CN113839824A - Flow auditing method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN113839824A
Authority
CN
China
Prior art keywords
cpe
flow
traffic
auditing
networking
Legal status: Pending
Application number
CN202010514500.2A
Other languages
Chinese (zh)
Inventor
白健
葛珅
谈文彬
樊俊诚
张卓
张代睿
高继明
田朋
Current Assignee
Qax Technology Group Inc
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qax Technology Group Inc
Secworld Information Technology Beijing Co Ltd
Application filed by Qax Technology Group Inc and Secworld Information Technology Beijing Co Ltd
Priority to CN202010514500.2A
Publication of CN113839824A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/50 Testing arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention provides a traffic auditing method and device, an electronic device and a storage medium. The method comprises the following steps: networking a plurality of Customer Premise Equipment (CPE) to be subjected to traffic audit based on a Software Defined Network (SDN); mirroring the traffic of each CPE to a preset CPE central node through an encapsulation technology, and introducing the traffic of each CPE to a traffic analysis sensor through the CPE central node, so as to realize traffic audit of each CPE. The invention replaces the original traffic auditing mode, in which mirrored traffic is localized by a VPN method, with a traffic auditing mode in which the whole network is covered by SDN networking. In addition, because the invention does not depend on accessing the CPE central node through a VPN to perform traffic audit, no login is needed for every use, so the traffic audit process becomes simple and effective.

Description

Flow auditing method and device, electronic equipment and storage medium
Technical Field
The invention relates to the technical field of computers, in particular to a flow auditing method and device, electronic equipment and a storage medium.
Background
In the prior art, a CPE generally dials in through a VPN, and the traffic enters a traffic analysis sensor directly, so that traffic audit is performed by localized mirroring of traffic.
The disadvantages of this implementation are:
① a login is needed for each use, and the steps are complicated;
② a single IP egress results in global blacklisting;
③ the testable scenarios are few, since only a PC and a test destination are provided;
④ the requirement of traffic audit in an intranet environment cannot be met.
Disclosure of Invention
To solve the problems in the prior art, embodiments of the present invention provide a method and an apparatus for traffic auditing, an electronic device, and a storage medium.
Specifically, the embodiment of the invention provides the following technical scheme:
in a first aspect, an embodiment of the present invention provides a traffic auditing method, including:
networking a plurality of Customer Premise Equipment (CPE) to be subjected to traffic audit based on a Software Defined Network (SDN);
mirroring the traffic of each CPE to a preset CPE central node through an encapsulation technology, and introducing the traffic of each CPE to a traffic analysis sensor through the CPE central node, so as to realize traffic audit of each CPE.
Further, mirroring the traffic of each CPE to a preset CPE central node through the encapsulation technology includes:
mirroring the traffic of each CPE to a preset CPE central node through the Generic Routing Encapsulation (GRE) technology;
or, alternatively,
mirroring the traffic of each CPE to a preset CPE central node by using the Encapsulated Remote Port Mirroring (ERSPAN) technology.
Further, mirroring the traffic of each CPE to a preset CPE central node through the Generic Routing Encapsulation GRE technology includes:
mirroring the traffic of each CPE to a preset CPE central node by using the GRE over IPsec technology.
Further, when the traffic of each CPE is mirrored to a preset CPE central node by the encapsulation technology, the branch of each CPE is located by means of a GRE key.
Further, networking a plurality of customer premise equipment CPEs to be subjected to traffic auditing based on the software defined network SDN includes:
networking a plurality of Customer Premise Equipment (CPE) to be subjected to traffic audit based on the Software Defined Wide Area Network (SDWAN).
Further, the traffic auditing method further includes:
acquiring the traffic data of each CPE collected by the traffic analysis sensor, and performing traffic analysis according to the IP address and domain name of each CPE.
In a second aspect, an embodiment of the present invention further provides a flow auditing apparatus, including:
a networking module, configured to network a plurality of Customer Premise Equipment (CPE) to be subjected to traffic auditing based on a Software Defined Network (SDN); and
a traffic auditing module, configured to mirror the traffic of each CPE to a preset CPE central node through an encapsulation technology, and to introduce the traffic of each CPE to the traffic analysis sensor through the CPE central node, so as to realize the traffic auditing of each CPE.
In a third aspect, an embodiment of the present invention further provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor executes the computer program to implement the steps of the traffic auditing method according to the first aspect.
In a fourth aspect, the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the traffic auditing method according to the first aspect.
In a fifth aspect, an embodiment of the present invention further provides a computer program product, where the computer program product includes a computer program, and when the computer program is executed by a processor, the computer program implements the steps of the traffic auditing method according to the first aspect.
As can be seen from the above technical solutions, the traffic auditing method, apparatus, electronic device and storage medium provided in the embodiments of the present invention implement traffic auditing of each CPE by networking a plurality of customer premise equipment CPEs to be subjected to traffic auditing based on a software defined network SDN, mirroring the traffic of each CPE to a preset CPE central node through an encapsulation technique, and introducing the traffic of each CPE to a traffic analysis sensor through the CPE central node. Therefore, the embodiment of the invention replaces the original traffic auditing mode of localizing mirrored traffic through a VPN method with a mode in which traffic auditing of the whole network is realized through the SDN network, so that the embodiment can analyze the full traffic. In addition, because the embodiment does not depend on accessing the CPE central node through a VPN to perform traffic auditing, it does not need a login for every use, so the traffic auditing process becomes simple and effective. In addition, because the SDN networking mode is adopted, the single IP egress caused by the VPN mode of the prior art is avoided, and so is the consequence of global blacklisting. In addition, networking the multiple CPE devices through the SDN enriches the test scenarios. In addition, because the SDN networking mode is adopted, the embodiment can also cope with an intranet environment.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a flow chart of a method for traffic auditing according to an embodiment of the present invention;
FIG. 2 is a schematic diagram illustrating the architecture of a software defined network SDN according to an embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating the implementation principle of a traffic auditing method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a GRE packet encapsulation structure according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a traffic auditing apparatus according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The current general technology performs traffic audit by localizing mirrored traffic through a VPN. The invention overturns the original architecture: it defines the network type as multi-node networking through the SDN, and can realize full traffic analysis while ensuring security. In addition, the invention can also realize timely response and point-to-point networking. The traffic auditing method provided by the invention is explained in detail below through specific embodiments.
Fig. 1 shows a flowchart of a traffic auditing method provided by an embodiment of the present invention. As shown in fig. 1, the method for auditing traffic according to the embodiment of the present invention includes the following steps:
step 101: networking a plurality of Customer Premise Equipment (CPE) to be subjected to flow audit based on a Software Defined Network (SDN);
in this step, a Software Defined Network (SDN) is a novel Network innovation architecture, and is an implementation manner of Network virtualization. By separating the control plane and the data plane of the network equipment through the core technology OpenFlow, the flexible control of network flow is realized, the network becomes more intelligent as a pipeline, and a good platform is provided for innovation of a core network and application. To make the software defined network SDN more understood, this step is additionally explained as follows: with the idea of layering, software defined networks SDN separate data from control. And the control layer comprises a logic centralized and programmable controller, so that the global network information can be mastered, the network can be managed and configured conveniently, a new protocol can be deployed, and the like. In a data layer, the switch is included, and the switch only provides a simple data forwarding function, can quickly process matched data packets, and is suitable for the increasing demand of flow. And the two layers interact by adopting an open unified interface such as OpenFlow and the like. The controller sends the uniform standard rules to the switch through the standard interface, and the switch only needs to execute corresponding actions according to the rules. Therefore, the idea of the software defined network SDN is to centralize the control logic of the switching device in the network on one computing device by separating control and forwarding, and a new idea is brought to improve the network management configuration capability. The essential features of SDN are the separation of control and data planes and open programmability. By separating the control plane and the data plane and the open communication protocol, the SDN breaks the seal of the traditional network devices. Referring to the schematic diagram of the overall SDN architecture shown in fig. 
2, a data plane is composed of network general hardware such as switches, and SDN data paths formed by different rules are connected between network devices; the control plane comprises a SDN controller which is logically used as a center, grasps global network information and is responsible for controlling various forwarding rules; the application plane contains various SDN-based network applications, and users can program and deploy new applications without concern for underlying details. The control plane and the data plane communicate with each other through a SDN control data plane interface (CDPI for short), and the CDPI has a unified communication standard, is mainly responsible for issuing a forwarding rule in a controller to a forwarding device, and is mainly applied to an OpenFlow protocol. The control plane and the application plane communicate with each other through an SDN northbound interface (NBI), which is not a unified standard and allows users to customize and develop various network management applications according to their own needs. The SDN interface has openness, a controller is used as a logic center, a southbound interface is responsible for communicating with a data plane, a northbound interface is responsible for communicating with an application plane, and an east-west interface is responsible for communicating among multiple controllers. The most prevalent southbound interface CDPI employs the OpenFlow protocol. The most basic characteristic of OpenFlow is that forwarding rules are matched based on the concept of Flow, each switch maintains a Flow Table, forwarding is performed according to the forwarding rules in the Flow Table, and the establishment, maintenance and issuing of the Flow Table are completed by a controller. 
And aiming at the northbound interface, the application program calls various required network resources through the programming of the northbound interface, so that the rapid configuration and deployment of the network are realized. The east-west interface enables the controller to have expandability and provides technical support for load balancing and performance improvement.
In this step, a plurality of Customer Premise Equipment (CPE) to be subjected to traffic auditing are networked based on a Software Defined Network (SDN). The customer premise equipment CPE is a mobile signal access device that receives a mobile signal and forwards it as a wireless WiFi signal; that is, a device that converts a high-speed 4G or 5G signal into a WiFi signal.
In this step, a plurality of CPEs are networked based on the software defined network SDN so as to facilitate traffic monitoring of the CPEs in the network and perform full traffic analysis on them. In addition, it should be noted that, because the traffic analysis sensor needs to interact with the CPE central node to obtain traffic, networking the plurality of CPEs through the SDN not only facilitates traffic monitoring and full traffic analysis of the CPEs in the network, but also eliminates the need for a VPN (virtual private network), because traffic transmission between the networked CPEs and the CPE central node can use an encapsulation method; therefore, the embodiment does not rely on VPN access to the CPE central node for traffic auditing, does not need a login for every use, and the traffic auditing process becomes simple and effective. In addition, the embodiment replaces the original traffic auditing mode of localizing mirrored traffic by a VPN method with a mode in which the whole network is covered by SDN networking, so that full traffic analysis can be realized.
Step 102: mirroring the traffic of each CPE to a preset CPE central node through an encapsulation technology, and introducing the traffic of each CPE to a traffic analysis sensor through the CPE central node, so as to realize traffic audit of each CPE.
In this step, traffic transmission between the networked CPEs and the CPE central node may be implemented by an encapsulation technique. Specifically, the traffic of each CPE may be mirrored to a preset CPE central node by the encapsulation technique, and the traffic of each CPE is introduced to the traffic analysis sensor by the CPE central node, so as to implement traffic audit of each CPE. In this embodiment, the traffic analysis sensor may be implemented using a traffic probe. In this way, the traffic audit of each CPE is realized on the basis of the software defined network SDN networking mode. The traffic auditing method provided by the present embodiment is explained below with reference to FIG. 3.
Two traffic auditing approaches are illustrated in FIG. 3: one is the conventional VPN approach; the other is the method provided by this embodiment, the software defined network SDN networking mode.
As can be seen from FIG. 3, in the first, VPN approach, CPE01 dials into the CPE central node (CPE02 in FIG. 3) through the VPN and the traffic then enters the probe directly. In the second, software defined network SDN networking approach, a plurality of CPEs 100 are networked by the SDN, their traffic is mirrored to the CPE central node (CPE02 in FIG. 3) by the GRE over IPsec technology, and after arriving at the CPE central node the traffic is introduced to the traffic analysis sensor.
In this embodiment, it should be noted that the CPE01 and the CPE02 in fig. 3 may be deployed separately, or one device may be used to bear two access modes.
In this embodiment, after the traffic analysis sensor collects the traffic data of each CPE, the traffic data of each CPE collected by the traffic analysis sensor is acquired and subjected to traffic analysis.
In this embodiment, it should be noted that the traffic auditing method provided in this embodiment may be used in an HTTPS traffic auditing scenario, so as to implement HTTPS traffic auditing. Specifically, a plurality of customer premise equipment CPEs to be subjected to HTTPS traffic auditing may be networked based on a software defined network SDN, traffic of each CPE is mirrored to a preset CPE central node by an encapsulation technique, and traffic of each CPE is introduced to a traffic analysis sensor through the CPE central node, so as to implement traffic auditing of each CPE.
In this embodiment, it should be noted that, for the HTTPS decryption process, either near-end decryption or far-end decryption may be used, which is not limited in this embodiment. As can be seen from the above technical solutions, in the traffic auditing method provided in this embodiment, a plurality of customer premises equipment CPEs to be subjected to traffic auditing are networked based on a software defined network SDN, the traffic of each CPE is then mirrored to a preset CPE central node by using an encapsulation technology, and the traffic of each CPE is introduced to a traffic analysis sensor through the CPE central node, so as to implement traffic auditing of each CPE. Therefore, this embodiment replaces the original traffic auditing mode of localizing mirrored traffic by a VPN method with the SDN mode, in which traffic auditing of the whole network is realized. In addition, because the embodiment does not depend on accessing the CPE central node through a VPN to perform traffic auditing, it does not need a login for every use, so the traffic auditing process becomes simple and effective. In addition, because the SDN networking mode is adopted, the single IP egress caused by the VPN mode of the prior art is avoided, and so is the consequence of global blacklisting. In addition, networking multiple CPE devices through the SDN enriches the test scenarios. In addition, because the SDN networking mode is adopted, the embodiment can also cope with an intranet environment.
Based on the content of each of the above embodiments, in this embodiment, mirroring the traffic of each CPE to a preset CPE central node by using an encapsulation technology includes: mirroring the traffic of each CPE to a preset CPE central node through the Generic Routing Encapsulation (GRE) technology.
In this embodiment, Generic Routing Encapsulation (GRE) is a Layer 3 VPN encapsulation technology. GRE can encapsulate packets of certain network layer protocols (such as IPX, MPLS, Ethernet, AppleTalk, IP, etc.) so that the encapsulated packets can be transmitted in another network (such as IPv4), thereby solving the problem of packet transmission across heterogeneous networks. The network layer protocols of the data packets before and after encapsulation may be the same or different. The path along which the encapsulated data packet is transmitted in the network is called a GRE tunnel. The GRE tunnel is a virtual point-to-point connection, and the devices at its two ends encapsulate and decapsulate the data packets respectively. FIG. 4 is a schematic diagram of the GRE packet encapsulation structure, where:
Payload packet: the data message that needs to be encapsulated and transmitted. The protocol type of the payload data is called the Passenger Protocol, which may be any network layer protocol.
GRE header: the message header added by encapsulating the payload data with the GRE protocol; it includes the number of encapsulation layers, the version, the passenger protocol type, the checksum information, the Key information and so on. A message to which a GRE header has been added is called a GRE message. The GRE protocol that encapsulates the payload data is called the Encapsulation Protocol.
Delivery header: a message header added to the GRE message so that the transport protocol can forward it. The Delivery Protocol refers to the network layer protocol responsible for forwarding GRE messages.
The passenger protocols that GRE can carry include IPv4, IPv6 and MPLS. When the delivery protocol is IPv4, the GRE tunnel is called a GRE over IPv4 tunnel; when the delivery protocol is IPv6, the GRE tunnel is called a GRE over IPv6 tunnel.
In this embodiment, the traffic of each CPE is mirrored to a preset CPE center node by the generic routing encapsulation GRE technique, thereby completing effective transmission of the traffic of each networking CPE to the CPE center node, so that the CPE center node summarizes the traffic of all the CPEs in the entire network, and further facilitating the traffic analyzing sensor to obtain the traffic of all the CPEs in the entire network through the CPE center node.
Based on the content of each of the above embodiments, in this embodiment, mirroring the traffic of each CPE to a preset CPE central node through the Generic Routing Encapsulation GRE technology includes:
mirroring the traffic of each CPE to a preset CPE central node by using the GRE over IPsec technology.
In this embodiment, since GRE over IPsec is a relatively secure GRE encapsulation technology, it is adopted in this embodiment to mirror the traffic of each CPE to a preset CPE central node, so that full traffic analysis can be performed while security is ensured.
The GRE over IPsec encapsulation technique is explained as follows:
IPsec is a mainstream protocol for interconnecting sites; its strong encryption and verification functions ensure the security of private network data transmitted over the Internet. However, in the face of today's diversified access requirements, IPsec alone cannot meet the complex mutual-access requirements between private network segments of clients. In practical environments, two separated sites must establish routing neighbor relationships between their private networks through a tunnel, and IPsec itself has no routing capability, so the GRE over IPsec technology came along. When a dynamic routing protocol runs inside the GRE tunnel, the routes issued are the tunnel addresses and the private network routes. The public network devices need no route to the loopback interfaces of the two sites, since the traffic can be resolved through the GRE over IPsec message encapsulation. GRE over IPsec means that GRE is encapsulated inside an IPsec message; the encrypted traffic is the whole GRE tunnel, and as long as the private network data issued by the routing protocol running through the GRE tunnel is encrypted, data security is sufficiently ensured. In addition, because the outer header of GRE over IPsec is the IPsec header, either of the two IPsec tunnel modes, transport mode and tunnel mode, can be used flexibly according to the IP address situation between the border gateways; and because transport mode has a simpler encapsulation, it is lighter in traffic handling and software resource consumption than tunnel mode.
Based on the content of each embodiment described above, in this embodiment, when the traffic of each CPE is mirrored to a preset CPE central node by the encapsulation technology, the branch of each CPE is located by means of a GRE key.
In this embodiment, when the traffic of each CPE is mirrored to a preset CPE central node by the encapsulation technique, the branch of each CPE is located by means of a GRE key.
In this embodiment, GRE supports the GRE Key verification security mechanism. The validity of a message can be checked by GRE Key verification: the sender carries its locally configured GRE Key in the sent message; after receiving the message, the receiver compares the GRE Key in the message with its own locally configured GRE Key, and if they are consistent the message is further processed, otherwise the message is discarded. Therefore, branch location of each CPE can be carried out in this manner: the branch of each CPE can be located simply by setting the GRE Key of each CPE branch to a different value.
Based on the content of each of the above embodiments, in this embodiment, mirroring the traffic of each CPE to a preset CPE central node by using an encapsulation technology includes: mirroring the traffic of each CPE to a preset CPE central node by using the Encapsulated Remote Port Mirroring (ERSPAN) technology.
In the present embodiment, Encapsulated Remote Switched Port Analyzer (ERSPAN) is an extension of remote port mirroring (RSPAN). In ordinary remote port mirroring, the mirrored data message can only be transmitted at Layer 2 and cannot cross a routed network; with encapsulated remote port mirroring, the mirrored message can be transmitted across routed networks. The function of ERSPAN is to encapsulate all mirrored messages into IP messages through a GRE tunnel and route them to the destination port of the remote mirroring device. Two device roles are involved in adopting the ERSPAN technology: the source switch and the destination switch. Source switch: the switch on which the encapsulated remote mirroring source port is located; it copies the messages of the source port to an output port, encapsulates them into IP messages through GRE for forwarding, and transmits them to the destination switch. Destination switch: the switch on which the encapsulated remote mirroring destination port is located; it decapsulates the GRE messages received on the mirroring destination port and then forwards the decapsulated messages to the monitoring device. It should be noted that, to implement the encapsulated remote port mirroring function, the GRE-encapsulated IP messages must be routable in the network to the destination mirroring device.
In this embodiment, it should be noted that, because ERSPAN copies the source port messages and sends the copies through GRE to the destination switch for analysis, the physical location of the collection server is not limited; in addition, by virtue of the User Defined Field (UDF) feature of the chip, ERSPAN can match at any offset of 1 to 126 bytes from the base field through an extended list, so session keywords can be matched to visualize sessions, for example the TCP three-way handshake and RDMA sessions; in addition, because ERSPAN supports setting a sampling rate and a message truncation length, the load on the destination server can be reduced. Therefore, in this embodiment, ERSPAN is adopted to mirror the traffic of each CPE to a preset CPE central node, which not only completes the basic traffic mirroring function but also has the above advantages.
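The GRE header layout, the receiver-side GRE Key check that locates each CPE branch, and the ERSPAN encapsulation described above, as an added example that is not code from the patent or its assignees. It assumes the central node holds a table mapping each branch's configured GRE Key to a branch name; the keys, branch names and packets are constructed, the header layouts follow RFC 2784/2890 for GRE and the ERSPAN Type II header format, and it also verifies the optional GRE checksum that the description lists among the header contents.

```python
# GRE Key branch location and ERSPAN Type II decoding at a CPE central node.
# Added example, not the patent's code; branch table, keys and packets are constructed.
import struct

GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000  # RFC 2784/2890
ETHERTYPE_IPV4, ETHERTYPE_ERSPAN_II = 0x0800, 0x88BE

# Constructed branch table (assumption): each CPE branch is configured with a
# distinct GRE Key, which is what lets the central node tell the branches apart.
BRANCH_BY_KEY = {0x00000101: "cpe-branch-01", 0x00000102: "cpe-branch-02"}


def _inet_checksum(data: bytes) -> int:
    """Ones' complement checksum used by the optional GRE checksum field."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(proto, payload, key=None, seq=None, with_checksum=False) -> bytes:
    """Sender side of the tunnel: wrap payload in a GRE header with optional fields."""
    flags, opt = 0, b""
    if with_checksum:
        flags, opt = flags | GRE_FLAG_CHECKSUM, opt + bytes(4)  # checksum + Reserved1
    if key is not None:
        flags, opt = flags | GRE_FLAG_KEY, opt + struct.pack("!I", key)
    if seq is not None:
        flags, opt = flags | GRE_FLAG_SEQ, opt + struct.pack("!I", seq)
    pkt = struct.pack("!HH", flags, proto) + opt + payload
    if with_checksum:  # fill in the checksum once the whole packet is known
        pkt = pkt[:4] + struct.pack("!H", _inet_checksum(pkt)) + pkt[6:]
    return pkt


def parse_gre(packet: bytes) -> dict:
    """Parse a GRE header; ValueError on truncation, unknown version or bad checksum."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:  # version field (low 3 bits) must be 0 for plain GRE
        raise ValueError("unsupported GRE version")
    if len(packet) < 4 + 4 * bin(flags & (GRE_FLAG_CHECKSUM | GRE_FLAG_KEY | GRE_FLAG_SEQ)).count("1"):
        raise ValueError("truncated GRE optional fields")
    hdr, offset = {"proto": proto, "key": None, "seq": None}, 4
    if flags & GRE_FLAG_CHECKSUM:
        if _inet_checksum(packet) != 0:  # a packet with a valid checksum sums to zero
            raise ValueError("GRE checksum mismatch")
        offset += 4
    if flags & GRE_FLAG_KEY:
        hdr["key"], offset = struct.unpack("!I", packet[offset:offset + 4])[0], offset + 4
    if flags & GRE_FLAG_SEQ:
        hdr["seq"], offset = struct.unpack("!I", packet[offset:offset + 4])[0], offset + 4
    hdr["payload"] = packet[offset:]
    return hdr


def erspan_session(payload: bytes) -> dict:
    """Decode the 8-byte ERSPAN Type II header in front of the mirrored frame."""
    if len(payload) < 8:
        raise ValueError("truncated ERSPAN header")
    w0, w1 = struct.unpack("!II", payload[:8])
    if w0 >> 28 != 1:
        raise ValueError("not ERSPAN Type II")
    return {"vlan": (w0 >> 16) & 0xFFF, "session_id": w0 & 0x3FF, "frame": payload[8:]}


def locate_branch(packet: bytes, branch_table=BRANCH_BY_KEY):
    """Receiver-side GRE Key check: a configured Key is processed, anything else discarded."""
    try:
        hdr = parse_gre(packet)
    except ValueError:
        return None  # malformed or corrupted: discard
    branch = branch_table.get(hdr["key"])  # Key absent or not configured -> None
    return None if branch is None else {
        "branch": branch, "proto": hdr["proto"], "seq": hdr["seq"], "payload": hdr["payload"]}


def audit_mirror_stream(packets, branch_table=BRANCH_BY_KEY) -> dict:
    """Tally mirrored traffic per CPE branch, as the sensor fed by the central node would."""
    summary = {"discarded": 0, "per_branch": {}}
    for pkt in packets:
        located = locate_branch(pkt, branch_table)
        if located is None:
            summary["discarded"] += 1
            continue
        entry = summary["per_branch"].setdefault(
            located["branch"], {"packets": 0, "bytes": 0, "erspan_sessions": set()})
        entry["packets"] += 1
        entry["bytes"] += len(located["payload"])
        if located["proto"] == ETHERTYPE_ERSPAN_II:
            entry["erspan_sessions"].add(erspan_session(located["payload"])["session_id"])
    return summary


# Constructed samples: a bare IPv4 header stub, and an ERSPAN Type II header
# (VLAN 100, session 7) followed by an Ethernet frame stub.
SAMPLE_IPV4 = bytes.fromhex("450000140001000040010000c0a80001c0a80002")
SAMPLE_ERSPAN = struct.pack("!II", (1 << 28) | (100 << 16) | 7, 0x1234) + bytes(14) + SAMPLE_IPV4
SAMPLE_PACKETS = [
    build_gre(ETHERTYPE_IPV4, SAMPLE_IPV4, key=0x101, with_checksum=True),  # branch 01
    build_gre(ETHERTYPE_ERSPAN_II, SAMPLE_ERSPAN, key=0x102, seq=1),        # branch 02, ERSPAN
    build_gre(ETHERTYPE_IPV4, SAMPLE_IPV4, key=0x999),                      # unknown key: discard
    build_gre(ETHERTYPE_IPV4, SAMPLE_IPV4),                                 # no key: discard
]
```

Calling `audit_mirror_stream(SAMPLE_PACKETS)` yields one packet per configured branch, the ERSPAN session 7 attributed to the second branch, and the two packets without a configured Key counted as discarded.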
Based on the content of the foregoing embodiments, in this embodiment, networking the plurality of customer premise equipment (CPE) devices to be subjected to traffic auditing based on the software defined network (SDN) includes:
networking the plurality of customer premise equipment (CPE) devices to be subjected to traffic auditing based on a software defined wide area network (SDWAN).
In this embodiment, an SDN service suited to the wide area network scenario, namely SDWAN, is used for networking. SDWAN (software defined wide area network) is the service formed by applying SDN technology to the wide area network scenario; it is used to connect enterprise networks, data centers, internet applications, and cloud services across a wide geographic area.
In this embodiment, the customer premise equipment (CPE) devices located in different regions are networked through the software defined wide area network (SDWAN), so that traffic monitoring, and further full traffic analysis, can be performed on the plurality of CPEs in the network. It should be noted that networking the plurality of CPEs through the SDN not only facilitates traffic monitoring and full traffic analysis of those CPEs, but also removes the need for a VPN, because traffic between the networked CPEs and the CPE central node can be carried by encapsulation. The embodiment therefore does not rely on VPN access for traffic auditing at the CPE central node and does not require a login for every use, which keeps the traffic auditing process simple and effective. In addition, the embodiment replaces the original traffic auditing mode, in which mirrored traffic was brought to a local site through a VPN, with full networking through an SDN network, so that full traffic analysis can be achieved. Because the SDN networking mode is adopted, the single-IP egress caused by the VPN mode of the prior art is avoided, and with it the consequence of being blacklisted globally. Networking multiple CPE devices through an SDN network also enriches the available test scenarios, and the SDN networking mode allows the method to cope with an intranet environment as well.
Based on the content of the foregoing embodiments, in this embodiment, the traffic auditing method further includes:
acquiring the traffic data of each CPE collected by the traffic analysis sensor, and performing traffic analysis according to the IP and the domain name of each CPE.
In this embodiment, the traffic of each CPE is mirrored to a preset CPE central node using the GRE over IPsec technique, so that the traffic of each networked CPE is reliably transmitted to the CPE central node, and the CPE central node aggregates the traffic of all CPEs in the whole network; this allows the traffic analysis sensor to obtain the traffic of all CPEs in the whole network through the CPE central node. Then, based on the traffic data of each CPE collected by the traffic analysis sensor, traffic analysis of each CPE can be performed according to the IP and the domain name of each CPE.
The traffic auditing method provided by this embodiment is explained below with reference to the comparison of two traffic auditing approaches illustrated in fig. 3 and to an example. Two traffic auditing approaches are illustrated in fig. 3: one is the conventional VPN approach; the other is the approach provided by this embodiment, namely software defined network (SDN) networking.
As can be seen from fig. 3, in the first approach (VPN), CPE01 dials into the CPE central node (CPE02 in fig. 3) through the VPN, and its traffic then enters the probe directly. In the second approach (SDN networking), the plurality of CPEs 100 are networked by SDN, their traffic is mirrored to the CPE central node (CPE02 in fig. 3) using GRE over IPsec, and on arrival at the CPE central node the traffic is introduced to the traffic analysis sensor. The traffic analysis sensor outputs the traffic in BP format to a distributed publish-subscribe messaging system; an ETL engine then performs IP enrichment, after which the subsequent analysis is carried out. When interfacing with the CPEs, branch location is performed by GRE key, and analysis is performed by IP and domain name.
In this embodiment, it should be noted that the distributed publish-subscribe messaging system may be implemented with a Kafka cluster, ActiveMQ, RabbitMQ, ZeroMQ, or the like. Example: the auditing requirements of a certain user in a penetration test scenario.
The user needs to carry out penetration tests against two addresses, www.demo.com and 101.101.101.101.
A total of 2 persons carry out the penetration test. Two nodes are prepared: 1 central node 10.10.10.1 and 1 branch node 10.10.10.2; networking and SSLVPN are enabled, and the branch node is networked with the central node.
Penetration tester A has a CPE installed; penetration tester B has an SSLVPN client installed.
A joins the network through the CPE at home, connects to the central node 10.10.10.1, and mirrors all test traffic to the central node.
B logs in through SSLVPN at home for the penetration test and connects to the branch node 10.10.10.2; the branch node carries the VPN traffic into the central node through a GRE tunnel, the central node aggregates it and sends the traffic to the traffic parser at the back end, where it is stored in the database.
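The analysis stage of the scenario above, in which sensor records are attributed to a branch by GRE key, enriched with domain names by the ETL step, and then analysed by IP and domain name, as an added Python example that is not the patent's own code. The flow-record format, the GRE keys 1001 and 1002, the DNS answers and the addresses 203.0.113.10 and 198.51.100.7 are constructed; the authorised targets www.demo.com and 101.101.101.101 come from the scenario. Beyond the page's description, the example also reports records whose GRE key matches no networked CPE, and connections to destinations outside the authorised targets, which is what an auditor of a penetration test wants to see.

```python
"""Central-node analysis: gre-key branch location, IP enrichment with domain names,
and per-branch scope statistics.  Added example (not the patent's code); data constructed."""
from typing import Dict, Iterable, List, Tuple

# Targets the user is authorised to test in the page's scenario.
AUTHORISED_TARGETS = {"www.demo.com", "101.101.101.101"}

# Constructed: GRE key -> branch, as configured on the central node (gre-key branch location).
BRANCH_BY_KEY: Dict[int, str] = {1001: "tester-A-CPE", 1002: "branch-10.10.10.2"}

# Constructed: DNS answers observed by the sensor (query name, answer IP), used for IP enrichment.
DNS_ANSWERS: List[Tuple[str, str]] = [("www.demo.com", "203.0.113.10"),
                                      ("cdn.example.net", "198.51.100.7")]

# Constructed flow records as the ETL stage would consume them from the message bus
# (the page's sensor output format is not reproduced here).
FLOW_RECORDS = [
    {"gre_key": 1001, "src": "192.168.1.10", "dst": "203.0.113.10", "dport": 443},
    {"gre_key": 1001, "src": "192.168.1.10", "dst": "101.101.101.101", "dport": 22},
    {"gre_key": 1002, "src": "10.8.0.5", "dst": "101.101.101.101", "dport": 80},
    {"gre_key": 1002, "src": "10.8.0.5", "dst": "198.51.100.7", "dport": 443},
    {"gre_key": 1003, "src": "172.16.0.9", "dst": "203.0.113.10", "dport": 443},  # unknown key
]


def build_dns_index(answers: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Passive-DNS style reverse index: answer IP -> sorted list of query names."""
    index: Dict[str, set] = {}
    for qname, ip in answers:
        index.setdefault(ip, set()).add(qname)
    return {ip: sorted(names) for ip, names in index.items()}


def enrich(record: dict, dns_index: Dict[str, List[str]], branch_by_key: Dict[int, str]) -> dict:
    """Attach the branch (from the GRE key), the destination's domain names, and a scope verdict."""
    names = dns_index.get(record["dst"], [])
    out = dict(record)
    out["branch"] = branch_by_key.get(record["gre_key"])      # None when the key is not configured
    out["dst_names"] = names
    out["in_scope"] = record["dst"] in AUTHORISED_TARGETS or any(n in AUTHORISED_TARGETS for n in names)
    return out


def audit(records: Iterable[dict], dns_index: Dict[str, List[str]], branch_by_key: Dict[int, str]) -> dict:
    """Per-branch in/out-of-scope counts, plus the records an auditor should review."""
    report = {"by_branch": {}, "out_of_scope": [], "unattributed": []}
    for rec in records:
        e = enrich(rec, dns_index, branch_by_key)
        if e["branch"] is None:            # traffic not attributable to any networked CPE
            report["unattributed"].append(e)
            continue
        stats = report["by_branch"].setdefault(e["branch"], {"in_scope": 0, "out_of_scope": 0})
        if e["in_scope"]:
            stats["in_scope"] += 1
        else:
            stats["out_of_scope"] += 1
            report["out_of_scope"].append(e)
    return report


if __name__ == "__main__":
    result = audit(FLOW_RECORDS, build_dns_index(DNS_ANSWERS), BRANCH_BY_KEY)
    for branch, stats in result["by_branch"].items():
        print(f"{branch}: {stats}")
    for e in result["out_of_scope"]:
        print("out of scope:", e["branch"], e["src"], "->", e["dst"], e["dst_names"])
    for e in result["unattributed"]:
        print("unknown gre-key:", e["gre_key"], e["src"], "->", e["dst"])
```

The domain-name enrichment is what lets a connection to 203.0.113.10 be recognised as traffic to www.demo.com; without it, analysis by IP alone would treat every resolved address as out of scope.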
Fig. 5 shows a schematic structural diagram of a traffic auditing apparatus provided by an embodiment of the present invention. As shown in fig. 5, the traffic auditing apparatus provided in this embodiment includes a networking module 21 and a traffic auditing module 22, wherein:
the networking module 21 is configured to network a plurality of customer premise equipment (CPE) devices to be subjected to traffic auditing based on a software defined network (SDN);
the traffic auditing module 22 is configured to mirror the traffic of each CPE to a preset CPE central node through an encapsulation technique, and to introduce the traffic of each CPE to a traffic analysis sensor through the CPE central node, so as to implement traffic auditing of each CPE.
Based on the content of the foregoing embodiments, in this embodiment, the traffic auditing module 22 is specifically configured to:
mirror the traffic of each CPE to a preset CPE central node through the generic routing encapsulation (GRE) technique.
Based on the content of the foregoing embodiments, in this embodiment, when mirroring the traffic of each CPE to the preset CPE central node through the encapsulation technique, the traffic auditing module 22 performs branch location of each CPE by GRE key.
Based on the content of the foregoing embodiments, in this embodiment, the networking module 21 is specifically configured to:
network the plurality of customer premise equipment (CPE) devices to be subjected to traffic auditing based on a software defined wide area network (SDWAN).
Based on the content of the foregoing embodiments, in this embodiment, the traffic auditing apparatus further includes:
a traffic analysis module, configured to acquire the traffic data of each CPE collected by the traffic analysis sensor and to perform traffic analysis according to the IP and the domain name of each CPE.
Since the traffic auditing apparatus provided by the embodiment of the present invention can be used to execute the traffic auditing method described in the above embodiment, and its working principle and beneficial effects are similar, a detailed description is omitted here; for specifics, refer to the introduction of the above embodiment.
In this embodiment, it should be noted that the modules of the apparatus according to the embodiment of the present invention may be integrated as a whole or disposed separately. The modules may be combined into one module, or further split into a plurality of sub-modules.
Based on the same inventive concept, another embodiment of the present invention provides an electronic device, which specifically includes the following components, with reference to fig. 6: a processor 301, a memory 302, a communication interface 303, and a communication bus 304;
the processor 301, the memory 302 and the communication interface 303 complete mutual communication through the communication bus 304;
the processor 301 is configured to call a computer program in the memory 302, and the processor implements all the steps of the above-mentioned traffic auditing method when executing the computer program, for example, the processor implements the following processes when executing the computer program: networking a plurality of Customer Premise Equipment (CPE) to be subjected to flow audit based on a Software Defined Network (SDN); the flow of each CPE is mirrored to a preset CPE center node through a packaging technology, and the flow of each CPE is introduced to a flow analysis sensor through the CPE center node so as to realize flow audit of each CPE.
It will be appreciated that the detailed functions and extended functions that the computer program may perform may be as described with reference to the above embodiments.
Based on the same inventive concept, a further embodiment of the present invention provides a non-transitory computer-readable storage medium having stored thereon a computer program, which when executed by a processor implements all the steps of the above-mentioned flow auditing method, for example, the processor implements the following processes when executing the computer program: networking a plurality of Customer Premise Equipment (CPE) to be subjected to flow audit based on a Software Defined Network (SDN); the flow of each CPE is mirrored to a preset CPE center node through a packaging technology, and the flow of each CPE is introduced to a flow analysis sensor through the CPE center node so as to realize flow audit of each CPE.
It will be appreciated that the detailed functions and extended functions that the computer program may perform may be as described with reference to the above embodiments.
Based on the same inventive concept, another embodiment of the present invention provides a computer program product, which includes a computer program, when being executed by a processor, the computer program implements all the steps of the above-mentioned associated application starting control method, for example, when the processor executes the computer program, the processor implements the following processes: networking a plurality of Customer Premise Equipment (CPE) to be subjected to flow audit based on a Software Defined Network (SDN); the flow of each CPE is mirrored to a preset CPE center node through a packaging technology, and the flow of each CPE is introduced to a flow analysis sensor through the CPE center node so as to realize flow audit of each CPE.
It will be appreciated that the detailed functions and extended functions that the computer program may perform may be as described with reference to the above embodiments.
In addition, the logic instructions in the memory may be implemented in the form of software functional units and may be stored in a computer readable storage medium when sold or used as a stand-alone product. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment of the present invention. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. Based on such understanding, the above technical solutions may be essentially or partially implemented in the form of software products, which may be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and include instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the traffic auditing method according to various embodiments or some parts of embodiments.
Moreover, in the present invention, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Furthermore, in the present disclosure, reference to the description of the terms "one embodiment," "some embodiments," "an example," "a specific example," or "some examples" or the like means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present disclosure. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for traffic auditing, comprising:
networking a plurality of Customer Premise Equipment (CPE) to be subjected to flow audit based on a Software Defined Network (SDN);
the flow of each CPE is mirrored to a preset CPE center node through a packaging technology, and the flow of each CPE is introduced to a flow analysis sensor through the CPE center node so as to realize flow audit of each CPE.
2. The traffic auditing method of claim 1, wherein mirroring the traffic of each CPE to a pre-provisioned CPE hub node via encapsulation techniques comprises:
mirroring the flow of each CPE to a preset CPE center node through a general routing encapsulation GRE technology;
or,
mirroring the flow of each CPE to a preset CPE central node through the encapsulated remote port mirroring (ERSPAN) technique.
3. The traffic auditing method of claim 2, where mirroring the traffic of each CPE to a preset CPE hub node via Generic Routing Encapsulation (GRE) comprises:
mirroring the flow of each CPE to a preset CPE central node through the GRE OVER IPSEC technique.
4. The traffic auditing method of claim 1, wherein branch location of each CPE is performed by gre-key when the traffic of each CPE is mirrored to a pre-defined CPE central node by encapsulation techniques.
5. The traffic auditing method according to claim 1, wherein said software defined networking, SDN based, networking a plurality of customer premises equipment CPEs to be traffic audited, comprises:
and networking a plurality of Customer Premise Equipment (CPE) to be subjected to flow audit based on the Software Defined Wide Area Network (SDWAN).
6. The traffic auditing method of claim 1 further comprising:
and acquiring flow data of each CPE acquired by the flow analysis sensor, and carrying out flow analysis according to the IP and the domain name of each CPE.
7. A traffic auditing apparatus, comprising:
a networking module, configured to network a plurality of Customer Premise Equipment (CPE) to be subjected to flow auditing based on a Software Defined Network (SDN);
and a flow auditing module, configured to mirror the flow of each CPE to a preset CPE central node through an encapsulation technique, and to introduce the flow of each CPE to a flow analysis sensor through the CPE central node, so as to realize flow auditing of each CPE.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program performs the steps of the flow auditing method of any one of claims 1-6.
9. A non-transitory computer readable storage medium having a computer program stored thereon, wherein the computer program when executed by a processor implements the steps of the traffic auditing method of any one of claims 1-6.
10. A computer program product comprising a computer program, wherein the computer program when executed by a processor implements the steps of a flow auditing method according to any one of claims 1-6.
CN202010514500.2A 2020-06-08 2020-06-08 Flow auditing method and device, electronic equipment and storage medium Pending CN113839824A (en)

Publications (1)

Publication Number Publication Date
CN113839824A true CN113839824A (en) 2021-12-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: QAX Technology Group Inc.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant before: QAX Technology Group Inc.

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.