CN111669401B - Security protection method and device for network system, computer equipment and storage medium - Google Patents


Info

Publication number
CN111669401B
Authority
CN
China
Prior art keywords
view, information, managed, vlan, network system
Legal status
Active
Application number
CN202010574819.4A
Other languages
Chinese (zh)
Other versions
CN111669401A (en)
Inventor
张华兵
吕华辉
杨航
曹小明
陈华军
Current Assignee
China Southern Power Grid Digital Power Grid Group Information Communication Technology Co ltd
Southern Power Grid Digital Grid Research Institute Co Ltd
Original Assignee
Southern Power Grid Digital Grid Research Institute Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/12 Discovery or management of network topologies
    • H04L41/50 Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L41/5041 Network service management characterised by the time relationship between creation and deployment of a service


Abstract

The application relates to a security protection method and device for a network system, computer equipment and a storage medium. The method comprises the following steps: acquiring physical network node information in a network system to be managed, where the physical network node information comprises at least one of an Internet Protocol (IP) network segment of equipment in the network system to be managed, key routing node parameters, configuration information of key routing nodes and port connection links of the key routing nodes; generating at least one target view according to the physical network node information, where the target view comprises at least one of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view; and carrying out security protection on the network system to be managed based on the target view by adopting a preset security policy micro-service. By adopting the method, the efficiency of network protection can be improved.

Description

Security protection method and device for network system, computer equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a security protection method and apparatus for a network system, a computer device, and a storage medium.
Background
Network systems are widely used in people's daily work and life. For example, government departments, enterprises, institutions, and science, education and cultural organizations all have some level of informatization, and network informatization is indispensable in organizations that have built a large number of business systems.
Generally, during the use of a network system, a professional is often required to maintain network security, for example by checking the hardware operating condition and the network communication condition of the network equipment. However, because the conventional network security maintenance method requires a professional to check the network security condition, this mode of operation makes maintenance of network security inefficient.
Disclosure of Invention
In view of the foregoing, it is desirable to provide an efficient security protection method and apparatus for a network system, a computer device, and a storage medium.
A method of securing a network system, the method comprising:
acquiring physical network node information in a network system to be managed; the physical network node information comprises at least one of an Internet Protocol (IP) network segment of equipment in the network system to be managed, key routing node parameters, configuration information of key routing nodes and port connection links of the key routing nodes;
generating at least one target view according to the physical network node information; wherein the target view comprises at least one of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view;
and carrying out security protection on the network system to be managed based on the target view by adopting a preset security policy micro-service.
In one embodiment, the performing security protection on the network system to be managed based on the target view by using a preset security policy micro-service includes:
adopting the security policy micro-service to acquire vulnerability information of the network system to be managed according to the target view, and carrying out security protection on the network system to be managed according to the vulnerability information.
In one embodiment, the adopting the security policy micro-service to obtain vulnerability information of the network system to be managed according to the target view and perform security protection on the network system to be managed according to the vulnerability information includes:
acquiring the equipment information of illegal access equipment appearing in the physical network topology view by adopting the security policy micro-service, and setting a firewall according to the equipment information of the illegal access equipment so as to perform security protection on the network system to be managed.
In one embodiment, the method further comprises:
acquiring role authority of a user; each role authority corresponds to the management authority of the target equipment in the network system to be managed;
and feeding back vulnerability information of the target equipment in the network system to be managed corresponding to the role authority to the terminal where the role authority is located.
In one embodiment, the method further comprises:
acquiring fault information of the network system to be managed according to the target view by adopting the security policy micro-service;
and displaying the fault information on a target view corresponding to the fault information.
In one embodiment, the generating at least one target view according to the physical network node information includes:
generating the physical network topology view according to the physical network node information by adopting a preset physical network topology micro-service; and/or
generating the routing topology view according to the key routing node parameters by adopting a preset routing topology view micro-service; and/or
generating the VLAN management view according to the physical network node information by adopting a preset VLAN management view micro-service; and/or
generating the VLAN topology view according to the physical network node information by adopting a preset VLAN topology view micro-service; and/or
generating the IP address management view according to the physical network node information by adopting a preset IP address management view micro-service.
In one embodiment, the primitives in the physical network topology view include a server, network equipment, security equipment and storage equipment, and the connection lines among the primitives in the physical network topology view represent the physical connection relationship, the operation information and the physical network alarm information among them;
the routing topology view comprises a routing structure and routing information which characterize the network system to be managed;
the VLAN management view comprises a VLAN structure, Hot Standby Router Protocol (HSRP) information of the VLAN and Virtual Router Redundancy Protocol (VRRP) information;
the VLAN topology view shows the attribution relation among the VLAN, the switch and the switch port, and is used for modifying the VLAN alias, the network address, the subnet mask and the subnet type based on a modification instruction;
the IP address management view is used for periodically collecting an Address Resolution Protocol (ARP) table, storing the relation data between IP addresses and hardware (MAC) addresses, and querying IP usage information based on a query instruction.
A security device for a network system, the device comprising:
the topology discovery module is used for acquiring physical network node information in a network system to be managed; the physical network node information comprises at least one of an Internet Protocol (IP) network segment of equipment in the network system to be managed, key routing node parameters, configuration information of key routing nodes and port connection links of the key routing nodes;
the target view module is used for generating at least one target view according to the physical network node information; wherein the target view comprises at least one of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view;
and the security policy module is used for adopting a preset security policy micro-service and carrying out security protection on the network system to be managed based on the target view.
A computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program:
acquiring physical network node information in a network system to be managed; the physical network node information comprises at least one of an Internet Protocol (IP) network segment of equipment in the network system to be managed, key routing node parameters, configuration information of key routing nodes and port connection links of the key routing nodes;
generating at least one target view according to the physical network node information; wherein the target view comprises at least one of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view;
and carrying out security protection on the network system to be managed based on the target view by adopting a preset security policy micro-service.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of:
acquiring physical network node information in a network system to be managed; the physical network node information comprises at least one of an Internet Protocol (IP) network segment of equipment in the network system to be managed, key routing node parameters, configuration information of key routing nodes and port connection links of the key routing nodes;
generating at least one target view according to the physical network node information; wherein the target view comprises at least one of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view;
and carrying out security protection on the network system to be managed based on the target view by adopting a preset security policy micro-service.
According to the security protection method, device, computer equipment and storage medium of the network system, the security management server obtains the physical network node information in the network system to be managed, generates at least one target view according to the physical network node information, and then performs security protection on the network system to be managed based on the target view by adopting a preset security policy micro-service. Compared with the conventional technique, in which protective measures that directly modify code cause high maintenance cost, the security policy micro-services used here allow different policies to be presented and operated in the form of separate micro-services, so that each security policy is executed independently and security protection is more convenient and faster. Meanwhile, because the security protection of the network system to be managed is carried out in the form of micro-services, different policies iterate faster, and the efficiency of network security protection is improved.
Drawings
Fig. 1 is an application environment diagram of a security protection method of a network system according to an embodiment;
fig. 2 is a flowchart illustrating a security protection method of a network system according to an embodiment;
fig. 3 is a schematic flowchart of a security protection method of a network system according to another embodiment;
FIG. 4 is a block diagram of a security device of a network system, according to an embodiment;
FIG. 5 is a block diagram of a security device of a network system according to another embodiment;
FIG. 6 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The management method of the network system provided by the application can be applied to the application environment shown in fig. 1. The security management server 102 is connected to the network system to be managed via a network; for example, the security device 104, the network device 106 and the storage device 108 each communicate with it via the network. The security management server acquires the information of each physical network node in the network system and performs security protection on the network system to be managed by adopting micro-services. The security management server 102 may be implemented by a separate server or by a server cluster composed of a plurality of servers.
Those skilled in the art will appreciate that the architecture shown in fig. 1 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
The following describes the technical solutions of the present application and how to solve the above technical problems with specific examples. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
It should be noted that the execution subject of the method embodiments described below may be a security protection device of a network system, and the device may be implemented as part of or all of the computer device described above by software, hardware, or a combination of software and hardware. The following method embodiments take the execution subject as an example of the security management server.
Fig. 1 is a flowchart illustrating a security protection method of a network system according to an embodiment. The embodiment relates to the specific process by which the security management server performs security protection of the network system to be managed. As shown in fig. 1, the method includes:
S101, acquiring physical network node information in a network system to be managed; the physical network node information includes at least one of an Internet Protocol (IP) network segment of the device in the network system to be managed, a key routing node parameter, configuration information of the key routing node, and a port connection link of the key routing node.
Specifically, the security management server can obtain the physical network node information in the network system to be managed. Alternatively, a neighbor discovery protocol may be used to obtain the physical network node information of the network system to be managed, or an existing network topology discovery tool may be used. It should be noted that the network system to be managed is a network system that needs security maintenance; it may include a security device, a network device and a storage device, and may also include other devices and loaded software, middleware, connection buses and the like. The physical network node information may include the IP network segment of each device in the network system to be managed; it may also include key routing node parameters, such as device parameters of security devices or the bandwidth of network devices; it may also include configuration information of the key routing node, which may include, but is not limited to, device type, device name, manufacturer, model, IP address of the device, and the static and dynamic routing tables of the routing node; and it may also include port connection links of the key routing nodes, such as the port identifications of connections between different key routing nodes, and so on.
S102, generating at least one target view according to the physical network node information; wherein the target view comprises at least one of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view.
Specifically, the security management server can generate different target views according to the physical network node information. The target view comprises one or more of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view. It should be noted that the physical network topology view is used to represent a network topology structure of a physical device in a network system to be managed, the routing topology view is used to represent a path of a signal in a route propagation process, the virtual local area network VLAN management view is used to represent a management relationship of devices in a VLAN, the VLAN topology view is used to represent a network topology structure of devices in the VLAN, and the IP address management view is used to represent a membership relationship between IP addresses.
S103, adopting a preset security policy micro-service, and carrying out security protection on the network system to be managed based on the target view.
Specifically, the security management server adopts a micro-service mode, that is, a preset security policy micro-service can be adopted to perform security protection on the network to be managed based on the target view. Alternatively, a security policy micro-service for accommodating the above security policies may be established in advance, where the security policies include security policies for high-risk port blocking, IP blocking, and the protocols of the session layer, application layer and so on located in layers 4 to 7 of the ISO seven-layer model (typically, layers 3 and 4 are supported by the network equipment, and layers 5 to 7 are protected by security policy hardening performed by a WAF, a software load balancer or the like). Optionally, the security management server may use the micro-service to identify and analyze the routing topology view to find a fault in which a routing path in the network system to be managed is not reachable, and then repair the fault, for example by automatically repairing the routing path according to the protection policy corresponding to the fault, so as to ensure network security and implement security protection of the network to be managed; security protection of the network to be managed can also be implemented by repairing possible vulnerabilities of newly accessed devices shown in the IP address management view.
In this embodiment, the security management server obtains physical network node information in a network system to be managed, generates at least one target view according to the physical network node information, and performs security protection on the network system to be managed based on the target view by using a preset security policy micro-service. Compared with the conventional technique, in which protective measures that directly modify code cause high maintenance cost, the security policy micro-services used here allow different policies to be presented and operated in the form of separate micro-services, so that each security policy is executed independently and security protection is more convenient and faster. Meanwhile, because the security protection of the network system to be managed is carried out in the form of micro-services, different policies iterate faster, and the efficiency of network security protection is improved.
Optionally, one possible implementation of the foregoing S103 may include: adopting the security policy micro-service to acquire vulnerability information of the network system to be managed according to the target view, and carrying out security protection on the network system to be managed according to the vulnerability information. Specifically, the security management server uses the security policy micro-service to obtain vulnerability information of the network system to be managed according to one or more target views; for example, according to the parameters of a node in the physical network topology view, it determines that the device access protocol of that node has a vulnerability, and thus obtains the specific information of the vulnerability. The specific information of the vulnerability may include, but is not limited to, an identified high-risk port, together with a check of which devices in the network system to be managed expose that high-risk port without an effective security policy configured, so that the influence range across the whole network is obtained; or, for example, a firmware vulnerability of devices in the network system to be managed, together with the number of affected devices and their distribution range in the network system to be managed. The network system to be managed is then repaired according to preset repair policies corresponding to the different vulnerability types. By adopting this method, the vulnerability information existing in the network can be identified and repaired, the security of the network system to be managed is further ensured, and security protection is realized.
Optionally, one possible implementation of the foregoing step of adopting the security policy micro-service, obtaining vulnerability information of the network system to be managed according to the target view, and performing security protection on the network system to be managed according to the vulnerability information may include: acquiring the security risk information of an illegal access device appearing in the physical network topology view by adopting the security micro-service, and setting a firewall according to the security risk information of the illegal access device so as to perform security protection on the network system to be managed. Specifically, the security management server can adopt the security policy micro-service to acquire the security risk information of the illegal access device appearing in the physical network topology view, and set a corresponding firewall based on the security risk of the device, that is, issue a security policy to devices such as the firewall so that it takes effect, thereby implementing security protection of the network system to be managed.
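The steps S101 to S103 for the "illegal access device" case, as an added example that is not code from the patent: a physical network topology view is built from constructed node information and port links, devices that are absent from the asset inventory or outside every managed segment are identified, and a deny rule per device is produced together with the switch port it hangs off. The segment list, inventory, node names and rule fields are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample data (assumption, not from the patent): the managed IP
# segments and the asset inventory (MAC -> device name) that the security
# management server already holds for the network system to be managed.
MANAGED_SEGMENTS = [ip_network("10.10.1.0/24"), ip_network("10.10.2.0/24")]
INVENTORY = {
    "aa:bb:cc:00:00:01": "core-sw-1",
    "aa:bb:cc:00:00:02": "fw-1",
    "aa:bb:cc:00:00:03": "app-srv-1",
    "aa:bb:cc:00:00:04": "san-1",
}


@dataclass(frozen=True)
class Node:
    """One physical network node as discovered in step S101."""
    name: str
    kind: str   # "server", "network", "security", "storage" or "unknown"
    ip: str
    mac: str


@dataclass
class TopologyView:
    """Physical network topology view (step S102): nodes, port links, alarms."""
    nodes: dict = field(default_factory=dict)   # name -> Node
    links: list = field(default_factory=list)   # (node_a, port_a, node_b, port_b)
    alarms: list = field(default_factory=list)  # physical network alarm text


def build_topology(nodes, port_links):
    """Build the view from node information and port connection links. A link
    that references a node missing from the node list becomes an alarm."""
    view = TopologyView()
    for node in nodes:
        view.nodes[node.name] = node
    for a, port_a, b, port_b in port_links:
        if a not in view.nodes or b not in view.nodes:
            view.alarms.append(f"link {a}:{port_a} <-> {b}:{port_b} references an unknown node")
            continue
        view.links.append((a, port_a, b, port_b))
    return view


def unauthorized_devices(view):
    """Illegal access devices: present in the topology view but either not in
    the asset inventory or addressed outside every managed IP segment."""
    found = []
    for node in view.nodes.values():
        known = node.mac.lower() in INVENTORY
        in_segment = any(ip_address(node.ip) in seg for seg in MANAGED_SEGMENTS)
        if not (known and in_segment):
            found.append(node)
    return found


def attachment_points(view, name):
    """(peer, peer_port) pairs where the named node is physically attached,
    i.e. the switch ports an operator would disable."""
    points = []
    for a, port_a, b, port_b in view.links:
        if a == name:
            points.append((b, port_b))
        elif b == name:
            points.append((a, port_a))
    return points


def firewall_rules(view):
    """Step S103 for the illegal-access case: one deny rule per unauthorized
    device, carrying what is needed to issue it to the firewall."""
    rules = []
    for node in unauthorized_devices(view):
        rules.append({
            "action": "deny",
            "src_ip": node.ip,
            "src_mac": node.mac,
            "dst": "any",
            "attached_to": attachment_points(view, node.name),
            "reason": "device not in asset inventory or outside managed segments",
        })
    return rules


def sample_view():
    """Constructed sample: four inventoried devices plus one unknown host that
    appeared on an access port of core-sw-1."""
    nodes = [
        Node("core-sw-1", "network", "10.10.1.1", "aa:bb:cc:00:00:01"),
        Node("fw-1", "security", "10.10.1.2", "aa:bb:cc:00:00:02"),
        Node("app-srv-1", "server", "10.10.1.20", "aa:bb:cc:00:00:03"),
        Node("san-1", "storage", "10.10.2.10", "aa:bb:cc:00:00:04"),
        Node("host-7f3a", "unknown", "10.10.1.200", "de:ad:be:ef:00:01"),
    ]
    links = [
        ("core-sw-1", "Gi1/0/1", "fw-1", "eth0"),
        ("core-sw-1", "Gi1/0/2", "app-srv-1", "eno1"),
        ("core-sw-1", "Gi1/0/3", "san-1", "p1"),
        ("core-sw-1", "Gi1/0/7", "host-7f3a", "eth0"),
    ]
    return build_topology(nodes, links)


if __name__ == "__main__":
    for rule in firewall_rules(sample_view()):
        print(rule)
```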
Optionally, on the basis of the foregoing embodiments, as shown in fig. 3, the method further includes:
S104, acquiring role authority of a user; each role authority corresponds to the management authority of the target equipment in the network system to be managed.
S105, feeding back vulnerability information of the target equipment in the network system to be managed corresponding to the role authority to the terminal where the role authority is located.
Specifically, the security management server can also obtain the role authority corresponding to the user's login account; the role authority corresponds to the user's management authority over the various target devices in the network system to be managed, such as information acquisition authority or configuration modification authority, and monitoring and management authority over different types of vulnerability information. The target device may be any device to be monitored in the network system to be managed. The security management server also feeds back the vulnerability information of the target devices in the network system to be managed that correspond to the role authority to the terminal where the role authority is located; for example, when a kernel vulnerability of the operating system of a certain device in the network system to be managed is disclosed, the influence range and the number of affected devices for which the corresponding asset manager is responsible are pushed to that asset manager's terminal, so that the asset manager can further make and carry out a work plan. In this embodiment, by acquiring the role authorities of users and feeding the vulnerability information of the corresponding target devices back to the terminal where each role authority is located, the security management server enables users with different role authorities to obtain the relevant vulnerability information in time, so that vulnerability information is managed based on the users' management authority, classified and graded protection is realized, the security protection of the network system to be managed is more reasonable, and network security is further improved.
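Steps S104 and S105 as an added example that is not the patent's code: role authorities are modelled as the device types a role manages, each vulnerability lists the device types it affects, and the feedback for a role is the count and per-site distribution of affected devices among those it is responsible for. The role table, device records and vulnerability identifiers are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed role authorities (assumption): each role may manage the device
# types listed, which is what scopes the vulnerability feedback it receives.
ROLE_AUTHORITY = {
    "server-admin": {"server"},
    "network-admin": {"network", "security"},
    "storage-admin": {"storage"},
}


@dataclass(frozen=True)
class Device:
    name: str
    dev_type: str
    site: str


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str              # placeholder identifier, not a real advisory
    affected_types: frozenset  # device types the vulnerability applies to
    severity: str


def affected_devices(vuln, devices):
    """All devices in the network system to be managed that the vulnerability affects."""
    return [d for d in devices if d.dev_type in vuln.affected_types]


def feedback_for_role(role, devices, vulns):
    """Vulnerability information scoped to one role authority: for every
    vulnerability touching a device type the role manages, the number of
    affected devices and their distribution (site -> device names)."""
    managed_types = ROLE_AUTHORITY.get(role, set())
    report = {}
    for vuln in vulns:
        hits = [d for d in affected_devices(vuln, devices) if d.dev_type in managed_types]
        if not hits:
            continue
        by_site = defaultdict(list)
        for d in hits:
            by_site[d.site].append(d.name)
        report[vuln.vuln_id] = {
            "severity": vuln.severity,
            "count": len(hits),
            "range": dict(by_site),
        }
    return report


def push_to_terminals(devices, vulns):
    """One feedback message per role, i.e. per asset manager terminal."""
    return {role: feedback_for_role(role, devices, vulns) for role in ROLE_AUTHORITY}


# Constructed sample asset list and vulnerability feed.
SAMPLE_DEVICES = [
    Device("app-srv-1", "server", "site-a"),
    Device("app-srv-2", "server", "site-b"),
    Device("core-sw-1", "network", "site-a"),
    Device("fw-1", "security", "site-a"),
    Device("san-1", "storage", "site-b"),
]
SAMPLE_VULNS = [
    Vulnerability("VULN-KERNEL-PLACEHOLDER", frozenset({"server"}), "high"),
    Vulnerability("VULN-FIRMWARE-PLACEHOLDER", frozenset({"security", "network"}), "medium"),
]

if __name__ == "__main__":
    for role, report in push_to_terminals(SAMPLE_DEVICES, SAMPLE_VULNS).items():
        print(role, report)
```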
Optionally, on the basis of the foregoing embodiments, the method may further include: acquiring fault information of the network system to be managed according to the target view by adopting the safety strategy service; and displaying the fault information on a target view corresponding to the fault information.
Optionally, on the basis of the foregoing embodiments, one possible implementation manner of step S102 may include at least one of the following steps: generating the physical network topology view according to the physical network node information by adopting a preset physical network topology micro-service; generating the routing topology view according to the key routing node parameters by adopting a preset routing topology view micro-service; generating the VLAN management view according to the physical network node information by adopting a preset VLAN management view micro-service; generating the VLAN topological view according to the physical network node information by adopting a preset VLAN topological view micro-service; and generating the IP address management view according to the physical network node information by adopting a preset IP address management view micro-service. Specifically, the security management server may identify the acquisition mode of the target view by using a micro service mode, which may include generating a physical network topology view according to physical network node information by using a preset physical network topology micro service; generating a routing topology view according to key routing node parameters by adopting a preset routing topology view micro-service; generating a VLAN management view according to physical network node information by adopting a preset VLAN management view micro-service; generating a VLAN topological view according to physical network node information by adopting a preset VLAN topological view micro-service; and generating an IP address management view according to the physical network node information by adopting a preset IP address management view micro-service. 
By adopting the method to obtain various target views, different target views can be obtained in the form of each micro service, so that the method is more convenient and quicker, the iteration of the micro services of different types of target views is quicker, the obtaining efficiency and the accuracy of the target views are improved, and therefore, the protection efficiency of network security is improved and the security of a network system is enhanced.
Optionally, on the basis of the foregoing embodiments, the primitives in the physical network topology view include the following: the connection lines among the graphic elements in the physical network topology view represent the physical connection relationships and operation information among the servers, network devices, security devices and storage devices, such as signal flow direction and physical network alarm information; the routing topology view includes the routing structure and routing information characterizing the network system to be managed; the VLAN management view includes the VLAN structure and the Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP) information of the VLANs; the VLAN topology view shows the attribution relationship among VLANs, switches and switch ports, and is used for modifying the VLAN alias, network address, subnet mask and subnet type based on a modification instruction; and the IP address management view is used for periodically collecting the Address Resolution Protocol (ARP) table, storing the relation data between IP addresses and hardware (MAC) addresses, and querying IP usage information based on a query instruction.
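As an added example (not code from the patent or its applicant), the following Python sketch implements the IP address management view described above: it parses a constructed ARP table in the style of Linux `arp -n` output, stores the IP-to-MAC relation data across periodic collection rounds, answers a query for a given IP, and reports any IP whose MAC address changed between rounds, which is the kind of anomaly a defender would want this view to surface (in the second constructed round the gateway 10.0.1.1 appears with a different MAC). The class and function names are assumptions, and the in-memory dictionaries stand in for the database the patent mentions.

```python
"""IP address management view: periodic ARP collection, IP<->MAC relation store,
query by IP, and detection of an IP whose MAC changed between rounds.
Added example, not the patent's code; names are assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample: two successive collection rounds of an ARP table,
# formatted like Linux `arp -n` output (Address, HWtype, HWaddress, Flags, Iface).
ARP_ROUND_1 = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.1.1                 ether   00:11:22:33:44:01   C                     eth0
10.0.1.20                ether   00:11:22:33:44:20   C                     eth0
10.0.1.21                ether   00:11:22:33:44:21   C                     eth0
"""
ARP_ROUND_2 = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.1.1                 ether   aa:bb:cc:dd:ee:ff   C                     eth0
10.0.1.20                ether   00:11:22:33:44:20   C                     eth0
10.0.1.30                ether   00:11:22:33:44:30   C                     eth0
"""

# One complete entry: IPv4 address, hardware type "ether", then a 6-octet MAC.
ARP_LINE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+ether\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s", re.I
)


def parse_arp_table(text):
    """Return {ip: mac} from `arp -n` style text; the header and incomplete entries are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries[m.group(1)] = m.group(2).lower()  # normalise MAC case
    return entries


@dataclass
class IPAddressView:
    """Stores IP<->MAC relation data across collection rounds (stand-in for the patent's database)."""
    current: dict = field(default_factory=dict)    # ip -> mac last seen for that ip
    history: dict = field(default_factory=dict)    # ip -> [(round, mac), ...] on every change
    last_seen: dict = field(default_factory=dict)  # ip -> round in which it was last present
    rounds: int = 0

    def collect(self, arp_text):
        """One periodic collection. Returns [(ip, old_mac, new_mac)] for IPs whose MAC changed.
        Entries absent from a round are retained; ageing them out is left to the caller."""
        self.rounds += 1
        changes = []
        for ip, mac in parse_arp_table(arp_text).items():
            old = self.current.get(ip)
            if old is not None and old != mac:
                changes.append((ip, old, mac))     # a gateway MAC change is worth alerting on
            if old != mac:
                self.history.setdefault(ip, []).append((self.rounds, mac))
            self.current[ip] = mac
            self.last_seen[ip] = self.rounds
        return changes

    def query(self, ip):
        """IP usage information for a query instruction: current MAC, when last seen, MACs over time."""
        return {
            "ip": ip,
            "mac": self.current.get(ip),
            "last_seen": self.last_seen.get(ip),
            "history": self.history.get(ip, []),
        }


def demo():
    """Run the two constructed rounds and return the view and the detected MAC changes."""
    view = IPAddressView()
    view.collect(ARP_ROUND_1)
    changes = view.collect(ARP_ROUND_2)
    return view, changes


if __name__ == "__main__":
    v, c = demo()
    print("MAC changes:", c)
    print("query 10.0.1.1:", v.query("10.0.1.1"))
```

In a deployment the `arp_text` would come from the collector that the micro-service runs on each switch or gateway, and the `changes` list is the natural input to the alarm information shown on the topology view.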
It should be understood that although the steps in the flow charts of fig. 2-3 are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and described and may be performed in other orders. Moreover, at least some of the steps in fig. 2-3 may comprise multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed in sequence but may be performed in turn or alternately with other steps or with at least some of the sub-steps of other steps.
In one embodiment, as shown in fig. 4, there is provided a security device of a network system, including:
a topology discovery module 100, configured to obtain information of a physical network node in a network system to be managed; the physical network node information comprises at least one of an Internet Protocol (IP) network segment of equipment in the network system to be managed, key routing node parameters, configuration information of key routing nodes and port connection links of the key routing nodes;
a target view module 200, configured to generate at least one target view according to the physical network node information; wherein the target view comprises at least one of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view;
and the security policy module 300 is configured to perform security protection on the network system to be managed based on the target view by using a preset security policy service.
In an embodiment, the security policy module 300 is specifically configured to adopt the security policy service, obtain vulnerability information of the network system to be managed according to the target view, and perform security protection on the network system to be managed according to the vulnerability information.
In an embodiment, the security policy module 300 is specifically configured to acquire, by using the security microservice, device information of an illegal access device appearing in the physical network topology view, and set a firewall according to the device information of the illegal access device, so as to perform security protection on the network system to be managed.
In one embodiment, the apparatus further comprises: the feedback module is used for acquiring the role authority of the user; each role authority corresponds to the management authority of the target equipment in the network system to be managed; and feeding back the vulnerability information of the target equipment in the network system to be managed corresponding to the role authority to the terminal where the role authority is located.
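The two behaviours just described, flagging an illegal access device that appears in the physical topology view and feeding vulnerability information back only within a user's role authority, as one added Python example that is not the patent's own code. The asset inventory, topology snapshot, vulnerability records (with placeholder identifiers) and role scopes are all constructed, and the firewall rules are emitted as structured records rather than sent to a real firewall, since the patent does not specify the firewall interface; all names are assumptions.

```python
"""Security policy service behaviours from the device embodiment, as an added example
(not the patent's code): an unregistered device in the topology view yields a deny rule,
and vulnerability feedback is scoped to the requesting role's management authority."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    kind: str  # "server", "network", "security" or "storage"


# Constructed asset inventory of the network system to be managed, keyed by MAC.
INVENTORY = {
    "00:11:22:33:44:01": Device("10.0.1.1", "00:11:22:33:44:01", "network"),
    "00:11:22:33:44:20": Device("10.0.1.20", "00:11:22:33:44:20", "server"),
    "00:11:22:33:44:21": Device("10.0.1.21", "00:11:22:33:44:21", "storage"),
}

# Constructed snapshot of devices present in the physical topology view (mac -> ip).
TOPOLOGY_VIEW = {
    "00:11:22:33:44:01": "10.0.1.1",
    "00:11:22:33:44:20": "10.0.1.20",
    "de:ad:be:ef:00:01": "10.0.1.99",  # constructed: not registered in the inventory
}

# Constructed vulnerability information; identifiers are placeholders, not real advisories.
VULNS = [
    {"ip": "10.0.1.1", "id": "VULN-PLACEHOLDER-1", "severity": "high", "title": "outdated firmware"},
    {"ip": "10.0.1.20", "id": "VULN-PLACEHOLDER-2", "severity": "medium", "title": "weak cipher suite"},
    {"ip": "10.0.1.21", "id": "VULN-PLACEHOLDER-3", "severity": "low", "title": "verbose banner"},
]

# Constructed role authority: the device kinds each role is allowed to manage.
ROLE_SCOPES = {
    "network_admin": {"network", "security"},
    "server_admin": {"server"},
    "auditor": {"network", "security", "server", "storage"},
}


def find_illegal_devices(topology, inventory):
    """Devices seen in the topology view whose MAC is not in the asset inventory."""
    return [(mac, ip) for mac, ip in topology.items() if mac not in inventory]


def firewall_rules_for(illegal):
    """Build deny rules as structured records; pushing them to a firewall is out of scope here."""
    return [
        {"action": "deny", "src_ip": ip, "src_mac": mac, "reason": "device not in asset inventory"}
        for mac, ip in illegal
    ]


def vulnerabilities_for_role(role, vulns, inventory, role_scopes):
    """Return only the vulnerability records for devices the role may manage.
    An unknown role has an empty scope, so it receives nothing (deny by default)."""
    kinds = role_scopes.get(role, set())
    ip_to_kind = {d.ip: d.kind for d in inventory.values()}
    return [v for v in vulns if ip_to_kind.get(v["ip"]) in kinds]


if __name__ == "__main__":
    illegal = find_illegal_devices(TOPOLOGY_VIEW, INVENTORY)
    print("firewall rules:", firewall_rules_for(illegal))
    for role in ROLE_SCOPES:
        print(role, "->", [v["id"] for v in vulnerabilities_for_role(role, VULNS, INVENTORY, ROLE_SCOPES)])
```

The scoping function keys on the inventory rather than on the vulnerability record itself, so a record for a device that is no longer registered is withheld from every role, which is the safer default for a feedback channel.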
In one embodiment, the feedback module is further configured to obtain, by using the security policy micro-service, fault information of the network system to be managed according to the target view, and to display the fault information on the target view corresponding to the fault information.
In an embodiment, the target view module 200 is specifically configured to generate the physical network topology view according to the physical network node information by using a preset physical network topology microservice; and/or generating the routing topology view according to the key routing node parameters by adopting a preset routing topology view microservice; and/or generating the VLAN management view according to the physical network node information by adopting a preset VLAN management view micro-service; and/or generating the VLAN topological view according to the physical network node information by adopting a preset VLAN topological view micro-service; and/or generating the IP address management view according to the physical network node information by adopting a preset IP address management view micro-service.
In one embodiment, the primitives in the physical network topology view include the following: the connection lines among the graphic elements in the physical network topology view represent the physical connection relationships, operation information and physical network alarm information among the servers, network devices, security devices and storage devices; the routing topology view includes the routing structure and routing information characterizing the network system to be managed; the VLAN management view includes the VLAN structure and the Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP) information of the VLANs; the VLAN topology view shows the attribution relationship among VLANs, switches and switch ports, and is used for modifying the VLAN alias, network address, subnet mask and subnet type based on a modification instruction; and the IP address management view is used for periodically collecting the Address Resolution Protocol (ARP) table, storing the relation data between IP addresses and hardware (MAC) addresses, and querying IP usage information based on a query instruction.
In one embodiment, the structure of the security management server may also be as shown in fig. 5.
For specific limitations of the security protection apparatus of the network system, reference may be made to the above limitations of the security protection method of the network system, which are not described herein again. The modules in the security device of the network system may be implemented in whole or in part by software, hardware, and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 6. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing physical network node information. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a method of securing a network system.
Those skilled in the art will appreciate that the architecture shown in fig. 6 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply; a particular computing device may include more or fewer components than those shown, may combine certain components, or may have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
acquiring physical network node information in a network system to be managed; the physical network node information comprises at least one of an Internet Protocol (IP) network segment of equipment in the network system to be managed, key routing node parameters, configuration information of key routing nodes and port connection links of the key routing nodes;
generating at least one target view according to the physical network node information; wherein the target view comprises at least one of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view;
and adopting a preset security policy micro-service, and carrying out security protection on the network system to be managed based on the target view.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
and adopting the security policy service, acquiring vulnerability information of the network system to be managed according to the target view, and carrying out security protection on the network system to be managed according to the vulnerability information.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
and acquiring the equipment information of the illegal access equipment appearing in the physical network topology view by adopting the security micro-service, and setting a firewall according to the equipment information of the illegal access equipment so as to perform security protection on the network system to be managed.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
acquiring role authority of a user; each role authority corresponds to the management authority of the target equipment in the network system to be managed;
and feeding back vulnerability information of the target equipment in the network system to be managed corresponding to the role authority to the terminal where the role authority is located.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
acquiring fault information of the network system to be managed according to the target view by adopting the security policy micro-service;
and displaying the fault information on a target view corresponding to the fault information.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
generating the physical network topology view according to the physical network node information by adopting a preset physical network topology micro-service; and/or
Generating the routing topology view according to the key routing node parameters by adopting a preset routing topology view micro-service; and/or
Generating the VLAN management view according to the physical network node information by adopting a preset VLAN management view micro-service; and/or
Generating the VLAN topological view according to the physical network node information by adopting a preset VLAN topological view micro-service; and/or
And generating the IP address management view according to the physical network node information by adopting a preset IP address management view micro-service.
In one embodiment, the primitives in the physical network topology view include: the connection lines among the graphic elements in the physical network topology view are used for representing the physical connection relationship, the operation information and the physical network alarm information among the server, the network equipment, the safety equipment and the storage equipment;
the routing topology view comprises a routing structure and routing information which characterize the network system to be managed;
the VLAN management view comprises the VLAN structure and the Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP) information of the VLANs;
the VLAN topological view shows the attribution relationship among VLANs, switches and switch ports, and is used for modifying the VLAN alias, network address, subnet mask and subnet type based on a modification instruction;
the IP address management view is used for periodically collecting the Address Resolution Protocol (ARP) table, storing the relation data between IP addresses and hardware (MAC) addresses, and querying IP usage information based on a query instruction.
It should be clear that, in the embodiments of the present application, the process of executing the computer program by the processor is consistent with the process of executing the steps in the above method, and specific reference may be made to the description above.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
acquiring physical network node information in a network system to be managed; the physical network node information comprises at least one of an Internet Protocol (IP) network segment of equipment in the network system to be managed, key routing node parameters, configuration information of key routing nodes and port connection links of the key routing nodes;
generating at least one target view according to the physical network node information; wherein the target view comprises at least one of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view;
and adopting a preset security policy micro-service, and carrying out security protection on the network system to be managed based on the target view.
In one embodiment, the computer program when executed by the processor further performs the steps of:
and adopting the security policy service, acquiring vulnerability information of the network system to be managed according to the target view, and carrying out security protection on the network system to be managed according to the vulnerability information.
In one embodiment, the computer program when executed by the processor further performs the steps of:
and acquiring the equipment information of the illegal access equipment appearing in the physical network topology view by adopting the security micro-service, and setting a firewall according to the equipment information of the illegal access equipment so as to perform security protection on the network system to be managed.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring role authority of a user; each role authority corresponds to the management authority of the target equipment in the network system to be managed;
and feeding back vulnerability information of the target equipment in the network system to be managed corresponding to the role authority to the terminal where the role authority is located.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring fault information of the network system to be managed according to the target view by adopting the security policy micro-service;
and displaying the fault information on a target view corresponding to the fault information.
In one embodiment, the computer program when executed by the processor further performs the steps of:
generating the physical network topology view according to the physical network node information by adopting a preset physical network topology micro-service; and/or
Generating the routing topology view according to the key routing node parameters by adopting a preset routing topology view micro-service; and/or
Generating the VLAN management view according to the physical network node information by adopting a preset VLAN management view micro-service; and/or
Generating the VLAN topological view according to the physical network node information by adopting a preset VLAN topological view micro-service; and/or
And generating the IP address management view according to the physical network node information by adopting a preset IP address management view micro-service.
In one embodiment, the primitives in the physical network topology view include: the connection lines among the graphic elements in the physical network topology view are used for representing the physical connection relationship, the operation information and the physical network alarm information among the server, the network equipment, the safety equipment and the storage equipment;
the routing topology view comprises a routing structure and routing information which characterize the network system to be managed;
the VLAN management view comprises the VLAN structure and the Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP) information of the VLANs;
the VLAN topological view shows the attribution relationship among VLANs, switches and switch ports, and is used for modifying the VLAN alias, network address, subnet mask and subnet type based on a modification instruction;
the IP address management view is used for periodically collecting the Address Resolution Protocol (ARP) table, storing the relation data between IP addresses and hardware (MAC) addresses, and querying IP usage information based on a query instruction.
It should be clear that, in the embodiments of the present application, the process carried out when the processor executes the computer program is consistent with the execution of the steps of the above method, and specific reference may be made to the description above.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, storage, a database or another medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical storage, or the like. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments express only several embodiments of the present application, and although their description is specific and detailed, it is not to be understood as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (14)

1. A method for securing a network system, the method comprising:
acquiring physical network node information in a network system to be managed; the physical network node information comprises at least one of an Internet Protocol (IP) network segment of equipment in the network system to be managed, key routing node parameters, configuration information of key routing nodes and port connection links of the key routing nodes;
generating at least one target view according to the physical network node information; adopting a preset security policy micro-service, and carrying out security protection on the network system to be managed based on the target view;
wherein the target view comprises at least one of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view;
generating at least one target view according to the physical network node information, including:
generating the physical network topology view according to the physical network node information by adopting a preset physical network topology micro-service; and/or
Generating the routing topology view according to the key routing node parameters by adopting a preset routing topology view micro-service; and/or
Generating the VLAN management view according to the physical network node information by adopting a preset VLAN management view micro-service; and/or
Generating the VLAN topological view according to the physical network node information by adopting a preset VLAN topological view micro-service; and/or
And generating the IP address management view according to the physical network node information by adopting a preset IP address management view micro-service.
2. The method according to claim 1, wherein the employing the preset security policy service to perform security protection on the network system to be managed based on the target view comprises:
and adopting the security policy service, acquiring vulnerability information of the network system to be managed according to the target view, and carrying out security protection on the network system to be managed according to the vulnerability information.
3. The method according to claim 2, wherein the using the security policy micro-service, acquiring vulnerability information of the network system to be managed according to the target view, and performing security protection on the network system to be managed according to the vulnerability information includes:
and adopting the security policy micro-service, acquiring the equipment information of the illegal access equipment appearing in the physical network topology view, and setting a firewall according to the equipment information of the illegal access equipment so as to perform security protection on the network system to be managed.
4. The method of claim 2, further comprising:
acquiring role authority of a user; each role authority corresponds to the management authority of the target equipment in the network system to be managed;
and feeding back vulnerability information of the target equipment in the network system to be managed corresponding to the role authority to the terminal corresponding to the role authority.
5. The method of claim 2, further comprising:
acquiring fault information of the network system to be managed according to the target view by adopting the security policy micro-service;
and displaying the fault information on a target view corresponding to the fault information.
6. The method according to any of claims 1 to 5, wherein the primitives in the physical network topology view comprise: the connection lines among the graphic elements in the physical network topology view are used for representing the physical connection relationship, the operation information and the physical network alarm information among the server, the network equipment, the safety equipment and the storage equipment;
the routing topology view comprises a routing structure and routing information which characterize the network system to be managed;
the VLAN management view comprises the VLAN structure and the Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP) information of the VLANs;
the VLAN topological view shows the attribution relationship among VLANs, switches and switch ports, and is used for modifying the VLAN alias, network address, subnet mask and subnet type based on a modification instruction;
the IP address management view is used for periodically collecting the Address Resolution Protocol (ARP) table, storing the relation data between IP addresses and hardware (MAC) addresses, and querying IP usage information based on a query instruction.
7. A security apparatus for a network system, the apparatus comprising:
the topology discovery module is used for acquiring physical network node information in a network system to be managed; the physical network node information comprises at least one of an Internet Protocol (IP) network segment of equipment in the network system to be managed, key routing node parameters, configuration information of key routing nodes and port connection links of the key routing nodes;
the target view module is used for generating at least one target view according to the physical network node information; the security policy module is used for adopting a preset security policy micro-service and carrying out security protection on the network system to be managed based on the target view; the target view comprises at least one of a physical network topology view, a routing topology view, a Virtual Local Area Network (VLAN) management view, a VLAN topology view and an IP address management view;
the target view module is further configured to generate the physical network topology view according to the physical network node information by using a preset physical network topology microservice; and/or
Generating the routing topology view according to the key routing node parameters by adopting a preset routing topology view micro-service; and/or
Generating the VLAN management view according to the physical network node information by adopting a preset VLAN management view micro-service; and/or
Generating the VLAN topological view according to the physical network node information by adopting a preset VLAN topological view micro-service; and/or
And generating the IP address management view according to the physical network node information by adopting a preset IP address management view micro-service.
8. The apparatus of claim 7,
the security policy module is further configured to use the security policy service to obtain vulnerability information of the network system to be managed according to the target view, and perform security protection on the network system to be managed according to the vulnerability information.
9. The apparatus of claim 8,
the security policy module is further configured to use the security policy micro-service, acquire device information of the illegal access device appearing in the physical network topology view, and set a firewall according to the device information of the illegal access device, so as to perform security protection on the network system to be managed.
10. The apparatus of claim 8, further comprising:
the feedback module is used for acquiring the role authority of the user; each role authority corresponds to the management authority of the target equipment in the network system to be managed;
and feeding back vulnerability information of the target equipment in the network system to be managed corresponding to the role authority to the terminal corresponding to the role authority.
11. The apparatus of claim 8,
the feedback module is used for acquiring the fault information of the network system to be managed according to the target view by adopting the security policy micro-service, and displaying the fault information on the target view corresponding to the fault information.
12. The apparatus according to any of claims 7 to 11, wherein the primitives in the physical network topology view comprise: the connection lines among the graphic elements in the physical network topology view are used for representing the physical connection relationship, the operation information and the physical network alarm information among the server, the network equipment, the safety equipment and the storage equipment;
the routing topology view comprises a routing structure and routing information which characterize the network system to be managed;
the VLAN management view comprises the VLAN structure and the Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP) information of the VLANs;
the VLAN topological view shows the attribution relationship among VLANs, switches and switch ports, and is used for modifying the VLAN alias, network address, subnet mask and subnet type based on a modification instruction;
the IP address management view is used for periodically collecting the Address Resolution Protocol (ARP) table, storing the relation data between IP addresses and hardware (MAC) addresses, and querying IP usage information based on a query instruction.
13. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 6.
14. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 6.
CN202010574819.4A 2020-06-22 2020-06-22 Security protection method and device for network system, computer equipment and storage medium Active CN111669401B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010574819.4A CN111669401B (en) 2020-06-22 2020-06-22 Security protection method and device for network system, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111669401A CN111669401A (en) 2020-09-15
CN111669401B true CN111669401B (en) 2022-05-13

Family

ID=72389218

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010574819.4A Active CN111669401B (en) 2020-06-22 2020-06-22 Security protection method and device for network system, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111669401B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220171649A1 (en) * 2020-11-30 2022-06-02 Juniper Networks, Inc. Extending a software defined network between public cloud computing architecture and a data center
CN113765708B (en) * 2021-08-19 2022-06-07 东北大学 VLAN configuration comprehensive method based on DSL
CN113726813B (en) * 2021-09-09 2023-08-15 海尔数字科技(青岛)有限公司 Network security configuration method, device and storage medium
CN115102865A (en) * 2022-06-27 2022-09-23 李泽宾 Network security device topology management method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107483222A (en) * 2016-06-08 2017-12-15 中兴通讯股份有限公司 Management method and network management system for virtual network functions based on micro-services
CN109587071A (en) * 2018-11-30 2019-04-05 北京工业大学 Micro services load-balancing method based on SDN
CN110266716A (en) * 2019-06-24 2019-09-20 中国南方电网有限责任公司 Power grid unitary service platform system
CN110651451A (en) * 2017-05-24 2020-01-03 瑞典爱立信有限公司 Routing table selection in policy-based routing systems
CN111108733A (en) * 2017-07-31 2020-05-05 阿姆多克斯发展公司 System, method and computer program for providing security in Network Function Virtualization (NFV) -based communication networks and Software Defined Networks (SDNS)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10129078B2 (en) * 2014-10-30 2018-11-13 Equinix, Inc. Orchestration engine for real-time configuration and management of interconnections within a cloud-based services exchange
CN106533804A (en) * 2016-12-22 2017-03-22 Chengdu Xijia Yunshan Technology Co., Ltd. Network operation support system
CN106850611B (en) * 2017-01-25 2020-04-10 Liaoning Zhongkexin Technology Co., Ltd. Cross-system Internet of Things secure communication technology service platform method

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107483222A (en) * 2016-06-08 2017-12-15 ZTE Corporation Management method and network management system for virtual network functions based on microservices
CN110651451A (en) * 2017-05-24 2020-01-03 Telefonaktiebolaget LM Ericsson (Sweden) Routing table selection in policy-based routing systems
CN111108733A (en) * 2017-07-31 2020-05-05 Amdocs Development Ltd. System, method and computer program for providing security in Network Function Virtualization (NFV)-based communication networks and Software Defined Networks (SDNs)
CN109587071A (en) * 2018-11-30 2019-04-05 Beijing University of Technology Microservice load-balancing method based on SDN
CN110266716A (en) * 2019-06-24 2019-09-20 China Southern Power Grid Co., Ltd. Power grid unified service platform system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on information interaction and its security for the electric power marketing WeChat service platform; Lu Xiaoxiao; China Master's Theses Full-text Database, Economics and Management Sciences (monthly); 2018-03-15 (No. 03); pp. J150-584 *

Also Published As

Publication number Publication date
CN111669401A (en) 2020-09-15

Similar Documents

Publication Publication Date Title
CN111669401B (en) Security protection method and device for network system, computer equipment and storage medium
US11962571B2 (en) Ecosystem per distributed element security through virtual isolation networks
US20190238410A1 (en) Verifying network intents
AU2004282937B2 (en) Policy-based network security management
CN111108733B (en) System, method and computer program for providing security in Network Function Virtualization (NFV)-based communication networks and Software Defined Networks (SDNs)
US11743206B2 (en) Systems and methods for intelligent application grouping
US11431792B2 (en) Determining contextual information for alerts
CN109413088B (en) Method and system for decomposing threat handling strategy in network
US20060153192A1 (en) Network host isolation tool
WO2014202026A1 (en) Method and system for virtual network mapping protection and computer storage medium
CN113824643B (en) Ubiquitous network topological graph construction method and network security protection method
US11824716B2 (en) Systems and methods for controlling the deployment of network configuration changes based on weighted impact
CN110839007A (en) Cloud network security processing method and device and computer storage medium
CN111698110B (en) Network equipment performance analysis method, system, equipment and computer medium
Vásquez-Bermúdez et al. Analysis of a network fault detection system to support decision making
Montanari et al. Attack-resilient compliance monitoring for large distributed infrastructure systems
US9137121B1 (en) Managing networks utilizing network simulation
US11743142B1 (en) Segmentation using infrastructure policy feedback
CN112887158B (en) Equipment communication rule configuration method based on domain mode
US11570193B2 (en) Malware propagation risk assessment in software defined networks
Kang et al. SD-MTD: Software-defined moving-target defense for cloud-system obfuscation
Sviridov et al. AutoNet: Automatic Reachability Policy Management in Public Cloud Networks
CN115695206A (en) Method and device for determining network topology, computer equipment and storage medium
Bahrami Design of a mobile agents based solution to distributional management of computer networks, taking into account the security mechanisms
CN110474788B (en) Data processing method, terminal and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 86, room 406, No.1, Yichuang street, Zhongxin Guangzhou Knowledge City, Huangpu District, Guangzhou City, Guangdong Province

Applicant after: Southern Power Grid Digital Grid Research Institute Co.,Ltd.

Address before: 511458 Room 1301, Chengtou Building, 106 Fengze East Road, Nansha District, Guangzhou City, Guangdong Province (self-compiled 1301-12159)

Applicant before: Southern Power Grid Digital Grid Research Institute Co.,Ltd.

GR01 Patent grant
CP03 Change of name, title or address

Address after: Room 86, room 406, No.1, Yichuang street, Zhongxin Guangzhou Knowledge City, Huangpu District, Guangzhou City, Guangdong Province

Patentee after: Southern Power Grid Digital Grid Research Institute Co.,Ltd.

Country or region after: China

Address before: Room 86, room 406, No.1, Yichuang street, Zhongxin Guangzhou Knowledge City, Huangpu District, Guangzhou City, Guangdong Province

Patentee before: Southern Power Grid Digital Grid Research Institute Co.,Ltd.

Country or region before: China

TR01 Transfer of patent right

Effective date of registration: 20240312

Address after: Floor 12, Unit 2, Building 2, No. 11 Spectral Middle Road, Huangpu District, Guangzhou City, Guangdong Province, 510700, China

Patentee after: China Southern Power Grid Digital Power Grid Group Information Communication Technology Co.,Ltd.

Country or region after: China

Address before: Room 86, room 406, No.1, Yichuang street, Zhongxin Guangzhou Knowledge City, Huangpu District, Guangzhou City, Guangdong Province

Patentee before: Southern Power Grid Digital Grid Research Institute Co.,Ltd.

Country or region before: China