CN113098851A - Method, device, system, equipment and medium for implementing virtual firewall - Google Patents

Method, device, system, equipment and medium for implementing virtual firewall Download PDF

Info

Publication number
CN113098851A
Authority
CN
China
Prior art keywords
security
network
management server
security policy
filtering module
Legal status
Granted
Application number
CN202110321094.2A
Other languages
Chinese (zh)
Other versions
CN113098851B (en)
Inventor
薛萌
林冠豪
陈国颖
Current Assignee
Guangzhou Huya Technology Co Ltd
Original Assignee
Guangzhou Huya Technology Co Ltd
Legal events
Application filed by Guangzhou Huya Technology Co Ltd
Priority to CN202110321094.2A
Publication of CN113098851A
Application granted
Publication of CN113098851B
Legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/0272 Virtual private networks
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The embodiment of the invention discloses a method, a device, a system, equipment and a medium for realizing a virtual firewall. The method comprises the following steps: acquiring, through a target management process, a security policy matched with the Linux host from a security management server, and issuing the security policy to a network filtering module located in the kernel; executing the corresponding filtering operation according to the security policy through the network filtering module, and reporting the filtering operation to the security management server through the target management process, so that the security management server schedules a network security device according to the filtering operation to provide security monitoring service for the Linux host. With this technical scheme, the manual management cost of the network firewall service is greatly reduced when the number of enterprise servers grows and the network policy of a hybrid cloud scenario is complex, and the emergency response efficiency for security events is improved.

Description

Method, device, system, equipment and medium for implementing virtual firewall
Technical Field
The embodiment of the invention relates to the technical field of networks, in particular to a method, a device, a system, equipment and a medium for realizing a virtual firewall.
Background
In the netfilter framework of the kernel network protocol stack, the Linux system presets HOOK functions at fixed points and provides the matching user-mode tool iptables, so that operation and maintenance personnel can configure different network rules to implement firewall functionality.
Operation and maintenance personnel can use the iptables tool and the syntax shipped with the system directly to configure simple IP filtering rules; at the same time, because netfilter is open, some organizations in the community have built further encapsulations on top of it, which supplement it in usability, automated management and similar aspects.
However, iptables has a high learning cost, and when the number of enterprise servers grows and the network policy of a hybrid cloud scenario becomes complex, it is almost impossible for operation and maintenance personnel to manage configuration rules running to thousands of lines, and to maintain the corresponding policies on thousands of machines, from the command line. Many of the community management tools built to tame this configuration complexity have gone unmaintained for a long time, and adopting them increases management cost. In addition, the iptables tool set can only produce local logs (LOG) and packet marking; its functions are limited and cannot be extended.
Disclosure of Invention
Embodiments of the present invention provide a method, an apparatus, a system, a device, and a medium for implementing a virtual firewall, so as to reduce labor management cost of a network firewall service under the conditions that the number of enterprise servers is increased and a network policy of a hybrid cloud scenario is complex, and improve emergency response efficiency to a security event.
In a first aspect, an embodiment of the present invention provides a method for implementing a virtual firewall, which is applied to a Linux host, and includes:
acquiring a security policy matched with the Linux host in a security management server through a target management process, and issuing the security policy to a network filtering module positioned in a kernel;
and executing corresponding filtering operation according to the security policy through the network filtering module, and reporting the filtering operation to the security management server through the target management process, so that the security management server schedules a network security device according to the filtering operation to provide security monitoring service for the Linux host.
In a second aspect, an embodiment of the present invention further provides an apparatus for implementing a virtual firewall, which is applied to a Linux host, and includes:
the security policy acquisition and issuing module is used for acquiring a security policy matched with the Linux host from a security management server through a target management process and issuing the security policy to a network filtering module positioned in a kernel;
and the security policy execution module is used for executing corresponding filtering operation according to the security policy through the network filtering module and reporting the filtering operation to the security management server through the target management process so that the security management server schedules a network security device according to the filtering operation to provide security monitoring service for the Linux host.
In a third aspect, an embodiment of the present invention further provides a system for implementing a virtual firewall, where the system includes: a security management server, at least one network security device and a plurality of Linux hosts, wherein,
the security management server is used for realizing the uniform arrangement of security policies respectively matched with the plurality of Linux hosts and scheduling the network security device to provide security monitoring service for the Linux hosts according to the filtering operation reported by the Linux hosts;
the Linux host is used for acquiring a matched security policy in the security management server through a target management process, issuing the security policy to a network filtering module positioned in a kernel, executing corresponding filtering operation according to the security policy through the network filtering module, and reporting the filtering operation to the security management server through the target management process;
and the network security device is used for providing security monitoring service for the Linux host under the scheduling of the security management server.
In a fourth aspect, an embodiment of the present invention further provides a computer device, where the computer device includes:
one or more processors;
a memory for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors implement the method for implementing the virtual firewall according to any embodiment.
In a fifth aspect, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for implementing a virtual firewall according to any embodiment.
In the technical scheme provided by the embodiment of the invention, a target management process in the Linux host acquires the matching security policy from the security management server and sends it to a network filtering module located in the kernel for execution. The security management server arranges the security policies of the Linux hosts uniformly, so filtering rules and management functions no longer need to be configured manually and separately on each Linux host; this greatly reduces the manual management cost of the network firewall service when the number of enterprise servers grows and the network policy of a hybrid cloud scenario is complex. The network filtering module reports its filtering operations to the security management server through the target management process, so that the security management server can schedule the network security device to provide security monitoring service for the Linux host; this greatly reduces the discovery time of potential security hazards and thus improves the emergency response efficiency for Linux host security events.
Drawings
Fig. 1 is an architecture diagram of an implementation system of a virtual firewall according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for implementing a virtual firewall according to a second embodiment of the present invention;
fig. 3 is a flowchart of a method for implementing a virtual firewall according to a third embodiment of the present invention;
fig. 4 is a schematic block diagram of an implementation apparatus of a virtual firewall according to a fourth embodiment of the present invention;
fig. 5 is a schematic structural diagram of a computer device according to a fifth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Before discussing exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart may describe the operations (or steps) as a sequential process, many of the operations can be performed in parallel, concurrently or simultaneously. In addition, the order of the operations may be re-arranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figure. The processes may correspond to methods, functions, procedures, subroutines, and the like.
Example one
Fig. 1 is an architecture diagram of an implementation system of a virtual firewall according to an embodiment of the present invention, which is applicable to a case of providing a network firewall service for an enterprise production network in a complex scenario. As shown in fig. 1, the system for implementing a virtual firewall provided in this embodiment includes: the system comprises a security management server 10, at least one network security device 20 (one is shown in figure 1) and a plurality of Linux hosts 30 (two are shown in figure 1).
The security management server 10 is used for realizing the uniform arrangement of the security policies respectively matched with the plurality of Linux hosts 30 and dispatching the network security device 20 to provide security monitoring service for the Linux hosts 30 according to the filtering operation reported by the Linux hosts 30;
the Linux host 30 is configured to acquire a matched security policy in the security management server 10 through a target management process, issue the security policy to a network filtering module located in a kernel, execute a corresponding filtering operation according to the security policy through the network filtering module, and report the filtering operation to the security management server 10 through the target management process;
and the network security device 20 is used for providing security monitoring service for the Linux host 30 under the scheduling of the security management server 10.
The Linux host can be any Linux server in an enterprise production network that needs to be provided with firewall services. The security policies of different Linux hosts in an enterprise production cluster can be the same or different, and can specifically be divided according to the service modules to which the Linux hosts belong: the security policies of a plurality of Linux hosts belonging to the same service module are the same, and the security policies of a plurality of Linux hosts belonging to different service modules are different. For example, according to the different services provided by the Linux hosts, the service modules may include an access service module and a data storage service module, and the security policies of the Linux hosts belonging to the access service module and to the data storage service module are necessarily different. Optionally, the security policy includes at least: a put-through policy, a reject policy, a filter policy, an alarm policy, and the like.
The security policies respectively matched with the plurality of Linux hosts are arranged in the security management server. The matched security policies are centrally and uniformly arranged in the security management server for a plurality of Linux hosts with the same security policy, such as a plurality of Linux hosts belonging to the same service module. The security management server may be implemented by a single computer device, or may be implemented by a cluster formed by a plurality of computer devices. Therefore, the filtering rules and the management functions which originally need to be manually configured on each Linux host by operation and maintenance personnel are centralized to a uniform back end (namely, a safety management server) to be arranged, and the manual management cost is greatly reduced.
The target management process is a process pre-configured in each Linux host to manage the host's firewall service; it runs in user mode. When the Linux host is started, the target management process is started automatically; it registers with the security management server and pulls the security policy belonging to the host through an Application Programming Interface (API). Other host-specific information, such as the machine room where the host is located and the business module to which it belongs, can be pulled at the same time.
The network filtering module is a virtual function module pre-configured in each Linux host to execute the security policy; it runs in kernel mode. After the target management process starts, the network filtering module is loaded and inserted ahead of a specific hook point in the netfilter framework of the host network protocol stack. Optionally, if the network filtering module executes a security policy that filters received data packets, it may be inserted in the netfilter framework of the host network protocol stack before NF_IP_LOCAL_IN; if it executes a security policy that filters sent data packets, it may be inserted before NF_IP_LOCAL_OUT; and if it executes a security policy that filters forwarded data packets, it may be inserted before NF_IP_FORWARD.
The target management process imports the security policies pulled in the security management server into the network filtering module in batch through the netlink channel, for example, the target management process imports the contents of IP, port, black/white list configuration, log, alarm policies and the like acquired in the security management server into the kernel network filtering module in batch through the netlink channel.
The network filtering module then executes the corresponding filtering operation according to the security policy it received, enables the corresponding firewall function, and sends all of its filtering behaviours to the target management process in real time through the netlink channel; the target management process uploads them to the security management server.
If the Linux host corresponds to a private-protocol service, the network filtering module opens traffic to the corresponding port section according to the corresponding security policy; if the Linux host corresponds to an internal service, the network filtering module discards requests from all source IPs that are not internal servers according to the corresponding security policy; and so on. Therefore, according to the different services the Linux hosts in the enterprise production cluster correspond to, the network filtering module in each Linux host executes different filtering behaviours according to different security policies, so that services in the enterprise production cluster are not opened to the outside unnecessarily, and the security of the enterprise production cluster is ensured.
In an optional implementation manner, the Linux host executes, by the network filtering module, a corresponding filtering operation according to the security policy based on a principle of hash matching.
Hash matching refers to converting a fixed-length character string into a hash value for matching. Alternatively, the hash match may be a multiple hash match.
When the network filtering module filters a data packet, it can hash-match information such as the packet's IP (Internet Protocol) address and port against the security policy, and if the match succeeds, execute the corresponding filtering behaviour. The filtering behaviour may include a put-through behaviour, a reject behaviour, a filtering behaviour, an alarm behaviour, and the like.
In the prior art, iptables rules are matched serially, so not only is arranging the rules very cumbersome, but the network performance of the host is also greatly reduced (in testing, network performance dropped by more than 25% with about 2K rules). Compared with the serial chain matching of iptables, the hash matching adopted in this embodiment can greatly improve the operating efficiency of the network filtering function, and thus the performance of the firewall service.
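As an added illustration (not the patent's code) of why hash matching beats the serial chain of iptables, the following Python runs the same packets through a first-match rule chain and through the same policy compiled into hash tables keyed by source IP and destination port, counting the rule checks each needs and recording every filtering behaviour as the event the module would report upstream. The rule format, the lookup order of the "multiple hash match" (exact pair, then IP only, then port only, then default) and the sample policy are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

ACCEPT, DROP, ALARM = "accept", "drop", "alarm"


@dataclass(frozen=True)
class Rule:
    src_ip: Optional[str]      # None matches any source address
    dst_port: Optional[int]    # None matches any destination port
    action: str


@dataclass(frozen=True)
class FilterEvent:            # one filtering behaviour, sent up the netlink channel
    src_ip: str
    dst_port: int
    action: str


def sort_by_specificity(rules):
    """Most specific rules first (stable, so load order breaks ties).  Both
    matchers use this order, which is what makes their decisions identical."""
    return sorted(rules, key=lambda r: -((r.src_ip is not None) + (r.dst_port is not None)))


class SerialChain:
    """iptables-style matching: walk the chain until the first matching rule."""

    def __init__(self, rules, default=DROP):
        self.rules, self.default = list(rules), default
        self.comparisons = 0            # rule checks performed, to compare cost
        self.events: List[FilterEvent] = []

    def decide(self, src_ip, dst_port):
        action = self.default
        for r in self.rules:
            self.comparisons += 1
            if r.src_ip in (None, src_ip) and r.dst_port in (None, dst_port):
                action = r.action
                break
        self.events.append(FilterEvent(src_ip, dst_port, action))
        return action


class HashPolicy:
    """Policy compiled into three hash tables, so a packet costs at most three
    lookups however many rules are loaded.  The lookup order is the "multiple
    hash match": exact (ip, port) key, then ip-only, then port-only, then default."""

    def __init__(self, rules, default=DROP):
        self.exact, self.by_ip, self.by_port = {}, {}, {}
        self.default = default
        self.comparisons = 0
        self.events: List[FilterEvent] = []
        for r in rules:                 # setdefault keeps first-match semantics per key
            if r.src_ip is not None and r.dst_port is not None:
                self.exact.setdefault((r.src_ip, r.dst_port), r.action)
            elif r.src_ip is not None:
                self.by_ip.setdefault(r.src_ip, r.action)
            elif r.dst_port is not None:
                self.by_port.setdefault(r.dst_port, r.action)
            else:
                raise ValueError("catch-all rules go in the default argument")

    def decide(self, src_ip, dst_port):
        action = self.default
        for table, key in ((self.exact, (src_ip, dst_port)),
                           (self.by_ip, src_ip), (self.by_port, dst_port)):
            self.comparisons += 1
            if key in table:
                action = table[key]
                break
        self.events.append(FilterEvent(src_ip, dst_port, action))
        return action


def sample_policy():
    """Constructed policy for a host in a private-protocol service module: one
    internal address may reach SSH, the 30000-30009 port section is put through,
    probes of 3306 raise an alarm, and everything else is rejected by default."""
    rules = [Rule("10.0.0.5", 22, ACCEPT)]
    rules += [Rule(None, port, ACCEPT) for port in range(30000, 30010)]
    rules.append(Rule(None, 3306, ALARM))
    return rules


# Constructed packets as (source IP, destination port).
SAMPLE_PACKETS = [("10.0.0.5", 22), ("203.0.113.9", 22), ("203.0.113.9", 30004),
                  ("198.51.100.7", 3306), ("198.51.100.7", 8080)]


def run_both(packets=SAMPLE_PACKETS):
    """Run the same packets through both matchers; return the paired decisions,
    the rule checks each matcher needed, and the hash matcher's event log."""
    rules = sort_by_specificity(sample_policy())
    serial, hashed = SerialChain(rules), HashPolicy(rules)
    decisions = [(serial.decide(ip, p), hashed.decide(ip, p)) for ip, p in packets]
    return decisions, serial.comparisons, hashed.comparisons, hashed.events
```

With the twelve-rule sample policy the serial chain performs 43 rule checks for the five packets while the hash tables need 13, and the gap grows linearly with the rule count.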
When the security management server receives the filtering operation reported by the Linux host, it can link directly to other security management servers to provide security monitoring service for the Linux host; whether the Linux host has a potential security hazard is then judged through the security management server, which greatly reduces the time to discover potential security hazards on the Linux host and improves emergency response efficiency.
Optionally, the security management server may determine the filtering operation when receiving the filtering operation reported by the Linux host, and if the filtering operation meets a preset specific condition, link to another security management server to provide a security monitoring service for the Linux host. For example, if the filtering operation reported by the Linux host includes that the data packet is discarded by the network filtering module, the filtering operation is directly linked to other security management servers to provide security monitoring service for the Linux host.
The security management server may be an existing operation and maintenance system of an enterprise, such as a monitoring system, an alarm system, and the like, and may also be a third-party monitoring program.
As an alternative embodiment, the network security device may be a security vulnerability scanner.
And when the security management server judges that the filtering operation reported by the Linux host meets the preset specific condition, scheduling the security vulnerability scanner to externally scan the security vulnerability of the Linux host. And the security vulnerability scanner scans the security vulnerability of the Linux host under the scheduling of the security management server and feeds back the scanning result to the security management server. If the security vulnerability scanner scans that the security risk exists in the Linux host, the security management server can immediately send the security vulnerability to operation and maintenance personnel for processing in an alarm mode, so that the danger and the vulnerability of the Linux host can be found in real time.
Further, when the Linux host reports the filtering operation to the security management server through the target management process by the network filtering module, the Linux host may also report information to be monitored for security to the security management server through the target management process by the network filtering module, so that the security management server schedules a network security device to provide security monitoring service for the Linux host according to the information to be monitored for security.
The information to be monitored for security refers to information which is determined by the Linux host side and needs to be monitored for security, and specifically may be information which is determined by the network filtering module and needs to be monitored for security, for example, information such as a host IP, a process, a port, and the like.
The network filtering module can determine the information to be monitored for security when executing the corresponding filtering behaviour according to the security policy, and then report it to the security management server through the target management process. The security management server can send the information to be monitored to the network security device for security monitoring, which improves the accuracy of the security monitoring service the network security device provides and avoids unnecessary waste of performance.
Taking a security vulnerability scanner as the network security device as an example: when the network filtering module executes the corresponding filtering behaviours according to a security policy, some ports are opened and others are closed. The network filtering module can then report the opened ports to the security management server, through the target management process, as the information to be monitored, so that potential security hazards caused by the exposure of newly added services are avoided. The closed ports need no security monitoring. Therefore, after receiving the information to be monitored (that is, the opened ports) reported by the network filtering module, the security management server can schedule the security vulnerability scanner to scan those ports for security vulnerabilities, and the scanner does not need to scan the closed ports; unnecessary scanner operations are thus avoided, the accuracy of the vulnerability scan is improved, and performance is not wasted.
Further, the Linux host is further configured to control the network filtering module to discard the security policy when the target management process determines that the security policy is abnormal.
The target management process detects the security policy executed by the network filtering module according to a preset standard, if the security policy is abnormal, the security policy may be abnormal due to an unknown error, for example, the configuration of the security policy is incomplete or the interception amount of a data packet is suddenly increased, and the target management process may control the network filtering module to discard the security policy and send an alarm in time to notify operation and maintenance personnel to perform fault processing.
As an optional implementation manner, after the Linux host issues the security policy to the network filtering module located in the kernel through the target management process, the Linux host may further include:
and sending a query request to the security management server at regular time through the target management process, acquiring the security policy change when querying that the security management server has the security policy change matched with the Linux host, and sending the security policy change to the network filtering module.
When hosts are added to or deleted from the enterprise production cluster where the Linux host is located, so that the IP distribution of the hosts changes, or when the service module to which the Linux host belongs changes (for example, a host moves from the access service module to the data storage service module), the security policy of the Linux host needs to be changed. At this time, the security policy of the Linux host needs to be adjusted in time to ensure the security of the enterprise production cluster.
In the present embodiment, the target management process sends a query request to the security management server at regular intervals, for example every few seconds or every few tens of seconds, asking whether there is a security policy change matching the local host. The security policy change may include a security policy addition and a security policy modification. After the target management process finds a security policy change matching the local host in the security management server, it transmits the change to the network filtering module; the network filtering module executes the corresponding filtering operation by combining the change with the original security policy, and reports the filtering operation to the security management server in real time through the target management process.
In the technical scheme, when the security policy is changed, the security management server uniformly arranges the security policy and then sends the security policy to each Linux host, and the security policy does not need to be adjusted separately for the Linux hosts, so that the manual management cost is greatly reduced.
Under the condition that a network filtering module executes security policy change, when the Linux host reports the filtering operation to the security management server through the network filtering module via the target management process, the Linux host can also report information to be monitored for security to the security management server through the network filtering module via the target management process, so that the security management server schedules a network security device to provide security monitoring service for the Linux host according to the information to be monitored for security, for example, a security vulnerability scanner is scheduled to scan security vulnerabilities of the Linux host.
Whatever the operation, when the security policy on the network filtering module changes, it means that the enterprise production cluster where the Linux host is located has newly exposed services, and there may be a potential security hazard. At this time, the management process may actively upload the information to be monitored, as determined by the network filtering module, to the security management server, such as the host IP, processes and ports. The security management server schedules the security vulnerability scanner to scan the corresponding Linux host from the outside and confirm whether the newly exposed service is reasonable, and the scanner feeds the scanning result back to the security management server. Furthermore, when the exposed service has a security problem, the security management server can send the problem to operation and maintenance personnel as an alarm for processing.
The system can therefore link directly to network security devices such as alarm and scanning for security events in the cluster, such as unexpected external exposure, which greatly reduces the discovery time of potential security hazards and improves emergency response efficiency.
Further, the Linux host is also configured, when the target management process determines that the security policy change is abnormal, to instruct the network filtering module to discard the security policy change.
The target management process checks the security policy change executed by the network filtering module against preset criteria. If the change is abnormal, which may be caused by an unknown error, for example an incomplete change configuration or a sudden rise in the number of intercepted packets, the target management process may instruct the network filtering module to discard the change and promptly raise an alarm so that operations and maintenance staff can handle the fault.
In the scheme provided by this embodiment of the invention, a target management process in the Linux host obtains the matching security policy from a security management server and passes it to a network filtering module in the kernel for execution. The security management server arranges the security policies of the Linux hosts centrally, so filtering rules and management functions do not need to be configured manually and separately on each Linux host; this greatly reduces the manual management cost of a network firewall service as the number of enterprise servers grows and the network policy of a hybrid cloud scenario becomes complex. The network filtering module reports its filtering operations to the security management server via the target management process, so the security management server can schedule a network security device to provide a security monitoring service for the Linux host, which greatly shortens the time needed to discover security risks and improves the emergency response efficiency for Linux host security events.
The scheme provides a high-performance, flexible and linkable network firewall management service for an enterprise production network in a complex scenario: thousands of rules are arranged automatically and centrally by the security management server rather than through the native iptables tool on each Linux host. Moreover, any security policy on a Linux host can be linked in real time with the security monitoring service, so that threat (security vulnerability) discovery is driven in real time.
Example two
Fig. 2 is a flowchart of a method for implementing a virtual firewall according to a second embodiment of the present invention. This embodiment applies where a network firewall service is to be provided for an enterprise production network in a complex scenario. The method can be executed by the apparatus for implementing a virtual firewall of any embodiment of the present invention, which may be composed of hardware and/or software and is generally integrated in a computer device such as a Linux host.
As shown in Fig. 2, the method of this embodiment is applied to a Linux host and includes the following steps:
S210: obtain, through a target management process, the security policy matching the Linux host from a security management server, and issue the security policy to a network filtering module located in the kernel.
The target management process is a user-mode process pre-configured on each Linux host to manage the host firewall service. When the Linux host starts, the target management process is started automatically, registers with the security management server, pulls the security policy belonging to this host through an API, and may also pull other host-specific information such as the machine room the host is located in and the business module it belongs to. The security policy includes at least: allow policies, reject policies, filtering policies, alarm policies, and so on.
The network filtering module is a kernel-mode virtual function module pre-configured on each Linux host to execute the security policy. After the target management process starts, it loads the network filtering module, which registers itself ahead of a specific hook point in the netfilter framework of the host network protocol stack.
The target management process imports the security policies pulled from the security management server into the network filtering module in batch through a netlink channel; for example, it imports the IP addresses, ports, black/white-list configuration, and log and alarm policies obtained from the security management server into the kernel network filtering module in batch over that channel.
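The batch import over the netlink channel, as an added example that is not code from the patent: a user-space C model of how the management process frames a batch of rules in netlink message form (a 16-byte header with the same field order as struct nlmsghdr, payload padded to 4 bytes) and of the length and content checks the receiving kernel side must make before using the payload. The message type MSG_RULE_BATCH and the fixed-size rule record are assumptions; the sample rules are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not the patent's code: a user-space model of the batch
 * import over the netlink channel. The header layout and 4-byte alignment
 * follow the netlink wire format (struct nlmsghdr is 16 bytes); the message
 * type MSG_RULE_BATCH and the fixed-size rule record are assumptions. */

#define NLMSG_ALIGNTO 4u
#define NLMSG_ALIGN(len) (((len) + NLMSG_ALIGNTO - 1u) & ~((size_t)NLMSG_ALIGNTO - 1u))
#define NLMSG_HDRLEN 16u
#define MSG_RULE_BATCH 0x10u          /* assumed private type, above NLMSG_MIN_TYPE */

struct nlhdr {                        /* same field order and size as struct nlmsghdr */
    uint32_t nlmsg_len;               /* header plus payload, in bytes */
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};

struct rule_rec {                     /* assumed 8-byte record, no padding */
    uint32_t addr;                    /* IPv4 address, 0 = any */
    uint16_t dport;
    uint8_t  proto;
    uint8_t  verdict;                 /* 1 = accept, 2 = drop */
};

/* Management-process side: pack n rules into one message. Returns the
 * number of bytes written, or 0 if the buffer cannot hold the message. */
size_t pack_rule_batch(const struct rule_rec *rules, size_t n, uint32_t seq,
                       uint8_t *buf, size_t cap) {
    size_t payload = n * sizeof(struct rule_rec);
    size_t total = NLMSG_ALIGN(NLMSG_HDRLEN + payload);
    if (total > cap) return 0;
    struct nlhdr h = { (uint32_t)(NLMSG_HDRLEN + payload), MSG_RULE_BATCH, 0, seq, 0 };
    memset(buf, 0, total);
    memcpy(buf, &h, sizeof h);
    memcpy(buf + NLMSG_HDRLEN, rules, payload);
    return total;
}

/* Kernel-module side: validate lengths and contents before applying the
 * payload; a header that claims more bytes than were delivered, a partial
 * record, or an unknown verdict is rejected. A real module would also
 * check the sender's capability (CAP_NET_ADMIN or equivalent) so that only
 * the management process can rewrite the policy. Returns the number of
 * rules copied into out, or -1 for a malformed message. */
int unpack_rule_batch(const uint8_t *buf, size_t len,
                      struct rule_rec *out, size_t cap) {
    struct nlhdr h;
    if (len < NLMSG_HDRLEN) return -1;
    memcpy(&h, buf, sizeof h);
    if (h.nlmsg_len < NLMSG_HDRLEN || h.nlmsg_len > len) return -1;
    if (h.nlmsg_type != MSG_RULE_BATCH) return -1;
    size_t payload = h.nlmsg_len - NLMSG_HDRLEN;
    if (payload % sizeof(struct rule_rec) != 0) return -1;
    size_t n = payload / sizeof(struct rule_rec);
    if (n > cap) return -1;
    memcpy(out, buf + NLMSG_HDRLEN, payload);
    for (size_t i = 0; i < n; i++)
        if (out[i].verdict != 1 && out[i].verdict != 2) return -1;
    return (int)n;
}

/* Constructed sample policy and scenario runners. */
static const struct rule_rec sample_rules[2] = {
    { 0x0A000001u, 22, 6, 1 },        /* 10.0.0.1 tcp/22 accept */
    { 0u, 443, 6, 2 },                /* any tcp/443 drop */
};

int scenario_roundtrip(void) {        /* pack, then unpack as the kernel would */
    uint8_t buf[64]; struct rule_rec out[4];
    size_t len = pack_rule_batch(sample_rules, 2, 1, buf, sizeof buf);
    if (len != 32) return -1;         /* 16-byte header + 2 x 8-byte records */
    int n = unpack_rule_batch(buf, len, out, 4);
    return (n == 2 && out[1].dport == 443 && out[1].verdict == 2) ? n : -1;
}

int scenario_truncated(void) {        /* header claims 32 bytes, only 27 delivered */
    uint8_t buf[64]; struct rule_rec out[4];
    size_t len = pack_rule_batch(sample_rules, 2, 2, buf, sizeof buf);
    return unpack_rule_batch(buf, len - 5, out, 4);
}

int scenario_bad_verdict(void) {      /* verdict 9 is neither accept nor drop */
    struct rule_rec bad[1] = { { 0u, 80, 6, 9 } };
    uint8_t buf[64]; struct rule_rec out[4];
    size_t len = pack_rule_batch(bad, 1, 3, buf, sizeof buf);
    return unpack_rule_batch(buf, len, out, 4);
}

int scenario_small_buffer(void) {     /* a 20-byte buffer cannot hold 32 bytes */
    uint8_t buf[20];
    return (int)pack_rule_batch(sample_rules, 2, 4, buf, sizeof buf);
}
```

The point a practitioner should take from the receiving side is that the channel into the kernel module is a privilege boundary: the module must trust neither the claimed length nor the record contents, and it must restrict which user-space process may write to the channel, otherwise any local process could rewrite the host firewall.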
S220: execute, through the network filtering module, the filtering operation corresponding to the security policy, and report the filtering operation to the security management server via the target management process, so that the security management server schedules a network security device according to the filtering operation to provide a security monitoring service for the Linux host.
The network filtering module executes the filtering operation corresponding to the security policy it received, thereby enabling the corresponding firewall function. All filtering behaviour of the network filtering module can be sent in real time to the target management process through the netlink channel and uploaded by the target management process to the security management server.
Optionally, the network filtering module executes the filtering operation corresponding to the security policy by hash matching.
Compared with the serial chain matching of iptables, hash matching greatly improves the operating efficiency of the network filtering function and hence the performance of the firewall service.
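The difference between serial chain matching and hash matching, as an added example not taken from the patent: a user-space C model in which the same rules are loaded into an ordered chain (first match wins, as in an iptables chain) and into an open-addressing hash table keyed on (protocol, destination port), with a counter of how many rules each lookup examines. The key, the table size, the mixing function and the default-deny verdict are assumptions.

```c
#include <stdint.h>

/* Added example, not the patent's module: a user-space model of the two
 * lookup strategies. The serial chain walks rules in order, as an iptables
 * chain does; the hash table keys rules on (protocol, destination port).
 * The key, table size and default-deny policy are assumptions. */

enum verdict { V_ACCEPT = 1, V_DROP = 2 };

struct rule { uint8_t proto; uint16_t dport; uint8_t verdict; uint8_t used; };

#define TABLE_SIZE 4096u              /* power of two: index = hash & (size - 1) */
static struct rule table[TABLE_SIZE]; /* hash-indexed, open addressing, no deletion */
static struct rule chain[TABLE_SIZE]; /* ordered list, first match wins */
static unsigned chain_len;
static unsigned long chain_steps, hash_steps;  /* rules examined by lookups */

static unsigned hash_key(uint8_t proto, uint16_t dport) {
    uint32_t h = ((uint32_t)proto << 16) | dport;
    h ^= h >> 16; h *= 0x7feb352dU;           /* integer mixer, spreads nearby ports */
    h ^= h >> 15; h *= 0x846ca68bU;
    h ^= h >> 16;
    return h & (TABLE_SIZE - 1);
}

/* Load one rule into both structures. A hash table holds one rule per key,
 * so a policy with two rules for the same (proto, port) must be resolved by
 * the management process before import; here the later rule overwrites. */
int add_rule(uint8_t proto, uint16_t dport, uint8_t verdict) {
    if (chain_len >= TABLE_SIZE) return -1;
    struct rule r = { proto, dport, verdict, 1 };
    chain[chain_len++] = r;
    unsigned i = hash_key(proto, dport);
    for (unsigned n = 0; n < TABLE_SIZE; n++, i = (i + 1) & (TABLE_SIZE - 1)) {
        if (!table[i].used || (table[i].proto == proto && table[i].dport == dport)) {
            table[i] = r;
            return 0;
        }
    }
    return -1;                                /* table full */
}

/* Serial chain: every rule before the match is examined. */
int match_chain(uint8_t proto, uint16_t dport) {
    for (unsigned i = 0; i < chain_len; i++) {
        chain_steps++;
        if (chain[i].proto == proto && chain[i].dport == dport) return chain[i].verdict;
    }
    return V_DROP;                            /* assumed default policy: deny */
}

/* Hash lookup: only the probe run starting at the key's slot is examined. */
int match_hash(uint8_t proto, uint16_t dport) {
    unsigned i = hash_key(proto, dport);
    for (unsigned n = 0; n < TABLE_SIZE; n++, i = (i + 1) & (TABLE_SIZE - 1)) {
        hash_steps++;
        if (!table[i].used) break;            /* empty slot ends the probe run */
        if (table[i].proto == proto && table[i].dport == dport) return table[i].verdict;
    }
    return V_DROP;
}

void reset_counters(void) { chain_steps = hash_steps = 0; }
unsigned long steps_chain(void) { return chain_steps; }
unsigned long steps_hash(void) { return hash_steps; }

/* Constructed sample policy: ssh allowed, a block of 1000 ports denied,
 * then one more allowed port at the end of the chain. Returns rules loaded. */
int load_sample_policy(void) {
    int loaded = 0;
    if (add_rule(6, 22, V_ACCEPT) == 0) loaded++;
    for (unsigned p = 1000; p < 2000; p++)
        if (add_rule(6, (uint16_t)p, V_DROP) == 0) loaded++;
    if (add_rule(6, 8080, V_ACCEPT) == 0) loaded++;
    return loaded;
}
```

With the sample policy loaded, a lookup for tcp/8080 walks all 1002 chain entries but only the short probe run in the hash table, and both return the same verdict. Two caveats for anyone building this: the table stores one rule per key, so rule ordering semantics of a chain are lost and conflicts must be resolved before import, and open addressing without tombstones cannot delete; since the patent imports policy in batch, rebuilding the table on each change is the natural way to handle removals.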
When the security management server receives the filtering operation reported by the Linux host, it can link directly to a network security device to provide a security monitoring service for the Linux host; the network security device judges whether the Linux host has a security risk, which greatly shortens the time needed to discover such risks and improves emergency response efficiency.
Optionally, on receiving the filtering operation reported by the Linux host, the security management server may examine it and, if it meets a preset condition, link to a network security device to provide a security monitoring service for the Linux host. For example, if the reported filtering operation shows that a packet was discarded by the network filtering module, the server links directly to a network security device to provide the service.
The network security device may be an existing operations and maintenance system of the enterprise, such as a monitoring system or an alarm system, or a third-party monitoring program.
As an alternative embodiment, the network security device may be a security vulnerability scanner.
When the security management server judges that the filtering operation reported by the Linux host meets the preset condition, it schedules the security vulnerability scanner to scan the Linux host for vulnerabilities from the outside. The scanner performs the scan under the scheduling of the security management server and feeds the result back to it. If the scan finds a security risk on the Linux host, the security management server can immediately raise an alarm and hand the vulnerability to operations and maintenance staff for handling, so that threats and vulnerabilities on the Linux host are discovered in real time.
As an optional implementation, when the network filtering module reports the filtering operation to the security management server via the target management process, it may also report information to be monitored for security through the target management process, so that the security management server schedules a network security device to provide a security monitoring service for the Linux host according to that information.
The information to be monitored for security is information determined on the Linux host side, specifically by the network filtering module, as needing security monitoring, for example the host IP, the process and the port.
Taking a security vulnerability scanner as the network security device: when the network filtering module executes the filtering behaviour corresponding to a security policy, some ports are opened and others closed. The opened ports can be reported by the network filtering module, via the target management process, to the security management server as information to be monitored, so that a newly exposed service does not become an unnoticed security risk; ports that were closed need no security monitoring. After receiving the information to be monitored (that is, the list of opened ports), the security management server schedules the security vulnerability scanner to scan those ports for vulnerabilities and not the closed ones, which avoids unnecessary work by the scanner, improves the accuracy of the vulnerability scan, and avoids wasted performance.
Optionally, when the target management process determines that the security policy is abnormal, it may instruct the network filtering module to discard the security policy and promptly raise an alarm so that operations and maintenance staff can handle the fault.
For the parts of this embodiment not explained in detail, reference is made to the foregoing embodiments, which are not repeated here.
In the scheme provided by this embodiment of the invention, a target management process in the Linux host obtains the matching security policy from a security management server and passes it to a network filtering module in the kernel for execution. The security management server arranges the security policies of the Linux hosts centrally, so filtering rules and management functions do not need to be configured manually and separately on each Linux host; this greatly reduces the manual management cost of a network firewall service as the number of enterprise servers grows and the network policy of a hybrid cloud scenario becomes complex. The network filtering module reports its filtering operations to the security management server via the target management process, so the security management server can schedule a network security device to provide a security monitoring service for the Linux host, which greatly shortens the time needed to discover security risks and improves the emergency response efficiency for Linux host security events.
Example three
Fig. 3 is a flowchart of a method for implementing a virtual firewall according to a third embodiment of the present invention, which builds on the foregoing embodiment. After the target management process issues the security policy to the network filtering module located in the kernel, the method further includes:
sending a query request to the security management server at regular intervals through the target management process and, when the query finds that the security management server holds a security policy change matching the Linux host, obtaining the change and sending it to the network filtering module.
As shown in Fig. 3, the method of this embodiment is applied to a Linux host and includes the following steps:
S310: obtain, through the target management process, the security policy matching the Linux host from the security management server, and issue it to the network filtering module located in the kernel.
S320: send a query request to the security management server at regular intervals through the target management process and, when the query finds a security policy change matching the Linux host, obtain the change and send it to the network filtering module.
The target management process periodically sends a query request to the security management server asking whether there is a security policy change matching this host. A security policy change may be an added security policy or a modified one. Once the target management process finds a matching change on the security management server, it passes the change to the network filtering module, which executes the corresponding filtering operation by combining the change with the original security policy and reports the filtering operation to the security management server in real time via the target management process.
In this scheme, when a security policy changes, the security management server arranges the change centrally and then pushes it to each Linux host; the policy does not have to be adjusted on each Linux host separately, which greatly reduces the manual management cost.
S330: execute, through the network filtering module, the filtering operation corresponding to the security policy and/or the security policy change, and report the filtering operation to the security management server via the target management process, so that the security management server schedules a network security device according to the filtering operation to provide a security monitoring service for the Linux host.
Optionally, when the target management process determines that the security policy or the security policy change is abnormal, it instructs the network filtering module to discard the corresponding security policy or change and promptly raises an alarm so that operations and maintenance staff can handle the fault.
In an optional implementation, when the network filtering module executes a security policy change, the Linux host, while reporting the filtering operation to the security management server via the network filtering module and the target management process, may also report information to be monitored for security over the same path, so that the security management server can schedule the network security device to provide a security monitoring service for the Linux host according to that information, for example by scheduling a security vulnerability scanner to scan the Linux host for vulnerabilities.
In either case, a change to the security policy on the network filtering module means that the enterprise production cluster in which the Linux host sits now exposes newly added services, which may carry a security risk. At that point the management process may actively upload the information to be monitored for security, as determined by the network filtering module, to the security management server, such as the host IP, the process and the port. The security management server then schedules the security vulnerability scanner to scan the corresponding Linux host from the outside and confirm whether the newly exposed service is legitimate, and the scanner feeds the result back to the security management server. If the exposed service has a security problem, the security management server can raise an alarm and hand the problem to operations and maintenance staff for handling.
The system can therefore link directly to network security devices such as alarming and scanning for security events such as sudden external exposure in the cluster, greatly shortening the time needed to discover a security risk and improving the efficiency of emergency response.
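The handling of a security policy change on the host side, as an added example that is not code from the patent and serves both the abnormal-change check described in the first and third embodiments and the reporting of newly opened ports described in the second: a user-space C model of what the management process checks before handing a change to the kernel filter (an incomplete change is refused), what it watches afterwards (a jump in dropped packets rolls the change back and alarms), and which (protocol, port) pairs it reports for external scanning (only those that were not reachable before; ports closed by the change are not reported). The record layout, the spike threshold, the default-deny assumption and the sample policies are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not code from the patent: checks the management process
 * can apply around a policy change and the items it reports for scanning.
 * Record layout, thresholds and the default-deny assumption are ours. */

enum verdict { V_UNSET = 0, V_ACCEPT = 1, V_DROP = 2 };
enum change_result { CHANGE_APPLIED = 0, CHANGE_REJECTED_INCOMPLETE = 1,
                     CHANGE_ROLLED_BACK_DROP_SPIKE = 2 };

struct rule { uint8_t proto; uint16_t dport; uint8_t verdict; };

/* Check 1: an incomplete change (missing protocol, port or verdict) is
 * refused before it reaches the kernel. */
int policy_change_is_complete(const struct rule *r, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (r[i].proto == 0 || r[i].dport == 0) return 0;
        if (r[i].verdict != V_ACCEPT && r[i].verdict != V_DROP) return 0;
    }
    return 1;
}

/* Check 2: drops per interval after the change against the interval before
 * it; more than `factor` times the baseline is treated as a bad rule. The
 * absolute floor avoids alarming on a near-zero baseline. */
int drop_spike(uint64_t baseline_drops, uint64_t drops_after, unsigned factor) {
    if (baseline_drops < 10) return drops_after > 1000;
    return drops_after > baseline_drops * factor;
}

static int verdict_for(const struct rule *r, size_t n, uint8_t proto, uint16_t dport) {
    for (size_t i = 0; i < n; i++)
        if (r[i].proto == proto && r[i].dport == dport) return r[i].verdict;
    return V_DROP;                         /* assumed default policy: deny */
}

/* Diff: (proto, port) pairs that were not reachable under cur and are
 * reachable under nxt. Only these are reported as information to be
 * monitored; ports closed by the change need no scan. Returns the number
 * found; at most cap entries are written to out. */
size_t newly_opened(const struct rule *cur, size_t n_cur,
                    const struct rule *nxt, size_t n_nxt,
                    struct rule *out, size_t cap) {
    size_t k = 0;
    for (size_t i = 0; i < n_nxt; i++) {
        if (nxt[i].verdict != V_ACCEPT) continue;
        if (verdict_for(cur, n_cur, nxt[i].proto, nxt[i].dport) == V_ACCEPT) continue;
        if (k < cap) out[k] = nxt[i];
        k++;
    }
    return k;
}

/* Whole sequence: validate, push the change (the netlink import is outside
 * this model), watch the drop counter for one interval, then report. */
enum change_result handle_policy_change(const struct rule *cur, size_t n_cur,
                                        const struct rule *nxt, size_t n_nxt,
                                        uint64_t baseline_drops, uint64_t drops_after,
                                        struct rule *report, size_t cap, size_t *n_report) {
    *n_report = 0;
    if (!policy_change_is_complete(nxt, n_nxt)) return CHANGE_REJECTED_INCOMPLETE;
    if (drop_spike(baseline_drops, drops_after, 10))
        return CHANGE_ROLLED_BACK_DROP_SPIKE;  /* restore cur and raise an alarm */
    *n_report = newly_opened(cur, n_cur, nxt, n_nxt, report, cap);
    return CHANGE_APPLIED;
}

/* Constructed sample policies: the change closes tcp/80 and opens tcp/8443
 * and udp/53; tcp/22 stays open and tcp/3306 stays closed. */
static const struct rule old_policy[] = { {6, 22, V_ACCEPT}, {6, 80, V_ACCEPT}, {6, 3306, V_DROP} };
static const struct rule new_policy[] = { {6, 22, V_ACCEPT}, {6, 80, V_DROP}, {6, 8443, V_ACCEPT},
                                          {17, 53, V_ACCEPT}, {6, 3306, V_DROP} };
static const struct rule bad_policy[] = { {6, 0, V_ACCEPT} };   /* port missing */

int sample_change(uint64_t drops_after) {      /* result code for the sample change */
    struct rule report[8]; size_t n;
    return (int)handle_policy_change(old_policy, 3, new_policy, 5, 100, drops_after, report, 8, &n);
}

int sample_bad_change(void) {
    struct rule report[8]; size_t n;
    return (int)handle_policy_change(old_policy, 3, bad_policy, 1, 100, 100, report, 8, &n);
}

int sample_report_count(void) {                /* how many ports get reported */
    struct rule report[8]; size_t n;
    handle_policy_change(old_policy, 3, new_policy, 5, 100, 120, report, 8, &n);
    return (int)n;
}

int sample_first_reported_port(void) {
    struct rule report[8]; size_t n;
    if (handle_policy_change(old_policy, 3, new_policy, 5, 100, 120, report, 8, &n) != CHANGE_APPLIED || n == 0)
        return -1;
    return report[0].dport;
}
```

For the sample change the report contains tcp/8443 and udp/53 only: tcp/22 was already reachable, tcp/80 was closed, tcp/3306 was never open. A practitioner would key the diff on whatever the policy actually matches on (address, protocol and port here) and would treat the drop-rate window as a separate, asynchronous check in a real daemon rather than a single call.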
For the parts of this embodiment not explained in detail, reference is made to the foregoing embodiments, which are not repeated here.
The scheme provides a high-performance, flexible and linkable network firewall management service for an enterprise production network in a complex scenario: thousands of rules are arranged automatically and centrally by the security management server rather than through the native iptables tool on each Linux host. Moreover, any security policy on a Linux host can be linked in real time with the security monitoring service, so that threat (security vulnerability) discovery is driven in real time.
Example four
Fig. 4 is a schematic block diagram of an apparatus for implementing a virtual firewall according to a fourth embodiment of the present invention. This embodiment applies where a network firewall service is to be provided for an enterprise production network in a complex scenario; the apparatus may be implemented in software and/or hardware and is generally integrated in a computer device such as a Linux host. As shown in Fig. 4, the apparatus is applied to a Linux host and specifically includes a security policy acquisition and issuing module 410 and a security policy execution module 420, where:
the security policy acquisition and issuing module 410 is configured to obtain, through a target management process, the security policy matching the Linux host from a security management server and issue it to a network filtering module located in the kernel;
the security policy execution module 420 is configured to execute, through the network filtering module, the filtering operation corresponding to the security policy and report it to the security management server via the target management process, so that the security management server schedules a network security device according to the filtering operation to provide a security monitoring service for the Linux host.
In the scheme provided by this embodiment of the invention, a target management process in the Linux host obtains the matching security policy from a security management server and passes it to a network filtering module in the kernel for execution. The security management server arranges the security policies of the Linux hosts centrally, so filtering rules and management functions do not need to be configured manually and separately on each Linux host; this greatly reduces the manual management cost of a network firewall service as the number of enterprise servers grows and the network policy of a hybrid cloud scenario becomes complex. The network filtering module reports its filtering operations to the security management server via the target management process, so the security management server can schedule a network security device to provide a security monitoring service for the Linux host, which greatly shortens the time needed to discover security risks and improves the emergency response efficiency for Linux host security events.
On the basis of the above scheme, the apparatus further includes a security policy change module, configured to send a query request to the security management server at regular intervals through the target management process after the security policy has been issued to the network filtering module in the kernel and, when the query finds a security policy change matching the Linux host on the security management server, to obtain the change and send it to the network filtering module.
On the basis of the above scheme, the apparatus further includes a security policy discarding module, configured to instruct the network filtering module to discard the corresponding security policy or security policy change when the target management process determines that the security policy or the change is abnormal.
On the basis of the above scheme, the apparatus further includes an active reporting module for information to be monitored for security, configured, when the network filtering module reports the filtering operation to the security management server via the target management process, to also report information to be monitored for security over the same path, so that the security management server schedules a network security device to provide a security monitoring service for the Linux host according to that information.
Optionally, the network security device at least includes a security vulnerability scanner.
Optionally, the security policy execution module 420 is specifically configured to execute, through the network filtering module, the filtering operation corresponding to the security policy by hash matching.
The apparatus for implementing a virtual firewall provided by this embodiment can execute the method for implementing a virtual firewall provided by any embodiment of the present invention and has the functional modules and beneficial effects corresponding to that method.
Example five
Fig. 5 is a schematic structural diagram of a computer device according to a fifth embodiment of the present invention. As shown in Fig. 5, the computer device includes a processor 50, a memory 51, an input device 52 and an output device 53. The number of processors 50 in the computer device may be one or more; one processor 50 is shown in Fig. 5 as an example. The processor 50, memory 51, input device 52 and output device 53 may be connected by a bus or in some other way; a bus connection is shown in Fig. 5 as an example.
The memory 51 is a computer-readable storage medium that can store software programs, computer-executable programs and modules, such as the program instructions/modules corresponding to the method for implementing a virtual firewall in the embodiments of the present invention (for example, the security policy acquisition and issuing module 410 and the security policy execution module 420 of the apparatus in Fig. 4). By running the software programs, instructions and modules stored in the memory 51, the processor 50 executes the functional applications and data processing of the computer device, that is, implements the method for implementing a virtual firewall described above.
The memory 51 may mainly include a program storage area and a data storage area; the program storage area may store an operating system and the application program required for at least one function, and the data storage area may store data created during use of the computer device. Further, the memory 51 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. In some examples the memory 51 may further include memory located remotely from the processor 50 and connected to the computer device over a network; examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 52 can receive input numeric or character information and generate key signal inputs related to user settings and function control of the computer device. The output device 53 may include a display device such as a display screen.
Example six
A sixth embodiment of the present invention further provides a computer-readable storage medium storing a computer program which, when executed by a computer processor, carries out a method for implementing a virtual firewall, the method including:
obtaining, through a target management process, the security policy matching the Linux host from a security management server, and issuing the security policy to a network filtering module located in the kernel;
executing, through the network filtering module, the filtering operation corresponding to the security policy, and reporting the filtering operation to the security management server via the target management process, so that the security management server schedules a network security device according to the filtering operation to provide a security monitoring service for the Linux host.
Of course, the computer program on the computer-readable storage medium provided by this embodiment is not limited to the method operations above and may also perform the related operations of the method for implementing a virtual firewall provided by any embodiment of the present invention.
From the above description of the embodiments it is clear to those skilled in the art that the present invention can be implemented by software together with the necessary general-purpose hardware, and of course also by hardware alone, though the former is the better embodiment in many cases. On this understanding, the technical solution of the present invention may be embodied in the form of a software product stored on a computer-readable storage medium such as a floppy disk, read-only memory (ROM), random access memory (RAM), flash memory, hard disk or optical disk, containing instructions that cause a computer device (which may be a personal computer, a server or a network device) to execute the methods of the embodiments of the present invention.
It should be noted that in the embodiment of the apparatus for implementing a virtual firewall, the units and modules of the apparatus are divided only according to functional logic and are not limited to that division, as long as the corresponding function can be implemented; the specific names of the functional units are only for convenience of distinguishing them and do not limit the protection scope of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments illustrated herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A method for implementing a virtual firewall, applied to a Linux host, comprising:
obtaining, through a target management process, the security policy matching the Linux host from a security management server, and issuing the security policy to a network filtering module located in the kernel;
executing, through the network filtering module, the filtering operation corresponding to the security policy, and reporting the filtering operation to the security management server via the target management process, so that the security management server schedules a network security device according to the filtering operation to provide a security monitoring service for the Linux host.
2. The method of claim 1, further comprising, after issuing the security policy to the network filtering module located in the kernel through the target management process:
sending a query request to the security management server at regular intervals through the target management process and, when the query finds that the security management server holds a security policy change matching the Linux host, obtaining the change and sending it to the network filtering module.
3. The method of claim 2, further comprising:
instructing the network filtering module to discard the corresponding security policy or security policy change when the target management process determines that the security policy or the security policy change is abnormal.
4. The method of claim 1, further comprising, when the network filtering module reports the filtering operation to the security management server via the target management process:
reporting, by the network filtering module through the target management process, information to be monitored for security to the security management server, so that the security management server schedules a network security device to provide a security monitoring service for the Linux host according to the information to be monitored for security.
5. The method of claim 1 or 4, wherein the network security device comprises at least a security vulnerability scanner.
6. The method of claim 1, wherein executing, through the network filtering module, the filtering operation corresponding to the security policy comprises:
executing, through the network filtering module, the filtering operation corresponding to the security policy by hash matching.
7. A system for implementing a virtual firewall, comprising: a security management server, at least one network security device and a plurality of Linux hosts, wherein
the security management server is used for the unified orchestration of the security policies respectively matched with the plurality of Linux hosts, and for scheduling the network security device to provide a security monitoring service for the Linux hosts according to the filtering operations reported by the Linux hosts;
each Linux host is used for acquiring its matched security policy from the security management server through a target management process, issuing the security policy to a network filtering module located in the kernel, executing the corresponding filtering operation according to the security policy through the network filtering module, and reporting the filtering operation to the security management server through the target management process;
and the network security device is used for providing the security monitoring service for the Linux hosts under the scheduling of the security management server.
8. A device for implementing a virtual firewall, applied to a Linux host, comprising:
a security policy acquisition and issuing module, used for acquiring a security policy matched with the Linux host from a security management server through a target management process and issuing the security policy to a network filtering module located in the kernel;
and a security policy execution module, used for executing the corresponding filtering operation according to the security policy through the network filtering module and reporting the filtering operation to the security management server through the target management process, so that the security management server schedules a network security device according to the filtering operation to provide a security monitoring service for the Linux host.
9. A computer device, characterized in that the computer device comprises:
one or more processors;
a memory for storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-6.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-6.
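The host-side pipeline the claims describe (a management process fetches the policy, checks it and discards it if abnormal as in claim 3, installs it into a kernel filtering module that matches by hash lookup as in claim 6, and reports the filtering operations and the information to be monitored back to the server as in claims 1 and 4), modelled as an added Python example; this is not code from the patent or from its applicant. It runs entirely in user space and stands in for the kernel module with a dictionary keyed on (protocol, destination port). The HMAC integrity check, the JSON field names, the port-range sanity rule, the three-drops threshold for what is reported as information to be monitored, and the sample packets are all constructed assumptions; the patent specifies none of them.

```python
"""Added illustration of the claimed host-side virtual firewall pipeline.
Not the patent's code: every name, field and threshold here is assumed."""
import hashlib
import hmac
import json
from collections import Counter
from dataclasses import dataclass

# Constructed shared secret between management server and host. The patent
# does not say how a policy is judged "abnormal"; an HMAC tag is one option.
POLICY_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    proto: str
    dst_port: int


def sign_policy(policy):
    """Server side: wrap a policy with an HMAC over its canonical JSON form."""
    body = json.dumps(policy, sort_keys=True).encode()
    tag = hmac.new(POLICY_KEY, body, hashlib.sha256).hexdigest()
    return {"policy": policy, "tag": tag}


def policy_is_valid(envelope):
    """Target-management-process check (claim 3): a policy whose tag does not
    verify, or whose rules are malformed, is abnormal and must be discarded."""
    policy = envelope.get("policy")
    if not isinstance(policy, dict):
        return False
    body = json.dumps(policy, sort_keys=True).encode()
    expected = hmac.new(POLICY_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(envelope.get("tag", ""))):
        return False
    if policy.get("default") not in ("accept", "drop"):
        return False
    for rule in policy.get("rules", []):
        if rule.get("action") not in ("accept", "drop"):
            return False
        if rule.get("proto") not in ("tcp", "udp"):
            return False
        port = rule.get("dst_port")
        if not isinstance(port, int) or not 0 < port < 65536:
            return False
    return True


class HashMatchFilter:
    """Stand-in for the kernel network filtering module (claim 6): rules are
    indexed by (proto, dst_port), so each packet costs one hash lookup rather
    than a linear scan of the rule list."""

    def __init__(self):
        self.table = {}
        self.default = "drop"
        self.log = []  # filtering operations, later reported upstream

    def install(self, policy):
        self.table = {(r["proto"], r["dst_port"]): r["action"] for r in policy["rules"]}
        self.default = policy["default"]

    def filter(self, pkt):
        action = self.table.get((pkt.proto, pkt.dst_port), self.default)
        self.log.append((pkt.src_ip, pkt.proto, pkt.dst_port, action))
        return action


def host_apply_policy(flt, envelope):
    """Management-process step: validate, then install or discard."""
    if not policy_is_valid(envelope):
        return False
    flt.install(envelope["policy"])
    return True


def build_report(log):
    """What the management process sends back (claims 1 and 4): counts of the
    filtering operations plus sources dropped three or more times, which is
    the constructed rule here for 'information to be security-monitored'."""
    drops = Counter(src for src, _, _, action in log if action == "drop")
    return {
        "accepted": sum(1 for _, _, _, action in log if action == "accept"),
        "dropped": sum(drops.values()),
        "to_monitor": sorted(src for src, n in drops.items() if n >= 3),
    }


def run_demo():
    flt = HashMatchFilter()
    policy = {"default": "drop", "rules": [
        {"proto": "tcp", "dst_port": 22, "action": "accept"},
        {"proto": "tcp", "dst_port": 443, "action": "accept"}]}
    good = sign_policy(policy)
    # A copy altered after signing: the tag no longer verifies.
    tampered = json.loads(json.dumps(good))
    tampered["policy"]["rules"][0]["dst_port"] = 3389
    # Correctly signed but malformed: port out of range.
    malformed = sign_policy({"default": "drop", "rules": [
        {"proto": "tcp", "dst_port": 70000, "action": "accept"}]})
    results = {
        "installed": host_apply_policy(flt, good),
        "tampered_rejected": not host_apply_policy(flt, tampered),
        "malformed_rejected": not host_apply_policy(flt, malformed),
    }
    # Constructed sample traffic; the good policy is still the one installed.
    for pkt in [Packet("10.0.0.5", "tcp", 443), Packet("10.0.0.5", "tcp", 22),
                Packet("10.0.0.9", "tcp", 3389), Packet("10.0.0.9", "udp", 53),
                Packet("10.0.0.9", "tcp", 23), Packet("10.0.0.7", "tcp", 8080)]:
        flt.filter(pkt)
    results["report"] = build_report(flt.log)
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The two rejected envelopes leave the previously installed policy in place, which is the behaviour claim 3 asks for: an abnormal policy or policy change is discarded rather than partially applied. The report is what the security management server would use to decide whether to schedule a network security device (for instance the vulnerability scanner of claim 5) against the host.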
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110321094.2A CN113098851B (en) 2021-03-25 2021-03-25 Method, device, system, equipment and medium for implementing virtual firewall

Publications (2)

Publication Number Publication Date
CN113098851A true CN113098851A (en) 2021-07-09
CN113098851B CN113098851B (en) 2023-01-31

Family

ID=76669906

Country Status (1)

Country Link
CN (1) CN113098851B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080022385A1 (en) * 2006-06-30 2008-01-24 Microsoft Corporation Applying firewalls to virtualized environments
CN105141571A (en) * 2014-06-09 2015-12-09 中兴通讯股份有限公司 Distributed virtual firewall device and method
CN109413110A (en) * 2018-12-19 2019-03-01 武汉思普崚技术有限公司 A method and system for managing host policies based on firewall policy linkage
CN111262815A (en) * 2018-11-30 2020-06-09 武汉新软科技有限公司 Virtual host management system
CN112491822A (en) * 2020-11-13 2021-03-12 中盈优创资讯科技有限公司 Method and device for automatically issuing security policy

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
阳俐 (Yang Li): "试论Linux防火墙的设计" (On the Design of Linux Firewalls), 《福建电脑》 (Fujian Computer) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114726612A (en) * 2022-04-01 2022-07-08 北京指掌易科技有限公司 Method, device, medium and electronic equipment for managing working domain
CN114726612B (en) * 2022-04-01 2024-03-26 北京指掌易科技有限公司 Work domain management method, device, medium and electronic equipment
CN114629726A (en) * 2022-04-26 2022-06-14 深信服科技股份有限公司 Cloud management method, device, equipment, system and readable storage medium
CN117176475A (en) * 2023-11-02 2023-12-05 成都卓拙科技有限公司 Rule configuration method and device, linux host and storage medium
CN117176475B (en) * 2023-11-02 2024-02-27 成都卓拙科技有限公司 Rule configuration method and device, linux host and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant