CN109981355A - Security defend method and system, computer readable storage medium for cloud environment - Google Patents


Info

Publication number
CN109981355A
CN109981355A (application CN201910182074.4A)
Authority
CN
China
Prior art keywords
network element
virtual
standby
secure network
service
Prior art date
Legal status
Pending
Application number
CN201910182074.4A
Other languages
Chinese (zh)
Inventor
郭春梅
胡毅勋
Current Assignee
BEIJING LEADSEC TECHNOLOGY CO LTD
Venustech Group Inc
Original Assignee
BEIJING LEADSEC TECHNOLOGY CO LTD
Venustech Group Inc
Priority date
Filing date
Publication date
Application filed by BEIJING LEADSEC TECHNOLOGY CO LTD, Venustech Group Inc
Priority to CN201910182074.4A
Publication of CN109981355A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L 41/0663 Performing the actions predefined by failover planning, e.g. switching to standby network elements
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/10 Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/22 Alternate routing

Abstract

This application discloses a security defense method and system for a cloud environment, and a computer-readable storage medium. The system comprises a first virtual security network element module, a first virtual interaction network element module and a first detection module. The first virtual security network element module includes one or more virtual security network element groups, and each virtual security network element group includes two virtual security network elements, one primary and one standby. The first virtual interaction network element module forwards traffic between the cloud platform and a first defense service chain, the first defense service chain being a security defense path that connects the virtual security network element groups in a specified order. The first detection module detects, through a first detection service chain, whether each primary and standby virtual security network element is available; the first detection service chain is an availability test loop connecting the first detection module to each virtual security network element. By provisioning primary and standby virtual security network elements and detecting node failures through the detection service chain, the application achieves highly available serial defense together with automated, low-latency fault identification and recovery.

Description

Security defense method and system, and computer-readable storage medium, for a cloud environment
Technical field
The present invention relates to the field of computer security technology, and in particular to a security defense method and system for a cloud environment, and a computer-readable storage medium.
Background art
With the continued development of the networked information era, cloud computing is increasingly becoming the mainstream deployment mode for businesses across industries. However, once a business moves to the cloud, traditional security problems are not only amplified but new security risks are introduced. The current approach of mainstream vendors is to deploy virtual security network elements in an external security resource pool in a side-mounted manner and to steer traffic from the cloud into that external, virtualized resource pool. After the traffic has been steered into the security resource pool, a software service chain is built that orchestrates the serial defense products in a certain order, forming a complete security defense function.
For serial defense products, however, the most important property besides the defense capability itself is high availability. With a serial defense product that lacks high availability, once a security node is damaged, all traffic that passes through the protected node is blocked, resulting in network paralysis with extremely serious consequences.
Some mainstream vendors' solutions provision primary and standby nodes and switch over manually when the user perceives a network anomaly. This approach relies on the user's subjective judgement of the anomaly and on manual recovery, so network recovery is very slow and the result is poor. Other vendors judge a security node by its power-on/off state; this cannot recognise a hung state (the security node is powered on but internally neither processes nor forwards traffic, so traffic is blocked), so the monitoring is ineffective and, once a node hangs, network paralysis can still result.
Summary of the invention
Embodiments of the invention provide a security defense method and system for a cloud environment, and a computer-readable storage medium, which can automatically and accurately detect the state of each virtual security network element and achieve high availability of the network.
To achieve the object of the invention, the technical solution of the embodiments of the invention is realised as follows.
An embodiment of the invention provides a security defense system for a cloud environment, comprising a first virtual security network element module, a first virtual interaction network element module and a first detection module, wherein:
the first virtual security network element module includes one or more virtual security network element groups for realising security defense functions, each virtual security network element group including two virtual security network elements, one primary and one standby;
the first virtual interaction network element module is configured to receive service traffic from the cloud platform and forward it to the entrance of a first defense service chain, and to receive service traffic from the exit of the first defense service chain and forward it to the cloud platform, the first defense service chain being a security defense path that connects the one or more virtual security network element groups in a specified order;
the first detection module is configured to detect, through a first detection service chain, whether the primary and standby virtual security network elements in each virtual security network element group are available, the first detection service chain being an availability test loop connecting the first detection module and the virtual security network elements.
In one embodiment, when the primary virtual security network element in a virtual security network element group is available, the virtual security network element inserted into the first defense service chain is the primary virtual security network element;
when the primary virtual security network element in the group is unavailable but the standby virtual security network element is available, the virtual security network element inserted into the first defense service chain is the standby virtual security network element;
when both the primary and standby virtual security network elements in the group are unavailable, the first defense service chain bypasses that virtual security network element group.
In one embodiment, each virtual security network element includes at least four virtual network ports: a service ingress port, a service egress port, a first management port and a dual-node redundancy (HA) port, wherein the service ingress and egress ports carry service traffic in and out, the first management port is used to manage the virtual security network element, and the HA port is used to synchronise state information between the primary and standby virtual security network elements.
In one embodiment, the first virtual interaction network element module includes two virtual data interaction network elements, one primary and one standby, which share one virtual group Internet Protocol (IP) address.
In one embodiment, the method for detecting whether the primary and standby virtual data interaction network elements are available comprises:
the first detection module sending test packets to the primary and standby virtual data interaction network elements and detecting whether the test packets returned by them can be received; or,
deploying on each of the primary and standby virtual data interaction network elements a heartbeat submodule that indicates whether that network element is online.
In one embodiment, each virtual data interaction network element includes at least four virtual network ports: a service port, a serial transmit port, a serial receive port and a second management port, wherein the service port receives service traffic from the cloud platform and forwards it to the serial transmit port, and receives service traffic sent by the serial receive port and forwards it to the cloud platform; the serial transmit port receives service traffic sent by the service port and forwards it to the entrance of the first defense service chain; the serial receive port receives service traffic from the exit of the first defense service chain and forwards it to the service port; and the second management port is used to manage the virtual data interaction network element.
In one embodiment, the virtual security network element includes at least one of: a firewall, an intrusion prevention system (IPS), an intrusion detection system (IDS), a virtual private network (VPN), and a bastion host.
In one embodiment, the security defense system further includes a management module and a network module, wherein:
the management module is configured to create, per tenant and/or per service, the first virtual security network element module, the first virtual interaction network element module and the first detection module;
the network module is configured to create, per tenant and/or per service, the first defense service chain and the first detection service chain.
An embodiment of the invention also provides a security defense system for a cloud environment, comprising a second virtual security network element module, a second virtual interaction network element module and a second detection module, wherein:
the second virtual security network element module includes one or more virtual security network elements for realising security defense functions;
the second virtual interaction network element module includes two virtual data interaction network elements, one primary and one standby, sharing one virtual group IP address, and is configured to receive service traffic from the cloud platform and forward it to the entrance of a second defense service chain, and to receive service traffic from the exit of the second defense service chain and forward it to the cloud platform, the second defense service chain being a security defense path that connects the one or more virtual security network elements in a specified order;
the second detection module is configured to detect, through a second detection service chain, whether the primary and standby virtual data interaction network elements are available, the second detection service chain being an availability test loop connecting the second detection module and the primary and standby virtual data interaction network elements.
In one embodiment, when the primary virtual data interaction network element is available, traffic is forwarded between the cloud platform and the second defense service chain by the primary virtual data interaction network element;
when the primary virtual data interaction network element is unavailable but the standby virtual data interaction network element is available, traffic is forwarded between the cloud platform and the second defense service chain by the standby virtual data interaction network element;
when both the primary and standby virtual data interaction network elements are unavailable, the service traffic of the cloud platform is not forwarded to the entrance of the second defense service chain.
An embodiment of the invention also provides a security defense method for a cloud environment, comprising:
a first virtual interaction network element module receiving service traffic from the cloud platform and forwarding it to the entrance of a first defense service chain, the first defense service chain being a security defense path that connects one or more virtual security network element groups in a specified order, each virtual security network element group including two virtual security network elements, one primary and one standby, and detecting through a first detection service chain whether the primary and standby virtual security network elements in the virtual security network element group are available, the first detection service chain being an availability test loop connecting a first detection module and the virtual security network elements;
the first virtual interaction network element module receiving service traffic from the exit of the first defense service chain and forwarding it to the cloud platform.
An embodiment of the invention also provides a security defense method for a cloud environment, comprising:
a second virtual interaction network element module receiving service traffic from the cloud platform and forwarding it to the entrance of a second defense service chain, the second defense service chain being a security defense path that connects one or more virtual security network elements in a specified order, the second virtual interaction network element module including two virtual data interaction network elements, one primary and one standby, sharing one virtual group IP address, and detecting through a second detection service chain whether the primary and standby virtual data interaction network elements are available, the second detection service chain being an availability test loop connecting a second detection module and the primary and standby virtual data interaction network elements;
the second virtual interaction network element module receiving service traffic from the exit of the second defense service chain and forwarding it to the cloud platform.
An embodiment of the invention also provides a computer-readable storage medium storing one or more programs which are executable by one or more processors to implement the steps of the security defense method for a cloud environment described in any of the above.
An embodiment of the invention also provides a security defense system for a cloud environment comprising a processor and a memory, the processor being configured to execute the program stored in the memory to implement the steps of the security defense method for a cloud environment described in any of the above.
The technical solution of the embodiments of the invention has the following beneficial effects:
The security defense method and system for a cloud environment and the computer-readable storage medium provided by the embodiments, by provisioning primary and standby virtual security network elements in each virtual security network element group and by providing a detection module and a detection service chain, perform primary/standby switching within the virtual security network element group when a node failure is detected, achieving highly available serial defense together with automated, low-latency fault identification and failover, thereby ensuring normal operation of the customer's services and network;
Further, through in-group primary/standby switching and bypass pass-through, the application ensures user communication without reducing the other security functions (existing approaches typically bypass the whole chain as soon as one node on the chain is broken, which loses the security capabilities of the intact nodes and lowers overall security).
Description of the drawings
The drawings described herein are provided for further understanding of the invention and form part of this application; the illustrative embodiments of the invention and their description are used to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic structural diagram of a security defense system for a cloud environment according to an embodiment of the invention;
Fig. 2 is a schematic structural diagram of another security defense system for a cloud environment according to an embodiment of the invention;
Fig. 3 is a schematic structural diagram of a first virtual interaction network element module according to an embodiment of the invention;
Fig. 4 is a flow diagram of a security defense method for a cloud environment according to an embodiment of the invention.
Specific embodiments
To make the objectives, technical solutions and advantages of the invention clearer, embodiments of the invention are described in detail below with reference to the drawings. It should be noted that, absent conflict, the embodiments in this application and the features within the embodiments may be combined with each other arbitrarily.
As shown in Fig. 1, a security defense system for a cloud environment according to an embodiment of the invention includes a first virtual security network element module 101, a first virtual interaction network element module 102 and a first detection module 103, wherein:
the first virtual security network element module 101 includes one or more virtual security network element groups for realising security defense functions, each virtual security network element group including two virtual security network elements, one primary and one standby;
the first virtual interaction network element module 102 is configured to receive service traffic from the cloud platform and forward it to the entrance of a first defense service chain, and to receive service traffic from the exit of the first defense service chain and forward it to the cloud platform, the first defense service chain being a security defense path that connects the one or more virtual security network element groups in a specified order;
the first detection module 103 is configured to detect, through a first detection service chain, whether the primary and standby virtual security network elements in each virtual security network element group are available, the first detection service chain being an availability test loop connecting the first detection module 103 and the virtual security network elements.
When the security defense system for a cloud environment of this application is used, the first virtual security network element module 101, the first virtual interaction network element module 102, the first detection module 103, the first defense service chain and the first detection service chain are first configured according to the tenant's requirements. The security defense system steers the service traffic in the cloud platform, per tenant and/or per service, by policy routing to the first virtual interaction network element module 102 in the tenant's resource pool; the first virtual interaction network element module 102 forwards the service traffic to the entrance of the first defense service chain; and the first defense service chain passes the traffic entering it through each virtual security network element group in turn. By default a virtual security network element group realises its security function with the primary virtual security network element, and when the first detection module 103 finds the primary virtual security network element abnormal, the group automatically switches to the standby virtual security network element.
In one embodiment of the invention, the virtual security network element includes, but is not limited to: a firewall, an intrusion prevention system (IPS), an intrusion detection system (IDS), a virtual private network (VPN) and a bastion host.
In one example of this embodiment, the firewall includes, but is not limited to, a basic firewall, a web application firewall (WAF), a database firewall, and so on.
In one embodiment of the invention, as shown in Fig. 2, the first virtual interaction network element module 102 includes two virtual data interaction network elements, one primary and one standby, which share one virtual group Internet Protocol (IP) address.
In one example of this embodiment, high availability of the traffic steering performed by the primary and standby virtual data interaction network elements can be realised with the Virtual Router Redundancy Protocol (VRRP).
In this example, a heartbeat submodule indicating whether the network element is online may be deployed on each of the primary and standby virtual data interaction network elements. The heartbeat submodules send heartbeat packets periodically to judge the availability of the two virtual data interaction network elements; when both are available, the virtual IP address is held by the primary virtual data interaction network element, and when the standby virtual data interaction network element does not receive the primary's heartbeat packets within the specified period, the standby virtual data interaction network element is enabled, realising automatic highly available node switching and ensuring that the first virtual interaction network element module 102 keeps operating normally.
In another embodiment of the invention, the method for detecting whether the primary and standby virtual data interaction network elements are available may also be: the first detection module 103 sends test packets to the primary and standby virtual data interaction network elements and detects whether the test packets returned by them can be received.
In another embodiment of the invention, when the primary virtual data interaction network element is available, traffic is forwarded between the cloud platform and the second defense service chain by the primary virtual data interaction network element;
when the primary virtual data interaction network element is unavailable but the standby virtual data interaction network element is available, traffic is forwarded between the cloud platform and the second defense service chain by the standby virtual data interaction network element;
when both the primary and standby virtual data interaction network elements are unavailable, the service traffic of the cloud platform is not forwarded to the entrance of the second defense service chain.
The security defense system for a cloud environment of this application has the primary and standby virtual data interaction network elements share one virtual group IP, designing a first layer of high availability at the traffic steering stage and eliminating the single point of failure risk during steering. It then constructs a virtual security network element group at each node of the first defense service chain, provisions two virtual security network elements, one primary and one standby, in each group, and connects the groups through flow entries, realising a second layer of high availability on the first defense service chain. At the same time, the first detection module 103 is provided and connected to each virtual security network element through the first detection service chain; the first detection module 103 sends test packets to judge whether each virtual security network element has failed, modifies the content of the first defense service chain on failure, and thereby switches between the primary and standby virtual security network elements. It also detects the state of the primary and standby virtual interaction network elements and, when the primary virtual interaction network element fails, modifies the return-traffic flow table of the first defense service chain to switch between the primary and standby virtual interaction network elements. This keeps services running and realises highly available serial defense; as a whole it provides automatic detection and automatic recovery with low-latency fault recovery and, with these capabilities, a complete and comprehensive highly available security protection function from the traffic steering stage through the whole resource pool.
In one embodiment of the invention, each virtual data interaction network element includes at least four virtual network ports: a service port, a serial transmit port, a serial receive port and a second management port, wherein the service port receives service traffic from the cloud platform and forwards it to the serial transmit port, and receives service traffic sent by the serial receive port and forwards it to the cloud platform; the serial transmit port receives service traffic sent by the service port and forwards it to the entrance of the first defense service chain; the serial receive port receives service traffic from the exit of the first defense service chain and forwards it to the service port; and the second management port is used to manage the virtual data interaction network element.
The virtual data interaction network element forwards the tenant traffic received on the service port to the serial transmit port, rewrites the destination MAC address of the data traffic received on the serial receive port to the MAC address of the policy-steering peer, and forwards it out of the service port, forming the service traffic link.
Taking OpenvSwitch (an open virtual switch standard) as an example: traffic with source IP 192.168.100.20 and destination IP 192.168.30.50, or with source IP 192.168.30.50 and destination IP 192.168.100.20, is to pass through a virtual security network element group on the first defense service chain. The serial transmit ports of the primary and standby virtual data interaction network elements are 1 and 3 respectively, their serial receive ports are 2 and 4, the service ingress ports of the primary and standby virtual security network elements are 50 and 52, and their service egress ports are 51 and 53. The flow entries added on the virtual switch connected to the virtual security network element group are as follows:
a) in_port=1, nw_src=192.168.100.20/32, nw_dst=192.168.30.50/32, actions=group:666
b) in_port=1, nw_src=192.168.30.50/32, nw_dst=192.168.100.20/32, actions=group:666
c) in_port=3, nw_src=192.168.100.20/32, nw_dst=192.168.30.50/32, actions=group:666
d) in_port=3, nw_src=192.168.30.50/32, nw_dst=192.168.100.20/32, actions=group:666
e) group_id=666, type=all, bucket=output:50
f) in_port=51, nw_src=192.168.100.20/32, nw_dst=192.168.30.50/32, actions=group:688
g) in_port=51, nw_src=192.168.30.50/32, nw_dst=192.168.100.20/32, actions=group:688
h) in_port=53, nw_src=192.168.100.20/32, nw_dst=192.168.30.50/32, actions=group:688
i) in_port=53, nw_src=192.168.30.50/32, nw_dst=192.168.100.20/32, actions=group:688
j) group_id=688, type=all, bucket=output:2
Flow entries a) to e) match the service traffic sent by the primary or standby virtual interaction network element with source IP 192.168.100.20 and destination IP 192.168.30.50, or source IP 192.168.30.50 and destination IP 192.168.100.20, and direct it to the group with ID 666; in group 666 the traffic is forwarded to port 50, which is the primary virtual security network element of the virtual security network element group. Flow entries f) to j) match the service traffic sent by the primary or standby virtual security network element with the same source/destination IP pairs and direct it to the group with ID 688; in group 688 the traffic is forwarded to the receive port of the primary virtual interaction network element.
In one embodiment of this invention, the first detection module 103 includes at least three virtual network port: mouth of giving out a contract for a project is received Packet mouth and third manage mouth, when carrying out state-detection to each virtual secure network element, by mouth of giving out a contract for a project to each virtual secure Network element sends test bag, and by whether can receive whether the test bag issued judges corresponding virtual secure network element from packet receiving mouth It can use.Third management mouth is for being managed the first detection module 103 and carrying out heartbeat inspection to virtual interacting network element It surveys.
In one embodiment of this invention, as shown in figure 3, the first detection module 103 can be placed in the first virtual friendship In mutual network element module 102, the monitoring to virtual secure network element is realized by the first virtual interacting network element module 102.By by first Detection module 103 is placed among the first virtual interacting network element module 102, is reduced the resource consumption of system host, is realized The unified management of component improves system global controllability.
First detection service chain sends and receives test to specified virtual secure network element for first detection module 103 Packet, construct flow table with realize to first detection module 103 give out a contract for a project mouth sending test bag match, and according to test order will Test bag leads to the ingress for service of specified virtual secure network element, still carries out to the data packet of the business outlet of virtual secure network element Matching, leads to first detection module 103 for specified test bag, to form test bag in first detection module 103 and virtual Available test loop in security network element.
For adding the state of test bag detection virtual secure network element group in OpenvSwitch, the flow entry of addition It is as follows:
k) in_port=101, nw_src=1.0.0.1/32, nw_dst=1.0.0.2/32, actions=output:50
l) in_port=101, nw_src=1.0.0.3/32, nw_dst=1.0.0.4/32, actions=output:52
m) in_port=51, nw_src=1.0.0.1/32, nw_dst=1.0.0.2/32, actions=output:102
n) in_port=53, nw_src=1.0.0.3/32, nw_dst=1.0.0.4/32, actions=output:102
Here, flow entries k) and l) forward the test packets sent by the first detection module 103 (source IP 1.0.0.1 to destination IP 1.0.0.2, and source IP 1.0.0.3 to destination IP 1.0.0.4) to the main virtual secure network element and the standby virtual secure network element respectively, and flow entries m) and n) return the test packets that have passed through the main and standby virtual secure network elements to the first detection module 103. The first detection module 103 judges whether the tested virtual secure network element is working by whether the returned test packet is received. Note that different virtual secure network elements may use different types of test packet; a WAF, for example, uses an HTTP packet. Such test-packet detection solves the problem that existing methods cannot identify a virtual secure network element that is "half dead" (the network element is powered on and started, but traffic forwarding fails).
Note that in the embodiments of the invention, whether the main and standby virtual secure network elements are available may also be detected by deploying on each of the two a heartbeat submodule that indicates whether the element itself is online. Detection by heartbeat, however, cannot distinguish the case in which a network element is half dead. Detection by the first detection module 103 and the first detection service chain accurately and effectively detects the state of each virtual secure network element, achieving high availability of the network.
The first defence service chain is implemented by configuring flow table rules in the virtual switch to which the virtual secure network elements are connected, so as to steer traffic. Each virtual secure network element group is set as a group, and the virtual secure network element groups are connected in the specified order. The connection is made by configuring flow entries in the virtual switch to which the virtual secure network elements are connected; the flow entries match and identify, by 5-tuple (source IP, source port, destination IP, destination port, protocol), the packets leaving the service egress of each virtual secure network element in the previous group, and steer the identified traffic to the service ingress of the next virtual secure network element group. By default, the service ingress of the next group is the service ingress of that group's main virtual secure network element. The ingress traffic of the first virtual secure network element group is obtained by matching and steering the traffic sent out from the serial packet-sending port of the first virtual interaction network element module 102.
In one embodiment of the invention, when the main virtual secure network element in a virtual secure network element group is available, the virtual secure network element connected into the first defence service chain is the main virtual secure network element;
when the main virtual secure network element in the group is unavailable but the standby virtual secure network element is available, the virtual secure network element connected into the first defence service chain is the standby virtual secure network element;
when both the main and standby virtual secure network elements in the group are unavailable, the first defence service chain bypasses that virtual secure network element group.
The first defence service chain steers the ingress traffic to each virtual secure network element group in turn. By default, a virtual secure network element group performs its security defence function through its main virtual secure network element; when the first detection module 103 finds the main virtual secure network element abnormal, it modifies the Group flow table of the virtual secure network element group and steers the traffic in the Group to the standby virtual secure network element, thereby achieving high availability and guaranteeing normal network communication.
Again taking the first defence service chain added in the above OpenvSwitch as an example, when the main virtual secure network element is unavailable, the above flow entry e) is modified as follows:
e) group_id=666, type=all, bucket=output:52
Once the original flow entry e) is replaced by the above flow entry, service traffic is redirected to the standby virtual secure network element whose ingress is port 52, achieving main/standby switchover.
When the main virtual data interaction network element is unavailable, the above flow entry j) is modified as follows:
j) group_id=688, type=all, bucket=output:4
Once the original flow entry j) is replaced by the above flow entry, the return traffic from the virtual secure network elements is forwarded to the standby virtual data interaction network element, achieving main/standby switchover of the virtual data interaction network elements.
In one embodiment of the invention, each virtual secure network element includes at least four virtual network ports: a service ingress, a service egress, a first management port and a dual-machine redundancy HA port. The service ingress and service egress are used for service traffic to enter and leave, the first management port is used to manage the virtual secure network element, and the HA port is used to synchronise state information between the main and standby virtual secure network elements.
In one embodiment of the invention, the security defence system further includes a management module and a network module, where:
the management module is used to create, per tenant and/or per service, the first virtual secure network element module 101, the first virtual interaction network element module 102 and the first detection module 103;
the network module is used to create, per tenant and/or per service, the first defence service chain and the first detection service chain.
In this embodiment, the security defence system steers the service traffic in the cloud platform, per tenant and/or per service, by policy routing to the first virtual interaction network element module 102 in the tenant's resource pool, and the first virtual interaction network element module 102 forwards the tenant's service traffic to the entrance of the first defence service chain.
In one example of this embodiment, the management module configures the policy-routing traffic steering, whose two end addresses are the docking IP address of the cloud platform and the virtual group IP address of the first virtual interaction network element module 102;
the first virtual interaction network element module 102 configures a flow table policy that forwards the ingress traffic of its functional port to the serial packet-sending port, and rewrites the destination MAC address of the traffic arriving on the serial packet-receiving port to the MAC address corresponding to the docking IP address of the cloud platform before forwarding it out of the functional port.
In another embodiment of the invention, the management module is also used to manage each of the other modules in the resource pool, including but not limited to communication and interaction, issuing and parsing commands, and logging.
In one embodiment of the invention, the network module is also used to organise and build the internal network interconnection of the resource pool, including but not limited to multi-machine interaction and network isolation, and to create and manage the first defence service chain and the first detection service chain, automatically switching the content of the first defence service chain according to the detection results so as to achieve automatic switchover between the main and standby virtual secure network elements.
The embodiments of the invention also provide a security defence system for a cloud environment, including a second virtual secure network element module, a second virtual interaction network element module and a second detection module, where:
the second virtual secure network element module includes one or more virtual secure network elements that perform security defence functions;
the second virtual interaction network element module includes main and standby virtual data interaction network elements that share one virtual group IP address, and is used to receive the service traffic of the cloud platform and forward it to the entrance of the second defence service chain, and to receive the service traffic at the exit of the second defence service chain and forward it to the cloud platform; the second defence service chain is a security defence circuit connecting one or more of the virtual secure network elements in a specified order;
the second detection module is used to detect, through the second detection service chain, whether the main and standby virtual data interaction network elements are available; the second detection service chain is an availability test loop connecting the second detection module and the main and standby virtual data interaction network elements.
When the security defence system for a cloud environment of this application is used, the second virtual secure network element module, the second virtual interaction network element module, the second detection module, the second defence service chain and the second detection service chain must first be configured according to the tenant's requirements. The security defence system steers the service traffic in the cloud platform, per tenant and/or per service, by policy routing to the tenant's second virtual interaction network element module in the resource pool, and the second virtual interaction network element module forwards the service traffic to the entrance of the second defence service chain; the second defence service chain steers the incoming service traffic to each virtual secure network element in turn. By default, the second virtual interaction network element module forwards service traffic through the main virtual data interaction network element, and when the second detection module finds the main virtual data interaction network element abnormal, it automatically switches to the standby virtual data interaction network element.
In one embodiment of the invention, high availability of traffic steering by the main and standby virtual data interaction network elements may be achieved with the VRRP protocol.
Note that in the embodiments of the invention, whether the main and standby virtual data interaction network elements are available may also be detected by deploying on each of the two a heartbeat submodule that indicates whether the element itself is online. Detection by heartbeat, however, cannot distinguish the case in which a network element is half dead. Detection by the second detection module and the second detection service chain accurately and effectively detects the state of each virtual data interaction network element, achieving high availability of the network. By having the main and standby virtual data interaction network elements share one virtual group IP, this application designs a first layer of high availability at the traffic-steering stage and eliminates the single-point-of-failure risk there.
In another embodiment of the invention, when the main virtual data interaction network element of the main and standby pair is available, traffic between the cloud platform and the second defence service chain is forwarded by the main virtual data interaction network element;
when the main virtual data interaction network element is unavailable but the standby virtual data interaction network element is available, traffic between the cloud platform and the second defence service chain is forwarded by the standby virtual data interaction network element;
when both the main and standby virtual data interaction network elements are unavailable, the service traffic of the cloud platform is not forwarded to the entrance of the second defence service chain.
As shown in Figure 4, the embodiments of the invention also provide a security defence method, including the following steps:
Step 401: the first virtual interaction network element module receives the service traffic of the cloud platform and forwards it to the entrance of the first defence service chain. The first defence service chain is a security defence circuit connecting one or more virtual secure network element groups in a specified order; each virtual secure network element group includes main and standby virtual secure network elements, and whether the main and standby virtual secure network elements of the group are available is detected through the first detection service chain, which is an availability test loop connecting the first detection module and the virtual secure network elements;
In one embodiment of the invention, before step 401 the method further includes:
configuring, according to the tenant's requirements, the first virtual interaction network element module, the virtual secure network element groups, the first defence service chain and the first detection service chain.
Main and standby virtual secure network elements are configured in each virtual secure network element group. As shown in Figure 1, each virtual secure network element includes at least 4 virtual network ports: a service ingress, a service egress, a first management port and an HA port. The functional ports (ingress and egress) are used for service traffic to enter and leave, the first management port is used to manage the device, and the HA port is used to synchronise the state information of the secure network elements.
Optionally, the virtual secure network elements include but are not limited to firewalls, WAFs, IPS, database firewalls, IDS, VPNs, bastion hosts and so on.
In this embodiment, as shown in Figure 2, the first virtual interaction network element module can be configured with main and standby virtual data interaction network elements, each of which is configured with at least 4 network interfaces: a functional port, a serial packet-sending port, a serial packet-receiving port and a second management port. A functional-port IP address is configured on each of the main and standby virtual data interaction network elements, a virtual IP address is configured for the virtual data interaction network element group, and the first layer of high availability of the first virtual interaction network element module is achieved with the VRRP protocol.
In another embodiment of the invention, when the main virtual data interaction network element of the main and standby pair is available, traffic between the cloud platform and the second defence service chain is forwarded by the main virtual data interaction network element;
when the main virtual data interaction network element is unavailable but the standby virtual data interaction network element is available, traffic between the cloud platform and the second defence service chain is forwarded by the standby virtual data interaction network element;
when both the main and standby virtual data interaction network elements are unavailable, the service traffic of the cloud platform is not forwarded to the entrance of the second defence service chain.
In one embodiment of the invention, the first detection module includes at least 3 virtual network ports: a packet-sending port, a packet-receiving port and a third management port. To perform state detection on each virtual secure network element, it sends a test packet to each virtual secure network element and judges whether the corresponding virtual secure network element is working by whether the sent test packet is received back.
The highly available security service chain of this application includes the first defence service chain and the first detection service chain, and provides the second layer of high availability, where:
The first defence service chain is implemented by configuring flow table rules in the virtual switch to which the virtual secure network elements are connected, so as to steer traffic. Each virtual secure network element group is set as a group, and the virtual secure network element groups are connected in the specified order. The connection is made by configuring flow entries in the virtual switch to which the virtual secure network elements are connected; the flow entries match and identify, by 5-tuple (source IP, source port, destination IP, destination port, protocol), the packets leaving the service egress of each virtual secure network element in the previous group, and steer the identified traffic to the service ingress of the next virtual secure network element group. By default, the service ingress of the next group is the service ingress of that group's main virtual secure network element. The ingress traffic of the first virtual secure network element group is obtained by matching and steering the traffic sent out from the serial packet-sending port of the first virtual interaction network element module.
Take as an example adding, in OpenvSwitch, the traffic with source IP 192.168.100.20 and destination IP 192.168.30.50, or with source IP 192.168.30.50 and destination IP 192.168.100.20, to a service chain passing through one virtual secure network element group, where the serial packet-sending ports of the main and standby virtual data interaction network elements are 1 and 3 respectively, their serial packet-receiving ports are 2 and 4, the service ingresses of the main and standby virtual secure network elements are 50 and 52, and their service egresses are 51 and 53. The flow entries added are as follows:
a) in_port=1, nw_src=192.168.100.20/32, nw_dst=192.168.30.50/32, actions=group:666
b) in_port=1, nw_src=192.168.30.50/32, nw_dst=192.168.100.20/32, actions=group:666
c) in_port=3, nw_src=192.168.100.20/32, nw_dst=192.168.30.50/32, actions=group:666
d) in_port=3, nw_src=192.168.30.50/32, nw_dst=192.168.100.20/32, actions=group:666
e) group_id=666, type=all, bucket=output:50
f) in_port=51, nw_src=192.168.100.20/32, nw_dst=192.168.30.50/32, actions=group:688
g) in_port=51, nw_src=192.168.30.50/32, nw_dst=192.168.100.20/32, actions=group:688
h) in_port=53, nw_src=192.168.100.20/32, nw_dst=192.168.30.50/32, actions=group:688
i) in_port=53, nw_src=192.168.30.50/32, nw_dst=192.168.100.20/32, actions=group:688
j) group_id=688, type=all, bucket=output:2
Here, flow entries a) to e) match the service traffic issued by the main or standby virtual interaction network element with source IP 192.168.100.20 and destination IP 192.168.30.50, or with source IP 192.168.30.50 and destination IP 192.168.100.20, set its group ID to 666 and look up group 666, which forwards the traffic to port 50; port 50 is the main virtual secure network element of the virtual secure network element group. Flow entries f) to j) match the service traffic issued by the main or standby virtual secure network element with source IP 192.168.100.20 and destination IP 192.168.30.50, or with source IP 192.168.30.50 and destination IP 192.168.100.20, set its group ID to 688 and look up group 688, which forwards the traffic to the receiving port of the main virtual interaction network element.
The first detection service chain is used by the first detection module to send test packets to, and receive them back from, a specified virtual secure network element. A flow table is constructed that matches the test packets sent out from the packet-sending port of the first detection module and, according to the test order, steers them to the service ingress of the specified virtual secure network element; the packets at the service egress of the virtual secure network element are likewise matched and the specified test packets are steered back to the first detection module, so that a test loop is formed between the first detection module and the virtual secure network element.
Taking the addition, in OpenvSwitch, of test-packet detection of the state of a virtual secure network element group as an example, the flow entries added are as follows:
k) in_port=101, nw_src=1.0.0.1/32, nw_dst=1.0.0.2/32, actions=output:50
l) in_port=101, nw_src=1.0.0.3/32, nw_dst=1.0.0.4/32, actions=output:52
m) in_port=51, nw_src=1.0.0.1/32, nw_dst=1.0.0.2/32, actions=output:102
n) in_port=53, nw_src=1.0.0.3/32, nw_dst=1.0.0.4/32, actions=output:102
Here, flow entries k) and l) forward the test packets sent by the first detection module (source IP 1.0.0.1 to destination IP 1.0.0.2, and source IP 1.0.0.3 to destination IP 1.0.0.4) to the main virtual secure network element and the standby virtual secure network element respectively, and flow entries m) and n) return the test packets that have passed through the main and standby virtual secure network elements to the first detection module. The first detection module judges whether the tested virtual secure network element is working by whether the returned test packet is received. Note that different virtual secure network elements may use different types of test packet; a WAF, for example, uses an HTTP packet. Such test-packet detection solves the problem that existing methods cannot identify a virtual secure network element that is half dead (the network element is powered on and started, but traffic forwarding fails).
In one embodiment of the invention, as shown in Figure 3, the first detection module may be placed inside the first virtual interaction network element module, and the monitoring of the virtual secure network elements is then carried out by the first virtual interaction network element module. Placing the first detection module inside the first virtual interaction network element module reduces the resource consumption of the system host, achieves unified management of the components and improves the overall controllability of the system.
In one embodiment of the invention, achieving high availability of traffic steering by the first virtual interaction network element module with the VRRP protocol further includes configuring a heartbeat module in the first virtual interaction network element module. The heartbeat module periodically sends heartbeat packets to judge the availability of the main and standby virtual data interaction network elements in the first virtual interaction network element module. When both are available, the virtual IP address is served by the main virtual data interaction network element; when the standby virtual data interaction network element does not receive a heartbeat packet from the main virtual data interaction network element within the predetermined period, the function of the standby virtual data interaction network element is enabled, achieving automatic high-availability node switchover and guaranteeing normal operation of the virtual data exchange function.
The first defence service chain of this application steers the ingress traffic to each virtual secure network element group in turn. By default, a virtual secure network element group performs its security defence function through its main virtual secure network element, and when the first detection module finds the main virtual secure network element abnormal, traffic is automatically switched to the standby virtual secure network element;
Under the action of the first defence service chain, the tenant's traffic is steered to each virtual secure network element group in turn, and by default the security defence function is performed by the main virtual secure network element in each group. When the first detection module detects, through the first detection service chain, that the main virtual secure network element has a network fault, the flow entries are modified to switch the traffic automatically from the main virtual secure network element to the standby virtual secure network element.
Taking again the OpenvSwitch example above, in which the traffic with source IP 192.168.100.20 and destination IP 192.168.30.50, or with source IP 192.168.30.50 and destination IP 192.168.100.20, passes through the service chain of one virtual secure network element group, when the main virtual secure network element is unavailable the flow entry is modified as follows:
e) group_id=666, type=all, bucket=output:52
Once the original flow entry e) is replaced by the above flow entry, traffic is forwarded to the standby virtual secure network element whose ingress is port 52, achieving main/standby switchover.
When the main virtual data interaction network element is unavailable, the above flow entry j) is modified as follows:
j) group_id=688, type=all, bucket=output:4
Former flow table j) is revised as above-mentioned flow table, virtual secure network element return flow is forwarded to standby virtual data interactive network Member realizes the active-standby switch of virtual data interaction network element.
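As an added example (not code from the patent), the following Python model reproduces the flow entries a) to n) and groups 666/688 listed above, runs the test-packet loop of the first detection service chain against simulated main and standby secure network elements, and rewrites the group buckets the way entries e) and j) are modified on failover; the port numbers and addresses are the page's, while the simulated network elements and the heartbeat comparison are assumptions made for the demonstration.

```python
from dataclasses import dataclass, field

# Port numbers from the page: interaction NE serial send ports 1/3 and receive ports 2/4,
# secure NE service ingress 50/52 and egress 51/53, detector send/receive ports 101/102.
MAIN_SEND, STANDBY_SEND = 1, 3
MAIN_RECV, STANDBY_RECV = 2, 4
MAIN_IN, STANDBY_IN = 50, 52
MAIN_OUT, STANDBY_OUT = 51, 53
DET_SEND, DET_RECV = 101, 102
TENANT_A, TENANT_B = "192.168.100.20", "192.168.30.50"


@dataclass
class Packet:
    in_port: int
    nw_src: str
    nw_dst: str


@dataclass
class Switch:
    """Minimal stand-in (constructed for this example) for the OpenvSwitch tables."""
    # flow table: (in_port, nw_src, nw_dst) -> ("group", id) or ("output", port)
    flows: dict = field(default_factory=dict)
    # group table: group_id -> bucket output port (type=all with one bucket)
    groups: dict = field(default_factory=dict)
    # simulated secure NEs: ingress port -> (egress port, powered on, forwards traffic)
    elements: dict = field(default_factory=dict)

    def add_flow(self, in_port, src, dst, action):
        self.flows[(in_port, src, dst)] = action

    def lookup(self, pkt):
        """Resolve one flow-table hit to an output port, following group indirection."""
        action = self.flows.get((pkt.in_port, pkt.nw_src, pkt.nw_dst))
        if action is None:
            return None                        # no matching entry: packet dropped
        kind, value = action
        return self.groups[value] if kind == "group" else value

    def deliver(self, pkt):
        """Forward a packet to its final port. A packet landing on a secure NE ingress
        is passed through that NE (or dropped if the NE is half dead) and re-enters
        the switch from the NE egress, as the chained flow entries expect."""
        port = self.lookup(pkt)
        if port in self.elements:
            egress, powered, forwards = self.elements[port]
            if not (powered and forwards):
                return None
            return self.deliver(Packet(egress, pkt.nw_src, pkt.nw_dst))
        return port


def build_switch():
    """Install entries a) to n) and groups 666 / 688 exactly as listed on the page."""
    sw = Switch()
    for p in (MAIN_SEND, STANDBY_SEND):            # a) to d)
        sw.add_flow(p, TENANT_A, TENANT_B, ("group", 666))
        sw.add_flow(p, TENANT_B, TENANT_A, ("group", 666))
    sw.groups[666] = MAIN_IN                       # e) bucket=output:50
    for p in (MAIN_OUT, STANDBY_OUT):              # f) to i)
        sw.add_flow(p, TENANT_A, TENANT_B, ("group", 688))
        sw.add_flow(p, TENANT_B, TENANT_A, ("group", 688))
    sw.groups[688] = MAIN_RECV                     # j) bucket=output:2
    sw.add_flow(DET_SEND, "1.0.0.1", "1.0.0.2", ("output", MAIN_IN))      # k)
    sw.add_flow(DET_SEND, "1.0.0.3", "1.0.0.4", ("output", STANDBY_IN))   # l)
    sw.add_flow(MAIN_OUT, "1.0.0.1", "1.0.0.2", ("output", DET_RECV))     # m)
    sw.add_flow(STANDBY_OUT, "1.0.0.3", "1.0.0.4", ("output", DET_RECV))  # n)
    # constructed state: both secure NEs start powered on and forwarding
    sw.elements = {MAIN_IN: (MAIN_OUT, True, True), STANDBY_IN: (STANDBY_OUT, True, True)}
    return sw


def heartbeat_alive(sw, ingress):
    """What a heartbeat submodule on the NE would report: only that it is powered on,
    which is why heartbeats cannot tell a half-dead NE from a healthy one."""
    return sw.elements[ingress][1]


def probe(sw, element):
    """First detection service chain: the NE is usable only if the test packet sent
    from port 101 comes back on port 102 (entries k)/m) for main, l)/n) for standby)."""
    src, dst = ("1.0.0.1", "1.0.0.2") if element == "main" else ("1.0.0.3", "1.0.0.4")
    return sw.deliver(Packet(DET_SEND, src, dst)) == DET_RECV


def secure_ne_failover(sw):
    """Rewrite group 666 the way entry e) is modified: bucket=output:52 when only the
    standby passes the probe, output:50 again once the main NE is healthy."""
    main_ok, standby_ok = probe(sw, "main"), probe(sw, "standby")
    if main_ok:
        sw.groups[666] = MAIN_IN
    elif standby_ok:
        sw.groups[666] = STANDBY_IN
    return sw.groups[666]


def interaction_ne_failover(sw, main_available):
    """Rewrite group 688 the way entry j) is modified: return traffic to receive port 2
    of the main interaction NE, or port 4 of the standby when the main is down."""
    sw.groups[688] = MAIN_RECV if main_available else STANDBY_RECV
    return sw.groups[688]
```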
Step 402: the first virtual interacting network element module receives the service traffics of the first defence service chaining outlet, and is forwarded to Cloud platform.
The application can be led to tenant's business datum in cloud platform in resource pool by tenant by policybased routing mode The first virtual interacting network element module of the tenant, first virtual interacting network element module forwards tenant's flow to the first defence service The traffic ingress of chain.When configuration strategy is routed and drained, the first virtual interacting network element module is docked with cloud platform, secure resources pond It provides and receives flow IP, in the present embodiment, configure a first virtual interacting network element module for each tenant, each first is empty Quasi- interactive network element module externally provides a virtual group IP, distinguishes tenant using virtual group IP and receives policybased routing drainage number According to.Meanwhile configuring cloud platform in the first virtual interacting network element module and docking IP, realizing will protect return flow to return in resource pool It is back in cloud platform.
The embodiment of the invention also provides a kind of safety defense methods, comprising:
Second virtual interacting network element module receives the service traffics of cloud platform, and is forwarded to the second defence service chaining entrance, The second defence service chaining be according to the Prevention-Security circuit of specified one or more virtual secure network elements that are linked in sequence, The second virtual interacting network element module includes the active and standby two virtual datas interaction network element for sharing a virtual group IP address, is led to Cross whether the second detection service chain detection active and standby two virtual datas interaction network element can be used, the second detection service chain is Connect the available test loop of the second detection module and active and standby two virtual datas interaction network element;
Second virtual interacting network element module receives the service traffics of the second defence service chaining outlet, and is forwarded to cloud platform.
In one embodiment of this invention, when the main virtual data interaction in active and standby two virtual datas interaction network element When network element can be used, flow is carried out between cloud platform and the second defence service chaining by the main virtual data interaction network element Forwarding;
When the main virtual data interaction network element in active and standby two virtual datas interaction network element is unavailable but counts for virtual According to interaction network element can with when, by the standby virtual data interaction network element between cloud platform and the second defence service chaining into The forwarding of row flow;
When the interactive network element of active and standby two virtual datas is unavailable, the service traffics of cloud platform institute is not forwarded to State the second defence service chaining entrance.
When using the safety defense method of the application, it is necessary first to configure the second virtual secure network element according to tenant's demand Module, the second virtual interacting network element module, the second detection module, the second defence service chaining and the second detection service chain.The peace Full defence method is by the service traffics in cloud platform are by tenant and/or led in resource pool by business by policybased routing mode should The second virtual interacting network element module of tenant, the second virtual interacting network element module forwards service traffics to the second defence service chaining Entrance;The service traffics of entrance are led to each virtual secure network element by the second defence service chaining step by step, default the second virtual interacting Network element module realizes service traffics forwarding capability by main virtual data interaction network element, when the second detection module finds main virtual data After interaction network element exception, standby virtual data interaction network element is automatically switched to.
In one embodiment of this invention, the interaction network element of active and standby two virtual datas described in VRRP protocol realization can be passed through Draw the High Availabitity of flow.
It should be noted that whether detect active and standby two virtual datas interaction network element in the embodiment of the present invention available Method, can also be by the way that respectively whether online for deployment if being used to indicate itself on active and standby two virtual datas interaction network element The method of heartbeat submodule is detected.But detected by the method for heartbeat detection, it is false cannot to differentiate that egress occurs Dead situation.It is detected by the second detection module and the second detection service chain, can accurately and effectively detect each void The state of quasi- virtual data interaction network element, to realize the high availability of network.The application is handed over by active and standby two virtual datas One virtual group IP of mutual network-element share, designs 1 layer of High Availabitity ability at drainage, eliminates Single Point of Faliure risk when drainage.
The embodiment of the invention also provides a kind of computer readable storage medium, deposited on the computer readable storage medium One or more program is contained, one or more of programs can be executed by one or more processor, to realize such as The step of safety defense method described in any of the above item.
An embodiment of the invention also provides a security defence system for a cloud environment comprising a processor and a memory, the processor being configured to execute the program stored in the memory to implement the steps of the security defence method for a cloud environment described in any of the above items.
The security defence method and system and the computer-readable storage medium disclosed by the embodiments of the invention first configure a virtual interaction network element module (the first or the second virtual interaction network element module) for each tenant, then configure the corresponding virtual security network element groups, defence service chain (first or second defence service chain) and detection service chain (first or second detection service chain) according to the tenant's security requirements, and then configure policy routing that steers the tenant's traffic to the virtual interaction network element module in the cloud security resource pool; the virtual interaction network element module in turn steers the traffic, via the defence service chain, through each virtual security network element group in order, achieving serial protection. The whole process implements a two-layer high-availability defence method. At the virtual interaction network element module a virtual group IP is configured and, based on VRRP, the first layer, high availability of the virtual data interaction network elements, is achieved, giving high availability of traffic steering. The second layer is achieved by the high-availability defence service chain: the high-availability security service chain of the application is divided into a defence service chain and a detection service chain; the defence service chain connects each virtual security network element group in series, and the detection service chain monitors the availability of each virtual security network element. When the active virtual security network element that a group uses by default fails, traffic is automatically forwarded to the standby virtual security network element, achieving the second layer of high availability for defence. In this way, a comprehensive high-availability security protection function covering the whole resource pool is completed starting from traffic steering, and validity checks of each virtual security network element are achieved through the detection module (the first or the second detection module), solving the "false-dead" problem that existing schemes cannot identify; at the same time, an automated high-availability scheme is realised on the basis of the detection module, ensuring normal business operation and achieving low-latency fault recovery under the above capabilities.
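As an added illustration that is not part of the patent or of any product it describes, the following Python simulates the two-layer high-availability logic just summarised (and recited in claims 2 and 10): probe-based detection through a detection service chain that catches a "false-dead" element a heartbeat alone would miss, active/standby selection per virtual security network element group with bypass when both fail, and the active/standby data-interaction pair that steers traffic into and out of the defence chain. All element names and states are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VirtualElement:
    """One virtual network element (security NE or data-interaction NE).
    heartbeat_online: what a self-reported heartbeat submodule would say.
    forwards_probe: whether a test packet sent via the detection chain returns."""
    name: str
    heartbeat_online: bool = True
    forwards_probe: bool = True

    def probe(self) -> bool:
        """Detection-chain check: send a test packet and see if it comes back."""
        return self.forwards_probe


def false_dead(elem: VirtualElement) -> bool:
    """The 'false-dead' case: heartbeat still says online but the probe fails.
    A heartbeat-only detector would keep traffic on this element."""
    return elem.heartbeat_online and not elem.probe()


@dataclass
class ActiveStandbyGroup:
    """An active/standby pair: one security NE group in the defence chain, or
    the pair of data-interaction NEs behind the shared virtual group IP."""
    kind: str
    active: VirtualElement
    standby: VirtualElement

    def select(self) -> Optional[VirtualElement]:
        """Active if available, else standby, else None (pair unusable)."""
        if self.active.probe():
            return self.active
        if self.standby.probe():
            return self.standby
        return None


def build_path(steer: ActiveStandbyGroup,
               chain: List[ActiveStandbyGroup]) -> List[str]:
    """Ordered hops tenant traffic takes from the cloud platform through the
    defence chain and back. An empty list means neither data-interaction NE
    is usable, so traffic is not forwarded into the chain at all."""
    via = steer.select()
    if via is None:
        return []
    path = [via.name]
    for group in chain:
        chosen = group.select()
        # both NEs of a security group down -> the chain bypasses that group
        path.append(chosen.name if chosen else f"bypass:{group.kind}")
    path.append(via.name)  # the chain exit returns through the same NE
    return path


def sample_scenario():
    """Constructed sample state (not measurements from any real deployment):
    the active data-interaction NE is false-dead, the IPS active NE is down,
    and both NEs of the IDS group fail their probes."""
    steer = ActiveStandbyGroup(
        "vdi",
        VirtualElement("vdi-active", heartbeat_online=True, forwards_probe=False),
        VirtualElement("vdi-standby"))
    chain = [
        ActiveStandbyGroup("fw", VirtualElement("fw-active"),
                           VirtualElement("fw-standby")),
        ActiveStandbyGroup("ips", VirtualElement("ips-active", False, False),
                           VirtualElement("ips-standby")),
        ActiveStandbyGroup("ids", VirtualElement("ids-active", False, False),
                           VirtualElement("ids-standby", True, False)),
    ]
    return steer, chain
```

Calling `build_path(*sample_scenario())` yields the hop list `vdi-standby, fw-active, ips-standby, bypass:ids, vdi-standby`, while `false_dead` flags `vdi-active` even though its heartbeat still reports it online.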
Those of ordinary skill in the art will appreciate that all or some of the steps of the above method may be completed by a program instructing the relevant hardware, and that the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or some of the steps of the above embodiments may also be implemented with one or more integrated circuits; correspondingly, each module/unit in the above embodiments may be implemented in the form of hardware or in the form of a software functional module. The invention is not limited to any particular combination of hardware and software.
The foregoing is only a preferred embodiment of the invention and is not intended to limit it; those skilled in the art may modify and vary the invention in many ways. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included in the scope of protection of the invention.

Claims (14)

1. A security defence system for a cloud environment, characterised in that it comprises a first virtual security network element module, a first virtual interaction network element module and a first detection module, wherein:
the first virtual security network element module comprises one or more virtual security network element groups for realising security defence functions, each virtual security network element group comprising an active and a standby virtual security network element;
the first virtual interaction network element module is configured to receive service traffic of the cloud platform and forward it to the entrance of a first defence service chain, and to receive service traffic from the exit of the first defence service chain and forward it to the cloud platform, the first defence service chain being a security defence circuit that connects one or more of the virtual security network element groups in a specified order;
the first detection module is configured to detect, via a first detection service chain, whether the active and standby virtual security network elements in a virtual security network element group are available, the first detection service chain being an availability test loop connecting the first detection module and the virtual security network elements.
2. The security defence system according to claim 1, characterised in that when the active virtual security network element in a virtual security network element group is available, the virtual security network element connected into the first defence service chain is the active virtual security network element;
when the active virtual security network element in the group is unavailable but the standby virtual security network element is available, the virtual security network element connected into the first defence service chain is the standby virtual security network element;
when both the active and the standby virtual security network element in the group are unavailable, the first defence service chain bypasses that virtual security network element group.
3. The security defence system according to claim 1, characterised in that each virtual security network element comprises at least four virtual network ports: a service ingress port, a service egress port, a first management port and a dual-machine redundancy (HA) port, wherein the service ingress and egress ports are used for service traffic to enter and leave, the first management port is used for managing the virtual security network element, and the HA port is used for synchronising state information between the active and standby virtual security network elements.
4. The security defence system according to claim 1, characterised in that the first virtual interaction network element module comprises an active and a standby virtual data interaction network element, the two sharing one virtual group Internet Protocol (IP) address.
5. The security defence system according to claim 4, characterised in that the method of detecting whether the active and standby virtual data interaction network elements are available comprises:
the first detection module sending a test packet to the active and standby virtual data interaction network elements and detecting whether the test packet returned by each of them is received; or,
deploying on each of the active and standby virtual data interaction network elements a heartbeat module that indicates whether the element itself is online.
6. The security defence system according to claim 4, characterised in that each virtual data interaction network element comprises at least four virtual network ports: a functional port, a serial transmit port, a serial receive port and a second management port, wherein the functional port is used to receive service traffic from the cloud platform and forward it to the serial transmit port, and to receive service traffic sent by the serial receive port and forward it to the cloud platform; the serial transmit port is used to receive the service traffic sent by the functional port and forward it to the entrance of the first defence service chain; the serial receive port is used to receive the service traffic from the exit of the first defence service chain and forward it to the functional port; and the second management port is used to manage the virtual data interaction network element.
7. The security defence system according to claim 1, characterised in that the virtual security network elements include at least one of: a firewall, an intrusion prevention system (IPS), an intrusion detection system (IDS), a virtual private network (VPN) and a bastion host.
8. The security defence system according to any one of claims 1 to 7, characterised in that it further comprises a management module and a network module, wherein:
the management module is configured to create, per tenant and/or per service, the first virtual security network element module, the first virtual interaction network element module and the first detection module;
the network module is configured to create, per tenant and/or per service, the first defence service chain and the first detection service chain.
9. A security defence system for a cloud environment, characterised in that it comprises a second virtual security network element module, a second virtual interaction network element module and a second detection module, wherein:
the second virtual security network element module comprises one or more virtual security network elements for realising security defence functions;
the second virtual interaction network element module comprises an active and a standby virtual data interaction network element sharing one virtual group IP address, and is configured to receive service traffic of the cloud platform and forward it to the entrance of a second defence service chain, and to receive service traffic from the exit of the second defence service chain and forward it to the cloud platform, the second defence service chain being a security defence circuit that connects one or more of the virtual security network elements in a specified order;
the second detection module is configured to detect, via a second detection service chain, whether the active and standby virtual data interaction network elements are available, the second detection service chain being an availability test loop connecting the second detection module and the active and standby virtual data interaction network elements.
10. The security defence system according to claim 9, characterised in that when the active virtual data interaction network element of the active and standby pair is available, traffic is forwarded between the cloud platform and the second defence service chain through the active virtual data interaction network element;
when the active virtual data interaction network element of the pair is unavailable but the standby virtual data interaction network element is available, traffic is forwarded between the cloud platform and the second defence service chain through the standby virtual data interaction network element;
when both the active and the standby virtual data interaction network element are unavailable, the service traffic of the cloud platform is not forwarded to the entrance of the second defence service chain.
11. A security defence method for a cloud environment, characterised in that it comprises:
a first virtual interaction network element module receiving service traffic of a cloud platform and forwarding it to the entrance of a first defence service chain, the first defence service chain being a security defence circuit that connects one or more virtual security network element groups in a specified order, each virtual security network element group comprising an active and a standby virtual security network element, and detecting via a first detection service chain whether the active and standby virtual security network elements in the group are available, the first detection service chain being an availability test loop connecting a first detection module and the virtual security network elements;
the first virtual interaction network element module receiving the service traffic from the exit of the first defence service chain and forwarding it to the cloud platform.
12. A security defence method for a cloud environment, characterised in that it comprises:
a second virtual interaction network element module receiving service traffic of a cloud platform and forwarding it to the entrance of a second defence service chain, the second defence service chain being a security defence circuit that connects one or more virtual security network elements in a specified order, the second virtual interaction network element module comprising an active and a standby virtual data interaction network element sharing a virtual group IP address, and detecting via a second detection service chain whether the active and standby virtual data interaction network elements are available, the second detection service chain being an availability test loop connecting a second detection module and the active and standby virtual data interaction network elements;
the second virtual interaction network element module receiving the service traffic from the exit of the second defence service chain and forwarding it to the cloud platform.
13. A computer-readable storage medium, characterised in that one or more programs are stored on the computer-readable storage medium, the one or more programs being executable by one or more processors to implement the steps of the security defence method for a cloud environment according to any one of claims 11 to 12.
14. A security defence system for a cloud environment, characterised in that it comprises a processor and a memory, the processor being configured to execute a program stored in the memory to implement the steps of the security defence method for a cloud environment according to any one of claims 11 to 12.
CN201910182074.4A 2019-03-11 2019-03-11 Security defend method and system, computer readable storage medium for cloud environment Pending CN109981355A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910182074.4A CN109981355A (en) 2019-03-11 2019-03-11 Security defend method and system, computer readable storage medium for cloud environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910182074.4A CN109981355A (en) 2019-03-11 2019-03-11 Security defend method and system, computer readable storage medium for cloud environment

Publications (1)

Publication Number Publication Date
CN109981355A true CN109981355A (en) 2019-07-05

Family

ID=67078455

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910182074.4A Pending CN109981355A (en) 2019-03-11 2019-03-11 Security defend method and system, computer readable storage medium for cloud environment

Country Status (1)

Country Link
CN (1) CN109981355A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110311838A (en) * 2019-07-24 2019-10-08 北京神州绿盟信息安全科技股份有限公司 A kind of method and device of security service traffic statistics
CN110365577A (en) * 2019-07-24 2019-10-22 北京神州绿盟信息安全科技股份有限公司 A kind of drainage system in secure resources pond
CN111131319A (en) * 2019-12-30 2020-05-08 北京天融信网络安全技术有限公司 Security capability expansion method and device, electronic equipment and storage medium
CN111147449A (en) * 2019-12-09 2020-05-12 杭州迪普科技股份有限公司 Method, device, system, equipment and medium for testing packet filtering strategy
CN112187533A (en) * 2020-09-18 2021-01-05 北京浪潮数据技术有限公司 Virtual network equipment defense method, device, electronic equipment and medium
CN113810348A (en) * 2020-06-17 2021-12-17 华为技术有限公司 Network security detection method, system, equipment and controller
CN114070639A (en) * 2021-11-19 2022-02-18 北京天融信网络安全技术有限公司 Message secure forwarding method and device and network security equipment
CN115484208A (en) * 2022-09-16 2022-12-16 杭州安恒信息技术股份有限公司 Distributed drainage system and method based on cloud security resource pool

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105337971A (en) * 2015-10-20 2016-02-17 上海电机学院 Electric power information system cloud safety guarantee system and implementation method thereof
CN106612312A (en) * 2015-10-23 2017-05-03 中兴通讯股份有限公司 Virtualized data center scheduling system and method
CN106789542A (en) * 2017-03-03 2017-05-31 清华大学 A kind of implementation method of cloud data center security service chain
CN107566440A (en) * 2016-06-30 2018-01-09 丛林网络公司 The automatic discovery that is serviced in the network environment of software definition and automatic scalable
CN108199958A (en) * 2017-12-29 2018-06-22 深信服科技股份有限公司 A kind of general secure resources pond service chaining realization method and system
CN108234223A (en) * 2018-04-19 2018-06-29 郑州云海信息技术有限公司 A kind of security service design method of data center's total management system


Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110311838A (en) * 2019-07-24 2019-10-08 北京神州绿盟信息安全科技股份有限公司 A kind of method and device of security service traffic statistics
CN110365577A (en) * 2019-07-24 2019-10-22 北京神州绿盟信息安全科技股份有限公司 A kind of drainage system in secure resources pond
CN110311838B (en) * 2019-07-24 2021-05-04 绿盟科技集团股份有限公司 Method and device for counting safety service flow
CN110365577B (en) * 2019-07-24 2021-10-15 绿盟科技集团股份有限公司 Drainage system of safety resource pool and safety inspection method
CN111147449A (en) * 2019-12-09 2020-05-12 杭州迪普科技股份有限公司 Method, device, system, equipment and medium for testing packet filtering strategy
CN111131319A (en) * 2019-12-30 2020-05-08 北京天融信网络安全技术有限公司 Security capability expansion method and device, electronic equipment and storage medium
CN113810348A (en) * 2020-06-17 2021-12-17 华为技术有限公司 Network security detection method, system, equipment and controller
CN113810348B (en) * 2020-06-17 2023-04-07 华为技术有限公司 Network security detection method, system, equipment and controller
CN112187533A (en) * 2020-09-18 2021-01-05 北京浪潮数据技术有限公司 Virtual network equipment defense method, device, electronic equipment and medium
CN114070639A (en) * 2021-11-19 2022-02-18 北京天融信网络安全技术有限公司 Message secure forwarding method and device and network security equipment
CN114070639B (en) * 2021-11-19 2024-04-23 北京天融信网络安全技术有限公司 Message security forwarding method and device and network security equipment
CN115484208A (en) * 2022-09-16 2022-12-16 杭州安恒信息技术股份有限公司 Distributed drainage system and method based on cloud security resource pool

Similar Documents

Publication Publication Date Title
CN109981355A (en) Security defend method and system, computer readable storage medium for cloud environment
US11716265B2 (en) Anomaly detection and reporting in a network assurance appliance
CN106375384B (en) The management system and control method of image network flow in a kind of virtual network environment
US10158533B2 (en) System and method for base topology selection
US9942623B2 (en) Data center network architecture
US9204207B2 (en) Hierarchy of control in a data center network
US9301026B2 (en) Affinity modeling in a data center network
CN104468181B (en) The detection and processing of virtual network device failure
CN1761240B (en) Intelligent integrated network security device for high-availability applications
CN107210959A (en) Router logic with multiple route parts
CN104025513B (en) Apparatus and method for the control level in data center network
CN103493434B (en) Fault protecting method and fail-safe system in multiple-domain network
CN109644157A (en) Use the fringe node cluster network redundancy and fast convergence of bottom anycast VTEP IP
CN108353006A (en) Non-invasive methods for testing and dissecting network service function
CN107852368A (en) Highly usable service chaining for network service
CN106953788A (en) A kind of Virtual Network Controller and control method
CN107395445A (en) The network architecture with middleboxes
CN101981560A (en) Load-balancing bridge cluster for network node
CN107077579A (en) Stateful service on stateless cluster edge
CN106850459A (en) A kind of method and device for realizing virtual network load balancing
CN109981613A (en) A kind of flow rate testing methods and resource pool system for cloud environment
CN107181623A (en) Information network equipment fault handling method and device
Wang et al. Efficient network security policy enforcement with policy space analysis
CN109889533A (en) Security defend method and system, computer readable storage medium under cloud environment
CN107659582A (en) A kind of depth defense system for successfully managing APT attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190705
