Design and Implementation of a Secure Access Platform for GSM Switching Network Elements
Abstract
With the continuing development of mobile communication technology, new technologies, new equipment and new services keep emerging, making the maintenance and management of the GSM (Global System for Mobile Communications) mobile network increasingly complex. Last year ×× Group began six pilot projects in security construction, working to raise the security level of the mobile network, to provide protection against network attacks, virus intrusion and theft of confidential information over the network, to prevent the spread of harmful information, and to ensure the secure operation of the mobile network. At the same time, as the architecture of the GSM mobile network evolves, core network equipment is gradually moving from circuit switching to IP switching. A large number of TCP/IP-based switching devices use Windows NT as the underlying operating system and TCP/IP as the network transport protocol. Because of the inherent defects of the Windows NT platform and the fragility of the TCP/IP protocol itself, GSM network element equipment is easily attacked and infected by viruses, causing system crashes. To date, five Ericsson network elements across the network have been infected by viruses.
The emergence of TCP/IP-based switching equipment has made the security problems of the existing GSM mobile network increasingly prominent. To meet the changing and growing security management needs of the GSM mobile network and to improve the level and quality of service, ×× Company decided to build a secure access platform for switching network elements.
Based on the actual situation of the GSM mobile network, this project studies how to build a secure access platform for GSM switching network elements, how to improve the security of the GSM mobile network, and how to integrate multiple security technologies. Regarding the design and implementation of the platform, the thesis examines in depth its overall architecture, design requirements, functional systems, and integration and deployment plan. The main research work covers the following aspects:
(1) research on the key technologies and development trends of secure access for mobile switching network elements;
(2) a feasibility study and requirements analysis for building a secure access system for mobile switching network elements;
(3) system design of the secure access system for mobile switching network elements, including architecture design, security measures, and the selection of equipment and software.
The project takes "advanced, real-time, secure, stable, flexible, practical" as its overall design goal. Technically it adopts an architecture of "distributed application, centralized collection and processing" together with an efficiently integrated, extensible approach to program design: each city-level network uses the system in a distributed manner, while data collection, data processing and the provision of functions are centralized. From design through development, the current mainstream object-oriented methodology is used throughout, and advanced techniques such as distributed-system design patterns and object orientation run through the whole process of analysis, design and implementation, keeping the system in line with advanced international technical standards. The system combines a flexible template-based data processing mechanism, fast real-time alarm monitoring, convenient centralized operation and maintenance for customer service handling, complete performance management, and comprehensive security mechanisms, providing the telecommunications network with a powerful secure access platform for integrated network management.
Building the secure access platform for GSM switching network elements is a process of effectively improving the security protection and detection capabilities of the mobile communication network, and also a process of transition from traditional to modern informatization. It has considerable practical value and value for wider adoption.
