CN111683074A - NFV-based secure network architecture and network security management method (Google Patents)

Info

Publication number: CN111683074A
Authority: CN (China)
Legal status: Pending
Application number: CN202010479425.0A
Other languages: Chinese (zh)
Inventors: 宋浒, 夏飞, 邹昊东, 巫乾军, 陈宇航, 董清泉, 俞俊
Current assignee: Nari Technology Co Ltd; Information and Telecommunication Branch of State Grid Jiangsu Electric Power Co Ltd
Original assignee: Nari Technology Co Ltd; Information and Telecommunication Branch of State Grid Jiangsu Electric Power Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network


Abstract

The embodiment of the invention discloses an NFV-based secure network architecture and a network security management method. The secure network architecture comprises a network function virtualization infrastructure, a virtualized network function module, a network function virtualization management and orchestration module, an operation support system, a business support system and a security orchestrator; the security orchestrator is connected to the virtualized network function module through the network function virtualization management and orchestration module and performs real-time security evaluation of the data flow of the secure network architecture. The embodiment addresses the problem that no overall NFV network security framework has been established for NFV-based service deployment, so that network security protection needs strengthening; it can reasonably configure virtual security device resources, provide various security services, deliver sufficient security protection capability and realize intelligent security services.

Description

NFV-based secure network architecture and network security management method
Technical Field
The embodiment of the invention relates to the field of computer technology, in particular to an NFV-based secure network architecture and network security management method.
Background
NFV (Network Functions Virtualization) is an emerging technology in which the functions of a network node are divided into several functional blocks that are implemented in software and are not tied to a particular hardware architecture. NFV separates network functions from dedicated devices, providing a flexible and economical way to deploy network functions and services. However, successful deployment of NFV brings new challenges for network security management. For example, because NFV turns network functions into software modules, an attack on one software module may affect other modules located on the same virtual machine. In addition, many NFV systems are built on open source projects such as OpenStack and OSM, and potential software defects in these projects may pose a security threat.
Currently, researchers have proposed a software component known as a policy manager that lets users specify their security requirements and automatically selects the required virtual network functions using policy optimization techniques, further adding support for automatic enforcement of security policies through an optimization model that selects the best way to optimize network policies. A network modeling method for formal verification of forwarding behavior has also been proposed, and a security framework conforming to the security-as-a-service model has been designed to protect end users. While all of these studies address NFV security issues, an overall framework for network security is still lacking.
Disclosure of Invention
The embodiment of the invention provides an NFV-based secure network architecture and network security management method, which reasonably configure virtual security device resources, provide various security services, deliver sufficient security protection capability and realize intelligent security services.
In a first aspect, an embodiment of the present invention provides an NFV-based secure network architecture, which includes:
a network function virtualization infrastructure, virtualized network functions, network function virtualization management and orchestration, an operation support system, a business support system, and a security orchestrator;
the security orchestrator is connected to the virtualized network function block through the network function virtualization management and orchestration and performs real-time security evaluation of the data flow of the secure network architecture.
Optionally, the security orchestrator includes:
an application store layer, an orchestration engine, a security controller and a virtual security device management platform;
the application store layer provides web interaction services and generates an orchestration policy; the orchestration engine receives the orchestration policy and the orchestration service template issued by the application store layer and generates orchestration tasks; the security controller comprises a device management module, a resource scheduling module and a service chain module, receives resource call requests from the orchestration engine, selects target devices from a resource pool, and executes network security protection tasks through the resource scheduling module; the virtual security device management platform provides the computing, storage and network resources required to run the security services.
Optionally, the service chain module is connected to an SDN control platform interface.
Optionally, the architecture of the application store layer includes a Web layer, a REST service platform, a data layer, and a Docker layer;
the Docker layer serves as the underlying runtime environment, the data layer implements data persistence and stores the issued orchestration policy information, the REST service platform encapsulates the business logic and exposes it in the form of REST and/or APP interfaces, and the Web layer provides the user interface.
Optionally, the resource pool is formed by a plurality of server nodes, and a network structure of the resource pool includes a network egress layer, a core layer, an aggregation layer, and a network access layer.
Optionally, a switch connected to the resource pool is configured with a virtual local area network and a virtual forwarding path.
Optionally, the orchestration engine includes a REST application programming interface module, an orchestration service module, a database module, and a security service driver module.
Optionally, the orchestration service module includes an orchestration policy analysis sub-module, a security device model, and an orchestration service template, where the security device model is the orchestration engine's abstraction of each security device, and the orchestration service template defines the mapping between the inputs and outputs of application programs.
Optionally, the topology of the virtual security device management platform includes three OVS bridges respectively connected to the management port, the data ingress port, and the data egress port of the virtual security device, and a bridge connected to the external network.
In a second aspect, an embodiment of the present invention further provides a network security management method, implemented by the NFV-based secure network architecture of any embodiment of the present invention, and the method includes:
acquiring a user's asset information and recommending a security orchestration scheme to the user according to that asset information;
determining the corresponding orchestration policy according to the user's selection and configuration of the security orchestration scheme;
and parsing and executing the orchestration policy to protect network security.
In the embodiment of the invention, a secure network architecture is formed by a network function virtualization infrastructure, a virtualized network function module, a management and orchestration module and a security orchestrator, where the security orchestrator is connected to the virtualized network function module through the network function virtualization management and orchestration module and can perform real-time security evaluation of the data flow of the whole NFV system. This addresses the problem that network security protection needs to be enhanced because no overall NFV network security framework has been established for NFV-based service deployment; virtual security device resources can be reasonably configured, various security services are provided, sufficient security protection capability is delivered, and intelligent security services are realized.
Drawings
Fig. 1 is a schematic diagram of an NFV-based secure network architecture according to the first embodiment of the present invention;
Fig. 2 is a schematic diagram of the security orchestrator according to the first embodiment of the present invention;
Fig. 3 is a schematic diagram of the workflow of the security orchestrator according to the first embodiment of the present invention;
Fig. 4 is a schematic diagram of the AppStore cloud architecture according to the first embodiment of the present invention;
Fig. 5 is an interaction diagram of the security controller according to the first embodiment of the present invention;
Fig. 6 is a schematic structural diagram of the data center network hierarchy in the first embodiment of the present invention;
Fig. 7 is a schematic diagram of the orchestration engine according to an embodiment of the present invention;
Fig. 8 is a topology diagram of the virtual security device management platform according to the first embodiment of the present invention;
Fig. 9 is a flowchart of the network security management method in the second embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described through embodiments with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention. In the following embodiments, optional features and examples are provided in each embodiment, and various features described in the embodiments may be combined to form a plurality of alternatives, and each numbered embodiment should not be regarded as only one technical solution.
Example one
Fig. 1 is a schematic diagram of an NFV-based secure network architecture according to an embodiment of the present invention. As shown, the NFV-based secure network architecture includes:
a network function virtualization infrastructure, virtualized network functions, network function virtualization management and orchestration, an operation support system, a business support system and a security orchestrator. The security orchestrator is connected to the virtualized network functions through the network function virtualization management and orchestration and performs real-time security evaluation of the data flow of the secure network architecture.
Specifically, the Network Function Virtualization Infrastructure (NFVI) is built on non-proprietary hardware (e.g., x86 servers) and includes a Virtualization Layer, which is a hypervisor or a container management system such as Docker, together with a vSwitch. The NFVI also includes physical resources (Computing Hardware, Storage Hardware and Network Hardware), such as COTS servers, switches, storage devices, and the like. The NFVI can be deployed across several physical locations, in which case the network providing data connectivity between these sites is also regarded as part of the NFVI. To be compatible with the existing network architecture, the network access points of the NFVI need to be able to interwork with other physical networks. The NFVI abstracts computing hardware, storage hardware and network hardware into virtual resources and provides these resources to support the execution of the virtualized network functions.
Virtualized Network Functions (VNFs) are specific virtual network functions that provide some kind of network service; they are software, deployed in virtual machines, containers or bare-metal physical machines using the infrastructure provided by the NFVI. The Element Management Systems (EMs) are responsible for fault, configuration, accounting, performance and security monitoring of the VNFs; the suffix s corresponds to the sequence numbers 1, 2 and 3 in fig. 1.
Management and Orchestration (MANO) provides the overall management and orchestration of NFV, with upward access to the Operations Support Systems (OSS) and Business Support Systems (BSS), and consists of the NFVO (NFV Orchestrator), the VNFM (VNF Manager) and the VIM (Virtualized Infrastructure Manager). The VIM manages the NFVI and controls the allocation of virtual resources to the VNFs, such as virtual computing, virtual storage and virtual networking. Both OpenStack and VMware are available as a VIM, the former open-source and the latter commercial. The VNFM manages the life cycle of the VNFs, such as bringing them online and offline, and performs state monitoring and image adaptation. The VNFM manages VNFs based on VNFDs (VNF Descriptors). The NFVO manages the Network Service (NS) lifecycle, coordinates management of the NS lifecycle, coordinates management of the VNF lifecycle (which needs the support of the VNF manager, VNFM), and coordinates management of the various NFVI resources. The Operation Support System (OSS) and Business Support System (BSS) are a collection of system management applications supporting network management, configuration management, customer management, and the like.
Further, the structure of the security orchestrator is shown in fig. 2 and includes: an application store layer, an orchestration engine, a security controller and a virtual security device management platform. The application store layer provides web interaction services and generates an orchestration policy; the orchestration engine receives the orchestration policy and the orchestration service template issued by the application store layer and generates orchestration tasks; the security controller comprises a device management module, a resource scheduling module and a service chain module, receives resource call requests from the orchestration engine, selects target devices from a resource pool, and executes network security protection tasks through the resource scheduling module; the virtual security device management platform provides the computing, storage and network resources required to run the security services.
The architecture of the application store layer (APP Store Server) comprises a Web layer, a REST service platform, a data layer and a Docker layer. The top layer of the security orchestrator is a Web service layer developed on the AppStore platform; it is generally deployed on a central server, provides Web interaction services to users and generates the orchestration policy, and the client environment sits below the Web layer. The internal modules of the security controller comprise an equipment management module (Equipment management), a resource scheduling module (Resource scheduling) and a service chain module (Service chain); the service chain module is connected to the SDN control platform interface to realize a secure service chain and guarantee the correct implementation of the orchestration policy at the bottom layer. The orchestration engine is responsible for receiving the orchestration policies and orchestration service templates issued by the AppStore, generating orchestration tasks, and scheduling and executing those tasks. The security controller receives resource call requests from the orchestration engine, selects suitable devices from the resource pool, and executes the protection task through the resource scheduling module. The infrastructure layer (Infrastructure) provides the computing, storage and network resources needed for the security services to operate.
In the present embodiment, the workflow of the security orchestrator can be seen in the flow chart of fig. 3. First, the AppStore recommends relevant security orchestration schemes to the user according to the user's asset information (requirements). After the user selects and defines the orchestration method of the security service, the AppStore sends the corresponding orchestration policy to the orchestration engine. The orchestration engine then parses the orchestration policy and generates Jobs for it. Finally, the orchestration engine executes the orchestration method according to the policy. Specifically, the orchestration engine invokes the first security application of the orchestration scheme according to the orchestration policy. If the application itself can complete the security service, the result of the security task is returned directly to the orchestration engine. If the security service requires a security device, the security application sends a device call request to the security controller, whose request parameters include: protection target information, security device type and device configuration parameters. The security controller selects a suitable security device through a resource scheduling algorithm according to the security device type and the other service parameters, and sends the protection task to the selected device. The security controller collects the results of the task executed by the security device and returns the information to the security application. The security application further processes the collected log and alarm information, converts it into an interface format recognizable by the orchestration engine, and returns it to the orchestration engine.
Finally, the orchestration engine compares the information returned by the security application with the orchestration policy: if the trigger condition is met, the next security application is invoked for protection according to the orchestration policy; if the trigger condition is not met, the first task is invoked again according to the task scheduling method that the orchestration policy defines for the security application. The orchestration policy supports flexible job execution methods, such as executing once every 5 minutes, keeping the task running permanently, or stopping the task after several executions.
Further, the AppStore may be divided into two parts: cloud and client. From the perspective of technical architecture, the cloud and the client are designed similarly, and both can be divided into the four layers shown in the architecture diagram of fig. 4: a Web layer (The Web tier), a REST service platform (REST service layer), a data service layer (Data service layer) and a Docker layer (The Docker layer). As can be seen from fig. 4, the AppStore cloud architecture is divided, from bottom to top, into the Docker layer, the data service layer, the REST service platform layer and the WEB layer. The Docker layer serves as the underlying runtime environment, the data layer implements data persistence and stores the issued orchestration policy information, the REST service platform encapsulates the business logic and exposes it as REST and/or APP interfaces, and the Web layer provides a user interface for convenient operation. The AppStore is the portal for the various network security services; currently it is primarily network security scanning. After the corresponding security service is selected, the relevant parameters are filled in to release the security service, for example Web vulnerability scanning.
Further, the main modules used in the security controller are: an application manager (App Manager) that manages the supported applications; a device manager (Device manager) that manages the information of the currently enabled devices, such as IP address, port, service type and the like; an event manager (Event manager) that controls internal interaction events, the various modules interacting by subscribing to pushed events; and BootAccent, which controls the starting and recovery of virtual machines. The resource pool is the network in which the server cluster is located. Reference may be made to the interaction diagram of the security controller shown in fig. 5.
Further, the resource pool in fig. 5 is the infrastructure resource pool of the secure network architecture, which can typically scale to thousands of servers. With the introduction of virtualization technologies, the number of server nodes (VMs) will increase further. Meanwhile, the cloud computing resource pool improves resource utilization. The resource pool is the data center of the secure network architecture, and the network hierarchy of the data center may follow the data center network hierarchy model shown in fig. 6, which includes a network exit layer (Network exit layer), a core layer (Core layer), a convergence or aggregation layer (Convergence layer) and a network access layer (Network access layer).
Data centers should allow flexible partitioning of network areas. By constructing an NFV-based data center that conforms to data center design principles, different application systems can be divided into different areas. The core layer, responsible for the core switching function, is the core part of the entire network and acts as a transport bus; compared with the other levels, it is the layer at which system capacity is enhanced by directly adding devices, improving scalability and availability. At the same time, access devices must connect to the network access layer, which admits devices to the network. An aggregation layer is added between the network access layer and the core layer to aggregate the access devices. Finally, a network exit layer is added for access to external resources, and network firewalls, load balancers and other devices are added inside and outside the data center. Specifically, the network exit layer connects the internal network and the external network; it converts between internal and external network information and controls information forwarding between the internal and external networks. The core layer is connected to the network exit layer and the aggregation layer and mainly realizes information forwarding and control on the core switching equipment. The aggregation layer is connected to the core layer and mainly aggregates the access layer equipment. The network access layer mainly provides the network access function to ensure normal access of terminal equipment.
In view of the high reliability, availability and security required of the network, the deployment plan is as follows: a virtual local area network and a virtual forwarding path are configured on the core switch to realize isolation from other service systems, and Quality of Service (QoS) is configured to meet the bandwidth requirement of converged communication services. In the internal virtualization layer of the server, a virtual switch (VSW) function should be supported, meeting the requirements for throughput, CPU and memory utilization, to implement virtual machine switching, VLAN differentiation and port rate limiting.
Further, the structure of the orchestration engine is shown in fig. 7 and includes a REST application programming interface module (REST API), an orchestration service module (orchestration task scheduling module), a database module (Database module) and a security service driver module (Security service driver). The orchestration service module comprises an orchestration policy analysis submodule (policy analysis), a security device model (security equipment model) and an orchestration service template (orchestration service template), where the security device model is the orchestration engine's abstraction of each security device and the orchestration service template defines the mapping between the inputs and outputs of applications. Specifically, the REST API module provides the AppStore platform with an orchestration policy registration/cancellation interface, a registered orchestration policy query interface and a Job query interface. The middle layer is the core function module of the orchestration engine and realizes orchestration policy analysis and orchestration task scheduling. The security device model is a high-level abstraction of the security device by the orchestration engine, and each type of security device corresponds to one device model in the engine. The orchestration service template defines the mapping between the inputs and outputs of two applications, can be dynamically loaded by the orchestration engine, and is the key design for breaking the "barrier" between applications. The lowest level comprises the database module and the security service driver module. The database module stores the registered orchestration policies and Job information to realize data persistence. The security service driver module interfaces the orchestration engine with security devices of different manufacturers and different types.
It is independent of the orchestration engine in the form of an agent application. Northbound, the agent application is developed according to the standard API interface specification of the SDS devices and receives the security protection tasks issued by the orchestration engine; southbound, it interfaces with the security controller to dispatch and issue the protection scheduling information to the devices. Request and device identification.
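The following Python, added here as an illustration and not part of the patent's implementation, models the workflow of fig. 3 and the engine structure of fig. 7: a security controller that schedules a device by type from a constructed resource pool, an orchestration service template that maps the first application's outputs onto the second application's inputs, and an engine loop that applies the trigger condition and the "stop after several executions" job rule. All class, field and device names are assumptions, as is the least-loaded scheduling rule, since the page does not specify the scheduling algorithm.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


# --- Security controller: device management + resource scheduling (fig. 5) ---
@dataclass
class SecurityDevice:
    name: str
    dev_type: str      # e.g. "scanner", "waf"
    ip: str            # constructed address inside the page's 120.0.0.1/24 pool
    load: int = 0      # protection tasks currently assigned


class SecurityController:
    def __init__(self, resource_pool: List[SecurityDevice]):
        self.pool = resource_pool

    def handle_device_call(self, target: str, dev_type: str, config: Dict) -> Dict:
        """Device call request: protection target, security device type, config parameters."""
        candidates = [d for d in self.pool if d.dev_type == dev_type]
        if not candidates:
            raise LookupError(f"no device of type {dev_type!r} in the resource pool")
        device = min(candidates, key=lambda d: d.load)   # assumed rule: least-loaded device
        device.load += 1
        # Result collected from the device and handed back to the security application.
        return {"device": device.name, "target": target, "config": config, "alarms": []}


# --- Security applications: each returns a dict in the engine's interface format ---
def scan_app(data: Dict, controller: SecurityController) -> Dict:
    res = controller.handle_device_call(data["target"], "scanner", {"profile": "web"})
    # Constructed finding list standing in for the scanner's log/alarm output.
    res["alarms"] = ["sqli"] if data["target"].endswith(".5") else []
    return res


def waf_app(data: Dict, controller: SecurityController) -> Dict:
    # Its inputs (protect_target, rules) are produced by the service template below.
    res = controller.handle_device_call(data["protect_target"], "waf", {"rules": data["rules"]})
    res["alarms"] = ["protection-active"]   # constructed status report
    return res


@dataclass
class SecurityApp:
    name: str
    run: Callable[[Dict, SecurityController], Dict]


# --- Orchestration service template: maps app A's outputs onto app B's inputs ---
@dataclass
class ServiceTemplate:
    mapping: Dict[str, str]   # {output field of A: input field of B}

    def convert(self, output: Dict) -> Dict:
        return {dst: output[src] for src, dst in self.mapping.items() if src in output}


# --- Orchestration policy: ordered apps, trigger condition, job execution rule ---
@dataclass
class OrchestrationPolicy:
    apps: List[SecurityApp]
    templates: List[ServiceTemplate]   # templates[i] links apps[i] -> apps[i+1]
    trigger: Callable[[Dict], bool]    # condition for advancing to the next app
    max_runs: int                      # "stop the task after several executions"


class OrchestrationEngine:
    def __init__(self, controller: SecurityController):
        self.controller = controller
        self.jobs: List[Dict] = []     # stand-in for the database module

    def execute(self, policy: OrchestrationPolicy, first_input: Dict) -> Dict:
        runs, step, data, trace = 0, 0, first_input, []
        while runs < policy.max_runs:
            app = policy.apps[step]
            result = app.run(data, self.controller)
            runs += 1
            trace.append(app.name)
            if not policy.trigger(result):
                step, data = 0, first_input               # re-invoke the first task
            elif step + 1 < len(policy.apps):
                data = policy.templates[step].convert(result)   # hand over via template
                step += 1
            else:
                break                                     # last app succeeded: chain done
        job = {"runs": runs, "completed": step + 1 == len(policy.apps), "trace": trace}
        self.jobs.append(job)
        return job


def build_demo():
    """Constructed resource pool and a two-application policy (scan, then WAF)."""
    pool = [SecurityDevice("scan-a", "scanner", "120.0.0.11"),
            SecurityDevice("scan-b", "scanner", "120.0.0.12"),
            SecurityDevice("waf-a", "waf", "120.0.0.21")]
    policy = OrchestrationPolicy(
        apps=[SecurityApp("scan", scan_app), SecurityApp("waf", waf_app)],
        templates=[ServiceTemplate({"target": "protect_target", "alarms": "rules"})],
        trigger=lambda r: bool(r["alarms"]),
        max_runs=5)
    return OrchestrationEngine(SecurityController(pool)), policy
```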
Further, the virtual security device management platform may be written in Python and incorporates open source technologies such as dnsmasq, libvirt, Open vSwitch and Linux namespaces. Regarding device boot and registration: in a software-defined security architecture, the security resource pool must mask the differences between devices of different manufacturers and different types, so device boot and registration must be managed uniformly at the bottom level. On the cloud platform, the security devices are virtualized in the security resource pool, so management of a security device is equivalent to management of a virtual machine. It is desirable to build a virtual security device model that is as generic as possible; if a device differs from the generic model, its personalized functions can be implemented in a subclass that inherits from the generic class. In other words, the virtual security device management platform accommodates a new device by adding a "plug-in class". In addition, when the virtual security device management platform starts, it reads the configuration file, starts a number of security devices in advance, and registers them uniformly with the security controller. The configuration file contains the type, number, image information and driver information of the security devices to boot.
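To make the plug-in class idea and the start-up sequence concrete, here is an added Python sketch (not the patent's platform code) of a generic virtual security device model, one plug-in subclass, and the start-up routine that reads a constructed configuration file, pre-boots the devices and registers them with a stand-in controller. The class names, the JSON layout of the configuration file and the libvirt stand-in are assumptions.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Type

# Constructed configuration file: the page names the fields (type, number, image and
# driver of the devices to boot); the JSON layout itself is an assumption.
CONFIG_TEXT = """
{
  "devices": [
    {"type": "waf",  "number": 2, "image": "waf-vm.qcow2",  "driver": "generic"},
    {"type": "rass", "number": 1, "image": "rass-vm.qcow2", "driver": "rass"}
  ]
}
"""


@dataclass
class BootSpec:
    dev_type: str
    number: int
    image: str
    driver: str


def parse_config(text: str) -> List[BootSpec]:
    specs = []
    for item in json.loads(text)["devices"]:
        if int(item["number"]) < 1:
            raise ValueError(f"device type {item['type']!r}: number must be >= 1")
        specs.append(BootSpec(item["type"], int(item["number"]), item["image"], item["driver"]))
    return specs


class VirtualSecurityDevice:
    """Generic device model: a VM with three NICs on br-con / br-in / br-out (fig. 8)."""
    driver_name = "generic"
    nic_bridges = {"mgmt": "br-con", "data_in": "br-in", "data_out": "br-out"}

    def __init__(self, name: str, dev_type: str, image: str):
        self.name, self.dev_type, self.image = name, dev_type, image
        self.state = "defined"

    def boot(self) -> None:
        # Stand-in for libvirt domain creation; a real driver would define and start the VM.
        self.state = "running"

    def registration_info(self) -> Dict:
        """Uniform record the platform reports to the security controller."""
        return {"name": self.name, "type": self.dev_type, "driver": self.driver_name,
                "nics": dict(self.nic_bridges), "state": self.state}


class RassDevice(VirtualSecurityDevice):
    """'Plug-in class': inherits the generic model and adds one personalised field."""
    driver_name = "rass"

    def registration_info(self) -> Dict:
        info = super().registration_info()
        info["scan_engine_ready"] = self.state == "running"   # assumed device-specific field
        return info


# Plug-in registry: supporting a new device type means adding one subclass here.
DRIVERS: Dict[str, Type[VirtualSecurityDevice]] = {
    "generic": VirtualSecurityDevice,
    "rass": RassDevice,
}


class SecurityController:
    """Minimal stand-in for the controller's device manager (registration only)."""
    def __init__(self):
        self.registered: List[Dict] = []

    def register(self, info: Dict) -> None:
        if info["state"] != "running":
            raise RuntimeError(f"{info['name']} is not running; refusing registration")
        self.registered.append(info)


def start_platform(config_text: str, controller: SecurityController) -> List[VirtualSecurityDevice]:
    """Platform start-up: read the config, boot the devices in advance, register them uniformly."""
    devices = []
    for spec in parse_config(config_text):
        cls = DRIVERS.get(spec.driver)
        if cls is None:
            raise KeyError(f"no plug-in class for driver {spec.driver!r}")
        for i in range(1, spec.number + 1):
            dev = cls(f"{spec.dev_type}-{i}", spec.dev_type, spec.image)
            dev.boot()
            controller.register(dev.registration_info())
            devices.append(dev)
    return devices
```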
The virtual security device management platform network topology design is shown in fig. 8. In fig. 8, WAF (Web application firewall) and RASS (remote system evaluation system) are virtual security devices each having three network cards, a management port, a data flow port, and a data flow port. Accordingly, the three network cards are connected to three OVS (OpenvSwitch) bridges of br-con, br-in and br-out, respectively. The management port is used for transmitting management layer data, and data flows in and out for transmitting network flow. The above two deployment modes of the security device are also common deployment modes of the management platform. Because the device has no service request when being started for the first time and does not need to access an external network, the device does not need to be allocated with an external network IP when being started, and only the connection between the management platform and the server needs to be allocated. It is possible to ensure that the device manages the ports. Based on the above considerations, the port on the control bridge br-con is ba-DHCP-if and is bound to the DHCP server service to provide local DHCP for the virtual security device. In the present embodiment, DNSmasq is used for this item. DNSmasq is a small, convenient tool for configuring DNS and DHCP, applicable to small networks. The DHCP assigned address and associated commands may be configured to a single host or core device (e.g., router). DNSmasq supports both static and dynamic DHCP configuration methods. The present embodiment uses a dynamic DHCP method, and the allocated IP address pool interval is 120.0.0.1/24. The bo-router is a Linux network name space, which is a network name space, and is used to implement NAT (network address translation), i.e., an IP address segment allocated by a local dhcp service, between a virtual security device network and a host network. 
NAT forwarding lets the virtual security devices reach external networks. In service terms a virtual security appliance has no protection task at initial startup and needs no external network access; however, many commercial virtual security devices first contact the security vendor's cloud at startup to verify the validity of their local license, and only then decide whether to provide normal security services. The NAT in this solution therefore ensures that a virtual security device can communicate with the vendor cloud normally at startup. brO in the topology is the bridge connected to the external network. br-con and brO are joined by a patch connection so that, once a virtual security appliance has been assigned an external network IP, external access traffic reaches it correctly. The data the device management platform needs to store is mainly device information, and the database selected in this embodiment is Redis. Redis is a remote in-memory database that offers not only strong performance but also replication and data models suited to the problems at hand. Redis supports five different data structure types, so many kinds of data can be stored directly without conversion. Furthermore, through replication, persistence and client-side sharding, Redis can easily be scaled to a system holding hundreds of GB of data and handling millions of requests per second.
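A dry-run planner for the topology described in the two paragraphs above, added here as an example and not the patent's own code. It turns the description (OVS bridges br-con, br-in, br-out and the external bridge brO; DHCP port ba-DHCP-if served by DNSmasq; NAT namespace bo-router; a patch link between br-con and brO) into the commands an operator would run. Names not on the page (veth and patch port names, the host-side transit subnet, the uplink NIC) are assumptions, as is the split of the pool into gateway, DHCP server address and dynamic range. Nothing is executed: `plan()` only returns strings.

```python
"""Dry-run command planner for the management-platform topology (added example)."""
import ipaddress

MGMT_POOL = "120.0.0.1/24"        # pool from the description
TRANSIT = "192.168.200.0/30"      # assumed host <-> namespace transit link


def dhcp_settings(pool_cidr):
    """Split the pool: first host is the NAT gateway inside bo-router, the
    second is the DHCP server address on ba-DHCP-if, the rest is dynamic."""
    net = ipaddress.ip_network(pool_cidr, strict=False)
    hosts = list(net.hosts())
    return {"network": str(net), "prefixlen": net.prefixlen,
            "gateway": str(hosts[0]), "server": str(hosts[1]),
            "first": str(hosts[2]), "last": str(hosts[-1])}


def plan(uplink="eth0", pool_cidr=MGMT_POOL, transit_cidr=TRANSIT):
    """Return the ordered shell commands; nothing is run."""
    s = dhcp_settings(pool_cidr)
    tnet = ipaddress.ip_network(transit_cidr)
    host_ip, ns_ip = list(tnet.hosts())[:2]
    cmds = [f"ovs-vsctl --may-exist add-br {br}"
            for br in ("br-con", "br-in", "br-out", "brO")]
    # brO is the bridge connected to the external network; the host's own
    # external address is assumed to move onto the brO internal port.
    cmds.append(f"ovs-vsctl --may-exist add-port brO {uplink}")
    # Local DHCP for the appliances' management ports, on the control bridge.
    # --port=0 disables DNSmasq's DNS function so it serves DHCP only.
    cmds += [
        "ovs-vsctl --may-exist add-port br-con ba-DHCP-if -- set interface ba-DHCP-if type=internal",
        f"ip addr add {s['server']}/{s['prefixlen']} dev ba-DHCP-if",
        "ip link set ba-DHCP-if up",
        "dnsmasq --interface=ba-DHCP-if --bind-interfaces --port=0 "
        f"--dhcp-range={s['first']},{s['last']},12h "
        f"--dhcp-option=option:router,{s['gateway']}",
    ]
    # bo-router: namespace doing NAT between the DHCP segment and the host.
    cmds += [
        "ip netns add bo-router",
        "ip link add rtr-in type veth peer name rtr-in-ns",
        "ovs-vsctl --may-exist add-port br-con rtr-in",
        "ip link set rtr-in up",
        "ip link set rtr-in-ns netns bo-router",
        f"ip netns exec bo-router ip addr add {s['gateway']}/{s['prefixlen']} dev rtr-in-ns",
        "ip netns exec bo-router ip link set rtr-in-ns up",
        "ip link add rtr-out type veth peer name rtr-out-ns",
        "ip link set rtr-out-ns netns bo-router",
        f"ip addr add {host_ip}/{tnet.prefixlen} dev rtr-out",
        "ip link set rtr-out up",
        f"ip netns exec bo-router ip addr add {ns_ip}/{tnet.prefixlen} dev rtr-out-ns",
        "ip netns exec bo-router ip link set rtr-out-ns up",
        "ip netns exec bo-router ip link set lo up",
        f"ip netns exec bo-router ip route add default via {host_ip}",
        "ip netns exec bo-router sysctl -w net.ipv4.ip_forward=1",
        f"ip netns exec bo-router iptables -t nat -A POSTROUTING -s {s['network']} -o rtr-out-ns -j MASQUERADE",
        # Host side: forward the namespace's traffic out through brO.
        "sysctl -w net.ipv4.ip_forward=1",
        f"iptables -t nat -A POSTROUTING -s {transit_cidr} -o brO -j MASQUERADE",
    ]
    # Patch link br-con <-> brO so external traffic reaches an appliance
    # once it has been assigned an external IP.
    cmds += [
        "ovs-vsctl --may-exist add-port br-con patch-con-ext -- set interface patch-con-ext type=patch options:peer=patch-ext-con",
        "ovs-vsctl --may-exist add-port brO patch-ext-con -- set interface patch-ext-con type=patch options:peer=patch-con-ext",
    ]
    return cmds


def script(cmds):
    """Render the plan as a shell script that stops at the first failure."""
    return "#!/bin/sh\nset -e\n" + "\n".join(cmds) + "\n"


if __name__ == "__main__":
    print(script(plan()))
```

The namespace only masquerades the DHCP segment, so an appliance that has not yet been given an external IP can reach the vendor's license cloud at boot while nothing on the outside can initiate a connection to it; inbound reachability exists only through the patch link once an external address is assigned.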
The technical scheme of this embodiment is based on a software-defined security architecture and SDN/NFV technology. It designs and implements a security network architecture, and in particular the security orchestrator within it, which builds a bridge between security services and changes the delivery mode of cloud security services: instead of delivering a single security service, multiple security services are delivered as a coordinated security protection scheme. This change in delivery mode lowers the threshold for using security services, improves the user experience, raises the protection efficiency and resource utilization of the cloud platform, and reduces costs for cloud computing vendors. The orchestration system of this embodiment is tightly integrated with software-defined security technology, which brings out the advantages of that technology: it shields the differences between the devices of the various security vendors in the data plane and hides the complex technical details of the underlying system, so that the orchestration engine can concentrate on high-level business process logic. In addition, to suit the virtualized nature of the cloud platform, this embodiment designs a virtual security device management platform that performs management and registration of virtual security devices and provides the basis for executing orchestration policies. From the perspective of the software-defined security architecture, the virtual security device management platform is also one way of implementing the security resource pool.
Embodiment two
Fig. 9 is a flowchart of a network security management method according to a second embodiment of the present invention, where the method is applied to protect network security in the development and deployment of network function virtualization, and the method can be implemented by the NFV-based security network architecture according to any embodiment of the present invention.
As shown in fig. 9, the network security management method specifically includes the following steps:
S110, acquiring the asset information of the user and recommending a security orchestration scheme to the user according to the asset information.
Specifically, the REST service platform in the NFV-based secure network architecture first receives the user's asset information from the front end, performs a port scan of the user's virtual machine, and infers the main services of the virtual machine from the scan result. The scanner used in this system is NMAP, open source port scanning software used to determine which services are running on a networked host and to infer its operating system (OS fingerprinting) in order to evaluate the security of a network system. NMAP scans quickly, is lightweight, and reports the open ports and service states of the target host, which meets the service requirements here. Secondly, a related security orchestration scheme is recommended to the user according to the port scan result.
For example, if the scan of the target host finds port 443 or port 80 open, an HTTP server service is running on the host and the user may need Web security. The REST service platform then reads the security orchestration scheme table from the database, selects the scheme whose policy_type attribute is the WEB security orchestration scheme, and recommends it to the user.
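The scan-result-to-recommendation step above, as an added example that is not the patent's code. It parses the XML that NMAP writes with `-oX` (a constructed sample for one host is embedded, so nothing is scanned) and matches the open services against a scheme table whose rows carry a `policy_type` attribute. The table contents, the rule rows other than the 80/443 -> WEB rule stated in the text, and the XML sample are assumptions; only ports NMAP reports as open count, since filtered or closed ports do not indicate a running service.

```python
"""Map NMAP -oX scan output to recommended security orchestration schemes (added example)."""
import xml.etree.ElementTree as ET

# Constructed NMAP -oX output for one host; not real scan data.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.0.5" start="0" version="7.80">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
<port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/><service name="mysql"/></port>
</ports></host></nmaprun>"""

# Scheme table as the REST platform would read it from the database (assumed schema).
SCHEME_TABLE = [
    {"policy_id": 1, "policy_type": "WEB", "name": "Web security scheme", "apps": ["waf", "web_vuln_scan"]},
    {"policy_id": 2, "policy_type": "DB", "name": "Database security scheme", "apps": ["db_audit"]},
    {"policy_id": 3, "policy_type": "HOST", "name": "Host security scheme", "apps": ["rass"]},
]

# Observed service -> policy_type.  The 80/443 -> WEB row follows the text;
# the DB and HOST rows are assumptions.
SERVICE_RULES = [
    ({80, 443, 8080, 8443}, {"http", "https", "http-proxy"}, "WEB"),
    ({3306, 5432, 1433, 1521}, {"mysql", "postgresql", "ms-sql-s", "oracle"}, "DB"),
    ({22, 3389}, {"ssh", "ms-wbt-server"}, "HOST"),
]


def parse_open_ports(xml_text):
    """Return [(addr, port, proto, service_name)] for ports reported as open."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        for port in host.findall("./ports/port"):
            if port.find("state").get("state") != "open":
                continue    # filtered/closed ports do not imply a running service
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            found.append((addr, int(port.get("portid")), port.get("protocol"), name))
    return found


def guess_policy_types(open_ports):
    """Infer the main services and the policy types they call for, in scan order."""
    types = []
    for _, portid, _, name in open_ports:
        for ports, names, ptype in SERVICE_RULES:
            if (portid in ports or name in names) and ptype not in types:
                types.append(ptype)
    return types


def recommend(xml_text, table=SCHEME_TABLE):
    """Rows of the scheme table whose policy_type matches the inferred services."""
    types = guess_policy_types(parse_open_ports(xml_text))
    return [row for row in table if row["policy_type"] in types]


if __name__ == "__main__":
    for row in recommend(SAMPLE_NMAP_XML):
        print(row["policy_type"], row["name"])
```

Matching on both port number and NMAP's service name catches an HTTP server on a non-standard port, which a port-number-only rule would miss.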
S120, determining the corresponding orchestration policy according to the user's selection and settings for the security orchestration scheme.
After receiving the recommended scheme, the user selects from the recommended content and sets specific orchestration parameters to fit the requirements of the user's own service, producing the final orchestration policy.
S130, analyzing and executing the orchestration policy to protect network security.
After a particular orchestration policy is determined, the policy may be executed by the security orchestrator.
Specifically, the orchestration engine first invokes the first security application of the business process scenario according to the business process policy. If the application can complete the security service by itself, the result of executing the security task is returned directly to the business process engine. If the security service needs a security device, the security application sends a device call request to the security controller; the request parameters include the protection target information, the security device type and the device configuration parameters. The security controller selects a suitable security device through its resource scheduling algorithm according to the security device type and the other service parameters, and sends the protection task to the selected device. The security controller collects the results of the task executed by the security device and returns them to the security application. The security application further processes the collected log and alarm information, converts it into an interface format the orchestration engine can recognize, and returns it to the orchestration engine. Finally, the orchestration engine compares the information returned by the security application with the business process policy: if the trigger condition is met, the next security application is invoked for protection according to the business process policy; if it is not met, the first task is invoked again according to the task scheduling method defined by the business process policy.
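The execution loop described above (S130), as an added example that is not the patent's code. It models the flow: the engine invokes the policy's security applications in order; an application either completes the service itself or asks the security controller for a device, which the controller picks from the resource pool by a scheduling rule; the device's log/alarm output is converted to the engine's interface format; the engine checks the policy's trigger condition and either moves to the next application or re-invokes the first task. The policy format, the least-loaded scheduling rule, the retry limit that keeps the re-invoke loop bounded, and the simulated alarm counts are all assumptions.

```python
"""Orchestration engine loop for one business process policy (added example)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Device:
    name: str
    dtype: str
    load: int = 0

    def run_task(self, target, config):
        """Stand-in for a real appliance: returns a constructed log record."""
        self.load += 1
        return {"device": self.name, "target": target,
                "alarms": config.get("simulated_alarms", 0)}


class SecurityController:
    def __init__(self, devices):
        self.devices = devices

    def schedule(self, dtype):
        """Resource scheduling: least-loaded device of the requested type (assumed rule)."""
        pool = [d for d in self.devices if d.dtype == dtype]
        if not pool:
            raise LookupError(f"no {dtype} device in the resource pool")
        return min(pool, key=lambda d: d.load)

    def call(self, request):
        """Device call request: protection target, device type, device config."""
        dev = self.schedule(request["device_type"])
        return dev.run_task(request["target"], request["config"])


@dataclass
class SecurityApp:
    name: str
    device_type: Optional[str] = None   # None: the app completes the service itself

    def run(self, target, params, controller):
        if self.device_type is None:
            return {"app": self.name, "device": None, "alarms": 0, "status": "done"}
        raw = controller.call({"target": target, "device_type": self.device_type,
                               "config": params})
        # Convert the device's log/alarm output into the engine's interface format.
        return {"app": self.name, "device": raw["device"],
                "alarms": raw["alarms"], "status": "done"}


@dataclass
class Step:
    app: str
    params: dict
    trigger: Callable[[dict], bool]     # condition on the result to advance


def execute_policy(steps, apps, controller, target, max_retries=2):
    """Walk the policy and return the invocation trace as (app, device, alarms)."""
    trace, retries, i = [], 0, 0
    while i < len(steps):
        step = steps[i]
        result = apps[step.app].run(target, step.params, controller)
        trace.append((step.app, result["device"], result["alarms"]))
        if step.trigger(result):
            i += 1                      # trigger met: next application
        elif retries < max_retries:
            retries += 1
            i = 0                       # not met: re-invoke the first task
        else:
            trace.append(("abort", None, None))   # bounded so the loop ends
            break
    return trace


def build_demo():
    """Constructed resource pool and application set (not from the patent)."""
    controller = SecurityController([Device("rass-0", "RASS"),
                                     Device("waf-0", "WAF"), Device("waf-1", "WAF")])
    apps = {"web_scan": SecurityApp("web_scan", "RASS"),
            "waf": SecurityApp("waf", "WAF"),
            "report": SecurityApp("report")}
    return controller, apps


def web_policy(alarms):
    """Scan first; bring in the WAF only if the scan raised alarms."""
    return [Step("web_scan", {"simulated_alarms": alarms}, lambda r: r["alarms"] > 0),
            Step("waf", {}, lambda r: r["status"] == "done"),
            Step("report", {}, lambda r: True)]


if __name__ == "__main__":
    ctrl, apps = build_demo()
    print(execute_policy(web_policy(2), apps, ctrl, "10.0.0.5"))
```

The retry cap is the part worth keeping in a real engine: the description re-invokes the first task whenever the trigger condition is not met, and without a bound a step whose condition never holds would spin the engine and keep burning device capacity in the resource pool.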
According to the technical scheme of this embodiment, executing the network security management method on the secure network architecture allows virtual security device resources to be configured sensibly, provides a variety of security services, delivers sufficient security protection capability, and realizes intelligent security services.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. An NFV-based secure network architecture, comprising:
network function virtualization infrastructure, virtualized network functions, network function virtualization management and orchestration, operation support systems, business support systems, and security orchestrators;
the security orchestrator is connected to the virtualized network functions through the network function virtualization management and orchestration, and is used for performing real-time security evaluation of the data flow process of the secure network architecture.
2. The secure network architecture of claim 1, wherein the security orchestrator comprises:
an application store layer, an orchestration engine, a security controller and a virtual security device management platform;
the application store layer is used for providing web interaction services and generating orchestration policies; the orchestration engine is used for receiving the business process policy and business process service template issued by the application store layer and generating business process tasks; the security controller comprises a device management module, a resource scheduling module and a service chain module, and is used for receiving resource call requests from the orchestration engine, selecting target devices from a resource pool, and executing network security protection tasks through the resource scheduling module; and the virtual security device management platform is used for providing the computing, storage and network resources required for running security services.
3. The secure network architecture of claim 2, wherein the service chaining module interfaces with an SDN control platform.
4. The secure network architecture of claim 2, wherein the architecture of the application store layer comprises a Web layer, a Rest service platform, a data layer, and a Docker layer;
the system comprises a Docker layer, a data layer, a Rest service platform and a Web layer, wherein the Docker layer is used as a bottom layer operation environment, the data layer realizes data persistence and stores issued arrangement strategy information, the Rest service platform is used for realizing encapsulation of service logic and is opened in the form of Rest and/or APP, and the Web layer is used for providing a user interface.
5. The secure network architecture of claim 2, wherein the resource pool is comprised of a plurality of server nodes, and wherein a network structure of the resource pool includes a network egress layer, a core layer, an aggregation layer, and a network access layer.
6. The secure network architecture of claim 5, wherein a virtual local area network and a virtual forwarding path are configured on a switch connected to the resource pool.
7. The secure network architecture of claim 2, wherein the orchestration engine comprises a REST application program interface module, an orchestration service module, a database module, and a security service driver module.
8. The secure network architecture of claim 7, wherein the orchestration service module comprises a business process policy analysis submodule, a security device model, and an orchestration service template, wherein the security device model is an abstraction of each security device by the orchestration engine, and wherein the orchestration service template defines input and output mappings between applications.
9. The secure network architecture of claim 2, wherein the topology of the virtual security device management platform includes three OVS bridges connected to the management port, the data ingress port and the data egress port of the virtual security device, respectively, and a bridge connected to an external network.
10. A network security management method implemented by the secure network architecture of any one of claims 1-9, the method comprising:
acquiring asset information of a user and recommending a security orchestration scheme to the user according to the asset information;
determining a corresponding orchestration policy according to the user's selection and settings for the security orchestration scheme; and
analyzing and executing the orchestration policy to protect network security.
CN202010479425.0A 2020-05-29 2020-05-29 NFV-based secure network architecture and network security management method Pending CN111683074A (en)

Application number: CN202010479425.0A (priority date and filing date 2020-05-29)
Publication number: CN111683074A (en), publication date 2020-09-18
Family ID: 72434485
Country status: CN (1) CN111683074A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108900551A (en) * 2018-08-16 2018-11-27 中国联合网络通信集团有限公司 SDN/NFV network safety protection method and device
CN109753344A (en) * 2018-12-15 2019-05-14 内蒙航天动力机械测试所 Network function virtualization system
CN109831447A (en) * 2019-03-05 2019-05-31 浙江大学 A kind of intelligent honeynet system based on NFV
US10491594B2 (en) * 2014-08-22 2019-11-26 Nokia Technologies Oy Security and trust framework for virtualized networks

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
赵瑞: "基于软件定义安全架构的安全服务编排系统设计与开发", 《中国优秀博硕士学位论文全文数据库(硕士) 信息科技辑》 *

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112560061B (en) * 2020-12-18 2024-05-03 国家工业信息安全发展研究中心 Industrial Internet data security protection capability assessment method and equipment deployment method
CN112560061A (en) * 2020-12-18 2021-03-26 国家工业信息安全发展研究中心 Industrial Internet data safety protection capability assessment method and equipment deployment method
CN112822037A (en) * 2020-12-30 2021-05-18 绿盟科技集团股份有限公司 Flow arrangement method and system for security resource pool
CN112822037B (en) * 2020-12-30 2022-09-02 绿盟科技集团股份有限公司 Flow arrangement method and system for security resource pool
CN112822192A (en) * 2021-01-06 2021-05-18 中山大学 User-demand-oriented safety function service network system and implementation method thereof
CN112769841A (en) * 2021-01-15 2021-05-07 杭州安恒信息技术股份有限公司 Network security protection method and system based on network security equipment
CN112822059B (en) * 2021-02-09 2022-08-16 江苏省未来网络创新研究院 Service chain arrangement management system and method facing intelligent network card
CN112822059A (en) * 2021-02-09 2021-05-18 江苏省未来网络创新研究院 Service chain arrangement management system and method for intelligent network card
CN112953954A (en) * 2021-03-03 2021-06-11 华能国际电力股份有限公司 Industrial internet security capability arranging method
CN112953954B (en) * 2021-03-03 2022-11-01 华能国际电力股份有限公司 Industrial Internet security capability arrangement method
CN113726744A (en) * 2021-08-02 2021-11-30 南京南瑞信息通信科技有限公司 Visual safety alarm processing system and method based on task arrangement
CN113708965A (en) * 2021-08-24 2021-11-26 北京计算机技术及应用研究所 High-performance component-based data packet processing framework
CN114024747A (en) * 2021-11-04 2022-02-08 全球能源互联网研究院有限公司 Security service chain arranging and deploying method and system based on software defined network virtualization (NFV)
CN114338193A (en) * 2021-12-31 2022-04-12 北京天融信网络安全技术有限公司 Flow arrangement method and device and ovn flow arrangement system
CN114338193B (en) * 2021-12-31 2024-01-23 北京天融信网络安全技术有限公司 Traffic arrangement method and device and ovn traffic arrangement system
CN114785548A (en) * 2022-03-23 2022-07-22 中国人民解放军战略支援部队信息工程大学 Virtual flow anomaly detection method and system based on weighted adaptive ensemble learning and intelligent flow monitoring platform
CN114785548B (en) * 2022-03-23 2024-04-30 中国人民解放军战略支援部队信息工程大学 Intelligent flow monitoring platform
WO2024012240A1 (en) * 2022-07-11 2024-01-18 中国移动通信有限公司研究院 Function orchestration method and apparatus, and device and storage medium
CN116016213A (en) * 2022-12-27 2023-04-25 绿盟科技集团股份有限公司 Traffic arrangement method, device, system and equipment based on network target range
CN115987989B (en) * 2023-03-22 2023-09-26 麒麟软件有限公司 Method for expanding cloud virtual network in common system
CN115987989A (en) * 2023-03-22 2023-04-18 麒麟软件有限公司 Method for expanding cloud virtual network in common system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200918