CN108092934A - Safety service system and method - Google Patents


Info

Publication number: CN108092934A
Authority: CN (China)
Prior art keywords: safety, business, security, node, information
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Application number: CN201611028861.6A
Other languages: Chinese (zh)
Inventors: 庄小君, 左敏
Current assignee (as listed by Google Patents): China Mobile Communications Group Co Ltd; China Mobile Communications Co Ltd
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An embodiment of the present invention discloses a security service system and method. The system comprises: a security resource pool, containing security devices that provide security processing, where the security devices include virtual security devices that provide virtualized security functions and/or physical security devices that themselves provide security processing; and a security control platform, for receiving a user demand and generating, according to that user demand, the association information of a security service chain. Because the embodiment introduces a security control platform that generates the association information of the security service chain from the user demand and applies security control to the corresponding service through that information, the data transmitted along the security service chain pass through the security devices of the security resource pool, and service security control at the level of the individual user is realized.

Description

Safety service system and method
Technical field
The present invention relates to security technology in the field of information technology, and in particular to a security service system and method.
Background technology
A data center is used for centralized storage of data and is formed of one or more databases storing that data. To achieve traffic control and security management of the data, a software defined network (Software Defined Network, SDN) controller can be deployed to schedule and centrally manage traffic; a virtualized security control platform or another network function virtualization (Network Function Virtualization, NFV) entity can also be deployed to perform security control.
In practice, however, the security control of the database by existing security control platforms has been found to have at least one of the following problems:
1) Some security functions only provide security services for north-south traffic. For example, distributed denial of service (Distributed Denial of Service, DDoS) protection is deployed at the data center entrance and only provides DDoS protection for the north-south traffic of the equipment a user rents; there is no detection of or protection against internal DDoS attacks on the virtual machines the user rents, that is, east-west traffic within the data center is neither detected nor protected.
2) There is no interaction between the SDN and NFV entities and the security control platform, so traffic handling and security control are rigid and inflexible.
3) The individual security demands of users cannot be met.
The content of the invention
In view of this, an embodiment of the present invention aims to provide a security service system and method that can at least be used to solve one of the above problems.
To achieve the above objective, the technical solution of the invention is realized as follows:
A first aspect of the embodiment of the present invention provides a security service system, including:
a security resource pool, including security devices that provide security processing; where the security devices include virtual security devices that provide virtualized security functions and/or physical security devices that themselves provide security processing; and
a security control platform, for receiving a user demand and generating, according to the user demand, the association information of a security service chain; where the association information includes at least one of attribute information, configuration information, policy information and metadata, and is used to generate the security service chain; where the security service chain includes a forwarding path, and the forwarding path passes through at least some of the security devices; the attribute information indicates the security features of the security service chain and/or the security functions it uses; the configuration information indicates the operating parameters with which the security service chain performs security control; the policy information is used to generate a flow classification policy and/or an encapsulation policy; the flow classification policy is used to classify services; the encapsulation policy is used to encapsulate data packets; and the metadata describes the data packets transmitted by the security service chain.
Based on the above scheme, the system further includes:
a software defined network (SDN) controller, for receiving the association information, determining the forwarding path and/or generating the flow classification policy and/or the encapsulation policy according to the association information, and sending the forwarding path to a routing node and/or sending the flow classification policy to a service classification function node and/or sending the encapsulation policy to a service forwarding function node.
Based on the above scheme, the SDN controller is connected to the security control platform through a northbound interface, and to the routing node, the service classification function node and the service forwarding function node through a southbound interface.
Based on the above scheme, the security control platform is further used to determine the forwarding path and/or generate the flow classification policy and/or the encapsulation policy according to the association information, and to send the forwarding path to the routing node and/or send the flow classification policy to the service classification function node and/or send the encapsulation policy to the service forwarding function node.
Based on the above scheme, the system further includes:
a management and orchestration (MANO) subsystem, connected to the security control platform, for creating the virtual security devices.
A second aspect of the embodiment of the present invention provides a method for providing a security service, including:
a security control platform receives a user demand;
according to the user demand, the association information of a security service chain is generated; where the association information includes at least one of attribute information, configuration information, policy information and metadata, and is used to generate the security service chain; where the security service chain includes a forwarding path, and the forwarding path passes through at least some of the security devices that provide security processing; the security devices include virtual security devices that provide virtualized security functions and/or physical security devices that themselves provide security processing; the attribute information indicates the security features of the security service chain and/or the security functions it uses; the configuration information indicates the operating parameters with which the security service chain performs security control; the policy information is used to generate a flow classification policy and/or an encapsulation policy; the flow classification policy is used to classify services; the encapsulation policy is used to encapsulate data packets; and the metadata describes the data packets transmitted by the security service chain.
Based on the above scheme, the method further includes:
the security control platform sends the association information to a software defined network (SDN) controller;
the SDN controller receives the association information, determines the forwarding path and/or generates the flow classification policy and/or the encapsulation policy according to the association information, and sends the forwarding path to a routing node and/or sends the flow classification policy to a service classification function node and/or sends the encapsulation policy to a service forwarding function node.
Based on the above scheme, the SDN controller is connected to the security control platform through a northbound interface, and to the routing node, the service classification function node and the service forwarding function node through a southbound interface.
Based on the above scheme, the method further includes:
the security control platform determines the forwarding path and/or generates the flow classification policy and/or the encapsulation policy according to the association information, and sends the forwarding path to a routing node;
and/or sends the flow classification policy to a service classification function node and/or sends the encapsulation policy to a service forwarding function node.
Based on the above scheme, the method further includes:
a management and orchestration (MANO) subsystem creates the virtual security devices.
In the security service system and method provided by the embodiment of the present invention, a security control platform is created in the system. The security control platform can receive a user demand, generate association information according to that demand, and perform security control according to the association information, so that security services are provided according to the demands of different users and each user's security demand is met in a targeted way. At the same time, multiple users may exist on the same platform and may be placed on the same or different physical devices; because the association information is generated from the user demand, data transmitted between devices in the same platform, or even within a single device of that platform, must still satisfy the user demand. Security control is therefore no longer limited to the north-south traffic of the platform: east-west data flows within the platform (that is, between different physical or virtual devices in the platform) are also subject to security control, which can be used to defend against the DDoS attacks described above and improves security.
Description of the drawings
Fig. 1 is a structural diagram of a first security service system provided by an embodiment of the present invention;
Fig. 2 is a structural diagram of a second security service system provided by an embodiment of the present invention;
Fig. 3 is a flow diagram of a first method for providing a security service provided by an embodiment of the present invention;
Fig. 4 is a flow diagram of a second method for providing a security service provided by an embodiment of the present invention;
Fig. 5 is a flow diagram of a third method for providing a security service provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of the forwarding of a data packet provided by an embodiment of the present invention.
Specific embodiment
The technical solution is further elaborated below with reference to the drawings and specific embodiments.
As shown in Fig. 1, the present embodiment provides a security service system, including:
a security resource pool 110, including security devices that provide security processing; where the security devices include virtual security devices that provide virtualized security functions and/or physical security devices that themselves provide security processing; and
a security control platform 120, for receiving a user demand and generating, according to the user demand, the association information of a security service chain; where the association information includes at least one of attribute information, configuration information, policy information and metadata, and is used to generate the security service chain; where the security service chain includes a forwarding path, and the forwarding path passes through at least some of the security devices; the attribute information indicates the security features of the security service chain and/or the security functions it uses; the configuration information indicates the operating parameters with which the security service chain performs security control; the policy information is used to generate a flow classification policy and/or an encapsulation policy; the flow classification policy is used to classify services; the encapsulation policy is used to encapsulate data packets; and the metadata describes the data packets transmitted by the security service chain.
The security resource pool 110 in this embodiment can be made up of a variety of security devices in the data center, such as an intrusion prevention system (Intrusion Prevention System, IPS), an intrusion detection system (Intrusion Detection System, IDS), a load balancing (Load Balance, LB) device, a web application firewall (Web Application Firewall, WAF) and a firewall. These security devices can be physical devices or virtual security devices that provide virtualized security functions. The security resource pool 110 can be a physical entity, or a logical or virtualized entity. The security devices can be deployed at different locations in the data center or in a concentrated deployment, and are uniformly managed and configured by the security control platform 120.
The security control platform 120 receives the user demand, for example by being connected to a terminal device and receiving the user demand that the user sends through that terminal device. The security control platform 120 generates the association information of the security service chain according to the user demand (specifically, the user security demand that the user indicates for the service flows it subscribes to or generates). In this embodiment the association information is used to perform the corresponding security control of the service during the transmission of its data packets, and can be used to determine the security service chain. The security service chain here includes at least a forwarding path, that is, the path that the data packets of a service must traverse during transmission, for example which routing nodes they must pass through. The forwarding path in this embodiment passes through at least some of the security devices in the security resource pool 110; the security devices along the forwarding path can be physical security devices or virtualized security devices.
In this way, with the security service system of this embodiment, security services can be provided in a targeted manner according to user demand, meeting the requirements of different users for the security of the services they transmit. Moreover, if the data packets of a service are transmitted between two users within one platform A, then even though those packets travel within the same platform (platform A) or even the same physical device (an entity device in platform A), the security chain is generated from association information formulated according to the user demand, so the packets still pass through the corresponding security devices to ensure the security of the data flow. This not only achieves security assurance for north-south data flows; east-west traffic within the platform (that is, the data packets described above) also obtains security assurance, avoiding the east-west DDoS attacks inside the platform mentioned earlier and improving security.
The purpose and/or definition of each item of information in the association information is explained below.
The attributes of the security service chain are the security features or security functions required of the chain, for example a requirement for firewall filtering or a deep packet inspection (Deep Packet Inspection, DPI) function. The attribute information is the information describing the attributes of the security service chain.
The configuration of the security service chain consists of the security configurations of the security functions in the chain; for example, firewall filtering checks Internet Protocol (IP) addresses, protocol port numbers and so on. The configuration information is the information describing the configuration of the security service chain.
The policies of the security service chain include the flow classification policy and the encapsulation policy of the chain. In this embodiment the policy information is the information describing the policies of the security service chain.
The flow classification policy generally indicates the dimensions along which the corresponding service flows are classified; in short, it is the information that provides the basis for classifying service flows. For example, flows can be classified according to the five-tuple, information in one or more transport-layer ports, the IP packet payload and so on, or according to the result of higher-layer application inspection.
The forwarding path is the path a flow traverses when it is forwarded, and may be used to indicate which communication nodes, or which type of communication node, it must pass through.
The metadata can be the information describing the data packets transmitted by the security service chain. Metadata, also called intermediary or relay data, is data about data: it mainly describes the attributes (properties) of data and supports functions such as indicating storage location, historical data, resource lookup and file recording. Besides sharing information between the service processing function nodes and the service classification function node, the metadata can also be used to transfer data between an external system and a service processing function node. Metadata can thus be understood as a way of carrying information between service functions and the service classification function. The service processing function nodes here may include the communication nodes and/or routing nodes that provide the transmission of the data packets of the security service chain, and/or the communication nodes and/or routing nodes that apply specific function processing to those packets.
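The control-plane step described above, as an added example that is not the patent's own code: a user demand is turned into the four items of association information and a forwarding path through the security resource pool, with a stand-in MANO instantiating a virtual device when no device in the pool provides a required function. The device names, the demand layout, the field names and the default parameters are assumptions.

```python
"""Toy model of the security control platform's control-plane step: a user
demand becomes the association information (attribute, configuration,
policy, metadata) plus a forwarding path through the security resource pool.
Added example, not the patent's own code; device names, the demand layout
and the field names are assumptions."""
from dataclasses import dataclass

# Default operating parameters per security function (assumed values).
DEFAULT_CONFIG = {
    "FW": {"check": ["ip", "port"]},
    "IPS": {"signatures": ["EXAMPLE-SIG"]},
    "DPI": {"inspect_payload": True},
}


@dataclass(frozen=True)
class SecurityDevice:
    name: str
    functions: frozenset   # security functions the device provides
    virtual: bool          # virtual security device vs. physical appliance


class ResourcePool:
    """Security resource pool: physical and virtual security devices."""
    def __init__(self, devices):
        self.devices = list(devices)

    def find(self, function):
        """First device providing `function`, preferring physical devices."""
        for dev in sorted(self.devices, key=lambda d: d.virtual):
            if function in dev.functions:
                return dev
        return None


class Mano:
    """Stand-in for the MANO subsystem: instantiates a virtual security
    device (e.g. a vFW) when the pool has no device for a function."""
    def __init__(self):
        self.created = []

    def create_vnf(self, function):
        dev = SecurityDevice(f"v{function}-{len(self.created) + 1}",
                             frozenset({function}), virtual=True)
        self.created.append(dev)
        return dev


def build_association_info(demand, pool, mano):
    """Generate the association information for one user demand.

    demand layout (assumed): {"tenant", "src_vm", "dst_vm",
                              "features": [...], "allowed_ports": [...]}
    """
    features = list(demand["features"])
    # Attribute information: security features / functions the chain needs.
    attribute = {"tenant": demand["tenant"], "functions": features}
    # Configuration information: operating parameters for each function,
    # e.g. the ports the firewall filtering lets through.
    config = {fn: dict(DEFAULT_CONFIG.get(fn, {})) for fn in features}
    if "FW" in config:
        config["FW"]["allowed_ports"] = list(demand["allowed_ports"])
    # Policy information: five-tuple flow classification plus encapsulation.
    chain_id = f"{demand['tenant']}-chain"
    policy = {
        "flow_classification": {"match": "five_tuple",
                                "src_ip": demand["src_vm"],
                                "dst_ip": demand["dst_vm"],
                                "proto": "tcp", "dst_ports": "any"},
        "encapsulation": {"header": "chain_id", "chain_id": chain_id},
    }
    # Forwarding path: one device per required function.  A function that no
    # device in the pool provides is requested from MANO as a new VNF.
    path = []
    for fn in features:
        dev = pool.find(fn)
        if dev is None:
            dev = mano.create_vnf(fn)
            pool.devices.append(dev)
        path.append(dev.name)
    # Metadata: describes the packets carried along the chain.
    metadata = {"chain_id": chain_id, "hops": len(path),
                "tenant": demand["tenant"]}
    return {"attribute": attribute, "configuration": config,
            "policy": policy, "metadata": metadata, "forward_path": path}


def demo():
    """East-west case: both VMs sit in the same platform, yet the path still
    traverses every security function the tenant asked for."""
    pool = ResourcePool([
        SecurityDevice("fw-phys-1", frozenset({"FW"}), virtual=False),
        SecurityDevice("ips-v-1", frozenset({"IPS", "IDS"}), virtual=True),
    ])
    mano = Mano()
    demand = {"tenant": "tenantA", "src_vm": "10.0.1.10",
              "dst_vm": "10.0.1.20", "features": ["FW", "IPS", "DPI"],
              "allowed_ports": [443]}
    return build_association_info(demand, pool, mano), mano


if __name__ == "__main__":
    info, _ = demo()
    print(info["forward_path"])
```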
In a specific implementation, the forwarding path can be represented in the form of a forwarding table. The forwarding table converts the forwarding path into a form that the service forwarding function node can recognize, so that the forwarding path is expressed by the forwarding table and the service forwarding function node can identify it.
Service classification function node: this entity is responsible for selecting flows and service chains according to policy; when a data flow matches the policy of a service chain, the flow is directed into the processing path of that service chain, thereby handling the flow.
Service forwarding function node: it is responsible for sending the packets received from the network to the service function nodes according to the service function chain encapsulation information. A packet processed by a service processing function node can still be sent back to the same service forwarding function node, which is then responsible for sending the packet back to the conventional network. Some service processing function nodes provide security devices, for example a firewall, which may directly discard the packet during classification processing, in which case it does not need to be sent back to the service forwarding function node.
Service processing function node: a functional entity that processes data packets according to specific function requirements; in this document it includes at least the virtualized security devices in the security resource pool.
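The three node types just defined, as an added data-plane example that is not the patent's own code: the classification node matches a packet's five-tuple against the flow classification policy, the forwarding node encapsulates it and walks the forwarding table, and each service processing function node either returns the packet or discards it (so a firewall drop never comes back to the forwarding node). The policy layout, node names, packet fields and the detection signature are constructed assumptions.

```python
"""Toy data-plane model of the service classification function node, the
service forwarding function node and two service processing function nodes
(firewall, IPS).  Added example, not the patent's own code; the policy
layout, node names, packet fields and the signature are constructed."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    payload: bytes
    header: dict = field(default_factory=dict)  # chain encapsulation + metadata


def classify(packet, policies):
    """Service classification function node: the first matching five-tuple
    rule selects the chain; None means the packet stays on the plain network."""
    for chain_id, rule in policies.items():
        if (rule["src_ip"] == packet.src_ip and rule["dst_ip"] == packet.dst_ip
                and rule["proto"] == packet.proto
                and (rule["dst_ports"] is None
                     or packet.dst_port in rule["dst_ports"])):
            return chain_id
    return None


def firewall(packet, cfg):
    """Firewall filtering on IP address and port; None means discarded."""
    if (packet.dst_ip not in cfg["allowed_dst"]
            or packet.dst_port not in cfg["allowed_ports"]):
        return None
    return packet


def ips(packet, cfg):
    """Intrusion prevention: inspect the payload for configured signatures
    and record the check in the metadata carried by the chain header."""
    if any(sig in packet.payload for sig in cfg["signatures"]):
        return None
    packet.header.setdefault("metadata", {})["ips_checked"] = True
    return packet


SERVICE_FUNCTIONS = {"FW": firewall, "IPS": ips}


def forward(packet, chain_id, forwarding_table, configs):
    """Service forwarding function node: encapsulate, hand the packet to each
    node listed in the forwarding table, then decapsulate for delivery."""
    if chain_id is None:
        return "no_chain", []
    packet.header["chain_id"] = chain_id
    visited = []
    for index, (node_name, function) in enumerate(forwarding_table[chain_id], 1):
        packet.header["index"] = index   # position in the chain, as metadata
        visited.append(node_name)
        packet = SERVICE_FUNCTIONS[function](packet, configs[function])
        if packet is None:               # discarded in the chain, never returned
            return "dropped_at_" + node_name, visited
    packet.header.clear()                # decapsulate before the destination
    return "delivered", visited


# Constructed control-plane state for one tenant whose two VMs sit in the
# same platform: east-west traffic between them is still chained.
POLICIES = {"tenantA-chain": {"src_ip": "10.0.1.10", "dst_ip": "10.0.1.20",
                               "proto": "tcp", "dst_ports": None}}
FORWARDING_TABLE = {"tenantA-chain": [("fw-phys-1", "FW"), ("ips-v-1", "IPS")]}
CONFIGS = {"FW": {"allowed_dst": {"10.0.1.20"}, "allowed_ports": {443}},
           "IPS": {"signatures": [b"EXAMPLE-SIG"]}}


def process(packet):
    """Run one packet through classification and the selected chain."""
    chain_id = classify(packet, POLICIES)
    return forward(packet, chain_id, FORWARDING_TABLE, CONFIGS)


if __name__ == "__main__":
    print(process(Packet("10.0.1.10", "10.0.1.20", 40000, 443, "tcp", b"GET /")))
```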
As shown in Fig. 2, in some embodiments the system further includes:
a software defined network (SDN) controller 130, for receiving the association information, determining the forwarding path and/or generating the flow classification policy and/or the encapsulation policy according to the association information, and sending the forwarding path to a routing node and/or sending the flow classification policy to a service classification function node and/or sending the encapsulation policy to a service forwarding function node.
Specifically, on the one hand the SDN controller 130 can receive the association information from the security control platform 120 through its northbound interface, convert the association information into suitable flow table entries and issue them to the corresponding switches (one kind of routing node; in a specific implementation the routing nodes may also include routers and may implement the service classification function node and/or the service forwarding function node). On the other hand, the SDN controller manages the routing nodes through its southbound interface.
In this embodiment the security control platform 120 manages the security devices in the security resource pool 110; after the SDN controller 130 is introduced, the management information with which the security control platform 120 manages the security devices in the security resource pool 110 can be issued to the security devices through the SDN controller 130. The management information may include management instructions and/or command parameters.
Of course, the security control platform 120 can be used to generate a management policy and send it to the SDN controller 130; the SDN controller 130 then receives the management policy, generates the management information according to it and issues that information to the security devices, so as to realize the management of the security devices. In this embodiment the management of a security device may include managing its operating status and maintaining it in case of failure. The operating status may include a working state and a non-working state.
In some embodiments the SDN controller 130 is connected to the security control platform 120 through a northbound interface, and to the routing node, the service classification function node and the service forwarding function node through a southbound interface. This connection mode is easy to set up and highly compatible with the prior art: no special interface needs to be defined or developed for the connection between the SDN controller 130 and the security control platform 120, or between the SDN controller 130 and its upstream devices. The upstream devices here may include the routing node, the service classification function node and the service forwarding function node.
On the one hand the SDN controller 130 is connected to the security control platform 120 through the northbound interface, and on the other hand to the routing nodes through the southbound interface, so that it obtains the user demand through the northbound interface and sends various control information to the forwarding nodes through the southbound interface; the control information here may include the association information, the encapsulation policy, the flow classification policy and other information.
In some embodiments the security control platform 120 is further used to determine the forwarding path and/or generate the flow classification policy and/or the encapsulation policy according to the association information, and to send the forwarding path to the routing node and/or send the flow classification policy to the service classification function node and/or send the encapsulation policy to the service forwarding function node.
In this embodiment the security control platform 120 itself performs the generation of the flow classification policy, the encapsulation policy and the forwarding path and sends them to the corresponding communication nodes, thereby sharing the functions of the SDN controller 130 in the system. This reduces the load of the SDN controller 130 and avoids the congestion caused by an overloaded SDN controller 130, or the need for hardware upgrades and the resulting high hardware cost.
In some embodiments the system further includes:
a management and orchestration (MANO) subsystem 140, connected to the security control platform 120, for creating the virtual security devices.
MANO is the abbreviation of Management and Orchestration, that is, the management and orchestration system; in the network function virtualization (Network Function Virtualization, NFV) architecture it is the subsystem specifically responsible for managing and orchestrating virtualized network functions (Virtualized Network Function, VNF).
The MANO subsystem 140 mainly comprises the network function virtualization orchestrator (Network Function Virtualization Orchestrator, NFVO), the virtualized network function manager (Virtualized Network Function Manager, VNFM) and the virtualized infrastructure manager (Virtualized Infrastructure Manager, VIM). The MANO subsystem can receive a service request from the security control platform 120 and create a new virtualized security device, such as a virtualized firewall (virtualized FireWall, vFW), for the security resource pool. For example, when the security control platform 120 finds that a new service flow is introduced or a new user demand arises, so that a security device meeting the particular user's requirements must be provisioned, the introduction of the MANO subsystem 140 in this embodiment makes it possible to generate a virtual security device on the basis of the installed physical security devices or the security processing functions provided by the existing physical security devices, clearly achieving flexible configuration and adjustment of the security resources.
As shown in Fig. 3, the present embodiment provides a method for providing a security service, including:
Step S110: a security control platform receives a user demand;
Step S120: according to the user demand, the association information of a security service chain is generated; where the association information includes at least one of attribute information, configuration information, policy information and metadata, and is used to generate the security service chain; where the security service chain includes a forwarding path, and the forwarding path passes through at least some of the security devices that provide security processing; the security devices include virtual security devices that provide virtualized security functions and/or physical security devices that themselves provide security processing; the attribute information indicates the security features of the security service chain and/or the security functions it uses; the configuration information indicates the operating parameters with which the security service chain performs security control; the policy information is used to generate a flow classification policy and/or an encapsulation policy; the flow classification policy is used to classify services; the encapsulation policy is used to encapsulate data packets; and the metadata describes the data packets transmitted by the security service chain.
The method for providing a security service provided in this embodiment can be a method applied to the security control platform. In this embodiment the security control platform can receive the user demand and finally generate the association information according to it. For example, the security control platform receives a processing request sent by a user terminal; the processing request may include various items of information describing the user demand. The association information is at least used to generate the security service chain of the corresponding service flow, so that the service security demands of different users are met and security demands are handled at the level of the individual user. In this way, compared with handling security demands at the platform level, security control between different service flows within the same platform can also be realized, thereby achieving defense against and/or monitoring of east-west DDoS attacks.
In some embodiments the method further includes:
the security control platform sends the association information to a software-defined network (SDN) controller;
the SDN controller receives the association information, determines the forwarding path and/or generates the flow classification policy and/or the encapsulation policy according to it, and sends the forwarding path to a routing node and/or sends the flow classification policy to a service classification function node and/or sends the encapsulation policy to a service forwarding function node.
In this embodiment the SDN controller generates the flow classification policy and/or the encapsulation policy and the forwarding path. In a concrete implementation the SDN controller also obtains the metadata from the security control platform and sends it to the corresponding routing node, so that data packets can be transmitted between the platform and the outside, or between functional entities of different types; the functional entities here may include service processing function nodes and service forwarding function nodes.
In some embodiments the SDN controller is connected to the security control platform through a northbound interface, and to the routing node, the service classification function node and the service forwarding function node through a southbound interface. The specific connections may be as shown in Fig. 2.
In addition, the method further includes:
the security control platform determines the forwarding path and/or generates the flow classification policy and/or the encapsulation policy according to the association information, and sends the forwarding path to the routing node;
it sends the flow classification policy to the service classification function node and/or sends the encapsulation policy to the service forwarding function node.
In this embodiment the policies and the forwarding path are generated and distributed by the security control platform itself, which avoids adding load to the SDN controller and reduces data transmission or processing bottlenecks at the SDN controller.
In some embodiments the method further includes: a management and orchestration (MANO) subsystem creates the virtual security devices. The MANO subsystem can create virtual security devices flexibly and conveniently, so the virtual security devices can be adjusted to the current service demand, to the operating status of the physical security devices and/or to the device parameters of the physical security devices, which achieves security control at user level.
Several specific examples are given below in connection with the above embodiments.
Example one:
As shown in Fig. 4, this example provides a method for providing a security service, including:
Step 1: The security control platform receives the user's security demand. The security demand may be submitted by the user directly through an application programming interface (API) that the security control platform opens to users, or submitted by the user through a cloud security management platform, which then forwards the user's security demand to the security control platform. After receiving the user's security demand, the security control platform must convert it into specific security functions and security policies. For example, if the user's security demand is DDoS monitoring for the virtual network the user rents, the security control platform first checks whether the DDoS monitoring device resources (physical and virtual) in the security resource pool are sufficient. If the DDoS monitoring device resources in the security resource pool are insufficient, step 2 is performed; if they are sufficient, the security control platform converts the user's security demand into a security policy, for example: copy all traffic whose destination IP address is xx.xx.x.xxx and send the copy to DDoS monitoring device A for monitoring.
Step 2: The security control platform requests the MANO subsystem to instantiate a virtual security device function. Specifically, when the security control platform finds that the security function the user needs is insufficient in the security resource pool, it asks the NFVO in the MANO subsystem to instantiate the required security function. After receiving the request, the NFVO, together with the VNFM and the VIM, instantiates the required security function following the VNF instantiation procedure.
Step 3: Configure the security devices. This may include generating the attribute information, configuration information and policy information of the security service chain from the operating status and device parameters of the security devices in the security resource pool, combined with the user's security demand. This step may also include the security control platform registering the IP addresses of the security devices involved in the security service chain (virtualized security functions or physical security devices) with the SDN controller, so that the SDN controller can identify these security devices.
Step 4: The security control platform sends the attribute information, configuration information and policy information of the security service chain to the SDN controller.
Step 5: The SDN controller generates and distributes the flow classification policy, the encapsulation policy and the forwarding path. Specifically, the SDN controller generates the flow classification policy, the forwarding path and the related metadata from the user's security service chain attribute information, configuration information and policy information, and sends them to the service classification function node and the service processing function nodes (that is, the virtualized security functions in the security resource pool). If a virtualized security function does not support SFC, an agent can be installed in front of it: the agent handles the SFC-related encapsulation information and metadata, and the virtualized security function only needs to perform security processing on the packet according to the security policy configured by the security control platform.
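Steps 1 to 5 modelled in Python, as an added illustration that is not the patent's own code: the security control platform checks the security resource pool for each requested function, asks a stand-in MANO subsystem to instantiate a VNF when no usable device exists, registers the chosen devices with a stand-in SDN controller, and the controller derives the flow classification policy, forwarding path and encapsulation policy from the association information. The class names, dict layouts and the addresses in the constructed scenario are assumptions, not taken from the patent.

```python
"""Control-plane model of example one, steps 1 to 5 (added illustration, not the patent's code).
Assumptions: the layouts of the demand and association-information dicts, the class names and
the addresses in the constructed scenario are all invented for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SecurityDevice:
    dev_id: str
    function: str             # security function provided, e.g. "ddos_monitor" or "ids"
    ip: str
    virtual: bool             # True: virtual security device, False: physical security device
    status: str = "running"   # operating status, one of the device parameters step 3 consults


@dataclass
class SecurityResourcePool:
    devices: List[SecurityDevice] = field(default_factory=list)

    def usable(self, function: str) -> List[SecurityDevice]:
        """Devices providing the function that are actually running (step 1 sufficiency check)."""
        return [d for d in self.devices if d.function == function and d.status == "running"]


class ManoSubsystem:
    """Stand-in for NFVO/VNFM/VIM: instantiates a VNF for the requested function (step 2)."""
    def __init__(self) -> None:
        self.instantiated: List[str] = []

    def instantiate(self, function: str) -> SecurityDevice:
        n = len(self.instantiated) + 1
        dev = SecurityDevice(f"vnf-{function}-{n}", function, f"10.0.9.{n}", virtual=True)
        self.instantiated.append(dev.dev_id)
        return dev


class SdnController:
    """Registers devices (step 3) and turns association information into policies (step 5)."""
    def __init__(self) -> None:
        self.registered: Dict[str, str] = {}  # device IP -> device id

    def register(self, dev: SecurityDevice) -> None:
        self.registered[dev.ip] = dev.dev_id

    def build_policies(self, assoc: dict) -> Tuple[dict, List[str], dict]:
        path = list(assoc["policy"]["chain_ips"])
        unknown = [ip for ip in path if ip not in self.registered]
        if unknown:  # only devices registered in step 3 may appear on the forwarding path
            raise ValueError(f"unregistered security devices on path: {unknown}")
        chain_id = assoc["attributes"]["chain_id"]
        flow_class = {"match": assoc["policy"]["match"], "chain_id": chain_id}
        encap = {"chain_id": chain_id, "hops": path, "metadata": assoc["metadata"]}
        return flow_class, path, encap


class SecurityControlPlatform:
    def __init__(self, pool: SecurityResourcePool, mano: ManoSubsystem, sdn: SdnController) -> None:
        self.pool, self.mano, self.sdn = pool, mano, sdn

    def handle_demand(self, demand: dict) -> Tuple[dict, dict, List[str], dict]:
        """Steps 1 to 4: demand -> chosen devices -> association information -> SDN policies."""
        chosen: List[SecurityDevice] = []
        for function in demand["functions"]:
            usable = self.pool.usable(function)
            if not usable:                            # step 2: pool insufficient, ask MANO
                dev = self.mano.instantiate(function)
                self.pool.devices.append(dev)
                usable = [dev]
            chosen.append(usable[0])
        for dev in chosen:                            # step 3: make the devices known to the controller
            self.sdn.register(dev)
        assoc = {
            "attributes": {"chain_id": demand["tenant"] + "-chain", "functions": list(demand["functions"])},
            "config": {"mode": demand.get("mode", "inline")},
            "policy": {"match": {"dst_ip": demand["dst_ip"]}, "chain_ips": [d.ip for d in chosen]},
            "metadata": {"tenant": demand["tenant"], "monitor_copy": "ddos_monitor" in demand["functions"]},
        }
        flow_class, path, encap = self.sdn.build_policies(assoc)  # step 4: hand over; step 5: derive
        return assoc, flow_class, path, encap


def demo() -> Tuple[dict, dict, List[str], dict, ManoSubsystem]:
    """Constructed scenario: a physical DDoS monitor is available, the only IDS in the pool is down."""
    pool = SecurityResourcePool([
        SecurityDevice("ddos-A", "ddos_monitor", "10.0.1.5", virtual=False),
        SecurityDevice("ids-old", "ids", "10.0.1.6", virtual=True, status="down"),
    ])
    mano, sdn = ManoSubsystem(), SdnController()
    platform = SecurityControlPlatform(pool, mano, sdn)
    demand = {"tenant": "t1", "functions": ["ddos_monitor", "ids"], "dst_ip": "192.0.2.10"}
    return (*platform.handle_demand(demand), mano)
```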
After the above processing is complete, the service classification function node receives the user service flow forwarded by the switch, and the corresponding user service flow can be processed in the following way; the processing flow may be as shown in Fig. 6 and may specifically include:
Step 21: The service classification function node classifies the flow and matches the service function path. Specifically, it classifies the flow according to the flow classification policy issued by the SDN controller, matches the corresponding forwarding path, and determines the service function path (that is, the order of the virtualized security functions the user's data must pass through).
Step 22: Perform packet encapsulation. The service classification function node encapsulates the data packet according to the encapsulation policy, that is, it updates the packet header, inserting header information such as the forwarding path, and encapsulates the metadata and the service processing policy in the packet. The SFC packet formed by the encapsulation is sent to service forwarder 1 (service forwarder 1 here may be the service forwarding function node described above).
Step 23: Parse the packet header and forward the packet to the DDoS monitoring function entity. Service forwarder 1 parses the header of the SFC packet and, according to the forwarding path, sends the SFC packet to the DDoS monitoring function entity. The DDoS monitoring function entity here may be a virtualized DDoS function entity, one kind of the virtual security devices described above.
Step 24: The DDoS monitoring entity processes the packet and returns it to service forwarder 1. The DDoS monitoring function entity processes the SFC packet and returns it to service forwarding function node 1. The packet has thus been processed by security devices such as the DDoS monitoring entity, which ensures the security of the packet that is forwarded afterwards.
Step 25: Service forwarder 1 forwards the packet to service forwarder 2. After service forwarding function device 1 receives the SFC-encapsulated packet, it sends it to service forwarding function device 2 on the forwarding path according to the SFC packet.
Step 26: Service forwarder 2 parses the packet header and forwards the packet to the IDS function entity; the IDS function entity here is a physical security device or virtual security device that performs IDS security processing on the packet. Step 26 may include: service forwarding function device 2 receives the packet from service forwarding function device 1, finds the service forwarding node where the next-hop service function is located according to the header information of the SFC packet, and sends the packet to the next-hop service processing function node, which in this example is the IDS function entity in Fig. 6; the IDS function entity here may be a virtualized IDS function entity.
Step 27: The IDS function entity processes the packet and returns it to service forwarder 2. Specifically, the virtualized IDS function entity processes the SFC packet and sends it back to service forwarding function device 2.
Step 28: Service forwarder 2 decapsulates and forwards the packet. Specifically, service forwarding function device 2 learns from the encapsulation information in the header of the SFC packet that the service processing path selected for this packet during flow classification has been completed, performs SFC decapsulation on the packet and sends the packet into the traditional network.
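Steps 21 to 28 as an added example, not code from the patent: a classifier encapsulates matched traffic with an SFC header, two service forwarders hand the packet along the forwarding path through an SFC-aware DDoS monitor and a legacy IDS placed behind the proxy agent described in step 5, and the last forwarder decapsulates. The header layout, class names, IDS signature and addresses are constructed assumptions.

```python
"""Data-plane model of example one, steps 21 to 28 (added illustration, not the patent's code).
Assumptions: the SFC header is a dict with chain_id, service_index, hops and metadata; the
service functions, packets, signature and addresses below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    payload: bytes
    sfc: Optional[dict] = None  # SFC header, present only while the packet is on the chain


class DdosMonitor:
    """SFC-aware virtual security function: inspects every packet, never drops."""
    def __init__(self) -> None:
        self.seen = 0

    def process(self, pkt: Packet) -> Optional[Packet]:
        assert pkt.sfc is not None  # receives the SFC header and its metadata directly
        self.seen += 1
        return pkt


class Ids:
    """Legacy IDS that does not understand SFC headers; drops a packet on a signature hit."""
    def __init__(self, signatures: List[bytes]) -> None:
        self.signatures, self.alerts = signatures, 0

    def process(self, pkt: Packet) -> Optional[Packet]:
        assert pkt.sfc is None  # must never be handed the SFC header
        if any(sig in pkt.payload for sig in self.signatures):
            self.alerts += 1
            return None
        return pkt


class SfcProxy:
    """Agent in front of a non-SFC function (step 5): strips the header, restores it afterwards."""
    def __init__(self, sf) -> None:
        self.sf = sf

    def process(self, pkt: Packet) -> Optional[Packet]:
        hdr, pkt.sfc = pkt.sfc, None
        out = self.sf.process(pkt)
        if out is not None:
            out.sfc = hdr
        return out


class Classifier:
    """Steps 21 and 22: match the flow classification policy, then encapsulate."""
    def __init__(self, rules: List[dict], paths: Dict[int, List[Tuple[str, str]]]) -> None:
        self.rules, self.paths = rules, paths

    def classify(self, pkt: Packet) -> Packet:
        for rule in self.rules:
            if all(getattr(pkt, k) == v for k, v in rule["match"].items()):
                pkt.sfc = {"chain_id": rule["chain_id"], "service_index": 0,
                           "hops": self.paths[rule["chain_id"]], "metadata": rule["metadata"]}
                break
        return pkt  # unmatched traffic stays unencapsulated


class ServiceForwarder:
    """Steps 23 to 28: deliver to local SFs, hand over to the next SFF, decapsulate at the end."""
    def __init__(self, name: str, sfs: Dict[str, object], peers: Dict[str, "ServiceForwarder"]) -> None:
        self.name, self.sfs, self.peers = name, sfs, peers

    def forward(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        hops = pkt.sfc["hops"]
        while pkt.sfc["service_index"] < len(hops):
            sff, sf = hops[pkt.sfc["service_index"]]
            if sff != self.name:  # the next service function sits behind another forwarder
                return self.peers[sff].forward(pkt)
            out = self.sfs[sf].process(pkt)
            if out is None:
                return "dropped", None
            pkt = out
            pkt.sfc["service_index"] += 1
        pkt.sfc = None  # step 28: path complete, decapsulate and return to the traditional network
        return "egress", pkt


def build_chain() -> Tuple[Classifier, ServiceForwarder, DdosMonitor, Ids]:
    """Constructed topology: classifier -> SFF1 (DDoS monitor) -> SFF2 (IDS behind the proxy)."""
    ddos, ids = DdosMonitor(), Ids([b"evil-signature"])
    peers: Dict[str, ServiceForwarder] = {}
    sff1 = ServiceForwarder("sff1", {"ddos": ddos}, peers)
    sff2 = ServiceForwarder("sff2", {"ids": SfcProxy(ids)}, peers)
    peers.update({"sff1": sff1, "sff2": sff2})
    paths = {10: [("sff1", "ddos"), ("sff2", "ids")]}
    rules = [{"match": {"dst_ip": "192.0.2.10"}, "chain_id": 10, "metadata": {"tenant": "t1"}}]
    return Classifier(rules, paths), sff1, ddos, ids


def send(clf: Classifier, ingress: ServiceForwarder, pkt: Packet) -> Tuple[str, Optional[Packet]]:
    """Run one packet through classification and the chain; report what happened to it."""
    pkt = clf.classify(pkt)
    if pkt.sfc is None:
        return "unclassified", pkt  # not on any chain: forwarded as ordinary traffic
    return ingress.forward(pkt)
```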
In the above example the SFC encapsulation may also be replaced by the extended field of VxLAN (Virtual eXtensible LAN). When encapsulating with the VxLAN extended field, a VXLAN Tunnel End Point (VTEP) must be deployed; the VTEP performs the encapsulation and decapsulation of packets, and no flow classification function needs to be deployed.
Example two:
To reduce the impact on the SDN controller, in this example the security control platform can also take over the service chain control function from the SDN controller; the SDN controller then only needs to forward the traffic to the security service classification function. As shown in Fig. 5, the method for providing a security service in this example may include:
Step 11: The security control platform receives the user's security demand;
Step 12: The security control platform requests the MANO subsystem to instantiate a virtual security device function;
Step 13: The security control platform sends the flow classification policy, the encapsulation policy and the metadata to the security resource pool, so that the security devices in the security resource pool can receive them and perform security processing. Specifically, besides configuring the security policies of the virtualized security function devices, the security control platform also acts as the control plane of the security service chain: according to the user's security demand it converts the relevant attribute information, configuration information and policy information of the security service chain into the flow classification policy, forwarding path and metadata, and sends them to the service classification function node, the service forwarding function node and the virtualized security functions.
Step 14: Send the forwarding path to the SDN controller. The security control platform only needs to register the IP address of the service classification function and the address of the switch it is connected to on the SDN controller, and to send the SDN controller the forwarding path that steers the user data to the service classification function.
Step 15: The SDN controller generates and issues flow table entries. Specifically, the SDN controller generates flow table entries directly from the forwarding path and issues them to the associated switches.
In the embodiments of the present invention the forwarding path may include a forwarding policy indicating which kinds of devices must be traversed, or it may be a concrete transmission path formed by the transmission paths between multiple devices.
In the several embodiments provided in this application, it should be understood that the disclosed devices and methods may be implemented in other ways. The device embodiments described above are only illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection between the components shown or discussed may be an indirect coupling or communication connection through interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional units in the embodiments of the present invention may all be integrated into one processing module, or each unit may be a unit on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional units.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be performed by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes removable storage devices, read-only memory (ROM), random access memory (RAM), magnetic disks, optical discs and other media that can store program code.
The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited to it; any change or replacement that a person familiar with the art can readily think of within the technical scope disclosed by the present invention falls within the protection scope of the present invention. Therefore the protection scope of the present invention is defined by the protection scope of the claims.

Claims (10)

1. A security service system, characterized in that it comprises:
a security resource pool including security devices that provide security processing, wherein the security devices include virtual security devices that provide virtualized security functions and/or physical security devices that themselves provide security processing;
a security control platform for receiving a user demand and generating association information of a security service chain according to the user demand; wherein the association information includes at least one of attribute information, configuration information, policy information and metadata, and is used to generate the security service chain; wherein the security service chain includes a forwarding path, and the forwarding path passes through at least some of the security devices; the attribute information indicates the security features of the security service chain and/or the security functions it uses; the configuration information indicates the operating parameters of the security control performed by the security service chain; the policy information is used to generate a flow classification policy and/or an encapsulation policy; the flow classification policy classifies service traffic; the encapsulation policy encapsulates data packets; the metadata describes the data packets transmitted over the security service chain.
2. The system according to claim 1, characterized in that
the system further comprises:
a software-defined network (SDN) controller for receiving the association information, determining the forwarding path and/or generating the flow classification policy and/or the encapsulation policy according to the association information, and sending the forwarding path to a routing node and/or sending the flow classification policy to a service classification function node and/or sending the encapsulation policy to a service forwarding function node.
3. The system according to claim 2, characterized in that
the SDN controller is connected to the security control platform through a northbound interface, and to the routing node, the service classification function node and the service forwarding function node through a southbound interface.
4. The system according to claim 1, characterized in that
the security control platform is further used to determine the forwarding path and/or generate the flow classification policy and/or the encapsulation policy according to the association information, and to send the forwarding path to a routing node and/or send the flow classification policy to a service classification function node and/or send the encapsulation policy to a service forwarding function node.
5. The system according to any one of claims 1 to 4, characterized in that
the system further comprises:
a management and orchestration (MANO) subsystem, connected to the security control platform, for creating the virtual security devices.
6. A method for providing a security service, characterized in that it comprises:
a security control platform receiving a user demand;
generating association information of a security service chain according to the user demand; wherein the association information includes at least one of attribute information, configuration information, policy information and metadata, and is used to generate the security service chain; wherein the security service chain includes a forwarding path, and the forwarding path passes through at least some of the security devices that provide security processing; the security devices include virtual security devices that provide virtualized security functions and/or physical security devices that themselves provide security processing; the attribute information indicates the security features of the security service chain and/or the security functions it uses; the configuration information indicates the operating parameters of the security control performed by the security service chain; the policy information is used to generate a flow classification policy and/or an encapsulation policy; the flow classification policy classifies service traffic; the encapsulation policy encapsulates data packets; the metadata describes the data packets transmitted over the security service chain.
7. The method according to claim 6, characterized in that
the method further comprises:
the security control platform sending the association information to a software-defined network (SDN) controller;
the SDN controller receiving the association information, determining the forwarding path and/or generating the flow classification policy and/or the encapsulation policy according to the association information, and sending the forwarding path to a routing node and/or sending the flow classification policy to a service classification function node and/or sending the encapsulation policy to a service forwarding function node.
8. The method according to claim 7, characterized in that
the SDN controller is connected to the security control platform through a northbound interface, and to the routing node, the service classification function node and the service forwarding function node through a southbound interface.
9. The method according to claim 6, characterized in that
the method further comprises:
the security control platform determining the forwarding path and/or generating the flow classification policy and/or the encapsulation policy according to the association information, and sending the forwarding path to a routing node;
sending the flow classification policy to a service classification function node and/or sending the encapsulation policy to a service forwarding function node.
10. The method according to any one of claims 6 to 9, characterized in that
the method further comprises:
a management and orchestration (MANO) subsystem creating the virtual security devices.
CN201611028861.6A 2016-11-21 2016-11-21 Safety service system and method Pending CN108092934A (en)
Publications (1)

Publication Number Publication Date
CN108092934A true CN108092934A (en) 2018-05-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180529
