CN114629853A - Traffic classification control method based on security service chain analysis in security resource pool - Google Patents


Info

Publication number: CN114629853A
Application number: CN202210187759.XA
Authority: CN (China)
Prior art keywords: security, data packet, security service, service chain, switch
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Other languages: Chinese (zh)
Inventors: 刘紫千, 常力元, 孙福兴, 李金伟, 刘长波, 陈林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Tianyi Safety Technology Co Ltd
Original Assignee: Tianyi Safety Technology Co Ltd
Application filed by Tianyi Safety Technology Co Ltd
Priority to CN202210187759.XA
Publication of CN114629853A
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2441 Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00 Packet switching elements
    • H04L49/70 Virtual switches
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An embodiment of the invention provides a traffic classification control method based on security service chain analysis in a security resource pool. A security service chain control center determines the security service chain configured by a user, calls a cloud security management platform to create, on at least one physical server of the security resource pool, at least one security virtual machine corresponding to that chain, and creates a virtual switch on each physical server that hosts one of the security virtual machines. The control center then generates drainage (traffic steering) policies and issues them to the traffic classification controller and to the virtual switches. The traffic classification controller modifies the network information in each received data packet according to its drainage policy and forwards the packet to the virtual switch; the virtual switch forwards the received packet to the security virtual machine on its physical server for security processing according to its drainage policy, then modifies the network information in the processed packet according to the drainage policy and forwards it to the virtual switch of the next physical server or to the core switch.

Description

Traffic classification control method based on security service chain analysis in security resource pool
Technical Field
The invention relates to the technical field of information security, and in particular to a traffic classification control method based on security service chain analysis in a security resource pool.
Background
In the field of information security, with the development of cloud computing and virtualization, security resource pools built on virtualization technology have become a new way of solving network security problems. In a security resource pool, traditional security products are virtualized and then deployed and run as virtual machines on dedicated virtualization servers, and those servers are connected through a dedicated switch to form the pool. Because the security products are deployed centrally in the pool, inline network security devices such as firewalls can no longer be inserted directly into the user's network; instead, network traffic must be steered by a traffic diversion technique so that it passes in series through the inline security devices in the security resource pool.
A security service chain describes the path a data message takes through a sequence of security service nodes, in an order predetermined by the business logic, as it is transmitted through the network; the security service nodes include firewalls, intrusion detection systems, web application firewalls and the like. In the security resource pool scenario, Software Defined Networking (SDN) is commonly used for traffic steering and is one of the usual ways of implementing a security service chain: a physical SDN switch serves as the access switch of the security resource pool and steers traffic to the physical servers in the pool.
However, building a security resource pool on physical SDN switches has two problems. First, the flow table chip of an SDN switch is expensive and cannot hold many flow table entries; when the user's network is large and complex, the flow table frequently overflows and the SDN switch stops working normally. Second, the OpenFlow protocol versions implemented by SDN switches from different manufacturers are not uniform, so features that depend on a recent OpenFlow version cannot be used in many projects that specify a particular manufacturer's switch.
Disclosure of Invention
An embodiment of the invention provides a traffic classification control method based on security service chain analysis in a security resource pool, which addresses the limited number of flow table entries and the poor compatibility encountered in the prior art when traffic in a security resource pool is steered by a physical SDN switch.
An embodiment of the invention provides a traffic classification control method based on security service chain analysis in a security resource pool, applied to a security service chain control center and comprising the following steps:
according to a security service chain configured by a user, calling the cloud security management platform to create, on at least one physical server of the security resource pool, at least one security virtual machine corresponding to the security service chain, and calling the cloud security management platform to create a virtual switch on each physical server on which a security virtual machine was created; the virtual switch is connected to every security virtual machine on that physical server, and each security virtual machine implements one security service processing step indicated by the security service chain;
generating, from the security service chain and the network information corresponding to the security virtual machines, a first drainage policy for the traffic classification controller and a second drainage policy and a third drainage policy for the virtual switches, and issuing the first drainage policy to the traffic classification controller and the second and third drainage policies to the virtual switches. The traffic classification controller, according to the first drainage policy, modifies the network information in a data packet received from the core switch into the network information of the first virtual switch indicated by the first drainage policy, then sends the packet to the first virtual switch through the physical switch of the security resource pool. The virtual switch sends the received packet to the corresponding security virtual machine for security service processing according to the second drainage policy, modifies the network information in the processed packet into the network information of the next node indicated by the third drainage policy, and sends the packet to the next node through the security resource pool physical switch;
the first virtual switch is, among all the virtual switches, the one connected to the security virtual machine that implements the first security service processing step indicated by the security service chain.
Optionally, if the physical server hosting the virtual switch is not the physical server hosting the security virtual machine that implements the last security service processing step indicated by the security service chain, the next node is the virtual switch corresponding to the security virtual machine that implements the next security service processing step;
and if the physical server hosting the virtual switch is the physical server hosting the security virtual machine that implements the last security service processing step indicated by the security service chain, the next node is the core switch.
Optionally, the network information corresponding to a security virtual machine includes the media access control (MAC) address of the physical server hosting the security virtual machine and the port number of the virtual switch port corresponding to that security virtual machine.
Based on the same inventive concept, an embodiment of the present invention further provides a traffic classification control method based on security service chain analysis in a security resource pool, applied to a traffic classification controller and comprising:
receiving a data packet transmitted by a core switch;
when the data packet is determined to match a first drainage policy, modifying the network information in the data packet into the network information of the first virtual switch indicated by the first drainage policy, and then forwarding the data packet to the physical switch of the security resource pool, so that the security resource pool physical switch sends the data packet to the physical server hosting the first virtual switch;
the first drainage policy is generated by a security service chain control center from the security service chain set by the user and the network information corresponding to the first virtual switch, and is issued to the traffic classification controller.
Optionally, before determining that the data packet matches the first drainage policy, the method further includes:
determining that the data packet belongs to north-south traffic;
and the method further includes:
when the data packet is determined to belong to east-west traffic, decapsulating and decrypting the east-west data packet and then distributing it to the physical server hosting the bypass security device.
Optionally, determining whether the data packet belongs to north-south traffic or east-west traffic includes:
determining whether the data packet belongs to north-south traffic or east-west traffic according to the virtual local area network identifier (VLAN ID) or the virtual extensible local area network identifier (VXLAN ID) of the data packet.
Optionally, the data packet is determined to match the first drainage policy according to the result of at least one of the following checks:
judging whether the VLAN ID in the data packet is the same as the VLAN ID configured in the first drainage policy;
judging whether the VXLAN ID in the data packet is the same as the VXLAN ID configured in the first drainage policy;
and judging whether the Internet Protocol (IP) address in the data packet is the same as the IP address configured in the first drainage policy.
Optionally, modifying the network information in the data packet into the network information of the first virtual switch indicated by the first drainage policy includes:
modifying the destination MAC address in the data packet into the MAC address of the physical server hosting the first virtual switch, as indicated by the first drainage policy.
Based on the same inventive concept, an embodiment of the present invention further provides a traffic classification control method based on security service chain analysis in a security resource pool, applied to a physical server in the security resource pool and comprising:
creating at least one security virtual machine according to an instruction from a cloud security management platform, and creating a virtual switch connected to the security virtual machine; the cloud security management platform instructs the physical server in response to a call from a security service chain control center, and the security service chain control center calls the cloud security management platform according to a security service chain configured by a user; the security service chain indicates the security service processing steps that data packets must undergo in sequence in the security resource pool, and each security virtual machine implements one security service processing step indicated by the security service chain;
receiving, through the virtual switch, a data packet forwarded by the security resource pool switch, and, after determining that the data packet matches a second drainage policy, sending the data packet to the corresponding security virtual machine according to the second drainage policy; after the security virtual machine performs security service processing on the data packet sent by the virtual switch, returning the data packet to the virtual switch;
after the virtual switch determines that the data packet matches a third drainage policy, modifying the network information in the data packet into the network information of the next node indicated by the third drainage policy, and forwarding the data packet to the physical switch of the security resource pool, so that the security resource pool physical switch sends the data packet to the next node;
the second drainage policy and the third drainage policy are generated by the security service chain control center from the security service chain set by the user and the network information corresponding to the security virtual machines of that chain, and are issued to the virtual switch.
Optionally, if the physical server does not host the security virtual machine that implements the last security service processing step indicated by the security service chain, the next node is the virtual switch corresponding to the security virtual machine that implements the next security service processing step;
and if the physical server hosts the security virtual machine that implements the last security service processing step indicated by the security service chain, the next node is the core switch.
Optionally, the data packet is determined to match the second drainage policy or the third drainage policy according to the result of at least one of the following checks:
judging whether the VLAN ID in the data packet is the same as the VLAN ID configured in the second drainage policy or the third drainage policy;
judging whether the VXLAN ID in the data packet is the same as the VXLAN ID configured in the second drainage policy or the third drainage policy;
judging whether the IP address in the data packet is the same as the IP address configured in the second drainage policy or the third drainage policy;
and judging whether the port number on which the data packet entered the virtual switch is the same as the port number configured in the second drainage policy or the third drainage policy.
Optionally, modifying, by the virtual switch, the network information in the data packet into the network information of the next node indicated by the third drainage policy includes:
modifying, by the virtual switch, the destination MAC address in the data packet into the MAC address of the physical server hosting the next node indicated by the third drainage policy.
Optionally, sending, by the virtual switch, the data packet to the corresponding security virtual machine according to the second drainage policy includes:
sending, by the virtual switch, the data packet to the corresponding security virtual machine through the virtual switch port indicated by the second drainage policy.
Based on the same inventive concept, an embodiment of the present invention further provides a security service chain control center, including:
a unit that calls the cloud security management platform to create, on the physical servers of a security resource pool, the security virtual machines corresponding to a security service chain, and to create a virtual switch on each physical server that hosts one of them; the virtual switch is connected to every security virtual machine on that physical server, and each security virtual machine implements one security service processing step indicated by the security service chain;
a drainage policy configuration unit, used to generate, from the security service chain and the network information corresponding to the security virtual machines, a first drainage policy for the traffic classification controller and a second drainage policy and a third drainage policy for the virtual switches, and to issue the first drainage policy to the traffic classification controller and the second and third drainage policies to the virtual switches. The traffic classification controller, according to the first drainage policy, modifies the network information in a data packet received from the core switch into the network information of the first virtual switch indicated by the first drainage policy, then sends the packet to the first virtual switch through the physical switch of the security resource pool. The virtual switch sends the received packet to the corresponding security virtual machine for security service processing according to the second drainage policy, modifies the network information in the processed packet into the network information of the next node indicated by the third drainage policy, and sends the packet to the next node through the security resource pool physical switch;
the first virtual switch is, among all the virtual switches, the one connected to the security virtual machine that implements the first security service processing step indicated by the security service chain.
Based on the same inventive concept, an embodiment of the present invention further provides a traffic classification controller, including:
a data packet receiving unit, configured to receive a data packet transmitted by a core switch;
a serial drainage unit, used, when the data packet is determined to match the first drainage policy, to modify the network information in the data packet into the network information of the first virtual switch indicated by the first drainage policy and then forward the data packet to the physical switch of the security resource pool, so that the security resource pool physical switch sends the data packet to the physical server hosting the first virtual switch;
the first drainage policy is generated by a security service chain control center from the security service chain set by the user and the network information corresponding to the first virtual switch, and is issued to the traffic classification controller.
Based on the same inventive concept, an embodiment of the present invention further provides a physical server, including:
a security service configuration unit, used to create at least one security virtual machine according to an instruction from a cloud security management platform and to create a virtual switch connected to the security virtual machine; the cloud security management platform instructs the physical server in response to a call from a security service chain control center, and the security service chain control center calls the cloud security management platform according to a security service chain configured by a user; the security service chain indicates the security service processing steps that a data packet must undergo in sequence in the security resource pool, and each security virtual machine implements one security service processing step indicated by the security service chain;
a traffic introducing unit, used to receive, through the virtual switch, a data packet forwarded by the security resource pool switch, determine that the data packet matches a second drainage policy, and then send the data packet to the corresponding security virtual machine according to the second drainage policy; after the security virtual machine performs security service processing on the data packet sent by the virtual switch, the data packet is returned to the virtual switch;
a traffic leading-out unit, used, after the virtual switch determines that the data packet matches a third drainage policy, to modify the network information in the data packet into the network information of the next node indicated by the third drainage policy and forward the data packet to the physical switch of the security resource pool, so that the security resource pool physical switch sends the data packet to the next node;
the second and third drainage policies are generated by the security service chain control center from the security service chain set by the user and the network information corresponding to the security virtual machines of that chain, and are issued to the virtual switch.
Based on the same inventive concept, an embodiment of the present invention further provides an electronic device, including a processor and a memory for storing processor-executable instructions;
the processor is configured to execute the instructions to implement the traffic classification control method based on security service chain analysis in a security resource pool applied to the security service chain control center, to the traffic classification controller, or to the physical server.
Based on the same inventive concept, an embodiment of the present invention further provides a computer-readable storage medium storing a computer program, where the computer program implements the traffic classification control method based on security service chain analysis in a security resource pool applied to the security service chain control center, to the traffic classification controller, or to the physical server.
The invention has the following beneficial effects:
with the traffic classification control method based on security service chain analysis in a security resource pool provided by the embodiment of the invention, traffic is steered into the security resource pool switch according to a fine-grained, software-defined security service chain and then distributed to the physical servers in the security resource pool, without using a physical SDN switch. This avoids the shortage of flow table entries that fine-grained, software-defined security service chain steering runs into on a physical SDN switch in a large and complex network, so the system can issue and use more security service chains at the same time. Also, because no physical SDN switch is used, an ordinary layer-2 switch can forward the data packets, which reduces cost.
Drawings
Fig. 1 is a schematic structural diagram of a security service system applied in an embodiment of the present invention;
Fig. 2 is a schematic diagram illustrating the flow of data packets in the security service system according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of the traffic classification control method based on security service chain analysis in a security resource pool applied to a security service chain control center according to an embodiment of the present invention;
Fig. 4 is a schematic flowchart of the traffic classification control method based on security service chain analysis in a security resource pool applied to a traffic classification controller according to an embodiment of the present invention;
Fig. 5 is a schematic flowchart of the traffic classification control method based on security service chain analysis in a security resource pool applied to a physical server according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a security service chain control center according to an embodiment of the present invention;
Fig. 7 is a second schematic structural diagram of a security service chain control center according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a traffic classification controller according to an embodiment of the present invention;
Fig. 9 is a second schematic structural diagram of a traffic classification controller according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a physical server according to an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, the present invention is further described in conjunction with the accompanying drawings and examples. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar structures, and thus their repetitive description will be omitted. The words expressing the position and direction described in the present invention are illustrated in the accompanying drawings, but may be changed as required and still be within the scope of the present invention. The drawings of the present invention are for illustrative purposes only and do not represent true scale.
It should be noted that in the following description, specific details are set forth in order to provide a thorough understanding of the present invention. The invention can be implemented in a number of ways different from those described herein and similar generalizations can be made by those skilled in the art without departing from the spirit of the invention. Therefore, the present invention is not limited to the specific embodiments disclosed below. The description which follows is a preferred embodiment of the present application, but is made for the purpose of illustrating the general principles of the application and not for the purpose of limiting the scope of the application. The protection scope of the present application shall be subject to the definitions of the appended claims.
The following describes the traffic classification control method based on security service chain analysis in a security resource pool according to an embodiment of the present invention with reference to the accompanying drawings.
The traffic classification control method based on security service chain analysis in a security resource pool provided by the embodiment of the present invention can be applied to the security service system shown in Fig. 1. The security service system includes a cloud security management platform, a core switch, a security service chain control center, a traffic classification controller, a security resource pool physical switch, and at least one physical server in the security resource pool. The physical servers of the security resource pool perform the security service processing on the traffic. The cloud security management platform, the security service chain control center and the traffic classification controller may each be deployed as a separate physical server in the form of a hardware device, or any of the three may be deployed as a virtual machine on any physical server in the security resource pool.
The operation of each device is explained below by following the procedure through which the devices of the security service system implement traffic classification control.
In the configuration stage of traffic classification control:
S10, the security service chain control center determines the security service chain configured by the user. The security service chain indicates the security service processing steps that data packets must undergo in sequence in the security resource pool.
In a specific implementation, different users may configure different security service chains, so the correspondences among the physical servers, the security virtual machines and the other elements involved in the subsequent steps also differ; the description here takes the security service chain configured by one particular user as the example.
In a specific implementation, the security service chain control center lets the user configure the security service chain through a visual interface, which includes configuring the security service processing steps that make up the chain, adjusting the order of those steps, and maintaining the correspondence between the security service chain and its processing steps.
S11, according to the security service chain configured by the user, the security service chain control center calls the cloud security management platform to create, on at least one physical server of the security resource pool, at least one security virtual machine corresponding to the chain, and to create a virtual switch on each physical server on which a security virtual machine was created; the virtual switch is connected to every security virtual machine on that physical server, and each security virtual machine implements one security service processing step indicated by the security service chain.
S12, the cloud security management platform creates the security virtual machines and the virtual switches as called for by the security service chain control center, and then returns the network information corresponding to each security virtual machine to the security service chain control center.
S13, from the security service chain and the network information corresponding to each security virtual machine, the security service chain control center generates a first drainage policy for the traffic classification controller and a second drainage policy and a third drainage policy for the virtual switches, and issues the first drainage policy to the traffic classification controller and the second and third drainage policies to the virtual switches.
S14, the traffic classification controller receives and stores the first drainage policy, and the virtual switches receive and store the second drainage policy and the third drainage policy.
In the execution stage of traffic classification control:
S20. The core switch receives a data packet and sends it to the traffic classification controller.
In a specific implementation, the network card of the traffic classification controller is directly connected to the core switch, and the core switch sends the received packet to the traffic classification controller by policy-based routing.
S22. The traffic classification controller determines whether the packet matches a first steering policy. If it does, the controller rewrites the network information in the packet to the network information of the next node indicated by the first steering policy, and then forwards the packet to the physical switch of the security resource pool. The next node indicated by the first steering policy is the first virtual switch, that is, the one among the virtual switches that is connected to the security virtual machine implementing the first security service process indicated by the security service chain.
It should be noted that the method is mainly described here using one user's security service chain as an example. In practice the security service system may process packets of multiple users at the same time, so the traffic classification controller may store the first steering policies of the security service chains of different users; a packet that does not match this first steering policy may match the first steering policy of another security service chain. This is not repeated below.
S23. The physical switch of the security resource pool forwards the packet to the node indicated by the network information carried in the packet.
S24. The physical server receives, through its virtual switch, the packet forwarded by the physical switch of the security resource pool.
S25. The physical server determines, through the virtual switch, whether the packet matches a second steering policy.
If the result of step S25 is yes, step S26 is performed.
S26. The virtual switch of the physical server sends the packet to the corresponding security virtual machine according to the second steering policy.
S27. The physical server performs the security service processing on the packet sent by the virtual switch in the security virtual machine, and then returns the packet to the virtual switch.
In a specific implementation, if several security virtual machines corresponding to the security service chain have been created on the physical server, the process returns to step S25 to determine whether the packet returned to the virtual switch still needs to be processed by another security service on this physical server; step S28 is performed once the packet has completed all security service processes that are to be performed on this physical server.
S28. The physical server determines, through the virtual switch, whether the packet matches a third steering policy.
If the result of step S28 is yes, step S29 is performed.
It should be noted, again, that the method is described here using one user's security service chain as an example. In practice the security service system may process packets of multiple users at the same time, so the second and third steering policies of the security service chains of different users may be stored in the same virtual switch; a packet that does not match the second or third steering policy described above may match the second or third steering policy of another security service chain. This is not repeated below.
S29. The physical server, through the virtual switch, rewrites the network information in the packet to the network information of the next node indicated by the third steering policy, and then forwards the packet to the physical switch of the security resource pool.
If this physical server is not the one hosting the security virtual machine that implements the last security service process indicated by the security service chain, the next node is the virtual switch corresponding to the security virtual machine implementing the next security service process; if it is that physical server, the next node is the core switch. The process then returns to step S23.
Through these steps the packet enters the security resource pool from the core switch, is processed by the security virtual machines on the physical servers of the pool in the order indicated by the security service chain, and returns to the reinjection port of the core switch to leave the security resource pool.
Thus, with the traffic classification control method provided by the embodiment of the present invention, traffic that has entered the switch of the security resource pool is distributed to the physical servers of the pool according to a fine-grained, software-defined security service chain without requiring an SDN physical switch. This avoids the shortage of flow table entries that fine-grained, software-defined service chain steering on an SDN physical switch suffers in large and complex network environments, so the system can issue and use more security service chains simultaneously. Because no SDN physical switch is used, an ordinary layer-2 switch can forward the packets, which reduces cost.
Optionally, before step S22, the traffic classification controller further performs the following step:
S21. The traffic classification controller determines whether the packet belongs to north-south traffic or east-west traffic.
If the packet belongs to north-south traffic, step S22 is performed; if it belongs to east-west traffic, step S30 is performed.
S30. The traffic classification controller decapsulates and decrypts the packet and distributes it to the physical server where the bypass security device is located.
In this way the traffic classification controller can simultaneously support the bypass (out-of-path) steering required by east-west traffic and the in-line (serial) steering required by north-south traffic.
Optionally, in step S21 the traffic classification controller determines whether the packet belongs to north-south traffic or east-west traffic according to the virtual local area network identifier (VLAN ID) or the virtual extensible local area network identifier (VXLAN ID) of the packet.
Optionally, the network information corresponding to a security virtual machine includes the Media Access Control (MAC) address of the physical server hosting the security virtual machine and the port numbers of the virtual switch corresponding to the security virtual machine.
Optionally, the traffic classification controller determines that the packet matches the first steering policy when at least one of the following comparisons yields equality:
(1) whether the VLAN ID in the packet equals the VLAN ID configured in the first steering policy;
(2) whether the VXLAN ID in the packet equals the VXLAN ID configured in the first steering policy;
(3) whether the Internet Protocol (IP) address in the packet equals the IP address configured in the first steering policy.
Optionally, the physical server determines, through the virtual switch, that the packet matches the second steering policy or the third steering policy when at least one of the following comparisons yields equality:
(1) whether the VLAN ID in the packet equals the VLAN ID configured in the second or third steering policy;
(2) whether the VXLAN ID in the packet equals the VXLAN ID configured in the second or third steering policy;
(3) whether the IP address in the packet equals the IP address configured in the second or third steering policy;
(4) whether the port on which the packet entered the virtual switch equals the port number configured in the second or third steering policy.
Optionally, rewriting the network information in the packet to the network information of the next node indicated by the first or third steering policy (by the traffic classification controller, or by the physical server through its virtual switch) consists of:
rewriting the destination MAC address of the packet to the MAC address of the next node indicated by the first or third steering policy.
Step S23, in which the physical switch of the security resource pool forwards the packet to the node indicated by the network information carried in the packet, then consists of:
the physical switch of the security resource pool forwarding the packet at layer 2 to the node indicated by the network information carried in the packet. Since only the destination MAC address is rewritten, the traffic classification controller, the physical servers and the reinjection port of the core switch must all be reachable from one another at layer 2 through the physical switch of the security resource pool.
Optionally, in step S26, sending the packet to the corresponding security virtual machine according to the second steering policy consists of:
the virtual switch of the physical server sending the packet to the corresponding security virtual machine through the virtual switch port indicated by the second steering policy.
The above process is illustrated with a specific example, shown in FIG. 2; for ease of understanding, FIG. 2 marks only some of the data-transfer steps between the devices.
In the configuration stage of traffic classification control:
【1】 The security service chain control center determines the security service chain configured by the user. The chain indicates that the packet must pass, in order, through two security service processes in the security resource pool: a virtual firewall (vFW) and a virtual web application firewall (vWAF, described in the source as a website application-level intrusion prevention system).
【2】 According to the chain configured by the user, the security service chain control center calls the cloud security management platform to create the security virtual machine vFW1 for the virtual firewall on physical server Server1 of the security resource pool and the security virtual machine vWAF1 for the vWAF on physical server Server2, and to create virtual switches VS1 and VS2 on Server1 and Server2 respectively. VS1 on Server1 is connected to vFW1, and VS2 on Server2 is connected to vWAF1.
【3】 After creating vFW1, vWAF1 and the virtual switches as called by the security service chain control center, the cloud security management platform returns to the control center the MAC addresses MAC1 and MAC2 of Server1 and Server2 and the port numbers of VS1 and VS2 (the ingress port of vFW1 on VS1 is port1 and its egress port is port2, and the uplink port of VS1 is port5; the ingress port of vWAF1 on VS2 is port3 and its egress port is port4, and the uplink port of VS2 is port6).
【4】 According to the security service chain, the MAC addresses of Server1 and Server2, and the port numbers of VS1 and VS2, the security service chain control center generates the first steering policy for the traffic classification controller and the second and third steering policies for the virtual switches, and issues the first steering policy to the traffic classification controller and the second and third steering policies to the virtual switches.
For example, with Open vSwitch, the second steering policy issued to VS1 is (ID1, MAC2, MAC3 and portN are placeholders for the actual VLAN number, MAC addresses and OpenFlow port numbers or names):
ovs-ofctl add-flow VS1 "dl_vlan=ID1,in_port=port5,actions=output:port1"
that is, a packet whose ingress port is port5 and whose VLAN ID is ID1 is sent out of port1.
The third steering policy issued to VS1 is:
ovs-ofctl add-flow VS1 "in_port=port2,actions=mod_dl_dst:MAC2,output:port5"
that is, the destination MAC address of a packet whose ingress port is port2 is rewritten to MAC2 and the packet is sent out of port5.
The second steering policy issued to VS2 is:
ovs-ofctl add-flow VS2 "dl_vlan=ID1,in_port=port6,actions=output:port3"
that is, a packet whose ingress port is port6 and whose VLAN ID is ID1 is sent out of port3.
The third steering policy issued to VS2 is:
ovs-ofctl add-flow VS2 "in_port=port4,actions=mod_dl_dst:MAC3,output:port6"
that is, the destination MAC address of a packet whose ingress port is port4 is rewritten to MAC3 (the MAC address of the core switch) and the packet is sent out of port6.
【5】 The traffic classification controller receives and stores the first steering policy; the virtual switches receive and store the second and third steering policies.
In the execution stage of traffic classification control:
【6】 The core switch receives a packet and sends it to the traffic classification controller. The network card of the traffic classification controller is directly connected to the core switch, and the core switch sends the received packet to the traffic classification controller by policy-based routing.
【7】 The traffic classification controller determines that the packet belongs to north-south traffic because the VLAN ID in the packet is ID1.
【8】 The traffic classification controller determines that the packet matches the first steering policy because its VLAN ID is ID1, rewrites the destination MAC address of the packet to MAC1, and then forwards the packet to the physical switch of the security resource pool.
【9】 The physical switch of the security resource pool forwards the packet at layer 2 to the physical network card of Server1.
【10】 Server1 receives the packet on port5 of virtual switch VS1.
【11】 Server1 determines, through VS1, that the packet matches the second steering policy of VS1 because the VLAN ID of the packet is ID1 and the packet entered the virtual switch on port5.
【12】 VS1 on Server1 sends the packet to the security virtual machine vFW1 through port1 according to the second steering policy of VS1.
【13】 After Server1 performs the security service processing on the packet in vFW1, the packet is returned to VS1 through port2 of VS1.
【14】 Server1 determines, through VS1, that the packet matches the third steering policy of VS1 because the packet entered the virtual switch on port2.
【15】 Server1, through VS1, rewrites the destination MAC address of the packet to MAC2 and then forwards the packet to the physical switch of the security resource pool.
【16】 The physical switch of the security resource pool forwards the packet at layer 2 to the physical network card of Server2.
【17】 Server2 receives the packet on port6 of virtual switch VS2.
【18】 Server2 determines, through VS2, that the packet matches the second steering policy of VS2 because the VLAN ID of the packet is ID1 and the packet entered the virtual switch on port6.
【19】 VS2 on Server2 sends the packet to the security virtual machine vWAF1 through port3 according to the second steering policy of VS2.
【20】 After Server2 performs the security service processing on the packet in vWAF1, the packet is returned to VS2 through port4 of VS2 (the egress port of vWAF1 named in step 【3】).
【21】 Server2 determines, through VS2, that the packet matches the third steering policy of VS2 because the packet entered the virtual switch on port4.
【22】 Server2, through VS2, rewrites the destination MAC address of the packet to MAC3 and then forwards the packet to the physical switch of the security resource pool.
【23】 The physical switch of the security resource pool forwards the packet at layer 2 to the reinjection port of the core switch.
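The configuration stage 【1】 to 【5】 and the execution stage 【6】 to 【23】 above, as an added example that is not code from the patent or from its assignee: a small model that derives the first, second and third steering policies from the chain definition and the network information returned in step 【3】, renders the second and third policies as the ovs-ofctl commands the control center would issue, and walks one packet from the core switch through vFW1 and vWAF1 back to the reinjection port. The VLAN value 100 standing in for ID1, the packet's original destination MAC, the single security virtual machine per physical server, and the rule that an unmatched packet is dropped are all assumptions (the patent does not say what happens to a packet that matches no steering policy).

```python
"""Added example (not code from the patent): a model of the three-level steering
described in steps [1]-[23].  Assumptions: one security VM per physical server (as
in the example), VLAN 100 stands in for ID1, and a packet matching no policy is
dropped rather than forwarded.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    vlan: int
    dst_mac: str


@dataclass(frozen=True)
class SecurityVM:
    name: str        # e.g. "vFW1"
    server_mac: str  # MAC of the hosting physical server (MAC1 / MAC2)
    vswitch: str     # virtual switch on that server (VS1 / VS2)
    in_port: str     # vswitch port toward the VM
    out_port: str    # vswitch port on which the VM returns the packet
    uplink: str      # vswitch port toward the physical switch of the pool


CORE_SWITCH_MAC = "MAC3"  # MAC of the core switch reinjection port (patent placeholder)
ID1 = 100                 # constructed VLAN ID of the example tenant (assumption)

# Network information returned by the cloud security management platform in step [3]
VFW1 = SecurityVM("vFW1", "MAC1", "VS1", in_port="port1", out_port="port2", uplink="port5")
VWAF1 = SecurityVM("vWAF1", "MAC2", "VS2", in_port="port3", out_port="port4", uplink="port6")
CHAIN = [VFW1, VWAF1]     # the user's chain: vFW first, then vWAF


def generate_policies(chain, vlan_id):
    """Step [4]: derive the first (TCC), second (VS ingress) and third (VS egress) policies.

    Returns (first, second, third); second and third map a virtual switch name to its rules.
    """
    first = {"match": {"vlan": vlan_id}, "set_dst": chain[0].server_mac}
    second, third = {}, {}
    for i, vm in enumerate(chain):
        # The third policy points at the next server in the chain, or back to the core switch
        next_mac = chain[i + 1].server_mac if i + 1 < len(chain) else CORE_SWITCH_MAC
        second.setdefault(vm.vswitch, []).append(
            {"match": {"vlan": vlan_id, "in_port": vm.uplink}, "output": vm.in_port})
        third.setdefault(vm.vswitch, []).append(
            {"match": {"in_port": vm.out_port}, "set_dst": next_mac, "output": vm.uplink})
    return first, second, third


def to_ovs_ofctl(bridge, rule):
    """Render one second/third policy as an ovs-ofctl command (a real deployment uses a
    numeric VLAN ID, real MAC addresses and OpenFlow port numbers or names)."""
    match = []
    if "vlan" in rule["match"]:
        match.append("dl_vlan=%s" % rule["match"]["vlan"])
    if "in_port" in rule["match"]:
        match.append("in_port=%s" % rule["match"]["in_port"])
    actions = []
    if "set_dst" in rule:
        actions.append("mod_dl_dst:%s" % rule["set_dst"])
    actions.append("output:%s" % rule["output"])
    return 'ovs-ofctl add-flow %s "%s,actions=%s"' % (bridge, ",".join(match), ",".join(actions))


def _match(rules, fields):
    """First rule whose match fields all equal the packet's; an unmatched packet is dropped."""
    for rule in rules:
        if all(fields.get(k) == v for k, v in rule["match"].items()):
            return rule
    raise LookupError("no steering policy matched %r; packet dropped" % (fields,))


def simulate(pkt, chain, first, second, third):
    """Steps [6]-[23]: walk one packet from the core switch through the chain and back.

    Returns the ordered list of hops the packet takes.
    """
    hops = ["core_switch", "tcc"]
    # Step [8]: the TCC matches the first policy on the VLAN ID and rewrites the destination MAC
    _match([first], {"vlan": pkt.vlan})
    pkt.dst_mac = first["set_dst"]
    by_mac = {vm.server_mac: vm for vm in chain}
    while pkt.dst_mac != CORE_SWITCH_MAC:
        vm = by_mac[pkt.dst_mac]                  # layer-2 forwarding by the physical switch
        hops.append("fabric->" + vm.vswitch)
        rule = _match(second[vm.vswitch], {"vlan": pkt.vlan, "in_port": vm.uplink})
        hops.append("%s:%s->%s" % (vm.vswitch, rule["output"], vm.name))
        # The VM hands the packet back on its out_port; the third policy then applies
        rule = _match(third[vm.vswitch], {"in_port": vm.out_port})
        pkt.dst_mac = rule["set_dst"]
        hops.append("%s:%s->fabric" % (vm.vswitch, rule["output"]))
    hops.append("core_switch_reinject")
    return hops


if __name__ == "__main__":
    first, second, third = generate_policies(CHAIN, ID1)
    for bridge in ("VS1", "VS2"):
        for rule in second[bridge] + third[bridge]:
            print(to_ovs_ofctl(bridge, rule))
    print(simulate(Packet(vlan=ID1, dst_mac="MAC_TENANT"), CHAIN, first, second, third))
```

The model makes explicit what the steps leave implicit: every hop depends on a rule keyed only on VLAN ID and ingress port, and a packet that arrives on a port with no second or third rule has nowhere to go. Here it is dropped; on a real Open vSwitch bridge the handling of a table-miss depends on the OpenFlow version and fail-mode in use, so a deployment should install an explicit low-priority catch-all rule rather than rely on the default.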
Based on the same inventive concept, an embodiment of the present invention further provides a traffic classification control method based on security service chain analysis in a security resource pool, applied to a security service chain control center. As shown in FIG. 3, the method includes:
S101. According to a security service chain configured by a user, calling a cloud security management platform to create at least one security virtual machine corresponding to the security service chain on at least one physical server of a security resource pool, and calling the cloud security management platform to create a virtual switch on each physical server on which a security virtual machine has been created. The virtual switch is connected to every security virtual machine on that physical server, and each security virtual machine implements one security service process indicated by the security service chain.
S102. According to the security service chain and the network information corresponding to the security virtual machines, generating a first steering policy for a traffic classification controller and a second steering policy and a third steering policy for the virtual switches, and issuing the first steering policy to the traffic classification controller and the second and third steering policies to the virtual switches. The traffic classification controller, according to the first steering policy, rewrites the network information in a packet received from the core switch to the network information of the first virtual switch indicated by the first steering policy and sends the packet to the first virtual switch through the physical switch of the security resource pool. The virtual switch sends the received packet to the corresponding security virtual machine for security service processing according to the second steering policy, rewrites the network information in the processed packet to the network information of the next node indicated by the third steering policy according to the third steering policy, and sends the packet to the next node through the physical switch of the security resource pool.
The first virtual switch is the one among the virtual switches that is connected to the security virtual machine implementing the first security service process indicated by the security service chain.
Optionally, if the physical server hosting the virtual switch is not the physical server hosting the security virtual machine that implements the last security service process indicated by the security service chain, the next node is the virtual switch corresponding to the security virtual machine implementing the next security service process;
and if the physical server hosting the virtual switch is the physical server hosting the security virtual machine that implements the last security service process indicated by the security service chain, the next node is the core switch.
Optionally, the network information corresponding to a security virtual machine includes the MAC address of the physical server hosting the security virtual machine and the port numbers of the virtual switch corresponding to the security virtual machine.
Based on the same inventive concept, an embodiment of the present invention further provides a traffic classification control method based on security service chain analysis in a security resource pool, applied to a traffic classification controller. As shown in FIG. 4, the method includes:
S201. Receiving a packet sent by the core switch.
S203. Determining whether the packet matches a first steering policy.
If the result of step S203 is yes, step S204 is performed.
S204. Rewriting the network information in the packet to the network information of the first virtual switch indicated by the first steering policy, and then forwarding the packet to the physical switch of the security resource pool, so that the physical switch of the security resource pool sends the packet to the physical server hosting the first virtual switch.
The first steering policy is generated by the security service chain control center according to the security service chain configured by the user and the network information corresponding to the first virtual switch, and is issued to the traffic classification controller.
Optionally, before step S203, the method further includes:
S202. Determining whether the packet belongs to north-south traffic or east-west traffic.
If the result of step S202 is that the packet belongs to north-south traffic, step S203 is performed; if the result is that the packet belongs to east-west traffic, step S205 is performed.
S205. Decapsulating and decrypting the east-west packet and then distributing it to the physical server where the bypass security device is located.
Optionally, step S202, determining whether the packet belongs to north-south traffic or east-west traffic, includes:
determining whether the packet belongs to north-south traffic or east-west traffic according to the VLAN ID or the VXLAN ID of the packet.
Optionally, the packet is determined to match the first steering policy when at least one of the following comparisons yields equality:
whether the VLAN ID in the packet equals the VLAN ID configured in the first steering policy;
whether the VXLAN ID in the packet equals the VXLAN ID configured in the first steering policy;
whether the IP address in the packet equals the IP address configured in the first steering policy.
Optionally, in step S204, rewriting the network information in the packet to the network information of the first virtual switch indicated by the first steering policy includes:
rewriting the destination MAC address of the packet to the MAC address, indicated by the first steering policy, of the physical server hosting the first virtual switch.
Based on the same inventive concept, an embodiment of the present invention further provides a traffic classification control method based on security service chain analysis in a security resource pool, applied to a physical server in the security resource pool. As shown in FIG. 5, the method includes:
S301. Creating at least one security virtual machine, and a virtual switch connected to the security virtual machines, according to an instruction from the cloud security management platform. The cloud security management platform instructs the physical server in response to a call from the security service chain control center, and the security service chain control center calls the cloud security management platform according to the security service chain configured by the user. The security service chain indicates the security service processes that a packet must pass through, in order, in the security resource pool, and each security virtual machine implements one security service process indicated by the security service chain.
S302. Receiving, through the virtual switch, a packet forwarded by the physical switch of the security resource pool.
S303. Determining, through the virtual switch, whether the packet matches a second steering policy.
If the result of step S303 is yes, step S304 is performed.
S304. Sending the packet, through the virtual switch, to the corresponding security virtual machine according to the second steering policy.
S305. After the security virtual machine performs the security service processing on the packet sent by the virtual switch, returning the packet to the virtual switch.
In a specific implementation, if several security virtual machines corresponding to the security service chain have been created on the physical server, the process returns to step S303 to determine whether the packet returned to the virtual switch still needs to be processed by another security service on this physical server; step S306 is performed once the packet has completed all security service processes that are to be performed on this physical server.
S306. Determining, through the virtual switch, whether the packet matches a third steering policy.
If the result of step S306 is yes, step S307 is performed.
S307. Rewriting, through the virtual switch, the network information in the packet to the network information of the next node indicated by the third steering policy.
S308. Forwarding the packet, through the virtual switch, to the physical switch of the security resource pool, so that the physical switch of the security resource pool sends the packet to the next node.
The second and third steering policies are generated by the security service chain control center according to the security service chain configured by the user and the network information corresponding to the security virtual machines of that chain, and are issued to the virtual switch.
Optionally, if the physical server does not host the security virtual machine that implements the last security service process indicated by the security service chain, the next node is the virtual switch corresponding to the security virtual machine implementing the next security service process;
and if the physical server hosts the security virtual machine that implements the last security service process indicated by the security service chain, the next node is the core switch.
Optionally, the packet is determined to match the second or third steering policy when at least one of the following comparisons yields equality:
whether the VLAN ID in the packet equals the VLAN ID configured in the second or third steering policy;
whether the VXLAN ID in the packet equals the VXLAN ID configured in the second or third steering policy;
whether the IP address in the packet equals the IP address configured in the second or third steering policy;
whether the port on which the packet entered the virtual switch equals the port number configured in the second or third steering policy.
Optionally, in step S307, rewriting the network information in the packet to the network information of the next node indicated by the third steering policy through the virtual switch includes:
rewriting, through the virtual switch, the destination MAC address of the packet to the MAC address of the physical server hosting the next node indicated by the third steering policy.
Optionally, step S304, sending the packet to the corresponding security virtual machine through the virtual switch according to the second steering policy, includes:
sending the packet, through the virtual switch, to the corresponding security virtual machine via the virtual switch port indicated by the second steering policy.
Based on the same inventive concept, an embodiment of the present invention further provides a security service chain control center, as shown in fig. 6, including:
the security service chain configuration unit U101 is configured to invoke, according to a security service chain configured by a user, the cloud security management platform to create at least one security virtual machine corresponding to the security service chain on at least one physical server in a security resource pool, and to invoke the cloud security management platform to create a virtual switch on each physical server on which a security virtual machine has been created; the virtual switch is connected with each security virtual machine on the physical server, and each security virtual machine is used for realizing one security service processing step indicated by the security service chain;
the drainage policy configuration unit U102 is configured to generate a first drainage policy corresponding to a traffic classification controller, a second drainage policy corresponding to a virtual switch, and a third drainage policy according to the security service chain and the network information corresponding to the security virtual machines, and to correspondingly issue the first drainage policy, the second drainage policy, and the third drainage policy to the traffic classification controller and the virtual switch; after modifying, according to the first drainage policy, the network information in the data packet received from the core switch into the network information of the first virtual switch indicated by the first drainage policy, the traffic classification controller sends the data packet to the first virtual switch through the physical switch of the security resource pool; the virtual switch sends the received data packet to the corresponding security virtual machine for security service processing according to the second drainage policy, modifies the network information in the processed data packet into the network information of the next node indicated by the third drainage policy according to the third drainage policy, and sends the data packet to the next node through the security resource pool physical switch;
the first virtual switch is a virtual switch connected with a security virtual machine for implementing the first security service processing indicated by the security service chain in each virtual switch.
Optionally, if the physical server where the virtual switch is located is not the physical server where the security virtual machine that implements the last security service processing indicated by the security service chain is located, the next node is the virtual switch corresponding to the security virtual machine that implements the next security service processing;
and if the physical server where the virtual switch is located is the physical server where the security virtual machine for realizing the last security service processing indicated by the security service chain is located, the next node is the core switch.
Optionally, the network information corresponding to the secure virtual machine includes the media access control (MAC) address of the physical server where the secure virtual machine is located and the port number of the virtual switch corresponding to the secure virtual machine.
In the embodiments provided in the present application, it should be understood that the above-described security service chain control center embodiment is only illustrative, for example, the division of the units is only one logical function division, and there may be other division ways in actual implementation, for example, a plurality of units may be combined or may be integrated into another system, or some features may be omitted, or not executed. The modules described as separate parts may or may not be physically separate, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment. In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit. The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer storage medium.
For example, in a specific implementation process, as shown in fig. 7, the security service chain control center includes a security service chain management module, a security resource topology management module, a security service chain parsing execution engine, and a traffic classification control policy distribution engine, where:
the security service chain management module is used for managing the security service chain and the correspondence between the security service chain and the security virtual machines; this includes providing a visual interface for the user to configure the security service chain, configuring the security service processing steps corresponding to the security service chain, adjusting the order of the security service processing steps, and maintaining the correspondence between the security service chain and the security service processing steps;
the security resource topology management module is used for managing the network information of the security virtual machines; this includes managing the MAC address of each physical server, the correspondence between security service processing steps and physical servers, the correspondence between security virtual machines and physical servers, and the correspondence between each security virtual machine and its connection port number on the virtual switch;
the security service chain analysis execution engine is used for generating a first drainage strategy corresponding to the flow classification controller, a second drainage strategy corresponding to the virtual switch and a third drainage strategy according to the security service chain and the network information corresponding to the security virtual machine;
the flow classification control strategy distribution engine is used for correspondingly issuing a first flow guiding strategy corresponding to the flow classification controller, a second flow guiding strategy corresponding to the virtual switch and a third flow guiding strategy to the flow classification controller and the virtual switch.
Still further, the traffic classification control policy distribution engine comprises a traffic classification policy adapter and an SDN policy adapter, wherein:
the traffic classification policy adapter is used for issuing the first drainage policy corresponding to the traffic classification controller;
and the SDN policy adapter is used for correspondingly issuing the second drainage policy and the third drainage policy corresponding to the virtual switch.
Since the working principle of the security service chain control center is basically consistent with the traffic classification control method based on security service chain analysis in the security resource pool, reference may be made to the implementation of the method, which is not described herein again.
Based on the same inventive concept, an embodiment of the present invention further provides a traffic classification controller, as shown in fig. 8, including:
a data packet receiving unit U201, configured to receive a data packet transmitted by a core switch;
the serial drainage unit U203 is configured to modify, when it is determined that the data packet matches the first drainage policy, the network information in the data packet into the network information of the first virtual switch indicated by the first drainage policy, and to forward the data packet to the physical switch of the security resource pool, so that the security resource pool physical switch sends the data packet to the physical server where the first virtual switch is located;
the first drainage strategy is generated by a security service chain control center according to a security service chain set by a user and network information corresponding to the first virtual switch and is issued to the traffic classification controller.
Optionally, the traffic classification controller further includes:
the traffic classification unit U202 is used for judging whether the data packet belongs to north-south traffic or east-west traffic;
and the bypass drainage unit U204 is used for, when it is determined that the data packet belongs to east-west traffic, decapsulating and decrypting the data packet and then distributing the decapsulated and decrypted data packet to the physical server where the bypass security device is located.
Optionally, determining that the data packet belongs to north-south traffic or east-west traffic includes:
and determining whether the data packet belongs to north-south traffic or east-west traffic according to the virtual local area network identifier (VLAN ID) or the virtual extensible local area network identifier (VXLAN ID) of the data packet.
Optionally, it is determined that the data packet matches the first drainage policy according to the result of at least one of the following ways:
judging whether the VLAN ID in the data packet is the same as the VLAN ID configured in the first drainage strategy or not;
judging whether the VXLAN ID in the data packet is the same as the VXLAN ID configured in the first drainage strategy or not;
and judging whether the IP address of the internet protocol in the data packet is the same as the IP configured in the first drainage policy.
Optionally, modifying the network information in the data packet into the network information of the first virtual switch indicated by the first drainage policy includes:
and modifying the MAC address of the receiving end in the data packet into the MAC address of the physical server where the first virtual switch is located, wherein the MAC address is indicated by the first drainage policy.
In the embodiments provided in the present application, it should be understood that the above-described traffic classification controller embodiments are merely illustrative, for example, the division of the units is only one logical function division, and there may be other division manners in actual implementation, for example, a plurality of units may be combined or may be integrated into another system, or some features may be omitted or not executed. The modules described as separate parts may or may not be physically separate, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment. In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit. The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer storage medium.
In a specific implementation process, as shown in fig. 9, the traffic classification controller includes a traffic data transceiver module and a security service chain traffic distribution module, where:
the flow data transceiver module is used for receiving a data packet transmitted by the core switch and forwarding the data packet to the physical switch of the security resource pool;
the security service chain traffic distribution module comprises a traffic classification engine, a traffic replication engine, a serial service chain processing engine, a protocol decapsulation engine, a secure sockets layer (SSL) offloading engine and a bypass service chain processing engine;
the traffic classification engine is used for judging whether the data packet belongs to north-south traffic or east-west traffic;
the traffic replication engine is used for replicating data packets of north-south traffic;
the serial service chain processing engine is used for modifying the network information in the data packet into the network information of the first virtual switch indicated by the first drainage policy;
the protocol decapsulation engine is used for decapsulating data packets of east-west traffic;
the SSL offloading engine is used for decrypting data packets of east-west traffic;
and the bypass service chain processing engine is used for distributing data packets of east-west traffic to the physical server where the bypass security device is located.
Since the working principle of the traffic classification controller is basically consistent with the traffic classification control method based on the security service chain analysis in the security resource pool, reference may be made to the implementation of the method, which is not described herein again.
Based on the same inventive concept, an embodiment of the present invention further provides a physical server, as shown in fig. 10, including:
the security service configuration unit U301 is used for creating at least one security virtual machine according to an instruction of a cloud security management platform and creating a virtual switch connected with the security virtual machine; the cloud security management platform instructs the physical server according to a call from a security service chain control center, and the security service chain control center calls the cloud security management platform according to a security service chain configured by a user; the security service chain is used for indicating the security service processing steps which a data packet in the security resource pool is required to undergo in sequence, and each security virtual machine is used for realizing one security service processing step indicated by the security service chain;
the flow introducing unit U302 is used for receiving, through the virtual switch, a data packet forwarded by the security resource pool switch, and after determining that the data packet matches a second drainage policy, sending the data packet to the corresponding security virtual machine according to the second drainage policy; after the security virtual machine performs security service processing on the data packet sent by the virtual switch, the data packet is returned to the virtual switch;
the flow extraction unit U303 is configured to, after the virtual switch determines that the data packet matches a third drainage policy, modify the network information in the data packet into the network information of the next node indicated by the third drainage policy and forward the data packet to the physical switch of the security resource pool, so that the security resource pool physical switch sends the data packet to the next node;
the second and third drainage policies are generated by the security service chain control center according to a security service chain set by a user and network information corresponding to a security virtual machine corresponding to the security service chain and issued to the virtual switch.
Optionally, if the physical server does not have a security virtual machine for implementing the last security service processing indicated by the security service chain, the next node is a virtual switch corresponding to the security virtual machine for implementing the next security service processing;
and if the physical server has a security virtual machine for realizing the last security service processing indicated by the security service chain, the next node is a core switch.
Optionally, the data packet is determined to match the second drainage policy or the third drainage policy according to the result of at least one of the following judgements:
judging whether the VLAN ID in the data packet is the same as the VLAN ID configured in the second drainage strategy/the third drainage strategy or not;
judging whether the VXLAN ID in the data packet is the same as the VXLAN ID configured in the second drainage strategy/the third drainage strategy or not;
judging whether the IP address in the data packet is the same as the IP configured in the second drainage strategy/the third drainage strategy or not;
and judging whether the port number of the data packet entering the virtual switch is the same as the port number configured in the second drainage strategy/the third drainage strategy or not.
Optionally, modifying, by the virtual switch, the network information in the data packet to the network information of the next node indicated by the third drainage policy, where the modifying includes:
and modifying the MAC address of the receiving end in the data packet into the MAC address of the physical server where the next node indicated by the third drainage strategy is located through the virtual switch.
Optionally, sending, by the virtual switch, the data packet to a corresponding secure virtual machine according to the second drainage policy, includes:
and sending the data packet to a corresponding security virtual machine through a virtual switch port indicated by the second drainage policy by the virtual switch according to the second drainage policy.
In the embodiments provided in the present application, it should be understood that the above-described physical server embodiment is only illustrative, for example, the division of the units is only one logical function division, and there may be other division ways in actual implementation, for example, a plurality of units may be combined or may be integrated into another system, or some features may be omitted, or not executed. The modules described as separate parts may or may not be physically separate, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment. In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit. The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer storage medium.
Since the working principle of the physical server is basically consistent with the traffic classification control method based on the security service chain analysis in the security resource pool, reference may be made to the implementation of the method, which is not described herein again.
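As an added illustration (not code from the patent or its assignee), the following toy model pulls together the three roles described above: the control center's policy generation from a service chain plus VM topology (the parsing execution engine), the traffic classification controller's match-and-rewrite of the receiver MAC, and each virtual switch's second/third drainage policies keyed on the ingress port. All MAC addresses, VLAN IDs, IPs and port numbers are constructed sample values.

```python
"""Added example (not the patent's own code): a toy model of how the control
center derives the first/second/third drainage policies from a security service
chain plus VM topology, and how the traffic classification controller and the
virtual switches apply them.  MACs, VLAN IDs, IPs and ports are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CORE_SWITCH_MAC = "00:00:5e:00:53:01"   # constructed: where the last hop returns traffic
UPLINK_PORT = 0                          # constructed: vswitch port facing the pool switch

@dataclass(frozen=True)
class SecurityVM:
    name: str
    service: str        # the one security service processing step this VM performs
    server_mac: str     # MAC of the physical server (its vswitch) hosting the VM
    vswitch_port: int   # vswitch port the VM is attached to

@dataclass
class Packet:
    vlan_id: int
    dst_ip: str
    dst_mac: str
    ingress_port: int = UPLINK_PORT
    processed: List[str] = field(default_factory=list)

Policies = Tuple[dict, Dict[str, Dict[int, int]], Dict[str, Dict[int, str]]]

def build_policies(chain: List[str], vms: List[SecurityVM], match: dict) -> Policies:
    """Security service chain parsing execution engine.
    first  : controller match -> rewrite dst MAC to the first hop's server
    second : per server, vswitch ingress port -> VM port that must process next
    third  : per server, VM return port -> next node's MAC (next server or core switch)"""
    by_service = {vm.service: vm for vm in vms}
    hops = [by_service[s] for s in chain]        # KeyError: chain names a service with no VM
    first = {"match": match, "next_mac": hops[0].server_mac}
    second: Dict[str, Dict[int, int]] = {}
    third: Dict[str, Dict[int, str]] = {}
    for i, vm in enumerate(hops):
        prev = hops[i - 1] if i > 0 else None
        # The packet reaches this VM's vswitch either on the uplink (new server)
        # or directly from the previous VM's port when both share a server.
        ingress = prev.vswitch_port if prev and prev.server_mac == vm.server_mac else UPLINK_PORT
        second.setdefault(vm.server_mac, {})[ingress] = vm.vswitch_port
        nxt = hops[i + 1] if i + 1 < len(hops) else None
        if nxt is None or nxt.server_mac != vm.server_mac:
            # Leaving this server: the third policy rewrites dst MAC to the next node.
            third.setdefault(vm.server_mac, {})[vm.vswitch_port] = (
                CORE_SWITCH_MAC if nxt is None else nxt.server_mac)
    return first, second, third

def classify(pkt: Packet, north_south_vlans: set) -> str:
    """Traffic classification engine: decide the direction from the VLAN ID."""
    return "north-south" if pkt.vlan_id in north_south_vlans else "east-west"

def controller_steer(pkt: Packet, first: dict) -> bool:
    """Serial service chain processing engine: on a first-policy match, rewrite
    the receiver MAC to the first virtual switch's server; otherwise leave it alone."""
    m = first["match"]
    if pkt.vlan_id != m["vlan_id"] or pkt.dst_ip != m["ip"]:
        return False
    pkt.dst_mac, pkt.ingress_port = first["next_mac"], UPLINK_PORT
    return True

def run_chain(pkt: Packet, policies: Policies, vms: List[SecurityVM]) -> List[str]:
    """Walk a matched packet through the pool and return the trace of nodes.
    The pool's plain layer-2 switch delivers purely by dst MAC, so each vswitch
    only needs its own second/third policies.  Raises if no policy matches or the
    walk never ends, which is the failure mode a deployment should alarm on."""
    first, second, third = policies
    vm_at = {(vm.server_mac, vm.vswitch_port): vm for vm in vms}
    trace: List[str] = []
    if not controller_steer(pkt, first):
        return trace                     # not in the chain: normal forwarding
    for _ in range(2 * len(vms) + 2):    # bound the walk; a loop means a bad policy set
        if pkt.dst_mac == CORE_SWITCH_MAC:
            trace.append("core-switch")
            return trace
        server, port = pkt.dst_mac, pkt.ingress_port
        if port in second.get(server, {}):           # flow introducing: vswitch -> VM
            vm = vm_at[(server, second[server][port])]
            pkt.processed.append(vm.service)         # the VM performs its security service
            pkt.ingress_port = vm.vswitch_port       # the VM returns the packet on its port
            trace.append(vm.name)
        elif port in third.get(server, {}):          # flow extraction: vswitch -> next node
            pkt.dst_mac, pkt.ingress_port = third[server][port], UPLINK_PORT
        else:
            raise RuntimeError(f"no drainage policy on {server} for port {port}")
    raise RuntimeError("steering loop: chain never reached the core switch")

# Constructed topology: firewall and IDS share one server, WAF sits on another.
VMS = [SecurityVM("fw-1", "firewall", "02:00:00:00:aa:01", 1),
       SecurityVM("ids-1", "ids", "02:00:00:00:aa:01", 2),
       SecurityVM("waf-1", "waf", "02:00:00:00:bb:01", 1)]
CHAIN = ["firewall", "ids", "waf"]
MATCH = {"vlan_id": 100, "ip": "10.0.0.10"}   # constructed first-policy match keys

if __name__ == "__main__":
    pol = build_policies(CHAIN, VMS, MATCH)
    p = Packet(vlan_id=100, dst_ip="10.0.0.10", dst_mac="02:00:00:00:cc:01")
    print(classify(p, {100}), run_chain(p, pol, VMS), p.processed)
```

Note that two VMs on the same server are chained purely by a second policy keyed on the previous VM's port, so only the last VM on a server needs a third policy.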
Based on the same inventive concept, an embodiment of the present invention further provides an electronic device, as shown in fig. 11, including: a processor and a memory for storing processor-executable instructions;
the processor is configured to execute the instructions to implement the traffic classification control method based on security service chain analysis in the security resource pool applied to the security service chain control center, or implement the traffic classification control method based on security service chain analysis in the security resource pool applied to the traffic classification controller, or implement the traffic classification control method based on security service chain analysis in the security resource pool applied to the physical server.
In particular implementations, the apparatus may vary significantly depending on configuration or performance, and may include one or more processors 110, a memory 120, and a computer-readable storage medium 130, with one or more applications 131 or data 132 included in the memory 120 and/or the computer-readable storage medium 130. The memory 120 and/or the computer-readable storage medium 130 may also include one or more operating systems 133, such as Windows, Mac OS, Linux, iOS, Android, Unix, FreeBSD, and the like. The memory 120 and the computer-readable storage medium 130 may be transient storage or persistent storage. The application 131 may include one or more of the modules (not shown in fig. 11), each of which may include a series of instruction operations. Still further, the processor 110 may be configured to communicate with the computer-readable storage medium 130 and to execute the series of instruction operations stored on it. The apparatus may also include one or more power supplies (not shown in fig. 11); one or more network interfaces 140, the network interfaces 140 comprising a wired network interface 141 and/or a wireless network interface 142; and one or more input/output interfaces 143.
Based on the same inventive concept, an embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored, and the computer program is used to implement the traffic classification control method based on security service chain analysis in a security resource pool applied to a security service chain control center, or implement the traffic classification control method based on security service chain analysis in a security resource pool applied to a traffic classification controller, or implement the traffic classification control method based on security service chain analysis in a security resource pool applied to a physical server.
According to the traffic classification control method based on security service chain analysis in the security resource pool provided by the embodiments of the invention, without using an SDN physical switch, traffic is steered into the security resource pool switch according to a fine-grained, software-defined security service chain and then distributed to the physical servers in the security resource pool. This solves the problem of insufficient flow table entries in large, complex network environments that arises when fine-grained traffic steering for software-defined security service chains is supported by an SDN physical switch, so the system can support issuing and simultaneously using more security service chains. Meanwhile, since the scheme does not use an SDN physical switch, an ordinary layer-2 switch can be used to forward the data packets, which reduces cost.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (18)

1. A traffic classification control method based on security service chain analysis in a security resource pool, characterized in that it is applied to a security service chain control center and comprises the following steps:
according to a security service chain configured by a user, calling the cloud security management platform to create at least one security virtual machine corresponding to the security service chain on at least one physical server of a security resource pool, and calling the cloud security management platform to create a virtual switch on each physical server on which a security virtual machine has been created; the virtual switch is connected with each security virtual machine on the physical server, and each security virtual machine is used for realizing one security service processing step indicated by the security service chain;
generating a first drainage policy corresponding to a traffic classification controller, a second drainage policy corresponding to a virtual switch and a third drainage policy according to the security service chain and the network information corresponding to the security virtual machines, and correspondingly issuing the first drainage policy, the second drainage policy and the third drainage policy to the traffic classification controller and the virtual switch; after modifying, according to the first drainage policy, the network information in the data packet received from the core switch into the network information of the first virtual switch indicated by the first drainage policy, the traffic classification controller sends the data packet to the first virtual switch through the physical switch of the security resource pool; the virtual switch sends the received data packet to the corresponding security virtual machine for security service processing according to the second drainage policy, modifies the network information in the processed data packet into the network information of the next node indicated by the third drainage policy according to the third drainage policy, and sends the data packet to the next node through the security resource pool physical switch;
the first virtual switch is a virtual switch connected with a security virtual machine for implementing the first security service processing indicated by the security service chain in each virtual switch.
2. The method according to claim 1, wherein if the physical server where the virtual switch is located is not the physical server where the secure virtual machine that implements the last secure service processing indicated by the secure service chain is located, the next node is the virtual switch corresponding to the secure virtual machine that implements the next secure service processing;
and if the physical server where the virtual switch is located is the physical server where the security virtual machine for realizing the last security service processing indicated by the security service chain is located, the next node is the core switch.
3. The method according to claim 1, wherein the network information corresponding to the secure virtual machine includes the media access control (MAC) address of the physical server where the secure virtual machine is located and the port number of the virtual switch corresponding to the secure virtual machine.
4. A traffic classification control method based on security service chain analysis in a security resource pool is characterized in that the traffic classification control method is applied to a traffic classification controller and comprises the following steps:
receiving a data packet transmitted by a core switch;
when the data packet is determined to be matched with a first drainage strategy, modifying the network information in the data packet into the network information of a first virtual switch indicated by the first drainage strategy, and then forwarding the data packet to a physical switch of a security resource pool; enabling the security resource pool physical switch to send the data packet to a physical server where the first virtual switch is located;
the first drainage strategy is generated by a security service chain control center according to a security service chain set by a user and network information corresponding to the first virtual switch and is issued to the traffic classification controller.
5. The method of claim 4, wherein prior to determining that the packet matches the first drainage policy, further comprising:
determining that the data packet belongs to north-south traffic;
the method further comprises the following steps:
and when the data packet is determined to belong to east-west traffic, decapsulating and decrypting the data packet and then distributing it to the physical server where the bypass security device is located.
6. The method of claim 5, wherein determining whether the packet belongs to north-south traffic or east-west traffic comprises:
determining whether the data packet belongs to north-south traffic or east-west traffic according to the virtual local area network identifier (VLAN ID) or the virtual extensible local area network identifier (VXLAN ID) of the data packet.
7. The method of claim 4, wherein the data packet is determined to match the first drainage policy according to the result of at least one of the following judgements:
judging whether the VLAN ID in the data packet is the same as the VLAN ID configured in the first drainage strategy or not;
judging whether the VXLAN ID in the data packet is the same as the VXLAN ID configured in the first drainage strategy or not;
and judging whether the IP address of the internet protocol in the data packet is the same as the IP configured in the first drainage policy.
8. The method of claim 4, wherein modifying the network information in the packet to the network information of the first virtual switch indicated by the first steering policy comprises:
and modifying the MAC address of the receiving end in the data packet into the MAC address of the physical server where the first virtual switch is located, wherein the MAC address is indicated by the first drainage policy.
9. A traffic classification control method based on security service chain analysis in a security resource pool is characterized in that the traffic classification control method is applied to a physical server in the security resource pool and comprises the following steps:
creating at least one security virtual machine according to an instruction of a cloud security management platform, and creating a virtual switch connected with the security virtual machine; the cloud security management platform instructs the physical server according to a call from a security service chain control center, and the security service chain control center calls the cloud security management platform according to a security service chain configured by a user; the security service chain is used for indicating the security service processing steps which a data packet in the security resource pool is required to undergo in sequence, and each security virtual machine is used for realizing one security service processing step indicated by the security service chain;
receiving a data packet forwarded by a security resource pool switch through the virtual switch, and sending the data packet to a corresponding security virtual machine according to a second drainage strategy after determining that the data packet matches the second drainage strategy; after the security virtual machine carries out security service processing on the data packet sent by the virtual switch, returning the data packet to the virtual switch;
after the virtual switch determines that the data packet matches a third drainage strategy, modifying the network information in the data packet into the network information of the next node indicated by the third drainage strategy, and forwarding the data packet to a physical switch of a security resource pool; so that the security resource pool physical switch sends the data packet to the next node;
the second and third drainage policies are generated by the security service chain control center according to a security service chain set by a user and network information corresponding to a security virtual machine corresponding to the security service chain and issued to the virtual switch.
10. The method of claim 9, wherein, if the physical server does not host the security virtual machine implementing the last security service processing indicated by the security service chain, the next node is the virtual switch corresponding to the security virtual machine implementing the next security service processing;
and if the physical server hosts the security virtual machine implementing the last security service processing indicated by the security service chain, the next node is a core switch.
11. The method of claim 9, wherein the data packet is determined to match the second drainage policy or the third drainage policy when at least one of the following comparisons finds the values identical:
judging whether the VLAN ID in the data packet is the same as the VLAN ID configured in the second drainage policy or the third drainage policy;
judging whether the VXLAN ID in the data packet is the same as the VXLAN ID configured in the second drainage policy or the third drainage policy;
judging whether the IP address in the data packet is the same as the IP address configured in the second drainage policy or the third drainage policy;
and judging whether the port number through which the data packet entered the virtual switch is the same as the port number configured in the second drainage policy or the third drainage policy.
12. The method of claim 9, wherein modifying, by the virtual switch, the network information in the data packet to the network information of the next node indicated by the third drainage policy comprises:
modifying, by the virtual switch, the receiving-end MAC address in the data packet to the MAC address of the physical server where the next node indicated by the third drainage policy is located.
13. The method of claim 9, wherein sending, by the virtual switch, the data packet to the corresponding security virtual machine according to the second drainage policy comprises:
sending, by the virtual switch according to the second drainage policy, the data packet to the corresponding security virtual machine through the virtual switch port indicated by the second drainage policy.
14. A security service chain control center, comprising:
a cloud security management platform, configured to establish a security service chain on a physical server of a security resource pool and to call the physical server hosting the security service chain to create a virtual switch; the virtual switch is connected to each security virtual machine on the physical server, and each security virtual machine implements one security service processing indicated by the security service chain;
a drainage policy configuration unit, configured to generate, according to the security service chain and the network information corresponding to the security virtual machines, a first drainage policy corresponding to a traffic classification controller and a second drainage policy and a third drainage policy corresponding to the virtual switch, and to issue the first drainage policy, the second drainage policy and the third drainage policy to the traffic classification controller and the virtual switch respectively; the traffic classification controller, after modifying the network information in a data packet received from the core switch to the network information of the first virtual switch indicated by the first drainage policy, sends the data packet to the first virtual switch through the physical switch of the security resource pool; the virtual switch sends the received data packet to the corresponding security virtual machine for security service processing according to the second drainage policy, modifies the network information in the processed data packet to the network information of the next node indicated by the third drainage policy, and sends the data packet to the next node through the security resource pool physical switch;
wherein the first virtual switch is, among the virtual switches, the one connected to the security virtual machine implementing the first security service processing indicated by the security service chain.
15. A traffic classification controller, comprising:
a data packet receiving unit, configured to receive a data packet transmitted by a core switch;
a serial drainage unit, configured to, upon determining that the data packet matches a first drainage policy, modify the network information in the data packet to the network information of the first virtual switch indicated by the first drainage policy and then forward the data packet to a physical switch of a security resource pool, so that the security resource pool physical switch sends the data packet to the physical server where the first virtual switch is located;
wherein the first drainage policy is generated by a security service chain control center according to a security service chain set by a user and the network information corresponding to the first virtual switch, and is issued to the traffic classification controller.
16. A physical server, comprising:
a security service configuration unit, configured to create at least one security virtual machine according to an instruction of a cloud security management platform and to create a virtual switch connected to the security virtual machine; the cloud security management platform instructs the physical server according to a call from a security service chain control center, and the security service chain control center calls the cloud security management platform according to a security service chain configured by a user; the security service chain indicates the security service processing that a data packet must undergo in sequence in the security resource pool, and each security virtual machine implements one security service processing indicated by the security service chain;
a traffic leading-in unit, configured to receive, through the virtual switch, a data packet forwarded by the security resource pool switch and, after determining that the data packet matches a second drainage policy, to send the data packet to the corresponding security virtual machine according to the second drainage policy; after the security virtual machine performs security service processing on the data packet sent by the virtual switch, the data packet is returned to the virtual switch;
a traffic leading-out unit, configured to, after the virtual switch determines that the data packet matches a third drainage policy, modify the network information in the data packet to the network information of the next node indicated by the third drainage policy and forward the data packet to a physical switch of the security resource pool, so that the security resource pool physical switch sends the data packet to the next node;
wherein the second and third drainage policies are generated by the security service chain control center according to the security service chain set by the user and the network information corresponding to the security virtual machines of that security service chain, and are issued to the virtual switch.
17. An electronic device, comprising: a processor and a memory for storing processor-executable instructions;
wherein the processor is configured to execute the instructions to implement the traffic classification control method based on security service chain analysis in a security resource pool according to any one of claims 1 to 3, or the method according to any one of claims 4 to 8, or the method according to any one of claims 9 to 13.
18. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed, implements the traffic classification control method based on security service chain analysis in a security resource pool according to any one of claims 1 to 3, or the method according to any one of claims 4 to 8, or the method according to any one of claims 9 to 13.
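The steering described in claims 4 to 13, as an added example that is not part of the patent: a Python model in which a hypothetical control center derives the three drainage policies from a constructed two-hop chain (a firewall VM on srv-a, an IPS VM on srv-b), and a packet is walked from the traffic classification controller through each virtual switch by destination-MAC rewriting until the core switch is reached. All server names, MAC addresses, VLAN and port numbers are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    vlan: int
    ip: str
    dst_mac: str = ""      # receiving-end MAC, rewritten at each steering hop
    in_port: int = 0       # port through which the packet entered a virtual switch
    trace: list = field(default_factory=list)

# Constructed topology (hypothetical): chain FW -> IPS, one security VM per server.
CHAIN = [("fw", "srv-a"), ("ips", "srv-b")]
SERVER_MAC = {"srv-a": "02:00:00:00:00:0a", "srv-b": "02:00:00:00:00:0b", "core": "02:00:00:00:00:cc"}
UPLINK_PORT = 1                # vswitch port facing the resource-pool physical switch
VM_PORT = {"fw": 2, "ips": 3}  # vswitch port facing each security VM

def generate_policies(chain, vlan, ip):
    """Control center: derive the first, second and third drainage policies."""
    first = {"vlan": vlan, "ip": ip, "next_mac": SERVER_MAC[chain[0][1]]}
    second, third = {}, {}
    for i, (svc, srv) in enumerate(chain):
        # uplink -> security VM port; VM port -> next node (core switch after the last VM)
        second[srv] = {"vlan": vlan, "ip": ip, "in_port": UPLINK_PORT, "vm_port": VM_PORT[svc]}
        nxt = chain[i + 1][1] if i + 1 < len(chain) else "core"
        third[srv] = {"vlan": vlan, "ip": ip, "in_port": VM_PORT[svc], "next_mac": SERVER_MAC[nxt]}
    return first, second, third

def matches(pkt, policy):
    """Claims 7/11: every field configured in the policy must equal the packet's field."""
    return all(getattr(pkt, k) == policy[k] for k in ("vlan", "ip", "in_port") if k in policy)

def classify(pkt, first):
    """Traffic classification controller: rewrite the MAC toward the first vswitch's host."""
    if not matches(pkt, first):
        return False
    pkt.dst_mac = first["next_mac"]
    pkt.trace.append(("classifier", pkt.dst_mac))
    return True

def pool_switch(pkt):  # resource-pool physical switch forwards by destination MAC only
    return next(n for n, m in SERVER_MAC.items() if m == pkt.dst_mac)

def vswitch(server, pkt, second, third):
    """Virtual switch on one physical server (claims 9-13)."""
    pkt.in_port = UPLINK_PORT
    if matches(pkt, second[server]):
        pkt.trace.append((server, "vm_port", second[server]["vm_port"]))
        pkt.in_port = second[server]["vm_port"]  # security VM hands the packet back
    if matches(pkt, third[server]):
        pkt.dst_mac = third[server]["next_mac"]
        pkt.trace.append((server, "next_mac", pkt.dst_mac))

def run_chain(pkt, first, second, third):
    """Walk a packet: classifier -> pool switch -> vswitches -> core switch."""
    if not classify(pkt, first):
        return pkt                         # not steered into the security pool
    node = pool_switch(pkt)
    while node != "core":
        vswitch(node, pkt, second, third)
        node = pool_switch(pkt)
    return pkt
```

A packet whose VLAN ID or IP address matches none of the configured values is returned untouched, which is the claim 7/11 non-match case.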

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210187759.XA CN114629853A (en) 2022-02-28 2022-02-28 Traffic classification control method based on security service chain analysis in security resource pool

Publications (1)

Publication Number Publication Date
CN114629853A true CN114629853A (en) 2022-06-14

Family

ID=81900242

Country Status (1)

Country Link
CN (1) CN114629853A (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150200838A1 (en) * 2014-01-10 2015-07-16 Juniper Networks, Inc. Dynamic end-to-end network path setup across multiple network layers with network service chaining
US20160127333A1 (en) * 2014-10-31 2016-05-05 Kapil Sood Technologies for Secure Inter-Virtual Network Function Communication
CN105591805A (en) * 2015-09-28 2016-05-18 杭州华三通信技术有限公司 Method and device for modification of service chain configuration
WO2016098968A1 (en) * 2014-12-19 2016-06-23 주식회사 디케이아이테크놀로지 Intelligent security networking system and method therefor
KR101661743B1 (en) * 2015-04-07 2016-10-11 경기대학교 산학협력단 Network system and method for defensing high volume attack traffic
US20170019303A1 (en) * 2015-07-14 2017-01-19 Microsoft Technology Licensing, Llc Service Chains for Network Services
CN106789542A (en) * 2017-03-03 2017-05-31 清华大学 A kind of implementation method of cloud data center security service chain
CN107911258A (en) * 2017-12-29 2018-04-13 深信服科技股份有限公司 A kind of realization method and system in the secure resources pond based on SDN network
CN107920023A (en) * 2017-12-29 2018-04-17 深信服科技股份有限公司 A kind of realization method and system in secure resources pond
CN111752679A (en) * 2020-06-22 2020-10-09 中国电子科技集团公司第五十四研究所 Dynamic arranging device for safety service chain
CN114024746A (en) * 2021-11-04 2022-02-08 北京天融信网络安全技术有限公司 Network message processing method, virtual switch and processing system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116582424A (en) * 2023-07-12 2023-08-11 北京安数云信息技术有限公司 Switch configuration method and device, storage medium and electronic equipment
CN116582424B (en) * 2023-07-12 2023-09-05 北京安数云信息技术有限公司 Switch configuration method and device, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination