CN113660248B - Service traffic isolation method, system, readable storage medium and device - Google Patents


Info

Publication number: CN113660248B
Authority: CN (China)
Prior art keywords: network, service, traffic, detection process, protection
Legal status: Active
Application number: CN202110918832.1A
Other languages: Chinese (zh)
Other versions: CN113660248A (en)
Inventors: 陆波, 范渊
Current Assignee: DBAPPSecurity Co Ltd
Original Assignee: DBAPPSecurity Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The invention provides a service traffic isolation method, system, readable storage medium and device. The method is applied to a WAF device that has physical network interfaces, and comprises the following steps: creating network namespaces according to the number of actual services, and assigning the physical network interfaces to those network namespaces in sequence; creating a traffic detection process in each network namespace; executing the traffic detection process to perform protection processing on the traffic of the physical network interface in the network namespace where the process is located, and generating a protection log; and reading the network namespace identifier in the protection log, querying the corresponding service information, and storing the service information together with the log in a database. Using the network namespace mechanism provided by the system, the invention places the one or more physical network interfaces connected to each actual service in different network namespaces, so that the network traffic of those interfaces is handled by different network protocol stacks, thereby achieving WAF service traffic isolation.

Description

Service traffic isolation method, system, readable storage medium and device
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, a system, a readable storage medium, and an apparatus for traffic isolation.
Background
At present, application-layer attacks are increasingly varied, so network security defense is needed for web service servers. A WAF (web application firewall) is therefore deployed: the WAF obtains the network address of the traffic entering the web service server and performs network security defense based on that network address.
The related art has the following disadvantage: because of the limitation of a single protocol stack, the WAF cannot handle different services that use the same network address. For example, the local area network of service A is 192.168.1.0/24 and the local area network of service B is also 192.168.1.0/24; the two local area networks are physically independent but use the same address plan. If the IP address of service A and the IP address of service B are both 192.168.1.100, the WAF cannot deploy service A and service B at the same time.
Disclosure of Invention
The embodiments of the present application provide a method, a system, a readable storage medium and a device for traffic isolation, so as to at least solve the above-mentioned disadvantages in the related art.
In a first aspect, an embodiment of the present application provides a service traffic isolation method, applied to a WAF device on which a plurality of physical network interfaces are provided, the method including:
acquiring the number of actual services, creating a plurality of network namespaces according to that number, and assigning the physical network interfaces connected to the actual services to the network namespaces in sequence;
creating a corresponding traffic detection process in each network namespace;
executing the traffic detection process to perform protection processing on the traffic of the physical network interface in the network namespace where the traffic detection process is located, and generating a protection log according to the protection processing result and the network namespace identifier of that network namespace;
and reading the network namespace identifier in the protection log, querying the corresponding service information according to the identifier, and storing the service information and the protection log in a database in correspondence.
In some embodiments, before the step of obtaining the number of actual services, the method further includes:
configuring service basic information for services with the same network address, where the service basic information comprises at least the IP address and the service port of the service, and different services with the same IP address are configured with different service ports.
In some embodiments, the step of executing the traffic detection process to perform protection processing on traffic on the physical network interface in the network namespace where the traffic detection process is located specifically includes:
and continuously detecting the traffic on a physical network interface in the network naming space where the traffic detection process is located, and carrying out protection treatment on the traffic according to a security protection strategy.
In some embodiments, after the step of querying the corresponding service information according to the network namespace identifier and storing the service information in the database corresponding to the protection log, the method further includes:
when a database checking instruction is acquired, the protection log and the service information are displayed on a display module, wherein the database checking instruction is an instruction sent by a user when a checking key is triggered.
In some embodiments, the step of displaying the protection log and the service information includes:
displaying the protection log information and a hidden identifier corresponding to the service information on the display module;
and when a trigger event for the hidden identifier is detected, expanding and displaying the corresponding service information on the display module.
In a second aspect, an embodiment of the present application provides a service traffic isolation system, applied to a WAF device on which a plurality of physical network interfaces are provided, the system including:
a first creation module, configured to acquire the number of actual services, create a plurality of network namespaces according to that number, and assign the physical network interfaces connected to the actual services to the network namespaces in sequence;
a second creation module, configured to create a corresponding traffic detection process in the network namespace;
an execution module, configured to execute the traffic detection process to perform protection processing on the traffic of the physical network interface in the network namespace where the traffic detection process is located, and to generate a protection log according to the protection processing result and the network namespace identifier of that network namespace;
and a reading module, configured to read the network namespace identifier in the protection log, query the corresponding service information according to the identifier, and store the service information and the protection log in a database in correspondence.
In some of these embodiments, the system further comprises:
a configuration module, configured to configure service basic information for services with the same network address, where the service basic information comprises at least the IP address and the service port of the service, and different services with the same IP address are configured with different service ports.
In some of these embodiments, the execution module comprises:
a processing unit, configured to continuously detect the traffic on the physical network interface in the network namespace where the traffic detection process is located, and to perform protection processing on the traffic according to a security protection policy.
In a third aspect, embodiments of the present application provide a readable storage medium having stored thereon a computer program which, when executed by a processor, implements a traffic isolation method as described in the first aspect above.
In a fourth aspect, an embodiment of the present application provides a traffic isolation device, including a server, where the server includes a memory, a processor, and a computer program stored on the memory and capable of running on the processor, where the processor implements the traffic isolation method according to the first aspect when executing the computer program.
Compared with the related art, the service traffic isolation method, system, readable storage medium and device provided by the embodiments of the present application use the network namespace mechanism provided by the system: the number of actual services is acquired, the one or more physical network interfaces connected to each actual service are placed in different network namespaces, and a corresponding traffic detection process is created in each network namespace to detect and protect the traffic on the physical network interfaces in that namespace in real time. The network traffic of the physical network interfaces therefore runs in different network protocol stacks, which realizes WAF service traffic isolation.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the other features, objects, and advantages of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 is a flow chart of a traffic isolation method in a first embodiment of the present invention;
FIG. 2 is a flow chart of a traffic isolation method according to a second embodiment of the present invention;
FIG. 3 is a flow chart of a traffic isolation method according to a third embodiment of the present invention;
fig. 4 is a block diagram of a traffic isolation system according to a fourth embodiment of the present invention;
fig. 5 is a block diagram of a traffic isolation device according to a fifth embodiment of the present invention.
Description of main reference numerals: (reference-numeral table not reproduced)
the invention will be further described in the following detailed description in conjunction with the above-described figures.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described and illustrated below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden on the person of ordinary skill in the art based on the embodiments provided herein, are intended to be within the scope of the present application.
It is apparent that the drawings in the following description are only some examples or embodiments of the present application, and those of ordinary skill in the art can apply the present application to other similar situations according to these drawings without inventive effort. Moreover, it should be appreciated that while such a development effort might be complex and lengthy, it would nevertheless be a routine undertaking of design, fabrication, or manufacture for those of ordinary skill having the benefit of this disclosure.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly and implicitly understood by those of ordinary skill in the art that the embodiments described herein can be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms used herein should be given the ordinary meaning as understood by one of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar terms herein do not denote a limitation of quantity, but rather denote the singular or plural. The terms "comprising," "including," "having," and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to only those steps or elements but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. The terms "connected," "coupled," and the like in this application are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as used herein refers to two or more. "and/or" describes an association relationship of an association object, meaning that there may be three relationships, e.g., "a and/or B" may mean: a exists alone, A and B exist together, and B exists alone. The character "/" generally indicates that the context-dependent object is an "or" relationship. The terms "first," "second," "third," and the like, as used herein, are merely distinguishing between similar objects and not representing a particular ordering of objects.
First, a note on namespaces. The Linux kernel provides six types of namespaces: process ID (pid), mount (mnt), network (net), inter-process communication (ipc), UTS, and user ID (user). For example, a process inside a pid namespace can only see processes in the same namespace, and an mnt namespace gives the processes attached to it their own view of the file system.
A network namespace (net) provides an entirely new, isolated network protocol stack for all processes inside the namespace, including its own network interfaces, routing tables and iptables rules. Network namespaces can therefore be used to build virtual network environments that are isolated from one another at the network level.
Example 1
Referring to fig. 1, a service traffic isolation method in a first embodiment of the present invention is applied to a WAF device, where a plurality of physical network interfaces are provided on the WAF device, and the method specifically includes steps S101 to S104:
S101, acquiring the number of actual services, creating a plurality of network namespaces according to that number, and assigning the physical network interfaces connected to the actual services to the network namespaces in sequence;
In a specific implementation, the system acquires the number of actual services and creates that many network namespaces. A network namespace can be created with the Linux command ip netns; for example, a network namespace named demo is created with ip netns add demo. It should be appreciated that in other alternative embodiments the network namespaces may be created with other system commands.
The system then assigns the physical network interfaces connected to the actual services to the network namespaces in sequence. Each network namespace has a unique network namespace identifier, different network namespaces have independent network protocol stacks, and a physical network interface cannot be in two or more network namespaces at the same time.
S102, creating a corresponding traffic detection process in the network namespace;
In a specific implementation, the traffic detection process is a program running on the WAF that receives, analyzes and forwards the packets passing through a WAF physical network interface; each network namespace has its own traffic detection process.
The traffic detection process can be started with the Linux command ip netns exec: to create it in the network namespace named demo, ip netns exec demo /path/to/check_program is executed, where /path/to/check_program is the location on disk of the executable file of the traffic detection process.
It should be appreciated that in other alternative embodiments the traffic detection process may be created with other system commands.
S103, executing the traffic detection process to perform protection processing on the traffic of the physical network interface in the network namespace where the traffic detection process is located, and generating a protection log according to the protection processing result and the network namespace identifier of that network namespace;
In a specific implementation, the traffic detection process detects the traffic on the physical network interface in its network namespace in real time, performs protection processing on that traffic according to the security protection policy, and generates a protection log from the result of the protection processing and the network namespace identifier of its network namespace.
The security protection policy is the set of rules by which the software system handles a network packet that shows attack behaviour, for example discarding the packet, blocking the TCP connection the packet belongs to, or logging the HTTP request the packet belongs to.
S104, reading the network namespace identifier in the protection log, querying the corresponding service information according to the identifier, and storing the service information and the protection log in a database in correspondence.
In a specific implementation, the network namespace identifier is read from the protection log, the corresponding service information is queried by that identifier, and the service information and the protection log are stored together in the database.
It should be understood that because the service information and the protection log are stored together in the database, the system can compare the information in the database: even when the service network addresses of two protection logs are the same (for example, service A and service B are both at 192.168.1.100), the system can tell the services apart by the service information stored with each log. This realizes WAF service traffic isolation and avoids the situation in which the WAF cannot deploy several services at the same time.
In summary, in the service traffic isolation method of the above embodiment, the number of actual services is acquired and, using the network namespace mechanism provided by the system, the one or more physical network interfaces connected to each actual service are placed in different network namespaces; a corresponding traffic detection process is created in each network namespace to detect and protect the traffic on the physical network interfaces in that namespace in real time. The network traffic of the physical network interfaces therefore runs in different network protocol stacks, which realizes WAF service traffic isolation.
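Steps S101 to S104 carried through end to end in Python, as an added example that is not part of the patent or of DBAPPSecurity's product: it builds the ip netns / ip link commands for each service (returned as strings rather than executed, since moving a physical interface needs root on the WAF host), then parses protection-log lines that carry the network namespace identifier, resolves each to the configured service, and stores log and service information together in SQLite. The svcN namespace naming, the log-line format, the check_program path, and the sample services and log lines are all assumptions or constructed data.

```python
"""Added example (not the patent's code): steps S101-S104 as a reviewable
command plan plus protection-log enrichment. All inputs are constructed."""
import re
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    ip: str
    port: int
    iface: str  # physical WAF interface connected to this service's LAN


# Constructed sample: two physically separate LANs with the same address plan,
# so both services sit on 192.168.1.100 (the case from the background section).
SERVICES = [
    Service("service_A", "192.168.1.100", 80, "eth1"),
    Service("service_B", "192.168.1.100", 8080, "eth2"),
]
CHECK_PROGRAM = "/path/to/check_program"  # placeholder path used on the page


def plan_isolation(services, check_program=CHECK_PROGRAM):
    """S101/S102: return (netns identifier -> Service, shell commands).
    Commands are returned rather than executed so the plan can be reviewed;
    namespace names svc0, svc1, ... are an assumed scheme."""
    mapping, cmds, used = {}, [], set()
    for i, svc in enumerate(services):
        # A physical interface can live in only one network namespace.
        if svc.iface in used:
            raise ValueError(f"{svc.iface} already assigned to a namespace")
        used.add(svc.iface)
        ns = f"svc{i}"
        mapping[ns] = svc
        cmds += [
            f"ip netns add {ns}",                             # create namespace
            f"ip link set {svc.iface} netns {ns}",            # move interface
            f"ip netns exec {ns} ip link set {svc.iface} up", # bring it up
            f"ip netns exec {ns} {check_program}",            # detection process
        ]
    return mapping, cmds


# Assumed protection-log format written by the detection process (S103); the
# page only says the log carries the result and the namespace identifier.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) netns=(?P<ns>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"action=(?P<action>\S+) rule=(?P<rule>\S+)$"
)


def parse_log_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def store_logs(db, mapping, lines):
    """S104: resolve the namespace identifier to service information and store
    both together. Returns the number of stored records."""
    db.execute(
        "CREATE TABLE IF NOT EXISTS protection_log (ts TEXT, netns TEXT, "
        "service TEXT, service_ip TEXT, service_port INTEGER, src TEXT, "
        "dst TEXT, action TEXT, rule TEXT)"
    )
    stored = 0
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # malformed line: skip
        svc = mapping.get(rec["ns"])
        if svc is None:
            continue  # unknown namespace: not one of our services, skip
        db.execute(
            "INSERT INTO protection_log VALUES (?,?,?,?,?,?,?,?,?)",
            (rec["ts"], rec["ns"], svc.name, svc.ip, svc.port,
             rec["src"], rec["dst"], rec["action"], rec["rule"]),
        )
        stored += 1
    db.commit()
    return stored


def events_by_service(db):
    """Per-service counts: A and B stay distinct although dst IP is identical."""
    return db.execute(
        "SELECT service, action, COUNT(*) FROM protection_log "
        "GROUP BY service, action ORDER BY service, action"
    ).fetchall()


# Constructed sample log: both services are hit at the same destination IP and
# only the netns field tells them apart; the last two lines must be ignored.
SAMPLE_LOG = """\
2021-08-10T10:00:01Z netns=svc0 src=10.1.1.7 dst=192.168.1.100:80 action=drop rule=sqli
2021-08-10T10:00:02Z netns=svc1 src=10.2.2.9 dst=192.168.1.100:8080 action=block_tcp rule=xss
2021-08-10T10:00:03Z netns=svc0 src=10.1.1.7 dst=192.168.1.100:80 action=log rule=scanner
2021-08-10T10:00:04Z netns=svc9 src=10.3.3.3 dst=192.168.1.100:80 action=drop rule=sqli
not a protection log line
"""


def run_pipeline(services=SERVICES, log_text=SAMPLE_LOG):
    """Whole flow on the constructed data: (commands, stored count, summary)."""
    mapping, cmds = plan_isolation(services)
    db = sqlite3.connect(":memory:")
    stored = store_logs(db, mapping, log_text.splitlines())
    return cmds, stored, events_by_service(db)
```

Calling run_pipeline() returns the eight setup commands, three stored records, and a per-service summary in which service_A and service_B are separate rows despite sharing 192.168.1.100.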
Example two
Referring to fig. 2, a service traffic isolation method in a second embodiment of the present invention is applied to a WAF device, where a plurality of physical network interfaces are provided on the WAF device, and the method specifically includes steps S201 to S205:
S201, configuring service basic information for services with the same network address, where the service basic information comprises at least the IP address and the service port of the service, and different services with the same IP address are configured with different service ports;
In a specific implementation, a service is a site configured on the WAF, and it is configured as follows: the basic information of the site is added in the site management of the WAF, including the site name, IP address, port, and the name of the WAF physical network interface connected to the site.
S202, acquiring the number of actual services, creating a plurality of network namespaces according to that number, and assigning the physical network interfaces connected to the actual services to the network namespaces in sequence;
In a specific implementation, the system acquires the number of actual services and creates that many network namespaces. A network namespace can be created with the Linux command ip netns; for example, a network namespace named demo is created with ip netns add demo. It should be appreciated that in other alternative embodiments the network namespaces may be created with other system commands.
The system then assigns the physical network interfaces connected to the actual services to the network namespaces in sequence. Each network namespace has a unique network namespace identifier, different network namespaces have independent network protocol stacks, and a physical network interface cannot be in two or more network namespaces at the same time.
S203, creating a corresponding traffic detection process in the network namespace;
In a specific implementation, the traffic detection process is a program running on the WAF that receives, analyzes and forwards the packets passing through a WAF physical network interface; each network namespace has its own traffic detection process.
The traffic detection process can be started with the Linux command ip netns exec: to create it in the network namespace named demo, ip netns exec demo /path/to/check_program is executed, where /path/to/check_program is the location on disk of the executable file of the traffic detection process.
It should be appreciated that in other alternative embodiments the traffic detection process may be created with other system commands.
S204, executing the traffic detection process to perform protection processing on the traffic of the physical network interface in the network namespace where the traffic detection process is located, and generating a protection log according to the protection processing result and the network namespace identifier of that network namespace;
In a specific implementation, the traffic detection process detects the traffic on the physical network interface in its network namespace in real time, performs protection processing on that traffic according to the security protection policy, and generates a protection log from the result of the protection processing and the network namespace identifier of its network namespace.
The security protection policy is the set of rules by which the software system handles a network packet that shows attack behaviour, for example discarding the packet, blocking the TCP connection the packet belongs to, or logging the HTTP request the packet belongs to.
S205, reading the network namespace identifier in the protection log, querying the corresponding service information according to the identifier, and storing the service information and the protection log in a database in correspondence.
In a specific implementation, the network namespace identifier is read from the protection log, the corresponding service information is queried by that identifier, and the service information and the protection log are stored together in the database.
It should be understood that because the service information and the protection log are stored together in the database, the system can compare the information in the database: even when the service network addresses of two protection logs are the same (for example, service A and service B are both at 192.168.1.100), the system can tell the services apart by the service information stored with each log. This realizes WAF service traffic isolation and avoids the situation in which the WAF cannot deploy several services at the same time.
In summary, in the service traffic isolation method of the above embodiment, the number of actual services is acquired and, using the network namespace mechanism provided by the system, the one or more physical network interfaces connected to each actual service are placed in different network namespaces; a corresponding traffic detection process is created in each network namespace to detect and protect the traffic on the physical network interfaces in that namespace in real time. The network traffic of the physical network interfaces therefore runs in different network protocol stacks, which realizes WAF service traffic isolation.
Example III
Referring to fig. 3, a traffic isolation method in a third embodiment of the present invention is applied to a WAF device, where a plurality of physical network interfaces are provided on the WAF device, and the method specifically includes steps S301 to S308:
s301, configuring service basic information with the same network address, wherein the service basic information at least comprises an IP address and a service port where a service is located, and different services with the same IP address configure different service ports;
in specific implementation, the service, namely, the site configured on the WAF, is configured by the following method: basic information of a station is added in the station management of the WAF, including a station name, an IP address, a port, and a physical network interface name of the WAF connected to the station.
S302, acquiring the number of actual services, creating a plurality of network namespaces according to the number of the actual services, and dividing the physical network interfaces correspondingly connected with the actual services into the network namespaces in sequence;
in a specific implementation, the system acquires the number of actual services, and creates a plurality of network namespaces according to the number of actual services, wherein the creation of the network namespaces can be completed through a linux command ip netns, and a network namespace named demo is created as ip netns add demo. It should be appreciated that in other alternative embodiments, the manner in which the network namespaces are created may be other system commands.
The system sequentially divides physical network interfaces which are correspondingly connected with actual services into network namespaces, wherein the network namespaces are provided with unique network namespaces identifiers, different network namespaces are provided with independent network protocol stacks, and the physical network interfaces cannot be simultaneously positioned in two or more network namespaces.
S303, creating a corresponding flow detection process in the network naming space;
In a specific implementation, the traffic detection process is a program running on the WAF that receives, analyzes and forwards the packets passing through the WAF physical network interfaces, and each network namespace has its own corresponding traffic detection process.
The traffic detection process may be created with the linux command ip netns exec: if the traffic detection process needs to be created in a network namespace named demo, ip netns exec demo /path/to/check_program is executed, where /path/to/check_program is the location on disk of the executable file of the traffic detection process.
It should be appreciated that in other alternative embodiments, the manner in which the flow detection process is created may be other system commands.
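As an added illustration of steps S301 to S303 (this is not code from the patent or from the applicant), the following Python script turns a list of configured services into the ip netns and ip link commands that create one network namespace per service, move each physical interface into exactly one namespace and start the detection process inside it. It also checks the two constraints the description states: services sharing an IP address must use different ports, and a physical interface cannot belong to two namespaces. The namespace naming scheme, the --netns-id option handed to check_program and the sample services are assumptions.

```python
"""Added example: plan the per-service network namespaces of a WAF (steps S301-S303)."""
import shlex
import subprocess
from dataclasses import dataclass

CHECK_PROGRAM = "/path/to/check_program"  # placeholder path taken from the description


@dataclass(frozen=True)
class Service:
    """Service basic information as configured in step S301 (constructed fields)."""
    name: str      # site name
    ip: str        # IP address the service is located at
    port: int      # service port; must differ between services that share an IP
    iface: str     # physical WAF interface connected to this service


def netns_name(service):
    """Assumed naming scheme: one namespace per actual service, derived from the site name."""
    return f"ns_{service.name}"


def validate(services):
    """Enforce the constraints stated in S301 and S302."""
    endpoints, ifaces = set(), set()
    for s in services:
        if (s.ip, s.port) in endpoints:
            raise ValueError(f"{s.name}: {s.ip}:{s.port} is already used; "
                             "services sharing an IP need different ports")
        endpoints.add((s.ip, s.port))
        if s.iface in ifaces:
            raise ValueError(f"{s.name}: interface {s.iface} cannot be in two network namespaces")
        ifaces.add(s.iface)


def plan_commands(services):
    """Return the ip(8) commands, in order, that realise S302 and S303 for each service."""
    validate(services)
    cmds = []
    for s in services:
        ns = netns_name(s)
        cmds.append(f"ip netns add {ns}")                          # S302: create the namespace
        cmds.append(f"ip link set dev {s.iface} netns {ns}")       # S302: move the interface into it
        cmds.append(f"ip netns exec {ns} ip link set dev {s.iface} up")
        # S303: start the detection process inside the namespace. The --netns-id option is an
        # assumption about check_program; it lets the process tag its protection logs (S305).
        # A real check_program is long-running and would be launched in the background.
        cmds.append(f"ip netns exec {ns} {CHECK_PROGRAM} --netns-id {ns}")
    return cmds


def apply_plan(services, dry_run=True):
    """Print the plan (default) or execute it; execution needs CAP_NET_ADMIN on a Linux host."""
    cmds = plan_commands(services)
    for cmd in cmds:
        if dry_run:
            print(cmd)
        else:
            subprocess.run(shlex.split(cmd), check=True)
    return cmds


if __name__ == "__main__":
    # Constructed sample: two services on the same IP, with different ports and interfaces.
    apply_plan([Service("siteA", "192.168.1.100", 80, "eth1"),
                Service("siteB", "192.168.1.100", 8080, "eth2")])
```

Running the script without arguments only prints the plan; passing dry_run=False executes it and therefore requires root privileges and real interface names. The validation step is where a misconfiguration (two sites on the same IP and port, or one interface assigned twice) is caught before any namespace is created.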
S304, continuously detecting the traffic on the physical network interface in the network namespace where the traffic detection process is located, and performing protection processing on the traffic according to a security protection policy;
In a specific implementation, the traffic detection process is executed so that it continuously detects the traffic on the physical network interface in the network namespace where it is located and protects the traffic according to a security protection policy, where the security protection policy refers to the rules with which the software system processes a network data packet in which an attack has been detected, such as discarding the data packet, blocking the TCP network connection corresponding to the data packet, logging the HTTP request corresponding to the data packet, and the like.
S305, generating a protection log according to the protection processing result and the network namespace identification of the corresponding network namespace;
S306, reading the network namespace identifier in the protection log, querying the corresponding service information according to the network namespace identifier, and storing the service information and the protection log in a database correspondingly;
In a specific implementation, the system reads the network namespace identifier in the protection log, queries the corresponding service information according to that identifier, and stores the service information together with the protection log in a database.
It should be understood that, because the service information and the protection log are stored correspondingly in the database, the system can compare the information in the database; when the service network addresses corresponding to several protection logs are the same (for example, service A and service B are both located at IP address 192.168.1.100), the system can still distinguish the services according to the service information corresponding to each service, thereby realizing WAF service traffic isolation and avoiding the situation in which the WAF cannot deploy a plurality of tasks at the same time.
S307, when a database viewing instruction is acquired, displaying the protection log and the service information on a display module, where the database viewing instruction is the instruction sent when a user triggers a viewing button;
When the system acquires the database viewing instruction, the protection log and the service information are transmitted to the corresponding display module for display.
S308, displaying the protection log information and a hidden identifier corresponding to the service information on the display module;
and when a triggering event aimed at the hidden identifier is detected, expanding and displaying the corresponding service information on the display module.
In a specific implementation, the protection log is displayed on the display module for the user to view as usual, together with the hidden identifier corresponding to the service information, so that the user can view the protection log and the service information in real time according to the operating situation.
It should be understood that the user may also trigger the hidden information viewing button to activate a hidden information viewing instruction, view the service information in real time, and distinguish different services according to the service information, so as to implement WAF service traffic isolation and avoid the situation in which the WAF cannot deploy multiple tasks at the same time.
When the system detects that the service network addresses corresponding to a plurality of protection logs are the same (for example, service A and service B are both located at IP address 192.168.1.100), the corresponding hidden information viewing instruction is activated and the corresponding service information is expanded and displayed on the display module.
It can be understood that when the system detects that the service network addresses corresponding to a plurality of protection logs are the same (for example, service A and service B are both located at IP address 192.168.1.100), the system can distinguish the plurality of services according to the service information corresponding to each service, thereby realizing WAF service traffic isolation and avoiding the situation in which the WAF cannot deploy a plurality of tasks at the same time.
In summary, in the service traffic isolation method of the above embodiment of the present invention, the network namespace mechanism provided by the system is used: the number of actual services is obtained, one or more physical network interfaces corresponding to the actual services are divided into different network namespaces, and a corresponding traffic detection process is created in each network namespace to detect the traffic on the physical network interfaces in its network namespace in real time and perform protection processing, so that the network traffic corresponding to each physical network interface runs in a different network protocol stack, thereby implementing WAF service traffic isolation.
Example four
In another aspect, referring to fig. 4, a service traffic isolation system in a fourth embodiment of the present invention is shown, and is applied to a WAF device, where the WAF device is provided with a plurality of physical network interfaces, and the service traffic isolation system includes:
The configuration module 11 is configured to configure service basic information for services with the same network address, where the service basic information at least includes the IP address and the service port where a service is located, and different services with the same IP address are configured with different service ports.
The first creating module 12 is configured to obtain the number of actual services, create a plurality of network namespaces according to the number of actual services, and sequentially divide the physical network interfaces correspondingly connected to the actual services into the network namespaces;
a second creating module 13, configured to create a corresponding traffic detection process in the network namespace;
the execution module 14 is configured to execute the traffic detection process, so as to perform protection processing on the traffic on the physical network interface in the network namespace where the traffic detection process is located, and generate a protection log according to the protection processing result and the network namespace identifier of the corresponding network namespace;
further, the execution module 14 includes:
a processing unit 141, configured to continuously detect the traffic on the physical network interface in the network namespace where the traffic detection process is located, and perform protection processing on the traffic according to a security protection policy.
The reading module 15 is configured to read the network namespace identifier in the protection log, query the corresponding service information according to the network namespace identifier, and store the service information in a database correspondingly with the protection log.
The control module 16 is configured to display the protection log and the service information on the display module when a database viewing instruction is acquired, where the database viewing instruction is the instruction sent when a user triggers a viewing button;
further, the control module 16 includes:
a display unit 161, configured to display the protection log information and a hidden identifier corresponding to the service information on a display module;
and when a triggering event aimed at the hidden identifier is detected, the corresponding service information is expanded and displayed on the display module.
In summary, in the service traffic isolation system of the above embodiment of the present invention, the configuration module 11 configures service basic information for services with the same network address; the first creating module 12 obtains the number of actual services, creates network namespaces according to that number, and divides the one or more physical network interfaces corresponding to the actual services into different network namespaces; the second creating module 13 creates a corresponding traffic detection process in each network namespace; the execution module 14 executes the traffic detection process to detect the traffic on the physical network interface in its network namespace in real time and perform protection processing; the reading module 15 then reads the network namespace identifier in the protection log, queries the corresponding service information according to that identifier, and stores the service information and the protection log in the database correspondingly, so that the system or the user can tell apart services with the same network address; and the control module 16 displays and processes the corresponding protection log and service information. As a result, the network traffic corresponding to each physical network interface operates in a different network protocol stack, realizing WAF service traffic isolation.
Example five
The present invention also proposes a traffic isolation device, please refer to fig. 5, which shows a traffic isolation device in a fifth embodiment of the present invention, comprising a server, the server comprising a memory 10, a processor 20 and a computer program 30 stored in the memory 10 and capable of running on the processor 20, wherein the processor 20 implements the traffic isolation method when executing the computer program 30.
In a specific implementation, the processor 20 acquires the number of actual services, creates a plurality of network namespaces according to the number of actual services, and sequentially divides the physical network interfaces correspondingly connected with the actual services into the network namespaces;
the processor 20 creates a corresponding traffic detection process within the network namespace;
the processor 20 executes the traffic detection process to perform protection processing on the traffic on the physical network interface in the network namespace where the traffic detection process is located, and generates a protection log according to the protection processing result and the network namespace identifier of the corresponding network namespace;
the processor 20 reads the network namespace identifier in the protection log, queries the corresponding service information according to the network namespace identifier, and stores the service information in a database correspondingly with the protection log.
The memory 10 includes at least one type of readable storage medium including flash memory, a hard disk, a multimedia card, a card memory (e.g., SD or DX memory, etc.), a magnetic memory, a magnetic disk, an optical disk, etc. The memory 10 may in some embodiments be an internal storage unit of a vehicle, such as a hard disk of the vehicle. The memory 10 may also be an external storage device of the vehicle in other embodiments, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash Card (Flash Card) or the like, which are provided on the vehicle. Further, the memory 10 may also include both internal storage units and external storage devices of the vehicle. The memory 10 may be used not only for storing application software installed in a vehicle and various types of data, but also for temporarily storing data that has been output or is to be output.
The processor 20 may be, in some embodiments, an electronic control unit (Electronic Control Unit, ECU), a central processing unit (Central Processing Unit, CPU), a controller, a microcontroller, a microprocessor, or other data processing chip, for executing program codes or processing data stored in the memory 10, such as executing an access restriction program, or the like.
It should be noted that the structure shown in fig. 5 does not constitute a limitation of the traffic isolation device, and in other embodiments, the traffic isolation device may include fewer or more components than shown, or may combine certain components, or may have a different arrangement of components.
According to the service traffic isolation device provided by the invention, through the network namespace mechanism provided by the system, the number of actual services is acquired and the one or more physical network interfaces correspondingly connected with the actual services are divided into different network namespaces, while corresponding traffic detection processes are created in the network namespaces to detect the traffic on the physical network interfaces in those network namespaces in real time and perform protection processing, so that the network traffic corresponding to each physical network interface operates in a different network protocol stack, thereby realizing WAF service traffic isolation.
The embodiment of the invention also provides a readable storage medium, on which a computer program is stored, which when executed by a processor implements the traffic isolation method as described above.
Those of skill in the art will appreciate that the logic and/or steps represented in the flow diagrams or otherwise described herein, e.g., an ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer readable medium may even be paper or other suitable medium on which the program is printed, as the program may be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
It is to be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented using any one or a combination of the following techniques, as is well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application specific integrated circuits having suitable combinational logic gates, Programmable Gate Arrays (PGAs), Field Programmable Gate Arrays (FPGAs), and the like.
The technical features of the above-described embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above-described embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples merely represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the invention. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application is to be determined by the claims appended hereto.

Claims (9)

1. The service flow isolation method is applied to WAF equipment, and a plurality of physical network interfaces are arranged on the WAF equipment, and is characterized by comprising the following steps:
configuring service basic information with the same network address, wherein the service basic information at least comprises an IP address and a service port where a service is located, and different service ports are configured for different services with the same IP address;
acquiring the number of actual services, creating a plurality of network namespaces according to the number of the actual services, and dividing the physical network interfaces correspondingly connected with the actual services into the network namespaces in sequence; wherein the network namespace has a unique network namespace identifier therein;
creating a corresponding flow detection process in the network namespace;
executing the flow detection process to perform protection processing on the flow on the physical network interface in the network namespace where the flow detection process is located, and generating a protection log according to the protection processing result and the network namespace identifier of the corresponding network namespace;
and reading the network namespace identifier in the protection log, querying the corresponding service information according to the network namespace identifier, and storing the service information and the protection log in a database correspondingly.
2. The traffic isolation method according to claim 1, wherein the step of executing the traffic detection process to perform protection processing on traffic on the physical network interface in the network namespace where the traffic detection process is located specifically comprises:
and continuously detecting the traffic on the physical network interface in the network namespace where the traffic detection process is located, and performing protection processing on the traffic according to a security protection policy.
3. The traffic isolation method according to claim 1, wherein after the step of querying the corresponding service information according to the network namespace identifier and storing the service information in a database correspondingly with the protection log, the method further comprises:
when a database checking instruction is acquired, the protection log and the service information are displayed on a display module, wherein the database checking instruction is an instruction sent by a user when a checking key is triggered.
4. The traffic isolation method according to claim 3, wherein the step of displaying the protection log and the service information comprises:
displaying the protection log information and a hidden identifier corresponding to the service information on a display module;
and when a triggering event aimed at the hidden identifier is detected, expanding and displaying the corresponding service information on the display module.
5. A traffic isolation system for a WAF device, the WAF device having a plurality of physical network interfaces thereon, the traffic isolation system comprising:
the configuration module is used for configuring service basic information with the same network address, wherein the service basic information at least comprises an IP address and a service port where a service is located, and different services with the same IP address configure different service ports;
the first creation module is used for obtaining the number of actual services, creating a plurality of network namespaces according to the number of the actual services, and dividing the physical network interfaces correspondingly connected with the actual services into the network namespaces in sequence; wherein the network namespace has a unique network namespace identifier therein;
the second creation module is used for creating a corresponding traffic detection process in the network namespace;
the execution module is used for executing the traffic detection process to perform protection processing on the traffic on the physical network interface in the network namespace where the traffic detection process is located, and generating a protection log according to the protection processing result and the network namespace identifier of the corresponding network namespace;
and the reading module is used for reading the network namespace identifier in the protection log, querying the corresponding service information according to the network namespace identifier, and storing the service information and the protection log in a database correspondingly.
6. The traffic isolation system according to claim 5, wherein said system further comprises:
the configuration module is used for configuring the service basic information with the same network address, wherein the service basic information at least comprises an IP address and a service port where the service is located, and different service ports are configured for different services with the same IP address.
7. The traffic isolation system according to claim 5, wherein said execution module comprises:
and the processing unit is used for continuously detecting the traffic on the physical network interface in the network namespace where the traffic detection process is located, and performing protection processing on the traffic according to a security protection policy.
8. A readable storage medium having stored thereon a computer program, which when executed by a processor implements a traffic isolation method according to any of claims 1 to 4.
9. A traffic isolation device comprising a server comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the traffic isolation method according to any of claims 1 to 4 when executing the computer program.
CN202110918832.1A 2021-08-11 2021-08-11 Service traffic isolation method, system, readable storage medium and device Active CN113660248B (en)
Publications (2)

Publication Number Publication Date
CN113660248A CN113660248A (en) 2021-11-16
CN113660248B true CN113660248B (en) 2023-05-26
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant