CN105791311A - Security protection method and device for cloud platform firewall - Google Patents
Security protection method and device for cloud platform firewall
Publication number: CN105791311A (application CN201610236924.0A)
Authority: CN (China)
Prior art keywords: cloud platform, virtual machine, address, predetermined period, address group
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC, all under H04L63/00, network architectures or network communication protocols for network security)
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL (H04L63/02 firewalls, separating internal from external traffic; H04L63/0227 filtering policies)
- H04L63/0272: Virtual private networks (H04L63/02 firewalls)
- H04L63/0815: Authentication of entities providing single-sign-on or federations (H04L63/08 authentication of entities)
- H04L63/20: Managing network security; network security policies in general
Abstract
The invention relates to a security protection method and a security protection device for a cloud platform firewall. The method comprises the steps of: sending a login authentication request to a cloud platform according to configuration information of the cloud platform; after receiving feedback that login authentication succeeded, acquiring virtual machine information for the virtual machines in the cloud platform according to a preset period; in each preset period, filtering the virtual machine information acquired in that period according to a virtual machine parameter matching condition, and obtaining the IP addresses of the virtual machines in the cloud platform in that period; updating the IP addresses in a dynamic address group when the IP addresses obtained in the current period are judged to differ from the IP addresses obtained by filtering in the previous period and stored in the dynamic address group; and adjusting an access control list or a security policy according to the updated IP addresses in the dynamic address group. The method and device do not require manual modification of IP addresses, can adapt to the network changes caused by address changes of virtual machines in the cloud platform, and increase the efficiency of network security protection.
Description
Technical field
The present invention relates to the technical field of network operations, and in particular to a security protection method and device for a cloud platform firewall.
Background technology
At present, cloud computing is developing very rapidly, and with that development the security protection of cloud platforms also needs attention. However, traditional firewall protection methods cannot fully meet the needs of a cloud platform. A traditional firewall performs protection for fixed IP addresses, IP network segments or address groups, whereas in a cloud platform the addresses of virtual machines change frequently, and every network change in the cloud platform requires IP addresses to be modified manually. Security maintenance with a traditional firewall protection method is therefore inflexible, requires a large amount of manpower, and has low working efficiency.
Summary of the invention
In view of the above disadvantages, the present invention provides a security protection method and device for a cloud platform firewall which do not require manual modification of IP addresses, can adapt to the network changes brought about by address changes of virtual machines in the cloud platform, and improve the efficiency of network security protection.
In a first aspect, the security protection method for a cloud platform firewall provided by the invention includes:
sending a login authentication request to the cloud platform according to configuration information of the cloud platform;
after receiving feedback that login authentication succeeded, acquiring the virtual machine information of each virtual machine in the cloud platform according to a predetermined period;
in each predetermined period, filtering the virtual machine information acquired in that period according to a virtual machine parameter matching condition, to obtain the IP addresses of the virtual machines in the cloud platform in that period;
if the IP addresses obtained in this period are judged to differ from the IP addresses obtained by filtering in the previous period and stored in a dynamic address group, updating the IP addresses in the dynamic address group;
adjusting an access control list or security policy according to the updated IP addresses in the dynamic address group.
Optionally, the method further includes:
in each predetermined period, releasing the acquired virtual machine information after it has been filtered.
Optionally, adjusting the access control list or security policy according to the updated IP addresses in the dynamic address group includes:
the access control list or security policy referencing the dynamic address group, so that the IP addresses stored in the dynamic address group serve as the traffic filtering condition of the firewall.
Optionally, the access control list or security policy is created by command line or web page.
Optionally, before sending the login authentication request to the cloud platform according to its configuration information, the method further includes:
configuring, by command line or web page, the type of the cloud platform, the virtual machine IP address of the cloud platform, the login authentication user name of the cloud platform, the login authentication password of the cloud platform, the dynamic address group name and/or the virtual machine parameter matching condition.
In a second aspect, the security protection device for a cloud platform firewall provided by the invention includes:
an authentication module, for sending a login authentication request to the cloud platform according to configuration information of the cloud platform;
an acquisition module, for acquiring, after receiving feedback that login authentication succeeded, the virtual machine information of each virtual machine in the cloud platform according to a predetermined period;
a filtering module, for filtering, in each predetermined period, the virtual machine information acquired in that period according to a virtual machine parameter matching condition, to obtain the IP addresses of the virtual machines in the cloud platform in that period;
an update module, for updating the IP addresses in a dynamic address group when the IP addresses obtained in this period are judged to differ from the IP addresses obtained by filtering in the previous period and stored in the dynamic address group;
an adjustment module, for adjusting an access control list or security policy according to the updated IP addresses in the dynamic address group.
Optionally, the device further includes:
a release module, for releasing, in each predetermined period, the acquired virtual machine information after it has been filtered.
Optionally, the adjustment module is specifically configured so that the access control list or security policy references the dynamic address group, so that the IP addresses stored in the dynamic address group serve as the traffic filtering condition of the firewall.
Optionally, the access control list or security policy is created by command line or web page.
Optionally, the device further includes:
a configuration module, for configuring, by command line or web page, before the authentication module sends the login authentication request to the cloud platform according to its configuration information, the type of the cloud platform, the virtual machine IP address of the cloud platform, the login authentication user name of the cloud platform, the login authentication password of the cloud platform, the dynamic address group name and/or the virtual machine parameter matching condition.
In the security protection method and device for a cloud platform firewall provided by the invention, after login authentication succeeds, the virtual machine information in the cloud platform is acquired periodically and the IP addresses of the virtual machines are obtained from it by filtering. When the IP address of a virtual machine in the cloud platform changes, the firewall can therefore perceive the change, update the dynamic address group, and then adjust the access control list or security policy according to the updated dynamic address group. The method thus needs no manual modification of IP addresses, can adapt to the network changes brought about by address changes of virtual machines in the cloud platform, and improves the efficiency of network security protection.
Accompanying drawing explanation
The features and advantages of the invention can be understood more clearly with reference to the accompanying drawings, which are schematic and are not to be construed as limiting the invention in any way. In the drawings:
Fig. 1 shows a deployment diagram of the cloud platform and the firewall;
Fig. 2 shows a flow diagram of an embodiment of the security protection method for a cloud platform firewall according to the present invention;
Fig. 3 shows a block diagram of an embodiment of the security protection device for a cloud platform firewall according to the present invention.
Detailed description of the invention
In order that the above objects, features and advantages of the present invention may be understood more clearly, the present invention is described in further detail below with reference to the drawings and specific embodiments. It should be noted that, where there is no conflict, the embodiments of this application and the features of those embodiments may be combined with each other.
Many specific details are set forth in the following description so that the present invention can be fully understood; however, the present invention may also be implemented in ways other than those described here, and the scope of protection of the present invention is therefore not limited by the specific embodiments disclosed below.
As shown in Fig. 1, the firewall FW and the cloud platform are two independent platforms: the firewall FW behaves like a client and the cloud platform like a server. The firewall FW is deployed at the egress of the cloud platform, so that every virtual machine in the cloud platform (VM1, VM2, VM3, VM4, VM5) must pass through the traffic control of the firewall FW in order to reach the external network, and the firewall FW has an interface through which the management node of the cloud platform is reachable via the routing switch SW.
For the cloud platform and firewall deployed as in Fig. 1, the present invention provides a security protection method for a cloud platform firewall, shown in Fig. 2, which can in particular be performed by the firewall of the cloud platform. The method includes:
S101, sending a login authentication request to the cloud platform according to the configuration information of the cloud platform;
Here, configuration information refers to the information about the cloud platform that is configured on the firewall, for example the type of the cloud platform and the user name and password used for login authentication.
S102, after receiving feedback that login authentication succeeded, acquiring the virtual machine information of each virtual machine in the cloud platform according to a predetermined period;
Here, virtual machine information refers to information such as the network segment of the virtual machine, its universally unique identifier (UUID) within the cloud platform, and its operating system. The firewall can obtain it by calling the external application programming interface (API) of the cloud platform.
Here, the predetermined period can be set according to the actual situation, for example 10 s.
S103, in each predetermined period, filtering the virtual machine information acquired in that period according to the virtual machine parameter matching condition, to obtain the IP addresses of the virtual machines in the cloud platform in that period;
Here, the virtual machine parameter matching condition can be configured on the firewall in advance; it is the filter condition by which the IP addresses of virtual machines are obtained from the virtual machine information.
S104, if the IP addresses obtained in this predetermined period are judged to differ from the IP addresses obtained by filtering in the previous predetermined period and stored in the dynamic address group, updating the IP addresses in the dynamic address group;
It will be appreciated that if the IP addresses obtained in a given predetermined period have not changed relative to the previous period, the dynamic address group need not be updated; when the IP addresses obtained in a given period have changed, the IP addresses in the dynamic address group are updated to the IP addresses obtained in that period.
It will also be appreciated that if the current period is the first predetermined period, the IP addresses obtained in that first period are stored into the dynamic address group, which is initially empty.
S105, adjusting the access control list or security policy according to the updated IP addresses in the dynamic address group.
Here, the access control list or security policy can be created by command line or web page.
In the security protection method for a cloud platform firewall provided by the invention, after login authentication succeeds, the virtual machine information in the cloud platform is acquired periodically and the IP addresses of the virtual machines are obtained from it by filtering. When the IP address of a virtual machine in the cloud platform changes, the firewall can therefore perceive the change, update the dynamic address group, and then adjust the access control list or security policy according to the updated dynamic address group. The method thus needs no manual modification of IP addresses, can adapt to the network changes brought about by address changes of virtual machines in the cloud platform, and improves the efficiency of network security protection.
In a specific implementation, the security protection method provided by the invention may further include:
in each predetermined period, releasing the acquired virtual machine information after it has been filtered.
Releasing the virtual machine information prevents the virtual machine information acquired in successive periods from all accumulating in the virtual machine information linked list, reduces the space it occupies, and at the same time ensures that the virtual machine information stored in the firewall system is always the most recent.
In a specific implementation, step S105 may specifically include:
the access control list or security policy referencing the dynamic address group, so that the IP addresses stored in the dynamic address group serve as the traffic filtering condition of the firewall.
After the access control list or security policy references the dynamic address group, the IP addresses stored in the group can be used as the traffic filtering condition of the firewall. Because the stored IP addresses are the filtering condition, when the firewall receives a packet it judges whether the packet's source or destination address matches an IP address in the dynamic address group; a match means that the packet hits the access control list or security policy.
In a specific implementation, the security protection method provided by the invention further includes, before S101:
configuring, by command line or web page, the type of the cloud platform, the virtual machine IP address of the cloud platform, the login authentication user name of the cloud platform, the login authentication password of the cloud platform, the dynamic address group name and/or the virtual machine parameter matching condition.
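The following Python program is an added example, not code from the patent or from any firewall product. It simulates steps S101 to S105 end to end, the optional release step, and the packet check described above (source or destination address matched against the dynamic address group). The cloud platform, its login and virtual machine listing API, the VM records, the matching condition and the ACL line format are all constructed for the example; a real firewall would call the platform's actual API and its own policy engine instead.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Iterable

MATCH_SEGMENT = ip_network("10.0.1.0/24")  # network segment used by the example condition


class FakeCloudPlatform:
    """Constructed stand-in for the cloud platform's management API (not a real API)."""

    def __init__(self, username: str, password: str, inventory: list[dict]):
        self._creds = (username, password)
        self.inventory = inventory  # mutable so a caller can simulate an address change

    def login(self, username: str, password: str) -> bool:
        return (username, password) == self._creds

    def list_vms(self) -> list[dict]:
        # Every period hands back fresh copies; the firewall must not keep old ones around.
        return [dict(vm) for vm in self.inventory]


@dataclass
class FirewallConfig:
    """The items the patent says are configured by command line or web page."""
    platform_type: str
    username: str
    password: str
    group_name: str
    period_seconds: int = 10
    # The "virtual machine parameter matching condition": a predicate over one VM record.
    match: Callable[[dict], bool] = lambda vm: True


@dataclass
class DynamicAddressGroup:
    name: str
    addresses: frozenset = frozenset()  # empty before the first period
    generation: int = 0

    def update(self, new_addresses: Iterable[str]) -> bool:
        """S104: replace the contents only when the filtered set differs from last period."""
        new = frozenset(new_addresses)
        if new == self.addresses:
            return False
        self.addresses = new
        self.generation += 1
        return True

    def contains(self, ip: str) -> bool:
        return ip in self.addresses


def filter_addresses(vms: list[dict], match: Callable[[dict], bool]) -> set[str]:
    """S103: apply the matching condition and keep only the IP addresses."""
    return {vm["ip"] for vm in vms if match(vm)}


def render_acl(group: DynamicAddressGroup, action: str = "permit") -> list[str]:
    """S105: the ACL references the group, so its lines are regenerated from the group."""
    return [
        f"{action} ip host {ip} any  ! {group.name} gen {group.generation}"
        for ip in sorted(group.addresses, key=ip_address)
    ]


class CloudFirewall:
    def __init__(self, cfg: FirewallConfig, platform: FakeCloudPlatform):
        self.cfg, self.platform = cfg, platform
        self.group = DynamicAddressGroup(cfg.group_name)
        self.acl: list[str] = []
        self.logged_in = False

    def login(self) -> bool:
        """S101: authenticate to the platform with the configured credentials."""
        self.logged_in = self.platform.login(self.cfg.username, self.cfg.password)
        return self.logged_in

    def run_period(self) -> bool:
        """S102 to S105 for one predetermined period; True if the ACL was regenerated."""
        if not self.logged_in:
            raise RuntimeError("login authentication has not succeeded")
        vms = self.platform.list_vms()                       # S102
        addresses = filter_addresses(vms, self.cfg.match)    # S103
        del vms                                              # release the VM information
        if self.group.update(addresses):                     # S104
            self.acl = render_acl(self.group)                # S105
            return True
        return False

    def hits(self, src: str, dst: str) -> bool:
        """Packet check: source or destination address is in the dynamic address group."""
        return self.group.contains(src) or self.group.contains(dst)


def linux_in_segment(vm: dict) -> bool:
    """Example matching condition: Linux VMs whose address lies in MATCH_SEGMENT."""
    return vm["os"] == "linux" and ip_address(vm["ip"]) in MATCH_SEGMENT


# Constructed inventory: three VMs, one of which does not satisfy the condition.
INVENTORY = [
    {"uuid": "vm-1", "ip": "10.0.1.5", "os": "linux"},
    {"uuid": "vm-2", "ip": "10.0.1.7", "os": "linux"},
    {"uuid": "vm-3", "ip": "10.0.2.9", "os": "windows"},
]


def demo() -> tuple[list[str], bool, list[str]]:
    """Three periods: initial fill, no change, then vm-2 receives a new address."""
    platform = FakeCloudPlatform("fw-reader", "s3cret", [dict(v) for v in INVENTORY])
    cfg = FirewallConfig("openstack", "fw-reader", "s3cret", "cloud_vms", match=linux_in_segment)
    fw = CloudFirewall(cfg, platform)
    if not fw.login():
        raise RuntimeError("login failed")
    fw.run_period()
    first_acl = list(fw.acl)
    unchanged = fw.run_period()
    platform.inventory[1]["ip"] = "10.0.1.20"  # address change between two periods
    fw.run_period()
    return first_acl, unchanged, list(fw.acl)


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

Two properties of the scheme are visible in the simulation. The ACL is only regenerated when the filtered address set actually differs, so a stable inventory costs nothing beyond the poll; and because the change is only observed at the next poll, an address that is reassigned between polls is governed by the previous period's policy for up to one period (10 s in the patent's example), which is the lag a deployment should size the period against. The credentials held in the configuration give the firewall read access to the whole VM inventory, so in practice they should be a dedicated account limited to listing virtual machines.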
Based on the same inventive concept, the present invention also provides a security protection device for a cloud platform firewall. As shown in Fig. 3, the device includes an authentication module 201, an acquisition module 202, a filtering module 203, an update module 204 and an adjustment module 205, where:
the authentication module 201 is for sending a login authentication request to the cloud platform according to the configuration information of the cloud platform;
the acquisition module 202 is for acquiring, after receiving feedback that login authentication succeeded, the virtual machine information of each virtual machine in the cloud platform according to a predetermined period;
the filtering module 203 is for filtering, in each predetermined period, the virtual machine information acquired in that period according to the virtual machine parameter matching condition, to obtain the IP addresses of the virtual machines in the cloud platform in that period;
the update module 204 is for updating the IP addresses in the dynamic address group when the IP addresses obtained in this period are judged to differ from the IP addresses obtained by filtering in the previous period and stored in the dynamic address group;
the adjustment module 205 is for adjusting the access control list or security policy according to the updated IP addresses in the dynamic address group.
In a specific implementation, as shown in Fig. 3, the device provided by the invention may further include:
a release module 206, for releasing, in each predetermined period, the acquired virtual machine information after it has been filtered.
In a specific implementation, the adjustment module 205 is specifically configured so that the access control list or security policy references the dynamic address group, so that the IP addresses stored in the dynamic address group serve as the traffic filtering condition of the firewall.
In a specific implementation, the access control list or security policy is created by command line or web page.
In a specific implementation, as shown in Fig. 3, the device provided by the invention further includes:
a configuration module 200, for configuring, by command line or web page, before the authentication module sends the login authentication request to the cloud platform according to its configuration information, the type of the cloud platform, the virtual machine IP address of the cloud platform, the login authentication user name of the cloud platform, the login authentication password of the cloud platform, the dynamic address group name and/or the virtual machine parameter matching condition.
In the present invention, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance. The term "multiple" means two or more, unless otherwise clearly limited.
Although embodiments of the present invention have been described with reference to the accompanying drawings, those skilled in the art can make various modifications and variations without departing from the spirit and scope of the present invention, and such modifications and variations all fall within the scope defined by the appended claims.
Claims (10)
1. A security protection method for a cloud platform firewall, comprising:
sending a login authentication request to the cloud platform according to configuration information of the cloud platform;
after receiving feedback that login authentication succeeded, acquiring the virtual machine information of each virtual machine in the cloud platform according to a predetermined period;
in each predetermined period, filtering the virtual machine information acquired in that period according to a virtual machine parameter matching condition, to obtain the IP addresses of the virtual machines in the cloud platform in that period;
if the IP addresses obtained in this period are judged to differ from the IP addresses obtained by filtering in the previous period and stored in a dynamic address group, updating the IP addresses in the dynamic address group;
adjusting an access control list or security policy according to the updated IP addresses in the dynamic address group.
2. The method according to claim 1, characterised in that it further comprises:
in each predetermined period, releasing the acquired virtual machine information after it has been filtered.
3. The method according to claim 1, characterised in that adjusting the access control list or security policy according to the updated IP addresses in the dynamic address group comprises:
the access control list or security policy referencing the dynamic address group, so that the IP addresses stored in the dynamic address group serve as the traffic filtering condition of the firewall.
4. The method according to claim 1, characterised in that the access control list or security policy is created by command line or web page.
5. The method according to claim 1, characterised in that, before sending the login authentication request to the cloud platform according to its configuration information, the method further comprises:
configuring, by command line or web page, the type of the cloud platform, the virtual machine IP address of the cloud platform, the login authentication user name of the cloud platform, the login authentication password of the cloud platform, the dynamic address group name and/or the virtual machine parameter matching condition.
6. A security protection device for a cloud platform firewall, comprising:
an authentication module, for sending a login authentication request to the cloud platform according to configuration information of the cloud platform;
an acquisition module, for acquiring, after receiving feedback that login authentication succeeded, the virtual machine information of each virtual machine in the cloud platform according to a predetermined period;
a filtering module, for filtering, in each predetermined period, the virtual machine information acquired in that period according to a virtual machine parameter matching condition, to obtain the IP addresses of the virtual machines in the cloud platform in that period;
an update module, for updating the IP addresses in a dynamic address group when the IP addresses obtained in this period are judged to differ from the IP addresses obtained by filtering in the previous period and stored in the dynamic address group;
an adjustment module, for adjusting an access control list or security policy according to the updated IP addresses in the dynamic address group.
7. The device according to claim 6, characterised in that it further comprises:
a release module, for releasing, in each predetermined period, the acquired virtual machine information after it has been filtered.
8. The device according to claim 6, characterised in that the adjustment module is specifically configured so that the access control list or security policy references the dynamic address group, so that the IP addresses stored in the dynamic address group serve as the traffic filtering condition of the firewall.
9. The device according to claim 6, characterised in that the access control list or security policy is created by command line or web page.
10. The device according to claim 6, characterised in that it further comprises:
a configuration module, for configuring, by command line or web page, before the authentication module sends the login authentication request to the cloud platform according to its configuration information, the type of the cloud platform, the virtual machine IP address of the cloud platform, the login authentication user name of the cloud platform, the login authentication password of the cloud platform, the dynamic address group name and/or the virtual machine parameter matching condition.
Priority application: CN201610236924.0A, filed 2016-04-14 (priority date 2016-04-14), "Security protection method and device for cloud platform firewall"
Publication: CN105791311A, published 2016-07-20
Family ID: 56396705
Status: Pending
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110300091A | 2018-03-23 | 2019-10-01 | 瞻博网络公司 (Juniper Networks) | Tracking host threats in a network and enforcing threat policy actions against the host threats |
CN110300091B | 2018-03-23 | 2021-12-10 | 瞻博网络公司 (Juniper Networks) | Tracking host threats in a network and enforcing threat policy actions against the host threats |
US11888877B2 | 2018-03-23 | 2024-01-30 | Juniper Networks, Inc. | Tracking host threats in a network and enforcing threat policy actions for the host threats |
US11979415B2 | 2018-03-23 | 2024-05-07 | Juniper Networks, Inc. | Enforcing threat policy actions based on network addresses of host threats |
CN111641597A | 2020-05-11 | 2020-09-08 | 紫光云技术有限公司 | Firewall dynamic security protection system and method for cloud environment |
CN112153003A | 2020-08-26 | 2020-12-29 | 北京小顺科技有限公司 | Remote automatic updating cloud system and method for security policy |
CN112491822A | 2020-11-13 | 2021-03-12 | 中盈优创资讯科技有限公司 | Method and device for automatically issuing security policy |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |