CN113660248A - Service flow isolation method, system, readable storage medium and device - Google Patents

Info

Publication number: CN113660248A
Application number: CN202110918832.1A
Authority: CN (China)
Prior art keywords: network, service, flow, name space, traffic
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN113660248B (en)
Inventors: 陆波, 范渊
Current Assignee: DBAPPSecurity Co Ltd
Original Assignee: DBAPPSecurity Co Ltd
Events: application filed by DBAPPSecurity Co Ltd; priority to CN202110918832.1A; publication of CN113660248A; application granted; publication of CN113660248B; legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention provides a service traffic isolation method, system, readable storage medium and device. The service traffic isolation method is applied to a WAF device that is provided with physical network interfaces, and comprises the following steps: creating network namespaces according to the number of actual services, and dividing the physical network interfaces into the network namespaces in sequence; creating a traffic detection process in each network namespace; executing the traffic detection process to perform protection processing on the traffic on the physical network interface in the network namespace where the traffic detection process is located, and generating a protection log; and reading the network namespace identifier in the protection log, querying the corresponding service information, and storing the service information in a database accordingly. Through the network namespace mechanism provided by the system, the invention divides the one or more physical network interfaces connected to each actual service into different network namespaces, so that the network traffic of each physical network interface runs in a different network protocol stack, thereby realising WAF service traffic isolation.

Description

Service flow isolation method, system, readable storage medium and device
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, a system, a readable storage medium, and an apparatus for isolating service traffic.
Background
At present, application-layer attacks are increasingly diverse, and web servers need network security defence, so a WAF (web application firewall) is deployed: the WAF obtains, via a network address, the network traffic entering the web server and performs network security defence on it.
The related art has the following disadvantage: because of the limitation of the protocol stack, the WAF cannot handle different services that have the same network address. For example, the local area network where service A is located is 192.168.1.0/24 and the local area network where service B is located is also 192.168.1.0/24; the two LANs are physically independent of each other but use the same network address allocation, and if the IP addresses of service A and service B are both 192.168.1.100, the WAF cannot deploy service A and service B at the same time.
Disclosure of Invention
Embodiments of the present application provide a method, a system, a readable storage medium, and an apparatus for isolating service traffic, so as to at least solve the above-mentioned deficiencies in the related art.
In a first aspect, an embodiment of the present application provides a service traffic isolation method, which is applied to a WAF device, where the WAF device is provided with a plurality of physical network interfaces, and the service traffic isolation method includes:
acquiring the number of actual services, creating a plurality of network name spaces according to the number of the actual services, and sequentially dividing the physical network interfaces correspondingly connected with the actual services into the network name spaces;
creating a corresponding flow detection process in the network name space;
executing the flow detection process to perform protection processing on the flow on the physical network interface in the network name space where the flow detection process is located, and generating a protection log according to the protection processing result and the network name space identifier of the corresponding network name space;
and reading the network name space identifier in the protection log, inquiring corresponding service information according to the network name space identifier, and correspondingly storing the service information and the protection log in a database.
In some embodiments, before the step of acquiring the number of actual services, the method further includes:
configuring service basic information with the same network address, wherein the service basic information at least comprises an IP address and a service port where the service is located, and different services with the same IP address configure different service ports.
In some embodiments, the step of executing the traffic detection process to perform protection processing on the traffic on the physical network interface in the network namespace in which the traffic detection process is located specifically includes:
and continuously detecting the flow on the physical network interface in the network name space where the flow detection process is positioned, and performing protection processing on the flow according to a safety protection strategy.
In some embodiments, after the step of querying the corresponding service information according to the network namespace identifier and storing the service information and the protection log in the database, the method further comprises:
and when a database viewing instruction is acquired, displaying the protection log and the service information on a display module, wherein the database viewing instruction is an instruction sent when a user triggers a viewing key.
In some embodiments, the step of displaying the protection log and the service information includes:
displaying the protection log information and the hidden identification corresponding to the service information on a display module;
and when a trigger event aiming at the hidden identifier is detected, unfolding and displaying corresponding service information on the display module.
In a second aspect, an embodiment of the present application provides a service traffic isolation system, which is applied to a WAF device, where the WAF device is provided with a plurality of physical network interfaces, and the service traffic isolation system includes:
a first establishing module, used for acquiring the number of actual services, establishing a plurality of network namespaces according to the number of the actual services, and sequentially dividing the physical network interfaces correspondingly connected with the actual services into the network namespaces;
the second establishing module is used for establishing a corresponding flow detection process in the network name space;
the execution module is used for executing the flow detection process so as to perform protection processing on the flow on the physical network interface in the network name space where the flow detection process is located, and generating a protection log according to the protection processing result and the network name space identifier of the corresponding network name space;
and the reading module is used for reading the network name space identifier in the protection log, inquiring corresponding service information according to the network name space identifier, and correspondingly storing the service information and the protection log in a database.
In some of these embodiments, the system further comprises:
the configuration module is used for configuring service basic information with the same network address, the service basic information at least comprises an IP address and a service port where the service is located, and different services with the same IP address configure different service ports.
In some embodiments, the execution module comprises:
and the processing unit is used for continuously detecting the flow on the physical network interface in the network name space where the flow detection process is positioned and carrying out protection processing on the flow according to a safety protection strategy.
In a third aspect, an embodiment of the present application provides a readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the traffic isolation method according to the first aspect.
In a fourth aspect, an embodiment of the present application provides a service traffic isolation apparatus, including a server, where the server includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and the processor, when executing the computer program, implements the service traffic isolation method according to the first aspect.
Compared with the related art, the service traffic isolation method, the system, the readable storage medium and the device provided by the embodiment of the application divide one or more physical network interfaces correspondingly connected with actual services into different network namespaces by acquiring the number of the actual services through a network namespace mechanism provided by the system, and simultaneously create a corresponding traffic detection process in the network namespace to detect traffic on the physical network interface in the network namespace where the corresponding traffic detection process is located in real time and perform protection processing, so that the network traffic corresponding to the physical network interface runs in different network protocol stacks, and thus the traffic isolation of the WAF service is realized.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a flowchart of a service traffic isolation method according to a first embodiment of the present invention;
fig. 2 is a flowchart of a service traffic isolation method according to a second embodiment of the present invention;
fig. 3 is a flowchart of a service traffic isolation method according to a third embodiment of the present invention;
fig. 4 is a block diagram of a service traffic isolation system according to a fourth embodiment of the present invention;
fig. 5 is a block diagram of a service traffic isolating apparatus according to a fifth embodiment of the present invention.
Description of the main element symbols:
[Table of reference numerals for the figures, provided as images in the original and not reproduced here]
the following detailed description will further illustrate the invention in conjunction with the above-described figures.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the present application, and that it is also possible for a person skilled in the art to apply the present application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
First, a note on namespaces: the Linux kernel provides six types of namespace: process ID (pid), mount (mnt), network (net), inter-process communication (ipc), UTS, and user ID (user). For example, processes within a pid namespace can only see processes in the same namespace, and processes in an mnt namespace see their own set of file system mounts.
Network namespaces (netns) provide a completely new, isolated network protocol stack for all processes within the namespace. This includes network interfaces, routing tables and iptables rules. Using network namespaces, virtual network environments can be realised, with network isolation between the different namespaces.
Example one
Referring to fig. 1, a service traffic isolation method in a first embodiment of the present invention is shown, and is applied to a WAF device, where the WAF device is provided with a plurality of physical network interfaces, and the method specifically includes steps S101 to S104:
S101, acquiring the number of actual services, creating a plurality of network namespaces according to the number of the actual services, and sequentially dividing the physical network interfaces correspondingly connected with the actual services into the network namespaces;
In a specific implementation, the system obtains the number of actual services and creates that many network namespaces. A network namespace can be created with the Linux command ip netns; for example, a network namespace named demo is created with ip netns add demo. It should be understood that in other alternative embodiments the network namespace may also be created by other system commands.
The system divides the physical network interfaces correspondingly connected with the actual services into the network namespaces in sequence; each network namespace has a unique network namespace identifier and an independent network protocol stack, and a physical network interface cannot be located in two or more network namespaces simultaneously.
S102, establishing a corresponding flow detection process in the network name space;
in specific implementation, the traffic detection process is a program that is run on the WAF and used for receiving, analyzing, and forwarding data packets passing through the WAF physical network interface, and each network namespace has a corresponding traffic detection process.
The traffic detection process can be created with the Linux command ip netns exec: if the traffic detection process needs to be created in the network namespace named demo, execute ip netns exec demo /path/to/check_program, where /path/to/check_program is the location on disk of the executable file corresponding to the traffic detection process.
It should be understood that in alternative embodiments, the manner in which the traffic detection process is created may be commanded by other systems.
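As an added illustration of steps S101 and S102 (example code written for this page, not the patent's or DBAPPSecurity's implementation): a small Python planner takes the configured sites, checks the constraints the text states (a physical interface may belong to only one network namespace; services sharing an IP must use different ports), and emits the ip netns commands in order. The site table, the interface names, the svcN namespace naming scheme and the path /path/to/check_program are constructed assumptions; bringing the moved interface up inside the namespace is an added step, and applying the commands needs CAP_NET_ADMIN, so the block defaults to printing them.

```python
"""Plan per-service network namespaces for a WAF (added example; assumptions labelled)."""
import shlex
import subprocess
from dataclasses import dataclass

CHECK_PROGRAM = "/path/to/check_program"  # placeholder path used in the patent text


@dataclass(frozen=True)
class Site:
    """Basic site information as configured in WAF site management."""
    name: str
    ip: str
    port: int
    iface: str  # physical NIC through which the WAF reaches this site


# Constructed sample: two services on physically separate LANs share 192.168.1.100.
SITES = [
    Site("service-A", "192.168.1.100", 80, "eth1"),
    Site("service-B", "192.168.1.100", 8080, "eth2"),
]


def netns_name(index: int) -> str:
    """Assumed naming scheme for the per-service namespace (the patent's example is 'demo')."""
    return f"svc{index}"


def validate_sites(sites):
    """Enforce the constraints stated in the text: a physical interface may be in at most
    one network namespace, and services with the same IP must use different ports."""
    iface_owner = {}
    endpoints = set()
    for s in sites:
        if s.iface in iface_owner:
            raise ValueError(f"interface {s.iface} is assigned to both {iface_owner[s.iface]} and {s.name}")
        iface_owner[s.iface] = s.name
        if (s.ip, s.port) in endpoints:
            raise ValueError(f"{s.ip}:{s.port} is configured for more than one service")
        endpoints.add((s.ip, s.port))


def plan_commands(sites):
    """Return (namespace -> Site) and the ordered ip(8) commands realising S101 and S102."""
    validate_sites(sites)
    mapping = {}
    cmds = []
    for i, site in enumerate(sites, start=1):
        ns = netns_name(i)
        mapping[ns] = site
        cmds.append(["ip", "netns", "add", ns])                          # S101: create the namespace
        cmds.append(["ip", "link", "set", site.iface, "netns", ns])      # S101: move the physical NIC in
        cmds.append(["ip", "netns", "exec", ns, "ip", "link", "set", site.iface, "up"])  # added: NIC is down after the move
        cmds.append(["ip", "netns", "exec", ns, CHECK_PROGRAM])          # S102: detection process in that stack
    return mapping, cmds


def apply_plan(cmds, dry_run=True):
    """Print the commands (default) or run them; running requires CAP_NET_ADMIN."""
    for argv in cmds:
        line = " ".join(shlex.quote(a) for a in argv)
        if dry_run:
            print(line)
        else:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    mapping, cmds = plan_commands(SITES)
    for ns, site in mapping.items():
        print(f"# {ns}: {site.name} {site.ip}:{site.port} via {site.iface}")
    apply_plan(cmds)
```

The validation step is the part worth keeping in a real deployment: the kernel itself rejects a second move of the same interface, but catching the configuration error before any namespace is created leaves the device in a consistent state, and the same-IP/different-port rule from the claims is not something the kernel checks at all.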
S103, executing the flow detection process to perform protection processing on the flow on the physical network interface in the network name space where the flow detection process is located, and generating a protection log according to the protection processing result and the network name space identifier of the corresponding network name space;
during specific implementation, the flow on the physical network interface in the network name space where the flow detection process is located is detected in real time through the flow detection process, the flow is protected according to the security protection strategy, and a corresponding protection log is generated according to the protection processing result and the network name space identifier of the corresponding network name space.
The security protection policy refers to a processing rule for a network data packet detected to have an attack behavior in a software system, such as discarding the data packet, blocking a TCP network connection corresponding to the data packet, and logging an HTTP request corresponding to the data packet.
S104, reading the network name space identifier in the protection log, inquiring corresponding service information according to the network name space identifier, and correspondingly storing the service information and the protection log in a database.
And reading the network name space identifier in the protection log, inquiring corresponding service information according to the network name space identifier, and correspondingly storing the service information and the protection log in a database.
It should be understood that storing the service information together with the protection log in the database allows the system to compare the information in the database: when the service network addresses corresponding to several protection logs are the same (for example, the IP addresses of service A and service B are both 192.168.1.100), the system can still distinguish the services by the service information corresponding to each, thereby realising WAF service traffic isolation and avoiding the situation in which the WAF cannot deploy several services at the same time.
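As an added example for steps S103 and S104 (written for this page, not the patent's code): constructed protection-log lines that carry the namespace identifier are parsed, the service owning that namespace is looked up, and log and service information are stored together in an SQLite database; a final query shows that two services sharing 192.168.1.100 are still told apart. The key=value log format, the table layout, the svcN identifiers and all sample values are assumptions.

```python
"""Resolve protection logs to services via the network namespace identifier (added example)."""
import sqlite3

SCHEMA = """
CREATE TABLE service (
    netns TEXT PRIMARY KEY, name TEXT, ip TEXT, port INTEGER, iface TEXT);
CREATE TABLE protection_log (
    id INTEGER PRIMARY KEY,
    netns TEXT NOT NULL REFERENCES service(netns),
    action TEXT, src TEXT, dst TEXT, dport INTEGER, rule TEXT,
    service_name TEXT);
"""

# Constructed service table: same IP, physically separate LANs, distinct ports and NICs.
SERVICES = [
    ("svc1", "service-A", "192.168.1.100", 80, "eth1"),
    ("svc2", "service-B", "192.168.1.100", 8080, "eth2"),
]

# Constructed protection-log lines as a per-namespace detection process might emit them.
LOGS = [
    "netns=svc1 action=drop src=10.1.0.7 dst=192.168.1.100 dport=80 rule=sqli-generic",
    "netns=svc2 action=block_tcp src=10.2.0.9 dst=192.168.1.100 dport=8080 rule=path-traversal",
    "netns=svc9 action=log src=10.3.0.1 dst=192.168.1.100 dport=80 rule=xss-generic",  # unknown namespace
    "garbage line without fields",
]


def parse_log(line):
    """Parse a key=value log line; the namespace identifier is mandatory."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    if "netns" not in fields:
        return None
    if "dport" in fields:
        try:
            fields["dport"] = int(fields["dport"])
        except ValueError:
            return None
    return fields


def build_db(services):
    """Create the in-memory database and load the service information."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO service VALUES (?, ?, ?, ?, ?)", services)
    conn.commit()
    return conn


def ingest(conn, lines):
    """S104: read the namespace identifier, look up the service, store log and service together.
    Returns (stored, rejected); lines that cannot be attributed to a service are not stored."""
    stored = rejected = 0
    for line in lines:
        fields = parse_log(line)
        if fields is None:
            rejected += 1
            continue
        row = conn.execute("SELECT name FROM service WHERE netns = ?", (fields["netns"],)).fetchone()
        if row is None:
            rejected += 1
            continue
        conn.execute(
            "INSERT INTO protection_log (netns, action, src, dst, dport, rule, service_name) "
            "VALUES (?, ?, ?, ?, ?, ?, ?)",
            (fields["netns"], fields.get("action"), fields.get("src"), fields.get("dst"),
             fields.get("dport"), fields.get("rule"), row[0]),
        )
        stored += 1
    conn.commit()
    return stored, rejected


def logs_for_ip(conn, ip):
    """All protection logs for a service IP, each attributed to its own service."""
    return conn.execute(
        "SELECT l.service_name, s.port, s.iface, l.action, l.rule "
        "FROM protection_log l JOIN service s ON s.netns = l.netns "
        "WHERE s.ip = ? ORDER BY l.id",
        (ip,),
    ).fetchall()


if __name__ == "__main__":
    db = build_db(SERVICES)
    print("stored, rejected =", ingest(db, LOGS))
    for row in logs_for_ip(db, "192.168.1.100"):
        print(row)
```

Rejecting a log whose namespace identifier matches no configured service, rather than storing it unattributed, keeps the database consistent with the claim that every stored log is paired with its service information; the rejected count is the figure to alert on, since it indicates a detection process running in a namespace the WAF does not know about.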
In summary, in the service traffic isolation method in the above embodiments of the present invention, through a network namespace mechanism provided by the system, by obtaining the number of actual services, one or more physical network interfaces connected to the actual services are divided into different network namespaces, and meanwhile, a corresponding traffic detection process is created in the network namespace to detect traffic on the physical network interface in the network namespace where the corresponding traffic detection process is located in real time and perform protection processing, so that network traffic corresponding to the physical network interface runs in different network protocol stacks, thereby implementing traffic isolation of the WAF service.
Example two
Referring to fig. 2, a service traffic isolation method in a second embodiment of the present invention is shown, and is applied to a WAF device, where the WAF device is provided with a plurality of physical network interfaces, and the method specifically includes steps S201 to S205:
S201, configuring basic service information with the same network address, wherein the basic service information at least comprises an IP address and a service port where the service is located, and different services with the same IP address configure different service ports;
In a specific implementation, a service is a site configured on the WAF, and it is configured as follows: the basic information of the site is added in the WAF's site management, including the site name, the IP address, the port, and the name of the physical network interface through which the WAF connects to the site.
S202, acquiring the number of actual services, creating a plurality of network name spaces according to the number of the actual services, and sequentially dividing the physical network interfaces correspondingly connected with the actual services into the network name spaces;
In a specific implementation, the system obtains the number of actual services and creates that many network namespaces. A network namespace can be created with the Linux command ip netns; for example, a network namespace named demo is created with ip netns add demo. It should be understood that in other alternative embodiments the network namespace may also be created by other system commands.
The system divides the physical network interfaces correspondingly connected with the actual services into the network namespaces in sequence; each network namespace has a unique network namespace identifier and an independent network protocol stack, and a physical network interface cannot be located in two or more network namespaces simultaneously.
S203, creating a corresponding flow detection process in the network name space;
in specific implementation, the traffic detection process is a program that is run on the WAF and used for receiving, analyzing, and forwarding data packets passing through the WAF physical network interface, and each network namespace has a corresponding traffic detection process.
The traffic detection process can be created with the Linux command ip netns exec: if the traffic detection process needs to be created in the network namespace named demo, execute ip netns exec demo /path/to/check_program, where /path/to/check_program is the location on disk of the executable file corresponding to the traffic detection process.
It should be understood that in alternative embodiments, the manner in which the traffic detection process is created may be commanded by other systems.
S204, executing the flow detection process to perform protection processing on the flow on the physical network interface in the network name space where the flow detection process is located, and generating a protection log according to the protection processing result and the network name space identifier of the corresponding network name space;
during specific implementation, the flow on the physical network interface in the network name space where the flow detection process is located is detected in real time through the flow detection process, the flow is protected according to the security protection strategy, and a corresponding protection log is generated according to the protection processing result and the network name space identifier of the corresponding network name space.
The security protection policy refers to a processing rule for a network data packet detected to have an attack behavior in a software system, such as discarding the data packet, blocking a TCP network connection corresponding to the data packet, and logging an HTTP request corresponding to the data packet.
S205, reading the network name space identifier in the protection log, inquiring corresponding service information according to the network name space identifier, and correspondingly storing the service information and the protection log in a database.
And reading the network name space identifier in the protection log, inquiring corresponding service information according to the network name space identifier, and correspondingly storing the service information and the protection log in a database.
It should be understood that storing the service information together with the protection log in the database allows the system to compare the information in the database: when the service network addresses corresponding to several protection logs are the same (for example, the IP addresses of service A and service B are both 192.168.1.100), the system can still distinguish the services by the service information corresponding to each, thereby realising WAF service traffic isolation and avoiding the situation in which the WAF cannot deploy several services at the same time.
In summary, in the service traffic isolation method in the above embodiments of the present invention, through a network namespace mechanism provided by the system, by obtaining the number of actual services, one or more physical network interfaces connected to the actual services are divided into different network namespaces, and meanwhile, a corresponding traffic detection process is created in the network namespace to detect traffic on the physical network interface in the network namespace where the corresponding traffic detection process is located in real time and perform protection processing, so that network traffic corresponding to the physical network interface runs in different network protocol stacks, thereby implementing traffic isolation of the WAF service.
Example three
Referring to fig. 3, a service traffic isolation method in a third embodiment of the present invention is shown, and is applied to a WAF device, where the WAF device is provided with a plurality of physical network interfaces, and the method specifically includes steps S301 to S308:
S301, configuring basic service information with the same network address, wherein the basic service information at least comprises an IP address and a service port where the service is located, and different services with the same IP address configure different service ports;
In a specific implementation, a service is a site configured on the WAF, and it is configured as follows: the basic information of the site is added in the WAF's site management, including the site name, the IP address, the port, and the name of the physical network interface through which the WAF connects to the site.
S302, acquiring the number of actual services, creating a plurality of network name spaces according to the number of the actual services, and sequentially dividing the physical network interfaces correspondingly connected with the actual services into the network name spaces;
In a specific implementation, the system obtains the number of actual services and creates that many network namespaces. A network namespace can be created with the Linux command ip netns; for example, a network namespace named demo is created with ip netns add demo. It should be understood that in other alternative embodiments the network namespace may also be created by other system commands.
The system divides the physical network interfaces correspondingly connected with the actual services into the network namespaces in sequence; each network namespace has a unique network namespace identifier and an independent network protocol stack, and a physical network interface cannot be located in two or more network namespaces simultaneously.
S303, creating a corresponding traffic detection process in the network namespace;
In a specific implementation, the traffic detection process is a program that runs on the WAF and receives, analyzes, and forwards the data packets passing through the WAF physical network interfaces, and each network namespace has a corresponding traffic detection process.
The traffic detection process can be created with the Linux command ip netns exec: if the traffic detection process needs to be created in the network namespace named demo, ip netns exec demo /path/to/check_program is executed, where /path/to/check_program is the location on disk of the executable file corresponding to the traffic detection process.
It should be understood that in alternative embodiments the traffic detection process may also be created by other system commands.
S304, continuously detecting the traffic on the physical network interface in the network namespace where the traffic detection process is located, and performing protection processing on the traffic according to a security protection policy;
In a specific implementation, the traffic detection process is executed so that it continuously detects the traffic on the physical network interface in the network namespace where it is located and protects the traffic according to a security protection policy. The security protection policy refers to the processing rule applied by the software system to a network data packet in which an attack behavior is detected, such as discarding the data packet, blocking the TCP network connection corresponding to the data packet, or logging the HTTP request corresponding to the data packet.
S305, generating a protection log according to the protection processing result and the corresponding network namespace identifier of the network namespace;
S306, reading the network namespace identifier in the protection log, querying corresponding service information according to the network namespace identifier, and correspondingly storing the service information and the protection log in a database;
It should be understood that the service information and the protection log are stored in the database in correspondence, so that the system can compare the information in the database: when the service network addresses corresponding to a plurality of protection logs are the same (for example, the IP addresses of service A and service B are both 192.168.1.100), the system can still distinguish the services according to the service information corresponding to each service, thereby realizing the traffic isolation of the WAF service and avoiding the situation that the WAF cannot deploy a plurality of tasks at the same time.
S307, when a database viewing instruction is obtained, displaying the protection log and the service information on a display module, wherein the database viewing instruction is an instruction sent when a user triggers a viewing key;
In a specific implementation, a user sends a database viewing instruction by triggering a viewing key, and when the system acquires the database viewing instruction, the protection log and the service information are transmitted to the corresponding display module for display.
S308, displaying the protection log information and the hidden identifier corresponding to the service information on a display module;
and when a trigger event aimed at the hidden identifier is detected, expanding and displaying the corresponding service information on the display module.
In a specific implementation, the protection log is displayed on the display module for normal viewing by the user, and the hidden identifier corresponding to the service information enables the user to view the protection log and the service information in real time as needed.
It should be understood that the user may also activate the hidden information viewing instruction to view the service information in real time by triggering the hidden information viewing key, and distinguish different services according to the service information, thereby implementing WAF service traffic isolation and avoiding a situation where the WAF cannot deploy multiple tasks at the same time.
When the system detects that the service network addresses corresponding to a plurality of protection logs are the same (for example, the IP addresses of service A and service B are both 192.168.1.100), it activates the corresponding hidden information viewing instruction and expands and displays the corresponding service information on the display module.
It can be understood that when the system detects that the service network addresses corresponding to multiple protection logs are the same (for example, the IP addresses of service A and service B are both 192.168.1.100), the system can distinguish the multiple services according to the service information corresponding to each service, thereby implementing the traffic isolation of the WAF service and avoiding the situation that the WAF cannot deploy multiple tasks at the same time.
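The namespace planning, ip netns command construction and log attribution of steps S301 to S306, as an added Python example that is not part of the patent or of the assignee's product. The namespace naming scheme, the --netns-id flag of the detection program, the key=value protection log format and the sample configuration are assumptions; the commands are only returned as strings for an operator to review.

```python
# Added example (not the patent's or the assignee's code): plan one Linux network
# namespace per WAF service (S301-S303) and attribute protection logs carrying a
# namespace identifier back to services that share one IP address (S305-S306).
import shlex
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    ip: str
    port: int
    nic: str  # physical network interface through which the WAF reaches the service


def plan_namespaces(services):
    """S301/S302: enforce the constraints the method states (same IP needs distinct
    ports; a NIC belongs to one namespace) and assign one namespace per service."""
    seen_endpoints, seen_nics, plans = set(), set(), []
    for idx, svc in enumerate(services):
        if (svc.ip, svc.port) in seen_endpoints:
            raise ValueError(f"services sharing {svc.ip} must use distinct ports")
        if svc.nic in seen_nics:
            raise ValueError(f"{svc.nic} cannot be in two network namespaces")
        seen_endpoints.add((svc.ip, svc.port))
        seen_nics.add(svc.nic)
        plans.append((f"waf_ns{idx}", svc))  # namespace naming scheme is assumed
    return plans


def namespace_commands(netns, svc, check_program="/path/to/check_program"):
    """S302/S303: ip(8) commands a root operator would run; returned for review,
    never executed here. The --netns-id flag of the detection program is assumed."""
    ns, nic, prog = shlex.quote(netns), shlex.quote(svc.nic), shlex.quote(check_program)
    return [
        f"ip netns add {ns}",
        f"ip link set {nic} netns {ns}",  # the NIC now lives in its own protocol stack
        f"ip netns exec {ns} ip link set lo up",
        f"ip netns exec {ns} ip link set {nic} up",
        f"ip netns exec {ns} {prog} --netns-id {ns}",
    ]


def parse_protection_log(line):
    """S305: one space-separated key=value record per event; the detection process
    is assumed to tag every record with the namespace it runs in."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    if "netns" not in rec:
        raise ValueError("protection log record lacks a network namespace identifier")
    return rec


def store_logs(conn, plans, log_lines):
    """S306: resolve the namespace identifier to service information and store both
    together, so two services on one IP never collapse into one log stream."""
    conn.execute("CREATE TABLE IF NOT EXISTS protection_log ("
                 "service TEXT, ip TEXT, port INTEGER, netns TEXT, action TEXT, src TEXT)")
    by_ns = dict(plans)
    for line in log_lines:
        rec = parse_protection_log(line)
        svc = by_ns[rec["netns"]]  # unknown namespace -> KeyError; never guess the service
        conn.execute("INSERT INTO protection_log VALUES (?, ?, ?, ?, ?, ?)",
                     (svc.name, svc.ip, svc.port, rec["netns"], rec["action"], rec["src"]))
    conn.commit()


def services_behind(conn, ip):
    """Distinct services that produced protection logs for one shared IP address."""
    rows = conn.execute("SELECT DISTINCT service, port FROM protection_log "
                        "WHERE ip = ? ORDER BY port", (ip,))
    return [tuple(row) for row in rows]


# Constructed sample configuration: two sites behind the same IP, as in the text.
SERVICES = [
    Service("service A", "192.168.1.100", 80, "eth1"),
    Service("service B", "192.168.1.100", 8080, "eth2"),
]
# Constructed protection log records as the per-namespace detection processes would emit.
LOG_LINES = [
    "netns=waf_ns0 action=drop src=10.0.0.5 rule=sqli",
    "netns=waf_ns1 action=block_tcp src=10.0.0.9 rule=path_traversal",
    "netns=waf_ns0 action=log src=10.0.0.7 rule=scanner_ua",
]


def demo():
    """Plan, store the constructed logs and report which services share the IP."""
    plans = plan_namespaces(SERVICES)
    conn = sqlite3.connect(":memory:")
    store_logs(conn, plans, LOG_LINES)
    return services_behind(conn, "192.168.1.100")  # [('service A', 80), ('service B', 8080)]
```

Without the netns field both sample services would appear as one destination, 192.168.1.100, in the database; with it, each log row carries the site name and port it belongs to.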
In summary, in the service traffic isolation method in the above embodiments of the present invention, through a network namespace mechanism provided by the system, by obtaining the number of actual services, one or more physical network interfaces connected to the actual services are divided into different network namespaces, and meanwhile, a corresponding traffic detection process is created in the network namespace to detect traffic on the physical network interface in the network namespace where the corresponding traffic detection process is located in real time and perform protection processing, so that network traffic corresponding to the physical network interface runs in different network protocol stacks, thereby implementing traffic isolation of the WAF service.
Example four
Another aspect of the present invention further provides a service traffic isolation system, referring to fig. 4, which shows a service traffic isolation system in a fourth embodiment of the present invention, and is applied to a WAF device, where the WAF device is provided with a plurality of physical network interfaces, and the service traffic isolation system includes:
the configuration module 11, configured to configure basic service information with the same network address, where the basic service information at least includes the IP address and the service port of the service, and different services with the same IP address are configured with different service ports;
a first creating module 12, configured to obtain the number of actual services, create a plurality of network namespaces according to the number of actual services, and sequentially divide the physical network interfaces correspondingly connected to the actual services into the network namespaces;
a second creating module 13, configured to create a corresponding traffic detection process in the network namespace;
an execution module 14, configured to execute the traffic detection process, perform protection processing on the traffic on the physical network interface in the network namespace where the traffic detection process is located, and generate a protection log according to the protection processing result and the corresponding network namespace identifier of the network namespace;
Further, the execution module 14 includes:
a processing unit 141, configured to continuously detect the traffic on the physical network interface in the network namespace where the traffic detection process is located, and perform protection processing on the traffic according to a security protection policy.
a reading module 15, configured to read the network namespace identifier in the protection log, query corresponding service information according to the network namespace identifier, and store the service information and the protection log in a database in correspondence;
a control module 16, configured to display the protection log and the service information on a display module when a database viewing instruction is obtained, where the database viewing instruction is an instruction sent when a user triggers a viewing key;
Further, the control module 16 includes:
a display unit 161, configured to display the protection log information and the hidden identifier corresponding to the service information on a display module;
and when a trigger event aimed at the hidden identifier is detected, to expand and display the corresponding service information on the display module.
To sum up, in the service traffic isolation system of the above embodiment of the present invention, the configuration module 11 configures basic service information with the same network address; the first creating module 12 obtains the number of actual services, creates network namespaces according to that number, and divides the one or more physical network interfaces connected to the actual services into different network namespaces; the second creating module 13 creates a corresponding traffic detection process in each network namespace; and the execution module 14 executes the traffic detection process to detect the traffic on the physical network interface in its network namespace in real time and perform protection processing. Further, the reading module 15 reads the network namespace identifier in the protection log, queries the corresponding service information according to that identifier, and stores the service information and the protection log in the database in correspondence, so that the system or a user can distinguish services with the same network address; specifically, the control module 16 displays the corresponding protection log and service information. The network traffic corresponding to each physical network interface thus runs in a different network protocol stack, and WAF service traffic isolation is realized.
Example five
Referring to fig. 5, the traffic isolation apparatus according to a fifth embodiment of the present invention is shown, which includes a server, where the server includes a memory 10, a processor 20, and a computer program 30 stored in the memory 10 and executable on the processor 20, and the processor 20 implements the traffic isolation method when executing the computer program 30.
In a specific implementation, the processor 20 obtains the number of actual services, creates a plurality of network namespaces according to the number of actual services, and sequentially divides the physical network interfaces correspondingly connected with the actual services into the network namespaces;
the processor 20 creates a corresponding traffic detection process within the network namespace;
the processor 20 executes the traffic detection process to perform protection processing on the traffic on the physical network interface in the network namespace where the traffic detection process is located, and generates a protection log according to the protection processing result and the corresponding network namespace identifier of the network namespace;
the processor 20 reads the network namespace identifier in the protection log, queries corresponding service information according to the network namespace identifier, and stores the service information and the protection log in a database in correspondence.
The memory 10 includes at least one type of readable storage medium including a flash memory, a hard disk, a multimedia card, a card type memory (e.g., SD or DX memory, etc.), a magnetic memory, a magnetic disk, an optical disk, and the like. The memory 10 may in some embodiments be an internal storage unit of the vehicle, such as a hard disk of the vehicle. The memory 10 may also be an external storage device of the vehicle in other embodiments, such as a plug-in hard disk provided on the vehicle, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like. Further, the memory 10 may also include both an internal storage unit and an external storage device of the vehicle. The memory 10 may be used not only to store application software installed in the vehicle and various types of data, but also to temporarily store data that has been output or is to be output.
In some embodiments, the processor 20 may be an Electronic Control Unit (ECU), a Central Processing Unit (CPU), a controller, a microcontroller, a microprocessor or another data processing chip, and is configured to run program code stored in the memory 10 or to process data, such as executing an access restriction program.
It should be noted that the configuration shown in fig. 5 does not constitute a limitation of the traffic isolation device, and in other embodiments the traffic isolation device may comprise fewer or more components than those shown, or some components may be combined, or a different arrangement of components.
The service traffic isolation device uses the network namespace mechanism provided by the system: by acquiring the number of actual services, it divides the one or more physical network interfaces correspondingly connected with the actual services into different network namespaces, and at the same time creates a corresponding traffic detection process in each network namespace to detect the traffic on the physical network interface in that network namespace in real time and perform protection processing, so that the network traffic corresponding to each physical network interface runs in a different network protocol stack and WAF service traffic isolation is realized.
An embodiment of the present invention further provides a readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the service traffic isolation method as described above.
Those of skill in the art will understand that the logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be viewed as implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A service traffic isolation method, applied to a WAF device provided with a plurality of physical network interfaces, characterized in that the service traffic isolation method comprises the following steps:
acquiring the number of actual services, creating a plurality of network namespaces according to the number of the actual services, and sequentially dividing the physical network interfaces correspondingly connected with the actual services into the network namespaces;
creating a corresponding traffic detection process in the network namespace;
executing the traffic detection process to perform protection processing on the traffic on the physical network interface in the network namespace where the traffic detection process is located, and generating a protection log according to the protection processing result and the network namespace identifier of the corresponding network namespace;
and reading the network namespace identifier in the protection log, querying corresponding service information according to the network namespace identifier, and correspondingly storing the service information and the protection log in a database.
2. The service traffic isolation method according to claim 1, wherein before the step of acquiring the number of actual services, the method further comprises:
configuring basic service information with the same network address, wherein the basic service information at least comprises the IP address and the service port of the service, and different services with the same IP address are configured with different service ports.
3. The service traffic isolation method according to claim 1, wherein the step of executing the traffic detection process to perform protection processing on the traffic on the physical network interface in the network namespace where the traffic detection process is located specifically comprises:
continuously detecting the traffic on the physical network interface in the network namespace where the traffic detection process is located, and performing protection processing on the traffic according to a security protection policy.
4. The service traffic isolation method according to claim 1, wherein after the step of querying the corresponding service information according to the network namespace identifier and correspondingly storing the service information and the protection log in a database, the method further comprises:
when a database viewing instruction is acquired, displaying the protection log and the service information on a display module, wherein the database viewing instruction is an instruction sent when a user triggers a viewing key.
5. The service traffic isolation method according to claim 4, wherein the step of displaying the protection log and the service information comprises:
displaying the protection log information and the hidden identifier corresponding to the service information on a display module;
and when a trigger event aimed at the hidden identifier is detected, expanding and displaying the corresponding service information on the display module.
6. A service traffic isolation system, applied to a WAF device provided with a plurality of physical network interfaces, characterized by comprising:
a first creating module, configured to acquire the number of actual services, create a plurality of network namespaces according to the number of the actual services, and sequentially divide the physical network interfaces correspondingly connected with the actual services into the network namespaces;
a second creating module, configured to create a corresponding traffic detection process in the network namespace;
an execution module, configured to execute the traffic detection process so as to perform protection processing on the traffic on the physical network interface in the network namespace where the traffic detection process is located, and to generate a protection log according to the protection processing result and the network namespace identifier of the corresponding network namespace;
and a reading module, configured to read the network namespace identifier in the protection log, query corresponding service information according to the network namespace identifier, and correspondingly store the service information and the protection log in a database.
7. The service traffic isolation system according to claim 6, further comprising:
a configuration module, configured to configure basic service information with the same network address, wherein the basic service information at least comprises the IP address and the service port of the service, and different services with the same IP address are configured with different service ports.
8. The service traffic isolation system according to claim 6, wherein the execution module comprises:
a processing unit, configured to continuously detect the traffic on the physical network interface in the network namespace where the traffic detection process is located and to perform protection processing on the traffic according to a security protection policy.
9. A readable storage medium, on which a computer program is stored, which, when executed by a processor, carries out the service traffic isolation method according to any one of claims 1 to 5.
10. A service traffic isolation apparatus comprising a server, the server comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the service traffic isolation method according to any one of claims 1 to 5 when executing the computer program.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110918832.1A CN113660248B (en) 2021-08-11 2021-08-11 Service traffic isolation method, system, readable storage medium and device

Publications (2)

Publication Number Publication Date
CN113660248A true CN113660248A (en) 2021-11-16
CN113660248B CN113660248B (en) 2023-05-26

Family

ID=78479499

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant