CN107426252B - Method and apparatus for providing a web application firewall service - Google Patents

Info

Publication number: CN107426252B
Application number: CN201710840573.9A
Other versions: CN107426252A
Authority: CN (China)
Prior art keywords: WAF, instruction, WAF container, image, virtual machine
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 靳春孟, 刘建, 朱新超, 邓林青
Current assignee: Beijing Hundred Enlightenment Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Hundred Enlightenment Technology Co Ltd
Events: application filed by Beijing Hundred Enlightenment Technology Co Ltd; priority to CN201710840573.9A; publication of CN107426252A; application granted; publication of CN107426252B; legal status active; anticipated expiration
Classifications (section H Electricity; class H04 Electric communication technique; subclass H04L Transmission of digital information, e.g. telegraphic communication)

    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/10 Protocols in which an application is distributed across nodes in the network


Abstract

The invention provides a method and apparatus for providing a web application firewall (WAF) service. It addresses the problem that a user who wants to protect web applications running in several virtual machines on a cloud must first point DNS resolution at a third party, which creates data security risks. The method comprises: receiving a WAF container image; executing a first preset instruction to install the WAF container image in the virtual machine indicated by the user; and executing a second preset instruction to configure the virtual machine so that the WAF container generated from the WAF container image provides the WAF service. As the technical solution shows, the WAF deployment described here does not require traffic to be resolved to a third party, which avoids the resulting data security risks and the impact on end users' access speed.

Description

Method and apparatus for providing a web application firewall service
Technical field
The invention relates to communication and computer technology, and in particular to a web application firewall construction method and a management method.
Background
A web application firewall (WAF) is a web security appliance that integrates web protection, web page protection, load balancing and application delivery in one product. It combines new security concepts with an advanced architecture to ensure that the user's core applications and business run continuously and stably.
In a cloud computing environment, a user who wants to protect the web applications running in several virtual machines on the cloud (for example Linux- or Windows-based virtual machines) may purchase a third-party web application firewall service. Apart from the expense, such a service requires DNS resolution to be pointed at the third party first, which creates data security risks and also affects end users' access speed.
Summary of the invention
In view of the above problems, the invention proposes a web application firewall construction method and a management method that overcome, or at least partially solve, the above problems.
To this end, in a first aspect, the invention proposes a method of providing a web application firewall service, comprising:
receiving a WAF container image;
executing a first preset instruction to install the WAF container image in the virtual machine indicated by the user;
executing a second preset instruction to configure the virtual machine so that the WAF container generated from the WAF container image provides the WAF service.
Optionally, the second preset instruction comprises one or more of the following groups of instructions:
First group: instructions for setting the scaling rule of the WAF container;
Second group: instructions for setting the update rule of the applications in the WAF container;
Third group: instructions for setting the virtual machine and/or the WAF container so that the WAF container provides the corresponding WAF service;
Fourth group: instructions for setting the detection rules of the applications in the WAF container.
Optionally, a web application firewall service agent runs on the compute node hosting the virtual machine; the agent imports the traffic to be inspected into the WAF container for inspection.
Optionally, the web application firewall service agent collects information on the virtual ports of the virtual machine according to preset collection rules;
and importing the traffic to be inspected into the WAF container for inspection comprises: the web application firewall service agent calling the OVS (Open vSwitch) interface on the compute node to steer the traffic to be inspected to the WAF container.
Optionally, the WAF container image is selected according to a first instruction from the user.
Optionally, the web application firewall agent service controls the execution of the first preset instruction and of the second preset instruction.
In a second aspect, the invention provides a web application firewall management method, comprising:
sending WAF container image A to the virtual machine indicated by the user;
sending a first preset instruction and a second preset instruction corresponding to WAF container image A to the compute node hosting the virtual machine;
the first preset instruction being for installing the WAF container image in the virtual machine indicated by the user;
the second preset instruction being for configuring the virtual machine so that the WAF container generated from the WAF container image provides the WAF service to the user's virtual machine.
Optionally, before sending WAF container image A to the virtual machine indicated by the user, the method comprises:
selecting the corresponding WAF container image A from an image management system according to a first instruction from the user, the image management system storing at least two mutually different WAF container images.
Optionally, the second preset instruction comprises one or more of the following groups of instructions:
First group: instructions for setting the scaling rule of the WAF container;
Second group: instructions for setting the update rule of the applications in the WAF container;
Third group: instructions for setting the virtual machine and/or the WAF container so that the WAF container provides the corresponding WAF service;
Fourth group: instructions for setting the detection rules of the applications in the WAF container.
Optionally, after the second preset instruction has configured the virtual machine, the method comprises: receiving monitoring record information sent by the WAF container in the virtual machine;
dynamically generating firewall rules according to the monitoring record information;
sending the firewall rules to the compute node hosting the virtual machine;
applying the firewall rules to the firewall of the compute node.
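The four steps above (receive monitoring records, generate rules, send them to the compute node, apply them) are shown below on the management-platform side as an added example; it is not the patent's code. The JSON-lines record format, the thresholds, the VM address map and the dedicated iptables chain WAF_DYN are assumptions made for the illustration. The point a practitioner cares about is that the apply step is idempotent: a rule already active on the node is not inserted twice, and expired rules are removed on the next cycle.

```python
"""Monitoring records from a WAF container become compute-node firewall rules.
Added example, not the patent's code; record format, thresholds, VM_ADDRS and
the chain name are assumptions."""
import json
from collections import defaultdict

THRESHOLD = 3        # blocked events from one source within WINDOW -> rule
WINDOW = 60          # seconds of monitoring history considered
TTL = 600            # seconds a generated rule stays in force
CHAIN = "WAF_DYN"    # assumed dedicated chain the compute node jumps to from FORWARD

# Constructed monitoring records, one JSON object per line, as a WAF container
# might report them to the cloud management platform.
SAMPLE_RECORDS = """\
{"ts": 1700000050, "src": "203.0.113.5", "vm": "vm-12", "action": "block", "rule": "sqli-001"}
{"ts": 1700000060, "src": "203.0.113.5", "vm": "vm-12", "action": "block", "rule": "sqli-001"}
{"ts": 1700000095, "src": "203.0.113.5", "vm": "vm-12", "action": "block", "rule": "sqli-002"}
{"ts": 1700000090, "src": "198.51.100.7", "vm": "vm-12", "action": "block", "rule": "upload-001"}
{"ts": 1700000092, "src": "198.51.100.7", "vm": "vm-12", "action": "pass", "rule": ""}
{"ts": 1699999000, "src": "192.0.2.9", "vm": "vm-3", "action": "block", "rule": "sqli-001"}
"""
VM_ADDRS = {"vm-12": "10.0.0.12", "vm-3": "10.0.0.3"}   # assumed VM addressing


def parse_records(text):
    """Step 1: monitoring records received from the WAF container."""
    recs = []
    for line in text.splitlines():
        if line.strip():
            r = json.loads(line)
            recs.append((int(r["ts"]), r["src"], r["vm"], r["action"]))
    return recs


def generate_rules(records, now):
    """Step 2: sources with >= THRESHOLD blocked events for one VM inside the
    window get a rule. Returns {(src, vm): expires_at}. Pass events and
    events older than WINDOW are ignored."""
    hits = defaultdict(list)
    for ts, src, vm, action in records:
        if action == "block" and 0 <= now - ts <= WINDOW:
            hits[(src, vm)].append(ts)
    return {k: max(v) + TTL for k, v in hits.items() if len(v) >= THRESHOLD}


def reconcile(desired, active, now):
    """Steps 3-4: iptables argv lists to send to and apply on the compute node.
    Expired active rules are deleted; desired rules not yet active are
    inserted; a rule already active only has its expiry extended."""
    cmds = []
    new_active = {k: e for k, e in active.items() if e > now}
    for (src, vm), _exp in active.items():
        if (src, vm) not in new_active:
            cmds.append(["iptables", "-D", CHAIN, "-s", src, "-d", VM_ADDRS[vm], "-j", "DROP"])
    for (src, vm), exp in sorted(desired.items()):
        if (src, vm) in new_active:
            new_active[(src, vm)] = max(new_active[(src, vm)], exp)
        else:
            cmds.append(["iptables", "-I", CHAIN, "-s", src, "-d", VM_ADDRS[vm], "-j", "DROP"])
            new_active[(src, vm)] = exp
    return new_active, cmds


def run_cycle(text, active, now):
    """One management cycle: returns (active rules after the cycle, commands)."""
    return reconcile(generate_rules(parse_records(text), now), active, now)
```

Running `run_cycle(SAMPLE_RECORDS, {}, 1700000100)` yields one insert for 203.0.113.5 (three blocks within the window), nothing for 198.51.100.7 (one block, one pass) and nothing for the stale 192.0.2.9 record; running the same cycle again with the returned active set produces no commands.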
In a third aspect, the invention provides a computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the steps of any of the above methods when executing the program.
In a fourth aspect, the invention provides a computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the steps of any of the above methods when executing the program.
As the above technical solution shows, the WAF deployment described here does not require traffic to be resolved to a third party, which avoids the resulting data security risks and the impact on end users' access speed.
The foregoing is a simplified summary intended to give an understanding of some aspects of the invention. It is neither a detailed statement of the invention and its various embodiments nor an exhaustive one; it neither identifies important or key features of the invention nor limits its scope, but presents selected principles of the invention in a reduced form as an introduction to the more detailed description below. It should be understood that other embodiments of the invention are possible using, alone or in combination, one or more of the features set forth above or detailed below.
Brief description of the drawings
To explain the embodiments of the invention or the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the method according to an embodiment of the invention.
Fig. 2 is a schematic diagram of the system structure according to an embodiment of the invention.
Detailed description
The invention is described below with reference to an illustrative system.
Docker began as an internal project at dotCloud initiated by the company's founder Solomon Hykes in France, building on dotCloud's years of cloud service technology. Docker is implemented in the Go language released by Google and uses Linux kernel features such as cgroups, namespaces and union filesystems such as AUFS to package and isolate processes; it is virtualization at the operating-system level. Because an isolated process is independent of the host and of the other isolated processes, it is also called a container.
The technical solution disclosed here deploys a WAF for web servers on the basis of Docker. In one embodiment of the invention the system comprises compute nodes and web servers (also called virtual servers, virtual machines or servers); several web servers are usually deployed on one compute node. The user purchases and configures web servers through a cloud management platform and performs management operations on the platform's UI to deploy the WAF on the compute node or web server. The user selects the required web application firewall function on the UI of the cloud management platform, the corresponding WAF container image is selected automatically according to that choice, and the web server or compute node runs the following web application firewall construction method, thereby implementing the WAF function on the compute node or web server.
As shown in Fig. 1, the steps of building the web application firewall on the compute node or web server comprise:
S101: receiving a WAF container image;
S102: executing a first preset instruction to install the WAF container image in the virtual machine indicated by the user;
S103: executing a second preset instruction to configure the virtual machine so that the WAF container generated from the WAF container image provides the WAF service.
Receipt of the WAF container image by the compute node or web server may be triggered by the compute node or web server itself, or the cloud management platform may actively push the WAF container image to the compute node or web server.
A WAF container image is a Docker image in which a WAF application or monitoring module has been deployed. The WAF application or monitoring module is installed in the WAF container according to the user's needs. For example, if the user needs to prevent trojan uploads, corresponding detection or revocation rules are deployed in the container image so that trojans and backdoor files can be identified accurately; if the user needs to protect a website against SQL injection, filtering rules need to be established for every data submission path (GET, POST, cookie and so on) to strengthen the defence against SQL injection as far as possible. It will be understood that the firewall functions that can be implemented in the WAF container also include, without limitation: system account protection, remote desktop protection, information monitoring, resource hotlink protection, anti-download for online playback, download rate control, anti-CC attack, proxy server access control, anti-PHP UDP attack, IP address blacklists, IP address whitelists, buffer overflow protection, prohibition of malicious script execution, URL access permission control, custom-field advertisement insertion, and so on.
To realise the above firewall functions, the WAF can be implemented by deploying the following modules in the WAF container:
1.1 Engine rule management module:
provides an API for the UI of the cloud management platform. The API maps the user's detection-related configuration in the management system into the WAF system as the basis for packet inspection, for example which packets are inspected and how an intrusion is handled when it is found.
1.2 Event generation module:
packet capture/reassembly and data preprocessing.
1.3 Event analysis module:
analyses the captured data according to the preset intrusion rules; if it is a known attack, the event is sent to the event response unit;
if it is an unknown attack, a log is recorded for the event feature processor to learn from and form a new intrusion detection rule;
the dynamically learned intrusion detection rules are reported to the cloud management platform or the image management system. The dynamic learning here can be realised with a preset machine learning algorithm.
1.4 Event feature database management module:
records the various intrusion rules for use by the event analysis module.
1.5 Event response unit module:
according to the user's configuration, raises an alarm or sends mail or SMS when an intrusion event is found, and notifies the cloud management platform to issue security rules, break connections and so on, to protect the user's virtual network dynamically.
It will be understood that the above modules only illustrate one way of designing the WAF container; in other embodiments the WAF may instead comprise five modules: a configuration module, a protocol parsing module, a rule module, an action module and an error handling module.
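The following is an added example, not the patent's WAF code, of the module chain just described (feature database, event generation, event analysis, event response) applied to raw HTTP requests. It also shows the earlier point about SQL injection: every data submission path (GET, POST, cookie, raw body) is inspected, not only the query string. The three rule patterns and the sample requests are constructed for the illustration and are far smaller than a real ruleset.

```python
"""A small WAF inspection pipeline in the shape of modules 1.2 to 1.5 above.
Added example, not the patent's code; rules and requests are constructed."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl

# 1.4 Event feature database: intrusion rules keyed by id (constructed).
RULES = {
    "sqli-001": re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+)"),
    "sqli-002": re.compile(r"(?i)\b(sleep|benchmark)\s*\("),
    "upload-001": re.compile(r"(?i)<\?php|eval\s*\(\s*\$_(get|post|request)"),
}


@dataclass
class Event:
    """1.2 Event generation: one HTTP request reduced to its submission paths."""
    method: str
    path: str
    fields: dict = field(default_factory=dict)   # (source, name) -> value


def parse_request(raw: bytes) -> Event:
    """Split a raw request into GET, POST, cookie and body fields so that every
    data submission path is inspected."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    ev = Event(method, parts.path)
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        ev.fields[("get", k)] = v
    text = body.decode("latin-1")
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for k, v in parse_qsl(text, keep_blank_values=True):
            ev.fields[("post", k)] = v
    elif text:
        ev.fields[("body", "")] = text      # uploads and other raw bodies
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            k, _, v = part.strip().partition("=")
            ev.fields[("cookie", k)] = v
    return ev


def analyse(ev: Event):
    """1.3 Event analysis: every rule is tried against every submission path."""
    return [(rid, src, name)
            for (src, name), value in ev.fields.items()
            for rid, pat in RULES.items() if pat.search(value)]


def respond(ev: Event, hits):
    """1.5 Event response: a known attack is blocked and alerted; anything else
    passes and is logged for the learning path described in the text."""
    if hits:
        return {"action": "block", "alert": hits, "path": ev.path}
    return {"action": "pass", "learn_log": {"path": ev.path, "fields": sorted(ev.fields)}}


def inspect(raw: bytes) -> dict:
    ev = parse_request(raw)
    return respond(ev, analyse(ev))
```

A request such as `GET /item?id=1'%20or%20'1'='1` is blocked on the GET path, a login POST with a clean form body but `ref=1 union select 1` in the cookie header is blocked on the cookie path, and a multipart upload whose body contains `<?php` is blocked on the raw-body path; a plain search request passes and only produces a learning log entry.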
It will be understood that deploying a WAF service in a server as a container involves relatively complex configuration instructions, and that the content of the WAF service differs between application scenarios, which leads to different WAF container images (and in turn to different content of the corresponding first and second preset instructions). The function of the first and second preset instructions is therefore only explained here with some examples, without limiting what the first and second preset instructions contain.
The WAF deployment described in the above embodiment does not require traffic to be resolved to a third party, which avoids the resulting data security risks and the impact on end users' access speed.
The WAF container image may be produced as follows: download a base Docker image, install the modules of the WAF container, build a new Docker image, and call the interface of the cloud computing management platform to register the new Docker image in the image management system. The image management system stores and manages container images and may cooperate with the cloud management platform to install and manage the WAF container on the virtual machine.
In some embodiments the image management system and the cloud management platform may be independent of each other; for example the image management system is a git repository and the cloud management platform is a server application that provides web server management for users. In other embodiments the image management system may be part of the cloud management platform.
With the WAF deployment described in the above embodiment, the user only needs to operate the UI of the cloud management platform and does not need to learn complex WAF installation instructions, which saves time and effort for users who need to deploy a WAF. On the other hand, the cloud computing service provider can provide WAF services according to user demand (that is, design differentiated WAF container images and select a suitable one for installation according to the user's needs), quickly providing different users with protection at the web server application layer; this adds a security value-added service to the provider's business model. The customised WAF service can be realised with pre-designed WAF container images, so users with the same needs only require the same or a similar WAF container image, which saves operating cost.
In one embodiment of the invention, the second preset instruction comprises one or more of the following groups of instructions:
First group: instructions for setting the scaling rule of the WAF container;
Second group: instructions for setting the update rule of the applications in the WAF container;
Third group: instructions for setting the virtual machine and/or the WAF container so that the WAF container provides the corresponding WAF service;
Fourth group: instructions for setting the detection rules of the applications in the WAF container.
That is, in one embodiment of the invention, WAF container images are stored in an image management system that holds at least two mutually different WAF container images. The user configures a web server through the cloud management platform and selects the required WAF service on the platform's UI (a first instruction is generated from the user's operation on the UI, and the corresponding WAF container image A is selected from the image management system according to that first instruction); the cloud management platform automatically matches the WAF container image to the user's selection and sends the matched WAF container image A to the virtual machine indicated by the user. The first preset instruction is run to start the WAF container image; then the WAF container scaling rule is set, the update rule of the applications in the WAF container is set, the virtual machine and/or WAF container are set so that the WAF container provides the corresponding WAF service, and the detection rules of the applications in the WAF container are set.
The WAF container scaling rule includes, without limitation, scaling the resources used by the WAF container according to the volume of traffic; the resources include, without limitation, CPU, memory and disk. The scaling can be realised by modifying the container's configuration file or by other Docker configuration instructions.
Setting the WAF container scaling rule lets the WAF container grow and shrink automatically according to the user's configuration and the network state of the virtual machine.
In one embodiment, the WAF container scaling rule may also include a preset range of resource usage for the WAF container. The smallest amount of resources is used when the WAF container is created; when the container's internal monitoring system detects requests the container cannot keep up with, it notifies the cloud management platform to extend the current container's resource usage automatically and dynamically. Other applications on the compute node or virtual machine can thus use resources to the greatest extent, which avoids waste and improves resource utilisation.
In one embodiment, the second preset instruction further includes setting the update rule of the applications in the WAF container; the applications may be, for example, a URL encoding check module or a JSON check module, so that the rules of these modules or applications are updated according to the user's settings, improving the applicability and stability of the WAF container.
In one embodiment, the second preset instruction further includes the instructions for setting the virtual machine and/or WAF container so that the WAF container provides the corresponding WAF service, for example the instructions needed to install a protocol parsing module, a URI whitelist/blacklist module or an interception/reset module. These instructions may also configure alarms and responses, for example recording an alarm log, sending mail or SMS, or having the firewall issue a rule that blocks the intruding connection. The way the WAF container is configured is related to the WAF functions pre-designed in the WAF container image. By designing differentiated WAF container images and installing and configuring the applications and modules in the WAF container according to user demand, the problem of quickly providing different users with protection for different web server applications is solved.
In one embodiment, the second preset instruction further includes instructions for setting the detection rules of the applications in the WAF container. Setting the detection rules of the applications in the WAF container refers to, for example, setting the specific content of a URI whitelist in the WAF container; it may also refer to setting the logging level and the filtering of sensitive log entries, to detection rules for specific characters in request variables, or to instructions configuring the various engines and rules, the purpose of which is to apply different policy checks to different protocols.
In one embodiment of the invention, a web application firewall service agent (also written WAFaaS agent) runs on the compute node; the agent imports the traffic to be inspected into the WAF container for inspection. That is, a WAFaaS agent is added to the compute node; it manages the WAFaaS containers selected by the user and imports the traffic of the current tenant's virtual network that needs security inspection into the WAF container.
Importing traffic into the WAF container can be done as follows: when the user configures intrusion detection for the virtual network, the network management platform of the cloud computing management platform communicates with the WAFaaS agent on the network node; the WAFaaS agent starts the WAF container, downloads/creates/deletes/modifies WAFaaS containers according to the user's configuration, and configures the security detection engines and rules selected by the user on the WAF container by calling the container's API.
In one embodiment of the invention, the web application firewall service agent collects information on the virtual ports of the virtual machine according to preset collection rules;
the preset collection rules may be defined or set on the UI of the cloud management platform.
Importing the traffic to be inspected into the WAF container for inspection comprises: the web application firewall service agent calling the OVS interface on the compute node to steer the traffic to be inspected to the WAF container.
As shown in Fig. 2, the WAFaaS agent imports the relevant traffic on the compute node into the WAF container, and the WAF container passes the traffic through the virtual bridge into the virtual machine for processing.
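The agent's two steps above (collect the VM's virtual port information, then call OVS to steer traffic) are shown below as an added example that is not the patent's agent. The `ovs-vsctl list Interface` text is constructed, and the external_ids keys (attached-mac, iface-id, vm-id), the bridge name br-int and the WAF container having its own OVS port are assumptions. The flow syntax is ovs-ofctl's; the example only builds the commands and does not execute them. The detail worth noticing is the priority ordering: the rule that returns already-inspected frames from the WAF port to the VM must outrank the rule that sends HTTP for the VM to the WAF port, otherwise inspected frames would loop back into the WAF container.

```python
"""WAFaaS agent side: find the VM's OVS port and emit OpenFlow rules that
steer inbound HTTP for that VM through the WAF container's port.
Added example, not the patent's code; OVS output and ids are constructed."""
import re

# Constructed output in the format of `ovs-vsctl list Interface`.
SAMPLE_OVS_LIST = """\
_uuid               : 1b0a1c2e-0000-4000-8000-000000000012
name                : "tap-vm12"
ofport              : 5
external_ids        : {attached-mac="fa:16:3e:00:00:12", iface-id="port-12", vm-id="vm-12"}

_uuid               : 2c1b2d3f-0000-4000-8000-000000000077
name                : "tap-waf"
ofport              : 7
external_ids        : {attached-mac="fa:16:3e:00:00:77", iface-id="port-waf", vm-id="waf-vm12"}

_uuid               : 3d2c3e40-0000-4000-8000-000000000001
name                : "patch-tun"
ofport              : 1
external_ids        : {}
"""


def parse_interfaces(text):
    """Collection step: turn `ovs-vsctl list Interface` records into dicts.
    The first colon on a line separates key and value, so MAC addresses inside
    external_ids are not split."""
    ports = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            rec[key.strip()] = val.strip()
        ext = dict(re.findall(r'([\w-]+)="([^"]*)"', rec.get("external_ids", "")))
        ports.append({"name": rec["name"].strip('"'), "ofport": int(rec["ofport"]), **ext})
    return ports


def find_port(ports, vm_id):
    """Collection rule: the port whose vm-id matches the tenant VM."""
    for p in ports:
        if p.get("vm-id") == vm_id:
            return p
    raise LookupError(f"no OVS port for {vm_id}")


def steering_flows(vm_port, waf_port, tcp_port=80):
    """OpenFlow rules for the integration bridge in ovs-ofctl syntax.
    Rule 1 (priority 300): frames arriving from the WAF port for the VM's MAC
    have been inspected and go to the VM.
    Rule 2 (priority 200): any other HTTP frame for the VM's MAC goes to the
    WAF port first. `tcp` expands to dl_type=0x0800,nw_proto=6."""
    mac = vm_port["attached-mac"]
    return [
        f"priority=300,in_port={waf_port['ofport']},dl_dst={mac},actions=output:{vm_port['ofport']}",
        f"priority=200,tcp,tp_dst={tcp_port},dl_dst={mac},actions=output:{waf_port['ofport']}",
    ]


def steering_commands(ovs_list_text, vm_id, waf_vm_id, bridge="br-int"):
    """Full agent step: argv lists for `ovs-ofctl add-flow` on the compute node."""
    ports = parse_interfaces(ovs_list_text)
    vm, waf = find_port(ports, vm_id), find_port(ports, waf_vm_id)
    return [["ovs-ofctl", "add-flow", bridge, flow] for flow in steering_flows(vm, waf)]
```

With the sample above, `steering_commands(SAMPLE_OVS_LIST, "vm-12", "waf-vm12")` produces two add-flow commands: port 7 to port 5 for already-inspected frames, and HTTP for fa:16:3e:00:00:12 to port 7 for everything else. Reply traffic from the VM is untouched by these two rules; a second pair would be needed if responses were to be inspected as well.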
It will be understood that if the WAF container is deployed on the compute node rather than in a virtual machine, traffic steering rules can be set so that the WAF container provides the web application firewall service to several virtual machines on the compute node.
The WAF container image is selected according to a first instruction from the user. The UI of the cloud management platform shows the web application firewall functions provided by the different WAF container images, and the user selects the corresponding WAF container image according to their needs. With the WAF deployment described in the above embodiment, the user only needs to operate the UI of the cloud management platform and does not need to learn complex WAF installation instructions, which saves time and effort for users who need to deploy a WAF.
The invention also provides a web application firewall management method, namely a method of deploying a web application firewall for a virtual machine through a cloud management platform, comprising:
sending WAF container image A to the compute node/virtual machine indicated by the user;
sending the first preset instruction and second preset instruction corresponding to WAF container image A to the compute node hosting the virtual machine;
the first preset instruction being for installing the WAF container image in the virtual machine indicated by the user;
the second preset instruction being for configuring the virtual machine so that the WAF container generated from the WAF container image provides the WAF service to the user's virtual machine.
That is, in one embodiment of the invention, WAF container images are stored in an image management system that holds at least two mutually different WAF container images. The user configures a web server through the cloud management platform and selects the required WAF service on the platform's UI (a first instruction is generated from the user's operation on the UI, and the corresponding WAF container image A is selected from the image management system according to that first instruction); the cloud management platform automatically matches the WAF container image to the user's selection and sends the matched WAF container image A to the virtual machine indicated by the user;
the corresponding instructions are executed on the compute node to configure the virtual machine and the WAF container, so that the started WAF container image provides the WAF service.
The instructions configuring the virtual machine may be the instructions required to configure the WAF service, or instructions that direct traffic into the WAF container for inspection.
The WAF is thus deployed on the compute node/web server. The user selects the required web application firewall function on the UI of the cloud management platform, the corresponding WAF container image is selected automatically according to that choice, and the web server or compute node runs the following method of providing a web application firewall, thereby implementing the WAF function on the compute node/web server.
Executing the corresponding instructions on the compute node includes executing the first preset instruction and the second preset instruction. The first preset instruction is for installing the WAF container image in the virtual machine indicated by the user; in some embodiments the first preset instruction is a container start instruction. It will be understood that "executing" the first and second preset instructions here means triggering their execution, and does not mean that the compute node is the only object on which these instructions operate.
Second preset instructions include following set of or multiple groups instruction:
First group of instruction: the instruction of setting WAF container expansion rule;
Second group of instruction: the instruction of the update rule of application program in setting WAF container;
Third group instruction: setting virtual machine and/or WAF container, instruction needed for making WAF container provide corresponding WAF service;
4th group of instruction: the detected rule of application program in setting WAF container.
The above groups of instructions may be generated by the cloud management platform, or generated automatically from settings entered by the user.
The WAF container scaling rule includes, but is not limited to, scaling the resources used by the WAF container according to the size of the traffic; the resources include, but are not limited to, CPU, memory and disk. The scaling can be realised by modifying the container's configuration file or by other instructions that configure docker.
By setting the WAF container scaling rule instruction, the WAF container can scale automatically according to the user configuration and the network state of the virtual machine.
In one embodiment, the WAF container scaling rule may also include a preset range of resource usage for the WAF container. The WAF container is created with the smallest amount of resources; when the container's internal monitoring system detects that the container has requests it cannot process in time, it notifies the cloud management platform to dynamically extend the container's resource usage. Other applications on the compute node/virtual machine can thus use resources as fully as possible, which avoids waste and improves resource utilisation.
In one embodiment, an update rule for the applications in the WAF container is also set. The applications may be, for example, a URL encoding check module or a JSON validation module, so that these modules or applications are updated according to the policy set by the user, improving the applicability and stability of the WAF container.
In one embodiment, instructions are also included for setting the virtual machine and/or the WAF container so that the WAF container provides the corresponding WAF service, for example the instructions needed to install a protocol analysis module, a URI whitelist/blacklist module, or an interception/reset module. These instructions may also configure alarms and responses, for example recording an alarm log, sending mail/SMS, or having the firewall (FW) issue a rule that blocks the connection of an intrusion. The way the WAF container is configured is related to the WAF functions pre-designed in the WAF container image. By designing differentiated WAF container images and installing and configuring the applications and modules in the WAF container according to the user's requirements, the problem of quickly providing data protection for the web applications of different users on different web servers is solved.
In one embodiment of the invention, after the second preset instruction has been used to configure the virtual machine, the method further comprises: receiving the monitoring record information sent by the WAF container in the virtual machine;
generating firewall rules dynamically from the monitoring record information;
sending the firewall rules to the compute node where the virtual machine is located;
applying the firewall rules to the firewall of the compute node.
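The four-step loop above (monitoring records from the WAF container, dynamic rule generation, rules sent to the compute node, rules applied to its firewall), as an added Python illustration that is not code from the patent or from any product. The key=value record format, the block threshold, the operator allowlist and the idempotent apply step are assumptions made here; the allowlist goes slightly beyond the text to show the check a practitioner would add so that dynamically generated rules cannot lock out trusted networks.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
import ipaddress
import re

# Constructed sample of the monitoring records a WAF container might report to the
# cloud management platform (the key=value format is an assumption of this example).
SAMPLE_RECORDS = [
    "ts=2017-09-15T10:00:01 src=203.0.113.7 dport=80 rule=sqli action=block",
    "ts=2017-09-15T10:00:02 src=203.0.113.7 dport=80 rule=sqli action=block",
    "ts=2017-09-15T10:00:03 src=203.0.113.7 dport=443 rule=xss action=block",
    "ts=2017-09-15T10:00:04 src=198.51.100.9 dport=80 rule=xss action=block",
    "ts=2017-09-15T10:00:05 src=192.0.2.10 dport=80 rule=- action=pass",
    "ts=2017-09-15T10:00:06 src=203.0.113.7 dport=80 rule=rce action=block",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> dict[str, str]:
    """Split one key=value monitoring record into a dict."""
    return dict(_KV.findall(line))


@dataclass(frozen=True)
class FirewallRule:
    src: str    # source address the WAF repeatedly blocked
    dport: int  # destination port the blocked requests targeted

    def to_iptables(self) -> str:
        """Render the rule for the compute node's host firewall (string only, never executed here)."""
        return f"iptables -I INPUT -s {self.src} -p tcp --dport {self.dport} -j DROP"


def generate_rules(records, threshold: int = 3, allowlist=()) -> list[FirewallRule]:
    """Derive firewall rules from the records: a source the WAF blocked at least
    `threshold` times gets one DROP rule per port it targeted. Sources inside the
    operator allowlist (an assumed addition) are skipped."""
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    blocks = [r for r in map(parse_record, records) if r.get("action") == "block"]
    hits = Counter(b["src"] for b in blocks)
    rules: list[FirewallRule] = []
    for src, count in hits.items():
        if count < threshold:
            continue
        if any(ipaddress.ip_address(src) in net for net in allowed):
            continue
        for port in sorted({int(b["dport"]) for b in blocks if b["src"] == src}):
            rules.append(FirewallRule(src, port))
    return rules


class ComputeNodeFirewall:
    """Stand-in for the firewall of the compute node that hosts the virtual machine."""

    def __init__(self) -> None:
        self.rules: list[FirewallRule] = []

    def apply(self, rules) -> int:
        """Apply rules idempotently (re-sending the same set adds nothing); returns the count added."""
        added = 0
        for rule in rules:
            if rule not in self.rules:
                self.rules.append(rule)
                added += 1
        return added

    def accepts(self, src: str, dport: int) -> bool:
        """Would a packet from src to dport still pass the node firewall?"""
        return not any(r.src == src and r.dport == dport for r in self.rules)


def run_cycle(records, node: ComputeNodeFirewall, threshold=3, allowlist=()):
    """One loop iteration: records -> rules -> sent to and applied on the compute node."""
    rules = generate_rules(records, threshold, allowlist)
    return rules, node.apply(rules)


if __name__ == "__main__":
    fw = ComputeNodeFirewall()
    for rule in run_cycle(SAMPLE_RECORDS, fw)[0]:
        print(rule.to_iptables())
```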
That is, in an embodiment of the invention the WAF container images are stored in an image management system, and at least two mutually different WAF container images are stored in that system. The user configures the web server through the cloud management platform and selects the required WAF service on its UI (a first instruction is generated from the user's operation on the UI, and the corresponding WAF container image A is selected from the image management system according to the first instruction). The cloud management platform automatically matches the corresponding WAF container image to the user's selection and sends the matched WAF container image A into the virtual machine indicated by the user. The first preset instruction is run to start the WAF container image; the WAF container scaling rule and the update rule of the applications in the WAF container are set; the virtual machine and/or the WAF container are set so that the WAF container provides the corresponding WAF service; and the detection rules of the applications in the WAF container are set. It should be understood that the order in which the first and second preset instructions are executed depends on their specific content: in some cases certain instructions of the second preset instruction need to be executed before the container start instruction (the first preset instruction), and in other cases other instructions of the second preset instruction need to be executed after the container start instruction.
It should be understood that, because the WAF service is deployed on the server/compute node as a container, the related configuration instructions are relatively complex, and because the content of the WAF service differs between application scenarios, the WAF container images differ (which in turn causes differences in the content of the corresponding first and second preset instructions). The examples given here are therefore intended only to illustrate the functions of the first and second preset instructions, not to limit their content.
In a third aspect, the invention provides a computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the steps of any of the above methods when executing the program.
In a fourth aspect, the invention provides a computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the steps of any of the above methods when executing the program.
As used herein, "monitoring" includes any kind of function related to observing, recording or detecting with an instrument, where the instrument has no influence on the operation or state of the monitored component or group of components.
As used herein, "at least one", "one or more" and "and/or" are open-ended expressions that are both conjunctive and disjunctive in use. For example, "at least one of A, B and C", "at least one of A, B or C", "one or more of A, B and C" and "one or more of A, B or C" each mean A alone, B alone, C alone, A and B together, A and C together, B and C together, or A, B and C together.
The term "a" or "an" entity refers to one or more of that entity. Thus the terms "a"/"an", "one or more" and "at least one" are used interchangeably herein. It should also be noted that the terms "including", "comprising" and "having" are used interchangeably.
As used herein, the term "automatic" and its variations refer to any process or operation that is completed without tangible human input when the process or operation is performed. A process or operation may still be automatic even if it uses material or immaterial human input received before the process or operation is performed. Human input is considered material if it affects how the process or operation will be carried out; human input that does not affect the process or operation is not considered material.
As used herein, the term "computer-readable medium" refers to any tangible storage device and/or transmission medium that participates in providing instructions to a processor for execution. A computer-readable medium may be a serialised instruction set encoded in a network transmission (such as SOAP) over an IP network. Such a medium may take many forms, including but not limited to non-volatile media, volatile media and transmission media. Non-volatile media include, for example, NVRAM or magnetic or optical disks. Volatile media include dynamic memory such as main memory (e.g. RAM). Common forms of computer-readable media include, for example, a floppy disk, flexible disk, hard disk, magnetic tape or any other magnetic medium, a magneto-optical medium, a CD-ROM or any other optical medium, punched cards, paper tape or any other physical medium with a pattern of holes, RAM, PROM, EPROM, FLASH-EPROM, solid-state media such as memory cards, any other memory chip or cartridge, the carrier waves described below, or any other medium a computer can read. A digital file attachment to e-mail or another self-contained information file or archive set is considered a distribution medium equivalent to a tangible storage medium. When the computer-readable medium is configured as a database, it should be understood that the database may be any type of database, such as a relational, hierarchical or object-oriented database. Accordingly, the invention is considered to include a tangible storage medium or distribution medium together with the equivalents known in the prior art and media developed in the future, in which the software implementations of the invention are stored.
As used herein, the terms "determine", "operate" and "calculate" and their variations are used interchangeably and include any type of method, process, mathematical operation or technique. More specifically, such terms may include interpreted rules or rule languages such as BPEL, where the logic is not hard-coded but can be represented in a rule file that is read, interpreted, compiled and executed.
As used herein, the term "module" or "tool" refers to any known or later-developed hardware, software, firmware, artificial intelligence, fuzzy logic, or combination of hardware and software capable of performing the functions associated with that element. Furthermore, although the invention is described with illustrative embodiments, it should be understood that each aspect of the invention may be claimed separately.
It should be noted that in this document relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or terminal device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or terminal device. Without further limitation, an element defined by the phrase "including a ..." or "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or terminal device that includes the element. In addition, in this document "greater than", "less than", "more than" and the like are understood as excluding the number itself, while "above", "below", "within" and the like are understood as including it.
Although the above embodiments have been described, once a person skilled in the art knows the basic inventive concept, further changes and modifications may be made to these embodiments. The above description is therefore only an embodiment of the invention and is not intended to limit the scope of patent protection of the invention; any equivalent structure or equivalent process transformation made using the content of the description and drawings of the invention, whether applied directly or indirectly in other related technical fields, is likewise included within the scope of patent protection of the invention.

Claims (11)

1. A method for providing a web application firewall service, characterized by comprising:
receiving a WAF container image;
executing a first preset instruction to install the WAF container image into the virtual machine indicated by the user;
executing a second preset instruction to configure the virtual machine, so that the WAF container generated from the WAF container image provides the WAF service to the virtual machine;
the second preset instruction including one or more of the following groups of instructions:
First group of instructions: instructions for setting the WAF container scaling rule;
Second group of instructions: instructions for setting the update rule of the applications in the WAF container;
Third group of instructions: instructions for setting the virtual machine and/or the WAF container so that the WAF container provides the corresponding WAF service;
Fourth group of instructions: instructions for setting the detection rules of the applications in the WAF container.
2. The method according to claim 1, characterized in that a web application firewall service agent runs on the compute node where the virtual machine is located, the web application firewall service agent being used to import the traffic to be detected into the WAF container for detection.
3. The method according to claim 2, characterized in that the web application firewall service agent collects information on the virtual ports of the virtual machine according to a preset collection rule.
4. The method according to claim 2, characterized in that the web application firewall service agent importing the traffic to be detected into the WAF container for detection comprises: the web application firewall service agent calling the ovs interface on the compute node to add the traffic to be detected to the WAF container; the WAF container image being selected from the WAF image management system according to the user's first instruction.
5. The method according to claim 1, characterized in that the web application firewall service agent is used to control execution of the first preset instruction and to control execution of the second preset instruction.
6. A web application firewall management method, characterized by comprising:
sending a WAF container image A into the virtual machine indicated by the user;
sending the first preset instruction and the second preset instruction corresponding to WAF container image A to the compute node where the virtual machine is located;
the first preset instruction being used to install the WAF container image into the compute node/virtual machine indicated by the user;
the second preset instruction being used to configure the virtual machine, so that the WAF container generated from the WAF container image provides the WAF service to the user's virtual machine.
7. The method according to claim 6, characterized in that, before sending WAF container image A into the virtual machine indicated by the user, the method comprises:
selecting the corresponding WAF container image A from the image management system according to the user's first instruction; the image management system storing at least two mutually different WAF container images.
8. The management method according to claim 6, characterized in that
the second preset instruction includes one or more of the following groups of instructions:
First group of instructions: instructions for setting the WAF container scaling rule;
Second group of instructions: instructions for setting the update rule of the applications in the WAF container;
Third group of instructions: instructions for setting the virtual machine and/or the WAF container so that the WAF container provides the corresponding WAF service;
Fourth group of instructions: instructions for setting the detection rules of the applications in the WAF container.
9. The management method according to claim 6, characterized in that, after the second preset instruction has been used to configure the virtual machine, the method comprises:
receiving the monitoring record information sent by the WAF container in the virtual machine;
generating firewall rules dynamically from the monitoring record information;
sending the firewall rules to the compute node where the virtual machine is located;
applying the firewall rules to the firewall of the compute node.
10. A computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any one of claims 1 to 5 when executing the program.
11. A computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any one of claims 6 to 9 when executing the program.
CN201710840573.9A 2017-09-15 2017-09-15 The method and apparatus of web application firewall service is provided Active CN107426252B (en)

Publications (2)

Publication Number Publication Date
CN107426252A CN107426252A (en) 2017-12-01
CN107426252B true CN107426252B (en) 2019-10-25

Family

ID=60433127

