Disclosure of Invention
In order to make up for the defects of the prior art, the invention provides a simple and efficient automatic management method for the full life cycle of the cloud firewall.
The invention is realized by the following technical scheme:
the cloud firewall full-life-cycle automatic management method is characterized by comprising a management area, a service area and a resource recovery area, wherein the management area is provided with a cloud management platform and the authorization service of third-party cloud firewalls, the service area is provided with the cloud firewall and the resources required for the operation of user services, and the resource recovery area is used for temporarily storing logged-out resources; the cloud management platform is used for providing a visual interface for the user and for issuing and reclaiming cloud firewall service authorization through an API (application programming interface) provided by the third-party cloud firewall authorization service; the cloud firewall is a virtual machine used for carrying the cloud firewall service, through which security protection is provided for cloud servers and cloud load balancers.
The cloud management platform carries out full-life-cycle management on all resources in the cloud platform through a visual interface, and all operation information and configuration data are stored in a database.
The cloud management platform sets the retention time for logged-out resources; resources logged out by the user through the cloud management platform are retained in the resource recovery area until the set time elapses, after which they are fully released.
The invention discloses a cloud firewall full life cycle automatic management method which is characterized by comprising the following steps:
(1) a third-party cloud firewall authorization service is deployed in the management area of the cloud environment, and the cloud management platform issues and reclaims cloud firewall service authorization through an API (application programming interface) provided by the third-party cloud firewall authorization service;
(2) protected resources and policies of the cloud firewall are configured through the cloud management platform;
(3) the cloud firewall inspects traffic and permits or drops it, and at the same time generates monitoring summaries of performance and attack conditions so that the user can see how well the service is working;
(4) after the cloud firewall has been used, the cloud management platform automatically places the cloud firewall service in the resource recovery area and releases the authorization; the resources carrying the cloud firewall service are temporarily stored for the retention period set by the platform, and the cloud management platform automatically destroys the cloud firewall service resources through an API when the retention period is over.
In step (1), the cloud management platform provides visual pages on which the user selects the specification, the number, the use duration, the network and whether high availability is required, and calls the cloud management platform API to create the cloud firewall service and allocate management addresses according to the elements determined on the page; the cloud management platform acquires the authorization code from the authorization service over the management network and issues the authorization code to the cloud firewall service.
In step (1), issuing the cloud firewall service authorization includes the following steps:
(A) the cloud management platform deploys a carrier for the cloud firewall service through an API (application programming interface);
(B) after the carrier is successfully created, the cloud management platform binds the management and service networks to the cloud firewall service through an API (application programming interface), allocates network addresses by DHCP (dynamic host configuration protocol), ISO disc image file mounting or VMware Tools, and makes the allocated network addresses static;
(C) after the network addresses are successfully allocated, the cloud management platform obtains an available authorization from the authorization service and issues it to the cloud firewall service; once the authorization is successfully issued, the cloud firewall service can provide its security protection function normally.
In step (2), the user adds protected resources to the cloud firewall service through the cloud management platform according to the requirements of the actual application scenario, and configures policies for the added protected resources through the cloud management platform according to the actual security protection requirements.
In step (3), after the cloud firewall is put into use, monitoring data including performance, attack and log records can be checked at any time through the cloud management platform, and the user adjusts the configuration according to the observed effect so that the firewall service functions in an optimal state.
In step (4), after the cloud firewall has been deployed and put into use, the cloud management platform periodically and automatically checks the service use deadline; if expiry of the service is detected, a notification is sent to the user, who then either renews the service through the cloud management platform or leaves the expired service to be processed automatically by the cloud management platform.
In step (4), the cloud management platform migrates the detected expired service resources to the resource recovery area and releases the authorization, and stores them temporarily for the retention time set by the cloud management platform; if the user wants to continue using the service within the retention time, the resources are migrated back to the service area, and if the user does not need them within the retention time, the cloud management platform automatically destroys the released resources when the retention time is up, completing the full-life-cycle automatic management of the third-party cloud firewall.
The invention has the following beneficial effects: with the cloud firewall full-life-cycle automatic management method, operation and maintenance personnel are freed from the tedious work of existing manual configuration management and need not concern themselves with differences between third-party manufacturers; automatic deployment, configuration, monitoring and destruction are carried out from the unified pages and trigger buttons provided by the cloud management platform, so the workload of operation and maintenance personnel is reduced, management efficiency is improved, and the system security of the cloud service is guaranteed.
Detailed Description
In order to make the technical problems, technical solutions and advantageous effects to be solved by the present invention more clearly apparent, the present invention is described in detail below with reference to the accompanying drawings and embodiments. It should be noted that the specific embodiments described herein are only for explaining the present invention and are not used to limit the present invention.
The cloud firewall full-life-cycle automatic management system comprises a management area, a service area and a resource recovery area, wherein the management area is provided with a cloud management platform and the authorization service of third-party cloud firewalls, the service area is provided with the cloud firewall and the resources required for the operation of user services, and the resource recovery area is used for temporarily storing logged-out resources; the cloud management platform is used for providing a visual interface for the user and for issuing and reclaiming cloud firewall service authorization through an API (application programming interface) provided by the third-party cloud firewall authorization service; the cloud firewall is a virtual machine used for carrying the cloud firewall service, through which security protection is provided for cloud servers and cloud load balancers.
The cloud management platform carries out full-life-cycle management on all resources in the cloud platform through a visual interface, and all operation information and configuration data are stored in a database.
The cloud management platform sets the retention time for logged-out resources; resources logged out by the user through the cloud management platform are retained in the resource recovery area until the set time elapses, after which they are fully released.
The cloud firewall full life cycle automatic management method comprises the following steps:
(1) a third-party cloud firewall authorization service is deployed in the management area of the cloud environment, and the cloud management platform issues and reclaims cloud firewall service authorization through an API (application programming interface) provided by the third-party cloud firewall authorization service;
(2) protected resources and policies of the cloud firewall are configured through the cloud management platform;
(3) the cloud firewall inspects traffic and permits or drops it, and at the same time generates monitoring summaries of performance and attack conditions so that the user can see how well the service is working;
(4) after the cloud firewall has been used, the cloud management platform automatically places the cloud firewall service in the resource recovery area and releases the authorization; the resources carrying the cloud firewall service are temporarily stored for the retention period set by the platform, and the cloud management platform automatically destroys the cloud firewall service resources through an API when the retention period is over.
In step (1), the cloud management platform provides visual pages on which the user selects the specification, the number, the use duration, the network and whether high availability is required; the elements determined on the page are used to call the cloud management platform API to create the cloud firewall service and allocate management addresses, without any manual operation by operation and maintenance personnel; the cloud management platform acquires the authorization code from the authorization service over the management network and issues the authorization code to the cloud firewall service.
In step (1), issuing the cloud firewall service authorization includes the following steps:
(A) the cloud management platform deploys a carrier for the cloud firewall service through an API (application programming interface);
(B) after the carrier is successfully created, the cloud management platform binds the management and service networks to the cloud firewall service through an API (application programming interface), allocates network addresses by DHCP (Dynamic Host Configuration Protocol), ISO (optical disc image file format) file mounting or VMware Tools, and makes the allocated network addresses static without the risk of relying on an agent built into the service;
(C) after the network addresses are successfully allocated, the cloud management platform obtains an available authorization from the authorization service and issues it to the cloud firewall service; once the authorization is successfully issued, the cloud firewall service can provide its security protection function normally.
In step (2), the user adds protected resources to the cloud firewall service through the cloud management platform according to the requirements of the actual application scenario, and configures policies for the added protected resources through the cloud management platform according to the actual security protection requirements.
In step (3), after the cloud firewall is put into use, monitoring data including performance, attack and log records can be checked at any time through the cloud management platform, and the user adjusts the configuration according to the observed effect so that the firewall service functions in an optimal state.
In step (4), after the cloud firewall has been deployed and put into use, the cloud management platform periodically and automatically checks the service use deadline; if expiry of the service is detected, a notification (in the form of a text message, an e-mail or the like) is sent to the user, who then either renews the service or leaves the expired service to be processed automatically by the cloud management platform.
In step (4), the cloud management platform migrates the detected expired service resources to the resource recovery area and releases the authorization, and stores them temporarily for the retention time set by the cloud management platform; if the user wants to continue using the service within the retention time, the resources are migrated back to the service area, and if the user does not need them within the retention time, the cloud management platform automatically destroys the released resources when the retention time is up, completing the full-life-cycle automatic management of the third-party cloud firewall.
In summary, the cloud firewall full-life-cycle automated management method includes the following steps:
1) deploying and debugging all infrastructure and networks of the cloud management platform;
2) accessing a visual page of the cloud management platform, selecting elements such as the specification type, quantity, use duration, network and high availability of the cloud firewall, and triggering the implementation button to automatically deploy the cloud firewall service;
3) the cloud management platform deploys a carrier for the cloud firewall service through an API (application programming interface);
4) after the creation is successful, the cloud management platform binds the management and service networks to the cloud firewall service through an API (application programming interface), allocates network addresses by DHCP (dynamic host configuration protocol), ISO file mounting or VMware Tools, and makes the allocated addresses static;
5) after address allocation is successful, the cloud management platform acquires an available authorization from the authorization service and issues it to the cloud firewall service, and once the authorization succeeds the cloud firewall service can provide its security protection function normally;
6) the user adds protected resources to the cloud firewall service through the cloud management platform according to the requirements of the actual application scenario;
7) the user enables the protection function of the cloud firewall by configuring policies for the added protected resources and the like through the cloud management platform according to the actual security protection requirements;
8) after the cloud firewall is put into use, monitoring data including performance, attacks, log records and the like can be checked at any time through the cloud management platform, and according to the observed effect the user can adjust the configuration so that the functions perform in their best state;
9) after the cloud firewall has been deployed and put into use, the cloud management platform periodically and automatically checks the service use deadline; if expiry of the service is detected, a notice (in the form of a text message, an e-mail or the like) is sent to the user, who then either renews the service through the cloud management platform or leaves the expired service to be processed automatically by the cloud management platform;
10) the cloud management platform migrates the detected expired service resources to the resource recovery area and releases the authorization, stores them temporarily for the retention time set by the cloud management platform, migrates the resources back to the service area if the user wants to continue using the service within the retention time, and automatically destroys the released resources when the retention time is up if the user does not need them within the retention time, completing the full-life-cycle automatic management of the third-party cloud firewall.
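The life cycle of steps 1) to 10) above (and of steps (1) to (4) in the disclosure), as an added example that is not part of the patent: a Python model of the platform's periodic expiry check, the recovery area with its retention time, migration back on renewal, and the pool of pre-purchased authorizations held by the authorization service. The class names, the integer clock and the authorization codes are assumptions of this example; the carrier and network set-up of steps 3) and 4) are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

class AuthorizationService:
    """Authorization service in the management area: pool of pre-purchased codes."""
    def __init__(self, codes):
        self.free, self.issued = list(codes), {}    # issued: firewall id -> code
    def issue(self, fw_id):
        if not self.free:
            raise RuntimeError("authorization pool exhausted")
        self.issued[fw_id] = self.free.pop()
        return self.issued[fw_id]
    def release(self, fw_id):
        self.free.append(self.issued.pop(fw_id))

@dataclass
class CloudFirewall:
    fw_id: str
    expires_at: int                            # end of the purchased use duration
    area: str = "service"                      # service | recovery | destroyed
    auth_code: Optional[str] = None
    recovered_at: Optional[int] = None         # when it entered the recovery area

class CloudManagementPlatform:
    def __init__(self, auth, retention):
        self.auth, self.retention, self.fws = auth, retention, {}
    def deploy(self, fw_id, duration, now):
        # Steps (A)-(C) reduced to their effect: a service-area record holding an authorization.
        fw = CloudFirewall(fw_id, expires_at=now + duration)
        fw.auth_code = self.auth.issue(fw_id)
        self.fws[fw_id] = fw
        return fw
    def renew(self, fw_id, duration, now):
        # Renewal within the retention time migrates the firewall back and re-authorizes it.
        fw = self.fws[fw_id]
        if fw.area == "destroyed":
            raise RuntimeError(f"{fw_id}: resources already destroyed")
        if fw.area == "recovery":
            fw.area, fw.recovered_at = "service", None
            fw.auth_code = self.auth.issue(fw_id)
        fw.expires_at = now + duration
    def tick(self, now):
        # Step (4), run periodically: expired services move to the recovery area and give
        # back their authorization; after the retention time the stored resources are destroyed.
        notices = []
        for fw in self.fws.values():
            if fw.area == "service" and now >= fw.expires_at:
                fw.area, fw.recovered_at = "recovery", now
                self.auth.release(fw.fw_id)
                fw.auth_code = None
                notices.append(f"{fw.fw_id}: expired, moved to recovery area")
            elif fw.area == "recovery" and now - fw.recovered_at >= self.retention:
                fw.area = "destroyed"
                notices.append(f"{fw.fw_id}: retention over, resources destroyed")
        return notices
```

The notices returned by `tick` are what the platform would send to the user; a firewall renewed while still in the recovery area gets an authorization from the same pool it returned on expiry.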
Compared with the prior art, the cloud firewall full-life-cycle automatic management method has the following beneficial effects:
(1) the third-party cloud firewall authorization service is deployed in the management area, and the pre-purchased authorizations are stored in the authorization service, free from the risk of attack from external networks;
(2) unified, intuitive and easy-to-understand pages for configuration and monitoring are provided by the cloud management platform, so operation and maintenance personnel need not worry about learning and operating the products of multiple manufacturers and only need to be familiar with the cloud management platform; they select and fill in the basic configuration on the pages, and the cloud management platform issues it to the cloud firewall automatically;
(3) according to the network configuration selected during automatic deployment, the cloud management platform automatically steers requested traffic to the cloud firewall and forwards the traffic permitted by the cloud firewall to the protected resource, while the information returned by the protected resource is sent back to the requesting client through the firewall; the cloud firewall supports VLAN and VXLAN technologies, and the virtual platforms supported for traffic steering include VMware and KVM;
(4) automatic deployment, network allocation, authorization issuing and service activation are triggered from the page; the cloud management platform automatically implements traffic steering according to the network configuration, automatically monitors service expiry, releases the authorization after the service expires and stores the resources temporarily for a set retention time, and automatically destroys and releases the resources when the retention time is up.