CN112073397A - Software definition security-based hybrid resource management system

Publication number
CN112073397A
Authority
CN
China
Prior art keywords
resource
module
control
security
management
Legal status
Granted
Application number
CN202010880502.3A
Other languages
Chinese (zh)
Other versions
CN112073397B (en)
Inventor
杨茂深
赵慧
于然
张雨
Current Assignee
Beijing Institute of Computer Technology and Applications
Original Assignee
Beijing Institute of Computer Technology and Applications

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

The invention relates to a hybrid resource management system based on software-defined security and belongs to the fields of software-defined security and virtualization. The system follows a standard software-defined security architecture, retains the advantages of traditional software-defined security, decouples data from control so that the data layer and the control layer are kept separate, and solves the problems of software service management and control and hybrid resource scheduling.

Description

Software definition security-based hybrid resource management system
Technical Field
The invention belongs to the field of software-defined security and the technical field of virtualization, and in particular relates to a hybrid resource management system based on software-defined security.
Background
Software-defined security extends the concept of software-defined networking (SDN). Traditional software-defined security focuses on security equipment and abstracts its functions, so that security devices no longer operate in separately administered, independently deployed modes. It inherits the partitioning capability of SDN: network devices in different physical partitions can be placed under the same management system, which eases the scheduling and management of security functions. Decoupling the data processing layer from the control management layer lets central management independently control every device that provides the same function while ignoring management-layer differences such as vendor versions. Conventional software-defined security nevertheless has disadvantages. It addresses only physical or virtual network security devices rather than security functions: it can manage and control hardware such as IDS, firewalls and servers and can configure virtual network devices, but it lacks management of software security services and security plug-ins. Secondly, it lacks an orchestration means for multiple security resources, in particular combined scheduling of software and hardware resources.
Disclosure of Invention
(I) Technical problem to be solved
The technical problem to be solved by the invention is how to provide a hybrid resource management system based on software-defined security that addresses what current software-defined security systems lack, namely service management and control on the software side and scheduling of mixed software and hardware resources, while inheriting the advantages of traditional software-defined security and solving the problems of software service management and control and hybrid resource scheduling.
(II) Technical scheme
To solve this technical problem, the invention provides a hybrid resource management system based on software-defined security. It comprises a security resource module holding the various hybrid resources, a centralized control module responsible for resource scheduling and allocation, and an application management module that provides calling interfaces to the user.
Preferably, the security resource module is a component of the data layer and provides mixed resources such as containers, physical devices, virtual devices, security applications and security services. The centralized control module interacts directly with the security resources to schedule and manage the various resources of the security resource module uniformly, and the application management module is associated with the user's applications and services and provides them with uniform interfaces.
Preferably, the security resource module consists of physical and virtual security network devices, containers, security services and security processes. It integrates the data layer obtained by splitting the SDN, then uses NFV technology to virtualize network functions, and ensures that every mixed resource has sufficient system resources of its own, thus providing secure storage, a start-up environment and runtime dependencies. The centralized control module integrates the control layer split off by the SDN and integrates the control management module according to resource type, so that it orchestrates the functional components of the mixed resources and manages their state downwards. It pairs the function points of the various resources with their controls to form 'control-function pairs', integrates these into a control interface, provides a control management API upwards to the application management module, and performs resource allocation and scheduling downwards on the security resource module, thereby managing the scheduling and orchestration of the mixed resources. Service distribution to the security resource module is completed through a configured service chain; the control management API is classified by function point and function type, re-adapts the control interfaces of the mixed resources, integrates all function interfaces uniformly, and provides occupancy allocation management and system resource allocation for the security resources. The application management module connects directly to the user and provides a security service interface, a security application interface, a resource management interface and an orchestration engine task issuing interface. Through the resource management interface the application management module queries and manages the resource allocation of the security resources in the security resource module, the deployment of physical and virtual security devices and the scheduling usage of the network virtualization module; and it checks, in the centralized control module, how the control management module manages each control-function pair, the usage and detailed configuration of the function elements, and the configuration of the service chain.
Preferably, the security resource module is composed of multiple carrier types: physical and virtual security network devices, containers, security services and security processes. By security product they are classified into 10 types: firewall, security vulnerability scanning and analysis, intrusion detection, network device security module, virus protection, network 3A, security operating system, network security isolation, security protocol and encryption. Through NFV, the data processing layer of these 10 function classes is split into network, computing and storage parts, yielding 10 relatively independent classes of security function elements, which the centralized control module schedules to complete the security tasks the user requires.
Preferably, the centralized control module recombines the control layer according to the functional elements of the various security resources, manages it uniformly and adapts it into external interfaces provided to the application management module. It consists of a resource scheduling engine, a control management module and a control interface decoupled from the security resources. The resource scheduling engine decides allocation and scheduling by judging whether current system resources can start a functional element, whether the functional element is currently occupied and whether a deadlock occurs; for start-up it uses a FIFO scheme to guarantee the operating environment of containers and software. The control management module pairs and manages control-function pairs, manages resource access authority, collects function element state and feeds it back to the resource scheduling engine in time. Thus, for the functional elements of the security resource module, a resource scheduling engine responsible for dynamic allocation and a control management module responsible for resource management and control together schedule the functional elements.
Preferably, the application management module accepts the external interface provided by the centralized control module. It includes a security service interface and a security application interface that standardize the interface format, a resource management interface for modifying and querying security resources, and an orchestration engine task issuing interface for processing security tasks, and offers these simplified, centralized security function solutions to users. Users can use these services directly to execute the required business, or use the orchestration engine application to issue orchestration tasks.
Preferably, the centralized control module, which interacts directly with the security resources, further splits the control layer by function on the basis of the security function elements, maps the control layer onto the security function elements and forms control elements that are as function-unitized as possible: the 10 classes of security functions serve as branches, and control elements converge with a single function as the unit. These control elements are built into control interfaces, and the centralized control module exposes these minimal-function control interfaces for the application management module to use.
Preferably, the control management module also configures the service chain module, which is responsible for managing the source and allocation of each functional element when processing input, including which security resource a data stream is allocated to and whether the processing mode is forwarding the traffic or copying the traffic.
Preferably, the resource scheduling engine determines the resources that a security resource is expected to consume as follows. First define: the resource overhead
Figure BDA0002653957690000041
refers to the resource overhead incurred by deploying functional element i on virtual resource r;
Figure BDA0002653957690000042
represents the storage overhead of the selected virtual resource r;
Figure BDA0002653957690000043
represents the computing resource overhead of the selected virtual resource r;
Figure BDA0002653957690000044
represents the interaction overhead generated between functional element i deployed on virtual resource r and the resource scheduling engine;
Figure BDA0002653957690000045
represents the amount of data transmitted between the function module of the functional element and the resource scheduling engine;
thus, there are:
Figure BDA0002653957690000046
The resource scheduling engine evaluates
Figure BDA0002653957690000047
and judges it; when the allocable resources do not satisfy the condition, the request waits for resource allocation and execution in FIFO order, while the centralized control module detects deadlock among functional element resource requests in real time, checks the running state of the security resources and makes appropriate adjustments and allocations.
The invention also provides a working method of the system once the user calls the application management module interfaces, comprising: a user application calls a single security function through the service interface of the application management module; a user application issues a user-defined task policy through the orchestration engine interface of the application management module to schedule several security functions and several security resources; and the user modifies the control management configuration and the resource management configuration through the resource management interface of the application management module.
Calling a single security function through the service interface provided by the application management module specifically comprises: (1) the user-defined application selects and calls the service interface of one function according to its own requirement; (2) the service interface connects to the control management API of the centralized control module and issues a resource application; (3) the resource scheduling engine of the centralized control module schedules the control submodule holding the control element of that function according to the content of the application; (4) the control submodule starts the function element of the corresponding security resource module according to the control-function pair and executes the security function.
Calling security resources through the orchestration engine specifically comprises: (1) the orchestration engine receives the task policy issued by the user and generates an orchestration task from it; (2) the orchestration engine judges from the task content whether the current resources satisfy the orchestration condition, and waits if they do not; (3) once the condition is met, for each security function configured in the task it calls the corresponding service interface and issues a resource application; (4) the resource scheduling engine of the centralized control module schedules the control submodule holding the control element of that function according to the content of the application; (5) the control submodule starts the function element of the corresponding security resource module according to the control-function pair and executes the security function.
Modifying the resource configuration through the resource management interface provided by the application management module specifically comprises: (1) the user calls the resource management interface to send a management request; (2) the resource management processing module processes the request and queries the corresponding management content; (3) according to the query target, the request is classified as control management configuration or resource management configuration, and modules at different levels are queried; (4) if the target is control management configuration, the management status of the control-function pairs of the centralized control module, the usage and detailed configuration of the function elements, the configuration of the service chain and so on are displayed; (5) if the target is resource management configuration, the resource allocation of the security resources in the security resource module, the deployment management of physical and virtual security devices and the scheduling usage of the network virtualization module are displayed; (6) the modification of the resource configuration is completed.
(III) Advantageous effects
The hybrid resource management system based on software-defined security provided by the invention follows a standard software-defined security architecture, retains the advantages of traditional software-defined security, decouples data from control so that the data layer and the control layer are kept separate, and solves the problems of software service management and control and hybrid resource scheduling.
Drawings
FIG. 1 is a block diagram of a hybrid resource management system based on software-defined security according to the present invention;
FIG. 2 is a sequence diagram illustrating a service interface usage flow of a hybrid resource management system based on software defined security according to the present invention;
FIG. 3 is a timing diagram illustrating a process for using an orchestration engine of a hybrid resource management system based on software defined security according to the present invention;
FIG. 4 is a flowchart illustrating a resource management interface of a hybrid resource management system based on software defined security according to the present invention.
Detailed Description
To make the objects, contents and advantages of the present invention clearer, the embodiments of the invention are described in detail below in conjunction with the accompanying drawings and examples.
As shown in FIG. 1, the system builds the overall architecture of a software-defined security system on SDN/NFV. SDN decouples the control layer from the data processing layer of the security resources, so the decoupled control layer interface no longer depends on each manufacturer's own architecture; NFV then further decouples the data processing layer into independent network, computing and storage modules, so that security functions no longer depend on dedicated devices. The software-defined security architecture has three levels, so from bottom to top the system comprises a security resource module containing the various mixed resources, a centralized control module responsible for resource scheduling and allocation, and an application management module that provides calling interfaces to the user.
The security resource module is an important component of the data layer and provides the mixed resources of containers, physical devices, virtual devices, security applications and security services. The control layer comprises the centralized control module and the application management module: the centralized control module interacts directly with the security resources to schedule and manage the various resources of the security resource module uniformly, while the application management module is associated with the user's applications and services, provides uniform interfaces to them and lowers the professional knowledge the application system demands of users. The control layer offers centralized management, efficient resource utilization and simple operation, and is suited to the network security construction of large groups and organizations.
The security resource module integrates the data layer obtained by splitting the SDN, then uses NFV technology to virtualize network functions and ensures that all mixed resources have sufficient system resources of their own, providing secure storage, a start-up environment and runtime dependencies. The centralized control module integrates the control layer split off by the SDN and integrates the control management module by resource type, so it comprises a container control submodule, a software control submodule, a device control submodule and an access control submodule, and orchestrates and manages the state of the functional components of the mixed resources downwards. It pairs the function points of the various resources with their controls to form control-function pairs, integrates them into a control interface, provides a control management API upwards to the application management module and performs resource allocation and scheduling downwards on the security resource module, thereby managing the scheduling and orchestration of the mixed resources; service distribution to the security resource module is completed through a configured service chain. The control management API is classified by function point and function type, re-adapts the control interfaces of the mixed resources so that all function interfaces are integrated uniformly, and provides occupancy allocation management and system resource allocation for the security resources.
The application management module connects directly to users and provides them with simpler and more convenient interfaces: a security service interface, a security application interface, a resource management interface and an orchestration engine task issuing interface. Users can use the orchestration engine to chain together the services their business requires, call the service application interface standardized by the application management module directly, or manage the security resource module through the resource management interface for resource configuration, authority and storage management. A user can call the service interface directly; it standardizes the control management API of the centralized control module so that a single security function is easy to invoke. A user can also process business with the orchestration engine of the application management module, which composes several security functions into a task and flexibly adjusts the execution order and parameters of the functions. Through the resource management interface the application management module queries and manages the resource allocation of the security resources in the security resource module, the deployment of physical and virtual security devices, the scheduling usage of the network virtualization module and so on, and checks how the control management module in the centralized control module manages each control-function pair, the usage and detailed configuration of the function elements, the configuration of the service chain and so on.
The security resource module consists of multiple carrier types: physical and virtual security network devices, containers, security services and security processes. The security products are classified into 10 types: firewall, security vulnerability scanning and analysis, intrusion detection, network device security module, virus protection, network 3A, security operating system, network security isolation, security protocol and encryption. Through NFV, the data processing layer of these 10 function classes is split into network, computing and storage parts, yielding 10 relatively independent classes of security function elements, which the centralized control module schedules to complete the security tasks the user requires.
The centralized control module is composed of the control layer decoupled by software-defined security technology; it recombines the control layer according to the functional elements of the various security resources, manages it uniformly and adapts it into external interfaces for the application management module. For the functional elements of the security resource module, the centralized control module schedules them through a resource scheduling engine responsible for dynamic allocation and a control management module responsible for resource management and control. The resource scheduling engine decides allocation and scheduling according to whether current system resources can start a functional element, whether the functional element is currently occupied, whether a deadlock occurs, and so on, while a service chain module allocates the direction of data streams and processing modes such as forwarding and copying.
The application management module receives the external interface provided by the centralized control module. It comprises a security service interface and a security application interface that standardize the interface format, a resource management interface for modifying and querying security resources, and an orchestration engine task issuing interface for processing security tasks, and provides simplified, centralized security function solutions to users. Users can use these services directly to execute the required business, or use the orchestration engine application to issue orchestration tasks.
The security resource module, which gathers the various resources, is composed of multiple carrier types. Unlike a traditional software-defined system, this system also considers the security risks of pure software services and applications and the software and hardware scheduling plan of a business, and brings lightweight virtualization containers, security services and processes into the overall planning of security resources. Network functions are further virtualized with NFV technology to obtain independent network, computing and storage modules; functional elements for specific security functions are formed by functional division, and the management system can use combinations of these functional elements directly to consume security resources.
The centralized control module, which interacts directly with the security resources, further splits the control layer by function on the basis of the security function elements, maps the control layer onto the security function elements and forms control elements that are as function-unitized as possible; this differs from a traditional software-defined system in that the control layer split is more unitized. The 10 classes of security functions serve as branches, control elements converge with a single function as the unit, and these control elements are built into control interfaces. The centralized control module exposes such minimal-function control interfaces for the application management module to use.
The centralized control module of the management system builds a scheduling and management engine for the security resource module, consisting of a resource scheduling engine, a control management module and a control interface decoupled from the security resources. The resource scheduling engine judges and schedules according to whether current system resources can start a functional element, whether the functional element is currently occupied, whether a deadlock occurs, and so on, and uses a FIFO scheme for start-up to guarantee the operating environment of containers, software and the like. The control management module is divided into a container control submodule, a device control submodule, a software control submodule and an access control submodule; it pairs and manages control-function pairs, manages resource access authority, collects function element state and feeds it back to the resource scheduling engine in time to avoid problems such as occupancy waits and overload. In addition, the control management module configures the service chain module, which manages the source and allocation of each functional element when processing input, including which security resource a data stream is allocated to and whether the processing mode is forwarding the traffic or copying the traffic.
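The control-function pairs and the service chain with its two processing modes, described in this paragraph and in the earlier "Preferably, the control management module is further configured to configure the service chaining module" passage, can be made concrete with a small simulation. The following is an added example and not code from the patent: the pairing of a function element with its control submodule and the forward/copy modes come from the description, while the element names, the packet format, the blocked-port rule and the sample stream are constructed for the illustration.

```python
"""Control-function pairs and a service chain with forward/copy modes.

Added example, not code from the patent. The control-function pairing, the
per-type control submodules and the two service-chain processing modes
(forward traffic / copy traffic) come from the description; the element
names, the packet format, the blocked-port rule and the sample stream are
constructed for the illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]  # constructed packet representation

# Constructed firewall policy for the example: drop everything to TCP/23.
BLOCKED_PORTS = {23}

# Constructed sample data stream of three packets.
SAMPLE_STREAM: List[Packet] = [
    {"src": "10.0.0.5", "dst_port": 443},
    {"src": "10.0.0.6", "dst_port": 23},
    {"src": "10.0.0.7", "dst_port": 80},
]


@dataclass
class ControlFunctionPair:
    """A function element bound to the control submodule that drives it."""
    function_element: str   # e.g. "firewall", one of the 10 function classes
    control_submodule: str  # "container", "device", "software" or "access"
    handler: Callable[[List[Packet]], List[Packet]]
    seen: List[Packet] = field(default_factory=list)  # what the element observed

    def run(self, stream: List[Packet]) -> List[Packet]:
        self.seen.extend(stream)
        return self.handler(stream)


class ControlManagementModule:
    """Registers control-function pairs and evaluates a configured service chain."""

    def __init__(self) -> None:
        self.pairs: Dict[str, ControlFunctionPair] = {}

    def register(self, pair: ControlFunctionPair) -> None:
        self.pairs[pair.function_element] = pair

    def run_chain(self, stream: List[Packet], chain: List[Tuple[str, str]]) -> List[Packet]:
        """Apply a service chain given as [(function_element, mode), ...].

        "forward": the element sits inline; its output is what the next
                   element receives, so it may filter or drop packets.
        "copy":    the element gets a copy of the stream (a tap); the original
                   continues to the next element unchanged.
        """
        for element, mode in chain:
            pair = self.pairs[element]  # an unregistered element is a configuration error
            if mode == "forward":
                stream = pair.run(stream)
            elif mode == "copy":
                pair.run([dict(p) for p in stream])
            else:
                raise ValueError(f"unknown processing mode {mode!r}")
        return stream


def build_module() -> ControlManagementModule:
    """Constructed pairs: a device-class firewall and a container-class IDS."""
    cm = ControlManagementModule()
    cm.register(ControlFunctionPair(
        "firewall", "device",
        lambda s: [p for p in s if p["dst_port"] not in BLOCKED_PORTS]))
    cm.register(ControlFunctionPair("ids", "container", lambda s: s))  # passive: observes only
    return cm


def run_demo(chain: List[Tuple[str, str]]) -> Tuple[int, int]:
    """Return (packets delivered past the chain, packets the IDS copy saw)."""
    cm = build_module()
    delivered = cm.run_chain([dict(p) for p in SAMPLE_STREAM], chain)
    return len(delivered), len(cm.pairs["ids"].seen)
```

The order of the chain decides what a copy-mode element observes: with the IDS tapped before the firewall, `run_demo` reports two delivered packets and three seen by the IDS; with the IDS after the firewall, the dropped telnet packet never reaches it, so a service chain configuration error silently narrows detection coverage.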
The resource scheduling engine determines the resources that the security resources are expected to consume as follows. First define: the resource overhead
Figure BDA0002653957690000101
refers to the resource overhead incurred by deploying functional element i on virtual resource r;
Figure BDA0002653957690000102
represents the storage overhead of the selected virtual resource r;
Figure BDA0002653957690000103
represents the computing resource overhead of the selected virtual resource r;
Figure BDA0002653957690000104
represents the interaction overhead generated between functional element i deployed on virtual resource r and the resource scheduling engine;
Figure BDA0002653957690000105
represents the amount of data transmitted between the function module of the functional element and the resource scheduling engine;
thus, there are:
Figure BDA0002653957690000106
The resource scheduling engine evaluates
Figure BDA0002653957690000107
and, when the allocable resources do not satisfy the condition, waits for resource allocation and execution in FIFO order; the centralized management module detects in real time whether the resource requests of functional elements are deadlocked, checks the running state of the security resources, and makes appropriate adjustments and allocations.
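The following is an added example, not code from the patent or its applicant, modelling the scheduling-engine behaviour described above: an expected overhead per (functional element, virtual resource) built from storage, compute and interaction overhead, strict FIFO start-up when the allocable resources do not satisfy the condition, and real-time deadlock detection with an adjustment step. The page shows the overhead formula only as an image, so the arithmetic (interaction overhead proportional to the data exchanged with the engine, charged to the resource's compute budget), the capacity units, the element and resource names, and the victim-selection rule in `resolve_deadlock` are all assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed model of the resource scheduling engine: expected overhead of
# deploying a functional element on a virtual resource, strict FIFO start-up,
# and deadlock detection on a wait-for graph. The page shows the overhead
# formula only as an image, so the arithmetic and units here are assumptions.

INTERACTION_COST_PER_KB = 1  # assumed cost per KB exchanged with the engine


@dataclass(frozen=True)
class FunctionalElement:
    name: str
    storage: int          # storage units needed on the virtual resource
    compute: int          # compute units needed on the virtual resource
    bytes_to_engine: int  # data exchanged with the scheduling engine per run


@dataclass
class VirtualResource:
    name: str
    free_storage: int
    free_compute: int
    holders: list = field(default_factory=list)  # elements deployed here


def estimate_overhead(elem):
    """Storage + compute + interaction overhead of deploying elem (assumed model)."""
    interaction = -(-elem.bytes_to_engine // 1024) * INTERACTION_COST_PER_KB
    return {"storage": elem.storage, "compute": elem.compute + interaction,
            "total": elem.storage + elem.compute + interaction}


class ResourceScheduler:
    def __init__(self, resources):
        self.resources = {r.name: r for r in resources}
        self.queue = deque()  # pending (element, resource name) requests, FIFO
        self.holding = {}     # element name -> {resource name: overhead}

    def _fits(self, elem, res):
        o = estimate_overhead(elem)
        return o["storage"] <= res.free_storage and o["compute"] <= res.free_compute

    def request(self, elem, rname):
        self.queue.append((elem, rname))
        return self.dispatch()

    def dispatch(self):
        """Start requests strictly in FIFO order; stop at the first that cannot start."""
        started = []
        while self.queue:
            elem, rname = self.queue[0]
            res = self.resources[rname]
            if rname in self.holding.get(elem.name, {}) or not self._fits(elem, res):
                break  # element already occupies this resource, or resource exhausted
            self.queue.popleft()
            o = estimate_overhead(elem)
            res.free_storage -= o["storage"]; res.free_compute -= o["compute"]
            res.holders.append(elem.name)
            self.holding.setdefault(elem.name, {})[rname] = o
            started.append((elem.name, rname))
        return started

    def release(self, elem_name, rname):
        o = self.holding[elem_name].pop(rname)
        res = self.resources[rname]
        res.free_storage += o["storage"]; res.free_compute += o["compute"]
        res.holders.remove(elem_name)
        return self.dispatch()

    def detect_deadlock(self):
        """Cycle of element names in the wait-for graph (waiter -> holders), or []."""
        waits = {}
        for elem, rname in self.queue:
            res = self.resources[rname]
            if not self._fits(elem, res):
                waits.setdefault(elem.name, set()).update(h for h in res.holders if h != elem.name)

        def dfs(node, path, seen):
            if node in path:
                return path[path.index(node):]
            if node in seen:
                return []
            seen.add(node)
            for nxt in waits.get(node, ()):
                cycle = dfs(nxt, path + [node], seen)
                if cycle:
                    return cycle
            return []

        seen = set()
        for start in waits:
            cycle = dfs(start, [], seen)
            if cycle:
                return cycle
        return []

    def resolve_deadlock(self, cycle):
        """Adjustment (assumed rule): the last element in the cycle gives up its holdings and re-queues them."""
        victim = cycle[-1]
        elem = next(e for e, _ in self.queue if e.name == victim)
        started = []
        for rname in list(self.holding.get(victim, {})):
            started += self.release(victim, rname)
            self.queue.append((elem, rname))
        return started + self.dispatch()


def demo():
    # Constructed resources and elements sized so that the two elements each hold
    # one resource and wait on the other.
    pool = VirtualResource("container-pool", free_storage=8, free_compute=10)
    fw = VirtualResource("hw-fw", free_storage=5, free_compute=8)
    ids = FunctionalElement("ids", storage=4, compute=4, bytes_to_engine=2048)
    av = FunctionalElement("av", storage=5, compute=3, bytes_to_engine=1024)
    s = ResourceScheduler([pool, fw])
    s.request(ids, "container-pool")  # starts
    s.request(av, "hw-fw")            # starts
    s.request(ids, "hw-fw")           # waits: hw-fw storage held by av
    s.request(av, "container-pool")   # waits: pool storage held by ids -> cycle
    cycle = s.detect_deadlock()
    after_fix = s.resolve_deadlock(cycle)
    after_release = s.release("ids", "container-pool")
    return {"cycle": cycle, "after_fix": after_fix,
            "after_release": after_release, "deadlock_left": s.detect_deadlock()}
```

Strict FIFO means a blocked head request also blocks later requests that would fit; the deadlock check therefore only counts an element as waiting when its own request does not fit, and the wait-for edges point at the current holders of that resource.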
The application management module provides a simplified single-function application/service interface, a resource management interface, and a task-issuing interface of the orchestration engine. The orchestration engine consists of a policy parsing module, an orchestration task generation module, an orchestration task execution module, an orchestration task model library, and a security resource model. A user submits a configuration policy; the parsing module parses it to obtain the operations the user needs executed; the orchestration engine orchestrates them according to a task template for complex operations such as IDS detection, traffic cleaning, and user authentication; each functional element is configured with its start order, start timing, and cycle as required; the security resource model simulates the actual running conditions; and when no orchestration problem is found, the orchestration task execution module issues the task and calls the corresponding interface provided by the centralized control module to run and monitor it.
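The following is an added example, not code from the patent or its applicant, showing the orchestration engine's dry-run step just described: a parsed policy selects a task template, the template (with each element's start time, duration and cycle) is simulated against a security resource model, and the task is issued only when the simulation finds no conflict. The templates, the resource capacities, the tick units, and the single compute-demand dimension are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed model of the orchestration engine's dry run: policy -> template ->
# simulation against a security resource model -> issue or wait. Template
# contents, capacities, tick units and the single demand dimension are assumed.


@dataclass(frozen=True)
class ElementTask:
    name: str       # functional element to start
    resource: str   # security resource it is deployed on
    demand: int     # compute units consumed while running
    start: int      # tick of the first start
    duration: int   # ticks per run
    cycle: int      # ticks between starts; 0 means run once


def running_at(task, t):
    """True if the element is running at tick t, honouring its start time and cycle."""
    if t < task.start:
        return False
    if task.cycle == 0:
        return t < task.start + task.duration
    return (t - task.start) % task.cycle < task.duration


def simulate(template, model, horizon):
    """Dry run: per-tick demand per resource against the model's capacity.
    Returns (ok, conflicts) with conflicts as (tick, resource, demand, capacity)."""
    conflicts = []
    for t in range(horizon):
        load = {}
        for task in template:
            if running_at(task, t):
                load[task.resource] = load.get(task.resource, 0) + task.demand
        for res, used in sorted(load.items()):
            cap = model.get(res)  # None: the resource is absent from the model
            if cap is None or used > cap:
                conflicts.append((t, res, used, cap))
    return not conflicts, conflicts


def orchestrate(policy, templates, model, horizon=20):
    """Parse the policy (here just a task name), simulate, then issue or wait."""
    template = templates[policy["task"]]
    ok, conflicts = simulate(template, model, horizon)
    if ok:
        return {"action": "issue", "tasks": [t.name for t in template]}
    return {"action": "wait", "first_conflict": conflicts[0]}


# Constructed security resource model: compute capacity per resource.
MODEL = {"hw-fw": 8, "ids-container": 10}

# Constructed orchestration task templates.
TEMPLATES = {
    "traffic_clean": [ElementTask("fw", "hw-fw", 5, 0, 20, 0),
                      ElementTask("ids", "ids-container", 6, 0, 4, 5)],
    "double_ids":    [ElementTask("ids-a", "ids-container", 6, 0, 4, 5),
                      ElementTask("ids-b", "ids-container", 6, 2, 4, 5)],
    "staggered_ids": [ElementTask("ids-a", "ids-container", 6, 0, 4, 10),
                      ElementTask("ids-b", "ids-container", 6, 5, 4, 10)],
    "user_auth":     [ElementTask("auth", "auth-service", 2, 0, 20, 0)],
}


def demo():
    return {name: orchestrate({"task": name}, TEMPLATES, MODEL) for name in TEMPLATES}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `double_ids` and `staggered_ids` templates differ only in start timing and cycle, which is exactly the per-element configuration the text says the engine applies: the first overlaps two IDS runs on the same container and must wait, the second spaces them out and can be issued.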
For resource management, the resource management interface of the application management module queries the security resource control state of the centralized control module; from this, the control management module's management state for each control-function pair, the usage and detailed configuration of the functional elements, and the configuration of the service chain can be obtained, and the centralized control module can be configured and managed through the interface. The resource management interface also queries the device state of the security resource module, from which the resource allocation of the security resources, the deployment management of physical and virtual security devices, and the scheduling usage of the network virtualization module can be obtained, and the configuration management of the corresponding management module can be queried visually.
The invention is described through several embodiments. After a user calls an application management module interface, the hybrid resource management system based on software defined security operates as follows: the user application calls a single security function through a service interface of the application management module; the user application issues a user-defined task policy through the orchestration engine interface of the application management module to schedule multiple security functions and multiple security resources; and the user modifies the control management configuration and the resource management configuration through the resource management interface of the application management module.
As shown in fig. 2, in an embodiment of the hybrid resource management system based on software defined security according to the present invention, the steps of calling a single security function through the service interface provided by the application management module are: (1) the user-defined application selects and calls the service interface of a given function according to its own needs; (2) the service interface connects to the control management API of the centralized management module and issues a resource request; (3) the resource scheduling engine of the centralized control module schedules the control submodule in which the control element of that function resides according to the content of the request; (4) the control submodule enables the functional element of the corresponding security resource module according to the control-function pair and executes the security function.
As shown in fig. 3, in an embodiment of the hybrid resource management system based on software defined security according to the present invention, the steps of invoking security resources through the orchestration engine are: (1) the orchestration engine receives the task policy issued by the user and generates an orchestration task from it; (2) the orchestration engine judges from the task content whether the current resources satisfy the orchestration condition, and waits if they do not; (3) once the orchestration condition is met, it calls the corresponding service interface for each security function configured in the task and issues a resource request; (4) the resource scheduling engine of the centralized control module schedules the control submodule in which the control element of that function resides according to the content of the request; (5) the control submodule enables the functional element of the corresponding security resource module according to the control-function pair and executes the security function.
As shown in fig. 4, in an embodiment of the hybrid resource management system based on software defined security according to the present invention, the steps of modifying the resource configuration through the resource management interface provided by the application management module are: (1) the user calls the resource management interface to issue a management request; (2) the resource management processing module handles the request and queries the corresponding management content; (3) the query target is classified as either control management configuration or resource management configuration, and the modules at the corresponding level are queried; (4) if the query target is control management configuration, the management state of the control-function pairs of the centralized control module, the usage and detailed configuration of the functional elements, the configuration of the service chain, and so on are displayed; (5) if the query target is resource management configuration, the resource allocation of the security resources in the security resource module, the deployment management of physical and virtual security devices, the scheduling usage of the network virtualization module, and so on are displayed; (6) the modification of the resource configuration is completed.
Compared with the prior art, the invention has the following advantages:
1. The security resource module provides mixed software and hardware resources, covers application scenarios in which the security resources are wide-ranging, numerous, and easy to extend, and enables the combined use of software and hardware security functions.
2. The centralized control module provides security resource occupation waiting and allocation optimization, schedules the resources of the security resource module reasonably, optimizes internal management, and facilitates cooperation and interworking among the mixed resources.
3. The application management module is organized by security function and, based on the API exposed upward by the centralized control module, provides a uniform, simple, and easy-to-use resource utilization interface.
4. The application management module is equipped with an orchestration engine and configured with a security device model and orchestration task templates to simulate the actual orchestration effect, so that it can judge whether the current resources are suitable for the task orchestration.
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.

Claims (10)

1. A hybrid resource management system based on software defined security, comprising: a security resource module containing various mixed resources, a centralized control module in charge of resource scheduling and allocation, and an application management module providing a calling interface for users.
2. The system of claim 1, wherein the secure resource module provides a hybrid of resources of containers, physical devices, virtual devices, security applications, and security services as part of the data layer; the centralized control module directly interacts with the security resources to realize the uniform scheduling and management of various resources in the security resource module, and the application management module is associated with the applications and services of users to provide uniform interfaces for various applications and services.
3. The system of claim 2, wherein the security resource module is composed of physical and virtual security network devices, containers, security services and security processes; the security resource module integrates the data layer obtained by splitting an SDN, then uses NFV technology to complete the virtualization of network functions, and ensures that all mixed resources have sufficient system resources of their own, providing secure storage, a start-up environment and run-time dependencies; the centralized control module integrates the control layer split from the SDN and integrates the control management module by resource type, so that the centralized control module performs orchestration and state management of the functional components of the mixed resources downward; the centralized control module pairs the function points of the various resources with their control to form 'control-function pairs', integrates them into a control interface, provides a control management API upward to the application management module, performs resource allocation and scheduling downward on the security resource module, implements scheduling and orchestration management of the mixed resources, completes the service distribution of the security resource module by configuring a service chain, classifies the control management API by function point and function type, re-adapts the control interfaces of the mixed resources so as to integrate all function interfaces uniformly, and provides occupation and allocation management of the security resources and system resource allocation; the application management module is directly connected to the user and provides the user with a security service interface, a security application interface, a resource management interface and an orchestration engine task issuing interface; through the resource management interface, the application management module queries and manages the resource allocation of the security resources in the security resource module, the deployment management of physical and virtual security devices and the scheduling usage of the network virtualization module, and checks the management state of each control-function pair, the usage and detailed configuration of the functional elements and the configuration of the service chain of the control management module in the centralized management module.
4. The system of claim 3, wherein the security resource module consists of a plurality of bearer types: physical and virtual security network devices, containers, security services and security processes; these are classified by security product into 10 categories, namely firewall, security vulnerability scanning and analysis, intrusion detection, network device security module, virus protection, network 3A, security operating system, network security isolation, security protocol and encryption; the 10 categories of functions are split by NFV at the data processing layer into network, computation and storage to obtain 10 relatively independent categories of security functional elements, and the centralized control module schedules these security functional elements to complete the security tasks required by users.
5. The system of claim 4, wherein the centralized control module reorganizes the control layer for the functional elements of the various types of security resources, manages them uniformly, and adapts them into an external interface for the application management module; the centralized control module consists of a resource scheduling engine, a control management module and a control interface decoupled from the security resources; the resource scheduling engine judges, allocates and schedules whether the current system resources can start a functional element, whether the functional element is already occupied and whether a deadlock has occurred, and start-up is handled in FIFO order to guarantee the operating environment of containers and software; the control management module is responsible for pairing and managing 'control-function pairs', managing resource access permissions, collecting state information of the functional elements and feeding it back to the resource scheduling engine in time; and for the functional elements of the security resource module, the resource scheduling engine in charge of dynamic allocation and the control management module in charge of resource management and control schedule the functional elements.
6. The system of claim 5, wherein the application management module accepts an external interface provided by the centralized control module, the application management module includes a security service interface and a security application interface for standardizing the interface format, a resource management interface for modifying and querying security resources, and an orchestration engine task issuing interface for processing security tasks, and provides these simplified and centralized security function solutions to users, and users can directly use these services to execute required services or use the orchestration engine application to issue orchestration tasks.
7. The system of claim 6, wherein the centralized management module, which directly interacts with the security resources, further splits the control layer with respect to the security functional elements, maps the control layer onto the security functional elements, forms control elements with the largest possible functional units, converges the control elements in units of single functional units with the 10 categories of security functions as branches, and constructs them as control interfaces; the centralized control module externally provides these minimized-function control interfaces for use by the application management module.
8. The system of claim 7, wherein the control management module is further configured to configure the service chaining module to manage the source and allocation of each functional element in processing the input, including which secure resource the data stream is allocated to process, and the processing manner is forwarding traffic or copying traffic.
9. The system of claim 8, wherein the resource scheduling engine determines the resources expected to be consumed by a security resource as follows: the following definitions are first made: resource overhead
Figure FDA0002653957680000031
Refers to the resource overhead incurred by deploying a functional element i to a virtual resource r,
Figure FDA0002653957680000032
represents the storage overhead of the selected virtual resource r;
Figure FDA0002653957680000033
an overhead of computing resources representing the selected virtual resource r;
Figure FDA0002653957680000034
representing the interaction overhead generated by deploying the functional element i on the virtual resource r and a resource scheduling engine;
Figure FDA0002653957680000035
the data transmission quantity between the function module representing the function element and the resource scheduling engine;
thus, there are:
Figure FDA0002653957680000036
The resource scheduling engine evaluates
Figure FDA0002653957680000037
and, when the allocable resources do not satisfy the condition, waits for resource allocation and execution in FIFO order; the centralized management module detects in real time whether the resource requests of functional elements are deadlocked, checks the running state of the security resources, and makes appropriate adjustments and allocations.
10. A method of operating a system as claimed in any one of claims 1 to 9, after a user invokes an application management module interface, comprising the steps of: the user application calls a single security function through a service interface of the application management module; the user application issues a user-defined task policy through the orchestration engine interface of the application management module to schedule multiple security functions and multiple security resources; and the user modifies the control management configuration and the resource management configuration through the resource management interface of the application management module;
the step of the application calling a single security function through the service interface provided by the application management module specifically comprises: (1) the user-defined application selects and calls the service interface of a given function according to its own needs; (2) the service interface connects to the control management API of the centralized management module and issues a resource request; (3) the resource scheduling engine of the centralized control module schedules the control submodule in which the control element of that function resides according to the content of the request; (4) the control submodule starts the functional element of the corresponding security resource module according to the control-function pair and executes the security function;
the step of calling security resources through the orchestration engine specifically comprises: (1) the orchestration engine receives the task policy issued by the user and generates an orchestration task from it; (2) the orchestration engine judges from the task content whether the current resources satisfy the orchestration condition, and waits if they do not; (3) once the orchestration condition is met, it calls the corresponding service interface for each security function configured in the task and issues a resource request; (4) the resource scheduling engine of the centralized control module schedules the control submodule in which the control element of that function resides according to the content of the request; (5) the control submodule starts the functional element of the corresponding security resource module according to the control-function pair and executes the security function;
the step of modifying the resource configuration through the resource management interface provided by the application management module specifically comprises: (1) the user calls the resource management interface to issue a management request; (2) the resource management processing module handles the request and queries the corresponding management content; (3) the query target is classified as either control management configuration or resource management configuration, and the modules at the corresponding level are queried; (4) if the query target is control management configuration, the management state of the control-function pairs of the centralized control module, the usage and detailed configuration of the functional elements, the configuration of the service chain, and so on are displayed; (5) if the query target is resource management configuration, the resource allocation of the security resources in the security resource module, the deployment management of physical and virtual security devices, and the scheduling usage of the network virtualization module are displayed; (6) the modification of the resource configuration is completed.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010880502.3A CN112073397B (en) 2020-08-27 2020-08-27 Software-defined security-based hybrid resource management system

Publications (2)

Publication Number Publication Date
CN112073397A true CN112073397A (en) 2020-12-11
CN112073397B CN112073397B (en) 2022-08-23

Family

ID=73659044

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010880502.3A Active CN112073397B (en) 2020-08-27 2020-08-27 Software-defined security-based hybrid resource management system

Country Status (1)

Country Link
CN (1) CN112073397B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113778991A (en) * 2021-09-14 2021-12-10 珠海市新德汇信息技术有限公司 Method for realizing resource access control of big data

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104363159A (en) * 2014-07-02 2015-02-18 北京邮电大学 Virtual open network building system and method based on software definition network
WO2016180068A1 (en) * 2015-05-11 2016-11-17 中兴通讯股份有限公司 Multi-domain controller, single-domain controller, and software-defined optical network system and method
CN106612312A (en) * 2015-10-23 2017-05-03 中兴通讯股份有限公司 Virtualized data center scheduling system and method
CN107370835A (en) * 2017-09-11 2017-11-21 郑州云海信息技术有限公司 A kind of cloud computing center network architecture based on SDN and NFV technologies
CN109617873A (en) * 2018-12-06 2019-04-12 中山大学 A kind of flow attacking system of defense based on SDN cloud security function services tree-model

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
严军: "浅探基于SDN及NFV的电力数据中心网络资源调度架构", 《信息数据与电子工程》 *
张凯: "面向公安大数据中心的软件定义安全系统设计与实现", 《警察技术》 *

Also Published As

Publication number Publication date
CN112073397B (en) 2022-08-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant