CN108092934A - Safety service system and method - Google Patents
- Publication number: CN108092934A (application CN201611028861.6A)
- Authority: CN (China)
- Prior art keywords: safety, business, security, node, information
- Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications (CPC)
- H04L63/00: Network architectures or network communication protocols for network security
  - H04L63/14: for detecting or protecting against malicious traffic
    - H04L63/1408: by monitoring network traffic
    - H04L63/1441: Countermeasures against malicious traffic
      - H04L63/1458: Denial of Service
  - H04L63/20: for managing network security; network security policies in general
    - H04L63/205: involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
Abstract
An embodiment of the present invention discloses a security service system and method. The system comprises: a security resource pool, including security devices that provide security processing, where the security devices include virtual security devices that provide virtualized security functions and/or physical security devices that themselves provide security processing; and a security control platform for receiving a user demand and generating, according to the user demand, the association information of a security service chain. Because this embodiment introduces a security control platform that generates the association information of the security service chain from the user demand and applies security control to the corresponding service through that association information, the data carried by the security service chain is processed by the security devices of the security resource pool and user-level service security control is realized.
Description
Technical field
The present invention relates to security technology in the field of information technology, and in particular to a security service system and method.
Background technology
A data center is used for the centralized storage of data and is formed of one or more databases that store data. To realize traffic control and the security management of data, a software defined network (Software Defined Network, SDN) controller can be set up to schedule and centrally manage traffic; a virtualized security control platform or another network function virtualization (Network Function Virtualization, NFV) entity can also be set up to perform security control.
However, it has been found in use that the security control applied by existing security control platforms to the database has at least one of the following problems:
1) Some security functions only provide security services for north-south traffic. For example, distributed denial of service (Distributed Denial of Service, DDoS) protection is deployed at the entrance of the data center and only provides DDoS protection for the north-south traffic of the devices a user rents; there is no detection of or protection against internal DDoS attacks on the virtual machines the user rents, that is, east-west traffic inside the data center is neither detected nor protected.
2) There is no interaction between the SDN and NFV entities and the security control platform, so the processing of traffic and security control is rigid and inflexible.
3) The individual security demands of users cannot be met.
Summary of the invention
In view of this, the embodiments of the present invention aim to provide a security service system and method that can be used to solve at least one of the above problems.
To achieve the above objective, the technical solution of the invention is realized as follows:
A first aspect of the embodiments of the present invention provides a security service system, including:
A security resource pool, including security devices that provide security processing; where the security devices include virtual security devices that provide virtualized security functions and/or physical security devices that themselves provide security processing.
A security control platform, for receiving a user demand and generating, according to the user demand, the association information of a security service chain; where the association information includes at least one of attribute information, configuration information, policy information and metadata and is used to generate the security service chain; the security service chain includes a forwarding path, and the forwarding path passes through at least some of the security devices; the attribute information indicates the security features of the security service chain and/or the security functions it uses; the configuration information indicates the operating parameters with which the security service chain performs security control; the policy information is used to generate a flow classification policy and/or an encapsulation policy; the flow classification policy is used to classify services; the encapsulation policy is used to encapsulate data packets; and the metadata describes the data packets transmitted by the security service chain.
Based on the above solution, the system further includes:
A software defined network (SDN) controller, for receiving the association information, determining the forwarding path and/or generating the flow classification policy and/or the encapsulation policy according to the association information, and sending the forwarding path to a routing node and/or sending the flow classification policy to a service classification function node and/or sending the encapsulation policy to a service forwarding function node.
Based on the above solution, the SDN controller is connected to the security control platform through a northbound interface, and to the routing node, the service classification function node and the service forwarding function node through a southbound interface.
Based on the above solution, the security control platform is further configured to determine the forwarding path and/or generate the flow classification policy and/or the encapsulation policy according to the association information, and to send the forwarding path to a routing node and/or send the flow classification policy to a service classification function node and/or send the encapsulation policy to a service forwarding function node.
Based on the above solution, the system further includes:
A management and orchestration (MANO) subsystem, connected to the security control platform, for creating the virtual security devices.
A second aspect of the embodiments of the present invention provides a method for providing security services, including:
A security control platform receives a user demand;
According to the user demand, the association information of a security service chain is generated; where the association information includes at least one of attribute information, configuration information, policy information and metadata and is used to generate the security service chain; the security service chain includes a forwarding path, and the forwarding path passes through at least some of the security devices that provide security processing; the security devices include virtual security devices that provide virtualized security functions and/or physical security devices that themselves provide security processing; the attribute information indicates the security features of the security service chain and/or the security functions it uses; the configuration information indicates the operating parameters with which the security service chain performs security control; the policy information is used to generate a flow classification policy and/or an encapsulation policy; the flow classification policy is used to classify services; the encapsulation policy is used to encapsulate data packets; and the metadata describes the data packets transmitted by the security service chain.
Based on the above solution, the method further includes:
The security control platform sends the association information to a software defined network (SDN) controller;
The SDN controller receives the association information, determines the forwarding path and/or generates the flow classification policy and/or the encapsulation policy according to the association information, and sends the forwarding path to a routing node and/or sends the flow classification policy to a service classification function node and/or sends the encapsulation policy to a service forwarding function node.
Based on the above solution, the SDN controller is connected to the security control platform through a northbound interface, and to the routing node, the service classification function node and the service forwarding function node through a southbound interface.
Based on the above solution, the method further includes:
The security control platform determines the forwarding path and/or generates the flow classification policy and/or the encapsulation policy according to the association information, and sends the forwarding path to a routing node;
and/or sends the flow classification policy to a service classification function node and/or sends the encapsulation policy to a service forwarding function node.
Based on the above solution, the method further includes:
A management and orchestration (MANO) subsystem creates the virtual security devices.
In the security service system and method provided by the embodiments of the present invention, a security control platform is created in the system. The security control platform can receive a user demand, generate association information according to the user demand, and perform security control according to the association information. Security services are therefore provided according to the demands of different users, so that the security demands of individual users are met in a targeted way. At the same time, several users may exist on the same platform and may be placed on the same or different physical devices; because the association information is generated from the user demand, even data transmitted between devices in the same platform, or within one device in the platform, must satisfy the user demand. Security control is thus clearly no longer limited to the north-south traffic of the platform: east-west data flows inside the platform (i.e. between different physical or virtual devices in the platform) are also subject to security control, which can be used to defend against the DDoS attacks described above and improves security.
Description of the drawings
Fig. 1 is a structural diagram of a first security service system provided in an embodiment of the present invention;
Fig. 2 is a structural diagram of a second security service system provided in an embodiment of the present invention;
Fig. 3 is a flow diagram of a first method for providing security services provided in an embodiment of the present invention;
Fig. 4 is a flow diagram of a second method for providing security services provided in an embodiment of the present invention;
Fig. 5 is a flow diagram of a third method for providing security services provided in an embodiment of the present invention;
Fig. 6 is a schematic diagram of the forwarding of a data packet provided in an embodiment of the present invention.
Specific embodiment
The technical solution of the present invention is further elaborated below with reference to the drawings and specific embodiments.
As shown in Fig. 1, this embodiment provides a security service system, including:
A security resource pool 110, including security devices that provide security processing; where the security devices include virtual security devices that provide virtualized security functions and/or physical security devices that themselves provide security processing.
A security control platform 120, for receiving a user demand and generating, according to the user demand, the association information of a security service chain; where the association information includes at least one of attribute information, configuration information, policy information and metadata and is used to generate the security service chain; the security service chain includes a forwarding path, and the forwarding path passes through at least some of the security devices; the attribute information indicates the security features of the security service chain and/or the security functions it uses; the configuration information indicates the operating parameters with which the security service chain performs security control; the policy information is used to generate a flow classification policy and/or an encapsulation policy; the flow classification policy is used to classify services; the encapsulation policy is used to encapsulate data packets; and the metadata describes the data packets transmitted by the security service chain.
The security resource pool 110 of this embodiment can be made up of various security devices in the data center, such as an intrusion prevention system (Intrusion Prevention System, IPS), an intrusion detection system (Intrusion Detection System, IDS), a load balancing (Load Balance, LB) device, a web application firewall (Web Application Firewall, WAF) and a firewall; these security devices may be physical devices or virtual security devices with virtualized security functions. The security resource pool 110 may be one physical entity, or a logical or virtualized entity. The security devices may be deployed at different positions in the data center or deployed centrally, and are managed and configured uniformly by the security control platform 120.
The security control platform 120 receives the user demand; for example, it is connected to terminal devices and receives the user demand that the user sends through a terminal device. The security control platform 120 generates the association information of the security service chain according to the user demand (specifically, a user security demand in which the user indicates the security requirements of the service flows it subscribes to or generates). The association information of this embodiment is used to perform the corresponding security control on the service while its data packets are transmitted, and can be used to determine the security service chain. The security service chain includes at least a forwarding path, i.e. the path that the data packets of a service must take during transmission, for example which routing nodes they must pass through. The forwarding path of this embodiment passes through at least some of the security devices in the security resource pool 110, and those security devices may be physical security devices or virtualized virtual security devices.
In this way, the security service system of this embodiment can provide security services in a targeted way according to the user demand and meet the demands of different users for the security of the services they transmit. On the other hand, if the data packets of a service are transmitted between two users within one platform A, then even though the packets travel within the same platform (platform A) or even the same physical device (an entity device in platform A), they still pass through the corresponding security devices, because the security chain is generated from association information formulated according to the user demand. This guarantees the security of the data flow: not only north-south data flows are protected, but east-west traffic within the platform (i.e. the data packets just described) is protected as well, so the east-west DDoS attacks mentioned above are avoided and security is improved.
The purpose and/or definition of each item of information in the association information is explained further below.
The attributes of a security service chain are the security features or security functions the chain requires, for example that it must have firewall filtering, deep packet inspection (Deep Packet Inspection, DPI) detection and so on. The attribute information is the information describing the attributes of the security service chain.
The configuration of a security service chain is the security configuration of the security functions in the chain, for example that the firewall filtering checks Internet Protocol (IP) addresses, protocol port numbers and so on. The configuration information is the information describing the configuration of the security service chain.
The policies of a security service chain include the flow classification policy and the encapsulation policy of the chain. In this embodiment the policy information is the information describing the policies of the security service chain.
The flow classification policy generally specifies by which dimensions the corresponding service flows are classified; in short, it provides the basis on which services are classified into service flows. For example, classification can be based on the five-tuple, on one or more transport-layer ports, on information in the IP packet payload and so on, or on the result of a higher-layer application inspection.
The forwarding path: the path a flow takes when it is forwarded; it may indicate which communication nodes, or which class of communication nodes, the flow must pass through.
The metadata can be the information describing the data packets transmitted by the security service chain. Metadata, also called intermediary data or relay data, is data that describes data (data about data); it mainly describes the attributes (properties) of data and supports functions such as indicating storage location, historical data, resource lookup and file records. Besides being passed between service processing function nodes and the service classification function node to share information, metadata can also be passed between an external system and service processing function nodes. Metadata can be understood as a way of carrying information between service functions and the service classification function. Here a service processing function node may include a communication node and/or routing node that provides the data packets transmitted by the security service chain, and/or a communication node and/or routing node that performs specific function processing on those data packets.
In a specific implementation, the forwarding path can be represented in the form of a forwarding table. The forwarding table converts the forwarding path into a table that the service forwarding function node can recognize; because the forwarding path is represented by the forwarding table, the service forwarding function node can identify the forwarding path.
Service classification function node: this entity is responsible for selecting flows and service chains based on policy; when a data flow matches the policy of a service chain, the flow is steered into the processing path of that service chain.
Service forwarding function node: responsible for sending packets received from the network to service function nodes according to the service function chain encapsulation information. A packet processed by a service processing function node can still be sent back to the same service forwarding function node, which is then responsible for sending the packet back to the traditional network. Some service processing function nodes provide security devices such as firewalls and may discard the packet directly during classification processing; in that case the packet need not be sent back to the service forwarding function node.
Service processing function node: a functional entity that processes data packets according to specific function requirements; in this document it includes at least the virtualized security devices in the security resource pool.
As shown in Fig. 2, in some embodiments the system further includes:
A software defined network (SDN) controller 130, for receiving the association information, determining the forwarding path and/or generating the flow classification policy and/or the encapsulation policy according to the association information, and sending the forwarding path to a routing node and/or sending the flow classification policy to a service classification function node and/or sending the encapsulation policy to a service forwarding function node.
Specifically, on the one hand the SDN controller 130 can receive the association information from the security control platform 120 through the northbound interface and convert it into suitable flow table entries that are issued to the corresponding switches (one kind of routing node; in a specific implementation the routing nodes may also include routers, and may realize the service classification function node and/or the service forwarding function node). On the other hand, the SDN controller manages the routing nodes through the southbound interface.
In this embodiment the security control platform 120 manages the security devices in the security resource pool 110; after the SDN controller 130 is introduced, the management information with which the security control platform 120 manages the security devices in the security resource pool 110 can be issued to the security devices through the SDN controller 130. The management information may include management instructions and/or instruction parameters.
Of course, the security control platform 120 can also generate a management policy and send it to the SDN controller 130; the SDN controller 130 then receives the management policy, generates the management information according to it and issues that information to the security devices in order to manage them. In this embodiment the management of the security devices may include managing their operating state and maintaining them on failure; the operating state may include a working state, a non-working state and so on.
In some embodiments the SDN controller 130 is connected to the security control platform 120 through a northbound interface, and to the routing nodes, the service classification function node and the service forwarding function node through a southbound interface. This connection mode is easy to set up and highly compatible with the prior art: no special interface needs to be defined or developed for connecting the SDN controller 130 to the security control platform 120 or to the downstream devices of the SDN controller 130. The downstream devices here may include the routing nodes, the service classification function node and the service forwarding function node.
On the one hand the SDN controller 130 is connected to the security control platform 120 through the northbound interface, and on the other hand to the routing nodes through the southbound interface; it thus obtains the user demand through the northbound interface and sends various control information to the forwarding nodes through the southbound interface. The control information here may include the association information, the encapsulation policy, the flow classification policy and similar information.
In some embodiments the security control platform 120 is further configured to determine the forwarding path and/or generate the flow classification policy and/or the encapsulation policy according to the association information, and to send the forwarding path to a routing node and/or send the flow classification policy to a service classification function node and/or send the encapsulation policy to a service forwarding function node.
In this embodiment the security control platform 120 itself generates the flow classification policy, the encapsulation policy and the forwarding path and sends them to the corresponding communication nodes, thereby sharing the functions of the SDN controller 130 in the system and reducing its load; this avoids the congestion caused by a heavily loaded SDN controller 130 and the need for hardware upgrades or costly hardware.
In some embodiments the system further includes:
A management and orchestration (MANO) subsystem 140, connected to the security control platform 120, for creating the virtual security devices.
MANO is the abbreviation of Management and Orchestration (in Chinese, management and orchestration system); in the network function virtualization (Network Function Virtualization, NFV) framework it is the subsystem specifically responsible for managing and orchestrating virtualized network functions (Virtualized Network Function, VNF).
The MANO subsystem 140 mainly includes a network function virtualization orchestrator (Network Function Virtualization Orchestrator, NFVO), a virtualized network function manager (Virtualized Network Function Manager, VNFM) and a virtualized infrastructure manager (Virtualized Infrastructure Manager, VIM). The MANO subsystem can receive service requests from the security control platform 120 and create new virtualized security devices, such as a virtualized firewall (virtualized FireWall, vFW), for the security resource pool. For example, when the security control platform 120 finds that a new service flow has been introduced or a new user demand exists, a security device meeting that particular user's requirements must be provided; with the MANO subsystem 140 introduced in this embodiment, virtual security devices can be generated on the basis of the installed physical security devices or of the security processing functions provided by the existing physical security devices, which clearly realizes flexible configuration and adjustment of the security resources.
As shown in Fig. 3, this embodiment provides a method for providing security services, including:
Step S110: a security control platform receives a user demand;
Step S120: according to the user demand, the association information of a security service chain is generated; where the association information includes at least one of attribute information, configuration information, policy information and metadata and is used to generate the security service chain; the security service chain includes a forwarding path, and the forwarding path passes through at least some of the security devices that provide security processing; the security devices include virtual security devices that provide virtualized security functions and/or physical security devices that themselves provide security processing; the attribute information indicates the security features of the security service chain and/or the security functions it uses; the configuration information indicates the operating parameters with which the security service chain performs security control; the policy information is used to generate a flow classification policy and/or an encapsulation policy; the flow classification policy is used to classify services; the encapsulation policy is used to encapsulate data packets; and the metadata describes the data packets transmitted by the security service chain.
The method for providing security services provided in this embodiment can be a method applied to the security control platform. In this embodiment the security control platform can receive a user demand and finally generate the association information according to it. For example, the security control platform receives a processing request sent by a user terminal; the processing request may include various information describing the user demand. The association information is at least used to generate the security service chain of the corresponding service flow, so that the service security demands of different users are met and security demands are handled at user level. Compared with handling security demands at platform level, this also realizes security control between different service flows within the same platform, so that east-west DDoS attacks and the like can be defended against and/or monitored.
In some embodiments the method further includes:
The security control platform sends the association information to a software defined network (SDN) controller;
The SDN controller receives the association information, determines the forwarding path and/or generates the flow classification policy and/or the encapsulation policy according to the association information, and sends the forwarding path to a routing node and/or sends the flow classification policy to a service classification function node and/or sends the encapsulation policy to a service forwarding function node.
In this embodiment the SDN controller generates the flow classification policy and/or the encapsulation policy and the forwarding path. In a concrete implementation the SDN controller also obtains the metadata from the security control platform and sends it to the corresponding routing nodes, thereby realizing the transmission of data packets between the platform and the outside, or between functional entities of different types; the functional entities here may include service processing function nodes and service forwarding function nodes.
In some embodiments the SDN controller is connected to the security control platform through a northbound interface and to the routing nodes, the service classification function node and the service forwarding function node through a southbound interface. The specific connections may be as shown in Fig. 2.
In addition, the method may further include:
the security control platform determines the forward path and/or generates the flow classification policy and/or the encapsulation policy according to the association information, and sends the forward path to routing nodes;
sends the flow classification policy to the service classification function node and/or sends the encapsulation policy to the service forwarding function node.
In this embodiment the various policies and the forward path are generated and distributed by the security control platform itself, which avoids adding load to the SDN controller and reduces the data transmission or processing bottleneck the SDN controller would otherwise become.
In some embodiments the method further includes: a management and orchestration (MANO) subsystem creates the virtual security devices. The MANO subsystem can create virtual security devices flexibly and conveniently, so virtual security devices can be edited on demand according to the current service requirements, the operating status of the physical security devices and/or the device parameters of the physical security devices, realising user-level security control.
Several specific examples are given below in combination with the embodiments above:
Example one:
As shown in Fig. 4, this example provides a method for providing a security service, including:
Step 1: The security control platform receives the user's security demand. The security demand may be submitted by the user directly through the application programming interface (API) that the security control platform opens to users, or submitted by the user through a cloud security management platform, which then sends the user's security demand to the security control platform. After receiving the user's security demand, the security control platform has to convert it into concrete security functions and security policies. For example, if the user's security demand is DDoS monitoring for the virtual network rented by that user, the security control platform first checks whether the DDoS monitoring device resources (physical and virtual) in the secure resource pool are sufficient. If the DDoS monitoring device resources in the secure resource pool are insufficient, step 2 is performed; if they are sufficient, the security control platform converts the user's security demand into a security policy, for example: copy all traffic whose destination IP address is xx.xx.x.xxx and send the copy to DDoS monitoring device A for monitoring.
Step 2: The security control platform requests the MANO subsystem to instantiate virtual security device functions. Specifically, when the security control platform finds that the security functions the user needs are insufficient in the secure resource pool, it requests the NFVO in the MANO subsystem to instantiate the required security functions. After receiving the request, the NFVO instantiates the required security functions together with the VNFM and VIM according to the VNF instantiation procedure.
Step 3: Configure the security devices. This may include generating the attribute information, configuration information and policy information of the security service chain from the user's security demand, taking into account the operating status and device parameters of the security devices in the secure resource pool. This step may also require the security control platform to register the IP addresses of the security devices involved in the security service chain (virtualised security functions or physical security devices) on the SDN controller, so that the SDN controller can identify these security devices.
Step 4: The security control platform issues the attribute information, configuration information and policy information of the security service chain to the SDN controller.
Step 5: The SDN controller generates and issues the flow classification policy, the encapsulation policy and the forward path. Specifically, the SDN controller generates the flow classification policy, the forward path and the related metadata from the user's security service chain attribute information, configuration information and policy information, and issues them to the service classification function node and to the service processing function nodes (that is, the virtualised security functions in the secure resource pool). If a virtualised security function does not support SFC, an agent can be installed in front of it or inside it; the agent alone handles the SFC encapsulation information and metadata, and the virtualised security function performs security processing on the message according to the security policy configured by the security control platform.
After the above processing is complete, the service classification function node receives the user traffic forwarded by the switch and the SDN can process the corresponding user traffic in various ways. The processing flow may be as shown in Fig. 6 and may specifically include:
Step 21: The service processing function node classifies the flow and matches the service function path. Specifically, it classifies the flow according to the flow classification policy issued by the SDN controller, matches the corresponding forward path and determines the service function path (that is, the order of the virtualised security functions that this user's data needs to pass through).
Step 22: Encapsulate the message. The service classification function node encapsulates the data message according to the encapsulation policy, that is, it updates the message header, inserting header information that includes the forward path, and encapsulates the metadata and the service processing policy in the message. The SFC message formed after encapsulation is sent to service forwarder 1 (service forwarder 1 here can be the service forwarding function node mentioned above).
Step 23: Parse the message header and forward the message to the DDoS monitoring function entity. Service forwarder 1 parses the header of the SFC message and, according to the forward path, sends the SFC message to the service function, the DDoS monitoring function entity. The DDoS monitoring function entity here can be a virtualised DDoS function entity, which is one kind of the virtual security devices described above.
Step 24: The DDoS monitoring entity processes the message and returns it to service forwarder 1. The DDoS monitoring function entity processes the SFC message and then returns it to service forwarding function node 1. In this way the message has passed through the processing of security devices such as the DDoS monitoring entity, which ensures the security of the message that is subsequently forwarded.
Step 25: Service forwarder 1 forwards the message to service forwarder 2. After receiving the SFC-encapsulated message back, service forwarding function device 1 sends it to service forwarding function device 2 on the forward path according to the SFC message.
Step 26: Service forwarder 2 parses the message header and forwards the message to the IDS function entity. The IDS function entity here is a physical security device or a virtual security device that performs IDS security processing on the message. Step 26 may include: service forwarding function device 2 receives the message from service forwarding function device 1, finds from the SFC message header the service forwarding node where the next-hop service function is located, and delivers the message to the next-hop service processing function node, which in this example is the IDS function entity in Fig. 6. The IDS function entity here can be a virtualised IDS function entity.
Step 27: The IDS function entity processes the message and returns it to service forwarder 2. Specifically, the virtualised IDS function entity processes the SFC message and then sends it back to service forwarding function device 2.
Step 28: Service forwarder 2 decapsulates and forwards the message. Specifically, service forwarding function device 2 learns from the encapsulation information in the SFC message header that the message has completed the service processing path selected for it during flow classification, so it performs SFC decapsulation on the message and sends the message to the traditional network.
In the example above, the SFC encapsulation can also be replaced by encapsulation in the extension field of virtual extensible LAN (VxLAN). When encapsulating in the VxLAN extension field, a VXLAN tunnel endpoint (VTEP) has to be deployed; the encapsulation and decapsulation of the message are then performed by the VTEP, and no flow classification function has to be deployed.
Example two:
To reduce the impact on the SDN controller, this example lets the security control platform take over the control function of the service chain from the SDN controller; the SDN controller then only needs to forward traffic to the security service classification function. As shown in Fig. 5, this example provides a method for providing a security service, which may include:
Step 11: The security control platform receives the user's security demand.
Step 12: The security control platform requests the MANO subsystem to instantiate virtual security device functions.
Step 13: The security control platform issues the flow classification policy, the encapsulation policy and the metadata to the secure resource pool, so that the security devices in the secure resource pool can receive the flow classification policy, encapsulation policy and metadata and perform security processing. Specifically, besides configuring the security policies of the virtualised security function devices, the security control platform also acts as the control plane of the security service chain: according to the user's security demand it converts the relevant attribute information, configuration information and policy information of the security service chain into the flow classification policy, the forward path and the metadata, and issues them to the service classification function node, the service forwarding function nodes and the virtualised security functions.
Step 14: Issue the forward path to the SDN controller. The security control platform only needs to register on the SDN controller the IP address of the service classification function and the address of the switch it is connected to, and to issue to the SDN controller the forward path that steers user data onto the service classification function.
Step 15: The SDN controller generates and issues flow table entries. Specifically, the SDN controller directly generates flow table entries from the forward path and issues them to the relevant switches.
In the embodiments of the present invention, the forward path may include a forwarding policy indicating which kinds of devices have to be traversed, or it may be a concrete transmission path made up of the transmission paths between multiple devices.
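The data plane of Example one (steps 21 to 28) together with the demand-to-chain step of the security control platform, as an added Python model that is not part of the patent; node names, addresses, the DDoS threshold and the IDS signature are constructed, and in Example two the same classification and encapsulation policies would simply be issued by the security control platform instead of the SDN controller, leaving this data-plane logic unchanged:

```python
"""Toy model of the security service chain of Example one: a classifier wraps user
traffic in an SFC header (path, position, metadata), forwarders hand it to the
security functions on the path and the last one decapsulates. All values constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes

@dataclass
class SFCPacket:
    """Encapsulated message: service function path, next index, metadata."""
    path: List[str]
    index: int
    metadata: Dict[str, str]
    inner: Packet

class SecurityFunction:
    """Virtual or physical security device from the secure resource pool.
    The handler returns the packet to let it continue, or None to drop it."""
    def __init__(self, name, handler):
        self.name, self.handler = name, handler

    def process(self, pkt: SFCPacket) -> Optional[SFCPacket]:
        inner = self.handler(pkt.inner, pkt.metadata)
        return None if inner is None else SFCPacket(
            pkt.path, pkt.index + 1, pkt.metadata, inner)

class Classifier:
    """Service classification node (steps 21-22): the first rule whose
    destination prefix matches selects the path; the packet is then wrapped."""
    def __init__(self, rules: List[Tuple[str, List[str]]]) -> None:
        self.rules = [(ipaddress.ip_network(p), path) for p, path in rules]

    def encapsulate(self, pkt: Packet, tenant: str) -> Optional[SFCPacket]:
        dst = ipaddress.ip_address(pkt.dst)
        for net, path in self.rules:
            if dst in net:
                return SFCPacket(list(path), 0, {"tenant": tenant}, pkt)
        return None  # no chain applies: traffic stays on the normal path

class Forwarder:
    """Service forwarding node (steps 23-28): serves the functions attached
    to it, forwards along the path otherwise, decapsulates at the end."""
    def __init__(self, name, local, next_hop=None):
        self.name, self.local, self.next_hop = name, local, next_hop

    def handle(self, pkt: SFCPacket, trace: List[str]) -> Optional[Packet]:
        while pkt.index < len(pkt.path) and pkt.path[pkt.index] in self.local:
            fn = self.local[pkt.path[pkt.index]]
            trace.append(f"{self.name}->{fn.name}")
            nxt = fn.process(pkt)
            if nxt is None:
                trace.append(f"{fn.name} dropped")
                return None
            pkt = nxt
        if pkt.index == len(pkt.path):
            trace.append(f"{self.name} decapsulates")
            return pkt.inner
        if self.next_hop is None:
            raise RuntimeError(f"{self.name}: no route to {pkt.path[pkt.index]}")
        trace.append(f"{self.name}->{self.next_hop.name}")
        return self.next_hop.handle(pkt, trace)

# Constructed functions: the DDoS monitor only annotates, the IDS drops on a signature.
SEEN: Dict[str, int] = {}

def ddos_monitor(pkt: Packet, meta: Dict[str, str]) -> Packet:
    SEEN[pkt.src] = SEEN.get(pkt.src, 0) + 1
    meta["ddos"] = "flagged" if SEEN[pkt.src] > 3 else "ok"  # constructed threshold
    return pkt

def ids(pkt: Packet, meta: Dict[str, str]) -> Optional[Packet]:
    if b"MALICIOUS-SIGNATURE" in pkt.payload:  # constructed signature
        meta["ids"] = "dropped"
        return None
    meta["ids"] = "clean"
    return pkt

def build_chain(demand: dict, pool: Dict[str, SecurityFunction]):
    """Step 1: turn the user's demand into a classification rule, or report the
    functions missing from the pool (which MANO would instantiate in step 2)."""
    missing = [f for f in demand["functions"] if f not in pool]
    rule = None if missing else (demand["network"], list(demand["functions"]))
    return rule, missing

def send(payload: bytes) -> Tuple[Optional[Packet], Dict[str, str], List[str]]:
    """Wire Fig. 6 (classifier -> fwd1/DDoS -> fwd2/IDS) and push one packet."""
    pool = {"ddos": SecurityFunction("ddos", ddos_monitor), "ids": SecurityFunction("ids", ids)}
    rule, _ = build_chain({"network": "10.1.0.0/16", "functions": ["ddos", "ids"]}, pool)
    fwd2 = Forwarder("fwd2", {"ids": pool["ids"]})
    fwd1 = Forwarder("fwd1", {"ddos": pool["ddos"]}, next_hop=fwd2)
    sfc = Classifier([rule]).encapsulate(Packet("198.51.100.7", "10.1.2.3", payload), "tenantA")
    trace: List[str] = []
    return fwd1.handle(sfc, trace), sfc.metadata, trace
```

The returned trace records each hop of Fig. 6, and the metadata dict shows what each security function wrote into the chain metadata before decapsulation or drop.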
In the embodiments provided in this application, it should be understood that the disclosed device and method can be implemented in other ways. The device embodiments described above are only illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be an indirect coupling or communication connection through interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional units in the embodiments of the present invention may all be integrated into one processing module, each unit may be a separate unit, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional units.
Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments above can be performed by hardware under the control of program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above. The storage medium includes: a removable storage device, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc or any other medium that can store program code.
The above are only specific embodiments of the present invention, but the scope of protection of the present invention is not limited to them; any change or replacement that a person familiar with the art can readily conceive within the technical scope disclosed by the present invention falls within the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be determined by the scope of protection of the claims.
Claims (10)
1. A security service system, characterised by including:
a secure resource pool, including security devices that provide security processing, wherein the security devices include virtual security devices that provide virtualised security functions and/or physical security devices that themselves provide security processing;
a security control platform, for receiving a user demand and generating association information of a security service chain according to the user demand; wherein the association information includes at least one of attribute information, configuration information, policy information and metadata, and is used to generate the security service chain; wherein the security service chain includes a forward path, and the forward path passes through at least some of the security devices; the attribute information indicates the security features of the security service chain and/or the security functions used; the configuration information indicates the operating parameters with which the security service chain performs security control; the policy information is used to generate a flow classification policy and/or an encapsulation policy; the flow classification policy is used to classify services; the encapsulation policy is used to encapsulate data packets; and the metadata describes the data packets transmitted over the security service chain.
2. The system according to claim 1, characterised in that the system further includes:
a software-defined networking (SDN) controller, for receiving the association information, determining the forward path and/or generating the flow classification policy and/or the encapsulation policy according to the association information, and sending the forward path to routing nodes and/or sending the flow classification policy to a service classification function node and/or sending the encapsulation policy to a service forwarding function node.
3. The system according to claim 2, characterised in that the SDN controller is connected to the security control platform through a northbound interface and to the routing nodes, the service classification function node and the service forwarding function node through a southbound interface.
4. The system according to claim 1, characterised in that the security control platform is further used to determine the forward path and/or generate the flow classification policy and/or the encapsulation policy according to the association information, and to send the forward path to routing nodes and/or send the flow classification policy to a service classification function node and/or send the encapsulation policy to a service forwarding function node.
5. The system according to any one of claims 1 to 4, characterised in that the system further includes:
a management and orchestration (MANO) subsystem, connected to the security control platform, for creating the virtual security devices.
6. A method for providing a security service, characterised by including:
a security control platform receives a user demand;
according to the user demand, it generates association information of a security service chain; wherein the association information includes at least one of attribute information, configuration information, policy information and metadata, and is used to generate the security service chain; wherein the security service chain includes a forward path, and the forward path passes through at least some of the security devices that provide security processing; the security devices include virtual security devices that provide virtualised security functions and/or physical security devices that themselves provide security processing; the attribute information indicates the security features of the security service chain and/or the security functions used; the configuration information indicates the operating parameters with which the security service chain performs security control; the policy information is used to generate a flow classification policy and/or an encapsulation policy; the flow classification policy is used to classify services; the encapsulation policy is used to encapsulate data packets; and the metadata describes the data packets transmitted over the security service chain.
7. The method according to claim 6, characterised in that the method further includes:
the security control platform sends the association information to a software-defined networking (SDN) controller;
the SDN controller receives the association information, determines the forward path and/or generates the flow classification policy and/or the encapsulation policy according to the association information, and sends the forward path to routing nodes and/or sends the flow classification policy to a service classification function node and/or sends the encapsulation policy to a service forwarding function node.
8. The method according to claim 7, characterised in that the SDN controller is connected to the security control platform through a northbound interface and to the routing nodes, the service classification function node and the service forwarding function node through a southbound interface.
9. The method according to claim 6, characterised in that the method further includes:
the security control platform determines the forward path and/or generates the flow classification policy and/or the encapsulation policy according to the association information, and sends the forward path to routing nodes;
sends the flow classification policy to a service classification function node and/or sends the encapsulation policy to a service forwarding function node.
10. The method according to any one of claims 6 to 9, characterised in that the method further includes:
a management and orchestration (MANO) subsystem creates the virtual security devices.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611028861.6A CN108092934A (en) | 2016-11-21 | 2016-11-21 | Safety service system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108092934A true CN108092934A (en) | 2018-05-29 |
Family
ID=62169419
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20180529 |