CN114499970B - Network security service configuration method and device and electronic equipment - Google Patents
- Publication number: CN114499970B, CN202111617972A
- Authority: CN (China)
- Prior art keywords: address, rule, firewall, crd, request message
- Legal status: Active (the listed status is an assumption by Google, not a legal conclusion)
Classifications
- H04L63/0209: Architectural arrangements, e.g. perimeter networks or demilitarized zones (H04L63/02, network security for separating internal from external traffic, e.g. firewalls)
- H04L63/0263: Rule management (H04L63/0227, filtering policies)
- H04L63/101: Access control lists [ACL] (H04L63/10, controlling access to devices or network resources)
- Y02D30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (Y02D, climate change mitigation technologies in ICT)
Landscapes: Engineering & Computer Science; Computer Hardware Design; Computer Security & Cryptography; Computing Systems; General Engineering & Computer Science; Computer Networks & Wireless Communication; Signal Processing; Business, Economics & Management; General Business, Economics & Management; Computer And Data Communications; Data Exchanges In Wide-Area Networks
Abstract
The invention discloses a network security service configuration method, which comprises the following steps: when an application service created by any user is obtained, generating a firewall CRD rule resource corresponding to the application service according to a preset black-and-white list configuration rule; when the firewall CRD rule resource is monitored, judging whether the application service corresponding to the firewall CRD rule resource is deployed to a local container or not; when the application service corresponding to the firewall CRD rule resource is deployed to the local container, the firewall CRD rule resource is written into the kernel module through a ct_filter tool. According to the method, the firewall black-and-white list configuration rules on each host are defined in a K8S operator programmable mode, the configuration rules are deployed on the designated node of the K8S, the K8S operator controls the firewall configuration in a final state mode to update and refresh, the firewall configuration can be configured along with the deployed working nodes of the application service container, and meanwhile, the firewall configuration method has higher flexibility and expansibility.
Description
Technical Field
The present invention relates to the field of big data analysis technologies, and in particular, to a network security service configuration method, a device, and an electronic device.
Background
Maintaining host firewall rules with iptables commands in a k8s environment has three problems. First, when a machine carries many iptables entries belonging to applications and many firewall entries, operations conflict with a certain probability; after such a conflict the firewall background service can become abnormal, or the network rules of the kube-proxy daemon container can be lost, so that services on the machine finally become abnormal for external requests. Second, within the netfilter framework of the protocol stack, the distribution entry of the container network shunt comes earlier than the filtering entry of the firewall, so data messages entering the container network cannot be effectively managed and controlled by the firewall. Third, k8s performs unified scheduling of virtualization and services across the working nodes; stateless or stateful application services deployed through it may drift between different working nodes, which makes the firewall rules exposed by a service difficult to maintain manually.
Disclosure of Invention
Therefore, the technical problem to be solved by the invention is to overcome the defects that the existing host firewall collides with the k8s component, the host firewall cannot manage the container network message, and the firewall rule cannot follow the destination node scheduled by the k8s, so as to provide a network security service configuration method, a network security service configuration device and electronic equipment.
According to a first aspect, an embodiment of the present invention discloses a network security service configuration method, including: when an application service created by any user is obtained, generating a firewall CRD rule resource corresponding to the application service according to a preset black-and-white list configuration rule; when the firewall CRD rule resource is monitored, judging whether the application service corresponding to the firewall CRD rule resource is deployed to a local container or not; when the application service corresponding to the firewall CRD rule resource is deployed to the local container, the firewall CRD rule resource is written into the kernel module through the ct_filter tool.
Optionally, after the application service corresponding to the firewall CRD rule resource is deployed to the native container and the firewall CRD rule resource is written into the kernel module through the ct_filter tool, the method further includes: when a service request message of a client is received, matching the service request message with a firewall CRD rule written in the kernel module; and determining whether the service request message of the client is released or discarded according to the matching result.
Optionally, matching the service request message with the firewall CRD rule written in the kernel module includes: resolving the service request message of the client to obtain the IP address of the client; matching the IP address with a preset blacklist rule; when the IP address is successfully matched with a preset blacklist rule, intercepting the service request message corresponding to the IP address; when the IP address is not successfully matched with a preset blacklist rule, judging whether the IP address is in an ESTABLISHED state or not; when the IP address is in an ESTABLISHED state, sending the service request message corresponding to the IP address to the next hook point of Netfilter; when the IP address is not in the ESTABLISHED state, matching the IP address with a preset white list rule; discarding the service request message corresponding to the IP address when the IP address is not successfully matched with a preset white list rule; and when the IP address is successfully matched with a preset white list rule, sending the service request message corresponding to the IP address to the next hook point of Netfilter.
Optionally, determining whether the IP address is in an ESTABLISHED state includes: determining whether the IP address is in a connection state according to the conntrack table; and when the IP address is in a connection state, the IP address is in an ESTABLISHED state.
Optionally, determining whether the IP address is in a connection state according to the conntrack table includes: when conntrack is not started, sending the service request message corresponding to the IP address to the next hook point of Netfilter.
According to a second aspect, the embodiment of the invention also discloses a network security service configuration device, which comprises: the generation module is used for generating firewall CRD rule resources corresponding to the application service according to a preset black-and-white list configuration rule when the application service created by any user is acquired; the first judging module is used for judging whether the application service corresponding to the firewall CRD rule resource is deployed to the local container or not when the firewall CRD rule resource is monitored; and the writing module is used for writing the firewall CRD rule resources into the kernel module through the ct_filter tool when the application service corresponding to the firewall CRD rule resources is deployed to the local container.
Optionally, the apparatus further comprises: the matching module is used for matching the service request message with the firewall CRD rule written in the kernel module when receiving the service request message of the client; and the processing module is used for determining whether the service request message of the client is released or discarded according to the matching result.
Optionally, the matching module further includes: the analysis module, used for analyzing the service request message of the client to obtain the IP address of the client; the first matching sub-module, used for matching the IP address with a preset blacklist rule; the interception module, used for intercepting the service request message corresponding to the IP address when the IP address is successfully matched with a preset blacklist rule; the second judging module, used for judging whether the IP address is in an ESTABLISHED state or not when the IP address is not successfully matched with a preset blacklist rule; the first sending module, configured to send the service request message corresponding to the IP address to the next hook point of Netfilter when the IP address is in an ESTABLISHED state; the second matching sub-module, used for matching the IP address with a preset white list rule when the IP address is not in the ESTABLISHED state, and for discarding the service request message corresponding to the IP address when the IP address is not successfully matched with a preset white list rule; and the second sending module, used for sending the service request message corresponding to the IP address to the next hook point of Netfilter when the IP address is successfully matched with a preset white list rule.
According to a third aspect, an embodiment of the present invention further discloses an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform steps of the network security service configuration method according to the first aspect or any alternative implementation of the first aspect.
According to a fourth aspect, the embodiments of the present invention also disclose a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the network security service configuration method according to the first aspect or any of the alternative embodiments of the first aspect.
The technical scheme of the invention has the following advantages:
the network security service configuration method/device provided by the invention comprises the following steps: when an application service created by any user is obtained, generating a firewall CRD rule resource corresponding to the application service according to a preset black-and-white list configuration rule; when the firewall CRD rule resource is monitored, judging whether the application service corresponding to the firewall CRD rule resource is deployed to a local container or not; when the application service corresponding to the firewall CRD rule resource is deployed to the local container, the firewall CRD rule resource is written into the kernel module through the ct_filter tool. According to the method, the firewall black-and-white list configuration rules on each host are defined in a K8S operator programmable mode, the configuration rules are deployed on the designated node of the K8S, the K8S operator controls the firewall configuration in a final state mode to update and refresh, the firewall configuration can be configured along with the deployed working nodes of the application service container, and meanwhile, the firewall configuration method has higher flexibility and expansibility.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a specific example of a network security service configuration method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a specific example of a network security service configuration method according to an embodiment of the present invention;
FIG. 3 is a flowchart of a specific example of a network security service configuration method according to an embodiment of the present invention;
FIG. 4 is a schematic block diagram of a specific example of a network security service configuration device in an embodiment of the present invention;
FIG. 5 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made apparent and fully in view of the accompanying drawings, in which some, but not all embodiments of the invention are shown. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the description of the present invention, it should be noted that the directions or positional relationships indicated by the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc. are based on the directions or positional relationships shown in the drawings, are merely for convenience of describing the present invention and simplifying the description, and do not indicate or imply that the devices or elements referred to must have a specific orientation, be configured and operated in a specific orientation, and thus should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the description of the present invention, it should be noted that, unless explicitly specified and limited otherwise, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be either fixedly connected, detachably connected, or integrally connected, for example; can be mechanically or electrically connected; the two components can be directly connected or indirectly connected through an intermediate medium, or can be communicated inside the two components, or can be connected wirelessly or in a wired way. The specific meaning of the above terms in the present invention will be understood in specific cases by those of ordinary skill in the art.
In addition, the technical features of the different embodiments of the present invention described below may be combined with each other as long as they do not collide with each other.
The embodiment of the invention discloses a network security service configuration method, as shown in fig. 1, which comprises the following steps:
Step 101: when an application service created by any user is obtained, generating a firewall CRD rule resource corresponding to the application service according to a preset black-and-white list configuration rule.
Illustratively, the firewall rules are abstracted into k8s CRD resources, and each CRD resource describes the firewall rules required by the service of one application service; a CRD may describe a plurality of firewall black-and-white list rules of a service, and the attributes of a rule in the CRD template include: Action, indicating whether the described object is of blacklist or whitelist type; Protocol, the layer-4 protocol matched by the firewall rule; Port, the layer-4 port matched by the firewall rule; and ipRange, the IP range matched by the firewall rule. A firewall configuration resource is ultimately loaded onto the machine on which the service is deployed, for deployment and configuration there.
Step 102: when the firewall CRD rule resource is monitored, judging whether the application service corresponding to the firewall CRD rule resource is deployed to a local container or not.
Illustratively, the firewall CRD rule resource is monitored through ct-filter-daemon, which judges whether the service corresponding to the resource has a container deployed on the local machine; if not, the resource is ignored.
Step 103: when the application service corresponding to the firewall CRD rule resource is deployed to the local container, writing the firewall CRD rule resource into the kernel module through the ct_filter tool.
Illustratively, the firewall rules are written into the kernel module by ct_filter-daemon through the ct_filter tool. At the same time, when the firewall CRD rule resource is written, an interface for configuring rules must be provided to application-layer users; this interface is provided as a binary command. In this embodiment the configuration interface is the command ct_filter -A|I|D -t <white|black> -4|6 -p <tcp|udp> -s <ip/mask> -D <ip/mask> -dport <port> -sport <port>. Specifically, after a user has deployed a service through k8s and needs to restrict access to it, the user deploys the CRD resource corresponding to the service; the CRD resource is then acquired by a custom operator controller, which refreshes it and writes it into the kernel through the custom kernel module. The operator is deployed to all worker nodes as a k8s workload of daemonset type, so that every machine runs a ct_filter container. When the container is restarted, the custom firewall kernel module is inserted into the kernel, and during subsequent operation the container performs two main functions: first, ct_filter issues a listwatch request to the apiserver to monitor the whitelist resources, and filters them down to those whitelist resources whose corresponding service has a back-end pod currently deployed on the local machine; second, the CRD resources of the filtered whitelist are written into the custom kernel module through ct_filter. The kernel module works at the pre-routing hook of netfilter, with a priority between conntrack and mangle. The execution flow of these three steps is shown in FIG. 3.
The network security service configuration method provided by the invention comprises the following steps: when an application service created by any user is obtained, generating a firewall CRD rule resource corresponding to the application service according to a preset black-and-white list configuration rule; when the firewall CRD rule resource is monitored, judging whether the application service corresponding to the firewall CRD rule resource is deployed to a local container or not; when the application service corresponding to the firewall CRD rule resource is deployed to the local container, the firewall CRD rule resource is written into the kernel module through the ct_filter tool. According to the method, the firewall black-and-white list configuration rules on each host are defined in a K8S operator programmable mode, the configuration rules are deployed on the designated node of the K8S, the K8S operator controls the firewall configuration in a final state mode to update and refresh, the firewall configuration can be configured along with the deployed working nodes of the application service container, and meanwhile, the firewall configuration method has higher flexibility and expansibility.
As an optional implementation manner of the present invention, after the application service corresponding to the firewall CRD rule resource is deployed to the local container and the firewall CRD rule resource is written into the kernel module through the ct_filter tool, the method further includes: when a service request message of a client is received, matching the service request message with a firewall CRD rule written in the kernel module; and determining whether the service request message of the client is released or discarded according to the matching result.
Illustratively, when the local machine receives a service request message from the client, the received message is matched against the firewall CRD rules written in the kernel module; specifically, when the received client service request message passes through the kernel module's hook on netfilter, the module judges whether the message matches a black-or-white list rule and accordingly releases or discards it.
As an optional implementation manner of the present invention, matching the service request message with the firewall CRD rule written in the kernel module includes: resolving the service request message of the client to obtain the IP address of the client; matching the IP address with a preset blacklist rule; when the IP address is successfully matched with a preset blacklist rule, intercepting the service request message corresponding to the IP address; when the IP address is not successfully matched with a preset blacklist rule, judging whether the IP address is in an ESTABLISHED state or not; when the IP address is in an ESTABLISHED state, sending the service request message corresponding to the IP address to the next hook point of Netfilter; when the IP address is not in the ESTABLISHED state, matching the IP address with a preset white list rule; discarding the service request message corresponding to the IP address when the IP address is not successfully matched with a preset white list rule; and when the IP address is successfully matched with a preset white list rule, sending the service request message corresponding to the IP address to the next hook point of Netfilter.
Illustratively, Netfilter is the packet-processing framework of the Linux kernel, and is used here to resolve the service request message of the client and obtain the IP address of the client. First, the resolved client IP address is matched against the blacklist rules written into the kernel module in advance, and the message is intercepted if the match succeeds. When the IP address does not match the blacklist, it is judged whether the IP address is in an ESTABLISHED state; if it is, the message is released and sent to the next hook point of Netfilter. When the IP address is not in the ESTABLISHED state, it is matched against the white list rules written into the kernel module in advance; if the match succeeds the message is released, otherwise it is intercepted. The execution flow is shown in FIG. 2.
As an optional embodiment of the present invention, determining whether the IP address is in an ESTABLISHED state includes: determining whether the IP address is in a connection state according to the conntrack table; and when the IP address is in a connection state, the IP address is in an ESTABLISHED state.
Illustratively, Linux connection tracking creates a new connection entry for each new connection that traverses the network stack, assigns every packet belonging to that connection to the entry, and records the state of the connection; consulting the conntrack table therefore shows whether the connection from the corresponding IP address is in the ESTABLISHED state.
As an optional embodiment of the present invention, determining whether the IP address is in a connection state according to the conntrack table includes: when conntrack is not started, sending the service request message corresponding to the IP address to the next hook point of Netfilter.
Illustratively, if connection tracking is not enabled, the lookup in the conntrack table fails and the message from the IP address is released; that is, traffic that is not connection-tracked is released.
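The CRD rule template of step 101 (Action, Protocol, Port, ipRange), the local-node filter performed by the daemon in step 102, and the blacklist / ESTABLISHED / whitelist matching order of the kernel module described above, modelled together in user-space Go as an added example; this is not the patent's code. The JSON document shape, the service field, the type and function names, and the sample addresses are constructed assumptions; the patent itself names only the rule attributes, the local-pod filter and the matching order.

```go
// Added example (not from the patent): user-space model of the ct_filter flow.
// The CRD document shape is hypothetical; the patent names only Action, Protocol, Port, ipRange.
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// FirewallRule mirrors one entry of the CRD template described in the patent.
type FirewallRule struct {
	Action   string `json:"action"`   // "black" or "white"
	Protocol string `json:"protocol"` // layer-4 protocol, e.g. "tcp"
	Port     int    `json:"port"`     // layer-4 destination port
	IPRange  string `json:"ipRange"`  // CIDR matched against the client IP
}

// firewallCRD is a constructed (hypothetical) shape for the CRD object.
type firewallCRD struct {
	Spec struct {
		Service string         `json:"service"`
		Rules   []FirewallRule `json:"rules"`
	} `json:"spec"`
}

// compiledRule is the form the daemon would hand to the kernel module.
type compiledRule struct {
	FirewallRule
	cidr *net.IPNet
}

// ConnState is the outcome of the conntrack lookup for an incoming packet.
type ConnState int
const (
	ConntrackOff    ConnState = iota // connection tracking not enabled
	ConnNew                          // no ESTABLISHED entry for this flow
	ConnEstablished                  // flow is ESTABLISHED in conntrack
)

// Packet holds the fields the hook extracts from a client request.
type Packet struct {
	SrcIP    net.IP
	Protocol string
	DstPort  int
}

// CompileRules parses a CRD document and keeps its rules only if the service
// has a pod on this node, as ct_filter-daemon's local filter does.
func CompileRules(crdJSON []byte, localServices map[string]bool) ([]compiledRule, error) {
	var crd firewallCRD
	if err := json.Unmarshal(crdJSON, &crd); err != nil {
		return nil, err
	}
	if !localServices[crd.Spec.Service] {
		return nil, nil // service not deployed locally: resource is ignored
	}
	out := make([]compiledRule, 0, len(crd.Spec.Rules))
	for _, r := range crd.Spec.Rules {
		_, n, err := net.ParseCIDR(r.IPRange)
		if err != nil {
			return nil, fmt.Errorf("rule %+v: %w", r, err)
		}
		out = append(out, compiledRule{FirewallRule: r, cidr: n})
	}
	return out, nil
}

func (r compiledRule) matches(p Packet) bool {
	return r.cidr.Contains(p.SrcIP) && strings.EqualFold(r.Protocol, p.Protocol) && r.Port == p.DstPort
}

func anyMatch(rules []compiledRule, action string, p Packet) bool {
	for _, r := range rules {
		if r.Action == action && r.matches(p) {
			return true
		}
	}
	return false
}

// Verdict applies the patent's order in the pre-routing hook: blacklist first,
// then ESTABLISHED flows pass, then the whitelist decides. With conntrack off
// the packet is passed to the next hook without a whitelist check (fail-open).
func Verdict(rules []compiledRule, p Packet, state ConnState) string {
	if anyMatch(rules, "black", p) {
		return "DROP"
	}
	if state == ConntrackOff || state == ConnEstablished {
		return "ACCEPT" // hand the packet to the next Netfilter hook point
	}
	if anyMatch(rules, "white", p) {
		return "ACCEPT"
	}
	return "DROP"
}

// SampleCRD is a constructed CRD document for a service named "web".
const SampleCRD = `{"spec": {"service": "web", "rules": [
 {"action": "white", "protocol": "tcp", "port": 443, "ipRange": "10.0.0.0/8"},
 {"action": "black", "protocol": "tcp", "port": 443, "ipRange": "10.0.5.0/24"}]}}`
```

Because the blacklist is checked before the conntrack state, a blacklisted source is dropped even mid-connection, while a host with conntrack disabled passes unknown sources without any whitelist check.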
The embodiment of the invention also discloses a network security service configuration device, as shown in fig. 4, which comprises: the generating module 201 is configured to generate a firewall CRD rule resource corresponding to an application service according to a preset black-and-white list configuration rule when the application service created by any user is obtained; a first judging module 202, configured to judge, when the firewall CRD rule resource is monitored, whether an application service corresponding to the firewall CRD rule resource is deployed to a local container; and the writing module 203 is configured to, when an application service corresponding to the firewall CRD rule resource is deployed to the native container, write the firewall CRD rule resource into the kernel module through the ct_filter tool.
The network security service configuration device provided by the invention comprises: the generation module is used for generating firewall CRD rule resources corresponding to the application service according to a preset black-and-white list configuration rule when the application service created by any user is acquired; the first judging module is used for judging whether the application service corresponding to the firewall CRD rule resource is deployed to the local container or not when the firewall CRD rule resource is monitored; and the writing module is used for writing the firewall CRD rule resources into the kernel module through the ct_filter tool when the application service corresponding to the firewall CRD rule resources is deployed to the local container. The device of the invention defines the configuration rules of the firewall black-and-white list on each host computer in a K8S operator programmable mode, deploys the configuration rules on the designated node of the K8S, and the K8S operator controls the firewall configuration in a final state mode to update and refresh, so that the firewall configuration can be configured along with the deployed working node of the application service container, and has higher flexibility and expansibility.
As an alternative embodiment of the present invention, the apparatus further comprises: the matching module is used for matching the service request message with the firewall CRD rule written in the kernel module when receiving the service request message of the client; and the processing module is used for determining whether the service request message of the client is released or discarded according to the matching result.
As an optional embodiment of the present invention, the matching module further includes: the analysis module, used for analyzing the service request message of the client to obtain the IP address of the client; the first matching sub-module, used for matching the IP address with a preset blacklist rule; the interception module, used for intercepting the service request message corresponding to the IP address when the IP address is successfully matched with a preset blacklist rule; the second judging module, used for judging whether the IP address is in an ESTABLISHED state or not when the IP address is not successfully matched with a preset blacklist rule; the first sending module, configured to send the service request message corresponding to the IP address to the next hook point of Netfilter when the IP address is in an ESTABLISHED state; the second matching sub-module, used for matching the IP address with a preset white list rule when the IP address is not in the ESTABLISHED state, and for discarding the service request message corresponding to the IP address when the IP address is not successfully matched with a preset white list rule; and the second sending module, used for sending the service request message corresponding to the IP address to the next hook point of Netfilter when the IP address is successfully matched with a preset white list rule.
As an optional embodiment of the present invention, the second judging module includes: the determining module, used for determining whether the IP address is in a connection state according to the conntrack table; and the determining sub-module, used for treating the IP address as being in an ESTABLISHED state when the IP address is in a connection state.
As an optional embodiment of the present invention, the determining module includes: and the third sending module is used for sending the service request message corresponding to the IP address to the next hook point of the Netfilter when the conntrack is not started.
The embodiment of the present invention further provides an electronic device, as shown in fig. 5, where the electronic device may include a processor 401 and a memory 402, where the processor 401 and the memory 402 may be connected by a bus or other means, and in fig. 5, the connection is exemplified by a bus.
The processor 401 may be a central processing unit (Central Processing Unit, CPU). The processor 401 may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or combinations thereof.
The memory 402, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions/modules corresponding to the network security service configuration method in the embodiment of the present invention. The processor 401 executes various functional applications of the processor and data processing by running non-transitory software programs, instructions and modules stored in the memory 402, i.e., implements the network security service configuration method in the above-described method embodiments.
The one or more modules are stored in the memory 402 and when executed by the processor 401, perform the network security service configuration method in the embodiment shown in fig. 1.
The specific details of the electronic device may be understood correspondingly with respect to the corresponding related descriptions and effects in the embodiment shown in fig. 1, which are not repeated herein.
It will be appreciated by those skilled in the art that all or part of the method of the above-described embodiments may be implemented by a computer program instructing related hardware; the program may be stored in a computer readable storage medium and, when executed, may carry out the method of the above-described embodiments. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory, a Hard Disk Drive (HDD), or a Solid State Drive (SSD); the storage medium may also comprise a combination of memories of the kinds described above.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations are within the scope of the invention as defined by the appended claims.
Claims (8)
1. A network security service configuration method, comprising:
when an application service created by any user is obtained, generating a firewall CRD rule resource corresponding to the application service according to a preset black-and-white list configuration rule;
when the firewall CRD rule resource is monitored, judging whether the application service corresponding to the firewall CRD rule resource is deployed to a local container or not;
when the application service corresponding to the firewall CRD rule resource is deployed to a local container, writing the firewall CRD rule resource into a kernel module through a ct_filter tool;
after the application service corresponding to the firewall CRD rule resource is deployed to the local container and the firewall CRD rule resource is written into the kernel module through the ct_filter tool, the method further includes:
when a service request message of a client is received, matching the service request message with a firewall CRD rule written in the kernel module;
and determining whether the service request message of the client is released or discarded according to the matching result.
2. The method of claim 1, wherein matching the service request message with the firewall CRD rules written in the kernel module comprises:
resolving the service request message of the client to obtain the IP address of the client;
matching the IP address with a preset blacklist rule;
when the IP address is successfully matched with a preset blacklist rule, intercepting a service request message corresponding to the IP address;
when the IP address is not successfully matched with a preset blacklist rule, judging whether the IP address is in an ESTABLISHED state or not;
when the IP address is in an ESTABLISHED state, sending a service request message corresponding to the IP address to the next hook point of Netfilter;
when the IP address is not in the ESTABLISHED state, matching the IP address with a preset white list rule;
discarding the service request message corresponding to the IP address when the IP address is not successfully matched with a preset white list rule;
and when the IP address is successfully matched with a preset white list rule, sending a service request message corresponding to the IP address to the next hook point of the Netfilter.
3. The method of claim 2, wherein determining whether the IP address is in an ESTABLISHED state comprises:
determining whether the IP address is in a connection state according to a conntrack table;
and when the IP address is in a connection state, the IP address is in an ESTABLISHED state.
4. The method of claim 3, wherein determining whether the IP address is in a connection state according to a conntrack table comprises:
when conntrack is not started, sending the service request message corresponding to the IP address to the next hook point of Netfilter.
5. A network security service configuration apparatus, comprising:
the generation module is used for generating firewall CRD rule resources corresponding to the application service according to a preset black-and-white list configuration rule when the application service created by any user is acquired;
the first judging module is used for judging whether the application service corresponding to the firewall CRD rule resource is deployed to the local container or not when the firewall CRD rule resource is monitored;
the writing module is used for writing the firewall CRD rule resources into the kernel module through a ct_filter tool when the application services corresponding to the firewall CRD rule resources are deployed to the local container;
the apparatus further comprises:
the matching module is used for matching the service request message with the firewall CRD rule written in the kernel module when receiving the service request message of the client;
and the processing module is used for determining whether the service request message of the client is released or discarded according to the matching result.
6. The apparatus of claim 5, wherein the matching module further comprises:
the analysis module is used for analyzing the service request message of the client to obtain the IP address of the client;
the first matching sub-module is used for matching the IP address with a preset blacklist rule;
the interception module is used for intercepting the service request message corresponding to the IP address when the IP address is successfully matched with a preset blacklist rule;
the second judging module is used for judging whether the IP address is in an ESTABLISHED state or not when the IP address is not successfully matched with a preset blacklist rule;
the first sending module is used for sending the service request message corresponding to the IP address to the next hook point of Netfilter when the IP address is in an ESTABLISHED state;
when the IP address is not in the ESTABLISHED state, matching the IP address with a preset white list rule;
the second matching sub-module is used for discarding the service request message corresponding to the IP address when the IP address is not successfully matched with a preset white list rule;
and the second sending module is used for sending the service request message corresponding to the IP address to the next hook point of Netfilter when the IP address is successfully matched with a preset white list rule.
7. An electronic device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform the steps of the network security service configuration method of any of claims 1-4.
8. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the network security service configuration method according to any of claims 1-4.
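The per-packet decision of claims 2 to 4, worked through as an added Python simulation that is not code from the patent or from any product implementing it: a blacklist hit intercepts, an ESTABLISHED address goes to the next hook point, and otherwise the white list decides. The rule tables, conntrack table, sample addresses and CIDR matching are all constructed assumptions; the claims only speak of "IP address".

```python
"""Simulation of the per-packet decision in claims 2-4 of this patent.

Added illustration, not code from the patent or any product. The rule
tables, conntrack table and packets are constructed sample data, and
matching on CIDR prefixes is an assumption (the claims say "IP address").
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Verdicts modelled on Netfilter's NF_DROP / NF_ACCEPT semantics:
# "drop" discards the message, "next_hook" hands it to the next hook point.
DROP, NEXT_HOOK = "drop", "next_hook"


@dataclass
class FirewallRules:
    """Black/white lists as written into the kernel module by ct_filter (claim 1)."""
    blacklist: List[str] = field(default_factory=list)
    whitelist: List[str] = field(default_factory=list)


def _matches(ip: str, rules: List[str]) -> bool:
    """An address matches a list if it lies in any listed address or CIDR."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in rules)


def is_established(ip: str, conntrack: Optional[Set[str]]) -> Optional[bool]:
    """Claims 3-4: ESTABLISHED iff the address has a conntrack entry.

    Returns None when conntrack is not started; claim 4 then forwards the
    message to the next hook point without consulting the white list.
    """
    if conntrack is None:
        return None
    return ip in conntrack


def decide(src_ip: str, rules: FirewallRules, conntrack: Optional[Set[str]]) -> str:
    """Claim 2 decision order: blacklist, then ESTABLISHED, then white list."""
    if _matches(src_ip, rules.blacklist):      # blacklist hit: intercept
        return DROP
    state = is_established(src_ip, conntrack)
    if state is None or state:                 # conntrack off, or ESTABLISHED
        return NEXT_HOOK
    if _matches(src_ip, rules.whitelist):      # new connection: white list decides
        return NEXT_HOOK
    return DROP


def run_sample() -> dict:
    """Constructed sample: one blacklist CIDR, one white-listed host, one tracked flow."""
    rules = FirewallRules(blacklist=["198.51.100.0/24"], whitelist=["203.0.113.10"])
    conntrack = {"192.0.2.7"}                  # already-tracked connection
    packets = ["198.51.100.9", "192.0.2.7", "203.0.113.10", "192.0.2.99"]
    return {ip: decide(ip, rules, conntrack) for ip in packets}
```

Claim 4's branch is fail-open by design: with conntrack not started, a non-blacklisted address reaches the next hook point without the white list check, so a deployment that relies on the white list should confirm that conntrack is loaded on the node.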
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111617972.1A CN114499970B (en) | 2021-12-27 | 2021-12-27 | Network security service configuration method and device and electronic equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111617972.1A CN114499970B (en) | 2021-12-27 | 2021-12-27 | Network security service configuration method and device and electronic equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114499970A CN114499970A (en) | 2022-05-13 |
CN114499970B true CN114499970B (en) | 2023-06-23 |
Family
ID=81496447
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111617972.1A Active CN114499970B (en) | 2021-12-27 | 2021-12-27 | Network security service configuration method and device and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114499970B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102790758A (en) * | 2011-05-18 | 2012-11-21 | 海尔集团公司 | Firewall system and processing method thereof |
CN105471907A (en) * | 2015-12-31 | 2016-04-06 | 云南大学 | Openflow based virtual firewall transmission control method and system |
CN107147693A (en) * | 2017-03-30 | 2017-09-08 | 潘杰 | A kind of remote control type electronic communication device |
US10484334B1 (en) * | 2013-02-26 | 2019-11-19 | Zentera Systems, Inc. | Distributed firewall security system that extends across different cloud computing networks |
CN111600852A (en) * | 2020-04-27 | 2020-08-28 | 中国舰船研究设计中心 | Firewall design method based on programmable data plane |
CN113645223A (en) * | 2021-08-09 | 2021-11-12 | 杭州安恒信息技术股份有限公司 | Network protection management method, system, device and storage medium |
WO2021226781A1 (en) * | 2020-05-11 | 2021-11-18 | 深圳市欢太科技有限公司 | Firewall rule updating method and apparatus, server, and storage medium |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10951582B2 (en) * | 2018-02-09 | 2021-03-16 | Comcast Cable Communications, Llc | Dynamic firewall configuration |
US11489730B2 (en) * | 2018-12-18 | 2022-11-01 | Storage Engine, Inc. | Methods, apparatuses and systems for configuring a network environment for a server |
US20210314299A1 (en) * | 2020-04-07 | 2021-10-07 | Vmware, Inc. | Methods for revalidating fqdn rulesets in a firewall |
FR3110795A1 (en) * | 2020-05-25 | 2021-11-26 | Orange | Method for configuring firewall equipment in a communication network, method for updating a configuration for firewall equipment, device, access equipment, firewall equipment and corresponding computer programs. |
- 2021-12-27: CN CN202111617972.1A, patent/CN114499970B/en, status Active
Non-Patent Citations (2)
Title |
---|
Design and implementation of Linux firewall based on the frame of Netfilter/IPtable; Baoliang Wang, Kaining Lu, Peng Chang; 2016 11th International Conference on Computer Science & Education (ICCSE); pp. 949-953 * |
Research on an on-demand adaptation mechanism for security services across multiple data centers; 李畅 (Li Chang); 中国优秀硕士学位论文全文数据库 信息科技辑 (China Master's Theses Full-text Database, Information Science and Technology); p. I137-7 * |
Also Published As
Publication number | Publication date |
---|---|
CN114499970A (en) | 2022-05-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10038594B2 (en) | Centralized management of access points | |
EP4245057A1 (en) | Active assurance for virtualized services | |
US11641308B2 (en) | Software defined networking orchestration method and SDN controller | |
US20200162589A1 (en) | Intent based network data path tracing and instant diagnostics | |
EP3024175B1 (en) | Method and system for remote management of network devices | |
CN109960634B (en) | Application program monitoring method, device and system | |
US20210135967A1 (en) | Intelligent in-band telemetry auto-configuration for ip networks | |
CN111277457A (en) | Method, device and equipment for switching network environment and readable storage medium | |
CN113259162B (en) | Network fault determination method and device, electronic equipment and storage medium | |
CN112751947B (en) | Communication system and method | |
CN112564994B (en) | Flow monitoring method and device, cloud server and storage medium | |
CN108270591B (en) | Method for configuring network equipment and related equipment | |
CN115514667A (en) | Access service processing method, system, device, electronic equipment and storage medium | |
CN114499970B (en) | Network security service configuration method and device and electronic equipment | |
CN111901395A (en) | Multi-cluster switching method and device | |
CN107070725B (en) | A kind of method that server two-level management intermodule communication is shaken hands | |
US20150106490A1 (en) | Automatic notification of isolation | |
CN114513419A (en) | Security policy configuration method and system | |
CN112994942A (en) | SDN control method and device | |
CN109960645B (en) | Script test method and device and script test system | |
CN113472599B (en) | Data communication method and system of network node | |
CN115037664B (en) | Network connection testing method and device, repeater and storage medium | |
US11563640B2 (en) | Network data extraction parser-model in SDN | |
WO2023056826A1 (en) | Network connection method, electronic device, and storage medium | |
CN116319292A (en) | BMC network configuration method, device, equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | GR01 | Patent grant | |