CN106302466B - Firewall management method and system - Google Patents

Firewall management method and system

Info

Publication number: CN106302466B
Authority: CN (China)
Prior art keywords: firewall, request, virtual router, virtual, module
Legal status: Active
Application number: CN201610679647.0A
Other languages: Chinese (zh)
Other versions: CN106302466A
Inventor: 刘鑫
Current assignee: Neusoft Corp
Original assignee: Neusoft Corp
Application filed by Neusoft Corp
Priority to CN201610679647.0A
Publication of CN106302466A
Application granted
Publication of CN106302466B
Current legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The present invention provides a firewall management method and system. The system comprises a virtual router plugin module, an FWaaS plugin proxy module, a firewall driver module and a security management module. The security management module, according to the creation demand information sent by the virtual router plugin module, selects a configurable compute node from a secure resource pool and creates a virtual router on the selected compute node in the form of a virtual machine. The security management module also receives the firewall security rule configuration information and the identification information of the selected virtual router sent by the firewall driver module, looks up the virtual router according to the identification information, and writes the firewall security rule configuration information into the virtual router found. The method and the system are based on the same technical idea, so both can dynamically create a virtual router with firewall functionality according to the actual demands of different users.

Description

Firewall management method and system
Technical field
The embodiments of the present invention relate to the field of firewall technology, and in particular to a firewall management method and system based on the OpenStack cloud platform.
Background technique
OpenStack is an open-source cloud computing framework that provides simple-to-implement, scalable, feature-rich and standardized, unified cloud computing management services. More and more cloud computing vendors have included OpenStack in their product lines and launched OpenStack-based cloud computing products and solutions.
For a cloud computing framework, the security solution is especially important. Although OpenStack provides a firewall component (FireWall as a Service, FWaaS), its security solution is still immature: the functionality is very simple and lacks the specialized security capabilities of a next-generation firewall.
Currently, OpenStack implements the firewall by realizing the virtual router with Linux namespace technology and carrying the firewall function in the virtual router with iptables. In this scheme, a packet travelling from the host's physical network card to the virtual router must pass through the virtual switch and the virtual port device on the namespace, so the bandwidth of the virtual port device and of the virtual switch becomes the limiting factor for the virtual router's traffic bandwidth. Once the virtual port device and the virtual switch have been configured, their port bandwidth cannot be adjusted dynamically, which makes it difficult to meet the dynamically changing north-south network traffic demands of multiple users.
Summary of the invention
The embodiments of the present invention provide a firewall management method based on the OpenStack cloud platform, which can dynamically create a virtual router with firewall functionality according to the actual demands of different users and can dynamically manage a user's virtual router.
In addition, the embodiments of the present invention also provide a firewall management system, to guarantee the application and realization of the above method in practice.
A first aspect of the embodiments of the present invention provides a firewall management system, the system comprising:
a virtual router plugin module, an FWaaS plugin proxy module, a firewall driver module and a security management module;
wherein the virtual router plugin module is configured to receive a first request, the first request being a creation request for a virtual router, to parse the first request to obtain the creation demand information of the virtual router, and to send the creation demand information to the security management module;
the FWaaS plugin proxy module is configured to receive a second request, the second request being a creation request for a firewall, and to send the second request to the firewall driver module;
the firewall driver module is configured to parse the second request to obtain the firewall security rule configuration information and the identification information of the selected virtual router, and to send the firewall security rule configuration information and the identification information to the security management module;
the security management module is configured to select a configurable compute node from a secure resource pool according to the creation demand information and to create a virtual router on the compute node in the form of a virtual machine; and to look up the virtual router according to the identification information and write the firewall security rule configuration information into the virtual router found.
Optionally, the virtual router is further configured to support the advanced security defense functions of the firewall;
the security management module is then also configured to receive a third request and to uniformly control the advanced security defense functions of the user's virtual router according to the third request; the third request is a management request concerning the advanced security defense functions of the firewall.
Optionally, the advanced security defense functions include one or more of the following functions:
anti-virus, distributed denial of service protection, unified threat management, and wire-speed anti-spam.
Optionally, the virtual router is realized using the single-root I/O virtualization (SR-IOV) technology supported by the network interface card.
Optionally, the virtual router plugin module is further configured to:
receive a fourth request and send the fourth request to the security management module; the fourth request is an operation request concerning a virtual router and carries the identification information of the virtual router to be operated on and a first operation type; the first operation type includes deletion or update;
the security management module is then also configured to:
look up the corresponding virtual router according to the identification information carried in the fourth request, and perform the corresponding operation on the virtual router found according to the first operation type.
Optionally, the FWaaS plugin proxy module is further configured to:
receive a fifth request and send the fifth request to the firewall driver module; the fifth request is an operation request concerning a firewall and carries the correspondence between the firewall to be operated on and its virtual router, and a second operation type; the second operation type includes deletion or update;
the firewall driver module is then also configured to:
parse the fifth request to obtain the correspondence and the second operation type, and send the correspondence and the second operation type to the security management module;
the security management module is then also configured to:
find the corresponding virtual router according to the correspondence, and perform the corresponding operation on the firewall in the virtual router found according to the second operation type.
Optionally, the creation demand information includes one or more of the following in combination:
throughput, CPU, memory or bandwidth.
A second aspect of the embodiments of the present invention provides a firewall management method, the method comprising:
receiving a first request and parsing the first request to obtain the creation demand information of a virtual router; the first request is a creation request for a virtual router;
selecting a configurable compute node from a secure resource pool according to the creation demand information, and creating a virtual router on the compute node in the form of a virtual machine;
receiving a second request, the second request being a creation request for a firewall;
parsing the second request to obtain the firewall security rule configuration information and the identification information of the selected virtual router;
looking up the virtual router according to the identification information, and writing the firewall security rule configuration information into the virtual router found.
Optionally, the virtual router is further configured to support the advanced security defense functions of the firewall, and the method further comprises:
receiving a third request and uniformly controlling the advanced security defense functions of the user's virtual router according to the third request; the third request is a management request concerning the advanced security defense functions of the firewall.
Optionally, the advanced security defense functions include one or more of the following functions:
anti-virus, distributed denial of service protection, unified threat management, and wire-speed anti-spam.
Optionally, the virtual router is realized using the single-root I/O virtualization (SR-IOV) technology supported by the network interface card.
Optionally, the method further comprises:
receiving a fourth request and sending the fourth request to the security management module; the fourth request is an operation request concerning a virtual router and carries the identification information of the virtual router to be operated on and a first operation type; the first operation type includes deletion or update;
looking up the corresponding virtual router according to the identification information carried in the fourth request, and performing the corresponding operation on the virtual router found according to the first operation type.
Optionally, the method further comprises:
receiving a fifth request, the fifth request being an operation request concerning a firewall, which carries the correspondence between the firewall to be operated on and its virtual router, and a second operation type; the second operation type includes deletion or update;
parsing the fifth request to obtain the correspondence and the second operation type;
finding the corresponding virtual router according to the correspondence, and performing the corresponding operation on the firewall in the virtual router found according to the second operation type.
Optionally, the creation demand information includes one or more of the following in combination:
throughput, CPU, memory or bandwidth.
Compared with the prior art, the technical solution provided by the invention has the following advantages:
To address the prior-art problem that a firewall cannot be customized dynamically according to the user's actual needs, so that user demands are not met, the embodiments of the present invention propose a firewall management system. The system mainly uses the security management module, which uniformly manages the compute nodes in the secure resource pool, to select a configurable compute node from the secure resource pool according to the creation demand information given by the user and to create a virtual router on that compute node in the form of a virtual machine; the security management module then configures the firewall on the virtual router selected by the user, realizing the packet filtering function of the firewall.
It can be seen that the technical solution provided by the embodiments gives the user a channel for dynamically customizing a firewall: the user can determine the creation demand information of the virtual router according to actual needs, dynamically obtain a customized virtual router meeting that demand, and then create a firewall meeting the demand on that virtual router.
Further, the embodiments of the present application also propose, based on SR-IOV technology, letting the virtual machine send and receive packets directly on the physical network card, bypassing the bandwidth limits of the virtual switch and the virtual port and fully exploiting the high performance of the virtual machine.
Further, the embodiments of the present application also propose deploying the virtual router in the form of a virtual machine, so that the virtual router can carry advanced security defense functions.
Brief description of the drawings
In order to explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural diagram of a firewall management system provided by an embodiment of the invention;
Fig. 2 is an application scenario diagram of a firewall management system provided by an embodiment of the invention;
Fig. 3 is a hardware structure diagram of a firewall management system provided by an embodiment of the invention;
Fig. 4 is a flowchart of a firewall management method provided by an embodiment of the invention.
Detailed description of the embodiments
The idea of the invention is explained first.
In the prior art, the virtual router is realized on a namespace, and the packet filtering function of the firewall (the basic defense function of a firewall) is carried on the virtual router. This approach is not user-oriented: it cannot take the different demands of different users into account and cannot support dynamic, on-demand management of a user's firewall.
To address the prior-art problem that a firewall cannot be customized dynamically according to the user's actual needs, so that user demands are not met, the invention proposes a firewall management system that is user-oriented and provides the user with a channel to state creation demands. The system mainly uses the security management module, which uniformly manages the compute nodes in the secure resource pool, to select a configurable compute node from the secure resource pool according to the creation demand information given by the user and to create a virtual router on that compute node in the form of a virtual machine; the security management module then configures the firewall on the virtual router selected by the user, realizing the packet filtering function of the firewall. In this way the system achieves dynamic, on-demand management of a user's virtual router.
The inventor found through research that the namespace of the prior art is a Linux operating-system-level container technology, whereas a high-performance firewall is professional equipment with rich advanced security defense functions and specialized security capabilities. When a firewall vendor develops these functions, the particularity and complexity of its hardware and software platform mean that the advanced security defense functions can hardly be grafted directly onto a Linux system, and therefore cannot be grafted directly onto a Linux namespace. On this basis, the inventor proposes the technical solution of realizing the virtual router and the firewall with virtual machine technology.
The firewall management method provided by the invention is likewise based on the above technical idea and achieves the same technical effect.
To enable those skilled in the art to better understand the technical solution of the invention, the technical solution in the embodiments is described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only part of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
A firewall management system provided by the invention is first explained with reference to Fig. 1.
Referring to Fig. 1, which is a structural diagram of a firewall management system provided by an embodiment of the invention, the system may include: a virtual router plugin module 101, an FWaaS plugin proxy module 102, a firewall driver module 103 and a security management module 104. The functions of the modules of the system, their working principles and the connections between them are explained below.
The virtual router plugin module 101 is configured to receive a first request, parse the first request to obtain the creation demand information of the virtual router, and send the creation demand information to the security management module 104. The first request is a creation request for a virtual router and carries at least the creation demand information of the virtual router.
When using the system, the user triggers a creation operation for a virtual router in the user interface provided by the system and determines the creation demand information of the virtual router; the creation demand information here can be any one or more of the performance requirements of the virtual router, such as throughput, CPU, memory or bandwidth. According to the user's operation on the user interface, the system generates the first request, which carries the creation demand information of the virtual router.
The user then determines, on the user interface provided by the system, on which virtual router the firewall is to be created, and determines the firewall security rule configuration information, which may include: source IP, destination IP, source port, destination port and action (allow or deny). According to the user's operation on the user interface, the system generates the second request, which carries the firewall security rule configuration information and the identification information of the selected virtual router. The second request is handled by the FWaaS plugin proxy module.
The FWaaS plugin proxy module 102 is configured to receive the second request and send it to the firewall driver module 103; the second request is a creation request for a firewall. The firewall driver module 103 is configured to parse the second request to obtain the firewall security rule configuration information and the identification information of the selected virtual router, and to send the firewall security rule configuration information and the identification information to the security management module 104. It should be noted that the FWaaS plugin proxy module in this application is a plugin implemented according to the requirements of the OpenStack firewall component.
The security management module 104 is configured to select a configurable compute node from the secure resource pool according to the creation demand information and to create a virtual router on the compute node in the form of a virtual machine; the security management module is further configured to look up the virtual router according to the identification information and write the firewall security rule configuration information into the virtual router found.
It should be noted that, when implemented, the security management module of the system can call the OpenStack Nova API to create, delete and update virtual routers.
Further, the inventor also considered that OpenStack is still under development and its mechanisms are not yet mature: its firewall configuration stops at packet filtering. In practice, however, users' demands on a firewall go beyond packet filtering and increasingly call for advanced firewall functions. To further promote the development of OpenStack and meet users' demands for the advanced defense functions of a firewall, the inventor also proposes a preferred solution, explained below with reference to Fig. 2.
Referring to Fig. 2, which is an application scenario diagram of a firewall management system provided by an embodiment of the invention: in the scenario shown in Fig. 2, the security management module of the firewall management system provides a control channel for the advanced security defense functions, through which the user can control the advanced security defense functions of the virtual router.
When implemented, the advanced security defense functions of the firewall are added to the virtual router. Advanced security defense functions here means the security protection functions other than packet filtering, such as anti-virus (AV), distributed denial of service (DDoS) protection, unified threat management (UTM), wire-speed anti-spam and other security functions of a next-generation firewall.
On the basis of the above virtual router configuration, the security management module 104 is further configured to:
receive a third request and uniformly control the advanced security defense functions of the user's virtual router according to the third request; the third request is a management request concerning the advanced security defense functions of the firewall.
If the security management module is separately configured on a server, that server provides a user interface on which the user can trigger the third request: for example, the user selects the relevant virtual router and the advanced security defense functions to be enabled on the interface, and the third request generated by the server then contains the information of the selected virtual router and of the advanced security defense functions to be enabled; the security management module can then uniformly control the advanced security defense functions of the user's virtual router according to the third request.
The system gives the user a channel for actively controlling the advanced security defense functions according to actual needs, satisfies the different demands of different users, and offers the user a better experience.
Further, the inventor also considered that in the prior-art scheme of a namespace-based virtual router, a packet travelling from the host's physical network card to the virtual router must pass through the virtual switch and the virtual port device on the namespace, so the bandwidth of the virtual switch and of the virtual port device on the namespace directly limits the bandwidth of the virtual router; moreover, once the virtual switch in the namespace is installed and configured, the bandwidth of its ports cannot be adjusted dynamically, so it cannot adapt to the north-south network traffic changes of high-throughput multi-user workloads. The inventor therefore proposes the following scheme:
When implemented, the virtual router is configured to support the single-root I/O virtualization (SR-IOV) technology of the network card; the SR-IOV virtual network card technology lets the firewall virtual machine read packets directly from the physical network card, bypassing the bandwidth limits of the virtual switch and the virtual port. This greatly increases the bandwidth of the firewall and lets it adapt to the north-south network traffic changes of high-throughput multi-user workloads.
Further, the inventor also considered that after a user has deployed a virtual router on OpenStack, the demand on the virtual router may change; to make it convenient for the user to revise the deployed virtual router, the invention also provides the following scheme:
When implemented, the virtual router plugin module 101 is further configured to:
receive a fourth request, the fourth request being an operation request concerning a virtual router, and send the fourth request to the security management module; the fourth request carries the identification information of the virtual router to be operated on and a first operation type; the first operation type includes deletion or update;
the security management module 104 is then further configured to:
look up the corresponding virtual router according to the identification information carried in the fourth request, and perform the corresponding operation on the virtual router found according to the first operation type.
Further, the inventor also considered that after a user has deployed a firewall on OpenStack, the demand on the firewall may change; to make it convenient for the user to revise the deployed firewall, the invention also provides the following scheme:
When implemented, the FWaaS plugin proxy module 102 is further configured to:
receive a fifth request, the fifth request being an operation request concerning a firewall, and send the fifth request to the firewall driver module; the fifth request carries the correspondence between the firewall to be operated on and its virtual router, and a second operation type; the second operation type includes deletion or update;
the firewall driver module 103 is then further configured to:
parse the fifth request to obtain the correspondence and the second operation type, and send the correspondence and the second operation type to the security management module;
the security management module 104 is then further configured to:
find the corresponding virtual router according to the correspondence, and perform the corresponding operation on the firewall in the virtual router found according to the second operation type.
When implemented, the user selects, on the user interface provided by the server hosting the security management module, the correspondence between the firewall to be operated on and the identification information of its virtual router together with the operation type, and triggers the firewall operation; the server generates the fifth request, which carries the correspondence between the firewall to be operated on and its virtual router and the second operation type; the second operation type includes deletion or update;
When the operation type is deletion, the security management module finds, according to the correspondence carried in the received fifth request, the virtual router carrying the firewall, and then deletes the firewall in that virtual router.
When the operation type is update, the security management module finds, according to the correspondence carried in the received fifth request, the virtual router carrying the firewall, and then updates the configuration of the firewall in that virtual router according to the new configuration information carried in the fifth request.
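The request flow described above (first, second, fourth and fifth requests) and the demand-based selection of a compute node from the secure resource pool, as an added Python model that is not the patent's or Neusoft's code: the Nova API calls are replaced by an in-memory pool, and the demand keys, their units, the rule field names and the SR-IOV flag are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Demand keys a first request may carry (throughput, CPU, memory, bandwidth);
# the units are assumptions made for this example.
DEMAND_KEYS = ("throughput_gbps", "cpu", "memory_gb", "bandwidth_gbps")
ACTIONS = ("allow", "deny")


@dataclass
class ComputeNode:            # a node of the secure resource pool and its recorded state
    name: str
    throughput_gbps: int
    cpu: int                  # free vCPUs
    memory_gb: int            # free memory
    bandwidth_gbps: int
    sriov: bool               # network card supports SR-IOV (assumed flag)


@dataclass
class VirtualRouter:
    router_id: str            # the identification information later requests refer to
    node: str
    rules: List[dict] = field(default_factory=list)


def validate_rule(rule: dict) -> None:
    """Reject a malformed five-tuple rule before it is written to a router."""
    for key in ("src_ip", "dst_ip"):
        ipaddress.ip_network(rule[key], strict=False)   # ValueError if not an IP/CIDR
    for key in ("src_port", "dst_port"):
        port = rule[key]
        if port != "any" and not (isinstance(port, int) and 0 <= port <= 65535):
            raise ValueError(f"{key} out of range: {port!r}")
    if rule["action"] not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}, got {rule['action']!r}")


class SecurityManagementModule:
    """In-memory stand-in for the security management module (no Nova API calls)."""
    def __init__(self, pool: List[ComputeNode]):
        self.pool: Dict[str, ComputeNode] = {n.name: n for n in pool}
        self.routers: Dict[str, VirtualRouter] = {}

    def select_node(self, demand: dict, require_sriov: bool = True) -> Optional[ComputeNode]:
        """Return a node meeting every stated requirement, or None if the pool cannot."""
        if set(demand) - set(DEMAND_KEYS):
            raise ValueError(f"unsupported demand keys in {sorted(demand)}")
        fit = [n for n in self.pool.values()
               if (n.sriov or not require_sriov)
               and all(getattr(n, k) >= v for k, v in demand.items())]
        # Tie-break toward the node with the most bandwidth headroom, then CPU.
        return max(fit, key=lambda n: (n.bandwidth_gbps, n.cpu)) if fit else None

    def create_router(self, router_id: str, demand: dict) -> str:
        """First request: place a virtual router (as a VM) and return the node chosen."""
        node = self.select_node(demand)
        if node is None:
            raise RuntimeError("no compute node in the secure resource pool meets the demand")
        node.cpu -= demand.get("cpu", 0)             # reserve the consumable resources
        node.memory_gb -= demand.get("memory_gb", 0)
        self.routers[router_id] = VirtualRouter(router_id, node.name)
        return node.name

    def write_rules(self, router_id: str, rules: List[dict]) -> int:
        """Second request (as parsed by the firewall driver): write rules by router id."""
        router = self._lookup(router_id)
        for rule in rules:
            validate_rule(rule)                       # validate all before writing any
        router.rules.extend(rules)
        return len(router.rules)

    def operate_router(self, router_id: str, op: str, demand: Optional[dict] = None) -> str:
        """Fourth request: delete or update the router found by its identification."""
        router = self._lookup(router_id)
        if op == "delete":
            del self.routers[router_id]
            return "deleted"
        if op == "update":                            # re-place for the updated demand
            node = self.select_node(demand or {})     # (old-node bookkeeping omitted)
            if node is None:
                raise RuntimeError("no compute node meets the updated demand")
            router.node = node.name
            return node.name
        raise ValueError(f"unknown first operation type {op!r}")

    def operate_firewall(self, router_id: str, op: str, rules: Optional[List[dict]] = None) -> int:
        """Fifth request: delete or update the firewall carried by the given router."""
        router = self._lookup(router_id)
        if op == "delete":
            router.rules.clear()
        elif op == "update":
            for rule in rules or []:
                validate_rule(rule)
            router.rules = list(rules or [])          # new configuration replaces the old
        else:
            raise ValueError(f"unknown second operation type {op!r}")
        return len(router.rules)

    def _lookup(self, router_id: str) -> VirtualRouter:
        if router_id not in self.routers:
            raise KeyError(f"no virtual router with identification {router_id!r}")
        return self.routers[router_id]
```

Validating every rule of a request before writing any of them keeps a router from being left with a half-applied rule set when one entry is malformed.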
By foregoing description, it is known that system provided by the invention has the advantages that
(1) To address the problem in the prior art that a firewall cannot be customized dynamically according to the user's actual needs and therefore cannot satisfy user demand, the system provided by the invention proposes that the safety management module, which manages the compute nodes in the secure resource pool collectively, selects a configurable compute node from the secure resource pool according to the creation demand information proposed by the user and creates a virtual router on that compute node in the form of a virtual machine; the safety management module then configures a firewall on the virtual router selected by the user, so as to realize the packet-filtering function of the firewall. It can be seen that the technical solution provided by the embodiment of the present invention gives the user a channel for dynamically customizing a firewall: the user can determine the creation demand information of the virtual router according to actual needs, so that a virtual router meeting that demand is dynamically customized, and a firewall meeting the demand is then created on that virtual router. In this way, the secure resource pool managed by the safety management module can be regarded as the defense system for the user's north-south traffic.
It can be seen that the system provided by the invention gives the user a channel for dynamically customizing a firewall: the user can determine the creation demand information of the virtual router according to actual demand and, using the technical solution of the embodiment of the present invention, obtain a dynamically customized virtual router that meets the demand. When deploying the virtual machine, the safety management module can dynamically choose a compute node in the secure resource pool according to the user's network demand for north-south traffic, such as throughput, bandwidth and so on, and deploy the virtual router on a compute node that satisfies the user's demand; for example, when the user's performance requirement for the virtual router is high, the security management center can deploy the virtual router on a high-performance compute node.
(2) Further, the system provided by the invention also proposes, based on SR-IOV technology, enabling the virtual machine to send and receive data packets directly through the physical network card, bypassing the bandwidth limitation of the virtual switch and virtual port and giving full play to the high-performance characteristics of the virtual machine.
(3) Further, the system provided by the invention also proposes deploying the virtual router in the form of a virtual machine, so that the virtual router carries advanced security defense functions. The safety management module manages the multiple advanced security defense functions of the firewall deployed on the virtual router in a unified way, making up for the lack of enhanced security features in the original FWaaS.
In order to help those skilled in the art further understand the deployment of the management system of the firewall provided by the invention, the hardware deployment scenario of the management system of the firewall shown in FIG. 1 is explained next in connection with FIG. 3.
Referring to FIG. 3, FIG. 3 is a hardware structure diagram of a management system of a firewall provided in an embodiment of the present invention. In the system shown in FIG. 3, the virtual router card module 101, the FWaaS plug-in unit proxy module 102 and the firewall drive module 103 are integrated in server 1, and the safety management module 104 is integrated in server 2. It should be explained here that the connection between server 1 and server 2 shown in FIG. 3 indicates that server 1 and server 2 can communicate by wired means, and can also communicate by wireless means. In addition, the safety management module 104 in server 2 is used for managing the secure resource pool, and the secure resource pool includes multiple compute nodes, where N is a positive integer greater than or equal to 2.
The compute nodes are compute nodes in the OpenStack cloud platform, and a compute node typically exists in hardware in the form of a server, for example. In actual deployment, the compute nodes and the safety management module can likewise communicate by wired means or wirelessly. The safety management module manages the compute nodes mainly by obtaining, periodically or in real time, performance state information such as the resource size, working performance and network state of each compute node in the secure resource pool, and recording this performance state information for each compute node, so as to configure the compute nodes dynamically on the basis of it.
In implementation, the safety management module may periodically send an inquiry request to the compute nodes. The safety management module may send the inquiry request one to one to a particular compute node, or it may send the inquiry request in a broadcast manner to all compute nodes in the secure resource pool; a compute node, in response to the inquiry request, feeds its own performance state information back to the safety management module.
Of course, in implementation, a compute node in the secure resource pool may also actively and periodically report its own performance state information to the safety management module, so that the safety management module learns the real working performance state of the compute node in time.
Of course, FIG. 3 is only an example. In implementation, the virtual router card module 101, the FWaaS plug-in unit proxy module 102, the firewall drive module 103 and the safety management module 104 of the system provided by the invention may also be integrated in the same server; that server then needs to provide a user interface for the user, and the user triggers the first request and the second request respectively through that user interface.
However, the inventor considers that the safety management module 104 needs to manage the secure resource pool, communicating with all compute nodes in the pool and maintaining the performance state of those compute nodes. Moreover, the working performance of the whole system depends mainly on the working performance of the safety management module; therefore, to ensure the running performance of the safety management module, it is preferable to deploy the safety management module independently in one server, as shown in FIG. 3. In this way, the whole system realizes the functions of its modules through communication between servers. Of course, in implementation, the four modules of the system, the virtual router card module 101, the FWaaS plug-in unit proxy module 102, the firewall drive module 103 and the safety management module 104, may also each be deployed independently in four separate servers.
Based on the working principle of the above system, the present invention also provides a management method of a firewall, which is explained next.
Referring to FIG. 4, which is a flow chart of a management method of a firewall provided in an embodiment of the present invention, the method comprises step 401 to step 405, as shown in FIG. 4.
Step 401: receive a first request, and parse the first request to obtain the creation demand information of a virtual router; the first request is a creation request about a virtual router.
Step 402: according to the creation demand information, select a configurable compute node from the secure resource pool, and create a virtual router on the compute node in the form of a virtual machine.
Step 403: receive a second request; the second request is a creation request about a firewall.
Step 404: parse the second request to obtain the firewall security rule configuration information and the identification information of the selected virtual router.
Step 405: search for the virtual router according to the identification information, and write the firewall security rule configuration information into the virtual router found.
In implementation, optionally, the virtual router is additionally configured to support the advanced security defense functions of the firewall, and the method further includes:
receiving a third request, and uniformly controlling the advanced security defense functions of the user's virtual routers according to the third request; the third request is a management request about the advanced security defense functions of the firewall.
In implementation, optionally, the advanced security defense functions include one or more of the following functions:
anti-virus, protection against distributed denial of service, unified threat management, and wire-speed anti-spam.
In implementation, optionally, the virtual router is realized using single-root I/O virtualization (SR-IOV) technology supported by the network card.
In implementation, optionally, the method further includes:
receiving a fourth request and sending the fourth request to the safety management module; the fourth request is an operation request about a virtual router, and carries the identification information of the virtual router to be operated on and a first operation type; the first operation type includes deletion or update;
searching for the corresponding virtual router according to the identification information carried in the fourth request, and executing the corresponding operation on the virtual router found according to the first operation type.
In implementation, optionally, the method further includes:
receiving a fifth request; the fifth request is an operation request about a firewall, and carries the corresponding relationship between the firewall to be operated on and its virtual router, together with a second operation type; the second operation type includes deletion or update;
parsing the fifth request to obtain the corresponding relationship and the second operation type;
finding the corresponding virtual router according to the corresponding relationship, and executing the corresponding operation on the firewall in the virtual router found according to the second operation type.
In implementation, optionally, the creation demand information includes one or more of the following in combination:
throughput, CPU, memory or bandwidth.
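The creation flow of steps 401 to 405, the compute-node performance-state reporting described for FIG. 3, and the fourth- and fifth-request operations, as an added worked example in Python; it is not part of the patent and not code from Neusoft. The class names, the request keys (`creation_demand`, `router_id`, `operation`, `rules`), the `vr-N` identifiers, the least-surplus placement rule, the capacity accounting on each node and the reading of an "update" of a virtual router as re-placement under new creation demand are all assumptions made for this example; the compute nodes in the test are constructed sample data.

```python
# Added example, not the patent's or Neusoft's code; every name and request key is an assumption.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEMAND_KEYS = ("throughput", "cpu", "memory", "bandwidth")   # creation demand fields


@dataclass
class ComputeNode:
    """Free capacity a node reports (constructed units: Gbps, vCPUs, GiB, Gbps)."""
    name: str
    throughput: float
    cpu: int
    memory: int
    bandwidth: float

    def reserve(self, demand: dict, sign: int = 1) -> None:
        for k, v in demand.items():              # +1 consumes capacity, -1 returns it
            setattr(self, k, getattr(self, k) - sign * v)


@dataclass
class VirtualRouter:
    node: str
    demand: dict
    firewall_rules: List[dict] = field(default_factory=list)


class SecurityManagementModule:
    """Hypothetical stand-in for the patent's safety management module."""

    def __init__(self) -> None:
        self.pool: Dict[str, ComputeNode] = {}        # the secure resource pool
        self.routers: Dict[str, VirtualRouter] = {}   # keyed by identification information
        self._seq = 0

    def report_state(self, node: ComputeNode) -> None:
        self.pool[node.name] = node                   # node answers an inquiry or pushes state

    @staticmethod
    def parse_demand(request: dict) -> dict:
        """Step 401: reject unknown keys or negative values rather than ignore them."""
        demand = request.get("creation_demand", {})
        bad = sorted(set(demand) - set(DEMAND_KEYS))
        if bad or any(v < 0 for v in demand.values()):
            raise ValueError(f"invalid creation demand: {bad or demand}")
        return demand

    def select_node(self, demand: dict) -> Optional[ComputeNode]:
        """Step 402: among nodes meeting every requirement, the least surplus wins."""
        fit = [n for n in self.pool.values()
               if all(getattr(n, k) >= v for k, v in demand.items())]
        return min(fit, key=lambda n: sum(getattr(n, k) - v for k, v in demand.items())) if fit else None

    def create_router(self, first_request: dict) -> Optional[str]:
        """Steps 401-402: returns the new router id, or None if no node fits."""
        demand = self.parse_demand(first_request)
        node = self.select_node(demand)
        if node is None:
            return None
        node.reserve(demand)
        self._seq += 1
        rid = f"vr-{self._seq}"
        self.routers[rid] = VirtualRouter(node.name, demand)
        return rid

    def write_firewall(self, second_request: dict) -> bool:
        """Steps 404-405: find the router by id and write its rule configuration."""
        router = self.routers.get(second_request.get("router_id"))
        if router is None:
            return False                              # unknown id: nothing is written
        router.firewall_rules = list(second_request["rules"])
        return True

    def operate_router(self, fourth_request: dict) -> bool:
        """Fourth request: delete, or update by re-placing under new demand (assumed semantics)."""
        rid, op = fourth_request["router_id"], fourth_request["operation"]
        router = self.routers.get(rid)
        if router is None or op not in ("delete", "update"):
            return False
        self.pool[router.node].reserve(router.demand, sign=-1)
        if op == "delete":
            del self.routers[rid]
            return True
        new_demand = self.parse_demand(fourth_request)
        node = self.select_node(new_demand)
        if node is None:
            self.pool[router.node].reserve(router.demand)    # roll back, keep old placement
            return False
        node.reserve(new_demand)
        router.node, router.demand = node.name, new_demand
        return True

    def operate_firewall(self, fifth_request: dict) -> bool:
        """Fifth request: delete clears the named router's rules, update replaces them."""
        router = self.routers.get(fifth_request["router_id"])
        op = fifth_request["operation"]
        if router is None or op not in ("delete", "update"):
            return False
        router.firewall_rules = [] if op == "delete" else list(fifth_request["rules"])
        return True
```

The points a practitioner would check are the failure paths: a creation request whose demand no node can meet returns `None` instead of placing the router on an arbitrary node, a second request naming an unknown identifier writes no rules, a malformed creation demand raises rather than being silently ignored, and a failed update leaves the router on its previous node with its previous reservation intact.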
In implementation, the method shown in FIG. 4 can be realized by the system shown in FIG. 1, where the different steps may be realized by different functional modules of the system; for details, refer to the description of each functional module of FIG. 1 given above, which is not repeated here.
Those skilled in the art will appreciate that the foregoing is an exemplary illustration of an embodiment of a management method and system of a firewall and is not intended as a limitation of the present invention; other implementations that those skilled in the art obtain from the above without creative labor all fall within the scope of protection of the present invention.
It should be noted that, in this document, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, without necessarily requiring or implying any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or device. In the absence of further restrictions, an element limited by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element. The present invention may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and so on that perform particular tasks or realize particular abstract data types. The present invention may also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
All the embodiments in this specification are described in a progressive manner; the same or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, since the device embodiment is substantially similar to the method embodiment, it is described fairly simply, and the relevant parts may be understood with reference to the description of the method embodiment. The device embodiments described above are merely exemplary: the modules described as separate parts may or may not be physically separated, and the components shown as modules may or may not be physical modules; they may be located in one place or distributed over multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment, which those of ordinary skill in the art can understand and implement without creative work. The above is only a specific embodiment of the invention; it should be pointed out that those skilled in the art can also make several improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as within the scope of protection of the present invention.

Claims (14)

1. A management system of a firewall, characterized in that the system comprises:
a virtual router card module, an FWaaS plug-in unit proxy module, a firewall drive module and a safety management module;
wherein the virtual router card module is used for receiving a first request, parsing the first request to obtain the creation demand information of a virtual router, and sending the creation demand information to the safety management module; the first request is a creation request about a virtual router;
the FWaaS plug-in unit proxy module is used for receiving a second request, the second request being a creation request about a firewall, and sending the second request to the firewall drive module;
the firewall drive module is used for parsing the second request to obtain the firewall security rule configuration information and the identification information of the selected virtual router, and sending the firewall security rule configuration information and the identification information to the safety management module;
the safety management module is used for selecting a configurable compute node from the secure resource pool according to the creation demand information and creating a virtual router on the compute node in the form of a virtual machine; and for searching for the virtual router according to the identification information and writing the firewall security rule configuration information into the virtual router found.
2. The management system of a firewall according to claim 1, characterized in that
the virtual router is additionally configured to support the advanced security defense functions of the firewall;
and the safety management module is further used for receiving a third request and uniformly controlling the advanced security defense functions of the user's virtual routers according to the third request; the third request is a management request about the advanced security defense functions of the firewall.
3. The management system of a firewall according to claim 2, characterized in that
the advanced security defense functions include one or more of the following functions:
advanced threat defense, anti-virus, protection against distributed denial of service, unified threat management, and wire-speed anti-spam.
4. The management system of a firewall according to claim 1 or 2, characterized in that the virtual router is realized using single-root I/O virtualization (SR-IOV) technology supported by the network card.
5. The management system of a firewall according to claim 1, characterized in that the virtual router card module is further used for:
receiving a fourth request and sending the fourth request to the safety management module; the fourth request is an operation request about a virtual router, and carries the identification information of the virtual router to be operated on and a first operation type; the first operation type includes deletion or update;
and the safety management module is further used for:
searching for the corresponding virtual router according to the identification information carried in the fourth request, and executing the corresponding operation on the virtual router found according to the first operation type.
6. The management system of a firewall according to claim 1, characterized in that the FWaaS plug-in unit proxy module is further used for:
receiving a fifth request and sending the fifth request to the firewall drive module; the fifth request carries the corresponding relationship between the firewall to be operated on and its virtual router, together with a second operation type; the second operation type includes deletion or update; the fifth request is an operation request about a firewall;
and the firewall drive module is further used for:
parsing the fifth request to obtain the corresponding relationship and the second operation type, and sending the corresponding relationship and the second operation type to the safety management module;
and the safety management module is further used for:
finding the corresponding virtual router according to the corresponding relationship, and executing the corresponding operation on the firewall in the virtual router found according to the second operation type.
7. The management system of a firewall according to claim 1, characterized in that the creation demand information includes one or more of the following in combination:
throughput, CPU, memory or bandwidth.
8. A management method of a firewall, characterized in that the method comprises:
receiving a first request, and parsing the first request to obtain the creation demand information of a virtual router; the first request is a creation request about a virtual router;
according to the creation demand information, selecting a configurable compute node from the secure resource pool, and creating a virtual router on the compute node in the form of a virtual machine;
receiving a second request; the second request is a creation request about a firewall;
parsing the second request to obtain the firewall security rule configuration information and the identification information of the selected virtual router;
searching for the virtual router according to the identification information, and writing the firewall security rule configuration information into the virtual router found.
9. The management method of a firewall according to claim 8, characterized in that the virtual router is additionally configured to support the advanced security defense functions of the firewall, and the method further comprises:
receiving a third request, and uniformly controlling the advanced security defense functions of the user's virtual routers according to the third request; the third request is a management request about the advanced security defense functions of the firewall.
10. The management method of a firewall according to claim 8 or 9, characterized in that the virtual router is realized using single-root I/O virtualization (SR-IOV) technology supported by the network card.
11. The management method of a firewall according to claim 9, characterized in that the advanced security defense functions include one or more of the following functions:
anti-virus, protection against distributed denial of service, unified threat management, and wire-speed anti-spam.
12. The management method of a firewall according to claim 8, characterized in that the method further comprises:
receiving a fourth request; the fourth request is an operation request about a virtual router, and carries the identification information of the virtual router to be operated on and a first operation type; the first operation type includes deletion or update;
searching for the corresponding virtual router according to the identification information carried in the fourth request, and executing the corresponding operation on the virtual router found according to the first operation type.
13. The management method of a firewall according to claim 8, characterized in that the method further comprises:
receiving a fifth request; the fifth request is an operation request about a firewall, and carries the corresponding relationship between the firewall to be operated on and its virtual router, together with a second operation type; the second operation type includes deletion or update;
parsing the fifth request to obtain the corresponding relationship and the second operation type;
finding the corresponding virtual router according to the corresponding relationship, and executing the corresponding operation on the firewall in the virtual router found according to the second operation type.
14. The management method of a firewall according to claim 8, characterized in that the creation demand information includes one or more of the following in combination:
throughput, CPU, memory or bandwidth.
CN201610679647.0A 2016-08-17 2016-08-17 A kind of management method and system of firewall Active CN106302466B (en)

Publications (2)

Publication Number Publication Date
CN106302466A CN106302466A (en) 2017-01-04
CN106302466B true CN106302466B (en) 2019-04-26
