CN105791311A - Security protection method and device for cloud platform firewall - Google Patents


Info

Publication number
CN105791311A
Authority
CN
China
Prior art keywords
cloud platform
virtual machine
address
predetermined period
address group
Legal status
Pending
Application number
CN201610236924.0A
Other languages
Chinese (zh)
Inventor
张辉
Current Assignee
Opzoon Technology Co Ltd
Original Assignee
Opzoon Technology Co Ltd
Priority date
2016-04-14
Filing date
2016-04-14
Publication date
2016-07-20

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0272 Virtual private networks
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a security protection method and a security protection device for a cloud platform firewall. The security protection method comprises the steps of: sending a login authentication request to a cloud platform according to configuration information of the cloud platform; acquiring virtual machine information of the virtual machines in the cloud platform according to a preset period after receiving feedback information indicating that login authentication succeeded; in each preset period, filtering the virtual machine information acquired in that preset period according to a virtual machine parameter matching condition, and obtaining the IP addresses of the virtual machines in the cloud platform in that preset period; updating the IP addresses in a dynamic address group when it is determined that the IP addresses in the preset period differ from the IP addresses obtained by filtering in the previous preset period and stored in the dynamic address group; and adjusting an access control list or a security policy according to the updated IP addresses in the dynamic address group. The security protection method and device do not require manual modification of IP addresses, can adapt to the network changes caused by address changes of the virtual machines in the cloud platform, and increase the efficiency of network security protection.

Description

Security protection method and device for cloud platform firewall
Technical field
The present invention relates to the technical field of network operations, and in particular to a security protection method and device for a cloud platform firewall.
Background technology
At present, cloud computing is developing very rapidly, and as it develops, the security protection of cloud platforms also needs attention. However, traditional firewall security protection methods cannot fully meet the needs of cloud platforms, because a traditional firewall performs security protection for fixed IP addresses, IP network segments or address groups, whereas in a cloud platform the addresses of virtual machines change frequently and every network change of the cloud platform requires the IP addresses to be modified manually. Consequently, when security maintenance is carried out with traditional firewall security protection methods, flexibility is poor, a large amount of manpower is needed for maintenance, and work efficiency is relatively low.
Summary of the invention
In view of the above disadvantages, the present invention provides a security protection method and device for a cloud platform firewall that do not require manual modification of IP addresses, can adapt to the network changes brought about by the address changes of virtual machines in the cloud platform, and improve the efficiency of network security protection.
In a first aspect, the security protection method for a cloud platform firewall provided by the invention includes:
sending a login authentication request to the cloud platform according to configuration information of the cloud platform;
after receiving feedback information indicating that login authentication succeeded, acquiring the virtual machine information of each virtual machine in the cloud platform according to a predetermined period;
in each predetermined period, filtering the virtual machine information acquired in that predetermined period according to a virtual machine parameter matching condition, to obtain the IP addresses of the virtual machines in the cloud platform in that predetermined period;
if it is determined that the IP addresses in this predetermined period differ from the IP addresses obtained by filtering in the previous predetermined period and stored in the dynamic address group, updating the IP addresses in the dynamic address group;
adjusting the access control list or security policy according to the updated IP addresses in the dynamic address group.
Optionally, the method further includes:
in each predetermined period, after the acquired virtual machine information has been filtered, releasing the acquired virtual machine information.
Optionally, adjusting the access control list or security policy according to the updated IP addresses in the dynamic address group includes:
having the access control list or security policy reference the dynamic address group, so that the IP addresses stored in the dynamic address group serve as the traffic filtering condition of the firewall.
Optionally, the access control list or security policy is created through a command line or a web page.
Optionally, before sending the login authentication request to the cloud platform according to the configuration information of the cloud platform, the method further includes:
configuring, through a command line or a web page, the type of the cloud platform, the virtual machine IP address of the cloud platform, the login authentication user name of the cloud platform, the login authentication password of the cloud platform, the dynamic address group name and/or the virtual machine parameter matching condition.
In a second aspect, the security protection device for a cloud platform firewall provided by the invention includes:
an authentication module, for sending a login authentication request to the cloud platform according to configuration information of the cloud platform;
an acquisition module, for acquiring, after receiving feedback information indicating that login authentication succeeded, the virtual machine information of each virtual machine in the cloud platform according to a predetermined period;
a filtering module, for filtering, in each predetermined period, the virtual machine information acquired in that predetermined period according to a virtual machine parameter matching condition, to obtain the IP addresses of the virtual machines in the cloud platform in that predetermined period;
an update module, for updating the IP addresses in the dynamic address group when it is determined that the IP addresses in this predetermined period differ from the IP addresses obtained by filtering in the previous predetermined period and stored in the dynamic address group;
an adjustment module, for adjusting the access control list or security policy according to the updated IP addresses in the dynamic address group.
Optionally, the device further includes:
a release module, for releasing, in each predetermined period, the acquired virtual machine information after it has been filtered.
Optionally, the adjustment module is specifically configured to have the access control list or security policy reference the dynamic address group, so that the IP addresses stored in the dynamic address group serve as the traffic filtering condition of the firewall.
Optionally, the access control list or security policy is created through a command line or a web page.
Optionally, the device further includes:
a configuration module, for configuring, through a command line or a web page, before the authentication module sends the login authentication request to the cloud platform according to the configuration information of the cloud platform, the type of the cloud platform, the virtual machine IP address of the cloud platform, the login authentication user name of the cloud platform, the login authentication password of the cloud platform, the dynamic address group name and/or the virtual machine parameter matching condition.
In the security protection method and device for a cloud platform firewall provided by the invention, after login authentication succeeds, the virtual machine information in the cloud platform is acquired periodically and the IP addresses of the virtual machines are obtained by filtering that information; therefore, when the IP address of a virtual machine in the cloud platform changes, the firewall can perceive the change, update the dynamic address group accordingly, and then adjust the access control list or security policy according to the updated dynamic address group. It can be seen that the firewall security protection method provided by the invention does not require manual modification of IP addresses, can adapt to the network changes brought about by the address changes of virtual machines in the cloud platform, and improves the efficiency of network security protection.
Brief description of the drawings
The features, details and advantages of the invention can be understood more clearly with reference to the accompanying drawings, which are schematic and should not be construed as limiting the invention in any way. In the drawings:
Fig. 1 shows a deployment diagram of the cloud platform and the firewall;
Fig. 2 shows a schematic flowchart of an embodiment of the security protection method for a cloud platform firewall according to the present invention;
Fig. 3 shows a structural block diagram of an embodiment of the security protection device for a cloud platform firewall according to the present invention.
Detailed description of the invention
In order that the above objects, features and advantages of the present invention can be understood more clearly, the present invention is described in further detail below in conjunction with the drawings and specific embodiments. It should be noted that, where there is no conflict, the embodiments of the present application and the features in the embodiments can be combined with one another.
Many specific details are set forth in the following description so that the present invention can be fully understood; however, the present invention can also be implemented in other ways different from those described here, and therefore the scope of protection of the present invention is not limited by the specific embodiments disclosed below.
As shown in Fig. 1, the firewall FW and the cloud platform are two independent platforms: the firewall FW is analogous to a client and the cloud platform to a server. The firewall FW is deployed at the egress of the cloud platform, so that all virtual machines in the cloud platform (VM1, VM2, VM3, VM4, VM5) must pass through the traffic control of the firewall FW before they can access the external network, and the firewall FW has an interface that is reachable from the management node routing switch SW of the cloud platform.
For the cloud platform and firewall deployed as in Fig. 1, the present invention provides a security protection method for a cloud platform firewall which, as shown in Fig. 2, can specifically be executed by the firewall of the cloud platform and includes:
S101: sending a login authentication request to the cloud platform according to the configuration information of the cloud platform;
Here, configuration information refers to the information the firewall has configured about the cloud platform, for example the type of the cloud platform and login authentication information such as the user name and password.
S102: after receiving feedback information indicating that login authentication succeeded, acquiring the virtual machine information of each virtual machine in the cloud platform according to a predetermined period;
Here, virtual machine information refers to information such as the network segment of the virtual machine, the identifier assigned by the cloud platform (Universally Unique Identifier, UUID for short), and the operating system. The firewall can acquire it by calling the external application programming interface (API interface) of the cloud platform.
The predetermined period can be set according to the actual situation, for example 10 s.
S103: in each predetermined period, filtering the virtual machine information acquired in that predetermined period according to the virtual machine parameter matching condition, to obtain the IP addresses of the virtual machines in the cloud platform in that predetermined period;
Here, the virtual machine parameter matching condition can be configured in advance by the firewall and refers to the filtering condition used to obtain the IP addresses of the virtual machines from the virtual machine information.
S104: if it is determined that the IP addresses in this predetermined period differ from the IP addresses obtained by filtering in the previous predetermined period and stored in the dynamic address group, updating the IP addresses in the dynamic address group;
It will be appreciated that if the IP addresses obtained in a given predetermined period have not changed relative to the previous period, the dynamic address group does not need to be updated. When the IP addresses obtained in a given predetermined period have changed, the IP addresses in the dynamic address group are updated to the IP addresses obtained in this predetermined period.
It will be appreciated that if the current predetermined period is the first predetermined period, the IP addresses obtained in the first predetermined period are stored into the dynamic address group, which is initially empty.
S105: adjusting the access control list or security policy according to the updated IP addresses in the dynamic address group.
Here, the access control list or security policy can be created through a command line or a web page.
In the security protection method for a cloud platform firewall provided by the invention, after login authentication succeeds, the virtual machine information in the cloud platform is acquired periodically and the IP addresses of the virtual machines are obtained by filtering that information; therefore, when the IP address of a virtual machine in the cloud platform changes, the firewall can perceive the change, update the dynamic address group accordingly, and then adjust the access control list or security policy according to the updated dynamic address group. It can be seen that the firewall security protection method provided by the invention does not require manual modification of IP addresses, can adapt to the network changes brought about by the address changes of virtual machines in the cloud platform, and improves the efficiency of network security protection.
In a specific implementation, the security protection method provided by the invention may further include:
in each predetermined period, after the acquired virtual machine information has been filtered, releasing the acquired virtual machine information.
Releasing the virtual machine information avoids having the virtual machine information acquired in successive periods all remain linked in the virtual machine information linked list, reduces the space occupied by virtual machine information, and at the same time ensures that the virtual machine information stored in the firewall system is always up to date.
In a specific implementation, step S105 may specifically include:
having the access control list or security policy reference the dynamic address group, so that the IP addresses stored in the dynamic address group serve as the traffic filtering condition of the firewall.
After the access control list or security policy references the dynamic address group, the IP addresses stored in the dynamic address group can serve as the firewall's traffic filtering condition. Because the IP addresses stored in the dynamic address group are the firewall's traffic filtering condition, when the firewall receives a packet it determines whether the source/destination address of the packet matches an IP address in the dynamic address group; a match indicates that the packet hits the access control list or security policy.
In a specific implementation, the security protection method provided by the invention further includes, before S101:
configuring, through a command line or a web page, the type of the cloud platform, the virtual machine IP address of the cloud platform, the login authentication user name of the cloud platform, the login authentication password of the cloud platform, the dynamic address group name and/or the virtual machine parameter matching condition.
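The whole cycle from the pre-configuration step through S101 to S105, with the optional release of per-period virtual machine information, as an added illustration written for this page in Python (not code from the patent or from Opzoon). The cloud platform API, its VM records, the credentials, the addresses and the matching condition are all constructed stand-ins; the dynamic address group is compared as a set so that a period in which nothing changed produces no update, and the ACL entry references the group rather than fixed addresses, which is what lets a re-addressed VM keep matching without manual edits.

```python
# Added illustration of the polling loop in S101-S105 (not the patent's code).
# The cloud platform API, VM records, credentials, addresses and the matching
# condition below are all constructed stand-ins.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VMInfo:
    """Virtual machine information as returned by the platform (constructed)."""
    uuid: str
    ip: str
    segment: str
    os: str


class FakeCloudPlatform:
    """Constructed stand-in for the cloud platform's external API interface."""

    def __init__(self, username, password, vms):
        self._creds = (username, password)
        self.vms = list(vms)

    def login(self, username, password):
        # S101: a token models the "login authentication succeeded" feedback;
        # None models a failed authentication.
        return "session-token" if (username, password) == self._creds else None

    def list_vms(self, token):
        if token != "session-token":
            raise PermissionError("login authentication required")
        return list(self.vms)


@dataclass
class DynamicAddressGroup:
    """Address group whose contents track the filtered VM IPs (S104)."""
    name: str
    addresses: frozenset = field(default_factory=frozenset)

    def update(self, new_addresses):
        # Rewrite the group only when the filtered set differs from the set
        # stored in the previous period; the first period fills an empty group.
        new_addresses = frozenset(new_addresses)
        if new_addresses == self.addresses:
            return False
        self.addresses = new_addresses
        return True


def filter_vm_ips(vm_infos, condition):
    """S103: apply the VM parameter matching condition and keep matching IPs."""
    return {vm.ip for vm in vm_infos if condition(vm)}


class AclRule:
    """S105: an ACL entry that references the group instead of fixed IPs."""

    def __init__(self, group, action):
        self.group = group
        self.action = action

    def matches(self, src_ip, dst_ip):
        # A packet hits the rule if its source or destination is in the group.
        return src_ip in self.group.addresses or dst_ip in self.group.addresses


class FirewallPoller:
    """Runs one predetermined period: fetch, filter, compare, update, release."""

    def __init__(self, platform, config, condition):
        self.platform = platform
        self.config = config          # set through CLI/web page beforehand
        self.condition = condition
        self.group = DynamicAddressGroup(config["group_name"])
        self.token = None

    def authenticate(self):
        self.token = self.platform.login(self.config["username"],
                                         self.config["password"])
        return self.token is not None

    def run_period(self):
        vm_infos = self.platform.list_vms(self.token)   # S102
        ips = filter_vm_ips(vm_infos, self.condition)    # S103
        changed = self.group.update(ips)                 # S104
        del vm_infos  # release this period's VM info so nothing accumulates
        return changed


def demo():
    """Three periods with a VM address change in between (constructed data)."""
    config = {"username": "fwadmin", "password": "constructed-secret",
              "group_name": "cloud-vms"}
    platform = FakeCloudPlatform("fwadmin", "constructed-secret", [
        VMInfo("uuid-1", "10.0.1.11", "10.0.1.0/24", "linux"),
        VMInfo("uuid-2", "10.0.1.12", "10.0.1.0/24", "windows"),
        VMInfo("uuid-3", "10.0.2.13", "10.0.2.0/24", "linux"),
    ])
    # Matching condition: only VMs whose address lies in the 10.0.1.0/24 segment.
    match_net = ipaddress.ip_network("10.0.1.0/24")
    condition = lambda vm: ipaddress.ip_address(vm.ip) in match_net
    poller = FirewallPoller(platform, config, condition)
    if not poller.authenticate():
        raise RuntimeError("login authentication failed")
    rule = AclRule(poller.group, "permit")
    first = poller.run_period()          # empty group gets filled -> True
    second = poller.run_period()         # nothing changed -> False
    platform.vms[1].ip = "10.0.1.99"     # VM2 is re-addressed on the platform
    third = poller.run_period()          # group updated -> True
    return (first, second, third, sorted(poller.group.addresses),
            rule.matches("10.0.1.99", "203.0.113.5"),   # new address hits
            rule.matches("10.0.1.12", "203.0.113.5"))   # stale address does not


if __name__ == "__main__":
    print(demo())
```

The set comparison in `DynamicAddressGroup.update` is the whole of the S104 check; a real firewall would additionally have to push the changed group to its packet-filtering path, which this toy leaves to `AclRule` reading the group directly.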
Based on the same inventive concept, the present invention also provides a security protection device for a cloud platform firewall. As shown in Fig. 3, the device includes an authentication module 201, an acquisition module 202, a filtering module 203, an update module 204 and an adjustment module 205, where:
the authentication module 201 is for sending a login authentication request to the cloud platform according to the configuration information of the cloud platform;
the acquisition module 202 is for acquiring, after receiving feedback information indicating that login authentication succeeded, the virtual machine information of each virtual machine in the cloud platform according to a predetermined period;
the filtering module 203 is for filtering, in each predetermined period, the virtual machine information acquired in that predetermined period according to the virtual machine parameter matching condition, to obtain the IP addresses of the virtual machines in the cloud platform in that predetermined period;
the update module 204 is for updating the IP addresses in the dynamic address group when it is determined that the IP addresses in this predetermined period differ from the IP addresses obtained by filtering in the previous predetermined period and stored in the dynamic address group;
the adjustment module 205 is for adjusting the access control list or security policy according to the updated IP addresses in the dynamic address group.
In a specific implementation, as shown in Fig. 3, the device provided by the invention may further include:
a release module 206, for releasing, in each predetermined period, the acquired virtual machine information after it has been filtered.
In a specific implementation, the adjustment module 205 is specifically configured to have the access control list or security policy reference the dynamic address group, so that the IP addresses stored in the dynamic address group serve as the traffic filtering condition of the firewall.
In a specific implementation, the access control list or security policy is created through a command line or a web page.
In a specific implementation, as shown in Fig. 3, the device provided by the invention further includes:
a configuration module 200, for configuring, through a command line or a web page, before the authentication module sends the login authentication request to the cloud platform according to the configuration information of the cloud platform, the type of the cloud platform, the virtual machine IP address of the cloud platform, the login authentication user name of the cloud platform, the login authentication password of the cloud platform, the dynamic address group name and/or the virtual machine parameter matching condition.
In the present invention, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance. The term "plurality" means two or more unless otherwise expressly defined.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art can make various modifications and variations without departing from the spirit and scope of the present invention, and all such modifications and variations fall within the scope defined by the appended claims.

Claims (10)

1. A security protection method for a cloud platform firewall, comprising:
sending a login authentication request to the cloud platform according to configuration information of the cloud platform;
after receiving feedback information indicating that login authentication succeeded, acquiring the virtual machine information of each virtual machine in the cloud platform according to a predetermined period;
in each predetermined period, filtering the virtual machine information acquired in that predetermined period according to a virtual machine parameter matching condition, to obtain the IP addresses of the virtual machines in the cloud platform in that predetermined period;
if it is determined that the IP addresses in this predetermined period differ from the IP addresses obtained by filtering in the previous predetermined period and stored in the dynamic address group, updating the IP addresses in the dynamic address group;
adjusting the access control list or security policy according to the updated IP addresses in the dynamic address group.
2. The method according to claim 1, characterized in that it further comprises:
in each predetermined period, after the acquired virtual machine information has been filtered, releasing the acquired virtual machine information.
3. The method according to claim 1, characterized in that adjusting the access control list or security policy according to the updated IP addresses in the dynamic address group comprises:
having the access control list or security policy reference the dynamic address group, so that the IP addresses stored in the dynamic address group serve as the traffic filtering condition of the firewall.
4. The method according to claim 1, characterized in that the access control list or security policy is created through a command line or a web page.
5. The method according to claim 1, characterized in that, before sending the login authentication request to the cloud platform according to the configuration information of the cloud platform, the method further comprises:
configuring, through a command line or a web page, the type of the cloud platform, the virtual machine IP address of the cloud platform, the login authentication user name of the cloud platform, the login authentication password of the cloud platform, the dynamic address group name and/or the virtual machine parameter matching condition.
6. A security protection device for a cloud platform firewall, comprising:
an authentication module, for sending a login authentication request to the cloud platform according to configuration information of the cloud platform;
an acquisition module, for acquiring, after receiving feedback information indicating that login authentication succeeded, the virtual machine information of each virtual machine in the cloud platform according to a predetermined period;
a filtering module, for filtering, in each predetermined period, the virtual machine information acquired in that predetermined period according to a virtual machine parameter matching condition, to obtain the IP addresses of the virtual machines in the cloud platform in that predetermined period;
an update module, for updating the IP addresses in the dynamic address group when it is determined that the IP addresses in this predetermined period differ from the IP addresses obtained by filtering in the previous predetermined period and stored in the dynamic address group;
an adjustment module, for adjusting the access control list or security policy according to the updated IP addresses in the dynamic address group.
7. The device according to claim 6, characterized in that it further comprises:
a release module, for releasing, in each predetermined period, the acquired virtual machine information after it has been filtered.
8. The device according to claim 6, characterized in that the adjustment module is specifically configured to have the access control list or security policy reference the dynamic address group, so that the IP addresses stored in the dynamic address group serve as the traffic filtering condition of the firewall.
9. The device according to claim 6, characterized in that the access control list or security policy is created through a command line or a web page.
10. The device according to claim 6, characterized in that it further comprises:
a configuration module, for configuring, through a command line or a web page, before the authentication module sends the login authentication request to the cloud platform according to the configuration information of the cloud platform, the type of the cloud platform, the virtual machine IP address of the cloud platform, the login authentication user name of the cloud platform, the login authentication password of the cloud platform, the dynamic address group name and/or the virtual machine parameter matching condition.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610236924.0A CN105791311A (en) 2016-04-14 2016-04-14 Security protection method and device for cloud platform firewall

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610236924.0A CN105791311A (en) 2016-04-14 2016-04-14 Security protection method and device for cloud platform firewall

Publications (1)

Publication Number Publication Date
CN105791311A true CN105791311A (en) 2016-07-20

Family

ID=56396705

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610236924.0A Pending CN105791311A (en) 2016-04-14 2016-04-14 Security protection method and device for cloud platform firewall

Country Status (1)

Country Link
CN (1) CN105791311A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110300091A (en) * 2018-03-23 2019-10-01 瞻博网络公司 Tracking host threats in a network and enforcing threat policy actions against the host threats
CN110300091B (en) * 2018-03-23 2021-12-10 瞻博网络公司 Tracking host threats in a network and enforcing threat policy actions against the host threats
US11888877B2 (en) 2018-03-23 2024-01-30 Juniper Networks, Inc. Tracking host threats in a network and enforcing threat policy actions for the host threats
US11979415B2 (en) 2018-03-23 2024-05-07 Juniper Networks, Inc. Enforcing threat policy actions based on network addresses of host threats
CN111641597A (en) * 2020-05-11 2020-09-08 紫光云技术有限公司 Firewall dynamic security protection system and method for cloud environment
CN112153003A (en) * 2020-08-26 2020-12-29 北京小顺科技有限公司 Remote automatic updating cloud system and method for security policy
CN112491822A (en) * 2020-11-13 2021-03-12 中盈优创资讯科技有限公司 Method and device for automatically issuing security policy

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination