CN101980481B - Method for realizing session replication and tracking during security terminal emulation protocol monitoring - Google Patents
- Publication number: CN101980481B (application CN201010533530A)
- Authority: CN (China)
- Prior art keywords: session, monitoring system, server, client, monitoring
- Prior art date
- Legal status: Active
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
A method for realizing session replication and tracking during security terminal emulation protocol monitoring. Its implementation steps are: (1) the monitoring system performs secondary login or proxying for the SSH protocol; the client sends the monitoring system a request to open a replicated session, and a new, independent virtual session is established between the monitoring system and the client; (2) the monitoring system simultaneously sends the server a request to open a replicated session, and a new, independent virtual session is likewise established between the server and the monitoring system; (3) the monitoring system maps all the virtual sessions at the two ends to one another, one to one; (4) a virtual screen is drawn in memory and the operations of each session are captured on that screen, so that each session is tracked individually. Through the technical means of the invention, while still satisfying the requirement to monitor the security terminal emulation protocol, session replication and tracking are also achieved during that monitoring, and the operation is simple and easy to carry out.
Description
Technical field
The invention belongs to the technical field of security terminal emulation protocol monitoring, and in particular relates to a method for realizing session replication and tracking during security terminal emulation protocol monitoring.
Background art
The terminal emulation protocol is a common protocol for maintaining UNIX or LINUX servers. Early on, the popular terminal emulation protocols over TCP/IP networks were TELNET and RLOGIN, but because they transmit in plaintext over the network they created a serious security risk: anyone with malicious intent could conveniently tap the link from a bypass and intercept usernames and passwords, and even the operations themselves. These two protocols were therefore gradually replaced by the secure terminal emulation protocol (hereinafter the SSH protocol), whose transmission is more secure and whose functions are more powerful. Not only does the SSH protocol make network data transmission more secure by adopting SSL asymmetric encryption, it also provides, through virtual channels, the ability to open multiple virtual sessions over the same TCP connection, that is, SSH session replication, which greatly facilitates server maintenance personnel. Precisely because of the security of the SSH protocol, the usual method of capturing packets from a bypass cannot recover any useful data from it. Therefore, if SSH-based remote access operations are to be monitored, the monitoring system must perform secondary login or proxying for the SSH protocol; otherwise the maintenance personnel's operations cannot be restored from the encrypted data. Secondary login means that the operator first logs in to the monitoring system over the SSH protocol; the monitoring system presents the authorized operator with a friendly menu interface, from which the operator selects the server to log in to and logs in directly. Proxying means that the operator designates the monitoring system as the SSH protocol's proxy server, and all SSH protocol access reaches the target server with the monitoring system acting as the proxy. In summary, from the principle of secondary login or proxying it can be seen that the SSH connection initiated by the operator is terminated at the monitoring system, and every connection to the target server under maintenance is initiated by the monitoring system, so that the monitoring system is the server from the client's point of view and the client from the server's point of view; in this way the operating behaviour can be conveniently reverse-parsed. This satisfies the monitoring of the SSH protocol, but because in this situation the client's SSH connection is established with the monitoring system and the server's SSH connection is likewise established with the monitoring system, forwarding the session replication function and tracking the whole course of each session become very difficult.
Summary of the invention
The invention mainly solves the technical problems present in the prior art by providing a method for realizing session replication and tracking during security terminal emulation protocol monitoring.
The above technical problems of the invention are mainly solved by the following technical solution: a method for realizing session replication and tracking during security terminal emulation protocol monitoring, whose implementation steps are: (1) the monitoring system performs secondary login or proxying for the SSH protocol; the client sends the monitoring system a request to open a replicated session and requests an identifier; the monitoring system responds to the session replication request, and after negotiation completes a new, independent virtual session is established between the monitoring system and the client; (2) the monitoring system simultaneously sends the server a request to open a replicated session; the server responds to the session replication request and requests an identifier, and after negotiation completes a new, independent virtual session is likewise established between the server and the monitoring system; (3) from the session data sent by the client, the monitoring system looks up the corresponding server-facing session channel and sends the data to the server through that channel, and from the session data sent by the server it looks up the corresponding client-facing session channel and sends the data to the client through that channel, thereby mapping all the virtual sessions at the two ends to one another, one to one; (4) a virtual screen is drawn in memory and the operations of each session are captured on that screen, so that each session is tracked individually.
Preferably, in step (3) the monitoring system builds the mapping of virtual sessions as a linked list and, over that list, builds a hash table indexed by the client-side session and a hash table indexed by the server-side session; when client-side session data is received the lookup is performed in the hash table indexed by the client-side session, and when server-side session data is received the lookup is performed in the hash table indexed by the server-side session.
Preferably, in step (4) the monitoring system maintains a session node for each session, with the virtual screen as a member of the session node; whenever session data is received, the session node is looked up, the screen is drawn and the corresponding operation is captured.
The invention overcomes the defect of existing security terminal emulation protocol technology that forwarding of the session replication function and whole-course tracking of each session cannot be achieved. Through the technical means of the invention, while still satisfying the requirement to monitor the security terminal emulation protocol, session replication and tracking are also achieved during that monitoring, and the operation is simple and easy to carry out.
Detailed description of the embodiments
The technical solution of the invention is further described below by way of an embodiment.
Embodiment: a method of the invention for realizing session replication and tracking during security terminal emulation protocol monitoring, whose implementation steps are: (1) the monitoring system performs secondary login or proxying for the SSH protocol; the client sends the monitoring system a request to open a replicated session and requests an identifier; the monitoring system responds to the session replication request, and after negotiation completes a new, independent virtual session is established between the monitoring system and the client; (2) the monitoring system simultaneously sends the server a request to open a replicated session; the server responds to the session replication request and requests an identifier, and after negotiation completes a new, independent virtual session is likewise established between the server and the monitoring system; (3) from the session data sent by the client, the monitoring system looks up the corresponding server-facing session channel and sends the data to the server through that channel, and from the session data sent by the server it looks up the corresponding client-facing session channel and sends the data to the client through that channel, thereby mapping all the virtual sessions at the two ends to one another, one to one; (4) a virtual screen is drawn in memory and the operations of each session are captured on that screen, so that each session is tracked individually.
In the course of performing secondary login and proxying for the SSH protocol, the operations over the entire connection must be monitored, yet the data decrypted during protocol transmission is carried in NVT form. NVT means network virtual terminal; it contains not only the user's operation data but also a great deal of formatting information, so merely recording the packets is not enough: the packets must be reverse-parsed. At the same time, because of the complexity of heterogeneous environments and the uncertainty of operations, the operations cannot be parsed correctly merely by filtering out the formatting data. The invention obtains the input operations by drawing a virtual screen in memory, which is equivalent to simulating in memory a screen identical to the operating terminal the user actually sees, and capturing on that screen the operations the user performs; this satisfies both the correctness and the timeliness of operation restoration. Because the user can perform relatively independent operations in each replicated session, tracking each session requires a separate virtual screen, with the operations of each session captured independently on its own screen; in this way each session is tracked individually.
To improve transmission efficiency, in step (3) the monitoring system builds the mapping of virtual sessions as a linked list and, over that list, builds a hash table indexed by the client-side session and a hash table indexed by the server-side session; when client-side session data is received the lookup is performed in the hash table indexed by the client-side session, and when server-side session data is received the lookup is performed in the hash table indexed by the server-side session. In step (4), the monitoring system maintains a session node for each session, with the virtual screen as a member of the session node; whenever session data is received, the session node is looked up, the screen is drawn and the corresponding operation is captured.
Finally, it should be pointed out that the above embodiment is only a representative example of the invention. Obviously, the technical solution of the invention is not limited to the above embodiment, and many variations are possible. All variations that a person of ordinary skill in the art can derive directly, or arrive at by association, from the content disclosed in the invention should be regarded as falling within the scope of protection of the invention.
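The following is an added example, not the patent's own code, of the data structures steps (3) and (4) describe: a list of session nodes indexed by two hash tables (one keyed by the client-side channel id, one by the server-side channel id), each node owning its own in-memory screen that is drawn from what the server sends and snapshotted when the client presses Enter. Channel ids, the byte strings and the minimal escape handling are constructed assumptions for illustration.

```python
# Added example, not the patent's code: the monitoring system's session map
# (step 3) and a per-session virtual screen (step 4). Ids and bytes are constructed.
class VirtualScreen:
    """Minimal in-memory screen: the cursor line plus the operations captured."""
    def __init__(self) -> None:
        self.cells, self.col = bytearray(), 0   # current line and cursor column
        self.operations = []                    # lines captured when Enter is pressed
    def draw(self, data: bytes) -> None:
        """Render server output (what the user actually sees) onto the line."""
        i = 0
        while i < len(data):
            b = data[i]
            if b == 0x1B and data[i + 1:i + 2] == b"[":     # CSI escape sequence
                i += 2
                while i < len(data) and not 0x40 <= data[i] <= 0x7E:
                    i += 1                                  # skip parameter bytes
                if i < len(data) and data[i] == ord("K"):   # erase to end of line
                    del self.cells[self.col:]
            elif b == 0x0D:                                 # CR: back to column 0
                self.col = 0
            elif b == 0x0A:                                 # LF: start a new line
                self.cells, self.col = bytearray(), 0
            elif b in (0x08, 0x7F):                         # BS/DEL: cursor left
                self.col = max(self.col - 1, 0)
            elif b >= 0x20:                                 # printable: overwrite/append
                if self.col < len(self.cells):
                    self.cells[self.col] = b
                else:
                    self.cells.append(b)
                self.col += 1
            i += 1
    def capture(self) -> str:                   # snapshot the visible line, prompt included
        self.operations.append(self.cells.decode("utf-8", "replace").rstrip())
        return self.operations[-1]

class SessionNode:
    def __init__(self, client_chan: int, server_chan: int) -> None:
        self.client_chan, self.server_chan = client_chan, server_chan  # channel id per side
        self.screen = VirtualScreen()           # every session draws its own screen

class SessionMap:
    """Session nodes kept in a list and indexed by two hash tables, one per side."""
    def __init__(self) -> None:
        self.nodes, self.by_client, self.by_server = [], {}, {}
    def open_session(self, client_chan: int, server_chan: int) -> SessionNode:
        if client_chan in self.by_client or server_chan in self.by_server:
            raise ValueError("channel id already mapped")
        node = SessionNode(client_chan, server_chan)
        self.nodes.append(node)
        self.by_client[client_chan] = self.by_server[server_chan] = node
        return node
    def from_client(self, client_chan: int, data: bytes):
        """Client -> server: return the server channel to forward on, or None."""
        node = self.by_client.get(client_chan)
        if node is None:
            return None                         # unmapped channel: do not forward
        if b"\r" in data:                       # Enter: capture what the screen shows
            node.screen.capture()
        return node.server_chan
    def from_server(self, server_chan: int, data: bytes):
        node = self.by_server.get(server_chan)  # server -> client: draw, then forward
        if node is None:
            return None
        node.screen.draw(data)
        return node.client_chan
```

Data on a channel id that is not in either hash table is dropped rather than forwarded, so a replicated session can only reach the server through a mapping the monitoring system itself created.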
Claims (3)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 201010533530 CN101980481B (en) | 2010-11-05 | 2010-11-05 | Method for realizing session replication and tracking during security terminal emulation protocol monitoring |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101980481A CN101980481A (en) | 2011-02-23 |
CN101980481B true CN101980481B (en) | 2012-12-05 |
Family ID: 43600966
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 201010533530 Active CN101980481B (en) | 2010-11-05 | 2010-11-05 | Method for realizing session replication and tracking during security terminal emulation protocol monitoring |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101980481B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106302586A (en) * | 2015-05-25 | 2017-01-04 | 中兴通讯股份有限公司 | A kind of realization method and system of remote terminal instrument |
CN111143736B (en) * | 2018-11-06 | 2024-02-06 | 广东万丈金数信息技术股份有限公司 | Data transmission method, device, main page server and storage medium |
CN111884833A (en) * | 2020-07-04 | 2020-11-03 | 中国人民解放军海军航空大学航空作战勤务学院 | Simulation system integration method based on network virtualization technology |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080031141A1 (en) * | 2006-08-01 | 2008-02-07 | Tekelec | Methods, systems, and computer program products for monitoring tunneled internet protocol (IP) traffic on a high bandwidth IP network |
CN101420432A (en) * | 2008-12-01 | 2009-04-29 | 华为技术有限公司 | Implementing method, system and apparatus for IMS listening |
US20100220609A1 (en) * | 2009-02-27 | 2010-09-02 | Ascendent Telecommunications Inc. | System and method for reducing call latency in monitored calls |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100531074C (en) * | 2007-08-24 | 2009-08-19 | 中兴通讯股份有限公司 | Method and system for legally monitoring IP multimedia subsystem network |
CN101114952A (en) * | 2007-08-28 | 2008-01-30 | 飞思达技术(北京)有限公司 | Data flow redirection based VOIP/NGN monitoring, inspecting method and system |
Events
- 2010-11-05: CN application CN201010533530 filed; granted as CN101980481B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN101980481A (en) | 2011-02-23 |
Similar Documents
Publication | Title |
---|---|
US10630784B2 (en) | Facilitating a secure 3 party network session by a network device |
CN111447276B (en) | Encryption continuous transmission method with key agreement function |
US10038693B2 (en) | Facilitating secure network traffic by an application delivery controller |
US7987359B2 (en) | Information communication system, information communication apparatus and method, and computer program |
WO2019148562A1 (en) | Acceleration method for handshake request in content delivery network, device and edge node |
US20070274525A1 (en) | Encrypted communication system, communication status management server, encrypted communication method, and communication status management method |
CN101729543B (en) | Method for improving performance of mobile SSL VPN by utilizing remote Socks5 technology |
CN104270334A (en) | A monitoring method for SSH network security access protocol |
CN102546666B (en) | The method preventing IGMP from cheating and to attack and device |
WO2009082889A1 (en) | A method for internet key exchange negotiation and device, system thereof |
WO2014173365A1 (en) | Ftp application layer packet filtering method, device and computer storage medium |
US20140337967A1 (en) | Data Transmission Method, System, and Apparatus |
CN104065731A (en) | FTP file transfer system and transfer method |
WO2016202007A1 (en) | Device operation and maintenance method and system |
CN106230587A (en) | Long connection anti-replay attack method |
WO2023010839A1 (en) | Access control method, client proxy apparatus, gateway device, and related system |
WO2016065787A1 (en) | Rdp data collection apparatus and method |
WO2019237683A1 (en) | Protocol packet, and method for managing virtual client terminal device |
CN101980481B (en) | Method for realizing session replication and tracking during security terminal emulation protocol monitoring |
CN111614596A (en) | A remote device control method and system based on IPv6 tunnel technology |
WO2016109404A1 (en) | System and method of authenticating a live video stream |
CN201657020U (en) | Mobile SSL VPN system based on remote Socks 5 agent |
CN113949730B (en) | Communication method and device for equipment |
CN110049024A (en) | A kind of data transmission method, transfer server and access site server |
CN112333088B (en) | Compatible instant messaging transmission method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |