CN112910705B - Method, device and storage medium for arranging network flow - Google Patents


Info

Publication number: CN112910705B
Authority: CN (China)
Prior art keywords: network, security, assets, cloud, resource pool
Legal status: Active (granted)
Application number: CN202110142091.2A
Other languages: Chinese (zh)
Other versions: CN112910705A (en)
Inventors: 刘学年, 范渊, 杨勃
Current assignee: DBAPPSecurity Co Ltd
Original assignee: DBAPPSecurity Co Ltd

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0803 Configuration setting
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; Congestion control
    • H04L 47/12 Avoiding congestion; Recovering from congestion
    • H04L 47/125 Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering


Abstract

The application relates to a method, a device and a storage medium for orchestrating network traffic. The method comprises the following steps: configuring traffic-steering parameters on a core switch so that the traffic data collected by the core switch is steered from the core switch into a security resource pool of a cloud platform; obtaining a preset security service chain and the network assets of a user, and determining an orchestration mode for the traffic data according to the order of the security components in the security service chain and the types of the network assets, wherein the security components correspond to the network assets; and steering the traffic data to the network assets through the steering devices in the security resource pool according to the orchestration mode. The method and device solve the problem in the related art that manually configuring the network is tedious, complex and error-prone, and improve the efficiency of network configuration.

Description

Method, device and storage medium for arranging network flow
Technical Field
The present application relates to the field of network security technologies, and in particular to a method, a device and a storage medium for orchestrating network traffic.
Background
With the development of cloud computing technology, cloud security technology has also emerged. For security reasons, a user's traffic in the various cloud scenarios needs to be cleaned and filtered; before it can be processed by the different security components, however, the traffic first has to be steered to those components. In the related art, steering the traffic requires a technician to manually push configuration to the core switch so that the traffic is steered to the cloud, and then to manually push a routing policy to a Layer 3 network component in the cloud so that the traffic is steered onto the different security components of the security resource pool.
As the network scenarios of cloud environments become more and more complex, manual configuration cannot keep up with complex and changing cloud scenarios, and the configuration rules of different network devices differ, so the manual configuration process is tedious and error-prone.
At present, no effective solution has been proposed for the problem that manually configuring the network is tedious and error-prone in the related art.
Disclosure of Invention
The embodiments of the application provide a method, a device and a storage medium for orchestrating network traffic, so as to at least solve the problem that manually configuring a network in the related art is tedious and error-prone.
In a first aspect, an embodiment of the present application provides a method for orchestrating network traffic, including:
configuring traffic-steering parameters on a core switch so that the collected traffic data is steered from the core switch into a security resource pool of a cloud platform;
obtaining a preset security service chain and the network assets of a user, and determining an orchestration mode for the traffic data according to the order of the security components in the security service chain and the types of the network assets, wherein the security components correspond to the network assets;
and steering the traffic data to the network assets through the steering devices in the security resource pool according to the orchestration mode.
In some embodiments, obtaining the preset security service chain includes:
dragging the security components and the network assets to preset positions on a configuration page to form the security service chain.
In some embodiments, before the traffic data is steered to the network assets in the orchestration mode by a steering device in the security resource pool, the method includes:
obtaining the traffic data from the core switch through a service switch of the cloud platform;
and forwarding the traffic data to the steering device in the security resource pool through the service switch.
In some embodiments, forwarding the traffic data to the steering device in the security resource pool through the service switch includes:
obtaining a preset load-balancing rule, and distributing the traffic data obtained from the service switch to a plurality of steering devices according to the load-balancing rule.
In some embodiments, before the traffic data is steered to the network assets in the orchestration mode by a steering device in the security resource pool, the method includes:
obtaining a network topology map, determining the number of steering devices according to the load capacity of each gateway device in the network topology map, and bringing up that number of steering devices.
In some embodiments, steering the traffic data to the network assets in the orchestration mode by a steering device in the security resource pool includes:
configuring a policy route on the gateway device in the security resource pool, and establishing the next-hop connection between the gateway device and the steering device through the policy route.
In some embodiments, determining the orchestration mode for the traffic data according to the order of the security components in the security service chain and the types of the network assets includes:
in the case that the network assets include a host asset, if the security components include a cloud firewall, the traffic data passes only through the cloud firewall; or,
in the case that the network assets include a host asset, if the security components do not include a cloud firewall, the cloud platform reports an error.
In some embodiments, determining the orchestration mode for the traffic data according to the order of the security components in the security service chain and the types of the network assets includes:
in the case that the network assets include a website asset, determining the order in which the traffic data is steered through the security components based on the positions of the security components in the security service chain, wherein the security components include at least one of a cloud firewall, a cloud WAF and a third-party gateway-type security component.
In a second aspect, an embodiment of the present application provides a device for orchestrating network traffic, including a configuration module, an acquisition module and a steering module:
the configuration module is used for configuring traffic-steering parameters on the core switch and steering the collected traffic data from the core switch into a security resource pool of the cloud platform;
the acquisition module is used for obtaining a preset security service chain and the network assets of a user, and determining an orchestration mode for the traffic data according to the order of the security components in the security service chain and the types of the network assets, wherein the security components correspond to the network assets;
and the steering module is used for steering the traffic data to the network assets through the steering devices in the security resource pool according to the orchestration mode.
In a third aspect, an embodiment of the present application provides an electronic apparatus including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor, when executing the computer program, implements the method for orchestrating network traffic according to the first aspect.
In a fourth aspect, the present application provides a storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the method for orchestrating network traffic according to the first aspect.
Compared with the related art, the method for orchestrating network traffic provided by the embodiments of the application steers the collected traffic data from the core switch into the security resource pool of the cloud platform by configuring traffic-steering parameters on the core switch; obtains a preset security service chain and the network assets of a user, and determines an orchestration mode for the traffic data according to the order of the security components in the security service chain and the types of the network assets, wherein the security components correspond to the network assets; and steers the traffic data to the network assets through the steering devices in the security resource pool according to the orchestration mode. This solves the problem that manually configuring the network in the related art is tedious and error-prone, and improves the efficiency of network configuration.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a schematic diagram of the application environment of a method for orchestrating network traffic according to an embodiment of the present application;
FIG. 2 is a flowchart of a method for orchestrating network traffic according to an embodiment of the present application;
FIG. 3 is a schematic diagram of configuring a security service chain according to an embodiment of the present application;
FIG. 4 is a flowchart of another method for orchestrating network traffic according to an embodiment of the present application;
FIG. 5 is a schematic diagram of network traffic orchestration with load balancing added according to an embodiment of the present application;
FIG. 6 is a block diagram of the hardware structure of a terminal for the method for orchestrating network traffic according to an embodiment of the present application;
FIG. 7 is a block diagram of a device for orchestrating network traffic according to an embodiment of the present application;
FIG. 8 is a schematic diagram of a network traffic orchestration device according to a preferred embodiment of the present application;
FIG. 9 is a schematic diagram of another network traffic orchestration device according to a preferred embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The use of the terms "including," "comprising," "having," and any variations thereof herein, is meant to cover a non-exclusive inclusion; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference herein to "a plurality" means greater than or equal to two. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
From the perspective of network security, the traffic data of the various cloud scenarios needs to be cleaned and filtered, and that cleaning and filtering presupposes that the traffic data is first steered to the security components before being processed by the functions of the different security components. In the related art, configuration has to be pushed to the core switch manually to steer the traffic data to the cloud platform, and a routing policy then has to be pushed manually to the Layer 3 network components in the cloud platform to steer the traffic data to the different security components. The configuration process for handling traffic data is therefore tedious and error-prone; moreover, different network devices, such as Layer 2 network devices, Layer 3 network devices and security components with a Layer 3 routing function, have different configuration rules and require specialist technicians to operate, which is unfriendly to ordinary users.
The method for orchestrating network traffic provided by the present application may be applied to the application environment shown in FIG. 1, which is a schematic diagram of the application environment of the method for orchestrating network traffic according to an embodiment of the present application. As shown in FIG. 1, the core switch 10 at the user side and the cloud platform 20 communicate with each other over a network. A user or technician may configure traffic-steering parameters on the core switch 10 so that the traffic data collected by the core switch 10 is steered into a security resource pool of the cloud platform 20. The security resource pool includes a plurality of steering devices 21 and gateway devices 22 corresponding to the functions of the security components; the steering devices 21 in the security resource pool steer the traffic data according to a preset orchestration mode, and the traffic reaches the network asset after passing through the gateway devices. In this way the traffic data may enter a gateway device 22 from a steering device 21 to be cleaned, leave the gateway device 22 after cleaning, and return to the steering device 21.
This embodiment provides a method for orchestrating network traffic. FIG. 2 is a flowchart of a method for orchestrating network traffic according to an embodiment of the present application; as shown in FIG. 2, the method includes the following steps:
Step S210, configuring traffic-steering parameters on the core switch, and steering the collected traffic data from the core switch into a security resource pool of the cloud platform.
The core switch is a Layer 3 switch. A Layer 3 switch is a switch that has part of the functions of a router and operates at the third layer of the Open Systems Interconnection reference model (OSI model), the network layer. Its main purpose is to accelerate data exchange within a large local area network; it has a routing function serving that purpose and can route once and forward many times, performing regular processes such as packet forwarding at high speed in hardware, while routing information updates, routing table maintenance, route calculation and route determination are implemented in software.
The traffic-steering parameters are the parameters used to steer the traffic data on the core switch to the cloud platform, and include the designated vendor of the core switch, connection information, steering-interface information and a switch name. The designated vendor is the manufacturer brand of the core switch; the connection information includes the connection address, connection port, interconnect interface, user name and password of the core switch; the steering-interface information includes an inbound interface and an outbound interface; and the switch name is set by the user or technician.
During configuration, the steering parameters are pushed to the core switch through the Network Configuration Protocol (NETCONF), so that the traffic collected by the core switch is steered to the cloud platform. NETCONF is an XML-based network management protocol that provides a programmable way to configure and manage network devices. Through the protocol a user can set parameters, retrieve parameter values, retrieve statistics and so on. NETCONF messages use the XML format and have strong filtering capability; each data item has a fixed element name and position, so different devices from the same vendor have the same access method and the same presentation of results, and devices from different vendors can achieve the same effect through XML mapping. NETCONF therefore makes it convenient to develop customised network management software for an environment that mixes different vendors and devices. Based on such network management software, the efficiency of configuration management of network devices can be improved and the user's operations made more convenient. XML is a markup language for giving electronic documents a marked-up structure.
The security resource pool in this embodiment is established on the cloud platform and includes a plurality of security components; it may further include a steering device, where the steering device is used for cleaning and screening the traffic data and filtering out unsafe traffic data. Further, the traffic data is the information data that reaches the core switch through the communication network.
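The following Python is an illustrative example added here; it is not code from the patent or from DBAPPSecurity. It builds the NETCONF edit-config RPC that would carry the steering parameters described above to the core switch, applies RFC 6242 end-of-message framing, and checks the switch's rpc-reply for an rpc-error. The rpc envelope and base namespace are those of RFC 6241; the traffic-steering payload, its namespace urn:example:traffic-steering and its leaf names are an assumed stand-in for whatever vendor YANG model a real switch expects, and the parameter values and replies are constructed. The connection address, port, user name and password authenticate the NETCONF-over-SSH session itself and are deliberately kept out of the configuration payload.

```python
"""Build a NETCONF <edit-config> RPC for core-switch traffic steering and
check the reply.  Added example: the RPC envelope follows RFC 6241 and the
end-of-message framing RFC 6242; the <traffic-steering> payload model and
namespace are assumed stand-ins for a vendor YANG model."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NETCONF_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
STEER_NS = "urn:example:traffic-steering"  # assumed, not a real model
ET.register_namespace("nc", NETCONF_NS)
ET.register_namespace("ts", STEER_NS)


@dataclass(frozen=True)
class SteeringParams:
    """The steering parameters listed on the page: vendor, connection
    information, steering interfaces and switch name."""
    vendor: str
    address: str        # NETCONF session endpoint
    port: int           # 830 is the IANA port for NETCONF over SSH
    interconnect_if: str
    username: str       # session credentials, never part of <config>
    password: str
    inbound_if: str
    outbound_if: str
    switch_name: str


def validate(p: SteeringParams) -> None:
    """Reject incomplete or inconsistent parameters before contacting the switch."""
    if not 0 < p.port < 65536:
        raise ValueError(f"invalid port {p.port}")
    for name in ("vendor", "address", "interconnect_if", "username",
                 "password", "inbound_if", "outbound_if", "switch_name"):
        if not getattr(p, name):
            raise ValueError(f"missing steering parameter: {name}")
    if p.inbound_if == p.outbound_if:
        raise ValueError("inbound and outbound steering interfaces must differ")


def build_edit_config(p: SteeringParams, message_id: int = 101) -> bytes:
    """Serialise an <edit-config> against the running datastore (merge)."""
    validate(p)

    def nc(tag: str) -> str:
        return f"{{{NETCONF_NS}}}{tag}"

    def ts(tag: str) -> str:
        return f"{{{STEER_NS}}}{tag}"

    rpc = ET.Element(nc("rpc"), {"message-id": str(message_id)})
    edit = ET.SubElement(rpc, nc("edit-config"))
    ET.SubElement(ET.SubElement(edit, nc("target")), nc("running"))
    ET.SubElement(edit, nc("default-operation")).text = "merge"  # leave other config alone
    steer = ET.SubElement(ET.SubElement(edit, nc("config")), ts("traffic-steering"))
    for tag, value in (("switch-name", p.switch_name),
                       ("interconnect-interface", p.interconnect_if),
                       ("inbound-interface", p.inbound_if),
                       ("outbound-interface", p.outbound_if)):
        ET.SubElement(steer, ts(tag)).text = value
    return ET.tostring(rpc, encoding="utf-8", xml_declaration=True)


def frame_eom(rpc: bytes) -> bytes:
    """NETCONF 1.0 end-of-message delimiter (RFC 6242 section 4.3)."""
    return rpc + b"\n]]>]]>"


def rpc_field(rpc: bytes, tag: str) -> str:
    """Read back one <traffic-steering> leaf from a serialised RPC."""
    return ET.fromstring(rpc).findtext(f".//{{{STEER_NS}}}{tag}")


def reply_ok(reply_xml: bytes) -> bool:
    """True on <ok/>; raise with the device's message on <rpc-error>."""
    root = ET.fromstring(reply_xml)
    err = root.find(f"{{{NETCONF_NS}}}rpc-error")
    if err is not None:
        msg = err.findtext(f"{{{NETCONF_NS}}}error-message", default="unknown error")
        raise RuntimeError(f"switch rejected edit-config: {msg.strip()}")
    return root.find(f"{{{NETCONF_NS}}}ok") is not None


# Constructed sample input and replies (not captured from a real device).
SAMPLE_PARAMS = SteeringParams(
    vendor="ExampleVendor", address="192.0.2.10", port=830,
    interconnect_if="Ten-GigabitEthernet1/0/49", username="netops",
    password="example-only", inbound_if="GigabitEthernet1/0/1",
    outbound_if="GigabitEthernet1/0/2", switch_name="core-sw-1")
OK_REPLY = (b'<rpc-reply message-id="101" '
            b'xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><ok/></rpc-reply>')
ERROR_REPLY = (b'<rpc-reply message-id="101" '
               b'xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><rpc-error>'
               b'<error-type>application</error-type><error-tag>invalid-value</error-tag>'
               b'<error-message>unknown interface GigabitEthernet1/0/2</error-message>'
               b'</rpc-error></rpc-reply>')

if __name__ == "__main__":
    print(frame_eom(build_edit_config(SAMPLE_PARAMS)).decode())
```

A real push would send the framed bytes over an SSH subsystem session to `address:port` with `username`/`password` and wait for the reply before treating the steering as configured; the point of `reply_ok` is that an rpc-error must stop the orchestration rather than leave the platform believing traffic is being steered.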
Step S220, obtaining a preset security service chain and the network assets of a user, and determining an orchestration mode for the traffic data according to the order of the security components in the security service chain and the types of the network assets, where the security components correspond to the network assets.
In this embodiment, the security service chain is a chain formed by different security components and the connection relationships between them. For example, when the security components include a cloud firewall and a cloud WAF (Web Application Firewall, an intrusion-prevention system at the web application layer), traffic data passing first through the cloud firewall and then through the cloud WAF forms one security service chain, and traffic data passing first through the cloud WAF and then through the cloud firewall forms another.
The network assets are the preset user assets that need protection, such as the user's host assets or website assets. Different security components correspond to different network assets; the specific correspondence is determined by the attributes of the security component and the type of network asset. For example, a cloud firewall is used to protect host assets and a cloud WAF is used to protect website assets. Further, the correspondence between the traffic data and the network assets can be determined from IP addresses, and the traffic data can then be steered to the security component corresponding to the network asset.
The orchestration mode is the route the traffic data actually takes through the security resource pool; it can be determined from the security service chain on the basis of the correspondence between the security components, the network assets and the traffic data.
Step S230, steering the traffic data to the network assets through the steering devices in the security resource pool according to the orchestration mode.
The steering device is a device for steering and distributing traffic data, and may specifically be a cloud router (vRouter). The cloud router implements multiple network services on a customised Linux cloud host and is also referred to as a Virtual Private Cloud (VPC) network router.
In this embodiment, the traffic data is steered by the steering device and, after being cleaned by the security components in the security resource pool, is finally steered to the corresponding network asset.
Through steps S210 to S230, in this embodiment the traffic data on the core switch is steered to the security resource pool in the cloud platform for cleaning by setting the traffic-steering parameters of the core switch, and the forwarding path of the traffic data inside the security resource pool can be orchestrated automatically according to the preset security service chain.
In some embodiments, the preset security service chain may be obtained through graphical programming. Specifically, the orchestration of the traffic data is dragged together on a configuration page in the form of a network topology map to form a chain-type protection model for the traffic data. For example, when the steering device is a vRouter and the cloud firewall is specifically a next-generation cloud firewall, the traffic data moves through the model as follows: it goes from the vRouter to the next-generation cloud firewall and, after being cleaned by the firewall, from the vRouter to the cloud WAF, so the chain structure in the security service chain is: vRouter, then next-generation cloud firewall, then cloud WAF. FIG. 3 is a schematic diagram of configuring a security service chain according to an embodiment of the present application. For example, the existing network assets and security components are displayed on the configuration page with graphical markers, where the network assets include host assets and website assets and the security components include a cloud firewall, a cloud WAF, third-party security components and so on; an initial model of the security service chain is also displayed on the configuration page. The initial model includes reserved boxes set aside for the security components and the network assets, and two adjacent reserved boxes are connected by an arrow indicating the flow direction of the traffic data. A user or technician may drag the security components and network assets on the configuration page to the preset positions to form the final security service chain; for example, the network asset to be protected may be dragged from left to right into the preset position labelled "please drag in the protected asset", and one or more network assets may be placed in the protected network assets at the same time. The preset positions are the reserved boxes in the initial model of the security service chain.
Further, the type and number of security components are not limited.
In this embodiment, the configuration process for the security service chain is simplified by graphical programming, the professional skill the configuration process demands of the user is lowered, the convenience of the configuration process is improved, and the user experience is improved at the same time.
This embodiment provides another method for orchestrating network traffic. FIG. 4 is a flowchart of another method for orchestrating network traffic according to an embodiment of the present application; as shown in FIG. 4, the method further includes the following steps:
Step S410, obtaining the traffic data from the core switch through the service switch of the cloud platform.
The service switch is a switch capable of providing multiple services and multiple communication protocols.
Step S420, forwarding the traffic data to the steering device in the security resource pool through the service switch.
Through steps S410 and S420, in this embodiment a service switch is added between the core switch and the steering device in the security resource pool during the steering of traffic data, so that the traffic data passes through the service switch first and is then forwarded by the service switch to the steering device.
In some embodiments, when a bottleneck (the short-board effect) exists, the problem may be solved by adding load balancing. Specifically, a preset load-balancing rule is obtained, and the traffic data obtained from the service switch is distributed to a plurality of steering devices according to the load-balancing rule. FIG. 5 is a schematic diagram of network traffic orchestration with load balancing added according to an embodiment of the present application. As shown in FIG. 5, the traffic data on the core switch reaches a load-balancing device after passing through the service switch, and the load-balancing device distributes the traffic data to a plurality of steering devices according to the preset load-balancing rule. The load-balancing rule may be set by the user or technician, or may be calculated directly by the load-balancing device from the capacity of each steering device; it is used to configure how the traffic data is distributed over the steering devices. The capacity of a steering device is limited by the capacity of a single gateway device, where the gateway device is a gateway-type security product with the functions of a cloud firewall or a cloud WAF. Load balancing means balancing the load and spreading it over a plurality of operating units, such as FTP servers, web servers, enterprise core application servers and other main task servers. The load-balancing process in this embodiment may be built on top of the original network structure, and can extend the bandwidth of the servers and network devices, enhance the network's data-processing capability, increase throughput, and improve the availability and flexibility of the network.
In some embodiments, a certain number of steering devices need to be brought up to process the traffic data before the traffic data is steered to the network assets in the orchestration mode by the steering devices in the security resource pool. The number of steering devices is obtained by acquiring a network topology map and deriving the number from the load capacity of each gateway device in the network topology map, where the network topology map is a network structure diagram composed of network node devices and communication media. Specifically, after the issued network topology map is obtained, the load capacity of each gateway device and the load capacity of a single steering device are determined from product model information such as a standard edition or flagship edition; the load capacities of the gateway devices are denoted $x_1, x_2, \dots, x_n$ respectively. In this embodiment a cloud router (vRouter) is selected as the steering device and its load capacity is denoted $y$. The number $n$ of gateway devices that a single vRouter can carry is calculated according to the following equation 1:
$$y = 2x_1 + 2x_2 + \dots + x_n \qquad \text{(equation 1)}$$
In equation 1, $x$ represents the load capacity of a single gateway device, the subscripts 1 to $n$ are the serial numbers of the gateway devices, and $n$ is the total number of gateway devices.
After the number of gateway devices that each vRouter can carry is obtained, the number of vRouters is calculated from the total traffic data, that is, the number of steering devices required to steer all the traffic data is obtained, and that number of steering devices is then brought up, so that all the traffic data can enter the security resource pool to be orchestrated.
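The sizing step above and the load-balancing rule of the preceding embodiment, as an added Python example that is not the patent's or DBAPPSecurity's code. `chain_load` evaluates equation 1 as written, taking the factor 2 on every gateway but the last as the in-and-return traversal of the steering device that the page describes (that reading is ours); `gateways_per_vrouter` finds the largest n the equation permits, `vrouters_needed` derives the device count from the total traffic, `balance` is one concrete capacity-weighted rule of the kind the page says the load balancer may compute from each steering device's capacity, and `overloaded` flags the bottleneck the page calls the short-board effect. All capacity figures and flow sizes are constructed.

```python
"""Steering-device (vRouter) capacity planning per equation 1, plus a
capacity-weighted load-balancing rule.  Added example; the capacities and
flow sizes are constructed (units are arbitrary, e.g. Gbit/s)."""
from math import ceil
from typing import Dict, List, Sequence, Tuple


def chain_load(gateway_caps: Sequence[float], n: int) -> float:
    """Load that the first n gateways place on one vRouter, per equation 1:
    y = 2*x_1 + 2*x_2 + ... + x_n.  Every gateway except the last sends its
    cleaned traffic back through the vRouter, hence the factor 2 (our reading
    of the return path described on the page)."""
    if n <= 0:
        return 0.0
    if n > len(gateway_caps):
        raise ValueError("fewer gateways than requested")
    return 2.0 * sum(gateway_caps[:n - 1]) + gateway_caps[n - 1]


def gateways_per_vrouter(gateway_caps: Sequence[float], vrouter_cap: float) -> int:
    """Largest n for which chain_load(n) fits in y; 0 means even one gateway
    would saturate the vRouter."""
    n = 0
    while n < len(gateway_caps) and chain_load(gateway_caps, n + 1) <= vrouter_cap:
        n += 1
    return n


def vrouters_needed(total_traffic: float, vrouter_cap: float) -> int:
    """Number of vRouters to bring up so that all traffic enters the pool."""
    if vrouter_cap <= 0:
        raise ValueError("vRouter capacity must be positive")
    return max(1, ceil(total_traffic / vrouter_cap))


def balance(flows: Sequence[Tuple[str, float]],
            vrouter_caps: Dict[str, float]) -> Tuple[Dict[str, List[str]], Dict[str, float]]:
    """Capacity-weighted least-loaded assignment: each flow (largest first)
    goes to the vRouter whose utilisation after the assignment is lowest."""
    load = {v: 0.0 for v in vrouter_caps}
    assignment: Dict[str, List[str]] = {v: [] for v in vrouter_caps}
    for flow_id, size in sorted(flows, key=lambda f: f[1], reverse=True):
        target = min(vrouter_caps, key=lambda v: (load[v] + size) / vrouter_caps[v])
        load[target] += size
        assignment[target].append(flow_id)
    return assignment, load


def overloaded(load: Dict[str, float], vrouter_caps: Dict[str, float]) -> List[str]:
    """vRouters whose assigned load exceeds capacity: the short-board effect
    that calls for more steering devices or a different rule."""
    return [v for v in vrouter_caps if load[v] > vrouter_caps[v]]


# Constructed sample figures.
GATEWAY_CAPS = [2.0, 2.0, 4.0]          # x_1..x_3: firewall, WAF, third-party gateway
VROUTER_CAP = 10.0                      # y for one vRouter
SAMPLE_FLOWS = [("f1", 6.0), ("f2", 4.0), ("f3", 3.0), ("f4", 2.0)]
SAMPLE_VROUTERS = {"vr1": 10.0, "vr2": 5.0}

if __name__ == "__main__":
    print("gateways per vRouter:", gateways_per_vrouter(GATEWAY_CAPS, VROUTER_CAP))
    print("vRouters for 25 units:", vrouters_needed(25.0, VROUTER_CAP))
    assign, load = balance(SAMPLE_FLOWS, SAMPLE_VROUTERS)
    print(assign, load, "overloaded:", overloaded(load, SAMPLE_VROUTERS))
```

With the sample figures a single vRouter carries two of the three gateways, and the greedy rule still leaves vr1 above capacity because the flows are indivisible, which is exactly the case in which the planner should bring up another steering device rather than accept the bottleneck.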
The gateway device and the drainage device in the application are connected by designating the next hop, so that the gateway device is required to support configuration of the policy routing in a mode of an interface. If the gateway type equipment does not support, the gateway equipment in the security resource pool needs to be configured with a strategy route, and the next hop connection between the gateway equipment and the drainage equipment is realized through the strategy route, so that the backflow of the flow data is realized.
In the process of arranging the traffic data, the network assets include host assets and/or website assets, and the security component includes a cloud firewall and/or a cloud WAF: the cloud firewall (in this embodiment it may be a next-generation cloud firewall) protects the host assets and the cloud WAF protects the website assets. Since the kinds of network assets and the functions of the security components differ, several scenarios arise, and the security service chain and the arrangement manner differ in each.
First, a security service chain determined by the order of security components in different scenarios will be described.
1. If the user (for example an operator or a technician) places a next-generation cloud firewall in the first preset position and a cloud WAF in the second preset position of the initial model of the security service chain, the scheduling order of the traffic data in the security service chain is: first to the next-generation cloud firewall, then to the cloud WAF, and finally to the user's network assets.
2. If the user places the cloud WAF in the first preset position and the next-generation cloud firewall in the second preset position of the initial model of the security service chain, the scheduling order of the traffic data in the security service chain is: first to the cloud WAF, then to the next-generation cloud firewall, and finally to the user's network assets. Optionally, the traffic data in this scenario is the website traffic data corresponding to the website assets.
3. If the user only puts the next-generation cloud firewall in all the preset positions in the initial model of the security service chain, the traffic data is only forwarded to the next-generation cloud firewall and then to the network assets of the user.
4. If the user only puts the cloud WAF in all the preset positions in the initial model of the security service chain, the website traffic data is only forwarded to the cloud WAF and then to the website assets of the user.
5. If the user places a third-party gateway-type security component in a preset position of the initial model of the security service chain, the path along which the traffic data is forwarded to that component is determined by the position of the component itself.
Based on the above description of the security service chain, the following description specifically describes the way of arranging the traffic data in different scenarios.
1. If the protected network assets comprise only host assets and no website assets, and the security component includes a next-generation cloud firewall, the traffic data passes only through the next-generation cloud firewall.
2. If the protected network assets comprise only host assets and no website assets, and the security component has only a cloud WAF, the cloud platform reports an error: the host assets to be protected lack a cloud firewall security component.
3. If the protected network assets comprise only host assets and no website assets, and the security component has both a next-generation cloud firewall and a cloud WAF, the traffic data does not pass through the cloud WAF but only through the next-generation cloud firewall.
4. If the protected network assets are only website assets and the security component has a next-generation cloud firewall, the traffic data is forwarded to the next-generation cloud firewall.
5. If the protected network assets are only website assets and the security component has only a cloud WAF, the traffic data is forwarded to the cloud WAF.
6. If the protected network assets are only website assets and the security component has both a next-generation cloud firewall and a cloud WAF, the traffic data passes through both, in the sequence determined by the positions of the next-generation cloud firewall and the cloud WAF.
7. If the protected network asset has a host asset and a website asset at the same time and the security component has a cloud firewall and a cloud WAF at the same time, the flow data is guided according to the sequence of the cloud firewall and the cloud WAF and the inclusion relationship between the IP address of the host asset and the IP address of the website asset, and the following two conditions exist specifically:
a. If the cloud firewall is placed before the cloud WAF and some IP addresses of the website assets are not included in the IP addresses of the host assets, host assets corresponding to those uncovered website IP addresses are created; then all traffic data corresponding to the host assets is guided to the cloud firewall, and the traffic data corresponding to the website assets is guided to the cloud WAF. For example, with a next-generation cloud firewall as the cloud firewall, if the next-generation cloud firewall is at the first preset position and the cloud WAF at the second, the IP addresses of the host assets must then include the IP addresses of the website assets. Say the IP addresses of the host assets include 10.10.10.10 and 20.20.20.20, and the IP addresses of the website assets include 10.10.10.10. The traffic data is then arranged as follows: the traffic data of 10.10.10.10, 20.20.20.20, 30.30.30.30 and 40.40.40.40 is forwarded to the next-generation cloud firewall, and the website traffic data of 10.10.10.10 is then forwarded on to the cloud WAF.
b. If the cloud firewall is placed after the cloud WAF, the traffic data corresponding to the website assets is guided to the cloud WAF and then to the cloud firewall in sequence, while the traffic data corresponding to the host assets is guided directly to the cloud firewall. For example, with a next-generation cloud firewall as the cloud firewall, if the cloud WAF is at the first preset position and the next-generation cloud firewall at the second, the IP addresses of the host assets include 10.10.10.10, 20.20.20.20 and 50.50.50.50, and the IP address of the website asset is 10.10.10.10, then the website traffic data of 10.10.10.10 is forwarded first to the cloud WAF and then to the next-generation cloud firewall, while the host traffic data of 10.10.10.10, 20.20.20.20 and 50.50.50.50 does not pass through the cloud WAF but is forwarded directly to the next-generation cloud firewall and finally to the user's host assets.
8. If the protected network assets have both host assets and website assets and the security component has only a next-generation cloud firewall, all host traffic data corresponding to the host assets is forwarded to the next-generation cloud firewall, and only the website traffic data corresponding to the website port is forwarded on to the website assets, finally returning to the user's website assets.
9. If the protected network assets have both host assets and website assets and only the cloud WAF exists in the security component, the cloud platform reports an error and prompts: host assets exist, lacking the protection of next generation cloud firewalls.
Regarding the above arrangement of the traffic data in the different scenarios, note that once a network asset has been associated with one security service chain, it cannot be associated with another. First, when the network assets include a host asset: if the security component includes a cloud firewall, the traffic data passes only through the cloud firewall; if it does not include a cloud firewall, the cloud platform reports an error. Second, when the network assets include website assets, the guiding order of the traffic data through the security components is determined by the positional relationship of the components in the security service chain, where the security components include at least one of a cloud firewall, a cloud WAF and a third-party gateway-type security component. This embodiment does not limit the type or number of security components. Further, the rules of the arrangement mode set in this embodiment improve the efficiency of arranging traffic data.
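The scenario rules above turned into a decision function, as an added example that is not the patent's own code: given the chain order and the user's host and website assets, it returns the components each IP's traffic traverses, creates host assets for uncovered website IPs when the firewall sits ahead of the WAF (scenario 7a), and raises where the text says the cloud platform reports an error. The names `plan_orchestration`, `NetworkAssets` and `OrchestrationError` and the sample addresses are assumptions of this example; it also goes slightly beyond the text by rejecting malformed addresses such as 20.20.20 instead of steering them.

```python
"""Per-IP steering decision derived from the security service chain.

Added example: encodes the scenario rules (host assets need and use only the
cloud firewall; website traffic follows the chain order; firewall-before-WAF
extends the host assets to cover every website IP).
"""
import ipaddress
from dataclasses import dataclass, field

NGFW = "next-generation cloud firewall"
WAF = "cloud WAF"


class OrchestrationError(ValueError):
    """Raised where the text says the cloud platform reports an error."""


@dataclass
class NetworkAssets:
    host_ips: set = field(default_factory=set)     # host assets
    website_ips: set = field(default_factory=set)  # website assets


def _normalised(ips):
    # ip_address() raises ValueError for malformed input such as "20.20.20".
    return {str(ipaddress.ip_address(ip)) for ip in ips}


def plan_orchestration(chain, assets):
    """Return (plan, created_hosts).

    chain: components in preset-position order, e.g. [NGFW, WAF]; a third-party
           gateway component may appear as any other string.
    plan:  {ip: {"host": [...], "website": [...]}}, each list being the order
           in which that traffic traverses components before the asset.
    """
    if len(set(chain)) != len(chain):
        raise OrchestrationError("a security component is placed twice")
    hosts = _normalised(assets.host_ips)
    sites = _normalised(assets.website_ips)
    if not hosts and not sites:
        raise OrchestrationError("no network assets associated with the chain")
    if hosts and NGFW not in chain:  # scenarios 2 and 9
        raise OrchestrationError("Host assets exist, lacking the protection of "
                                 "next generation cloud firewalls")
    if not chain:
        raise OrchestrationError("the security service chain holds no component")

    created = set()
    if (sites and NGFW in chain and WAF in chain
            and chain.index(NGFW) < chain.index(WAF)):
        # scenario 7a: host assets must cover every website IP
        created = sites - hosts
        hosts = hosts | created

    plan = {}
    for ip in hosts:
        # scenarios 1, 3, 7, 8: host traffic passes the cloud firewall only
        plan.setdefault(ip, {})["host"] = [NGFW]
    for ip in sites:
        # scenarios 4-8: website traffic follows the chain positions
        plan.setdefault(ip, {})["website"] = list(chain)
    return plan, created


if __name__ == "__main__":
    plan, created = plan_orchestration(
        [NGFW, WAF],
        NetworkAssets({"10.10.10.10", "20.20.20.20"},
                      {"10.10.10.10", "30.30.30.30"}))
    for ip, paths in sorted(plan.items()):
        print(ip, paths)
    print("host assets created:", created)  # {'30.30.30.30'}
```

The one-chain-per-asset restriction in the text is not modelled here; a caller would enforce it by refusing to call `plan_orchestration` for an IP already bound to another chain.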
It should be noted that the steps illustrated in the above-described flow diagrams or in the flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flow diagrams, in some cases, the steps illustrated or described may be performed in an order different than here.
The method embodiments provided in the present application may be executed in a terminal, a computer or a similar computing device. Taking the operation on the terminal as an example, fig. 6 is a hardware structure block diagram of the terminal of the network traffic arrangement method according to the embodiment of the present application. As shown in fig. 6, the terminal 60 may include one or more (only one shown in fig. 6) processors 602 (the processor 602 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 604 for storing data, and optionally may also include a transmission device 606 for communication functions and an input-output device 608. It will be understood by those skilled in the art that the structure shown in fig. 6 is only an illustration and is not intended to limit the structure of the terminal. For example, terminal 60 may also include more or fewer components than shown in FIG. 6, or have a different configuration than shown in FIG. 6.
The memory 604 may be used to store a control program, for example, a software program and a module of an application software, such as a control program corresponding to the method for arranging network traffic in the embodiment of the present application, and the processor 602 executes various functional applications and data processing by running the control program stored in the memory 604, so as to implement the method described above. The memory 604 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 604 may further include memory located remotely from the processor 602, which may be connected to the terminal 60 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 606 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the terminal 60. In one example, the transmission device 606 includes a Network Interface Controller (NIC) that can be connected to other network devices through a base station to communicate with the internet. In one example, the transmission device 606 can be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
The present embodiment further provides a device for arranging network traffic, where the device is used to implement the foregoing embodiments and preferred embodiments, and details of the description are omitted for brevity. As used hereinafter, the terms "module," "unit," "subunit," and the like may implement a combination of software and/or hardware for a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 7 is a block diagram of a structure of a device for arranging network traffic according to an embodiment of the present application, and as shown in fig. 7, the device includes a configuration module 71, an acquisition module 72, and a guidance module 73:
the configuration module 71 is configured to configure a drainage parameter on the core switch, and guide the acquired traffic data from the core switch to a secure resource pool of the cloud platform; an obtaining module 72, configured to obtain a preset security service chain and network assets of a user, and determine an arrangement manner of the traffic data according to a sequence of security components in the security service chain and types of the network assets, where the security components correspond to the network assets; and the guiding module 73 is used for guiding the flow data to the network assets through the drainage equipment in the safe resource pool according to the arranging mode.
In this embodiment, the configuration module 71 sets the drainage parameters of the core switch and guides the traffic data in the core switch to the security resource pool of the cloud platform for cleaning, and the route of the traffic data within the security resource pool follows the arrangement mode determined by the acquisition module 72. The embodiment thus achieves automatic arrangement of traffic data, avoids the tedious and error-prone manual network configuration of the related art, and improves the efficiency of network configuration.
The embodiments of the present application are described and illustrated below by means of preferred embodiments.
Fig. 8 is a schematic diagram of a network traffic orchestration device according to a preferred embodiment of the present application. As shown in fig. 8, after the drainage parameters are configured on the core switch, the traffic data in the core switch is guided into the security resource pool of the cloud platform. Inside the security resource pool it first reaches a service switch, which forwards it to a first drainage device and may also forward it to non-gateway and/or non-drainage devices. The traffic data reaching the drainage device can be distributed to a plurality of gateway devices; a second drainage device can be connected behind those gateway devices and in turn to a further plurality of gateway devices, numbered 1 to n, and the flow of the traffic data proceeds back and forth in this way. The gateway device of this embodiment is a security product with cloud firewall or cloud WAF functionality and the drainage device is a router; the drainage device in the security resource pool guides the traffic data according to the preset arrangement mode, so that the traffic data enters a gateway device from the drainage device to be cleaned, leaves the gateway device after cleaning, returns to the drainage device, and reaches the network asset after passing through the gateway devices. Note that the drainage device must support multiple drainage, that is, several security products share the same drainage device, so policy routing must be supported whenever multiple arrangements and sharing of security products occur.
Specifically, the process of configuring the core switch with the flow guide parameters includes the following steps:
step S810, new configuration is established.
The method specifically comprises the following steps:
Step S811, acquire the configuration of the core switch and check whether the configuration already exists, including whether the vlan exists, whether the acl number exists and whether the policy exists. If not, go to step S812; if it does exist, return directly without going to step S812.
Step S812, splice the information related to vlan, trunk, acl and pbr, execute the issuing operation and wait for the returned result, where the acl number is obtained by calling the get Available Acl interface.
Step S813, if the issuing succeeds, save the issued configuration locally; if it fails, roll back the previously issued configuration.
The local files are named 201 and 201_pbr_enable, where 201 denotes the vlan_id. The purpose of the check in step S810 is that the user's core switch may already carry configuration of its own; issuing directly without checking would risk overwriting the user's original configuration. Furthermore, a technician may operate the core switch manually, so configuration in the core switch may have been added or deleted.
Step S820, delete configuration.
The method specifically comprises the following steps: step S821, read the configuration file 201 saved locally; step S822, if the local file exists, issue the delete operation and wait for the core switch to return the result. If the deletion succeeds, delete the local files 201 and 201_pbr_enable; if it fails, keep the local files.
Step S830, disabling the configuration.
The method specifically comprises the following steps: step S831, read the locally saved configuration file; step S832, if the local file exists, issue the delete operation and wait for the core switch to return the result.
Step S840, enable configuration.
The method specifically comprises the following steps: step S841, read the locally saved configuration file 201_pbr_enable; step S842, if the local file exists, issue the enable operation and wait for the core switch to return the result.
In this embodiment, the configuration of the drainage parameters of the core switch is completed through the steps S810 to S840.
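Steps S810 to S840 as a check-before-issue state machine, added here as an example and not the patent's code. The NETCONF session is replaced by an in-memory stand-in for the core switch (its `fail_on` list makes chosen lines fail so rollback can be exercised), the configuration lines are hypothetical and vendor-neutral (real switches have their own syntax for VLAN, trunk, ACL and policy-based routing), and the local record files follow the page's naming, `<vlan_id>` and `<vlan_id>_pbr_enable`. Creation refuses to touch a switch that already carries the VLAN or policy, a push that fails part way is rolled back line by line, and `run_demo` drives the whole lifecycle against constructed switches.

```python
"""Steps S810-S840 as a check-before-issue state machine for one VLAN (added
example, not the patent's code; config lines are hypothetical and vendor-neutral)."""
import json
import os
import tempfile

ACL_NUMBERS = range(3000, 3100)  # assumed pool searched by get_available_acl


class FakeCoreSwitch:
    """In-memory stand-in for the NETCONF-managed core switch."""
    def __init__(self, running=(), fail_on=()):
        self.running, self.fail_on = set(running), set(fail_on)

    def apply(self, lines):
        applied = []
        for line in lines:
            if line in self.fail_on:
                return False, applied  # partial push; the caller rolls back
            self.running.add(line)
            applied.append(line)
        return True, applied

    def remove(self, lines):
        self.running.difference_update(lines)
        return True


class DrainageConfig:
    """Record files follow the page's naming: <vlan_id> and <vlan_id>_pbr_enable."""
    def __init__(self, switch, state_dir, vlan_id, next_hop, trunk_port):
        self.switch, self.vlan_id, self.next_hop, self.port = switch, vlan_id, next_hop, trunk_port
        self.cfg_file = os.path.join(state_dir, str(vlan_id))
        self.pbr_file = os.path.join(state_dir, f"{vlan_id}_pbr_enable")

    def get_available_acl(self):
        used = {l.split()[2] for l in self.switch.running if l.startswith("acl number ")}
        free = [n for n in ACL_NUMBERS if str(n) not in used]
        if not free:
            raise RuntimeError("no free acl number on the core switch")
        return free[0]

    def _lines(self, acl):
        vid, pbr = self.vlan_id, f"pbr{self.vlan_id}"
        base = [f"vlan {vid}", f"interface {self.port} trunk allow vlan {vid}",
                f"acl number {acl}", f"acl {acl} rule permit ip source-vlan {vid}",
                f"policy-based-route {pbr} match acl {acl} next-hop {self.next_hop}"]
        return base, [f"interface vlan {vid} apply policy-based-route {pbr}"]

    def _load(self, path):
        if not os.path.exists(path):
            return None
        with open(path) as f:
            return json.load(f)

    def create(self):                                   # S810
        r = self.switch.running                         # S811: existing vlan/policy is the user's
        if os.path.exists(self.cfg_file) or f"vlan {self.vlan_id}" in r or any(
                l.startswith(f"policy-based-route pbr{self.vlan_id} ") for l in r):
            return "exists"                             # never overwrite it
        base, enable = self._lines(self.get_available_acl())  # S812: splice vlan/trunk/acl/pbr
        ok, applied = self.switch.apply(base + enable)
        if not ok:
            self.switch.remove(applied)                 # S813: roll back the partial push
            return "rolled_back"
        for path, lines in ((self.cfg_file, base + enable), (self.pbr_file, enable)):
            with open(path, "w") as f:
                json.dump(lines, f)                     # S813: keep the local record
        return "created"

    def delete(self):                                   # S820
        lines = self._load(self.cfg_file)
        if lines is None:
            return "no_local_config"
        self.switch.remove(lines)
        for path in (self.cfg_file, self.pbr_file):
            os.remove(path)
        return "deleted"

    def set_pbr(self, on):                              # S830 disable / S840 enable
        lines = self._load(self.pbr_file)               # only the PBR binding is touched
        if lines is None:
            return "no_local_config"
        ok = self.switch.apply(lines)[0] if on else self.switch.remove(lines)
        return ("enabled" if on else "disabled") if ok else "enable_failed"


def run_demo():
    """Drive the lifecycle against constructed switches; returns what was observed."""
    state_dir, port = tempfile.mkdtemp(), "GigabitEthernet1/0/1"
    sw = FakeCoreSwitch(running={"acl number 3000"})      # ACL 3000 already taken
    cfg = DrainageConfig(sw, state_dir, 201, "10.0.201.2", port)
    out = {"acl": cfg.get_available_acl(), "create": cfg.create(),
           "create_again": cfg.create(), "disable": cfg.set_pbr(False)}
    out["pbr_bound"] = "interface vlan 201 apply policy-based-route pbr201" in sw.running
    out.update(enable=cfg.set_pbr(True), delete=cfg.delete(), vlan_left="vlan 201" in sw.running)
    user = FakeCoreSwitch(running={"vlan 202"})           # VLAN 202 is the user's own
    out["user_vlan"] = DrainageConfig(user, state_dir, 202, "10.0.202.2", port).create()
    broken = FakeCoreSwitch(fail_on={"acl number 3000"})  # push fails on its third line
    out["rollback"] = DrainageConfig(broken, state_dir, 203, "10.0.203.2", port).create()
    out["broken_running"] = sorted(broken.running)
    return out


if __name__ == "__main__":
    print(run_demo())
```

The local record is what makes delete, disable and enable safe to repeat: each step refuses to act when no record exists, so the orchestrator never issues a delete for configuration it did not create.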
Furthermore, policy issuing and automatic drainage on the core switch, as well as configuration management of the core switch, are realized through NETCONF, reducing the labour cost of operation and maintenance deployment; the cloud router (vRouter) is introduced and, based on its policy routing function, traffic arrangement across gateway devices such as the cloud firewall and the cloud WAF is achieved. For example, an external host (PC) with IP address 12.12.95.195 accesses a web server with IP address 12.12.15.210 in the cloud platform; when the traffic data is introduced into the security resource pool by the core switch through the policy issued via NETCONF, the traffic data can be led by the vRouter into the cloud firewall and then the cloud WAF according to the user's requirement, and is returned to the web server after processing. Compared with the manual configuration of the related art, this arrangement of the traffic data is more intuitive and, for the user, more efficient and convenient.
Fig. 9 is a schematic diagram of another network traffic orchestration device according to a preferred embodiment of the present application. As shown in fig. 9, after the drainage parameters are configured on the core switch, the traffic data in the core switch is guided to the security resource pool of the cloud platform, where it is guided directly through the service network to a first drainage device and may at the same time be forwarded to non-gateway and non-drainage devices. The traffic data arriving at the drainage device can be distributed to a plurality of gateway devices; a second drainage device can be connected behind those gateway devices and in turn to a further plurality of gateway devices, and so on, so as to realize the flow of the traffic data. The gateway device of this embodiment is a security product with cloud firewall or cloud WAF functionality, and the drainage device may be a router. Because no service switch is deployed in this embodiment, the production cost can be reduced.
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
The present embodiment also provides an electronic device, comprising a memory having a computer program stored therein and a processor configured to run the computer program to perform the steps of any of the method embodiments described above.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
s1, configuring a flow guide parameter on a core switch, and guiding acquired flow data from the core switch to a security resource pool of a cloud platform;
s2, acquiring a preset security service chain and network assets of a user, and determining an arrangement mode of the flow data according to the sequence of security components in the security service chain and the types of the network assets, wherein the security components correspond to the network assets;
and S3, guiding the flow data to the network assets through the flow guiding equipment in the safety resource pool according to an arranging mode.
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
In addition, in combination with the method for arranging network traffic in the foregoing embodiments, the embodiments of the present application may provide a storage medium to implement. The storage medium having stored thereon a computer program; the computer program, when executed by a processor, implements the method of network traffic orchestration of any of the above embodiments.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A method of network traffic orchestration, comprising:
the method comprises the steps that by configuring drainage parameters on a core switch, acquired flow data are guided into a security resource pool of a cloud platform from the core switch;
acquiring a preset security service chain and network assets of a user, and determining an arrangement mode of the flow data according to the sequence of security components in the security service chain and the type of the network assets, wherein the security components correspond to the network assets, the network assets comprise host assets and website assets of the user, and the security components corresponding to the host assets are cloud firewalls;
and guiding the flow data to the network assets through a flow guiding device in the safe resource pool according to the arrangement mode, wherein the flow guiding device is a cloud router.
2. The method of claim 1, wherein obtaining the preset security service chain comprises:
and dragging the security component and the network assets to a preset position on a configuration page to form the security service chain.
3. The method of network traffic orchestration according to claim 1, wherein prior to directing the traffic data to the network assets in the orchestrated manner by a drainage device in the secure resource pool, the method comprises:
acquiring the flow data from the core switch through a service switch of the cloud platform;
and forwarding the flow data to the drainage equipment in the safe resource pool through the service switch.
4. The method of network traffic orchestration according to claim 3, wherein forwarding, by the service switch, the traffic data to a drainage device in the secure resource pool comprises:
and acquiring a preset load balancing rule, and distributing the flow data acquired from the service switch to a plurality of flow guiding devices according to the load balancing rule.
5. The method of network traffic orchestration according to claim 1, wherein prior to directing the traffic data to the network assets in the orchestrated manner by a steering device in the secure resource pool, the method comprises:
acquiring a network topological graph, acquiring the number of the drainage devices according to the load capacity of each gateway device in the network topological graph, and pulling up the number of the drainage devices.
6. The method of network traffic orchestration according to claim 1, wherein directing the traffic data to the network assets in the orchestrated manner by a drainage device in the secure resource pool comprises:
and configuring a policy route for the gateway equipment in the security resource pool, and realizing the next hop connection between the gateway equipment and the drainage equipment through the policy route.
7. The method of network traffic orchestration according to any one of claims 1-6, wherein determining the orchestration of the traffic data according to the order of security components in the security service chain and the type of the network assets comprises:
in the case that the network asset comprises a host asset, if the security component comprises a cloud firewall, the traffic data only passes through the cloud firewall; or,
if the network asset comprises a host asset, the cloud platform reports an error if the security component does not comprise a cloud firewall.
8. The method of network traffic orchestration according to any one of claims 1-6, wherein determining the orchestration of the traffic data according to the order of security components in the security service chain and the type of the network assets comprises:
determining a boot order of the traffic data in the security components based on a positional relationship of the security components in the security service chain in the case that the network assets include website assets, wherein the security components include at least one of a cloud firewall, a cloud WAF, and a third party gateway type security component.
9. A device for arranging network traffic, comprising a configuration module, an acquisition module and a guide module:
the configuration module is used for configuring the drainage parameters on the core switch and guiding the acquired flow data from the core switch to a security resource pool of the cloud platform;
the acquisition module is used for acquiring a preset security service chain and network assets of a user, and determining an arrangement mode of the flow data according to the sequence of security components in the security service chain and the type of the network assets, wherein the security components correspond to the network assets, the network assets comprise host assets and website assets of the user, and the security components corresponding to the host assets are cloud firewalls;
the guiding module is configured to guide the flow data to the network asset according to the arrangement manner through a flow guiding device in the secure resource pool, where the flow guiding device is a cloud router.
10. A storage medium having a computer program stored thereon, wherein the computer program is arranged to perform the method of network traffic orchestration according to any one of claims 1 to 8 when executed.
CN202110142091.2A 2021-02-02 2021-02-02 Method, device and storage medium for arranging network flow Active CN112910705B (en)

Publications (2)

Publication Number Publication Date
CN112910705A CN112910705A (en) 2021-06-04
CN112910705B true CN112910705B (en) 2023-04-07

Family

ID=76121406

CN102480403B (en) Method for providing virtual private network service, device and system
CN105915384A (en) Active configuration method of router
EP3503484A1 (en) Message transmission method, device and network system
CN105812272B (en) Processing method, device and the system of business chain
CN108768861B (en) Method and device for sending service message
CN109756409B (en) Bridge forwarding method
CN110324186A (en) Network collocating method, device, server and computer readable storage medium
WO2022089169A1 (en) Method and apparatus for sending computing routing information, device, and storage medium
CN117097818A (en) Message processing method and related equipment
CN114978563A (en) Method and device for blocking IP address

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant