CN103164647B - Access control method of network security group and security computer - Google Patents



Publication number: CN103164647B
Authority: CN (China)
Prior art keywords: network security; security group; access control; group; network
Legal status: Active (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201310066392.7A
Other languages: Chinese (zh)
Other versions: CN103164647A (en)
Inventors: 潘健敏, 李礼
Current assignee: Nanjing Huirong Information Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Huawei Technologies Co Ltd

Events: application filed by Huawei Technologies Co Ltd; priority to CN201310066392.7A; publication of CN103164647A; application granted; publication of CN103164647B; legal status Active; anticipated expiration.


Abstract

The invention belongs to the field of information security and provides an access control method and device for network security groups. The method comprises the following steps: displaying all network security groups in the system in the same human-computer interaction interface; detecting a mouse drag operation of the user in the human-computer interaction interface; and establishing an access relation from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to its end position. The access control method for network security groups provided by the invention lets a user establish the access control relations between network security groups from an overall view quickly, accurately and efficiently, and improves the access control efficiency between network security groups.

Description

Access control method for network security groups and security computer
Technical field
The invention belongs to the field of information security and in particular relates to an access control method for network security groups and a security computer.
Background
In cloud infrastructure as a service (IaaS), virtual machine instances can be added and deleted dynamically, which on the security side greatly increases the management complexity and cost of configuring and changing firewalls. Traditional firewall methods also cannot reach carrier-grade reliability and lean operation. For this reason Amazon proposed the concept of the network security group (Security Group, SG): a network security group defines firewall rules for virtual machines, and these rules determine which network traffic may enter a virtual machine. New firewall rules can be added to a network security group dynamically, to strengthen the security of virtual machines that are already running or will be started in the future.
Referring to Fig. 1, which is a schematic diagram of the practice of network security groups in cloud computing provided by the prior art. It comprises three network security groups: webservergroup (web server group), appservergroup (third-party application server group) and dbservergroup (database server group). webservergroup contains webserver (web server), appservergroup contains appserver (third-party application server), and dbservergroup contains dbserver (database server). The access control between these network security groups is as follows:
tcp port 80 of webserver is opened to all IP addresses (0.0.0.0);
appserver allows access initiated by webserver, and dbserver allows access initiated by appserver.
To realize the access control between the above network security groups, the access control rules between them must be set in advance. Access control rules comprise access control between groups and IP authorization control. Access control between groups comprises access, being accessed and mutual access. Access refers to the permission of a network security group to access other network security groups; being accessed refers to the permission of other network security groups to access this network security group; mutual access refers to the permission of two or more network security groups to access each other.
The prior art provides an access control method between network security groups, summarized as follows: when an access control relation between groups needs to be added for a network security group (for example SG1), the user must first find SG1 one by one in the list of network security groups, then enter the user ID of the other network security group and the identifier of the other network security group (for example SG2); only then can the group access control relation from network security group SG2 to network security group SG1 be established. This access control method cannot give an overall view of the access relations between the network security groups, and it can only add, centred on one network security group, the rules by which other network security groups access that network security group. When there are a large number of network security groups and a large number of access rules between groups, this one-way operation has low configuration efficiency and cannot quickly establish mutual access relations between network security groups. For example, if SG1 and SG2 are to establish a mutual access relation, SG2 must first be added from the standpoint of SG1, and then SG1 added again from the standpoint of SG2. This access control method seriously affects the access control efficiency between network security groups.
Summary of the invention
Embodiments of the present invention provide an access control method and device for network security groups, intended to solve the problem of low access control efficiency between network security groups.
In a first aspect, an access control method for network security groups is provided, the method comprising:
displaying all network security groups in the system in the same human-computer interaction interface;
detecting a mouse drag operation of the user in this human-computer interaction interface;
establishing an access control relation from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to its end position.
In a first possible implementation of the first aspect, establishing the access control relation from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to its end position specifically comprises:
following the mouse drag operation, generating a graphic connected between the network security groups that marks the access, accessed or mutual access relation between them.
In combination with the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the graphic connected between the network security groups that marks the access, accessed or mutual access relation between them comprises a connecting line with an arrow; the connecting line with an arrow comprises a single-arrow connecting line and a double-arrow connecting line, the single-arrow connecting line representing an access or accessed relation between network security groups and the double-arrow connecting line representing a mutual access relation between network security groups.
In a third possible implementation of the first aspect, establishing the access relation from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to its end position specifically comprises:
determining the network segment of the network security group corresponding to the start position of the mouse drag operation;
adding, to each virtual machine in the network security group corresponding to the end position of the mouse drag operation, a rule that allows the network segment of the network security group corresponding to the start position of the mouse drag operation to access that virtual machine.
In a fourth possible implementation of the first aspect, the method further comprises:
displaying the access control relations between the network security groups in the system in the form of a topology diagram.
In combination with the fourth possible implementation of the first aspect, in a fifth possible implementation of the first aspect, displaying the access control relations between the network security groups in the system in the form of a topology diagram specifically comprises:
in the topology diagram, showing the access control relations between network security groups by means of the unique identifiers of the network security groups and the graphics connected between network security groups that mark the access, accessed or mutual access relations between them, and aggregating as a cluster the network security groups between which interleaved access control relations exist.
In a sixth possible implementation of the first aspect, before detecting the mouse drag operation of the user in this human-computer interaction interface, the method further comprises:
creating or selecting a network security group;
filtering out the other network security groups with which the created or selected network security group needs to establish an access control relation.
In a seventh possible implementation of the first aspect, the method further comprises:
receiving an access control relation deletion instruction input by the user through the human-computer interaction interface, and deleting, according to this deletion instruction, the access control relation between the network security groups that it specifies;
wherein the user inputs the access control relation deletion instruction through the human-computer interaction interface by right-clicking, in the topology diagram, the graphic that marks the access, accessed or mutual access relation between network security groups, and the network security groups specified by the deletion instruction are the network security groups connected by that graphic.
In an eighth possible implementation of the first aspect, the method further comprises:
receiving an IP authorized access addition instruction input by the user for the selected network security group, the IP authorized access addition instruction comprising an IP range, a start port and an end port;
adding, to each virtual machine in the selected network security group, a rule that allows the network segment within the IP range to access that virtual machine on the ports from the start port to the end port.
In a second aspect, a security computer is provided, the device comprising:
a security group display unit, for displaying all network security groups in the system in the same human-computer interaction interface;
an operation detection unit, for detecting the mouse drag operation of the user in this human-computer interaction interface;
an access control unit, for establishing an access control relation from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to its end position.
In a first possible implementation of the second aspect, the access control unit is specifically for generating, following the mouse drag operation, a graphic connected between the network security groups that marks the access, accessed or mutual access relation between them.
In a second possible implementation of the second aspect, the access control unit comprises:
a network segment acquisition module, for determining the network segment of the network security group corresponding to the start position of the mouse drag operation;
a rule addition module, for adding, to each virtual machine in the network security group corresponding to the end position of the mouse drag operation, a rule that allows the network segment of the network security group corresponding to the start position of the mouse drag operation to access that virtual machine.
In a third possible implementation of the second aspect, the device further comprises:
a topology display unit, for displaying the access control relations between the network security groups in the system in the form of a topology diagram.
In a fourth possible implementation of the second aspect, the topology display unit is specifically for showing, in the topology diagram, the access control relations between network security groups by means of the unique identifiers of the network security groups and the graphics connected between network security groups that mark the access, accessed or mutual access relations between them, and for aggregating as a cluster the network security groups between which interleaved access control relations exist.
In a fifth possible implementation of the second aspect, the device further comprises:
a security group creation unit, for receiving a security group creation instruction and creating a new network security group according to it;
a security group filter unit, for filtering out the other network security groups with which the created or selected network security group needs to establish an access control relation.
In a seventh possible implementation of the second aspect, the device further comprises:
an IP authorization unit, for receiving an IP authorized access addition instruction input by the user for the selected network security group, the instruction comprising an IP range, a start port and an end port, and for adding to each virtual machine in the selected network security group a rule that allows the network segment within the IP range to access that virtual machine on the ports from the start port to the end port.
In embodiments of the present invention, all network security groups in the system are output in the same human-computer interaction interface, the mouse drag operation of the user in this interface is detected, an access relation is established from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to its end position, and IP authorized access is added for the access relation established between the network security groups. The user can therefore establish the access control relations between the network security groups from an overall view, quickly, accurately and efficiently, which improves the access control efficiency between network security groups.
Description of the drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings required in the description of the embodiments or of the prior art are briefly introduced below. Obviously the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the practice of network security groups in cloud computing provided by the prior art;
Fig. 2 is the implementation flow chart of the access control method for network security groups provided by an embodiment of the invention;
Fig. 3 is a schematic diagram, provided by an embodiment of the invention, of the access relations between network security groups generated following the mouse drag operation to indicate what the user has established;
Fig. 4 is a schematic diagram, provided by an embodiment of the invention, of adding IP authorized access for the access relation established between network security groups;
Fig. 5 is the implementation flow chart of the access control method for network security groups provided by another embodiment of the invention;
Fig. 6 is a schematic diagram, provided by an embodiment of the invention, of displaying the access control relations between the network security groups in the system in the form of a topology diagram;
Fig. 7 is an example diagram, provided by an embodiment of the invention, of displaying the details of all network security groups through the security group list window;
Fig. 8 is a structural block diagram of the security computer provided by an embodiment of the invention;
Fig. 9 is a hardware structure diagram of the security computer provided by an embodiment of the invention.
Embodiments
In order to make the objects, technical solutions and advantages of the present invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the invention and not to limit it.
In embodiments of the present invention, all network security groups in the system are output in the same human-computer interaction interface, the mouse drag operation of the user in this interface is detected, and an access relation is established from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to its end position. The user can therefore establish the access control relations between the network security groups from an overall view, quickly, accurately and efficiently, which improves the access control efficiency between network security groups.
The technical solutions of the invention are described below by means of specific embodiments.
Fig. 2 shows the implementation flow of the access control method for network security groups provided by an embodiment of the invention, detailed as follows:
S201: display all network security groups in the system in the same human-computer interaction interface.
In this embodiment, all network security groups in the system are displayed in the same human-computer interaction interface, so that the user can view all the security groups in the system from a global perspective.
When displaying all network security groups, information that uniquely identifies each network security group, such as its name, unique identifier or icon, can be displayed.
S202: detect the mouse drag operation of the user in this human-computer interaction interface, and establish an access control relation from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to its end position.
In this embodiment, after all network security groups in the system have been displayed in the same human-computer interaction interface, if the user needs to establish access control relations between network security groups, the user can do so by mouse dragging. The detailed process is as follows:
After the user clicks a network security group SG1 in the interface with the mouse, the mouse is dragged to another network security group SG2 with which an access control relation is to be established, and released when it reaches SG2. The mouse drag operation of the user in the interface from network security group SG1 to network security group SG2 is then detected, the network security group corresponding to the start position of this drag operation is determined to be SG1, and the network security group corresponding to its end position is determined to be SG2.
After the network security groups corresponding to the start and end positions of the user's mouse drag operation in the interface have been determined, the access control relation from the network security group corresponding to the start position to the network security group corresponding to the end position can be established; that is, it is established that the network security group corresponding to the start position of the drag operation can access the network security group corresponding to its end position.
In order that the user can intuitively see the access control relation that has been established, a graphic connected between the network security groups that marks the access, accessed or mutual access relation between them can be generated following the mouse drag operation.
The graphic connected between network security groups that marks the access, accessed or mutual access relation between them includes, but is not limited to, a connecting line with an arrow. The connecting line with an arrow comprises a single-arrow connecting line and a double-arrow connecting line. A single-arrow connecting line represents an access or accessed relation between network security groups; a double-arrow connecting line represents a mutual access relation between network security groups.
For example, a connecting line with an arrow is generated between the network security group corresponding to the start position of the drag operation and the network security group corresponding to its end position, with the arrow pointing at the network security group corresponding to the end position, to indicate to the user that the access relation established is that the network security group corresponding to the start position of the drag operation can access the network security group corresponding to its end position.
Refer to Fig. 3, which is a schematic diagram, provided by an embodiment of the invention, of the access control relations between network security groups generated following the mouse drag operation to indicate what the user has established; the invention is not limited to this diagram. In Fig. 3, by clicking network security group SG6, dragging the mouse to network security group SG3 and releasing it, the user establishes the access relation in which network security group SG6 accesses network security group SG3; by first clicking network security group SG3, dragging the mouse to network security group SG4 and releasing it, and then clicking network security group SG4, dragging the mouse to network security group SG3 and releasing it, the user establishes a mutual access relation between network security group SG3 and network security group SG4.
The detailed process of establishing the access control relation from the network security group corresponding to the start position of the drag operation to the network security group corresponding to its end position is as follows:
A1: determine the network segment of the network security group corresponding to the start position of the drag operation;
A2: add, to each virtual machine in the network security group corresponding to the end position of the drag operation, a rule that allows the network segment of the network security group corresponding to the start position to access that virtual machine.
In this embodiment, by outputting all network security groups in the system in the same human-computer interaction interface and detecting the user's mouse drag operation in it, the user can proceed from an overall view and, even when there are a large number of network security groups, establish the access control relations between them quickly, accurately and efficiently, including access, accessed and/or mutual access control relations, which improves the access control efficiency between network security groups.
In another embodiment of the invention, the method further comprises the following step:
adding IP authorized access for a network security group.
The detailed process of adding IP authorized access for a network security group is as follows:
B1: select the network security group for which IP authorized access is to be added.
B2: receive the IP authorized access addition instruction input by the user for the selected network security group. The IP authorized access addition instruction comprises an IP range and also comprises the transport layer protocol, start port, end port and so on. The IP range is the range of IP addresses that are allowed access. The start port and end port are the range of ports that the allowed IP address range may access. The user can input the IP authorized access addition instruction in any of the ways provided by the prior art.
B3: add, to each virtual machine in the network security group selected by the user, a rule that allows the network segment within the IP range to access that virtual machine on the ports from the start port to the end port.
Refer to Fig. 4, which is a schematic diagram, provided by an embodiment of the invention, of adding IP authorized access for a network security group; the invention is not limited to this diagram.
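The drag procedure (A1, A2), the IP authorization steps (B1 to B3) and the deletion instruction on a connecting line can be modelled as operations on per-VM allow rules. The following Python is an added example, not code from the patent or from Huawei. It assumes that each group's virtual machines occupy one network segment given as a CIDR, that a VM's firewall is a set of allow rules, and that a drag grants all ports unless the caller says otherwise. The group names follow Fig. 1; the segments, VM names, owner and the address 203.0.113.9 are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

PROTOCOLS = {"tcp", "udp"}

@dataclass(frozen=True)
class Rule:
    source: str        # network segment (CIDR) allowed to reach the VM
    protocol: str
    start_port: int
    end_port: int

@dataclass
class VirtualMachine:
    name: str
    rules: set = field(default_factory=set)

@dataclass
class SecurityGroup:
    name: str
    segment: str       # network segment of the group's VMs (assumption: one per group)
    owner: str
    vms: list = field(default_factory=list)

def normalize(cidr):
    """Canonical CIDR text, so rules created from the same segment compare equal."""
    return str(ipaddress.ip_network(cidr, strict=False))

def make_rule(source, protocol, start_port, end_port):
    """Validate an allow rule before it reaches any VM: bad CIDRs, unknown
    protocols and inverted or out-of-range port ranges are rejected."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {protocol!r}")
    if not 0 <= start_port <= end_port <= 65535:
        raise ValueError(f"invalid port range {start_port}-{end_port}")
    return Rule(normalize(source), protocol, start_port, end_port)

def authorize_ip(group, ip_range, protocol, start_port, end_port):
    """Steps B1-B3: add one IP-authorization rule to every VM of the selected group."""
    rule = make_rule(ip_range, protocol, start_port, end_port)
    for vm in group.vms:
        vm.rules.add(rule)
    return rule

def establish_access(src, dst, protocol="tcp", start_port=0, end_port=65535):
    """Drag from src to dst: take src's network segment (A1) and add a rule that
    allows it into each VM of dst (A2). All ports by default (an assumption)."""
    return authorize_ip(dst, src.segment, protocol, start_port, end_port)

def revoke_access(src, dst):
    """Deletion instruction on the src -> dst graphic: drop src's segment from
    every VM in dst. Returns the number of rules removed."""
    segment, removed = normalize(src.segment), 0
    for vm in dst.vms:
        keep = {r for r in vm.rules if r.source != segment}
        removed += len(vm.rules) - len(keep)
        vm.rules = keep
    return removed

def has_group_access(src, dst):
    """Group-level relation as the topology draws it: every VM in dst carries a
    rule whose source is exactly src's segment."""
    segment = normalize(src.segment)
    return bool(dst.vms) and all(
        any(r.source == segment for r in vm.rules) for vm in dst.vms)

def relation(a, b):
    """'access' (single arrow a -> b), 'accessed' (single arrow b -> a),
    'mutual' (double arrow) or None when no relation exists."""
    ab, ba = has_group_access(a, b), has_group_access(b, a)
    return "mutual" if ab and ba else "access" if ab else "accessed" if ba else None

def is_reachable(address, group, protocol, port):
    """Effective check to keep next to the topology: can this single address
    reach every VM in the group on this protocol and port?"""
    ip = ipaddress.ip_address(address)
    return bool(group.vms) and all(
        any(ip in ipaddress.ip_network(r.source) and r.protocol == protocol
            and r.start_port <= port <= r.end_port for r in vm.rules)
        for vm in group.vms)

def build_three_tier():
    """Constructed sample reproducing the Fig. 1 setup; segments, VM names and
    the owner are made up."""
    web = SecurityGroup("webservergroup", "10.0.1.0/24", "alice", [VirtualMachine("web1")])
    app = SecurityGroup("appservergroup", "10.0.2.0/24", "alice",
                        [VirtualMachine("app1"), VirtualMachine("app2")])
    db = SecurityGroup("dbservergroup", "10.0.3.0/24", "alice", [VirtualMachine("db1")])
    authorize_ip(web, "0.0.0.0/0", "tcp", 80, 80)  # tcp80 of webserver opened to all IPs
    establish_access(web, app)                      # drag webservergroup -> appservergroup
    establish_access(app, db)                       # drag appservergroup -> dbservergroup
    return web, app, db
```

The group relation that the topology draws (`relation`) is kept separate from effective reachability (`is_reachable`): the two answer different questions. With the Fig. 1 setup, `relation(web, db)` is `None`, yet `is_reachable("203.0.113.9", web, "tcp", 80)` is true because the tcp80 rule was opened to 0.0.0.0, while the same address cannot reach port 22. A second drag in the opposite direction turns a single arrow into a mutual relation, and `revoke_access` undoes exactly one direction.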
Fig. 5 shows the implementation flow of the access control method for network security groups provided by another embodiment of the invention. S501 to S502 are identical to S201 to S202 shown in Fig. 2 and are not repeated here; this embodiment further comprises the following step, detailed as follows:
S503: display the access control relations between the network security groups in the system in the form of a topology diagram.
The detailed process of displaying the access control relations between the network security groups in the system in the form of a topology diagram is as follows:
In the topology diagram, the access control relations between network security groups are shown by means of the unique identifiers of the network security groups and the graphics (connecting lines and the like) connected between network security groups that mark the access, accessed or mutual access relations between them, and the network security groups between which interleaved access control relations exist are aggregated as a cluster.
The unique identifier of a network security group can uniquely identify each network security group; it includes, but is not limited to, the name, icon or identifier of the network security group, or any combination of the name, icon and identifier.
The marks of access, accessed or mutual access relations between network security groups include, but are not limited to, connecting lines with arrows. A connecting line with an arrow comprises a single-arrow connecting line and a double-arrow connecting line. A single-arrow connecting line represents an access or accessed relation between network security groups, the network security group pointed to by the arrow being the one accessed. A double-arrow connecting line represents a mutual access relation between network security groups.
Refer to Fig. 6, which is a schematic diagram, provided by an embodiment of the invention, of displaying the access control relations between the network security groups in the system in the form of a topology diagram; the invention is not limited to this diagram. Through Fig. 6 the user can intuitively see the access control relations between the network security groups in the system, and because network security groups with interleaved access control relations are aggregated as a cluster, the user can see the access control relations between multiple network security groups even more intuitively.
In this embodiment, by displaying the access control relations between the network security groups in the system in the form of a topology diagram and aggregating as a cluster the network security groups with interleaved access control relations, the user can intuitively know, from a global perspective, the access control relations between the network security groups in the system.
In another embodiment of the invention, in order to make it more convenient for the user to view the access control relations between network security groups, the method further comprises the following step:
receiving a switching instruction through a toggle switch arranged in the human-computer interaction interface, and, according to this switching instruction, either displaying the access control relations between all network security groups or displaying the access control relations of the selected network security group. For ease of understanding, this is illustrated as follows:
when the switching instruction indicates displaying the access control relations between all network security groups, the access control relations existing between all network security groups in the system are output through the human-computer interaction interface in the form of a topology diagram, so that the user can view the access control relations between the network security groups of the whole system from a global perspective;
when the switching instruction indicates displaying the access control relations of the selected network security group, the access control relations of the selected network security group existing in the system (comprising its access, accessed and mutual access control relations) are output through the human-computer interaction interface in the form of a topology diagram, so that the user can separately view the access control relations of the network security group of interest.
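The topology view of S503 (single and double arrows, clustering) and the toggle switch between the whole-system view and the single-group view can both be derived from the set of group relations. The following Python is an added example, not the patent's code; it assumes the relations are available as directed (source, destination) pairs created by drags, treats a pair present in both directions as one mutual access relation, and reads "interleaved access control relations" as any chain of relations, so that a cluster is a connected component of the undirected relation graph (an interpretation, not something the patent states). The sample relations reproduce Fig. 3 (SG6 to SG3, SG3 and SG4 mutual) plus a constructed SG1 to SG2 relation and an isolated SG5.

```python
from collections import defaultdict

# Constructed sample: SG6 -> SG3 and SG3 <-> SG4 as in Fig. 3, plus SG1 -> SG2;
# SG5 has no relation at all.
GROUPS = ["SG1", "SG2", "SG3", "SG4", "SG5", "SG6"]
ACCESS = {("SG6", "SG3"), ("SG3", "SG4"), ("SG4", "SG3"), ("SG1", "SG2")}

def topology_edges(access):
    """One graphic per relation: a single arrow src -> dst, or a double arrow
    for a pair present in both directions (listed once)."""
    edges, seen = [], set()
    for src, dst in sorted(access):
        if (dst, src) in access:
            pair = tuple(sorted((src, dst)))
            if pair in seen:
                continue
            seen.add(pair)
            edges.append((pair[0], pair[1], "<->"))
        else:
            edges.append((src, dst, "->"))
    return edges

def clusters(groups, access):
    """Aggregate groups joined by interleaved relations (union-find over the
    undirected relation graph); a group with no relation is a cluster of one."""
    parent = {g: g for g in groups}

    def find(g):
        while parent[g] != g:
            parent[g] = parent[parent[g]]   # path halving
            g = parent[g]
        return g

    for src, dst in access:
        parent[find(src)] = find(dst)
    members = defaultdict(list)
    for g in groups:
        members[find(g)].append(g)
    return sorted(sorted(c) for c in members.values())

def relations_of(group, access):
    """Split the chosen group's relations into access, accessed and mutual,
    which is what the single-group view of the toggle switch shows."""
    out = {"access": [], "accessed": [], "mutual": []}
    for src, dst in sorted(access):
        if group not in (src, dst):
            continue
        other = dst if src == group else src
        if (other, group) in access and (group, other) in access:
            if other not in out["mutual"]:
                out["mutual"].append(other)
        elif src == group:
            out["access"].append(other)
        else:
            out["accessed"].append(other)
    return out

def render(groups, access, selected=None):
    """Toggle switch: all relations plus clusters when selected is None, or only
    the graphics touching the selected group. Returns lines of a text rendering."""
    edges = topology_edges(access)
    if selected is not None:
        edges = [e for e in edges if selected in (e[0], e[1])]
    lines = [f"{a} {arrow} {b}" for a, b, arrow in edges]
    if selected is None:
        lines += ["cluster: " + ", ".join(c) for c in clusters(groups, access)]
    return lines
```

`render(GROUPS, ACCESS)` gives the whole-system view with its three clusters; `render(GROUPS, ACCESS, "SG3")` keeps only the double arrow to SG4 and the single arrow from SG6, which is the "selected network security group" view.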
In another embodiment of the invention, in order to make it convenient for the user to view more detailed information about network security groups, the method further comprises the following step:
receiving a security group details display instruction through a security group list window arranged in the human-computer interaction interface, and, according to this instruction, displaying the details of all network security groups existing in the system through the security group list window. The details of a network security group include, but are not limited to, its identifier and its owning user. Refer to Fig. 7, which is an example diagram, provided by an embodiment of the invention, of displaying the details of all network security groups through the security group list window; the invention is not limited to this example.
In another embodiment of the invention, before detecting the user's mouse drag operation in the human-computer interaction interface, the method further comprises the following steps:
C1. Create or select a network security group.
The specific process of creating a network security group may be as follows: the user issues a creation instruction by right-clicking in the human-computer interaction interface that outputs the network security groups; after the creation instruction is received, a network security group creation window is output; the configuration information of the network security group to be created, entered by the user, is received through this creation window; and a new network security group is created according to this configuration information.
A network security group may be selected, for example, by left-clicking on the displayed network security group.
C2. Filter out the other network security groups with which the created or selected network security group needs to establish an access control relation.
The filter condition includes, but is not limited to, the owning user of the network security group, or other filter conditions predefined by the user. For example, the specific process of filtering out the other network security groups with which the created or selected network security group needs to establish an access control relation is as follows:
When the filter condition is the owning user of the network security group, the owning user of the created or selected network security group is obtained, and the other network security groups whose owning user is the same as that of the created or selected network security group are filtered out.
In another embodiment of the invention, the network security groups may also be displayed sorted by owning user, to facilitate the user's selection of network security groups.
In this embodiment, a new network security group can be created at any time as required. When an access control relation needs to be established between the network security group created or selected by the user and other security groups, to spare the user from selecting among a large number of network security groups, a filter condition can first be defined by the user, and the network security groups with which the user-selected network security group needs to establish an access control relation are then filtered out according to that condition. In this way, the operational complexity for the user when creating access control relations between network security groups can be reduced, as can the time consumed in creating them.
In another embodiment of the invention, the method further comprises the following step:
A deletion instruction for an access control relation, input by the user through the human-computer interaction interface, is received, and the access control relation between the network security groups specified by the deletion instruction is deleted according to it.
The way in which the user inputs the deletion instruction for an access control relation through the human-computer interaction interface is as follows:
The user selects, in the topology diagram, the graphic used to mark an access, accessed-by or mutual-access relation between network security groups and right-clicks on it to input the deletion instruction for the access control relation; the network security groups specified by the deletion instruction are the network security groups connected by that graphic. When the graphic marking the relation is an arrowed line, the user right-clicks on the arrowed line to input the deletion instruction, and the access control relation between the network security groups connected by that arrowed line can be deleted.
It will be appreciated that the way in which the user inputs the deletion instruction for an access control relation is not limited to the above example; various other ways are possible. For example, a delete button can be arranged in the human-computer interaction interface, and after the user selects the graphic used to mark an access, accessed-by or mutual-access relation between network security groups, clicking this delete button inputs the deletion instruction.
The specific process of deleting, according to the deletion instruction, the access control relation between the network security groups specified by it is illustrated as follows:
Suppose the access control relation to be deleted is the one allowing network security group SG1 to access network security group SG2. The user then selects, in the topology diagram, the arrow pointing from SG1 to SG2 to input the deletion instruction. After the deletion instruction input by the user is detected, the rule allowing the network segment of network security group SG1 to access the virtual machine is deleted from each virtual machine in network security group SG2, and the arrow from SG1 to SG2 is deleted from the topology diagram at the same time.
In this embodiment, by inputting the deletion instruction through selecting, in the topology diagram, the graphic used to mark an access, accessed-by or mutual-access relation between network security groups, an established access control relation between network security groups can be deleted quickly, accurately and efficiently, and the existing access control relations between network security groups can be adjusted conveniently, which greatly improves work efficiency.
Fig. 8 shows the structure of the security computer provided by an embodiment of the invention; for convenience of explanation, only the parts relevant to the embodiment are shown.
This security computer may be used in a cloud computing server. It may be a software unit running in the cloud computing server, a hardware unit, or a combination of software and hardware, and it may be integrated into the cloud computing server as an independent component or run within an application system of the cloud computing server. It comprises the following:
A security group display unit 1 displays all network security groups in the system in the same human-computer interaction interface.
When all network security groups are displayed, information that uniquely identifies each network security group, such as its name, unique identifier or icon, may be shown.
An operation detection unit 2 detects the user's mouse drag operation in the human-computer interaction interface.
An access control unit 3 establishes the access control relation from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to its end position.
In this embodiment, so that the user can intuitively see the established access control relation, the access control unit 3 is further configured to follow the mouse drag operation and generate a graphic, connected between the network security groups, that marks the access, accessed-by or mutual-access relation between them.
The graphic connected between network security groups to mark an access, accessed-by or mutual-access relation includes, but is not limited to, an arrowed line. Arrowed connecting lines comprise single-arrow connecting lines and double-arrow connecting lines; a single-arrow connecting line represents an access or accessed-by relation between network security groups, and a double-arrow connecting line represents a mutual-access relation between them.
The access control unit 3 comprises a network segment acquisition module 31 and a rule adding module 32, where:
The network segment acquisition module 31 determines the network segment of the network security group corresponding to the start position of the mouse drag operation.
The rule adding module 32 adds, to each virtual machine in the network security group corresponding to the end position of the mouse drag operation, a rule allowing the network segment of the network security group corresponding to the start position of the mouse drag operation to access that virtual machine.
In another embodiment of the invention, the device further comprises an IP grant unit 4, which adds IP-granted access for a network security group. Specifically, the IP grant unit 4 receives an IP-granted access adding instruction input by the user for a selected network security group, where the instruction comprises an IP range, a start port and an end port, and adds, to each virtual machine in the selected network security group, a rule allowing the network segment within that IP range to access the virtual machine on the ports from the start port to the end port.
In another embodiment of the invention, the device further comprises a topology display unit 5, which displays the access control relations between the network security groups in the system in the form of a topology diagram.
Specifically, the topology display unit 5 displays, in the topology diagram, the access control relations between network security groups using the unique identifiers of the network security groups and the graphics connected between them that mark access, accessed-by or mutual-access relations, and gathers multiple network security groups that have interleaved access control relations into a cluster.
The unique identifier of a network security group uniquely identifies that group; it includes, but is not limited to, the name, icon or identifier of the network security group, and may also be any combination of these.
The marks connected between network security groups to indicate access, accessed-by or mutual-access relations include, but are not limited to, arrowed connecting lines. Arrowed connecting lines comprise single-arrow connecting lines and double-arrow connecting lines. A single-arrow connecting line represents an access or accessed-by relation between network security groups, and the network security group the arrow points to is the accessed one. A double-arrow connecting line represents a mutual-access relation between network security groups.
In another embodiment of the invention, to make it more convenient for the user to view the access control relations between network security groups, the device further comprises a display switching unit 6. The display switching unit 6 receives a switching instruction through a toggle switch arranged in the human-computer interaction interface and, according to the switching instruction, displays either the access control relations between all network security groups or the access control relations of a selected network security group.
When the switching instruction indicates that the access control relations between all network security groups are to be displayed, the access control relations between all network security groups existing in the system are output through the human-computer interaction interface in the form of a topology diagram, so that the user can view the access control relations between the network security groups of the whole system from a global perspective;
When the switching instruction indicates that the access control relations of a selected network security group are to be displayed, the access control relations of the selected network security group existing in the system (including the relations in which this group accesses, is accessed by, or mutually accesses other groups) are output through the human-computer interaction interface in the form of a topology diagram, so that the user can separately view the access control relations of the network security group of interest.
In another embodiment of the invention, to make it easier for the user to view more detailed information about a network security group, the device further comprises a details display unit 7. The details display unit 7 receives a security group details display instruction through a security group list window arranged in the human-computer interaction interface and, according to that instruction, displays the details of all network security groups existing in the system in the security group list window. The details of a network security group include, but are not limited to, its identifier and its owning user.
In another embodiment of the invention, the device further comprises a security group creating unit 8 and a security group filtering unit 9, where:
The security group creating unit 8 receives a security group creation instruction and creates a new network security group according to it.
The specific process of creating a network security group may be as follows: the user issues a creation instruction by right-clicking in the human-computer interaction interface that outputs the network security groups; after the creation instruction is received, a network security group creation window is output; the configuration information of the network security group to be created, entered by the user, is received through this creation window; and a new network security group is created according to this configuration information.
The security group filtering unit 9 filters out the other network security groups with which the created or selected network security group needs to establish an access control relation.
The filter condition includes, but is not limited to, the owning user of the network security group, or other filter conditions predefined by the user.
The specific process of filtering out the other network security groups with which the created or selected network security group needs to establish an access control relation is as follows:
When the filter condition is the owning user of the network security group, the owning user of the created or selected network security group is obtained, and the other network security groups whose owning user is the same as that of the created or selected network security group are filtered out.
In another embodiment of the invention, the device further comprises an access relation deleting unit 10, which receives a deletion instruction for an access control relation input by the user through the human-computer interaction interface and, according to the deletion instruction, deletes the access control relation between the network security groups specified by it.
The way in which the user inputs the deletion instruction for an access control relation through the human-computer interaction interface is as follows:
The user selects, in the topology diagram, the graphic used to mark an access, accessed-by or mutual-access relation between network security groups and right-clicks on it to input the deletion instruction for the access control relation; the network security groups specified by the deletion instruction are the network security groups connected by that graphic. When the graphic marking the relation is an arrowed line, the user right-clicks on the arrowed line to input the deletion instruction, and the access control relation between the network security groups connected by that arrowed line can be deleted.
It will be appreciated that the way in which the user inputs the deletion instruction for an access control relation is not limited to the above example; various other ways are possible. For example, a delete button can be arranged in the human-computer interaction interface, and after the user selects the graphic used to mark an access, accessed-by or mutual-access relation between network security groups, clicking this delete button inputs the deletion instruction. The functional units or modules described in the above embodiment may be used to implement the methods of Fig. 2 to Fig. 7 above. It should be noted that the units included in the above device are divided according to functional logic, but the division is not limited to the one above, as long as the corresponding functions can be realized; in addition, the specific names of the functional units serve only to distinguish them from one another and do not limit the scope of protection of the invention.
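As an added example (not the patent's own code), the following Python model implements the behaviour of the units described above: a drag from one group to another adds a rule admitting the source group's network segment to every virtual machine of the target group, an IP grant adds a rule for an IP range and port range, the owner filter picks the candidate groups, deletion removes the drag rule, and the topology view derives single and double arrows and clusters from the stored relations. Class and method names, the "all ports" meaning of a drag-established relation, and the sample groups SG1, SG2 and SG3 are assumptions.

```python
# Added example (not the patent's own code): a minimal model of the security-group
# access control described above. Class and method names are assumptions.
import ipaddress
from dataclasses import dataclass, field

ALL_PORTS = (1, 65535)  # assumption: a drag-established relation opens every port


@dataclass(frozen=True)
class Rule:  # one allow rule on a VM: a source CIDR plus an inclusive port range
    source: str
    port_start: int
    port_end: int


@dataclass
class VirtualMachine:
    name: str
    rules: set[Rule] = field(default_factory=set)


@dataclass
class SecurityGroup:
    sg_id: str
    owner: str
    segment: str  # the group's network segment, e.g. "10.0.1.0/24"
    vms: list[VirtualMachine] = field(default_factory=list)


class SecurityGroupController:
    """Stands in for units 3, 4, 9 and 10 of the description; the topology view is derived."""

    def __init__(self) -> None:
        self.groups: dict[str, SecurityGroup] = {}
        self.relations: set[tuple[str, str]] = set()  # (src, dst): src may access dst

    def add_group(self, sg: SecurityGroup) -> None:
        ipaddress.ip_network(sg.segment)  # reject a malformed segment early
        self.groups[sg.sg_id] = sg

    def establish_access(self, src_id: str, dst_id: str) -> None:
        """Drag src -> dst: each VM in dst gets a rule admitting src's segment."""
        rule = Rule(self.groups[src_id].segment, *ALL_PORTS)
        for vm in self.groups[dst_id].vms:
            vm.rules.add(rule)
        self.relations.add((src_id, dst_id))

    def delete_access(self, src_id: str, dst_id: str) -> None:
        """Delete the arrow src -> dst: remove that rule from each VM in dst."""
        rule = Rule(self.groups[src_id].segment, *ALL_PORTS)
        for vm in self.groups[dst_id].vms:
            vm.rules.discard(rule)
        self.relations.discard((src_id, dst_id))

    def add_ip_grant(self, sg_id: str, cidr: str, port_start: int, port_end: int) -> None:
        """IP-granted access: admit a CIDR on a port range to each VM in the group."""
        ipaddress.ip_network(cidr)
        if not 1 <= port_start <= port_end <= 65535:
            raise ValueError("invalid port range")
        for vm in self.groups[sg_id].vms:
            vm.rules.add(Rule(cidr, port_start, port_end))

    def candidate_groups(self, sg_id: str) -> list[str]:
        """Filter condition 'same owning user': the groups offered as drag targets."""
        owner = self.groups[sg_id].owner
        return sorted(g.sg_id for g in self.groups.values()
                      if g.owner == owner and g.sg_id != sg_id)

    def is_allowed(self, src_ip: str, vm: VirtualMachine, port: int) -> bool:
        """Evaluate one VM's rules for a packet; anything unmatched is denied."""
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(r.source) and r.port_start <= port <= r.port_end
                   for r in vm.rules)

    def topology(self) -> tuple[set[tuple[str, str]], set[frozenset[str]]]:
        """Single arrows (one-way access) and double arrows (mutual access)."""
        single = {(a, b) for a, b in self.relations if (b, a) not in self.relations}
        double = {frozenset((a, b)) for a, b in self.relations if (b, a) in self.relations}
        return single, double

    def clusters(self) -> list[set[str]]:
        """Gather groups with interleaved access relations into one cluster
        (connected components of the undirected access graph)."""
        comps = [{g} for g in self.groups]
        for a, b in self.relations:
            ca = next(c for c in comps if a in c)
            cb = next(c for c in comps if b in c)
            if ca is not cb:
                ca |= cb
                comps.remove(cb)
        return sorted(comps, key=min)


def build_demo() -> SecurityGroupController:
    ctl = SecurityGroupController()  # constructed sample data; all values are assumed
    ctl.add_group(SecurityGroup("SG1", "alice", "10.0.1.0/24", [VirtualMachine("a1")]))
    ctl.add_group(SecurityGroup("SG2", "alice", "10.0.2.0/24", [VirtualMachine("b1"), VirtualMachine("b2")]))
    ctl.add_group(SecurityGroup("SG3", "bob", "10.0.3.0/24", [VirtualMachine("c1")]))
    ctl.establish_access("SG1", "SG2")                 # drag from SG1 to SG2
    ctl.add_ip_grant("SG2", "203.0.113.0/24", 80, 80)  # IP grant on port 80 only
    return ctl
```

Deleting the SG1 to SG2 arrow removes only the drag rule from SG2's virtual machines; an IP grant added separately to the same group stays in place, which is worth checking when auditing what a group still admits.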
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments can be implemented by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, such as a ROM/RAM, a magnetic disk or an optical disc.
Referring to Fig. 9, an embodiment of the invention provides a schematic diagram of a security computer 700. The security computer 700 may be a host server with computing capability, a personal computer (PC), a portable computer or a terminal; the specific embodiment of the invention does not limit the specific implementation of the computing node. The security computer 700 comprises:
a processor 710, a memory 720 and a bus 730.
The processor 710 and the memory 720 communicate with each other through the bus 730.
The processor 710 is configured to execute a program 722.
Specifically, the program 722 may comprise program code, and the program code comprises computer operation instructions.
The processor 710 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiment of the invention.
The memory 720 is configured to store the program 722. The memory 720 may comprise high-speed RAM and may also comprise non-volatile memory, such as at least one magnetic disk memory. The program 722 may specifically comprise:
a security group display unit 1, configured to display all network security groups in the system in the same human-computer interaction interface;
an operation detection unit 2, configured to detect the user's mouse drag operation in the human-computer interaction interface;
an access control unit 3, configured to establish the access relation from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to its end position.
The specific implementation of each unit in the program 722 corresponds to the units of the embodiment shown in Fig. 8 and is not repeated here.
In the embodiments of the invention, all network security groups in the system are output in the same human-computer interaction interface, the user's mouse drag operation in that interface is detected, the access relation from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to its end position is established, and IP-granted access is added for the established access relation between the network security groups; the user can thus establish the access control relations between the network security groups quickly, accurately and efficiently from a global perspective, which improves the efficiency of access control between network security groups. By displaying the access control relations between the network security groups in the system in the form of a topology diagram, and gathering multiple network security groups that have interleaved access control relations into a cluster, the user can intuitively understand the access control relations between the network security groups of the system from a global perspective. By filtering out, according to a filter condition, the network security groups with which the group selected or created by the user needs to establish an access control relation, the operational complexity for the user when creating access control relations between network security groups can be reduced, as can the time consumed. By inputting the deletion instruction through selecting, in the topology diagram, the graphic used to mark an access, accessed-by or mutual-access relation between network security groups, an established access control relation can be deleted quickly, accurately and efficiently, and the existing access control relations between network security groups can be adjusted conveniently, which greatly improves work efficiency.
The foregoing are only preferred embodiments of the invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (15)

1. An access control method for a network security group, characterized in that the method comprises:
displaying all network security groups in the system in the same human-computer interaction interface;
detecting a mouse drag operation of a user in the human-computer interaction interface;
establishing an access control relation from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to its end position, which comprises:
determining the network segment of the network security group corresponding to the start position of the mouse drag operation;
adding, to each virtual machine in the network security group corresponding to the end position of the mouse drag operation, a rule allowing the network segment of the network security group corresponding to the start position of the mouse drag operation to access the virtual machine.
2. The access control method for a network security group according to claim 1, characterized in that establishing the access control relation from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to its end position specifically comprises:
following the mouse drag operation and generating a graphic, connected between the network security groups, that marks the access, accessed-by or mutual-access relation between the network security groups.
3. The access control method for a network security group according to claim 2, characterized in that the graphic connected between the network security groups to mark the access, accessed-by or mutual-access relation comprises an arrowed connecting line; the arrowed connecting line comprises a single-arrow connecting line and a double-arrow connecting line; the single-arrow connecting line represents an access or accessed-by relation between network security groups, and the double-arrow connecting line represents a mutual-access relation between network security groups.
4. The access control method for a network security group according to claim 1, characterized in that the method further comprises:
displaying the access control relations between the network security groups in the system in the form of a topology diagram.
5. The access control method for a network security group according to claim 4, characterized in that displaying the access control relations between the network security groups in the system in the form of a topology diagram specifically comprises:
in the topology diagram, displaying the access control relations between network security groups using the unique identifiers of the network security groups and the graphics connected between them that mark access, accessed-by or mutual-access relations, and gathering multiple network security groups that have interleaved access control relations into a cluster.
6. The access control method for a network security group according to claim 1, characterized in that, before detecting the mouse drag operation of the user in the human-computer interaction interface, the method further comprises:
creating or selecting a network security group;
filtering out the other network security groups with which the created or selected network security group needs to establish an access control relation.
7. The access control method for a network security group according to claim 1, characterized in that the method further comprises:
receiving a deletion instruction for an access control relation input by the user through the human-computer interaction interface, and deleting, according to the deletion instruction, the access control relation between the network security groups specified by it;
wherein the user inputs the deletion instruction for the access control relation through the human-computer interaction interface as follows: the user selects, in the topology diagram, the graphic used to mark an access, accessed-by or mutual-access relation between network security groups and right-clicks on it to input the deletion instruction, and the network security groups specified by the deletion instruction are the network security groups connected by that graphic.
8. The method according to claim 1, characterized in that the method further comprises:
receiving an IP-granted access adding instruction input by the user for a selected network security group, the IP-granted access adding instruction comprising an IP range, a start port and an end port;
adding, to each virtual machine in the selected network security group, a rule allowing the network segment within the IP range to access the virtual machine on the ports from the start port to the end port.
9. A security computer, characterized in that the security computer comprises:
a security group display unit, configured to display all network security groups in the system in the same human-computer interaction interface;
an operation detection unit, configured to detect a mouse drag operation of a user in the human-computer interaction interface;
an access control unit, configured to establish an access control relation from the network security group corresponding to the start position of the mouse drag operation to the network security group corresponding to its end position;
the access control unit comprising:
a network segment acquisition module, configured to determine the network segment of the network security group corresponding to the start position of the mouse drag operation;
a rule adding module, configured to add, to each virtual machine in the network security group corresponding to the end position of the mouse drag operation, a rule allowing the network segment of the network security group corresponding to the start position of the mouse drag operation to access the virtual machine.
10. The security computer according to claim 9, characterized in that the access control unit is further configured to follow the mouse drag operation and generate a graphic, connected between the network security groups, that marks the access, accessed-by or mutual-access relation between the network security groups.
11. The security computer according to claim 9, characterized in that the security computer further comprises:
a topology display unit, configured to display the access control relations between the network security groups in the system in the form of a topology diagram.
12. The security computer according to claim 11, characterized in that the topology display unit is specifically configured to display, in the topology diagram, the access control relations between network security groups using the unique identifiers of the network security groups and the graphics connected between them that mark access, accessed-by or mutual-access relations, and to gather multiple network security groups that have interleaved access control relations into a cluster.
13. The security computer according to claim 9, characterized in that the security computer further comprises:
a security group creating unit, configured to receive a security group creation instruction and create a new network security group according to the security group creation instruction;
a security group filtering unit, configured to filter out the other network security groups with which the created or selected network security group needs to establish an access control relation.
14. The security computer according to claim 9, characterized in that the security computer further comprises:
an access relation deleting unit, configured to receive a deletion instruction for an access control relation input by the user through the human-computer interaction interface and to delete, according to the deletion instruction, the access control relation between the network security groups specified by it;
wherein the user inputs the deletion instruction for the access control relation through the human-computer interaction interface as follows: the user selects, in the topology diagram, the graphic used to mark an access, accessed-by or mutual-access relation between network security groups and right-clicks on it to input the deletion instruction, and the network security groups specified by the deletion instruction are the network security groups connected by that graphic.
15. The security computer according to claim 9, characterized in that the security computer further comprises:
an IP grant unit, configured to receive an IP-granted access adding instruction input by the user for a selected network security group, the IP-granted access adding instruction comprising an IP range, a start port and an end port, and to add, to each virtual machine in the selected network security group, a rule allowing the network segment within the IP range to access the virtual machine on the ports from the start port to the end port.
Application CN201310066392.7A (priority date 2013-02-28, filing date 2013-02-28): Access control method of network security group and security computer, granted as CN103164647B (status: active).


Publications (2)
CN103164647A, published 2013-06-19
CN103164647B, published 2016-03-30

Family

ID=48587726

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310066392.7A Active CN103164647B (en) 2013-02-28 2013-02-28 Access control method of network security group and security computer

Country Status (1)

Country Link
CN (1) CN103164647B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103368862B (en) * 2013-06-21 2015-01-21 北京京东尚科信息技术有限公司 Load balance dispatching method and load balance dispatching device
CN105989296B (en) * 2015-01-27 2019-03-19 华为技术有限公司 The method and apparatus for controlling application access
EP3522460B1 (en) * 2016-03-09 2021-12-01 Huawei Technologies Co., Ltd. Flow table processing method and apparatus
CN111224922A (en) * 2018-11-26 2020-06-02 顺丰科技有限公司 Distributed security group module access control method and system
CN110233837A (en) * 2019-06-06 2019-09-13 上海思询信息科技有限公司 One kind being based on cloud platform user network safeguard construction
CN112003877B (en) * 2020-09-03 2023-04-18 度小满科技(北京)有限公司 Network isolation method and device, electronic equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101136778A (en) * 2006-08-02 2008-03-05 美国凹凸微系有限公司 Policy based vpn configuration for firewall/vpn security gateway appliance
CN102855135A (en) * 2012-04-23 2013-01-02 苏州大学 Graphical component-based sensing network development platform and method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007318514A (en) * 2006-05-26 2007-12-06 Sony Corp Information processor, processing method and program

Also Published As

Publication number Publication date
CN103164647A (en) 2013-06-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20170519

Address after: 510640 Guangdong City, Tianhe District Province, No. five, road, public education building, unit 371-1, unit 2401

Patentee after: Guangdong Gaohang Intellectual Property Operation Co., Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: Huawei Technologies Co., Ltd.

CB03 Change of inventor or designer information

Inventor after: Yan Dongmei

Inventor before: Pan Jianmin

Inventor before: Li Li

TR01 Transfer of patent right

Effective date of registration: 20170914

Address after: Peace Street South 034000 Shanxi province Xinzhou Xinfu District two lane 26 No. three unit three floor West

Patentee after: Yan Dongmei

Address before: 510640 Guangdong City, Tianhe District Province, No. five, road, public education building, unit 371-1, unit 2401

Patentee before: Guangdong Gaohang Intellectual Property Operation Co., Ltd.

CP02 Change in the address of a patent holder

Address after: 541199 Lingui County, Guilin, Lingui County, Lingui Town, Xinglin Road, No. 1, unit 202, Room 202

Patentee after: Yan Dongmei

Address before: Peace Street South 034000 Shanxi province Xinzhou Xinfu District two lane 26 No. three unit three floor West

Patentee before: Yan Dongmei

TR01 Transfer of patent right

Effective date of registration: 20180808

Address after: 510000 A5, building 48-50, Jianzhong Road, Tianhe District, Guangzhou, Guangdong (for office use only)

Patentee after: Guangzhou Jia Chen Mdt InfoTech Ltd

Address before: 541199 room 2, unit 8, Xinglin Road, Lingui Town, Lingui, the Guangxi Zhuang Autonomous Region, 202, Guilin, 202

Patentee before: Yan Dongmei

TR01 Transfer of patent right

Effective date of registration: 20190926

Address after: 233000 Xianghe Home Floor No.9, Xinhuai Road, Dongsheng Street, Longzihu District, Bengbu City, Anhui Province

Patentee after: Bengbu Qibang Science and Technology Information Consulting Co., Ltd.

Address before: 510000 A5, building 48-50, Jianzhong Road, Tianhe District, Guangzhou, Guangdong (for office use only)

Patentee before: Guangzhou Jia Chen Mdt InfoTech Ltd

TR01 Transfer of patent right

Effective date of registration: 20210528

Address after: 210000 Gulou District and 63 Yanlu Road, Nanjing, Jiangsu Province

Patentee after: Nanjing Huirong Electric System Co.,Ltd.

Address before: 233000 No.9, 1st floor, Xianghe Jiayuan, Xinhuai Road, Dongsheng Street, Longzihu District, Bengbu City, Anhui Province

Patentee before: Bengbu Qibang Science and Technology Information Consulting Co.,Ltd.

CP01 Change in the name or title of a patent holder

Address after: 210000 Gulou District and 63 Yanlu Road, Nanjing, Jiangsu Province

Patentee after: Nanjing Huirong Information Technology Co.,Ltd.

Address before: 210000 Gulou District and 63 Yanlu Road, Nanjing, Jiangsu Province

Patentee before: Nanjing Huirong Electric System Co.,Ltd.
