CN112671706A - Network access control system based on micro-service architecture - Google Patents
Network access control system based on micro-service architecture Download PDFInfo
- Publication number
- CN112671706A CN112671706A CN202011333133.2A CN202011333133A CN112671706A CN 112671706 A CN112671706 A CN 112671706A CN 202011333133 A CN202011333133 A CN 202011333133A CN 112671706 A CN112671706 A CN 112671706A
- Authority
- CN
- China
- Prior art keywords
- micro
- network
- service
- access control
- micro service
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000011217 control strategy Methods 0.000 claims abstract description 10
- 230000003993 interaction Effects 0.000 claims description 12
- 238000002372 labelling Methods 0.000 claims 1
- 238000012423 maintenance Methods 0.000 abstract description 6
- 238000007726 management method Methods 0.000 abstract description 6
- 238000000034 method Methods 0.000 abstract description 6
- 238000012550 audit Methods 0.000 abstract description 3
- 230000008569 process Effects 0.000 abstract description 3
- 238000013461 design Methods 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 230000007123 defense Effects 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
Images
Abstract
The invention discloses a network access control system based on a micro-service architecture, which belongs to the field of network access control and aims at solving the problems that in the prior art, due to the increase of complexity of network objects and network relations, the configuration and maintenance workload of network access control strategies can be exponentially increased, and meanwhile, managers are difficult to analyze and audit the service rationality and necessity of each control strategy; in the specific deployment and implementation process, the rapid configuration of the network control strategy is realized by combining management or technical means; the characteristics of the micro-service are fully utilized, and the network access requirements among the application systems are integrated. The invention is applied to network access of a micro-service architecture.
Description
Technical Field
The invention relates to the field of network access control, in particular to a network access control system based on a micro-service architecture.
Background
The micro-service can realize a completely independent, fine-grained and self-contained service in a specific service range, and the micro-service needs to run in an independent environment which cannot have dependency on the outside. The purpose of the microservice is to efficiently split applications, thereby enabling agile development and deployment.
Current computer networks face increasingly serious security threats due to their openness, diversity, vulnerability and anonymity. The network access control can reduce the exposed surface and block network attacks to unauthorized ports or services, and therefore the network access control is used as an underlying technical means for building a deep defense system. Network access control is typically implemented by a specific device configuring a detailed policy of source to destination addresses.
With the development of the internet and the rapid increase of user groups, more and more online service application systems face the technical problems of high client connection concurrency, severe user traffic change, complex business combination logic, high service reliability requirements and the like. The micro-service architecture well releases the risks posed by the above challenges, but at the same time greatly increases the number of network objects and network access relationships within the application system. The traditional network access control method and the network access control equipment do not concern the service logic of upper application and the internal association of each IP in a network object, and only configure an access control list according to the detailed requirement from a source address to a destination address. Under the micro-service architecture, due to the increase of complexity of network objects and network relations, the configuration and maintenance workload of the network access control strategies can be exponentially increased, and meanwhile, managers are difficult to analyze and audit the service rationality and the necessity of each control strategy.
Disclosure of Invention
The invention provides a network access control system based on a micro-service architecture, aiming at the problems that in the prior art, due to the increase of the complexity of a network object and a network relation, the configuration and maintenance workload of a network access control strategy can be exponentially increased, and simultaneously, managers are difficult to analyze and audit the service reasonability and necessity of each control strategy, and the network access control system based on the micro-service architecture is provided and aims to: the characteristics of the micro-service are fully utilized to integrate the network access requirements among the application systems, the number of the network security strategies is reduced on the basis of meeting the minimum authority principle, the effectiveness of the network security strategies is guaranteed, and the maintainability of the network security strategies is improved.
The technical scheme adopted by the invention is as follows:
the network access control device is arranged on an access path between the network port and the micro service system;
when an application system is constructed and designed, analyzing each micro-service system to obtain the type and the function of the micro-service system, and dividing the micro-service system into different access types according to the type and the basic function of the micro-service system;
the network access control equipment performs data configuration on the micro service system according to different access types, wherein the data configuration comprises an IP address pool and network ports, different 'micro service roles' are formed after the configuration is completed, and the network ports of the different 'micro service roles' are predefined;
when the micro-service system is deployed or updated, the host associates the corresponding 'micro-service role' by accessing the predefined network port.
Further, each "micro-service role" is set as a combination of an IP address pool and one or several network ports, and different "micro-service roles" are distinguished by predefining different network ports.
Furthermore, the same IP address can be configured for a plurality of "micro service roles", but a combined object of "one IP address + a network port" can be configured only for a certain specific "micro service role".
Further, the micro service roles divide the micro service system into different types according to the man-machine interaction function and the inter-system interaction function, and if one micro service role provides the man-machine interaction function and the inter-system interaction function at the same time, the micro service role is classified into the type providing the inter-system interaction function.
Further, if the network port of the "micro service role" is an external function interface, the "micro service role" is an external access type, and if the network port of the "micro service role" is an internal function interface, the "micro service role" is an internal access type.
Furthermore, when the micro service system is deployed or updated, the host is associated with the corresponding "micro service role" through a management mode of tagging or adding attributes to the network port, or through a technical mode of host registration and data synchronization, for example, through unified discovery and collection of information by an automated operation and maintenance platform.
Further, based on the configured microservice role, a network access control policy is added or updated on the network access control device.
Further, a plurality of the network ports are isolated from each other by a network, and one network port accesses at least one micro service system.
In summary, due to the adoption of the technical scheme, the invention has the beneficial effects that: under the micro-service architecture, network access requirements among all application systems are integrated, complexity of network objects and network relations is reduced, configuration and maintenance workload of network access control strategies can be obviously weakened, the number of network security strategies is reduced, effectiveness of the network security strategies is guaranteed, and maintainability of the network security strategies is improved.
Drawings
FIG. 1 is a schematic diagram of one embodiment of the present invention.
Detailed Description
All of the features disclosed in this specification, or all of the steps in any method or process so disclosed, may be combined in any combination, except combinations of features and/or steps that are mutually exclusive.
The present invention will be described in detail with reference to the following embodiments:
in the construction and design stage of the application system, the micro-service types and basic functions included in the application system are specified, and table 1 configures 2 micro-service types related to basic user information for a user management application system, as shown in table 1:
table 1:
analyzing the subdivision function and possible service call relation of each micro-service type, distinguishing the man-machine interaction function and the inter-system interaction function, integrating the external function and the internal function, forming a 'micro-service role' list aiming at the external function which is not the application function and aiming at the internal function which is other micro-service functions applied to the application, and predefining a service port of a network layer. As shown in table 2:
table 2:
when each micro service system is actually deployed and updated, a micro service-micro service role-IP address pool correspondence table is formed by associating a specific micro service role for each host or container through manual entry in a configuration management system and an access control centralized management system or unified discovery and collection of information through an automated operation and maintenance platform, as shown in table 3.
Table 3:
through manual operation or push of the network access control system, each microservice role is configured or updated on the network access control equipment, and comprises a host or container IP address and a network port, as shown in tables 4 and 5.
Table 4 (network object table):
table 5 (port object table):
| network port object name | Port number |
| user_basic_inner | 8888 |
| user_basic_internal | 9999 |
| user_manager_ui | 8080 |
Step D: network access control policies are added or updated on the network access control device based on the configured microservice roles, as shown in table 6.
Table 6:
the method predefines the micro-service role and the communication port through the design flow of the embedded micro-service; and in the specific deployment and implementation process, the rapid configuration of the network control strategy is realized by combining management or technical means.
The above-mentioned embodiments only express the specific embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for those skilled in the art, without departing from the technical idea of the present application, several changes and modifications can be made, which are all within the protection scope of the present application.
Claims (8)
1. A network access control system based on a microservice architecture, comprising:
the network access control device is arranged on an access path between the network port and the micro service system;
when an application system is constructed and designed, analyzing each micro-service system to obtain the type and the function of the micro-service system, and dividing the micro-service system into different access types according to the type and the basic function of the micro-service system;
the network access control equipment performs data configuration on the micro service system according to different access types, wherein the data configuration comprises an IP address pool and network ports, different 'micro service roles' are formed after the configuration is completed, and the network ports of the different 'micro service roles' are predefined;
when the micro-service system is deployed or updated, the host associates the corresponding 'micro-service role' by accessing the predefined network port.
2. The network access control system based on micro service architecture as claimed in claim 1, wherein: each "micro-service role" is set as a combination of one IP address pool and one or several network ports, and different "micro-service roles" are distinguished by predefining different network ports.
3. The network access control system based on micro service architecture as claimed in claim 2, wherein: the same IP address can be configured for a plurality of 'micro service roles', but the combined object of 'one IP address + network port' can only be configured for a certain specific 'micro service role'.
4. The network access control system based on micro service architecture as claimed in claim 1, wherein: the micro service roles divide the micro service system into different types according to the man-machine interaction function and the inter-system interaction function, and if one micro service role provides the man-machine interaction function and the inter-system interaction function at the same time, the micro service role is classified into the type providing the inter-system interaction function.
5. The network access control system based on micro service architecture as claimed in claim 1, wherein:
if the network port of the 'micro service role' is an external function interface, the 'micro service role' is an external access type, and if the network port of the 'micro service role' is an internal function interface, the 'micro service role' is an internal access type.
6. The network access control system based on micro service architecture as claimed in claim 1, wherein: when the micro service system is deployed or updated, the host associates the corresponding micro service role by labeling or adding attributes to the network port, or associates the corresponding micro service role by the host through host registration and data synchronization.
7. The network access control system based on micro service architecture as claimed in claim 1, wherein: based on the configured 'micro service role', the network access control strategy is added or updated on the network access control device.
8. The network access control system based on micro service architecture as claimed in claim 1, wherein: several of the network ports are network isolated from each other and one network port accesses at least one microservice system.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011333133.2A CN112671706A (en) | 2020-11-25 | 2020-11-25 | Network access control system based on micro-service architecture |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011333133.2A CN112671706A (en) | 2020-11-25 | 2020-11-25 | Network access control system based on micro-service architecture |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112671706A true CN112671706A (en) | 2021-04-16 |
Family
ID=75402944
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011333133.2A Pending CN112671706A (en) | 2020-11-25 | 2020-11-25 | Network access control system based on micro-service architecture |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112671706A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116881942A (en) * | 2023-07-21 | 2023-10-13 | 广州三叠纪元智能科技有限公司 | Role authority verification method and system for distributed system |
Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20160127454A1 (en) * | 2014-10-30 | 2016-05-05 | Equinix, Inc. | Interconnection platform for real-time configuration and management of a cloud-based services exchange |
| CN106487594A (en) * | 2016-10-31 | 2017-03-08 | 中国人民解放军91655部队 | Network traffics collection based on micro services assembly and analysis system |
| CN106612188A (en) * | 2015-10-21 | 2017-05-03 | 中兴通讯股份有限公司 | Method and device for extending software function based on micro service architecture |
| CN106878393A (en) * | 2017-01-16 | 2017-06-20 | 深圳市商沃科技发展有限公司 | A kind of system based on fusion micro services framework |
| US20180349121A1 (en) * | 2017-05-30 | 2018-12-06 | International Business Machines Corporation | Dynamic deployment of an application based on micro-services |
| CN109582472A (en) * | 2018-10-19 | 2019-04-05 | 华为技术有限公司 | A kind of micro services processing method and equipment |
| CN109784503A (en) * | 2018-12-13 | 2019-05-21 | 平安普惠企业管理有限公司 | Business O&M method, apparatus, equipment and readable storage medium storing program for executing |
| CN110532101A (en) * | 2019-09-03 | 2019-12-03 | 中国联合网络通信集团有限公司 | The deployment system and method for micro services cluster |
| US20200084263A1 (en) * | 2017-10-25 | 2020-03-12 | Beijing Kedong Power Control System Co Ltd | A method of micro-service transformation for power trading functions |
| CN111277650A (en) * | 2020-01-20 | 2020-06-12 | 南京航空航天大学 | Automatic micro-service identification method combining functional indexes and non-functional indexes |
| US10684940B1 (en) * | 2018-09-18 | 2020-06-16 | Amazon Technologies, Inc. | Microservice failure modeling and testing |
-
2020
- 2020-11-25 CN CN202011333133.2A patent/CN112671706A/en active Pending
Patent Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20160127454A1 (en) * | 2014-10-30 | 2016-05-05 | Equinix, Inc. | Interconnection platform for real-time configuration and management of a cloud-based services exchange |
| CN106612188A (en) * | 2015-10-21 | 2017-05-03 | 中兴通讯股份有限公司 | Method and device for extending software function based on micro service architecture |
| CN106487594A (en) * | 2016-10-31 | 2017-03-08 | 中国人民解放军91655部队 | Network traffics collection based on micro services assembly and analysis system |
| CN106878393A (en) * | 2017-01-16 | 2017-06-20 | 深圳市商沃科技发展有限公司 | A kind of system based on fusion micro services framework |
| US20180349121A1 (en) * | 2017-05-30 | 2018-12-06 | International Business Machines Corporation | Dynamic deployment of an application based on micro-services |
| US20200084263A1 (en) * | 2017-10-25 | 2020-03-12 | Beijing Kedong Power Control System Co Ltd | A method of micro-service transformation for power trading functions |
| US10684940B1 (en) * | 2018-09-18 | 2020-06-16 | Amazon Technologies, Inc. | Microservice failure modeling and testing |
| CN109582472A (en) * | 2018-10-19 | 2019-04-05 | 华为技术有限公司 | A kind of micro services processing method and equipment |
| CN109784503A (en) * | 2018-12-13 | 2019-05-21 | 平安普惠企业管理有限公司 | Business O&M method, apparatus, equipment and readable storage medium storing program for executing |
| CN110532101A (en) * | 2019-09-03 | 2019-12-03 | 中国联合网络通信集团有限公司 | The deployment system and method for micro services cluster |
| CN111277650A (en) * | 2020-01-20 | 2020-06-12 | 南京航空航天大学 | Automatic micro-service identification method combining functional indexes and non-functional indexes |
Non-Patent Citations (1)
| Title |
|---|
| 张晶等: "微服务框架的设计与实现", 《计算机系统应用》 * |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116881942A (en) * | 2023-07-21 | 2023-10-13 | 广州三叠纪元智能科技有限公司 | Role authority verification method and system for distributed system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Wu et al. | A hierarchical security framework for defending against sophisticated attacks on wireless sensor networks in smart cities | |
| EP3149582B1 (en) | Method and apparatus for a scoring service for security threat management | |
| US20210194932A1 (en) | Network asset characterization, classification, grouping and control | |
| EP1678912B1 (en) | Method and apparatus for providing network security using role-based access control | |
| US7647621B2 (en) | System, method and computer program product for applying electronic policies | |
| CN116938558A (en) | Computer implemented method for providing access to each node of a network and core network access system | |
| CN107153565A (en) | Configure the method and its network equipment of resource | |
| US10200408B2 (en) | Computer network security | |
| US20210176125A1 (en) | Programmable switching device for network infrastructures | |
| Du | Application of information communication network security management and control based on big data technology | |
| Hosney et al. | An artificial intelligence approach for deploying zero trust architecture (zta) | |
| US11374979B2 (en) | Graph-based policy representation system for managing network devices | |
| Basile et al. | Inter‐function anomaly analysis for correct SDN/NFV deployment | |
| CN112671706A (en) | Network access control system based on micro-service architecture | |
| CN113067861A (en) | Distributed extensible access control authorization system and method based on block chain | |
| Farahmandian et al. | SDS 2: A novel software-defined security service for protecting cloud computing infrastructure | |
| Poltavtseva et al. | High-performance NIDS architecture for enterprise networking | |
| US20230319115A1 (en) | Systems and methods for validating, maintaining, and visualizing security policies | |
| Ali et al. | Privacy-preserving and Trusted Threat Intelligence Sharing using Distributed Ledgers | |
| Maitland et al. | Balancing security and other requirements in hastily formed networks: The case of the syrian refugee response | |
| Kim et al. | Analysis of recent IIoT security technology trends in a smart factory environment | |
| Mattila et al. | Predicting the architecture of military ICT infrastructure | |
| CN111199056A (en) | Grading authentication method based on intelligent contract in block chain | |
| Bessa et al. | Proposal of a BI/SSBI System for Knowledge Management of the Traffic of a Network Infrastructure–A University of Trás-os-Montes e Alto Douro Case Study | |
| US20030135738A1 (en) | Compartmented multi operator network management |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20210416 |
|
| RJ01 | Rejection of invention patent application after publication |