CN106027569A - Firewall management methods, master node, slave node, and cluster - Google Patents
Firewall management methods, master node, slave node, and cluster
- Publication number: CN106027569A (application CN201610570399.6A)
- Authority: CN (China)
- Prior art keywords: node, target, firewall, firewall policy, message
- Legal status: Pending (as listed by Google; not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
Abstract
The present invention provides firewall management methods, a master node, a slave node, and a cluster. The firewall management method applied to the master node in the cluster includes the steps of receiving an externally input management command, the management command including target slave node information and a firewall policy; determining a target slave node according to the target slave node information; and sending the firewall policy to the target slave node. With this method, the firewalls on all nodes can be managed in a uniform manner.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a firewall management method, a master node, a slave node and a cluster.
Background art
With the development of information technology, server systems with a distributed deployment architecture are used more and more. To improve the security of such a server system, a corresponding firewall policy usually has to be configured or maintained on each node of the system.
At present, an administrator goes to each node in turn and configures or maintains the firewall policy (for example, iptables or firewalld) locally on that node; the firewalls on the individual nodes cannot be managed in a unified manner.
Summary of the invention
Embodiments of the present invention provide a firewall management method, a master node, a slave node and a cluster that allow the firewalls on all nodes to be managed in a unified manner.
In a first aspect, an embodiment of the present invention provides a firewall management method applied to the master node in a cluster, including:
receiving an externally input management command, the management command including target slave node information and a firewall policy;
determining a target slave node according to the target slave node information; and
sending the firewall policy to the target slave node.
Preferably, the method further includes: connecting the master node in the cluster to each slave node through a message-oriented middleware;
wherein sending the firewall policy to the target slave node includes: sending the firewall policy to the message-oriented middleware;
controlling the message-oriented middleware to monitor its connection status with the target slave node in real time;
when the connection status is normal, controlling the message-oriented middleware to send the firewall policy directly to the target slave node; and
when the connection status is abnormal, controlling the message-oriented middleware to store the firewall policy;
and/or
the method further includes: configuring a master node IP whitelist;
before receiving the externally input management command, further including: receiving a connection request sent by a terminal; and
when the terminal IP carried in the connection request is present in the master node IP whitelist, establishing a connection between the terminal and the master node;
wherein receiving the externally input management command includes: receiving the management command sent by the terminal.
Preferably, the firewall policy includes any one or more of: obtaining the current security protection state of a slave node, enabling the security protection of a slave node, disabling the security protection of a slave node, obtaining the mutual trust policy between slave nodes, modifying the mutual trust policy between slave nodes, obtaining the IP whitelist of a slave node, and modifying the IP whitelist of a slave node.
In a second aspect, an embodiment of the present invention provides another firewall management method applied to each slave node in a cluster, including:
when any of the slave nodes acts as the target slave node, performing:
receiving a firewall policy; and
managing the firewall present on the slave node itself according to the firewall policy.
Preferably, the method further includes: configuring a corresponding firewall interface for the firewall of each slave node; and
configuring at least one protection function for the firewall interface;
wherein managing the firewall present on the slave node itself includes:
calling the firewall interface corresponding to the target slave node;
determining, according to the firewall policy, the target protection function among the protection functions of the firewall interface; and
managing the firewall corresponding to the firewall interface by means of the target protection function.
Preferably, the at least one protection function includes any one or more of: providing the current security protection state of the slave node on which it resides, enabling the security protection of that slave node, disabling the security protection of that slave node, providing the IP whitelist of that slave node, and modifying the IP whitelist of that slave node.
In a third aspect, an embodiment of the present invention provides a master node, connected to each external slave node, including:
a receiving unit, configured to receive an externally input management command, the management command including target slave node information and a firewall policy; and
a processing unit, configured to determine, according to the target slave node information, the external target slave node among the external slave nodes, and to send the firewall policy received by the receiving unit to the target slave node.
Preferably, the processing unit includes a control subunit and a message-oriented middleware, wherein
the control subunit is configured to control the message-oriented middleware; and
the message-oriented middleware, connected to each external slave node, is configured to determine the external target slave node, to receive the firewall policy, and, under the control of the control subunit, to monitor its connection status with the external target slave node in real time, to send the firewall policy to the external target slave node when the connection status is normal, and to store the firewall policy when the connection status is abnormal;
and/or
the master node further includes a setting unit and a connection unit, wherein
the setting unit is configured to configure a master node IP whitelist;
the connection unit is configured to receive a connection request sent by an external terminal and, when the terminal IP carried in the connection request is present in the master node IP whitelist configured by the setting unit, to establish a connection with the external terminal; and
the receiving unit is configured to receive, through the connection unit, the management command sent by the external terminal.
In a fourth aspect, an embodiment of the present invention provides a slave node, including a receiving unit, a firewall interface and a firewall, wherein
the receiving unit is configured to receive a firewall policy; and
the firewall interface, connecting the receiving unit and the firewall, is configured to provide at least one protection function, to determine, according to the firewall policy received by the receiving unit, the target protection function among the at least one protection function, and to manage the firewall corresponding to the firewall interface by means of the target protection function.
In a fifth aspect, an embodiment of the present invention provides a cluster, including the master node described above and at least one slave node described above, wherein
the master node includes a message-oriented middleware, is connected to the at least one slave node through the message-oriented middleware, and receives the management command sent by an external terminal; and
each of the at least one slave node includes a corresponding firewall interface and protects the firewall present on itself through that firewall interface.
The embodiments of the present invention provide a firewall management method, a master node, a slave node and a cluster. When the firewall management method is applied to the master node in the cluster, the master node receives an externally input management command that includes target slave node information and a firewall policy, determines the target slave node according to the target slave node information, and sends the firewall policy to the target slave node. In other words, whenever a slave node in the cluster acts as the target slave node, the master node in the cluster can send it the firewall policy; nobody has to log in to each slave node locally to maintain its firewall policy, so the firewalls on all nodes can be managed in a unified manner.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a firewall management method provided by an embodiment of the invention;
Fig. 2 is a flow chart of another firewall management method provided by an embodiment of the invention;
Fig. 3 is a flow chart of yet another firewall management method provided by an embodiment of the invention;
Fig. 4 is a schematic structural diagram of a master node provided by an embodiment of the invention;
Fig. 5 is a schematic structural diagram of a slave node provided by an embodiment of the invention;
Fig. 6 is a schematic structural diagram of a cluster provided by an embodiment of the invention.
Detailed description of the invention
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
As shown in Fig. 1, an embodiment of the present invention provides a firewall management method applied to the master node in a cluster, including:
Step 101: receiving an externally input management command, the management command including target slave node information and a firewall policy;
Step 102: determining the target slave node according to the target slave node information;
Step 103: sending the firewall policy to the target slave node.
When the firewall management method of the above embodiment is applied to the master node in a cluster, the master node receives an externally input management command that includes target slave node information and a firewall policy, determines the target slave node from that information, and sends the firewall policy to the target slave node. That is, whenever a slave node in the cluster acts as the target slave node, the master node can send it the firewall policy, so the security policy of every node in the cluster can be updated synchronously. Nobody has to log in to each slave node locally to maintain its firewall policy; the firewalls on all nodes are managed in a unified manner, and the workload of security policy maintenance is effectively reduced.
In one embodiment of the invention, the master node in the cluster is connected to each slave node through a message-oriented middleware, and step 103 specifically includes: sending the firewall policy to the message-oriented middleware; controlling the message-oriented middleware to monitor its connection status with the target slave node in real time; when the connection status is normal, controlling the message-oriented middleware to send the firewall policy directly to the target slave node; and when the connection status is abnormal, controlling the message-oriented middleware to store the firewall policy.
In the above embodiment, the master node is connected to each slave node through the message-oriented middleware and sends the firewall policy to the target slave node through it, which makes communication between the master node and the target slave node more reliable. For example, when the target slave node is powered off, the master node cannot send the firewall policy to it directly. With the message-oriented middleware in place, the master node sends the firewall policy to the middleware, the middleware stores it and monitors its connection status with the target slave node in real time, and once the target slave node has started up and reconnected normally, the middleware sends the stored firewall policy to it. The message-oriented middleware thus lets the management side maintain the cluster's firewalls with a single command per slave node, which simplifies operation and makes unified management of the firewalls on all nodes easier.
In one embodiment of the invention, the method further includes: configuring a master node IP whitelist; before step 101, receiving a connection request sent by a terminal; and, when the terminal IP carried in the connection request is present in the master node IP whitelist, establishing a connection between the terminal and the master node. Receiving the externally input management command then means receiving the management command sent by that terminal.
In the above embodiment, configuring an IP whitelist on the master node lets the cluster authenticate access from outside the cluster by IP whitelist: if the IP of an external terminal is on the whitelist, the master node accepts the terminal's connection request and establishes the connection, after which the terminal can send management commands to the master node; if the IP of the external terminal is not on the list, the master node rejects the connection request outright. Configuring a master node IP whitelist therefore improves the security of the cluster on the network.
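Added example, not code from the patent, covering the two embodiments above: a Python master node that admits terminals by IP whitelist, and a message-oriented middleware that forwards a policy while the target slave node's connection is normal and stores it while the connection is abnormal. Node names, the command format and the in-memory connection state are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class ManagementCommand:
    """Management command as the patent describes it: target slave node
    information plus the firewall policy to deliver (field names assumed)."""
    target_slaves: list
    firewall_policy: dict


class MessageMiddleware:
    """Middleware connected to every slave: delivers a policy while the
    connection is normal and stores it while the connection is abnormal."""

    def __init__(self, slaves):
        self.connected = {name: True for name in slaves}
        self.stored = defaultdict(list)     # policies held while a slave is down
        self.delivered = defaultdict(list)  # what each slave actually received

    def send(self, slave, policy):
        if slave not in self.connected:
            raise KeyError(f"unknown slave node {slave!r}")
        if self.connected[slave]:           # connection normal: send directly
            self.delivered[slave].append(policy)
            return "sent"
        self.stored[slave].append(policy)   # connection abnormal: store
        return "stored"

    def set_connection(self, slave, up):
        """Real-time connection monitoring, modelled as an event: when a slave
        reconnects, everything stored for it is delivered in order."""
        self.connected[slave] = up
        if up:
            for policy in self.stored.pop(slave, []):
                self.delivered[slave].append(policy)


class MasterNode:
    """Master node: IP whitelist on connection requests, then command handling."""

    def __init__(self, middleware, ip_whitelist):
        self.middleware = middleware
        self.ip_whitelist = {ip_address(ip) for ip in ip_whitelist}
        self.sessions = set()

    def accept_connection(self, terminal_ip):
        """Accept only terminals whose IP is on the whitelist."""
        if ip_address(terminal_ip) in self.ip_whitelist:
            self.sessions.add(terminal_ip)
            return True
        return False

    def handle_command(self, terminal_ip, command):
        """Only an established session may issue a command; the policy goes to
        every target slave through the middleware."""
        if terminal_ip not in self.sessions:
            raise PermissionError(f"no established connection from {terminal_ip}")
        return {slave: self.middleware.send(slave, command.firewall_policy)
                for slave in command.target_slaves}


def demo():
    """Constructed scenario: terminal 10.0.0.5 is whitelisted, 10.0.0.9 is not,
    slave C is down when the command arrives and reconnects later."""
    middleware = MessageMiddleware(["C", "D", "E"])
    master = MasterNode(middleware, ip_whitelist=["10.0.0.5"])
    rejected = master.accept_connection("10.0.0.9")       # False
    accepted = master.accept_connection("10.0.0.5")       # True
    middleware.set_connection("C", False)
    command = ManagementCommand(["C", "D"], {"action": "enable"})
    outcome = master.handle_command("10.0.0.5", command)  # {"C": "stored", "D": "sent"}
    middleware.set_connection("C", True)                  # C reconnects: backlog flushed
    return rejected, accepted, outcome, dict(middleware.delivered)
```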
In one embodiment of the invention, the firewall policy includes any one or more of: obtaining the current security protection state of a slave node, enabling the security protection of a slave node, disabling the security protection of a slave node, obtaining the mutual trust policy between slave nodes, modifying the mutual trust policy between slave nodes, obtaining the IP whitelist of a slave node, and modifying the IP whitelist of a slave node.
As shown in Fig. 2, an embodiment of the present invention provides another firewall management method applied to each slave node in a cluster, including:
Step 201: when any of the slave nodes acts as the target slave node, performing:
Step 202: receiving a firewall policy;
Step 203: managing the firewall present on the slave node itself according to the firewall policy.
In the above embodiment, when a slave node is the target slave node to which the master node sends a firewall policy, it receives that firewall policy and manages its own firewall according to it. When the master node sends a firewall policy, it can send it to several target slave nodes at once, so a single firewall management request from the master node manages the firewalls of several slave nodes simultaneously, which achieves unified management of the firewalls on all nodes.
In another embodiment of the present invention, the method further includes: configuring a corresponding firewall interface for the firewall of each slave node; and configuring at least one protection function for the firewall interface. Step 203 then specifically includes: calling the firewall interface corresponding to the target slave node; determining, according to the firewall policy, the target protection function among the protection functions of the firewall interface; and managing the firewall corresponding to the firewall interface by means of the target protection function.
In the above embodiment, a corresponding firewall interface is configured for the firewall of each node, and each firewall interface is given at least one protection function, such as preventing the slave node from being accessed maliciously. After receiving a firewall policy, the slave node calls the firewall interface of the target slave node, determines from the firewall policy the target protection function of that firewall interface, and uses that protection function to manage the firewall corresponding to the interface. For example, the firewall interface may be written in shell, Python or C and turn the firewall policy into iptables or firewall-cmd commands. Because each slave node manages its own firewall through its firewall interface, unified management of the firewalls on all nodes becomes easier.
In one embodiment of the invention, the at least one protection function of the firewall interface includes any one or more of: providing the current security protection state of the slave node on which it resides, enabling the security protection of that slave node, disabling the security protection of that slave node, providing the mutual trust policy between that slave node and other slave nodes, modifying the mutual trust policy between that slave node and other slave nodes, providing the IP whitelist of that slave node, and modifying the IP whitelist of that slave node.
In the above embodiment, the protection functions of the firewall interface correspond to the firewall policies sent by the master node: for every firewall policy the master node can send, the firewall interface has a corresponding protection function that implements it, which lets each slave node manage its own firewall through the firewall interface.
The firewall management method of the embodiments of the present invention is described in detail below by taking a master node A, a message-oriented middleware B and slave nodes C, D and E as an example. As shown in Fig. 3, an embodiment of the present invention provides yet another firewall management method, including:
Step 301: configuring the IP whitelist of master node A in the cluster.
In this step, configuring the IP whitelist of master node A ensures that A only establishes connections with trusted external terminals, which effectively protects the security of the cluster on the network.
Step 302: deploying message-oriented middleware B on master node A.
In this step, the message-oriented middleware may be deployed on the master node or elsewhere; deploying it on the master node makes it easier for the middleware to connect the master node with each slave node.
Step 303: connecting master node A in the cluster to each slave node through message-oriented middleware B.
In this step, connecting master node A to slave nodes C, D and E through message-oriented middleware B lets the middleware act as the communication medium between A and C, D and E, relaying A's requests to C, D and E respectively.
Step 304: configuring a corresponding firewall interface for the firewall of each slave node.
In this step, firewall interfaces C1, D1 and E1 are configured for slave nodes C, D and E respectively, so that each slave node can manage its own firewall through its own firewall interface.
Step 305: configuring at least one protection function for the firewall interfaces.
In this step, the protection functions of firewall interfaces C1, D1 and E1 correspond to the firewall policies sent by master node A: for every firewall policy A can send, C1, D1 and E1 each have a corresponding protection function that implements it, which is the basis on which each slave node calls its firewall interface to manage its own firewall. The protection functions of each firewall interface include any one or more of: providing the current security protection state of the slave node on which it resides, enabling the security protection of that slave node, disabling the security protection of that slave node, providing the mutual trust policy between that slave node and other slave nodes, modifying the mutual trust policy between that slave node and other slave nodes, providing the IP whitelist of that slave node, and modifying the IP whitelist of that slave node.
Step 306: master node A receives a connection request sent by a terminal.
In this step, the connection request sent by the external terminal carries the terminal's IP, so that master node A can compare that IP against its own IP whitelist and decide whether to establish a connection with the terminal.
Step 307: when the terminal IP carried in the connection request is present in A's IP whitelist, establishing a connection between the terminal and A.
In this step, the master node only establishes connections with external terminals on the IP whitelist, which protects the security of the cluster on the network.
Step 308: master node A receives a management command sent by the terminal.
In this step, the management command includes target slave node information and a firewall policy; the target slave node information locates the target slave node precisely, and the firewall policy is what is communicated to the firewall of that slave node.
Step 309: master node A determines the target slave node according to the target slave node information.
In this step, master node A first determines which slave node needs firewall management, i.e. the target to which the firewall policy will be sent; for example, A determines that the target slave node is C.
Step 310: master node A sends the firewall policy to message-oriented middleware B.
Step 311: master node A controls middleware B to monitor its connection status with the target slave node in real time and to judge whether the connection status is normal; if so, step 312 is performed, otherwise step 313.
In this step, the middleware monitors and judges in real time whether its connection with the slave node is normal, so that it can forward the firewall policy sent by the master node to the slave node at a suitable time. For example, with slave node C as the target slave node, A controls B to monitor in real time and judge whether the connection status between B and C is normal.
Step 312: controlling message-oriented middleware B to send the firewall policy directly to the target slave node, then performing step 314.
In this step, the connection between B and C is normal, so B sends the firewall policy from A directly to C.
Step 313: master node A controls message-oriented middleware B to store the firewall policy, then performs step 311.
In this step, there is currently no connection between B and C, possibly because C is powered off or because the mutual trust between B and C has failed; B stores the firewall policy sent by A and waits until the connection between B and C is normal before sending the firewall policy to C.
Step 314: the target slave node receives the firewall policy.
In this step, for example, when C is the target slave node, C receives the firewall policy sent by A.
Step 315: the target slave node calls the firewall interface corresponding to it.
In this step, target slave node C calls its own firewall interface C1 in preparation for managing its own firewall according to the firewall policy.
Step 316: the target slave node determines, according to the firewall policy, the target protection function of the firewall interface.
In this step, after C as the target slave node receives the firewall policy sent by master node A, it determines the target protection function of its own firewall interface C1. For example, the command the master node sends on behalf of the external terminal asks for the mutual trust policy between slave node C and slave nodes D and E to be modified; after receiving A's command, slave node C calls the corresponding firewall interface C1 and determines that its target protection function is "modifying the mutual trust policy between the slave node on which it resides and other slave nodes", in preparation for managing the corresponding firewall with that function.
Step 317: the target slave node manages the firewall corresponding to the firewall interface by means of the target protection function.
In this step, the target protection function "modifying the mutual trust policy between the slave node on which it resides and other slave nodes" of firewall interface C1 modifies the mutual trust policy between slave node C and slave nodes D and E, completing the firewall management request sent by master node A.
In the above embodiment of the present invention, the master node uses its IP whitelist to establish connections only with trusted external terminals, receives their management commands and passes the information to the message-oriented middleware; the middleware sends the firewall management request to the target slave node at a suitable time, and the target slave node calls its own firewall interface to manage the corresponding firewall. When there are several target slave nodes, the master node still only needs to send a single command to manage the firewalls of several slave nodes in a unified manner, which protects the security of the cluster on the network while reducing the workload of maintaining the cluster's firewalls.
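Added example, not the patent's own code, of the slave-node side described in the firewall-interface embodiment above and in steps 314 to 317: a Python firewall interface that maps a received firewall policy to one of its protection functions and builds the iptables commands for it. The policy format, the chain names and the peer IPs are assumptions; commands are returned rather than executed so the example runs offline.

```python
class FirewallInterface:
    """Firewall interface of one slave node. Each protection function returns
    the iptables commands it would run (as argv lists) instead of executing
    them; chain names are assumptions, not from the patent."""

    TRUST_CHAIN = "CLUSTER_TRUST"   # node-to-node mutual trust rules
    ALLOW_CHAIN = "CLUSTER_ALLOW"   # external IP whitelist rules

    def __init__(self, node_name):
        self.node = node_name
        self.enabled = False
        self.trusted = {}           # peer node name -> peer IP
        self.ip_whitelist = set()
        # protection functions keyed by the policy's "action" field (assumed format)
        self.functions = {
            "get_status": self.get_status,
            "enable": self.enable_protection,
            "disable": self.disable_protection,
            "get_trust": self.get_trust,
            "modify_trust": self.modify_trust,
            "get_whitelist": self.get_whitelist,
            "modify_whitelist": self.modify_whitelist,
        }

    def apply(self, policy):
        """Determine the target protection function named by the received
        policy and run it; an unknown policy is rejected, never guessed."""
        try:
            function = self.functions[policy["action"]]
        except KeyError:
            raise ValueError(f"no protection function for {policy.get('action')!r}")
        return function(policy)

    @staticmethod
    def _rule(op, chain, ip):
        return ["iptables", op, chain, "-s", ip, "-j", "ACCEPT"]

    def get_status(self, policy):
        return {"node": self.node, "enabled": self.enabled,
                "trusted": dict(self.trusted), "whitelist": sorted(self.ip_whitelist)}

    def enable_protection(self, policy):
        """Create both chains, hook them into INPUT, default-deny the rest."""
        self.enabled = True
        return [["iptables", "-N", self.TRUST_CHAIN],
                ["iptables", "-N", self.ALLOW_CHAIN],
                ["iptables", "-I", "INPUT", "-j", self.TRUST_CHAIN],
                ["iptables", "-I", "INPUT", "-j", self.ALLOW_CHAIN],
                ["iptables", "-P", "INPUT", "DROP"]]

    def disable_protection(self, policy):
        self.enabled = False
        return [["iptables", "-P", "INPUT", "ACCEPT"],
                ["iptables", "-D", "INPUT", "-j", self.TRUST_CHAIN],
                ["iptables", "-D", "INPUT", "-j", self.ALLOW_CHAIN]]

    def get_trust(self, policy):
        return dict(self.trusted)

    def modify_trust(self, policy):
        """policy = {"action": "modify_trust", "allow": bool, "peers": {name: ip}}
        Only real state changes produce commands, so re-sent policies are idempotent."""
        commands = []
        for peer, ip in policy["peers"].items():
            if policy["allow"] and peer not in self.trusted:
                self.trusted[peer] = ip
                commands.append(self._rule("-A", self.TRUST_CHAIN, ip))
            elif not policy["allow"] and peer in self.trusted:
                commands.append(self._rule("-D", self.TRUST_CHAIN, self.trusted.pop(peer)))
        return commands

    def get_whitelist(self, policy):
        return sorted(self.ip_whitelist)

    def modify_whitelist(self, policy):
        """policy = {"action": "modify_whitelist", "allow": bool, "ips": [ip, ...]}"""
        commands = []
        for ip in policy["ips"]:
            if policy["allow"] and ip not in self.ip_whitelist:
                self.ip_whitelist.add(ip)
                commands.append(self._rule("-A", self.ALLOW_CHAIN, ip))
            elif not policy["allow"] and ip in self.ip_whitelist:
                self.ip_whitelist.discard(ip)
                commands.append(self._rule("-D", self.ALLOW_CHAIN, ip))
        return commands


def demo():
    """Steps 315-317 of the worked example: C receives the policy 'modify the
    mutual trust policy between C and D, E' (peer IPs are constructed)."""
    c1 = FirewallInterface("C")
    c1.apply({"action": "enable"})
    commands = c1.apply({"action": "modify_trust", "allow": True,
                         "peers": {"D": "10.0.0.2", "E": "10.0.0.3"}})
    return [" ".join(cmd) for cmd in commands], c1.get_status({})
```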
As shown in Fig. 4, an embodiment of the present invention provides a master node, connected to external slave nodes, including: a receiving unit 401, configured to receive an externally input management command, the management command including target slave node information and a firewall policy; and
a processing unit 402, configured to determine, according to the target slave node information, the external target slave node among the external slave nodes, and to send the firewall policy received by the receiving unit 401 to the target slave node.
In the above embodiment of the present invention, the master node receives an externally input management command that includes target slave node information and a firewall policy, determines the target slave node from that information, and sends the firewall policy to the target slave node. That is, whenever a slave node in the cluster acts as the target slave node, the master node can send it the firewall policy, so the security policy of every node in the cluster can be updated synchronously. Nobody has to log in to each slave node locally to maintain its firewall policy, and the firewalls on all nodes can be managed in a unified manner; this not only improves the security of the cluster on the network but also effectively reduces the workload of security policy maintenance.
In one embodiment of the invention, the processing unit includes a control subunit and a message-oriented middleware (not shown in the figure), wherein
the control subunit is configured to control the message-oriented middleware; and
the message-oriented middleware, connected to each external slave node, is configured to determine the external target slave node, to receive the firewall policy, and, under the control of the control subunit, to monitor its connection status with the external target slave node in real time, to send the firewall policy to the external target slave node when the connection status is normal, and to store the firewall policy when the connection status is abnormal.
In the above embodiment, the master node sends the firewall policy to the target slave node through the message-oriented middleware, which makes communication between the master node and the target slave node more reliable. For example, when the target slave node is powered off, or some other fault breaks the mutual trust between the slave node and the master node, the master node cannot send the firewall policy to the target slave node directly. With the message-oriented middleware in place, the master node sends the firewall policy to the middleware, which first stores it and then sends it to the target slave node at a suitable time. The message-oriented middleware thus simplifies maintenance of the cluster's firewalls and makes unified management of the firewalls on all nodes easier.
In one embodiment of the invention, the master node further includes a setting unit and a connection unit (not shown in the figure), wherein
the setting unit is configured to configure a master node IP whitelist; and
the connection unit is configured to receive a connection request sent by an external terminal and, when the terminal IP carried in the connection request is present in the master node IP whitelist configured by the setting unit, to establish a connection with the external terminal.
In the above embodiment, an IP whitelist is set on the master node so that the master node establishes connections only with trusted external terminals, which ensures the network security of the cluster.
In one embodiment of the invention, the receiving unit is specifically used to receive, through the connection unit, the management command sent by the external terminal.
In the above embodiment, the master node accepts the management command sent by the external terminal through the receiving unit and manages the firewall of each node in a unified manner according to the management command.
As shown in Figure 5, another embodiment of the present invention provides a slave node including a receiving unit 501, a firewall interface 502 and a firewall 503, wherein:
The receiving unit 501 is used to receive a firewall policy;
The firewall interface 502 connects the receiving unit 501 and the firewall 503 and is used to configure at least one protection function, to determine, according to the firewall policy received by the receiving unit, the target protection function among the at least one protection function, and to use the target protection function to manage the firewall corresponding to the firewall interface.
In the above embodiment of the present invention, when a slave node is the target slave node to which the master node sends a firewall policy, it receives the firewall policy and calls its own firewall interface to manage the corresponding firewall. When the master node sends a firewall policy, it can send it to multiple target slave nodes at the same time, so the master node needs to send only one firewall management request to manage the firewalls of multiple slave nodes simultaneously, thereby achieving unified management of the firewall on each node.
As shown in Figure 6, one embodiment of the invention provides a cluster 60 including the master node 601 and at least one slave node 602, wherein:
The master node includes a message middleware 603, is connected to the at least one slave node through the message middleware, and receives the management command sent by the external terminal;
Each slave node of the at least one slave node includes a corresponding firewall interface 6021 and protects the firewall 6022 existing on itself through the firewall interface.
In the above embodiment, the cluster includes a master node and at least one slave node, the master node and the slave nodes are connected through the message middleware, and the master node, according to the firewall management request sent by the trusted external terminal, calls the firewall interface corresponding to each target slave node in a unified manner, thereby achieving unified management of the firewall of each node and reducing the workload of firewall maintenance.
Each embodiment of the present invention has at least the following beneficial effects:
1. The master node receives an externally input management command, which includes target slave node information and a firewall policy; it determines the target slave node according to the target slave node information; and it sends the firewall policy to the target slave node. That is, when any slave node in the cluster is the target slave node, the master node in the cluster can send the firewall policy to it, and there is no need to log in to each slave node individually at its location to maintain the firewall policy, so the firewalls on all nodes can be managed in a unified manner.
2. The message middleware is used to connect the master node with each slave node. When the connection status between the target slave node and the message middleware is normal, the message middleware directly forwards the firewall policy sent by the master node to the target slave node; when the connection status between the message middleware and the target slave node is abnormal, the message middleware stores the firewall policy and monitors its connection status with the target slave node in real time, and after the target slave node has started up and is connected normally with the message middleware, the message middleware sends the firewall policy to the target slave node. This facilitates communication between the master node and the slave nodes: the management terminal needs to send a command only once to manage every slave node, which is easier to operate and more conducive to unified management of the firewall of each node.
3. By setting an IP whitelist on the master node, the master node is connected only with trusted external terminals, which effectively guarantees the network security of the cluster.
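A constructed Python model of the design summarised in effects 1 to 3 above (an added example, not code from the patent): a master node that accepts commands only over connections from whitelisted terminal IPs, a store-and-forward message middleware that queues a policy while the target slave is unreachable and flushes it on the next connection-status check, and a slave-side firewall interface that dispatches each policy to one configured protection function. All class, method and action names are assumptions chosen for illustration.

```python
from typing import Callable, Dict, List, Optional, Set


class FirewallInterface:
    """Slave-side interface (claims 5/6): maps a policy action to one configured protection function."""

    def __init__(self) -> None:
        self.protection_on = False          # firewall state (constructed model)
        self.ip_whitelist: Set[str] = set()
        self.functions: Dict[str, Callable[[dict], object]] = {
            "get_status": lambda p: {"protection_on": self.protection_on},
            "enable_protection": lambda p: self._set_protection(True),
            "disable_protection": lambda p: self._set_protection(False),
            "modify_ip_whitelist": self._modify_whitelist,
        }

    def _set_protection(self, on: bool) -> bool:
        self.protection_on = on
        return on

    def _modify_whitelist(self, policy: dict) -> List[str]:
        self.ip_whitelist.update(policy.get("add", []))
        self.ip_whitelist.difference_update(policy.get("remove", []))
        return sorted(self.ip_whitelist)

    def apply(self, policy: dict) -> object:
        fn = self.functions.get(policy["action"])
        if fn is None:  # unknown policies are rejected, not silently ignored
            raise ValueError(f"no protection function for {policy['action']!r}")
        return fn(policy)


class SlaveNode:
    def __init__(self, name: str, online: bool = True) -> None:
        self.name, self.online = name, online
        self.iface = FirewallInterface()


class MessageMiddleware:
    """Store-and-forward: deliver now if the target is reachable, else queue until it is seen online."""

    def __init__(self, slaves: List[SlaveNode]) -> None:
        self.slaves = {s.name: s for s in slaves}
        self.pending: Dict[str, List[dict]] = {}

    def send(self, target: str, policy: dict) -> Optional[object]:
        slave = self.slaves[target]           # determine the target slave node
        if slave.online:
            return slave.iface.apply(policy)
        self.pending.setdefault(target, []).append(policy)   # abnormal: store
        return None

    def poll(self) -> List[tuple]:
        """Connection-status check driven by the control sub-unit; flushes queues of slaves now online."""
        delivered = []
        for name in list(self.pending):
            if self.slaves[name].online:
                for policy in self.pending.pop(name):      # deliver in original order
                    self.slaves[name].iface.apply(policy)
                    delivered.append((name, policy["action"]))
        return delivered


class MasterNode:
    """Accepts commands only from whitelisted terminal IPs, then fans one command out to every target."""

    def __init__(self, mw: MessageMiddleware, ip_whitelist: Set[str]) -> None:
        self.mw, self.ip_whitelist = mw, set(ip_whitelist)

    def accept_connection(self, terminal_ip: str) -> bool:
        return terminal_ip in self.ip_whitelist

    def handle(self, terminal_ip: str, command: dict) -> Dict[str, object]:
        if not self.accept_connection(terminal_ip):
            raise PermissionError(f"terminal {terminal_ip} is not whitelisted")
        return {t: self.mw.send(t, command["policy"]) for t in command["targets"]}
```

A policy sent to an offline slave returns None to the caller and sits in `pending` until a later `poll()` finds the slave online, so the operator still sees which targets were not yet applied.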
It should be noted that, in this document, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "includes a ..." does not exclude the existence of additional identical elements in the process, method, article or device that includes that element.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be completed by hardware under the control of program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes various media that can store program code, such as ROM, RAM, magnetic disk or optical disc.
Finally, it should be understood that the foregoing are merely preferred embodiments of the present invention, intended only to illustrate the technical solution of the invention and not to limit its scope of protection. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention are included in the scope of protection of the present invention.
Claims (10)
1. A firewall management method, characterized in that it is applied to a master node in a cluster and includes:
receiving an externally input management command, the management command including target slave node information and a firewall policy;
determining a target slave node according to the target slave node information;
sending the firewall policy to the target slave node.
2. The method according to claim 1, characterized in that
it further includes: the master node in the cluster is connected to each slave node through a message middleware;
the sending of the firewall policy to the target slave node includes: sending the firewall policy to the message middleware;
controlling the message middleware to monitor in real time the connection status with the target slave node;
when the connection status is normal, controlling the message middleware to forward the firewall policy directly to the target slave node;
when the connection status is abnormal, controlling the message middleware to store the firewall policy;
and/or,
it further includes: setting a master node IP whitelist;
before the receiving of the externally input management command, it further includes: receiving a connection request sent by a terminal;
when the terminal IP carried in the connection request is present in the master node IP whitelist, establishing a connection between the terminal and the master node;
the receiving of the externally input management command includes: receiving the management command sent by the terminal.
3. The method according to claim 1 or 2, characterized in that the firewall policy includes any one or more of: obtaining the current security protection status of a slave node, enabling the security protection of a slave node, disabling the security protection of a slave node, obtaining the mutual trust policy between slave nodes, modifying the mutual trust policy between slave nodes, obtaining the IP whitelist of a slave node, and modifying the IP whitelist of a slave node.
4. A firewall management method, characterized in that it is applied to each slave node in a cluster and includes:
when any of the slave nodes is a target slave node, performing:
receiving a firewall policy;
managing the firewall existing on the slave node itself according to the firewall policy.
5. The method according to claim 4, characterized in that it further includes: setting a corresponding firewall interface for the firewall in each slave node;
configuring at least one protection function for the firewall interface;
the managing of the firewall existing on the slave node itself includes:
calling the firewall interface corresponding to the target slave node;
determining the target protection function in the firewall interface according to the firewall policy;
using the target protection function to manage the firewall corresponding to the firewall interface.
6. The method according to claim 5, characterized in that the at least one protection function includes any one or more of: providing the current security protection status of the slave node on which it resides, enabling the security protection of that slave node, disabling the security protection of that slave node, providing the mutual trust policy between that slave node and other slave nodes, modifying the mutual trust policy between that slave node and other slave nodes, providing the IP whitelist of that slave node, and modifying the IP whitelist of that slave node.
7. A master node, characterized in that it is connected to each external slave node and includes:
a receiving unit for receiving an externally input management command, the management command including target slave node information and a firewall policy;
a processing unit for determining, according to the target slave node information, the external target slave node among the external slave nodes, and for sending the firewall policy received by the receiving unit to the target slave node.
8. The master node according to claim 7, characterized in that
the processing unit includes a control sub-unit and a message middleware, wherein:
the control sub-unit is used to control the message middleware;
the message middleware is connected to each external slave node and is used to determine the external target slave node, to receive the firewall policy and, under the control of the control sub-unit, to monitor in real time the connection status with the external target slave node; when the connection status is normal, it sends the firewall policy to the external target slave node; when the connection status is abnormal, it stores the firewall policy;
and/or,
it further includes a setting unit and a connection unit, wherein:
the setting unit is used to set a master node IP whitelist;
the connection unit is used to receive a connection request sent by an external terminal and, when the terminal IP carried in the connection request is present in the master node IP whitelist set by the setting unit, to establish a connection with the external terminal;
the receiving unit is used to receive, through the connection unit, the management command sent by the external terminal.
9. A slave node, characterized in that it includes a receiving unit, a firewall interface and a firewall, wherein:
the receiving unit is used to receive a firewall policy;
the firewall interface connects the receiving unit and the firewall and is used to configure at least one protection function, to determine, according to the firewall policy received by the receiving unit, the target protection function among the at least one protection function, and to use the target protection function to manage the firewall corresponding to the firewall interface.
10. A cluster, characterized in that it includes the master node according to claim 7 or 8 and at least one slave node according to claim 9, wherein:
the master node includes a message middleware, is connected to the at least one slave node through the message middleware, and receives the management command sent by an external terminal;
each slave node of the at least one slave node includes a corresponding firewall interface and protects the firewall existing on itself through the firewall interface.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610570399.6A CN106027569A (en) | 2016-07-19 | 2016-07-19 | Firewall management methods, master node, slave node, and cluster |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106027569A true CN106027569A (en) | 2016-10-12 |
Family ID: 57116689
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106027569A (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108494766A (en) * | 2018-03-21 | 2018-09-04 | 北京知道创宇信息技术有限公司 | WAF regulation managements method and WAF groups |
CN109218415A (en) * | 2018-08-28 | 2019-01-15 | 浪潮电子信息产业股份有限公司 | A kind of method, node and the storage medium of distributed node management |
CN109413043A (en) * | 2018-09-25 | 2019-03-01 | 聚好看科技股份有限公司 | Realize method and device, the electronic equipment, storage medium of Database Dynamic configuration |
CN109587239A (en) * | 2018-12-03 | 2019-04-05 | 群蜂信息技术(上海)有限公司 | A kind of processing method of access request, server and storage medium |
CN110493064A (en) * | 2019-08-30 | 2019-11-22 | 深圳壹账通智能科技有限公司 | Firewall management method, apparatus, computer equipment and storage medium |
CN110532789A (en) * | 2019-08-13 | 2019-12-03 | 南京芯驰半导体科技有限公司 | A kind of the system firewall and configuration method of stratification |
CN113949537A (en) * | 2021-09-26 | 2022-01-18 | 杭州谐云科技有限公司 | Firewall management method and system based on eBPF |
CN115134212A (en) * | 2022-06-29 | 2022-09-30 | 中国工商银行股份有限公司 | Policy pushing method and device, computer equipment and storage medium |
CN116614318A (en) * | 2023-07-20 | 2023-08-18 | 深圳市中科云科技开发有限公司 | Network security protection method and system based on firewall |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060095497A1 (en) * | 1996-11-29 | 2006-05-04 | Ellis Frampton E Iii | Global network computers |
CN103763310A (en) * | 2013-12-31 | 2014-04-30 | 曙光云计算技术有限公司 | Firewall service system and method based on virtual network |
CN105024855A (en) * | 2015-07-13 | 2015-11-04 | 浪潮(北京)电子信息产业有限公司 | Distributed cluster management system and method |
US9264301B1 (en) * | 2012-09-20 | 2016-02-16 | Wiretap Ventures, LLC | High availability for software defined networks |
CN105516081A (en) * | 2015-11-25 | 2016-04-20 | 浪潮电子信息产业股份有限公司 | Method and system for issuing safety strategy by server and message queue middleware |
Timeline: 2016-07-19, CN201610570399.6A filed (publication CN106027569A), status Pending.
Legal Events
Date | Code | Title | Description
---|---|---|---
 | C06 | Publication | 
 | PB01 | Publication | 
 | C10 | Entry into substantive examination | 
 | SE01 | Entry into force of request for substantive examination | 
 | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20161012