CN112104540A - Cross-domain resource dynamic arranging method and cross-domain interconnection system - Google Patents

Info

Publication number
CN112104540A
Authority
CN
China
Prior art keywords
cross
domain
service
resources
management
Legal status
Pending
Application number
CN202010934406.2A
Other languages
Chinese (zh)
Inventor
刘晓东
屈肃
朱晓明
宋春晓
贾哲
曹彦军
商英俊
杨国瑞
葛洪武
黄伟
王志浩
闫继垒
李炳彰
刘寅
李大鹏
刘蓓
Current Assignee
CETC 54 Research Institute
Original Assignee
CETC 54 Research Institute

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks > H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L 12/46 Interconnection of networks
    • H04L 47/00 Traffic control in data switching networks > H04L 47/70 Admission control; Resource allocation > H04L 47/78 Architectures of resource allocation
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols > H04L 67/10 Protocols in which an application is distributed across nodes in the network > H04L 67/104 Peer-to-peer [P2P] networks > H04L 67/1074 Peer-to-peer [P2P] networks for supporting data block transmission mechanisms

Abstract

The invention discloses a method for dynamically orchestrating cross-domain resources and a cross-domain interconnection system, in the technical field of controlled cross-domain interconnection. The cross-domain resources of the interconnection system are divided into management and control resources, security protection resources, network addressing resources and isolation switching resources. The first three are virtualized and the isolation switching resources are pooled; a unified capability interface gives uniform scheduling control over all four, and a unified service interface with service orchestration capability is exposed externally. The management and control policies, security protection, cross-domain addressing and isolation switching resources that a cross-domain service needs are orchestrated on demand into a cross-domain interconnection service function chain. When the cross-domain security service detects a cross-domain security risk, it reports the security event to the cross-domain management and control service, which dynamically adjusts the service function chains of the various cross-domain resources, giving a dynamic response to the risk.

Description

Cross-domain resource dynamic arranging method and cross-domain interconnection system
Technical Field
The invention relates to controlled cross-domain interconnection in private network environments with multiple security levels, and in particular to a method for dynamically orchestrating cross-domain resources and to a cross-domain interconnection system.
Background
For controlled cross-domain interconnection of information in a private network environment with multiple security levels, several types of special-purpose and commercial cross-domain devices currently provide cross-domain exchange capability. They meet the exchange requirements of specific application scenarios and resist common network attacks to a certain extent.
However, the cross-domain service exchange capability of such multi-security-level private networks is still fixed at deployment time: cross-domain resources cannot be deployed and adjusted on demand across the variety of cross-domain service scenarios. The result is a cross-domain capability bottleneck, and with it a cross-domain security risk.
Disclosure of Invention
In view of this, the present invention provides a method for dynamically orchestrating cross-domain resources and a cross-domain interconnection system. They meet the cross-domain interconnection requirements of the many service types of a multi-security-level private network, give the interconnection system unified orchestration and management of all types of cross-domain resources, and allocate and adjust those resources on demand.
To this end, the invention adopts the following technical scheme:
A method for dynamically orchestrating cross-domain resources comprises the following steps:
(1) dividing cross-domain resources into four types: management and control resources, security protection resources, network addressing resources and isolation switching resources;
(2) each of the four types of cross-domain resources provides its cross-domain support capability to services through a service interface, and the four together expose a uniform service capability interface externally;
(3) through linkage among the four resource types, each cross-domain service receives cross-domain support adapted to its characteristics; the service is controlled along the dimensions of policy control, security inspection, cross-domain addressing and network isolation, so that the multi-dimensional cross-domain resources cooperate dynamically and the cross-domain service is interconnected in a controlled way.
Furthermore, the management and control resources, security protection resources and network addressing resources are virtualized, while the isolation switching resources are encapsulated on the physical isolation switching devices through a uniform abstract interface, so that different types of isolation switching device are managed as one pool;
on the basis of this virtualization and pooling, a unified capability interface is exposed externally that gives uniform scheduling control over all cross-domain resources, with unified capability interfaces for identity authentication, access control, interconnection control, secure transmission, data exchange, authority management, security protection, situation monitoring, security audit and approval control;
on the basis of this uniform scheduling control, a uniform service interface and service orchestration capability are exposed externally; the various cross-domain resources are orchestrated on demand into a cross-domain interconnection service function chain, and a series of cross-domain services is offered to cross-domain users.
Furthermore, the management and control resources provide, through a cross-domain management and control service interface, cross-domain service type identification, cross-domain authority control, deep protocol inspection, cross-domain situation monitoring and security event early warning, giving the cross-domain interconnection system unified policy control and a unified situation view;
the security protection resources provide, through a cross-domain security service interface, virtualized firewall, intrusion detection, intrusion prevention, WAF, data leakage prevention, malicious code prevention and network audit functions; the security components are loaded and scheduled dynamically, the required virtual security function instances are deployed according to the cross-domain service requirement, and the security components are adjusted dynamically when a security threat occurs;
the network addressing resources provide, through a cross-domain addressing service interface, cross-domain network addressing by name routing, network directory lookup and DNS/ENUM.
Further, the isolation switching resources comprise an isolation switching resource pool and an isolation switching service. The pool contains inter-network bidirectional isolation switching devices, unidirectional transmission devices, automatic optical disk ferry machines and electronic disk ferry systems; it manages these different cross-domain isolation switching devices through one uniform abstraction, forming a uniform scheduling management interface;
on the basis of that uniform scheduling management, differentiated isolation switching services are provided per cross-domain service type: the isolation switching resources are orchestrated dynamically into a cross-domain transmission channel matched to the characteristics of the service, over which the service data is carried across domains.
Further, a cross-domain transmission path is generated dynamically according to the type of the cross-domain service; the management and control policy, security protection, cross-domain addressing and isolation switching resources required along that path are orchestrated on demand, and a corresponding service function chain is generated. Once cross-domain service traffic enters the cross-domain interconnection system, traffic steering forces it along the cross-domain transmission path, and each service function chain applies its services to it.
Further, when the cross-domain security service detects a security risk in cross-domain traffic, it reports the security event to the cross-domain management and control service. That service generates a processing policy from the event and issues it to the cross-domain security service, the cross-domain addressing service and the cross-domain isolation switching service, which adjust the service function chains of the various cross-domain resources; this is the dynamic response to the cross-domain security risk.
A cross-domain interconnection system with dynamic resource orchestration comprises four types of cross-domain resources, namely management and control resources, security protection resources, network addressing resources and isolation switching resources. Each provides its cross-domain support capability through a service interface, and the four together expose a uniform service capability interface externally; through linkage among them, each cross-domain service receives support adapted to its characteristics and is controlled along the dimensions of policy control, security inspection, cross-domain addressing and network isolation, so that the multi-dimensional cross-domain resources cooperate dynamically and the cross-domain service is interconnected in a controlled way;
the management and control resources, security protection resources and network addressing resources are virtualized, while the isolation switching resources sit on the physical isolation switching devices and are encapsulated through a uniform abstract interface, so that different types of isolation switching device are managed as one pool;
on the basis of this virtualization and pooling, a unified capability interface is exposed externally that gives uniform scheduling control over all cross-domain resources, with unified capability interfaces for identity authentication, access control, interconnection control, secure transmission, data exchange, authority management, security protection, situation monitoring, security audit and approval control;
on the basis of this uniform scheduling control, a uniform service interface and service orchestration capability are exposed externally; the various cross-domain resources are orchestrated on demand into a cross-domain interconnection service function chain, and a series of cross-domain services is offered to cross-domain users.
Furthermore, the management and control resources provide, through a cross-domain management and control service interface, cross-domain service type identification, cross-domain authority control, deep protocol inspection, cross-domain situation monitoring and security event early warning, giving the cross-domain interconnection system unified policy control and a unified situation view;
the security protection resources provide, through a cross-domain security service interface, virtualized firewall, intrusion detection, intrusion prevention, WAF, data leakage prevention, malicious code prevention and network audit functions; the security components are loaded and scheduled dynamically, the required virtual security function instances are deployed according to the cross-domain service requirement, and the security components are adjusted dynamically when a security threat occurs;
the network addressing resources provide, through a cross-domain addressing service interface, cross-domain network addressing by name routing, network directory lookup and DNS/ENUM;
the isolation switching resources comprise an isolation switching resource pool and an isolation switching service. The pool contains inter-network bidirectional isolation switching devices, unidirectional transmission devices, automatic optical disk ferry machines and electronic disk ferry systems; it manages these different cross-domain isolation switching devices through one uniform abstraction, forming a uniform scheduling management interface;
on the basis of that uniform scheduling management, differentiated isolation switching services are provided per cross-domain service type: the isolation switching resources are orchestrated dynamically into a cross-domain transmission channel matched to the characteristics of the service, over which the service data is carried across domains.
Further, the cross-domain interconnection system generates a cross-domain transmission path dynamically according to the type of the cross-domain service, orchestrates on demand the management and control policy, security protection, cross-domain addressing and isolation switching resources required along that path, and generates a corresponding service function chain. Once cross-domain service traffic enters the system, traffic steering forces it along the cross-domain transmission path, and each service function chain applies its services to it.
Further, when the cross-domain security service detects a security risk in cross-domain traffic, it reports the security event to the cross-domain management and control service. That service generates a processing policy from the event and issues it to the cross-domain security service, the cross-domain addressing service and the cross-domain isolation switching service, which adjust the service function chains of the various cross-domain resources; this is the dynamic response to the cross-domain security risk.
Compared with the prior art, the invention has the following beneficial effects:
1. It gives the cross-domain interconnection system unified orchestration and management of all types of cross-domain resources, addressing its inadequate architectural design, heterogeneous technical base, and difficult maintenance and support.
2. It orchestrates the various cross-domain resources dynamically and supplies them on demand according to the cross-domain service, addressing the fixed deployment of cross-domain facilities and the rigidity of cross-domain exchange means.
3. It gives the system a coordinated, linked response to cross-domain security events: by dynamically adjusting the various cross-domain resources it responds along the dimensions of management policy, security protection, cross-domain addressing and network isolation, so that a single weak cross-domain resource no longer becomes the source of a cross-domain security risk.
Drawings
Fig. 1 is a schematic structural diagram of the cross-domain interconnection system in an embodiment of the invention.
Fig. 2 illustrates the service-oriented exposure of cross-domain resources in an embodiment of the invention.
Fig. 3 illustrates the method for dynamically orchestrating cross-domain resources in an embodiment of the invention.
Fig. 4 illustrates the dynamic orchestration of cross-domain service capabilities in an embodiment of the invention.
Detailed Description
The invention is further described with reference to the following figures and detailed description.
As shown in Fig. 1, the cross-domain interconnection system is a software-defined three-layer architecture of a cross-domain resource layer, a cross-domain control layer and a cross-domain service layer. It meets the requirement of "service-oriented cross-domain resources and flexible linking and embedding of security capability adapted to the cross-domain service" by virtualizing the cross-domain security, management and control and addressing resources, pooling the isolation switching resources, abstracting and encapsulating their interfaces, dynamically orchestrating cross-domain paths, and offering cross-domain security, management and control, addressing and isolation switching as services. The cross-domain resource layer holds the several types of cross-domain resources: security, management and control, addressing and isolation switching. The security, management and control and addressing resources are virtualized; the isolation switching resources are encapsulated on their physical devices through uniform abstract interfaces, so that different types of isolation switching device are pooled and scheduled uniformly. The cross-domain control layer provides the unified capability interfaces for identity authentication, access control, interconnection control, secure transmission, data exchange, authority management, security protection, situation monitoring, security audit and approval control, and through them schedules all cross-domain resources uniformly. The cross-domain service layer exposes a uniform service interface and service orchestration capability externally: the various cross-domain resources are orchestrated on demand into a cross-domain interconnection service chain, and a series of cross-domain services is offered to cross-domain users.
On the basis of resource virtualization and pooling, the system exposes a uniform service capability interface comprising a cross-domain management and control service, a cross-domain security service, a cross-domain addressing service and a cross-domain isolation switching service, as shown in Fig. 2. The management and control service gives unified cross-domain control of services and a unified situation view, with cross-domain service type identification, cross-domain authority control, deep protocol inspection, cross-domain situation monitoring and cross-domain security event early warning. The security service virtualizes firewall, intrusion detection, intrusion prevention, WAF, data leakage prevention, malicious code prevention, network audit and similar functions, and provides dynamic loading and scheduling of security components, dynamic orchestration of security service chains and dynamic deployment of security function instances. The addressing service gives uniform network addressing for the cross-domain services of every attached network domain, including name routing, network directory and DNS/ENUM addressing. The isolation switching service manages the different types of cross-domain transmission device through one abstraction, pools them, and provides differentiated isolation switching services per service type.
Dynamic orchestration of cross-domain resources separates cross-domain control from the cross-domain resources and opens the cross-domain service capability to upper-layer applications, building on service-oriented cross-domain resources and the decoupling of software from hardware. Its principle is shown in Fig. 3.
The cross-domain services of the service layer expose service capability interfaces for cross-domain service demands and connect to the control layer through an open RESTful interface.
The control layer is divided into a policy control sublayer and a traffic forwarding sublayer. The policy control sublayer contains the service chain controller, a lightweight virtual security resource management platform, centralized control of virtual security functions, threat perception and intelligent decision, an SDN controller and similar core components. Northbound, the service chain controller offers a service interface; southbound, it interfaces loosely with the SDN controller and the lightweight virtual security resource management platform to obtain asset and other knowledge information and to manage the various entities. The SDN controller pushes the flow tables of the Classifier and the service function forwarders (SFF) to the vSwitches or physical SDN switches of the forwarding layer over the OpenFlow protocol. The service chain controller (SSC) provides a RESTful programming interface to the service layer for constructing and managing cross-domain service chains. The lightweight virtual security resource management platform manages the virtual resource pool and deploys cross-domain service functions centrally and on demand. The cross-domain service device management sub-platform manages the cross-domain service devices uniformly through a standardized interface. The traffic forwarding sublayer consists of the network forwarding resources, vSwitch virtual switch software or physical SDN switches; these execute the flow tables and so steer traffic among the different cross-domain service resources.
The resource layer comprises virtual resources and physical resources. The virtual resources are security functions (virtual firewall, virtual intrusion detection, virtual intrusion prevention, virtual WAF), addressing functions (name routing, network directory and DNS/ENUM addressing) and management and control functions (policy management, log management, security event management, cross-domain situation management). The physical resources are the isolation switching devices: inter-network bidirectional isolation switching devices, unidirectional transmission devices, automatic optical disk ferry machines, electronic disk ferry systems and the like.
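The isolation switching resource pool described above (bidirectional gap devices, unidirectional transmission devices, optical disk ferries and electronic disk ferries behind one scheduling interface) can be sketched as follows. This is an added example, not code from the patent or from CETC 54; the device names, the capability fields, the sample pool and the rule for choosing a device are assumptions. What it adds to the text is the selection policy: a request is matched against hard constraints (direction, latency budget, payload size, whether a session is needed), the most restrictive device that still fits is chosen, and a request that no device can satisfy is refused rather than served by a device that would violate a constraint.

```python
"""Isolation switching resource pool behind one abstract interface.

Added example; not code from the patent. Device names, capability fields,
the sample pool and the selection rule are assumptions chosen to show how
heterogeneous gap, diode and ferry devices can be pooled and a channel
chosen from a service's requirements.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class Direction(Enum):
    LOW_TO_HIGH = "low->high"        # import into the higher-security domain
    HIGH_TO_LOW = "high->low"        # export from it: the sensitive direction
    BIDIRECTIONAL = "bidirectional"  # request/response across the boundary


@dataclass(frozen=True)
class IsolationDevice:
    """Uniform abstraction over one physical isolation switching device."""
    name: str
    kind: str                         # gap / diode / optical-ferry / disk-ferry
    directions: FrozenSet[Direction]  # transfer directions the device supports
    max_latency_s: float              # worst-case end-to-end delay
    max_payload_mb: int               # largest single transfer it can carry
    interactive: bool                 # can carry a session, not just a file


@dataclass(frozen=True)
class ServiceRequirement:
    service_type: str
    direction: Direction
    latency_budget_s: float
    payload_mb: int
    needs_session: bool = False


class IsolationPool:
    """Pooling manager: every device is scheduled through the same calls."""

    def __init__(self, devices):
        self._devices = list(devices)
        self._allocated = {}  # device name -> service type holding it

    def candidates(self, req):
        """Devices that meet every hard constraint and are not in use."""
        return [d for d in self._devices
                if req.direction in d.directions
                and d.max_latency_s <= req.latency_budget_s
                and d.max_payload_mb >= req.payload_mb
                and (d.interactive or not req.needs_session)
                and d.name not in self._allocated]

    def allocate(self, req) -> Optional[IsolationDevice]:
        """Choose the most restrictive device that still fits, so a diode is
        preferred over a bidirectional gap and a ferry over a live link.
        Returns None when nothing fits: the pool fails closed instead of
        falling back to a device that would violate a constraint."""
        cands = self.candidates(req)
        if not cands:
            return None
        best = min(cands, key=lambda d: (len(d.directions), d.interactive,
                                          -d.max_latency_s))
        self._allocated[best.name] = req.service_type
        return best

    def release(self, device_name):
        self._allocated.pop(device_name, None)


# Constructed sample pool mirroring the four device classes named in the text.
ALL = frozenset(Direction)
SAMPLE_POOL = [
    IsolationDevice("gap-1", "bidirectional-gap", ALL, 0.05, 64, True),
    IsolationDevice("diode-1", "unidirectional", frozenset({Direction.LOW_TO_HIGH}),
                    0.01, 1024, False),
    IsolationDevice("optical-ferry-1", "optical-disk-ferry",
                    frozenset({Direction.LOW_TO_HIGH, Direction.HIGH_TO_LOW}),
                    600.0, 4096, False),
    IsolationDevice("disk-ferry-1", "electronic-disk-ferry",
                    frozenset({Direction.LOW_TO_HIGH, Direction.HIGH_TO_LOW}),
                    120.0, 32768, False),
]


def demo(devices=SAMPLE_POOL):
    """Four constructed service requests; returns the device chosen for each."""
    pool = IsolationPool(devices)
    reqs = [
        # interactive query: only the gap device carries a session
        ServiceRequirement("db-query", Direction.BIDIRECTIONAL, 0.1, 1, True),
        # log import into the high side: the diode is the tightest fit
        ServiceRequirement("log-import", Direction.LOW_TO_HIGH, 1.0, 100),
        # 8 GB export: too big for the optical ferry, so the disk ferry
        ServiceRequirement("bulk-export", Direction.HIGH_TO_LOW, 3600.0, 8192),
        # low-latency export with the gap already taken: nothing fits
        ServiceRequirement("realtime-export", Direction.HIGH_TO_LOW, 1.0, 1),
    ]
    chosen = {}
    for req in reqs:
        dev = pool.allocate(req)
        chosen[req.service_type] = dev.name if dev else None
    return chosen


if __name__ == "__main__":
    print(demo())
```

The ordering key deliberately prefers the device with the fewest capabilities, so a high-to-low export never lands on the bidirectional gap while a ferry could carry it, and the gap stays free for the services that genuinely need a session. A real pool would add per-device health and throughput accounting, but the fail-closed shape of `allocate` is the part that matters for a multi-level boundary.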
According to the cross-domain transmission requirement of each service, the system combines the cross-domain service functions in order and passes the cross-domain traffic through them in sequence, forming a service function chain. It can orchestrate the cross-domain resources dynamically, build differentiated service function chains, steer different cross-domain flows through different chains in different orders, and so deliver cross-domain service capability adapted to the characteristics of each service.
Fig. 4 takes the cross-domain security service as an example. For three different types of cross-domain service, three different security service function chains are orchestrated: cross-domain service traffic 1 is forced through the firewall, IDS and DPI; traffic 2 passes through the firewall but not the IDS or DPI; and traffic 3 passes through the IDS and DPI but not the firewall. The cross-domain service capability is thus orchestrated dynamically and supplied on demand.
In summary, the invention divides the cross-domain resources of the cross-domain interconnection system into four types, management and control resources, security protection resources, network addressing resources and isolation switching resources; virtualizes the first three and pools the isolation switching resources; schedules all of them uniformly through a unified capability interface; and exposes a uniform service interface and service orchestration capability externally. According to the cross-domain service requirement, the management and control policy, security protection, cross-domain addressing and isolation switching resources it needs are orchestrated dynamically into a cross-domain interconnection service function chain, and a series of cross-domain services is offered. Once cross-domain service traffic enters the system, traffic steering passes it through the service function chain, which applies its services to it. When the cross-domain security service detects a cross-domain security risk, it reports the security event to the cross-domain management and control service; that service generates a processing policy from the event and issues it to the cross-domain security service, the cross-domain addressing service and the cross-domain isolation switching service, the service function chains of the various cross-domain resources are adjusted dynamically, and the cross-domain security risk is answered dynamically.
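The service function chains of Fig. 4 and the event-driven adjustment just described can be modelled together. This is an added example rather than the patent's or the assignee's code; the chain contents beyond Fig. 4 (the added DLP and drop functions), the NSH-style (service path identifier, service index) forwarding model, the event fields and the severity-to-action table are all assumptions. It shows the classifier and SFF tables the service chain controller would hand to the SDN controller for the three traffic classes, and how one reported event leads the management and control service to issue a single policy that touches the security chain, the addressing entry and the isolation channel at once.

```python
"""Service function chaining for the three traffic classes of Fig. 4 and the
event-driven re-orchestration performed by the management and control
service. Added example; not code from the patent. The chain contents, the
(service path id, service index) forwarding model borrowed from NSH-style
SFC, the event fields and the response policy are assumptions.
"""
from dataclasses import dataclass

# Ordered security service function chains per cross-domain service type.
CHAINS = {
    "traffic-1": ["firewall", "ids", "dpi"],
    "traffic-2": ["firewall"],
    "traffic-3": ["ids", "dpi"],
}


class ServiceChainController:
    """Northbound: chains keyed by service type. Southbound: a classifier
    rule per service type and an SFF table keyed by (SPI, SI), the shape an
    SDN controller would install as flow entries."""

    def __init__(self, chains):
        self.chains = {}
        self.classifier = {}   # service type -> service path id (SPI)
        self.sff_table = {}    # (SPI, SI) -> next service function or "egress"
        self._next_spi = 1
        for stype, sfs in chains.items():
            self.install_chain(stype, sfs)

    def install_chain(self, service_type, service_functions):
        """Install or replace a chain. A replacement gets a fresh SPI so
        packets already on the old path complete it; the classifier is
        repointed last, so new flows switch over atomically."""
        spi, self._next_spi = self._next_spi, self._next_spi + 1
        self.chains[service_type] = list(service_functions)
        # SI starts at the chain length and is decremented at every hop.
        for si, sf in zip(range(len(service_functions), 0, -1), service_functions):
            self.sff_table[(spi, si)] = sf
        self.sff_table[(spi, 0)] = "egress"
        self.classifier[service_type] = spi
        return spi

    def path_for(self, service_type):
        """Walk the SFF table as a forwarder would; returns the SF order."""
        spi = self.classifier[service_type]
        si = len(self.chains[service_type])
        hops = []
        while (nxt := self.sff_table[(spi, si)]) != "egress":
            hops.append(nxt)
            si -= 1
        return hops


@dataclass(frozen=True)
class SecurityEvent:
    service_type: str   # flow the reporting function was inspecting
    reporter: str       # security function that raised the event
    severity: str       # "low" | "medium" | "high"
    detail: str


class ManagementControlService:
    """Takes events from the security service and issues one processing
    policy to the security (chain), addressing (name route) and isolation
    switching (channel) services. The severity -> action table is assumed."""

    def __init__(self, controller, channels, routes):
        self.controller = controller
        self.channels = dict(channels)   # service type -> isolation channel
        self.routes = dict(routes)       # service type -> published name route
        self.audit = []

    def handle(self, event):
        stype, actions = event.service_type, []
        if event.severity == "medium":
            # Tighten the chain: append whatever inspection is missing.
            chain = list(self.controller.chains[stype])
            for sf in ("ids", "dpi", "dlp"):
                if sf not in chain:
                    chain.append(sf)
                    actions.append("security:add:" + sf)
            self.controller.install_chain(stype, chain)
        elif event.severity == "high":
            # Quarantine: withdraw the route, release the isolation channel,
            # and repoint the chain at a drop function until cleared.
            self.controller.install_chain(stype, ["drop"])
            self.routes.pop(stype, None)
            self.channels[stype] = None
            actions += ["security:drop", "addressing:withdraw", "isolation:release"]
        self.audit.append((stype, event.reporter, event.severity, tuple(actions)))
        return actions


def demo():
    """Constructed run: baseline chains, then a medium and a high event."""
    ctl = ServiceChainController(CHAINS)
    mcs = ManagementControlService(ctl, {"traffic-2": "gap-1"},
                                   {"traffic-2": "svc2.low.example"})
    out = {"baseline": {t: ctl.path_for(t) for t in CHAINS}}
    out["medium"] = mcs.handle(SecurityEvent(
        "traffic-2", "firewall", "medium", "repeated blocked connects"))
    out["after_medium"] = ctl.path_for("traffic-2")
    out["high"] = mcs.handle(SecurityEvent(
        "traffic-2", "dpi", "high", "protocol violation on channel"))
    out["after_high"] = (ctl.path_for("traffic-2"), mcs.channels["traffic-2"],
                         "traffic-2" in mcs.routes)
    return out
```

Two details carry the security weight. Replacing a chain allocates a new SPI instead of rewriting entries in place, so a flow mid-chain cannot skip a function because its (SPI, SI) entries changed under it. And the high-severity branch acts on all three services at once: a withdrawn route alone still leaves the isolation channel open, and a dropped chain alone still advertises the service, which is the single-resource weak link the description warns about.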
The invention thus provides dynamic orchestration of cross-domain resources for a cross-domain interconnection system in a multi-security-level private network environment. The system can orchestrate and manage all types of cross-domain resources uniformly, orchestrate and supply them on demand according to the cross-domain service requirement, adjust them dynamically in response to cross-domain security events, and respond to those events in a coordinated, linked way along the dimensions of management policy, security protection, cross-domain addressing and network isolation. This addresses the inadequate design, heterogeneous technical base, difficult maintenance and support, fixed deployment of cross-domain facilities and rigid cross-domain exchange capability of such systems, and the cross-domain security risk caused by a single weak cross-domain resource.
In short, the invention gives the various cross-domain resources, management policy, security protection, cross-domain addressing and network isolation, a service-oriented cross-domain support capability on a uniform technical base, and orchestrates them dynamically according to the cross-domain service requirement. Through dynamic, coordinated linkage among these resources, each cross-domain service receives support adapted to its characteristics and is interconnected in a controlled way. Dynamic orchestration of cross-domain resources solves the problems of allocating and dynamically adjusting cross-domain resources in a cross-domain interconnection system under a multi-security-level private network environment.

Claims (10)

1. A cross-domain resource dynamic arranging method, characterized by comprising the following steps:
(1) dividing cross-domain resources into four types: management control resources, security protection resources, network addressing resources and isolation switching resources;
(2) each of the four types of cross-domain resources provides its service cross-domain support capability through a service interface, and a uniform service capability interface is provided to the outside;
(3) through linkage among the four types of cross-domain resources, cross-domain support capability adapted to the service characteristics is provided for cross-domain services, the cross-domain services are controlled from the dimensions of policy control, security check, cross-domain addressing and network isolation, and dynamic cooperation of multi-dimensional cross-domain resources and controlled intercommunication of the cross-domain services are realized.
2. The method for dynamically arranging cross-domain resources according to claim 1, wherein the management control resources, security protection resources and network addressing resources are virtualized to implement cross-domain resource virtualization, the isolation switching resources remain on the physical isolation switching devices, and pooled management of the different types of isolation switching devices is implemented through encapsulation behind a uniform abstract interface;
on the basis of cross-domain resource virtualization and pooled management, a unified capability interface is provided externally, so that unified scheduling control of the various cross-domain resources is realized, and unified capability interfaces for identity authentication, access control, interconnection control, secure transmission, data exchange, authority management, security protection, situation monitoring, security audit and approval management and control are provided;
on the basis of unified scheduling control of the cross-domain resources, uniform service interfaces and a service arranging capability are provided to the outside, the various cross-domain resources are arranged as required to form a cross-domain interconnection functional service chain, and a series of cross-domain services is provided for cross-domain users.
3. The method according to claim 1, wherein the management control resources provide, through a cross-domain management and control service interface, the cross-domain capabilities of cross-domain service type identification, cross-domain authority control, deep protocol inspection, cross-domain situation monitoring and security event early warning, so as to implement unified policy management and control and unified situation presentation for the cross-domain interconnection system;
the security protection resources provide, through a cross-domain security service interface, the security functions of a virtualized firewall, intrusion detection, intrusion prevention, WAF, data leakage prevention, malicious code prevention and network audit; dynamic loading and scheduling of these security components is realized, the required virtual security function instances are deployed dynamically according to cross-domain service requirements, and the security components are adjusted dynamically when security threats occur;
the network addressing resources provide, through a cross-domain addressing service interface, the cross-domain network addressing services of name routing addressing, network directory addressing and DNS/ENUM addressing for the cross-domain service.
4. The method according to claim 1, wherein the isolation switching resources comprise an isolation switching resource pool and an isolation switching service; the isolation switching resource pool comprises inter-network bidirectional isolation switching devices, unidirectional transmission devices, automatic optical-disc ferry machines and electronic-disk ferry systems; the isolation switching resource pool applies uniform abstract management to the various cross-domain isolation switching devices to form a uniform scheduling management interface;
on the basis of unified scheduling management of the isolation switching resource pool, differentiated isolation switching services are provided on top of the pool according to the type of the cross-domain service, and a cross-domain transmission channel adapted to the service characteristics is formed by dynamically arranging the isolation switching resources, so that cross-domain transmission of the service data is realized.
5. The method according to claim 1, wherein a cross-domain transmission path for the service is generated dynamically according to the type of the cross-domain service, the cross-domain resources required along that path (management and control policy, security protection, cross-domain addressing and isolation switching) are arranged as required, and a corresponding functional service chain is generated; after the cross-domain service flow enters the cross-domain interconnection system, traffic steering directs it along the cross-domain transmission path, and each functional service chain provides its services to the cross-domain service flow.
6. The method according to claim 1, wherein, when the cross-domain security service detects a security risk in the cross-domain traffic, it reports the security event information to the cross-domain management and control service; the cross-domain management and control service generates a corresponding processing policy from the security event information, issues the policy to the cross-domain security service, the cross-domain addressing service and the cross-domain isolation switching service, and adjusts the functional service chain of each type of cross-domain resource, thereby realizing a dynamic response to the cross-domain security risk.
7. A cross-domain interconnection system with dynamic arrangement of resources, characterized by comprising four types of cross-domain resources, namely management control resources, security protection resources, network addressing resources and isolation switching resources, wherein each of the four types of cross-domain resources provides its service cross-domain support capability through a service interface and a uniform service capability interface is provided to the outside; through linkage among the four types of cross-domain resources, cross-domain support capability adapted to the service characteristics is provided for cross-domain services, the cross-domain services are controlled from the dimensions of policy control, security check, cross-domain addressing and network isolation, and dynamic cooperation of multi-dimensional cross-domain resources and controlled intercommunication of the cross-domain services are realized;
the management control resources, the security protection resources and the network addressing resources are virtualized to implement cross-domain resource virtualization, the isolation switching resources remain on the physical isolation switching devices, and pooled management of the different types of isolation switching devices is implemented through encapsulation behind a uniform abstract interface;
on the basis of cross-domain resource virtualization and pooled management, a unified capability interface is provided externally, so that unified scheduling control of the various cross-domain resources is realized, and unified capability interfaces for identity authentication, access control, interconnection control, secure transmission, data exchange, authority management, security protection, situation monitoring, security audit and approval management and control are provided;
on the basis of unified scheduling control of the cross-domain resources, uniform service interfaces and a service arranging capability are provided to the outside, the various cross-domain resources are arranged as required to form a cross-domain interconnection functional service chain, and a series of cross-domain services is provided for cross-domain users.
8. The cross-domain interconnection system with dynamic arrangement of resources according to claim 7, wherein the management control resources provide, through a cross-domain management and control service interface, the cross-domain capabilities of cross-domain service type identification, cross-domain authority control, deep protocol inspection, cross-domain situation monitoring and security event early warning, so as to realize unified policy management and control and unified situation presentation for the cross-domain interconnection system;
the security protection resources provide, through a cross-domain security service interface, the security functions of a virtualized firewall, intrusion detection, intrusion prevention, WAF, data leakage prevention, malicious code prevention and network audit; dynamic loading and scheduling of these security components is realized, the required virtual security function instances are deployed dynamically according to cross-domain service requirements, and the security components are adjusted dynamically when security threats occur;
the network addressing resources provide, through a cross-domain addressing service interface, the cross-domain network addressing services of name routing addressing, network directory addressing and DNS/ENUM addressing for the cross-domain service;
the isolation switching resources comprise an isolation switching resource pool and an isolation switching service; the isolation switching resource pool comprises inter-network bidirectional isolation switching devices, unidirectional transmission devices, automatic optical-disc ferry machines and electronic-disk ferry systems; the isolation switching resource pool applies uniform abstract management to the various cross-domain isolation switching devices to form a uniform scheduling management interface;
on the basis of unified scheduling management of the isolation switching resource pool, differentiated isolation switching services are provided on top of the pool according to the type of the cross-domain service, and a cross-domain transmission channel adapted to the service characteristics is formed by dynamically arranging the isolation switching resources, so that cross-domain transmission of the service data is realized.
9. The cross-domain interconnection system with dynamic arrangement of resources according to claim 7, wherein the cross-domain interconnection system dynamically generates a cross-domain transmission path for the service according to the type of the cross-domain service, arranges as required the management and control policy, security protection, cross-domain addressing and isolation switching resources needed along that path, and generates a corresponding functional service chain; after the cross-domain service flow enters the cross-domain interconnection system, traffic steering directs it along the cross-domain transmission path, and each functional service chain provides its services to the cross-domain service flow.
10. The cross-domain interconnection system with dynamic arrangement of resources according to claim 1, wherein, when the cross-domain security service detects a security risk in the cross-domain traffic, it reports the security event information to the cross-domain management and control service; the cross-domain management and control service generates a corresponding processing policy from the security event information, issues the policy to the cross-domain security service, the cross-domain addressing service and the cross-domain isolation switching service, and adjusts the functional service chain of the various cross-domain resources, thereby realizing a dynamic response to the cross-domain security risk.
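The control loop that claims 5, 6, 9 and 10 describe (per-service-type chain generation, then event-driven re-arrangement of that chain across the security, addressing and isolation services) is easier to reason about as code. The following is an added illustration and not the patent's or CETC 54's implementation; the resource names, the chain templates and the event-handling rules are assumptions chosen only to make the flow of policy concrete.

```python
"""Toy model of the claimed orchestration loop: four resource pools, a functional
service chain generated per service type, and a management-control service that
re-arranges the chain when the security service reports an event.
Added illustration; names, templates and rules below are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The four cross-domain resource types of claim 1.
CONTROL, SECURITY, ADDRESSING, ISOLATION = "control", "security", "addressing", "isolation"


@dataclass(frozen=True)
class Resource:
    kind: str       # one of the four resource types
    function: str   # capability exposed through that type's service interface


@dataclass
class ServiceChain:
    service_type: str
    hops: List[Resource] = field(default_factory=list)

    def functions(self) -> List[str]:
        return [r.function for r in self.hops]

    def isolation_mode(self) -> str:
        return next(r.function for r in self.hops if r.kind == ISOLATION)


# Assumed templates: the functions each service type needs, in transmission order
# (policy control -> security check -> addressing -> isolation, the four dimensions of claim 1).
CHAIN_TEMPLATES: Dict[str, List[Tuple[str, str]]] = {
    "file_exchange": [(CONTROL, "policy"), (SECURITY, "firewall"),
                      (SECURITY, "malware_scan"), (ADDRESSING, "directory"),
                      (ISOLATION, "bidirectional_exchange")],
    "web_service": [(CONTROL, "policy"), (SECURITY, "firewall"), (SECURITY, "waf"),
                    (ADDRESSING, "dns_enum"), (ISOLATION, "bidirectional_exchange")],
}


class Orchestrator:
    """Management-control service: arranges chains on demand and re-arranges them on events."""

    def __init__(self, pools: Dict[str, List[Resource]]):
        self.pools = pools                        # resource type -> available instances
        self.chains: Dict[str, ServiceChain] = {}
        self.issued: List[Tuple[str, dict]] = []  # (flow_id, policy) audit trail

    def _pick(self, kind: str, function: str) -> Resource:
        for r in self.pools.get(kind, []):
            if r.function == function:
                return r
        raise LookupError(f"no {kind} resource offering {function}")

    def build_chain(self, flow_id: str, service_type: str) -> ServiceChain:
        """Claim 5: derive the path from the service type and arrange the required
        resources into a functional service chain for this flow."""
        chain = ServiceChain(service_type,
                             [self._pick(k, f) for k, f in CHAIN_TEMPLATES[service_type]])
        self.chains[flow_id] = chain
        return chain

    def handle_security_event(self, flow_id: str, event: dict) -> dict:
        """Claim 6: the security service reports an event; the control service derives a
        processing policy, issues it to the security, addressing and isolation services,
        and adjusts the chain.  The two rules here are assumptions."""
        chain = self.chains[flow_id]
        policy = {"flow": flow_id, "event": event["type"], "actions": []}
        if event["severity"] == "high":
            # security service: add intrusion prevention ahead of the isolation hop
            ips = self._pick(SECURITY, "ips")
            chain.hops.insert(len(chain.hops) - 1, ips)
            policy["actions"].append(("security", "add", ips.function))
            # isolation service: downgrade the channel to one-way transfer
            one_way = self._pick(ISOLATION, "unidirectional_transfer")
            chain.hops[-1] = one_way
            policy["actions"].append(("isolation", "switch", one_way.function))
            # addressing service: stop resolving the peer for this flow
            policy["actions"].append(("addressing", "suspend", flow_id))
        else:
            # low severity: only add network audit, keep the channel as it is
            audit = self._pick(SECURITY, "network_audit")
            if audit not in chain.hops:
                chain.hops.insert(len(chain.hops) - 1, audit)
            policy["actions"].append(("security", "add", audit.function))
        self.issued.append((flow_id, policy))
        return policy


def demo() -> Tuple[List[str], List[str], dict]:
    """Constructed sample pools; returns the chain before and after a high-severity event."""
    pools = {
        CONTROL: [Resource(CONTROL, "policy")],
        SECURITY: [Resource(SECURITY, f) for f in
                   ("firewall", "waf", "malware_scan", "ips", "network_audit")],
        ADDRESSING: [Resource(ADDRESSING, "directory"), Resource(ADDRESSING, "dns_enum")],
        ISOLATION: [Resource(ISOLATION, "bidirectional_exchange"),
                    Resource(ISOLATION, "unidirectional_transfer")],
    }
    orch = Orchestrator(pools)
    before = orch.build_chain("flow-1", "file_exchange").functions()
    policy = orch.handle_security_event(
        "flow-1", {"type": "malicious_file_detected", "severity": "high"})
    return before, orch.chains["flow-1"].functions(), policy


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The point the model makes explicit is that the control service is the only component that rewrites a chain: the security service reports, the control service decides, and the resulting policy is issued to three services at once and recorded, so that a response to one event (here, downgrading the isolation hop to one-way transfer and inserting an IPS hop) is auditable as a single arrangement change rather than as uncoordinated edits by each resource type.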
CN202010934406.2A 2020-09-08 2020-09-08 Cross-domain resource dynamic arranging method and cross-domain interconnection system Pending CN112104540A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010934406.2A CN112104540A (en) 2020-09-08 2020-09-08 Cross-domain resource dynamic arranging method and cross-domain interconnection system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010934406.2A CN112104540A (en) 2020-09-08 2020-09-08 Cross-domain resource dynamic arranging method and cross-domain interconnection system

Publications (1)

Publication Number Publication Date
CN112104540A true CN112104540A (en) 2020-12-18

Family

ID=73751091

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010934406.2A Pending CN112104540A (en) 2020-09-08 2020-09-08 Cross-domain resource dynamic arranging method and cross-domain interconnection system

Country Status (1)

Country Link
CN (1) CN112104540A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104243496A (en) * 2014-10-11 2014-12-24 北京邮电大学 Software defined network cross-domain security agent method and software defined network cross-domain security agent system
CN108600101A (en) * 2018-03-21 2018-09-28 北京交通大学 A kind of network for the optimization of end-to-end time delay performance services cross-domain method of combination
CN108965289A (en) * 2018-07-10 2018-12-07 北京明朝万达科技股份有限公司 A kind of network security collaboration means of defence and system
CN110932902A (en) * 2019-11-29 2020-03-27 中国人民解放军国防科技大学 Cross-domain switching resource dynamic allocation method
CN111049851A (en) * 2019-12-24 2020-04-21 中国电子科技集团公司第五十四研究所 Multi-level and multi-dimensional linkage management and control system for cross-domain transmission service

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112953954A (en) * 2021-03-03 2021-06-11 华能国际电力股份有限公司 Industrial internet security capability arranging method
CN112953954B (en) * 2021-03-03 2022-11-01 华能国际电力股份有限公司 Industrial Internet security capability arrangement method
CN113873040A (en) * 2021-09-29 2021-12-31 国网河南省电力公司信息通信公司 Block chain-based power internet of things cross-domain service function chain arrangement method
CN113873040B (en) * 2021-09-29 2023-04-28 国网河南省电力公司信息通信公司 Block chain-based power Internet of things cross-domain service function chain arrangement method
CN114143076A (en) * 2021-11-29 2022-03-04 全球能源互联网研究院有限公司 Electric power thing networking safety protection system
CN114143076B (en) * 2021-11-29 2024-01-19 全球能源互联网研究院有限公司 Electric power thing networking safety protection system based on virtual switch frame
CN114827045A (en) * 2022-06-23 2022-07-29 天津天睿科技有限公司 Method and device for flow arrangement
CN114827045B (en) * 2022-06-23 2022-09-13 天津天睿科技有限公司 Method and device for flow arrangement

Similar Documents

Publication Publication Date Title
CN112104540A (en) Cross-domain resource dynamic arranging method and cross-domain interconnection system
CN106375384B (en) The management system and control method of image network flow in a kind of virtual network environment
US9225683B2 (en) Integrated security switch
EP3703330A1 (en) Automatic configuration of perimeter firewalls based on security group information of sdn virtual firewalls
US6308276B1 (en) SS7 firewall system
CN102594814B (en) Terminal-based network access control system
RU2402881C2 (en) Method and facility for control of data streams of protected distributed information systems in network of coded communication
CN107819742B (en) System architecture and method for dynamically deploying network security service
CN103269282A (en) Method and device for automatically deploying network configuration
CN103905523A (en) Cloud computing network virtualization method and system based on SDN
CN104618379A (en) IDC service scene-oriented security service arranging method and network structure
US8442041B2 (en) Virtual service domains
CN111049851B (en) Multi-level and multi-dimensional linkage management and control system for cross-domain transmission service
CN101212453A (en) Network access control method and firewall device
CN103152282A (en) Single logical network interface for advanced load balancing and fail-over functionality
CN101005437B (en) Method and system for realizing heap virtual local area network
CN104853002B (en) A kind of dns resolution system and analytic method based on SDN network
CN103036870A (en) Industrial firewall without industrial protocol (IP) distributed type depth check arithmetic based on industrial protocol object linking and embedding for process control (OPC) classic
CN104378657A (en) Video security access system based on agency and isolation and method of video security access system
KR102247938B1 (en) Method and arrangement to control data exchange of an industrial edge device
CN101662480B (en) Log system based on access control
US7047564B2 (en) Reverse firewall packet transmission control system
CN109507975A (en) A kind of acquisition network system of industry big data
US20180359279A1 (en) Automatic handling of device group oversubscription using stateless upstream network devices
CN103873469A (en) Broadcast control system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201218