CN112187735A - WAF-combined protection method in PaaS container cloud platform environment - Google Patents
- Publication number
- CN112187735A (application number CN202010947732.7A)
- Authority
- CN
- China
- Prior art keywords
- waf
- haproxy
- platform
- request
- judgment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a protection method that combines a WAF with a PaaS container cloud platform environment. While it provides security protection for the services running on the cloud platform, it ensures that WAF protection is removed promptly when the WAF fails, so that the services keep running normally. This solves the problem that a conventional WAF, once it fails, directly causes the services of the PaaS platform to stop.
Description
Technical Field
The invention relates to a protection method that combines a WAF with a PaaS container cloud platform.
Background
PaaS (Platform as a Service) refers to a platform (or business infrastructure) developed as software and provided to users as a service. OpenShift is a PaaS developed by Red Hat: a free and open-source cloud computing platform that lets developers create, test and run applications and deploy them to the cloud.
A web application protection system (Web Application Firewall, WAF), also called a "web application level intrusion prevention system", is a product that specifically protects web applications by enforcing a series of security policies on HTTP/HTTPS traffic.
At present, WAFs on the market mainly take two forms. One is the traditional hardware WAF, which is generally deployed at the enterprise network entrance and inspects all traffic. The other is the public cloud WAF, i.e. WAF protection that a cloud platform vendor provides to a customer in SaaS form. Its basic principle is as follows: the customer enters the domain name to be protected, the origin IP, the origin port and other relevant information in the cloud platform's WAF product interface; the cloud platform's WAF then returns a domain name A to the customer; the customer changes the DNS CNAME record of their domain name to point to domain name A. Traffic for the customer's domain name is thereby directed to the cloud WAF first, which performs attack detection and then forwards the traffic to the origin IP of the customer's domain name.
However, current WAFs have the following disadvantage:
both the traditional hardware WAF and the public cloud WAF sit in series (inline) between the client's requests and the server, so if the WAF fails the requests cannot get through and the normal operation of the service is affected.
Disclosure of Invention
The invention provides a WAF-combined protection method for a PaaS container cloud platform environment which, while protecting the services on the cloud platform, decouples the platform services from the WAF, monitors the WAF state, removes WAF protection for all domain names when the WAF fails, and thus prevents a WAF failure from affecting the services themselves.
In order to solve the technical problems, the invention provides the following technical scheme:
Taking the OpenShift platform as an example, the data flow of a service on a general PaaS container cloud platform is shown in Fig. 1. After a user creates and publishes a service on the platform, the platform creates the specified number of pods for the service, allocates a load-balanced virtual IP that points to those pods, and at the same time allocates a domain name for the service. The mapping between the domain name and the virtual IP is held in a configuration file of the Router (routing module). When a client sends a request for the domain name, the Router forwards it to the virtual IP, which load-balances it to the pod where the service actually runs. Traditional WAFs all sit in series between the client's request and the server, so if the WAF fails the request cannot get through and the service is severely affected. The present invention therefore adopts a WAF deployed in parallel to solve this problem.
Therefore, the invention provides a protection method that combines a WAF with a PaaS container cloud platform, comprising the following steps:
configuring a health check of the WAF in the routing module;
configuring a judgment condition in the routing module, the judgment condition including whether the WAF has at least one surviving node;
after the judgment, if the judgment condition is satisfied, forwarding the request to the WAF.
Further, if the judgment condition is not satisfied, the routing module forwards the request to the service Pod.
Further, the protection method is suitable for the OpenShift platform.
Further, the functions of the routing module are implemented with HAProxy.
Further, the judgment condition is satisfied when all of the individual judgment results are true.
Further, if the WAF detects an attack, the request is denied.
Further, if no attack is detected, the WAF forwards the request to HAProxy.
Further, the upstream IP and port configured on the WAF are the IP and port of HAProxy;
the information prepared in HAProxy also includes the IP and port of each WAF node;
and a judgment condition configured in HAProxy includes whether the source IP is not the IP of a WAF node.
Further, the WAF may be deployed as a single node or as a cluster; in the form of hardware, software or a Docker container; and either outside or inside the container platform.
In this way, the service keeps running normally even when the WAF fails: the routing module checks whether the WAF cluster is operating normally, and while it is, the WAF performs protection as usual; if all nodes of the WAF cluster are abnormal, the routing module stops forwarding requests to the WAF until the WAF cluster nodes return to normal.
Drawings
FIG. 1 PaaS platform dataflow graph
FIG. 2 is a data flow diagram of a PaaS platform with WAF protection according to the present invention
FIG. 3 is a system flow diagram
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the following will describe embodiments of the present application in further detail, and describe the technical solutions of the present application and how to solve the above technical problems in specific embodiments. It should be understood, however, that the present invention may be embodied in various forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
The embodiment of the application provides a protection method that combines a WAF with a PaaS platform environment, taking operation on an OpenShift platform as an example.
The WAF can be deployed as a single node or as a cluster, in the form of hardware, software or a Docker container, and either outside or inside the container platform. The embodiment uses the following arrangement: a WAF cluster of 3 nodes, all deployed in software form. Increasing the number of WAF cluster nodes ensures that when some nodes fail, the remaining healthy nodes still keep protection running.
When the method runs, the specific flow is as follows: HAProxy in the routing module obtains the requested domain name and the source IP from the request, and judges whether a WAF node is operating normally and whether the source IP is not the IP of a WAF node. If both judgments pass, HAProxy forwards the request to the WAF; the WAF rejects the request if it detects an attack and, if no attack is detected, forwards the request back to HAProxy. If either condition fails, HAProxy forwards the request to the service Pod.
In the embodiment, the WAF health check and judgment are implemented as follows: health checks for the 3 WAF servers are configured in a frontend block of HAProxy; an ACL expressing "the WAF cluster is operating normally" is added to the frontend block and named waf-up, and its condition is that the number of surviving WAF nodes is not 0.
To configure the node IPs of the WAF cluster in HAProxy, the embodiment does the following: a file domain.lst is created and all protected domain names are written into it, one domain name per line; a second list file, waf.lst, is created in HAProxy and the IPs of the 3 WAF cluster nodes are written into it, one IP per line.
For the condition-judgment step, the embodiment does the following: an ACL for the source IP is added to the frontend block of HAProxy and named from-waf; it judges whether the source IP equals the IP of some node of the WAF cluster, the matched object being the source IP and the matched value being the waf.lst file.
At the same time, on the WAF, the upstream IP and port are configured as the IP and port of HAProxy.
A backend declaration named WAF is added to the HAProxy configuration file; its server addresses are the IPs and ports of the 3 WAF nodes. In the frontend block of HAProxy, the condition for using the WAF backend is configured as: the from-waf condition is not satisfied. The effect is that, when the WAF is operating normally and the request is not one returned by the WAF, the request is sent to the WAF for attack detection; if the request is one returned by the WAF, HAProxy maps the request to the service's virtual IP and forwards it to the service Pod.
In summary, under these conditions the system operation flow is shown in Fig. 3. Note that the judgment conditions in the embodiment have no required order.
This embodiment describes in detail the configuration of the health check on the WAF nodes and the subsequent operation flow: if the WAF cluster is abnormal, the ACL check fails and the request is forwarded on to the service for processing, so the service is not interrupted.
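The steps listed in the Disclosure (health check, judgment condition, forward or bypass) and the embodiment's HAProxy setup above (waf-up, from-waf, domain.lst, waf.lst, a backend of 3 WAF nodes whose upstream points back at HAProxy) map onto a single HAProxy frontend. The configuration below is an added example written for this page; it is not the patent's own configuration. The backend names, ports, addresses, health-check path and list-file locations are assumptions, and the `protected` ACL (restricting WAF routing to the hosts in domain.lst) is an addition beyond the two conditions the text names.

```haproxy
# Added example, not the patent's configuration. Addresses, ports, the
# /healthz path and the list-file paths are assumptions.

global
    log stdout format raw local0

defaults
    mode    http
    log     global
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Protected domain names, one per line (domain.lst in the text).
# /etc/haproxy/domain.lst:
#     shop.example.internal
#     api.example.internal
#
# IPs of the three WAF nodes, one per line (waf.lst in the text).
# /etc/haproxy/waf.lst:
#     10.10.0.11
#     10.10.0.12
#     10.10.0.13

frontend fe_router
    bind *:80

    # waf-up: true while at least one WAF node passes its health check
    # (the text's "number of surviving WAF nodes is not 0").
    acl waf-up   nbsrv(be_waf) gt 0

    # from-waf: true when the TCP source address is one of the WAF nodes,
    # i.e. this is a request the WAF has already inspected and handed back.
    acl from-waf src -f /etc/haproxy/waf.lst

    # protected: only hosts listed in domain.lst are routed through the WAF.
    acl protected req.hdr(host),field(1,:) -i -f /etc/haproxy/domain.lst

    # Both judgment conditions true (and the host is protected): inspect first.
    use_backend be_waf if waf-up !from-waf protected

    # Any condition false (WAF cluster down, or request returning from the
    # WAF after inspection): go straight to the service pods.
    default_backend be_service

# The WAF cluster. Each node's upstream is configured to point back at this
# HAProxy (the "ip and port of upstream" step), so inspected traffic
# re-enters fe_router with src equal to a WAF node IP.
backend be_waf
    balance roundrobin
    option httpchk GET /healthz
    default-server inter 2s fall 3 rise 2
    server waf1 10.10.0.11:8080 check
    server waf2 10.10.0.12:8080 check
    server waf3 10.10.0.13:8080 check

# The service's load-balanced virtual IP (allocated by the platform).
backend be_service
    server svc-vip 172.30.10.20:8080
```

Check the file with `haproxy -c -f haproxy.cfg` before loading it. Three points a deployer should weigh: the method fails open by design, so the moment `nbsrv(be_waf)` drops to 0 every request is served uninspected, and that transition should raise an alert rather than pass silently; the from-waf ACL keys on the TCP source address of the WAF's return connection, so if the WAF nodes egress through NAT the NAT address must be in waf.lst, otherwise inspected requests match waf-up again and are sent back into the WAF in a loop; and the health check should hit an endpoint that exercises the inspection engine, since a TCP-level check keeps a hung engine counted as alive and keeps routing traffic into it.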
Claims (10)
1. A WAF protection method applied to a PaaS container cloud platform is characterized by comprising the following steps:
configuring health check of the WAF node in a routing module;
configuring a judgment condition in a routing module, wherein the judgment condition comprises that whether the WAF node normally operates or not;
after the judgment, if the judgment condition result is satisfied, the request is forwarded to the WAF.
2. The protection method according to claim 1, wherein if the result of the determination condition is not satisfied, the routing module forwards the request to the service Pod.
3. The protection method according to claim 2, wherein the PaaS platform is an OpenShift platform.
4. The protection method according to claim 3, wherein the function of the routing module is implemented by HAProxy.
5. The protection method according to claim 4, wherein the judgment condition is satisfied when the results of all the judgment conditions are true.
6. The protection method according to claim 5, wherein if the WAF detects an attack, the request is denied.
7. The protection method according to claim 6, wherein if the WAF does not detect an attack, the request is forwarded to HAProxy.
8. The protection method according to claim 7, wherein:
the upstream IP and port of the WAF are configured as the IP and port of HAProxy;
the information prepared in HAProxy includes the IP and port of each WAF node;
the judgment condition configured in HAProxy further includes "whether the source IP is not the IP of a WAF node".
9. The protection method according to any one of claims 1 to 8, wherein the WAF is deployed as a single node or as a cluster, in the form of hardware, software or a Docker container.
10. The protection method according to any one of claims 1 to 8, wherein the WAF is deployed outside or inside the platform.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010947732.7A CN112187735A (en) | 2020-09-10 | 2020-09-10 | WAF-combined protection method in PaaS container cloud platform environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010947732.7A CN112187735A (en) | 2020-09-10 | 2020-09-10 | WAF-combined protection method in PaaS container cloud platform environment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112187735A true CN112187735A (en) | 2021-01-05 |
Family
ID=73921779
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010947732.7A Pending CN112187735A (en) | 2020-09-10 | 2020-09-10 | WAF-combined protection method in PaaS container cloud platform environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112187735A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114172906A (en) * | 2021-12-10 | 2022-03-11 | 中国人寿保险股份有限公司上海数据中心 | Elastic expansion method, system, equipment and medium for WAF cluster computing resources |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104363113A (en) * | 2014-10-29 | 2015-02-18 | 中国建设银行股份有限公司 | Business continuity detection method |
CN107204963A (en) * | 2016-03-18 | 2017-09-26 | 上海有云信息技术有限公司 | High reliability WEB security protection implementation methods under cloud computing mode |
CN107360162A (en) * | 2017-07-12 | 2017-11-17 | 北京奇艺世纪科技有限公司 | A kind of network application means of defence and device |
CN107426206A (en) * | 2017-07-17 | 2017-12-01 | 北京上元信安技术有限公司 | A kind of protector and method to web server |
CN110581855A (en) * | 2019-09-12 | 2019-12-17 | 中国工商银行股份有限公司 | Application control method and device, electronic equipment and computer readable storage medium |
CN111343030A (en) * | 2020-03-31 | 2020-06-26 | 新华三信息安全技术有限公司 | Message processing method, device, network equipment and storage medium |
CN111541591A (en) * | 2020-07-09 | 2020-08-14 | 武汉绿色网络信息服务有限责任公司 | SSH-based server detection method and device |
Events
- 2020-09-10: CN application CN202010947732.7A, publication CN112187735A, status Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11632392B1 (en) | Distributed malware detection system and submission workflow thereof | |
US9769250B2 (en) | Fight-through nodes with disposable virtual machines and rollback of persistent state | |
EP2283611B1 (en) | Distributed security provisioning | |
US7007299B2 (en) | Method and system for internet hosting and security | |
US10887347B2 (en) | Network-based perimeter defense system and method | |
US9282111B1 (en) | Application-based network traffic redirection for cloud security service | |
US10785255B1 (en) | Cluster configuration within a scalable malware detection system | |
CN107623663B (en) | Method and device for processing network flow | |
Ficco et al. | Intrusion detection in cloud computing | |
US9697069B2 (en) | Providing a remote diagnosis for an information appliance via a secure connection | |
US20220210168A1 (en) | Facilitating identification of compromised devices by network access control (nac) or unified threat management (utm) security services by leveraging context from an endpoint detection and response (edr) agent | |
CN117378174A (en) | Protecting containerized applications | |
CN113645213A (en) | Multi-terminal network management monitoring system based on VPN technology | |
US20190005100A1 (en) | Centralized state database storing state information | |
CN112187735A (en) | WAF-combined protection method in PaaS container cloud platform environment | |
US8370897B1 (en) | Configurable redundant security device failover | |
CN112187737A (en) | WAF-combined protection method in PaaS container cloud platform environment | |
Bertoni et al. | Detecting and locating faults in VLSI implementations of the Advanced Encryption Standard | |
US11153350B2 (en) | Determining on-net/off-net status of a client device | |
CN111786940A (en) | Data processing method and device | |
Silva et al. | Rave: Replicated antivirus engine | |
CN110198298A (en) | A kind of information processing method, device and storage medium | |
CN113328976B (en) | Security threat event identification method, device and equipment | |
EP1866725B1 (en) | Network attack detection | |
US10992644B2 (en) | Network security system and method thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||