CN111752679A - Dynamic arranging device for safety service chain - Google Patents
- Publication number: CN111752679A
- Application number: CN202010573745.2A
- Authority: CN (China)
- Prior art keywords: flow, safety, virtual machine, module, service chain
- Prior art date
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06F9/45558: Hypervisor-specific management and integration aspects
- G06F2009/45562: Creating, deleting, cloning virtual machine instances
- G06F2009/45595: Network integration; Enabling network access in virtual machine instances
- H04L41/0803: Configuration setting
- H04L47/2441: Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
- H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The invention discloses a dynamic arrangement device for a security service chain and relates to the technical field of network security. The device comprises a traffic classification module, a security function virtual machine management module, a lightweight virtual security resource management platform, a network management module and a flow table generation module. The traffic classification module generates a traffic classification result flow table; the security function virtual machine management module performs management operations on the security function virtual machines; the lightweight virtual security resource management platform carries out operations such as creating, starting and deleting security function virtual machines; the network management module carries out the network configuration of the security function virtual machines; and the flow table generation module generates a traffic traction flow table. By means of security function service chains, the invention can provide differentiated security protection for different traffic according to security requirements and network state, provides fine-grained, definable and diversified security protection means for the network, and has wide application prospects.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a dynamic arranging device for a security service chain.
Background
Existing network security protection measures comprise multiple layers of protection equipment covering host security, network security, application security, security management and the like, and have progressed from protection by a single device to defense in depth across the whole network. However, they fall short when dealing with high-intensity confrontation under future informatized combat conditions. The main shortcomings are as follows:
(1) protection relies mainly on a static, passive boundary protection system: once installed and deployed, existing security protection equipment is static, and lacks the ability to be continuously upgraded, to have its security policies dynamically maintained, and to have security functions dynamically deployed and adjusted on demand in a complex network environment;
(2) the management and control interfaces of security protection equipment are not uniform, which makes the equipment inconvenient for operators to use and configure.
To solve the above problems, future security protection equipment should develop towards diversified protection, ease of management and the like, specifically in the following respects:
(1) the security functions of all manufacturers expose open standard interfaces, are compatible with one another, are virtualized, and can be deployed on demand, dynamically arranged and elastically scaled;
(2) the security protection equipment is loosely coupled to the network environment, so that when the network topology changes the security scheme can be adjusted promptly and effectively; when a security mechanism discovers a malicious threat, the network can be adjusted in time to resist the attack; meanwhile, differentiated security services are provided for different services.
However, the prior art still lacks a technology capable of satisfying the above needs.
Disclosure of Invention
In view of this, the present invention provides a dynamic arrangement device for a security service chain, which constructs security function service chains and loads different security function virtual machines for each chain, so as to provide different traffic with the dynamic protection of different security function service chains.
To achieve this purpose, the invention adopts the following technical scheme:
A dynamic arrangement device for a security service chain comprises a traffic transceiver module, a vSwitch virtual switch module and a security function virtual machine module in the resource layer; a security function template management module, a security service chain template management module, a log management module and a user management module in the management layer; and an SDN controller module in the control layer. In addition, the control layer also comprises a traffic classification module, a security function virtual machine management module, a lightweight virtual security resource management platform, a network management module and a flow table generation module, wherein:
the traffic classification module classifies traffic according to the five-tuple information of the traffic received by the traffic transceiver module, generates a traffic classification result flow table and sends it to the security function virtual machine management module; the five-tuple comprises a source IP address, a source port, a destination IP address, a destination port and a protocol type; the traffic classification result flow table comprises a traffic five-tuple, a security service chain number and a security service chain template number;
the security function virtual machine management module issues management instructions to the lightweight virtual security resource management platform when a security service chain is created, modified or deleted; the management instructions comprise instructions for creating, starting, restarting, shutting down and deleting a virtual machine;
the lightweight virtual security resource management platform receives the management instructions sent by the security function virtual machine management module and operates the security function virtual machines in the resource layer accordingly; the operations comprise creating, starting, restarting, shutting down and deleting a security function virtual machine;
the network management module performs automatic network configuration for the security function virtual machines and sends network configuration information to the flow table generation module; the network configuration comprises automatically adding a virtual network port for a security function virtual machine, configuring a MAC address for the virtual network port, and attaching the virtual network port to the vSwitch virtual switch; in addition, the network management module also comprises a DHCP server for automatically configuring the IP address of the management port of a security function virtual machine;
and the flow table generation module generates a traffic traction flow table according to the network configuration information sent by the network management module and sends it to the SDN controller module for traffic scheduling control.
Further, the traffic classification module comprises a security service chain rule base module and a traffic category determination module, wherein:
the security service chain rule base module stores the security service chain information corresponding to each traffic five-tuple; the security service chain information comprises a traffic five-tuple, a security service chain number and a security service chain template number;
and the traffic category determination module extracts the five-tuple from the traffic received by the traffic transceiver module, obtains the security service chain information corresponding to that five-tuple from the security service chain rule base module, packages the five-tuple and the corresponding security service chain information into a traffic classification result flow table, and then sends the flow table to the security function virtual machine management module.
Further, the security function virtual machine management module includes a security service chain analysis module and a security function virtual machine management and control module, wherein:
the security service chain analysis module receives the traffic classification result flow table, parses the security service chain template number in it, and, according to the security service chain template information stored in the security service chain template management module of the management layer, obtains the resource-layer security function virtual machine information and vSwitch virtual switch information contained in the security service chain template with that number; the security service chain template comprises a security service chain template name, a security function list and a security function arrangement order;
and the security function virtual machine management and control module issues management instructions to the lightweight virtual security resource management platform according to the security function virtual machine information from the security service chain analysis module, packages the management instructions together with the security function virtual machine information and the switch information of the security service chain into a security function flow table, and sends the security function flow table to the network management module.
Further, the security function flow table includes a traffic five-tuple, a switch name, a switch IP address, a switch traffic ingress port name, a switch traffic ingress port number, a switch traffic ingress port MAC address, a switch traffic egress port name, a switch traffic egress port number, a switch traffic egress port MAC address, and the names of the security function virtual machines involved in the security service chain.
Further, the network management module performs network configuration on the security function virtual machines as follows: it receives the security function flow table and automatically performs network configuration on the security function virtual machines according to it;
the network configuration comprises creating and deleting security function virtual machine network ports, configuring the IP addresses of the security function virtual machine virtual network, configuring the MAC addresses of the security function virtual machine virtual network, and configuring the connection between the security function virtual machine virtual network ports and the virtual network;
the network configuration information comprises, for the security function virtual machines involved in the security service chain list, the security function virtual machine name, the traffic ingress name, the traffic ingress IP address, the traffic ingress MAC address, the traffic ingress port number, the traffic egress name, the traffic egress IP address, the traffic egress MAC address and the traffic egress port number.
Further, the traffic traction flow table includes a traffic five-tuple, a switch name, a switch IP address, a switch traffic ingress port name, a switch traffic ingress port number, a switch traffic ingress port MAC address, a switch traffic egress port name, a switch traffic egress port number, a switch traffic egress port MAC address, the names of the security function virtual machines involved in the security service chain list, a security function virtual machine traffic ingress name, a traffic ingress IP address, a traffic ingress MAC address, a traffic ingress port number, a traffic egress name, a traffic egress IP address, a traffic egress MAC address, and a traffic egress port number.
Compared with the prior art, the invention has the following beneficial effects:
1. By means of security function service chains, the invention can provide differentiated security protection for different traffic according to security requirements and network state, and provides fine-grained, definable and diversified security protection means for the network.
2. The invention supports unified arrangement of the security functions of various manufacturers, can combine the strengths of each manufacturer's protection equipment, provides the optimal protection efficiency for the network, and has wide application prospects.
3. By constructing a virtual security resource pool, the invention virtualizes and centrally controls traditional security protection equipment such as firewalls and intrusion detection, and by security traffic scheduling it steers traffic among different virtual security functions, thereby building differentiated security protection for different service traffic; this is an effective way to improve the flexibility of security protection measures and the efficiency of security control.
4. The invention integrates multiple security functions into one device and uses security service chain technology to dynamically schedule traffic among different security functions.
Drawings
FIG. 1 is a block diagram of a dynamic arrangement apparatus for a security service chain according to the present invention;
FIG. 2 is a flow chart illustrating a dynamic arrangement of a security service chain according to the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
As shown in FIG. 1, a dynamic arrangement device for a security service chain comprises a traffic transceiver module, a vSwitch virtual switch module and a security function virtual machine module in the resource layer; a security function template management module, a security service chain template management module, a log management module and a user management module in the management layer; and an SDN controller module in the control layer. In addition, the control layer also comprises a traffic classification module, a security function virtual machine management module, a lightweight virtual security resource management platform, a network management module and a flow table generation module, wherein:
the traffic classification module classifies traffic according to the five-tuple information of the traffic received by the traffic transceiver module, generates a traffic classification result flow table and sends it to the security function virtual machine management module; the five-tuple comprises a source IP address, a source port, a destination IP address, a destination port and a protocol type; the traffic classification result flow table comprises a traffic five-tuple, a security service chain number and a security service chain template number;
the security function virtual machine management module issues management instructions to the lightweight virtual security resource management platform when a security service chain is created, modified or deleted; the management instructions comprise instructions for creating, starting, restarting, shutting down and deleting a virtual machine;
the lightweight virtual security resource management platform receives the management instructions sent by the security function virtual machine management module and operates the security function virtual machines in the resource layer accordingly; the operations comprise creating, starting, restarting, shutting down and deleting a security function virtual machine;
the network management module performs automatic network configuration for the security function virtual machines and sends network configuration information to the flow table generation module; the network configuration comprises automatically adding a virtual network port for a security function virtual machine, configuring a MAC address for the virtual network port, and attaching the virtual network port to the vSwitch virtual switch; in addition, the network management module also comprises a DHCP server for automatically configuring the IP address of the management port of a security function virtual machine;
and the flow table generation module generates a traffic traction flow table according to the network configuration information sent by the network management module and sends it to the SDN controller module for traffic scheduling control.
Further, the traffic classification module comprises a security service chain rule base module and a traffic category determination module, wherein:
the security service chain rule base module stores the security service chain information corresponding to each traffic five-tuple; the security service chain information comprises a traffic five-tuple, a security service chain number and a security service chain template number;
and the traffic category determination module extracts the five-tuple from the traffic received by the traffic transceiver module, obtains the security service chain information corresponding to that five-tuple from the security service chain rule base module, packages the five-tuple and the corresponding security service chain information into a traffic classification result flow table, and then sends the flow table to the security function virtual machine management module.
Further, the security function virtual machine management module includes a security service chain analysis module and a security function virtual machine management and control module, wherein:
the security service chain analysis module receives the traffic classification result flow table, parses the security service chain template number in it, and, according to the security service chain template information stored in the security service chain template management module of the management layer, obtains the resource-layer security function virtual machine information and vSwitch virtual switch information contained in the security service chain template with that number; the security service chain template comprises a security service chain template name, a security function list and a security function arrangement order;
and the security function virtual machine management and control module issues management instructions to the lightweight virtual security resource management platform according to the security function virtual machine information from the security service chain analysis module, packages the management instructions together with the security function virtual machine information and the switch information of the security service chain into a security function flow table, and sends the security function flow table to the network management module.
Further, the security function flow table includes a traffic five-tuple, a switch name, a switch IP address, a switch traffic ingress port name, a switch traffic ingress port number, a switch traffic ingress port MAC address, a switch traffic egress port name, a switch traffic egress port number, a switch traffic egress port MAC address, and the names of the security function virtual machines involved in the security service chain.
Further, the network management module performs network configuration on the security function virtual machines as follows: it receives the security function flow table and automatically performs network configuration on the security function virtual machines according to it;
the network configuration comprises creating and deleting security function virtual machine network ports, configuring the IP addresses of the security function virtual machine virtual network, configuring the MAC addresses of the security function virtual machine virtual network, and configuring the connection between the security function virtual machine virtual network ports and the virtual network;
the network configuration information comprises, for the security function virtual machines involved in the security service chain list, the security function virtual machine name, the traffic ingress name, the traffic ingress IP address, the traffic ingress MAC address, the traffic ingress port number, the traffic egress name, the traffic egress IP address, the traffic egress MAC address and the traffic egress port number.
Further, the traffic traction flow table includes a traffic five-tuple, a switch name, a switch IP address, a switch traffic ingress port name, a switch traffic ingress port number, a switch traffic ingress port MAC address, a switch traffic egress port name, a switch traffic egress port number, a switch traffic egress port MAC address, the names of the security function virtual machines involved in the security service chain list, a security function virtual machine traffic ingress name, a traffic ingress IP address, a traffic ingress MAC address, a traffic ingress port number, a traffic egress name, a traffic egress IP address, a traffic egress MAC address, and a traffic egress port number.
The process of dynamically arranging a security service chain with the device is shown in FIG. 2 and comprises the following steps:
(1) the traffic classification module generates a traffic classification result flow table according to the five-tuple and sends it to the security function virtual machine management module;
(2) the security function virtual machine management module parses the flow table to obtain the security service chain template number, the security function virtual machine information and the switch information, generates security function virtual machine management instructions and sends them to the lightweight virtual security resource management platform;
(3) the security function virtual machine management module packages the management instructions, the security function virtual machine information and the switch information into a security function flow table and sends it to the network management module;
(4) the lightweight virtual security resource management platform creates, starts, restarts, shuts down and deletes security function virtual machines according to the management instructions;
(5) the network management module performs network configuration on the security function virtual machines, generates network configuration information and sends it to the flow table generation module;
(6) the flow table generation module generates the traffic traction flow table and issues it to the network switch;
the dynamic arrangement process of the security service chain is then complete.
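The six steps above, sketched end to end as an added example (not code from the patent). The sample five-tuples, template numbers, VM names and port numbers are constructed; returning `None` for unmatched traffic and the hop-by-hop layout of the traction table are assumptions the patent does not specify; `traversal` is an added check that the generated table visits every security function in template order.

```python
from typing import NamedTuple

class FiveTuple(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

# Constructed sample data (not from the patent).
RULE_BASE = {  # five-tuple -> (security service chain no., template no.)
    FiveTuple("10.0.0.5", 40000, "10.0.1.20", 443, "tcp"): (1, 100),
    FiveTuple("10.0.0.6", 40001, "10.0.1.30", 53, "udp"): (2, 200),
}
TEMPLATES = {  # template no. -> (template name, security functions in order)
    100: ("web-protect", ["firewall", "ids"]),
    200: ("dns-protect", ["firewall"]),
}
SWITCH = {"name": "vsw0", "in_port": 1, "out_port": 2}

def classify(ft):
    """Step 1: exact five-tuple lookup in the rule base."""
    hit = RULE_BASE.get(ft)
    if hit is None:
        return None  # assumption: handling of unmatched traffic is not specified
    return {"five_tuple": ft, "chain_no": hit[0], "template_no": hit[1]}

def plan_chain(entry):
    """Steps 2-3: resolve the template, emit VM management instructions and
    the security function flow table."""
    if entry["template_no"] not in TEMPLATES:
        raise ValueError(f"rule references unknown template {entry['template_no']}")
    _name, functions = TEMPLATES[entry["template_no"]]
    vms = [f"chain{entry['chain_no']}-{fn}" for fn in functions]
    instructions = [(op, vm) for vm in vms for op in ("create", "start")]
    sf_table = {"five_tuple": entry["five_tuple"], "switch": SWITCH, "vms": vms}
    return instructions, sf_table

def mac_for(port):
    return "02:00:00:00:00:%02x" % port  # constructed, locally administered MAC

def configure_network(sf_table, first_port=10):
    """Step 5: give each VM an ingress and an egress vport on the vSwitch."""
    cfg, port = [], first_port
    for vm in sf_table["vms"]:
        cfg.append({"vm": vm, "in_port": port, "in_mac": mac_for(port),
                    "out_port": port + 1, "out_mac": mac_for(port + 1)})
        port += 2
    return cfg

def build_traction_table(sf_table, net_cfg):
    """Step 6: one hop per segment, switch ingress -> VM1 -> ... -> switch egress."""
    ft, hops = sf_table["five_tuple"], []
    in_port = sf_table["switch"]["in_port"]
    for vm in net_cfg:
        hops.append({"match": ft, "in_port": in_port, "out_port": vm["in_port"]})
        in_port = vm["out_port"]  # traffic re-enters the switch from the VM egress
    hops.append({"match": ft, "in_port": in_port,
                 "out_port": sf_table["switch"]["out_port"]})
    return hops

def traversal(hops, net_cfg, switch=SWITCH):
    """Walk the table from the switch ingress; return the VMs visited, in order."""
    by_in = {h["in_port"]: h for h in hops}
    vm_by_port = {c["in_port"]: c for c in net_cfg}
    visited, port = [], switch["in_port"]
    for _ in range(len(hops) + 1):  # bounded so a looping table cannot hang the walk
        hop = by_in.get(port)
        if hop is None:
            raise ValueError(f"no hop for traffic entering on port {port}")
        if hop["out_port"] == switch["out_port"]:
            return visited
        vm = vm_by_port.get(hop["out_port"])
        if vm is None:
            raise ValueError(f"hop sends traffic to unknown port {hop['out_port']}")
        visited.append(vm["vm"])
        port = vm["out_port"]
    raise ValueError("traction table loops")

def orchestrate(ft):
    """Run steps 1-3, 5 and 6; step 4 (executing the instructions) is not simulated."""
    entry = classify(ft)
    if entry is None:
        return None
    instructions, sf_table = plan_chain(entry)
    net_cfg = configure_network(sf_table)
    hops = build_traction_table(sf_table, net_cfg)
    return {"instructions": instructions, "net_cfg": net_cfg, "hops": hops}

if __name__ == "__main__":
    result = orchestrate(FiveTuple("10.0.0.5", 40000, "10.0.1.20", 443, "tcp"))
    for hop in result["hops"]:
        print(hop["in_port"], "->", hop["out_port"])
    print("visited:", traversal(result["hops"], result["net_cfg"]))
```

Comparing the output of `traversal` with the template's function list catches a table that would let traffic skip a security function on its way to the switch egress.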
In short, by means of security function service chains, the invention can provide differentiated security protection for different traffic according to security requirements and network state, provides fine-grained, definable and diversified security protection means for the network, and has wide application prospects.
Claims (6)
1. A dynamic arrangement device for a security service chain, comprising a traffic transceiver module, a vSwitch virtual switch module and a security function virtual machine module in the resource layer; a security function template management module, a security service chain template management module, a log management module and a user management module in the management layer; and an SDN controller module in the control layer; the control layer also comprises a traffic classification module, a security function virtual machine management module, a lightweight virtual security resource management platform, a network management module and a flow table generation module; wherein:
the traffic classification module classifies traffic according to the five-tuple information of the traffic received by the traffic transceiver module, generates a traffic classification result flow table and sends it to the security function virtual machine management module; the five-tuple comprises a source IP address, a source port, a destination IP address, a destination port and a protocol type; the traffic classification result flow table comprises a traffic five-tuple, a security service chain number and a security service chain template number;
the security function virtual machine management module issues management instructions to the lightweight virtual security resource management platform when a security service chain is created, modified or deleted; the management instructions comprise instructions for creating, starting, restarting, shutting down and deleting a virtual machine;
the lightweight virtual security resource management platform receives the management instructions sent by the security function virtual machine management module and operates the security function virtual machines in the resource layer accordingly; the operations comprise creating, starting, restarting, shutting down and deleting a security function virtual machine;
the network management module performs automatic network configuration for the security function virtual machines and sends network configuration information to the flow table generation module; the network configuration comprises automatically adding a virtual network port for a security function virtual machine, configuring a MAC address for the virtual network port, and attaching the virtual network port to the vSwitch virtual switch; in addition, the network management module also comprises a DHCP server for automatically configuring the IP address of the management port of a security function virtual machine;
and the flow table generation module generates a traffic traction flow table according to the network configuration information sent by the network management module and sends it to the SDN controller module for traffic scheduling control.
2. The dynamic arrangement device for a security service chain according to claim 1, wherein the traffic classification module comprises a security service chain rule base module and a traffic category determination module, wherein:
the security service chain rule base module stores the security service chain information corresponding to each traffic five-tuple; the security service chain information comprises a traffic five-tuple, a security service chain number and a security service chain template number;
and the traffic category determination module extracts the five-tuple from the traffic received by the traffic transceiver module, obtains the security service chain information corresponding to that five-tuple from the security service chain rule base module, packages the five-tuple and the corresponding security service chain information into a traffic classification result flow table, and then sends the flow table to the security function virtual machine management module.
3. The dynamic security service chain arranging device according to claim 1, wherein the security function virtual machine management module comprises a security service chain parsing module and a security function virtual machine management and control module, wherein:
the security service chain parsing module is used for receiving the traffic classification result flow table, parsing the security service chain template number in the flow table, and acquiring the resource layer security function virtual machine information and vSwitch virtual switch information contained in the security service chain template with that number, according to security service chain template information stored in the management layer security service chain template management module; the security service chain template comprises a security service chain template name, a security function list and a security function arrangement order;
and the security function virtual machine management and control module is used for issuing a management instruction to the lightweight virtual security resource management platform according to the security function virtual machine information in the security service chain parsing module, packaging the management instruction, the security function virtual machine information involved in the security service chain and the switch information together into a security function flow table, and sending the security function flow table to the network management module.
4. The dynamic security service chain arranging device according to claim 3, wherein the security function flow table comprises the traffic quintuple, switch name, switch IP address, switch traffic ingress port name, switch traffic ingress port number, switch traffic ingress port MAC address, switch traffic egress port name, switch traffic egress port number, switch traffic egress port MAC address, and security function virtual machine name involved in the security service chain.
5. The dynamic security service chain arranging device according to claim 4, wherein the network management module performs network configuration on the security function virtual machine in the following manner: receiving the security function flow table, and automatically performing network configuration on the security function virtual machine according to the security function flow table;
the network configuration comprises the creation and deletion of security function virtual machine network ports, the IP address configuration of the security function virtual machine virtual network, the MAC address configuration of the security function virtual machine virtual network, and the configuration of the connection relation between the security function virtual machine virtual network port and the virtual network;
the network configuration information comprises the security function virtual machine name, the security function virtual machine traffic ingress name, the traffic ingress IP address, the traffic ingress MAC address, the traffic ingress port number, the traffic egress name, the traffic egress IP address, the traffic egress MAC address and the traffic egress port number involved in the security service chain list.
6. The dynamic security service chain arranging device according to claim 1, wherein the traffic traction flow table comprises the traffic quintuple, switch name, switch IP address, switch traffic ingress port name, switch traffic ingress port number, switch traffic ingress port MAC address, switch traffic egress port name, switch traffic egress port number, switch traffic egress port MAC address, security function virtual machine name, security function virtual machine traffic ingress name, traffic ingress IP address, traffic ingress MAC address, traffic ingress port number, traffic egress name, traffic egress IP address, traffic egress MAC address, and traffic egress port number involved in the security service chain list.
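The pipeline that claims 2 to 6 describe (quintuple lookup in the rule base, template resolution, then one traction entry per hop) can be sketched as follows. This is an added example, not code from the patent: the data layout, the function names `classify` and `traction_entries`, the reduced entry fields, and the choice to emit nothing when a chained virtual machine has no network configuration are all assumptions.

```python
from typing import NamedTuple, Optional

class Quintuple(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

# Constructed sample data; none of these values come from the patent.
RULE_BASE = {  # quintuple -> (chain number, chain template number)
    Quintuple("10.0.0.5", 40000, "10.0.1.9", 443, "tcp"): (1, 7),
}
TEMPLATES = {  # template number -> name and ordered security function list
    7: {"name": "web-inbound", "functions": ["fw", "ids", "waf"]},
}
VM_PORTS = {  # VM name -> vSwitch port numbers of its ingress/egress ports
    "fw": {"in": 11, "out": 12},
    "ids": {"in": 21, "out": 22},
    "waf": {"in": 31, "out": 32},
}

def classify(q: Quintuple) -> Optional[dict]:
    """Look up the chain for a quintuple; None when no rule matches."""
    hit = RULE_BASE.get(q)
    if hit is None:
        return None
    return {"quintuple": q, "chain": hit[0], "template": hit[1]}

def traction_entries(result: dict, sw_in: int, sw_out: int) -> list:
    """One steering entry per hop, in the template's arrangement order."""
    funcs = TEMPLATES[result["template"]]["functions"]
    missing = [f for f in funcs if f not in VM_PORTS]
    if missing:  # emit nothing rather than a chain that skips a function
        raise LookupError(f"no network configuration for {missing}")
    entries, in_port = [], sw_in
    for name in funcs:
        entries.append({"quintuple": result["quintuple"], "in_port": in_port,
                        "output": VM_PORTS[name]["in"], "next_vm": name})
        in_port = VM_PORTS[name]["out"]  # traffic returns on the egress port
    entries.append({"quintuple": result["quintuple"], "in_port": in_port,
                    "output": sw_out, "next_vm": None})
    return entries

if __name__ == "__main__":
    flow = Quintuple("10.0.0.5", 40000, "10.0.1.9", 443, "tcp")
    for e in traction_entries(classify(flow), sw_in=1, sw_out=2):
        print(e["in_port"], "->", e["output"], e["next_vm"])
```

Each entry matches on the quintuple plus the port the traffic arrived on, so the same flow is steered differently at every hop of the chain.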
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010573745.2A CN111752679B (en) | 2020-06-22 | 2020-06-22 | Dynamic arranging device for safety service chain |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111752679A true CN111752679A (en) | 2020-10-09 |
CN111752679B CN111752679B (en) | 2022-03-22 |
Family
ID=72676409
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010573745.2A Active CN111752679B (en) | 2020-06-22 | 2020-06-22 | Dynamic arranging device for safety service chain |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111752679B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103038652A (en) * | 2010-05-25 | 2013-04-10 | 海德沃特合作I有限公司 | Device-assisted services for protecting network capacity |
WO2015081766A1 (en) * | 2013-12-04 | 2015-06-11 | 蓝盾信息安全技术有限公司 | Sdn based virtual machine security policy migration system and method |
CN107872443A (en) * | 2016-09-28 | 2018-04-03 | 深圳市深信服电子科技有限公司 | Virtual network security protection system, flow lead method and device |
CN108833335A (en) * | 2018-04-16 | 2018-11-16 | 中山大学 | A kind of network security function service catenary system based on cloud computing management platform Openstack |
CN111224990A (en) * | 2020-01-09 | 2020-06-02 | 武汉思普崚技术有限公司 | Flow traction method and system of distributed micro-isolation network |
Non-Patent Citations (2)
Title |
---|
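张林杰 et al.: "Security service chain construction technology based on SDN/NFV", 《无线电工程》 * |
陈松 et al.: "Design of a dynamic defense-in-depth system against DDoS for SDN networks", 《通信技术》 * |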
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112769841A (en) * | 2021-01-15 | 2021-05-07 | 杭州安恒信息技术股份有限公司 | Network security protection method and system based on network security equipment |
CN115914135A (en) * | 2021-08-03 | 2023-04-04 | 中移动信息技术有限公司 | Data transmission method, virtual switch and storage medium |
CN114143076A (en) * | 2021-11-29 | 2022-03-04 | 全球能源互联网研究院有限公司 | Electric power thing networking safety protection system |
CN114143076B (en) * | 2021-11-29 | 2024-01-19 | 全球能源互联网研究院有限公司 | Electric power thing networking safety protection system based on virtual switch frame |
CN114629853A (en) * | 2022-02-28 | 2022-06-14 | 天翼安全科技有限公司 | Traffic classification control method based on security service chain analysis in security resource pool |
CN114629853B (en) * | 2022-02-28 | 2024-06-14 | 天翼安全科技有限公司 | Flow classification control method based on security service chain analysis in security resource pool |
CN116155764A (en) * | 2023-01-05 | 2023-05-23 | 鹏城实验室 | Management method, device, equipment and storage medium for monitoring network data |
CN116155764B (en) * | 2023-01-05 | 2024-02-20 | 鹏城实验室 | Management method, device, equipment and storage medium for monitoring network data |
Also Published As
Publication number | Publication date |
---|---|
CN111752679B (en) | 2022-03-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111752679B (en) | Dynamic arranging device for safety service chain | |
US9166988B1 (en) | System and method for controlling virtual network including security function | |
Chen et al. | Collaborative network security in multi-tenant data center for cloud computing | |
CN103561011A (en) | Method and system for preventing blind DDoS attacks on SDN controllers | |
CN105100026B (en) | A kind of safe retransmission method of message and device | |
CN103685250A (en) | Virtual machine security policy migration system and method based on SDN | |
CN101958903A (en) | Method for realizing high-performance firewall based on SOC and parallel virtual firewall | |
US8797876B2 (en) | Identification of underutilized network devices | |
CN106533724B (en) | Method, device and system for monitoring and optimizing Network Function Virtualization (NFV) network | |
CN103607399A (en) | Special IP network safety monitor system and method based on hidden network | |
CN106549792B (en) | A kind of method, apparatus and system of the security control of VNF | |
CN108234223B (en) | Safety service design method of data center integrated management system | |
CN102255903A (en) | Safety isolation method for virtual network and physical network of cloud computing | |
CN106899612B (en) | Method for automatically detecting ARP spoofing of fake host | |
CN109862045B (en) | SDN-based industrial control system dynamic defense method and device | |
Kim et al. | Ibcs: Intent-based cloud services for security applications | |
CN102801738A (en) | Distributed DoS (Denial of Service) detection method and system on basis of summary matrices | |
CN103701822A (en) | Access control method | |
Shirali-Shahreza et al. | Rewiflow: Restricted wildcard openflow rules | |
CN103178988A (en) | Method and system for monitoring virtualized resources with optimized performance | |
US8516103B2 (en) | Method for accessing control that based on virtual computing | |
CN102624721B (en) | Feature code verification platform system and feature code verification method | |
CN105553948A (en) | Flexible attack prevention method based on virtual machine | |
CN111901154B (en) | Safety architecture system based on NFV and safety deployment and safety threat processing method | |
CN103067356A (en) | System and method for business virtual machine safety guaranteeing |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||