Disclosure of Invention
In view of this, an object of the embodiments of the present invention is to provide an application program protection method and apparatus based on a virtualized container, which can protect different applications, or different types of applications, on the basis of a virtualized container, effectively protect the application layer security of a server system, and mitigate attack techniques such as SQL injection, cross-site scripting and information leakage.
Based on the above object, an aspect of the embodiments of the present invention provides an application program protection method based on a virtualized container, which is applied to a server, and includes the following steps:
monitoring an external port and acquiring an application program access request from the outside;
extracting application layer information from the data packets of the application program access request;
filtering the application layer information by using a firewall policy to generate legal application layer information;
and transmitting the legal application layer information to an application program container for processing.
In some embodiments, further comprising the steps of:
the application program container generates feedback information after processing;
filtering the feedback information by using the firewall policy to generate legal feedback information;
and packaging the legal feedback information and returning it through the external interface.
In some embodiments, the firewall policies are recorded in the policy repository in the form of firewall parameters.
In some embodiments, the policy repository is connected to a specific programming interface through which the firewall policy is configured.
In some embodiments, the application requesting access is disposed in an application container.
In some embodiments, the firewall policy takes effect when the application container starts, and the firewall that enforces it shares a network namespace, and therefore an external network address, with the application container.
In another aspect, an embodiment of the invention also provides an application program protection apparatus based on a virtualized container, which is applied to a server and comprises a reverse proxy server, a policy repository and a programming interface.
In another aspect of the embodiments of the present invention, there is also provided a computer device including a memory, at least one processor, and a computer program stored on the memory and executable on the processor, the processor executing the program to perform the method described above.
In another aspect of the embodiments of the present invention, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program is executed by a processor to perform the above method.
In another aspect of the embodiments of the present invention, there is also provided a computer program product including a computer program stored on a computer-readable storage medium, the computer program including instructions which, when executed by a computer, cause the computer to perform the above method.
The embodiments of the invention have the following beneficial technical effects: the application program protection method and apparatus based on a virtualized container monitor an external port, obtain access requests for the application program from the outside, extract the application layer information from the data packets, filter it with the firewall policy, and transmit only the legal application layer information to the application program container for processing. The application layer security of the server system is thereby effectively protected, and attack techniques such as SQL injection, cross-site scripting and information leakage are mitigated.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following embodiments of the present invention are described in further detail with reference to the accompanying drawings.
It should be noted that the terms "first" and "second" in the embodiments of the present invention serve only to distinguish two entities that share a name but are different entities or have different parameters; they are used merely for convenience of description, should not be construed as limiting the embodiments of the present invention, and are not described further in the following embodiments.
In view of the above, a first aspect of the embodiments of the present invention provides a first embodiment of a method for protecting an application program based on a virtualized container for different applications or different types of applications. Fig. 1 is a flowchart illustrating a first embodiment of a virtualized container-based application protection method according to the present invention.
The application program protection method based on the virtualized container is optionally applied to a server, and comprises the following steps:
step S101, monitoring an external port and acquiring an access request of an application program from the outside;
step S103, extracting application layer information from the data packets of the application program access request;
step S105, filtering the application layer information by using the firewall policy to generate legal application layer information;
step S107, the legal application layer information is transmitted to the application program container for processing.
In some embodiments, further comprising the steps of:
the application program container generates feedback information after processing;
filtering the feedback information by using the firewall policy to generate legal feedback information;
and packaging the legal feedback information and returning it through the external interface.
Optionally, the firewall policy applies the same filtering process to the feedback information generated by the application container. This is a technical measure against attacks originating inside the system: if a particular application is compromised, its return path is filtered as well, so that what the compromised application can send to the outside is limited and other applications are not affected.
In some embodiments, the firewall policies are recorded in the policy repository in the form of firewall parameters.
In some embodiments, the policy repository is connected to a specific programming interface through which the firewall policy is configured.
Optionally, the policy repository is also arranged in a container. It can be regarded as a special application that is connected to a different external port than the general applications: the general applications are connected to the common external port, whereas the policy repository is connected to a specific programming interface, through which a specific external application program can read and write the firewall parameters and thereby modify the firewall policy.
In some embodiments, the application requesting access is disposed in an application container.
In some embodiments, the firewall policy takes effect when the application container starts, and the firewall that enforces it shares a network namespace, and therefore an external network address, with the application container.
Optionally, because it shares the network namespace and the external network address with the application container, the firewall acts as a reverse proxy server in front of that container.
It can be seen from the foregoing embodiments that the application protection method based on a virtualized container provided in the embodiments of the present invention monitors an external port, obtains access requests for an application from the outside, extracts application layer information from the data packets, filters it with a firewall policy, and transmits only the legal application layer information to the application container for processing; the application layer security of the server system is thereby effectively protected, and attack techniques such as SQL injection, cross-site scripting and information leakage are mitigated.
The embodiment of the invention also provides a second embodiment of the application program protection method based on the virtualization container, which can be used for different applications or different types of applications.
The virtual application firewall is distributed as a Docker image. Its container is started together with the application container and shares a network namespace with it, so that the virtual firewall container and the application container share one external IP address.
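One way to realize that shared namespace with Docker Compose, as an added example that is not part of the patent (the image names and port numbers are assumptions):

```yaml
# docker-compose.yml: application container plus virtual firewall in one network namespace
services:
  app:
    image: example/app:1.0              # assumed image; the application listens on 127.0.0.1:8080
    ports:
      - "80:80"                         # published on app: a container that joins another's
      - "9000:9000"                     # namespace has no network of its own to publish from
  firewall:
    image: example/virtual-firewall:1.0 # assumed image: Apache reverse proxy plus policy engine
    network_mode: "service:app"         # join app's namespace: same interfaces, same external IP
    depends_on:
      - app
```

Because the two containers share one namespace, the application should bind its own port (8080 here) to loopback; bound to all interfaces, it would also be reachable on the shared address from other containers on the same Docker network, bypassing the firewall.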
The core of the virtual application firewall is a reverse proxy server, which forwards requests from the external network to the internal network and listens on the external IP address and port specified in its configuration. By accepting connection requests from the external network, the reverse proxy server obtains the network packets of the access to the application, reorders and reassembles them, and extracts the application layer information. The reverse proxy server runs a policy engine that loads the firewall policy at start-up, compares the extracted application layer information with the firewall policy, filters out attack traffic, and forwards the legal application layer information to the internal network, where the application container processes it. After the application has processed the request, the return information is forwarded to the reverse proxy server, whose policy engine filters it again; the legal return information is then sent to the external network through the external IP address. Acting as a reverse proxy, the virtual application firewall therefore parses the network traffic, compares it with the firewall policy, cleans out attack traffic and protects the application.
The virtual firewall provides a RESTful API (application programming interface) through which external programs configure the firewall parameters and the policy repository.
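The following is an added example, not the patent's code or the Apache module it describes: the policy engine of the second embodiment reduced to plain Python, covering steps S101 to S107, the return-path filtering of the feedback information described earlier, and the programming interface of the policy repository. The socket listeners (Apache in the patent) are left out; `proxy_request` takes the application container as a callable so the whole path can be exercised offline. The rule set, the `/policy` resource, the `HOP` header list and the hypothetical `send_upstream` callable are assumptions.

```python
"""Virtual application firewall reduced to its policy engine (added example, not the
patent's code): extract application-layer fields from a request (S103), compare them
with the firewall policy (S105), pass only legal requests to the application container
(S107) and filter the container's feedback before it leaves through the external port."""
import json
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

HOP = {"connection", "keep-alive", "transfer-encoding", "content-length"}  # never forwarded
POLICY = {  # policy repository: firewall parameters as plain data, rewritable at run time
    "request_rules": [  # [name, regex] applied to every decoded request value; illustrative only
        ["sqli_tautology", r"(?i)\b(or|and)\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"],
        ["sqli_union", r"(?i)\bunion\b\s+(all\s+)?select\b"],
        ["sqli_comment", r"(--\s*$|/\*.*\*/)"],
        ["xss_tag", r"(?i)<\s*(script|img|svg|iframe)\b"],
        ["xss_handler", r"(?i)\bon[a-z]+\s*="],
    ],
    "response_rules": [  # leakage patterns that must never reach the external network
        ["stack_trace", r"(?m)^\s*(Traceback \(most recent call last\)|at [\w.$]+\([\w.]+:\d+\))"],
        ["sql_error", r"(?i)(error in your SQL syntax|ORA-\d{5}|unterminated quoted string)"],
    ],
    "drop_response_headers": ["server", "x-powered-by"],  # fingerprinting headers
}


def extract_app_layer(target, headers, body):
    """S103: the decoded path, every query/form value (or the raw body), and the
    attacker-controlled headers, as (field, value) pairs. Header keys are lowercase."""
    parts = urlsplit(target)
    values = [("path", unquote_plus(parts.path))]
    values += [("query:" + k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    text = body.decode("utf-8", "replace")
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        values += [("form:" + k, v) for k, v in parse_qsl(text, keep_blank_values=True)]
    elif body:
        values.append(("body", text))
    return values + [("header:" + h, headers[h]) for h in ("user-agent", "referer", "cookie") if h in headers]


def filter_request(values):
    """S105: returns (legal, matches); matches lists (rule, field) so every block is explainable."""
    rules = [(name, re.compile(pattern)) for name, pattern in POLICY["request_rules"]]
    matches = [(name, field) for name, rx in rules for field, value in values if rx.search(value)]
    return not matches, matches


def filter_response(status, headers, body):
    """Return path: drop fingerprinting headers; a body matching a leakage rule is replaced
    wholesale, so a crashing or compromised application cannot echo internals outward."""
    headers = {k: v for k, v in headers.items() if k.lower() not in POLICY["drop_response_headers"]}
    text = body.decode("utf-8", "replace")
    hit = next((name for name, pattern in POLICY["response_rules"] if re.search(pattern, text)), None)
    if hit:
        return 502, {"content-type": "text/plain"}, b"response blocked by policy\n", hit
    return status, headers, body, None


def handle_management(method, path, body):
    """Policy repository API (resource name assumed): GET /policy reads the firewall parameters,
    PUT /policy replaces them. Every regex is compiled first, so a broken policy is refused."""
    if path != "/policy" or method not in ("GET", "PUT"):
        return 404, b"unknown resource or method\n"
    if method == "GET":
        return 200, json.dumps(POLICY).encode()
    try:
        new = json.loads(body)
        for _name, pattern in new["request_rules"] + new["response_rules"]:
            re.compile(pattern)
        new["drop_response_headers"] = [h.lower() for h in new["drop_response_headers"]]
    except (ValueError, KeyError, TypeError, AttributeError, re.error) as exc:
        return 400, ("bad policy: %s\n" % exc).encode()
    POLICY.update(new)  # keys are swapped one at a time and never cleared, so readers see no gap
    return 204, b""


def proxy_request(method, target, headers, body, send_upstream):
    """S101 to S107 and the return path in one call. send_upstream(method, target, headers,
    body) stands for the application container (hypothetical) and returns (status, headers, body).
    Returns (status, headers, body, reasons); reasons is non-empty when something was blocked."""
    headers = {k.lower(): v for k, v in headers.items()}
    legal, matches = filter_request(extract_app_layer(target, headers, body))
    if not legal:
        return 403, {"content-type": "text/plain"}, b"request blocked by policy\n", matches
    forwarded = {k: v for k, v in headers.items() if k not in HOP}
    status, out_headers, out_body, hit = filter_response(*send_upstream(method, target, forwarded, body))
    return status, out_headers, out_body, [(hit, "response")] if hit else []
```

The request rules are illustrative signatures, not a complete rule set. `handle_management` compiles every pattern before accepting a policy, so a typo in a regex is refused with 400 instead of taking the proxy down on the next request; a real deployment must also authenticate callers of the management port, which the patent places on a separate external port.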
As with the first embodiment, the second embodiment effectively protects the application layer security of the server system and mitigates attack techniques such as SQL injection, cross-site scripting and information leakage.
It should be particularly noted that the steps in the embodiments of the application protection method based on a virtualized container may be interleaved, replaced, added or deleted, and these reasonable permutations and combinations of the application protection method based on a virtualized container should therefore also fall within the scope of the present invention, which should not be limited to the described embodiments.
In view of the above, a second aspect of the embodiments of the present invention provides a first embodiment of an application program protection apparatus based on a virtualized container for different applications or different types of applications. The application program protection apparatus based on a virtualized container is applied to a server, comprises a reverse proxy server, a policy repository and a programming interface, and uses the application program protection method based on a virtualized container. Fig. 2 is a schematic structural diagram of a first embodiment of the application program protection apparatus based on a virtualized container according to the present invention.
As shown in fig. 2, a Docker image of the virtual firewall is built on the Apache HTTP server. Apache is configured to listen on a fixed port, on which the RESTful API is provided for configuring the application port and the policy repository. Apache is further configured to listen on the application port (for example the default port 80), with that port operating in reverse proxy mode. The policy engine is implemented as an Apache module plug-in and provides application layer information parsing, policy loading, policy comparison and related functions along the dashed path shown in fig. 2. After functional testing of the virtual firewall, the Apache server, its configuration files and the policy engine module are packaged into a Docker image, the start-up parameters are configured, and the application works along the solid path shown in fig. 2.
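An httpd.conf fragment matching that description, as an added example that is not the patent's configuration file (the policy engine module, its handler and directive names, the ports and the admin network range are assumptions; the mod_proxy directives are standard Apache):

```apache
# httpd.conf fragment for the virtual firewall image
LoadModule proxy_module         modules/mod_proxy.so
LoadModule proxy_http_module    modules/mod_proxy_http.so
LoadModule policy_engine_module modules/mod_policy_engine.so   # hypothetical: the policy engine plug-in

ServerTokens Prod                  # do not advertise the Apache version on the external port

# Fixed management port: RESTful configuration of the application port and policy repository.
Listen 9000
<VirtualHost *:9000>
    <Location "/policy">
        SetHandler policy-engine-api            # hypothetical handler name exported by the module
        Require ip 127.0.0.1 10.0.0.0/8         # assumption: loopback and the admin network only
    </Location>
</VirtualHost>

# Application port: reverse proxy into the application container, which shares this
# network namespace and is therefore reachable on loopback.
Listen 80
<VirtualHost *:80>
    ProxyRequests Off                           # reverse proxy only; never an open forward proxy
    ProxyPreserveHost On
    PolicyEngine On                             # hypothetical directive: inspect request and response
    ProxyPass        "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
</VirtualHost>
```

`ProxyRequests Off` matters: with it on, the same listener would also act as a forward proxy and relay arbitrary outbound requests from anyone who can reach the external port.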
The application program protection apparatus based on a virtualized container monitors an external port, obtains access requests for the application program from the outside, extracts the application layer information from the data packets, filters it with the firewall policy and transmits only the legal application layer information to the application program container for processing; the application layer security of the server system is thereby effectively protected, and attack techniques such as SQL injection, cross-site scripting and information leakage are mitigated.
It should be particularly noted that the above embodiment of the application protection apparatus based on a virtualized container uses the embodiment of the application protection method based on a virtualized container to describe the working process of each module, and those skilled in the art will readily appreciate that these modules can be applied to other embodiments of the application protection method based on a virtualized container. Of course, since the steps in the embodiments of the application protection method based on a virtualized container may be interleaved, replaced, added or deleted, these reasonable permutations and combinations should also fall within the scope of the present invention, which should not be limited to the described embodiment.
In view of the foregoing, according to a third aspect of the embodiments of the present invention, an embodiment of a computer device for executing the virtualized container-based application protection method is provided.
The computer device for executing the virtualized container-based application protection method includes a memory, at least one processor, and a computer program stored in the memory and running on the processor, wherein the processor executes the computer program to perform any one of the methods described above.
Fig. 3 is a schematic hardware structural diagram of an embodiment of a computer device for executing the virtualized container-based application protection method according to the present invention.
Taking the computer device shown in fig. 3 as an example, the computer device includes a processor 301 and a memory 302, and may further include: an input device 303 and an output device 304.
The processor 301, the memory 302, the input device 303 and the output device 304 may be connected by a bus or other means, and fig. 3 illustrates the connection by a bus as an example.
The memory 302 is a non-volatile computer-readable storage medium, and can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules, such as program instructions/modules corresponding to the virtualized container-based application protection method in this embodiment of the present application. The processor 301 executes various functional applications of the server and data processing by running the nonvolatile software programs, instructions and modules stored in the memory 302, that is, implements the application program protection method based on the virtualized container of the above-described method embodiment.
The memory 302 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created from use of the virtualized container-based application guard, and the like. Further, the memory 302 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, memory 302 optionally includes memory located remotely from processor 301, which may be connected to a local module via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 303 may receive input numeric or character information and generate key signal inputs related to user settings and function controls of the virtualized container-based application protection apparatus. The output device 304 may comprise a display device such as a display screen.
Program instructions/modules corresponding to the one or more virtualized container-based application protection methods are stored in the memory 302 and, when executed by the processor 301, perform the virtualized container-based application protection method in any of the above-described method embodiments.
Any embodiment of the computer device executing the virtualized container-based application protection method may achieve the same or similar effects as any corresponding method embodiment described above.
In view of the foregoing, a fourth aspect of the embodiments of the present invention provides a computer-readable storage medium, where computer-executable instructions are stored, and the computer-executable instructions may execute the virtualized container based application protection method in any of the above method embodiments and implement the virtualized container based application protection apparatus in any of the above apparatus embodiments. Embodiments of the computer-readable storage medium may achieve the same or similar effects as any of the aforementioned method and apparatus embodiments corresponding thereto.
In view of the above object, a fifth aspect of the embodiments of the present invention provides a computer program product, which includes a computer program stored on a computer-readable storage medium, where the computer program includes instructions that, when executed by a computer, cause the computer to execute a virtualized container based application protection method in any of the above method embodiments and a virtualized container based application protection apparatus implementing any of the above apparatus embodiments. Embodiments of the computer program product may achieve the same or similar effects as any of the aforementioned method and apparatus embodiments corresponding thereto.
Finally, it should be noted that, as will be understood by those skilled in the art, all or part of the processes of the methods of the above embodiments may be implemented by a computer program, which may be stored in a computer-readable storage medium, and when executed, may include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like. Embodiments of the computer program may achieve the same or similar effects as any of the preceding method embodiments to which it corresponds.
In addition, the apparatuses, devices and the like disclosed in the embodiments of the present invention may be various electronic terminal devices, such as a mobile phone, a Personal Digital Assistant (PDA), a tablet computer (PAD), a smart television and the like, or may be a large terminal device, such as a server and the like, and therefore the scope of protection disclosed in the embodiments of the present invention should not be limited to a specific type of apparatus, device. The client disclosed in the embodiment of the present invention may be applied to any one of the above electronic terminal devices in the form of electronic hardware, computer software, or a combination of both.
Furthermore, the method disclosed according to an embodiment of the present invention may also be implemented as a computer program executed by a CPU, and the computer program may be stored in a computer-readable storage medium. The computer program, when executed by the CPU, performs the above-described functions defined in the method disclosed in the embodiments of the present invention.
Further, the above method steps and system elements may also be implemented using a controller and a computer readable storage medium for storing a computer program for causing the controller to implement the functions of the above steps or elements.
Further, it should be appreciated that the computer-readable storage media (e.g., memory) described herein can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. By way of example, and not limitation, nonvolatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM), which can act as external cache memory. By way of example and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The storage devices of the disclosed aspects are intended to comprise, without being limited to, these and other suitable types of memory.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as software or hardware depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the disclosed embodiments of the present invention.
The various illustrative logical blocks, modules, and circuits described in connection with the disclosure herein may be implemented or performed with the following components designed to perform the functions described herein: a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of these components. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP, and/or any other such configuration.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
In one or more exemplary designs, the functions may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media include both computer storage media and communication media, including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Also, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk and disc, as used herein, include Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
The foregoing is an exemplary embodiment of the present disclosure, but it should be noted that various changes and modifications could be made herein without departing from the scope of the present disclosure as defined by the appended claims. The functions, steps and/or actions of the method claims in accordance with the disclosed embodiments described herein need not be performed in any particular order. Furthermore, although elements of the disclosed embodiments of the invention may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
It should be understood that, as used herein, the singular forms "a," "an," "the" are intended to include the plural forms as well, unless the context clearly supports the exception. It should also be understood that "and/or" as used herein is meant to include any and all possible combinations of one or more of the associated listed items.
The numbers of the embodiments disclosed in the embodiments of the present invention are merely for description, and do not represent the merits of the embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is meant to be exemplary only and is not intended to imply that the scope of the disclosure, including the claims, of the embodiments of the invention is limited to these examples; within the idea of an embodiment of the invention, technical features in the above embodiment or in different embodiments may also be combined, and there are many other variations of the different aspects of the embodiments of the invention described above, which are not provided in detail for the sake of brevity. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present invention are intended to be included within the scope of the embodiments of the present invention.