CN106572120A - Access control method and system based on mixed cloud - Google Patents

Access control method and system based on mixed cloud

Info

Publication number: CN106572120A
Application number: CN201610998443.3A
Authority: CN (China)
Prior art keywords: http, dpi, access control, authentication server, security appliance
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Inventor: 张思拓
Current Assignee: China Southern Power Grid Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: China Southern Power Grid Co Ltd
Application filed by China Southern Power Grid Co Ltd

Classifications

    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/14 detecting or protecting against malicious traffic, H04L63/1408 by monitoring network traffic)
    • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an access control method and system based on hybrid cloud. The method comprises the following steps: using software-defined networking (SDN) to steer HTTP traffic to an authentication server; after the authentication server has authenticated the user, using a service chain to steer the HTTP traffic to pre-provisioned virtual deep packet inspection (DPI) security devices, where a DPI security device is equipment deployed in advance at a virtual or physical position; and, when a DPI security device detects suspected attack behaviour in the HTTP traffic, notifying the firewall to adjust its control of the HTTP traffic in real time. This solves the problem that an existing access mechanism relying solely on ACLs cannot defend against targeted advanced attacks and therefore carries serious security risks.

Description

Access control method and system based on hybrid cloud
Technical field
The present invention relates to the field of network security, and in particular to an access control method and system based on hybrid cloud.
Background technology
A hybrid cloud combines public cloud and private cloud and has been the main pattern and direction of development of cloud computing in recent years. Facing enterprise customers, private enterprises are, for security reasons, more willing to keep their data in a private cloud, while at the same time wishing to obtain the computing resources of the public cloud. Hybrid clouds are therefore increasingly adopted: they mix and match public cloud and private cloud to obtain the best result, and this tailored solution achieves the twin goals of saving money and staying secure.
At present the common way of deploying a hybrid cloud is to connect the customer's original system with the cloud system through a tunnelling technique such as VPN. Fig. 1 shows the overlay network of a typical hybrid cloud: the physical gateway/firewall FW1 of tenant A's enterprise network is connected through a tunnel (such as VPN) to tenant A's virtual router/firewall FWaaS1 behind the public cloud gateway, and the cloud system's physical gateway firewall FW2 is connected to the cloud system's management network and to each tenant's virtual gateway/firewall FWaaS.
Accordingly, to deploy a unified access control policy, the rules set at the gateway of the user's enterprise network, the cloud physical network gateway, the tenant virtual gateway and the firewalls at the tenant's virtual micro-segment boundaries must be kept consistent: (1) tenant A's enterprise network firewall FW1 should be consistent with the rules of the virtual firewall FWaaS1; (2) the enterprise network firewall FW1 should be linked with the enterprise BYOD authentication system, ensuring that devices on the public wireless network present their identity and are authorized to access cloud VMs only; (3) the cloud physical network firewall FW2 should ensure isolation of the control network from the data network, in particular strictly controlling traffic from the internet to the cloud management network; (4) the user must define micro-segments according to business divisions and, using FWaaS1 and security groups, control the north-south traffic entering and leaving the tenant's enterprise network and the east-west traffic between micro-segments, strictly limiting the traffic to segments such as the database (DB).
In addition, rules are traditionally set by RBAC or ABAC, but such rules are generally fixed, lack context awareness, and cannot be adjusted quickly when a threat appears. In many APT scenarios the attacker obtains a user's identity through social engineering or a trojan, and the boundary check can then be bypassed and internal resources accessed. Existing access mechanisms that rely solely on ACLs therefore cannot resist these targeted advanced attacks, and serious security risks remain.
Summary of the invention
The embodiments of the present invention provide an access control method and system based on hybrid cloud, to solve the problem that an existing access mechanism relying solely on ACLs cannot resist such targeted advanced attacks and carries serious security risks.
The method of the invention is an access control method based on hybrid cloud, and the method comprises:
using software-defined networking (SDN) to steer HTTP traffic to an authentication server;
after the authentication server has authenticated the user, using a service chain to steer the HTTP traffic to pre-provisioned virtual deep packet inspection (DPI) security devices, the DPI security devices being equipment deployed in advance at a virtual or physical position;
when the DPI security devices detect suspected attack behaviour in the HTTP traffic, notifying the firewall to adjust its control of the HTTP traffic in real time.
Based on the same inventive concept, the embodiments of the present invention further provide an access control system based on hybrid cloud, the system comprising:
an authentication unit, for using SDN to steer HTTP traffic to an authentication server;
a detection unit, for using a service chain, after the authentication server has authenticated the user, to steer the HTTP traffic to pre-provisioned virtual DPI security devices, the DPI security devices being equipment deployed in advance at a virtual or physical position;
an access control unit, for notifying the firewall to adjust its control of the HTTP traffic in real time when the DPI security devices detect suspected attack behaviour in the HTTP traffic.
Through a software-defined control platform, the embodiments on the one hand establish a unified access control mechanism covering every boundary of BYOD, the enterprise network and the cloud virtual network; on the other hand, combined with service chaining, they dynamically adjust the protection level according to contextual risk. In a common hybrid network in a cloud environment, access control at each network boundary of the overlay network, combined with the characteristics of BYOD and of east-west and north-south traffic in the cloud environment, builds a unified access control mechanism that perceives the context dynamically and realizes adaptive access control, effectively solving the problems of limited protection means and low protection efficiency in cloud environments.
Description of the drawings
In order to illustrate the technical solutions of the embodiments more clearly, the drawings needed for describing the embodiments are briefly introduced below. Clearly, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is an access control architecture diagram of a hybrid cloud of the prior art;
Fig. 2 is a flow diagram of an access control method based on hybrid cloud provided in an embodiment of the present invention;
Fig. 3 is a network architecture diagram of a hybrid cloud provided in an embodiment of the present invention;
Fig. 4 is an architecture diagram of an access control system based on hybrid cloud provided in an embodiment of the present invention.
Detailed description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings. Clearly, the described embodiments are only some embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Before the method steps of the embodiments are introduced, the terms appearing below are explained as follows:
VPN (Virtual Private Network) is a remote-access technology; briefly, it establishes a private network over a public network.
BYOD (Bring Your Own Device) means installing the company's software on one's own device so that the device can use the company's resources.
Micro-segmentation has been proposed in recent years as an approach to access control of east-west traffic. Its core idea is to divide the virtual machines in a tenant network into segments and to deploy access control mechanisms at the segment boundaries. Because a segment can be defined quite flexibly, as a single virtual machine or as a set of virtual machines meeting some condition, several micro security domains can be carved out of one subnet as desired. Unlike traditional boundary demarcation, a micro-segment can be any part of a virtual network, and if security policy is deployed between micro-segments, traffic in the layer-2 network can be monitored.
Service chain: inside a security domain, or at its boundary, multiple security mechanisms usually have to be deployed. For example a web server needs, in turn, anti-DDoS (Distributed Denial of Service) cleaning, access control and web application protection, while an intranet database needs access control, intrusion detection, database audit and similar mechanisms. Several security service nodes therefore have to be deployed in sequence from the physical network to the virtual network and from the gateway side to the server side; this is called a service chain.
RBAC: role-based access control has received wide attention as a promising replacement for traditional access control (discretionary access control, mandatory access control). In RBAC, permissions are associated with roles, and users obtain the permissions of those roles by becoming members of the appropriate roles. This greatly simplifies the management of permissions. In an organization, roles are created to carry out various kinds of work, users are assigned roles according to their responsibilities and qualifications, and a user can easily be reassigned from one role to another. A role can be granted new permissions as new requirements and systems are merged, and permissions can be withdrawn from a role as needed. Relationships between roles can be established to cover broader objective circumstances.
ABAC: attribute-based access control is an access control model for solving trust relationships in industry distributed applications. It uses the attributes of the relevant entities (such as subject, object and environment) as the basis for authorization and studies how access control should be performed on that basis. For this purpose, entity attributes are divided into subject attributes, object attributes and environment attributes.
APT (Advanced Persistent Threat) refers to a form of attack that uses advanced attack means to carry out a long-lasting network attack on a specific target. The principle of an APT attack is more advanced than that of other forms of attack: before launching the attack, the attacker precisely collects information about the business processes and target systems of the object of attack. During this collection the attacker actively mines vulnerabilities in the systems and applications trusted by the target, uses these vulnerabilities to build the network the attacker needs, and attacks using 0-day vulnerabilities.
ACL (Access Control List) is a list of instructions on router and switch interfaces, used to control the packets entering and leaving a port. ACLs apply to all routed protocols, such as IP, IPX and AppleTalk.
SDN (Software Defined Network) is a new network innovation architecture and a way of implementing network virtualization. Its core technology, OpenFlow, separates the control plane of network devices from the data plane, thereby achieving flexible control of network traffic and making the network, as a pipe, more intelligent.
NFV (Network Function Virtualization) carries a great many functions as software processing by using general-purpose hardware such as x86 together with virtualization technology, thereby reducing the cost of expensive network equipment. By decoupling software from hardware and modularizing functions, network device functions no longer depend on dedicated hardware, resources can be shared fully and flexibly, new services can be developed and deployed quickly, and automatic deployment, elastic scaling, fault isolation and self-healing can be carried out according to actual business demand.
DPI (Deep Packet Inspection) is a technique for deep inspection of network packets. Security, optimization and management services based on DPI provide strong support for advanced networks; with the rapid development of the internet, the DPI technology accumulated over many years has found good application in traffic management equipment and application performance analysis equipment, and in the form of plug-ins is widely used in various intelligent network elements.
As shown in Fig. 2, an embodiment of the present invention provides a flow diagram of an access control method based on hybrid cloud; the specific implementation comprises:
Step S101: using software-defined networking (SDN) to steer HTTP traffic to an authentication server.
Step S102: after the authentication server has authenticated the user, using a service chain to steer the HTTP traffic to pre-provisioned virtual deep packet inspection (DPI) security devices, the DPI security devices being equipment deployed in advance at a virtual or physical position.
Step S103: when the DPI security devices detect suspected attack behaviour in the HTTP traffic, notifying the firewall to adjust its control of the HTTP traffic in real time.
Specifically, the network architecture corresponding to the above method is shown in Fig. 3. It is divided into three parts: the enterprise network, the internet and the cloud system network. Of these:
The enterprise network includes: (1) an SDN switch, bridged to the wireless router deployed in the physical environment, with a separate internet connection, and able to reach the tenant virtual gateway of the cloud environment through a tunnel; (2) an authentication server, supporting the authentication methods provided in the enterprise network, such as LDAP or employee username/password in a database.
The cloud environment network includes: (1) a tenant virtual gateway, connected to the enterprise network through a tunnel and providing routing and layer-3 access control services for the virtual networks inside the cloud environment; (2) micro-segments, providing layer-2 access control services inside a virtual subnet; (3) NFV: firewalls, IDS and other application-layer firewalls, providing DPI and behaviour-level control mechanisms.
The main flow of the access control method provided in the embodiment has two parts: user authentication and access control. The former uses SDN to steer the HTTP traffic of a user accessing from anywhere on the global network to the authentication server for authentication; the latter deploys, for that user, a unified access control policy across the enterprise network and the cloud environment through service chaining.
In initial phase, SDN controllers to SDN switch in (1) issues following OpenFlow flow instruction:1) institute is allowed There is the packet of DHCP and DNS;2) packet of all HTTP is drawn to into certificate server auth.server in (2);3) refuse Exhausted other all packets.
Wherein, operationally, in user's connection after wireless router, by any HTTP websites of browser access, all can Certificate server is redirected to, the latter is such as former to ask http by the way that requests for page is rewritten as into certification page:// www.a.com/hello.phpKey=value is rewritten as http://auth.server/loginKey=value.From And the user name password that user can input oneself in the page is authenticated, in theory any agreement, institute are supported in certification rear end With can be with the original authentication service of compatible enterprise.
Further, after user realizes certification, the terminal is set to certification by SDN controllers in policy library, together When issue the instruction of following OpenFlow flow:(1) flow sent by the user terminal of certification process behavior is set to into action =CONTROLLER;(2) packet that the next terminal sends occurs that SDN controllers can be sent to first, and the latter judges:2.1 such as Fruit destination address for cloud environment Intranet General Virtual Machine, then allow to pass through, and according to security strategy by flow through some peaces Full equipment;If 2.2 destination addresses are internet, allow to pass through;If 2.3 destination addresses are corporate intranet server or cloud The Intranet valuable source of environment, then judge whether it has the authority for accessing the resource according to the identity of certification user;(3) SDN controls Result is pushed to related network device by device processed, and the latter can process the follow-up all packets of the stream;(4) by SDN and NFV technologies, according to access type polytype protection or testing equipment, group are disposed on demand on demand after virtual router Into service chaining;(5) degree of safety of the terminal environments is based on context perceived, around the discovery in DPI or behavioral analysis engine There is doubtful attack, security system is then correspondingly tight by access control policy tune by SDN controllers, otherwise adjusts pine, realizes certainly The access control of adaptation.
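The initialization flow table, the captive-portal rewrite and the post-authentication per-flow decision described above, reduced to a pure-Python model that runs offline. This is an added example, not the patent's own code or any controller's API: the simplified flow-entry format, the priorities, the portal hostname auth.server, the address ranges chosen for the tenant network, the enterprise intranet and the "important" resource, and the permission table are all assumptions for illustration. A real deployment would push these entries to the switch as OpenFlow rules through an SDN controller.

```python
"""Toy model of the SDN controller logic: initial flow table, captive-portal
redirect, and the decision taken on the first packet of an authenticated
terminal's flow. All constants below are assumptions for the example."""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, urlunsplit

AUTH_SERVER = "auth.server"                 # assumed portal hostname (from the text)
CLOUD_TENANT = ip_network("10.20.0.0/16")   # assumed: ordinary tenant VMs in the cloud
ENTERPRISE = ip_network("10.10.0.0/16")     # assumed: corporate intranet servers
IMPORTANT = {ip_address("10.20.9.20")}      # assumed: important cloud resource (e.g. DB)


def initial_flow_table():
    """Entries pushed at initialisation: allow DHCP and DNS, steer all HTTP to
    the portal, drop everything else. Higher priority wins, as in OpenFlow."""
    return [
        {"priority": 100, "match": {"proto": "udp", "dport": 67}, "action": "FORWARD"},  # DHCP
        {"priority": 100, "match": {"proto": "udp", "dport": 53}, "action": "FORWARD"},  # DNS
        {"priority": 90, "match": {"proto": "tcp", "dport": 80}, "action": f"REDIRECT:{AUTH_SERVER}"},
        {"priority": 0, "match": {}, "action": "DROP"},  # table-miss entry
    ]


def lookup(table, pkt):
    """Action of the highest-priority entry whose match fields all equal the
    packet's fields (an empty match matches every packet)."""
    for entry in sorted(table, key=lambda e: -e["priority"]):
        if all(pkt.get(k) == v for k, v in entry["match"].items()):
            return entry["action"]
    return "DROP"


def rewrite_to_portal(url):
    """Captive-portal rewrite: keep the query string, point the user at /login."""
    parts = urlsplit(url)
    return urlunsplit(("http", AUTH_SERVER, "/login", parts.query, ""))


class Controller:
    def __init__(self, permissions):
        self.permissions = permissions   # user -> set of protected addresses they may reach
        self.authenticated = {}          # terminal IP -> authenticated user
        self.table = initial_flow_table()

    def on_auth_success(self, terminal, user):
        """Record the terminal in the policy store and send its flows to the controller."""
        self.authenticated[terminal] = user
        self.table.append({"priority": 95, "match": {"src": terminal}, "action": "CONTROLLER"})

    def decide(self, terminal, dst):
        """Decision for the first packet of a flow from an authenticated terminal."""
        user = self.authenticated.get(terminal)
        if user is None:
            return "DROP"
        dst_ip = ip_address(dst)
        if dst_ip in IMPORTANT or dst_ip in ENTERPRISE:
            # intranet server or important cloud resource: authorisation check on the user
            return "ALLOW" if dst in self.permissions.get(user, set()) else "DROP"
        if dst_ip in CLOUD_TENANT:
            return "ALLOW_VIA_SERVICE_CHAIN"   # ordinary VM: allowed, routed through security devices
        return "ALLOW"                         # anything else is the internet

    def handle_packet_in(self, pkt):
        """Decide once, then install a specific entry so the switch handles the
        remaining packets of this flow without asking the controller again."""
        action = self.decide(pkt["src"], pkt["dst"])
        self.table.append({"priority": 97,
                           "match": {"src": pkt["src"], "dst": pkt["dst"]},
                           "action": action})
        return action


if __name__ == "__main__":
    ctl = Controller({"alice": {"10.20.9.20"}})
    print(lookup(ctl.table, {"src": "192.168.1.50", "proto": "tcp", "dport": 80}))
    ctl.on_auth_success("192.168.1.50", "alice")
    for dst in ("8.8.8.8", "10.20.1.5", "10.20.9.20", "10.10.5.10"):
        print(dst, ctl.handle_packet_in({"src": "192.168.1.50", "dst": dst, "proto": "tcp", "dport": 80}))
```

The priority ordering is what makes the state machine work: the per-terminal CONTROLLER entry (95) outranks the portal redirect (90), and the per-flow entry installed after the decision (97) outranks both, so an unauthenticated terminal only ever reaches the portal, DHCP and DNS.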
It can be seen that this adaptive access control is consistent with the adaptive access control proposed by Gartner. For example, introducing an IDS enables inspection of packet payloads, and after inspection the data can enter a sandbox for behavioural detection in a virtual runtime environment; in this way, once a security mechanism triggers an alarm, the current security level can be raised and the related access restricted or even blocked.
Attacks in a cloud environment can occur within a very short time, so policy adjustment must be fast. Through service chaining, various virtual DPI security devices can be deployed at virtual or physical positions as desired, and the traffic passes through several of them in turn according to the upper-layer configuration; when a DPI device discovers a suspected attack, it notifies the firewall to adjust its control of the HTTP traffic in real time.
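The service chain of the term definitions above, steps (4) and (5) of the post-authentication flow, and the DPI-to-firewall notification just described, modelled together in Python as an added example that is not part of the patent. The chain layouts per access type, the three policy levels, the deliberately coarse DPI signatures, the loosening threshold and the sample request lines are all constructed assumptions; a real deployment would run an IDS or WAF engine in the chain and push policy changes to the firewall through the SDN controller.

```python
"""Toy service chain whose DPI stage inspects HTTP request lines; an alert
tightens the firewall policy one step, a run of clean requests loosens it
one step. Constants and signatures are assumptions for the example."""
import re

# Assumed chain layouts, following the service-chain definition: web servers
# get DDoS cleaning, access control and web application protection; database
# access gets access control, intrusion detection and audit.
CHAINS = {
    "web": ["anti_ddos", "acl", "waf"],
    "db": ["acl", "ids", "db_audit"],
}

# Assumed, deliberately coarse DPI signatures (a real engine has many more).
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bor\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+|union\s+select)"),
    "traversal": re.compile(r"\.\./"),
    "cmdi": re.compile(r"[;&|]\s*(cat|wget|curl|sh)\b"),
}


def build_service_chain(access_type):
    """Ordered security functions a flow passes through for this access type."""
    return list(CHAINS.get(access_type, ["acl"]))


def dpi_inspect(request_line):
    """Names of the signatures matched by one HTTP request line."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request_line)]


# Only the DPI-capable stages look at payloads in this model; the others are
# modelled as pass-through stages that raise no alert.
INSPECTORS = {"waf": dpi_inspect, "ids": dpi_inspect}


class AdaptiveFirewall:
    LEVELS = ["normal", "restricted", "blocked"]   # assumed policy levels

    def __init__(self, loosen_after=5):
        self.level = 0
        self.clean_streak = 0
        self.loosen_after = loosen_after
        self.log = []

    def policy(self):
        return self.LEVELS[self.level]

    def tighten(self, reason):
        """A suspected attack raises the level by one step immediately."""
        self.level = min(self.level + 1, len(self.LEVELS) - 1)
        self.clean_streak = 0
        self.log.append(("tighten", reason, self.policy()))

    def observe_clean(self):
        """Loosen by one step only after loosen_after consecutive clean requests."""
        self.clean_streak += 1
        if self.level > 0 and self.clean_streak >= self.loosen_after:
            self.level -= 1
            self.clean_streak = 0
            self.log.append(("loosen", None, self.policy()))

    def allows(self, dst_is_important):
        """What the current level lets this terminal's HTTP flows reach."""
        if self.policy() == "blocked":
            return False
        if self.policy() == "restricted":
            return not dst_is_important
        return True


def run_chain(firewall, requests, access_type="web"):
    """Push each request through the chain; return (request, alerts, policy) per request."""
    chain = build_service_chain(access_type)
    verdicts = []
    for req in requests:
        alerts = []
        for stage in chain:
            alerts += INSPECTORS.get(stage, lambda _r: [])(req)
        if alerts:
            firewall.tighten(f"{alerts[0]} in {req!r}")
        else:
            firewall.observe_clean()
        verdicts.append((req, alerts, firewall.policy()))
    return verdicts


# Constructed sample traffic for the example (not captured from any real system).
SAMPLE_REQUESTS = [
    "GET /hello.php?key=value HTTP/1.1",
    "GET /hello.php?id=1' OR '1'='1 HTTP/1.1",
    "GET /static/app.js HTTP/1.1",
    "GET /download?file=../../etc/passwd HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /about.html HTTP/1.1",
    "GET /contact.html HTTP/1.1",
]

if __name__ == "__main__":
    fw = AdaptiveFirewall(loosen_after=3)
    for req, alerts, policy in run_chain(fw, SAMPLE_REQUESTS):
        print(f"{policy:10} {alerts or '-'}  {req}")
```

Tightening is immediate while loosening needs a run of clean requests; that asymmetry is what keeps an attacker from resetting the policy by interleaving benign traffic with probes.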
Through the software-defined control platform, the security application can on the one hand establish a unified access control mechanism covering every boundary of BYOD, the enterprise network and the cloud virtual network, and on the other hand, combined with service chaining, dynamically adjust the protection level according to contextual risk.
In summary, in a common hybrid network in a cloud environment, the embodiment builds a unified access control mechanism through access control at each network boundary of the overlay network, combined with the characteristics of BYOD and of east-west and north-south traffic in the cloud environment; it perceives the context dynamically and realizes adaptive access control, effectively solving the problems of limited protection means and low protection efficiency in cloud environments.
Based on the same technical concept, the embodiment of the present invention also provides an access control system based on hybrid cloud, which can execute the above method embodiment. As shown in Fig. 4, the system provided in the embodiment includes an authentication unit 301, a detection unit 302 and an access control unit 303, where:
the authentication unit 301 is for using software-defined networking (SDN) to steer HTTP traffic to an authentication server;
the detection unit 302 is for using a service chain, after the authentication server has authenticated the user, to steer the HTTP traffic to pre-provisioned virtual deep packet inspection (DPI) security devices, the DPI security devices being equipment deployed in advance at a virtual or physical position;
the access control unit 303 is for notifying the firewall to adjust its control of the HTTP traffic in real time when the DPI security devices detect suspected attack behaviour in the HTTP traffic.
Further, the access control unit 303 is for correspondingly tightening the access control policy through the SDN controller when the DPI security devices detect suspected attack behaviour in the HTTP traffic, and for correspondingly loosening the access control policy through the SDN controller when the DPI security devices detect no suspected attack behaviour in the HTTP traffic.
Further, a generating unit 304 is for deploying, through SDN and NFV, protection or detection devices of several types on demand after the virtual router according to the access type, to generate the service chain.
Further, the authentication unit 301 is specifically for: if it determines that the destination address is an ordinary virtual machine in the intranet of the cloud environment, the authentication passes;
or, if it determines that the destination address is the internet, the authentication passes;
or, if it determines that the destination address is a corporate intranet server or an important intranet resource of the cloud environment, further determining whether the identity of the authenticated user has the right to access that resource, and if so, the authentication passes.
Further, the authentication unit 301 is specifically for: the SDN controller sending flow instructions to the SDN switch, the flow instructions including steering the packets of all HTTP traffic to the authentication server.
The present invention is described with reference to flow diagrams and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the functions specified in one or more flows of the flow diagrams and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realizes the functions specified in one or more flows of the flow diagrams and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is executed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flow diagrams and/or one or more blocks of the block diagrams.
Although the preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, can make other changes and modifications to these embodiments. The claims are therefore intended to be construed as including the preferred embodiments and all changes and modifications falling within the scope of the present invention.
Clearly, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. If these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.

Claims (10)

1. a kind of access control method based on mixed cloud, it is characterised in that the method includes:
Using software defined network SDN technologies by HTTP flow leads to certificate server;
After the certificate server certification passes through, the HTTP flow leads are examined to default virtual depth using service chaining DPI safety means are surveyed, the DPI safety means are the equipment disposed on virtually or physically position in advance;
When the DPI safety means detect suspected attack behavior in the HTTP flows, fire wall real-time adjustment pair is notified The control of HTTP uninterrupteds.
2. The method of claim 1, characterised in that notifying the firewall to adjust its control of HTTP traffic in real time when the DPI security device detects suspected attack behaviour in the HTTP traffic comprises:
when the DPI security device detects suspected attack behaviour in the HTTP traffic, tightening the access control policy accordingly through the SDN controller;
when the DPI security device does not detect suspected attack behaviour in the HTTP traffic, loosening the access control policy accordingly through the SDN controller.
3. The method of claim 1, characterised in that, before using the service chain to direct the HTTP traffic to the preset virtual deep packet inspection (DPI) security device, the method further comprises:
deploying, by means of SDN and NFV technologies, multiple types of protection or detection devices on demand behind the virtual router according to the access type, so as to generate the service chain.
4. The method of claim 1, characterised in that, after using software defined networking (SDN) technology to direct the HTTP traffic to the authentication server, the method further comprises:
if the authentication server determines that the destination address is an ordinary intranet virtual machine of the cloud environment, authentication passes;
or, if the authentication server determines that the destination address is the internet, authentication passes;
or, if the authentication server determines that the destination address is a corporate intranet server or an important intranet resource of the cloud environment, further verifying whether the identity of the user has the authority to access that resource, and if so, authentication passes.
5. The method of claim 1, characterised in that using SDN technology to direct the HTTP traffic to the authentication server comprises:
the SDN controller sending a flow instruction to the SDN switch, the flow instruction including directing the packets of all HTTP traffic to the authentication server.
6. An access control system based on a hybrid cloud, characterised in that the system comprises:
an authentication unit, for using SDN technology to direct HTTP traffic to an authentication server;
a detection unit, for using a service chain, after authentication by the authentication server passes, to direct the HTTP traffic to a preset virtual DPI security device, the DPI security device being a device deployed in advance at a virtual or physical location;
an access control unit, for notifying the firewall to adjust its control of HTTP traffic in real time when the DPI security device detects suspected attack behaviour in the HTTP traffic.
7. The system of claim 6, characterised in that the access control unit is for tightening the access control policy accordingly through the SDN controller when the DPI security device detects suspected attack behaviour in the HTTP traffic, and for loosening the access control policy accordingly through the SDN controller when the DPI security device does not detect suspected attack behaviour in the HTTP traffic.
8. The system of claim 6, characterised in that it further comprises:
a generating unit, for deploying, by means of SDN and NFV technologies, multiple types of protection or detection devices on demand behind the virtual router according to the access type, so as to generate the service chain.
9. The system of claim 6, characterised in that the authentication unit is specifically for:
if the destination address is determined to be an ordinary intranet virtual machine of the cloud environment, passing authentication;
or, if the destination address is determined to be the internet, passing authentication;
or, if the destination address is determined to be a corporate intranet server or an important intranet resource of the cloud environment, further verifying whether the identity of the user has the authority to access that resource, and if so, passing authentication.
10. The system of claim 6, characterised in that the authentication unit is specifically for:
the SDN controller sending a flow instruction to the SDN switch, the flow instruction including directing the packets of all HTTP traffic to the authentication server.
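As an added illustration (not code from the patent or its applicant), the following Python models the destination-based authentication decision of claims 4 and 9 and the tighten/loosen adjustment of claims 2 and 7. The address ranges, user ACL, and the exact tighten/loosen semantics are assumptions made for the example.

```python
# Added example, not from the patent. Address ranges, users and the ACL are
# constructed sample data; the tighten/loosen semantics are an assumption.
from ipaddress import ip_address, ip_network

# Constructed destination classes. The important-resource prefix lies inside
# the ordinary-VM prefix, so the most specific class must be tested first.
IMPORTANT_CLOUD = [ip_network("10.10.100.0/24")]   # important intranet resource
CORP_SERVERS    = [ip_network("10.20.0.0/24")]     # corporate intranet server
ORDINARY_VMS    = [ip_network("10.10.0.0/16")]     # ordinary cloud intranet VM

# Constructed ACL: which users may reach which protected networks.
ACL = {"alice": ["10.10.100.0/24"], "bob": ["10.20.0.0/24"]}

def classify(dst):
    """Map a destination address to one of the four categories in claim 4."""
    ip = ip_address(dst)
    if any(ip in n for n in IMPORTANT_CLOUD):
        return "important"
    if any(ip in n for n in CORP_SERVERS):
        return "corp_server"
    if any(ip in n for n in ORDINARY_VMS):
        return "ordinary_vm"
    return "internet"

def authenticate(user, dst):
    """Claims 4/9: ordinary VMs and the internet pass outright; protected
    resources additionally require the user to hold access rights."""
    kind = classify(dst)
    if kind in ("ordinary_vm", "internet"):
        return True
    ip = ip_address(dst)
    return any(ip in ip_network(n) for n in ACL.get(user, []))

class Policy:
    """Firewall posture the SDN controller adjusts on DPI verdicts (claims 2/7).
    Assumed semantics: tighten raises a strictness level and blocks the
    flagged source; loosen steps the level down and clears blocks at zero."""
    def __init__(self):
        self.level = 0          # 0 = permissive, higher = stricter
        self.blocked = set()    # sources whose HTTP flows are dropped

    def on_dpi_verdict(self, src, suspected):
        if suspected:           # tighten
            self.level += 1
            self.blocked.add(src)
        elif self.level > 0:    # loosen
            self.level -= 1
            if self.level == 0:
                self.blocked.clear()
        return self.level

    def allows(self, src):
        return src not in self.blocked
```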
CN201610998443.3A 2016-11-11 2016-11-11 Access control method and system based on mixed cloud Pending CN106572120A (en)

Publications (1)

Publication Number Publication Date
CN106572120A true CN106572120A (en) 2017-04-19

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107612932A (en) * 2017-10-20 2018-01-19 广东电网有限责任公司电力科学研究院 A kind of cloud security Rights Management System
CN107888597A (en) * 2017-11-16 2018-04-06 杭州迪普科技股份有限公司 A kind of FWaaS security domains collocation method and device
CN108040067A (en) * 2017-12-26 2018-05-15 北京星河星云信息技术有限公司 A kind of cloud platform intrusion detection method, apparatus and system
CN108156153A (en) * 2017-12-22 2018-06-12 国家电网公司 A kind of differential section means of defence based on distributed security domain
CN108366068A (en) * 2018-02-26 2018-08-03 浙江大学 Cloud network resource management control system based on policy language under a kind of software defined network
CN109495469A (en) * 2018-11-09 2019-03-19 南京医渡云医学技术有限公司 Flow analysis security management and control system, method and device
CN109617873A (en) * 2018-12-06 2019-04-12 中山大学 A kind of flow attacking system of defense based on SDN cloud security function services tree-model
CN109729089A (en) * 2019-01-02 2019-05-07 中国电子科技网络信息安全有限公司 A kind of intelligent network security function management method and system based on container
CN110086841A (en) * 2018-01-26 2019-08-02 广东亿迅科技有限公司 Construct the method and device of MPP public cloud and local private clound
CN110311838A (en) * 2019-07-24 2019-10-08 北京神州绿盟信息安全科技股份有限公司 A kind of method and device of security service traffic statistics
CN110912869A (en) * 2019-10-15 2020-03-24 合肥科技职业学院 Big data-based monitoring and reminding method
CN111026525A (en) * 2019-10-30 2020-04-17 哈尔滨安天科技集团股份有限公司 Scheduling method and device of cloud platform virtual diversion technology
CN111107099A (en) * 2019-12-28 2020-05-05 北京工业大学 Self-adaptive access control method suitable for mixed cloud environment
CN112104490A (en) * 2020-09-03 2020-12-18 杭州安恒信息安全技术有限公司 Network communication method and device based on cloud server and electronic device
CN113542160A (en) * 2021-05-27 2021-10-22 贵州电网有限责任公司 SDN-based method and system for pulling east-west flow in cloud
CN113824692A (en) * 2021-08-25 2021-12-21 中国人寿保险股份有限公司上海数据中心 Mixed cloud integrated protection system
CN114124585A (en) * 2022-01-28 2022-03-01 奇安信科技集团股份有限公司 Security defense method, device, electronic equipment and medium
CN114285629A (en) * 2021-12-22 2022-04-05 中国人民银行清算总中心 SDN same-region data flow access control method and SDN network

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101350781A (en) * 2008-07-31 2009-01-21 成都市华为赛门铁克科技有限公司 Method, equipment and system for monitoring flux
CN104468253A (en) * 2013-09-23 2015-03-25 中兴通讯股份有限公司 Deep packet inspection control method and device
CN104618379A (en) * 2015-02-04 2015-05-13 北京天地互连信息技术有限公司 IDC service scene-oriented security service arranging method and network structure

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘文懋: "《软件定义安全:SDN/NFV新型网络的安全揭秘》", 31 October 2016 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20170419)