CN107426252B - Method and apparatus for providing a web application firewall service - Google Patents
- Publication number
- CN107426252B (application CN201710840573.9A)
- Authority
- CN
- China
- Prior art keywords
- waf
- instruction
- waf container
- image
- virtual machine
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Computer And Data Communications (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The present invention provides a method and apparatus for providing a web application firewall (WAF) service. It addresses the following problem: when a user wants to protect web applications running in multiple virtual machines on a cloud, the user first has to point DNS resolution at a third party, which easily creates data security risks. The method includes: receiving a WAF container image; executing first preset instructions to install the WAF container image in the virtual machine designated by the user; and executing second preset instructions to configure the virtual machine so that the WAF container generated from the WAF container image provides the WAF service. As can be seen from this technical solution, the described WAF deployment approach does not require traffic to be resolved to a third party, which avoids the resulting data security risk and also avoids slowing down end-user access.
Description
Technical field
The present invention relates to communication and computer technology, and in particular to a web application firewall construction method and a web application firewall management method.
Background technique
A web application firewall (WAF) is a product that integrates web protection, web page protection, load balancing and application delivery into a single overall web security protection device. It combines new security concepts with an advanced, innovative architecture to ensure that the user's core applications and business run continuously and stably.
In a cloud computing environment, a user who wants to protect the web applications running in multiple virtual machines on the cloud (for example Linux- or Windows-based virtual machines), or who buys a third-party web application firewall service, faces not only the considerable cost of the third party but also the need to point DNS resolution at the third party first, which easily creates data security risks and also affects end-user access speed.
Summary of the invention
In view of the above problems, the invention proposes a web application firewall construction method and management method that overcome, or at least partially solve, the above problems.
To this end, in a first aspect, the invention proposes a method for providing a web application firewall service, comprising:
receiving a WAF container image;
executing first preset instructions to install the WAF container image in the virtual machine designated by the user;
executing second preset instructions to configure the virtual machine, so that the WAF container generated from the WAF container image provides the WAF service.
Optionally, the second preset instructions include one or more of the following groups of instructions:
first group: instructions setting the scaling rule of the WAF container;
second group: instructions setting the update rule for applications in the WAF container;
third group: instructions configuring the virtual machine and/or the WAF container so that the WAF container provides the corresponding WAF service;
fourth group: instructions setting the detection rules for applications in the WAF container.
Optionally, a web application firewall service agent runs on the compute node where the virtual machine is located; the agent imports traffic to be inspected into the WAF container for inspection.
Optionally, the web application firewall service agent collects information about the virtual ports of the virtual machine according to preset collection rules;
the agent importing traffic to be inspected into the WAF container for inspection includes: the agent calling the OVS (Open vSwitch) interface on the compute node to steer the traffic to be inspected to the WAF container.
Optionally, the WAF container image is selected according to a first instruction from the user.
Optionally, the web application firewall agent service controls execution of the first preset instructions and of the second preset instructions.
In a second aspect, the invention provides a web application firewall management method, comprising:
sending WAF container image A to the virtual machine designated by the user;
sending, to the compute node where the virtual machine is located, first preset instructions and second preset instructions corresponding to WAF container image A;
the first preset instructions being used to install the WAF container image in the virtual machine designated by the user;
the second preset instructions being used to configure the virtual machine so that the WAF container generated from the WAF container image provides the WAF service to the user's virtual machine.
Optionally, before sending WAF container image A to the virtual machine designated by the user, the method comprises:
selecting the corresponding WAF container image A in the image management system according to the first instruction from the user; at least two mutually different WAF container images are stored in the image management system.
Optionally, the second preset instructions include one or more of the following groups of instructions:
first group: instructions setting the scaling rule of the WAF container;
second group: instructions setting the update rule for applications in the WAF container;
third group: instructions configuring the virtual machine and/or the WAF container so that the WAF container provides the corresponding WAF service;
fourth group: instructions setting the detection rules for applications in the WAF container.
Optionally, after the second preset instructions have configured the virtual machine, the method comprises: receiving monitoring record information sent by the WAF container in the virtual machine;
dynamically generating firewall rules according to the monitoring record information;
sending the firewall rules to the compute node where the virtual machine is located;
applying the firewall rules to the firewall of the compute node.
In a third aspect, the invention provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of any of the above methods when it executes the program.
In a fourth aspect, the invention provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of any of the above methods when it executes the program.
As can be seen from the above technical solution, the WAF deployment approach described here does not require traffic to be resolved to a third party, which avoids the resulting data security risk and also avoids slowing down end-user access.
The foregoing is a simplified summary intended to give an understanding of some aspects of the invention. This section is neither a detailed statement of the invention and its various embodiments nor an exhaustive one. It neither identifies important or key features of the invention nor limits its scope, but presents selected principles of the invention in a simplified form as an introduction to the more detailed description given below. It should be understood that other embodiments of the invention are also possible, using one or more of the features set forth above or described below, alone or in combination.
Brief description of the drawings
In order to explain the technical solutions in the embodiments of the invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the method described in one embodiment of the invention.
Fig. 2 is a schematic diagram of the system architecture in one embodiment of the invention.
Detailed description of embodiments
The invention is described below in conjunction with an illustrative system.
Docker began as an internal project at dotCloud in France, started by the company's founder Solomon Hykes, and grew out of dotCloud's years of cloud service technology. Docker is implemented in the Go language released by Google and uses Linux kernel technologies such as cgroups, namespaces and union file systems of the AUFS type to package and isolate processes; it is a form of operating-system-level virtualization. Because an isolated process is independent of the host and of the other isolated processes, it is also called a container.
The technical solution disclosed here deploys a WAF for a web server on the basis of Docker technology. One embodiment of the invention includes a compute node and web servers (also called virtual servers, virtual machines or servers); multiple web servers are usually deployed on one compute node. The user purchases and configures web servers through a cloud management platform and performs management operations in the platform's UI in order to deploy a WAF on the compute node/web server. The user selects the required web application firewall functions in the UI of the cloud management platform, the corresponding WAF container image is selected automatically according to the functions the user selected, and the web server or compute node runs the following web application firewall construction method, thereby implementing the WAF function on the compute node/web server.
As shown in Fig. 1, the steps for building a web application firewall on the compute node or web server include:
S101, receiving a WAF container image;
S102, executing first preset instructions to install the WAF container image in the virtual machine designated by the user;
S103, executing second preset instructions to configure the virtual machine, so that the WAF container generated from the WAF container image provides the WAF service.
The reception of the WAF container image by the compute node or web server may be triggered by the compute node or web server itself, or the cloud management platform may actively push the WAF container image to the compute node or web server.
A WAF container image is a Docker image in which a WAF application or monitoring module has been deployed. The WAF application or monitoring module is installed in the WAF container according to the user's needs. For example, if the user needs protection against Trojan uploads, the corresponding detection rules or removal rules are deployed in the container image so that Trojan and backdoor files can be identified accurately; as another example, if the user needs to protect a website against SQL injection, filtering rules must be established for every data submission path (GET, POST, cookies, etc.) so that the defence against SQL injection is strengthened as far as possible. It will be understood that the firewall functions that can additionally be implemented in the WAF container include, but are not limited to: system account protection, remote desktop protection, information monitoring, hotlink protection, anti-download protection for online playback, download bandwidth control, protection against CC (HTTP flood) attacks, proxy server access control, protection against PHP UDP flood attacks, IP address blacklists, IP address whitelists, protection against buffer overflow attacks, prohibiting the execution of malicious scripts, URL access permission control, advertisement injection on free domain names, and so on.
In order to implement the above firewall functions, the following modules may be deployed in the WAF container when the WAF is implemented:
1.1 Engine rule management module:
provides an API for the UI of the cloud management platform to call; the API maps the user's detection-related configuration in the management system into the WAF system, where it serves as the basis for packet inspection, for example which packets are inspected and how a detected intrusion is handled;
1.2 Event generation module:
captures and reassembles packets and pre-processes the data;
1.3 Event analysis module:
analyses the captured data according to the preset intrusion rules; a known attack is handed to the event response unit;
an unknown attack is logged so that the event feature processor can learn from it and form a new intrusion detection rule;
intrusion detection rules obtained by dynamic learning are reported to the cloud management platform or the image management system; the dynamic learning here may be implemented by a preset machine learning algorithm.
1.4 Event signature database management module:
records the various intrusion rules for use by the event analysis module;
1.5 Event response unit module:
according to the user's configuration, raises an alarm, sends mail or SMS when an intrusion event is found, and notifies the cloud management platform to issue security rules, break connections, etc., so as to protect the user's virtual network dynamically.
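The five modules above, together with the earlier remark that SQL-injection filtering has to cover every submission path (GET, POST, cookies), describe a pipeline rather than code. The block below is an added example that is not part of the patent: a minimal rule-driven WAF in Python whose functions map onto modules 1.2 to 1.5 (a signature table stands in for 1.1/1.4). The rule ids, the three patterns, the 403/200 actions and the "long field is anomalous, log it for learning" heuristic are all assumptions made for the example.

```python
"""Minimal rule-driven WAF pipeline that mirrors the five modules described
above (rule management, event generation, event analysis, signature database,
event response) and the GET/POST/cookie filtering the SQL-injection example
calls for.  Added example, not code from the patent; rule ids, patterns and
the block/log/allow actions are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, unquote_plus

# 1.4 Event signature database: known-attack rules (illustrative, not a
# complete ruleset).  Module 1.1 would populate this from the management API.
SIGNATURES = {
    "sqli-001": re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+)"),
    "trav-001": re.compile(r"\.\.[/\\]"),
    "trojan-001": re.compile(r"(?i)<\?php\s+.*\b(eval|system|passthru)\s*\("),
}
MAX_FIELD_LEN = 1024   # anomaly threshold for the learning path (assumption)


@dataclass
class Event:
    """1.2 output: one request split into the submission paths the text
    names (GET, POST, cookie), keyed by (channel, name)."""
    client_ip: str
    method: str
    path: str
    fields: dict = field(default_factory=dict)


@dataclass
class Verdict:
    action: str                  # "allow", "block" or "log"
    rule_id: Optional[str] = None
    where: Optional[str] = None  # "channel:name" that triggered the verdict


def generate_event(raw: bytes, client_ip: str) -> Event:
    """1.2 Event generation: parse one raw HTTP/1.1 request.  parse_qs
    URL-decodes query and form fields exactly once; cookies are decoded
    explicitly so encoded payloads are matched in decoded form."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    ev = Event(client_ip, method, path)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    for k, vs in parse_qs(query, keep_blank_values=True).items():
        ev.fields[("get", k)] = vs[-1]
    for part in headers.get("cookie", "").split(";"):
        k, sep, v = part.strip().partition("=")
        if sep:
            ev.fields[("cookie", k)] = unquote_plus(v)
    text = body.decode("utf-8", "replace")
    if method == "POST" and "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        for k, vs in parse_qs(text, keep_blank_values=True).items():
            ev.fields[("post", k)] = vs[-1]
    elif text:
        ev.fields[("post", "_body")] = text   # raw body, e.g. an upload
    return ev


def analyse(ev: Event, uri_whitelist=frozenset()) -> Verdict:
    """1.3 Event analysis: whitelisted URIs bypass the rules; otherwise every
    field is matched against the signature database.  A request that matches
    no signature but looks anomalous is only logged, feeding the learning
    path that forms new rules instead of blocking on a guess."""
    if ev.path in uri_whitelist:
        return Verdict("allow")
    for (channel, name), value in ev.fields.items():
        for rule_id, pattern in SIGNATURES.items():
            if pattern.search(value):
                return Verdict("block", rule_id, f"{channel}:{name}")
    for (channel, name), value in ev.fields.items():
        if len(value) > MAX_FIELD_LEN:
            return Verdict("log", "unknown", f"{channel}:{name}")
    return Verdict("allow")


def respond(ev: Event, verdict: Verdict, alerts: list) -> int:
    """1.5 Event response: blocked requests get 403 and an alarm record that
    the management platform can turn into a firewall rule; logged requests
    pass but are recorded.  Returns the HTTP status to send."""
    if verdict.action != "allow":
        alerts.append({"ip": ev.client_ip, "rule": verdict.rule_id,
                       "where": verdict.where, "path": ev.path})
    return 403 if verdict.action == "block" else 200


def inspect(raw: bytes, client_ip: str, alerts: list, uri_whitelist=frozenset()) -> int:
    """Whole pipeline for one request."""
    ev = generate_event(raw, client_ip)
    return respond(ev, analyse(ev, uri_whitelist), alerts)
```

The alarm records returned through `alerts` are the "monitoring record information" that the management method later turns into compute-node firewall rules; keeping the channel and field name in each record is what makes a rule explainable afterwards. Note that decoding exactly once is a deliberate choice: a WAF that decodes twice will see payloads the backend never sees, and one that never decodes will miss `%27%20or%20` style encodings.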
It will be understood that the above modules only illustrate one possible design of the WAF container; in other embodiments the WAF may instead consist of five modules: a configuration module, a protocol parsing module, a rule module, an action module and an error handling module.
It will also be understood that when the WAF service is deployed in the server as a container, the related configuration instructions are relatively complex, and the content of the WAF service differs between application scenarios, so the WAF container images differ (which in turn leads to differences in the content of the corresponding first and second preset instructions). Therefore only some examples are given here to explain the function of the first and second preset instructions, without limiting the content they may include.
The WAF deployment approach described in the above embodiment does not require traffic to be resolved to a third party, which avoids the resulting data security risk and also avoids slowing down end-user access.
The steps for making a WAF container image may be: download a basic Docker system, install each module of the WAF container, build it into a new Docker image, and call the interface of the cloud computing management platform to register the new Docker image in the image management system. The image management system stores and manages container images and may cooperate with the cloud management platform to install and manage the WAF containers on virtual machines.
In some embodiments the image management system and the cloud management platform may be independent of each other; for example, the image management system is a git repository and the cloud management platform is a server application that provides web server management for users. In other embodiments the image management system may be part of the cloud management platform.
With the WAF deployment approach described in the above embodiment, the user only needs to operate in the UI of the cloud management platform and does not have to learn complicated WAF installation instructions, which is fast and convenient for users who need to deploy a WAF. On the other hand, the cloud computing service provider can provide WAF services according to user demand (that is, design differentiated WAF container images and select a suitable one to install according to the user's needs), quickly giving different users application-layer data protection for different web servers; this adds a business model in which security is delivered as a service, which has good market value. The customised WAF service above can be realised with pre-designed WAF container images: users with the same needs only require the same or a similar WAF container image, which saves operating cost.
In one embodiment of the invention, the second preset instructions include one or more of the following groups of instructions:
first group: instructions setting the scaling rule of the WAF container;
second group: instructions setting the update rule for applications in the WAF container;
third group: instructions configuring the virtual machine and/or the WAF container so that the WAF container provides the corresponding WAF service;
fourth group: instructions setting the detection rules for applications in the WAF container.
That is, in one embodiment of the invention the WAF container images are stored in the image management system, which stores at least two mutually different WAF container images. The user configures the web server through the cloud management platform and selects the required WAF service in the platform's UI (a first instruction is generated from the user's operation in the UI, and the corresponding WAF container image A is selected in the image management system according to the first instruction); the cloud management platform automatically matches the corresponding WAF container image to the user's selection and sends the matched WAF container image A to the virtual machine designated by the user. The first preset instructions start the WAF container image; then the scaling rule of the WAF container is set, the update rule for applications in the WAF container is set, the virtual machine and/or WAF container are configured so that the WAF container provides the corresponding WAF service, and the detection rules for applications in the WAF container are set.
The scaling rule of the WAF container includes, but is not limited to, scaling the resources used by the WAF container according to the traffic volume; the resources include, but are not limited to, CPU, memory and disk. This scaling can be achieved by modifying the container's configuration file or by other Docker configuration commands.
Setting the scaling rule of the WAF container lets the WAF container scale automatically according to the user's configuration and the network state of the virtual machine.
In one embodiment, the scaling rule of the WAF container may also include a preset range of resource usage for the WAF container. The WAF container is created with the smallest amount of resources; when the container's internal monitoring detects that the container cannot keep up with the requests, it notifies the cloud management platform to extend the resource usage of the current container automatically and dynamically. In this way the other applications on the compute node/virtual machine can use resources as fully as possible, resource waste is avoided and resource utilisation is improved.
In one embodiment, the method further includes setting the update rule for applications in the WAF container; such an application may be, for example, a URL encoding check module or a JSON validation module, so that the rules of these modules or applications are updated according to the user's settings, improving the applicability and stability of the WAF container.
In one embodiment, the method further includes instructions configuring the virtual machine and/or the WAF container so that the WAF container provides the corresponding WAF service, for example the instructions needed to install a protocol parsing module, a URI whitelist/blacklist module, or an intercept/reset module. The instructions may also configure alarms and response information, for example recording alarm logs, sending mail or SMS, or having the firewall (FW) issue a rule that blocks the intruding connection. The way the WAF container is configured depends on the WAF functions pre-designed into the WAF container image. By designing differentiated WAF container images and installing and configuring the applications and modules in the WAF container according to user demand, the problem of quickly providing different users with data protection for different web server applications is solved.
In one embodiment, the method further includes instructions setting the detection rules for applications in the WAF container. Setting these detection rules means, for example, setting the specific content of the URI whitelist in the WAF container; it may also mean setting the logging level and the filtering method for sensitive logs, or the detection rules for polling characters in request variables, or instructions configuring the various engines and rules, the purpose of which is to apply different policy checks to the various protocols.
In one embodiment of the invention, a web application firewall service agent (also written as WAFaaS agent) runs on the compute node; the agent imports traffic to be inspected into the WAF container for inspection. That is, a WAFaaS agent is added to the compute node; it manages the WAFaaS container selected by the user and imports into the WAF container the traffic in the current tenant's virtual network that requires security inspection.
Importing traffic into the WAF container can be done as follows: when the user configures intrusion security inspection for a virtual network, the network management platform of the cloud computing management platform communicates with the WAFaaS agent on the network node; the WAFaaS agent starts the WAF container, downloads/creates/deletes/modifies the WAFaaS according to the user's configuration, and calls the container's API interface to configure the security detection engine and rules selected by the user on the WAF container.
In one embodiment of the invention, the web application firewall service agent collects information about the virtual ports of the virtual machine according to preset collection rules;
the preset collection rules can be defined or set in the UI of the cloud management platform.
The agent importing traffic to be inspected into the WAF container for inspection includes: the agent calling the OVS (Open vSwitch) interface on the compute node to steer the traffic to be inspected to the WAF container.
As shown in Fig. 2, the WAFaaS agent imports the relevant traffic on the compute node into the WAF container, and the WAF container passes the traffic through the virtual bridge into the virtual machine for handling.
It will be understood that if the WAF container is deployed on the compute node rather than inside a virtual machine, traffic steering rules can be set so that one WAF container provides the web application firewall service for multiple virtual machines on the compute node.
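The page describes the agent's two jobs at this point only in words: collect the VM's virtual port information from OVS, then steer the VM's traffic through the WAF container. The block below is an added example, not the patent's or any platform's code, of how a WAFaaS agent could do both with the standard `ovs-vsctl` and `ovs-ofctl` tools. The bridge name `br-int`, the `vm-id` key in `external_ids`, the port numbers and the sample listing are assumptions constructed for the example.

```python
"""Traffic steering helper for a WAFaaS agent: discover the VM's virtual
port from OVS and build the OpenFlow rules that divert the VM's web traffic
through the WAF container (added example; not the patent's code).  Bridge
name, the external_ids key and the ovs-vsctl/ovs-ofctl invocations are
assumptions."""
import re
import shlex
import subprocess

BRIDGE = "br-int"   # assumed integration bridge name


def parse_interfaces(listing: str) -> dict:
    """Parse `ovs-vsctl list Interface` output into
    {name: {"ofport": int, "external_ids": {...}}}.  Records are separated
    by blank lines, each line is 'key : value', and external_ids prints as
    {k="v", k2="v2"}."""
    ports = {}
    for record in re.split(r"\n\s*\n", listing.strip()):
        fields = {}
        for line in record.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        name = fields.get("name", "").strip('"')
        if not name or not fields.get("ofport", "").isdigit():
            continue
        ext = dict(re.findall(r'([\w-]+)="?([^",}]+)"?',
                              fields.get("external_ids", "").strip("{}")))
        ports[name] = {"ofport": int(fields["ofport"]), "external_ids": ext}
    return ports


def collect_ports(listing: str = None) -> dict:
    """Collection step: use the supplied listing (tests, dry runs) or query
    the local OVS database."""
    if listing is None:
        listing = subprocess.run(["ovs-vsctl", "list", "Interface"],
                                 check=True, capture_output=True, text=True).stdout
    return parse_interfaces(listing)


def find_vm_port(ports: dict, vm_id: str) -> int:
    """Collection rule: the VM's port is the interface whose external_ids
    carry the VM identifier (the key name is an assumption)."""
    for info in ports.values():
        if info["external_ids"].get("vm-id") == vm_id:
            return info["ofport"]
    raise LookupError(f"no OVS port for VM {vm_id}")


def steering_flows(vm_ofport: int, waf_ofport: int, vm_ip: str,
                   web_ports=(80, 443), priority=200) -> list:
    """OpenFlow rules in ovs-ofctl syntax that make the WAF container a
    bump-in-the-wire for the VM's web ports:
      * client traffic to those ports goes to the WAF instead of the VM;
      * the VM's replies on those ports also go through the WAF, so the
        container sees both directions of each session;
      * frames the WAF emits toward the VM are delivered explicitly, and
        anything else it emits follows the bridge's NORMAL forwarding.
    The WAF-side rules carry a higher priority so re-emitted frames are not
    diverted a second time."""
    flows = []
    for p in web_ports:
        flows.append(f"priority={priority},tcp,nw_dst={vm_ip},tp_dst={p},actions=output:{waf_ofport}")
        flows.append(f"priority={priority},in_port={vm_ofport},tcp,nw_src={vm_ip},tp_src={p},actions=output:{waf_ofport}")
    flows.append(f"priority={priority + 10},in_port={waf_ofport},ip,nw_dst={vm_ip},actions=output:{vm_ofport}")
    flows.append(f"priority={priority + 10},in_port={waf_ofport},actions=NORMAL")
    return flows


def apply_flows(flows, bridge=BRIDGE, dry_run=True):
    """Install the flows with ovs-ofctl; dry_run returns the command lines
    as strings instead of executing them (needs root when executed)."""
    cmds = [["ovs-ofctl", "add-flow", bridge, f] for f in flows]
    if dry_run:
        return [shlex.join(c) for c in cmds]
    for c in cmds:
        subprocess.run(c, check=True)
    return cmds
```

Two caveats a practitioner will hit: first, the VM's replies are re-emitted by the WAF with the VM's source MAC, so NORMAL forwarding will learn that MAC on the WAF port and may flap; the usual fixes are explicit `output:` rules in both directions (the agent knows the uplink port from the same listing) or a dedicated bridge for the WAF leg. Second, the rules above are not symmetric for connection tracking on the bridge; if the bridge also applies security-group `ct()` rules, the WAF leg has to be placed either before or after them consistently, not in the middle.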
The WAF container image is selected according to the user's first instruction. The UI of the cloud management platform displays the web application firewall functions provided by the different WAF container images, and the user selects the corresponding WAF container image according to their own needs. With the WAF deployment approach described in the above embodiment, the user only needs to operate in the UI of the cloud management platform and does not have to learn complicated WAF installation instructions, which is fast and convenient for users who need to deploy a WAF.
The invention also provides a web application firewall management method, namely a method for deploying a web application firewall for a virtual machine through the cloud management platform. The method comprises:
sending WAF container image A to the compute node/virtual machine designated by the user;
sending, to the compute node where the virtual machine is located, the first preset instructions and the second preset instructions corresponding to WAF container image A;
the first preset instructions being used to install the WAF container image in the virtual machine designated by the user;
the second preset instructions being used to configure the virtual machine so that the WAF container generated from the WAF container image provides the WAF service to the user's virtual machine.
That is, in one embodiment of the invention the WAF container images are stored in the image management system, which stores at least two mutually different WAF container images. The user configures the web server through the cloud management platform and selects the required WAF service in the platform's UI (a first instruction is generated from the user's operation in the UI, and the corresponding WAF container image A is selected in the image management system according to the first instruction); the cloud management platform automatically matches the corresponding WAF container image to the user's selection and sends the matched WAF container image A to the virtual machine designated by the user;
the corresponding instructions are executed on the compute node to configure the virtual machine and the WAF container, so that the started WAF container image provides the WAF service.
The instructions configuring the virtual machine may be the instructions required to configure the WAF service, or instructions that steer traffic into the WAF container for inspection.
This deploys the WAF on the compute node/web server. The user selects the required web application firewall functions in the UI of the cloud management platform, the corresponding WAF container image is selected automatically according to the functions the user selected, and the web server or compute node runs the method for providing a web application firewall, thereby implementing the WAF function on the compute node/web server.
The corresponding instructions executed on the compute node include the first preset instructions and the second preset instructions. The first preset instructions are used to install the WAF container image in the virtual machine designated by the user; in some embodiments the first preset instructions are container start instructions. It will be understood that "executing the first preset instructions and the second preset instructions" here means triggering their execution; it does not mean that the object operated on by these instructions can only be the compute node.
The second preset instructions include one or more of the following groups of instructions:
first group: instructions setting the scaling rule of the WAF container;
second group: instructions setting the update rule for applications in the WAF container;
third group: instructions configuring the virtual machine and/or the WAF container so that the WAF container provides the corresponding WAF service;
fourth group: instructions setting the detection rules for applications in the WAF container.
The above groups of instructions may be generated by the cloud management platform, or generated automatically from settings entered by the user.
The scaling rule of the WAF container includes, but is not limited to, scaling the resources used by the WAF container according to the traffic volume; the resources include, but are not limited to, CPU, memory and disk. This scaling can be achieved by modifying the container's configuration file or by other Docker configuration commands.
Setting the scaling rule of the WAF container lets the WAF container scale automatically according to the user's configuration and the network state of the virtual machine.
In one embodiment, the scaling rule of the WAF container may also include a preset range of resource usage for the WAF container. The WAF container is created with the smallest amount of resources; when the container's internal monitoring detects that the container cannot keep up with the requests, it notifies the cloud management platform to extend the resource usage of the current container automatically and dynamically. In this way the other applications on the compute node/virtual machine can use resources as fully as possible, resource waste is avoided and resource utilisation is improved.
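The scaling rule, described here and in the earlier embodiment in the same words, is a small control loop: start at the bottom of a preset resource range, grow when the container's own monitor reports requests it cannot serve, and hand the change to Docker. The block below is an added example of that loop in Python; it is not the patent's code. The step factor, the backlog and utilisation thresholds, the scale-down cooldown and the use of `docker update` are assumptions; the scale-down path is added because a rule that only ever grows would defeat the stated goal of leaving resources for the other applications on the node.

```python
"""Scaling rule for the WAF container as described above: start at the
minimum of a preset resource range, grow when the container's own monitor
reports a backlog, shrink when idle, never leave the range, and express the
result as a Docker update.  Added example, not the patent's code; thresholds,
step factor, cooldown and the docker invocation are assumptions."""
from dataclasses import dataclass
import subprocess


@dataclass(frozen=True)
class ResourceRange:
    """Preset resource usage range for the container (CPU cores, memory MB)."""
    min_cpus: float
    max_cpus: float
    min_mem_mb: int
    max_mem_mb: int


@dataclass(frozen=True)
class Allocation:
    cpus: float
    mem_mb: int


def scale_up(cur: Allocation, rng: ResourceRange, step: float) -> Allocation:
    return Allocation(min(cur.cpus * step, rng.max_cpus),
                      min(int(cur.mem_mb * step), rng.max_mem_mb))


def scale_down(cur: Allocation, rng: ResourceRange, step: float) -> Allocation:
    return Allocation(max(cur.cpus / step, rng.min_cpus),
                      max(int(cur.mem_mb / step), rng.min_mem_mb))


class WafScaler:
    """Stateful controller fed by the container's monitoring samples.
    Scale-up acts on the first backlog sample (the monitor is already
    reporting requests it cannot serve); scale-down waits for `cooldown`
    consecutive idle samples so a short lull does not cause flapping."""

    def __init__(self, rng: ResourceRange, step=2.0, up_backlog=50,
                 down_util=0.2, cooldown=3):
        self.rng, self.step = rng, step
        self.up_backlog, self.down_util, self.cooldown = up_backlog, down_util, cooldown
        self.alloc = Allocation(rng.min_cpus, rng.min_mem_mb)  # smallest first
        self.idle_samples = 0

    def observe(self, pending_requests: int, cpu_util: float) -> Allocation:
        """Feed one monitoring sample; returns the allocation to apply
        (unchanged if no scaling decision was made)."""
        if pending_requests > self.up_backlog:
            self.idle_samples = 0
            self.alloc = scale_up(self.alloc, self.rng, self.step)
        elif pending_requests == 0 and cpu_util < self.down_util:
            self.idle_samples += 1
            if self.idle_samples >= self.cooldown:
                self.idle_samples = 0
                self.alloc = scale_down(self.alloc, self.rng, self.step)
        else:
            self.idle_samples = 0
        return self.alloc


def docker_update_command(container: str, alloc: Allocation) -> list:
    """`docker update --cpus/--memory` changes the limits of a running
    container without restarting it.  --memory-swap is set to the same value
    because Docker rejects a memory limit above the current swap limit and
    an equal value keeps the container off swap."""
    return ["docker", "update", f"--cpus={alloc.cpus}",
            f"--memory={alloc.mem_mb}m", f"--memory-swap={alloc.mem_mb}m", container]


def apply_allocation(container: str, alloc: Allocation, dry_run=True) -> list:
    """Apply (or, in dry_run, just return) the docker command."""
    cmd = docker_update_command(container, alloc)
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd
```

The monitor that feeds `observe` runs inside the container, as the text says; the controller itself belongs on the agent or platform side, because a container that grows its own limits has to be trusted with the Docker socket, which is far more privilege than an inspection engine should hold.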
In one embodiment, the method further includes setting the update rule of the applications in the WAF container. The applications may be, for example, a URL encoding check module or a JSON verification module, so that these modules or applications are updated according to the policy set by the user, improving the applicability and stability of the WAF container.
In one embodiment, the method further includes setting the virtual machine and/or the WAF container with the instructions needed for the WAF container to provide the corresponding WAF service, for example the instructions needed to install a protocol analysis module, a URI whitelist/blacklist module, or an intercept/reset module. The instructions may also configure alarms and response actions, for example recording an alarm log, sending mail or SMS, or having the firewall issue a rule that blocks the intruding connection. The way the WAF container is configured is related to the WAF functions pre-designed in the WAF container image. By designing differentiated WAF container images and installing and configuring the applications and modules in the WAF container according to the user's needs, the problem of quickly providing data protection for the different web server applications of different users is solved.
In one embodiment of the invention, after the second preset instructions have been used to configure the virtual machine, the method includes:
receiving the monitoring record information sent by the WAF container in the virtual machine;
dynamically generating firewall rules according to the monitoring record information;
sending the firewall rules to the compute node where the virtual machine is located;
applying the firewall rules to the firewall of the compute node.
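The monitoring-record-to-firewall-rule loop above, as an added example that is not from the patent: WAF monitoring records arrive as JSON lines, a source that the WAF has blocked repeatedly inside a short window gets a node-level DROP rule, and the rule is rendered as an iptables argv list for the compute node's firewall. The record format, the `threshold`/`window_s` parameters, the sample addresses (documentation ranges) and all names are constructed assumptions.

```python
"""Constructed example: generating compute-node firewall rules from WAF monitoring records.

Assumptions (hypothetical, not from the patent): each record is one JSON line with
"ts" (epoch seconds), "src" (client IP), "rule_id" and "action"; a source with
`threshold` or more "block" records inside any `window_s`-second window is dropped
at the node firewall; rules already applied are not re-inserted.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed monitoring records as the WAF container might send them,
# including one malformed line to show that parsing is tolerant.
SAMPLE_RECORDS = """
{"ts": 100, "src": "203.0.113.7", "rule_id": "sqli-001", "action": "block"}
{"ts": 101, "src": "203.0.113.7", "rule_id": "sqli-001", "action": "block"}
{"ts": 102, "src": "198.51.100.9", "rule_id": "xss-010", "action": "block"}
{"ts": 103, "src": "203.0.113.7", "rule_id": "sqli-003", "action": "block"}
{"ts": 104, "src": "198.51.100.9", "rule_id": "xss-010", "action": "log"}
{"ts": 900, "src": "203.0.113.7", "rule_id": "sqli-001", "action": "block"}
not json at all
"""


def parse_records(text):
    """Parse JSON-lines records; skip malformed lines and records whose src is not an IP.

    Validating src here matters because the value ends up in a firewall command.
    """
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            ipaddress.ip_address(rec["src"])
            out.append(rec)
        except (ValueError, KeyError, TypeError):
            continue
    return out


def generate_firewall_rules(records, threshold=3, window_s=300):
    """Return the set of source addresses that should be dropped at the node firewall.

    A source qualifies when it has `threshold` or more "block" records whose
    timestamps fall within one `window_s`-second sliding window.
    """
    by_src = defaultdict(list)
    for rec in records:
        if rec.get("action") == "block":
            by_src[rec["src"]].append(rec["ts"])
    drops = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                drops.add(src)
                break
    return drops


def render_iptables(drops, existing=frozenset()):
    """Render one INPUT DROP rule per new source as an argv list; skip sources already applied."""
    cmds = []
    for src in sorted(drops, key=ipaddress.ip_address):
        if src in existing:
            continue
        cmds.append(["iptables", "-I", "INPUT", "-s", src, "-j", "DROP"])
    return cmds


if __name__ == "__main__":
    records = parse_records(SAMPLE_RECORDS)
    for cmd in render_iptables(generate_firewall_rules(records)):
        print(" ".join(cmd))
```

Two points a practitioner would check before wiring this to a real node firewall: the window and threshold decide how easily a shared NAT address can be locked out, so generated rules should expire rather than accumulate, and the `existing` set is what keeps repeated monitoring records from stacking duplicate entries in the chain.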
That is, in an embodiment of the invention, WAF container images are stored in an image management system, and at least two mutually different WAF container images are stored in that system. The user configures the web server through the cloud management platform and selects the required WAF service on the platform's UI (a first instruction is generated according to the user's operation on the UI, and the corresponding WAF container image A is selected from the image management system according to the first instruction). The cloud management platform automatically matches the corresponding WAF container image according to the user's selection and sends the matched WAF container image A to the virtual machine indicated by the user. The first preset instructions are run to start the WAF container image; then the WAF container expansion rule is set, the update rule of the applications in the WAF container is set, the virtual machine and/or the WAF container is set so that the WAF container provides the corresponding WAF service, and the detection rules of the applications in the WAF container are set. It will be understood that the execution order of the first and second preset instructions is determined by the specific content of the instructions: in some cases certain instructions in the second preset instructions need to be executed before the container start instruction (i.e. the first preset instructions), and in other cases other instructions in the second preset instructions need to be executed after the container start instruction.
It will be understood that when the WAF service is deployed in a server/compute node in the form of a container, the related configuration instructions are fairly complex, and the content of the WAF service differs between application scenarios, leading to differences between WAF container images (which in turn cause differences in the content of the corresponding first and second preset instructions). Therefore only a few examples are given here to illustrate the function of the first and second preset instructions, not to limit the content that they include.
In a third aspect, the invention provides a computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the program, it implements the steps of any of the methods described above.
In a fourth aspect, the invention provides a computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the program, it implements the steps of any of the methods described above.
"Monitoring" as used herein includes any kind of function related to observing, recording or detecting with an instrument, where the instrument has no influence on the operation or state of the monitored component or group of components.
"At least one", "one or more" and "and/or" as used herein are open-ended expressions that are both conjunctive and disjunctive in operation. For example, "at least one of A, B and C", "at least one of A, B or C", "one or more of A, B and C" and "one or more of A, B or C" each mean A alone, B alone, C alone, A and B together, A and C together, B and C together, or A, B and C together.
The term "a" or "an" entity refers to one or more of that entity. Thus the terms "a", "one or more" and "at least one" may be used interchangeably herein. It should also be noted that the terms "include", "comprise" and "having" may be used interchangeably.
The term "automatic" and its variations as used herein refer to any process or operation performed without tangible human input while the process or operation is executed. However, a process or operation may still be automatic even if substantive or non-substantive human input received before the process or operation is executed is used in performing it. Human input is considered substantive if it influences how the process or operation will proceed; human input that does not influence the process or operation is not considered substantive.
The term "computer-readable medium" as used herein refers to any tangible storage device and/or transmission medium that participates in providing instructions to a processor for execution. A computer-readable medium may be a serial instruction set encoded for transmission over an IP network (such as SOAP). Such a medium may take many forms, including but not limited to non-volatile media, volatile media and transmission media. Non-volatile media include, for example, NVRAM or magnetic or optical disks. Volatile media include dynamic memory such as main memory (e.g. RAM). Common forms of computer-readable media include, for example, a floppy disk, flexible disk, hard disk, magnetic tape or any other magnetic medium, magneto-optical media, CD-ROM, any other optical medium, punched cards, paper tape, any other physical medium with patterns of holes, RAM, PROM, EPROM, FLASH-EPROM, solid-state media such as memory cards, any other memory chip or cartridge, a carrier wave as described below, or any other medium from which a computer can read. A digital file attachment to an e-mail or another self-contained information archive or set of archives is considered a distribution medium equivalent to a tangible storage medium. When the computer-readable medium is configured as a database, it will be understood that the database may be any type of database, such as a relational database, a hierarchical database, an object-oriented database, etc. Accordingly, the invention is considered to include tangible storage media or distribution media, their equivalents known in the prior art, and media developed in the future, in which the software implementations of the invention are stored.
The terms "determine", "operate" and "calculate" and their variations as used herein may be used interchangeably and include any type of method, process, mathematical operation or technique. More specifically, such terms may include interpreted rules or rule languages such as BPEL, where the logic is not hard-coded but can be represented in a rule file that is read, interpreted, compiled and executed.
The term "module" or "tool" as used herein refers to any known or later-developed hardware, software, firmware, artificial intelligence, fuzzy logic, or combination of hardware and software that is capable of performing the functions associated with that element. In addition, although the invention is described in terms of exemplary embodiments, it will be understood that each aspect of the invention may be claimed separately.
It should be noted that in this document relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant of them are intended to cover non-exclusive inclusion, so that a process, method, article or terminal device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or terminal device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of further such elements in the process, method, article or terminal device that includes it. In addition, in this document "greater than", "less than", "more than" and the like are understood as excluding the stated number, while "above", "below", "within" and the like are understood as including the stated number.
Although the embodiments above have been described, once a person skilled in the art knows the basic inventive concept, additional changes and modifications can be made to these embodiments. The above description is therefore only an embodiment of the invention and is not intended to limit the scope of patent protection of the invention; all equivalent structures or equivalent process transformations made using the contents of the description and drawings of the invention, whether applied directly or indirectly in other related technical fields, are likewise included within the scope of patent protection of the invention.
Claims (11)
1. A method for providing a web application firewall service, characterized in that it comprises:
receiving a WAF container image;
executing first preset instructions to install the WAF container image in a virtual machine indicated by the user;
executing second preset instructions to configure the virtual machine so that the WAF container generated from the WAF container image provides the WAF service for the virtual machine;
the second preset instructions including one or more of the following groups of instructions:
a first group: instructions for setting the WAF container expansion rule;
a second group: instructions for setting the update rule of the applications in the WAF container;
a third group: instructions for setting the virtual machine and/or the WAF container so that the WAF container provides the corresponding WAF service;
a fourth group: instructions for setting the detection rules of the applications in the WAF container.
2. The method according to claim 1, characterized in that a web application firewall service agent runs in the compute node where the virtual machine is located, and the web application firewall service agent is used to direct traffic to be inspected into the WAF container for inspection.
3. The method according to claim 2, characterized in that the web application firewall service agent collects the information of the virtual ports of the virtual machine according to a preset collection rule.
4. The method according to claim 2, characterized in that the web application firewall service agent directing the traffic to be inspected into the WAF container for inspection comprises: the web application firewall service agent calling the ovs interface in the compute node to add the traffic to be inspected to the WAF container; and the WAF container image is selected from the WAF image management system according to the first instruction of the user.
5. The method according to claim 1, characterized in that the web application firewall service agent is used to control execution of the first preset instructions and to control execution of the second preset instructions.
6. A web application firewall management method, characterized in that it comprises:
sending a WAF container image A to a virtual machine indicated by the user;
sending the first preset instructions and the second preset instructions corresponding to the WAF container image A to the compute node where the virtual machine is located;
the first preset instructions being used to install the WAF container image in the compute node/virtual machine indicated by the user;
the second preset instructions being used to configure the virtual machine so that the WAF container generated from the WAF container image provides the WAF service for the user's virtual machine.
7. The method according to claim 6, characterized in that before sending the WAF container image A to the virtual machine indicated by the user, the method comprises:
selecting the corresponding WAF container image A from an image management system according to the first instruction of the user, at least two mutually different WAF container images being stored in the image management system.
8. The management method according to claim 6, characterized in that
the second preset instructions include one or more of the following groups of instructions:
a first group: instructions for setting the WAF container expansion rule;
a second group: instructions for setting the update rule of the applications in the WAF container;
a third group: instructions for setting the virtual machine and/or the WAF container so that the WAF container provides the corresponding WAF service;
a fourth group: instructions for setting the detection rules of the applications in the WAF container.
9. The management method according to claim 6, characterized in that after the second preset instructions have been used to configure the virtual machine, the method comprises:
receiving the monitoring record information sent by the WAF container in the virtual machine;
dynamically generating firewall rules according to the monitoring record information;
sending the firewall rules to the compute node where the virtual machine is located;
applying the firewall rules to the firewall of the compute node.
10. A computer device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the program, implements the steps of the method according to any one of claims 1 to 5.
11. A computer device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the program, implements the steps of the method according to any one of claims 6 to 9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710840573.9A CN107426252B (en) | 2017-09-15 | 2017-09-15 | The method and apparatus of web application firewall service is provided |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107426252A CN107426252A (en) | 2017-12-01 |
CN107426252B true CN107426252B (en) | 2019-10-25 |
Family
ID=60433127
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710840573.9A Active CN107426252B (en) | 2017-09-15 | 2017-09-15 | The method and apparatus of web application firewall service is provided |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107426252B (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109413069B (en) * | 2018-10-29 | 2021-11-12 | 北京百悟科技有限公司 | Application method and device of virtual website firewall based on block chain |
CN109413070A (en) * | 2018-10-30 | 2019-03-01 | 郑州市景安网络科技股份有限公司 | A kind of WAF service activating method and relevant apparatus |
CN111131026B (en) * | 2019-12-26 | 2022-06-21 | 深信服科技股份有限公司 | Communication method, device, equipment and storage medium |
CN112134844A (en) * | 2020-08-20 | 2020-12-25 | 广东网堤信息安全技术有限公司 | Framework of Web application firewall system |
CN112367290A (en) * | 2020-09-11 | 2021-02-12 | 浙江大学 | Endogenous safe WAF construction method |
CN112383528B (en) * | 2020-11-09 | 2021-09-24 | 浙江大学 | Method for constructing mimicry WAF executive body |
KR102229613B1 (en) * | 2021-01-11 | 2021-03-18 | 펜타시큐리티시스템 주식회사 | Method and apparatus for web firewall maintenance based on non-face-to-face authentication using maching learning self-check function |
CN113010897B (en) * | 2021-03-19 | 2023-06-13 | 中国联合网络通信集团有限公司 | Cloud computing security management method and system |
CN113347258B (en) * | 2021-06-04 | 2023-02-07 | 上海天旦网络科技发展有限公司 | Method and system for data acquisition, monitoring and analysis under cloud flow |
CN114237738A (en) * | 2021-12-08 | 2022-03-25 | 山石网科通信技术股份有限公司 | Device management method, device, electronic device and computer-readable storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105389243A (en) * | 2015-10-26 | 2016-03-09 | 华为技术有限公司 | Container monitoring method and apparatus |
CN105978904A (en) * | 2016-06-30 | 2016-09-28 | 联想(北京)有限公司 | Intrusion detect system and electronic device |
CN106534346A (en) * | 2016-12-07 | 2017-03-22 | 北京奇虎科技有限公司 | Virtual WAF-based flow control method, apparatus and system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9853940B2 (en) * | 2015-09-24 | 2017-12-26 | Microsoft Technology Licensing, Llc | Passive web application firewall |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||