CN107864062B - Container firewall system deployment method - Google Patents


Info

Publication number
CN107864062B
Authority
CN
China
Prior art keywords
container
firewall
network
host
message
Prior art date
Legal status
Active
Application number
CN201711317697.5A
Other languages
Chinese (zh)
Other versions
CN107864062A (en
Inventor
兰国语
刘晓毅
Current Assignee
China Electronic Technology Cyber Security Co Ltd
Original Assignee
China Electronic Technology Cyber Security Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/61 Installation
    • G06F8/63 Image based installation; Cloning; Build to order

Abstract

The invention realises access control, message filtering, network attack prevention, traffic limiting and related functions for the container applications deployed on one host. Because the firewall is itself deployed as a container, the deployment is lightweight, it does not consume excessive host resources, and the maintenance cost is low; at the same time the network topology of the existing container services does not need to be changed, so deployment is simple.

Description

Container firewall system deployment method
Technical Field
The invention relates to the field of virtual desktops, in particular to a container firewall system deployment method.
Background
Container technology, of which docker is the representative example, is spreading rapidly because it is lightweight and convenient and simple to deploy. Because of the structure of the container network topology and the way containers coexist, an attack on one container application can bring down the other containers running on the same host, which seriously affects the security and stability of the deployed services and causes great loss to users. In addition, in container deployments, strict access control, traffic limiting and similar functions are often required for the services for security reasons.
Disclosure of Invention
In order to solve the above problems, the present invention provides a container firewall system deployment method. The method comprises the following steps:
s1, package the firewall as a container to form a firewall container image;
s2, start the packaged firewall container image on the host with its network mode set to host mode, so that the container firewall fully shares the host's network protocol stack and has full access to the host's network interfaces, and start it with the privileged option so that it is allowed to configure the host's networking;
s3, set the network mode of every non-firewall container to bridge mode and do not give those containers the privileged option;
s4, the container firewall monitors the container chain of the host's NAT table and synchronises its port-mapping data in real time, keeping for each container a record of the container's externally exposed port together with the corresponding IP address and port inside the container;
s5, the container firewall obtains the names of the running container images through the container interface; the administrator sets the access rules for each container through the web management interface, and the rule parameters are stored in the corresponding configuration files;
s6, the access rules set by the administrator are applied to the container: the container firewall generates a corresponding message filtering function from the parameters in the configuration file and uses it to filter the network packets entering the host;
s7, after the firewall has started, record the process IDs of all running container images on the host;
s8, the container firewall filters all network packets entering the host and then applies a security mark to every network message that has passed its filtering;
s9, a process requests to obtain network data;
s10, determine whether the requesting process is a container process other than the container firewall; if so, go to step s12, otherwise go to step s11;
s11, grant the process's request;
s12, determine whether the network data requested by the process carries the security mark; if so, go to step s13, otherwise go to step s14;
s13, grant the process's request;
s14, reject the process's request.
The container firewall screens the network packets entering the host, returns the secure network data to the host's network layer, and then forwards it to the corresponding container. Screening consists of filtering the traffic that comes from or is destined for a container: a message whose source IP address and port, or destination IP address and port, match the recorded externally exposed IP address and port of a running container is handled according to the matched container's externally exposed host port, which yields the screened message traffic.
The administrator sets traffic limits, IP access control and rules for preventing network attacks through the web management interface. From the access rules set by the administrator, the container firewall generates a corresponding message filtering function according to the parameters in the relevant configuration file. The screened message traffic is filtered by that function: traffic that does not conform to the rules is discarded, and traffic that conforms is analysed in the next step. For conforming traffic, detailed classified statistics and log records are kept per address; for the traffic of a container image that the administrator has rate-limited, excess message traffic is discarded or forwarded according to the limit rule.
In addition, in the network attack prevention mode, the container firewall performs access traffic statistics, behaviour analysis, log recording and network attack detection for each container, applies the corresponding handling method, and then discards the attack traffic.
The invention can be used to realise access control, message filtering, network attack prevention, traffic limiting and related functions for the container applications deployed on one host. Because the firewall is deployed as a container, the deployment is lightweight, it does not consume excessive host resources, and the maintenance cost is low; at the same time the network topology of the existing container services does not need to be changed, so deployment is simple.
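An added Python illustration (not the patent's own code) of steps s4 and s7 to s14: it parses a constructed `iptables -t nat -S DOCKER` dump into the per-container port-mapping record, and gates a process's access to network data on the security mark. The PIDs, the chain dump and the use of an HMAC tag as the security mark are assumptions made for the example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed sample of `iptables -t nat -S DOCKER` output on a Docker host;
# the DNAT rules are the port mappings the firewall synchronises in step s4.
NAT_DOCKER_CHAIN = """\
-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
-A DOCKER ! -i docker0 -p udp -m udp --dport 5353 -j DNAT --to-destination 172.17.0.2:5353
"""

DNAT_RE = re.compile(
    r"-A DOCKER .*?-p (?P<proto>tcp|udp) .*?--dport (?P<ext>\d+) "
    r"-j DNAT --to-destination (?P<ip>[\d.]+):(?P<cport>\d+)$"
)


def sync_port_mappings(chain_dump):
    """s4: build container IP -> [(proto, externally exposed host port, container port)]."""
    table = {}
    for line in chain_dump.splitlines():
        m = DNAT_RE.match(line.strip())
        if m:
            table.setdefault(m["ip"], []).append(
                (m["proto"], int(m["ext"]), int(m["cport"]))
            )
    return table


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    mark: bytes = b""   # s8: empty until the firewall has filtered and marked the packet


class ContainerFirewall:
    """Holds the s4 mapping table, the s7 PID record and the key used for s8 marking."""

    def __init__(self, firewall_pid, container_pids, chain_dump, mark_key):
        self.firewall_pid = firewall_pid
        self.container_pids = set(container_pids)        # s7: PIDs of running containers
        self.mappings = sync_port_mappings(chain_dump)    # s4
        self._key = mark_key   # assumption: an HMAC key held only by the firewall

    def _tag(self, pkt):
        flow = f"{pkt.proto}|{pkt.src_ip}:{pkt.src_port}>{pkt.dst_ip}:{pkt.dst_port}"
        return hmac.new(self._key, flow.encode(), hashlib.sha256).digest()

    def mark(self, pkt):
        """s8: attach the security mark to a packet that passed filtering."""
        pkt.mark = self._tag(pkt)
        return pkt

    def has_valid_mark(self, pkt):
        return bool(pkt.mark) and hmac.compare_digest(pkt.mark, self._tag(pkt))

    def decide(self, requester_pid, pkt):
        """s9-s14: return "grant" or "deny" for a process requesting this network data."""
        non_firewall_container = (
            requester_pid in self.container_pids and requester_pid != self.firewall_pid
        )
        if not non_firewall_container:
            return "grant"                    # s11: host processes and the firewall itself
        return "grant" if self.has_valid_mark(pkt) else "deny"   # s13 / s14
```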
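The screening of container-bound packets and the rule-based filtering described in the two paragraphs above, as an added Python illustration that is not part of the patent: the s4 mapping record, the host address, the shape of an administrator rule and the verdict names are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

HOST_IP = "198.51.100.10"   # assumption: the address on which the host exposes container ports

# Constructed s4 record: container IP -> [(proto, externally exposed host port, container port)]
MAPPINGS = {
    "172.17.0.2": [("tcp", 8080, 80)],
    "172.17.0.3": [("tcp", 5432, 5432)],
}


@dataclass
class Rule:
    """Administrator-set parameters for one container (shape assumed; the patent keeps them in config files)."""
    allow_src: list = field(default_factory=lambda: ["0.0.0.0/0"])  # IP access control
    deny_src: list = field(default_factory=list)
    max_per_window: int = 0       # flow limit in packets per window; 0 means unlimited
    window_secs: float = 1.0


def owner_container(proto, src, dst):
    """Screening: match the packet's source or destination IP:port against the exposed host ports."""
    for cip, maps in MAPPINGS.items():
        for p, ext_port, _ in maps:
            if p == proto and (HOST_IP, ext_port) in (src, dst):
                return cip
    return None


class RuleEngine:
    def __init__(self, rules):
        self.rules = rules                 # container IP -> Rule
        self.stats = defaultdict(int)      # (container, remote address, verdict) -> packet count
        self.log = []                      # one record per screened packet
        self._window = {}                  # container -> [window start, packets seen in window]

    def _ip_allowed(self, rule, remote):
        ip = ip_address(remote)
        if any(ip in ip_network(n) for n in rule.deny_src):
            return False
        return any(ip in ip_network(n) for n in rule.allow_src)

    def _within_limit(self, cip, rule, now):
        if rule.max_per_window == 0:
            return True
        start, seen = self._window.get(cip, (now, 0))
        if now - start >= rule.window_secs:
            start, seen = now, 0           # new window
        self._window[cip] = [start, seen + 1]
        return seen + 1 <= rule.max_per_window

    def process(self, proto, src, dst, now=0.0):
        """Verdict for one packet seen at the host: pass, forward, or drop with a reason."""
        cip = owner_container(proto, src, dst)
        if cip is None:
            return "pass"                  # not container traffic; left to the host
        rule = self.rules.get(cip, Rule())
        remote = src[0] if dst[0] == HOST_IP else dst[0]
        if not self._ip_allowed(rule, remote):
            verdict = "drop:ip-denied"
        elif not self._within_limit(cip, rule, now):
            verdict = "drop:rate-limited"
        else:
            verdict = "forward"
        self.stats[(cip, remote, verdict)] += 1
        self.log.append((now, cip, proto, src, dst, verdict))
        return verdict
```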
Drawings
FIG. 1 is a diagram illustrating the container firewall system deployment method of the present invention;
FIG. 2 is a schematic flow chart of an implementation of the container firewall system deployment method of the present invention.
Detailed Description
For a better understanding of the present invention, reference is made to the following detailed description taken in conjunction with the accompanying drawings.
As shown in FIG. 1 and FIG. 2, the present invention provides a method for deploying a container firewall system. The method comprises steps s1 to s14 as set out in the Disclosure of Invention above, together with the screening of packets entering the host, the rule-based filtering, statistics and logging, and the network attack prevention mode described there.
The invention can be used to realise access control, message filtering, network attack prevention, traffic limiting and related functions for the container applications deployed on one host. Because the firewall is deployed as a container, the deployment is lightweight, it does not consume excessive host resources, and the maintenance cost is low; at the same time the network topology of the existing container services does not need to be changed, so deployment is simple. To address the security risks of existing container network applications, the invention deploys the firewall as a container and uses the lightweight nature of container applications to screen and obtain network data directly from the host's network protocol stack, without consuming excessive resources or changing the network topology of the existing container applications, and so provides access control, message filtering, network attack prevention, traffic limiting and other protection for container applications. At the same time, to prevent a container application from bypassing the firewall and obtaining network data illegitimately, the network message data is security-marked, which ensures the effectiveness and stability of the container firewall.
The above description covers only the preferred embodiment of the present invention; the scope of the invention is not limited to it, and any technical solution and inventive concept that a person skilled in the art can derive within the technical scope of the present invention falls within that scope.

Claims (7)

1. A container firewall system deployment method, characterised by comprising the following steps:
s1, package the firewall as a container to form a firewall container image;
s2, start the packaged firewall container image on the host with its network mode set to host mode, so that the container firewall fully shares the host's network protocol stack and has full access to the host's network interfaces, and start it with the privileged option so that it is allowed to configure the host's networking;
s3, set the network mode of every non-firewall container to bridge mode and do not give those containers the privileged option;
s4, the container firewall monitors the container chain of the host's NAT table and synchronises its port-mapping data in real time, keeping for each container a record of the container's externally exposed port together with the corresponding IP address and port inside the container;
s5, the container firewall obtains the names of the running container images through the container interface; the administrator sets the access rules for each container through the web management interface, and the rule parameters are stored in the corresponding configuration files;
s6, the access rules set by the administrator are applied to the container: the container firewall generates a corresponding message filtering function from the parameters in the configuration file and uses it to filter the network packets entering the host;
s7, after the firewall has started, record the process IDs of all running container images on the host;
s8, the container firewall filters all network packets entering the host and then applies a security mark to every network message that has passed its filtering;
s9, a process requests to obtain network data;
s10, determine whether the requesting process is a container process other than the container firewall; if so, go to step s12, otherwise go to step s11;
s11, grant the process's request;
s12, determine whether the network data requested by the process carries the security mark; if so, go to step s13, otherwise go to step s14;
s13, grant the process's request;
s14, reject the process's request.
2. The container firewall system deployment method according to claim 1, wherein the container firewall screens the network packets entering the host, returns the secure network data to the host's network layer and then forwards it to the corresponding container; the screening comprises filtering the traffic that comes from or is destined for a container, and handling a message whose source IP address and port, or destination IP address and port, match the recorded externally exposed IP address and port of a running container according to the matched container's externally exposed host port, so as to obtain the screened message traffic.
3. The container firewall system deployment method according to claim 2, wherein the administrator sets the rules for traffic limiting, IP access control and network attack prevention through the web management interface.
4. The container firewall system deployment method according to claim 3, wherein the container firewall generates the corresponding message filtering function from the parameters in the relevant configuration file according to the access rules set by the administrator.
5. The container firewall system deployment method according to claim 4, wherein the screened message traffic is filtered by the corresponding message filtering function, traffic that does not conform to the rules is discarded, and traffic that conforms to the rules is analysed in the next step.
6. The container firewall system deployment method according to claim 5, wherein detailed classified statistics and log records are kept per address for traffic that conforms to the rules, and for the traffic of a container image that the administrator has rate-limited, excess message traffic is discarded or forwarded according to the limit rule.
7. The container firewall system deployment method according to any one of claims 1 to 6, wherein in the network attack prevention mode the container firewall performs access traffic statistics, behaviour analysis, log recording and network attack detection for each container, applies the corresponding handling method, and then discards the attack traffic.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201611154896 2016-12-14
CN2016111548964 2016-12-14

Publications (2)

Publication Number Publication Date
CN107864062A CN107864062A (en) 2018-03-30
CN107864062B true CN107864062B (en) 2021-02-09

Family

ID=61705936

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711317697.5A Active CN107864062B (en) 2016-12-14 2017-12-12 Container firewall system deployment method

Country Status (1)

Country Link
CN (1) CN107864062B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant