CN106790091A - A kind of cloud security guard system and flow cleaning method - Google Patents

A kind of cloud security guard system and flow cleaning method

Info

Publication number
CN106790091A
Authority
CN
China
Prior art keywords
cloud
security
flow
virtual machine
secure resources
Prior art date
Legal status
Granted
Application number
CN201611207710.7A
Other languages
Chinese (zh)
Other versions
CN106790091B (en)
Inventor
张结辉
Current Assignee
Shenzhen Shenxinfu Electronic Technology Co Ltd
Original Assignee
Shenzhen Shenxinfu Electronic Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Shenzhen Shenxinfu Electronic Technology Co Ltd
Priority to CN201611207710.7A
Publication of CN106790091A
Application granted
Publication of CN106790091B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a cloud security guard system and a flow cleaning method. The system comprises a cloud platform and a cloud security service platform: the cloud platform is used to deploy virtual machines, and the cloud security service platform is used to deploy endpoint security on those virtual machines. The cloud security guard system further comprises a security resource pool, which is used to view and/or manage the endpoint security. The cloud security guard system of this embodiment achieves centralized management and security visualization, can control all security components in a unified way, and provides a display of the cloud platform's security state, which makes operation and management convenient for the user.

Description

A kind of cloud security guard system and flow cleaning method
Technical field
The present invention relates to the technical field of flow cleaning, and in particular to a cloud security guard system and a flow cleaning method based on cloud computing.
Background technology
The global cloud computing service market has kept growing rapidly in recent years. According to statistics, the global cloud computing service market reached 152.8 billion dollars in 2014, a growth rate of 17.9%; within it, the market for the typical service models Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) reached 42.5 billion dollars. Cloud services are growing at 4 times the rate of global IT spending, and their share of global IT spending is expected to rise from 3.6% in 2013 to 6.6% in 2018. Cloud computing services are increasingly becoming the new information infrastructure.
Cloud computing is one of the major changes in the whole IT field: computing resources have become large-scale and intensive, and production efficiency has risen markedly. What comes with it is the new challenge of protecting enterprise assets and sensitive data. In the 12 major cloud computing threats for 2016 announced by the Cloud Security Alliance (CSA) at the end of February, data leakage and the threats caused by weak identity or access management top the list. The main factors behind these threats are that, when an enterprise uses a cloud service, the cloud service is opaque to the tenant and the tenant lacks control over it, while conventional security solutions are difficult to deploy in front of the cloud service. Resolving these security difficulties has therefore become one of the prerequisites for an enterprise to migrate to the cloud.
Security solutions for cloud computing environments currently fall roughly into two classes. In the first, the cloud platform vendor provides basic security capabilities that solve the security problems of the platform layer, and the security of the business layer is ensured by the tenants themselves. In the second, traditional security vendors port their security hardware, in software form, onto the cloud platform to secure the cloud computing environment. A cloud computing environment, however, differs from a traditional network: the customer's business resources can scale elastically, so security is required to scale elastically as well, which cannot be achieved merely by turning conventional security hardware into software. In a cloud computing environment the same physical host can run the business data of multiple customers at the same time; there is no traditional physical boundary, the security boundary becomes blurred, and the control and visibility of east-west traffic between virtual machines become a problem. To ensure business continuity in a cloud computing environment, customer workloads may migrate between different cloud platforms, so customers need a unified and simpler security operation platform, which current cloud security schemes cannot provide.
The content of the invention
The invention provides a cloud security guard system and a flow cleaning method that have higher security and can achieve elastic scaling of customer business resources.
A first aspect of the embodiments of the present invention provides a cloud security guard system comprising a cloud platform and a cloud security service platform. The cloud platform is used to deploy virtual machines, and the cloud security service platform is used to deploy endpoint security on the virtual machines. The cloud security guard system further comprises a security resource pool, which is used to view and/or manage the endpoint security.
The security resource pool comprises at least one of the following components:
a virtual next-generation application firewall vNGAF, a virtual internet behavior management vAC, and a virtual SSL VPN.
The security resource pool is deployed centrally on several cloud computing nodes, or at least one of the components included in the security resource pool is deployed on the cloud computing nodes, where a cloud computing node comprises multiple virtual machines.
The security resource pool has at least one of the following functions:
providing north-south traffic security protection for the cloud platform, providing user management for the endpoint security, providing traffic visualization for the endpoint security, and providing security visualization for the endpoint security;
the security protection capability includes at least one of the following:
protection against website backdoor tools (webshell), antivirus, and anti-tampering.
The cloud security service platform has at least one of the following functions:
providing management of the cloud platform, traffic visualization, and security services.
The endpoint security has at least one of the following functions:
providing network security protection for the virtual machine, providing host security protection for the virtual machine, and providing security protection for the east-west traffic of the cloud platform;
the security protection capability includes at least one of the following:
protection against website backdoor tools (webshell), antivirus, and anti-tampering.
The cloud security service platform comprises a user interaction system, an authentication system, a security component system, a real-time information system, a log system and an alarm system;
the user interaction system is used to provide a control panel and/or a representational state transfer interface (REST API); the control panel is used to realize the interaction between the user and the cloud security guard system, and the cloud security service platform interacts with the cloud platform through the REST API;
the authentication system is used to verify user identity;
the security component system is used to interface with the cloud platform, and to manage the cloud platform and the endpoint security;
the real-time information system is used to feed back to the user real-time information about the security resource pool and/or the endpoint security;
the log system is used to obtain security logs of the security resource pool and/or the endpoint security, to analyze the security logs to generate an analysis result, and to feed the analysis result back to the user;
the alarm system is used to feed back alarm information to the user.
The authentication system also has at least one of the following functions:
token management, providing a service catalog of accessible resources, providing access control corresponding to the user identity, and service endpoint registration.
The real-time information includes at least one of the following:
traffic, running state, protection state, CPU usage and memory usage.
The analysis result is fed back to the user in the form of a visual chart and/or a security report.
A second aspect of the embodiments of the present invention provides a flow cleaning method based on the cloud security guard system of the first aspect. The flow cleaning method comprises:
diverting the traffic of a target virtual machine to the security resource pool according to a configured diversion method, where the number of target virtual machines is at least one and the target virtual machine is a virtual machine under a distributed denial of service (DDoS) attack;
determining, by the security resource pool according to a configured traffic diversion rule, the security resource corresponding to the target virtual machine;
cleaning the traffic of the target virtual machine by the security resource corresponding to the target virtual machine to generate cleaned traffic;
re-injecting the cleaned traffic into the target virtual machine by the security resource pool.
Before the security resource pool determines the security resource corresponding to the target virtual machine according to the configured traffic diversion rule, the method further comprises:
controlling the cloud security service platform to obtain, through the cloud platform, the target tenant information to which the target virtual machine belongs;
controlling the cloud security service platform to create the security resource on the security resource pool according to the target tenant information, the security resource corresponding to the target virtual machine;
controlling the cloud security service platform to generate the traffic diversion rule according to the target tenant information, the traffic diversion rule corresponding to the target virtual machine;
controlling the cloud security service platform to send the traffic diversion rule to the security resource pool.
Before diverting the traffic of the target virtual machine to the security resource pool according to the configured diversion method, the method further comprises:
receiving diversion method configuration information entered by the user;
configuring the diversion method according to the diversion method configuration information.
After the security resource corresponding to the target virtual machine cleans the traffic of the target virtual machine to generate the cleaned traffic, the method further comprises:
generating a flow cleaning security log by the security resource pool, the flow cleaning security log indicating how the security resource corresponding to the target virtual machine cleaned the traffic of the target virtual machine;
sending the flow cleaning security log to the cloud security service platform (CSSP) by the security resource pool.
The invention provides a cloud security guard system and a flow cleaning method. The system comprises a cloud platform and a cloud security service platform. The cloud security guard system of this embodiment achieves centralized management and security visualization, can control all security components in a unified way, and provides a display of the cloud platform's security state, which makes operation and management convenient for the user. The cloud security guard system of this embodiment also has higher security and can achieve elastic scaling of customer business resources.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of an embodiment of the cloud security guard system provided by the present invention;
Fig. 2 is a schematic structural diagram of one arrangement of the security resource pool provided by the present invention;
Fig. 3 is a schematic structural diagram of another arrangement of the security resource pool provided by the present invention;
Fig. 4 is a schematic structural diagram of an arrangement of the cloud security service platform provided by the present invention;
Fig. 5 is a flowchart of the steps of an embodiment of the flow cleaning method provided by the present invention.
Specific embodiment
The concrete structure of the cloud security guard system provided by the embodiment of the present invention is first explained with reference to Fig. 1:
As shown in Fig. 1, the cloud security guard system of the embodiment comprises:
A cloud security service platform 102 (Cloud Security Service Platform, CSSP), which is used in the cloud environment to provide functions such as unified management of each security component of the cloud platform, traffic visualization and security services.
A cloud platform 103, used to deploy virtual machines 106.
Specifically, the cloud platform 103 can implement the virtualization of the virtual machines 106, where virtualization means decoupling the operating system, and the application software on it, from the underlying physical devices.
This embodiment does not limit the cloud platform 103; for example, the cloud platform may be an OpenStack cloud computing management platform, a Huawei cloud platform, or a VMware cloud platform.
The cloud security service platform 102 of this embodiment is further used to deploy endpoint security (Endpoint Security, EPS) 105 on the virtual machines 106 of a tenant; the EPS 105 is used to provide network and host security protection capabilities for the virtual machines 106.
Specifically, in this embodiment the EPS 105 can provide protection of the east-west traffic of the cloud platform 103, including security functions such as webshell protection, antivirus and anti-tampering.
A security resource pool 104, which in this embodiment provides protection of the north-south traffic of the cloud platform 103.
This embodiment does not limit the security components included in the security resource pool 104; for example, the security resource pool 104 may include a next-generation firewall vNGAF, a virtual internet behavior management vAC, or a virtual SSL VPN vSSL.
Specifically, the security resource pool 104 provides the EPS 105 with unified tenant management, traffic visualization, security visualization, security services and similar functions; a tenant can view and manage the EPS 105 belonging to that tenant through the security resource pool 104, so as to view the traffic composition, security state and so on of the tenant's virtual machines.
A core router 101, used to forward data.
The arrangement of the security resource pool 104 is described below with reference to Fig. 2 and Fig. 3:
In one form, shown in Fig. 2, the security resource pool 104 is deployed centrally on several cloud computing nodes 201; specifically, the security components included in the security resource pool 104 are concentrated on several cloud computing nodes 201.
In another form, shown in Fig. 3, the security resource pool 104 is distributed over each cloud computing node 301 of the cloud platform; specifically, the security components included in the security resource pool 104 are distributed across the cloud computing nodes 301.
The concrete structure of the cloud security service platform CSSP is described below with reference to Fig. 4.
The cloud security service platform CSSP of this embodiment comprises:
a user interaction system 401, an authentication system 402, a security component system 403, a real-time information system 404, a log system 405 and an alarm system 406.
Specifically, the user interaction system 401 provides a web-accessible control panel (dashboard) and/or a REST API interface.
Specifically, the control panel allows a tenant to log in and manage security components; the functions a tenant can perform on the panel include, but are not limited to, viewing security logs and system configuration.
Specifically, the REST (Representational State Transfer) API interfaces are provided to third-party systems for secondary development and integration.
The authentication system 402 is mainly responsible for functions including, but not limited to, user identity verification, token management, providing a service catalog of accessible resources, and access control based on user roles.
Specifically, the authentication system 402 can check whether the user name and password are correct; the issuance of tokens, the registration of service endpoints, and whether the user has permission to access a certain resource are all handled by the authentication system 402.
The security component system 403 is mainly responsible for interfacing with OpenStack, VMware, vNGAF and EPS, and provides management functions for the cloud platform and the security components, such as creating a vNGAF or creating an EPS.
Specifically, a cloud platform API is provided in the security component system 403, so that the security component system 403 exchanges data with the cloud platform through the cloud platform API.
A vNGAF API is provided in the security component system 403, so that the security component system 403 exchanges data with the security resources through the vNGAF API.
An EPS API is provided in the security component system 403, so that the security component system 403 exchanges data with the virtual machines on which EPS is deployed through the EPS API.
The real-time information system 404 is responsible for collecting real-time state information from security components such as vNGAF and EPS and feeding it back to the tenant, for example traffic, running state, protection state, CPU usage and memory usage.
The log system 405 is responsible for collecting security logs from security components such as vNGAF and EPS, comprehensively analyzing the security logs, and outputting related visual charts or security reports that are fed back to the tenant.
The alarm system 406 is responsible for sending security alarms, system exception alarms and the like to the tenant, including but not limited to email alarms, SMS alarms and WeChat alarms.
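The functions assigned above to the authentication system 402 (identity verification, token issuance, the service catalog, endpoint registration and role-based access control) are modelled in the following Python program. It is added here as an illustration and is not code from the patent or from the applicant; the two roles, their permitted actions, the token lifetime and the injectable clock are assumptions made for the example.

```python
# Added example (not from the patent): a minimal model of the CSSP authentication system 402.
# Roles, actions, token lifetime and the clock are assumptions made for illustration.
import hashlib
import hmac
import secrets
import time


class AuthSystem:
    """Identity verification, token management, service catalog, endpoint registration
    and role-based access control, as the patent assigns them to the authentication system."""

    # Constructed role policy: which actions each role may perform through the CSSP.
    ROLE_ACTIONS = {
        "admin": {"create_vngaf", "create_eps", "view_logs", "system_config"},
        "tenant": {"view_logs", "view_traffic"},
    }

    def __init__(self, token_ttl=3600, clock=time.time):
        self.users = {}      # username -> (salt, password hash, role)
        self.tokens = {}     # token -> (username, expiry timestamp)
        self.endpoints = {}  # service name -> endpoint URL (the service catalog)
        self.token_ttl = token_ttl
        self.clock = clock   # injectable so expiry can be tested deterministically

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register_user(self, name, password, role):
        if role not in self.ROLE_ACTIONS:
            raise ValueError(f"unknown role {role!r}")
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, self._hash(password, salt), role)

    def register_endpoint(self, service, url):
        """Service endpoint registration."""
        self.endpoints[service] = url

    def authenticate(self, name, password):
        """Verify the user name and password; issue a bearer token on success, else None."""
        record = self.users.get(name)
        if record is None:
            self._hash(password, b"\0" * 16)  # same cost as a real check: no user enumeration
            return None
        salt, stored, _role = record
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (name, self.clock() + self.token_ttl)
        return token

    def validate(self, token):
        """Return the user name behind a live token, or None if it is unknown or expired."""
        entry = self.tokens.get(token)
        if entry is None:
            return None
        name, expiry = entry
        if self.clock() >= expiry:
            del self.tokens[token]
            return None
        return name

    def revoke(self, token):
        self.tokens.pop(token, None)

    def authorize(self, token, action):
        """Role-based access control: may the token holder perform this action?"""
        name = self.validate(token)
        if name is None:
            return False
        return action in self.ROLE_ACTIONS[self.users[name][2]]

    def service_catalog(self, token):
        """Catalog of accessible resources: registered endpoints plus the caller's actions."""
        name = self.validate(token)
        if name is None:
            return None
        role = self.users[name][2]
        return {"endpoints": dict(self.endpoints), "actions": sorted(self.ROLE_ACTIONS[role])}
```

A tenant token can read logs but is refused the create_vngaf action that an admin token is granted, and once the clock passes the expiry every later validate, authorize and service_catalog call on that token fails.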
The beneficial effects of the cloud security guard system of this embodiment are:
The cloud security guard system provided by this embodiment can realize various functions, such as flow cleaning, including multi-layer flow cleaning such as firewall (WAF) flow cleaning, intrusion prevention system (IPS) flow cleaning and security gateway (UTM) flow cleaning, as well as the cleaning of north-south traffic and east-west traffic.
The cloud security guard system of this embodiment can also extend its security capabilities, that is, it supports various security components, including the next-generation firewall vNGAF, security behavior control vAC, data security encryption vSSL, and the webshell protection, anti-tampering and antivirus of endpoint security EPS.
The cloud security guard system of this embodiment can also realize centralized management and security visualization; the CSSP can control all security components in a unified way and provide functions such as displaying the security state of the cloud platform, which facilitates user operation and management.
The cloud security guard system of this embodiment can also realize multi-tenant management, so that tenants manage their own security resources, which makes the cloud security guard system controllable and easy to maintain.
Optionally, the process by which the cloud security guard system provided by the embodiment realizes flow cleaning is illustrated below:
The flow cleaning method of this embodiment is based on the cloud security guard system of the embodiment above; the concrete structure of the cloud security guard system is not repeated here.
The flow cleaning method provided by this embodiment is described below with reference to Fig. 5:
Step 501: the core router receives diversion method configuration information entered by the user.
When flow cleaning is needed, the user can enter diversion method configuration information through the core router; the diversion method configuration information instructs the core router to divert the traffic that needs cleaning to the security resource pool.
The diversion method configuration information of this embodiment may be information for configuring a policy route, or other configuration information capable of achieving diversion.
Step 502: the core router configures the diversion method according to the diversion method configuration information.
After receiving the diversion method configuration information entered by the user, the core router can configure the diversion method, so that the core router can divert the traffic of the virtual machine according to the diversion method.
Specifically, the detailed process by which the core router configures the diversion method may be that the core router updates its routing table entries according to the diversion method configuration information entered by the user, thereby configuring the diversion method.
Step 503: the core router diverts the traffic of the target virtual machine to the security resource pool according to the configured diversion method.
In this embodiment, the number of target virtual machines is at least one, and the target virtual machine is a virtual machine under a distributed denial of service (DDoS) attack; that is, the target virtual machine of this embodiment is the virtual machine whose traffic needs cleaning.
Specifically, an endpoint security EPS client is installed on the target virtual machine of this embodiment, and the EPS client of the target virtual machine is connected to the cloud security service platform CSSP.
Step 504: the cloud security service platform CSSP obtains, through the cloud platform, the target tenant information to which the target virtual machine belongs.
Specifically, the cloud security service platform CSSP of this embodiment interacts with the cloud platform through its REST API interface, so that the CSSP can obtain the target tenant information from the cloud platform.
Specifically, the target tenant information is the information of the tenant whose traffic needs cleaning.
It should be noted that no order of execution is imposed between step 504 and steps 501 to 503 of this embodiment.
Step 505: the cloud security service platform CSSP creates a security resource on the security resource pool according to the target tenant information.
Specifically, the security resource created by the cloud security service platform CSSP corresponds to the target virtual machine.
The security resource pool of this embodiment is capable of cleaning the traffic of virtual machines.
Step 506: the cloud security service platform CSSP generates a traffic diversion rule according to the target tenant information.
The traffic diversion rule of this embodiment corresponds to the target virtual machine.
The traffic diversion rule is used to indicate the security resource corresponding to the target virtual machine.
Step 507: the cloud security service platform CSSP sends the traffic diversion rule to the security resource pool.
Step 508: the security resource pool determines the security resource corresponding to the target virtual machine according to the configured traffic diversion rule.
In this embodiment, the security resource pool determines the security resource corresponding to the target virtual machine according to the traffic diversion rule.
This embodiment does not limit the traffic diversion rule, as long as the security resource pool can determine the security resource corresponding to the target virtual machine from it.
Step 509: the security resource corresponding to the target virtual machine cleans the traffic of the target virtual machine to generate cleaned traffic.
Specifically, the security resource can filter attack packets out of the traffic of the virtual machine corresponding to it, so as to accurately detect and block distributed denial of service (DDoS) attacks and unknown malicious traffic at the various network layers and the application layer.
The security resource supports a rich set of attack defense functions, for example defense against common attacks such as SYN Flood, UDP Flood, ICMP Flood, ACK Flood, RST Flood, DNS Query Flood and HTTP Get Flood.
Step 510: the security resource pool re-injects the cleaned traffic into the target virtual machine.
Specifically, for traffic re-injection, a tunnel for transmitting traffic is established between the security resource pool and the core router; after the security resource pool finishes cleaning the virtual machine's traffic, it can send the cleaned traffic to the core router through the established tunnel, and the core router forwards the cleaned traffic to the virtual machine.
It should be noted that this description of traffic re-injection is an optional example and not a limitation; as long as the security resource pool can send the cleaned traffic to the target virtual machine, the concrete method is not limited.
Step 511: the security resource pool generates a flow cleaning security log.
The flow cleaning security log of this embodiment is used to indicate how the security resource corresponding to the target virtual machine cleaned the traffic of the target virtual machine.
Step 512: the security resource pool sends the flow cleaning security log to the cloud security service platform CSSP.
The cloud security service platform CSSP can display the flow cleaning security log, so that the user understands how the traffic of the target virtual machine was cleaned.
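The following Python program is added here as an illustration of steps 501 to 512 above and of the method as summarized in the second aspect; it is not code from the patent or from the applicant. The classes are named after the patent's components (core router, security resource pool, security resource, CSSP). The per-source packet-count threshold used for flood filtering, the VM-to-tenant map standing in for the cloud platform, the set-based policy route and the sample traffic are all assumptions made for the example.

```python
# Added example (not from the patent): a simulation of the flow cleaning method, steps 501-512.
# Component names follow the patent; the data structures, flood threshold and sample traffic are assumed.
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "TCP", "UDP" or "ICMP"
    flags: str = ""  # TCP flag of interest: "SYN", "ACK", "RST"

def flood_class(p):
    # Which flood defence (SYN Flood, UDP Flood, ICMP Flood, ...) a packet is counted against.
    return f"{p.flags or p.proto} Flood" if p.proto == "TCP" else f"{p.proto} Flood"

class SecurityResource:
    """vNGAF-style scrubbing instance for one tenant (step 505). The patent names the flood
    types but not the detection method; a per-source packet count per class is assumed."""
    def __init__(self, resource_id, tenant, flood_threshold=20):
        self.resource_id, self.tenant, self.flood_threshold = resource_id, tenant, flood_threshold

    def clean(self, packets):
        """Step 509: drop every packet of a source that exceeds the threshold in a class."""
        counts = Counter((flood_class(p), p.src) for p in packets)
        kept, dropped = [], Counter()
        for p in packets:
            if counts[(flood_class(p), p.src)] > self.flood_threshold:
                dropped[flood_class(p)] += 1
            else:
                kept.append(p)
        return kept, dropped

class SecurityResourcePool:
    def __init__(self):
        self.resources = {}       # resource id -> SecurityResource
        self.drainage_rules = {}  # VM address -> resource id, installed in step 507
        self.logs = []            # flow cleaning security logs, step 511

    def create_resource(self, tenant):
        rid = f"res-{tenant}"
        self.resources.setdefault(rid, SecurityResource(rid, tenant))
        return rid

    def scrub(self, packets):
        """Steps 508, 509 and 511: pick the resource for each target VM, clean, and log."""
        by_vm = defaultdict(list)
        for p in packets:
            by_vm[p.dst].append(p)
        cleaned = []
        for vm, pkts in by_vm.items():
            res = self.resources[self.drainage_rules[vm]]  # KeyError: diverted VM has no rule
            kept, dropped = res.clean(pkts)
            cleaned.extend(kept)
            self.logs.append({"vm": vm, "tenant": res.tenant, "resource": res.resource_id,
                              "received": len(pkts), "passed": len(kept), "dropped": dict(dropped)})
        return cleaned

class CoreRouter:
    def __init__(self):
        self.policy_routes = set()  # VM addresses whose traffic is policy-routed to the pool

    def configure_drainage(self, config):
        """Steps 501 and 502: update the policy-route entries from the user's configuration."""
        self.policy_routes.update(config["divert"])

    def route(self, packets):
        """Step 503: traffic for diverted VMs goes to the pool, the rest is forwarded directly."""
        diverted = [p for p in packets if p.dst in self.policy_routes]
        return diverted, [p for p in packets if p.dst not in self.policy_routes]

    def reinject(self, cleaned):
        """Step 510: cleaned traffic comes back over the tunnel and is forwarded per VM."""
        return dict(Counter(p.dst for p in cleaned))

def cssp_protect(vm_owner, pool, vm):
    """Steps 504 to 507 as performed by the CSSP: look up the tenant through the cloud platform
    (a constructed VM -> tenant map here), create the resource, install the diversion rule."""
    tenant = vm_owner[vm]
    rule = {"vm": vm, "tenant": tenant, "resource": pool.create_resource(tenant)}
    pool.drainage_rules[vm] = rule["resource"]
    return rule

def build_sample_traffic():
    """Constructed traffic: a SYN flood from one source at VM 10.0.0.5, five legitimate
    connection attempts to the same VM, and unrelated UDP to VM 10.0.0.6."""
    flood = [Packet("203.0.113.9", "10.0.0.5", "TCP", "SYN") for _ in range(50)]
    legit = [Packet(f"198.51.100.{i}", "10.0.0.5", "TCP", "SYN") for i in range(1, 6)]
    return flood + legit + [Packet("198.51.100.7", "10.0.0.6", "UDP") for _ in range(3)]

def run_flow_cleaning(traffic=None):
    """Run the method end to end; the logs returned are what the pool sends to the CSSP (step 512)."""
    traffic = build_sample_traffic() if traffic is None else traffic
    vm_owner = {"10.0.0.5": "tenant-a", "10.0.0.6": "tenant-b"}
    pool, router = SecurityResourcePool(), CoreRouter()
    router.configure_drainage({"divert": ["10.0.0.5"]})  # only the attacked VM is diverted
    cssp_protect(vm_owner, pool, "10.0.0.5")
    diverted, direct = router.route(traffic)
    cleaned = pool.scrub(diverted)
    return {"diverted": len(diverted), "direct": len(direct),
            "delivered": router.reinject(cleaned), "logs": list(pool.logs)}
```

On the constructed traffic, run_flow_cleaning() diverts the 55 packets addressed to the attacked VM, drops the 50 SYN packets from the single flooding source, re-injects the 5 legitimate packets, and produces one flow cleaning security log for the CSSP; the 3 packets for the other VM never leave the core router. Updating the divert list and the drainage rule is the only configuration change needed to protect a further VM, which is the point the patent makes about not touching network or hardware deployment.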
The beneficial effects of the flow cleaning method of this embodiment are:
All the security software and resources in the cloud computing environment are brought together, and unified management of the security resources can be provided. With the flow cleaning method of this embodiment, the core router can divert the traffic of the target virtual machine to the security resource pool according to the configured diversion method; the security resource corresponding to the target virtual machine can clean the traffic of the target virtual machine to generate cleaned traffic; and the security resource pool can re-inject the cleaned traffic into the target virtual machine. Thus the flow cleaning method of this embodiment can effectively clean the traffic of an attacked virtual machine, and when business demand changes only the configuration of the diversion method and the traffic diversion rule need to be updated, without reconfiguring the network or deploying or changing hardware devices, so that the cleaning of virtual machine traffic is achieved simply and flexibly.
It will be apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system, apparatus and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only one division of logical functions, and other divisions are possible in practice, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections of apparatuses or units through some interfaces, and may be electrical, mechanical or of other forms.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional units in the embodiments of the invention may be integrated into one processing unit, may each exist physically on their own, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware or in the form of a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method of each embodiment of the invention. The storage medium includes media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above embodiments are merely intended to illustrate the technical solutions of the invention and not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without departing in essence from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (14)

1. A cloud security protection system, characterised in that it comprises a cloud platform and a cloud security service platform, the cloud platform being used to deploy virtual machines and the cloud security service platform being used to deploy endpoint security on the virtual machines; the cloud security protection system further comprises a security resource pool, which is used to check and/or manage the endpoint security.
2. The system according to claim 1, characterised in that the security resource pool comprises at least one of the following components:
a virtual next-generation application firewall vNGAF, a virtual internet behaviour management vAC, and a virtual SSL VPN.
3. The system according to claim 2, characterised in that the security resource pool is deployed centrally on a plurality of cloud computing nodes, or at least one of the components contained in the security resource pool is deployed on the cloud computing nodes, each cloud computing node comprising a plurality of virtual machines.
4. The system according to claim 3, characterised in that the security resource pool comprises at least one of the following functions:
providing north-south traffic security protection capability to the cloud platform, providing user management for the endpoint security, providing traffic visibility for the endpoint security, and providing security visibility for the endpoint security;
the security protection capability comprises at least one of the following:
website webshell backdoor protection, antivirus and anti-tampering.
5. The system according to claim 1, characterised in that the cloud security service platform comprises at least one of the following functions:
providing management, traffic visibility and security services to the cloud platform.
6. The system according to claim 1, characterised in that the endpoint security comprises at least one of the following functions:
providing network security protection capability for the virtual machine, providing host security protection capability for the virtual machine, and providing security protection capability for east-west traffic of the cloud platform;
the security protection capability comprises at least one of the following:
website webshell backdoor protection, antivirus and anti-tampering.
7. The system according to any one of claims 1 to 6, characterised in that the cloud security service platform comprises a user interaction system, an authentication system, a security component system, a real-time information system, a log system and an alarm system;
the user interaction system is used to provide a control panel and/or a representational state transfer interface REST API, the control panel being used to implement interaction between the user and the cloud security protection system, and the cloud security service platform interacting with the cloud platform through the REST API;
the authentication system is used to verify user identity;
the security component system is used to interface with the cloud platform and to manage the cloud platform and the endpoint security;
the real-time information system is used to feed back real-time information of the security resource pool and/or the endpoint security to the user;
the log system is used to obtain security logs of the security resource pool and/or the endpoint security, to analyse the security logs to generate analysis results, and to feed the analysis results back to the user;
the alarm system is used to feed alarm information back to the user.
8. The system according to claim 7, characterised in that the authentication system further comprises at least one of the following functions:
token management, providing a service catalogue of accessible resources, providing access control corresponding to the user identity, and registration of service endpoints.
9. The system according to claim 7, characterised in that the real-time information comprises at least one of the following:
traffic, running status, protection status, CPU usage and memory usage.
10. The system according to claim 7, characterised in that the analysis results are fed back to the user in the form of visual charts and/or security reports.
11. A flow cleaning method, characterised in that it is based on the cloud security protection system according to any one of claims 1 to 10 and comprises:
diverting the traffic of a target virtual machine to the security resource pool according to a configured diversion mode, the number of target virtual machines being at least one and the target virtual machine being a virtual machine under a distributed denial of service DDoS attack;
determining, by the security resource pool, the security resource corresponding to the target virtual machine according to a configured traffic steering rule;
cleaning the traffic of the target virtual machine by the security resource corresponding to the target virtual machine to generate cleaned traffic;
re-injecting the cleaned traffic into the target virtual machine by the security resource pool.
12. The method according to claim 11, characterised in that, before the security resource pool determines the security resource corresponding to the target virtual machine according to the configured traffic steering rule, the method further comprises:
controlling the cloud security service platform to obtain, through the cloud platform, the target tenant information to which the target virtual machine belongs;
controlling the cloud security service platform to create the security resource on the security resource pool according to the target tenant information, the security resource corresponding to the target virtual machine;
controlling the cloud security service platform to generate the traffic steering rule according to the target tenant information, the traffic steering rule corresponding to the target virtual machine;
controlling the cloud security service platform to send the traffic steering rule to the security resource pool.
13. The method according to claim 11, characterised in that, before diverting the traffic of the target virtual machine to the security resource pool according to the configured diversion mode, the method further comprises:
receiving diversion mode configuration information input by the user;
configuring the diversion mode according to the diversion mode configuration information.
14. The method according to claim 11, characterised in that, after the security resource corresponding to the target virtual machine cleans the traffic of the target virtual machine to generate the cleaned traffic, the method further comprises:
generating, by the security resource pool, a flow cleaning security log, the flow cleaning security log indicating how the security resource corresponding to the target virtual machine cleaned the traffic of the target virtual machine;
sending, by the security resource pool, the flow cleaning security log to the cloud security service platform CSSP.
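The following Python model is an added illustration of the flow cleaning method of claims 11 to 14 (and of the embodiment summary above); it is not code from the patent or its assignee. The core router diverts the traffic of a VM named in the user's diversion configuration to the security resource pool, the CSSP resolves the VM's tenant, creates the tenant's security resource and pushes the steering rule to the pool, and the pool cleans the traffic, re-injects it and reports a flow cleaning security log to the CSSP. The cleaning policy (a per-source packet budget), the VM, tenant and resource names and the IP addresses are all constructed for the example.

```python
from collections import Counter, namedtuple
from dataclasses import dataclass, field

# Constructed cloud platform inventory (VM id -> tenant id); all names are hypothetical.
PLATFORM_TENANTS = {"vm-a": "tenant-1", "vm-b": "tenant-2"}
Packet = namedtuple("Packet", "src dst_vm")  # source IP, destination virtual machine

@dataclass
class SecurityResourcePool:
    """Per-tenant security resources, steering rules (VM -> resource) and cleaning logs."""
    resources: dict = field(default_factory=dict)       # resource id -> settings
    steering_rules: dict = field(default_factory=dict)  # VM id -> resource id
    logs: list = field(default_factory=list)

    def create_resource(self, tenant, max_pkts_per_src=3):
        rid = f"res-{tenant}"
        self.resources[rid] = {"tenant": tenant, "max_pkts_per_src": max_pkts_per_src}
        return rid

    def clean(self, vm, packets):
        """Pick the resource via the steering rule, clean the VM's traffic, log the result.
        Hypothetical policy: drop every source that exceeds a per-source packet budget
        (a crude stand-in for a volumetric DDoS filter)."""
        rid = self.steering_rules.get(vm)
        if rid is None:  # diverted traffic without a steering rule is a configuration error
            raise LookupError(f"no steering rule for {vm}")
        budget = self.resources[rid]["max_pkts_per_src"]
        per_src = Counter(p.src for p in packets)
        cleaned = [p for p in packets if per_src[p.src] <= budget]
        self.logs.append({"vm": vm, "resource": rid, "in": len(packets), "out": len(cleaned),
                          "dropped_sources": sorted(s for s, n in per_src.items() if n > budget)})
        return cleaned

class CloudSecurityServicePlatform:
    """CSSP: resolves the VM's tenant, creates its resource, generates and pushes the rule."""
    def __init__(self, pool, tenants):
        self.pool, self.tenants, self.received_logs = pool, tenants, []

    def provision(self, vm):
        rid = self.pool.create_resource(self.tenants[vm])  # tenant info from the cloud platform
        self.pool.steering_rules[vm] = rid                  # steering rule sent to the pool
        return rid

@dataclass
class CoreRouter:
    """Diverts traffic of VMs in the user's diversion configuration to the pool."""
    diversion: dict = field(default_factory=dict)  # VM id -> diversion mode, e.g. "pbr"

    def configure_diversion(self, config):
        self.diversion.update(config)

    def forward(self, packets, pool, cssp):
        by_vm, delivered = {}, {}
        for p in packets:
            by_vm.setdefault(p.dst_vm, []).append(p)
        for vm, pkts in by_vm.items():
            if vm in self.diversion:  # divert -> clean -> re-inject into the VM
                pkts = pool.clean(vm, pkts)
                cssp.received_logs.append(pool.logs[-1])  # pool reports the log to the CSSP
            delivered[vm] = pkts
        return delivered

def demo():
    """Constructed scenario: vm-a is flooded and diverted; vm-b sees the same flood undiverted."""
    pool = SecurityResourcePool()
    cssp = CloudSecurityServicePlatform(pool, PLATFORM_TENANTS)
    router = CoreRouter()
    router.configure_diversion({"vm-a": "pbr"})  # user-supplied diversion configuration
    cssp.provision("vm-a")
    traffic = [Packet("10.0.0.9", "vm-a")] * 5 + [Packet("10.0.0.1", "vm-a"), Packet("10.0.0.2", "vm-a")]
    traffic += [Packet("10.0.0.9", "vm-b")] * 5
    return router.forward(traffic, pool, cssp), cssp.received_logs
```

The undiverted vm-b shows why the diversion configuration and the steering rule are both needed: a VM the router does not divert is never seen by the pool, so its traffic is delivered unfiltered and no log reaches the CSSP.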
CN201611207710.7A 2016-12-23 2016-12-23 Cloud safety protection system and flow cleaning method Active CN106790091B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611207710.7A CN106790091B (en) 2016-12-23 2016-12-23 Cloud safety protection system and flow cleaning method

Publications (2)

Publication Number Publication Date
CN106790091A true CN106790091A (en) 2017-05-31
CN106790091B CN106790091B (en) 2020-10-27

Family

ID=58919175

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611207710.7A Active CN106790091B (en) 2016-12-23 2016-12-23 Cloud safety protection system and flow cleaning method

Country Status (1)

Country Link
CN (1) CN106790091B (en)

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107454082A (en) * 2017-08-07 2017-12-08 中国人民解放军信息工程大学 Secure cloud service construction method and device based on mimicry defence
CN108040067A (en) * 2017-12-26 2018-05-15 北京星河星云信息技术有限公司 A kind of cloud platform intrusion detection method, apparatus and system
CN108173694A (en) * 2017-12-29 2018-06-15 深信服科技股份有限公司 The secure resources pond cut-in method and system of a kind of data center
CN108449314A (en) * 2018-02-02 2018-08-24 杭州迪普科技股份有限公司 A kind of flow lead method and apparatus
CN108809963A (en) * 2018-05-24 2018-11-13 中国科学院计算机网络信息中心 Secure resource sharing method, apparatus and storage medium
CN109167795A (en) * 2018-09-27 2019-01-08 深信服科技股份有限公司 A kind of safety defense system and method
CN109688242A (en) * 2018-12-27 2019-04-26 深信服科技股份有限公司 A kind of cloud guard system and method
CN109787939A (en) * 2017-11-14 2019-05-21 北京星河星云信息技术有限公司 A kind of cloud security system of defense and its user's method for building up
CN109922021A (en) * 2017-12-12 2019-06-21 中国电信股份有限公司 Security protection system and safety protecting method
CN110365577A (en) * 2019-07-24 2019-10-22 北京神州绿盟信息安全科技股份有限公司 A kind of drainage system in secure resources pond
CN110611637A (en) * 2018-06-14 2019-12-24 北京安天网络安全技术有限公司 Online network threat detection method and system based on VPN flow traction
CN110855714A (en) * 2019-11-29 2020-02-28 广州鲁邦通物联网科技有限公司 Secure connection method and system for multi-tenant equipment
CN111224922A (en) * 2018-11-26 2020-06-02 顺丰科技有限公司 Distributed security group module access control method and system
CN111431914A (en) * 2020-03-30 2020-07-17 贵州电网有限责任公司 Energy internet cloud platform safety protection method and system
CN111556047A (en) * 2020-04-24 2020-08-18 杭州安恒信息技术股份有限公司 Deployment method of security service in private cloud environment
CN111970242A (en) * 2020-07-15 2020-11-20 深信服科技股份有限公司 Cloud security protection method and device and storage medium
CN112291232A (en) * 2020-10-27 2021-01-29 中国联合网络通信有限公司深圳市分公司 Safety capability and safety service chain management platform based on tenants
CN112364342A (en) * 2020-11-04 2021-02-12 深圳供电局有限公司 Safety protection system based on cloud platform
CN114386944A (en) * 2022-01-11 2022-04-22 南方电网数字电网研究院有限公司 System for distributing cloud security resources
CN114448674A (en) * 2021-12-27 2022-05-06 天翼云科技有限公司 Distributed flow cleaning method and system
CN114760152A (en) * 2022-06-14 2022-07-15 湖南警察学院 Cloud data center virtualization node network security early warning method
CN115664948A (en) * 2022-12-28 2023-01-31 北京六方云信息技术有限公司 Method, device, system and storage medium for automatic configuration and issuing of virtual resources

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104243569A (en) * 2014-09-09 2014-12-24 安徽四创电子股份有限公司 City operation system
CN104378387A (en) * 2014-12-09 2015-02-25 浪潮电子信息产业股份有限公司 Method for protecting information security under virtualization platform
CN104917653A (en) * 2015-06-26 2015-09-16 北京奇虎科技有限公司 Virtual flow monitoring method based on cloud platform and device thereof
CN105245504A (en) * 2015-09-10 2016-01-13 北京汉柏科技有限公司 North-south flow safety protection system in cloud computing network
CN105376246A (en) * 2015-11-30 2016-03-02 中国电子科技网络信息安全有限公司 Adaptive generation management system and method of security strategy based on SDN

Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107454082A (en) * 2017-08-07 2017-12-08 中国人民解放军信息工程大学 Secure cloud service construction method and device based on mimicry defence
CN109787939A (en) * 2017-11-14 2019-05-21 北京星河星云信息技术有限公司 A kind of cloud security system of defense and its user's method for building up
CN109922021B (en) * 2017-12-12 2022-03-08 中国电信股份有限公司 Safety protection system and safety protection method
CN109922021A (en) * 2017-12-12 2019-06-21 中国电信股份有限公司 Security protection system and safety protecting method
CN108040067A (en) * 2017-12-26 2018-05-15 北京星河星云信息技术有限公司 A kind of cloud platform intrusion detection method, apparatus and system
CN108040067B (en) * 2017-12-26 2021-07-06 北京星河星云信息技术有限公司 Cloud platform intrusion detection method, device and system
CN108173694A (en) * 2017-12-29 2018-06-15 深信服科技股份有限公司 The secure resources pond cut-in method and system of a kind of data center
CN108173694B (en) * 2017-12-29 2021-05-04 深信服科技股份有限公司 Security resource pool access method and system of data center
CN108449314B (en) * 2018-02-02 2020-12-29 杭州迪普科技股份有限公司 Flow traction method and device
CN108449314A (en) * 2018-02-02 2018-08-24 杭州迪普科技股份有限公司 A kind of flow lead method and apparatus
CN108809963A (en) * 2018-05-24 2018-11-13 中国科学院计算机网络信息中心 Secure resource sharing method, apparatus and storage medium
CN110611637A (en) * 2018-06-14 2019-12-24 北京安天网络安全技术有限公司 Online network threat detection method and system based on VPN flow traction
CN109167795B (en) * 2018-09-27 2022-03-22 深信服科技股份有限公司 Security defense system and method
CN109167795A (en) * 2018-09-27 2019-01-08 深信服科技股份有限公司 A kind of safety defense system and method
CN111224922A (en) * 2018-11-26 2020-06-02 顺丰科技有限公司 Distributed security group module access control method and system
CN109688242A (en) * 2018-12-27 2019-04-26 深信服科技股份有限公司 A kind of cloud guard system and method
CN110365577A (en) * 2019-07-24 2019-10-22 北京神州绿盟信息安全科技股份有限公司 A kind of drainage system in secure resources pond
CN110365577B (en) * 2019-07-24 2021-10-15 绿盟科技集团股份有限公司 Drainage system of safety resource pool and safety inspection method
CN110855714A (en) * 2019-11-29 2020-02-28 广州鲁邦通物联网科技有限公司 Secure connection method and system for multi-tenant equipment
CN110855714B (en) * 2019-11-29 2021-09-14 广州鲁邦通物联网科技有限公司 Secure connection method and system for multi-tenant equipment
CN111431914A (en) * 2020-03-30 2020-07-17 贵州电网有限责任公司 Energy internet cloud platform safety protection method and system
CN111556047B (en) * 2020-04-24 2022-07-12 杭州安恒信息技术股份有限公司 Deployment method of security service in private cloud environment
CN111556047A (en) * 2020-04-24 2020-08-18 杭州安恒信息技术股份有限公司 Deployment method of security service in private cloud environment
CN111970242A (en) * 2020-07-15 2020-11-20 深信服科技股份有限公司 Cloud security protection method and device and storage medium
CN111970242B (en) * 2020-07-15 2022-09-30 深信服科技股份有限公司 Cloud security protection method and device and storage medium
CN112291232B (en) * 2020-10-27 2021-06-04 中国联合网络通信有限公司深圳市分公司 Safety capability and safety service chain management platform based on tenants
CN112291232A (en) * 2020-10-27 2021-01-29 中国联合网络通信有限公司深圳市分公司 Safety capability and safety service chain management platform based on tenants
CN112364342A (en) * 2020-11-04 2021-02-12 深圳供电局有限公司 Safety protection system based on cloud platform
CN114448674A (en) * 2021-12-27 2022-05-06 天翼云科技有限公司 Distributed flow cleaning method and system
CN114386944A (en) * 2022-01-11 2022-04-22 南方电网数字电网研究院有限公司 System for distributing cloud security resources
CN114760152A (en) * 2022-06-14 2022-07-15 湖南警察学院 Cloud data center virtualization node network security early warning method
CN114760152B (en) * 2022-06-14 2022-08-19 湖南警察学院 Cloud data center virtualization node network security early warning method
CN115664948A (en) * 2022-12-28 2023-01-31 北京六方云信息技术有限公司 Method, device, system and storage medium for automatic configuration and issuing of virtual resources

Also Published As

Publication number Publication date
CN106790091B (en) 2020-10-27

Similar Documents

Publication Publication Date Title
CN106790091A (en) A kind of cloud security guard system and flow cleaning method
US9906557B2 (en) Dynamically generating a packet inspection policy for a policy enforcement point in a centralized management environment
WO2021017279A1 (en) Cluster security management method and apparatus based on kubernetes and network domain, and storage medium
CN107925589B (en) Method and medium for processing remote device data messages entering a logical overlay network
US11265292B1 (en) Graph based management of virtualized infrastructures
US10979452B2 (en) Blockchain-based malware containment in a network resource
CN105100026B (en) A kind of safe retransmission method of message and device
US20180191838A1 (en) Virtual network function migration
US20130298184A1 (en) System and method for monitoring application security in a network environment
Das et al. Blockchain enabled sdn framework for security management in 5g applications
KR20210022732A (en) Automated packetless network reachability analysis
CN108040055A (en) A kind of fire wall combined strategy and safety of cloud service protection
WO2007056691A2 (en) Systems and methods for remote rogue protocol enforcement
US9917775B2 (en) Intelligent devices in a software-defined network
US20190052669A1 (en) Biology Based Techniques for Handling Information Security and Privacy
CN104113522A (en) Design of virtual firewall assembly acting on cloud computing data center security domain
CN105592016B (en) The protective device of virtual machine under a kind of cloud environment of power information system
US20240205243A1 (en) Intelligent quarantine on switch fabric for physical and virtualized infrastructure
CN108881299A (en) The safe O&M method and device thereof of private clound platform information system
Majhi et al. A study on security vulnerability on cloud platforms
Mishra et al. Efficient approaches for intrusion detection in cloud environment
TaheriMonfared et al. Handling compromised components in an IaaS cloud installation
CN112511562A (en) Cross-network data transmission system based on one-way isolation all-in-one machine and cloud desktop technology
Ali et al. Network architecture and security issues in campus networks
Shukla et al. Discerning the threats in cloud computing security

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Nanshan District Xueyuan Road in Shenzhen city of Guangdong province 518052 No. 1001 Nanshan Chi Park building A1 layer

Applicant after: SANGFOR TECHNOLOGIES Inc.

Address before: Nanshan District Xueyuan Road in Shenzhen city of Guangdong province 518055 No. 1001 Nanshan Chi Park building A1 layer

Applicant before: Sangfor Technologies Co.,Ltd.

GR01 Patent grant