CN107864166A - Cloud data security protection method and device - Google Patents


Info

Publication number
CN107864166A
Authority
CN
China
Legal status
Pending
Application number
CN201711450369.2A
Other languages
Chinese (zh)
Inventor
牛宇斌
梁鑫
张鹏飞
Current Assignee
Beijing Xinghe World Group Co Ltd
Beijing Xinghe Nebula Information Technology Co Ltd
Original Assignee
Beijing Xinghe World Group Co Ltd
Beijing Xinghe Nebula Information Technology Co Ltd
Application filed by Beijing Xinghe World Group Co Ltd and Beijing Xinghe Nebula Information Technology Co Ltd
Priority to CN201711450369.2A
Publication of CN107864166A
Legal status: Pending


Classifications

    • H Electricity
    • H04 Electric communication technique
    • H04L Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0263 Rule management
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Abstract

A cloud data security service method and apparatus. A security service device obtains a security protection request sent by a tenant; the request includes identification information of the tenant. According to the request, the security service device sends a configuration instruction to a layer-3 network device; the instruction includes the tenant's network segment (subnet) address and instructs the layer-3 network device to send the tenant's traffic to a security protection device. The apparatus includes a security service device and a security protection device, the latter attached in bypass (off-path) mode to the layer-3 network device. The security service device configures both the security protection device and the layer-3 network device, so that the layer-3 network device, on receiving traffic for the specified network segment address, sends it to the security protection device, and the security protection device filters the received traffic of that address and sends the filtered traffic back to the layer-3 network device.

Description

Cloud data security protection method and device
Technical field
The application relates to the technical field of network security protection, and in particular to a cloud data security protection method and apparatus.
Background technology
A cloud server is a computing service whose processing capacity can be scaled elastically. A private cloud server is one that only certain users are allowed to access; a public cloud server is one that all users may access (sometimes only after meeting certain conditions). As cloud services have developed, users' requirements for network security protection have grown. If the cloud server cannot recognise a particular virus, the terminal receives no protection and may lose important data, causing loss to the user. How to further improve terminal security is therefore a pressing problem.
In the network security scenario, a private cloud provides security services by deploying network function virtualization (NFV) on the layer-3 routing device so as to filter user traffic. NFV deploys a corresponding software appliance on the layer-3 routing device, which then filters all traffic passing through that device. Although the security functions that NFV currently provides are flexible enough to meet demand, they cannot satisfy the performance required for virus filtering, nor the need for per-user (personalised) filtering.
The content of the invention
To solve the above technical problem, the specific embodiments of the application provide a cloud data security protection method and apparatus, so that security protection can be applied flexibly to different tenants according to each tenant's demand in the cloud service, ensuring the network security of tenant traffic.
The application is realised as follows:
In a first aspect, the specific embodiments of the application provide a cloud data security service method, which includes:
the security service device obtains a security protection request sent by a tenant, the request including identification information of the tenant;
the security service device determines the network segment address of the tenant from the identification information included in the security protection request;
the security service device sends a configuration instruction to the layer-3 network device according to the security protection request; the configuration instruction includes the tenant's network segment address and instructs the layer-3 network device to send the traffic of that network segment address to the security protection device.
In a possible design, the method further includes:
the security service device sends a configuration instruction to the security protection device according to the security protection request; the configuration instruction includes the specified network segment address and instructs the security protection device to send the traffic of that address to the layer-3 network device after filtering it.
In a possible design, before the security service device obtains the security protection request sent by the tenant, the method further includes:
the security service device sends a first data forwarding configuration instruction to the layer-3 network device; this instruction includes the identifier of the security protection device and instructs the layer-3 network device to send the traffic of the specified network segment address to the security protection device and to receive the traffic sent back by that security protection device.
In a possible design, the first data forwarding configuration instruction further includes verification information, which is used so that the layer-3 network device executes the first data forwarding configuration instruction only when it determines that the verification information corresponds to the layer-3 network device.
In a possible design, before the security service device obtains the security protection request sent by the tenant, the method further includes:
the security service device sends a second data forwarding configuration instruction to the security protection device; this instruction includes the identifier of the layer-3 network device and the interface through which packets are sent to the layer-3 network device, and instructs the security protection device to send the filtered traffic through the specified interface number to the layer-3 network device at the specified address.
In a second aspect, the specific embodiments of the application provide a cloud data security protection method, which includes:
the security protection device obtains a configuration instruction sent by the security service device, the configuration instruction including a specified network segment address;
the security protection device filters the traffic of the specified network segment address according to the configuration instruction;
the security protection device sends the filtered traffic to the layer-3 network device according to the configuration instruction.
In a possible design, before the security protection device obtains the configuration instruction sent by the security service device, the method further includes:
the security protection device obtains a second data forwarding configuration instruction, which includes the identifier of the layer-3 network device, the interface on which traffic sent by the layer-3 network device is received, and the interface through which packets are sent to the layer-3 network device;
the security protection device executes the second data forwarding configuration instruction; executing it includes filtering the traffic of the specified network segment address and sending the filtered traffic to the layer-3 network device through that interface.
In a possible design, before the security protection device executes the second data forwarding configuration instruction, the method further includes:
the security protection device configures a corresponding username and password for the tenant, so that the tenant can log in to the security protection device with that username and password and configure the filtering rules that the security protection device applies to the traffic of the tenant's network segment address;
the security protection device filtering the traffic of the specified network segment address according to the configuration instruction then specifically includes: filtering the traffic according to the filtering rules configured by the tenant to whom the network segment address contained in the traffic belongs.
In a third aspect, the specific embodiments of the application provide a cloud data security service apparatus, including:
an acquiring unit, for obtaining the security protection request sent by a tenant, the request including identification information of the tenant;
a processing unit, for determining the network segment address of the tenant from the identification information included in the security protection request;
a transmitting unit, for sending a configuration instruction to the layer-3 network device according to the security protection request; the configuration instruction includes the tenant's network segment address and instructs the layer-3 network device to send the traffic of that network segment address to the security protection device.
In a possible design, the transmitting unit further sends a configuration instruction to the security protection device according to the security protection request; the configuration instruction includes the specified network segment address and instructs the security protection device to send the traffic of that address to the layer-3 network device after filtering it.
In a possible design, before the acquiring unit obtains the security protection request sent by the tenant, the apparatus further includes:
the transmitting unit, for sending a first data forwarding configuration instruction to the layer-3 network device; this instruction includes the identifier of the security protection device and instructs the layer-3 network device to send the traffic of the specified network segment address to the security protection device and to receive the traffic sent back by that security protection device.
In a possible design, the first data forwarding configuration instruction sent by the transmitting unit to the layer-3 network device further includes verification information, which is used so that the layer-3 network device executes the first data forwarding configuration instruction only when it determines that the verification information corresponds to the layer-3 network device.
In a possible design, before the acquiring unit obtains the security protection request sent by the tenant, the apparatus further includes:
the transmitting unit, for sending a second data forwarding configuration instruction to the security protection device; this instruction includes the identifier of the layer-3 network device and the interface through which packets are sent to the layer-3 network device, and instructs the security protection device to send the filtered traffic through the specified interface number to the layer-3 network device at the specified address.
In a fourth aspect, the specific embodiments of the application provide a cloud data security protection apparatus, including:
an acquiring unit, for obtaining the configuration instruction sent by the security service device, the configuration instruction including a specified network segment address;
a processing unit, for filtering the traffic of the specified network segment address according to the configuration instruction;
a transmitting unit, for sending the filtered traffic to the layer-3 network device according to the configuration instruction.
In a possible design, before the acquiring unit obtains the configuration instruction sent by the security service device, the apparatus further includes:
the acquiring unit, for obtaining a second data forwarding configuration instruction, which includes the identifier of the layer-3 network device, the interface on which traffic sent by the layer-3 network device is received, and the interface through which packets are sent to the layer-3 network device;
the processing unit, for executing the second data forwarding configuration instruction, which includes filtering the traffic of the specified network segment address and sending the filtered traffic to the layer-3 network device through that interface.
In a possible design, before the processing unit executes the second data forwarding configuration instruction, the apparatus further includes:
the processing unit, for configuring a corresponding username and password for the tenant, so that the tenant can log in to the security protection device with that username and password and configure the filtering rules that the security protection device applies to the traffic of the tenant's network segment address;
the processing unit, for filtering the traffic of the specified network segment address according to the configuration instruction, which specifically includes: filtering the traffic according to the filtering rules configured by the tenant to whom the network segment address contained in the traffic belongs.
In a fifth aspect, the embodiments of the application provide a cloud data security service apparatus including a processor and a memory; the memory stores operating instructions that the processor can execute, and the processor reads those instructions from the memory to implement the method of the first aspect or any of its possible designs.
In a sixth aspect, the embodiments of the application provide a computer-readable storage medium including instructions which, when run on a computer, cause the computer to perform the method of the first aspect or any of its possible designs.
In a seventh aspect, the embodiments of the application provide a private cloud security protection apparatus including a processor and a memory; the memory stores operating instructions that the processor can execute, and the processor reads those instructions from the memory to implement the method of the second aspect or any of its possible designs.
In an eighth aspect, the embodiments of the application provide a computer-readable storage medium including instructions which, when run on a computer, cause the computer to perform the method of the second aspect or any of its possible designs.
In a ninth aspect, the embodiments of the application provide a private cloud security protection system, including a security service device and a security protection device;
the security service device is used to perform the method of the first aspect or any of its possible designs;
the security protection device is used to perform the method of the second aspect or any of its possible designs.
The specific embodiments of the application thus provide a cloud data security protection method and apparatus including a security service device and a security protection device, the latter attached in bypass mode to the layer-3 network device. The security service device configures the security protection device and the layer-3 network device, so that the layer-3 network device sends traffic of the specified network segment address to the security protection device when it receives such traffic, and the security protection device filters the received traffic of that address and sends the filtered traffic back to the layer-3 network device.
Brief description of the drawings
The drawings described here are provided for further understanding of the application and form part of it; the schematic embodiments of the application and their description explain the application and do not limit it improperly. In the drawings:
Fig. 1 is a virtualized cloud service network connection system provided by a specific embodiment of the application;
Fig. 2 is a flow chart of the configuration of the layer-3 network device and the security protection device by the security service device, provided by a specific embodiment of the application;
Fig. 3 is a virtualized network security service method provided by a specific embodiment of the application;
Fig. 4 is a cloud data security service apparatus provided by a specific embodiment of the application;
Fig. 5 is a cloud data security protection apparatus provided by a specific embodiment of the application;
Fig. 6 is a schematic structural diagram of a security service device provided by an embodiment of the application;
Fig. 7 is a schematic structural diagram of a security protection device provided by an embodiment of the application.
Embodiment
To make the purpose, technical solution and advantages of the application clearer, the technical solution is described clearly and completely below with reference to the specific embodiments of the application and the corresponding drawings. Obviously, the described embodiments are only some of the embodiments of the application, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments in the application without creative work fall within the scope of protection of the application.
The technical solutions provided by the embodiments of the application are described in detail below with reference to the drawings.
The specific embodiments of the application are used to provide security protection for each tenant in a cloud service. The protection itself depends on the specific protection means used by the security protection device; the application places no limit on how the security protection device performs protection. The cloud service includes a public cloud or a private cloud. The specific embodiments of the application take a private cloud as the example, but the method and apparatus in the embodiments can also be used in a public cloud.
Fig. 1 shows a virtualized private cloud network connection system provided by a specific embodiment of the application. As shown in Fig. 1, it includes a compute node and a layer-3 network device; the compute node shown is the virtualized private cloud. In the specific implementation of the application, the layer-3 network device may be a network switch, and the security protection device may be a web application firewall (WAF).
The compute node may include multiple virtual machines and an administrator who manages them. A virtual machine is a complete computer system, partitioned by the administrator within the compute node, that has full hardware system functions and runs in a completely isolated environment. The administrator can create one or more virtual machines for a tenant as required and assign them to that tenant.
After the administrator creates a tenant, a tenant network must also be created for that tenant. A tenant network corresponds one-to-one with a VLAN of the physical network, so the VLAN ID must be specified when the network is created. The compute node also includes a virtual bridge, through which the packets of the different tenants are forwarded. In addition, a gateway must be created for the tenant network on the layer-3 network device. Traffic from virtual machines in the tenant network is forwarded to the layer-3 network device by VLAN ID, and the layer-3 network device implements the final layer-3 routing.
Creating a tenant network for a tenant therefore also includes creating a corresponding gateway for each tenant on the layer-3 network device. When traffic for a tenant reaches the layer-3 network device, it is forwarded through the gateway corresponding to that tenant to the virtual bridge of the compute node, and the virtual bridge forwards it to the specific tenant. When a tenant sends traffic, it passes through the physical bridge, tagged with the VLAN ID, to the layer-3 network device, which forwards it to the destination address through the virtual gateway corresponding to that VLAN ID.
The specific implementation of the application further includes a security protection device and a security service device. The security service device performs security protection configuration for tenant traffic, so that the layer-3 network device forwards the traffic of the specified tenant to the security protection device, which filters it. The security protection device then sends the filtered traffic back to the layer-3 network device.
In the specific embodiments of the application, the method by which the web application firewall filters traffic is the same as in the prior art; the application places no limit on it.
Because the web application firewall is attached in bypass mode beneath the layer-3 network device, the layer-3 network device steers the traffic of a particular tenant into the web application firewall on demand; after cleaning, the traffic is re-injected into the layer-3 network device and forwarded normally. This provides a high-performance firewall service.
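As an added illustration of the bypass arrangement described above and of the steering that S303 describes later (example code written for this page, not code from the application or its assignees), the following Python model has a layer-3 device that steers only protected tenant subnets to an off-path WAF and accepts cleaned traffic back on a dedicated interface, with filtering rules keyed by tenant subnet. The subnets, VLAN IDs, interface names, packets and the single script-tag rule are constructed for the example; the page does not say how the real devices match or filter traffic.

```python
"""Data-plane model of the bypass WAF in Fig. 1: tenant subnets behind a
layer-3 device, one interface to the WAF, cleaned traffic re-injected.
Added example for this page; subnets, VLANs, interface names and packets
are constructed, not taken from the application."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes
    in_iface: str        # interface the layer-3 device received the packet on


class ProtectionDevice:
    """Off-path WAF. Rules are keyed by tenant subnet, so a rule one tenant
    configures for its own subnet can never match another tenant's traffic."""

    def __init__(self):
        self._rules = {}    # ip_network -> list of (rule name, predicate on payload)
        self.seen = 0       # packets steered to the WAF
        self.dropped = []   # (rule name, destination) for each blocked packet

    def set_rules(self, subnet, rules):
        self._rules[ipaddress.ip_network(subnet)] = list(rules)

    def filter(self, pkt):
        """Return the packet if it passes the owning tenant's rules, else None."""
        self.seen += 1
        dst = ipaddress.ip_address(pkt.dst)
        for net, rules in self._rules.items():
            if dst in net:
                for name, matches in rules:
                    if matches(pkt.payload):
                        self.dropped.append((name, pkt.dst))
                        return None
        return pkt


class L3Device:
    """Layer-3 switch with the WAF hung off one interface (bypass mode)."""

    def __init__(self, waf, waf_iface):
        self.waf = waf
        self.waf_iface = waf_iface   # interface reported in S204: cleaned traffic comes back here
        self._vlans = {}             # tenant ip_network -> VLAN ID of its tenant network
        self._protected = set()      # subnets steered through the WAF (S302/S303)
        self.delivered = []          # (VLAN ID, destination) handed to the compute node

    def add_tenant_network(self, subnet, vlan_id):
        self._vlans[ipaddress.ip_network(subnet)] = vlan_id

    def enable_protection(self, subnet):
        self._protected.add(ipaddress.ip_network(subnet))

    def forward(self, pkt):
        """Return the VLAN the packet was delivered to, or None if it was dropped."""
        dst = ipaddress.ip_address(pkt.dst)
        net = next((n for n in self._vlans if dst in n), None)
        if net is None:
            return None                     # no tenant gateway for this address: drop
        # Steer to the WAF only if the subnet is protected AND the packet did not just
        # come back from the WAF. Without the interface test the cleaned packet would
        # match the steering rule again on every return: an infinite redirect loop.
        if net in self._protected and pkt.in_iface != self.waf_iface:
            cleaned = self.waf.filter(pkt)
            if cleaned is None:
                return None
            return self.forward(replace(cleaned, in_iface=self.waf_iface))
        self.delivered.append((self._vlans[net], pkt.dst))
        return self._vlans[net]


def run_demo():
    """Two tenants; only tenant A asked for protection (constructed scenario)."""
    waf = ProtectionDevice()
    sw = L3Device(waf, waf_iface="Ethernet1/48")
    sw.add_tenant_network("10.10.1.0/24", vlan_id=101)    # tenant A
    sw.add_tenant_network("10.10.2.0/24", vlan_id=102)    # tenant B
    sw.enable_protection("10.10.1.0/24")
    block_script = ("no-script-tag", lambda p: b"<script>" in p.lower())
    waf.set_rules("10.10.1.0/24", [block_script])
    waf.set_rules("10.10.2.0/24", [block_script])         # B has rules but is not steered

    uplink = "Ethernet1/1"
    results = {
        "a_clean": sw.forward(Packet("203.0.113.5", "10.10.1.20", b"GET /index.html", uplink)),
        "a_attack": sw.forward(Packet("203.0.113.5", "10.10.1.20", b"q=<SCRIPT>alert(1)</SCRIPT>", uplink)),
        "b_attack": sw.forward(Packet("203.0.113.5", "10.10.2.20", b"q=<script>alert(1)</script>", uplink)),
        "unknown": sw.forward(Packet("203.0.113.5", "10.99.0.1", b"GET /", uplink)),
    }
    results["waf_seen"] = waf.seen
    results["waf_dropped"] = [name for name, _ in waf.dropped]
    return results


if __name__ == "__main__":
    print(run_demo())
```

The `in_iface` test is the practical reason S203 has the layer-3 device determine the interface on which returned traffic arrives: without it the cleaned packet, re-entering on the WAF-facing interface, would match the steering rule again and loop. Keying the rules by subnet rather than by tenant name also means that a rule a tenant sets for its own subnet cannot be applied to traffic destined for another tenant.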
The private cloud network security protection method after virtualization in the application is explained below by way of specific embodiments. The method comprises two parts: configuration of the layer-3 network device and the security protection device by the security service device, and filtering of the specified tenant's traffic from the layer-3 network device by the security protection device.
The configuration of the layer-3 network device and the security protection device by the security service device is first described through a specific flow.
Fig. 2 is a flow chart, provided by a specific embodiment of the application, of the configuration of the layer-3 network device and the security protection device by the security service device. As shown in Fig. 2, the method includes:
S201: the security service device sends a first data forwarding configuration instruction to the layer-3 network device.
When the security service device determines that network security protection is to be enabled for a compute node, it sends the first data forwarding configuration instruction to the layer-3 network device corresponding to that compute node. The instruction instructs the layer-3 network device to send the traffic of the specified network segment address to the security protection device before forwarding it to the tenant of that network segment address, and to receive the traffic of the specified network segment address returned by the security protection device.
In a specific example, the security service device sends the first data forwarding configuration instruction to the layer-3 network device over the NETCONF protocol supported by the layer-3 network device.
The security service device may hold at least one item of verification information, each item corresponding to one compute node. When the security service device determines that network security protection is to be enabled for a compute node, it determines the verification information corresponding to that node from the node's identifier.
Optionally, the verification information may be a public key.
Specifically, the first data forwarding configuration instruction includes the verification information of the layer-3 network device, which the layer-3 network device uses to decide whether to execute the instruction sent by the security service device.
S202: the layer-3 network device determines that the verification information included in the first data forwarding configuration instruction is correct and, according to the instruction, sends the traffic of the specified address to the security protection device and receives the traffic of the specified address sent back.
On receiving the first data forwarding configuration instruction from the security service device, the layer-3 network device verifies the verification information it contains. If the verification fails, the layer-3 network device returns an error message to the security service device, and the security service device stops the network security protection configuration of the layer-3 network device and the security protection device. If the verification succeeds, the layer-3 network device executes the first data forwarding configuration instruction sent by the security service device.
S203: the layer-3 network device determines the interface on which it receives the traffic of the specified address.
After accepting the first data forwarding configuration instruction sent by the security service device, the layer-3 network device must also determine the interface on which it will receive the traffic of the specified address, so that the security protection device returns that traffic to the layer-3 network device through the specified interface.
The layer-3 network device determines this interface according to the NETCONF protocol or other protocols or rules; the application places no limit on this.
S204: the layer-3 network device returns the determined interface for receiving the traffic of the specified address to the security service device.
Having determined the interface on which it receives the traffic of the specified address, the layer-3 network device sends it to the security service device. Sending the determined interface also indicates to the security service device that the network security protection configuration of the layer-3 network device is complete.
S205: the security service device sends a second data forwarding configuration instruction to the security protection device.
When the security service device receives the interface returned by the layer-3 network device, it sends the second data forwarding configuration instruction to the security protection device. This instruction instructs the security protection device to filter the received traffic of the specified network segment address and to send the filtered traffic to the layer-3 network device through the specified interface. The second data forwarding configuration instruction includes the identifier of the layer-3 network device, the interface on which traffic sent by the layer-3 network device is received, and the interface through which packets are sent to that layer-3 network device.
S206: the security protection device filters the received traffic and sends the filtered traffic through the specified interface number to the layer-3 network device at the specified address.
On receiving the second data forwarding configuration instruction from the security service device, the security protection device executes it: it filters the received traffic of the specified network segment address, using the same traffic filtering method as the prior art (the application places no limit on this), and sends the filtered traffic through the interface specified in the instruction to the layer-3 network device identified in the instruction.
S207: return confirmation information.
After completing the configuration, the security protection device sends confirmation that the configuration is complete to the security service device, so that the security service device can determine that the network security protection configuration of the security protection device is complete.
In the specific embodiments of the application, when the security protection device receives the second data forwarding configuration instruction sent by the security service device, it also creates a corresponding authorization for the tenant. This includes creating a username and password for the tenant and granting that user the permission to freely configure protection policies. The confirmation information that the security protection device returns to the security service device also includes the username and password created for the tenant. With that username and password the tenant can access the security protection device directly and configure the corresponding protection policies. When the security protection device filters the traffic of the network segment address corresponding to the tenant, it filters according to the protection policies configured by that user.
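The S201 to S207 exchange above, together with the first and second data forwarding configuration instructions of the first and second aspects, as an added Python model (example code for this page, not the application's own implementation). The security service device drives the flow; the layer-3 device accepts the first instruction only when the verification information matches its own and reports the interface on which cleaned traffic comes back; the security protection device then accepts the second instruction and returns the tenant's credentials in its confirmation. Assumptions not on the page: the verification information is modelled as a public-key fingerprint compared as an opaque string, the tenant identifier travels inside the second instruction, passwords are stored as salted PBKDF2 hashes, and the device names, interface names and subnets are made up.

```python
"""Control-plane model of Fig. 2 (S201-S207). Added example for this page;
device names, interfaces, subnets and the fingerprint scheme are assumptions."""
import hashlib
import hmac
import secrets


class L3Device:
    """Layer-3 network device: executes the first data forwarding configuration
    instruction (S202) only if the verification information matches its own."""

    def __init__(self, name, verify_info, iface_to_waf):
        self.name = name
        self._verify_info = verify_info   # assumption: fingerprint of the service's public key
        self.iface_to_waf = iface_to_waf  # interface the WAF is hung off (bypass)
        self.steering = {}                # protection device id -> subnets steered to it

    def first_forwarding_config(self, instr):
        if not hmac.compare_digest(instr["verify_info"], self._verify_info):
            # S202: wrong verification information -> report an error, change nothing
            return {"status": "error", "reason": "verification information mismatch"}
        self.steering.setdefault(instr["waf_id"], set()).add(instr["subnet"])
        # S203/S204: tell the service which interface cleaned traffic comes back on
        return {"status": "ok", "return_iface": self.iface_to_waf}


class ProtectionDevice:
    """Security protection device (WAF): executes the second data forwarding
    configuration instruction (S206) and creates the tenant's login (S207)."""

    def __init__(self, name):
        self.name = name
        self.forward_to = None   # (layer-3 device id, interface) for cleaned traffic
        self._accounts = {}      # username -> (salt, PBKDF2 hash)

    def second_forwarding_config(self, instr):
        self.forward_to = (instr["l3_device_id"], instr["return_iface"])
        username = f"tenant-{instr['tenant_id']}"
        password = secrets.token_urlsafe(16)
        salt = secrets.token_bytes(16)
        self._accounts[username] = (salt, self._hash(password, salt))
        # S207: the confirmation carries the credentials the tenant uses to set its own rules
        return {"status": "ok", "username": username, "password": password}

    def login(self, username, password):
        if username not in self._accounts:
            return False
        salt, digest = self._accounts[username]
        return hmac.compare_digest(self._hash(password, salt), digest)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SecurityService:
    """Security service device: drives S201-S207 for one compute node."""

    def __init__(self):
        self._nodes = {}   # compute node id -> (L3Device, ProtectionDevice, verification info)

    def register_node(self, node_id, l3, waf, verify_info):
        self._nodes[node_id] = (l3, waf, verify_info)

    def enable_protection(self, node_id, tenant_id, subnet):
        l3, waf, verify_info = self._nodes[node_id]
        reply = l3.first_forwarding_config(                          # S201
            {"verify_info": verify_info, "waf_id": waf.name, "subnet": subnet})
        if reply["status"] != "ok":                                  # S202 failed: stop here
            return {"status": "failed", "stage": "S202", "reason": reply["reason"]}
        ack = waf.second_forwarding_config(                          # S205
            {"l3_device_id": l3.name, "return_iface": reply["return_iface"],
             "subnet": subnet, "tenant_id": tenant_id})
        return {"status": ack["status"], "username": ack["username"], "password": ack["password"]}


def run_demo():
    """Constructed scenario: one node with matching verification info, one with a stale entry."""
    good_key = "SHA256:" + hashlib.sha256(b"service-public-key").hexdigest()[:16]
    svc = SecurityService()
    l3_ok = L3Device("sw-1", good_key, iface_to_waf="Ethernet1/48")
    waf_ok = ProtectionDevice("waf-1")
    svc.register_node("node-1", l3_ok, waf_ok, good_key)
    l3_bad = L3Device("sw-2", good_key, iface_to_waf="Ethernet1/48")
    waf_bad = ProtectionDevice("waf-2")
    svc.register_node("node-2", l3_bad, waf_bad, "SHA256:stale-fingerprint")

    ok = svc.enable_protection("node-1", tenant_id=7, subnet="10.10.7.0/24")
    failed = svc.enable_protection("node-2", tenant_id=8, subnet="10.10.8.0/24")
    return {
        "ok_status": ok["status"],
        "waf_forward_to": waf_ok.forward_to,
        "login_ok": waf_ok.login(ok["username"], ok["password"]),
        "login_wrong": waf_ok.login(ok["username"], "guess"),
        "failed_stage": failed.get("stage"),
        "bad_l3_untouched": l3_bad.steering == {} and waf_bad.forward_to is None,
    }


if __name__ == "__main__":
    print(run_demo())
```

The page leaves the transport and the exact check unspecified. Comparing a static fingerprint, as the model does, only proves that the sender holds the same string; it does not bind the verification information to the instruction body or prevent replay of a captured instruction. In a real deployment the check should rest on the authenticated NETCONF session (NETCONF runs over SSH, which already authenticates the peer) or on a signature over the instruction itself, and the second instruction should not be sent at all when S202 fails, which is why the model stops before touching the protection device.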
The following explains how, in the specific embodiment of this application, the security device filters the traffic of a specified tenant on the three-layer network device.
Fig. 3 shows a virtualized network security service method provided by the specific embodiment of this application. As shown in Fig. 3, the method includes:
S301, the security service device obtains the security protection request sent by the tenant, the security protection request including the identification information of the tenant.
Before the security service device obtains the security service request, the tenant sends a request for security protection to the compute node. The compute node determines the tenant's network segment address according to the security protection request sent by the tenant and, according to that request, sends a security service request to the security service device; the security service request includes the network segment address of the tenant that requests security protection.
S302, the security service device sends a configuration instruction to the three-layer network device according to the security protection request, the configuration instruction including the tenant's network segment address.
The security service device receives the security service request sent by the compute node and, based on that request, determines whether the three-layer network device corresponding to the compute node can perform network security protection.
When the three-layer network device cannot perform network security protection, it returns a request failure to the compute node. When the three-layer network device can perform network security protection, the security service device sends the configuration instruction to the three-layer network device.
S303, the three-layer network device, according to the configuration instruction, sends the traffic destined for the tenant's network segment address to the security protection device before forwarding it to the tenant.
In one example, the three-layer network device includes a network security protection information table that holds multiple tenants and the network segment addresses of those tenants. When the three-layer network device receives the configuration instruction, it adds the new tenant and that tenant's network segment address to the network security protection information table.
After the three-layer network device receives a flow, it judges whether the flow's forwarding address is identical to a network segment address contained in the network security protection information table. When the network segment address of the received flow is identical to a network segment address in the table, the flow is forwarded to the security protection device. When the network segment address of the received flow differs from every network segment address in the table, the flow is sent to the tenant corresponding to that network segment address.
S304, the security protection device filters the received traffic.
The security protection device receives the traffic that the three-layer network device sends to it and filters that traffic. The method by which the security protection device filters traffic is the same as the prior-art traffic filtering method, and this application does not limit it.
S305, the security protection device sends the filtered traffic to the three-layer network device via the specified address.
S306, the three-layer network device sends the filtered traffic to the tenant.
When the three-layer network device receives, through the designated interface, traffic sent by the security protection device, it determines that protection of that traffic is complete and sends the traffic to the tenant corresponding to the network segment address.
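The data-plane behaviour of steps S303 to S306, as an added simulation that is not code from the patent or its assignee: the three-layer network device keeps the network security protection information table, steers traffic for a listed network segment to the security protection device, treats traffic arriving back on the designated interface as already protected, and delivers everything else directly; the security protection device filters according to rules the tenant configured for itself. Flow fields, the "deny destination port" rule form, interface names and addresses are constructed for the example and are not specified by the patent.

```python
"""Data-plane simulation of S303-S306.  Added example, not the patent's code.
Assumed details: a flow is (src, dst, dst_port); tenant rules are sets of
denied destination ports; the return interface is identified by name."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


@dataclass
class SecurityProtectionDevice:
    """Filters steered traffic; each tenant configures its own deny rules (S304)."""
    deny_ports: dict = field(default_factory=dict)  # tenant -> set of denied ports
    dropped: list = field(default_factory=list)

    def configure_rule(self, tenant: str, port: int) -> None:
        """What the tenant does after logging in with its own credentials."""
        self.deny_ports.setdefault(tenant, set()).add(port)

    def filter(self, tenant: str, flow: Flow):
        if flow.dst_port in self.deny_ports.get(tenant, set()):
            self.dropped.append(flow)
            return None  # dropped: nothing is sent back to the three-layer device
        return flow


@dataclass
class ThreeLayerNetworkDevice:
    protection: SecurityProtectionDevice
    return_interface: str  # interface the protection device sends on (second instruction)
    # network security protection information table: tenant -> network segment
    table: dict = field(default_factory=dict)
    delivered: list = field(default_factory=list)

    def apply_configuration(self, tenant: str, segment: str) -> None:
        """Configuration instruction (S302): add the tenant and its segment to the table."""
        self.table[tenant] = ipaddress.ip_network(segment, strict=False)

    def tenant_for(self, dst: str):
        """Look the destination up in the table; None means no protected segment matches."""
        addr = ipaddress.ip_address(dst)
        for tenant, net in self.table.items():
            if addr in net:
                return tenant
        return None

    def receive(self, flow: Flow, ingress: str) -> str:
        tenant = self.tenant_for(flow.dst)
        if tenant is None:
            self.delivered.append(flow)  # no table entry: forward as usual
            return "delivered-unprotected"
        if ingress == self.return_interface:
            # Arrived from the protection device on the designated interface:
            # protection is complete, deliver to the tenant (S306).
            self.delivered.append(flow)
            return f"delivered-to-{tenant}"
        # Otherwise steer it to the protection device first (S303 / S304).
        filtered = self.protection.filter(tenant, flow)
        if filtered is None:
            return "dropped-by-protection"
        # S305: the protection device sends it back through the designated interface.
        return self.receive(filtered, self.return_interface)
```

The ingress-interface check is what keeps the steered traffic from looping: without it, the flow coming back from the protection device would match the table again and be steered a second time.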
Fig. 4 shows a private cloud security service apparatus provided by the specific embodiment of this application. As shown in Fig. 4, the apparatus includes: an acquiring unit 401, a processing unit 402 and a transmitting unit 403.
The acquiring unit 401 is configured to obtain the security protection request sent by the tenant, the security protection request including the identification information of the tenant.
The processing unit 402 is configured to determine the tenant's network segment address according to the identification information of the tenant included in the security protection request.
The transmitting unit 403 is configured to send a configuration instruction to the three-layer network device according to the security protection request, the configuration instruction being used to instruct the three-layer network device to send the traffic of the network segment address to the security protection device, and including the tenant's network segment address.
Optionally, the transmitting unit 403 sends a configuration instruction to the security protection device according to the security protection request, the configuration instruction being used to instruct the security protection device to send the traffic of the specified network segment address to the three-layer network device after filtering, and including the specified network segment address.
Optionally, before the acquiring unit 401 obtains the security protection request sent by the tenant, the transmitting unit 403 is further configured to send a first data forwarding configuration instruction to the three-layer network device. The first data forwarding configuration instruction includes the identifier of the security protection device and is used to instruct the three-layer network device to send the traffic of the specified network segment address to the security protection device and to receive the traffic sent back by the specified security protection device.
Optionally, the first data forwarding configuration instruction that the transmitting unit 403 sends to the three-layer network device also includes verification information; the verification information is used to make the three-layer network device execute the first data forwarding configuration instruction only after determining that the verification information corresponds to that three-layer network device.
Optionally, before the acquiring unit 401 obtains the security protection request sent by the tenant, the transmitting unit 403 is further configured to send a second data forwarding configuration instruction to the security protection device. The second data forwarding configuration instruction includes the identifier of the three-layer network device and the interface for sending messages to the three-layer network device, and is used to instruct the security protection device to send the filtered traffic through the specified interface number to the three-layer network device at the specified address.
Of course, the private cloud security service apparatus described above and the acquiring unit 401, processing unit 402 and transmitting unit 403 it includes are only a limitation of the specific embodiment of this application; the apparatus shown and its units 401, 402 and 403 can also perform any of the methods performed by the security service device in Fig. 2 and Fig. 3.
Fig. 5 shows a private cloud security protection apparatus provided by the specific embodiment of this application. As shown in Fig. 5, the apparatus includes: an acquiring unit 501, a processing unit 502 and a transmitting unit 503.
The acquiring unit 501 is configured to obtain the configuration instruction sent by the security service device, the configuration instruction including the specified network segment address.
The processing unit 502 is configured to filter the traffic of the specified network segment address according to the configuration instruction.
The transmitting unit 503 is configured to send the filtered traffic to the three-layer network device according to the configuration instruction.
Optionally, before the acquiring unit 501 obtains the configuration instruction sent by the security service device, the acquiring unit 501 is further configured to obtain a second data forwarding configuration instruction, which includes the identifier of the three-layer network device, the interface on which the traffic sent by the three-layer network device is received, and the interface through which messages are sent to the three-layer network device. The processing unit 502 is configured to execute the second data forwarding configuration instruction; executing it includes filtering the traffic of the specified network segment address and sending the filtered traffic to the three-layer network device through that interface.
Optionally, before the acquiring unit obtains the traffic forwarded by the three-layer network device, the processing unit 502 is further configured to configure a corresponding username and password for the tenant, so that the tenant can log in to the security protection device with that username and password and configure the filtering rules that the security protection device applies when filtering the traffic of the tenant's network segment address. Filtering of the traffic of the specified network segment address by the processing unit 502 according to the configuration instruction then specifically includes: filtering the traffic according to the filtering rules configured by the tenant corresponding to the network segment address that the traffic contains.
Fig. 6 is a schematic structural diagram of a security service device provided by an embodiment of this application.
As shown in Fig. 6, the security service device includes: a processor 601, a memory 602 and a communication interface 603.
The processor 601 may be a general-purpose central processing unit (CPU), a microprocessor, an application specific integrated circuit (ASIC), or one or more integrated circuits, for executing the relevant programs so as to realize the technical solution provided by the foregoing method embodiment of the invention.
The memory 602 may be a read-only memory (ROM), a static storage device, a dynamic storage device or a random access memory (RAM). The memory 602 may store application programs. When the technical solution provided in the embodiment of the invention is realized by software or firmware, the program code for realizing any optional technical solution provided by the foregoing method embodiment of the invention is stored in the memory 602 and executed by the processor 601.
The communication interface 603 communicates with the security protection device, the compute node and the three-layer network device.
Specifically, the communication interface 603 obtains the security protection request sent by the tenant, the security protection request including the tenant's identification information; the processor 601 determines the tenant's network segment address according to the identification information of the tenant included in the security protection request; and the communication interface 603 sends a configuration instruction to the three-layer network device according to the security protection request, the configuration instruction being used to instruct the three-layer network device to send the traffic of the network segment address to the security protection device, and including the tenant's network segment address.
The communication interface 603 sends a configuration instruction to the security protection device according to the security protection request, the configuration instruction being used to instruct the security protection device to send the traffic of the specified network segment address to the three-layer network device after filtering, and including the specified network segment address.
Before the communication interface 603 obtains the security protection request sent by the tenant, the communication interface 603 sends a first data forwarding configuration instruction to the three-layer network device. The first data forwarding configuration instruction includes the identifier of the security protection device and is used to instruct the three-layer network device to send the traffic of the specified network segment address to the security protection device and to receive the traffic sent back by the specified security protection device.
The first data forwarding configuration instruction also includes verification information, which is used to make the three-layer network device execute the first data forwarding configuration instruction only after determining that the verification information corresponds to that three-layer network device.
Before the communication interface 603 obtains the security protection request sent by the tenant, the communication interface 603 sends a second data forwarding configuration instruction to the security protection device. The second data forwarding configuration instruction includes the identifier of the three-layer network device and the interface for sending messages to the three-layer network device, and is used to instruct the security protection device to send the filtered traffic through the specified interface number to the three-layer network device at the specified address.
Fig. 7 is a schematic structural diagram of a security protection device provided by an embodiment of this application.
As shown in Fig. 7, the security protection device includes a processor 701, a memory 702 and a communication interface 703.
The processor 701 may be a general-purpose central processing unit (CPU), a microprocessor, an application specific integrated circuit (ASIC), or one or more integrated circuits, for executing the relevant programs so as to realize the technical solution provided by the foregoing method embodiment of the invention.
The memory 702 may be a read-only memory (ROM), a static storage device, a dynamic storage device or a random access memory (RAM). The memory 702 may store application programs. When the technical solution provided in the embodiment of the invention is realized by software or firmware, the program code for realizing any optional technical solution provided by the foregoing method embodiment of the invention is stored in the memory 702 and executed by the processor 701.
The communication interface 703 communicates with the security service device, the compute node and the three-layer network device.
The communication interface 703 obtains the configuration instruction sent by the security service device, the configuration instruction including the specified network segment address.
The processor 701 filters the traffic of the specified network segment address according to the configuration instruction.
The communication interface 703 sends the filtered traffic to the three-layer network device according to the configuration instruction.
Optionally, before the communication interface 703 obtains the configuration instruction sent by the security service device, the communication interface 703 also obtains a second data forwarding configuration instruction, which includes the identifier of the three-layer network device, the interface on which the traffic sent by the three-layer network device is received, and the interface through which messages are sent to the three-layer network device. The processor 701 executes the second data forwarding configuration instruction; executing it includes filtering the traffic of the specified network segment address and sending the filtered traffic to the three-layer network device through that interface.
Optionally, before the processor 701 executes the second data forwarding configuration instruction, it also configures a corresponding username and password for the tenant, so that the tenant can log in to the security protection device with that username and password and configure the filtering rules that the security protection device applies when filtering the traffic of the tenant's network segment address. Filtering of the traffic of the specified network segment address by the processor 701 according to the configuration instruction then specifically includes: filtering the traffic according to the filtering rules configured by the tenant corresponding to the network segment address that the traffic contains.
The specific embodiment of this application provides a computer-readable storage medium storing one or more programs, the one or more programs including instructions which, when executed by an electronic device that includes multiple application programs, cause the electronic device to perform the method flows shown in Fig. 2 to Fig. 3.
The specific embodiment of this application also proposes a computer program product which can be run on a routing device. When the computer program product runs on the routing device, it causes the routing device to perform any of the flows of Fig. 2 to Fig. 3.
It should be noted that the embodiments provided by this application are optional embodiments introduced by this application; those skilled in the art can design further embodiments on this basis, which are not repeated here.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of each example described with reference to the embodiments disclosed herein can be realized by electronic hardware, or by a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to realize the described functions for each specific application, but such realization should not be considered to go beyond the scope of this application.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided by this application, it should be understood that the disclosed systems, apparatuses and methods may be realized in other ways. For example, the apparatus embodiments described above are only schematic; the division of units is only a division by logical function, and other divisions are possible in actual implementation: for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. Further, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or of other forms. Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment's solution.
In addition, the functional units in each embodiment of this application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. If the functions are realized in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) or a processor to perform all or part of the steps of the methods of the embodiments of this application. The foregoing storage medium includes: a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
The above is only an embodiment of this application, and the protection scope of this application is not limited thereto. Any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by this application should be covered by the protection scope of this application. Therefore, the protection scope of this application should be defined by the scope of the claims.

Claims (10)

1. A cloud data security service method, characterized in that the method includes:
the security service device obtains a security protection request sent by a tenant, the security protection request including identification information of the tenant;
the security service device determines the network segment address of the tenant according to the identification information of the tenant included in the security protection request;
the security service device sends a configuration instruction to a three-layer network device according to the security protection request, the configuration instruction being used to instruct the three-layer network device to send the traffic of the network segment address to a security protection device, the configuration instruction including the network segment address of the tenant.
2. The method according to claim 1, characterized in that the method further includes:
the security service device sends a configuration instruction to the security protection device according to the security protection request, the configuration instruction being used to instruct the security protection device to send the traffic of a specified network segment address to the three-layer network device after filtering, the configuration instruction including the specified network segment address.
3. The method according to claim 1, characterized in that, before the security service device obtains the security protection request sent by the tenant, the method further includes:
the security service device sends a first data forwarding configuration instruction to the three-layer network device, the first data forwarding configuration instruction including the identifier of the security protection device and being used to instruct the three-layer network device to send the traffic of the specified network segment address to the security protection device and to receive the traffic sent by the specified security protection device.
4. The method according to any one of claims 1 to 3, characterized in that, before the security service device obtains the security protection request sent by the tenant, the method further includes:
the security service device sends a second data forwarding configuration instruction to the security protection device, the second data forwarding configuration instruction including the identifier of the three-layer network device and the interface for sending messages to the three-layer network device, and being used to instruct the security protection device to send the filtered traffic through the specified interface number to the specified three-layer network device.
5. A cloud data security protection method, characterized in that the method includes:
the security protection device obtains a configuration instruction sent by the security service device, the configuration instruction including the specified network segment address;
the security protection device filters the traffic of the specified network segment address according to the configuration instruction;
the security protection device sends the filtered traffic to the three-layer network device according to the configuration instruction.
6. The method according to claim 5, characterized in that, before the security protection device obtains the configuration instruction sent by the security service device, the method further includes:
the security protection device obtains a second data forwarding configuration instruction, the second data forwarding configuration instruction including the identifier of the three-layer network device, the interface on which the traffic sent by the three-layer network device is received, and the interface through which messages are sent to the three-layer network device;
the security protection device executes the second data forwarding configuration instruction, the execution of the second data forwarding configuration instruction by the security protection device including filtering the traffic of the specified network segment address and sending the filtered traffic to the three-layer network device through the interface.
7. A cloud data security service apparatus, characterized in that it includes:
an acquiring unit, configured to obtain a security protection request sent by a tenant, the security protection request including identification information of the tenant;
a processing unit, configured to determine the network segment address of the tenant according to the identification information of the tenant included in the security protection request;
a transmitting unit, configured to send a configuration instruction to a three-layer network device according to the security protection request, the configuration instruction being used to instruct the three-layer network device to send the traffic of the network segment address to a security protection device, the configuration instruction including the network segment address of the tenant.
8. The apparatus according to claim 7, characterized in that, before the acquiring unit obtains the security protection request sent by the tenant, the apparatus further includes:
a transmitting unit, configured to send a first data forwarding configuration instruction to the three-layer network device, the first data forwarding configuration instruction including the identifier of the security protection device and being used to instruct the three-layer network device to send the traffic of the specified network segment address to the security protection device and to receive the traffic sent by the specified security protection device.
9. A cloud data security protection apparatus, characterized in that it includes:
an acquiring unit, configured to obtain the configuration instruction sent by the security service device, the configuration instruction including the specified network segment address;
a processing unit, configured to filter the traffic of the specified network segment address according to the configuration instruction;
a transmitting unit, configured to send the filtered traffic to the three-layer network device according to the configuration instruction.
10. The apparatus according to claim 9, characterized in that, before the acquiring unit obtains the configuration instruction sent by the security service device, the apparatus further includes:
an acquiring unit, configured to obtain a second data forwarding configuration instruction, the second data forwarding configuration instruction including the identifier of the three-layer network device, the interface on which the traffic sent by the three-layer network device is received, and the interface through which messages are sent to the three-layer network device;
a processing unit, configured to execute the second data forwarding configuration instruction, the execution of the second data forwarding configuration instruction including filtering the traffic of the specified network segment address and sending the filtered traffic to the three-layer network device through the interface.
CN201711450369.2A 2017-12-27 2017-12-27 Cloud data security protection method and device Pending CN107864166A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711450369.2A CN107864166A (en) 2017-12-27 2017-12-27 Cloud data security protection method and device


Publications (1)

Publication Number Publication Date
CN107864166A true CN107864166A (en) 2018-03-30

Family

ID=61707483

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711450369.2A Pending CN107864166A (en) 2017-12-27 2017-12-27 Cloud data security protection method and device

Country Status (1)

Country Link
CN (1) CN107864166A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030123456A1 (en) * 2001-12-28 2003-07-03 Denz Peter R. Methods and system for data packet filtering using tree-like hierarchy
CN101095114A (en) * 2004-12-29 2007-12-26 诺基亚公司 Limiting traffic in communications systems
CN103152227A (en) * 2013-03-26 2013-06-12 北京启明星辰信息技术股份有限公司 Integrated real-time detection system and detection method coping with network threats and attacks
CN103166869A (en) * 2013-03-12 2013-06-19 华为技术有限公司 Message processing method and switch
CN106506538A (en) * 2016-12-15 2017-03-15 汉柏科技有限公司 A kind of optimization method of intrusion prevention equipment performance and system



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20180330)