CN107332851A - Configuration method and system for traffic control in a virtual environment - Google Patents
- Publication number: CN107332851A (application CN201710552136.7A)
- Authority: CN (China)
- Prior art keywords: information, access, host agent, server, sent
- Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Classifications
(CPC, all under H04L63/00: network architectures or network communication protocols for network security)
- H04L63/02: separating internal from external traffic, e.g. firewalls
  - H04L63/0227: filtering policies; H04L63/0263: rule management
  - H04L63/0272: virtual private networks
  - H04L63/0281: proxies
- H04L63/10: controlling access to devices or network resources
- H04L63/14: detecting or protecting against malicious traffic
  - H04L63/1408: by monitoring network traffic; H04L63/1425: traffic logging, e.g. anomaly detection
Abstract
This application discloses a configuration method for traffic control in a virtual environment, comprising: a management server receives server host information and service port information sent by a host agent; according to the server host information and the service port information, it configures a corresponding application role for each service and assigns the server host to a corresponding business domain; it configures access policy rules for the application roles and the business domains; and it sends the access policy rules to the host agent, which enforces them. By configuring application roles and business domains from the port information of the virtual hosts, and then configuring the access policy rules that the host agent enforces, control over access traffic and application roles is achieved, so that authority control can be applied to business access to the virtual hosts and intrusion by unauthorized access is prevented. Also disclosed is a configuration system for traffic control in a virtual environment, with the above beneficial effects.
Description
Technical field
This application relates to the field of virtual environment control, and in particular to a traffic access control method and system for a virtual environment.
Background technology
With the rapid development of information technology, more and more organizations and enterprises need information technology to solve problems in actual production and must deploy the corresponding services on servers or hosts; because of host costs, they have had to look for other solutions. Cloud computing and big data application technologies therefore arose, and virtualized data centres developed with them at an unprecedented pace. Because cloud computing is quick to set up, offers complete and systematic services and has a better price/performance ratio, a large number of organizational and enterprise customers have completed the construction of virtualized data centres and have also bought and deployed the related security equipment at the network border.
However, building virtualization services restructures the original IT service business and breaks the original IT infrastructure: the mode of providing services from several physically present service hosts changes to one in which several virtual hosts created on a small number of physical hosts provide the services. The management solutions of the original security methods no longer apply, and because several virtual hosts all reside on the same physical host, new security problems are introduced.
In traditional IT solutions, the security boundary takes the host as the smallest management unit: the services provided by hosts can be divided into security domains for different business, and the access control policies between domains can be configured. Because the smallest management unit is a physically present physical host, access control policies can be configured between physical hosts. But now all business services run on the platform of a virtualized data centre, the business domains cannot be divided at the physical layer, and so the access control policies between domains cannot be configured.
At the same time, without a way to configure the access control policies between domains, there is no way to manage internal security. When attacks are complex, border defence cannot effectively resist all of them; once the border falls, great security risks appear inside the servers. Mutual attacks between different virtual hosts on the same physical host are even harder to resist.
There is also the problem of migrating a virtualized data centre. Different virtual machine platforms come with their own firewall technologies, but when migrating between platforms the corresponding firewall has to be reconfigured, and because the technologies differ, their protection effects also differ, which is a great security risk.
Therefore, a configuration method for traffic access control in a virtualized data centre is a hot research issue for those skilled in the art.
Summary of the invention
The purpose of this application is to provide a configuration method and system for traffic control in a virtual environment: by obtaining the service port information of the virtual hosts, configuring corresponding application roles and business domains for the virtual hosts, and configuring access policy rules to be enforced by a host agent, control over traffic and applications is achieved, so that business access to the virtual hosts can be controlled and unsafe access filtered.
To solve the above technical problems, this application provides a configuration method for traffic control in a virtual environment, comprising:
a management server receiving server host information and service port information sent by a host agent;
according to the server host information and the service port information, configuring a corresponding application role for the service and assigning the server host to a corresponding business domain;
configuring access policy rules for the application roles and the business domains;
sending the access policy rules to the host agent, so that the host agent enforces the access policy rules.
Optionally, the host agent sending server host information and service port information comprises:
the host agent obtaining the server host information and the service port information by scanning the ports of the services and the server host;
sending the server host information and the service port information to the management server.
Optionally, the host agent enforcing the access policy rules comprises:
receiving the access policy rules sent by the management server;
detecting and controlling access events with the host firewall according to the access policy rules.
Optionally, the method further comprises:
the management server receiving log information sent by the host agent;
parsing the log information to obtain logs;
displaying alert information for the access events according to the content of the logs.
Optionally, generating the log information comprises:
the host agent generating access event logs according to the access policy rules;
parsing the access event logs to obtain the required information and encapsulating it as log information;
sending the log information to the management server.
This application also provides a configuration system for traffic control in a virtual environment, the system comprising:
a host agent, for obtaining server host information and service port information, sending the server host information and the service port information to a management server, and enforcing the access policy rules sent by the management server;
a management server, for configuring, according to the server host information and the service port information, a corresponding application role for the service and assigning the server host to a corresponding business domain; configuring access policy rules for the application roles and the business domains; and sending the access policy rules to the host agent.
Optionally, the host agent is specifically for obtaining the server host information and the service port information by scanning the ports of the services and the server host.
Optionally, the host agent is specifically for receiving the access policy rules sent by the management server, and for detecting and controlling access events with the host firewall according to the access policy rules.
Optionally, the host agent is further for sending log information to the management server, and the management server is further for parsing the log information to obtain logs and displaying alert information for the access events according to the content of the logs.
Optionally, the host agent is specifically for generating access event logs according to the access policy rules, parsing the access event logs to obtain the required information and encapsulating it as log information, and sending the log information to the management server.
The configuration method for traffic control in a virtual environment provided herein comprises: a management server receives server host information and service port information sent by a host agent; according to the server host information and the service port information, it configures a corresponding application role for the service and assigns the server host to a corresponding business domain; it configures access policy rules for the application roles and the business domains; and it sends the access policy rules to the host agent, so that the host agent enforces them.
Through the cooperation of the management server and the host agent, the virtual hosts and the application services on them are divided into domains, and the firewall of each virtual host is used to control the access traffic between domains, so that authority control can be applied to business access to the virtual hosts and intrusion by unauthorized access is prevented. This application also provides a configuration system for traffic control in a virtual environment with the above beneficial effects, which are not repeated here.
Brief description of the drawings
To explain the embodiments of this application or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. The drawings in the following description are only embodiments of this application; those of ordinary skill in the art can obtain other drawings from them without creative work.
Fig. 1 is a flow chart of the configuration method provided by the embodiment of this application;
Fig. 2 is a schematic diagram of the domain division provided by the embodiment of this application;
Fig. 3 is a schematic diagram of the multi-domain division provided by the embodiment of this application;
Fig. 4 is a flow chart of the host agent obtaining information, provided by the embodiment of this application;
Fig. 5 is a flow chart of the host agent enforcing rules, provided by the embodiment of this application;
Fig. 6 is a flow chart of the management server processing logs, provided by the embodiment of this application;
Fig. 7 is a flow chart of the host agent processing logs, provided by the embodiment of this application;
Fig. 8 is a flow chart of the configuration system provided by the embodiment of this application;
Fig. 9 is an architecture diagram of the system functions provided by the embodiment of this application.
Embodiment
The core of this application is to provide a configuration method for traffic control in a virtual environment: application roles and business domains are configured from the port information of the virtual hosts, the access policy rules to be enforced by the host agent are then configured, and control over access traffic and application roles is achieved, so that authority control can be applied to business access to the virtual hosts and intrusion by unauthorized access is prevented.
To make the purpose, technical solution and advantages of the embodiments of this application clearer, the technical solution in the embodiments is described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of this application; all other embodiments obtained by those of ordinary skill in the art without creative work, based on the embodiments in this application, fall within the scope of protection of this application.
Refer to Fig. 1, a flow chart of the configuration method provided by the embodiment of this application.
This embodiment may comprise the following steps:
S100: the management server receives server host information and service port information sent by the host agent;
The management server can receive the information sent by the host agent over the intranet, which effectively protects the information against leakage. The service port is the port information of the application service in its virtual host, such as HTTP, 80 or TCP, 3306, which determines the protocol type and port of the application service on that virtual host. The server host information determines the position, within the virtual environment, of the virtual host on which the application is served; the identifier of that position can be managed and interpreted uniformly by the administrator of the virtual environment, rather than locating the virtual host simply by IP address.
S200: according to the server host information and the service port information, configure a corresponding application role for the service and assign the server host to a corresponding business domain;
S300: configure the access policy rules for the application roles and the business domains;
S400: send the access policy rules to the host agent, so that the host agent enforces them.
It should be noted that in step S200 the virtual hosts and the application services they provide are divided into domains. They can be classified by their different features, and any division whose domain scope can serve as the smallest unit on which access control is effectively enforced can be used as the division method; this is not limited here.
In this embodiment, tenant domains are first divided according to the server equipment requested by the different tenant accounts; business domains are then logically divided by business purpose; and within a business domain, different application roles are configured according to the application services provided by the server hosts.
Once the tenant domains, business domains and application roles have been determined in this way, the corresponding access policy rules can be configured, or left unconfigured; in the latter case the access policy rule between domains is the default access policy rule, and the default is to deny access.
The content of the access policy rules can be set according to the actual service conditions and the functions required; this is not limited here.
For example, the configuration form of the access policy rules for application roles can be as shown in Table 1 below.
Table 1
Meanwhile, refer to Fig. 2, a schematic diagram of the domain division provided by the embodiment of this application.
An application role comprises the service security domain, i.e. the business domain, the service provider of the application role, the application service information and the application users, together with the corresponding policy action.
For the table above, the access policy between the portal website business domain and the OA business domain is the default deny; between the virtual hosts within a business domain the default access policy also applies, so an allow access policy must be configured. For example, the server host group with the WEB application role in the portal website business domain provides the Apache application service, and the policy action for the corresponding application users is allow, i.e. access from all hosts in that business domain is allowed. The MySQL application service provided by the DB application role in the portal website business domain has an access policy that only allows access from hosts belonging to the WEB application role in that business domain.
When different business domains need to access the same business domain, the related access policy rules can be configured as in Table 2 below.
Table 2
Refer to Fig. 3, a schematic diagram of the multi-domain division provided by the embodiment of this application.
It should be noted that the access policy between two of the business domains, the OA business domain and the research and development business domain, remains the default, so they cannot access each other. Now the OA business domain and the research and development business domain both need to access the application service in the database service domain, so the access policy rules are configured as in the table above.
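The default-deny domain and role scheme described for Tables 1 and 2 and Figs. 2 and 3, as an added example in Python that is not part of the patent: the business domain names (portal website, OA, research and development, database service) and the WEB and DB roles are the ones used above; the host identifiers, the APP and BUILD roles and the rule lookup are this example's own constructions.

```python
"""Access policy model for the business-domain / application-role scheme.

Added example, not code from the patent. Default is deny: an access is allowed
only when an explicit rule covers the destination (domain, role, port) and the
source host's domain (and, optionally, role).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Host:
    name: str    # position identifier managed by the virtual-environment administrator
    domain: str  # business domain the host is assigned to
    role: str    # application role of the service it provides


@dataclass
class Rule:
    """Who may reach the service identified by (business domain, application role, port)."""
    dst_domain: str
    dst_role: str
    port: int
    src_domains: frozenset             # business domains that may access
    src_roles: frozenset = frozenset()  # if non-empty, only these roles within src_domains
    action: str = "allow"


@dataclass
class Policy:
    hosts: dict = field(default_factory=dict)
    rules: list = field(default_factory=list)

    def add_host(self, host):
        self.hosts[host.name] = host

    def decide(self, src_name, dst_name, port):
        """Default-deny evaluation: 'deny' unless a rule explicitly covers the access."""
        src, dst = self.hosts[src_name], self.hosts[dst_name]
        for r in self.rules:
            if (r.dst_domain, r.dst_role, r.port) != (dst.domain, dst.role, port):
                continue
            if src.domain not in r.src_domains:
                continue
            if r.src_roles and src.role not in r.src_roles:
                continue
            return r.action
        return "deny"


def build_policy():
    """Constructed inventory and rules reproducing the Table 1 / Table 2 scenarios."""
    p = Policy()
    # Portal website business domain: WEB role (Apache, 80) and DB role (MySQL, 3306).
    p.add_host(Host("portal-web-1", "portal", "WEB"))
    p.add_host(Host("portal-web-2", "portal", "WEB"))
    p.add_host(Host("portal-db-1", "portal", "DB"))
    # OA and research-and-development domains, and the database service domain.
    p.add_host(Host("oa-app-1", "OA", "APP"))
    p.add_host(Host("rd-build-1", "RD", "BUILD"))
    p.add_host(Host("dbsvc-1", "DBSVC", "DB"))
    # Table 1: Apache on the WEB role may be accessed by every host in the portal domain.
    p.rules.append(Rule("portal", "WEB", 80, frozenset({"portal"})))
    # Table 1: MySQL on the DB role only from portal hosts holding the WEB role.
    p.rules.append(Rule("portal", "DB", 3306, frozenset({"portal"}), frozenset({"WEB"})))
    # Table 2: OA and R&D both reach the database service domain; OA <-> R&D stays default deny.
    p.rules.append(Rule("DBSVC", "DB", 3306, frozenset({"OA", "RD"})))
    return p
```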
It should be noted that after the management server has configured the access policy rules, the rules are stored as a configuration file in the configuration centre. When the configuration file is sent to the host agent it must be converted into a file format supported by the host agent, and the configuration file is then stored locally at the host agent. The specific format and content can be designed according to the application environment; this is not limited here.
In this embodiment, the configuration file on the management server side is named micro_segmentation.ini, and its format is as follows:
/config
Policy_num=2 // number of policies
Policy0=xxx // name of the first policy
Service0=httpd // service of the first policy
port0=443 // port of the first policy
Provider_num0=2 // number of devices or device groups providing the service in the first policy
Provider0_0=web // first device providing the service in the first policy
Provider0_1=computer1 // second device providing the service in the first policy
Visitor_num0=1 // number of devices or device groups using the service in the first policy
Visitor0_0=db // first device using the service in the first policy
Policy1=xxx // name of the second policy
Service1=tomcat
Port1=8080
Provider_num1=1
Provider1_0=web
Visitor_num1=2
Visitor1_0=db
Visitor1_1=computer1
The corresponding format supported by the host agent is as follows:
Action:allow/prevent
Direction:in/out
Priority:0/1/2/3/4
Local_Port:443/3389-3392/
Remont_port:443/123-345
Host:1.1.1.1/2.2.2.2-3.3.3.3
App:tomcat
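The conversion from the management-server file to the agent format, as an added Python example that is not the patent's code: the ini keys are those of the micro_segmentation.ini listing above, while the device-name-to-address inventory, the Priority numbering (higher evaluated first, 0 reserved for the default deny), the `0-65535` remote-port range and the `App:*` wildcard are assumptions of this example; `Remote_port` stands for the field the agent listing spells `Remont_port`.

```python
"""Translate a micro_segmentation.ini-style policy file into host-agent rules.

Added example, not the patent's own code. Each policy names a service/port,
the devices providing it and the devices allowed to use it; the agent needs
one inbound rule per provider host listing the visitor addresses.
"""

# Constructed sample in the format shown on the page ('//' starts a comment).
SAMPLE_INI = """\
/config
Policy_num=2//number of policies
Policy0=xxx//name of the first policy
Service0=httpd
port0=443
Provider_num0=2
Provider0_0=web
Provider0_1=computer1
Visitor_num0=1
Visitor0_0=db
Policy1=xxx
Service1=tomcat
Port1=8080
Provider_num1=1
Provider1_0=web
Visitor_num1=2
Visitor1_0=db
Visitor1_1=computer1
"""

# Constructed inventory: device names used in the listing -> addresses (assumed).
INVENTORY = {"web": "10.0.1.10", "computer1": "10.0.1.11", "db": "10.0.2.20"}


def parse_ini(text):
    """Return {key_lowercase: value}, dropping the '/config' header and '//' comments.

    Keys are lower-cased because the listing mixes 'port0' and 'Port1'.
    """
    entries = {}
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()
        if not line or line.startswith("/"):
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def policies(entries):
    """Yield (service, port, providers, visitors) for each numbered policy."""
    for i in range(int(entries["policy_num"])):
        providers = [entries[f"provider{i}_{j}"] for j in range(int(entries[f"provider_num{i}"]))]
        visitors = [entries[f"visitor{i}_{j}"] for j in range(int(entries[f"visitor_num{i}"]))]
        yield entries[f"service{i}"], int(entries[f"port{i}"]), providers, visitors


def agent_rules(text, inventory=INVENTORY):
    """Build the per-provider rule lists in the agent's field set."""
    rules = {}
    for service, port, providers, visitors in policies(parse_ini(text)):
        hosts = "/".join(inventory[v] for v in visitors)  # agent format joins hosts with '/'
        for provider in providers:
            rules.setdefault(provider, []).append({
                "Action": "allow",
                "Direction": "in",
                "Priority": 1,             # assumed: evaluated before the priority-0 default deny
                "Local_Port": str(port),
                "Remote_port": "0-65535",  # assumed: any source port on the visitor
                "Host": hosts,
                "App": service,
            })
    # The text states the default policy between domains is deny; express it as the
    # lowest-priority rule so anything not allowed above is dropped.
    for provider in rules:
        rules[provider].append({"Action": "prevent", "Direction": "in", "Priority": 0,
                                "Local_Port": "0-65535", "Remote_port": "0-65535",
                                "Host": "0.0.0.0-255.255.255.255", "App": "*"})
    return rules


def render(rule):
    """Serialise one rule in the Key:value line format the agent accepts."""
    return "\n".join(f"{k}:{v}" for k, v in rule.items())
```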
With the above arrangement, the administrator can configure and operate through the visual page displayed by the management server, and the traffic detected and controlled by the host agent can also be displayed graphically in the visual page, which greatly facilitates the administrator's work. The visual page can be a web page or an app page on a mobile phone; this is not limited.
The technical solution of this application divides the virtual hosts into business domains and application roles and uses the host agent to control access traffic, thereby achieving access authority control between application roles and business domains and preventing intrusion by unauthorized access.
Refer to Fig. 4, a flow chart of the host agent obtaining information, provided by the embodiment of this application.
Based on the above embodiment, this embodiment may comprise:
S110: the host agent obtains the server host information and the service port information by scanning the ports of the services and the server host;
S120: the server host information and the service port information are sent to the management server.
The host agent needs to be installed in the virtual host and configured accordingly so that it can run normally.
It should be noted that the host agent can obtain the server host information and the service port information either by actively scanning the virtual host or by reading the existing information and sending it directly. When the host agent needs an iterative upgrade, the existing port information can be saved, the update performed, and the existing information read again after completion.
When a virtual host is newly added or a service is added to a server, the information of the virtual host can be added manually, or the host agent can be made to rescan the ports and application services of the virtual host.
Refer to Fig. 5, a flow chart of the host agent enforcing rules, provided by the embodiment of this application.
Based on the above embodiment, this embodiment may comprise:
S410: receive the access policy rules sent by the management server;
S420: detect and control access events with the host firewall according to the access policy rules.
It should be noted that the access policy rules received by the host agent are in the form of a policy file, and the rule content in the policy file is parsed.
Generally, in the host agent the new rule content can directly replace the old rule content. In this embodiment, the original rule content is backed up before the new rule content is applied.
The host agent can enforce the access control policy using host firewall technology, and different hosts can use different host firewalls, for example Windows WFP or Linux iptables firewall access control technology; this is not limited here.
Therefore, when migrating, the host agent only needs to apply the same access policy rules to the firewalls of the different hosts, which effectively solves the problem of coexisting platforms when a virtualized data centre is migrated.
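Rendering the agent-format rules into the Linux iptables host firewall named above, with the backup-then-apply sequence of the previous paragraphs, as an added Python example that is not the patent's or any agent's code: the field-to-option mapping, carrying the App name in an iptables comment match, the backup path and the command order are this example's own choices; the sample rule is constructed, and the parser accepts both `Remote_port` and the `Remont_port` spelling of the agent listing.

```python
"""Render host-agent rules (Action / Direction / Priority / Local_Port / Remote_port /
Host / App) as iptables commands and build a backup-then-apply plan.

Added example, not the patent's code. Commands are returned as strings so they
can be reviewed; nothing here executes them.
"""

# Constructed sample rule in the agent's Key:value format.
SAMPLE_RULE = """\
Action:allow
Direction:in
Priority:2
Local_Port:443/3389-3392
Remote_port:0-65535
Host:10.0.2.20/10.0.1.11-10.0.1.20
App:tomcat
"""


def parse_agent_rule(text):
    """Key:value lines -> dict with lower-case keys; 'Remont_port' is read as remote_port."""
    rule = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        rule[key.strip().lower().replace("remont", "remote")] = value.strip()
    return rule


def _ports(spec):
    """'443/3389-3392' -> ['443', '3389:3392']; iptables writes port ranges with ':'."""
    return [p.replace("-", ":") for p in spec.split("/") if p]


def _host_match(host, direction):
    """A single address uses -s/-d; an 'a-b' range uses the iprange match."""
    if "-" in host:
        flag = "--src-range" if direction == "in" else "--dst-range"
        return f"-m iprange {flag} {host}"
    return f"{'-s' if direction == 'in' else '-d'} {host}"


def to_iptables(rule):
    """Expand one agent rule into append commands, one per host x local port x remote port."""
    chain = {"in": "INPUT", "out": "OUTPUT"}[rule["direction"]]
    target = {"allow": "ACCEPT", "prevent": "DROP"}[rule["action"]]
    # For inbound traffic the local port is the destination port on this host.
    local_flag, remote_flag = ("--dport", "--sport") if chain == "INPUT" else ("--sport", "--dport")
    cmds = []
    for host in rule["host"].split("/"):
        for lport in _ports(rule["local_port"]):
            for rport in _ports(rule.get("remote_port", "0-65535")):
                cmds.append(
                    f"iptables -A {chain} -p tcp {_host_match(host, rule['direction'])} "
                    f"{local_flag} {lport} {remote_flag} {rport} "
                    f"-m comment --comment \"App:{rule['app']} Prio:{rule['priority']}\" -j {target}"
                )
    return cmds


def apply_plan(rule_texts):
    """Back up the current rule set, then install the new content with default deny.

    Higher Priority values are assumed to be evaluated first. The DROP policy is
    set last so the agent's own management connection survives the switch.
    """
    plan = [
        "iptables-save > /var/lib/agent/iptables.backup",  # assumed backup location
        "iptables -F INPUT",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    rules = sorted((parse_agent_rule(t) for t in rule_texts), key=lambda r: -int(r["priority"]))
    for r in rules:
        plan.extend(to_iptables(r))
    plan.append("iptables -P INPUT DROP")  # default policy between domains is deny
    return plan
```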
Refer to Fig. 6, a flow chart of the management server processing logs, provided by the embodiment of this application.
Based on the above embodiment, this embodiment may comprise:
S500: the management server receives the log information sent by the host agent;
S600: the log information is parsed to obtain logs;
S700: alert information for the access events is displayed according to the content of the logs.
The specific content of the logs and their display format can be set according to the specific problem to be solved and the actual conditions, taking the administrator's readability into account; this is not limited here.
The related log information can be transmitted over the intranet between the management server and the host agent, based on HTTP or on TCP; this is not limited here. The management server needs to parse the received log information into logs that the administrators can read, and store the logs in the corresponding database.
It should be noted that the management server can be configured with related screening rules, according to which it screens the corresponding information for display on its display platform, which can be a page or a mobile phone app; this is not limited here.
Refer to Fig. 7, a flow chart of the host agent processing logs, provided by the embodiment of this application.
Based on the above embodiment, this embodiment may comprise:
S510: the host agent generates access event logs according to the access policy rules;
S520: the access event logs are parsed to obtain the required information, which is encapsulated as log information;
S530: the log information is sent to the management server.
The logs are generated according to the access policy rules. When an access event occurs, the related information is recorded, for example the time, the port, who the requester is, whether the rule allows the access, and the access process. This yields the log content of the access event, which is parsed for the required content and encapsulated as log information for transmission over the intranet; its format can follow the format required by the protocol used to send the information.
The embodiment of this application provides a configuration method for traffic control in a virtual environment: application roles and business domains are configured from the port information of the virtual hosts, the access policy rules to be enforced by the host agent are then configured, and control over access traffic and application roles is achieved, so that authority control can be applied to business access to the virtual hosts and intrusion by unauthorized access is prevented.
The configuration system for traffic control in a virtual environment provided by the embodiment of this application is introduced below; the configuration system described hereafter and the configuration method described above can be referred to each other.
Refer to Fig. 8, a flow chart of the configuration system provided by the embodiment of this application.
This embodiment provides a configuration system for traffic control in a virtual environment, which may comprise a management server and host agents, where the host agents are deployed in a distributed manner in each virtual machine and enforce the access policy rules. The management platform can be deployed on the internet to support unified policy management and configuration for different virtualized data centres.
The host agent is for obtaining server host information and service port information, sending the server host information and service port information to the management server, and enforcing the access policy rules sent by the management server.
The management server is for configuring, according to the server host information and service port information, a corresponding application role for the service and assigning the server host to a corresponding business domain; configuring the access policy rules for the application roles and business domains; and sending the access policy rules to the host agent.
Based on the above embodiment, in this embodiment the host agent is specifically for obtaining the server host information and the service port information by scanning the ports of the services and the server host.
Based on the above embodiment, in this embodiment the host agent is specifically for receiving the access policy rules sent by the management server, and for detecting and controlling access events with the host firewall according to the access policy rules.
Based on the above embodiment, in this embodiment the host agent is further for sending log information to the management server, and the management server is further for parsing the log information to obtain logs and displaying alert information for the access events according to the content of the logs.
Based on the above embodiment, in this embodiment the host agent is specifically for generating access event logs according to the access policy rules, parsing the access event logs to obtain the required information and encapsulating it as log information, and sending the log information to the management server.
Refer to Fig. 9, an architecture diagram of the system functions provided by the embodiment of this application.
The management platform refers to the operation management system running on the management server.
The management platform comprises a policy rule module and a log module. The policy rule module is responsible for policy configuration, policy storage and policy distribution; the log module is responsible for log display, log storage and log parsing. That is, in the management platform the policy rule module configures the access policy rules for the application roles on the front-end configuration page according to the business requirements, stores the configured access policy rules, and then distributes them uniformly to the corresponding host Agents. When a host Agent receives the file of access policy rules, it parses the rule content in the file, backs up the original rule content, and applies the new rule content. The critical file of access policy rules in the system is stored in the configuration centre as the configuration file of the management platform (i.e. the file of access policy rules), and the agent configuration file is stored locally. If the file format and content on the two sides differ, they can be unified by the management platform, for example by having the management platform convert the policy file into rules supported by the agent and then issue them to the Agent.
The host agent (Agent) includes a policy rule module, a log module and a scan module. The policy rule module is responsible for rule backup, policy rule parsing and rule application/parsing; the log module is responsible for log parsing, log packaging and log sending; the scan module is responsible for scanning service applications and service ports, as well as host configuration. That is, the log module on the host agent generates access event logs according to the rules, parses the log content, obtains the required log information, repackages it as log information, and sends the log information to the management platform through the communication module. After receiving the log information, the management platform parses and processes it, stores the log in the corresponding database, and displays it on the platform's page.
Specifically, the management platform is responsible for configuring, storing and distributing the various access policy rules described above, and for parsing, storing and displaying the reported event logs. By capturing inter-virtual-machine service (i.e. application service) access information, the management platform collects and analyses the data communication between virtual machines, shows the user the traffic model of the whole cloud platform, including traffic between virtual machines and between different application services, and establishes a basic access view. Based on the newly added traffic shown in the management platform's access view, subtle internal changes can be analysed, and the corresponding access policy rule actions can be configured quickly and easily. The concrete application type carried in virtual machine traffic can also be identified, and on that basis traffic and application control functions are provided, so that fine-grained permission control can be applied to business access to virtual machines in order to filter unauthorized access.
The implementation flow of the micro-isolation business is therefore as follows. After the host agent is installed on a virtual host, it can automatically scan for and discover the ports of application services, and report the server host information and service port information to the management platform. In the management platform, the administrator can configure an application role according to the purpose of the server host, and then assign the server host to the corresponding business domain. On the micro-isolation configuration page, the administrator configures business access policies according to the access relations of the business. The policy is automatically distributed to the host agent; after the agent receives the policy file, it parses it into executable rules and reports event logs according to the traffic access policy between virtual machines; after the management platform receives the event log information, it displays the event alarm information.
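The platform/agent exchange described above (role and business-domain assignment, per-host rule distribution, rule backup and application, access-event logging and alarm parsing), as an added example that is not the patent's own code. All names, the JSON rule-file format, the "any" wildcard and the sample hosts are assumptions constructed for illustration.

```python
import json
from dataclasses import dataclass, field

@dataclass
class Platform:
    """Management platform: roles, business domains, policy store, log parsing (assumed model)."""
    roles: dict = field(default_factory=dict)     # host ip -> application role
    domains: dict = field(default_factory=dict)   # host ip -> business domain
    policies: list = field(default_factory=list)  # (src_role, dst_role, dport)

    def register(self, report, role, domain):
        # agent scan report -> administrator assigns application role and business domain
        self.roles[report["host"]] = role
        self.domains[report["host"]] = domain

    def compile_for(self, host):
        # per-host rule file: accept listed peers in the same business domain,
        # then a final default-deny rule so anything unlisted is dropped
        rules = [{"action": "accept", "src": src, "dport": p}
                 for s_role, d_role, p in self.policies if self.roles[host] == d_role
                 for src, r in self.roles.items()
                 if r == s_role and self.domains[src] == self.domains[host]]
        rules.append({"action": "drop", "src": "any", "dport": "any"})
        return json.dumps({"host": host, "rules": rules})

    def parse_log(self, log_info):
        # parse the log information reported by an agent into an alarm record
        ev = json.loads(log_info)
        return {"alarm": ev["action"] == "drop", **ev}

class Agent:
    """Host agent: parse the rule file, back up old rules, apply new ones, log events."""
    def __init__(self, host):
        self.host, self.active, self.backup = host, [], []

    def apply(self, rule_file):
        new = json.loads(rule_file)
        if new["host"] != self.host:
            raise ValueError("rule file not addressed to this host")
        self.backup, self.active = self.active, new["rules"]  # keep a rollback copy

    def handle(self, src, dport):
        # first matching rule decides (host firewall semantics); the decision is
        # encapsulated as log information for the management server
        action = next((r["action"] for r in self.active
                       if r["src"] in (src, "any") and r["dport"] in (dport, "any")), "drop")
        return json.dumps({"host": self.host, "src": src, "dport": dport, "action": action})

def demo():
    # constructed scenario: "web" may reach "app" on 8080, but only inside domain "sales"
    plat = Platform()
    plat.register({"host": "10.0.1.5", "ports": [8080]}, "app", "sales")
    plat.register({"host": "10.0.1.6", "ports": [443]}, "web", "sales")
    plat.register({"host": "10.0.2.9", "ports": [443]}, "web", "hr")
    plat.policies.append(("web", "app", 8080))
    agent = Agent("10.0.1.5")
    agent.apply(plat.compile_for("10.0.1.5"))
    return (plat.parse_log(agent.handle("10.0.1.6", 8080)),
            plat.parse_log(agent.handle("10.0.2.9", 8080)))
```

The second event in `demo()` comes from a web host in a different business domain, so it hits only the trailing default-deny rule and surfaces as an alarm on the platform side.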
It should be noted that the management platform and the host agent contain functional modules with identical names, but this does not mean that their functions are identical.
The embodiments in this specification are described in a progressive manner; each embodiment emphasises its differences from the others, and the identical or similar parts of the embodiments can be referred to one another. For the device disclosed in an embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant parts can refer to the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above in general terms of their function. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered to go beyond the scope of this application.
The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The configuration method and system for traffic control in a virtual environment provided by this application have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the application; the description of the above embodiments is only intended to help in understanding the method of this application and its core idea. It should be pointed out that those of ordinary skill in the art can make several improvements and modifications to the application without departing from its principles, and these improvements and modifications also fall within the scope of the claims of this application.
Claims (10)
1. A configuration method for traffic control in a virtual environment, characterised in that the method comprises:
a management server receiving server host information and service port information sent by a host agent;
according to the server host information and the service port information, configuring a corresponding application role for the service, and assigning the server host to a corresponding business domain;
configuring access policy rules for the application role and the business domain;
sending the access policy rules to the host agent, so that the host agent executes the access policy rules.
2. The method according to claim 1, characterised in that the server host information and the service port information sent by the host agent comprise:
the host agent obtaining the server host information and the service port information by scanning the ports of the service and the server host;
sending the server host information and the service port information to the management server.
3. The method according to claim 2, characterised in that the host agent executing the access policy rules comprises:
receiving the access policy rules sent by the management server;
using a host firewall to detect and control access events according to the access policy rules.
4. The method according to any one of claims 1 to 3, characterised in that it further comprises:
the management server receiving log information sent by the host agent;
parsing the log information to obtain a log;
displaying warning information for the access events according to the content of the log.
5. The method according to claim 4, characterised in that the generation of the log information comprises:
the host agent generating an access event log according to the access policy rules;
parsing the access event log to obtain the required information and encapsulating it as log information;
sending the log information to the management server.
6. A configuration system for traffic control in a virtual environment, characterised in that the system comprises:
a host agent, for obtaining server host information and service port information, sending the server host information and the service port information to a management server, and executing the access policy rules sent by the management server;
a management server, for configuring a corresponding application role for the service and assigning the server host to a corresponding business domain according to the server host information and the service port information, configuring access policy rules for the application role and the business domain, and sending the access policy rules to the host agent.
7. The system according to claim 6, characterised in that the host agent is specifically configured to obtain the server host information and the service port information by scanning the ports of the service and the server host.
8. The system according to claim 7, characterised in that the host agent is specifically configured to receive the access policy rules sent by the management server, and to use a host firewall to detect and control access events according to the access policy rules.
9. The system according to any one of claims 6 to 8, characterised in that:
the host agent is further configured to send log information to the management server;
the management server is further configured to parse the log information to obtain a log and, according to the content of the log, to display warning information for the access events.
10. The system according to claim 9, characterised in that the host agent is specifically configured to generate an access event log according to the access policy rules; to parse the access event log to obtain the required information and encapsulate it as log information; and to send the log information to the management server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710552136.7A CN107332851A (en) | 2017-07-07 | 2017-07-07 | Configuration method and system for traffic control in a virtual environment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107332851A true CN107332851A (en) | 2017-11-07 |
Family
ID=60196335
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710552136.7A Pending CN107332851A (en) | 2017-07-07 | 2017-07-07 | Configuration method and system for traffic control in a virtual environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107332851A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109150860A (en) * | 2018-08-02 | 2019-01-04 | 郑州云海信息技术有限公司 | Method and system for realizing network micro-isolation in an OpenStack environment |
CN111443986A (en) * | 2020-01-09 | 2020-07-24 | 武汉思普崚技术有限公司 | Micro-isolation protection method and system for distributed virtual environment |
CN111866100A (en) * | 2020-07-06 | 2020-10-30 | 北京天空卫士网络安全技术有限公司 | Method, device and system for controlling data transmission rate |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104202333A (en) * | 2014-09-16 | 2014-12-10 | 浪潮电子信息产业股份有限公司 | Implementation method of distributed firewall |
CN104378387A (en) * | 2014-12-09 | 2015-02-25 | 浪潮电子信息产业股份有限公司 | Virtual platform information security protection method |
US9049187B2 (en) * | 2009-01-08 | 2015-06-02 | Alcatel Lucent | Connectivity, adjacencies and adaptation functions |
CN105684391A (en) * | 2013-11-04 | 2016-06-15 | 伊尔拉米公司 | Automated generation of label-based access control rules |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20171107 |