; step four, securing operations. In step one, the security service comprises an authentication microservice and a user management microservice; the resource synchronization module listens for change notifications for board resources and network element (NE) resources; the resource modeling registration module registers new resource models, and the resource data corresponding to a registered resource model is stored in a resource table of the NMS database. The method effectively improves the security of the optical transmission NMS: it makes it difficult for an unauthorized, privately set-up NMS to take over the managed network, and it prevents such a rogue NMS from coexisting with the legitimate NMS.

Description

Method for ensuring optical transmission network management network safety
Technical Field
The invention relates to the technical field of network security, in particular to a method for securing the management network of an optical transmission network management system (NMS).
Background
Optical fiber communication has become a pillar of modern communication networks owing to its wide bandwidth, large capacity and high speed, and the optical transmission network has become indispensable strategic infrastructure. The optical transmission network, however, also introduces new security risks while improving network performance: an attacker who gains access to the optical transmission equipment or the NMS at the master station or at any site can take control of the NMS by compromising a single device, and once in control of the NMS can delete large numbers of service channels, so that wide-area services such as relay protection and stability control lose their communication channels, seriously threatening the security of the power grid. A method for improving the security of the optical transmission NMS is therefore urgently needed.
Disclosure of Invention
The present invention aims to provide a method for securing the management network of an optical transmission NMS, so as to solve the problems described in the background.
To achieve this purpose, the invention provides the following technical scheme. A method for securing the management network of an optical transmission NMS comprises the following steps: step one, deploying services; step two, initial configuration; step three, securing login; step four, securing operations.
In step one, when the optical transmission NMS is installed, a security service, a face authentication service, a UKey service, a resource synchronization module and a resource modeling registration module are deployed.
In step two, initial configuration of the NMS comprises the following steps:
1) a system administrator uses the user authority management function to partition the physical resources of the NEs among different roles/users for control; after partitioning, a role/user holding control authority over a resource can use that resource to create, delete and modify end-to-end services, and a role/user without control authority over the resource cannot;
2) the user uses the NE management function of the NMS to set the authentication granularity of each optical transmission NE; the attribute value is either NE or port, and the default is NE;
3) the user partitions and manages the NEs/boards/ports under their management in the NMS user management module;
4) user operation authentication is enabled for the designated functions, and secondary biometric two-factor authentication is enabled for the important functions.
In step three, before a user logs in to the NMS, the system administrator designates the user for face recognition plus UKey two-factor login authentication; the two-factor authentication obtains the final authentication mode from the authentication service according to the configured authentication mode and the running status of the face authentication service and the UKey service, and the two-factor authentication result combines the results of the two factor checks.
In step four, when a user issues an operation, the service module first judges whether the current operation requires user authentication. If it does, the service module obtains the user authentication mode from the security service and calls the corresponding authentication front-end service; the current authentication modes are user name/password and face + UKey. The NMS then compares the authenticated user information with the logged-in account; if they do not match, the NMS refuses the operation instruction. If they match, the service module judges from the category of the operation whether secondary authentication is needed. If it is not, the NMS issues the operation instruction normally. If it is, the service module obtains the secondary authentication mode from the security service and calls the corresponding secondary authentication front-end service; the current secondary authentication modes are likewise user name/password and face + UKey. After the second (biometric) user authentication, the authentication service returns the result and the service module obtains it: if the authentication passed, the NMS issues the operation instruction normally, and if it failed, the NMS refuses the operation instruction.
Preferably, in step one, the security service comprises an authentication microservice and a user management microservice.
Preferably, in step one, the resource synchronization module is configured to listen for change notifications for board resources and NE resources, and the resource modeling registration module is used to register new resource models; the resource data corresponding to a registered resource model is stored in a resource table of the NMS database.
Preferably, the resource synchronization module listens for two kinds of notification while the NMS is running. The first is board creation/deletion/modification notifications: the resource synchronization module reads the authentication granularity attribute of the corresponding NE; if the granularity is empty or NE, the notification is discarded without any processing; if the granularity is port, the three notifications are handled as follows. Creation notification: the board data and the port data under the board are synchronized into the resource library, with the board/port data recorded according to the parent-child relationship NE - board - port. Deletion notification: the corresponding board/port data is deleted from the resource library. Modification notification: when the number of ports on a board of the optical transmission equipment changes, the port data in the resource library is updated accordingly. The second is NE attribute change notifications: when the authentication granularity attribute of an NE changes, the board/port data of that NE in the resource library must be updated accordingly; if the granularity changes from 'NE' to 'port', the NE's board/port data must be synchronized into the resource library, and if it changes from 'port' to 'NE', the NE's board/port data in the resource library must be deleted.
Preferably, in step two 1), the partition granularity supports the whole device, board cards and ports, where board cards comprise line cards and tributary cards, and ports comprise line ports and tributary ports. Resource partition authorization is implemented as follows: board/port resources are newly defined by adding two resource models, board and port; a specific field in each model definition is configured to mark the model as supporting the NMS authentication module; the resource modeling registration module calls an API to register the resource models when it starts, and registration is skipped when the API finds that an identical model definition already exists in the system.
Preferably, in step three, when a user logs in to the NMS, the NMS uses the face recognition and UKey factors for login authentication when both the face authentication service and the UKey service are working normally; only when the face authentication service has failed does the NMS use UKey + password for login authentication; only when the UKey service has failed does the NMS use face recognition + password for login authentication; and if both the face authentication service and the UKey service have failed, the NMS allows login with a password only. The NMS is able to monitor in real time whether the face authentication service or the UKey service has become unavailable due to failure (this fallback is fail-open: with both services down, login assurance drops to a single password factor, so the real-time failure monitoring is what keeps that degraded state visible).
Preferably, in step three, the face recognition sub-process is as follows:
1) importing user photos into the authentication system: after the admin user logs in successfully for the first time, the NMS login authentication mode is selected through the NMS GUI (graphical user interface), photos are selected and imported for the other users, the imported photos are passed through the user management microservice to the face authentication service to obtain the corresponding face information, and an association between each user and their photo is established;
2) the user performs face authentication: when the user requests the NMS login home page, the authentication microservice first judges whether face authentication is enabled, the criteria being that the face authentication service has been deployed successfully and the face login mode is enabled; when the condition is met, the browser displays the face authentication login page. The user takes a liveness-checked photo with the camera, the browser sends the picture to the authentication microservice, and the authentication microservice performs user authentication as follows: the user management microservice receives the captured face image from the authentication microservice, calls the face authentication service to verify it, which returns the stored photos meeting the similarity threshold; the user management microservice finds the corresponding user from the returned photo information and sets the login user information, at which point the authentication microservice completes authentication, generates a Token, and the authentication succeeds. If the user management microservice cannot find a corresponding user from the photo information, it returns authentication failure and a failure prompt is shown on the interface.
Preferably, in step three, the UKey authentication sub-process is as follows: the user inserts the UKey into a USB port of the computer or terminal used for login and enters the user PIN code in the PIN input box of the NMS login page in the browser; the browser accesses the UKey with the PIN code, and if the PIN is wrong the user is prompted and returned to the input; if the PIN is verified as correct, the browser accesses the UKey to obtain a random number, the signature data and the user's digital certificate; the browser sends the random number, signature data and digital certificate to the security service, which compares the user name in the digital certificate with its user list and, during that comparison, calls the authentication service to verify the correctness and validity of the digital signature; after verification passes, authentication completes and a Token is issued.
Compared with the prior art, the beneficial effects of the invention are that the method effectively improves the security of the optical transmission NMS: it makes it difficult for an unauthorized, privately set-up NMS to take over the managed network, and it prevents such a rogue NMS from coexisting with the legitimate NMS.
Drawings
FIG. 1 is a flow chart of a method of the present invention;
FIG. 2 is a topological diagram of a network management security enhancing user authentication management function;
FIG. 3 is a photograph import flow diagram;
FIG. 4 is a face recognition sub-flow diagram;
FIG. 5 is a UKey authentication sub-flow diagram;
FIG. 6 is a flow chart of the secondary authentication.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present invention.
Referring to FIGS. 1-6, an embodiment of the present invention is shown: a method for securing the management network of an optical transmission NMS comprises the following steps: step one, deploying services; step two, initial configuration; step three, securing login; step four, securing operations.
In step one, when the optical transmission NMS is installed, a security service, a face authentication service, a UKey service, a resource synchronization module and a resource modeling registration module are deployed. The security service comprises an authentication microservice and a user management microservice. The resource synchronization module listens for change notifications for board resources and NE resources. The resource modeling registration module registers new resource models, and the resource data corresponding to a registered resource model is stored in a resource table of the NMS database. While the NMS is running, the resource synchronization module listens for two kinds of notification. The first is board creation/deletion/modification notifications: the resource synchronization module reads the authentication granularity attribute of the corresponding NE; if the granularity is empty or NE, the notification is discarded without any processing; if the granularity is port, the three notifications are handled as follows. Creation notification: the board data and the port data under the board are synchronized into the resource library, with the board/port data recorded according to the parent-child relationship NE - board - port. Deletion notification: the corresponding board/port data is deleted from the resource library. Modification notification: when the number of ports on a board of the optical transmission equipment changes, the port data in the resource library is updated accordingly. The second is NE attribute change notifications: when the authentication granularity attribute of an NE changes, the board/port data of that NE in the resource library must be updated accordingly; if the granularity changes from 'NE' to 'port', the NE's board/port data must be synchronized into the resource library, and if it changes from 'port' to 'NE', the NE's board/port data in the resource library must be deleted.
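The listener logic described above, as an added example that is not the patent's code: an in-memory resource library plus a synchronization module that applies the granularity rule (discard at empty/NE granularity, maintain NE - board - port rows at port granularity) and the two granularity transitions. The notification dictionary layout, the class names and the "ne"/"port" attribute strings are assumptions; the sample notifications are constructed.

```python
"""Resource synchronization for the NMS resource library (added example;
notification layout, class names and the "ne"/"port" strings are assumed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class NetworkElement:
    ne_id: str
    auth_granularity: Optional[str] = None          # None, "ne" or "port"
    # live inventory as reported by the equipment: board_id -> [port_id, ...]
    boards: Dict[str, List[str]] = field(default_factory=dict)


class ResourceLibrary:
    """Resource table of the NMS database. A row exists for an NE only while
    that NE is at port granularity; it mirrors NE -> board -> port."""

    def __init__(self) -> None:
        self.rows: Dict[str, Dict[str, List[str]]] = {}


class ResourceSyncModule:
    def __init__(self, nes: Dict[str, NetworkElement], lib: ResourceLibrary) -> None:
        self.nes = nes
        self.lib = lib

    def on_board_notification(self, notice: dict) -> str:
        """Handle a board create/delete/modify notification; returns what was
        done with it, for logging."""
        ne = self.nes[notice["ne_id"]]
        kind, board = notice["kind"], notice["board_id"]
        if kind not in ("create", "delete", "modify"):
            raise ValueError(f"unknown notification kind {kind!r}")

        # The live inventory is always kept current, so a later switch to
        # port granularity can be synchronized from it.
        if kind == "delete":
            ne.boards.pop(board, None)
        else:
            ne.boards[board] = list(notice["ports"])

        # Empty or NE granularity: the library holds no board/port rows.
        if ne.auth_granularity != "port":
            return "discarded"

        rows = self.lib.rows.setdefault(ne.ne_id, {})
        if kind == "delete":
            rows.pop(board, None)
        else:
            # create: insert the board with its ports; modify: the port count
            # changed, so replace the port list under the same board.
            rows[board] = list(notice["ports"])
        return kind

    def on_granularity_change(self, ne_id: str, new_granularity: Optional[str]) -> str:
        """Handle an NE attribute change notification for the granularity."""
        ne = self.nes[ne_id]
        old = ne.auth_granularity
        ne.auth_granularity = new_granularity
        if old != "port" and new_granularity == "port":
            # "ne" -> "port": push the whole board/port inventory into the library
            self.lib.rows[ne_id] = {b: list(p) for b, p in ne.boards.items()}
            return "synced"
        if old == "port" and new_granularity != "port":
            # "port" -> "ne": the library must drop this NE's board/port rows
            self.lib.rows.pop(ne_id, None)
            return "removed"
        return "unchanged"
```

Keeping the equipment inventory separate from the library rows is what makes the 'NE' to 'port' transition cheap: the module does not have to re-query the equipment, it replays what it already mirrored.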
In step two, initial configuration of the NMS comprises the following steps:
1) a system administrator uses the user authority management function to partition the physical resources of the NEs among different roles/users for control; the partition granularity supports the whole device, board cards and ports, where board cards comprise line cards and tributary cards, and ports comprise line ports and tributary ports; after partitioning, a role/user holding control authority over a resource can use that resource to create, delete and modify end-to-end services, and a role/user without control authority over the resource cannot; resource partition authorization is implemented as follows:
board/port resources are newly defined by adding two resource models, board and port; a specific field in each model definition is configured to mark the model as supporting the NMS authentication module; the resource modeling registration module calls an API (application programming interface) to register the resource models when it starts, and registration is skipped when the API finds that an identical model definition already exists in the system;
2) the user uses the NE management function of the NMS to set the authentication granularity of each optical transmission NE; the attribute value is either NE or port, and the default is NE;
3) the user partitions and manages the NEs/boards/ports under their management in the NMS user management module;
4) user operation authentication is enabled for the designated functions, and secondary biometric two-factor authentication is enabled for the important functions.
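The partition-and-authorize model of step two 1), as an added example that is not the patent's code. It models the three partition levels (whole NE, board, port), role grants at any level, the check the service module would run before an end-to-end service is created, deleted or modified (every endpoint must be covered by a grant held at the port, its board or its NE), and the duplicate-aware model registration. The class and field names and the sample topology are assumptions.

```python
"""Resource partition authorization for end-to-end service operations
(added example; names, fields and the sample topology are assumed)."""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Resource:
    ne: str
    board: Optional[str] = None     # None -> the whole NE
    port: Optional[str] = None      # None -> the whole board

    def containing(self) -> Iterator["Resource"]:
        """This resource and every resource that contains it (NE, board, port)."""
        yield Resource(self.ne)
        if self.board is not None:
            yield Resource(self.ne, self.board)
            if self.port is not None:
                yield self


class ResourceModelRegistry:
    """Registers resource models at startup; an identical definition is
    never registered twice."""

    def __init__(self) -> None:
        self.models: Dict[str, Dict[str, str]] = {}

    def register(self, name: str, fields: Dict[str, str]) -> bool:
        if name in self.models:
            return False
        self.models[name] = dict(fields)
        return True


class AuthorizationService:
    def __init__(self) -> None:
        self.grants: Dict[str, Set[Resource]] = {}

    def grant(self, role: str, res: Resource) -> None:
        self.grants.setdefault(role, set()).add(res)

    def covers(self, role: str, res: Resource) -> bool:
        """A grant at any containing level covers the resource."""
        held = self.grants.get(role, set())
        return any(r in held for r in res.containing())

    def authorize_service_op(self, roles: Set[str], op: str,
                             endpoints: List[Resource]) -> Tuple[bool, List[Resource]]:
        """Every endpoint of the service must be covered by a grant held by
        one of the caller's roles; returns (allowed, denied_endpoints)."""
        if op not in ("create", "delete", "modify"):
            raise ValueError(f"unsupported operation {op!r}")
        denied = [e for e in endpoints
                  if not any(self.covers(r, e) for r in roles)]
        return (not denied, denied)


def build_demo_registry() -> ResourceModelRegistry:
    """Register the two new models (board, port) with the field that marks
    them as supporting the NMS authentication module (field name assumed);
    a repeated registration of the same model is skipped."""
    reg = ResourceModelRegistry()
    reg.register("board", {"kind": "line|tributary", "auth_supported": "true"})
    reg.register("port", {"kind": "line|tributary", "auth_supported": "true"})
    reg.register("port", {"kind": "line|tributary", "auth_supported": "true"})  # duplicate
    return reg
```

The deny list is returned rather than just a boolean so the NMS can tell the operator which endpoint of a multi-hop service fell outside their partition, which is also the line to write to the audit log.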
In step three, before a user logs in to the NMS, the system administrator designates the user for face recognition plus UKey two-factor login authentication; the two-factor authentication obtains the final authentication mode from the authentication service according to the configured authentication mode and the running status of the face authentication service and the UKey service, and the two-factor authentication result combines the results of the two factor checks. When a user logs in to the NMS, the NMS uses the face recognition factor and the UKey factor for login authentication when both the face authentication service and the UKey service are working normally; only when the face authentication service has failed does the NMS use UKey + password for login authentication; only when the UKey service has failed does the NMS use face recognition + password for login authentication; and if both the face authentication service and the UKey service have failed, the NMS allows login with a password only, while monitoring in real time whether the face authentication service or the UKey service has become unavailable due to failure (with both services down, login assurance drops to a single password factor, so that monitoring is what keeps the degraded state visible).
the face recognition sub-process specifically comprises the following steps:
1) the user photo import authentication system is characterized in that after an admin user successfully logs in for the first time, a network management login authentication mode is selected through a network management GUI (graphical user interface) interface, user photos are selected for other users to be imported, the imported photos call a face authentication service through a user management micro-service to obtain corresponding information, and an association relationship between the user and the photos is established;
2) the user carries out face authentication: when a user acquires a home page of a login network manager, the authentication micro-service firstly judges whether face authentication is started or not, and the judgment basis is that the face authentication service is successfully deployed and the face login mode is started simultaneously; when the face authentication condition is met, the browser displays a face authentication login page; the user performs biopsy shooting through the camera, and then sends the picture to the authentication microservice through the browser, and the authentication microservice performs user authentication; the user authentication process comprises the following steps: after receiving face photographing information transmitted by the authentication microservice, the user management microservice calls the face authentication service to perform photo verification and returns photos meeting the similarity index, finds a corresponding user according to the returned photo information, then sets login user information, completes authentication of the authentication microservice at the moment, generates Token, and succeeds in authentication; if the user management micro-service cannot find the corresponding user according to the photo information, returning authentication failure and giving failure prompt information on an interface;
The UKey authentication sub-process is as follows: the user inserts the UKey into a USB port of the computer or terminal used for login; the user enters the user PIN code in the PIN code input box of the browser's network management login interface; the browser accesses the UKey with the PIN code, and if the PIN check fails the user is prompted and returned to PIN entry; if the PIN code is verified as correct, the browser accesses the UKey to obtain a random number, the signature data and the user digital certificate; the browser sends the random number, the signature data and the user digital certificate to the security service, the user name in the digital certificate is compared with the user list in the security service, and during the user comparison the security service calls the authentication service to verify the correctness and validity of the digital signature; after the verification passes, authentication is complete and a Token is issued;
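Both sides of the UKey sub-process (PIN check on the token, random number plus signature plus certificate sent to the security service, user-name lookup in the user list, signature verification), as an added example in Go that is not code from the patent or the applicant. Assumptions of this example: Ed25519 as the signature algorithm, a `UserCertificate` struct with only a user name and public key standing in for the user's digital certificate (a real deployment carries an X.509 certificate and validates its chain and validity period as well), and a record of accepted random numbers so that a captured request cannot be replayed. That replay check is added here because, as the page describes it, the random number is produced by the UKey rather than issued as a challenge by the server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// UserCertificate is a simplified stand-in for the user digital certificate on
// the UKey: only the fields this flow uses (an assumption for this example).
type UserCertificate struct {
	UserName  string
	PublicKey ed25519.PublicKey
}

// LoginRequest is what the browser sends to the security service once the UKey
// has been unlocked with the PIN.
type LoginRequest struct {
	Nonce     []byte // the random number obtained from the UKey
	Signature []byte // signature data over the random number
	Cert      UserCertificate
}

// UKeyDevice simulates the token. The private key never leaves it; the browser
// only receives the random number, the signature and the certificate.
type UKeyDevice struct {
	pin  string
	priv ed25519.PrivateKey
	cert UserCertificate
}

// NewDemoDevice creates a device with a fresh key pair (constructed for the
// example) and returns the public key the security service should register.
func NewDemoDevice(user, pin string) (*UKeyDevice, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &UKeyDevice{pin: pin, priv: priv, cert: UserCertificate{UserName: user, PublicKey: pub}}, pub, nil
}

// Access checks the PIN and, if it is correct, returns the random number, the
// signature over it and the certificate; a wrong PIN returns the prompt error.
func (d *UKeyDevice) Access(pin string) (LoginRequest, error) {
	if pin != d.pin {
		return LoginRequest{}, errors.New("PIN check failed, re-enter PIN")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return LoginRequest{}, err
	}
	return LoginRequest{Nonce: nonce, Signature: ed25519.Sign(d.priv, nonce), Cert: d.cert}, nil
}

// SecurityService holds the user list with each user's registered public key
// and remembers accepted random numbers (replay guard added in this example).
type SecurityService struct {
	users map[string]ed25519.PublicKey
	seen  map[string]bool
}

func NewSecurityService() *SecurityService {
	return &SecurityService{users: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

// Register adds a user and the public key of the certificate issued to them.
func (s *SecurityService) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// VerifyLogin is the server side of the sub-process: the certificate's user
// name must be in the user list, the certificate key must be the registered
// one, and the signature over the random number must verify. It returns the
// authenticated user name; Token issuance would follow a nil error.
func (s *SecurityService) VerifyLogin(req LoginRequest) (string, error) {
	registered, ok := s.users[req.Cert.UserName]
	if !ok {
		return "", errors.New("certificate user name not in user list")
	}
	if !registered.Equal(req.Cert.PublicKey) {
		return "", errors.New("certificate key is not the registered key")
	}
	if len(req.Nonce) < 16 || !ed25519.Verify(registered, req.Nonce, req.Signature) {
		return "", errors.New("digital signature invalid")
	}
	key := hex.EncodeToString(req.Nonce)
	if s.seen[key] {
		return "", errors.New("random number already used")
	}
	s.seen[key] = true
	return req.Cert.UserName, nil
}

func main() {
	dev, pub, err := NewDemoDevice("alice", "1234") // constructed user and PIN
	if err != nil {
		panic(err)
	}
	svc := NewSecurityService()
	svc.Register("alice", pub)
	req, err := dev.Access("1234")
	if err != nil {
		panic(err)
	}
	fmt.Println(svc.VerifyLogin(req))
}
```

Comparing the certificate key against the key registered for that user, not merely verifying the signature with the key inside the certificate, is the step that ties the signature to the user list; a self-consistent request with an unregistered key would otherwise verify.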
In the fourth step, when a user issues an operation, the service module first judges whether user authentication is required for the current operation; if so, the service module obtains the user authentication mode from the security service and calls the corresponding authentication front-end service according to that mode (the current authentication modes are user name/password and face + UKey), and the network manager compares the current user information with the logged-in account information; if they do not match, the network manager rejects the operation instruction; if they match, the service module judges from the category of the operation whether secondary authentication is required; if it is not, the network manager issues the operation instruction normally; if it is, the service module obtains the secondary authentication mode from the security service and calls the corresponding secondary authentication front-end service according to that mode (the current secondary authentication modes are likewise user name/password and face + UKey); after the user's second biometric authentication, the authentication service returns the authentication result and the service module obtains the secondary authentication result; if authentication passed, the network manager issues the operation instruction normally; if authentication failed, the network manager rejects the operation instruction.
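The operation-gating decision of the fourth step (does the operation need authentication, does the authenticated user match the logged-in account, does the category require secondary authentication, did it pass), as an added example in Go that is not code from the patent or the applicant. The `Policies` table, the operation category names, the `Authenticator` callback standing in for the authentication front-end services, and the choice to reject unknown categories are all assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// AuthMode is one of the two authentication modes the page names.
type AuthMode string

const (
	ModePassword AuthMode = "username/password"
	ModeFaceUKey AuthMode = "face+ukey"
)

// OperationPolicy is configured per operation category: whether the operation
// needs user operation authentication at all, and whether it is an important
// function that also needs secondary authentication.
type OperationPolicy struct {
	RequiresAuth      bool
	RequiresSecondary bool
}

// Policies is a constructed table; the page only says authentication is
// enabled on specified functions and secondary authentication on important ones.
var Policies = map[string]OperationPolicy{
	"query-service":  {RequiresAuth: false},
	"modify-service": {RequiresAuth: true},
	"delete-service": {RequiresAuth: true, RequiresSecondary: true},
}

// SecurityConfig is what the service module obtains from the security service.
type SecurityConfig struct {
	AuthMode      AuthMode
	SecondaryMode AuthMode
}

// Authenticator stands in for an authentication front-end service invoked for
// a mode; it returns the user name it verified, or an error.
type Authenticator func(mode AuthMode) (string, error)

// ErrRejected wraps every reason for refusing an operation instruction.
var ErrRejected = errors.New("operation instruction rejected")

// AuthorizeOperation follows the decision order of the fourth step and returns
// nil when the network manager may issue the operation instruction. An unknown
// category is rejected (fail closed); that is this example's choice, not a
// rule stated on the page.
func AuthorizeOperation(category, loggedInUser string, cfg SecurityConfig, primary, secondary Authenticator) error {
	pol, ok := Policies[category]
	if !ok {
		return fmt.Errorf("%w: unknown operation category %q", ErrRejected, category)
	}
	if !pol.RequiresAuth {
		return nil
	}
	user, err := primary(cfg.AuthMode)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrRejected, err)
	}
	if user != loggedInUser {
		return fmt.Errorf("%w: authenticated user %q is not the logged-in account %q", ErrRejected, user, loggedInUser)
	}
	if !pol.RequiresSecondary {
		return nil
	}
	user, err = secondary(cfg.SecondaryMode)
	if err != nil {
		return fmt.Errorf("%w: secondary authentication failed: %v", ErrRejected, err)
	}
	if user != loggedInUser {
		return fmt.Errorf("%w: secondary authentication returned %q, not %q", ErrRejected, user, loggedInUser)
	}
	return nil
}

// FixedUser is a stand-in front-end service that always verifies the given user.
func FixedUser(name string) Authenticator {
	return func(AuthMode) (string, error) { return name, nil }
}

// Failing is a stand-in front-end service whose authentication fails.
func Failing(reason string) Authenticator {
	return func(AuthMode) (string, error) { return "", errors.New(reason) }
}

func main() {
	cfg := SecurityConfig{AuthMode: ModePassword, SecondaryMode: ModeFaceUKey}
	fmt.Println("delete-service:", AuthorizeOperation("delete-service", "alice", cfg, FixedUser("alice"), Failing("face mismatch")))
	fmt.Println("query-service:", AuthorizeOperation("query-service", "alice", cfg, nil, nil))
}
```

The example re-checks the user name after the secondary authentication as well, so a secondary factor that happens to verify a different enrolled user cannot authorise the logged-in account's operation.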
In summary, the advantage of the invention is that, in use, the security of the network manager is improved through the capabilities of the user authentication management function: user authentication management applies user login biometric authentication, secondary biometric authentication, user operation authentication and separation of user privileges, so that login security and operation security are fully ensured, the coexistence of a private, unauthorized network management network alongside the legitimate network management network is effectively excluded, destructive operations by an attacker are prevented, and the security of the network manager is improved overall.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.

Claims (8)

1. A method for ensuring the network security of optical transmission network management includes the following steps: step one, deploying service; step two, initializing setting; step three, ensuring the login safety; step four, the operation safety is guaranteed; the method is characterized in that:
in the first step, when the optical transmission network manager is installed, a security service, a face authentication service, a UKey service, a resource synchronization module and a resource modeling registration module are deployed;
in the second step, initializing the network management setting comprises the following steps:
1) a system administrator uses a user authority management function to divide network element physical resources into different roles/users for regulation and control; after the division is completed, the role/user with the resource regulation and control authority can use the corresponding resource to carry out the new creation, deletion and modification of the end-to-end service, and the role/user without the resource regulation and control authority cannot use the corresponding resource to carry out the new creation, deletion and modification of the end-to-end service;
2) the user uses the network element management function of the network management to set the authentication granularity for the optical transmission network element, the attribute value is the network element or the port, and the default is the network element;
3) the user divides and manages the network element/single board/port managed by the user in the network management user management module;
4) starting user operation authentication on the specified function, and starting secondary biological double-factor authentication on the important function;
in the third step, before the user logs in the network manager, the system administrator designates the user to start face identification and UKey double-factor login authentication, the double-factor authentication obtains a final authentication mode from the authentication service according to the authentication mode setting, the face authentication service and the UKey service operation condition, and the double-factor authentication result is the union result of the two authentication mode results;
in the fourth step, when a user issues an operation, the service module first judges whether user authentication is required for the current operation; if so, the service module obtains the user authentication mode from the security service and calls the corresponding authentication front-end service according to that mode, the current authentication modes being user name/password and face + UKey, and the network manager compares the current user information with the logged-in account information; if they do not match, the network manager rejects the operation instruction; if they match, the service module judges from the category of the operation whether secondary authentication is required; if it is not, the network manager issues the operation instruction normally; if it is, the service module obtains the secondary authentication mode from the security service and calls the corresponding secondary authentication front-end service according to that mode, the current secondary authentication modes likewise being user name/password and face + UKey; after the user's second biometric authentication, the authentication service returns the authentication result and the service module obtains the secondary authentication result; if authentication passed, the network manager issues the operation instruction normally; if authentication failed, the network manager rejects the operation instruction.
2. The method according to claim 1, wherein the method for ensuring the network security of the optical transmission network management system comprises: in the first step, the security service comprises an authentication micro-service and a user management micro-service.
3. The method for ensuring the network security of the optical transmission network management according to claim 1, wherein: in the first step, the resource synchronization module is used for monitoring a change notification of the single board resource and the network element resource; the resource modeling registration module is used for registering a new resource model, and the resource data corresponding to the registered resource model can be stored in a resource table of the network management database.
4. The method for ensuring the network security of optical transmission network management according to claim 3, characterized in that: the monitoring performed by the resource synchronization module while the network manager is running comprises the following two parts: first, monitoring single board create/delete/modify notifications: the resource synchronization module obtains the authentication granularity attribute of the corresponding network element; if the authentication granularity is null or 'network element', the notification is discarded without any processing; if the authentication granularity is 'port', the three notifications are processed as follows: create notification: the single board data and the port data under that single board are synchronized into the resource library, with the single board/port data represented according to the parent-child relationship, namely network element - single board - port; delete notification: the corresponding single board/port data are deleted synchronously from the resource library; modify notification: when the number of ports on a single board of the optical transmission equipment changes, the port data in the resource library are updated synchronously; second, monitoring network element attribute change notifications: when the authentication granularity attribute of a network element changes, the single board/port data of that network element in the resource library must be updated synchronously; if the authentication granularity changes from 'network element' to 'port', the single board/port data of the network element must be synchronized into the resource library; if the authentication granularity changes from 'port' to 'network element', the single board/port data of the network element in the resource library must be deleted synchronously.
5. The method according to claim 1, wherein the method for ensuring the network security of the optical transmission network management system comprises: in the second step 1), the divided granularity supports the whole machine, the board cards and the ports, wherein the board cards comprise line board cards and branch board cards, and the ports comprise line ports and branch ports; the resource division authorization implementation steps are as follows: newly adding and defining single board/port resources, and newly defining two resource models: the system comprises a single board and a port, wherein a specific field in a model definition is configured as an authentication module supporting network management, a resource modeling registration module calls an API (application programming interface) to register a resource model when being started, and when the API judges that a repeated model definition exists in the system, the registration is not carried out.
6. The method according to claim 1, wherein the method for ensuring the network security of the optical transmission network management system comprises: in the third step, when a user logs in the network management, the network management can use a face recognition factor and a UKey double factor to carry out login authentication under the condition that a face authentication service and a UKey service normally work; only under the condition of face authentication service failure, the network manager can use UKey + password to carry out login authentication; only under the condition of UKey service failure, the network manager can use face recognition and password to carry out login authentication; if the face authentication service and the UKey service both fail, the network management allows login authentication only by using a password, and the network management has the capability of monitoring the face authentication service and the UKey service which are unavailable due to failure in real time.
7. The method according to claim 1, wherein the method for ensuring the network security of the optical transmission network management system comprises: in the third step, the face recognition sub-process specifically comprises:
1) importing user photos into the authentication system: after the admin user has logged in successfully for the first time, the network management login authentication mode is selected through the network management GUI (graphical user interface), and user photos are selected and imported for the other users; for each imported photo, the user management micro-service calls the face authentication service to obtain the corresponding information, and an association between the user and the photo is established;
2) the user performs face authentication: when a user opens the network manager login home page, the authentication micro-service first judges whether face authentication is enabled, the criterion being that the face authentication service has been deployed successfully and the face login mode is enabled at the same time; when the face authentication condition is met, the browser displays the face authentication login page; the user takes a liveness-check photo with the camera, the browser sends the picture to the authentication micro-service, and the authentication micro-service performs user authentication; the user authentication process is as follows: after receiving the face photo information passed on by the authentication micro-service, the user management micro-service calls the face authentication service to verify the photo, which returns the photos that meet the similarity index; the user management micro-service finds the corresponding user from the returned photo information and sets the login user information, at which point the authentication micro-service completes authentication, generates a Token, and authentication succeeds; if the user management micro-service cannot find a corresponding user from the photo information, it returns an authentication failure and a failure prompt is shown on the interface.
8. The method according to claim 1, wherein the method for ensuring the network security of the optical transmission network management system comprises: in the third step, the UKey authentication sub-process is as follows: the user inserts the UKey into a USB port of the computer or terminal used for login; the user enters the user PIN code in the PIN code input box of the browser's network management login interface; the browser accesses the UKey with the PIN code, and if the PIN check fails the user is prompted and returned to PIN entry; if the PIN code is verified as correct, the browser accesses the UKey to obtain a random number, the signature data and the user digital certificate; the browser sends the random number, the signature data and the user digital certificate to the security service, the user name in the digital certificate is compared with the user list in the security service, and during the user comparison the security service calls the authentication service to verify the correctness and validity of the digital signature; after the verification passes, authentication is complete and a Token is issued.
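The two monitoring rules of the resource synchronization module in claim 4 (discard single board notifications unless the network element's authentication granularity is 'port'; keep the resource library's network element - single board - port data in step with create/delete/modify notifications and with granularity changes), as an added example in Go. It is not code from the patent or the applicant; the notification struct, the in-memory `ResourceLibrary` standing in for the network management database's resource table, and the `inventory` parameter that supplies a network element's boards and ports when granularity changes to 'port' are assumptions of this example.

```go
package main

import "fmt"

// Granularity is the authentication granularity attribute of a network element.
type Granularity string

const (
	GranularityUnset          Granularity = ""                // null
	GranularityNetworkElement Granularity = "network element" // the default
	GranularityPort           Granularity = "port"
)

// NotificationType is the kind of single board notification received.
type NotificationType int

const (
	BoardCreated NotificationType = iota
	BoardDeleted
	BoardModified
)

// BoardNotification is a single board create/delete/modify notification.
// Ports carries the board's current port list for create and modify.
type BoardNotification struct {
	Type  NotificationType
	NE    string   // network element identifier
	Board string   // single board identifier
	Ports []string // ports under the board (create/modify only)
}

// ResourceLibrary stands in for the resource table: data is kept in the
// parent-child form network element -> single board -> ports.
type ResourceLibrary struct {
	granularity map[string]Granularity
	boards      map[string]map[string][]string
}

func NewResourceLibrary() *ResourceLibrary {
	return &ResourceLibrary{
		granularity: map[string]Granularity{},
		boards:      map[string]map[string][]string{},
	}
}

// Ports returns the port list stored for a board, or nil if none is stored.
func (r *ResourceLibrary) Ports(ne, board string) []string {
	return r.boards[ne][board]
}

// HandleBoardNotification applies the first monitoring rule. It returns true
// when the notification changed the library and false when it was discarded
// because the element's granularity is null or "network element".
func (r *ResourceLibrary) HandleBoardNotification(n BoardNotification) bool {
	if r.granularity[n.NE] != GranularityPort {
		return false // discarded without any processing
	}
	switch n.Type {
	case BoardCreated, BoardModified:
		// create: store the board and its ports; modify: the port count changed,
		// so the stored port list is replaced with the current one.
		if r.boards[n.NE] == nil {
			r.boards[n.NE] = map[string][]string{}
		}
		r.boards[n.NE][n.Board] = append([]string(nil), n.Ports...)
	case BoardDeleted:
		delete(r.boards[n.NE], n.Board)
	}
	return true
}

// SetGranularity applies the second monitoring rule. inventory supplies the
// element's current boards and ports (what a real module would read from the
// element) and is consulted only on a change to "port".
func (r *ResourceLibrary) SetGranularity(ne string, g Granularity, inventory map[string][]string) {
	old := r.granularity[ne]
	r.granularity[ne] = g
	if old == g {
		return
	}
	switch {
	case g == GranularityPort: // anything -> port: synchronize board/port data in
		r.boards[ne] = map[string][]string{}
		for board, ports := range inventory {
			r.boards[ne][board] = append([]string(nil), ports...)
		}
	case old == GranularityPort: // port -> anything else: delete the element's data
		delete(r.boards, ne)
	}
}

func main() {
	lib := NewResourceLibrary()
	lib.SetGranularity("NE-1", GranularityPort, nil) // constructed element
	lib.HandleBoardNotification(BoardNotification{Type: BoardCreated, NE: "NE-1", Board: "slot-3", Ports: []string{"3/1", "3/2"}})
	fmt.Println(lib.Ports("NE-1", "slot-3"))
}
```

Because operation authorization is later checked against this table, the discard rule is the part to audit: a board notification that arrives before the element's granularity has been set to 'port' is dropped, so an element switched to port granularity must be re-synchronized from its inventory rather than waiting for future notifications.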
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210239891.0A CN114629655A (en) 2022-03-12 2022-03-12 Method for ensuring optical transmission network management network safety
Publications (1)

Publication Number Publication Date
CN114629655A true CN114629655A (en) 2022-06-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination