CN104580225A - Cloud platform safety protection encryption device and method - Google Patents

Publication number: CN104580225A
Authority: CN (China)
Prior art keywords: module, cloud platform, uri, load, safety protection
Legal status: Granted (assumed; not a legal conclusion)
Application number: CN201510019487.2A
Other languages: Chinese (zh)
Other versions: CN104580225B (en)
Inventors: 李友佳, 史波良, 魏世凯
Current assignee: NANJING FIBERHOME INFORMATION DEVELOPMENT Co Ltd
Original assignee: NANJING FIBERHOME INFORMATION DEVELOPMENT Co Ltd
Application filed by: NANJING FIBERHOME INFORMATION DEVELOPMENT Co Ltd
Priority to: CN201510019487.2A
Publication of: CN104580225A; application granted and published as CN104580225B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

The invention discloses a cloud platform safety protection encryption device. The device comprises a WEB server configuration module, a safety protection control and NAT module, an enhanced protection strategy module, a URI access control module, a certificate signing and issuing module, a load balancing module, a load distribution module and a log audit module. The independent certificate signing and issuing module provides an autonomous CA certificate issuing suite, so that, while the basic protective restriction functions are guaranteed, several sets of identical or different real services can be connected as required to one virtual service facing the Internet, and an optional configuration of several virtual services can meet the service requirements of a larger cloud platform. The safety of WEB services provided externally is further guaranteed by WEB access restrictions based on the enhanced protection module and on the URI. In the docking between the internal and external sides, the device uses complete SSL-encrypted seamless connections, so the safety level is further improved.

Description

Cloud platform safety protection encryption device and method
Technical field
The invention discloses a cloud platform safety protection encryption device and relates to the field of computer network security technology.
Background technology
In the Internet era, use of the Internet is ever more widespread, and management of Internet-based cloud platform environments has become a focus of every large enterprise; security is the most important concern among them, and fully safeguarding the security of the cloud platform is a necessary task for every large enterprise.
To ensure the security of cloud platforms, a great many software and hardware products are on the market: firewalls, intrusion prevention systems, AAA systems and other kinds of security protection equipment have sprung up like mushrooms after rain, and they can indeed guarantee cluster security to a certain extent. However, such products are expensive; their diverse functions make operation and configuration complex, so that the administrator of a given network often cannot complete the configuration independently; and, more importantly, different products protect different things (only security protection, only traffic monitoring, only virus detection, only attack detection, and so on), so they have considerable limitations.
In addition, such firewall equipment can fully achieve IP-based and port-based access control, but it is insufficient for security protection of HTTP-based WEB services; in many cases the actual WEB terminal configuration module can only complete WEB-layer security protection by itself as far as possible, and protection of WEB projects is not truly achieved in front of the real servers.
Although a cloud computing platform can have many hardware facilities as a guarantee, most of them can only guarantee externally enforced IP-based or port-based security restrictions, whereas vulnerabilities in the WEB services provided externally are now the most frequent source of Internet vulnerabilities; even a programmer with strong WEB security coding ability and outstanding security awareness cannot guarantee that WEB vulnerabilities are completely absent. At present the WEB services that a cloud platform provides externally mostly rely on NAT translation supplied by protection equipment, so different WEB projects have to provide several different sets of NAT mappings externally; the cluster thus exposes more attack targets, which is also a security awareness problem existing at this stage.
The WEB projects that currently provide services externally range from small ones such as ordinary forums (mhkc) to large ones such as real-name login systems for sensitive matters or online authentication systems; all of them involve logging in with a personal account and password, yet systems that can be accessed directly over https on the Internet are relatively few. This should put us on guard: under public network conditions, security awareness and protection are still very weak.
Summary of the invention
The technical problem to be solved by the invention is, in view of the defects of the prior art, to provide a cloud platform safety protection encryption device which, at low cost, provides centralised management of the cloud platform through a visual WEB interface for security protection control, provides HTTP-based strategy load balancing or load distribution configuration, and on that basis operates efficiently with SSL encryption. The invention both ensures access control for the cloud platform cluster and allows the actual WEB terminal configuration module to sit in a sufficiently secure LAN environment, while every docking link of the device is accessed in SSL-encrypted mode, further ensuring security. Moreover, more Internet-facing real WEB services can be docked to the device through the load balancing module or the load distribution module, which efficiently meets the practical business needs of the cloud platform while reducing exposed points as much as possible, with sufficient security protection and audit work carried out on the device.
To solve the above technical problem, the invention adopts the following technical scheme:
A cloud platform safety protection encryption device comprises a WEB service end configuration module, a security protection control and NAT module, an enhanced protection strategy module, a URI access control module, a certificate issuance module, a load balancing module, a load distribution module and a log audit module, wherein
the WEB terminal configuration module provides visual management configuration of the functions of the device;
the security protection control and NAT module provides the cloud platform with secure access control based on IP or port restriction and the NAT mapping function for the respective services;
the enhanced protection strategy module applies strategy protection to login attempts, failure counts, access frequency, number of access connections and access traffic, and makes log audit records of the client IP and access certificate information of accesses that violate the strategy;
the certificate issuance module provides certificate issuance for SSL-encrypted external access for all virtual servers implemented on the device;
the load balancing module shares load across different service units;
the load distribution module uses the URI as the load distribution strategy, dividing the Web load at the level of the accessed resource;
the URI access control module depends on the load balancing module and the load distribution module, and performs access control on each HTTP request within the mapping configured between the virtual services of the device and the actual WEB services;
the log audit module performs resource auditing and log analysis for the device.
As a further optimisation of the invention, the load balancing module is implemented by the ngx_http_upstream_module of the Nginx system; the implementation method comprises using the management WEB page to configure and display the correspondence between the virtual server to be implemented and the load balancing of the real servers, and selecting the load balancing strategy.
As a further optimisation of the invention, the load balancing strategy comprises built-in strategies and extended strategies, wherein the built-in strategies comprise round-robin (polling), weighted round-robin (WRR) and ip_hash, and the extended strategies comprise fair, general hash and consistent hash;
the load balancing module belongs to application-layer load balancing, and the functions it implements comprise:
(1) directing data traffic, according to the type of data flowing through, to the server that handles the corresponding content;
(2) directing a request, according to the type of connection request, to the corresponding service for processing;
(3) by inspecting the HTTP header, detecting HTTP 400, 500 and 600 series error messages and redirecting the connection request to another server, thereby avoiding application-layer failure.
As a further optimisation of the invention, the allocation strategy flow in the load distribution module is as follows:
Step 1: the management WEB page completes the configuration of each available real URI and its corresponding real server;
Step 2: a hash value is generated for each configured URI;
Step 3: the load distribution module checks whether the hash value exists in the allocation table LIST_A; if it exists it is ignored, if not it is added.
In the real services provided externally by the device, every HTTP request is forwarded to the corresponding back-end real server after processing by the load distribution module, during which the load distribution module compares and verifies the string hash value of the resource URI.
As a further optimisation of the invention, the access control flow in the URI access control module comprises:
Step 1: the user sends a resource request to the externally provided service of the device;
Step 2: the user's request is accepted by the WEB terminal configuration module and delivered to the load divider in the WEB terminal configuration module;
Step 3: the load divider first generates a hash value for the requested URI;
Step 4: the load divider checks whether the hash value exists in the allocation table LIST_A; if it exists, the real server corresponding to the hash value is looked up quickly in LIST_A; if it does not exist, the load distribution module passes the resource URI and the requesting client IP address to the URI access control module for processing;
Step 5: the URI access control module records the times at which this client requests the URI; when the set threshold is exceeded, the client IP is passed to the security protection control and NAT module for access restriction processing, and a log audit record is made.
As a further optimisation of the invention, the security protection control and NAT module integrates security protection software.
As a further optimisation of the invention, the security protection software is independently developed firewall software based on ACL technology or the open-source software firewall IPTABLES.
As a further optimisation of the invention, a security strategy is also provided in the enhanced protection strategy module, specifically: in the mapping mode between the virtual service and the real service, the access connection mode is selected according to actual requirements.
As a further optimisation of the invention, the access connection mode comprises long connection, short connection and custom connection.
As a further optimisation of the invention, certificate issuance in the certificate issuance module is based on the PKCS#11 standard interface and has an independent CA certificate, server certificate and client certificate, or imports a third-party CA certificate.
Compared with the prior art, the invention, by adopting the above technical scheme, has the following technical effects: the invention uses an independent certificate issuance module to provide an autonomous CA certificate issuing suite, which, beyond guaranteeing the basic protection restriction functions, raises the security of the WEB terminal configuration module to a new level; at the same time, several sets of identical or different real services can be mapped as required to one virtual service facing the Internet, and the optional configuration of several sets of virtual services can meet the business needs of a larger cloud platform. Finally, the security of the WEB services provided externally is further ensured by the enhanced protection module and by URI-based WEB access restriction. In the docking between the internal and external sides, the device uses complete SSL-encrypted seamless connections, further raising the security level.
Brief description of the drawings
Fig. 1 is the overall module design diagram of the device in the invention.
Fig. 2 is the main system structure diagram of the device in the invention.
Fig. 3 is the schematic diagram of the URI-based load divider scheme in the invention.
Fig. 4 is the security protection shell model diagram of the device.
Detailed description
Embodiments of the invention are described in detail below; examples of the embodiments are shown in the drawings, in which the same or similar reference labels throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the invention, and are not to be construed as limiting it.
The technical scheme of the invention is described in further detail below in conjunction with the drawings:
In the invention, the overall module design diagram of the device is shown in Fig. 1. The security protection encryption device of the cloud platform comprises the WEB terminal configuration module, the security protection control and NAT module, the certificate issuance module, the enhanced protection strategy module, the load balancing module, the load distribution module, the URI access control module and the log audit module.
The page functions of the WEB service end comprise: setting the operating mode of the device (gateway mode or non-gateway mode); configuring and managing virtual services and several sets of real services; configuring security protection strategies and NAT mapping strategies; optionally adding a load balancing or load distribution strategy; downloading openssl certificates; configuring URI-based WEB access control policies; and visual configuration and operations such as editing and authorising administrator accounts.
The security protection control and NAT module is the open interface formed by integrating the IPTABLES software with the corresponding modules; protection rules and NAT strategies are configured by the WEB terminal, which directly calls the open interface to pass the strategy parameters for dynamic loading so that they take effect. The certificate issuance module is an independent shell script that issues the CA and the other certificates of the suite according to the configuration parameters from the WEB terminal and provides download links through the WEB terminal. The enhanced protection strategy module and the URI access control module both run on top of the load balancing and load distribution functions; only after the correspondence between the virtual services of the device and the real service groups has been configured can these two functions be selected to take effect.
The load balancing module and the load distribution module are the mapping means by which several sets of real services are loaded into a virtual service: when the several real services are the same service pattern, the load balancing module is selected for configuration; when the several real services are independent WEB service groups, the load distribution function is selected and one-to-one precise forwarding is completed according to the URI.
The main system structure diagram of the device in the invention is shown in Fig. 2:
According to the type of the cloud platform's web service bundle, either the load balancing function or the load distribution function is configured in the device: when the real servers are similar, load balancing mode is configured; otherwise load distribution mode is configured. Load distribution mode distinguishes the mapping relationships by the URI of the different services, for example:
https://192.168.1.1/server1 ---> https://192.168.1.10/server1
https://192.168.1.1/server2 ---> https://192.168.1.100/server2
https://192.168.1.1/server3 ---> https://192.168.1.200/server3
Several sets of virtual services are configured according to actual business requirements; the sets are independent of one another, and even the suite certificates issued in their configuration are independent. Each set of virtual services corresponds to a designated real service group and completes its one-to-many mapping on its own. Within each virtual service, the enhanced protection strategy and URI access control policy restrictions are optionally configured, each class of real service uses its own independent access restriction strategy, and each set of virtual services provides a unique access mode published on the Internet for client access. The flow of a user request is described as follows:
Step 1: the user's browser accesses the designated virtual service of the device through the specified URL;
Step 2: the enhanced protection strategy and the URI access control module in the virtual service perform dynamic matching and verification;
Step 3: if verification succeeds, the HTTP message is sent to the real service according to the load model between the virtual service and the real service and the designated strategy (such as round-robin, weighted round-robin, etc.); otherwise the request message is discarded, and a log audit record is made of messages that exceed the decision threshold.
The management WEB also runs independently and provides the administrator with an independent two-way SSL access mode, through which the administrator enters the device for maintenance and management. In short, the core of what the whole device system protects is the cloud centre cluster and the real service groups.
The schematic diagram of the URI-based load divider scheme in the invention is shown in Fig. 3; the concrete steps comprise:
Step 1: the user sends a resource request to the externally provided service of the device;
Step 2: the user's request is accepted by the WEB terminal configuration module and delivered to the load divider in the WEB terminal configuration module;
Step 3: the load divider first generates a hash value for the requested URI;
Step 4: the load divider checks whether the hash value exists in the allocation table LIST_A; if it exists, the real server corresponding to the hash value is looked up quickly in LIST_A; if it does not exist, the load distribution module passes the resource URI and the requesting client IP address to the URI access control module for processing;
Step 5: the URI access control module records the times at which this client requests the URI; if the same client has more than 15 access records within 5 minutes, the client IP is passed to the security protection control and NAT module mentioned in step 2 for access restriction processing, and a log audit record is made.
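The allocation strategy (hash each configured URI into LIST_A) and the URI access control flow above (look the request's hash up in LIST_A, and hand unknown URIs to a per-client counter that restricts a client with more than 15 records in 5 minutes) can be modelled in a few dozen lines. The Python below is an added example, not code from the patent or from the assignee: the hash function (SHA-256), the sample mapping, the representation of the "restrict access" action as a blocked set, and the audit record format are all assumptions.

```python
import hashlib
import time
from collections import defaultdict, deque

# Constructed configuration: available URI -> real server. The addresses are the ones used
# in the patent's own load distribution example; everything else here is assumed.
URI_TO_REAL_SERVER = {
    "/server1": "https://192.168.1.10/server1",
    "/server2": "https://192.168.1.100/server2",
    "/server3": "https://192.168.1.200/server3",
}

# Threshold quoted in step 5: more than 15 requests from one client within 5 minutes.
THRESHOLD_REQUESTS = 15
WINDOW_SECONDS = 5 * 60


def uri_hash(uri: str) -> str:
    """String hash of a resource URI. The patent does not name the hash; SHA-256 is an assumption."""
    return hashlib.sha256(uri.encode("utf-8")).hexdigest()


def build_allocation_table(mapping: dict) -> dict:
    """Steps 1-3 of the allocation strategy: hash every configured URI, add it to LIST_A if absent."""
    list_a = {}
    for uri, real_server in mapping.items():
        h = uri_hash(uri)
        if h in list_a:
            continue                      # hash already present: ignore
        list_a[h] = real_server
    return list_a


class UriAccessControl:
    """Records, per client IP, the times of requests for URIs that are not in LIST_A.
    A client that exceeds the threshold inside the window is handed to the security protection
    control and NAT module (modelled here as a blocked set) and an audit record is written."""

    def __init__(self, threshold: int = THRESHOLD_REQUESTS, window: int = WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(deque)   # client_ip -> request timestamps (seconds)
        self.blocked = set()
        self.audit_log = []

    def record(self, client_ip: str, uri: str, now: float) -> bool:
        q = self.history[client_ip]
        q.append(now)
        while q and now - q[0] > self.window:   # forget requests older than the window
            q.popleft()
        if len(q) > self.threshold and client_ip not in self.blocked:
            self.blocked.add(client_ip)
            self.audit_log.append(f"t={now:.0f} restrict client={client_ip} uri={uri} hits={len(q)}")
        return client_ip in self.blocked


class LoadDistributor:
    """Steps 3-5 of the access control flow for one request."""

    def __init__(self, list_a: dict, access_control: UriAccessControl):
        self.list_a = list_a
        self.access_control = access_control

    def dispatch(self, client_ip: str, uri: str, now: float = None):
        now = time.time() if now is None else now
        if client_ip in self.access_control.blocked:
            return ("restricted", None)
        h = uri_hash(uri)
        if h in self.list_a:                       # step 4: known URI, forward to its real server
            return ("forward", self.list_a[h])
        # unknown URI: pass URI and client IP to the URI access control module (step 5)
        if self.access_control.record(client_ip, uri, now):
            return ("restricted", None)
        return ("reject", None)


if __name__ == "__main__":
    dist = LoadDistributor(build_allocation_table(URI_TO_REAL_SERVER), UriAccessControl())
    print(dist.dispatch("10.0.0.5", "/server2", now=0))
    for t in range(16):                            # 16 unknown URIs inside 5 minutes from one client
        result = dist.dispatch("10.0.0.5", f"/probe{t}", now=t)
    print(result, dist.access_control.audit_log)
```

The sliding window is what makes the "15 in 5 minutes" rule meaningful: the deque drops timestamps older than the window before the count is compared, so a client that requests unknown URIs slowly never crosses the threshold, while once a client is restricted even its requests for known URIs stop being forwarded.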
The security protection shell model diagram of the device in the invention is shown in Fig. 4:
As a security protection encryption device applied to a cloud platform, security control is crucial, and the whole architecture of the device is made up of five protective layers:
First layer: SSL-based https encrypted access. HTTPS encrypted access here comprises users accessing the real business services provided externally by the device, and optionally also HTTPS-encrypted docking between the virtual services and the real services. The whole docking arrangement is as follows:
User client 1 ---> https://202.34.94.32:8443/server ---> https://192.168.1.10/server1
User client 2 ---> https://202.34.94.32:8443/server ---> https://192.168.1.100/server2
User client 3 ---> https://202.34.94.32:8443/server ---> https://192.168.1.200/server3
Second layer: the secure access control and NAT strategy layer, which is fully equivalent to ordinary firewall functionality. It integrates the complete rule-chain command set of the three default IPTABLES rule tables (filter, nat, mangle); protection rules are configured through the management WEB terminal, and the security protection control and NAT module completes dynamic loading so that they take effect.
Access control based on port and IP, for example:
iptables -I INPUT -s 202.34.113.12 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
Port forwarding sample rules:
iptables -t nat -A PREROUTING -d 219.239.11.22 -p tcp --dport 8080 -j DNAT --to-destination 192.168.0.21:80
iptables -t nat -A POSTROUTING -d 192.168.0.21 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.0.29
iptables -A FORWARD -o eth0 -d 192.168.0.21 -p tcp --dport 80 -j ACCEPT
These numerous and complex command sets are dynamically loaded and brought into effect by the security protection control and NAT module; the visual configuration provided by the WEB terminal is as follows:
NAT translation rule:
Translation type | source zone/source port/source IP | source service | destination zone/destination port/destination IP | destination service
Example: destination translation | eth1/219.239.11.22 | HTTP (8080) | eth0/192.168.0.21 | HTTP (80)
Access control rule:
Source zone/source port/source IP | destination zone/destination port/destination IP | destination service | policy
Example: eth1/219.239.11.22 | eth0/192.168.0.21 | HTTP (80) | ACCEPT
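The visual rows above are turned into the iptables command lines shown earlier by the security protection control and NAT module. The Python below is an added example of that translation, not code from the patent or its assignee; the column order, the "destination" translation type, the service catalogue (HTTP/HTTPS on TCP) and the accepted policies are assumptions. Because every field originates in a management web page and ends up on a shell-style command line, each field is validated against a strict pattern and the policy column is checked against an allow-list before a command is produced.

```python
import re

# Strict patterns for fields that come from the management WEB page; anything that
# does not match is rejected before it can reach an iptables command line.
IFACE_RE = re.compile(r"^[a-z][a-z0-9]{0,14}$")
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
SERVICE_RE = re.compile(r"^([A-Za-z]+)(?:\s*\((\d{1,5})\))?$")

DEFAULT_PORTS = {"HTTP": 80, "HTTPS": 443}    # hypothetical service catalogue
ALLOWED_POLICIES = {"ACCEPT", "DROP"}         # allow-listed targets for the policy column


def parse_endpoint(text: str):
    """'eth1/219.239.11.22' -> ('eth1', '219.239.11.22')."""
    iface, _, ip = text.strip().partition("/")
    if not IFACE_RE.match(iface) or not IPV4_RE.match(ip):
        raise ValueError(f"bad endpoint: {text!r}")
    return iface, ip


def parse_service(text: str):
    """'HTTP (8080)' -> ('tcp', 8080); 'HTTPS' -> ('tcp', 443)."""
    m = SERVICE_RE.match(text.strip())
    if not m or m.group(1).upper() not in DEFAULT_PORTS:
        raise ValueError(f"bad service: {text!r}")
    port = int(m.group(2)) if m.group(2) else DEFAULT_PORTS[m.group(1).upper()]
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port in {text!r}")
    return "tcp", port                            # the catalogue holds TCP services only


def nat_rule_to_iptables(row: str):
    """NAT translation rule row:
    translation type | source zone/IP | source service | destination zone/IP | destination service
    Returns the DNAT rule plus the FORWARD rule that admits the translated traffic."""
    cells = [c.strip() for c in row.split("|")]
    if len(cells) != 5:
        raise ValueError("NAT rule needs 5 columns")
    kind, src, src_svc, dst, dst_svc = cells
    if not kind.lower().startswith("destination"):
        raise ValueError(f"unsupported translation type: {kind!r}")
    _, src_ip = parse_endpoint(src)
    dst_if, dst_ip = parse_endpoint(dst)
    proto, src_port = parse_service(src_svc)
    _, dst_port = parse_service(dst_svc)
    return [
        f"iptables -t nat -A PREROUTING -d {src_ip} -p {proto} --dport {src_port} "
        f"-j DNAT --to-destination {dst_ip}:{dst_port}",
        f"iptables -A FORWARD -o {dst_if} -d {dst_ip} -p {proto} --dport {dst_port} -j ACCEPT",
    ]


def acl_rule_to_iptables(row: str) -> str:
    """Access control rule row:
    source zone/IP | destination zone/IP | destination service | policy
    The source column names the public address the request arrives on, so only its interface
    is matched (as in the page's own FORWARD rule), not the address as a packet source."""
    cells = [c.strip() for c in row.split("|")]
    if len(cells) != 4:
        raise ValueError("ACL rule needs 4 columns")
    src, dst, dst_svc, policy = cells
    policy = policy.upper()
    if policy not in ALLOWED_POLICIES:
        raise ValueError(f"policy must be one of {sorted(ALLOWED_POLICIES)}")
    src_if, _ = parse_endpoint(src)
    dst_if, dst_ip = parse_endpoint(dst)
    proto, dst_port = parse_service(dst_svc)
    return (f"iptables -A FORWARD -i {src_if} -o {dst_if} -d {dst_ip} -p {proto} "
            f"--dport {dst_port} -j {policy}")


if __name__ == "__main__":
    for cmd in nat_rule_to_iptables(
            "destination translation | eth1/219.239.11.22 | HTTP (8080) | eth0/192.168.0.21 | HTTP (80)"):
        print(cmd)
    print(acl_rule_to_iptables("eth1/219.239.11.22 | eth0/192.168.0.21 | HTTP (80) | ACCEPT"))
```

The page's port-forwarding example also carries a POSTROUTING SNAT rule with a separate source address (192.168.0.29); that address is not a column of the visual row, so the translator above does not emit it.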
The third layer (the enhanced access control layer, "MAC layer") and the fourth layer (the URI access control layer) are implemented in the configuration of each set of virtual services docked to a real service group, and can load a matching protection strategy for each HTTP request. The enhanced access control layer applies strategy protection to login attempt failure counts (system-level login attempt counts), access frequency control, access connection count control and access traffic control; it makes log audit records of the client IP and access certificate information of accesses that exceed the set thresholds, and can additionally set the connection mode. The URI access control layer filters and audits illegal URIs according to the legal URIs allowed by the pre-configuration.
The fifth layer is the key business layer in which the device implements protection of the actual WEB services; it relies on the integrated and extended Nginx function modules to carry the load of the virtual services and the several sets of real services. Specific embodiments are as follows:
Load balancing example:
First set of virtual services:
Virtual Service 1: https://202.34.94.32:9443/index.php ---> https://192.168.1.10/index.php
Virtual Service 1: https://202.34.94.32:9443/index.php ---> https://192.168.1.11/index.php
Virtual Service 1: https://202.34.94.32:9443/index.php ---> https://192.168.1.12/index.php
Second set of virtual services:
Virtual Service 2: https://202.34.94.32:10443/default.php ---> https://192.168.10.10/default.php
Virtual Service 2: https://202.34.94.32:10443/default.php ---> https://192.168.10.11/default.php
Virtual Service 3: https://202.34.94.32:10443/default.php ---> https://192.168.10.12/default.php
Load distribution example:
Virtual Service 3: https://202.34.94.32:8443/web1.php ---> https://192.168.100.10/web1.php
Virtual Service 3: https://202.34.94.32:8443/web2.php ---> https://192.168.100.11/web2.php
Virtual Service 3: https://202.34.94.32:8443/web3.php ---> https://192.168.100.12/web3.php
The embodiments of the invention have been explained in detail above with reference to the drawings, but the invention is not limited to the above embodiments; within the knowledge possessed by those of ordinary skill in the art, various changes can also be made without departing from the inventive concept. The above is only a preferred embodiment of the invention and does not restrict the invention in any form; although the invention is disclosed above with a preferred embodiment, this is not intended to limit it. Any person skilled in the art may, without departing from the scope of the technical scheme of the invention, use the technical content disclosed above to make minor changes or modifications into equivalent embodiments of equivalent variation; any simple modification, equivalent replacement or improvement made to the above embodiments according to the technical spirit of the invention, within its spirit and principles and without departing from the content of its technical scheme, still falls within the protection scope of the technical scheme of the invention.
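The two embodiments above differ in how they are expressed as ngx_http_upstream_module configuration: the load balancing case (one public URL, several identical real servers) becomes an upstream group with a built-in strategy such as ip_hash or weighted round-robin, while the load distribution case (one virtual service, one distinct real server per URI) becomes one exact-match location per URI with no upstream group. The Python below renders both from the mapping lines in the patent's own notation; it is an added example, not code from the patent or its assignee, and the upstream names, certificate paths, the 404 catch-all for unlisted URIs and the choice of proxy_next_upstream conditions for the "redirect on error" function are assumptions.

```python
from urllib.parse import urlparse

# Constructed from the patent's embodiment: each line maps a public virtual-service URL to a real server.
VIRTUAL_SERVICE_1 = [
    "https://202.34.94.32:9443/index.php--->https://192.168.1.10/index.php",
    "https://202.34.94.32:9443/index.php--->https://192.168.1.11/index.php",
    "https://202.34.94.32:9443/index.php--->https://192.168.1.12/index.php",
]
VIRTUAL_SERVICE_3 = [
    "https://202.34.94.32:8443/web1.php--->https://192.168.100.10/web1.php",
    "https://202.34.94.32:8443/web2.php--->https://192.168.100.11/web2.php",
    "https://202.34.94.32:8443/web3.php--->https://192.168.100.12/web3.php",
]

BUILTIN_STRATEGIES = {"round_robin", "weighted", "ip_hash"}   # built-in strategies named on the page


def parse_mapping(line: str):
    """'https://A:P/path--->https://B/path' -> (public netloc, public path, real host:port, real path)."""
    public, _, real = line.partition("--->")
    pu, ru = urlparse(public.strip()), urlparse(real.strip())
    if pu.scheme != "https" or ru.scheme != "https":
        raise ValueError("both sides of a mapping must be https (first protective layer)")
    real_hostport = ru.netloc if ":" in ru.netloc else f"{ru.netloc}:443"
    return pu.netloc, pu.path, real_hostport, ru.path


def render_load_balancing(name: str, lines, strategy: str = "round_robin", weights=None) -> str:
    """Several identical real servers behind one public URL: an upstream group plus one location."""
    if strategy not in BUILTIN_STRATEGIES:
        raise ValueError(f"unknown strategy {strategy!r}")
    mappings = [parse_mapping(l) for l in lines]
    listen = {m[0] for m in mappings}
    path = {m[1] for m in mappings}
    if len(listen) != 1 or len(path) != 1:
        raise ValueError("load balancing needs one public URL mapped to several real servers")
    weights = weights or {}
    out = [f"upstream {name} {{"]
    if strategy == "ip_hash":
        out.append("    ip_hash;")
    for _, _, real, _ in mappings:
        w = f" weight={weights[real]}" if strategy == "weighted" and real in weights else ""
        out.append(f"    server {real}{w};")
    out.append("}")
    out += [
        "server {",
        f"    listen {listen.pop()} ssl;",
        f"    ssl_certificate     /etc/device/{name}.crt;    # placeholder path (certificate issuance module)",
        f"    ssl_certificate_key /etc/device/{name}.key;    # placeholder path",
        f"    location = {path.pop()} {{",
        f"        proxy_pass https://{name};",
        "        # function (3): on a back-end error, move the request to another server in the group",
        "        proxy_next_upstream error timeout http_500 http_502 http_503 http_504;",
        "    }",
        "}",
    ]
    return "\n".join(out)


def render_load_distribution(name: str, lines) -> str:
    """Independent real servers behind one virtual service: an exact-match location per URI."""
    mappings = [parse_mapping(l) for l in lines]
    listen = {m[0] for m in mappings}
    if len(listen) != 1:
        raise ValueError("one virtual service listens on one address")
    out = [
        "server {",
        f"    listen {listen.pop()} ssl;",
        f"    ssl_certificate     /etc/device/{name}.crt;    # placeholder path",
        f"    ssl_certificate_key /etc/device/{name}.key;    # placeholder path",
    ]
    for _, path, real, real_path in mappings:
        out += [f"    location = {path} {{", f"        proxy_pass https://{real}{real_path};", "    }"]
    out += ["    location / { return 404; }    # URIs outside the allocation table are not forwarded", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_load_balancing("vs1", VIRTUAL_SERVICE_1, strategy="ip_hash"))
    print(render_load_distribution("vs3", VIRTUAL_SERVICE_3))
```

The rendering refuses a load balancing request whose lines map more than one public path, which is exactly the case that belongs in load distribution; that check mirrors the page's rule that load balancing is chosen when the real servers are similar and load distribution otherwise.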

Claims (10)

1. a cloud platform safety protection encryption device, it is characterized in that: comprise WEB service end configuration module, security protection controls and NAT module, enhancement mode prevention policies module, URI access control module, certificate issuance module, load balancing module, load distribution module and log audit module, wherein
Described WEB terminal configuration module, in order to carry out visualized management configuration to the function of device;
Described security protection controls and NAT module, in order to provide cloud platform based on IP or the safe access control of port restriction and the NAT mapping function of respective service;
Described enhancement mode prevention policies module, in order to log in trial, the frequency of failure controls, access frequency controls, access linking number controls and carry out strategy protection in flowing of access control, and carries out log audit record to violating access client IP, the access certificate information that strategy protects;
Described certificate issuance module, externally provides the certificate issuance of SSL encrypted access in order to virtual servers all on implement device;
Described load balancing module, in order to share different service units by load;
Described load distribution module, in order to the strategy distributed as load by URI, in the aspect of access resources to the division of Web load;
Described URI access control module depends on load balancing module and load distribution module, in configuring in the Virtual Service of device and the mapping of actual WEB service, to the access control of each HTTP request;
Described log audit module, in order to resource audit and the log analysis of implement device.
2. a kind of cloud platform safety protection encryption device as claimed in claim 1, it is characterized in that: described load balancing module is realized by the ngx_http_upstream_module module in Nginx system, the method realized comprises operational administrative WEB page and configures that virtual server to be achieved is corresponding with the load balancing of real server to be shown, and selection load balancing.
3. a kind of cloud platform safety protection encryption device as claimed in claim 2, it is characterized in that: described load balancing comprises built-in strategy and expanding policy, wherein, described built-in strategy comprises poll, WRR and ip_hash; Described expanding policy comprises fair, general hash and consistent hash;
Described load balancing module belongs to the load balancing of application layer, and the function of realization comprises:
(1) server that data traffic is guided into corresponding contents by the data type that basis flows through processes;
(2), guide request accordingly into corresponding service according to the type of connection request to carry out processing;
(3), by the inspection to http header, detect the error message of HTTP 400,500 and 600 series, connection request is redirected to another station server, avoid application layer fault.
4. The cloud platform safety protection encryption device of claim 1, wherein the allocation policy in the load distribution module proceeds as follows:
Step 1: on the management Web page, configure the correspondence between each actual available URI and its real server;
Step 2: generate a hash value for each configured URI;
Step 3: the load distribution module checks whether the hash value already exists in the allocation table LIST_A; if it exists, it is ignored; if not, it is added;
In the actual services that the device provides externally, every HTTP request is forwarded to the corresponding back-end real server only after being processed by the load distribution module, during which the load distribution module compares and verifies the string hash value of the resource URI.
5. The cloud platform safety protection encryption device of claim 1, wherein the access control flow in the URI access control module comprises:
Step 1: a user sends a resource request to the service the device exposes externally;
Step 2: the user's request is accepted by the Web terminal configuration module and delivered to the load distributor within the Web terminal configuration module;
Step 3: the load distributor first generates a hash value for the requested URI;
Step 4: the load distributor checks whether the hash value exists in the allocation table LIST_A; if it exists, the real server corresponding to that hash value is looked up directly in LIST_A; if it does not exist, the load distribution module passes the resource URI and the requesting client's IP address to the URI access control module for processing;
Step 5: the URI access control module records the number of times this client has requested the URI; when that count exceeds the configured threshold, the client IP is passed to the security protection control and NAT module for access restriction, and the event is written to the log audit.
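The allocation table of claim 4 and the per-client miss counting of claim 5 together form one small dispatcher. The following is an added example written for this page, not the patent holder's code: LIST_A is a dict from URI hash to real server, configure() implements steps 1 to 3 of claim 4, and dispatch() implements steps 3 to 5 of claim 5, returning the real server for a known URI and otherwise counting the miss per (client IP, URI) and restricting the client once the threshold is exceeded. The patent names neither the hash function nor what part of the URI is hashed; SHA-256 over the path component is assumed here so that a query string does not turn a configured resource into an unknown one. The audit_log list and the restricted set stand in for the log audit module and the security protection control and NAT module, which are not modelled.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit


def uri_hash(uri: str) -> str:
    """Claim 4 step 2: string hash of a URI. SHA-256 over the path component
    is an assumption; the patent does not specify the function or the input."""
    return hashlib.sha256(urlsplit(uri).path.encode("utf-8")).hexdigest()


class LoadDistributor:
    """Load distribution (claim 4) plus URI access control (claim 5)."""

    def __init__(self, threshold: int):
        self.list_a = {}                 # LIST_A: uri hash -> real server
        self.threshold = threshold       # allowed requests for unknown URIs per client
        self.misses = defaultdict(int)   # (client_ip, uri) -> request count
        self.restricted = set()          # client IPs handed to the protection/NAT module
        self.audit_log = []              # stand-in for the log audit module

    def configure(self, uri: str, real_server: str) -> bool:
        """Claim 4 steps 1-3: add a URI -> real server mapping to LIST_A.
        A hash already present is ignored. Returns True if the entry was added."""
        h = uri_hash(uri)
        if h in self.list_a:
            return False
        self.list_a[h] = real_server
        return True

    def dispatch(self, client_ip: str, uri: str):
        """Claim 5 steps 3-5. Returns the real server to forward to, or None
        when the request is not forwarded (unknown URI or restricted client)."""
        if client_ip in self.restricted:
            self.audit_log.append(f"DROP client={client_ip} uri={uri} reason=restricted")
            return None
        server = self.list_a.get(uri_hash(uri))
        if server is not None:
            return server
        # Step 4, miss: the URI and client IP go to URI access control.
        count = self.misses[(client_ip, uri)] + 1
        self.misses[(client_ip, uri)] = count
        if count > self.threshold:
            # Step 5: over threshold -> security protection control / NAT
            # module restricts the client; record it for the log audit.
            self.restricted.add(client_ip)
            self.audit_log.append(f"RESTRICT client={client_ip} uri={uri} count={count}")
        else:
            self.audit_log.append(f"MISS client={client_ip} uri={uri} count={count}")
        return None
```

Two caveats a practitioner would add before deploying this logic. Counting per (client, URI), which is what claim 5 literally describes, never trips for a scanner that requests a different unknown path each time; a per-client counter (or both) is the usual choice. And because misses is keyed on attacker-chosen strings, it grows without bound unless entries are expired or bounded, which is a memory exhaustion risk on the device itself.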
6. The cloud platform safety protection encryption device of claim 1, wherein the security protection control and NAT module integrates protection software.
7. The cloud platform safety protection encryption device of claim 6, wherein the protection software is independently developed firewall software based on ACL technology, or the open-source software firewall iptables.
8. The cloud platform safety protection encryption device of claim 1, wherein the enhanced prevention policy module is further provided with a security policy, namely: in the mapping mode between virtual services and actual services, the access connection mode is selected according to actual requirements.
9. The cloud platform safety protection encryption device of claim 8, wherein the access connection modes comprise long (persistent) connections, short connections and custom connections.
10. The cloud platform safety protection encryption device of claim 1, wherein the certificate issuance module issues certificates through the PKCS#11 standard interface, and either holds its own independent CA certificate, server certificate and client certificate, or imports a third-party CA certificate.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510019487.2A CN104580225B (en) 2015-01-14 2015-01-14 A kind of cloud platform security protection encryption device and method

Publications (2)

Publication Number Publication Date
CN104580225A true CN104580225A (en) 2015-04-29
CN104580225B CN104580225B (en) 2017-11-03

Family

ID=53095405

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510019487.2A Active CN104580225B (en) 2015-01-14 2015-01-14 A kind of cloud platform security protection encryption device and method

Country Status (1)

Country Link
CN (1) CN104580225B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697397A (en) * 2004-05-13 2005-11-16 华为技术有限公司 Method for defending network devices against attacks
US7392391B2 (en) * 2001-11-01 2008-06-24 International Business Machines Corporation System and method for secure configuration of sensitive web services
CN102111349A (en) * 2009-12-25 2011-06-29 上海格尔软件股份有限公司 Security certificate gateway
CN102244664A (en) * 2011-08-29 2011-11-16 浙江中烟工业有限责任公司 Multistage interconnection safety management centre subsystem of multistage safety interconnection platform
US8201252B2 (en) * 2002-09-03 2012-06-12 Alcatel Lucent Methods and devices for providing distributed, adaptive IP filtering against distributed denial of service attacks
CN103368973A (en) * 2013-07-25 2013-10-23 浪潮(北京)电子信息产业有限公司 Safety system for cloud operating system
CN103685329A (en) * 2012-08-30 2014-03-26 华耀(中国)科技有限公司 System and method for advanced access control based on load balance
CN104023033A (en) * 2014-06-24 2014-09-03 浪潮电子信息产业股份有限公司 Safety production method for cloud services

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
袁林, 高夏生, 赵田红 (Yuan Lin, Gao Xiasheng, Zhao Tianhong): "Functions and implementation of the Anhui Electric Power dispatching intranet security monitoring platform" (安徽电力调度内网安全监控平台功能与实施), Proceedings of the 2013 Power Industry Informatization Annual Conference (2013电力行业信息化年会论文集) *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105262760A (en) * 2015-10-30 2016-01-20 北京奇虎科技有限公司 Method and device for preventing malicious access to login/registration interfaces
CN108023860A (en) * 2016-11-03 2018-05-11 中国电信股份有限公司 Protection method and system for Web applications, and Web application firewall
CN109981531A (en) * 2017-12-27 2019-07-05 航天信息股份有限公司 Tax extranet secure access method and system based on tax digital certificates
CN109391693A (en) * 2018-10-24 2019-02-26 国云科技股份有限公司 Method for a bastion host to support auditing of Web applications
CN109257449A (en) * 2018-11-22 2019-01-22 四川长虹电器股份有限公司 Method for URI-based Web load distribution in Nginx
CN110855796A (en) * 2019-11-22 2020-02-28 北京浪潮数据技术有限公司 Cloud platform Web protection method, system, device and computer medium
CN115334136A (en) * 2022-07-05 2022-11-11 北京天融信网络安全技术有限公司 Connection aging control method, system, device and storage medium
CN115334136B (en) * 2022-07-05 2024-02-02 北京天融信网络安全技术有限公司 Connection aging control method, system, device and storage medium

Also Published As

Publication number Publication date
CN104580225B (en) 2017-11-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant