CN110138760A - Method and device for setting up a security service - Google Patents

Method and device for setting up a security service

Info

Publication number
CN110138760A
Authority
CN
China
Prior art keywords
safety equipment
sequence
equipment
host
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910379447.7A
Other languages
Chinese (zh)
Other versions
CN110138760B (en)
Inventor
沈辉
何丹丹
李彦斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NSFOCUS Information Technology Co Ltd
Beijing NSFocus Information Security Technology Co Ltd
Original Assignee
NSFOCUS Information Technology Co Ltd
Beijing NSFocus Information Security Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NSFOCUS Information Technology Co Ltd and Beijing NSFocus Information Security Technology Co Ltd
Priority to CN201910379447.7A
Publication of CN110138760A
Application granted
Publication of CN110138760B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/50 Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L41/5041 Network service management, e.g. ensuring proper service fulfilment according to agreements characterised by the time relationship between creation and deployment of a service
    • H04L41/5051 Service on demand, e.g. definition and deployment of services in real time
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/38 Flow based routing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Selective Calling Equipment (AREA)
  • Alarm Systems (AREA)

Abstract

This application discloses a method and device for setting up a security service. After a security service request is received from a user, where the request includes a security service policy and a security service execution order, the method determines a target host and, on that target host, a target security device sequence that satisfies the security service policy. The determination is based on the at least one security device configured on each of at least one host and on the security devices of at least one type in the target security device combination that satisfies the security service policy. When adjacent security devices in the target security device sequence are configured on the target host, the traffic orchestration path between the adjacent security devices is set according to the security service policy and the security service execution order. Traffic is then steered to each security device in turn according to the traffic orchestration path and a target classification flow table. The method improves the service efficiency of the security service.

Description

Method and device for setting up a security service
Technical field
This application relates to the field of cloud computing technology, and in particular to a method and device for setting up a security service.
Background
Cloud computing uses virtualization to turn traditional compute, storage and network into separate resource pools, and a cloud service platform provides security services to cloud tenants (or "users") following the cloud computing service model. As the technology has developed, cloud service platforms have deployed a standard dedicated security zone in which virtual security devices are created. A security device is a device that performs security processing on a user's service flow; these mainly include protection devices such as firewall devices and anti-virus devices, as well as scanning devices, detection devices and the like. From these security devices, the security operations portal of the cloud service platform can build and manage security resource pools with different security requirements, and security services are offered to users through the cloud platform tenant portal. In the cloud security resource pool scenario, the security requirements of a user's service flow (or "traffic") have to be carried by security devices, so the cloud service platform orchestrates (or "sets") the security services of the security devices according to the security requirements. Orchestration means arranging and organizing services or elements systematically around the user's requirement so that the parts are balanced and coordinated, producing a service that meets the user's requirement.
If the security requirement is of a single type, only a security device of the corresponding type is needed to provide the security service. The common practice is to steer the relevant service flow to the target security device, that is, to perform one traffic-steering pass; after filtering and analysis by the target security device, the flow is sent on to the protected host, such as the destination server.
If the security requirement is of multiple types, security devices of the corresponding types must be combined to provide the security service. The common practice is to have the service flow pass through all security devices in the security resource pool in turn, following a static order of the devices, which means multiple traffic-steering passes. A security device that matches the security requirement provides its security service to the service flow; a security device that does not match provides none, and the service flow simply passes through it.
However, the inventors found that completing a security service through multiple steering passes in a static order is inefficient and cannot meet the differentiated requirements of multiple tenants.
Summary of the invention
The embodiments of this application provide a method and device for setting up a security service that solve the above problem of the prior art and improve the service efficiency of the security service.
In a first aspect, a method for setting up a security service is provided. The method may include:
Receiving, at a security service controller, a security service request from a user, where the security service request includes a security service policy and a security service execution order;
Determining a target host and a target security device sequence on the target host that satisfies the security service policy, according to the at least one security device configured on each of at least one host and the security devices of at least one type in the target security device combination that satisfies the security service policy, where the target security device combination is the security device combination in the stored first security device sequence that satisfies the security service policy;
When adjacent security devices in the target security device sequence are configured on the target host, setting the traffic orchestration path between the adjacent security devices according to the security service policy, the security service execution order and a preset flow table;
Steering traffic to each security device in turn according to the traffic orchestration path and a target classification flow table, where the target classification flow table is a classification flow table in which the destination address of each security device has been modified, using a preset destination-address modification mode, according to the security service execution order and the working state of the security devices.
In an optional implementation, determining the target host and the target security device sequence on the target host that satisfies the security service policy, according to the at least one security device configured on each of at least one host and the security devices of at least one type in the target security device combination that satisfies the security service policy, includes:
Determining the target host with a first preset rule algorithm, according to the at least one security device configured on each of at least one host and the security devices of at least one type in the target security device combination that satisfies the security service policy;
Determining the target security device sequence among at least one second security device sequence, according to a second preset rule algorithm and the position information of the security devices in the at least one second security device sequence on the target host that satisfies the security service policy, where each second security device sequence includes security devices of at least one type.
In an optional implementation, after the security service request of the user is received, the method further includes:
Obtaining the hosts that communicate with the security service controller;
Determining, as the at least one host, at least one of those hosts whose remaining physical resources exceed a preset resource threshold, where the preset resource threshold is the amount of physical resources needed to configure a preset number of security devices.
In an optional implementation, determining the target host with the first preset rule algorithm, according to the device information of the at least one security device configured on each of at least one host and the device information of the security devices of at least one type in the target security device combination that satisfies the security service policy, includes:
Intersecting the at least one security device configured on each of at least one host with the security devices of at least one type in the target security device combination that satisfies the security service policy, to obtain a first quantity of shared security devices;
Using the first preset rule algorithm to perform a scoring operation on a second quantity of the at least one security device configured on each host and the corresponding first quantity, to determine the target host.
In an optional implementation, before the first quantity of shared security devices is obtained, the method further includes:
Obtaining the first security device sequence from the at least one security device configured on each host, using a preset addition principle, where the first security device sequence includes at least one security device combination and each security device combination includes security devices of at least one type;
The preset addition principle is to traverse each security device combination: if the type of every security device in the current combination differs from the type of the security device to be added, the security device to be added is added to the current combination; if every security device combination already includes the type of the security device to be added, the security device to be added is added to a newly configured security device combination.
In an optional implementation, using the first preset rule algorithm to perform the scoring operation on the second quantity of the at least one security device configured on each host and the corresponding first quantity, to determine the target host, includes:
Using the first preset rule algorithm to perform a scoring operation on the second quantity of the at least one security device configured on each host, the preset weight of the second quantity, the first quantity corresponding to that host and the preset weight of the first quantity, to obtain a candidate score for each host, where the preset weight of the second quantity is greater than the preset weight of the first quantity;
Determining the host with the maximum candidate score among the at least one host as the target host.
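The addition principle and the host scoring described above can be sketched as follows. This is an added example, not code from the patent: the `Device` class, all function names and the sample inventory are hypothetical. It assumes the score is a weighted sum, that the weights are 2.0 and 1.0, that combinations are built across all hosts' devices, and that a combination satisfies the policy when it covers every required device type.

```python
"""Added example: device-combination building and target-host scoring."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    dev_id: str
    dev_type: str  # e.g. "fw", "ids", "waf"
    host: str


# Assumed weights: the text only requires the weight of the second quantity
# (devices configured on the host) to exceed that of the first (shared devices).
W_SECOND = 2.0
W_FIRST = 1.0

# Constructed inventory, listed in the order it is traversed.
SAMPLE_DEVICES = [
    Device("fw-a1", "fw", "host-a"),
    Device("ids-a1", "ids", "host-a"),
    Device("fw-b1", "fw", "host-b"),
    Device("waf-b1", "waf", "host-b"),
    Device("ids-b1", "ids", "host-b"),
    Device("waf-c1", "waf", "host-c"),
]


def build_combinations(devices):
    """Apply the addition principle: put each device into the first
    combination that has no device of its type, else open a new one."""
    combos = []
    for dev in devices:
        for combo in combos:
            if all(d.dev_type != dev.dev_type for d in combo):
                combo.append(dev)
                break
        else:  # every existing combination already holds this type
            combos.append([dev])
    return combos


def target_combination(combos, required_types):
    """Return the first combination covering all required types (assumed
    meaning of 'satisfies the security service policy'), or None."""
    required = set(required_types)
    for combo in combos:
        if required <= {d.dev_type for d in combo}:
            return combo
    return None


def score_hosts(devices, target_combo):
    """Score each host from its device count (second quantity) and its
    overlap with the target combination (first quantity)."""
    by_host = {}
    for dev in devices:
        by_host.setdefault(dev.host, set()).add(dev.dev_id)
    target_ids = {d.dev_id for d in target_combo}
    scores = {}
    for host, ids in by_host.items():
        first_qty = len(ids & target_ids)   # shared security devices
        second_qty = len(ids)               # devices configured on host
        scores[host] = W_SECOND * second_qty + W_FIRST * first_qty
    return scores


def select_target_host(devices, required_types):
    """Run the whole selection; the host with the maximum score wins,
    ties broken by host name so the result is deterministic."""
    combos = build_combinations(devices)
    combo = target_combination(combos, required_types)
    if combo is None:
        raise ValueError("no device combination satisfies the policy")
    scores = score_hosts(devices, combo)
    return max(sorted(scores), key=scores.get), scores


if __name__ == "__main__":
    host, scores = select_target_host(SAMPLE_DEVICES, {"fw", "ids", "waf"})
    print(host, scores)
```

With these weights host-b wins even though host-a shares more devices with the target combination, because the device count carries the larger weight.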
In an optional implementation, before the target security device sequence is determined among the at least one second security device sequence according to the second preset rule algorithm and the position information of the security devices in the at least one second security device sequence on the target host that satisfies the security service policy, the method further includes:
Obtaining a third security device sequence on the target host that satisfies the security service policy, where the third security device sequence includes security device sets of at least one type and each type's security device set includes at least one security device of the same type;
Using a preset permutation and combination algorithm to permute and combine the security device sets of each type, to obtain the at least one second security device sequence on the target host that satisfies the security service policy.
In an optional implementation, determining the target security device sequence among the at least one second security device sequence, according to the second preset rule algorithm and the position information of the security devices in the at least one second security device sequence on the target host that satisfies the security service policy, includes:
Using the second preset rule algorithm to perform a scoring operation on the position information of the security devices of at least one type in a candidate security device sequence, to obtain the candidate score of that candidate security device sequence, where the candidate security device sequence is any one of the second security device sequences;
Determining the second security device sequence with the minimum candidate score among the at least one second security device sequence as the target security device sequence.
In an optional implementation, using the second preset rule algorithm to perform the scoring operation on the security devices of at least one type in the candidate security device sequence, to obtain the candidate score of the candidate security device sequence, includes:
Setting an initial candidate score for the candidate security device sequence;
Detecting whether security devices of two adjacent types, among the security devices of at least one type in the candidate security device sequence, are configured on the same host;
If the security devices of the two adjacent types are configured on the same host, adding a first value to the initial candidate score to obtain the current candidate score of the security devices of the two adjacent types;
If the security devices of the two adjacent types are not configured on the same host, adding a second value to the initial candidate score to obtain the current candidate score of the security devices of the two adjacent types, where the first value is greater than the second value;
Obtaining the candidate score of the candidate security device sequence with a preset accumulation algorithm, according to the current candidate score of each pair of security devices of adjacent types in the candidate security device sequence.
In an optional implementation, the target classification flow table includes one of a classification flow table of the Internet Protocol (IP) address type, a classification flow table of the port (Port) type and a classification flow table of the bypass (By-pass) type; the priority of the Port-type classification flow table is higher than that of the IP-address-type classification flow table, and the priority of the IP-address-type classification flow table is higher than that of the By-pass-type classification flow table.
In an optional implementation, the method further includes:
When one of the adjacent security devices is not configured on the target host, setting the traffic orchestration path between the adjacent security devices according to the security service policy, the security service execution order and the communication connection between the different hosts.
In a second aspect, a device for setting up a security service is provided. The device may include a receiving unit, an obtaining unit, a determination unit and a setting unit;
The receiving unit is used to receive a security service request from a user, where the security service request includes a security service policy and a security service execution order;
The determination unit is used to determine a target host and a target security device sequence on the target host that satisfies the security service policy, according to the at least one security device configured on each of at least one host and the security devices of at least one type in the target security device combination that satisfies the security service policy, where the target security device combination is the security device combination in the stored first security device sequence that satisfies the security service policy;
The setting unit is used to set, when adjacent security devices in the target security device sequence are configured on the target host, the traffic orchestration path between the adjacent security devices according to the security service policy and the security service execution order, and to steer traffic to each security device in turn according to the traffic orchestration path and a target classification flow table, where the target classification flow table is a classification flow table in which the destination address of each security device has been modified, using a preset destination-address modification mode, according to the security service execution order and the working state of the security devices.
In an optional implementation, the determination unit is specifically used to determine the target host with a first preset rule algorithm, according to the at least one security device configured on each of at least one host and the security devices of at least one type in the target security device combination that satisfies the security service policy;
and to determine the target security device sequence among at least one second security device sequence, according to a second preset rule algorithm and the position information of the security devices in the at least one second security device sequence on the target host that satisfies the security service policy, where each second security device sequence includes security devices of at least one type.
In an optional implementation, the device further includes a first obtaining unit;
The first obtaining unit is used to obtain the hosts that communicate with the security service platform;
The determination unit is further used to determine, as the at least one host, at least one of those hosts whose remaining physical resources exceed a preset resource threshold, where the preset resource threshold is the amount of physical resources needed to configure a preset number of security devices.
In an optional implementation, the determination unit is further specifically used to intersect the at least one security device configured on each of at least one host with the security devices of at least one type in the target security device combination that satisfies the security service policy, to obtain a first quantity of shared security devices;
and to use the first preset rule algorithm to perform a scoring operation on a second quantity of the at least one security device configured on each host and the corresponding first quantity, to determine the target host.
In an optional implementation, the device further includes a second obtaining unit;
The second obtaining unit is used to obtain the first security device sequence from the at least one security device configured on each of the at least one host, using a preset addition principle, where the first security device sequence includes at least one security device combination and each security device combination includes security devices of at least one type;
The preset addition principle is to traverse each security device combination: if the type of every security device in the current combination differs from the type of the security device to be added, the security device to be added is added to the current combination; if every security device combination already includes the type of the security device to be added, the security device to be added is added to a newly configured security device combination.
In an optional implementation, the determination unit is further specifically used to use the first preset rule algorithm to perform a scoring operation on the second quantity of the at least one security device configured on each host, the preset weight of the second quantity, the first quantity corresponding to that host and the preset weight of the first quantity, to obtain a candidate score for each host, where the preset weight of the second quantity is greater than the preset weight of the first quantity;
and to determine the host with the maximum candidate score among the at least one host as the target host.
In an optional implementation, the device further includes a third obtaining unit;
The third obtaining unit is used to obtain a third security device sequence on the target host that satisfies the security service policy, where the third security device sequence includes security device sets of at least one type and each type's security device set includes at least one security device of the same type;
and to use a preset permutation and combination algorithm to permute and combine the security device sets of each type, to obtain the at least one second security device sequence.
In an optional implementation, the determination unit is further specifically used to use the second preset rule algorithm to perform a scoring operation on the position information of the security devices of at least one type in a candidate security device sequence, to obtain the candidate score of that candidate security device sequence, where the candidate security device sequence is any one of the second security device sequences;
and to determine the second security device sequence with the minimum candidate score among the at least one second security device sequence as the target security device sequence.
In an optional implementation, the device further includes a fourth obtaining unit;
The setting unit is further used to set an initial candidate score for the candidate security device sequence;
The fourth obtaining unit is used to detect whether security devices of two adjacent types, among the security devices of at least one type in the candidate security device sequence, are configured on the same host;
If the security devices of the two adjacent types are configured on the same host, a first value is added to the initial candidate score to obtain the current candidate score of the security devices of the two adjacent types;
If the security devices of the two adjacent types are not configured on the same host, a second value is added to the initial candidate score to obtain the current candidate score of the security devices of the two adjacent types, where the first value is greater than the second value;
The candidate score of the candidate security device sequence is obtained with a preset accumulation algorithm, according to the current candidate score of each pair of security devices of adjacent types in the candidate security device sequence.
In an optional implementation, the target classification flow table includes one of a classification flow table of the Internet Protocol (IP) address type, a classification flow table of the port (Port) type and a classification flow table of the bypass (By-pass) type; the priority of the Port-type classification flow table is higher than that of the IP-address-type classification flow table, and the priority of the IP-address-type classification flow table is higher than that of the By-pass-type classification flow table.
In an optional implementation, the setting unit is further used to set, when one of the adjacent security devices is not configured on the target host, the traffic orchestration path between the adjacent security devices according to the security service policy, the security service execution order and the communication connection between the different hosts.
In a third aspect, an electronic device is provided. The electronic device includes a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another over the communication bus;
The memory is used to store a computer program;
The processor is used to implement any of the method steps of the first aspect when executing the program stored in the memory.
In a fourth aspect, a computer-readable storage medium is provided. A computer program is stored in the computer-readable storage medium, and the computer program implements any of the method steps of the first aspect when executed by a processor.
In the method provided by this application, a security service request is received from a user, where the request includes a security service policy and a security service execution order. A target host and a target security device sequence on the target host that satisfies the security service policy are determined according to the at least one security device configured on each of at least one host and the security devices of at least one type in the target security device combination that satisfies the security service policy, where the target security device combination is the security device combination in the stored first security device sequence that satisfies the security service policy. When adjacent security devices in the target security device sequence are configured on the target host, the traffic orchestration path between the adjacent security devices is set according to the security service policy and the security service execution order. Traffic is steered to each security device in turn according to the traffic orchestration path and a target classification flow table, where the target classification flow table is a classification flow table in which the destination address of each security device has been modified, using a preset destination-address modification mode, according to the security service execution order and the working state of the security devices. The method first determines the target host and then obtains the target security device sequence by screening security devices, which greatly reduces cross-host communication, improves the service efficiency of the security service, and reduces packet loss and latency.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of a security service platform that applies the method for setting up a security service provided by an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a method for setting up a security service provided by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a device for setting up a security service provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an electronic device provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of this application are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of this application without creative effort fall within the scope of protection of this application.
The method for setting up a security service provided by the embodiments of the present invention can be applied in the security service platform shown in Fig. 1. The security service platform may include a security service controller, a security resource pool containing at least one security device and a switch, and hosts.
The security service controller is communicatively connected to the security resource pool and to the hosts; the security resource pool is communicatively connected to the hosts; the hosts support layer-3 communication with one another over an overlay network.
The switch may be a virtual distributed switch (OpenVswitch) that supports the OpenFlow protocol, or a software-defined network (Software Defined Network, SDN) switch that supports the OpenFlow protocol.
Security devices perform access control, attack inspection, attachment filtering, content auditing and the like on user service flows, and the security resource pool supports the OpenFlow protocol. A security device may be a security gateway (Unified Threat Management, UTM), an intrusion detection system (Intrusion Detection Systems, IDS), an intrusion prevention system (Intrusion Prevention System, IPS), a website application-layer intrusion prevention system (Web Application Firewall, WAF) or a similar device.
Fig. 2 is a flow diagram of a setting method of a security service provided in an embodiment of the present invention. As shown in Fig. 2, the method may include:
Step 210: receive a security service request from a user, where the security service request includes a security service strategy and an execution sequence of security services.
The security service controller is responsible for receiving and analysing the security service request from the user, and for extracting and organising from it the security service strategy and the execution sequence of the security services (also referred to as the "demand for security"), such as the types of security services, the quantity of security services and the sequence of the security services of each type.
Step 220: obtain at least one host that communicates with the security service controller, where each host of the at least one host includes at least one configured safety equipment.
The security service controller obtains the physical resource surplus of the hosts that communicate with it. The physical resources may include CPU resources, memory resources, hard disk resources, process resources and the like.
The security service controller determines the hosts whose physical resource surplus is greater than a default resource threshold as the at least one host, and thereby obtains the at least one host. The default resource threshold is the amount of physical resources needed to establish a preset quantity of safety equipment. That is, every host of the at least one host satisfies the condition for creating safety equipment. At least one safety equipment is created in each host, and the at least one safety equipment may be safety equipment of different types.
In order to improve resource utilization and the setting efficiency (or "scheduling efficiency") of subsequent security services, the security service controller follows a creation rule under which a host with a larger physical resource surplus creates more safety equipment and a host with a smaller physical resource surplus creates fewer, and preferentially deploys different types of safety equipment on the same host.
Step 230: according to the at least one safety equipment configured on each host of the at least one host and the safety equipment of at least one type in a targeted security equipment combination that meets the security service strategy, determine a target host machine and a targeted security equipment sequence on the target host machine that meets the security service strategy.
According to the at least one safety equipment configured on each host of the at least one host and the safety equipment of at least one type in the targeted security equipment combination that meets the security service strategy, the target host machine is determined using a first preset rules algorithm.
According to a second preset rules algorithm and the location information of the safety equipment in at least one second safety equipment sequence on the target host machine that meets the security service strategy, the targeted security equipment sequence is determined from the at least one second safety equipment sequence. Each second safety equipment sequence includes safety equipment of at least one type.
(1) Determining the target host machine:
An intersection operation is performed between the at least one safety equipment of a host to be selected and the safety equipment of at least one type in the targeted security equipment combination that meets the security service strategy, to obtain a first quantity of shared safety equipment.
Here, the host to be selected is any host of the at least one host; the targeted security equipment combination is the safety equipment combination in the stored first safety equipment sequence that meets the security service information. Shared safety equipment refers to safety equipment that both belongs to the targeted security equipment combination and is configured on the host to be selected.
Before this step is executed, the security service controller obtains a first safety equipment sequence G based on the at least one safety equipment of each host of the at least one host. The first safety equipment sequence G includes at least one safety equipment combination, and each safety equipment combination includes safety equipment of at least one type.
Specifically, the security service controller may set up an initial safe equipment sequence. The initial safe equipment sequence is used to store at least one safety equipment combination, and each safety equipment combination stores safety equipment of at least one type, expressed as:
$G = \{g_1, g_2, \ldots, g_i, \ldots, g_n\}$;
$g_i = \{VM_1, VM_2, \ldots, VM_i, \ldots, VM_n\}$;
Where $G$ denotes the initial safe equipment sequence, $g_i$ denotes the i-th safety equipment combination, and $VM_1$, $VM_2$, $VM_i$ and $VM_n$ denote safety equipment of different types.
The security service controller traverses the at least one safety equipment combination in the initial safe equipment sequence and, using a default addition principle, adds the at least one safety equipment of each host of the at least one host to the at least one safety equipment combination in the initial safe equipment sequence.
The adding process may be as follows:
If the current security device combination does not include the type of the safety equipment to be added, the safety equipment to be added is added to the current security device combination, so as to obtain the first safety equipment sequence. Here, the current security device combination is any safety equipment combination of the at least one safety equipment combination, and the safety equipment to be added is any safety equipment of the at least one safety equipment.
That is, the default addition principle is: if the type of every safety equipment in the current security device combination differs from the type of the safety equipment to be added, the safety equipment to be added is added to the current security device combination;
The default addition principle can be expressed as:
$VM_j \in g_i \rightarrow VM_j.type \neq VM_x.type$;
Where $g_i$ denotes the i-th safety equipment combination, $VM_j.type$ denotes the type of the j-th safety equipment, and $VM_x.type$ denotes the type of the x-th safety equipment to be added among the at least one safety equipment.
If every safety equipment combination includes the type of the safety equipment to be added, a new safety equipment combination is configured at the end of the initial safe equipment sequence and the safety equipment to be added is added to the new safety equipment combination, so as to obtain the first safety equipment sequence. That is, the default addition principle is: if every safety equipment combination includes the type of the safety equipment to be added, the safety equipment to be added is added to the newly configured safety equipment combination.
It can be understood that the safety equipment of at least one type in each safety equipment combination may be safety equipment configured on different hosts, or safety equipment configured on the same host.
Further, the security service controller obtains, from the first safety equipment sequence, the targeted security equipment combination that meets the security service strategy. The targeted security equipment combination includes safety equipment of at least one type. According to the at least one safety equipment configured on the host to be selected and the safety equipment of at least one type in the targeted security equipment combination, the controller identifies the first quantity of shared safety equipment that both belongs to the targeted security equipment combination and is configured on the host to be selected, where the host to be selected is any host of the at least one host.
The first quantity can be expressed as:
$Count1 = |h_j.vms \cap g_i|$;
Where $h_j.vms$ denotes the safety equipment configured on the j-th host, and $g_i$ denotes the i-th safety equipment combination, which meets the security service strategy.
Further, using the first preset rules algorithm, a score value operation is performed on a second quantity of the at least one safety equipment configured on each host and the corresponding first quantity, to determine the target host machine.
Specifically, the security service controller first obtains the second quantity of the at least one safety equipment configured on each host. The second quantity can be expressed as:
$Count2 = |h_j.vms|$;
In order to improve the accuracy of the score value to be selected, the security service controller may set a default weight for the second quantity, such as Weight1, and a default weight for the first quantity, such as Weight2, where the default weight of the second quantity is greater than the default weight of the first quantity.
The security service controller uses the first preset rules algorithm to perform a score value operation on the second quantity of safety equipment configured on each host, the default weight of the second quantity, the first quantity corresponding to that host and the default weight of the first quantity, and obtains the score value to be selected of each host.
The score value to be selected $Y$ of each host can be expressed as:
$Y = Count1 \times Weight1 - Count2 \times Weight2$;
The host corresponding to the maximum score value to be selected among the at least one host is determined as the target host machine.
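The grouping rule and host scoring described above, as an added example that is not code from the patent: `build_first_sequence` applies the default addition principle and `host_scores` evaluates Y = Count1*Weight1 - Count2*Weight2 per host. The device names, host names, the weights 3 and 1, the tie-break, and the reading of "meets the security service strategy" as "covers the requested device types" are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str   # constructed identifier
    type: str   # device type, e.g. "WAF", "IPS", "IDS"
    host: str   # host the device is configured on


def build_first_sequence(devices):
    """Default addition principle: add a device to the first combination that
    holds no device of its type; if every combination already holds that type,
    open a new combination at the end of the sequence."""
    sequence = []
    for dev in devices:
        for combo in sequence:
            if all(member.type != dev.type for member in combo):
                combo.append(dev)
                break
        else:
            sequence.append([dev])
    return sequence


def target_combination(sequence, required_types):
    """Assumption: a combination 'meets the strategy' when its device types
    cover every requested type. Returns the first such combination."""
    need = set(required_types)
    for combo in sequence:
        if need <= {member.type for member in combo}:
            return combo
    return None


def host_scores(devices, combo, weight1, weight2):
    """Y = Count1*Weight1 - Count2*Weight2 for every host, where
    Count1 = |h.vms ∩ g| and Count2 = |h.vms|."""
    vms_by_host = {}
    for dev in devices:
        vms_by_host.setdefault(dev.host, set()).add(dev)
    shared = set(combo)
    scores = {}
    for host, vms in vms_by_host.items():
        count1 = len(vms & shared)   # devices on this host that are in g
        count2 = len(vms)            # all devices on this host
        scores[host] = count1 * weight1 - count2 * weight2
    return scores


def pick_target_host(scores):
    """Host with the maximum score; ties go to the lowest host name
    (the tie-break is an assumption, the page does not define one)."""
    return max(sorted(scores), key=lambda host: scores[host])


# Constructed inventory: three hosts, devices listed in creation order.
DEVICES = [
    Device("waf-a", "WAF", "h1"), Device("ips-b", "IPS", "h2"),
    Device("ids-a", "IDS", "h1"), Device("waf-b", "WAF", "h2"),
    Device("ips-a", "IPS", "h1"), Device("ids-c", "IDS", "h3"),
]


def demo():
    sequence = build_first_sequence(DEVICES)
    combo = target_combination(sequence, ["WAF", "IPS", "IDS"])
    scores = host_scores(DEVICES, combo, weight1=3, weight2=1)
    return sequence, combo, scores, pick_target_host(scores)


if __name__ == "__main__":
    seq, combo, scores, target = demo()
    print([[d.name for d in g] for g in seq])
    print(scores, "->", target)
```

The second term of Y penalises hosts that carry many devices unrelated to the chosen combination, so a host is preferred when most of what it runs is actually part of the requested chain.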
(2) Determining the targeted security equipment sequence:
After the target host machine is determined, the security service controller obtains a third safety equipment sequence D on the target host machine that meets the security service strategy. The third safety equipment sequence includes a safety equipment set for each of at least one type, and the safety equipment set of each type includes at least one safety equipment of the same type, expressed for example as $(D_1, D_2, \ldots, D_n)$, where $D_i$ is the set of safety equipment of the i-th type.
Using a default permutation and combination algorithm, a permutation and combination operation is performed on the safety equipment sets of each type, that is, one safety equipment is chosen from the safety equipment set of each type, to obtain at least one second safety equipment sequence. Each second safety equipment sequence includes safety equipment of at least one type; for example, each second safety equipment sequence d is expressed as $(d_1, d_2, \ldots, d_n)$, where $d_i$ is the safety equipment of the i-th type and $d_i$ is an element of $D_i$. The security service controller thereby obtains at least one second safety equipment sequence on the target host machine that meets the security service strategy.
Further, the security service controller uses the second preset rules algorithm to perform a score value operation on the location information of the safety equipment of at least one type in a safety equipment sequence to be selected, and obtains the score value to be selected of the safety equipment sequence to be selected. The safety equipment sequence to be selected is any sequence among the second safety equipment sequences d;
Specifically, an initial score value to be selected of the safety equipment sequence to be selected is set.
It is detected whether the safety equipment of two adjacent types among the safety equipment of at least one type in the safety equipment sequence to be selected is configured on the same host;
If the safety equipment of the two adjacent types is configured on the same host, a first numerical value is added to the initial score value to be selected to obtain the current score value to be selected of the safety equipment of the two adjacent types;
If the safety equipment of the two adjacent types is not configured on the same host, a second value is added to the initial score value to be selected to obtain the current score value to be selected of the safety equipment of the two adjacent types, where the first numerical value is greater than the second value.
The current score value to be selected of the safety equipment of the two adjacent types can be expressed as:
Where $f(d_i, d_{i+1})$ denotes the current score value to be selected of the i-th safety equipment and the (i+1)-th safety equipment.
According to the current score values to be selected of all the safety equipment of two adjacent types in the safety equipment sequence to be selected, the score value to be selected of the safety equipment sequence to be selected is obtained using a default accumulation algorithm.
Where the current score value to be selected S of the safety equipment sequence to be selected can be expressed as:
For example, suppose the safety equipment sequence to be selected includes three safety equipment of different types: a first safety equipment, a second safety equipment and a third safety equipment. Suppose the initial score value to be selected of the safety equipment sequence to be selected is 0, the first numerical value is 1 and the second value is 0.
If the first safety equipment and the second safety equipment are configured on the same host, the current score value to be selected of the first safety equipment and the second safety equipment is the sum of the initial score value to be selected and the first numerical value, that is, 1.
If the second safety equipment and the third safety equipment are configured on the same host, the current score value to be selected of the second safety equipment and the third safety equipment is the sum of the initial score value to be selected and the first numerical value, that is, 1; the score value to be selected of the safety equipment sequence to be selected is therefore 2.
Alternatively, if the first safety equipment and the second safety equipment are configured on the same host, the current score value to be selected of the first safety equipment and the second safety equipment is the sum of the initial score value to be selected and the first numerical value, that is, 1. If the second safety equipment and the third safety equipment are not configured on the same host, the current score value to be selected of the second safety equipment and the third safety equipment is the sum of the initial score value to be selected and the second value, that is, 0; the score value to be selected of the safety equipment sequence to be selected is therefore 1.
Based on the above algorithm, the security service controller can obtain the score value to be selected of each of the at least one second safety equipment sequence, and determines the second safety equipment sequence corresponding to the minimum score value to be selected as the targeted security equipment sequence.
It can be understood that the smaller the score value to be selected of a second safety equipment sequence, the more safety equipment in that second safety equipment sequence is configured on the same host; the number of times security services are provided across hosts can thereby be reduced, improving security service efficiency.
Step 240: when the adjacent security equipment in the targeted security equipment sequence is all configured on the target host machine, obtain the flow layout path between adjacent security equipment and classification flow tables of different types according to the security service strategy, the execution sequence of the security services and a default destination address modification mode.
When the adjacent security equipment in the targeted security equipment sequence is all configured on the target host machine, the security service controller can set the flow layout path between adjacent security equipment in the targeted security equipment sequence according to the security service strategy and the execution sequence of the security services. According to the working condition of the safety equipment and the execution sequence of the security services, it modifies the destination address of each safety equipment using the default destination address modification mode, obtains classification flow tables of different types, and stores them.
The classification flow tables of different types may include a classification flow table of the Internet Protocol (IP) address type, a classification flow table of the port (Port) type and a classification flow table of the bypass (By-pass) type. The priority of the classification flow table of the Port type is greater than that of the classification flow table of the IP address type, which in turn is greater than that of the classification flow table of the By-pass type. The routed path is composed of the physical addresses (Media Access Control, MAC, addresses) of the safety equipment of at least one type in the targeted security equipment sequence.
The classification flow table of the IP address type uses only the destination IP address of the business stream as the filter condition. It is suitable for security services that protect all traffic, and its priority level is set to 2.
The classification flow table of the Port type uses the destination IP address and the destination port of the business stream as the filter condition. It is suitable for security services that protect the traffic of designated ports, and its priority level is set to 3.
The classification flow table of the By-pass type guarantees that traffic does not enter certain safety equipment. It is suitable for cases where safety equipment has failed or where some ports do not need the protection of a security service, and its priority level is set to 1. The classification flow table of the By-pass type can be generated automatically according to the working condition of the safety equipment and/or the security service information, or can be obtained through external input.
When there is a business stream to be drained, the working condition of each safety equipment in the targeted security equipment sequence is detected, that is, it is detected whether the safety equipment is damaged. If there is damaged safety equipment or safety equipment with a damaged port, the classification flow table of the IP address type is selected, that is, the classification flow table of the IP address type is the target classification flow table;
In order to support by-pass and to refine the protective capability down to the ports of the safety equipment, the classification flow tables are divided into three priorities. When matching against the five-tuple of a business stream, a classification flow table with a higher priority is matched earlier, which improves the efficiency of the security service.
Optionally, when there is a safety equipment among the adjacent security equipment that is not configured on the target host machine, the security service controller sets the flow layout path between adjacent security equipment according to the security service strategy, the execution sequence of the security services and the communication connection between the different host machines.
(1) The safety equipment of at least one type in the targeted security equipment sequence is all configured on the same host, that is, the security service setting does not involve a cross-host scene:
The security service controller issues the preset classification flow tables to the OpenFlow interchanger to which the host where the targeted security equipment sequence is located is connected. The targeted security equipment sequence is $(d_1, d_2, \ldots, d_i, \ldots, d_n)$.
If the destination IP address of the business stream is the IP address of the host to be protected, and the destination MAC address of the business stream is the MAC address that the OpenFlow interchanger drains into, the destination MAC address is changed to the MAC address of safety equipment $d_1$, and the business stream is drained to the port of safety equipment $d_1$.
(1) The classification flow table of the By-pass type is issued to the OpenFlow interchanger to which the host where $(d_1, d_2, \ldots, d_i, \ldots, d_n)$ is located is connected. The content of the classification flow table is as follows:
If the destination IP address of the business stream is the IP address of the host to be protected, and the destination MAC address of the business stream is the MAC address of $d_1$, the destination MAC address is changed to the MAC address of $d_2$; the classification flow table priority is 1.
If the destination IP address of the business stream is the IP address of the host to be protected, and the destination MAC address of the business stream is the MAC address of $d_i$, the destination MAC address is changed to the MAC address of $d_{i+1}$; the classification flow table priority is 1.
If the destination IP address of the business stream is the IP address of the host to be protected, and the destination MAC address of the business stream is the MAC address of $d_n$, the destination MAC address is changed to the drainage MAC address of the OpenFlow interchanger, and the business stream is drained to the drainage outgoing interface of the OpenFlow interchanger; the classification flow table priority is 1.
(2) The classification flow table of the IP type is issued to the OpenFlow interchanger to which the host where $(d_1, d_2, \ldots, d_i, \ldots, d_n)$ is located is connected:
If the destination IP address of the business stream is the IP address of the host to be protected, and the destination MAC address of the business stream is the MAC address of $d_1$, the destination MAC address is changed to the MAC address of $d_2$, and the business stream is given to the port of $d_2$; the classification flow table priority is 2.
If the destination IP address of the business stream is the IP address of the host to be protected, and the destination MAC address of the business stream is the MAC address of $d_i$, the destination MAC address is changed to the MAC address of $d_{i+1}$, and the flow is given to the port of $d_{i+1}$; the classification flow table priority is 2.
If the destination IP address of the business stream is the IP address of the host to be protected, and the destination MAC address of the business stream is the MAC address of $d_n$, the destination MAC address is changed to the drainage MAC address of the OpenFlow interchanger, and the business stream is drained to the drainage outgoing interface of the OpenFlow interchanger; the classification flow table priority is 2.
(3) The classification flow table of the port type is issued to the OpenFlow interchanger to which the host where $(d_1, d_2, \ldots, d_i, \ldots, d_n)$ is located is connected:
If the destination IP address of the business stream is the IP address of the host to be protected, the destination port of the business stream is the Port specified in security policy $P_1$, and the destination MAC address is the MAC address of $d_1$, the destination MAC address is changed to the MAC address of $d_2$, and the business stream is given to the port of $d_2$; the classification flow table priority is 3.
If the destination IP address of the business stream is the IP address of the host to be protected, the destination port of the business stream is the Port specified in security policy $P_i$, and the destination MAC address is the MAC address of $d_i$, the destination MAC address is changed to the MAC address of $d_{i+1}$, and the business stream is given to the port of $d_{i+1}$; the classification flow table priority is 3.
If the destination IP address of the business stream is the IP address of the host to be protected, the destination port of the business stream is the port specified in security policy $P_n$, and the destination MAC address is the MAC address of $d_n$, the destination MAC address is changed to the drainage MAC address of the OpenFlow interchanger, and the business stream is given to the drainage outgoing interface of the OpenFlow interchanger; the classification flow table priority is 3.
As can be seen, if the safety equipment in the targeted security equipment sequence is configured on the same host, the security service can be provided according to the routed path.
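The MAC-rewrite chain described above, as an added example that is not code from the patent: `build_rules` generates the IP-type (priority 2) and Port-type (priority 3) entries for a chain d1..dn, and `walk` follows one packet through them with the highest-priority match winning. The MAC addresses, port names and policy ports are constructed; the names `ingress_mac`, `egress_mac` and `egress_if`, giving the first entry priority 2, and omitting the By-pass tier are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

PRIO_IP, PRIO_PORT = 2, 3   # priorities stated on the page (By-pass is 1)


@dataclass(frozen=True)
class Rule:
    priority: int
    dst_ip: str               # match: IP of the host to be protected
    dst_mac: str              # match: where the packet currently "is"
    dst_port: Optional[int]   # match: None means the port is not checked
    set_dst_mac: str          # action: rewrite destination MAC
    out_port: str             # action: switch port to send the packet to

    def matches(self, pkt):
        return (pkt["dst_ip"] == self.dst_ip
                and pkt["dst_mac"] == self.dst_mac
                and (self.dst_port is None or pkt["dst_port"] == self.dst_port))


def build_rules(chain, protected_ip, ingress_mac, egress_mac, egress_if,
                policy_ports):
    """chain: ordered [(device_mac, switch_port), ...] for d1..dn.
    policy_ports: {index in chain: port named in that device's policy P_i}."""
    first_mac, first_port = chain[0]
    # Entry that steers diverted traffic into d1. The page states no priority
    # for this entry; PRIO_IP is an assumption.
    rules = [Rule(PRIO_IP, protected_ip, ingress_mac, None, first_mac, first_port)]
    for i, (mac, _) in enumerate(chain):
        if i + 1 < len(chain):
            next_mac, next_out = chain[i + 1]          # d_i -> d_{i+1}
        else:
            next_mac, next_out = egress_mac, egress_if  # d_n -> switch egress
        rules.append(Rule(PRIO_IP, protected_ip, mac, None, next_mac, next_out))
        if i in policy_ports:
            rules.append(Rule(PRIO_PORT, protected_ip, mac, policy_ports[i],
                              next_mac, next_out))
    return rules


def walk(rules, pkt, egress_if, max_hops=32):
    """Return [(out_port, matched_priority), ...] for one packet."""
    pkt = dict(pkt)
    trace = []
    for _ in range(max_hops):          # bound guards against rule loops
        hits = [r for r in rules if r.matches(pkt)]
        if not hits:
            break
        best = max(hits, key=lambda r: r.priority)   # higher priority first
        pkt["dst_mac"] = best.set_dst_mac
        trace.append((best.out_port, best.priority))
        if best.out_port == egress_if:
            break
    return trace


# Constructed sample values (locally administered MACs, made-up port names).
INGRESS_MAC, EGRESS_MAC, EGRESS_IF = "02:00:00:00:00:f0", "02:00:00:00:00:f1", "egress"
CHAIN = [("02:00:00:00:00:01", "vport1"),
         ("02:00:00:00:00:02", "vport2"),
         ("02:00:00:00:00:03", "vport3")]
RULES = build_rules(CHAIN, "10.0.0.5", INGRESS_MAC, EGRESS_MAC, EGRESS_IF,
                    policy_ports={0: 443, 1: 8080})


def trace_for(dst_ip, dst_port):
    pkt = {"dst_ip": dst_ip, "dst_mac": INGRESS_MAC, "dst_port": dst_port}
    return walk(RULES, pkt, EGRESS_IF)


if __name__ == "__main__":
    print(trace_for("10.0.0.5", 443))
    print(trace_for("10.0.0.9", 443))
```

A packet for an address other than the protected host matches no entry and never enters the chain, which is the first thing to check when a flow appears to skip inspection.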
(2) The safety equipment of at least one type in the targeted security equipment sequence is only partly configured on the same host, that is, the security service setting involves a cross-host scene:
Suppose the targeted security equipment sequence is $(d_1, d_2, \ldots, d_i, \ldots, d_n)$. When $d_i$ and $d_{i+1}$ are located on different hosts, the security service controller can set, according to the security service strategy and the execution sequence of the security services, the flow layout path between adjacent security equipment in the targeted security equipment sequence and the overlay communication connection between the different host machines where $d_i$ and $d_{i+1}$ are located, and introduces the business stream from $d_i$ into $d_{i+1}$. As can be seen, if adjacent security equipment in the targeted security equipment sequence is located on different host machines, the security service is provided for the user according to the routed path and the communication connection between the different host machines.
The above process of obtaining the routed path can satisfy a user's demand for customizing the execution sequence of multiple security services. Being able to view the routed path not only makes the user's own operation and maintenance more convenient, but also improves the accuracy of the user's own maintenance.
In the method provided by the present application, a security service request of a user is received, where the security service request includes a security service strategy and an execution sequence of security services. According to the at least one safety equipment configured on each host of at least one host and the safety equipment of at least one type in the targeted security equipment combination that meets the security service strategy, a target host machine and a targeted security equipment sequence on the target host machine that meets the security service strategy are determined, where the targeted security equipment combination is the safety equipment combination in the stored first safety equipment sequence that meets the security service strategy. When the adjacent security equipment in the targeted security equipment sequence is configured on the target host machine, the flow layout path between adjacent security equipment is set according to the security service strategy and the execution sequence of the security services. According to the flow layout path and a target classification flow table, the flow is drawn to each safety equipment in turn, where the target classification flow table is the classification flow table obtained after the destination address of each safety equipment is modified, using the default destination address modification mode, according to the execution sequence of the security services and the working condition of the safety equipment. By first determining the target host machine and then obtaining the targeted security equipment sequence by screening safety equipment, the method greatly reduces cross-host communication, improves the service efficiency of the security service, and reduces packet loss and delay.
Corresponding to the above method, an embodiment of the present invention also provides a setting device of a security service. As shown in Fig. 3, the device includes: a receiving unit 310, a determination unit 320 and a setting unit 330;
The receiving unit 310 is used to receive a security service request of a user, where the security service request includes a security service strategy and an execution sequence of security services;
The determination unit 320 is used to determine, according to the at least one safety equipment configured on each host of at least one host and the safety equipment of at least one type in the targeted security equipment combination that meets the security service strategy, a target host machine and a targeted security equipment sequence on the target host machine that meets the security service strategy, where the targeted security equipment combination is the safety equipment combination in the stored first safety equipment sequence that meets the security service strategy;
The setting unit 330 is used to, when the adjacent security equipment in the targeted security equipment sequence is configured on the target host machine, set the flow layout path between adjacent security equipment according to the security service strategy and the execution sequence of the security services, and to draw the flow to each safety equipment in turn according to the flow layout path and a target classification flow table, where the target classification flow table is the classification flow table obtained after the destination address of each safety equipment is modified, using the default destination address modification mode, according to the execution sequence of the security services and the working condition of the safety equipment.
In an optional implementation, the determination unit 320 is specifically used to determine the target host machine using the first preset rules algorithm, according to the at least one safety equipment configured on each host of the at least one host and the safety equipment of at least one type in the targeted security equipment combination that meets the security service strategy;
According to the second preset rules algorithm and the location information of the safety equipment in at least one second safety equipment sequence on the target host machine that meets the security service strategy, the targeted security equipment sequence is determined from the at least one second safety equipment sequence, where each second safety equipment sequence includes safety equipment of at least one type.
In an optional implementation, the device further includes a first acquisition unit 340;
The first acquisition unit 340 is used to obtain the hosts that communicate with the safety service platform;
The determination unit 320 is also used to determine at least one host whose physical resource surplus is greater than a default resource threshold among the hosts as the at least one host, where the default resource threshold is the amount of physical resources needed to configure a preset quantity of safety equipment.
In an optional implementation, the determination unit 320 is also specifically used to perform an intersection operation between the at least one safety equipment configured on each host of the at least one host and the safety equipment of at least one type in the targeted security equipment combination that meets the security service strategy, to obtain a first quantity of shared safety equipment;
Using the first preset rules algorithm, a score value operation is performed on a second quantity of the at least one safety equipment configured on each host and the corresponding first quantity, to determine the target host machine.
In an optional implementation, the device further includes a second acquisition unit 350;
The second acquisition unit 350 is used to obtain the first safety equipment sequence, using the default addition principle, based on the at least one safety equipment configured on each host of the at least one host, where the first safety equipment sequence includes at least one safety equipment combination and each safety equipment combination includes safety equipment of at least one type;
The default addition principle is to traverse each safety equipment combination: if the type of every safety equipment in the current security device combination differs from the type of the safety equipment to be added, the safety equipment to be added is added to the current security device combination; if every safety equipment combination includes the type of the safety equipment to be added, the safety equipment to be added is added to a newly configured safety equipment combination.
In an optional implementation, the determination unit 320 is also specifically used to perform, using the first preset rules algorithm, a score value operation on the second quantity of the at least one safety equipment configured on each host, the default weight of the second quantity, the first quantity corresponding to that host and the default weight of the first quantity, to obtain the score value to be selected of each host, where the default weight of the second quantity is greater than the default weight of the first quantity;
The host corresponding to the maximum score value to be selected among the at least one host is determined as the target host machine.
In an optional implementation, the device further includes a third acquiring unit 360;
The third acquiring unit 360 is used to obtain a third safety equipment sequence on the target host machine that meets the security service strategy, where the third safety equipment sequence includes a safety equipment set for each of at least one type, and the safety equipment set of each type includes at least one safety equipment of the same type;
Using the default permutation and combination algorithm, a permutation and combination operation is performed on the safety equipment sets of each type to obtain at least one second safety equipment sequence.
In an optional realization, determination unit 320, also particularly useful for the second preset rules algorithm is used, to be selected The location information of the safety equipment of at least one of safety equipment sequence type carries out score value operation, obtains the safety to be selected and sets The score value to be selected of standby sequence, the safety equipment sequence to be selected are any sequence in the second safety equipment sequence;
The corresponding second safety equipment sequence of minimum score value to be selected at least one described second safety equipment sequence is true It is set to targeted security equipment sequence.
In an optional implementation, the device further includes a fourth acquiring unit 370;
The setting unit 330 is further configured to set an initial candidate score value for the candidate safety equipment sequence;
The fourth acquiring unit 370 is configured to detect whether two adjacent types of safety equipment, among the safety equipment of at least one type in the candidate safety equipment sequence, are configured on the same host;
If the two adjacent types of safety equipment are configured on the same host, the first value is added to the initial candidate score value to obtain the current candidate score value of the two adjacent types of safety equipment;
If the two adjacent types of safety equipment are not configured on the same host, the second value is added to the initial candidate score value to obtain the current candidate score value of the two adjacent types of safety equipment, where the first value is greater than the second value;
The candidate score value of the candidate safety equipment sequence is obtained, using a preset accumulation algorithm, from the current candidate score value of each pair of adjacent types of safety equipment in the candidate safety equipment sequence.
In an optional implementation, the target classification flow table includes one of a classification flow table of the Internet Protocol (IP) address type, a classification flow table of the port (Port) type, and a classification flow table of the bypass (By-pass) type; the priority of the classification flow table of the Port type is greater than the priority of the classification flow table of the IP address type, and the priority of the classification flow table of the IP address type is greater than that of the classification flow table of the By-pass type.
In an optional implementation, the setting unit 330 is further configured to, when one safety equipment of the adjacent safety equipment is not configured on the target host machine, set the flow layout path between the adjacent safety equipment according to the security service strategy, the execution sequence of the security service, and the communication connection between the different host machines.
The functions of the functional units of the setting device for the security service provided by the above embodiment of the present invention can be realized through the method steps described above; therefore, the specific working process and beneficial effects of each unit in the setting device for the security service provided by this embodiment of the present invention are not repeated here.
An embodiment of the present invention further provides an electronic device which, as shown in Figure 4, includes a processor 410, a communication interface 420, a memory 430 and a communication bus 440, where the processor 410, the communication interface 420 and the memory 430 communicate with one another through the communication bus 440.
The memory 430 is configured to store a computer program;
The processor 410 is configured to implement the following steps when executing the program stored in the memory 430:
Receiving a security service request from a user, where the security service request includes a security service strategy and an execution sequence of the security service;
Determining, according to the at least one safety equipment configured on each host machine of at least one host machine and the safety equipment of at least one type in a target safety equipment combination that meets the security service strategy, a target host machine and a target safety equipment sequence that meets the security service strategy on the target host machine, where the target safety equipment combination is the safety equipment combination, in a stored first safety equipment sequence, that meets the security service strategy;
When the adjacent safety equipment in the target safety equipment sequence are configured on the target host machine, setting the flow layout path between the adjacent safety equipment according to the security service strategy and the execution sequence of the security service;
Steering traffic to each safety equipment in turn according to the flow layout path and a target classification flow table, where the target classification flow table is the classification flow table obtained by modifying the destination address of each safety equipment, in a preset destination address modification mode, according to the execution sequence of the security service and the working state of the safety equipment.
In an optional implementation, determining, according to the at least one safety equipment configured on each host machine of the at least one host machine and the safety equipment of at least one type in the target safety equipment combination that meets the security service strategy, the target host machine and the target safety equipment sequence that meets the security service strategy on the target host machine includes:
Determining the target host machine using a first preset rule algorithm, according to the at least one safety equipment configured on each host machine of the at least one host machine and the safety equipment of at least one type in the target safety equipment combination that meets the security service strategy;
Determining the target safety equipment sequence among at least one second safety equipment sequence according to a second preset rule algorithm and the location information of the safety equipment in the at least one second safety equipment sequence that meets the security service strategy on the target host machine, where each second safety equipment sequence includes safety equipment of at least one type.
In an optional implementation, after the security service request of the user is received, the method further includes:
Obtaining the hosts that communicate with the security service controller;
Determining, as the at least one host machine, each of those hosts whose remaining physical resources are greater than a preset resource threshold, where the preset resource threshold is the amount of physical resources required to configure a preset number of safety equipment.
In an optional implementation, determining the target host machine using the first preset rule algorithm, according to the device information of the at least one safety equipment configured on each host machine of the at least one host machine and the device information of the safety equipment of at least one type in the target safety equipment combination that meets the security service strategy, includes:
Performing an intersection operation on the at least one safety equipment configured on each host machine of the at least one host machine and the safety equipment of at least one type in the target safety equipment combination that meets the security service strategy, to obtain a first quantity of shared safety equipment;
Performing, using the first preset rule algorithm, a score value operation on the second quantity of the at least one safety equipment configured on each host machine and the corresponding first quantity, to determine the target host machine.
In an optional implementation, before the first quantity of shared safety equipment is obtained, the method further includes:
Obtaining a first safety equipment sequence, using a preset addition principle, based on the at least one safety equipment configured on each host machine, where the first safety equipment sequence includes at least one safety equipment combination, and each safety equipment combination includes safety equipment of at least one type;
Wherein the preset addition principle is as follows: each safety equipment combination is traversed, and if the type of the safety equipment to be added differs from the type of every safety equipment in the current safety equipment combination, the safety equipment to be added is added to the current safety equipment combination; if every safety equipment combination already includes the type of the safety equipment to be added, the safety equipment to be added is added to a newly configured safety equipment combination.
In an optional implementation, performing, using the first preset rule algorithm, a score value operation on the second quantity of the at least one safety equipment configured on each host machine and the corresponding first quantity, to determine the target host machine, includes:
Performing, using the first preset rule algorithm, a score value operation on the second quantity of the at least one safety equipment configured on each host machine, the preset weight of the second quantity, the first quantity corresponding to that host machine, and the preset weight of the first quantity, to obtain a candidate score value for each host machine, where the preset weight of the second quantity is greater than the preset weight of the first quantity;
Determining the host machine corresponding to the maximum candidate score value among the at least one host machine as the target host machine.
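The host-selection steps above (resource filter, preset addition principle, intersection count, weighted score, maximum), as an added Python example that is not code from the patent. The `Device` record, the inventory, the weights 1 and 2, the weighted-sum form of the "score value operation", and the rule that a combination meets the strategy when it covers every requested type are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    dtype: str  # device type, e.g. "firewall"
    host: str   # host machine the device is configured on


def candidate_hosts(free_resources, threshold):
    """Keep hosts whose remaining physical resources exceed the threshold."""
    return [h for h, free in free_resources.items() if free > threshold]


def build_combinations(devices):
    """Preset addition principle: add each device to the first combination
    holding no device of its type; if every combination already has that
    type, open a new combination for it."""
    combos = []
    for dev in devices:
        for combo in combos:
            if all(d.dtype != dev.dtype for d in combo):
                combo.append(dev)
                break
        else:
            combos.append([dev])
    return combos


def target_combination(combos, required_types):
    """Assumption: a combination meets the strategy when it covers all types."""
    for combo in combos:
        if set(required_types) <= {d.dtype for d in combo}:
            return combo
    raise LookupError("no combination covers the requested device types")


def select_target_host(devices, free_resources, threshold, required_types,
                       w_first=1, w_second=2):
    """Return (target host, score per host). Weighted sum is an assumption;
    the page only requires the second quantity's weight to be the larger."""
    if w_second <= w_first:
        raise ValueError("weight of the second quantity must exceed the first")
    hosts = candidate_hosts(free_resources, threshold)
    pool = [d for d in devices if d.host in hosts]
    target = set(target_combination(build_combinations(pool), required_types))
    scores = {}
    for host in hosts:
        configured = {d for d in pool if d.host == host}
        first_qty = len(configured & target)   # devices shared with the target
        second_qty = len(configured)           # devices configured on the host
        scores[host] = w_second * second_qty + w_first * first_qty
    # max() keeps the first host on a tie (dictionary insertion order).
    return max(scores, key=scores.get), scores


# Constructed sample data: three hosts, free resources in arbitrary units.
INVENTORY = [
    Device("fw-1", "firewall", "h1"), Device("ips-1", "ips", "h1"),
    Device("fw-2", "firewall", "h2"), Device("waf-1", "waf", "h2"),
    Device("ips-2", "ips", "h2"), Device("waf-2", "waf", "h3"),
]
FREE = {"h1": 8, "h2": 6, "h3": 1}

if __name__ == "__main__":
    print(select_target_host(INVENTORY, FREE, 2, ["firewall", "ips", "waf"]))
```

With this data h1 holds two devices of the target combination and h2 only one, yet h2 is selected because the larger weight sits on the number of devices configured on the host.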
In an optional implementation, before the target safety equipment sequence among the at least one second safety equipment sequence is determined according to the second preset rule algorithm and the location information of the safety equipment in the at least one second safety equipment sequence that meets the security service strategy on the target host machine, the method further includes:
Obtaining a third safety equipment sequence that meets the security service strategy on the target host machine, where the third safety equipment sequence includes safety equipment sets of at least one type, and the safety equipment set of each type includes at least one safety equipment of the same type;
Performing, using a preset permutation and combination algorithm, a permutation and combination operation on the safety equipment set of each type, to obtain the at least one second safety equipment sequence that meets the security service strategy on the target host machine.
In an optional implementation, determining the target safety equipment sequence among the at least one second safety equipment sequence, according to the second preset rule algorithm and the location information of the safety equipment in the at least one second safety equipment sequence that meets the security service strategy on the target host machine, includes:
Performing, using the second preset rule algorithm, a score value operation on the location information of the safety equipment of at least one type in a candidate safety equipment sequence, to obtain the candidate score value of the candidate safety equipment sequence, where the candidate safety equipment sequence is any sequence among the second safety equipment sequences;
Determining the second safety equipment sequence corresponding to the minimum candidate score value among the at least one second safety equipment sequence as the target safety equipment sequence.
In an optional implementation, performing, using the second preset rule algorithm, a score value operation on the safety equipment of at least one type in the candidate safety equipment sequence, to obtain the candidate score value of the candidate safety equipment sequence, includes:
Setting an initial candidate score value for the candidate safety equipment sequence;
Detecting whether two adjacent types of safety equipment, among the safety equipment of at least one type in the candidate safety equipment sequence, are configured on the same host;
If the two adjacent types of safety equipment are configured on the same host, adding the first value to the initial candidate score value to obtain the current candidate score value of the two adjacent types of safety equipment;
If the two adjacent types of safety equipment are not configured on the same host, adding the second value to the initial candidate score value to obtain the current candidate score value of the two adjacent types of safety equipment, where the first value is greater than the second value;
Obtaining the candidate score value of the candidate safety equipment sequence, using a preset accumulation algorithm, from the current candidate score value of each pair of adjacent types of safety equipment in the candidate safety equipment sequence.
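The sequence-selection steps above (permutation and combination over the per-type sets, adjacent-pair scoring, minimum score), as an added Python example that is not code from the patent. It follows the rule as the page states it: a same-host pair adds the first value, which is larger than the second, and the lowest total wins. The `Device` record, the sample sets, the values 2 and 1, reading "permutation and combination" as one device per type in execution order, and reading the "preset accumulation algorithm" as a plain sum are assumptions.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Device:
    name: str
    dtype: str  # device type, e.g. "firewall"
    host: str   # host the device is configured on


def candidate_sequences(execution_order, sets_by_type):
    """Build every second safety equipment sequence: one device per type,
    ordered by the execution sequence of the security service (assumption)."""
    for dtype in execution_order:
        if not sets_by_type.get(dtype):
            raise LookupError(f"no device of type {dtype!r} is available")
    pools = (sets_by_type[dtype] for dtype in execution_order)
    return [list(choice) for choice in product(*pools)]


def score_sequence(seq, initial=0, first_value=2, second_value=1):
    """Score one candidate sequence from the placement of adjacent devices."""
    if first_value <= second_value:
        raise ValueError("the first value must be greater than the second")
    total = 0
    for left, right in zip(seq, seq[1:]):
        step = first_value if left.host == right.host else second_value
        total += initial + step  # current score of this adjacent pair
    return total                 # accumulation: sum over all pairs (assumption)


def select_target_sequence(execution_order, sets_by_type, **values):
    """Return (target sequence, its score, all scores in enumeration order)."""
    sequences = candidate_sequences(execution_order, sets_by_type)
    scores = [score_sequence(seq, **values) for seq in sequences]
    best_index = min(range(len(sequences)), key=scores.__getitem__)
    return sequences[best_index], scores[best_index], scores


# Constructed sample data: the third safety equipment sequence as per-type sets.
ORDER = ["firewall", "ips", "waf"]
SETS = {
    "firewall": [Device("fw-a", "firewall", "n1"), Device("fw-b", "firewall", "n2")],
    "ips": [Device("ips-a", "ips", "n1")],
    "waf": [Device("waf-a", "waf", "n1"), Device("waf-b", "waf", "n2")],
}

if __name__ == "__main__":
    best, best_score, all_scores = select_target_sequence(ORDER, SETS)
    print([d.name for d in best], best_score, all_scores)
```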
In an optional implementation, the target classification flow table includes one of a classification flow table of the Internet Protocol (IP) address type, a classification flow table of the port (Port) type, and a classification flow table of the bypass (By-pass) type; the priority of the classification flow table of the Port type is greater than the priority of the classification flow table of the IP address type, and the priority of the classification flow table of the IP address type is greater than that of the classification flow table of the By-pass type.
In an optional implementation, the method further includes:
When one safety equipment of the adjacent safety equipment is not configured on the target host machine, setting the flow layout path between the adjacent safety equipment according to the security service strategy, the execution sequence of the security service, the preset flow table, and the communication connection between the different host machines.
The communication bus mentioned above may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the above electronic device and other devices.
The memory may include random access memory (Random Access Memory, RAM), and may also include non-volatile memory (Non-Volatile Memory, NVM), for example at least one magnetic disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The above processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), and the like; it may also be a digital signal processor (Digital Signal Processing, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Because the way each component of the electronic device in the above embodiment solves the problem, and the beneficial effects obtained, can be realized with reference to the steps of the embodiment shown in Figure 2, the specific working process and beneficial effects of the electronic device provided by this embodiment of the present invention are not repeated here.
In another embodiment provided by the present invention, a computer-readable storage medium is further provided, in which instructions are stored; when the instructions are run on a computer, the computer is caused to perform the method for setting a security service according to any one of the above embodiments.
In another embodiment provided by the present invention, a computer program product containing instructions is further provided; when it is run on a computer, the computer is caused to perform the method for setting a security service according to any one of the above embodiments.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system, or a computer program product. Therefore, the embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the embodiments of the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk memory, CD-ROM, optical memory, etc.) that contain computer-usable program code.
The embodiments of the present application are described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, where the instruction device implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present application have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present application.
Obviously, those skilled in the art can make various modifications and variations to the embodiments of the present application without departing from their spirit and scope. Thus, if these modifications and variations of the embodiments of the present application fall within the scope of the claims of the present application and their equivalent technologies, the embodiments of the present application are also intended to include them.

Claims (24)

1. A method for setting a security service, characterized in that the method comprises:
A security service controller receives a security service request from a user, where the security service request includes a security service strategy and an execution sequence of the security service;
Determining, according to the at least one safety equipment configured on each host machine of at least one host machine and the safety equipment of at least one type in a target safety equipment combination that meets the security service strategy, a target host machine and a target safety equipment sequence that meets the security service strategy on the target host machine, where the target safety equipment combination is the safety equipment combination, in a stored first safety equipment sequence, that meets the security service strategy;
When the adjacent safety equipment in the target safety equipment sequence are configured on the target host machine, setting the flow layout path between the adjacent safety equipment according to the security service strategy and the execution sequence of the security service;
Steering the service flow to each safety equipment in turn according to the flow layout path and a target classification flow table, where the target classification flow table is the classification flow table obtained by modifying the destination address of each safety equipment, in a preset destination address modification mode, according to the execution sequence of the security service and the working state of the safety equipment.
2. The method according to claim 1, characterized in that determining, according to the at least one safety equipment configured on each host machine of the at least one host machine and the safety equipment of at least one type in the target safety equipment combination that meets the security service strategy, the target host machine and the target safety equipment sequence that meets the security service strategy on the target host machine comprises:
Determining the target host machine using a first preset rule algorithm, according to the at least one safety equipment configured on each host machine of the at least one host machine and the safety equipment of at least one type in the target safety equipment combination that meets the security service strategy;
Determining the target safety equipment sequence among at least one second safety equipment sequence according to a second preset rule algorithm and the location information of the safety equipment in the at least one second safety equipment sequence that meets the security service strategy on the target host machine, where each second safety equipment sequence includes safety equipment of at least one type.
3. The method according to claim 1, characterized in that, after the security service request of the user is received, the method further comprises:
Obtaining the hosts that communicate with the security service controller;
Determining, as the at least one host machine, each of those hosts whose remaining physical resources are greater than a preset resource threshold, where the preset resource threshold is the amount of physical resources required to configure a preset number of safety equipment.
4. The method according to claim 2, characterized in that determining the target host machine using the first preset rule algorithm, according to the device information of the at least one safety equipment configured on each host machine of the at least one host machine and the device information of the safety equipment of at least one type in the target safety equipment combination that meets the security service strategy, comprises:
Performing an intersection operation on the at least one safety equipment configured on each host machine of the at least one host machine and the safety equipment of at least one type in the target safety equipment combination that meets the security service strategy, to obtain a first quantity of shared safety equipment;
Performing, using the first preset rule algorithm, a score value operation on the second quantity of the at least one safety equipment configured on each host machine and the corresponding first quantity, to determine the target host machine.
5. The method according to claim 4, characterized in that, before the first quantity of shared safety equipment is obtained, the method further comprises:
Obtaining a first safety equipment sequence, using a preset addition principle, based on the at least one safety equipment configured on each host machine, where the first safety equipment sequence includes at least one safety equipment combination, and each safety equipment combination includes safety equipment of at least one type;
Wherein the preset addition principle is as follows: each safety equipment combination is traversed, and if the type of the safety equipment to be added differs from the type of every safety equipment in the current safety equipment combination, the safety equipment to be added is added to the current safety equipment combination; if every safety equipment combination already includes the type of the safety equipment to be added, the safety equipment to be added is added to a newly configured safety equipment combination.
6. The method according to claim 4, characterized in that performing, using the first preset rule algorithm, a score value operation on the second quantity of the at least one safety equipment configured on each host machine and the corresponding first quantity, to determine the target host machine, comprises:
Performing, using the first preset rule algorithm, a score value operation on the second quantity of the at least one safety equipment configured on each host machine, the preset weight of the second quantity, the first quantity corresponding to that host machine, and the preset weight of the first quantity, to obtain a candidate score value for each host machine, where the preset weight of the second quantity is greater than the preset weight of the first quantity;
Determining the host machine corresponding to the maximum candidate score value among the at least one host machine as the target host machine.
7. The method according to claim 2, characterized in that, before the target safety equipment sequence among the at least one second safety equipment sequence is determined according to the second preset rule algorithm and the location information of the safety equipment in the at least one second safety equipment sequence that meets the security service strategy on the target host machine, the method further comprises:
Obtaining a third safety equipment sequence that meets the security service strategy on the target host machine, where the third safety equipment sequence includes safety equipment sets of at least one type, and the safety equipment set of each type includes at least one safety equipment of the same type;
Performing, using a preset permutation and combination algorithm, a permutation and combination operation on the safety equipment set of each type, to obtain the at least one second safety equipment sequence that meets the security service strategy on the target host machine.
8. The method according to claim 2 or 7, characterized in that determining the target safety equipment sequence among the at least one second safety equipment sequence, according to the second preset rule algorithm and the location information of the safety equipment in the at least one second safety equipment sequence that meets the security service strategy on the target host machine, comprises:
Performing, using the second preset rule algorithm, a score value operation on the location information of the safety equipment of at least one type in a candidate safety equipment sequence, to obtain the candidate score value of the candidate safety equipment sequence, where the candidate safety equipment sequence is any sequence among the second safety equipment sequences;
Determining the second safety equipment sequence corresponding to the minimum candidate score value among the at least one second safety equipment sequence as the target safety equipment sequence.
9. The method according to claim 8, characterized in that performing, using the second preset rule algorithm, a score value operation on the safety equipment of at least one type in the candidate safety equipment sequence, to obtain the candidate score value of the candidate safety equipment sequence, comprises:
Setting an initial candidate score value for the candidate safety equipment sequence;
Detecting whether two adjacent types of safety equipment, among the safety equipment of at least one type in the candidate safety equipment sequence, are configured on the same host;
If the two adjacent types of safety equipment are configured on the same host, adding the first value to the initial candidate score value to obtain the current candidate score value of the two adjacent types of safety equipment;
If the two adjacent types of safety equipment are not configured on the same host, adding the second value to the initial candidate score value to obtain the current candidate score value of the two adjacent types of safety equipment, where the first value is greater than the second value;
Obtaining the candidate score value of the candidate safety equipment sequence, using a preset accumulation algorithm, from the current candidate score value of each pair of adjacent types of safety equipment in the candidate safety equipment sequence.
10. The method according to claim 1, characterized in that the target classification flow table includes a classification flow table of the Internet Protocol (IP) address type, a classification flow table of the port (Port) type and a classification flow table of the bypass (By-pass) type; the priority of the classification flow table of the Port type is greater than the priority of the classification flow table of the IP address type, and the priority of the classification flow table of the IP address type is greater than that of the classification flow table of the By-pass type.
11. The method according to claim 1, characterized in that the method further comprises:
When one safety equipment of the adjacent safety equipment is not configured on the target host machine, setting the flow layout path between the adjacent safety equipment according to the security service strategy, the execution sequence of the security service, and the communication connection between the different host machines.
12. A device for setting a security service, characterized in that the device comprises a receiving unit, a determination unit and a setting unit;
The receiving unit is configured to receive a security service request from a user, where the security service request includes a security service strategy and an execution sequence of the security service;
The determination unit is configured to determine, according to the at least one safety equipment configured on each host machine of at least one host machine and the safety equipment of at least one type in a target safety equipment combination that meets the security service strategy, a target host machine and a target safety equipment sequence that meets the security service strategy on the target host machine, where the target safety equipment combination is the safety equipment combination, in a stored first safety equipment sequence, that meets the security service strategy;
The setting unit is configured to, when the adjacent safety equipment in the target safety equipment sequence are configured on the target host machine, set the flow layout path between the adjacent safety equipment according to the security service strategy and the execution sequence of the security service, and to steer traffic to each safety equipment in turn according to the flow layout path and a target classification flow table, where the target classification flow table is the classification flow table obtained by modifying the destination address of each safety equipment, in a preset destination address modification mode, according to the execution sequence of the security service and the working state of the safety equipment.
13. The device according to claim 12, characterized in that the determination unit is specifically configured to determine the target host machine using a first preset rule algorithm, according to the at least one safety equipment configured on each host machine of the at least one host machine and the safety equipment of at least one type in the target safety equipment combination that meets the security service strategy;
and to determine the target safety equipment sequence among at least one second safety equipment sequence according to a second preset rule algorithm and the location information of the safety equipment in the at least one second safety equipment sequence that meets the security service strategy on the target host machine, where each second safety equipment sequence includes safety equipment of at least one type.
14. The device as claimed in claim 12, characterized in that the device further includes a first acquisition unit;
The first acquisition unit is configured to obtain the hosts that communicate with the safety service platform;
The determination unit is further configured to determine, as the at least one host, at least one host among the obtained hosts whose physical resource surplus is greater than a default resource threshold, the default resource threshold being the amount of physical resources needed to configure a preset quantity of safety equipment.
15. The device as claimed in claim 13, characterized in that the determination unit is further specifically configured to perform an intersection operation between the at least one safety equipment configured on each host of the at least one host and the safety equipment of at least one type in the targeted security equipment combination that meets the security service strategy, obtaining a first quantity of shared safety equipment;
and, using the first preset rules algorithm, to perform a score value operation on the second quantity of the at least one safety equipment configured on each host and the corresponding first quantity, and determine the target host machine.
16. The device as claimed in claim 15, characterized in that the device further includes a second acquisition unit;
The second acquisition unit is configured to obtain the first safety equipment sequence, using a default addition principle, based on the at least one safety equipment configured on each host of the at least one host, the first safety equipment sequence including at least one safety equipment combination, and each safety equipment combination including safety equipment of at least one type;
Wherein the default addition principle is: traverse each safety equipment combination; if the type of every safety equipment in the current safety equipment combination differs from the type of the safety equipment to be added, add the safety equipment to be added to the current safety equipment combination; if every safety equipment combination already includes the type of the safety equipment to be added, add the safety equipment to be added to a newly configured safety equipment combination.
17. The device as claimed in claim 15, characterized in that the determination unit is further specifically configured to perform, using the first preset rules algorithm, a score value operation on the second quantity of the at least one safety equipment configured on each host, the default weight of the second quantity, the first quantity corresponding to the host, and the default weight of the first quantity, obtaining the score value to be selected of each host, the default weight of the second quantity being greater than the default weight of the first quantity;
and to determine the host corresponding to the maximum score value to be selected among the at least one host as the target host machine.
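The host-selection steps of claims 15 to 17 can be walked through on a small inventory. The Python below is an added illustration, not code from the patent: the inventory is constructed, and the weighted-sum score, the weight values, the rule for choosing the targeted combination and every identifier are assumptions; the claims fix only the addition principle, the intersection count, the weight ordering and that the maximum score wins.

```python
from collections import namedtuple

Device = namedtuple("Device", "name type host")

# Constructed inventory (not from the patent): devices already deployed per host.
INVENTORY = [
    Device("waf-1", "WAF", "host-a"), Device("ips-1", "IPS", "host-a"),
    Device("waf-2", "WAF", "host-b"), Device("ips-2", "IPS", "host-b"),
    Device("scan-1", "SCAN", "host-b"),
]

def build_combinations(devices):
    """Addition principle of claim 16: put each device into the first
    combination holding no device of its type, else open a new combination."""
    combos = []
    for dev in devices:
        for combo in combos:
            if all(d.type != dev.type for d in combo):
                combo.append(dev)
                break
        else:  # every existing combination already contains this type
            combos.append([dev])
    return combos

def target_combination(combos, policy_types):
    """Assumed rule: first stored combination covering all policy types."""
    for combo in combos:
        if set(policy_types) <= {d.type for d in combo}:
            return combo
    return None

def pick_target_host(devices, combo, w_second=2, w_first=1):
    """Claims 15 and 17 with an assumed weighted-sum score per host."""
    if w_second <= w_first:
        raise ValueError("claim 17 requires weight(second) > weight(first)")
    scores = {}
    for host in sorted({d.host for d in devices}):
        on_host = {d for d in devices if d.host == host}
        first_qty = len(on_host & set(combo))  # devices shared with the combination
        second_qty = len(on_host)              # all devices configured on the host
        scores[host] = w_second * second_qty + w_first * first_qty
    return max(scores, key=scores.get), scores

if __name__ == "__main__":
    combos = build_combinations(INVENTORY)
    combo = target_combination(combos, ["WAF", "IPS"])
    print([[d.name for d in c] for c in combos])
    print(pick_target_host(INVENTORY, combo))
```

With these assumed weights host-b is selected although host-a holds more of the chosen combination, because the claim weights a host's total device count above the shared count.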
18. The device as claimed in claim 13, characterized in that the device further includes a third acquiring unit;
The third acquiring unit is configured to obtain a third safety equipment sequence that meets the security service strategy on the target host machine, the third safety equipment sequence including safety equipment sets of at least one type, and each type of safety equipment set including at least one safety equipment of the same type;
and, using a default permutation and combination algorithm, to perform a permutation and combination operation on each type of safety equipment set, obtaining the at least one second safety equipment sequence that meets the security service strategy on the target host machine.
19. The device as claimed in claim 13 or 18, characterized in that the determination unit is further specifically configured to perform, using the second preset rules algorithm, a score value operation on the location information of the safety equipment of at least one type in a safety equipment sequence to be selected, obtaining the score value to be selected of the safety equipment sequence to be selected, the safety equipment sequence to be selected being any sequence among the second safety equipment sequences;
and to determine the second safety equipment sequence corresponding to the minimum score value to be selected among the at least one second safety equipment sequence as the targeted security equipment sequence.
20. The device as claimed in claim 19, characterized in that the device further includes a fourth acquiring unit;
The setting unit is further configured to set the initial score value to be selected of the safety equipment sequence to be selected;
The fourth acquiring unit is configured to detect whether two adjacent types of safety equipment, among the safety equipment of at least one type in the safety equipment sequence to be selected, are configured on the same host;
If the two adjacent types of safety equipment are configured on the same host, a first numerical value is added to the initial score value to be selected, obtaining the current score value to be selected of the two adjacent types of safety equipment;
If the two adjacent types of safety equipment are not configured on the same host, a second numerical value is added to the initial score value to be selected, obtaining the current score value to be selected of the two adjacent types of safety equipment, the first numerical value being greater than the second numerical value;
According to the current score value to be selected of each pair of adjacent types of safety equipment in the safety equipment sequence to be selected, the score value to be selected of the safety equipment sequence to be selected is obtained using a default accumulation algorithm.
21. The device as claimed in claim 12, characterized in that the target classification flow table includes one of a classification flow table of Internet Protocol (IP) address type, a classification flow table of port (Port) type, and a classification flow table of bypass (By-pass) type; the priority of the Port-type classification flow table is greater than the priority of the IP-address-type classification flow table, and the priority of the IP-address-type classification flow table is greater than that of the By-pass-type classification flow table.
22. The device as claimed in claim 12, characterized in that the setting unit is further configured to, when one safety equipment of the adjacent safety equipment is not configured on the target host machine, set the flow layout path between the adjacent safety equipment according to the security service strategy, the execution sequence of the security service, and the communication connection between the different host machines.
23. An electronic device, characterized in that the electronic device includes a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
The memory is configured to store a computer program;
The processor is configured to implement the method steps of any one of claims 1-11 when executing the program stored on the memory.
24. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, and the computer program, when executed by a processor, implements the method steps of any one of claims 1-11.
CN201910379447.7A 2019-05-08 2019-05-08 Method and device for setting security service Active CN110138760B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910379447.7A CN110138760B (en) 2019-05-08 2019-05-08 Method and device for setting security service

Publications (2)

Publication Number Publication Date
CN110138760A true CN110138760A (en) 2019-08-16
CN110138760B CN110138760B (en) 2021-10-01

Family

ID=67576741

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910379447.7A Active CN110138760B (en) 2019-05-08 2019-05-08 Method and device for setting security service

Country Status (1)

Country Link
CN (1) CN110138760B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112995316A (en) * 2021-02-25 2021-06-18 深信服科技股份有限公司 Data processing method and device, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106161399A (en) * 2015-04-21 2016-11-23 杭州华三通信技术有限公司 A kind of security service delivery method and system
WO2017075410A1 (en) * 2015-10-30 2017-05-04 Convida Wireless, Llc System and methods for achieving end-to-end security for hop-by-hop services
CN106685974A (en) * 2016-12-31 2017-05-17 北京神州绿盟信息安全科技股份有限公司 Establishing and providing method and device of safety protection services
CN107204980A (en) * 2017-05-25 2017-09-26 深信服科技股份有限公司 A kind of security service delivery method and system
CN108234447A (en) * 2017-12-04 2018-06-29 北京交通大学 A kind of safety regulation for heterogeneous networks security function manages system and method
CN108881207A (en) * 2018-06-11 2018-11-23 中国人民解放军战略支援部队信息工程大学 Network safety service framework and its implementation based on security service chain

Also Published As

Publication number Publication date
CN110138760B (en) 2021-10-01

Similar Documents

Publication Publication Date Title
CN107409116B (en) Computing device, method, medium, and apparatus for managing virtual network functions
CN110214311B (en) Differential segmentation of virtual computing elements
CN104270416B (en) Control method for equalizing load and management node
Huang et al. Service chaining for hybrid network function
EP2972855B1 (en) Automatic configuration of external services based upon network activity
EP3104560B1 (en) Network system, network control method, and control device
US20170318097A1 (en) Virtualized network function placements
CN110392999A (en) Virtual filter platform in distributed computing system
US20120110462A1 (en) Providing cloud-based computing services
US11144226B2 (en) Intelligent path selection and load balancing
CN105765535B (en) The hardware virtualization module of exclusive controlled access is carried out to CPU
JP6280236B2 (en) Optimization device, optimization method, and optimization program
US9923782B1 (en) Computer network virtual entity pathway visualization system
CN105100026A (en) Safe message forwarding method and safe message forwarding device
CN103688505A (en) Network filtering in a virtualized environment
CN104995604A (en) Resource allocation method of virtual machine and device thereof
EP2774048A1 (en) Affinity modeling in a data center network
CN107409097A (en) Utilize the load balance mobility of automatic structure framework
CN107204866A (en) The implementation method of multi-tenant service chaining transmission is solved based on VXLAN technologies
US10552513B1 (en) Computer system entity rendering system
CN108363611A (en) Method for managing security, device and the omnidirectional system of virtual machine
CN110138760A (en) A kind of setting method and device of security service
CN108574594A (en) A kind of method and system of network service transmission
CN110855784A (en) Proxy server node selection method, electronic device, system and medium
Wang et al. Efficient network security policy enforcement with policy space analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Applicant after: NSFOCUS Technologies Group Co.,Ltd.

Applicant after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Applicant before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Applicant before: NSFOCUS TECHNOLOGIES Inc.

GR01 Patent grant