CN114499970B - Network security service configuration method and device and electronic equipment - Google Patents


Info

Publication number
CN114499970B
Authority
CN
China
Prior art keywords
address
rule
firewall
crd
request message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111617972.1A
Other languages
Chinese (zh)
Other versions
CN114499970A (en)
Inventor
阮兆银
李永隆
吴建国
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianyi Cloud Technology Co Ltd
Original Assignee
Tianyi Cloud Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianyi Cloud Technology Co Ltd
Priority to CN202111617972.1A
Publication of CN114499970A
Application granted
Publication of CN114499970B
Legal status: Active

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0263Rule management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/50Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network security service configuration method comprising the following steps: when an application service created by any user is obtained, a firewall CRD rule resource corresponding to the application service is generated according to a preset black-and-white list configuration rule; when the firewall CRD rule resource is detected, it is judged whether the application service corresponding to the firewall CRD rule resource is deployed to a local container; when the application service corresponding to the firewall CRD rule resource is deployed to the local container, the firewall CRD rule resource is written into the kernel module through the ct_filter tool. With this method, the firewall black-and-white list configuration rules on each host are defined programmably as a K8S operator, the configuration rules are deployed on the designated K8S node, the K8S operator drives the firewall configuration to its desired final state by updating and refreshing it, the firewall configuration follows the working nodes on which the application service's containers are deployed, and the configuration method has greater flexibility and extensibility.

Description

Network security service configuration method and device and electronic equipment
Technical Field
The present invention relates to the field of big data analysis technologies, and in particular, to a network security service configuration method, a device, and an electronic device.
Background
Maintaining host firewall rules with iptables commands in a k8s environment has three problems. First, when the number of iptables entries used by applications and of firewall entries on the machine is large, operations conflict with some probability; after such a conflict the firewall background service may become abnormal, or the network rules of the kube-proxy daemon container may be lost, which ultimately causes service abnormality for external requests to the machine. Second, the distribution entry of the container network shunt in the protocol stack's netfilter framework comes earlier than the firewall's filtering entry, so packets entering the container network cannot be effectively managed and controlled by the firewall. Third, k8s performs unified scheduling of virtualization and services across working nodes; stateless or stateful application services deployed through it may drift across different working nodes, which also makes the firewall rules for exposed services difficult to maintain manually.
Disclosure of Invention
Therefore, the technical problem to be solved by the invention is to overcome the defects that the existing host firewall collides with the k8s component, the host firewall cannot manage the container network message, and the firewall rule cannot follow the destination node scheduled by the k8s, so as to provide a network security service configuration method, a network security service configuration device and electronic equipment.
According to a first aspect, an embodiment of the present invention discloses a network security service configuration method, including: when an application service created by any user is obtained, generating a firewall CRD rule resource corresponding to the application service according to a preset black-and-white list configuration rule; when the firewall CRD rule resource is monitored, judging whether the application service corresponding to the firewall CRD rule resource is deployed to a local container or not; when the application service corresponding to the firewall CRD rule resource is deployed to the local container, the firewall CRD rule resource is written into the kernel module through the ct_filter tool.
Optionally, after the application service corresponding to the firewall CRD rule resource is deployed to the native container and the firewall CRD rule resource is written into the kernel module through the ct_filter tool, the method further includes: when a service request message of a client is received, matching the service request message with a firewall CRD rule written in the kernel module; and determining whether the service request message of the client is released or discarded according to the matching result.
Optionally, matching the service request packet with the firewall CRD rule written in the kernel module includes: parsing the service request message of the client to obtain the IP address of the client; matching the IP address with a preset blacklist rule; when the IP address matches a preset blacklist rule, intercepting the service request message corresponding to the IP address; when the IP address does not match a preset blacklist rule, judging whether the IP address is in an ESTABLISHED state; when the IP address is in an ESTABLISHED state, sending the service request message corresponding to the IP address to the next hook point of Netfilter; when the IP address is not in the ESTABLISHED state, matching the IP address with a preset white list rule; when the IP address does not match a preset white list rule, discarding the service request message corresponding to the IP address; and when the IP address matches a preset white list rule, sending the service request message corresponding to the IP address to the next hook point of Netfilter.
Optionally, determining whether the IP address is in an ESTABLISHED state includes: determining whether the IP address is in a connection state according to the conntrack table; when the IP address is in a connection state, the IP address is in an ESTABLISHED state.
Optionally, determining whether the IP address is in a connection state according to the conntrack table includes: when conntrack is not started, sending the service request message corresponding to the IP address to the next hook point of Netfilter.
According to a second aspect, the embodiment of the invention also discloses a network security service configuration device, which comprises: the generation module is used for generating firewall CRD rule resources corresponding to the application service according to a preset black-and-white list configuration rule when the application service created by any user is acquired; the first judging module is used for judging whether the application service corresponding to the firewall CRD rule resource is deployed to the local container or not when the firewall CRD rule resource is monitored; and the writing module is used for writing the firewall CRD rule resources into the kernel module through the ct_filter tool when the application service corresponding to the firewall CRD rule resources is deployed to the local container.
Optionally, the apparatus further comprises: the matching module is used for matching the service request message with the firewall CRD rule written in the kernel module when receiving the service request message of the client; and the processing module is used for determining whether the service request message of the client is released or discarded according to the matching result.
Optionally, the matching module further includes: a parsing module, configured to parse the service request message of the client to obtain the IP address of the client; a first matching sub-module, configured to match the IP address with a preset blacklist rule; an interception module, configured to intercept the service request message corresponding to the IP address when the IP address matches a preset blacklist rule; a second judging module, configured to judge whether the IP address is in an ESTABLISHED state when the IP address does not match a preset blacklist rule; a first sending module, configured to send the service request packet corresponding to the IP address to the next hook point of Netfilter when the IP address is in an ESTABLISHED state, and to match the IP address with a preset white list rule when the IP address is not in the ESTABLISHED state; a second matching sub-module, configured to discard the service request message corresponding to the IP address when the IP address does not match a preset white list rule; and a second sending module, configured to send the service request message corresponding to the IP address to the next hook point of Netfilter when the IP address matches a preset white list rule.
According to a third aspect, an embodiment of the present invention further discloses an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform steps of the network security service configuration method according to the first aspect or any alternative implementation of the first aspect.
According to a fourth aspect, the embodiments of the present invention also disclose a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the network security service configuration method according to the first aspect or any of the alternative embodiments of the first aspect.
The technical scheme of the invention has the following advantages:
the network security service configuration method/device provided by the invention comprises the following steps: when an application service created by any user is obtained, a firewall CRD rule resource corresponding to the application service is generated according to a preset black-and-white list configuration rule; when the firewall CRD rule resource is detected, it is judged whether the application service corresponding to the firewall CRD rule resource is deployed to a local container; when the application service corresponding to the firewall CRD rule resource is deployed to the local container, the firewall CRD rule resource is written into the kernel module through the ct_filter tool. With this method, the firewall black-and-white list configuration rules on each host are defined programmably as a K8S operator, the configuration rules are deployed on the designated K8S node, the K8S operator drives the firewall configuration to its desired final state by updating and refreshing it, the firewall configuration follows the working nodes on which the application service's containers are deployed, and the configuration method has greater flexibility and extensibility.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a specific example of a network security service configuration method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a specific example of a network security service configuration method according to an embodiment of the present invention;
FIG. 3 is a flowchart of a specific example of a network security service configuration method according to an embodiment of the present invention;
FIG. 4 is a schematic block diagram of a specific example of a network security service configuration device in an embodiment of the present invention;
fig. 5 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made apparent and fully in view of the accompanying drawings, in which some, but not all embodiments of the invention are shown. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the description of the present invention, it should be noted that the directions or positional relationships indicated by the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc. are based on the directions or positional relationships shown in the drawings, are merely for convenience of describing the present invention and simplifying the description, and do not indicate or imply that the devices or elements referred to must have a specific orientation, be configured and operated in a specific orientation, and thus should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the description of the present invention, it should be noted that, unless explicitly specified and limited otherwise, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be either fixedly connected, detachably connected, or integrally connected, for example; can be mechanically or electrically connected; the two components can be directly connected or indirectly connected through an intermediate medium, or can be communicated inside the two components, or can be connected wirelessly or in a wired way. The specific meaning of the above terms in the present invention will be understood in specific cases by those of ordinary skill in the art.
In addition, the technical features of the different embodiments of the present invention described below may be combined with each other as long as they do not collide with each other.
The embodiment of the invention discloses a network security service configuration method, as shown in fig. 1, which comprises the following steps:
and step 101, when an application service created by any user is obtained, generating a firewall CRD rule resource corresponding to the application service according to a preset black-and-white list configuration rule.
Illustratively, the firewall rules are abstracted into k8s CRD resources, and each CRD resource describes the firewall rules required by one application service; a CRD may describe a plurality of black-and-white list firewall rules for a service. The attributes of a rule in the CRD template are: Action, indicating whether the entry is of blacklist or whitelist type; Protocol, the layer-4 protocol matched by the firewall rule; Port, the layer-4 port matched by the firewall rule; and ipRange, the IP segment matched by the firewall rule. A firewall configuration resource is ultimately loaded onto the machine on which the service is deployed, where it is deployed and configured.
Step 102, when the firewall CRD rule resource is monitored, judging whether the application service corresponding to the firewall CRD rule resource is deployed to the local container.
Illustratively, the firewall CRD rule resource is watched by ct-filter-daemon, which judges whether the service corresponding to the resource has a container deployed on the local machine; if not, the resource is ignored.
And step 103, when the application service corresponding to the firewall CRD rule resource is deployed to the local container, writing the firewall CRD rule resource into the kernel module through a ct_filter tool.
Illustratively, the firewall rules are written into the kernel module by ct_filter-daemon through the ct_filter tool. At the same time, when the firewall CRD rule resource is written, an interface for configuring rules must be provided to application-layer users, and this interface is provided as a binary command. In this embodiment the binary command of the configuration interface is ct_filter -A|I|D -t <white|black> -4|6 -p <tcp|udp> -s <ip/mask> -D <ip/mask> -dport <port> -sport <port>. Specifically, after a user deploys a service through k8s and needs to limit access to the service, the user deploys the CRD resource corresponding to the service; the CRD resource is picked up by the custom operator controller, which refreshes it and writes it into the kernel through the custom kernel module. The operator is deployed to all worker nodes as a k8s DaemonSet workload, so each machine runs a ct_filter container; when the container is (re)started it inserts the custom firewall kernel module into the kernel, and during subsequent operation it mainly performs two functions: first, ct_filter issues a list-watch request to the apiserver to monitor whitelist resources and filters them down to those whitelist resources whose corresponding service has a backend pod currently deployed on the local machine; second, the CRD resources of the filtered whitelists are written into the custom kernel module through ct_filter. The kernel module works at the PREROUTING hook of netfilter, with a priority between conntrack and mangle. The execution flow of the three steps of the method is shown in fig. 3.
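The following Go program is an added illustration of steps 101 and 102 as the description lays them out (CRD template with Action, Protocol, Port and ipRange; a per-node daemon that acts on a resource only when a backend pod of its service is scheduled locally; rules expressed in the binary command interface). It is not code from the patent or from the ct_filter tool. The resource kind, the spec.service field, the JSON field names, the sample resource and the pod placement are all constructed for the example; the command flags follow the description's synopsis, with ipRange treated as the client source range.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// Rule mirrors the four attributes the description gives for one entry in the
// firewall CRD template: Action, Protocol, Port and ipRange.
type Rule struct {
	Action   string `json:"action"`   // "white" or "black"
	Protocol string `json:"protocol"` // layer-4 protocol: "tcp" or "udp"
	Port     int    `json:"port"`     // layer-4 port the rule matches
	IPRange  string `json:"ipRange"`  // IP segment the rule matches, in CIDR form
}

// FirewallRule is the custom resource. Only the per-rule attributes come from
// the page; kind, the service field and the JSON names are assumptions.
type FirewallRule struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		Service string `json:"service"` // application service the rules protect
		Rules   []Rule `json:"rules"`
	} `json:"spec"`
}

// Pod is the subset of pod state the daemon needs: the service the pod backs
// and the node it was scheduled to.
type Pod struct {
	Service string
	Node    string
}

// ParseFirewallRule decodes a serialized resource and validates every rule, so
// a malformed CIDR, unknown action or bad port is rejected before step 103
// would hand it to the kernel module.
func ParseFirewallRule(doc []byte) (*FirewallRule, error) {
	var fr FirewallRule
	if err := json.Unmarshal(doc, &fr); err != nil {
		return nil, err
	}
	for i, r := range fr.Spec.Rules {
		if r.Action != "white" && r.Action != "black" {
			return nil, fmt.Errorf("rule %d: unknown action %q", i, r.Action)
		}
		if r.Protocol != "tcp" && r.Protocol != "udp" {
			return nil, fmt.Errorf("rule %d: unknown protocol %q", i, r.Protocol)
		}
		if r.Port < 1 || r.Port > 65535 {
			return nil, fmt.Errorf("rule %d: port %d out of range", i, r.Port)
		}
		if _, _, err := net.ParseCIDR(r.IPRange); err != nil {
			return nil, fmt.Errorf("rule %d: bad ipRange %q: %w", i, r.IPRange, err)
		}
	}
	return &fr, nil
}

// AppliesLocally is the step-102 check made by the daemon on each node: the
// resource is acted on only if at least one backend pod of its service is
// scheduled to this node; otherwise it is ignored.
func AppliesLocally(fr *FirewallRule, pods []Pod, node string) bool {
	for _, p := range pods {
		if p.Service == fr.Spec.Service && p.Node == node {
			return true
		}
	}
	return false
}

// RenderCommands expresses each rule in the binary interface the description
// gives: ct_filter -A -t <white|black> -4|6 -p <tcp|udp> -s <ip/mask> -dport <port>.
// The flag spelling follows the description's synopsis, not the tool itself.
func RenderCommands(fr *FirewallRule) []string {
	var cmds []string
	for _, r := range fr.Spec.Rules {
		ip, _, _ := net.ParseCIDR(r.IPRange) // already validated above
		family := "-4"
		if ip.To4() == nil {
			family = "-6"
		}
		cmds = append(cmds, fmt.Sprintf("ct_filter -A -t %s %s -p %s -s %s -dport %d",
			r.Action, family, r.Protocol, r.IPRange, r.Port))
	}
	return cmds
}

// SampleResource is a constructed resource for this example, not from the page.
const SampleResource = `{
  "kind": "FirewallRule",
  "metadata": {"name": "web-rules", "namespace": "default"},
  "spec": {"service": "web", "rules": [
    {"action": "white", "protocol": "tcp", "port": 8080, "ipRange": "10.0.0.0/8"},
    {"action": "black", "protocol": "tcp", "port": 8080, "ipRange": "10.1.2.0/24"}
  ]}
}`

func main() {
	fr, err := ParseFirewallRule([]byte(SampleResource))
	if err != nil {
		panic(err)
	}
	// Constructed placement: only node-a runs a backend pod of "web".
	pods := []Pod{{Service: "web", Node: "node-a"}, {Service: "db", Node: "node-b"}}
	for _, node := range []string{"node-a", "node-b"} {
		if !AppliesLocally(fr, pods, node) {
			fmt.Printf("%s: no backend pod of %s here, resource ignored\n", node, fr.Spec.Service)
			continue
		}
		for _, c := range RenderCommands(fr) {
			fmt.Printf("%s: %s\n", node, c)
		}
	}
}
```

Validating the resource before rendering matters because the kernel module has no way to report a half-applied rule set back to the user; rejecting bad input in the daemon keeps the module's state consistent with what the CRD declares.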
The network security service configuration method provided by the invention comprises the following steps: when an application service created by any user is obtained, a firewall CRD rule resource corresponding to the application service is generated according to a preset black-and-white list configuration rule; when the firewall CRD rule resource is detected, it is judged whether the application service corresponding to the firewall CRD rule resource is deployed to a local container; when the application service corresponding to the firewall CRD rule resource is deployed to the local container, the firewall CRD rule resource is written into the kernel module through the ct_filter tool. With this method, the firewall black-and-white list configuration rules on each host are defined programmably as a K8S operator, the configuration rules are deployed on the designated K8S node, the K8S operator drives the firewall configuration to its desired final state by updating and refreshing it, the firewall configuration follows the working nodes on which the application service's containers are deployed, and the configuration method has greater flexibility and extensibility.
As an optional implementation manner of the present invention, after the application service corresponding to the firewall CRD rule resource is deployed to the local container and the firewall CRD rule resource is written into the kernel module through the ct_filter tool, the method further includes: when a service request message of a client is received, matching the service request message with a firewall CRD rule written in the kernel module; and determining whether the service request message of the client is released or discarded according to the matching result.
Illustratively, when the local machine receives a service request message of the client, matching the received request message with a firewall CRD rule written in the kernel module; specifically, when the received client service request message passes through a hook on a netfilter by the kernel module, whether the message matches a black-and-white list rule is judged, and the message is selected to be released or discarded.
As an optional implementation manner of the present invention, matching the service request packet with the firewall CRD rule written in the kernel module includes: parsing the service request message of the client to obtain the IP address of the client; matching the IP address with a preset blacklist rule; when the IP address matches a preset blacklist rule, intercepting the service request message corresponding to the IP address; when the IP address does not match a preset blacklist rule, judging whether the IP address is in an ESTABLISHED state; when the IP address is in an ESTABLISHED state, sending the service request message corresponding to the IP address to the next hook point of Netfilter; when the IP address is not in the ESTABLISHED state, matching the IP address with a preset white list rule; when the IP address does not match a preset white list rule, discarding the service request message corresponding to the IP address; and when the IP address matches a preset white list rule, sending the service request message corresponding to the IP address to the next hook point of Netfilter.
Illustratively, Netfilter is the packet-processing framework of the Linux kernel, and the module uses it to parse the service request message of the client and obtain the client's IP address. First, the parsed client IP address is matched against the blacklist rules written into the kernel module in advance, and the message is intercepted if the match succeeds. When the IP address does not match the blacklist, it is judged whether the IP address is in the ESTABLISHED state; if it is, the message is released and sent to the next hook point of Netfilter. When the IP address is not in the ESTABLISHED state, it is matched against the white list rules written into the kernel module in advance: if the match succeeds the message is released, otherwise it is intercepted. The execution flow is shown in fig. 2.
As an optional embodiment of the present invention, determining whether the IP address is in an ESTABLISHED state includes: determining whether the IP address is in a connection state according to the conntrack table; when the IP address is in a connection state, the IP address is in an ESTABLISHED state.
Illustratively, Linux connection tracking creates a connection entry for each packet flow that traverses the network stack, uniquely assigns all packets belonging to that connection to the entry, and records the state of the connection; whether the corresponding IP address is in the ESTABLISHED state is therefore determined by consulting the conntrack table.
As an optional embodiment of the present invention, determining whether the IP address is in a connection state according to the conntrack table includes: when conntrack is not started, sending the service request message corresponding to the IP address to the next hook point of Netfilter.
Illustratively, if connection tracking is not on, the query of the conntrack table fails and the IP address is released; that is, traffic that is not connection-tracked is released.
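The decision flow described above (blacklist, then the ESTABLISHED check via conntrack, then the white list, with a packet released when conntrack is not started) is modelled below in user-space Go as an added example; it is not the patent's kernel module. The rule set, the conntrack contents and the packets are constructed for the example, and the conntrack lookup is keyed on the client IP address as the description states. One consequence of the stated order is visible in the last case: when conntrack is not started, the white list is never consulted and every packet that misses the blacklist is released, so a node that relies on the white list needs conntrack to be loaded before the module is.

```go
package main

import (
	"fmt"
	"net"
)

// Verdict is what the module does with a request packet.
type Verdict int

const (
	Drop Verdict = iota // intercepted / discarded
	Pass                // released to the next Netfilter hook point
)

func (v Verdict) String() string {
	if v == Pass {
		return "PASS"
	}
	return "DROP"
}

// ListRule is one blacklist or white list entry: an IP segment plus the
// layer-4 protocol and port it applies to (the CRD's ipRange/Protocol/Port).
type ListRule struct {
	Net      *net.IPNet
	Protocol string
	Port     int
}

// Packet holds the fields the decision consults.
type Packet struct {
	SrcIP    net.IP
	Protocol string
	DstPort  int
}

// Conntrack stands in for the kernel's conntrack table. Enabled=false models
// "connection tracking not started"; Established lists client addresses whose
// connections are in the ESTABLISHED state.
type Conntrack struct {
	Enabled     bool
	Established map[string]bool
}

// Filter is the rule state written into the module on one node.
type Filter struct {
	Black []ListRule
	White []ListRule
	CT    Conntrack
}

func matches(rules []ListRule, p Packet) bool {
	for _, r := range rules {
		if r.Protocol == p.Protocol && r.Port == p.DstPort && r.Net.Contains(p.SrcIP) {
			return true
		}
	}
	return false
}

// Decide applies the description's order: blacklist first; then the ESTABLISHED
// check (a disabled conntrack releases the packet); then the white list; drop
// on no match. The second value names the branch taken, useful for logging.
func (f *Filter) Decide(p Packet) (Verdict, string) {
	if matches(f.Black, p) {
		return Drop, "blacklist match"
	}
	if !f.CT.Enabled {
		return Pass, "conntrack not started"
	}
	if f.CT.Established[p.SrcIP.String()] {
		return Pass, "ESTABLISHED"
	}
	if matches(f.White, p) {
		return Pass, "whitelist match"
	}
	return Drop, "no whitelist match"
}

// MustRule builds a ListRule; it panics on a bad CIDR because rules are
// validated before they reach the module.
func MustRule(cidr, proto string, port int) ListRule {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		panic(err)
	}
	return ListRule{Net: n, Protocol: proto, Port: port}
}

// NewPacket builds a Packet from a dotted source address.
func NewPacket(src, proto string, port int) Packet {
	return Packet{SrcIP: net.ParseIP(src), Protocol: proto, DstPort: port}
}

// SampleFilter is a constructed rule set: 10.0.0.0/8 is white-listed for
// tcp/8080 and the narrower 10.1.2.0/24 is blacklisted for the same port.
func SampleFilter(ctEnabled bool) *Filter {
	return &Filter{
		Black: []ListRule{MustRule("10.1.2.0/24", "tcp", 8080)},
		White: []ListRule{MustRule("10.0.0.0/8", "tcp", 8080)},
		CT:    Conntrack{Enabled: ctEnabled, Established: map[string]bool{"10.1.2.5": true, "192.168.1.9": true}},
	}
}

func main() {
	f := SampleFilter(true)
	for _, p := range []Packet{
		NewPacket("10.1.2.5", "tcp", 8080),     // blacklisted even though ESTABLISHED
		NewPacket("10.0.0.7", "tcp", 8080),     // new connection, white-listed
		NewPacket("192.168.1.9", "tcp", 8080),  // not white-listed but ESTABLISHED
		NewPacket("192.168.1.10", "tcp", 8080), // new connection, no list match
	} {
		v, why := f.Decide(p)
		fmt.Printf("%-13s -> %s (%s)\n", p.SrcIP, v, why)
	}
	v, why := SampleFilter(false).Decide(NewPacket("192.168.1.10", "tcp", 8080))
	fmt.Printf("conntrack off: %s (%s)\n", v, why)
}
```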
The embodiment of the invention also discloses a network security service configuration device, as shown in fig. 4, which comprises: the generating module 201 is configured to generate a firewall CRD rule resource corresponding to an application service according to a preset black-and-white list configuration rule when the application service created by any user is obtained; a first judging module 202, configured to judge, when the firewall CRD rule resource is monitored, whether an application service corresponding to the firewall CRD rule resource is deployed to a local container; and the writing module 203 is configured to, when an application service corresponding to the firewall CRD rule resource is deployed to the native container, write the firewall CRD rule resource into the kernel module through the ct_filter tool.
The network security service configuration device provided by the invention comprises: the generation module is used for generating firewall CRD rule resources corresponding to the application service according to a preset black-and-white list configuration rule when the application service created by any user is acquired; the first judging module is used for judging whether the application service corresponding to the firewall CRD rule resource is deployed to the local container or not when the firewall CRD rule resource is monitored; and the writing module is used for writing the firewall CRD rule resources into the kernel module through the ct_filter tool when the application service corresponding to the firewall CRD rule resources is deployed to the local container. The device of the invention defines the configuration rules of the firewall black-and-white list on each host computer in a K8S operator programmable mode, deploys the configuration rules on the designated node of the K8S, and the K8S operator controls the firewall configuration in a final state mode to update and refresh, so that the firewall configuration can be configured along with the deployed working node of the application service container, and has higher flexibility and expansibility.
As an alternative embodiment of the present invention, the apparatus further comprises: the matching module is used for matching the service request message with the firewall CRD rule written in the kernel module when receiving the service request message of the client; and the processing module is used for determining whether the service request message of the client is released or discarded according to the matching result.
As an optional embodiment of the present invention, the matching module further includes: a parsing module, configured to parse the service request message of the client to obtain the IP address of the client; a first matching sub-module, configured to match the IP address with a preset blacklist rule; an interception module, configured to intercept the service request message corresponding to the IP address when the IP address matches a preset blacklist rule; a second judging module, configured to judge whether the IP address is in an ESTABLISHED state when the IP address does not match a preset blacklist rule; a first sending module, configured to send the service request packet corresponding to the IP address to the next hook point of Netfilter when the IP address is in an ESTABLISHED state, and to match the IP address with a preset white list rule when the IP address is not in the ESTABLISHED state; a second matching sub-module, configured to discard the service request message corresponding to the IP address when the IP address does not match a preset white list rule; and a second sending module, configured to send the service request message corresponding to the IP address to the next hook point of Netfilter when the IP address matches a preset white list rule.
As an optional embodiment of the present invention, the second judging module includes: a determining module, configured to determine whether the IP address is in a connection state according to the conntrack table; and a determining sub-module, configured to treat the IP address as being in an ESTABLISHED state when the IP address is in a connection state.
As an optional embodiment of the present invention, the determining module includes: and the third sending module is used for sending the service request message corresponding to the IP address to the next hook point of the Netfilter when the conntrack is not started.
The embodiment of the present invention further provides an electronic device, as shown in fig. 5, where the electronic device may include a processor 401 and a memory 402, where the processor 401 and the memory 402 may be connected by a bus or other means, and in fig. 5, the connection is exemplified by a bus.
The processor 401 may be a central processing unit (Central Processing Unit, CPU). The processor 401 may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or combinations thereof.
The memory 402, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs and modules, such as the program instructions/modules corresponding to the network security service configuration method in the embodiment of the present invention. By running the non-transitory software programs, instructions and modules stored in the memory 402, the processor 401 executes the functional applications and data processing of the electronic device, that is, implements the network security service configuration method of the method embodiments described above.
Memory 402 may include a storage program area that may store an operating system, at least one application program required for functionality, and a storage data area; the storage data area may store data created by the processor 401, or the like. In addition, memory 402 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory 402 may optionally include memory located remotely from processor 401, such remote memory being connectable to processor 401 through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The one or more modules are stored in the memory 402 and when executed by the processor 401, perform the network security service configuration method in the embodiment shown in fig. 1.
The specific details of the electronic device may be understood correspondingly with respect to the corresponding related descriptions and effects in the embodiment shown in fig. 1, which are not repeated herein.
Those skilled in the art will appreciate that all or part of the method of the above embodiments may be implemented by a computer program instructing the related hardware; the program may be stored in a computer readable storage medium and, when executed, may carry out the method of the above embodiments. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory, a Hard Disk Drive (HDD) or a Solid State Drive (SSD); the storage medium may also comprise a combination of memories of the kinds described above.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations are within the scope of the invention as defined by the appended claims.

Claims (8)

1. A network security service configuration method, comprising:
when an application service created by any user is obtained, generating a firewall CRD rule resource corresponding to the application service according to a preset black-and-white list configuration rule;
when the firewall CRD rule resource is detected, judging whether the application service corresponding to the firewall CRD rule resource is deployed to a local container or not;
when the application service corresponding to the firewall CRD rule resource is deployed to a local container, writing the firewall CRD rule resource into a kernel module through a ct_filter tool;
after the application service corresponding to the firewall CRD rule resource is deployed to the local container and the firewall CRD rule resource is written into the kernel module through the ct_filter tool, the method further includes:
when a service request message of a client is received, matching the service request message with a firewall CRD rule written in the kernel module;
and determining whether the service request message of the client is released or discarded according to the matching result.
2. The method of claim 1, wherein matching the service request message with the firewall CRD rules written into the kernel module comprises:
parsing the service request message of the client to obtain the IP address of the client;
matching the IP address against a preset blacklist rule;
when the IP address matches a preset blacklist rule, intercepting the service request message corresponding to the IP address;
when the IP address does not match a preset blacklist rule, judging whether the IP address is in an ESTABLISHED state or not;
when the IP address is in an ESTABLISHED state, sending the service request message corresponding to the IP address to the next hook point of Netfilter;
when the IP address is not in an ESTABLISHED state, matching the IP address against a preset white list rule;
when the IP address does not match a preset white list rule, discarding the service request message corresponding to the IP address;
and when the IP address matches a preset white list rule, sending the service request message corresponding to the IP address to the next hook point of Netfilter.
3. The method of claim 2, wherein judging whether the IP address is in an ESTABLISHED state comprises:
determining from the conntrack table whether the IP address has a connection;
and when the IP address has a connection in the conntrack table, the IP address is in an ESTABLISHED state.
4. The method of claim 3, wherein determining from the conntrack table whether the IP address has a connection comprises:
when conntrack is not enabled, sending the service request message corresponding to the IP address to the next hook point of Netfilter.
5. A network security service configuration apparatus, comprising:
the generation module is used for generating firewall CRD rule resources corresponding to the application service according to a preset black-and-white list configuration rule when the application service created by any user is acquired;
the first judging module is used for judging whether the application service corresponding to the firewall CRD rule resource is deployed to the local container or not when the firewall CRD rule resource is detected;
the writing module is used for writing the firewall CRD rule resources into the kernel module through a ct_filter tool when the application services corresponding to the firewall CRD rule resources are deployed to the local container;
the apparatus further comprises:
the matching module is used for matching the service request message with the firewall CRD rule written in the kernel module when receiving the service request message of the client;
and the processing module is used for determining whether the service request message of the client is released or discarded according to the matching result.
6. The apparatus of claim 5, wherein the matching module further comprises:
an analysis module, used for parsing the service request message of the client to obtain the IP address of the client;
a first matching sub-module, used for matching the IP address against a preset blacklist rule;
an interception module, used for intercepting the service request message corresponding to the IP address when the IP address matches a preset blacklist rule;
a second judging module, used for judging whether the IP address is in an ESTABLISHED state or not when the IP address does not match a preset blacklist rule;
a first sending module, configured to send the service request message corresponding to the IP address to the next hook point of Netfilter when the IP address is in an ESTABLISHED state;
a second matching sub-module, used for matching the IP address against a preset white list rule when the IP address is not in an ESTABLISHED state, and for discarding the service request message corresponding to the IP address when the IP address does not match a preset white list rule;
and a second sending module, used for sending the service request message corresponding to the IP address to the next hook point of Netfilter when the IP address matches a preset white list rule.
7. An electronic device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform the steps of the network security service configuration method of any of claims 1-4.
8. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the network security service configuration method according to any of claims 1-4.
CN202111617972.1A 2021-12-27 2021-12-27 Network security service configuration method and device and electronic equipment Active CN114499970B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111617972.1A CN114499970B (en) 2021-12-27 2021-12-27 Network security service configuration method and device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111617972.1A CN114499970B (en) 2021-12-27 2021-12-27 Network security service configuration method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN114499970A CN114499970A (en) 2022-05-13
CN114499970B true CN114499970B (en) 2023-06-23

Family

ID=81496447

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111617972.1A Active CN114499970B (en) 2021-12-27 2021-12-27 Network security service configuration method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN114499970B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102790758A (en) * 2011-05-18 2012-11-21 海尔集团公司 Firewall system and processing method thereof
CN105471907A (en) * 2015-12-31 2016-04-06 云南大学 Openflow based virtual firewall transmission control method and system
CN107147693A (en) * 2017-03-30 2017-09-08 潘杰 A kind of remote control type electronic communication device
US10484334B1 (en) * 2013-02-26 2019-11-19 Zentera Systems, Inc. Distributed firewall security system that extends across different cloud computing networks
CN111600852A (en) * 2020-04-27 2020-08-28 中国舰船研究设计中心 Firewall design method based on programmable data plane
CN113645223A (en) * 2021-08-09 2021-11-12 杭州安恒信息技术股份有限公司 Network protection management method, system, device and storage medium
WO2021226781A1 (en) * 2020-05-11 2021-11-18 深圳市欢太科技有限公司 Firewall rule updating method and apparatus, server, and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10951582B2 (en) * 2018-02-09 2021-03-16 Comcast Cable Communications, Llc Dynamic firewall configuration
US11489730B2 (en) * 2018-12-18 2022-11-01 Storage Engine, Inc. Methods, apparatuses and systems for configuring a network environment for a server
US20210314299A1 (en) * 2020-04-07 2021-10-07 Vmware, Inc. Methods for revalidating fqdn rulesets in a firewall
FR3110795A1 (en) * 2020-05-25 2021-11-26 Orange Method for configuring firewall equipment in a communication network, method for updating a configuration for firewall equipment, device, access equipment, firewall equipment and corresponding computer programs .

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Design and implementation of Linux firewall based on the frame of Netfilter/IPtable; Baoliang Wang, Kaining Lu, Peng Chang; 2016 11th International Conference on Computer Science & Education (ICCSE); pp. 949-953 *
Research on an on-demand adaptation mechanism for security services across multiple data centers; Li Chang; China Master's Theses Full-text Database, Information Science and Technology series; p. I137-7 *

Also Published As

Publication number Publication date
CN114499970A (en) 2022-05-13

Similar Documents

Publication Publication Date Title
US10038594B2 (en) Centralized management of access points
EP4245057A1 (en) Active assurance for virtualized services
US11641308B2 (en) Software defined networking orchestration method and SDN controller
US20200162589A1 (en) Intent based network data path tracing and instant diagnostics
EP3024175B1 (en) Method and system for remote management of network devices
CN109960634B (en) Application program monitoring method, device and system
US20210135967A1 (en) Intelligent in-band telemetry auto-configuration for ip networks
CN111277457A (en) Method, device and equipment for switching network environment and readable storage medium
CN113259162B (en) Network fault determination method and device, electronic equipment and storage medium
CN112751947B (en) Communication system and method
CN112564994B (en) Flow monitoring method and device, cloud server and storage medium
CN108270591B (en) Method for configuring network equipment and related equipment
CN115514667A (en) Access service processing method, system, device, electronic equipment and storage medium
CN114499970B (en) Network security service configuration method and device and electronic equipment
CN111901395A (en) Multi-cluster switching method and device
CN107070725B (en) A kind of method that server two-level management intermodule communication is shaken hands
US20150106490A1 (en) Automatic notification of isolation
CN114513419A (en) Security policy configuration method and system
CN112994942A (en) SDN control method and device
CN109960645B (en) Script test method and device and script test system
CN113472599B (en) Data communication method and system of network node
CN115037664B (en) Network connection testing method and device, repeater and storage medium
US11563640B2 (en) Network data extraction parser-model in SDN
WO2023056826A1 (en) Network connection method, electronic device, and storage medium
CN116319292A (en) BMC network configuration method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant