CN110138760B - Method and device for setting security service - Google Patents

Method and device for setting security service

Info

Publication number: CN110138760B
Authority: CN (China)
Prior art keywords: security, security device, sequence, host, target
Prior art date:
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Application number: CN201910379447.7A
Other languages: Chinese (zh)
Other versions: CN110138760A
Inventors: 沈辉, 何丹丹, 李彦斌
Current assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Original assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Priority date:
Filing date:
Publication date:
Application filed by Nsfocus Technologies Inc and Nsfocus Technologies Group Co Ltd; priority to CN201910379447.7A; published as CN110138760A and granted as CN110138760B. Legal status: Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/50 Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L41/5041 Network service management characterised by the time relationship between creation and deployment of a service
    • H04L41/5051 Service on demand, e.g. definition and deployment of services in real time
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/38 Flow based routing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Selective Calling Equipment (AREA)
  • Alarm Systems (AREA)

Abstract

The application discloses a method and device for setting (orchestrating) a security service. A security service controller receives a security service request from a user; the request comprises a security service policy and an execution order of the security services. According to the security devices configured on each of at least one host and the types of security device in a target security device combination that satisfies the policy, the controller determines a target host and a target security device sequence on that host that satisfies the policy. When adjacent security devices in the target sequence are configured on the target host, it sets a traffic orchestration path between them according to the security service policy and the execution order; it then steers the traffic to each security device in turn according to that path and a target hierarchical flow table. The method improves the service efficiency of the security service.

Description

Method and device for setting security service
Technical Field
The application relates to the technical field of cloud computing, in particular to a method and a device for setting security services.
Background
Cloud computing uses virtualization to turn traditional compute, storage and network into resource pools, and a cloud service platform provides security services to cloud tenants (users) under a cloud-computing service model. As the technology has matured, a standard dedicated security zone is deployed on the cloud service platform and virtual security devices are created in it. A security device is a device that performs security processing on a user's service traffic; it mainly includes protection devices such as firewalls and anti-virus appliances, scanning devices and detection devices. The platform's security operations portal builds and manages security resource pools for different security requirements out of these devices, and security services are offered to users through the platform's tenant portal. In a cloud security resource pool, the security requirements of user traffic must be carried by security devices, so the cloud service platform orchestrates (sets up) the security services of the security devices according to those requirements. Orchestration here means arranging and organizing the services or elements with the user's requirements as the objective, so that the components are balanced and coordinated and a service meeting the requirements is produced.
If the security requirement is of a single type, only security devices of the corresponding type are needed. The usual approach is to steer the relevant service traffic to the target security device (a single traffic-steering step); the target device filters and analyzes the traffic and then forwards it to the protected host, for example a target server.
If the security requirement spans several types, a combination of security devices of those types is needed. Typically the service traffic passes through all the security devices of the security resource pool in a fixed, static order, that is, it is steered several times; devices that match the requirement process the traffic, while devices that do not match simply let it pass through.
However, the inventors found that completing the security service through repeated steering in a static order is inefficient, and cannot satisfy the differentiated requirements of multiple tenants.
Disclosure of Invention
Embodiments of the application provide a method and device for setting a security service that solve the above problems of the prior art and improve the service efficiency of the security service.
In a first aspect, a method for setting a security service is provided, which may include:
a security service controller receives a security service request from a user, the request comprising a security service policy and an execution order of security services;
the controller determines a target host, and a target security device sequence on that host which satisfies the security service policy, according to the security devices configured on each of at least one host and the types of security device in a target security device combination that satisfies the policy, where the target security device combination is the combination in a stored first security device sequence that satisfies the policy;
when adjacent security devices in the target security device sequence are configured on the target host, the controller sets a traffic orchestration path between them according to the security service policy, the execution order of the security services and a preset flow table;
and the controller steers the traffic to each security device in turn according to the traffic orchestration path and a target hierarchical flow table, where the target hierarchical flow table is a hierarchical flow table whose destination address for each security device has been modified, in a preset destination-address modification manner, according to the execution order of the security services and the working state of the device.
In an optional implementation, determining the target host and the target security device sequence on it according to the security devices configured on each host and the types of security device in the target security device combination includes:
determining the target host with a first preset rule algorithm, from the security devices configured on each of the at least one host and the types of security device in the target security device combination that satisfies the security service policy;
and determining the target security device sequence among at least one second security device sequence, according to a second preset rule algorithm and the location (host) of each security device in the second security device sequences that satisfy the policy on the target host, where a second security device sequence comprises at least one type of security device.
In an optional implementation, after receiving the user's security service request, the method further includes:
obtaining the hosts that are in communication with the security service controller;
and taking those hosts whose remaining physical resources exceed a preset resource threshold as the at least one host, where the threshold is the amount of physical resources needed to configure a preset number of security devices.
In an optional implementation, determining the target host with the first preset rule algorithm from the device information of the security devices configured on each host and of the types of security device in the target security device combination includes:
intersecting the security devices configured on each of the at least one host with the security devices of the target security device combination, to obtain a first number: the number of devices the two have in common;
and applying the first preset rule algorithm to the second number, the number of security devices configured on each host, and the corresponding first number, to score the hosts and determine the target host.
In an optional implementation, before obtaining the first number of common security devices, the method further includes:
obtaining a first security device sequence from the security devices configured on each host by a preset adding rule, where the first security device sequence comprises at least one security device combination and each combination comprises at least one type of security device;
the preset adding rule traverses the combinations and, if no security device in the current combination has the same type as the device to be added, adds that device to the current combination; if every combination already contains a device of that type, the device is added to a newly created combination.
In an optional implementation, scoring the second number and the corresponding first number with the first preset rule algorithm to determine the target host includes:
computing, with the first preset rule algorithm, a candidate score for each host from the second number of security devices configured on it, a preset weight for the second number, the host's first number and a preset weight for the first number, where the weight of the second number is greater than the weight of the first number;
and taking the host with the highest candidate score among the at least one host as the target host.
In an optional implementation, before determining the target security device sequence among the second security device sequences according to the second preset rule algorithm and the location of each device, the method further includes:
obtaining a third security device sequence that satisfies the security service policy on the target host, where the third sequence comprises at least one set of security devices per type and each set contains at least one device of that type;
and applying a preset permutation-and-combination algorithm to the per-type sets to obtain at least one second security device sequence that satisfies the policy on the target host.
In an optional implementation, determining the target security device sequence among the second security device sequences according to the second preset rule algorithm and the location of each security device on the target host includes:
scoring the location of each type of security device in a candidate sequence with the second preset rule algorithm to obtain the candidate score of that sequence, where the candidate sequence is any one of the second security device sequences;
and taking the second security device sequence with the lowest candidate score as the target security device sequence.
In an optional implementation, scoring the security devices of a candidate sequence with the second preset rule algorithm to obtain its candidate score includes:
setting an initial candidate score for the candidate sequence;
checking, for each pair of adjacent types of security device in the sequence, whether the two devices are configured on the same host;
if the two adjacent devices are on the same host, adding a first value to the initial candidate score to obtain the current candidate score of the pair;
if they are not on the same host, adding a second value to the initial candidate score to obtain the current candidate score of the pair, where the first value is greater than the second value;
and accumulating, by a preset accumulation algorithm, the current candidate scores of all adjacent pairs in the sequence into the candidate score of the sequence.
In an alternative implementation, the target hierarchical flow table is one of an IP-address-type hierarchical flow table, a port-type hierarchical flow table and a bypass-type hierarchical flow table, where the priority of the port-type table is higher than that of the IP-address-type table, which in turn is higher than that of the bypass-type table.
In an optional implementation, the method further includes:
when one of two adjacent security devices is not configured on the target host, setting the traffic orchestration path between them according to the security service policy, the execution order of the security services and the communication connection between the different hosts.
In a second aspect, an apparatus for setting a security service is provided, which may include a receiving unit, an obtaining unit, a determining unit and a setting unit;
the receiving unit receives a security service request from a user, the request comprising a security service policy and an execution order of security services;
the determining unit determines a target host, and a target security device sequence on that host which satisfies the policy, according to the security devices configured on each of at least one host and the types of security device in a target security device combination that satisfies the policy, where the target combination is the combination in a stored first security device sequence that satisfies the policy;
the setting unit sets a traffic orchestration path between adjacent security devices of the target sequence when they are configured on the target host, according to the policy and the execution order, and steers the traffic to each security device in turn according to that path and a target hierarchical flow table, where the target hierarchical flow table is a hierarchical flow table whose destination address for each security device has been modified, in a preset destination-address modification manner, according to the execution order and the working state of the device.
In an optional implementation, the determining unit is specifically configured to determine the target host with a first preset rule algorithm from the security devices configured on each host and the types of security device in the target security device combination;
and to determine the target security device sequence among at least one second security device sequence according to a second preset rule algorithm and the location of each security device in the second sequences that satisfy the policy on the target host, where a second security device sequence comprises at least one type of security device.
In an optional implementation, the apparatus further comprises a first obtaining unit;
the first obtaining unit obtains the hosts that are in communication with the security service platform;
the determining unit is further configured to take those hosts whose remaining physical resources exceed a preset resource threshold as the at least one host, where the threshold is the amount of physical resources needed to configure a preset number of security devices.
In an optional implementation, the determining unit is further configured to intersect the security devices configured on each of the at least one host with the security devices of the target security device combination, obtaining a first number of common devices;
and to apply the first preset rule algorithm to the second number of security devices configured on each host and the corresponding first number, scoring the hosts to determine the target host.
In an optional implementation, the apparatus further comprises a second obtaining unit;
the second obtaining unit obtains, from the security devices configured on each of the at least one host, a first security device sequence by a preset adding rule, where the first sequence comprises at least one security device combination and each combination comprises at least one type of security device;
the preset adding rule traverses the combinations and, if no device in the current combination has the same type as the device to be added, adds that device to the current combination; if every combination already contains a device of that type, the device is added to a newly created combination.
In an optional implementation, the determining unit is further configured to compute, with the first preset rule algorithm, a candidate score for each host from the second number of security devices configured on it, a preset weight for the second number, the host's first number and a preset weight for the first number, where the weight of the second number is greater than the weight of the first number;
and to take the host with the highest candidate score among the at least one host as the target host.
In an optional implementation, the apparatus further comprises a third obtaining unit;
the third obtaining unit obtains a third security device sequence that satisfies the security service policy on the target host, where the third sequence comprises at least one set of security devices per type and each set contains at least one device of that type;
and applies a preset permutation-and-combination algorithm to the per-type sets to obtain at least one second security device sequence.
In an optional implementation, the determining unit is further configured to score the location of each type of security device in a candidate sequence with the second preset rule algorithm to obtain the candidate score of that sequence, where the candidate sequence is any one of the second security device sequences;
and to take the second security device sequence with the lowest candidate score as the target security device sequence.
In an optional implementation, the apparatus further comprises a fourth obtaining unit;
the setting unit is further configured to set an initial candidate score for the candidate sequence;
the fourth obtaining unit checks, for each pair of adjacent types of security device in the candidate sequence, whether the two devices are configured on the same host;
if the two adjacent devices are on the same host, a first value is added to the initial candidate score to obtain the current candidate score of the pair;
if they are not on the same host, a second value is added to the initial candidate score to obtain the current candidate score of the pair, where the first value is greater than the second value;
and the candidate score of the sequence is obtained by a preset accumulation algorithm from the current candidate scores of all adjacent pairs in the sequence.
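The host screening, combination building (preset adding rule), host scoring and sequence scoring steps, as described in the first aspect and restated for the determining and obtaining units above, worked through end to end. This is an added illustration by the editor in Python, not code from the patent or from NSFOCUS. The device types, weights, threshold and inventory are constructed; "first preset rule" and "second preset rule" are modelled as the weighted sum and the per-pair accumulation the text describes. One point is the editor's assumption: the text gives the same-host pair the larger increment while selecting the minimum score, which as literally stated would favour cross-host placement; the example charges the cross-host pair more, which is what minimising the score needs to express the stated goal of fewer cross-host hops.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Device:
    dev_id: str
    dev_type: str  # hypothetical type labels: "FW", "IPS", "WAF"
    host: str      # host the virtual device is configured on


def eligible_hosts(free_resources, threshold):
    """Hosts whose remaining physical resources exceed the preset threshold."""
    return [h for h, free in free_resources.items() if free > threshold]


def build_combinations(devices):
    """Preset adding rule: put each device into the first stored combination
    that has no device of its type; if every combination already holds that
    type, open a new combination for it."""
    combos = []
    for dev in devices:
        for combo in combos:
            if all(d.dev_type != dev.dev_type for d in combo):
                combo.append(dev)
                break
        else:
            combos.append([dev])
    return combos


def target_combination(combos, required_types):
    """First stored combination covering every type the policy requires."""
    for combo in combos:
        if set(required_types) <= {d.dev_type for d in combo}:
            return combo
    raise ValueError("no stored combination satisfies the policy")


def select_target_host(hosts, devices, combo, w_total=2, w_common=1):
    """First preset rule: score = w_total * (devices on the host)
    + w_common * (devices on the host also in the target combination),
    with w_total > w_common; the host with the maximum score is the target."""
    combo_ids = {d.dev_id for d in combo}
    scores = {}
    for h in hosts:
        on_host = [d for d in devices if d.host == h]
        common = sum(d.dev_id in combo_ids for d in on_host)
        scores[h] = w_total * len(on_host) + w_common * common
    return max(scores, key=scores.get), scores


def candidate_sequences(devices, target_host, execution_order):
    """Third sequence: one set of same-type devices per required type, taken
    from the target host when it has that type and from any host otherwise.
    The Cartesian product of the sets yields the second security device sequences."""
    per_type = []
    for t in execution_order:
        local = [d for d in devices if d.dev_type == t and d.host == target_host]
        per_type.append(local or [d for d in devices if d.dev_type == t])
    return [list(seq) for seq in product(*per_type)]


def sequence_score(seq, same_host_cost=0, cross_host_cost=1, initial=0):
    """Second preset rule: start from an initial score, add one value per
    adjacent pair on the same host and another per pair on different hosts,
    accumulate over the sequence; the minimum wins. Editor's assumption: the
    cross-host value is the larger one, so the minimum-score sequence is the
    one with the fewest cross-host hops."""
    score = initial
    for a, b in zip(seq, seq[1:]):
        score += same_host_cost if a.host == b.host else cross_host_cost
    return score


def orchestrate(free_resources, devices, required_types, execution_order, threshold):
    """Runs the steps in order and returns (target host, device ids, score)."""
    hosts = eligible_hosts(free_resources, threshold)
    usable = [d for d in devices if d.host in hosts]
    combo = target_combination(build_combinations(usable), required_types)
    host, _ = select_target_host(hosts, usable, combo)
    best = min(candidate_sequences(usable, host, execution_order), key=sequence_score)
    return host, [d.dev_id for d in best], sequence_score(best)


# Constructed sample inventory (not real deployment data).
FREE = {"h1": 80, "h2": 60, "h3": 10}
DEVICES = [
    Device("fw-1", "FW", "h1"), Device("ips-1", "IPS", "h1"),
    Device("fw-2", "FW", "h2"), Device("ips-2", "IPS", "h2"), Device("waf-2", "WAF", "h2"),
    Device("waf-3", "WAF", "h3"),
]

if __name__ == "__main__":
    print(orchestrate(FREE, DEVICES, {"FW", "IPS", "WAF"}, ["FW", "IPS", "WAF"], 20))
```

With the sample inventory, h3 is screened out by the threshold, the adding rule groups fw-1, ips-1 and waf-2 into the first combination, h2 wins the host score because it runs more devices, and the whole chain lands on h2 with no cross-host hop. Calling `candidate_sequences` for a type the target host lacks shows the cross-host fallback that the later "communication connection between different hosts" implementation covers.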
In an alternative implementation, the target hierarchical flow table is one of an IP-address-type hierarchical flow table, a port-type hierarchical flow table and a bypass-type hierarchical flow table, where the priority of the port-type table is higher than that of the IP-address-type table, which in turn is higher than that of the bypass-type table.
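The priority ordering of the hierarchical flow table (port type above IP-address type above bypass), together with the destination-address modification that depends on the working state of each device, as stated in the first aspect and again above, shown as an added example. This is the editor's illustration in Python of a small OpenFlow-like matcher, not the patent's flow tables and not Open vSwitch syntax; the priority values, addresses, switch ports and the chain are constructed. The traffic model is an assumption: the user's own packets are recognised by source address (IP type), packets coming back from a device are recognised by the switch port they arrive on (port type), and anything else hits the bypass entry and goes straight to the protected host.

```python
from dataclasses import dataclass

# Hypothetical priorities: port-type entries outrank IP-type entries, which
# outrank the bypass entry, as the text requires.
PRIORITY = {"port": 300, "ip": 200, "bypass": 100}


@dataclass(frozen=True)
class SecDevice:
    name: str
    addr: str        # address the packet's destination is rewritten to
    in_port: int     # switch port on which traffic comes back from the device
    up: bool = True  # working state


@dataclass(frozen=True)
class FlowEntry:
    kind: str        # "port", "ip" or "bypass"
    priority: int
    match: tuple     # ((field, value), ...); the empty tuple matches everything
    set_dst: str     # destination address written into the packet


def next_working(seq, start):
    """First device at position >= start whose working state is up, or None."""
    return next((d for d in seq[start:] if d.up), None)


def build_flow_table(seq, user_ip, protected_host, priority=PRIORITY):
    """Target hierarchical flow table for one execution sequence: the user's
    traffic (IP type, matched on source address) goes to the first working
    device; traffic returning from device i (port type, matched on in_port)
    goes to the next working device; everything else hits the bypass entry
    and goes straight to the protected host. Devices that are down are skipped."""
    first = next_working(seq, 0)
    table = [FlowEntry("ip", priority["ip"], (("nw_src", user_ip),),
                       first.addr if first else protected_host)]
    for i, dev in enumerate(seq):
        if not dev.up:
            continue  # a device that is down never returns traffic, so no entry
        nxt = next_working(seq, i + 1)
        table.append(FlowEntry("port", priority["port"], (("in_port", dev.in_port),),
                               nxt.addr if nxt else protected_host))
    table.append(FlowEntry("bypass", priority["bypass"], (), protected_host))
    return sorted(table, key=lambda e: e.priority, reverse=True)  # stable sort


def lookup(table, packet):
    """Highest-priority entry whose match fields all equal the packet's fields."""
    return next(e for e in table if all(packet.get(f) == v for f, v in e.match))


def steer(table, seq, packet, protected_host):
    """Walk a packet through the table and return the devices it visits in
    order; a packet coming back from a device carries that device's in_port."""
    by_addr = {d.addr: d for d in seq}
    path = []
    for _ in range(len(seq) + 2):
        entry = lookup(table, packet)
        if entry.set_dst == protected_host:
            return path + [protected_host]
        dev = by_addr[entry.set_dst]
        path.append(dev.name)
        packet = {**packet, "in_port": dev.in_port}
    raise RuntimeError("flow table loops: return traffic re-entered the chain")


# Constructed sample: three chained devices, addresses from documentation ranges.
CHAIN = [SecDevice("fw", "10.0.0.1", 1), SecDevice("ips", "10.0.0.2", 2),
         SecDevice("waf", "10.0.0.3", 3)]
USER, HOST, UPLINK = "192.0.2.10", "198.51.100.5", 10


def path_for(seq, packet, priority=PRIORITY):
    return steer(build_flow_table(seq, USER, HOST, priority), seq, packet, HOST)


if __name__ == "__main__":
    print(path_for(CHAIN, {"nw_src": USER, "in_port": UPLINK}))
```

The ordering is not cosmetic: a packet returning from the firewall still carries the user's source address, so if the IP-type entry outranked the port-type entry it would be sent back to the firewall and loop; `steer` detects that case. Marking a device as down removes it from the chain by rewriting the previous hop's destination, which is the working-state dependence the text describes.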
In an optional implementation, the setting unit is further configured, when one of two adjacent security devices is not configured on the target host, to set the traffic orchestration path between them according to the security service policy, the execution order of the security services and the communication connection between the different hosts.
In a third aspect, an electronic device is provided, comprising a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another over the bus;
the memory stores a computer program;
the processor, when executing the program stored in the memory, performs the method steps of any of the implementations of the first aspect.
In a fourth aspect, a computer-readable storage medium is provided, storing a computer program which, when executed by a processor, performs the method steps of any of the implementations of the first aspect.
With the method provided by the application, after a user's security service request comprising a security service policy and an execution order of security services is received, a target host and a target security device sequence on it that satisfies the policy are determined from the security devices configured on each of at least one host and the types of security device in a target security device combination that satisfies the policy, where the target combination is the combination in a stored first security device sequence that satisfies the policy; when adjacent security devices in the target sequence are configured on the target host, a traffic orchestration path is set between them according to the policy and the execution order; and the traffic is steered to each security device in turn according to that path and a target hierarchical flow table, where the target hierarchical flow table is a hierarchical flow table whose destination address for each security device has been modified, in a preset destination-address modification manner, according to the execution order and the working state of the device. Because the target host is determined first and the target security device sequence is then obtained by screening the security devices, cross-host communication is greatly reduced, the service efficiency of the security service improves, and packet loss and latency decrease.
Drawings
Fig. 1 is a schematic structural diagram of a security service platform applying a setting method of a security service according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a method for setting a security service according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a security service setting apparatus according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without any creative effort belong to the protection scope of the present application.
The method for setting a security service provided by the embodiments may be applied to the security service platform shown in Fig. 1. The platform may include a security service controller, a security resource pool comprising at least one security device and a switch, and hosts.
The security service controller is communicatively connected to the security resource pool and to the hosts; the security resource pool is communicatively connected to the hosts; and the hosts communicate at layer 3 over an overlay network.
The switch may be an Open vSwitch (OVS) switch supporting the OpenFlow protocol, or a software-defined networking (SDN) switch supporting the OpenFlow protocol.
The security devices perform access control, attack inspection, attack filtering, content auditing and the like on the user's service traffic, and the security resource pool supports the OpenFlow protocol. A security device may be a unified threat management (UTM) security gateway, an intrusion detection system (IDS), an intrusion prevention system (IPS), a web application firewall (WAF) or the like.
Fig. 2 is a flowchart illustrating a method for setting a security service according to an embodiment of the present invention. As shown in fig. 2, the method may include:
Step 210, receiving a security service request of a user, where the security service request includes a security service policy and an execution sequence of the security services.
The security service controller receives and parses security service requests from users, and extracts and organizes the security service policies and the execution sequence of the security services (collectively, the "security requirements"), such as the types of security services, the number of security services, and the order of those types.
Step 220, obtaining at least one host communicating with the security service controller, where each of the at least one host is configured with at least one security device.
The security service controller obtains the remaining amount of physical resources of each host in communication with it, where the physical resources may include CPU, memory, hard disk and process resources and the like.
The security service controller determines the hosts whose remaining physical resources exceed a preset resource threshold as the at least one host, where the preset resource threshold is the amount of physical resources needed to create a preset number of security devices. That is, each of the at least one host satisfies the condition for creating security devices. At least one security device is created in each such host, and the security devices on a host may be of different types.
To improve resource utilization and the efficiency of setting (or "orchestrating") subsequent security services, the security service controller preferentially deploys different types of security devices on the same host, following the creation rule that hosts with more remaining physical resources create more security devices and hosts with fewer remaining resources create fewer.
Step 230, determining the target host, and a target security device sequence on the target host that satisfies the security service policy, according to the at least one security device configured on each of the at least one host and the at least one type of security device in the target security device combination that satisfies the security service policy.
The target host is determined by a first preset rule algorithm from the at least one security device configured on each host and the target security device combination that satisfies the security service policy.
The target security device sequence is then determined among at least one second security device sequence on the target host that satisfies the security service policy, according to a second preset rule algorithm and the position information of the security devices in those sequences, where each second security device sequence comprises at least one type of security device.
(I) Determining a target host:
An intersection operation is performed between the at least one security device of a host to be selected and the at least one type of security device in the target security device combination that satisfies the security service policy, to obtain a first number, the number of common security devices.
The host to be selected is any one of the at least one host; the target security device combination is the security device combination in the stored first security device sequence that satisfies the security service information. A common security device is a security device that both belongs to the target security device combination and is configured on the host to be selected.
Before this step, the security service controller obtains a first security device sequence G from the at least one security device of each host, the first security device sequence G comprising at least one security device combination, each security device combination comprising at least one type of security device.
Specifically, the security service controller may set an initial security device sequence for storing at least one security device combination, each security device combination storing at least one type of security device, expressed as:
G = {g_1, g_2, ..., g_i, ..., g_n};
g_i = {VM_1, VM_2, ..., VM_i, ..., VM_n};
where G denotes the initial security device sequence, g_i the i-th security device combination, and VM_1, VM_2, VM_i and VM_n different types of security devices.
The security service controller traverses the at least one security device combination in the initial security device sequence and adds the at least one security device of each host into the combinations according to a preset adding principle.
The addition process may be as follows:
If the current security device combination does not contain the type of the security device to be added, the security device to be added is added to the current combination. The current security device combination is any one of the at least one security device combination, and the security device to be added is any one of the security devices configured on the hosts; the result is the first security device sequence.
That is, the preset adding principle is: if the type of every security device in the current combination differs from the type of the security device to be added, the security device to be added is added to the current combination;
The preset adding principle can be expressed as:
VM_j ∈ g_i → VM_j.type ≠ VM_x.type;
where g_i denotes the i-th security device combination, VM_j.type the type of the j-th security device already in g_i, and VM_x.type the type of the x-th security device to be added among the at least one security device.
If every security device combination already contains the type of the security device to be added, a new security device combination is appended at the end of the initial security device sequence and the security device to be added is placed in it, yielding the first security device sequence. That is, under the preset adding principle, if every combination includes the type of the security device to be added, the device is added to the newly configured combination.
It is understood that at least one type of security device in each security device combination may be a security device configured in a different host, or may be a security device configured in the same host.
Further, the security service controller obtains from the first security device sequence the target security device combination that satisfies the security service policy. The target security device combination comprises at least one type of security device. From the at least one security device configured on a host to be selected and the at least one type of security device in the target combination, the first number of common security devices (those that belong to the target combination and are configured on that host) is identified, where the host to be selected is any one of the at least one host.
The first number may be expressed as:
Count1 = |h_j.vms ∩ g_i|;
where h_j.vms denotes the set of security devices configured on the j-th host and g_i the i-th security device combination, which satisfies the security service policy.
Further, a first preset rule algorithm performs a score operation on the second number of security devices configured on each host and the corresponding first number, to determine the target host.
Specifically, the security service controller first obtains the second number, the count of the at least one security device configured on each host, expressed as:
Count2 = |h_j.vms|;
To improve the accuracy of the candidate score, the security service controller may set a preset weight for the second number, e.g. Weight1, and a preset weight for the first number, e.g. Weight2, with the weight of the second number greater than the weight of the first number.
Using the first preset rule algorithm, the security service controller performs a score operation on the second number of security devices configured on each host, its preset weight, the first number corresponding to that host and its preset weight, to obtain a candidate score for each host.
The candidate score Y of each host may be expressed as:
Y = Count1 * Weight1 - Count2 * Weight2;
The host with the largest candidate score among the at least one host is determined as the target host.
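The following Python is an added example, not code from the patent, that carries step (I) through end to end: it builds the first security device sequence G by the preset adding principle, picks the target combination for a policy, and scores hosts with the formula as printed, Y = Count1 * Weight1 - Count2 * Weight2. The host inventory, the policy's required types and the weight values (2 and 1) are constructed assumptions.

```python
# Constructed inventory of hosts and the security devices configured on each:
# host -> list of (device id, device type). Names and types are made up for this
# example; the page gives no concrete inventory.
HOSTS = {
    "host-A": [("ips-1", "IPS"), ("waf-1", "WAF"), ("ids-1", "IDS")],
    "host-B": [("ips-2", "IPS"), ("waf-2", "WAF"), ("waf-3", "WAF"), ("utm-1", "UTM")],
    "host-C": [("ids-2", "IDS")],
}


def build_first_sequence(hosts):
    """Build the first security device sequence G = [g_1, g_2, ...] by the preset adding principle.

    Each combination g_i is a dict type -> (device id, host) holding at most one device
    per type. A device goes into the first combination that lacks its type
    (VM_j.type != VM_x.type for every VM_j already in g_i); if every combination
    already has that type, a new combination is appended at the end of G.
    """
    G = []
    for host, devices in hosts.items():
        for dev_id, dev_type in devices:
            for combo in G:
                if dev_type not in combo:
                    combo[dev_type] = (dev_id, host)
                    break
            else:
                G.append({dev_type: (dev_id, host)})
    return G


def find_target_combination(G, required_types):
    """Return the first g_i that contains every device type the security service policy needs."""
    for combo in G:
        if set(required_types) <= set(combo):
            return combo
    return None


def score_hosts(hosts, target_combo, weight1, weight2):
    """Candidate score per host, following the formula as printed: Y = Count1*Weight1 - Count2*Weight2.

    Count1 = |h_j.vms ∩ g_i|, the host's devices that belong to the target combination;
    Count2 = |h_j.vms|, all devices configured on the host.
    """
    target_ids = {dev_id for dev_id, _host in target_combo.values()}
    scores = {}
    for host, devices in hosts.items():
        host_ids = {dev_id for dev_id, _type in devices}
        count1 = len(host_ids & target_ids)
        count2 = len(host_ids)
        scores[host] = count1 * weight1 - count2 * weight2
    return scores


def choose_target_host(hosts, required_types, weight1=2, weight2=1):
    """Step (I) end to end: build G, pick the target combination, score hosts, take the maximum.

    The weight values are an assumption; the page only says the two weights differ.
    Returns (target host or None, per-host scores).
    """
    G = build_first_sequence(hosts)
    target = find_target_combination(G, required_types)
    if target is None:
        return None, {}
    scores = score_hosts(hosts, target, weight1, weight2)
    best = max(scores, key=lambda h: (scores[h], h))  # tie-break on name for determinism
    return best, scores


if __name__ == "__main__":
    for i, g in enumerate(build_first_sequence(HOSTS), 1):
        print(f"g_{i} = {g}")
    print(choose_target_host(HOSTS, {"IPS", "WAF"}))
```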
(II) Determining a target security device sequence:
After determining the target host, the security service controller obtains a third security device sequence D on the target host that satisfies the security service policy. The third security device sequence comprises at least one type of security device set, each set containing at least one security device of the same type, denoted D = (D_1, D_2, ..., D_n), where D_i is the set of security devices of type i.
A preset permutation and combination algorithm is applied to the sets, i.e. one security device is selected from each set of each type, to obtain at least one second security device sequence, each comprising at least one type of security device; for example, each second security device sequence d is denoted (d_1, d_2, ..., d_n), where d_i is a security device of type i and d_i ∈ D_i. Thus the security service controller obtains at least one second security device sequence on the target host that satisfies the security service policy.
Further, the security service controller applies a second preset rule algorithm to the position information of the at least one type of security device in a candidate security device sequence to obtain the candidate score of that sequence, where the candidate security device sequence is any one of the second security device sequences d;
Specifically, an initial candidate score of the candidate security device sequence is set.
It is detected whether two adjacent types of security devices in the candidate security device sequence are configured on the same host;
if the two adjacent security devices are configured on the same host, a first value is added to the initial candidate score to obtain the current candidate score of the two adjacent devices;
if the two adjacent security devices are not configured on the same host, a second value is added to the initial candidate score to obtain their current candidate score, where the first value is larger than the second value.
The current candidate score of two adjacent types of security devices can be expressed as:
f(d_i, d_{i+1}) = initial candidate score + first value, if d_i and d_{i+1} are configured on the same host;
f(d_i, d_{i+1}) = initial candidate score + second value, otherwise;
where f(d_i, d_{i+1}) denotes the current candidate score of the i-th and (i+1)-th security devices.
The candidate score of the candidate security device sequence is obtained from the current candidate scores of all pairs of adjacent security devices in the sequence by a preset accumulation algorithm.
The candidate score S of the candidate security device sequence may be expressed as:
S = f(d_1, d_2) + f(d_2, d_3) + ... + f(d_{n-1}, d_n);
For example, suppose the candidate security device sequence includes three different types of security devices, a first, a second and a third security device, and the initial candidate score is set to 0, the first value to 1 and the second value to 0.
If the first and second security devices are configured on the same host, their current candidate score is the initial candidate score plus the first value, i.e. 1.
If the second and third security devices are also configured on the same host, their current candidate score is likewise the initial candidate score plus the first value, i.e. 1, so the candidate score of the candidate security device sequence is 2.
Alternatively, if the first and second security devices are configured on the same host, their current candidate score is the initial candidate score plus the first value, i.e. 1; if the second and third security devices are not configured on the same host, their current candidate score is the initial candidate score plus the second value, i.e. 0, so the candidate score of the candidate security device sequence is 1.
Based on this algorithm, the security service controller obtains the candidate score of each second security device sequence and determines the second security device sequence with the smallest candidate score as the target security device sequence.
It can be understood that the smaller the candidate score of a second security device sequence, the more security devices in that sequence are configured on the same host, so the number of times security services are provided across hosts is reduced and security service efficiency is improved.
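As an added example (not the patent's code), this Python enumerates the second security device sequences from D by picking one device per type set and scores each one with f and S as defined above. It assumes the page's example values (initial score 0, first value 1, second value 0); because those values make the score grow with same-host adjacency while the stated aim is the most devices on one host, it selects the maximum score rather than the minimum stated above, and that reading, like the constructed inventory, is the editor's assumption.

```python
from itertools import product

# Constructed third security device sequence D = (D_1, D_2, D_3) on the target host:
# one set per required type, in the execution order of the security services.
# Each device is (device id, host it is configured on). Data are made up here.
D = [
    [("waf-1", "host-A"), ("waf-4", "host-B")],   # D_1: WAF devices
    [("ips-1", "host-A")],                        # D_2: IPS devices
    [("ids-1", "host-A"), ("ids-2", "host-C")],   # D_3: IDS devices
]


def pair_score(dev_a, dev_b, initial=0, first_value=1, second_value=0):
    """f(d_i, d_{i+1}): initial + first value if both share a host, else initial + second value."""
    same_host = dev_a[1] == dev_b[1]
    return initial + (first_value if same_host else second_value)


def sequence_score(seq, **kw):
    """S = f(d_1, d_2) + f(d_2, d_3) + ... + f(d_{n-1}, d_n), the preset accumulation."""
    return sum(pair_score(seq[i], seq[i + 1], **kw) for i in range(len(seq) - 1))


def enumerate_second_sequences(third_sequence):
    """Permutation and combination: one device from each D_i, keeping the type order."""
    return [list(seq) for seq in product(*third_sequence)]


def cross_host_hops(seq):
    """Number of adjacent pairs that sit on different hosts (what the scoring is meant to minimise)."""
    return sum(1 for i in range(len(seq) - 1) if seq[i][1] != seq[i + 1][1])


def choose_target_sequence(third_sequence, **kw):
    """Score every second sequence and return (target sequence, [(score, sequence), ...]).

    Editor's reading (assumption): with the page's values, 1 for a same-host pair and
    0 otherwise, the score grows with same-host adjacency, and the page's stated aim is
    the most devices on one host, so the sequence with the maximum score is taken.
    """
    scored = [(sequence_score(seq, **kw), seq)
              for seq in enumerate_second_sequences(third_sequence)]
    _best_score, best_seq = max(scored, key=lambda t: t[0])
    return best_seq, scored


if __name__ == "__main__":
    target, scored = choose_target_sequence(D)
    for score, seq in scored:
        print(score, [d for d, _ in seq], "cross-host hops:", cross_host_hops(seq))
    print("target:", [d for d, _ in target])
```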
Step 240, when the adjacent security devices in the target security device sequence are configured on the target host, obtaining a flow orchestration path between the adjacent security devices and different types of hierarchical flow tables according to the security service policy, the execution sequence of the security services and a preset destination address modification mode.
When the adjacent security devices in the target security device sequence are configured on the target host, the security service controller can set a flow orchestration path between them according to the security service policy and the execution sequence of the security services, and, using the preset destination address modification mode, modify the destination address of each security device according to its working state and the execution sequence of the security services, obtaining different types of hierarchical flow tables, which are then stored.
The different types of hierarchical flow tables may include an Internet Protocol (IP) address type hierarchical flow table, a Port type hierarchical flow table and a By-pass type hierarchical flow table. The Port type has a higher priority than the IP address type, which has a higher priority than the By-pass type, and the flow orchestration path is formed by the media access control (MAC) addresses of the at least one type of security device in the target security device sequence.
The IP address type hierarchical flow table uses only the destination IP address of the service flow as the filtering condition; it applies to security services that protect the full traffic, and its priority is set to 2.
The Port type hierarchical flow table uses the destination IP address and destination port of the service flow as filtering conditions; it applies to security services that protect the traffic of a specified port, and its priority is set to 3.
The By-pass type hierarchical flow table keeps traffic from entering certain security devices; it applies when a security device has failed or when some ports need no protection, and its priority is set to 1. The By-pass type hierarchical flow table can be generated automatically from the working state of the security devices and/or the security service information, or obtained through external input.
When there is a service flow to be steered, the working state of each security device in the target security device sequence is detected, i.e. whether the security device has failed; if a failed security device, or a security device with a failed port, exists, the IP address type hierarchical flow table is selected as the target hierarchical flow table;
To support by-pass and to refine the per-port protection of the security devices, the hierarchical flow tables are divided into three priority levels; when matching against the five-tuple of the service flow, the table with the higher priority is matched first, which improves the efficiency of the security service.
Optionally, when one of the adjacent security devices is not configured on the target host, the security service controller sets the flow orchestration path between the adjacent security devices according to the security service policy, the execution sequence of the security services and the communication connection between the different hosts.
(i) All of the at least one type of security device in the target security device sequence are configured on the same host, i.e. the security service setting does not involve a cross-host scenario:
The security service controller issues a preset hierarchical flow table to the OpenFlow switch connected to the host where the target security device sequence is located. The target security device sequence is (d_1, d_2, ..., d_i, ..., d_n).
If the destination IP address of the service flow is the IP address of the host to be protected and the destination MAC address of the service flow is the steering MAC address of the OpenFlow switch, the destination MAC address is changed to that of security device d_1 and the traffic is directed to the port of d_1.
(1) A By-pass type hierarchical flow table is issued to the OpenFlow switch connected to the host of (d_1, d_2, ..., d_i, ..., d_n), with the following content:
If the destination IP address of the service flow is the IP address of the host to be protected and the destination MAC address of the service flow is the MAC address of d_1, the destination MAC address is changed to that of d_2; the hierarchical flow table priority is 1.
If the destination IP address of the service flow is the IP address of the host to be protected and the destination MAC address of the service flow is the MAC address of d_i, the destination MAC address is changed to that of d_{i+1}; the hierarchical flow table priority is 1.
If the destination IP address of the service flow is the IP address of the host to be protected and the destination MAC address of the service flow is the MAC address of d_n, the destination MAC address is changed to the steering MAC address of the OpenFlow switch and the service flow is steered to the steering interface of the OpenFlow switch; the hierarchical flow table priority is 1.
(2) An IP address type hierarchical flow table is issued to the OpenFlow switch connected to the host of (d_1, d_2, ..., d_i, ..., d_n):
If the destination IP address of the service flow is the IP address of the host to be protected and the destination MAC address of the service flow is the MAC address of d_1, the destination MAC address is changed to that of d_2 and the traffic flow is sent to d_2; the hierarchical flow table priority is 2.
If the destination IP address of the service flow is the IP address of the host to be protected and the destination MAC address of the service flow is the MAC address of d_i, the destination MAC address is changed to that of d_{i+1} and the traffic flow is sent to d_{i+1}; the hierarchical flow table priority is 2.
If the destination IP address of the service flow is the IP address of the host to be protected and the destination MAC address of the service flow is the MAC address of d_n, the destination MAC address is changed to the steering MAC address of the OpenFlow switch and the service flow is steered to the steering interface of the OpenFlow switch; the hierarchical flow table priority is 2.
(3) A Port type hierarchical flow table is issued to the OpenFlow switch connected to the host of (d_1, d_2, ..., d_i, ..., d_n):
If the destination IP address of the service flow is the IP address of the host to be protected, the destination port of the service flow is the port specified in security policy P_1, and the destination MAC address is the MAC address of d_1, the destination MAC address is changed to that of d_2 and the traffic flow is sent to d_2; the hierarchical flow table priority is 3.
If the destination IP address of the service flow is the IP address of the host to be protected, the destination port of the service flow is the port specified in security policy P_i, and the destination MAC address is the MAC address of d_i, the destination MAC address is changed to that of d_{i+1} and the traffic flow is sent to d_{i+1}; the hierarchical flow table priority is 3.
If the destination IP address of the service flow is the IP address of the host to be protected, the destination port of the service flow is the port specified in security policy P_n, and the destination MAC address is the MAC address of d_n, the destination MAC address is changed to the steering MAC address of the OpenFlow switch and the service flow is sent to the steering interface of the OpenFlow switch; the hierarchical flow table priority is 3.
Therefore, if the security devices in the target security device sequence are all configured on the same host, the security service can be provided according to the flow orchestration path.
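The three hierarchical flow tables above, as an added example written for this page rather than taken from the patent: a Python generator that emits the destination-MAC rewrite chain for a same-host sequence (d_1, ..., d_n) at the page's priorities, renders each rule in ovs-ofctl match/action syntax, and traces a packet through a table to confirm it visits the devices in execution order. The device MACs, switch ports, protected IP, steering MAC and interface, and the use of a `skip` set to realise the By-pass table are constructed assumptions.

```python
from typing import Dict, List, Optional

# Constructed target security device sequence (d_1, ..., d_n), all on one host:
# each entry is a device id, its MAC address and the switch port it hangs off.
# All addresses, ports and ids are made up for this example.
SEQUENCE = [
    {"id": "d1-waf", "mac": "02:00:00:00:00:01", "port": 11},
    {"id": "d2-ips", "mac": "02:00:00:00:00:02", "port": 12},
    {"id": "d3-ids", "mac": "02:00:00:00:00:03", "port": 13},
]
PROTECTED_IP = "10.0.0.5"             # IP address of the host to be protected (constructed)
STEERING_MAC = "02:00:00:00:00:ff"    # steering MAC address of the OpenFlow switch (constructed)
STEERING_PORT = 1                     # steering interface of the OpenFlow switch (constructed)
PRIORITY = {"bypass": 1, "ip": 2, "port": 3}   # priorities as stated on the page


def build_flow_table(sequence: List[Dict], table_type: str,
                     dst_port: Optional[int] = None, skip=()) -> List[Dict]:
    """Build one hierarchical flow table as a list of rule dicts.

    table_type "ip" matches only the destination IP; "port" also matches the
    destination port named in the security policy; "bypass" drops the devices
    listed in `skip` (e.g. failed ones) out of the chain, which is how this
    example keeps traffic from entering them (an assumption: the page only says
    a By-pass table keeps traffic out of certain devices).
    Every rule rewrites the destination MAC to the next hop and outputs to its port;
    after d_n the traffic returns to the switch's steering interface.
    """
    if table_type == "port" and dst_port is None:
        raise ValueError("a Port type table needs the policy's destination port")
    chain = [d for d in sequence if d["id"] not in skip]
    if not chain:
        return []

    def match(dl_dst: str) -> Dict:
        m = {"nw_dst": PROTECTED_IP, "dl_dst": dl_dst}
        if table_type == "port":
            m["tp_dst"] = dst_port
        return m

    def rule(dl_dst: str, hop: Dict) -> Dict:
        return {"priority": PRIORITY[table_type], "match": match(dl_dst),
                "actions": {"mod_dl_dst": hop["mac"], "output": hop["port"]}}

    back_to_switch = {"mac": STEERING_MAC, "port": STEERING_PORT}
    rules = [rule(STEERING_MAC, chain[0])]          # steering MAC -> d_1
    for i, dev in enumerate(chain):                 # d_i -> d_{i+1}, d_n -> switch
        nxt = chain[i + 1] if i + 1 < len(chain) else back_to_switch
        rules.append(rule(dev["mac"], nxt))
    return rules


def render(rule: Dict) -> str:
    """Render a rule in ovs-ofctl add-flow match/action syntax (TCP assumed for port matches)."""
    m, a = rule["match"], rule["actions"]
    fields = [f"priority={rule['priority']}", "tcp" if "tp_dst" in m else "ip",
              f"nw_dst={m['nw_dst']}"]
    if "tp_dst" in m:
        fields.append(f"tp_dst={m['tp_dst']}")
    fields.append(f"dl_dst={m['dl_dst']}")
    return ",".join(fields) + f",actions=mod_dl_dst:{a['mod_dl_dst']},output:{a['output']}"


def trace(rules: List[Dict], dst_port: Optional[int] = None, max_hops: int = 16) -> List[int]:
    """Walk one packet for PROTECTED_IP through the table and return the output ports in order.

    Starts with the switch's steering MAC as destination, like traffic entering the chain.
    Higher-priority rules are tried first; a rule carrying tp_dst only matches that port.
    """
    dl_dst, path = STEERING_MAC, []
    ordered = sorted(rules, key=lambda r: -r["priority"])
    for _ in range(max_hops):
        hit = next((r for r in ordered if r["match"]["dl_dst"] == dl_dst
                    and r["match"].get("tp_dst", dst_port) == dst_port), None)
        if hit is None:
            break
        path.append(hit["actions"]["output"])
        dl_dst = hit["actions"]["mod_dl_dst"]
        if hit["actions"]["output"] == STEERING_PORT:
            break
    return path


if __name__ == "__main__":
    for line in map(render, build_flow_table(SEQUENCE, "ip")):
        print(line)
    print("IP table path:", trace(build_flow_table(SEQUENCE, "ip")))
    print("By-pass d2-ips:", trace(build_flow_table(SEQUENCE, "bypass", skip={"d2-ips"})))
```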
(ii) Only some of the at least one type of security device in the target security device sequence are configured on the same host, i.e. the security service setting involves a cross-host scenario:
Let the target security device sequence be (d_1, d_2, ..., d_i, ..., d_n). When d_i and d_{i+1} are located on different hosts, the security service controller can set the flow orchestration path between the adjacent security devices in the target security device sequence according to the security service policy and the execution sequence of the security services, and the overlay communication connection between the hosts of d_i and d_{i+1} allows the traffic flow to be steered from d_i to d_{i+1}. Therefore, if adjacent security devices in the target security device sequence are located on different hosts, the security service is provided to the user according to the flow orchestration path and the communication connection between the different hosts.
This way of obtaining the flow orchestration path meets the user's need to customize the execution sequence of multiple security services, and by viewing the path users can operate and maintain the service themselves more conveniently and more accurately.
In summary, after receiving a user's security service request, which includes a security service policy and an execution sequence of security services, the method provided by the application determines the target host, and a target security device sequence on the target host that satisfies the security service policy, according to the at least one security device configured on each of the at least one host and the at least one type of security device in the target security device combination that satisfies the policy, where the target security device combination is the combination in the stored first security device sequence that satisfies the policy. When adjacent security devices in the target security device sequence are configured on the target host, a flow orchestration path between them is set according to the security service policy and the execution sequence of the security services; the target hierarchical flow table is the hierarchical flow table obtained by modifying the destination address of each security device, using the preset destination address modification mode, according to the execution sequence of the security services and the working state of the security devices. Because the target host is determined first and the target security device sequence is then obtained by screening the security devices, cross-host communication is greatly reduced, the efficiency of the security service is improved, and the packet loss rate and latency are reduced.
Corresponding to the above method, an embodiment of the present invention further provides a device for setting a security service, as shown in fig. 3, where the device includes: a receiving unit 310, a determining unit 320, and a setting unit 330;
a receiving unit 310, configured to receive a security service request of a user, where the security service request includes a security service policy and an execution sequence of the security services;
a determining unit 320, configured to determine the target host, and a target security device sequence on the target host that satisfies the security service policy, according to the at least one security device configured on each of the at least one host and the at least one type of security device in the target security device combination that satisfies the security service policy, where the target security device combination is the security device combination in a stored first security device sequence that satisfies the security service policy;
a setting unit 330, configured to set a flow orchestration path between adjacent security devices according to the security service policy and the execution sequence of the security services when the adjacent security devices in the target security device sequence are configured on the target host, and to steer the traffic to each security device in turn according to the flow orchestration path and a target hierarchical flow table, where the target hierarchical flow table is the hierarchical flow table obtained by modifying the destination address of each security device, using the preset destination address modification mode, according to the execution sequence of the security services and the working state of the security devices.
In an optional implementation, the determining unit 320 is specifically configured to determine the target host by a first preset rule algorithm according to the at least one security device configured on each of the at least one host and the at least one type of security device in the target security device combination that satisfies the security service policy;
and to determine the target security device sequence among at least one second security device sequence on the target host that satisfies the security service policy, according to a second preset rule algorithm and the position information of the security devices in those sequences, where each second security device sequence comprises at least one type of security device.
In an optional implementation, the apparatus further comprises a first obtaining unit 340;
a first obtaining unit 340, configured to obtain the hosts that communicate with the security service platform;
the determining unit 320 is further configured to determine, as the at least one host, the hosts whose remaining amount of physical resources is greater than a preset resource threshold, where the preset resource threshold is the amount of physical resources that satisfies configuring a preset number of security devices.
In an optional implementation, the determining unit 320 is further specifically configured to perform an intersection operation between the at least one security device configured on each of the at least one host and the at least one type of security device in the target security device combination that satisfies the security service policy, to obtain a first number of common security devices;
and to perform a score operation on the second number of security devices configured on each host and the corresponding first number using the first preset rule algorithm, to determine the target host.
In an optional implementation, the apparatus further comprises a second obtaining unit 350;
a second obtaining unit 350, configured to obtain, from the at least one security device configured on each of the at least one host, a first security device sequence by a preset adding principle, where the first security device sequence includes at least one security device combination, and each security device combination includes at least one type of security device;
the preset adding principle being: traverse each security device combination; if the type of every security device in the current combination differs from the type of the security device to be added, add the security device to be added to the current combination; and if every combination already includes the type of the security device to be added, add it to a newly configured security device combination.
In an optional implementation, the determining unit 320 is further specifically configured to perform, using the first preset rule algorithm, a score operation on the second number of security devices configured on each host, the preset weight of the second number, the first number corresponding to that host and the preset weight of the first number, to obtain a candidate score of each host, where the preset weight of the second number is greater than the preset weight of the first number;
and to determine the host with the largest candidate score among the at least one host as the target host.
In an optional implementation, the apparatus further comprises a third obtaining unit 360;
a third obtaining unit 360, configured to obtain a third security device sequence on the target host that satisfies the security service policy, where the third security device sequence includes at least one type of security device set, and each type of security device set includes at least one security device of the same type;
and to perform a permutation and combination operation on each type of security device set using a preset permutation and combination algorithm, to obtain at least one second security device sequence.
In an optional implementation, the determining unit 320 is further specifically configured to perform a score operation on the position information of the at least one type of security device in a candidate security device sequence using a second preset rule algorithm, to obtain the candidate score of the candidate security device sequence, where the candidate security device sequence is any one of the second security device sequences;
and to determine the second security device sequence with the smallest candidate score among the at least one second security device sequence as the target security device sequence.
In an optional implementation, the apparatus further comprises a fourth obtaining unit 370;
the setting unit 330 is further configured to set an initial candidate score of the candidate security device sequence;
a fourth obtaining unit 370, configured to detect whether each pair of adjacent types of security device among the at least one type of security device in the candidate security device sequence is configured on the same host;
if the two adjacent types of security device are configured on the same host, add a first value to the initial candidate score to obtain the current candidate score of those two adjacent types of security device;
if the two adjacent types of security device are not configured on the same host, add a second value to the initial candidate score to obtain the current candidate score of those two adjacent types of security device, where the first value is larger than the second value;
and obtain the candidate score of the candidate security device sequence from the current candidate scores of every pair of adjacent types of security device in the sequence, using a preset accumulation algorithm.
In an alternative implementation, the target hierarchical flow table includes one of an internet protocol IP address type hierarchical flow table, a Port type hierarchical flow table, and a bypass By-pass type hierarchical flow table, and a priority of the Port type hierarchical flow table is greater than a priority of the IP address type hierarchical flow table, which is greater than a priority of the bypass By-pass type hierarchical flow table.
In an optional implementation, the setting unit 330 is further configured to set a traffic orchestration path between the adjacent security devices according to the security service policy, the execution sequence of the security service, and the communication connection between different hosts, when one of the adjacent security devices is not configured on the target host.
The functions of the functional units of the setting device for security services provided in the above embodiment of the present invention can be implemented by the above method steps, and therefore, detailed working processes and beneficial effects of the units in the setting device for security services provided in the embodiment of the present invention are not repeated herein.
An embodiment of the present invention further provides an electronic device, as shown in fig. 4, including a processor 410, a communication interface 420, a memory 430, and a communication bus 440, where the processor 410, the communication interface 420, and the memory 430 complete mutual communication through the communication bus 440.
A memory 430 for storing computer programs;
the processor 410, when executing the program stored in the memory 430, implements the following steps:
receiving a security service request of a user, wherein the security service request comprises a security service policy and an execution sequence of security services;
determining a target host and a target security device sequence on the target host that satisfies the security service policy, according to the at least one security device configured by each host in at least one host and at least one type of security device in a target security device combination that satisfies the security service policy, where the target security device combination is a security device combination, in a stored first security device sequence, that satisfies the security service policy;
when adjacent security devices in the target security device sequence are configured on the target host, setting a traffic orchestration path between the adjacent security devices according to the security service policy and the execution sequence of the security service;
and steering the traffic sequentially to each security device according to the traffic orchestration path and a target hierarchical flow table, where the target hierarchical flow table is a hierarchical flow table obtained by modifying the destination address of each security device, in a preset destination address modification manner, according to the execution sequence of the security service and the working state of the security device.
In an optional implementation, determining a target host and a target security device sequence on the target host that satisfies the security service policy according to at least one type of security device in a combination of at least one security device configured by each host in the at least one host and a target security device that satisfies the security service policy includes:
determining the target host using a first preset rule algorithm, according to the at least one security device configured by each host in the at least one host and the at least one type of security device in the target security device combination that satisfies the security service policy;
and determining the target security device sequence among at least one second security device sequence that satisfies the security service policy on the target host, according to a second preset rule algorithm and the position information of the security devices in the at least one second security device sequence, where each second security device sequence includes at least one type of security device.
In an optional implementation, after receiving the security service request of the user, the method further includes:
obtaining the hosts in communication with the security service controller;
and determining, among those hosts, the at least one host whose remaining physical resources exceed a preset resource threshold, where the preset resource threshold is the amount of physical resources needed to configure a preset number of security devices.
In an optional implementation, determining a target host by using a first preset rule algorithm according to device information of at least one security device configured by each host in the at least one host and device information of at least one type of security device in a target security device combination meeting the security service policy includes:
performing an intersection operation between the at least one security device configured by each host in the at least one host and the at least one type of security device in the target security device combination that satisfies the security service policy, to obtain a first number of common security devices;
and performing a score operation, using the first preset rule algorithm, on the second number of security devices configured by each host and the corresponding first number, to determine the target host.
In an optional implementation, before obtaining the first number of shared security devices, the method further comprises:
obtaining a first security device sequence from the at least one security device configured by each host, using a preset adding principle, where the first security device sequence includes at least one security device combination, and each security device combination includes at least one type of security device;
the preset adding principle being that the security device combinations are traversed in turn, and if the type of every security device in the current security device combination differs from the type of the security device to be added, the security device to be added is added to the current security device combination; and if every security device combination already contains a security device of the type of the security device to be added, the security device to be added is added to a newly created security device combination.
In an optional implementation, the determining the target host by performing score operation on the second quantity and the corresponding first quantity of the at least one security device configured for each host by using a first preset rule algorithm includes:
performing a score operation, using the first preset rule algorithm, on the second number of security devices configured by each host, the preset weight of the second number, the corresponding first number of that host, and the preset weight of the first number, to obtain a candidate score for each host, where the preset weight of the second number is greater than the preset weight of the first number;
and determining the host with the maximum candidate score among the at least one host as the target host.
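As a worked illustration of the host-selection steps above (the resource filter, the preset adding principle that builds the first security device sequence, the intersection that yields the first number, and the weighted score that yields the target host), the following Python is an added example written for this page; it is not code from the patent or from NSFOCUS. The device inventory, the threshold, the weights, the rule that the first combination satisfying the policy is taken as the target combination, and the counting of shared devices by device identity are all assumptions, since the page fixes none of them.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Device:
    dev_id: str    # e.g. "FW-1"  (constructed identifiers)
    dev_type: str  # e.g. "FW", "IPS", "WAF"
    host: str      # host the device is configured on


def filter_hosts(free_resources: Dict[str, int], threshold: int) -> List[str]:
    """Keep hosts whose remaining physical resources exceed the preset threshold."""
    return [h for h, free in free_resources.items() if free > threshold]


def build_combinations(devices: List[Device]) -> List[List[Device]]:
    """Preset adding principle: walk the existing combinations in order and put
    the device into the first one that holds no device of its type; if every
    combination already holds that type, open a new combination."""
    combos: List[List[Device]] = []
    for dev in devices:
        for combo in combos:
            if all(d.dev_type != dev.dev_type for d in combo):
                combo.append(dev)
                break
        else:  # no existing combination accepted the device
            combos.append([dev])
    return combos


def target_combination(combos: List[List[Device]], required_types: Set[str]) -> List[Device]:
    """First stored combination covering every type the policy requires
    (assumption: the first match is used when several qualify)."""
    for combo in combos:
        if required_types <= {d.dev_type for d in combo}:
            return combo
    raise LookupError("no combination satisfies the policy")


def score_hosts(host_devices: Dict[str, List[Device]], target: List[Device],
                w_second: int, w_first: int) -> Dict[str, int]:
    """first number  = devices the host shares with the target combination;
    second number = devices configured on the host;
    score = w_second * second + w_first * first, with w_second > w_first."""
    if not w_second > w_first:
        raise ValueError("weight of the second number must exceed that of the first")
    target_ids = {d.dev_id for d in target}
    scores: Dict[str, int] = {}
    for host, devs in host_devices.items():
        first = len({d.dev_id for d in devs} & target_ids)
        second = len(devs)
        scores[host] = w_second * second + w_first * first
    return scores


def select_target_host(scores: Dict[str, int]) -> str:
    return max(scores, key=scores.get)


# Constructed sample inventory (not from the page).
FREE = {"h1": 8, "h2": 2, "h3": 6}
DEVICES = [
    Device("FW-1", "FW", "h1"), Device("IPS-1", "IPS", "h1"), Device("WAF-1", "WAF", "h1"),
    Device("WAF-2", "WAF", "h2"),
    Device("FW-2", "FW", "h3"), Device("IPS-2", "IPS", "h3"),
]
POLICY_TYPES = {"FW", "IPS", "WAF"}


def run_example(threshold: int = 4, w_second: int = 2, w_first: int = 1) -> dict:
    hosts = filter_hosts(FREE, threshold)                      # h2 is dropped
    host_devices = {h: [d for d in DEVICES if d.host == h] for h in hosts}
    combos = build_combinations([d for h in hosts for d in host_devices[h]])
    target = target_combination(combos, POLICY_TYPES)
    scores = score_hosts(host_devices, target, w_second, w_first)
    return {"hosts": hosts, "combos": combos, "target": target,
            "scores": scores, "target_host": select_target_host(scores)}


if __name__ == "__main__":
    print(run_example())
```

With this inventory the adding principle yields two combinations, [FW-1, IPS-1, WAF-1] and [FW-2, IPS-2]; only the first covers the policy, so h1 (three devices, all shared) scores 9 against 4 for h3 and becomes the target host.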
In an optional implementation, before determining a target security device sequence in at least one second security device sequence that satisfies the security service policy according to a second preset rule algorithm and location information of a security device in the at least one second security device sequence on the target host, the method further includes:
obtaining a third security device sequence that satisfies the security service policy on the target host, where the third security device sequence includes at least one type of security device set, and each type of security device set includes at least one security device of the same type;
and performing a permutation and combination operation on each type of security device set, using a preset permutation and combination algorithm, to obtain at least one second security device sequence that satisfies the security service policy on the target host.
In an optional implementation, determining, according to a second preset rule algorithm and location information of a security device in at least one second security device sequence that satisfies the security service policy on the target host, a target security device sequence in the at least one second security device sequence includes:
performing a score operation, using a second preset rule algorithm, on the position information of the at least one type of security device in a candidate security device sequence, to obtain the candidate score of that sequence, where the candidate security device sequence is any one of the at least one second security device sequence;
and determining the second security device sequence with the minimum candidate score among the at least one second security device sequence as the target security device sequence.
In an optional implementation, performing score operation on at least one type of security device in a security device sequence to be selected by using a second preset rule algorithm to obtain a score to be selected of the security device sequence to be selected includes:
setting an initial candidate score of the candidate security device sequence;
detecting whether each pair of adjacent types of security device among the at least one type of security device in the candidate security device sequence is configured on the same host;
if the two adjacent types of security device are configured on the same host, adding a first value to the initial candidate score to obtain the current candidate score of those two adjacent types of security device;
if the two adjacent types of security device are not configured on the same host, adding a second value to the initial candidate score to obtain the current candidate score of those two adjacent types of security device, where the first value is larger than the second value;
and obtaining the candidate score of the candidate security device sequence from the current candidate scores of every pair of adjacent types of security device in the sequence, using a preset accumulation algorithm.
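The candidate-sequence steps above (a third sequence of per-type device sets, permutation and combination into second sequences, adjacency scoring, and selection of the minimum) as an added Python example for this page; it is not code from the patent or from NSFOCUS. The cartesian product used to enumerate sequences, the initial score, and the two increments are assumptions. One caveat worth checking before reusing the rule: with the first value larger than the second and the minimum total winning, exactly as the page states it, a sequence whose adjacent devices sit on different hosts scores lower than one kept entirely on the target host. The example follows the text literally so that this effect is visible in the result.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, List


@dataclass(frozen=True)
class Device:
    dev_id: str    # constructed identifier, e.g. "FW-1"
    dev_type: str  # e.g. "FW", "IPS", "WAF"
    host: str      # host the device is configured on


def generate_sequences(type_sets: Dict[str, List[Device]],
                       execution_order: List[str]) -> List[List[Device]]:
    """Third sequence -> second sequences: draw one device from each type's
    set, ordered by the policy's execution sequence. The cartesian product
    stands in for the page's unspecified permutation and combination
    algorithm (assumption)."""
    return [list(p) for p in product(*(type_sets[t] for t in execution_order))]


def score_sequence(seq: List[Device], initial: int = 0,
                   same_host_value: int = 2, other_host_value: int = 1) -> int:
    """Second preset rule algorithm as the page states it: start from the
    initial candidate score, add the first value for each adjacent pair on
    the same host and the second (smaller) value otherwise, and accumulate."""
    if not same_host_value > other_host_value:
        raise ValueError("the first value must be larger than the second")
    total = initial
    for a, b in zip(seq, seq[1:]):
        total += same_host_value if a.host == b.host else other_host_value
    return total


def select_target_sequence(seqs: List[List[Device]]) -> List[Device]:
    """The page selects the second sequence with the minimum candidate score."""
    return min(seqs, key=score_sequence)


# Constructed data: target host h1 plus a spare firewall on h3.
TYPE_SETS = {
    "FW":  [Device("FW-1", "FW", "h1"), Device("FW-2", "FW", "h3")],
    "IPS": [Device("IPS-1", "IPS", "h1")],
    "WAF": [Device("WAF-1", "WAF", "h1")],
}
ORDER = ["FW", "IPS", "WAF"]  # execution sequence from the service request


def run_example() -> dict:
    seqs = generate_sequences(TYPE_SETS, ORDER)
    scored = {tuple(d.dev_id for d in s): score_sequence(s) for s in seqs}
    best = select_target_sequence(seqs)
    return {"scores": scored, "target": [d.dev_id for d in best]}


if __name__ == "__main__":
    print(run_example())
```

Two candidate sequences result: FW-1, IPS-1, WAF-1 (both adjacent pairs on h1, score 4) and FW-2, IPS-1, WAF-1 (one cross-host pair, score 3). Following the text literally, the minimum-score sequence, the one that crosses hosts, is selected.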
In an alternative implementation, the target hierarchical flow table includes one of an internet protocol IP address type hierarchical flow table, a Port type hierarchical flow table, and a bypass By-pass type hierarchical flow table, and a priority of the Port type hierarchical flow table is greater than a priority of the IP address type hierarchical flow table, which is greater than a priority of the bypass By-pass type hierarchical flow table.
In an optional implementation, the method further comprises:
and when one of the adjacent security devices is not configured on the target host, setting a traffic orchestration path between the adjacent security devices according to the security service policy, the execution sequence of the security service, a preset flow table, and the communication connection between different hosts.
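An added example of the hierarchical flow table described above, written for this page and not taken from the patent or from NSFOCUS. It installs one entry per hop in execution order, leaves out devices whose working state is down (the destination address modification according to working state), and resolves a packet against the Port-type, IP-type and By-pass tables in the stated priority order. The match fields, the position key, the entry layout, and the sample policies and device states are assumptions; the page does not specify them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Page: Port-type table outranks IP-type, which outranks By-pass.
PRIORITY = {"port": 3, "ip": 2, "bypass": 1}


@dataclass(frozen=True)
class Entry:
    position: str             # where the packet is now: "ingress" or a device
    table: str                # "port", "ip" or "bypass"
    dst_ip: Optional[str]     # None = wildcard
    dst_port: Optional[int]   # None = wildcard
    next_hop: str             # rewritten destination: next device or "egress"

    def matches(self, position: str, packet: Dict) -> bool:
        return (self.position == position
                and (self.dst_ip is None or self.dst_ip == packet["dst_ip"])
                and (self.dst_port is None or self.dst_port == packet["dst_port"]))


def chain_entries(policy_ip: str, policy_port: Optional[int],
                  chain: List[str], states: Dict[str, str]) -> List[Entry]:
    """One entry per hop in execution order. Devices whose working state is
    'down' are skipped, so the destination rewrite routes around them. A
    policy that names a port installs Port-type entries, otherwise IP-type."""
    table = "port" if policy_port is not None else "ip"
    up = [d for d in chain if states.get(d, "up") == "up"]
    hops = ["ingress"] + up
    nexts = up + ["egress"]
    return [Entry(pos, table, policy_ip, policy_port, nxt) for pos, nxt in zip(hops, nexts)]


def bypass_entries(positions: List[str]) -> List[Entry]:
    """Lowest-priority catch-all: traffic no policy claims goes straight out."""
    return [Entry(p, "bypass", None, None, "egress") for p in positions]


def lookup(entries: List[Entry], position: str, packet: Dict) -> Entry:
    """Highest-priority matching entry at the packet's current position."""
    cands = [e for e in entries if e.matches(position, packet)]
    if not cands:
        raise LookupError(f"no entry at {position}")
    return max(cands, key=lambda e: PRIORITY[e.table])


def steer(entries: List[Entry], packet: Dict, max_hops: int = 16) -> List[Tuple[str, str]]:
    """Pull the packet through the chain: each lookup rewrites the destination
    to the next device until an entry sends it to egress."""
    position, path = "ingress", []
    for _ in range(max_hops):
        entry = lookup(entries, position, packet)
        path.append((entry.table, entry.next_hop))
        position = entry.next_hop
        if position == "egress":
            return path
    raise RuntimeError("flow table loops")


# Constructed sample: two policies on 10.0.0.5 and a three-hop chain whose IPS is down.
STATES = {"FW-1": "up", "IPS-1": "down", "WAF-1": "up"}
ENTRIES = (chain_entries("10.0.0.5", None, ["FW-1"], STATES)                   # IP-type
           + chain_entries("10.0.0.5", 443, ["WAF-1"], STATES)                 # Port-type
           + chain_entries("10.0.0.7", 80, ["FW-1", "IPS-1", "WAF-1"], STATES)  # IPS-1 skipped
           + bypass_entries(["ingress", "FW-1", "IPS-1", "WAF-1"]))


if __name__ == "__main__":
    for ip, port in [("10.0.0.5", 443), ("10.0.0.5", 22), ("10.0.0.7", 80), ("10.0.0.9", 80)]:
        print(ip, port, steer(ENTRIES, {"dst_ip": ip, "dst_port": port}))
```

Traffic to 10.0.0.5:443 matches both the IP-type and the Port-type entry at ingress and is steered to WAF-1 because the Port table has priority; 10.0.0.5:22 matches only the IP-type entry and goes to FW-1; 10.0.0.7:80 traverses FW-1 and WAF-1 with the failed IPS-1 routed around; anything else falls through to the By-pass entry and exits unchanged.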
The aforementioned communication bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The processor may be a general-purpose processor, such as a Central Processing Unit (CPU) or a Network Processor (NP); or it may be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components.
Since the implementation and beneficial effects of each component of the electronic device in the foregoing embodiment can be understood with reference to the steps of the embodiment shown in fig. 2, the detailed working process and beneficial effects of the electronic device provided by the embodiment of the present invention are not repeated here.
In another embodiment of the present invention, a computer-readable storage medium is further provided, which stores instructions that, when executed on a computer, cause the computer to execute the setting method of security service described in any one of the above embodiments.
In a further embodiment of the present invention, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform the method for setting security services as described in any of the above embodiments.
As will be appreciated by one of skill in the art, the embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all changes and modifications that fall within the true scope of the embodiments of the present application.
It is apparent that those skilled in the art can make various changes and modifications to the embodiments of the present application without departing from the spirit and scope of the embodiments of the present application. Thus, if such modifications and variations of the embodiments of the present application fall within the scope of the claims of the embodiments of the present application and their equivalents, the embodiments of the present application are also intended to include such modifications and variations.

Claims (22)

1. A method for setting up a security service, the method comprising:
the method comprises the steps that a security service controller receives a security service request of a user, wherein the security service request comprises a security service policy and an execution sequence of security services;
determining a target host and a target security device sequence on the target host that satisfies the security service policy, according to the at least one security device configured by each host in at least one host and at least one type of security device in a target security device combination that satisfies the security service policy, wherein the target security device combination is a security device combination, in a stored first security device sequence, that satisfies the security service policy;
when adjacent security devices in the target security device sequence are configured on the target host, setting a traffic orchestration path between the adjacent security devices according to the security service policy and the execution sequence of the security service;
and steering the service traffic sequentially to each security device according to the traffic orchestration path and a target hierarchical flow table, wherein the target hierarchical flow table is a hierarchical flow table obtained by modifying the destination address of each security device, in a preset destination address modification manner, according to the execution sequence of the security service and the working state of the security device; the target hierarchical flow table comprises an Internet Protocol (IP) address type hierarchical flow table, a Port type hierarchical flow table and a bypass (By-pass) type hierarchical flow table; the priority of the Port type hierarchical flow table is greater than that of the IP address type hierarchical flow table, and the priority of the IP address type hierarchical flow table is greater than that of the By-pass type hierarchical flow table.
2. The method of claim 1, wherein determining a target host and a sequence of target security devices on the target host that satisfy the security service policy according to at least one type of security device in a combination of at least one security device configured by each of the at least one host and the target security devices that satisfy the security service policy comprises:
determining the target host using a first preset rule algorithm, according to the at least one security device configured by each host in the at least one host and the at least one type of security device in the target security device combination that satisfies the security service policy;
and determining the target security device sequence among at least one second security device sequence that satisfies the security service policy on the target host, according to a second preset rule algorithm and the position information of the security devices in the at least one second security device sequence, wherein each second security device sequence comprises at least one type of security device.
3. The method of claim 1, wherein after receiving a security service request from a user, the method further comprises:
obtaining a host in communication with the security service controller;
and determining, among those hosts, the at least one host whose remaining physical resources exceed a preset resource threshold, wherein the preset resource threshold is the amount of physical resources needed to configure a preset number of security devices.
4. The method of claim 2, wherein determining the target host according to the device information of at least one security device configured by each host in the at least one host and the device information of at least one type of security device in the target security device combination satisfying the security service policy by using a first preset rule algorithm comprises:
performing an intersection operation between the at least one security device configured by each host in the at least one host and the at least one type of security device in the target security device combination that satisfies the security service policy, to obtain a first number of common security devices;
and performing a score operation, using the first preset rule algorithm, on the second number of security devices configured by each host and the corresponding first number, to determine the target host.
5. The method of claim 4, wherein prior to obtaining the first number of shared security devices, the method further comprises:
obtaining a first security device sequence from the at least one security device configured by each host, using a preset adding principle, wherein the first security device sequence comprises at least one security device combination, and each security device combination comprises at least one type of security device;
the preset adding principle being that the security device combinations are traversed in turn, and if the type of every security device in the current security device combination differs from the type of the security device to be added, the security device to be added is added to the current security device combination; and if every security device combination already contains a security device of the type of the security device to be added, the security device to be added is added to a newly created security device combination.
6. The method of claim 4, wherein performing a score operation on the second number of the at least one security device configured for each host and the corresponding first number using a first predetermined rule algorithm to determine the target host comprises:
performing a score operation, using the first preset rule algorithm, on the second number of security devices configured by each host, the preset weight of the second number, the corresponding first number of that host, and the preset weight of the first number, to obtain a candidate score for each host, wherein the preset weight of the second number is greater than the preset weight of the first number;
and determining the host with the maximum candidate score among the at least one host as the target host.
7. The method of claim 2, wherein before determining the target security device sequence in the at least one second security device sequence according to a second predetermined rule algorithm and location information of the security device in the at least one second security device sequence satisfying the security service policy on the target host, the method further comprises:
obtaining a third security device sequence that satisfies the security service policy on the target host, wherein the third security device sequence comprises at least one type of security device set, and each type of security device set comprises at least one security device of the same type;
and performing a permutation and combination operation on each type of security device set, using a preset permutation and combination algorithm, to obtain at least one second security device sequence that satisfies the security service policy on the target host.
8. The method of claim 2 or 7, wherein determining the target security device sequence in the at least one second security device sequence according to a second preset rule algorithm and location information of a security device in the at least one second security device sequence satisfying the security service policy on the target host comprises:
performing a score operation, using a second preset rule algorithm, on the position information of the at least one type of security device in a candidate security device sequence, to obtain the candidate score of that sequence, wherein the candidate security device sequence is any one of the at least one second security device sequence;
and determining the second security device sequence with the minimum candidate score among the at least one second security device sequence as the target security device sequence.
9. The method of claim 8, wherein performing score operation on at least one type of security device in the sequence of security devices to be selected by using a second predetermined rule algorithm to obtain a score to be selected of the sequence of security devices to be selected comprises:
setting an initial candidate score of the candidate security device sequence;
detecting whether each pair of adjacent types of security device among the at least one type of security device in the candidate security device sequence is configured on the same host;
if the two adjacent types of security device are configured on the same host, adding a first value to the initial candidate score to obtain the current candidate score of those two adjacent types of security device;
if the two adjacent types of security device are not configured on the same host, adding a second value to the initial candidate score to obtain the current candidate score of those two adjacent types of security device, wherein the first value is larger than the second value;
and obtaining the candidate score of the candidate security device sequence from the current candidate scores of every pair of adjacent types of security device in the sequence, using a preset accumulation algorithm.
10. The method of claim 1, wherein the method further comprises:
and when one of the adjacent security devices is not configured on the target host, setting a traffic orchestration path between the adjacent security devices according to the security service policy, the execution sequence of the security service, and the communication connection between different hosts.
11. An arrangement for security services, the arrangement comprising: a receiving unit, a determining unit and a setting unit;
the receiving unit is used for receiving a security service request of a user, wherein the security service request comprises a security service policy and an execution sequence of security services;
the determining unit is configured to determine a target host and a target security device sequence on the target host that satisfies the security service policy, according to the at least one security device configured by each host in at least one host and at least one type of security device in a target security device combination that satisfies the security service policy, wherein the target security device combination is a security device combination, in a stored first security device sequence, that satisfies the security service policy;
the setting unit is configured to set a traffic orchestration path between adjacent security devices according to the security service policy and the execution sequence of the security service when the adjacent security devices in the target security device sequence are configured on the target host, and to steer the traffic sequentially to each security device according to the traffic orchestration path and a target hierarchical flow table, wherein the target hierarchical flow table is a hierarchical flow table obtained by modifying the destination address of each security device, in a preset destination address modification manner, according to the execution sequence of the security service and the working state of the security device; the target hierarchical flow table comprises one of an Internet Protocol (IP) address type hierarchical flow table, a Port type hierarchical flow table and a bypass (By-pass) type hierarchical flow table; the priority of the Port type hierarchical flow table is greater than that of the IP address type hierarchical flow table, and the priority of the IP address type hierarchical flow table is greater than that of the By-pass type hierarchical flow table.
12. The apparatus according to claim 11, wherein the determining unit is specifically configured to determine the target host by using a first preset rule algorithm according to at least one type of security device in a combination of at least one security device configured by each host in the at least one host and a target security device satisfying the security service policy;
and to determine the target security device sequence among at least one second security device sequence that satisfies the security service policy on the target host, according to a second preset rule algorithm and the position information of the security devices in the at least one second security device sequence, wherein each second security device sequence comprises at least one type of security device.
13. The apparatus of claim 11, further comprising a first acquisition unit;
the first acquisition unit is used for acquiring a host which is communicated with the security service platform;
the determining unit is further configured to determine, among those hosts, the at least one host whose remaining physical resources exceed a preset resource threshold, wherein the preset resource threshold is the amount of physical resources needed to configure a preset number of security devices.
14. The apparatus according to claim 12, wherein the determining unit is further specifically configured to perform an intersection operation between the at least one security device configured by each host in the at least one host and the at least one type of security device in the target security device combination that satisfies the security service policy, to obtain a first number of common security devices;
and to perform a score operation, using the first preset rule algorithm, on the second number of security devices configured by each host and the corresponding first number, to determine the target host.
15. The apparatus of claim 14, further comprising a second acquisition unit;
the second obtaining unit is configured to obtain a first security device sequence from the at least one security device configured on each of the at least one host by using a preset adding principle, where the first security device sequence includes at least one security device combination, and each security device combination includes at least one type of security device;
the preset adding principle is: traverse each security device combination, and if no security device in the current combination has the same type as the security device to be added, add the security device to be added to the current combination; if every existing combination already contains a security device of the type of the security device to be added, add the security device to be added to a newly created combination.
16. The apparatus according to claim 14, wherein the determining unit is further specifically configured to perform a score operation, using the first preset rule algorithm, on the second number of the at least one security device configured on each host, the preset weight of the second number, the first number corresponding to that host, and the preset weight of the first number, to obtain a candidate score for each host, where the preset weight of the second number is greater than the preset weight of the first number;
and to determine the host with the maximum candidate score among the at least one host as the target host.
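Claims 13 to 16 together describe a host selection procedure: filter hosts by remaining resources, count the devices each host shares with the target combination (the first number), weight that against the total devices on the host (the second number), and pick the maximum; claim 15 adds the rule for grouping a host's devices into combinations with no repeated type. The Python below is an added example, not the patent's or NSFOCUS's code. It assumes a linear weighted sum for the "score operation" (the claims only require the second number's weight to exceed the first's), counts the first number as the host's devices whose type is in the target combination, and uses constructed device types, resource units and inventory.

```python
from dataclasses import dataclass, field
from typing import List, Sequence


@dataclass
class SecurityDevice:
    name: str
    dtype: str  # device type, e.g. "waf", "ips", "fw" (constructed labels)


@dataclass
class Host:
    name: str
    free_resources: int  # remaining physical resources, abstract units (assumption)
    devices: List[SecurityDevice] = field(default_factory=list)


def eligible_hosts(hosts: Sequence[Host], threshold: int) -> List[Host]:
    """Claim 13: keep only hosts whose remaining physical resources exceed the threshold."""
    return [h for h in hosts if h.free_resources > threshold]


def group_by_adding_principle(devices: Sequence[SecurityDevice]) -> List[List[SecurityDevice]]:
    """Claim 15: each device joins the first combination that holds no device of its
    type; if every combination already has that type, it starts a new combination."""
    combos: List[List[SecurityDevice]] = []
    for dev in devices:
        for combo in combos:
            if all(d.dtype != dev.dtype for d in combo):
                combo.append(dev)
                break
        else:
            combos.append([dev])
    return combos


def first_number(host: Host, target_types: Sequence[str]) -> int:
    """Claim 14: number of the host's devices in common with the target combination."""
    wanted = set(target_types)
    return sum(1 for d in host.devices if d.dtype in wanted)


def host_score(host: Host, target_types: Sequence[str],
               w_second: float = 2.0, w_first: float = 1.0) -> float:
    """Claim 16: weighted score of the second number (devices on the host) and the
    first number. The linear sum is an assumption; w_second > w_first is required."""
    if w_second <= w_first:
        raise ValueError("weight of the second number must exceed that of the first")
    second = len(host.devices)
    return w_second * second + w_first * first_number(host, target_types)


def pick_target_host(hosts: Sequence[Host], target_types: Sequence[str], threshold: int,
                     w_second: float = 2.0, w_first: float = 1.0) -> str:
    """Claims 13, 14 and 16 combined: filter, score, take the maximum."""
    candidates = eligible_hosts(hosts, threshold)
    if not candidates:
        raise ValueError("no host has enough remaining physical resources")
    best = max(candidates, key=lambda h: host_score(h, target_types, w_second, w_first))
    return best.name


# Constructed sample inventory: host-C has the most devices but too few free resources.
HOSTS = [
    Host("host-A", 10, [SecurityDevice("waf1", "waf"), SecurityDevice("ips1", "ips"),
                        SecurityDevice("fw1", "fw"), SecurityDevice("waf2", "waf")]),
    Host("host-B", 8, [SecurityDevice("waf3", "waf"), SecurityDevice("ids1", "ids")]),
    Host("host-C", 2, [SecurityDevice("waf4", "waf"), SecurityDevice("ips2", "ips"),
                       SecurityDevice("fw2", "fw"), SecurityDevice("ids2", "ids"),
                       SecurityDevice("av1", "av")]),
]
TARGET_TYPES = ["waf", "ips"]   # target security device combination (constructed)
RESOURCE_THRESHOLD = 4          # preset resource threshold (constructed)

if __name__ == "__main__":
    for h in HOSTS:
        print(h.name, first_number(h, TARGET_TYPES), host_score(h, TARGET_TYPES))
    print("target host:", pick_target_host(HOSTS, TARGET_TYPES, RESOURCE_THRESHOLD))
    print([[d.name for d in c] for c in group_by_adding_principle(HOSTS[0].devices)])
```

With the threshold applied, host-A wins (score 11 against 5 for host-B); dropping the threshold to 0 lets host-C win on device count alone, which is exactly the case the resource filter of claim 13 exists to prevent.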
17. The apparatus of claim 12, further comprising a third acquisition unit;
the third obtaining unit is configured to obtain a third security device sequence satisfying the security service policy on the target host, where the third security device sequence includes at least one type of security device set, and each type of security device set includes at least one security device of the same type;
and to perform a permutation-and-combination operation on each type of security device set using a preset permutation-and-combination algorithm, to obtain at least one second security device sequence satisfying the security service policy on the target host.
18. The apparatus according to claim 12 or 17, wherein the determining unit is further specifically configured to perform a score operation, using the second preset rule algorithm, on the position information of the at least one type of security device in a candidate security device sequence, to obtain the candidate score of that candidate security device sequence, where the candidate security device sequence is any one of the second security device sequences;
and to determine the second security device sequence with the minimum candidate score among the at least one second security device sequence as the target security device sequence.
19. The apparatus of claim 18, further comprising a fourth acquisition unit;
the setting unit is further configured to set an initial candidate score for the candidate security device sequence;
the fourth obtaining unit is configured to detect whether each two adjacent types of security device among the at least one type of security device in the candidate security device sequence are configured on the same host;
if the two adjacent types of security device are configured on the same host, add a first value to the initial candidate score to obtain the current candidate score of those two adjacent types;
if the two adjacent types of security device are not configured on the same host, add a second value to the initial candidate score to obtain the current candidate score of those two adjacent types, where the first value is greater than the second value;
and obtain the candidate score of the candidate security device sequence from the current candidate score of each pair of adjacent types of security device in the sequence, using a preset accumulation algorithm.
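Claims 17 to 19 describe the second half of the selection: enumerate candidate sequences by choosing one device from each type set, score each sequence from whether adjacent devices share a host, and pick the minimum. The Python below is an added example, not code from the patent or from NSFOCUS. The values, the same-host rule and the minimum-selection rule follow claims 18 and 19 as written; the assumptions are that the type sets are combined in the policy's execution order, that the initial candidate score is 0, that the accumulation algorithm is a sum, and that the device sets and hosts are constructed.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class SecurityDevice:
    name: str
    dtype: str  # device type (constructed labels)
    host: str   # host the device is configured on (constructed)


def enumerate_sequences(device_sets: Dict[str, Sequence[SecurityDevice]],
                        execution_order: Sequence[str]) -> List[List[SecurityDevice]]:
    """Claim 17: one device from each type set; the Cartesian product in the policy's
    execution order is an assumption about the 'permutation and combination' step."""
    pools = [device_sets[t] for t in execution_order]
    return [list(combo) for combo in product(*pools)]


def pair_score(a: SecurityDevice, b: SecurityDevice, first_value: int, second_value: int,
               initial: int) -> int:
    """Claim 19: adjacent types on the same host add the first value, otherwise the
    second value, each on top of the initial candidate score."""
    return initial + (first_value if a.host == b.host else second_value)


def sequence_score(seq: Sequence[SecurityDevice], first_value: int = 2,
                   second_value: int = 1, initial: int = 0) -> int:
    """Claim 19, accumulation step: summing the per-pair scores is an assumption."""
    if first_value <= second_value:
        raise ValueError("first value must be greater than second value")
    return sum(pair_score(a, b, first_value, second_value, initial)
               for a, b in zip(seq, seq[1:]))


def pick_target_sequence(sequences: Sequence[Sequence[SecurityDevice]],
                         first_value: int = 2, second_value: int = 1,
                         initial: int = 0) -> List[SecurityDevice]:
    """Claim 18: the candidate sequence with the minimum candidate score."""
    if not sequences:
        raise ValueError("no candidate sequence")
    return list(min(sequences,
                    key=lambda s: sequence_score(s, first_value, second_value, initial)))


# Constructed sample: the third security device sequence as type sets.
DEVICE_SETS: Dict[str, List[SecurityDevice]] = {
    "fw":  [SecurityDevice("fw1", "fw", "host-A"), SecurityDevice("fw2", "fw", "host-B")],
    "waf": [SecurityDevice("waf1", "waf", "host-A")],
    "ips": [SecurityDevice("ips1", "ips", "host-A"), SecurityDevice("ips2", "ips", "host-B")],
}
EXECUTION_ORDER = ["fw", "waf", "ips"]  # execution order of the security services (constructed)

if __name__ == "__main__":
    for seq in enumerate_sequences(DEVICE_SETS, EXECUTION_ORDER):
        print([d.name for d in seq], sequence_score(seq))
    print("target:", [d.name for d in
                      pick_target_sequence(enumerate_sequences(DEVICE_SETS, EXECUTION_ORDER))])
```

The four candidate sequences score 4, 3, 3 and 2; the minimum-score rule of claim 18 selects fw2, waf1, ips2. Because each pair on the same host adds the larger value, the minimum is the sequence with the fewest same-host neighbours; a deployment that wants the opposite preference must swap the two values, which claim 19 does not permit, so read the claims' values literally before reusing this scoring.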
20. The apparatus of claim 11, wherein the setting unit is further configured to set a traffic orchestration path between the neighboring security devices according to the security service policy, the execution order of the security services, and communication connections between different hosts when one of the neighboring security devices is not configured on the target host.
21. An electronic device, characterized in that the electronic device comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory is configured to store a computer program;
the processor is configured to implement the method steps of any one of claims 1-10 when executing the program stored in the memory.
22. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which, when executed by a processor, carries out the method steps of any one of claims 1-10.
CN201910379447.7A 2019-05-08 2019-05-08 Method and device for setting security service Active CN110138760B (en)

Publications (2)

Publication Number Publication Date
CN110138760A CN110138760A (en) 2019-08-16
CN110138760B true CN110138760B (en) 2021-10-01

Family

ID=67576741


Country Status (1)

Country Link
CN (1) CN110138760B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112995316B (en) * 2021-02-25 2023-05-12 深信服科技股份有限公司 Data processing method, device, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106161399A (en) * 2015-04-21 2016-11-23 杭州华三通信技术有限公司 A kind of security service delivery method and system
WO2017075410A1 (en) * 2015-10-30 2017-05-04 Convida Wireless, Llc System and methods for achieving end-to-end security for hop-by-hop services
CN106685974A (en) * 2016-12-31 2017-05-17 北京神州绿盟信息安全科技股份有限公司 Establishing and providing method and device of safety protection services
CN107204980A (en) * 2017-05-25 2017-09-26 深信服科技股份有限公司 A kind of security service delivery method and system
CN108234447A (en) * 2017-12-04 2018-06-29 北京交通大学 A kind of safety regulation for heterogeneous networks security function manages system and method
CN108881207A (en) * 2018-06-11 2018-11-23 中国人民解放军战略支援部队信息工程大学 Network safety service framework and its implementation based on security service chain

Also Published As

Publication number Publication date
CN110138760A (en) 2019-08-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Applicant after: NSFOCUS Technologies Group Co.,Ltd.

Applicant after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Applicant before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Applicant before: NSFOCUS TECHNOLOGIES Inc.

GR01 Patent grant