CN107332851A - Configuration method and system for traffic control in a virtual environment - Google Patents

Configuration method and system for traffic control in a virtual environment

Info

Publication number: CN107332851A
Authority: CN (China)
Prior art keywords: information, access, host agent, server, sent
Legal status: Pending (as listed by Google; the status is an assumption, not a legal conclusion)
Application number: CN201710552136.7A
Other languages: Chinese (zh)
Inventors: 邹荣新, 胡遵华
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN201710552136.7A
Publication of CN107332851A
Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/02 ... for separating internal from external traffic, e.g. firewalls
                        • H04L63/0227 Filtering policies
                            • H04L63/0263 Rule management
                        • H04L63/0272 Virtual private networks
                        • H04L63/0281 Proxies
                    • H04L63/10 ... for controlling access to devices or network resources
                    • H04L63/14 ... for detecting or protecting against malicious traffic
                        • H04L63/1408 ... by monitoring network traffic
                            • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

This application discloses a configuration method for traffic control in a virtual environment, including: a management server receives server host information and service port information sent by a host agent; according to the server host information and the service port information, it configures a corresponding application role for each service and divides the server hosts into corresponding business domains; it configures the access policy rules of the application roles and the business domains; it sends the access policy rules to the host agent, so that the host agent executes them. By dividing application roles and business domains through configuration based on the port information of the virtual hosts, and then configuring the access policy rules that the host agent executes, control of access traffic and application roles is realized, so that business access to the virtual hosts can be subjected to authority control in order to prevent intrusion by unauthorized access. This application also discloses a configuration system for traffic control in a virtual environment with the above beneficial effects.

Description

Configuration method and system for traffic control in a virtual environment
Technical field
This application relates to the field of virtual environment control, and in particular to a traffic access control method and system for a virtual environment.
Background technology
With the rapid development of information technology, more and more organizations and enterprises rely on information technology to solve problems in actual production and must deploy the corresponding services on servers or hosts; because of the cost of hosts, they have had to look for other solutions. Cloud computing and big data technology therefore emerged, and the virtualized data centre that followed has seen unprecedented development. Because cloud computing is quick to set up, offers complete supporting services and is cost-effective, a large number of organizational and corporate customers have completed the construction of virtualized data centres and have bought and deployed the corresponding security equipment at the network boundary.
However, the construction of virtualization services reconstructs the original IT services and breaks the original IT infrastructure: service delivery changes from multiple physically present service hosts to multiple virtual hosts emulated on a few physical hosts. The management solution of the original security methods no longer applies, and because multiple virtual hosts all reside on one physical host, new security problems are introduced.
In traditional IT solutions, the security boundary takes the host as the minimum management unit: hosts providing different services can be divided into security domains for different business lines, and the access control policy between domains can be configured. Because the minimum management unit is a physically present physical host, access control policy is configured between physical hosts. But all current business services run on the platform of the virtualized data centre, so the division into business domains cannot be made at the physical layer, and consequently the access control policy between domains cannot be configured either.
At the same time, with no way to configure the access control policy between domains, there is no way to manage security inside the perimeter. When attacks become complex, boundary defence cannot effectively resist all of them; once the boundary falls, a great security hazard appears inside the servers. In particular, attacks between different virtual hosts on the same physical host are even harder to resist.
There is also the problem of migrating virtualized data centres. Different virtual machine platforms are equipped with their own firewall technologies, but when migrating between platforms the corresponding firewall has to be reconfigured, and because the technologies differ their protection effect differs as well, which is a great security hazard.
Therefore, the configuration method for traffic access control in a virtualized data centre is a hot research issue for those skilled in the art.
The content of the invention
The purpose of this application is to provide a configuration method and system for traffic control in a virtual environment: by obtaining the service port information of the virtual hosts, configuring the corresponding application role and business domain for each virtual host, and at the same time configuring the access policy rules to be executed by a host agent, control of traffic and applications is realized, so that business access to the virtual hosts can be controlled and unsafe access filtered.
To solve the above technical problems, this application provides a configuration method for traffic control in a virtual environment, including:
a management server receives server host information and service port information sent by a host agent;
according to the server host information and the service port information, it configures a corresponding application role for each service and divides the server hosts into corresponding business domains;
it configures the access policy rules of the application roles and the business domains;
it sends the access policy rules to the host agent, so that the host agent executes the access policy rules.
Optionally, the host agent sending the server host information and the service port information includes:
the host agent obtains the server host information and the service port information by scanning the ports of the services and the server host;
it sends the server host information and the service port information to the management server.
Optionally, the host agent executing the access policy rules includes:
receiving the access policy rules sent by the management server;
detecting and controlling access events with a host firewall according to the access policy rules.
Optionally, the method further includes:
the management server receives log information sent by the host agent;
it parses the log information to obtain logs;
according to the content of the logs, it displays warning messages about the access events.
Optionally, generating the log information includes:
the host agent generates access event logs according to the access policy rules;
it parses the needed information out of the access event logs and encapsulates it as log information;
it sends the log information to the management server.
This application also provides a configuration system for traffic control in a virtual environment, the system including:
a host agent, for obtaining server host information and service port information, sending the server host information and the service port information to a management server, and executing the access policy rules sent by the management server;
a management server, for configuring a corresponding application role for each service and dividing the server hosts into corresponding business domains according to the server host information and the service port information, configuring the access policy rules of the application roles and the business domains, and sending the access policy rules to the host agent.
Optionally, the host agent is specifically for obtaining the server host information and the service port information by scanning the ports of the services and the server host.
Optionally, the host agent is specifically for receiving the access policy rules sent by the management server, and for detecting and controlling access events with a host firewall according to the access policy rules.
Optionally,
the host agent is further for sending log information to the management server;
the management server is further for parsing the log information to obtain logs and, according to the content of the logs, displaying warning messages about the access events.
Optionally, the host agent is specifically for generating access event logs according to the access policy rules, parsing the needed information out of the access event logs and encapsulating it as log information, and sending the log information to the management server.
The configuration method for traffic control in a virtual environment provided by this application includes: a management server receives server host information and service port information sent by a host agent; according to the server host information and the service port information, it configures a corresponding application role for each service and divides the server hosts into corresponding business domains; it configures the access policy rules of the application roles and the business domains; it sends the access policy rules to the host agent, so that the host agent executes the access policy rules.
Through the cooperation of the management server and the host agent, the virtual hosts and the application services on them are divided into domains, and the firewall of each virtual host is used to control the access traffic between domains; business access to the virtual hosts can thus be subjected to authority control to prevent intrusion by unauthorized access. This application also provides a configuration system for traffic control in a virtual environment with the above beneficial effects, which is not repeated here.
Brief description of the drawings
To explain the technical solutions in the embodiments of this application or in the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of this application; those of ordinary skill in the art can obtain other drawings from them without creative work.
Fig. 1 is a flow chart of the configuration method provided by the embodiment of this application;
Fig. 2 is a schematic diagram of domain division provided by the embodiment of this application;
Fig. 3 is a schematic diagram of multi-domain division provided by the embodiment of this application;
Fig. 4 is a flow chart of the host agent obtaining information, provided by the embodiment of this application;
Fig. 5 is a flow chart of the host agent executing rules, provided by the embodiment of this application;
Fig. 6 is a flow chart of the management server processing logs, provided by the embodiment of this application;
Fig. 7 is a flow chart of the host agent processing logs, provided by the embodiment of this application;
Fig. 8 is a flow chart of the configuration system provided by the embodiment of this application;
Fig. 9 is an architecture diagram of the system functions provided by the embodiment of this application.
Embodiment
The core of this application is to provide a configuration method for traffic control in a virtual environment: application roles and business domains are divided through configuration based on the port information of the virtual hosts, then the access policy rules to be executed by the host agent are configured, realizing control of access traffic and application roles, so that business access to the virtual hosts can be subjected to authority control to prevent intrusion by unauthorized access.
To make the purpose, technical solution and advantages of the embodiments of this application clearer, the technical solution in the embodiments is described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of this application without creative work fall within the scope of protection of this application.
Refer to Fig. 1, which is a flow chart of the configuration method provided by the embodiment of this application.
The present embodiment may include the following steps:
S100: the management server receives server host information and service port information sent by the host agent.
The management server can receive the information sent by the host agent over the intranet, which effectively protects the information against leakage. The service port refers to the port information of the application service in the virtual host, such as HTTP, 80 or TCP, 3306, from which the protocol type and port of the application service on its virtual host can be determined. The server host information determines the position, within the virtual environment, of the virtual host on which the service is deployed; the identifier of that position can be uniformly managed and interpreted by the manager of the virtual environment, rather than locating the virtual host simply by IP address.
S200: according to the server host information and the service port information, configure a corresponding application role for each service and divide the server hosts into corresponding business domains.
S300: configure the access policy rules of the application roles and the business domains.
S400: send the access policy rules to the host agent, so that the host agent executes them.
It should be noted that in step S200 the virtual hosts and the application services they provide are divided into domains, and the division may classify them by their different characteristics. Any division method whose domain scope can serve as the minimum unit on which access control is effectively performed can be adopted as the dividing mode; it is not limited here.
In the present embodiment, tenant domains are first divided according to the server equipment requested by different tenant accounts; business domains are then divided logically according to different business purposes; and within a business domain different application roles are configured according to the application services provided by the server hosts.
After the tenant domains, business domains and application roles have been determined in this way, the corresponding access policy rules can be configured, or left unconfigured; in the latter case the access policy rule between each pair of domains is the default rule, and the default access policy rule is to deny access.
The content of the access policy rules can be set according to the actual usage conditions and the required functions, and is not limited here.
For example, the configuration form of the access policy rules for application roles can be as shown in Table 1 below.
Table 1
Meanwhile, refer to Fig. 2, which is a schematic diagram of domain division provided by the embodiment of this application.
Here an application role comprises the service security domain (the business domain), the service provider of the application role, the application service information, the application users, and the corresponding policy action.
For the table above, the access policy between the portal website business domain and the OA business domain is the default denial of access; between the virtual hosts inside a business domain the default policy also applies, so a permitting access policy must be configured. For example, the server host group of the WEB application role in the portal website business domain provides the Apache application service, and the policy action for the corresponding application users is allow, that is, access from all hosts in that business domain is allowed. For the MySQL application service provided by the DB application role in the portal website business domain, the access policy only allows hosts belonging to the WEB application role in that business domain to access.
When different business domains need to access the same business domain, the relevant access policy rules can be configured as in Table 2 below.
Table 2
Refer to Fig. 3, which is a schematic diagram of multi-domain division provided by the embodiment of this application.
It should be noted that the access policy between two of the business domains, the OA business domain and the research and development business domain, remains the default, so they cannot access each other. At the same time, both the OA business domain and the research and development business domain need to access the application services in the database service domain, so the access policy rules of the table above are configured.
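The default-deny domain and role model described above (portal, OA, research and development and database service domains, with WEB and DB roles), as an added illustration that is not code from the patent: the hosts, role names and rules are constructed to mirror the text's examples, not taken from Table 1 or Table 2, and the decision function generalizes the text's cases to any (source host, destination host, service) triple.

```python
from dataclasses import dataclass

# Constructed hosts and rules modelling the examples in the text; not the patent's tables.

@dataclass(frozen=True)
class Host:
    name: str
    domain: str   # business domain the host was divided into
    role: str     # application role configured from its service port information

@dataclass(frozen=True)
class Rule:
    service: str               # application service the rule is about
    provider_domain: str       # business domain of the hosts providing the service
    provider_role: str         # application role of the providing hosts
    visitor_domains: frozenset # business domains whose hosts may act as application users
    visitor_roles: frozenset   # roles allowed to visit; empty means any role in those domains

def is_allowed(src: Host, dst: Host, service: str, rules) -> bool:
    """Default deny: access passes only when an explicitly configured rule matches."""
    for r in rules:
        if r.service != service:
            continue
        if (dst.domain, dst.role) != (r.provider_domain, r.provider_role):
            continue
        if src.domain not in r.visitor_domains:
            continue
        if r.visitor_roles and src.role not in r.visitor_roles:
            continue
        return True
    return False

# Constructed hosts (names and addresses are illustrative)
PORTAL_WEB = Host("portal-web-1", "portal", "WEB")
PORTAL_DB = Host("portal-db-1", "portal", "DB")
OA_APP = Host("oa-app-1", "oa", "APP")
RND_BUILD = Host("rnd-build-1", "rnd", "BUILD")
DBSVC_MYSQL = Host("dbsvc-mysql-1", "dbsvc", "DB")

RULES = (
    # Apache on the portal WEB role: every host in the portal domain may access it
    Rule("apache", "portal", "WEB", frozenset({"portal"}), frozenset()),
    # MySQL on the portal DB role: only portal hosts in the WEB role may access it
    Rule("mysql", "portal", "DB", frozenset({"portal"}), frozenset({"WEB"})),
    # Database service domain: the OA and R&D domains may both reach its MySQL service
    Rule("mysql", "dbsvc", "DB", frozenset({"oa", "rnd"}), frozenset()),
)

def evaluate_matrix(rules=RULES):
    """Decide a set of constructed access attempts; anything unmatched falls to default deny."""
    attempts = {
        "portal_db->portal_web apache": (PORTAL_DB, PORTAL_WEB, "apache"),
        "portal_web->portal_db mysql": (PORTAL_WEB, PORTAL_DB, "mysql"),
        "oa->portal_web apache": (OA_APP, PORTAL_WEB, "apache"),
        "oa->dbsvc mysql": (OA_APP, DBSVC_MYSQL, "mysql"),
        "rnd->dbsvc mysql": (RND_BUILD, DBSVC_MYSQL, "mysql"),
        "oa->rnd any": (OA_APP, RND_BUILD, "ssh"),
        "dbsvc->portal_db mysql": (DBSVC_MYSQL, PORTAL_DB, "mysql"),
    }
    return {k: is_allowed(s, d, svc, rules) for k, (s, d, svc) in attempts.items()}

if __name__ == "__main__":
    for name, decision in evaluate_matrix().items():
        print(f"{name}: {'allow' if decision else 'deny (default)'}")
```

The point of keying rules on (provider domain, provider role) rather than on addresses is the one the text makes: a rule survives a host being re-addressed or migrated as long as its domain and role assignment is unchanged.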
It should be noted that after the management server has configured the access policy rules, the rules are stored as a configuration file in the configuration centre. When the configuration file is sent to the host agent it must be converted into a file format that the host agent supports, and that configuration file is stored locally on the host agent. The specific format content can be designed according to the application environment and is not limited here.
In the present embodiment, the configuration file on the management server side is named micro_segmentation.ini, and its format is as follows:
/config
Policy_num=2                // number of policies
Policy0=xxx                 // name of the first policy
Service0=httpd              // service of the first policy
port0=443                   // port of the first policy
Provider_num0=2             // number of devices or device groups providing the service in the first policy
Provider0_0=web             // first device providing the service in the first policy
Provider0_1=computer1       // second device providing the service in the first policy
Visitor_num0=1              // number of devices or device groups using the service in the first policy
Visitor0_0=db               // first device using the service in the first policy
Policy1=xxx                 // name of the second policy
Service1=tomcat
Port1=8080
Provider_num1=1
Provider1_0=web
Visitor_num1=2
Visitor1_0=db
Visitor1_1=computer1
The corresponding format supported by the host agent is as follows:
Action:allow/prevent
Direction:in/out
Priority:0/1/2/3/4
Local_Port:443/3389-3392/
Remont_port:443/123-345
Host:1.1.1.1/2.2.2.2-3.3.3.3
App:tomcat
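The conversion step the text describes, from the management server's micro_segmentation.ini format into rules in the host agent's format, as an added example that is not the patent's or Sangfor's code. The ini text is constructed to follow the layout quoted above; the device-name-to-address inventory, the policy names, the priority values (0 taken as applied first) and the trailing default-deny rule are assumptions of this example, the last one reflecting the text's statement that the default policy between domains is to deny access.

```python
# Added example: management-server policy file -> per-agent rules in the agent format.

SAMPLE_INI = """/config
Policy_num=2 // number of policies
Policy0=web-https // name of the first policy (constructed)
Service0=httpd
port0=443
Provider_num0=2
Provider0_0=web
Provider0_1=computer1
Visitor_num0=1
Visitor0_0=db
Policy1=tomcat-8080
Service1=tomcat
Port1=8080
Provider_num1=1
Provider1_0=web
Visitor_num1=2
Visitor1_0=db
Visitor1_1=computer1
"""

# Constructed inventory: device names used in the policy file -> host address (assumption)
INVENTORY = {"web": "10.0.1.10", "computer1": "10.0.1.11", "db": "10.0.2.20"}

def parse_policy_file(text):
    """Parse key=value lines; text after // is a comment, keys are matched case-insensitively
    (the page's file mixes port0 and Port1)."""
    kv = {}
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line or line.startswith("/"):      # skip blank lines and the /config header
            continue
        key, sep, value = line.partition("=")
        if sep:
            kv[key.strip().lower()] = value.strip()
    policies = []
    for i in range(int(kv["policy_num"])):
        providers = [kv[f"provider{i}_{j}"] for j in range(int(kv[f"provider_num{i}"]))]
        visitors = [kv[f"visitor{i}_{j}"] for j in range(int(kv[f"visitor_num{i}"]))]
        policies.append({
            "name": kv[f"policy{i}"],
            "service": kv[f"service{i}"],
            "port": int(kv[f"port{i}"]),
            "providers": providers,
            "visitors": visitors,
        })
    return policies

def rules_for_agent(policies, device, inventory=INVENTORY):
    """Rules for the agent on `device`: one inbound allow per policy it provides,
    followed by a lowest-priority default deny."""
    rules = []
    for p in policies:
        if device not in p["providers"]:
            continue
        rules.append({
            "Action": "allow",
            "Direction": "in",
            "Priority": 0,                       # assumption: 0 is applied first
            "Local_Port": str(p["port"]),
            "Remont_port": "",                   # key spelt as in the agent format quoted on the page
            "Host": "/".join(inventory[v] for v in p["visitors"]),
            "App": p["service"],
        })
    rules.append({"Action": "prevent", "Direction": "in", "Priority": 4,
                  "Local_Port": "", "Remont_port": "", "Host": "", "App": ""})
    return rules

def render_agent_rules(rules):
    """Serialize as Key:value blocks, one blank line between rules."""
    return "\n\n".join("\n".join(f"{k}:{v}" for k, v in r.items()) for r in rules)

if __name__ == "__main__":
    policies = parse_policy_file(SAMPLE_INI)
    print(render_agent_rules(rules_for_agent(policies, "web")))
```

Each agent only receives the rules for policies in which its own device is a provider, so the db host in this constructed inventory gets nothing but the default deny: the management server, not the agent, decides which subset of the global policy a host needs.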
With the above arrangement, the manager can configure and operate through the visual page displayed by the management server, and the traffic detected and controlled by the host agent can also be displayed graphically on the visual page, which greatly facilitates the manager's work. The visual page may be a WEB page or the APP page of a mobile phone terminal; this is not limited here.
The technical solution of this application divides the virtual hosts into business domains and application roles and uses the host agent to control access traffic, realizing access authority control between application roles and business domains and preventing intrusion by unauthorized access.
Refer to Fig. 4, which is a flow chart of the host agent obtaining information, provided by the embodiment of this application.
Based on the above embodiment, the present embodiment can include:
S110: the host agent obtains server host information and service port information by scanning the ports of the services and the server host;
S120: the server host information and service port information are sent to the management server.
Here the host agent needs to be installed in the virtual host and configured accordingly so that it can run normally.
It should be noted that the host agent may obtain the server host information and service port information either by actively scanning the virtual host or by reading the original information and forwarding it directly. When the host agent needs an iterative upgrade, the original port information can be preserved, the update performed, and the original information read again after completion.
When a virtual host is newly added or a service is added on a server, the information of the virtual host can be added manually, or the host agent can be made to rescan the ports and application services of the virtual host.
Refer to Fig. 5, which is a flow chart of the host agent executing rules, provided by the embodiment of this application.
Based on the above embodiment, the present embodiment can include:
S410: receive the access policy rules sent by the management server;
S420: detect and control access events with the host firewall according to the access policy rules.
It should be noted that the access policy rules received by the host agent take the form of a policy file, and the rule content in the policy file is parsed.
Generally, in the host agent, new rule content can directly replace the old rule content. In the present embodiment the original rule content is backed up first and the new rule content is then applied.
The host agent can implement the execution of the access control policy using host firewall technology, and different hosts can use different host firewalls, for example the Windows WPF or Linux iptables firewall access control technology; this is not limited here.
Therefore, when migrating, the host agent only needs to apply the same access policy rules to the firewalls of the different hosts, which effectively solves the problem of different platforms coexisting when a virtualized data centre is migrated.
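How a host agent can translate rules in the agent format quoted earlier into commands for one of the host firewalls the text names, Linux iptables, as an added example that is not the patent's code. The rule text is constructed from the page's own sample block plus a default-deny block; assumptions of this example are that the protocol is TCP, that a lower Priority number is applied first, and that the App field can only be carried as a rule comment because iptables has no application match. Commands are returned as strings so the ordering and backup step can be checked before anything is applied.

```python
# Added example: agent-format rules -> ordered iptables commands (not executed here).

SAMPLE_AGENT_RULES = """Action:allow
Direction:in
Priority:0
Local_Port:443/3389-3392/
Remont_port:
Host:1.1.1.1/2.2.2.2-3.3.3.3
App:tomcat

Action:prevent
Direction:in
Priority:4
Local_Port:
Remont_port:
Host:
App:
"""

def parse_agent_rules(text):
    """Split the text into rules; each rule is a blank-line-separated block of Key:value lines."""
    rules = []
    for block in text.strip().split("\n\n"):
        rule = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rule[key.strip()] = value.strip()
        rules.append(rule)
    return rules

def _split_field(value):
    """'443/3389-3392/' -> ['443', '3389-3392']; an empty field -> []."""
    return [p for p in value.split("/") if p]

def rule_to_iptables(rule):
    """Translate one agent rule into iptables commands, one per Host entry (or one with no host)."""
    chain = "INPUT" if rule.get("Direction") == "in" else "OUTPUT"
    target = "ACCEPT" if rule.get("Action") == "allow" else "DROP"
    ports = _split_field(rule.get("Local_Port", ""))
    hosts = _split_field(rule.get("Host", "")) or [None]
    base = ["iptables", "-A", chain]
    if ports:
        # multiport writes ranges as low:high where the agent format uses low-high
        base += ["-p", "tcp", "-m", "multiport", "--dports",
                 ",".join(p.replace("-", ":") for p in ports)]
    cmds = []
    for host in hosts:
        cmd = list(base)
        if host and "-" in host:   # address range -> iprange match
            cmd += ["-m", "iprange", "--src-range" if chain == "INPUT" else "--dst-range", host]
        elif host:                 # single address
            cmd += ["-s" if chain == "INPUT" else "-d", host]
        if rule.get("App"):
            cmd += ["-m", "comment", "--comment", f"app={rule['App']}"]
        cmd += ["-j", target]
        cmds.append(" ".join(cmd))
    return cmds

def apply_rules(text):
    """Parse, order by priority (lower number first) and translate. A caller would save the
    current rule set before running these, matching the backup-then-apply step in the text."""
    rules = sorted(parse_agent_rules(text), key=lambda r: int(r.get("Priority") or 0))
    out = []
    for r in rules:
        out.extend(rule_to_iptables(r))
    return out

if __name__ == "__main__":
    for cmd in apply_rules(SAMPLE_AGENT_RULES):
        print(cmd)
```

Because the allow rules sort ahead of the catch-all DROP, appending them in this order preserves the default-deny semantics; a Windows agent would map the same parsed rules onto its own firewall API instead, which is the platform independence the text claims for migration.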
Refer to Fig. 6, which is a flow chart of the management server processing logs, provided by the embodiment of this application.
Based on the above embodiment, the present embodiment can include:
S500: the management server receives the log information sent by the host agent;
S600: parse the log information to obtain logs;
S700: according to the content of the logs, display the warning messages of the access events.
The specific content of the logs and their display format can be set according to the specific problem to be solved and the actual conditions, while also taking the manager's readability into account; this is not limited here.
The relevant log information can be transmitted over the intranet between the management server and the host agent, on the basis of either HTTP or TCP; this is not limited here. The management server needs to parse the received log information into logs that administrative staff can store and read, and store the logs in the corresponding database.
It should be noted that the management server can be configured with relevant screening rules; according to these rules it screens the corresponding information for display on its display platform, which may be a web page or a mobile phone APP; this is not limited here.
Refer to Fig. 7, which is a flow chart of the host agent processing logs, provided by the embodiment of this application.
Based on the above embodiment, the present embodiment can include:
S510: the host agent generates access event logs according to the access policy rules;
S520: parse the needed information out of the access event logs and encapsulate it as log information;
S530: send the log information to the management server.
The logs are generated according to the access policy rules. When an access event occurs, the relevant information is recorded, for example the time, the port, who the requester is and whether the rules permit the access, and the access process is recorded. This yields the log content of the access event; the required content is parsed out of it and encapsulated as log information for transmission over the intranet, in a format that can correspond to what the protocol used to send the information requires.
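The log path of steps S510 to S530 and S500 to S700 end to end, as an added example that is not the patent's code: the host agent records an access event with the fields the text names (time, port, requester, whether the rules permitted it), keeps only the needed fields and encapsulates them as one message, and the management server parses the message into log rows and applies a screening rule to produce warnings. The events, the JSON message layout and the screening rule (warn on denied access, escalating when one requester repeats) are constructed for this example.

```python
import json

# Added example: host-agent log generation and encapsulation, management-server parsing and screening.

def make_event_log(time, port, requester, app, allowed, rule_name):
    """Host agent side: the full access-event record produced when a firewall rule fires."""
    return {
        "time": time,
        "local_port": port,
        "requester": requester,
        "app": app,
        "action": "allow" if allowed else "prevent",
        "rule": rule_name,
        "process": "firewall matched rule and %s the connection" % ("accepted" if allowed else "dropped"),
    }

NEEDED_FIELDS = ("time", "local_port", "requester", "app", "action", "rule")

def encapsulate(event_logs, agent_host):
    """Parse out only the needed fields and encapsulate them as one JSON message body
    (what the text says may be carried over HTTP or TCP on the intranet)."""
    records = [{k: e[k] for k in NEEDED_FIELDS} for e in event_logs]
    return json.dumps({"agent": agent_host, "records": records}).encode("utf-8")

def parse_log_message(payload):
    """Management server side: turn a received message back into rows ready for storage."""
    msg = json.loads(payload.decode("utf-8"))
    rows = []
    for r in msg["records"]:
        row = dict(r)
        row["agent"] = msg["agent"]
        rows.append(row)
    return rows

def screen_warnings(rows, min_denied_per_requester=1):
    """Constructed screening rule: one warning per requester that was denied,
    rated high once the same requester has been denied three or more times."""
    denied = {}
    for row in rows:
        if row["action"] == "prevent":
            denied.setdefault(row["requester"], []).append(row)
    warnings = []
    for requester, hits in denied.items():
        if len(hits) >= min_denied_per_requester:
            warnings.append({
                "requester": requester,
                "agent": hits[0]["agent"],
                "count": len(hits),
                "ports": sorted({h["local_port"] for h in hits}),
                "level": "high" if len(hits) >= 3 else "medium",
            })
    return sorted(warnings, key=lambda w: w["requester"])

# Constructed access events on one virtual host's agent (addresses and times are illustrative)
SAMPLE_EVENTS = [
    make_event_log("2017-01-01T08:00:01Z", 443, "10.0.2.20", "httpd", True, "web-https"),
    make_event_log("2017-01-01T08:00:05Z", 3306, "10.0.3.30", "mysqld", False, "default-deny"),
    make_event_log("2017-01-01T08:00:06Z", 3306, "10.0.3.30", "mysqld", False, "default-deny"),
    make_event_log("2017-01-01T08:00:09Z", 22, "10.0.3.30", "sshd", False, "default-deny"),
    make_event_log("2017-01-01T08:01:00Z", 8080, "10.0.1.11", "tomcat", False, "default-deny"),
]

def run_pipeline(events=SAMPLE_EVENTS, agent_host="portal-web-1"):
    """Agent -> message -> server rows -> warnings, for the constructed events."""
    payload = encapsulate(events, agent_host)
    rows = parse_log_message(payload)
    return rows, screen_warnings(rows)

if __name__ == "__main__":
    rows, warnings = run_pipeline()
    print(f"{len(rows)} log rows stored")
    for w in warnings:
        print(f"[{w['level']}] {w['requester']} denied {w['count']}x on ports {w['ports']} at {w['agent']}")
```

Dropping the free-text process field before transmission is the "parse out what is needed" step of S520; the management server never has to store or display it, and the screening rule operates only on the structured fields that survived encapsulation.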
The embodiment of this application provides a configuration method for traffic control in a virtual environment: application roles and business domains are divided through configuration based on the port information of the virtual hosts, then the access policy rules to be executed by the host agent are configured, realizing control of access traffic and application roles, so that business access to the virtual hosts can be subjected to authority control to prevent intrusion by unauthorized access.
The configuration system for traffic control in a virtual environment provided by the embodiment of this application is introduced below; the configuration system described hereafter and the configuration method described above may be referred to each other.
Refer to Fig. 8, which is a flow chart of the configuration system provided by the embodiment of this application.
The present embodiment provides a configuration system for traffic control in a virtual environment. The system may include a management server and host agents, where the host agents are deployed in a distributed manner in each virtual machine and execute the access policy rules. The management platform can be deployed on the Internet and supports unified policy management configuration for different virtualized data centres.
The host agent is for obtaining server host information and service port information, sending the server host information and service port information to the management server, and executing the access policy rules sent by the management server.
The management server is for configuring a corresponding application role for each service and dividing the server hosts into corresponding business domains according to the server host information and service port information, configuring the access policy rules of the application roles and business domains, and sending the access policy rules to the host agent.
Based on the above embodiment, in the present embodiment the host agent is specifically for obtaining the server host information and service port information by scanning the ports of the services and the server host.
Based on the above embodiment, in the present embodiment the host agent is specifically for receiving the access policy rules sent by the management server, and for detecting and controlling access events with the host firewall according to the access policy rules.
Based on the above embodiment, in the present embodiment the host agent is further for sending log information to the management server;
the management server is further for parsing the log information to obtain logs and, according to the content of the logs, displaying the warning messages of the access events.
Based on the above embodiment, in the present embodiment the host agent is specifically for generating access event logs according to the access policy rules, parsing the needed information out of the access event logs and encapsulating it as log information, and sending the log information to the management server.
Refer to Fig. 9, which is the functional architecture diagram of the system provided by an embodiment of the present application.
Here, the management platform refers to the operation and management system running on the management server.
The management platform includes a policy rule module and a log module. The policy rule module is responsible for policy configuration, policy storage and policy distribution; the log module is responsible for log display, log storage and log parsing. In other words, the management platform contains a policy rule module and a log module: the policy rule module configures access policy rules for application roles on the front-end configuration page according to the business requirements, stores the configured access policy rules, and then distributes the access policy rules uniformly to the corresponding host agents. After a host agent receives the file corresponding to the access policy rules, it parses the rule content in the file, backs up the original rule content, and applies the new rule content. The access policy rule files, which are critical in the system, are stored in the configuration centre of the management platform (that is, the access policy rule files are the management platform's configuration files), while the agent's configuration file is stored locally. If the file formats on the two sides differ, the management platform unifies them: for example, the management platform converts the policy file into the rule format supported by the agent and then distributes it to the agent for use.
The host agent (Agent) includes a policy rule module, a log module and a scan module. The policy rule module is responsible for rule backup, policy rule parsing and rule application/parsing; the log module is responsible for log parsing, log encapsulation and log sending; the scan module is responsible for scanning application services and service ports, and also for host configuration. That is, the log module on the host agent parses the content of the access event logs generated according to the rules, obtains the required log information, re-encapsulates it as log information, and sends the log information to the management platform via the communication module. After receiving the log information, the management platform parses and processes it, stores the log in the corresponding database, and displays it on the platform page.
Specifically, the management platform is responsible for configuring, storing and distributing the various access policy rules described above, and for parsing, storing and displaying the reported event logs. By capturing the access information of services (that is, application services) between virtual machines, the management platform collects and analyses the data communication between virtual machines and shows the user the traffic model within the whole cloud platform, including the traffic between virtual machines and between different application services, to build a basic access view. From the newly added traffic access view in the management platform, subtle internal changes can be analysed, which makes it quick and easy to configure the corresponding access policy rule actions. The specific application types within the virtual machine traffic can also be identified, and on that basis traffic and application control functions are provided, so that fine-grained permission control can be applied to business access to the virtual machine in order to filter unauthorised access.
That is, the implementation process of the micro-isolation (micro-segmentation) business is as follows. After the host agent is installed on a virtual host, it can automatically scan and discover the ports of the application services, and report the server host information and service port information to the management platform. On the management platform, the administrator can configure an application role according to the application purpose of the server host, and then assign the server host to the corresponding business domain. On the micro-isolation configuration page, the administrator configures the business access policy according to the access relationships of the business. The policy is automatically distributed to the host agents; after an agent receives the policy file, it parses the file into executable rules and reports event logs for the traffic between virtual machines according to the access policy. After the management platform receives the event log information, it displays event alarm information.
It should be noted that functional modules with the same name exist in both the management platform and the host agent, but this does not mean that their functions are identical.
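The flow just described, as an added example that is not the patent's or Sangfor's code: a management server assigns application roles and business domains to the hosts the agents report, converts a role-level access policy into the ip/port rules an agent supports, and the agent enforces them on the host with default deny and reports each access event back as log information, which the management server parses into alarms. Host addresses, roles, ports and the rule and log formats are constructed assumptions.

```python
# Added example, not the patent's or Sangfor's code: a toy model of the micro-isolation
# flow above. Hosts, roles, ports and the rule/log formats are constructed assumptions.
from dataclasses import dataclass

@dataclass
class Host:
    ip: str
    ports: dict        # port -> service, as found by the agent's scan module
    role: str = ""     # application role assigned by the administrator
    domain: str = ""   # business domain assigned by the administrator

class ManagementServer:
    def __init__(self):
        self.hosts, self.policies, self.alarms = {}, [], []
    def receive_report(self, host):                   # server host + service port info
        self.hosts[host.ip] = host
    def configure(self, ip, role, domain):            # assign role and business domain
        self.hosts[ip].role, self.hosts[ip].domain = role, domain
    def add_policy(self, src_role, dst_role, port):   # role-level access policy rule
        self.policies.append((src_role, dst_role, port))
    def distribute(self, agent):
        # Convert the role-based policy into the ip/port rules the agent supports;
        # a source only qualifies inside the protected host's business domain.
        dst = agent.host
        agent.apply_rules([("allow", h.ip, p) for (s, d, p) in self.policies
                           for h in self.hosts.values()
                           if (s, d, dst.domain) == (h.role, dst.role, h.domain)])
    def receive_log(self, log_info):                  # parse log info, alarm on deny
        log = dict(kv.split("=", 1) for kv in log_info.split(";"))
        if log["action"] == "deny":
            self.alarms.append(f"{log['src']} -> {log['dst']}:{log['port']} blocked")
        return log

class HostAgent:
    def __init__(self, host, mgmt):
        self.host, self.mgmt, self.rules, self.backup = host, mgmt, [], []
    def scan_and_report(self):
        self.mgmt.receive_report(self.host)
    def apply_rules(self, rules):                     # back up old rules, apply new
        self.backup, self.rules = self.rules, rules
    def handle_access(self, src_ip, port):            # host-firewall check, default deny
        action = "allow" if ("allow", src_ip, port) in self.rules else "deny"
        event = {"src": src_ip, "dst": self.host.ip, "port": port, "action": action}
        self.mgmt.receive_log(";".join(f"{k}={v}" for k, v in event.items()))
        return action

def demo():
    mgmt = ManagementServer()
    web, db, other = (HostAgent(Host(ip, ports), mgmt) for ip, ports in
                      [("10.0.0.1", {80: "nginx"}), ("10.0.0.2", {3306: "mysql"}),
                       ("10.0.0.3", {22: "sshd"})])    # constructed sample hosts
    for a in (web, db, other):
        a.scan_and_report()
    mgmt.configure("10.0.0.1", "web", "shop")
    mgmt.configure("10.0.0.2", "db", "shop")
    mgmt.configure("10.0.0.3", "web", "other")        # same role, other business domain
    mgmt.add_policy("web", "db", 3306)
    mgmt.distribute(db)
    return [db.handle_access(ip, 3306) for ip in ("10.0.0.1", "10.0.0.3")], mgmt.alarms
```

Running `demo()` shows the host in the same business domain reaching the database while the host with the same role but a different domain is blocked and raises one alarm.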
The embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and the relevant parts may be found in the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. In order to illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above generally in terms of function. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be regarded as going beyond the scope of this application.
The steps of the method or algorithm described in conjunction with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The configuration method and system for flow control in a virtual environment provided by the present application have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the application; the description of the above embodiments is only intended to help in understanding the method of the present application and its core idea. It should be pointed out that those of ordinary skill in the art can make a number of improvements and modifications to the application without departing from its principles, and these improvements and modifications also fall within the scope of the claims of the application.

Claims (10)

1. A configuration method for flow control in a virtual environment, characterised in that the method comprises:
receiving, by a management server, server host information and service port information sent by a host agent;
configuring, according to the server host information and the service port information, a corresponding application role for the service, and assigning a server host to a corresponding business domain;
configuring access policy rules for the application role and the business domain;
sending the access policy rules to the host agent, so that the host agent executes the access policy rules.
2. The method according to claim 1, characterised in that the sending of the server host information and the service port information by the host agent comprises:
the host agent obtaining the server host information and the service port information by scanning the ports of the service and the server host;
sending the server host information and the service port information to the management server.
3. The method according to claim 2, characterised in that the host agent executing the access policy rules comprises:
receiving the access policy rules sent by the management server;
detecting and controlling access events according to the access policy rules using a host firewall.
4. The method according to any one of claims 1 to 3, characterised in that it further comprises:
receiving, by the management server, log information sent by the host agent;
parsing the log information to obtain a log;
displaying alarm information for the access events according to the content of the log.
5. The method according to claim 4, characterised in that the generation of the log information comprises:
the host agent generating an access event log according to the access policy rules;
parsing the access event log to obtain the required information, and encapsulating it as log information;
sending the log information to the management server.
6. A configuration system for flow control in a virtual environment, characterised in that the system comprises:
a host agent, configured to obtain server host information and service port information, send the server host information and the service port information to a management server, and execute access policy rules sent by the management server;
a management server, configured to configure, according to the server host information and the service port information, a corresponding application role for the service and assign a server host to a corresponding business domain; configure access policy rules for the application role and the business domain; and send the access policy rules to the host agent.
7. The system according to claim 6, characterised in that the host agent is specifically configured to obtain the server host information and the service port information by scanning the ports of the service and the server host.
8. The system according to claim 7, characterised in that the host agent is specifically configured to receive the access policy rules sent by the management server, and to detect and control access events according to the access policy rules using a host firewall.
9. The system according to any one of claims 6 to 8, characterised in that
the host agent is further configured to send log information to the management server;
the management server is further configured to parse the log information to obtain a log, and to display alarm information for the access events according to the content of the log.
10. The system according to claim 9, characterised in that the host agent is specifically configured to generate an access event log according to the access policy rules; parse the access event log to obtain the required information and encapsulate it as log information; and send the log information to the management server.
CN201710552136.7A 2017-07-07 2017-07-07 Configuration method and system for flow control in a virtual environment Pending CN107332851A (en)

Publications (1)

Publication Number Publication Date
CN107332851A true CN107332851A (en) 2017-11-07

Family

ID=60196335


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109150860A (en) * 2018-08-02 2019-01-04 郑州云海信息技术有限公司 A method and system for realising network micro-isolation in an OpenStack environment
CN111443986A (en) * 2020-01-09 2020-07-24 武汉思普崚技术有限公司 Micro-isolation protection method and system for distributed virtual environment
CN111866100A (en) * 2020-07-06 2020-10-30 北京天空卫士网络安全技术有限公司 Method, device and system for controlling data transmission rate

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104202333A (en) * 2014-09-16 2014-12-10 浪潮电子信息产业股份有限公司 Implementation method of distributed firewall
CN104378387A (en) * 2014-12-09 2015-02-25 浪潮电子信息产业股份有限公司 Virtual platform information security protection method
US9049187B2 (en) * 2009-01-08 2015-06-02 Alcatel Lucent Connectivity, adjacencies and adaptation functions
CN105684391A (en) * 2013-11-04 2016-06-15 伊尔拉米公司 Automated generation of label-based access control rules



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20171107)