CN115941365A - Protection method for terminal network security, all-in-one machine and server - Google Patents

Protection method for terminal network security, all-in-one machine and server

Info

Publication number
CN115941365A
Authority
CN
China
Prior art keywords
network security
network
service
protection
terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310246184.9A
Other languages
Chinese (zh)
Inventor
吴正中
张辉
李鹏宸
唐才荣
汪永刚
王晓东
邓能文
武涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Urban Construction Intelligent Control Technology Co ltd
Original Assignee
Beijing Urban Construction Intelligent Control Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Urban Construction Intelligent Control Technology Co ltd
Priority to CN202310246184.9A
Publication of CN115941365A
Legal status: Pending

Abstract

The invention provides a protection method for terminal network security, an all-in-one machine and a server. The protection method comprises the following steps: a network security server detects the service environment of a target service terminal, where the network security server provides network security components for a plurality of service terminals and the target service terminal is any one of them; the network security server generates a network security component package according to the network security protection conditions of that service environment, where the package comprises at least one network security component used to provide network security protection for the target service terminal; and the network security server provides the network security protection of the component package to the target service terminal. Because different network security protection services are provided to a plurality of different service terminals through one network security all-in-one machine, the protection requirements of different service terminals can be met, software/hardware cost is saved, and more reliable network security protection is provided.

Description

Protection method for terminal network security, all-in-one machine and server
Technical Field
The invention relates to the field of network security, in particular to a protection method for terminal network security, an all-in-one machine and a server.
Background
Because enterprise network security construction must deploy security products in accordance with standards such as the Cybersecurity Law and the network security multi-level protection scheme, a series of hardware products such as a firewall, an intrusion prevention system, an anti-virus gateway, an internet behaviour management device and a web application firewall are typically connected in series at the network boundary to meet the construction requirements.
With the rapid development of cloud computing, the security requirements of enterprise data centres keep rising: many security hardware devices must be placed at the boundary, a security management centre must also be built, and a large number of security software and hardware products still have to be deployed to meet the enterprise's security construction requirements. Security devices connected in series in the network not only add points of failure; in the industrial control field, where real-time requirements are high, too many in-line security products greatly lengthen packet transmission delay and hurt service throughput. In addition, the protection level of each system differs, so the required security products differ too, and personalised, customised security services are increasingly demanded by users: some users need firewalls of different grades, some only need an IDS (intrusion detection system), some only need security audit products, and some users with high security requirements want to deploy several types of security product at once. However, most hardware security products from mainstream vendors currently provide only a single type of function, their software and hardware cost is very high, and the overall cost of purchase, deployment, implementation, operation and maintenance is very high, which is unfavourable to the construction and popularisation of enterprise network security.
Disclosure of Invention
The invention mainly aims to provide a protection method, an all-in-one machine and a server for terminal network security, so as to solve the prior-art problems of costly network security software/hardware configuration and high operation and maintenance cost for enterprises.
In order to achieve the above object, according to an aspect of the present invention, there is provided a method for protecting network security of a terminal, including: the method comprises the steps that a network security server detects the service environment of a target service terminal, wherein the network security server provides a network security component for a plurality of service terminals, and the target service terminal is any one of the plurality of service terminals; the network security server generates a network security component package according to the network security protection conditions of the service environment, wherein the network security component package comprises at least one network security component, and the network security component is used for providing network security protection for the target service terminal; and the network security server provides the network security protection of the network security component package to the target service terminal.
Further, the network security server generating the network security component package according to the network security protection condition of the service environment includes: the network security server capturing the service environment data of the target service terminal and generating the network security component package according to that service environment data.
Further, the network security server generating the network security component package according to the network security protection condition of the service environment includes: the network security server receiving a security protection request from the target service terminal, where the security protection request comprises the service environment data of the target service terminal; and the network security server generating the network security component package according to that service environment data.
Further, the network security server generating the network security component package according to the service environment data includes: when the service environment data indicates a virtual network boundary, providing a firewall and/or a bastion host for the target service terminal; and when the service environment data indicates the internal network of a virtual machine, providing a virus scanning and removal component and/or an industrial intrusion prevention component for the target service terminal.
In order to achieve the above object, according to one aspect of the present invention, there is provided a network security all-in-one machine, including: the basic hardware architecture layer comprises a computing board card, a switching board card and a storage board card, wherein the computing board card is used for providing computing resources, the switching board card is used for data interaction inside the switch, and the storage board card is used for providing storage resources; a virtualization architecture layer that performs software virtualization of computing resources, network resources, and storage resources based on the basic hardware architecture layer; and the safety resource pool architecture layer runs various network safety components based on the virtualization architecture layer and generates a network safety component packet according to the network safety protection conditions of the target service terminal, wherein the network safety component packet comprises at least one network safety component, the network safety component is used for providing network safety protection for the target service terminal, and the target service terminal is any one of the plurality of service terminals.
Further, the virtualization architecture layer includes at least one network interface, and each network interface is connected to one service terminal and is used for providing network security protection for the target service terminal.
Further, the secure resource pool architecture layer includes: the resource allocation platform is used for capturing the service environment data of the target service terminal and generating the network security component package according to the service environment data; or receiving service environment data from the target service terminal, and generating the network security component package according to the received service environment data.
Further, the resource allocation platform is used to provide a firewall and/or a bastion host for a service environment at a virtual network boundary, and a virus scanning and removal component and/or an industrial intrusion prevention component for a service environment in the internal network of a virtual machine.
In order to achieve the above object, according to one aspect of the present invention, there is provided a network security server including: the system comprises a detection unit, a service terminal and a network security server, wherein the detection unit is used for detecting the service environment of a target service terminal, the network security server provides a network security component for a plurality of service terminals, and the target service terminal is any one of the plurality of service terminals; a generating unit, configured to generate a network security component package according to a network security protection condition of the service environment, where the network security component package includes at least one network security component, and the network security component is configured to provide network security protection for the target service terminal; and the protection unit is used for providing the network security protection of the network security component package for the target service terminal.
Further, the generating unit of the network security server further includes: a capturing module, used to capture the service environment data of the target service terminal and generate the network security component package according to that data; and/or a receiving module, configured to receive a security protection request from the target service terminal, where the request comprises the service environment data of the target service terminal, and to generate the network security component package according to that data.
By applying the technical scheme of the invention, the network security all-in-one machine provides the hardware resources and virtualises them in software so as to provide network security services to a plurality of service terminals; at the same time, the all-in-one machine can run a variety of network security components, customise a network security protection scheme according to the requirements of different service terminals, and run that customised scheme to provide network security protection service to the service terminals. Because different network security protection services are provided to a plurality of different service terminals through one network security all-in-one machine, the protection requirements of different service terminals can be met, software/hardware cost is saved, the protection services can be managed in a unified way, and more reliable network security protection is provided.
When the hardware required by the network security protection service is insufficient, pluggable hardware can be added to the all-in-one machine, raising its hardware capacity conveniently; at the same time, the resource waste caused by over-provisioning the initially purchased hardware is avoided. In addition, software virtualisation of the hardware resources adapts better to changes in the network environment: for example, when the traffic of some service grows and the original scheme no longer fits, other resources can be allocated and managed centrally so that the protection resources meet the service requirements, resources are fully used and scheduling is flexible.
In addition to the objects, features and advantages described above, other objects, features and advantages of the present invention are also provided. The present invention will be described in further detail below with reference to the drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, are included to provide a further understanding of the invention, and are included to illustrate an exemplary embodiment of the invention and not to limit the invention. In the drawings:
FIG. 1 shows an architecture diagram of a network security kiosk, according to an embodiment of the invention;
fig. 2 shows a flow chart of a method for protecting terminal network security according to an embodiment of the invention;
fig. 3 shows a schematic diagram of a network security server according to an embodiment of the invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments of the present invention may be combined with each other without conflict. The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings.
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the terms so used are interchangeable under appropriate circumstances for describing embodiments of the invention described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present application. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
Interpretation of terms:
next generation virtual industrial firewall components:
A component that provides comprehensive protection and visibility before, during and after a business transaction: it identifies applications, users and content to perform access control, aggregates multiple security-processing modules into one boundary security device without sacrificing performance, has management and analysis capabilities, links with other data, systems and devices, and can provide complete protection for the business.
An industrial intrusion prevention component:
Through deep analysis of network traffic, the intrusion prevention component can promptly and accurately discover various illegal intrusion and attack behaviours and block them accurately in real time. Compared with a traditional intrusion prevention system, the intrusion prevention component in the security all-in-one machine emphasises multi-dimensional detection, including AI- and sandbox-based techniques to improve identification accuracy, while improving management and O&M effectiveness through a simple O&M mode of operation.
Industrial Web application firewall component:
The WAF component is dedicated to application-layer security protection of websites and Web application systems, solving the problem that traditional security products such as network firewalls and intrusion prevention systems find it hard to defend the application layer in depth. Enabling the WAF component effectively mitigates common threats to websites and Web applications, such as those defined in the OWASP Top 10, and can quickly counter the impact of a malicious attacker on Web services, thereby making Web service applications secure and reliable.
WAF (Web Application Firewall), website Application Firewall:
For example, the WAF can perform virus filtering and blocking on files uploaded via HTTP and FTP through a built-in virus filtering engine and a virus signature database updated in real time, preventing the website from being misused as a tool for spreading viruses and trojans. For another example, the WAF can inspect the elements of an HTTP request in real time, such as the header fields, URL, web content, cookies and form parameters, and discover and filter web attack behaviour within them, including but not limited to SQL injection, cross-site scripting, cross-site request forgery, web shells, command injection, weak passwords, buffer overflows and CC (Challenge Collapsar, HTTP flood) attacks.
Industrial bastion host component:
The bastion host component is one of the key components required for multi-level protection compliance. It provides operation and maintenance security audit services that integrate account management, identity authentication, single sign-on, resource authorisation, access control and operation auditing. The O&M audit system can audit the O&M operations performed on assets such as servers, network equipment, security equipment and industrial control databases, raising O&M auditing from event auditing to auditing of the operation content, and comprehensively addressing O&M security through pre-event prevention, in-process control and post-event audit on an internal control management platform.
The embodiment of the application provides a network security all-in-one machine, and the network security all-in-one machine is a self-adaptive security technology architecture which is realized by utilizing related technologies such as Overlay technology, service chain management, information security and the like based on software virtualization (including virtualization of computing, network, storage and the like) technology and can be predefined and freely selected according to system requirements. On the architecture, an all-in-one machine capable of providing convenient and fast network security automatic arrangement service for an end user is established, as shown in fig. 1, the architecture of the network security all-in-one machine is divided into three layers from bottom to top, which are respectively:
the basic hardware architecture layer 110 includes a computation board card, a switch board card and a storage board card, the computation board card is used for providing computation resources, the switch board card is used for data interaction inside the switch, and the storage board card is used for providing storage resources;
a virtualization architecture layer 120 that performs software virtualization of computing resources, network resources, and storage resources based on the underlying hardware architecture layer; the virtualization architecture layer performs software virtualization on computation, network and storage based on the bottom-layer basic hardware architectures of a computation board card, a switch board card and a storage board card which form the basic hardware architecture layer, and provides the upper-layer secure resource pool architecture with the needed resource units.
The security resource pool architecture layer 130 runs a plurality of network security components based on the virtualization architecture layer, and generates a network security component package according to the network security protection conditions of the target service terminal, where the network security component package includes at least one network security component, the network security component is configured to provide network security protection for the target service terminal, and the target service terminal is any one of the plurality of service terminals.
The security resource pool architecture layer utilizes the virtual resource units provided by the virtualization architecture layer to uniformly deploy and manage various security components, can freely combine any network security components by utilizing the security service chain internally, and provides free security arrangement service capability externally.
According to the embodiment of the application, the network security all-in-one machine provides the hardware resources and virtualises them in software so as to provide network security services to a plurality of service terminals; at the same time, the all-in-one machine can run a variety of network security components, customise a network security protection scheme according to the requirements of different service terminals, and run that customised scheme to provide network security protection service to the service terminals. Because different network security protection services are provided to a plurality of different service terminals through one network security all-in-one machine, the protection requirements of different service terminals can be met, software/hardware cost is saved, the protection services can be managed in a unified way, and more reliable network security protection is provided.
When the hardware required by the network security protection service is insufficient, pluggable hardware can be added to the all-in-one machine, raising its hardware capacity conveniently; at the same time, the resource waste caused by over-provisioning the initially purchased hardware is avoided. In addition, software virtualisation of the hardware resources adapts better to changes in the network environment: for example, when the traffic of some service grows and the original scheme no longer fits, other resources can be allocated and managed centrally so that the protection resources meet the service requirements, resources are fully used and scheduling is flexible.
Further, the virtualization architecture layer comprises at least one network interface, and each network interface is connected with one service terminal and used for providing network security protection for the target service terminal. The communication between the network interface and the service terminal provides a data transmission channel for the network security all-in-one machine to provide network security protection service for a plurality of service terminals, and the network security all-in-one machine is convenient to provide network security protection service for the plurality of service terminals.
Further, the secure resource pool architecture layer comprises a resource allocation platform, used to capture the service environment data of the target service terminal and generate a network security component package according to it; or to receive the service environment data from the target service terminal and generate the network security component package according to the received data. In this way the network security all-in-one machine adapts to the network environments of different service terminals, customising for the target service terminal a component package suited to it and providing the corresponding service.
For example, if the service environment of the target service terminal is a virtual network boundary, the security all-in-one machine provides a virtual next-generation firewall module for boundary protection of the platform network, so that most attacks are intercepted at the source and cannot enter the virtual network; the generated component package comprises a firewall and/or a bastion host. If the service environment of the target service terminal is the internal network of a virtual machine, the security all-in-one machine provides, inside each virtual machine, a terminal protection module that performs terminal protection such as control of terminal access relationships and virus scanning and removal; the generated component package comprises a virus scanning component and/or an industrial intrusion prevention component. Boundary protection and protection of the virtual machine's internal network can be configured separately or in combination; in the combined configuration, even if an attacker bypasses the virtual next-generation firewall and gets into a virtual machine, a further layer of protection is still there to intercept and block the attack. Further, for customised and personalised network security requirements, the security all-in-one machine centrally deploys and manages compliance security components such as the bastion host, log audit equipment and database audit, and provides comprehensive security capability to services through template-based deployment.
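The environment-to-component mapping above, together with the active (server captures) and passive (terminal requests) ways of obtaining the service environment data, as an added worked example. This is not code from the patent or its assignee: the component names, the fields of the environment record and the extra rule that a bastion host is only selected when the terminal is administered remotely are assumptions made for illustration.

```python
"""Added example (not code from the patent): build a network security component
package from a terminal's service environment, using the mapping the description
gives (virtual network boundary -> firewall and/or bastion host; virtual machine
internal network -> virus scanning and/or industrial intrusion prevention), and
accept environment data either by active capture or by a passive request.
Component names, record fields and the selection rules are assumptions."""
from dataclasses import dataclass, field

VIRTUAL_NETWORK_BOUNDARY = "virtual_network_boundary"
VM_INTERNAL_NETWORK = "vm_internal_network"

# Assumed mapping from service environment to candidate components.
COMPONENTS_BY_ENVIRONMENT = {
    VIRTUAL_NETWORK_BOUNDARY: ("virtual_next_generation_firewall", "bastion_host"),
    VM_INTERNAL_NETWORK: ("virus_scanning", "industrial_intrusion_prevention"),
}


@dataclass(frozen=True)
class ServiceEnvironment:
    terminal_id: str
    environments: tuple               # one or both of the classifications above
    remote_ops_access: bool = False   # assumed: terminal is administered over the network


@dataclass
class ComponentPackage:
    terminal_id: str
    components: list = field(default_factory=list)


def generate_component_package(env: ServiceEnvironment) -> ComponentPackage:
    """Select components for the environment(s) the terminal sits in.

    Boundary and VM-internal protection may be configured alone or together;
    when both apply the package layers them, so an attacker who gets past the
    boundary firewall still meets the VM-internal components."""
    pkg = ComponentPackage(env.terminal_id)
    for name in env.environments:
        if name not in COMPONENTS_BY_ENVIRONMENT:
            raise ValueError(f"unknown service environment: {name!r}")
        for component in COMPONENTS_BY_ENVIRONMENT[name]:
            # Assumed rule: a bastion host only matters when remote operators
            # reach the terminal and their sessions need auditing.
            if component == "bastion_host" and not env.remote_ops_access:
                continue
            if component not in pkg.components:
                pkg.components.append(component)
    if not pkg.components:
        raise ValueError(f"no protection component selected for {env.terminal_id}")
    return pkg


def capture_environment(terminal_id: str, observed: dict) -> ServiceEnvironment:
    """Active mode: the server derives the environment from facts it captured
    itself (the keys below are assumed probe results)."""
    envs = []
    if observed.get("has_external_uplink"):
        envs.append(VIRTUAL_NETWORK_BOUNDARY)
    if observed.get("hosts_virtual_machines"):
        envs.append(VM_INTERNAL_NETWORK)
    return ServiceEnvironment(terminal_id, tuple(envs),
                              bool(observed.get("remote_ops_access")))


def parse_protection_request(request: dict) -> ServiceEnvironment:
    """Passive mode: the terminal sends a security protection request carrying
    its own service environment data; validate it before trusting it."""
    try:
        terminal_id = str(request["terminal_id"])
        envs = tuple(request["environments"])
    except (KeyError, TypeError) as exc:
        raise ValueError("malformed security protection request") from exc
    unknown = [e for e in envs if e not in COMPONENTS_BY_ENVIRONMENT]
    if unknown:
        raise ValueError(f"unknown service environment(s): {unknown}")
    return ServiceEnvironment(terminal_id, envs, bool(request.get("remote_ops_access")))


if __name__ == "__main__":
    active = capture_environment("plc-gateway-01", {
        "has_external_uplink": True, "hosts_virtual_machines": True,
        "remote_ops_access": True})
    print(generate_component_package(active))
    passive = parse_protection_request({
        "terminal_id": "hmi-07", "environments": [VM_INTERNAL_NETWORK]})
    print(generate_component_package(passive))
```

The passive path validates the terminal-supplied environment data before acting on it; a terminal that could claim an arbitrary environment would otherwise be choosing its own protection level.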
Virus scanning and industrial intrusion prevention can use conventional methods. Taking the discovery of illegal intrusion and attack behaviour in network traffic as an example (other protection methods are not repeated here):
1. Attack detection based on rule matching: a built-in content filtering rule base holds, among other things, the character strings, malicious IP (Internet Protocol) addresses and malicious domain names found in specific malicious traffic; when a rule in the content filtering engine matches, a network attack can be determined accurately.
2. Detection models built by statistical or machine learning methods to identify attack traffic. For example, DDoS attacks can be identified by counting the real-time bandwidth of the network traffic and the number of concurrent connections of each IP address; for another example, a traffic classification model can be trained with machine learning techniques such as convolutional neural networks, random forests and autoencoders, so as to classify network traffic and identify attacks.
3. Network attack identification based on interactive authentication: for a particular CC (Challenge Collapsar) attack such as a SYN flood, the source IP address can be checked by replying to it with a SYN+ACK packet carrying a deliberately wrong sequence/acknowledgement number. A real client's TCP stack answers an unacceptable SYN+ACK with RST, whereas a spoofed source or a zombie host flooding the target sends nothing back, which distinguishes a genuine client from a bot initiating the attack.
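The three detection methods listed above, run over constructed packet records, as an added worked example. This is not code from the patent: the rule base, the thresholds, the packet fields and the two models of how a source answers the bogus SYN+ACK are assumptions chosen for illustration; the RST-on-bad-ACK behaviour itself is standard TCP.

```python
"""Added example (not code from the patent): the three traffic-analysis methods
the description lists, over constructed packet records: (1) rule matching
against a content-filtering rule base, (2) statistical flood detection from
bandwidth and per-source connection counts, and (3) interactive source
authentication for SYN floods by replying with a deliberately wrong SYN+ACK.
The rule base, thresholds and packet fields are assumptions."""
import re
from collections import defaultdict

# (1) Assumed content-filtering rule base: strings, malicious IPs, malicious domains.
MALICIOUS_IPS = {"203.0.113.66"}
MALICIOUS_DOMAINS = {"evil.example"}
PAYLOAD_SIGNATURES = [
    ("sqli_union_select", re.compile(rb"union\s+select", re.I)),
    ("php_webshell", re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)),
]


def match_rules(pkt: dict) -> list:
    """Return the names of every rule the packet matches (empty if clean)."""
    hits = []
    if pkt["src"] in MALICIOUS_IPS or pkt["dst"] in MALICIOUS_IPS:
        hits.append("malicious_ip")
    if pkt.get("host") in MALICIOUS_DOMAINS:
        hits.append("malicious_domain")
    for name, pattern in PAYLOAD_SIGNATURES:
        if pattern.search(pkt.get("payload", b"")):
            hits.append(name)
    return hits


def detect_flood(pkts: list, window_s: float = 1.0,
                 bps_limit: float = 8_000_000, conn_limit: int = 100) -> list:
    """(2) Statistical detection: alert when the bit rate in any window exceeds
    bps_limit, or when one source opens more than conn_limit distinct
    connections (counted from SYN packets)."""
    bytes_per_window = defaultdict(int)
    conns_per_src = defaultdict(set)
    for p in pkts:
        bytes_per_window[int(p["ts"] // window_s)] += p["size"]
        if p.get("syn"):
            conns_per_src[p["src"]].add((p["src_port"], p["dst"], p["dst_port"]))
    alerts = []
    for window, nbytes in sorted(bytes_per_window.items()):
        bps = nbytes * 8 / window_s
        if bps > bps_limit:
            alerts.append(("bandwidth", window, bps))
    for src, conns in conns_per_src.items():
        if len(conns) > conn_limit:
            alerts.append(("concurrent_connections", src, len(conns)))
    return alerts


def authenticate_syn_source(client_isn: int, respond) -> str:
    """(3) Interactive authentication. Instead of completing the handshake, reply
    with a SYN+ACK whose acknowledgement number is wrong on purpose. A real TCP
    stack in SYN-SENT answers an unacceptable ACK with RST; a spoofed source or a
    flooding bot that keeps no state sends nothing back. `respond` models the
    source: it takes our SYN+ACK and returns the packet it sends, or None."""
    bogus_synack = {"flags": "SYN+ACK", "ack": client_isn + 1000}  # not isn + 1
    reply = respond(bogus_synack)
    if reply is None:
        return "zombie_or_spoofed"
    if reply.get("flags") == "RST":
        return "real_client"
    return "suspicious"   # e.g. blindly ACKs whatever it receives


def real_tcp_stack(isn: int):
    """Model of a legitimate client: RST on a bad ACK number, ACK otherwise."""
    def respond(synack):
        return {"flags": "RST"} if synack["ack"] != isn + 1 else {"flags": "ACK"}
    return respond


def spoofed_source(synack):
    """Model of a bot flooding with forged source addresses: nothing comes back."""
    return None


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    {"ts": 0.10, "src": "198.51.100.7", "dst": "192.0.2.10", "src_port": 40001,
     "dst_port": 80, "size": 512, "host": "www.example",
     "payload": b"GET /items?id=1 UNION SELECT user,pass FROM t HTTP/1.1"},
    {"ts": 0.20, "src": "198.51.100.8", "dst": "203.0.113.66", "src_port": 40002,
     "dst_port": 443, "size": 200, "payload": b""},
] + [
    {"ts": 0.5 + i * 0.001, "src": "198.51.100.9", "dst": "192.0.2.10",
     "src_port": 50000 + i, "dst_port": 80, "size": 60, "syn": True, "payload": b""}
    for i in range(150)
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS[:2]:
        print(p["src"], match_rules(p))
    print(detect_flood(SAMPLE_PACKETS))
    print(authenticate_syn_source(1000, real_tcp_stack(1000)),
          authenticate_syn_source(1000, spoofed_source))
```

The constructed flood of 150 SYNs from one source trips the connection-count rule but stays far below the bandwidth threshold, which is the point of combining the two statistics: a low-and-slow connection exhaustion attack is invisible to a pure bandwidth monitor.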
The network security all-in-one machine can acquire the network environment of the service terminal in an active or passive mode, the active mode can actively capture the service environment data of the target service terminal through a resource distribution platform of a security resource pool architecture layer, and a network security component package is generated according to the service environment data; the passive mode may be receiving the service environment data actively sent by the target service terminal, and generating a network security component packet after receiving the service environment data.
From the above description it can be seen that the security all-in-one machine provides systematic security protection against attack paths with multiple attack points and high complexity: when the protection of one layer in the system is broken through, the next layer continues to protect the services; services are isolated from one another; after a security incident, services can be recovered rapidly and security events can be traced; and the integrity and effectiveness of protection are assured.
The software architecture of the security all-in-one machine mainly comprises three components (network virtualisation, computing virtualisation and storage virtualisation) and a Web control platform (the virtualisation management platform). In the hardware architecture, a board-centric design lets the machine be used as soon as it boots, and the base architecture is carried by N+1 resource processing boards. The computing virtualisation component is the core of the whole architecture: computing resource virtualisation uses the virtualisation component on every computing board in the all-in-one machine to form standard virtual machines. These virtual machines carry a uniform set of hardware configurations and use the same drivers, like a product line from a single manufacturer.
A distributed storage system in the safety all-in-one machine utilizes a virtualization technology to pool local hard disks in storage board cards in a cluster storage volume, so that the unified integration, management and scheduling of all-in-one machine storage resources are realized, and finally, an NFS/iSCSI storage interface is provided for an upper layer, so that a virtual machine can freely allocate and use storage space in a resource pool according to the storage demand of the virtual machine.
The network virtualization component in the safety all-in-one machine builds a large Layer 2 network and isolates users between service systems in Overlay mode; the various network function resources the network needs (basic routing and switching, security, and so on) are distributed and flexibly scheduled on demand through NFV, which realizes network virtualization in the all-in-one machine architecture.
The hyper-converged infrastructure takes virtualization technology as its core and uses the computing, storage and network virtualization modules to fuse the virtual computing, storage and network resources into one machine, forming an infrastructure unit. Several sets of such unit equipment can be aggregated over the network, which gives modular, seamless horizontal scale-out and forms a unified safety all-in-one machine resource pool.
For the edge cloud computing scenario, security service capability is provided for the access of each underlying service. In a rail transit application scenario, for example, security modules can be selected and matched automatically according to the different security protection requirements of the different rail transit specialties, while self-defined security protection capability is also supported, so that a variety of security protection requirements are met. A unified security management platform manages and controls the security components centrally, so that security services can be deployed with one click and activated automatically. Operation and maintenance of the security components is centralized through the security management platform, which avoids the account management difficulties and complex operation and maintenance caused by a large number of security devices. An operation and maintenance monitoring dashboard displays the usage of security resources and the security risk of the service system in one place, so that operation and maintenance staff can find performance alarms and security threats in time. When the hardware performance is sufficient, upgrades and capacity expansion can be done by extending the software license, adapting to changes in the service system without major changes to the network architecture. Network/service flows can be arranged flexibly with preset templates: different security protection combinations are used for different types of traffic, for example web traffic can pass through the preset triple protection template of firewall / intrusion prevention / Web protection, which realizes customized security protection for services.
In the embodiment of the application, a Hypervisor can be used to implement software virtualization of the hardware resources. The Hypervisor is an intermediate software layer running between the physical server and the operating systems; it allows multiple operating systems and applications to share one set of underlying physical hardware. The Hypervisor can therefore also be regarded as the "meta" operating system of the virtual environment: it coordinates access to all physical devices and virtual machines on the server, and is also called a virtual machine monitor (VMM).
The Hypervisor is the core of all virtualization technologies. Supporting the migration of multiple workloads without interruption is a basic function of the Hypervisor. When the server starts and executes the Hypervisor, it allocates an appropriate amount of memory, CPU, network and disk to each virtual machine and loads the guest operating systems of all virtual machines.
A bare-metal type VMM runs directly on the bare computer and uses and manages the underlying hardware resources; guest OS access to the real hardware resources is completed through the VMM. As the direct operator of the underlying hardware, the VMM owns the hardware drivers. The Hypervisor in bare-metal virtualization manages and calls the hardware resources directly, without an underlying operating system, so it can be understood as a very thin operating system. Because of the efficiency problems of the hosted-type Hypervisor, and in view of the hardware architecture of the intelligent all-in-one machine, the Linux KVM virtualization technology, a bare-metal type Hypervisor, is adopted.
KVM is based on hardware virtualization extensions (Intel VT-x) and a modified QEMU. It is a module of the Linux kernel and can be loaded with the modprobe command; once the module is loaded, virtual machines can be created with the tool. The KVM module alone is not sufficient, however: because a user cannot control the kernel directly, a tool running in user space is required. The user-space tool chosen is the mature open-source virtualization software QEMU. QEMU is itself virtualization software whose characteristic is that it can emulate different CPUs, for example a POWER CPU on an x86 CPU, so that programs which run on POWER can be executed with QEMU. An ordinary Linux process has two modes of operation, kernel and user: Kernel Mode generally runs in Ring 0 and User Mode generally runs in Ring 3. On a Linux system, the Linux kernel is a kernel-mode program and can directly manage all physical devices and peripherals; services on the Linux system, such as Apache, are user-mode programs and can only provide their service through the interfaces the kernel exposes. KVM uses part of QEMU, slightly modified, as the user-space tool that controls KVM; this is the relationship between KVM and QEMU.
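As an added illustration (not code from the patent or its applicant), the following Python check reads the two facts the paragraph relies on, whether the CPU exposes a hardware virtualization extension and whether the KVM kernel modules are loaded, from /proc/cpuinfo and lsmod text, and reports the modprobe step that is still needed. The sample inputs are constructed; the flag names vmx/svm and the module names kvm, kvm_intel and kvm_amd are the standard Linux ones.

```python
# Added example (not from the patent): a pre-flight check for the KVM/QEMU
# set-up described above, decided from /proc/cpuinfo flags and `lsmod` output.
# Both inputs are parsed from text so the check can also run on captured files;
# the samples at the bottom are constructed.
from typing import Dict, Optional, Set

# CPU feature flag -> vendor KVM module that drives the hardware extension.
VENDOR_MODULES = {"vmx": "kvm_intel", "svm": "kvm_amd"}


def cpu_virt_flag(cpuinfo_text: str) -> Optional[str]:
    """Return 'vmx' (Intel VT-x) or 'svm' (AMD-V) from the first 'flags' line, else None."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags = set(line.split(":", 1)[1].split())
            for flag in VENDOR_MODULES:
                if flag in flags:
                    return flag
            return None
    return None


def loaded_modules(lsmod_text: str) -> Set[str]:
    """First column of `lsmod` output, skipping the header line."""
    return {ln.split()[0] for ln in lsmod_text.splitlines()[1:] if ln.strip()}


def kvm_preflight(cpuinfo_text: str, lsmod_text: str) -> Dict[str, object]:
    """Decide whether KVM can be used on this host and what the next step is.

    KVM needs the hardware extension, the 'kvm' core module and the matching
    vendor module; `modprobe <vendor module>` pulls in 'kvm' as a dependency.
    """
    flag = cpu_virt_flag(cpuinfo_text)
    mods = loaded_modules(lsmod_text)
    result: Dict[str, object] = {
        "hw_extension": flag,
        "vendor_module": None,
        "kvm_loaded": "kvm" in mods,
        "vendor_loaded": False,
        "ready": False,
        "next_step": "",
    }
    if flag is None:
        result["next_step"] = "no VT-x/AMD-V flag: enable it in firmware or use QEMU without KVM"
        return result
    vendor = VENDOR_MODULES[flag]
    result["vendor_module"] = vendor
    result["vendor_loaded"] = vendor in mods
    if result["kvm_loaded"] and result["vendor_loaded"]:
        result["ready"] = True
        result["next_step"] = "start guests with qemu-system-x86_64 -enable-kvm"
    else:
        result["next_step"] = f"modprobe {vendor}"
    return result


# Constructed samples (abbreviated flag lists; real ones are much longer).
SAMPLE_CPUINFO_INTEL = """processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush vmx sse sse2 ht
"""
SAMPLE_CPUINFO_AMD = "processor\t: 0\nvendor_id\t: AuthenticAMD\nflags\t\t: fpu vme de pse svm sse sse2\n"
SAMPLE_CPUINFO_NOVIRT = "processor\t: 0\nflags\t\t: fpu vme de pse sse sse2\n"
SAMPLE_LSMOD_EMPTY = "Module                  Size  Used by\nxt_conntrack           16384  1\n"
SAMPLE_LSMOD_LOADED = """Module                  Size  Used by
kvm_intel             380928  0
kvm                  1126400  1 kvm_intel
xt_conntrack           16384  1
"""

if __name__ == "__main__":
    for name, lsmod in (("before", SAMPLE_LSMOD_EMPTY), ("after", SAMPLE_LSMOD_LOADED)):
        print(name, kvm_preflight(SAMPLE_CPUINFO_INTEL, lsmod))
```

On a real host the two inputs are the contents of /proc/cpuinfo and the output of lsmod; the check deliberately does not run modprobe itself, it only reports the step, so it can be used in a read-only audit of an all-in-one machine node.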
An embodiment of the present application further provides a method for protecting the network security of a terminal, as shown in fig. 2. The method is executed by a network security server and comprises:
S201: the network security server detects the service environment of a target service terminal, wherein the network security server provides network security components for a plurality of service terminals and the target service terminal is any one of the plurality of service terminals;
The network security server may be the network security all-in-one machine described above, and the protection scheme may be executed by it. The network security server comprises at least one network interface; each network interface is connected to one service terminal and is used to provide network security protection for that target service terminal. The communication between a network interface and its service terminal provides the data transmission channel through which the network security server delivers network security protection services to the plurality of service terminals, so that one network security all-in-one machine can conveniently serve several service terminals.
S203: the network security server generates a network security component package according to the network security protection conditions of the service environment, wherein the package comprises at least one network security component and the component is used to provide network security protection for the target service terminal. The network security server adapts to the network environments of different service terminals and customizes, for each service terminal, a network security component package suited to it, so as to provide the corresponding service.
Further, the network security server generating the network security component package according to the service environment data includes: when the service environment data is detected to be a virtual network boundary, providing a firewall and/or a bastion host for the target service terminal; and when the service environment data is detected to be the internal network of the virtual machines, providing a virus scan-and-kill component and/or an industrial intrusion prevention component for the target service terminal.
For example, if the service environment of the target service terminal is a virtual network boundary, the safety all-in-one machine provides a virtual next-generation firewall module for platform boundary network protection, so that most attacks cannot enter the virtual network and are intercepted and killed at the source; the generated network security component comprises a firewall and/or a bastion host. If the service environment of the target service terminal is the internal network of the virtual machines, the safety all-in-one machine provides a terminal protection module inside each virtual machine for terminal protection such as terminal access relationship control and virus scan-and-kill; the generated network security component comprises a virus scan-and-kill component and/or an industrial intrusion prevention component. Boundary network protection and protection of the virtual machines' internal network can be configured independently or in combination; in the combined configuration, even if an attacker bypasses the virtual next-generation firewall and enters a virtual machine, a further layer of security protection is still in place to intercept and kill. Further, for customized and personalized network security requirements, the safety all-in-one machine centrally deploys and manages compliance-type security components such as the bastion host, log auditing equipment and database auditing, and provides comprehensive security capability for services by template deployment.
S205: the network security server provides the network security protection of the network security component package to the target service terminal. The network security components in the package generated by the network security server deliver the network security protection service to the service terminal.
Further, the network security server generating the network security component package according to the network security protection conditions of the service environment includes: the network security server captures the service environment data of the target service terminal and generates the network security package according to that data; and/or the network security server receives a security protection request from the target service terminal, the request comprising the service environment data of the target service terminal, and generates the network security package according to that data.
The network security server can acquire the network environment of a service terminal in an active or a passive mode. In the active mode, the server captures the service environment data of the target service terminal through the resource distribution platform of the security resource pool architecture layer and generates the network security component package from it; in the passive mode, the server receives the service environment data actively sent by the target service terminal and generates the network security component package after receiving it.
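The following Python program is an added example written for this page, not code from the patent or its applicant. It implements the S201 to S205 flow described above with both detection modes (active capture through a per-interface inventory, passive handling of a protection request), the boundary / internal-network component selection, the combined configuration, and the preset web traffic template (firewall, intrusion prevention, Web protection) from the architecture description earlier. The component identifiers, the interface inventory and the request field names are assumptions made for the illustration.

```python
# Added example (not from the patent): component-package generation for the
# S201-S205 protection method, with the active and passive detection modes.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Service-environment kinds named in the specification.
VIRTUAL_NETWORK_BOUNDARY = "virtual_network_boundary"
VM_INTERNAL_NETWORK = "vm_internal_network"

# Environment -> components, as the specification states: the boundary gets the
# virtual next-generation firewall and/or bastion host, the VM internal network
# gets virus scan-and-kill and/or industrial intrusion prevention.
# The component identifiers are assumed names, not the product's own.
ENVIRONMENT_COMPONENTS: Dict[str, Tuple[str, ...]] = {
    VIRTUAL_NETWORK_BOUNDARY: ("virtual_ngfw", "bastion_host"),
    VM_INTERNAL_NETWORK: ("virus_scan_and_kill", "industrial_intrusion_prevention"),
}

# Preset per-traffic templates. The web triple is the one the specification
# gives; no other template is assumed here.
TRAFFIC_TEMPLATES: Dict[str, Tuple[str, ...]] = {
    "web": ("firewall", "intrusion_prevention", "web_protection"),
}


@dataclass(frozen=True)
class ServiceEnvironment:
    terminal_id: str
    environments: FrozenSet[str]         # one or both environment kinds
    traffic_types: Tuple[str, ...] = ()  # e.g. ("web",)


@dataclass
class ComponentPackage:
    terminal_id: str
    components: List[str]
    traffic_chains: Dict[str, List[str]] = field(default_factory=dict)


def generate_component_package(env: ServiceEnvironment) -> ComponentPackage:
    """S203: build the package from the detected environment (never empty)."""
    unknown = env.environments - set(ENVIRONMENT_COMPONENTS)
    if unknown:
        raise ValueError(f"unknown service environment(s): {sorted(unknown)}")
    if not env.environments:
        raise ValueError("a component package needs at least one environment")
    components: List[str] = []
    # Boundary protection is listed first so that, in the combined
    # configuration, the firewall sits in front of the in-VM components.
    for kind in (VIRTUAL_NETWORK_BOUNDARY, VM_INTERNAL_NETWORK):
        if kind in env.environments:
            components.extend(ENVIRONMENT_COMPONENTS[kind])
    chains = {t: list(TRAFFIC_TEMPLATES[t])
              for t in env.traffic_types if t in TRAFFIC_TEMPLATES}
    return ComponentPackage(env.terminal_id, components, chains)


class NetworkSecurityServer:
    """Keeps the per-interface inventory the resource distribution platform
    would hold (constructed here) and implements both detection modes."""

    def __init__(self, interface_inventory: Dict[str, dict]):
        # interface -> {"terminal_id", "environments", optional "traffic_types"}
        self._by_terminal = {v["terminal_id"]: v for v in interface_inventory.values()}

    def detect_environment_active(self, terminal_id: str) -> ServiceEnvironment:
        """S201, active mode: the server captures the environment data itself."""
        rec = self._by_terminal.get(terminal_id)
        if rec is None:
            raise LookupError(f"no network interface is bound to {terminal_id}")
        return ServiceEnvironment(terminal_id, frozenset(rec["environments"]),
                                  tuple(rec.get("traffic_types", ())))

    def detect_environment_passive(self, request: dict) -> ServiceEnvironment:
        """S201, passive mode: parse the protection request a terminal sent
        (assumed field names); only terminals bound to an interface are served."""
        try:
            terminal_id = str(request["terminal_id"])
            envs = frozenset(request["service_environment"])
        except (KeyError, TypeError) as exc:
            raise ValueError("malformed security protection request") from exc
        if terminal_id not in self._by_terminal:
            raise LookupError(f"request from unknown terminal {terminal_id}")
        return ServiceEnvironment(terminal_id, envs, tuple(request.get("traffic_types", ())))

    def protect(self, env: ServiceEnvironment) -> ComponentPackage:
        """S203 + S205: generate the package that is delivered to the terminal."""
        return generate_component_package(env)


# Constructed sample inventory: each network interface is bound to one terminal.
SAMPLE_INTERFACES = {
    "eth1": {"terminal_id": "term-A", "environments": [VIRTUAL_NETWORK_BOUNDARY]},
    "eth2": {"terminal_id": "term-B", "environments": [VM_INTERNAL_NETWORK],
             "traffic_types": ["web"]},
    "eth3": {"terminal_id": "term-C",
             "environments": [VIRTUAL_NETWORK_BOUNDARY, VM_INTERNAL_NETWORK]},
}

if __name__ == "__main__":
    server = NetworkSecurityServer(SAMPLE_INTERFACES)
    for tid in ("term-A", "term-B", "term-C"):
        print(server.protect(server.detect_environment_active(tid)))
```

The check that the environment kind is known, and the refusal to build an empty package, are the two validations a practitioner would want at S203: an unrecognized environment value must not silently produce a terminal with no protection.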
The network security all-in-one machine provides the hardware resources and virtualizes them in software so as to provide network security services for a plurality of service terminals; at the same time it runs the various network security components, customizes a network security protection scheme according to the requirements of each service terminal, and runs the customized scheme to provide that service terminal with network security protection. Providing different network security protection services for different service terminals through one network security all-in-one machine adapts to their different protection requirements, saves software/hardware cost, allows the protection services to be managed in a unified way, and provides more reliable network security protection.
When the hardware required by the network security protection service is insufficient, pluggable hardware can be added to the network security all-in-one machine to raise its hardware capacity, which makes expansion convenient and avoids the resource waste caused by over-specifying the initial hardware purchase. In addition, software virtualization of the hardware resources adapts better to changes in the network environment: for example, when the traffic of a certain service grows and the original scheme no longer fits, other resources can be allocated and managed in a unified way so that the protection resources meet the service demand, the resources are fully used, and resource scheduling is flexible.
An embodiment of the present application further provides a network security server, as shown in fig. 3, where the network security server includes:
a detecting unit 302, configured to detect the service environment of a target service terminal, where the network security server provides network security components to a plurality of service terminals and the target service terminal is any one of the plurality of service terminals; the network security server may be the network security all-in-one machine described above, and the protection scheme may be executed by it. The network security server comprises at least one network interface; each network interface is connected to one service terminal and is used to provide network security protection for that target service terminal. The communication between a network interface and its service terminal provides the data transmission channel through which the network security server delivers network security protection services to the plurality of service terminals, so that one network security server can conveniently serve several service terminals.
A generating unit 304, configured to generate a network security component package according to network security protection conditions of the service environment, where the network security component package includes at least one network security component, and the network security component is configured to provide network security protection for the target service terminal;
Further, the generating unit comprises: a capturing module, configured to capture the service environment data of the target service terminal and generate the network security package according to that data; and/or a receiving module, configured to receive a security protection request from the target service terminal, the request comprising the service environment data of the target service terminal, and to generate the network security package according to that data.
The network security server adapts to the network environments of different service terminals and customizes, for each service terminal, a network security component package suited to it, so as to provide the corresponding service.
For example, if the service environment of the target service terminal is a virtual network boundary, the safety all-in-one machine provides a virtual next-generation firewall module for platform boundary network protection, so that most attacks cannot enter the virtual network and are intercepted and killed at the source; the generated network security component comprises a firewall and/or a bastion host. If the service environment of the target service terminal is the internal network of the virtual machines, the safety all-in-one machine provides a terminal protection module inside each virtual machine for terminal protection such as terminal access relationship control and virus scan-and-kill; the generated network security component comprises a virus scan-and-kill component and/or an industrial intrusion prevention component. Boundary network protection and protection of the virtual machines' internal network can be configured independently or in combination; in the combined configuration, even if an attacker bypasses the virtual next-generation firewall and enters a virtual machine, a further layer of security protection is still in place to intercept and kill. Further, for customized and personalized network security requirements, the safety all-in-one machine centrally deploys and manages compliance-type security components such as the bastion host, log auditing equipment and database auditing, and provides comprehensive security capability for services by template deployment.
A protection unit 306, configured to provide network security protection of the network security component package to the target service terminal.
Further, the step of the network security server generating the network security component package according to the network security protection conditions of the service environment includes: the network security server captures the service environment data of the target service terminal and generates the network security package according to that data; and/or the network security server receives a security protection request from the target service terminal, the request comprising the service environment data of the target service terminal, and generates the network security package according to that data.
The network security server can acquire the network environment of a service terminal in an active or a passive mode. In the active mode, the server captures the service environment data of the target service terminal through the resource distribution platform of the security resource pool architecture layer and generates the network security component package from it; in the passive mode, the server receives the service environment data actively sent by the target service terminal and generates the network security component package after receiving it.
The network security server provides the hardware resources and virtualizes them in software so as to provide network security services for a plurality of service terminals; at the same time it runs the various network security components, customizes a network security protection scheme according to the requirements of each service terminal, and runs the customized scheme to provide that service terminal with network security protection. Providing different network security protection services for different service terminals through one network security server adapts to their different protection requirements, saves software/hardware cost, allows the protection services to be managed in a unified way, and provides more reliable network security protection.
When the hardware needed by the network security protection service is insufficient, pluggable hardware can be added to the network security server to raise its hardware capacity, which makes expansion convenient and avoids the resource waste caused by over-specifying the initial hardware purchase. In addition, software virtualization of the hardware resources adapts better to changes in the network environment: for example, when the traffic of a certain service grows and the original scheme no longer fits, other resources can be allocated and managed in a unified way so that the protection resources meet the service demand, the resources are fully used, and resource scheduling is flexible.
The relative arrangement of the components and steps, the numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present invention unless specifically stated otherwise. Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description. Techniques, methods, and apparatus known to one of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate. In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be discussed further in subsequent figures.
For ease of description, spatially relative terms such as "on …", "above …", "on the upper surface of …", "above", etc. may be used herein to describe the spatial relationship of one device or feature to another device or feature as shown in the figures. It will be understood that the spatially relative terms are intended to encompass different orientations of the device in use or operation in addition to the orientation depicted in the figures. For example, if a device in the figures is turned over, devices described as "above" or "on" other devices or configurations would then be oriented "below" or "under" the other devices or configurations. Thus, the exemplary term "above …" may include both the orientation "above …" and the orientation "below …". The device may be otherwise variously oriented (rotated 90 degrees or at other orientations) and the spatially relative descriptors used herein interpreted accordingly.
In the description of the present invention, it is to be understood that the orientation or positional relationship indicated by the orientation words such as "front, rear, upper, lower, left, right", "lateral, vertical, horizontal" and "top, bottom", etc. are usually based on the orientation or positional relationship shown in the drawings, and are only for convenience of description and simplicity of description, and in the case of not making a reverse description, these orientation words do not indicate and imply that the device or element being referred to must have a specific orientation or be constructed and operated in a specific orientation, and therefore, should not be considered as limiting the scope of the present invention; the terms "inner and outer" refer to the inner and outer relative to the profile of the respective component itself.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method for protecting terminal network security, characterized by comprising the following steps:
a network security server detects the service environment of a target service terminal, wherein the network security server provides network security components for a plurality of service terminals, and the target service terminal is any one of the plurality of service terminals;
the network security server generates a network security component package according to the network security protection conditions of the service environment, wherein the network security component package comprises at least one network security component, and the network security component is used for providing network security protection for the target service terminal;
and the network security server provides the network security protection of the network security component package to the target service terminal.
2. The method for protecting network security of a terminal according to claim 1, wherein the network security server generating the network security component package according to the network security protection condition of the service environment comprises:
the network security server captures the service environment data of the target service terminal and generates the network security package according to the service environment data.
3. The method for protecting network security of a terminal according to claim 1, wherein the network security server generating the network security component package according to the network security protection condition of the service environment comprises:
the network security server receives a security protection request from the target service terminal, wherein the security protection request comprises service environment data of the target service terminal;
and the network security server generates the network security packet according to the service environment data.
4. The method for protecting network security of a terminal according to claim 2 or 3, wherein the network security server generating the network security component package according to the service environment data includes:
when the service environment data is detected to be a virtual network boundary, providing a firewall and/or a bastion host for the target service terminal;
and when the service environment data is detected to be the internal network of the virtual machines, providing a virus scan-and-kill component and/or an industrial intrusion prevention component for the target service terminal.
5. A network security all-in-one machine, comprising:
the basic hardware architecture layer comprises a computing board card, a switching board card and a storage board card, wherein the computing board card is used for providing computing resources, the switching board card is used for data interaction inside the switch, and the storage board card is used for providing storage resources;
a virtualization architecture layer that performs software virtualization of computing resources, network resources, and storage resources based on the basic hardware architecture layer;
and the safety resource pool architecture layer runs various network safety components based on the virtualization architecture layer and generates a network safety component packet according to the network safety protection conditions of the target service terminal, wherein the network safety component packet comprises at least one network safety component, the network safety component is used for providing network safety protection for the target service terminal, and the target service terminal is any one of a plurality of service terminals.
6. The network security all-in-one machine according to claim 5, wherein the virtualization architecture layer comprises at least one network interface, and each network interface is connected with one service terminal and is used for providing network security protection for the target service terminal.
7. The network security all-in-one machine according to claim 5, wherein the security resource pool architecture layer comprises:
the resource allocation platform is used for capturing the service environment data of the target service terminal and generating the network security component package according to the service environment data; or receiving service environment data from the target service terminal, and generating the network security component package according to the received service environment data.
8. The network security all-in-one machine according to claim 7, wherein the resource allocation platform is used for providing a firewall and/or a bastion host for the service environment of a virtual network boundary, and for providing a virus scan-and-kill component and/or an industrial intrusion prevention component for the service environment of the internal network of the virtual machines.
9. A network security server, comprising:
the system comprises a detection unit, a service environment detection unit and a service safety management unit, wherein the detection unit is used for detecting the service environment of a target service terminal, the network safety server provides a network safety component for a plurality of service terminals, and the target service terminal is any one of the plurality of service terminals;
a generating unit, configured to generate a network security component package according to a network security protection condition of the service environment, where the network security component package includes at least one network security component, and the network security component is configured to provide network security protection for the target service terminal;
and the protection unit is used for providing the network security protection of the network security component package for the target service terminal.
10. The network security server according to claim 9, wherein the generating unit further comprises:
the capturing module is used for capturing the service environment data of the target service terminal and generating the network security packet according to the service environment data; and/or
And the receiving module is used for receiving a security protection request from the target service terminal and generating the network security packet according to the service environment data, wherein the security protection request comprises the service environment data of the target service terminal.
CN202310246184.9A 2023-03-15 2023-03-15 Protection method for terminal network security, all-in-one machine and server Pending CN115941365A (en)


Publications (1)

Publication Number Publication Date
CN115941365A true CN115941365A (en) 2023-04-07

Family

ID=86556268


Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN105959275A (en) * | 2016-04-26 | 2016-09-21 | 北京启明星辰信息安全技术有限公司 | Security integrated machine system
CN107222451A (en) * | 2016-03-22 | 2017-09-29 | 中兴通讯股份有限公司 | Data flow monitoring method and device
US20180159880A1 (en) * | 2015-06-16 | 2018-06-07 | Intel Corporation | Technologies for secure personalization of a security monitoring virtual network function
CN108809963A (en) * | 2018-05-24 | 2018-11-13 | 中国科学院计算机网络信息中心 | Secure resource sharing method, apparatus and storage medium
CN113986463A (en) * | 2021-10-27 | 2022-01-28 | 全球能源互联网研究院有限公司 | Electric power Internet of things security component virtualization construction method and system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20180159880A1 (en) * | 2015-06-16 | 2018-06-07 | Intel Corporation | Technologies for secure personalization of a security monitoring virtual network function
CN107222451A (en) * | 2016-03-22 | 2017-09-29 | 中兴通讯股份有限公司 | Data flow monitoring method and device
CN105959275A (en) * | 2016-04-26 | 2016-09-21 | 北京启明星辰信息安全技术有限公司 | Security integrated machine system
CN108809963A (en) * | 2018-05-24 | 2018-11-13 | 中国科学院计算机网络信息中心 | Secure resource sharing method, apparatus and storage medium
CN113986463A (en) * | 2021-10-27 | 2022-01-28 | 全球能源互联网研究院有限公司 | Electric power Internet of things security component virtualization construction method and system

Similar Documents

Publication | Title
US20200177552A1 (en) Methods and apparatus for malware threat research
US9166988B1 (en) System and method for controlling virtual network including security function
US10904277B1 (en) Threat intelligence system measuring network threat levels
US10560434B2 (en) Automated honeypot provisioning system
US11979428B1 (en) Technique for verifying exploit/malware at malware detection appliance through correlation with endpoints
Fernandes et al. Security issues in cloud environments: a survey
Tien et al. KubAnomaly: Anomaly detection for the Docker orchestration platform with neural network approaches
US20180191779A1 (en) Flexible Deception Architecture
Tupakula et al. Intrusion detection techniques for infrastructure as a service cloud
US20070266433A1 (en) System and Method for Securing Information in a Virtual Computing Environment
JP2019523949A (en) Architecture that dynamically scales network security microservices based on load
US10567395B2 (en) Detection of potentially malicious web content by emulating user behavior and user environment
CN106650425B (en) Control method and device for a security sandbox
CN113364750B (en) Method for inducing APT attack to introduce honeypots based on Snort and OpenFlow heuristic method
US20230370439A1 (en) Network action classification and analysis using widely distributed honeypot sensor nodes
CN110880983A (en) Penetration testing method and device based on scene, storage medium and electronic device
US20240028721A1 (en) Utilizing Machine Learning to detect malicious executable files efficiently and effectively
CN112235300B (en) Cloud virtual network vulnerability detection method, system, device and electronic equipment
Combe et al. An sdn and nfv use case: Ndn implementation and security monitoring
CN115941365A (en) Protection method for terminal network security, all-in-one machine and server
CN109218315A (en) Security management method and security control apparatus
Haar et al. Securing orchestrated containers with bsi module sys. 1.6
Ortiz et al. Experimental Security Analysis of Controller Software in SDNs: A Review
Wu et al. Examples of mimic defense application
WO2023141103A1 (en) Deep learning pipeline to detect malicious command and control traffic

Legal Events

Date | Code | Title | Description
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20230407