CN112187735A - WAF-combined protection method in PaaS container cloud platform environment - Google Patents


Info

Publication number: CN112187735A
Authority: CN (China)
Prior art keywords: waf, haproxy, platform, request, judgment
Legal status: Pending
Application number: CN202010947732.7A
Other languages: Chinese (zh)
Inventors: 尹钦, 闫帅帅
Current Assignee: China Citic Bank Corp Ltd
Original Assignee: China Citic Bank Corp Ltd
Priority date: 2020-09-10
Filing date: 2020-09-10
Publication date: 2021-01-05

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention aims to provide a WAF-combined protection method for a PaaS container cloud platform environment. While providing security protection for the services on the cloud platform, the method ensures that WAF protection is removed promptly when the WAF fails, so that the services keep running normally. This solves the problem that a conventional WAF causes the services of the PaaS platform to stop as soon as the WAF fails.

Description

WAF-combined protection method in PaaS container cloud platform environment
Technical Field
The invention relates to a WAF-combined protection method for a PaaS container cloud platform.
Background
PaaS (Platform as a Service) refers to a platform (or business infrastructure) developed in software and provided to users as a service. OpenShift is a PaaS developed by Red Hat: a free and open-source cloud computing platform that lets developers create, test and run applications and deploy them to the cloud.
A web application protection system, better known as a Web Application Firewall (WAF) or "web-application-level intrusion prevention system", is a product that protects web applications specifically by enforcing a set of security policies on HTTP/HTTPS traffic.
WAFs on the market currently take two main forms. One is the traditional hardware WAF, which is generally deployed at the enterprise network entrance and inspects all traffic. The other is the public cloud WAF, i.e. WAF protection offered to customers by a cloud platform vendor as SaaS. Its basic principle is as follows: the customer enters the relevant information (the domain name to be protected, the origin IP, the origin port and so on) on the cloud platform's WAF product interface; the cloud WAF returns a domain name A to the customer; the customer changes the DNS CNAME record of its domain name to point to domain name A returned by the cloud WAF. Traffic for the customer's domain name is thereby directed to the cloud WAF first, and after attack detection the WAF forwards it to the origin IP of the customer's domain name.
However, current WAFs have the following disadvantage:
both the traditional hardware WAF and the public cloud WAF sit in series between the client's requests and the server, so if the WAF fails the requests cannot get through and normal operation of the service is affected.
Disclosure of Invention
The invention aims to provide a WAF-combined protection method in a PaaS container cloud platform environment which, while protecting the services on the cloud platform, decouples the platform services from the WAF, monitors the WAF state, removes WAF protection for all domain names when the WAF has failed, and thereby prevents a WAF fault from affecting the services themselves.
To solve these technical problems, the invention provides the following technical scheme:
Taking the OpenShift platform as an example, the data flow of a service on a typical PaaS container cloud platform is shown in FIG. 1. After a user creates and publishes a service on the platform, the platform creates the specified number of Pods for the service and allocates a load-balanced virtual IP that points to those Pods; at the same time it allocates a domain name for the service, and the mapping between the domain name and the virtual IP is held in a configuration file of the Router (routing module). When a client sends a request for that domain name, the Router forwards the request to the virtual IP, which load-balances it to the Pod where the service actually runs. Traditional WAFs are all placed in series between the client's requests and the server: if the WAF fails, requests are unavailable and the service is severely affected. The present invention therefore adopts a parallel WAF to solve this problem.
Accordingly, the invention provides a WAF-combined protection method for a PaaS container cloud platform, comprising the following steps:
configuring a health check of the WAF in the routing module;
configuring a judgment condition in the routing module, the judgment condition including whether the WAF has a surviving node;
after the judgment, if the judgment condition is satisfied, forwarding the request to the WAF.
Further, if the judgment condition is not satisfied, the routing module forwards the request to the service Pod.
Further, the protection method is suitable for the OpenShift platform.
Further, the protection method implements the functions of the routing module through HAProxy.
Further, the judgment condition is satisfied when all the judgment results are true.
Further, the request is denied if the WAF detects an attack.
Further, if no attack is detected, the request is forwarded to HAProxy.
Further, on the WAF, the upstream IP and port are configured as the IP and port of HAProxy;
the information prepared in HAProxy also includes the IP and port of each WAF node;
and a judgment condition is configured in HAProxy that includes whether the source IP is not the IP of a WAF node.
Further, the WAF may be deployed as a single node or as a cluster; its form may be hardware, software or Docker; and it may be deployed outside or inside the container platform.
The method therefore ensures that the service keeps running normally even when the WAF fails: the routing module checks whether the WAF cluster is operating normally; while it is, the WAF performs protection as usual; and if all nodes of the WAF cluster are abnormal, the routing module stops forwarding requests to the WAF until the nodes of the WAF cluster have recovered.
Drawings
FIG. 1 is a data flow diagram of a PaaS platform
FIG. 2 is a data flow diagram of a PaaS platform with WAF protection according to the present invention
FIG. 3 is a system flow diagram
Detailed Description
To make the objects, technical solutions and advantages of the present application clearer, the following describes embodiments of the present application in further detail, and explains in specific embodiments the technical solutions of the present application and how they solve the above technical problems. It should be understood, however, that the present invention may be embodied in various forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the scope of the invention to those skilled in the art.
The embodiment of the application provides a WAF-combined protection method in a PaaS platform environment, taking operation on an OpenShift platform as an example.
The WAF may be deployed as a single node or as a cluster; as hardware, software or Docker; and outside or inside the container platform. The embodiment of the application uses the following arrangement: a WAF cluster of 3 nodes, all deployed in software form. Increasing the number of WAF cluster nodes ensures that when some nodes fail, the remaining healthy nodes keep the protection running.
When the method runs, the specific flow is as follows: HAProxy in the routing module obtains the requested domain name and the source IP from the request and judges whether a WAF node is operating normally and whether the source IP is not the IP of a WAF node. If both judgments pass, HAProxy forwards the request to the WAF; the WAF rejects the request if it detects an attack, and if no attack is detected the WAF forwards the request back to HAProxy. If either condition fails, HAProxy forwards the request to the service Pod.
In the embodiment of the present application, the WAF health check and judgment are implemented as follows: a health check is configured for the 3 WAF servers in the frontend block of HAProxy; and an ACL that checks that the WAF cluster is operating normally is added in the frontend block of HAProxy and named waf-up, its condition being that the number of surviving WAF nodes is not 0.
To configure the node IPs of the WAF cluster in HAProxy, the embodiment of the application proceeds as follows: a file domain.lst is created and all protected domain names are written to it, one domain name per line; and a file waf.lst is created in HAProxy and the IPs of the 3 WAF cluster nodes are written to it, one IP per line.
For the condition-judgment step, the embodiment of the present application adds an ACL for the source IP in the frontend block of HAProxy and names it from-waf; it judges whether the source IP equals the IP of some node of the WAF cluster, the matched object being the source IP and the matched value being the file waf.lst.
At the same time, the upstream IP and port on the WAF are configured as the IP and port of HAProxy.
A backend declaration named waf is added to the HAProxy configuration file; its server addresses are the IPs and ports of the 3 WAF nodes. In the frontend block of HAProxy, the condition for using the waf backend is configured: the from-waf condition is not satisfied. The effect is that when the WAF is operating normally and the request is not data returned by the WAF, the request is sent to the WAF for attack detection. If the request is data returned by the WAF, HAProxy assigns the virtual IP to the request and forwards it to the service Pod.
In summary, under these conditions the system operation flow is as shown in FIG. 3. It should be noted that the judgment conditions in the embodiments of the present application have no particular order.
This embodiment details the configuration of the health check on the WAF nodes and the subsequent operation flow: if the WAF cluster is abnormal, the ACL check cannot pass and the request is forwarded on to the service for processing, so the service is not interrupted.
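The following HAProxy configuration is an added example that is not part of the patent and not CITIC Bank's, Red Hat's or OpenShift's own configuration; it shows how the scheme above (a health check on three WAF nodes, a waf-up ACL on the number of live nodes, a from-waf ACL matched against a file of WAF node IPs, and a routing rule that only sends a request to the waf backend when waf-up holds and from-waf does not) can be written in HAProxy's own syntax. All IP addresses, ports, the /healthz check path and the file paths are constructed placeholders; the file names domain.lst and waf.lst are taken from the description, and the list of protected domain names is assumed to gate which Host headers are sent to the WAF.

```haproxy
# Added example, not the patent's own configuration. Addresses, ports and
# paths below are constructed placeholders.
global
    log stdout format raw local0
    # stats socket: "show stat" here exposes the waf backend's live server
    # count, which is what decides fail-open
    stats socket /run/haproxy.sock mode 660 level admin

defaults
    mode http
    log global
    option httplog           # logs the chosen backend per request
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend http-in
    bind *:80
    option forwardfor        # WAF sees the real client IP in X-Forwarded-For

    # protected domain names, one per line (domain.lst from the description)
    acl protected hdr(host) -i -f /etc/haproxy/domain.lst

    # from-waf: TCP source address is one of the WAF nodes, i.e. this is a
    # request the WAF has already inspected and sent back to its upstream
    # (waf.lst: one WAF node IP per line)
    acl from-waf src -f /etc/haproxy/waf.lst

    # waf-up: at least one WAF node currently passes its health check
    acl waf-up nbsrv(waf) gt 0

    # forward to the WAF only if it is alive AND the request has not already
    # been through it; everything else (WAF down, WAF return path,
    # unprotected domain) goes straight to the service
    use_backend waf if waf-up !from-waf protected
    default_backend app

backend waf
    # /healthz is an assumed health endpoint on the WAF; a plain TCP check
    # ("check" alone, no httpchk) works where the WAF has none
    option httpchk GET /healthz
    server waf1 10.0.0.11:8080 check inter 2s fall 3 rise 2
    server waf2 10.0.0.12:8080 check inter 2s fall 3 rise 2
    server waf3 10.0.0.13:8080 check inter 2s fall 3 rise 2

backend app
    # the service's load-balanced virtual IP (constructed value)
    server svc 10.1.0.10:8080
```

Two properties of this layout matter operationally. First, the design fails open by construction: the moment nbsrv(waf) drops to 0, protected traffic reaches the Pod without inspection, so the transition should be visible, for example by watching the waf backend's status in `show stat` on the stats socket or by alerting on access-log lines whose backend is app for a protected Host. Second, from-waf trusts the TCP source address, so the WAF nodes must connect back to HAProxy directly from the listed IPs (no intermediate NAT), and the WAF's upstream must be HAProxy itself, as the description requires; a request that came back from the WAF is otherwise routed to the WAF again.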

Claims (10)

1. A WAF protection method applied to a PaaS container cloud platform, characterized by comprising the following steps:
configuring a health check of the WAF node in a routing module;
configuring a judgment condition in the routing module, the judgment condition including whether the WAF node is operating normally;
after the judgment, if the judgment condition is satisfied, forwarding the request to the WAF.
2. The protection method according to claim 1, wherein if the judgment condition is not satisfied, the routing module forwards the request to the service Pod.
3. The protection method according to claim 2, wherein the PaaS platform is an OpenShift platform.
4. The protection method according to claim 3, wherein the function of the routing module is implemented by HAProxy.
5. The protection method according to claim 4, wherein the judgment condition is satisfied when the results of all the judgment conditions are true.
6. The protection method according to claim 5, wherein if the WAF detects an attack, the request is denied.
7. The protection method according to claim 6, wherein if the WAF does not detect an attack, the request is forwarded to HAProxy.
8. The protection method according to claim 7, wherein:
the upstream IP and port of the WAF are configured as the IP and port of HAProxy;
HAProxy prepares information including the IP and port of each WAF node;
the judgment condition configured in HAProxy further includes "whether the source IP is not the IP of a WAF node".
9. The method according to any one of claims 1 to 8, wherein the WAF is deployed in single-node or cluster form, as hardware, software or Docker.
10. The method according to any one of claims 1 to 8, wherein the WAF is deployed outside or inside the platform.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010947732.7A CN112187735A (en) 2020-09-10 2020-09-10 WAF-combined protection method in PaaS container cloud platform environment


Publications (1)

Publication Number Publication Date
CN112187735A true CN112187735A (en) 2021-01-05

Family

ID=73921779

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010947732.7A Pending CN112187735A (en) 2020-09-10 2020-09-10 WAF-combined protection method in PaaS container cloud platform environment

Country Status (1)

Country Link
CN (1) CN112187735A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114172906A (en) * 2021-12-10 2022-03-11 中国人寿保险股份有限公司上海数据中心 Elastic expansion method, system, equipment and medium for WAF cluster computing resources

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104363113A (en) * 2014-10-29 2015-02-18 中国建设银行股份有限公司 Business continuity detection method
CN107204963A (en) * 2016-03-18 2017-09-26 上海有云信息技术有限公司 High reliability WEB security protection implementation methods under cloud computing mode
CN107360162A (en) * 2017-07-12 2017-11-17 北京奇艺世纪科技有限公司 A kind of network application means of defence and device
CN107426206A (en) * 2017-07-17 2017-12-01 北京上元信安技术有限公司 A kind of protector and method to web server
CN110581855A (en) * 2019-09-12 2019-12-17 中国工商银行股份有限公司 Application control method and device, electronic equipment and computer readable storage medium
CN111343030A (en) * 2020-03-31 2020-06-26 新华三信息安全技术有限公司 Message processing method, device, network equipment and storage medium
CN111541591A (en) * 2020-07-09 2020-08-14 武汉绿色网络信息服务有限责任公司 SSH-based server detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination