CN112491822A - Method and device for automatically issuing security policy - Google Patents


Info

Publication number: CN112491822A
Authority: CN (China)
Prior art keywords: security, group, address group, rule, address
Legal status: Pending
Application number: CN202011266711.5A
Other languages: Chinese (zh)
Inventor: 何文娟
Current assignee: Zhongying Youchuang Information Technology Co Ltd
Original assignee: Zhongying Youchuang Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0263 Rule management


Abstract

The invention discloses a method and a device for automatically issuing a security policy. The method comprises the following steps: the management and control platform collects security group information from the data center and forms an address group from the addresses of the virtual machines under each security group; the management and control platform notifies the security rules and the address group information to a security management system; the security management system forms a security policy from the address group information and the security rules; the security management system compares the security policy converted from the security group with the existing security policy on the boundary firewall; and the security policy or the address group on the boundary firewall is updated according to the comparison result. By making the boundary firewall security policy and the security groups inside the data center cooperate, the method and the device improve the security of the system and the efficiency of operation and maintenance.

Description

Method and device for automatically issuing security policy
Technical Field
The invention relates to the field of security policy operation and maintenance and management, in particular to a method and a device for automatically issuing security policies.
Background
The security policies for north-south traffic and east-west traffic of a data center are operated and managed independently. North-south traffic is traffic between the outside and the data center, that is, external traffic accessing an internal server of the data center, or an internal server accessing an external network; its security policy is enforced by the boundary firewall. East-west traffic, that is, traffic between servers within the data center, is typically governed by security groups.
Currently, the boundary firewall and the internal security groups are managed by different control and management systems. When the data center migrates or expands capacity, or when the address of a virtual machine changes, the boundary firewall cannot perceive these changes, so many of the security policies configured on the boundary firewall become invalid or conflicting.
Disclosure of Invention
To solve the existing problems, the invention provides a method and a device for automatically issuing a security policy, which improve the security of the system and the efficiency of operation and maintenance through the cooperation of the boundary firewall security policy and the security groups inside the data center.
To achieve this purpose, the invention adopts the following technical scheme:
In an embodiment of the present invention, a method for automatically issuing a security policy is provided, where the method includes:
the management and control platform collects security group information from the data center and forms an address group from the addresses of the virtual machines under the security group;
the management and control platform notifies the security rules and the address group information to a security management system;
the security management system forms a security policy from the address group information and the security rules;
the security management system compares the security policy converted from the security group with the existing security policy on the boundary firewall;
and the security policy or the address group on the boundary firewall is updated according to the comparison result.
Further, the security group enforces security rules on the virtual machines that join it; a security rule consists of a priority, an authorization object, a protocol, a port range, an action and a rule direction, and each security rule is uniquely numbered within its security group.
Further, if two security rules have the same priority, the rule with the deny action takes effect first and the rule with the allow action does not take effect; if their priorities differ, the rule with the higher priority takes effect.
Further, the management and control platform acquires the IP address of each host added to the security group, and the IP addresses of the hosts in the security group form an address group; within the scope managed by the platform, the address group name is unique.
Further, the management and control platform notifying the security rules and the address group information to the security management system includes:
the management and control platform notifies the security rules, together with the address group information associated with them, to the security management system;
the first synchronization is a full notification, and subsequent notifications carry only change information: when the virtual machines under a security group change, only the change to the address group is notified;
when a security rule changes, only the address group name and the changed security rule are notified.
Further, the security management system constructing a security policy from the address group information and the security rules includes:
the security management system first determines, from the address group under a security rule, the security domain to which the hosts of the corresponding security group belong; it determines the security domain of the authorization object from the IP address or address group corresponding to the authorization object; if an address group cannot be matched to a proper security domain, the security rules related to that address group are discarded;
the security management system then forms a security policy from the security domains, the action, protocol and port range of the security rule, the address group and the authorization object, and sets the priority of the security policy according to the priority of the security rule, with the higher priority placed first.
Further, the security management system comparing the security policy converted from the security group with the existing security policy on the boundary firewall includes:
the security management system compares the security policies corresponding to the security groups that share the same source security domain and destination security domain with the existing security policies on the boundary firewall; the comparison result comprises: adding a security rule, adding a security group, updating an address group, adding an address group, deleting a security group, updating a security rule and deleting a security rule;
if the security management system receives a change notification for an address group or a security rule, it checks the address group on the boundary firewall and the security policies related to that address group according to the address group, and updates only the address group or only the security policies related to the security rule.
Further, updating the security policy or the address group on the boundary firewall according to the comparison result includes:
updating the security policy or the address group on the boundary firewall according to the comparison result: if a security group is newly added, a security policy is added on the boundary firewall; if an address group is updated, the address group on the boundary firewall is updated; and if a security rule is deleted, the corresponding security policy on the boundary firewall is deleted.
In an embodiment of the present invention, a device for automatically issuing a security policy is further provided, where the device includes:
the management and control platform is used for collecting security group information from the data center and forming an address group from the addresses of the virtual machines under the security group, and for notifying the security rules and the address group information to a security management system;
the security management system is used for forming a security policy from the address group information and the security rules, comparing the security policy converted from the security group with the existing security policy on the boundary firewall, and updating the security policy or the address group on the boundary firewall according to the comparison result;
the boundary firewall is used for managing and controlling north-south traffic according to the security policy;
and the security group is used for enforcing security management and control on the hosts that join it according to the security rules.
Further, the security group enforces security rules on the virtual machines that join it; a security rule consists of a priority, an authorization object, a protocol, a port range, an action and a rule direction, and each security rule is uniquely numbered within its security group.
Further, if two security rules have the same priority, the rule with the deny action takes effect first and the rule with the allow action does not take effect; if their priorities differ, the rule with the higher priority takes effect.
Further, the management and control platform acquires the IP address of each host added to the security group, and the IP addresses of the hosts in the security group form an address group; within the scope managed by the platform, the address group name is unique.
Further, the management and control platform notifying the security rules and the address group information to the security management system includes:
the management and control platform notifies the security rules, together with the address group information associated with them, to the security management system;
the first synchronization is a full notification, and subsequent notifications carry only change information: when the virtual machines under a security group change, only the change to the address group is notified;
when a security rule changes, only the address group name and the changed security rule are notified.
Further, the security management system forming a security policy from the address group information and the security rules includes:
the security management system first determines, from the address group under a security rule, the security domain to which the hosts of the corresponding security group belong; it determines the security domain of the authorization object from the IP address or address group corresponding to the authorization object; if an address group cannot be matched to a proper security domain, the security rules related to that address group are discarded;
the security management system then forms a security policy from the security domains, the action, protocol and port range of the security rule, the address group and the authorization object, and sets the priority of the security policy according to the priority of the security rule, with the higher priority placed first.
Further, the security management system comparing the security policy converted from the security group with the existing security policy on the boundary firewall includes:
the security management system compares the security policies corresponding to the security groups that share the same source security domain and destination security domain with the existing security policies on the boundary firewall; the comparison result comprises: adding a security rule, adding a security group, updating an address group, adding an address group, deleting a security group, updating a security rule and deleting a security rule;
if the security management system receives a change notification for an address group or a security rule, it checks the address group on the boundary firewall and the security policies related to that address group according to the address group, and updates only the address group or only the security policies related to the security rule.
Further, the security management system updating the security policy or the address group on the boundary firewall according to the comparison result includes:
updating the security policy or the address group on the boundary firewall according to the comparison result: if a security group is newly added, a security policy is added on the boundary firewall; if an address group is updated, the address group on the boundary firewall is updated; and if a security rule is deleted, the corresponding security policy on the boundary firewall is deleted.
In an embodiment of the present invention, a computer device is further provided, which includes a memory, a processor, and a computer program stored in the memory and capable of running on the processor, and when the processor executes the computer program, the method for automatically issuing the security policy is implemented.
In an embodiment of the present invention, a computer-readable storage medium is further provided, where a computer program for executing the method for automatically issuing the security policy is stored in the computer-readable storage medium.
Advantageous effects:
the invention improves the security of the system and the efficiency of operation and maintenance through the cooperation of the security policy of the boundary firewall and the security groups inside the data center.
Drawings
FIG. 1 is a logical view of a data center according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a method for automatically issuing a security policy according to an embodiment of the present invention;
FIG. 3 is a diagram of an example of the logic of a data center according to one embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an apparatus for automatically issuing a security policy according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The principles and spirit of the present invention will be described below with reference to several exemplary embodiments, which should be understood to be presented only to enable those skilled in the art to better understand and implement the present invention, and not to limit the scope of the present invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As will be appreciated by one skilled in the art, embodiments of the present invention may be embodied as a system, apparatus, device, method, or computer program product. Accordingly, the present disclosure may be embodied in the form of: entirely hardware, entirely software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
According to the embodiment of the invention, a method and a device for automatically issuing a security policy are provided: the security group information of the data center is mapped into a security policy, that security policy is compared with the security policy of the boundary firewall, and the security policy of the boundary firewall is automatically updated according to the comparison result, so that the internal and external security policies of the data center are coordinated and issued automatically.
The principles and spirit of the present invention are explained in detail below with reference to several representative embodiments of the invention.
FIG. 1 is a logical view of a data center according to an embodiment of the present invention. As shown in FIG. 1, the security policies are enforced by a boundary firewall and by a distributed virtual firewall respectively: FW (firewall) is the boundary firewall and controls north-south traffic; DVFW (distributed virtual firewall) serves as the enforcement point of the data center's security groups, mainly controls east-west traffic, and controls the ingress and egress traffic of the virtual machines that join a security group; one security group is composed of a plurality of security rules. The boundary firewall is generally managed by a security management system, and the DVFW is generally managed by an internal management platform or an SDN (software defined network) controller. The data center's internal management and control platform manages the configuration of the security groups; when a virtual machine changes or is migrated, the security group configuration does not need to change and automatically adapts to the change of the virtual machine. Like the security policy, the security group has stateful inspection and packet filtering capabilities. In the figure, vs (virtual switch), vr (virtual router) and vm (virtual machine) constitute the network elements inside the server. The security group may be enforced by other enforcement points; the present embodiment takes DVFW as an example.
Hereinafter, the management and control platform refers to the internal management and control platform of the data center, which manages the internal security groups; the security management system refers to the external security management platform, which manages the boundary firewall.
FIG. 2 is a flowchart illustrating a method for automatically issuing a security policy according to an embodiment of the present invention. As shown in FIG. 2, the method includes:
S1, the management and control platform collects security group information from the data center and forms an address group from the addresses of the virtual machines under the security group;
the security group enforces security rules on the virtual machines added to it; a security rule comprises a priority, an authorization object, a protocol, a port range, an action and a rule direction;
priority: a number from 0 to 255, where a smaller number means a higher priority; with the same priority, the rule with the deny action takes effect first and the rule with the allow action does not take effect; with different priorities, the rule with the higher priority takes effect; the invention does not limit how the priority is defined;
authorization object: generally an IP address range or a security group ID;
rule direction: generally the direction of access, that is, whether the access comes from the internal network or from the public network;
action: allow or deny; the rule identifies whether certain traffic is allowed or denied to go in or out;
protocol: TCP, UDP, ICMP, etc.;
port range: the default range is 0-65535;
the management and control platform acquires the IP address of each host added to the security group, and the IP addresses of the hosts in the security group form an address group; within the managed scope, the address group name is unique;
the number of a security rule is unique within its security group;
S2, the management and control platform notifies the security rules and the address group information to the security management system;
the management and control platform notifies the security rules, together with the address group information associated with them, to the security management system;
the first synchronization is a full notification, and subsequent notifications carry only change information: when the virtual machines under a security group change, only the change to the address group is notified;
when a security rule changes, only the address group name and the changed security rule are notified;
S3, the security management system forms a security policy from the address group information and the security rules;
first, the security management system determines a security domain from the address group under the security rule; in this embodiment, the routing table is matched using the addresses of the address group, and the security domain to which the hosts of the corresponding security group belong is determined from the egress interface of the matched route; the routing table is likewise matched using the IP address or address group of the authorization object to determine the security domain of the authorization object; for an address group that cannot be matched to a proper security domain, the traffic related to that address group cannot enter the firewall, so the security rules related to that address group are discarded;
the security management system then forms a security policy from the security domains, the action, protocol and port range of the security rule, the address group and the authorization object, and sets the priority of the security policy according to the priority of the security rule, with the higher priority placed first;
S4, the security management system compares the security policy converted from the security group with the existing security policy on the boundary firewall;
the security management system compares the security policies corresponding to the security groups that share the same source security domain and destination security domain with the existing security policies on the boundary firewall; the comparison result comprises: adding a security rule, adding a security group, updating an address group, adding an address group, deleting a security group, updating a security rule, deleting a security rule, and the like;
if the security management system receives a change notification for an address group or a security rule, it checks the address group on the boundary firewall and the security policies related to that address group according to the address group, and updates only the address group or only the security policies related to the security rule.
S5, the security policy or the address group on the boundary firewall is updated according to the comparison result;
the security policy or the address group on the boundary firewall is updated according to the comparison result: if a security group is newly added, a security policy is added on the boundary firewall; if an address group is updated, the address group on the firewall is updated; if a security rule is deleted, the corresponding security policy on the firewall is deleted; and the like.
It should be noted that although the operations of the method of the present invention have been described in the above embodiments and the accompanying drawings in a particular order, this does not require or imply that these operations must be performed in this particular order, or that all of the operations shown must be performed, to achieve the desired results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
For a clearer explanation of the above method for automatically issuing the security policy, a specific embodiment is described below, but it should be noted that the embodiment is only for better explaining the present invention and is not to be construed as an undue limitation to the present invention.
FIG. 3 is a diagram of an example of the logic of a data center according to one embodiment of the present invention. As shown in FIG. 3, there are multiple security groups in the data center. Security group A has the hosts VM1, VM2 and VM3 and one security rule, which allows the extranet address 101.10.10.10 to access port 80 of the group.
The method comprises the following implementation steps:
S1, the management and control platform collects security group information from the data center and forms an address group from the addresses of the virtual machines under the security group;
the security group enforces security rules on the virtual machines that join it; a security rule consists of a priority, an authorization object, a protocol, a port range, an action and a rule direction.
In this embodiment, the IP addresses of the hosts VM1, VM2 and VM3 in security group A are 192.168.10.2, 192.168.10.3 and 192.168.10.4 respectively; the security rule has ID 1, priority 0 and action allow; the protocol is TCP and the port is 80; the authorization object is 101.10.10.10, and the rule direction is inbound;
an address group is formed from the virtual machine addresses under the security group, and its name is security-group-A;
S2, the management and control platform notifies the security rules and the address group information to the security management system;
the management and control platform notifies the security rules, together with the address group information associated with them, to the security management system;
the address group security-group-A comprises the three addresses 192.168.10.2, 192.168.10.3 and 192.168.10.4;
the first synchronization is a full notification, and subsequent notifications carry only change information: when the virtual machines under a security group change, only the change to the address group is notified;
when a security rule changes, only the address group name and the changed security rule are notified;
the interface between the management and control platform and the security management system is a RESTful API;
S3, the security management system forms a security policy from the address group information and the security rules;
the security management system first matches the routing table using the address group under the security rule and determines, from the egress interface of the route, the security domain to which the hosts of the corresponding security group belong; it determines the security domain of the authorization object from the IP address or address group of the authorization object; in this embodiment, the security domain of security-group-A is trust, and the security domain of the authorization object, the extranet address 101.10.10.10, is untrust; since the rule direction is inbound, the source security domain is further determined to be untrust and the destination security domain to be trust;
for an address group that cannot be matched to a proper security domain, the traffic related to that address group cannot enter the firewall, so the security rules related to that address group are discarded;
the security management system then forms a security policy from the security domains, the action (allow), protocol (TCP) and port (80) of the security rule, the address group and the authorization object, and sets the priority of the security policy according to the priority of the security rule, with the higher priority placed first;
the security policy translated from the security rule and the address group is:
source security domain: untrust; destination security domain: trust; action: allow; protocol: TCP; port: 80; source address group: 101.10.10.10; destination address group: security-group-A.
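Steps S1 and S3 above (address group formation, routing-table lookup of the security domain, discarding of groups that match no proper domain, and priority ordering) as an added Python example; this is not code from the patent, and the routing table, interface names and zone names are constructed assumptions. It goes slightly beyond the embodiment by also handling outbound rules and authorization objects that name another security group.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SecurityRule:
    rule_id: int        # unique within its security group
    priority: int       # 0-255, smaller number = higher priority
    auth_object: str    # a single IP address or another security group's name (assumption)
    protocol: str
    port_range: tuple   # (low, high)
    action: str         # "allow" or "deny"
    direction: str      # "in" = access to the group, "out" = access from it


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    hosts: tuple        # IP addresses of the VMs that joined the group
    rules: tuple        # SecurityRule instances


@dataclass(frozen=True)
class Policy:
    src_zone: str
    dst_zone: str
    action: str
    protocol: str
    port_range: tuple
    src_group: str
    dst_group: str
    priority: int


# Constructed stand-in for the boundary firewall's routing table and its
# interface-to-security-domain mapping (hypothetical interface names).
ROUTES = (("0.0.0.0/0", "GE0/0/1"), ("192.168.10.0/24", "GE0/0/2"),
          ("10.99.0.0/16", "GE0/0/3"))
ZONE_OF_INTERFACE = {"GE0/0/1": "untrust", "GE0/0/2": "trust"}   # GE0/0/3 is in no zone


def zone_for_ip(ip):
    """Longest-prefix match in the routing table, then map the egress interface
    to its security domain. None when there is no route or the interface has no zone."""
    addr, best = ip_address(ip), None
    for prefix, iface in ROUTES:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return ZONE_OF_INTERFACE.get(best[1]) if best else None


def zone_for_addresses(addrs):
    """An address group has a proper security domain only if every member resolves
    to the same zone; a split or unresolvable group yields None."""
    zones = {zone_for_ip(a) for a in addrs}
    return zones.pop() if len(zones) == 1 and None not in zones else None


def build_address_groups(groups):
    """Step S1: the address group carries the security group's name and host IPs."""
    return {sg.name: tuple(sorted(sg.hosts)) for sg in groups}


def translate(groups):
    """Step S3: map every security rule to a boundary-firewall policy.
    Returns (address_groups, ordered policies, discarded (group, rule_id) pairs)."""
    address_groups = build_address_groups(groups)
    policies, discarded = [], []
    for sg in groups:
        sg_zone = zone_for_addresses(address_groups[sg.name])
        for rule in sg.rules:
            obj_addrs = address_groups.get(rule.auth_object, (rule.auth_object,))
            obj_zone = zone_for_addresses(obj_addrs)
            if sg_zone is None or obj_zone is None:
                # Such traffic never crosses the boundary firewall: drop the rule.
                discarded.append((sg.name, rule.rule_id))
                continue
            if rule.direction == "in":
                src_zone, dst_zone = obj_zone, sg_zone
                src_group, dst_group = rule.auth_object, sg.name
            else:
                src_zone, dst_zone = sg_zone, obj_zone
                src_group, dst_group = sg.name, rule.auth_object
            policies.append(Policy(src_zone, dst_zone, rule.action, rule.protocol,
                                   rule.port_range, src_group, dst_group, rule.priority))
    # Higher priority (smaller number) first; at equal priority deny precedes allow,
    # so a first-match firewall reproduces the security group's conflict rule.
    policies.sort(key=lambda p: (p.priority, 0 if p.action == "deny" else 1))
    return address_groups, policies, discarded


# Constructed input reproducing the embodiment: security group A with VM1-VM3 and
# one inbound allow rule (ID 1, priority 0) for 101.10.10.10 on TCP port 80.
GROUP_A = SecurityGroup(
    "security-group-A", ("192.168.10.2", "192.168.10.3", "192.168.10.4"),
    (SecurityRule(1, 0, "101.10.10.10", "TCP", (80, 80), "allow", "in"),))

if __name__ == "__main__":
    for policy in translate([GROUP_A])[1]:
        print(policy)
```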
S4, the security management system compares the security policy converted from the security group with the existing security policy on the boundary firewall;
the security management system compares the security policies corresponding to the security groups that share the same source security domain and destination security domain with the security policies on the boundary firewall; the comparison result comprises: adding a security rule, adding a security group, updating an address group, adding an address group, deleting a security group, updating a security rule, deleting a security rule, and the like;
in this embodiment, the security policies on the boundary firewall with source security domain untrust and destination security domain trust are compared with the security policy converted in step S3; if no matching policy exists, the security policy is to be issued to the boundary firewall; if the security policy already exists and its rules are the same, no processing is needed; if the security policy already exists but its rules are inconsistent, the security policy on the boundary firewall is to be updated;
in this embodiment the security policy already exists but its rules are inconsistent: the security policy on the boundary firewall is looser than the security group and leaves extra ports open, so the security policy needs to be updated and the extra ports removed from it;
if the security management system receives a change notification for an address group or a security rule, it checks the address group on the boundary firewall and the security policies related to it according to the address group; if the notification is a change to the address group, the corresponding address group on the boundary firewall is updated directly; if the notification is a change to the security rules related to the address group, the security policies related to those security rules are updated;
S5, the security policy or the address group on the boundary firewall is updated according to the comparison result;
according to the comparison result, the security management system can perform security policy addition, address group addition, security policy update, security policy deletion, address group update and the like.
In this embodiment, the security policy is updated and the redundant ports are deleted.
Based on the same inventive concept, the invention also provides a device for automatically issuing the security policy. The implementation of the device can be referred to the implementation of the method, and repeated details are not repeated. The term "module," as used below, may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 4 is a schematic structural diagram of an apparatus for automatically issuing a security policy according to an embodiment of the present invention. As shown in fig. 4, the apparatus includes:
the management and control platform 101 is used for collecting security group information of the data center and forming an address group from the virtual machine address information under the security group, and for notifying the security management system of the security rules and the address group information;
the security group enforces security rules on the virtual machines added to it; a security rule consists of a priority, an authorized object, a protocol, a port range, an action and a rule direction:
priority: a number from 0 to 255; the smaller the number, the higher the priority. When priorities are equal, the rule with a deny action takes effect first and the rule with an allow action does not take effect; when priorities differ, the rule with the higher priority takes effect;
authorized object: generally an IP address range or a security group ID;
rule direction: the direction of the access, which may be access from the internal network or access from the public network;
action: allow or deny; the rule specifies whether the matching inbound or outbound traffic is allowed or denied;
protocol: TCP, UDP, ICMP, etc.;
port range: the default range is 0-65535;
the management and control platform obtains the IP address of each host added to the security group, and the IP addresses of the hosts in the security group form an address group; within the platform's management scope, the address group name is unique;
the security rules are uniquely numbered within the security group.
The management and control platform notifies the security management system of the security rules and the address group information associated with them; an address group consists of a set of IP addresses;
the first synchronization is a full notification, and subsequent notifications carry only changes: when the virtual machines under a security group change, only the change to the address group is notified;
when a security rule changes, only the address group name and the changed security rule are notified.
The security management system 102 is used for forming security policies from the address group information and the security rules; comparing the security policies converted from the security group with the existing security policies on the boundary firewall; and updating the security policy or address group on the boundary firewall according to the comparison result;
the security management system first determines, from the address group under a security rule, the security domain to which the hosts of the corresponding security group belong; it then determines the security domain of the authorized object from the IP address or address group of the authorized object; if an address group cannot be matched to a suitable security domain, the security rules associated with that address group are discarded;
the security management system then forms a security policy from the security domains, the action, protocol and port range of the security rule, the address group and the authorized object, and sets the priority of the security policy from the priority of the security rule; the policy with the higher priority is ordered first;
the security management system compares the security policies derived from security groups having the same source security domain and destination security domain with the existing security policies on the boundary firewall; the comparison result is one of: adding a security rule, adding a security group, updating an address group, adding an address group, deleting a security group, updating a security rule and deleting a security rule;
if the security management system receives a change notification for an address group or a security rule, it locates the address group on the boundary firewall and the security policies that reference it, and only updates the address group or the security policies associated with the changed security rule;
the security policy or address group on the boundary firewall is updated according to the comparison result: if a security group is newly added, a new security policy is added on the boundary firewall; if an address group is updated, the address group on the boundary firewall is updated; and if a security rule is deleted, the corresponding security policy on the boundary firewall is deleted.
The boundary firewall 103 is used for managing and controlling north-south traffic according to the security policies.
The security group 104 is used for enforcing security management and control on the hosts that join it according to the security rules.
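As an added worked example (not code from the patent or its applicant), the following Python implements the rule-to-policy conversion of step S3, the priority ordering described for the security group, and the comparison of step S4 carried out by the security management system 102, including the "looser firewall rule" case of the embodiment. The security-domain mapping, the rule fields and the firewall's current policy set are constructed sample data, and restricting deletion to firewall policies that reference a managed address group is an assumption added here.

```python
# Added example, not code from the patent: convert a security group's rules into
# boundary-firewall policies, order them by priority, and diff them against the
# policies already on the firewall. Domain mapping and all data are constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed security-domain lookup: address group names and IP prefixes map to
# firewall zones (the patent's "security domain").
DOMAIN_OF_GROUP = {"security-group-a": "trust"}
DOMAIN_OF_PREFIX = {"101.10.10.": "untrust", "10.": "trust"}

@dataclass(frozen=True)
class SecurityRule:
    rule_id: int        # unique within the security group
    priority: int       # 0-255, smaller number = higher priority
    auth_object: str    # IP address / prefix or a security group ID
    protocol: str       # TCP, UDP, ICMP, ...
    port_range: tuple   # (low, high); the default range would be (0, 65535)
    action: str         # "allow" or "deny"
    direction: str      # "in": object -> group, "out": group -> object

@dataclass(frozen=True)
class Policy:
    src_domain: str
    dst_domain: str
    action: str
    protocol: str
    ports: frozenset    # explicit port set so a diff can name extra ports
    src_group: str      # address group name or IP
    dst_group: str
    priority: int

def domain_of(obj: str) -> Optional[str]:
    """Security domain of an address group name or IP; None if unmatched."""
    if obj in DOMAIN_OF_GROUP:
        return DOMAIN_OF_GROUP[obj]
    for prefix, dom in DOMAIN_OF_PREFIX.items():
        if obj.startswith(prefix):
            return dom
    return None

def convert(group: str, rules) -> list:
    """Security-group rules -> firewall policies (step S3). Rules whose group or
    authorized object has no security domain are discarded; the result is ordered
    by priority, with deny before allow when priorities are equal."""
    group_dom = domain_of(group)
    policies = []
    for r in rules:
        obj_dom = domain_of(r.auth_object)
        if group_dom is None or obj_dom is None:
            continue  # no matching security domain: drop the rule
        ports = frozenset(range(r.port_range[0], r.port_range[1] + 1))
        if r.direction == "in":   # traffic from the authorized object into the group
            src, dst = (r.auth_object, obj_dom), (group, group_dom)
        else:                     # traffic from the group out to the object
            src, dst = (group, group_dom), (r.auth_object, obj_dom)
        policies.append(Policy(src[1], dst[1], r.action, r.protocol, ports,
                               src[0], dst[0], r.priority))
    return sorted(policies, key=lambda p: (p.priority, 0 if p.action == "deny" else 1))

def policy_key(p: Policy):
    return (p.src_domain, p.dst_domain, p.protocol, p.src_group, p.dst_group)

def compare(converted, existing, managed_groups) -> list:
    """Diff converted policies against the firewall's current ones (step S4).
    Returns (operation, policy, extra_ports) tuples; extra_ports are ports the
    firewall allows beyond the security group (the 'looser rule' case). Only
    firewall policies referencing a managed address group may be deleted (assumption)."""
    want = {policy_key(p): p for p in converted}
    have = {policy_key(p): p for p in existing}
    ops = []
    for key, p in want.items():
        cur = have.get(key)
        if cur is None:
            ops.append(("add_policy", p, []))
        elif (cur.action, cur.priority, cur.ports) != (p.action, p.priority, p.ports):
            ops.append(("update_policy", p, sorted(cur.ports - p.ports)))
    for key, cur in have.items():
        if key not in want and {cur.src_group, cur.dst_group} & set(managed_groups):
            ops.append(("delete_policy", cur, []))
    return ops

# Constructed data following the patent's embodiment: allow TCP/80 from
# 101.10.10.10 into security-group-a, while the firewall currently also allows 8080.
RULES_A = [
    SecurityRule(1, 100, "101.10.10.10", "TCP", (80, 80), "allow", "in"),
    SecurityRule(2, 100, "10.0.0.0", "TCP", (22, 22), "deny", "in"),
    SecurityRule(3, 50, "192.168.1.1", "TCP", (443, 443), "allow", "in"),  # no domain
]
FIREWALL_NOW = [
    Policy("untrust", "trust", "allow", "TCP", frozenset({80, 8080}),
           "101.10.10.10", "security-group-a", 100),
    Policy("trust", "trust", "allow", "UDP", frozenset({53}),
           "10.0.0.53", "security-group-a", 200),  # no longer backed by a rule
]
```

Running `compare(convert("security-group-a", RULES_A), FIREWALL_NOW, {"security-group-a"})` yields an add for the deny rule, an update that drops port 8080 from the untrust-to-trust policy, and a delete for the stale UDP policy.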
It should be noted that although several modules of the apparatus for automatic issuing of security policies are mentioned in the above detailed description, such a division is merely exemplary and not mandatory. Indeed, the features and functionality of two or more of the modules described above may be embodied in one module according to embodiments of the invention. Conversely, the features and functions of one module described above may be further divided among a plurality of modules.
Based on the aforementioned inventive concept, as shown in fig. 5, the present invention further provides a computer device 200, which includes a memory 210, a processor 220, and a computer program 230 stored on the memory 210 and operable on the processor 220, wherein the processor 220 implements the aforementioned method for automatically issuing the security policy when executing the computer program 230.
Based on the above inventive concept, the present invention further provides a computer-readable storage medium storing a computer program for executing the method for automatically issuing the security policy.
The method and the device for automatically issuing the security policy, provided by the invention, have the advantages that the mutual cooperation of the boundary firewall security policy and the internal security group of the data center is realized, the security of the system is improved, and the operation and maintenance efficiency is improved.
While the spirit and principles of the invention have been described with reference to several particular embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, nor to the division into aspects, which is for convenience of description only and does not mean that the features of these aspects cannot be combined to advantage. The invention is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
Those skilled in the art will understand the limits of the protection scope of the present invention; modifications or changes that those skilled in the art can make without inventive effort on the basis of the technical solution of the present invention remain within the protection scope of the present invention.

Claims (18)

1. A method for automatically issuing a security policy is characterized in that the method comprises the following steps:
the management and control platform collects security group information of the data center and forms an address group according to the virtual machine address information under the security group;
the control platform informs the security rule and the address group information to a security management system;
the security management system forms a security policy according to the address group information and the security rules;
the security management system compares the security policy converted by the security group with the existing security policy on the boundary firewall;
and updating the security policy or the address group on the boundary firewall according to the comparison result.
2. The method of claim 1, wherein the security group executes security rules on the virtual machines joining the security group, the security rules are composed of priorities, authorization objects, protocols, port ranges, actions, and rule directions, and the security rules are uniquely numbered within the security group.
3. The method according to claim 2, wherein if the security rule priorities are the same, the rule with a deny action takes effect preferentially and the rule with an allow action does not take effect; and if the security rule priorities differ, the rule with the higher priority takes effect.
4. The method for automatically issuing the security policy according to claim 1, wherein the management and control platform acquires IP address information of the host according to the host added to the security group, and the IP addresses of the host under the security group form an address group; within the scope of the administration, the address group name is unique.
5. The method for automatically issuing the security policy according to claim 1, wherein the step of notifying the security management system of the security rule and the address group information by the management and control platform comprises:
the management and control platform notifies the security management system of the security rules and the address group information associated with them;
the first synchronization is a full notification, and subsequent notifications carry only changes: when the virtual machines under a security group change, only the change to the address group is notified;
when a security rule changes, only the address group name and the changed security rule are notified.
6. The method for automatically issuing the security policy according to claim 1, wherein the step of forming the security policy by the security management system according to the address group information and the security rule comprises:
the security management system first determines, from the address group under a security rule, the security domain to which the hosts of the corresponding security group belong; it then determines the security domain of the authorized object from the IP address or address group of the authorized object; if an address group cannot be matched to a suitable security domain, the security rules associated with that address group are discarded;
the security management system then forms a security policy from the security domains, the action, protocol and port range of the security rule, the address group and the authorized object, and sets the priority of the security policy from the priority of the security rule; the policy with the higher priority is ordered first.
7. The method for automatically issuing the security policy according to claim 1, wherein the comparing the security policy converted by the security group with the existing security policy on the boundary firewall by the security management system comprises:
the security management system compares the security policies derived from security groups having the same source security domain and destination security domain with the existing security policies on the boundary firewall; the comparison result is one of: adding a security rule, adding a security group, updating an address group, adding an address group, deleting a security group, updating a security rule and deleting a security rule;
if the security management system receives a change notification for the address group or the security rule, it locates the address group on the boundary firewall and the security policy related to the address group, and only updates the address group or the security policy related to the security rule.
8. The method for automatically issuing a security policy according to claim 1, wherein updating the security policy or the address group on the boundary firewall according to the comparison result comprises:
updating the security policy or address group on the boundary firewall according to the comparison result: if a security group is newly added, a new security policy is added on the boundary firewall; if an address group is updated, the address group on the boundary firewall is updated; and if a security rule is deleted, the corresponding security policy on the boundary firewall is deleted.
9. An apparatus for automatically issuing a security policy, the apparatus comprising:
the management and control platform is used for collecting security group information of the data center and forming an address group according to the virtual machine address information under the security group; notifying the security rule and the address group information to a security management system;
the security management system is used for forming a security policy according to the address group information and the security rules; comparing the security policy converted from the security group with the existing security policy on the boundary firewall; and updating the security policy or address group on the boundary firewall according to the comparison result;
the boundary firewall is used for managing and controlling north-south traffic according to the security policy;
and the security group is used for implementing security management and control on the hosts joining the security group according to the security rules.
10. The apparatus for automatic issuance of security policies according to claim 9, wherein the security group enforces security rules on virtual machines joining the security group, the security rules are composed of priorities, authorization objects, protocols, port ranges, actions, and rule directions, and the security rules are uniquely numbered within the security group.
11. The apparatus for automatically issuing a security policy according to claim 10, wherein if the security rule priorities are the same, the rule with a deny action takes effect preferentially and the rule with an allow action does not take effect; and if the security rule priorities differ, the rule with the higher priority takes effect.
12. The apparatus for automatically issuing a security policy according to claim 9, wherein the management and control platform obtains IP address information of the host according to the host added to the security group, and the IP addresses of the host in the security group form an address group; within the scope of the administration, the address group name is unique.
13. The apparatus for automatically issuing a security policy according to claim 9, wherein the notifying, in the management and control platform, the security rule and the address group information to the security management system includes:
the management and control platform notifies the security management system of the security rules and the address group information associated with them;
the first synchronization is a full notification, and subsequent notifications carry only changes: when the virtual machines under a security group change, only the change to the address group is notified;
when a security rule changes, only the address group name and the changed security rule are notified.
14. The apparatus for automatically issuing a security policy according to claim 9, wherein the forming of the security policy in the security management system according to the address group information and the security rule comprises:
the security management system first determines, from the address group under a security rule, the security domain to which the hosts of the corresponding security group belong; it then determines the security domain of the authorized object from the IP address or address group of the authorized object; if an address group cannot be matched to a suitable security domain, the security rules associated with that address group are discarded;
the security management system then forms a security policy from the security domains, the action, protocol and port range of the security rule, the address group and the authorized object, and sets the priority of the security policy from the priority of the security rule; the policy with the higher priority is ordered first.
15. The apparatus for automatically issuing a security policy according to claim 9, wherein the comparing, in the security management system, the security policy converted from the security group with the security policy existing on the boundary firewall comprises:
the security management system compares the security policies derived from security groups having the same source security domain and destination security domain with the existing security policies on the boundary firewall; the comparison result is one of: adding a security rule, adding a security group, updating an address group, adding an address group, deleting a security group, updating a security rule and deleting a security rule;
if the security management system receives a change notification for the address group or the security rule, it locates the address group on the boundary firewall and the security policy related to the address group, and only updates the address group or the security policy related to the security rule.
16. The apparatus for automatically issuing a security policy according to claim 9, wherein the updating, in the security management system, the security policy or the address group on the boundary firewall according to the comparison result includes:
updating the security policy or address group on the boundary firewall according to the comparison result: if a security group is newly added, a new security policy is added on the boundary firewall; if an address group is updated, the address group on the boundary firewall is updated; and if a security rule is deleted, the corresponding security policy on the boundary firewall is deleted.
17. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1-8 when executing the computer program.
18. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program for executing the method of any one of claims 1-8.
Application CN202011266711.5A, priority date 2020-11-13, filing date 2020-11-13, title: Method and device for automatically issuing security policy, status: Pending, publication CN112491822A (en)
Publications (1)

Publication number CN112491822A (en), publication date 2021-03-12

Family

ID=74930277

Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication