CN114244576A - Flow protection method and device in cloud environment - Google Patents


Info

Publication number: CN114244576A
Authority: CN (China)
Prior art keywords: forwarding, node, traffic, service, flow
Legal status: Pending
Application number: CN202111402619.1A
Other languages: Chinese (zh)
Inventor: 宋飞虎
Current assignee: Unihub China Information Technology Co Ltd
Original assignee: Unihub China Information Technology Co Ltd
Classifications

All under H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L 63/1441 Countermeasures against malicious traffic (under H04L 63/14, network architectures or network communication protocols for network security for detecting or protecting against malicious traffic)
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0281 Proxies (under H04L 63/02)
    • H04L 63/1416 Event detection, e.g. attack signature detection (under H04L 63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L 67/00 network arrangements or protocols for supporting network services or applications, H04L 67/01 Protocols)


Abstract

The invention discloses a traffic protection method and device in a cloud environment. The method comprises the following steps: establishing a virtual security resource pool; generating a service chain, issuing the classification rules to a classifier node, and issuing a forwarding table to a forwarding node; the classifier node forwarding the traffic of different tenants to different service chains according to the classification rules; the forwarding node forwarding the traffic, and the service node performing security protection processing on the traffic. The method and device combine the virtual security resource pool with SFC; the SFC forwards according to hop count, so the flow table configuration of the forwarding nodes is not affected when the topology of the virtual security resource pool changes; the traffic of different tenants is processed in a differentiated manner, improving security protection efficiency; and SSL decryption and deep inspection are performed on the traffic, enhancing security protection capability.

Description

Flow protection method and device in cloud environment
Technical Field
The invention relates to the field of cloud environment security, in particular to a method and a device for protecting traffic in a cloud environment.
Background
With the development of computer virtualization, security issues in cloud environments are becoming more and more important. Both inter-tenant traffic and traffic from a tenant to the external network may be subject to network attacks. Once a virtual machine is compromised, an attacker can use it as a springboard to attack other virtual machines in the network, causing greater loss. In the prior art, services are provided to tenants by means of a virtual security resource pool. However, as the business develops, the security services required by a tenant may change frequently, which increases the number of flow tables on the forwarding nodes, makes them change more frequently, and makes them converge more slowly.
In a network environment, a data stream usually needs to pass through a plurality of network devices, such as IDS (intrusion detection system), IPS (intrusion prevention system), FW (firewall), LB (load balancing), WAF (web application firewall), and the like, and finally reaches a destination, which is the most common scenario of SFC (service function chain) technology. The SFC technology can process the traffic of the user through the corresponding network functions in sequence according to the requirements of the user, so as to achieve the processing targets of different scene traffic of different users.
Disclosure of Invention
In order to solve the problem that the security services required by tenants may change frequently and thereby increase the number of flow tables on the forwarding nodes, the invention provides a traffic protection method and device in a cloud environment: a virtual security resource pool is constructed; SFC (service function chain) technology is used to form a service chain for each tenant's security services; the service chain is forwarded according to hop count information and is independent of topology, so that when a tenant's security services change only the corresponding relation held by the SDN (software defined network) controller needs to be modified and the flow tables of the forwarding nodes do not change frequently; and SSL unloading (offloading, i.e. termination) and loading (re-encryption) are performed on HTTPS traffic, so that the virtual security devices can protect against malicious HTTPS attacks.
In order to achieve the purpose, the invention adopts the following technical scheme:
in an embodiment of the present invention, a method for protecting traffic in a cloud environment is provided, where the method includes:
establishing a virtual security resource pool;
generating a service chain, issuing the classification rule to a classifier node, and issuing a forwarding table to a forwarding node;
the classifier node forwards the traffic of different tenants to different service chains according to the classification rules;
the forwarding node forwards the traffic, and the service node performs security protection processing on the traffic.
Further, the virtual secure resource pool includes: the system comprises a classifier node, a plurality of forwarding nodes and a plurality of service nodes, wherein the service nodes are accessed to a network through the forwarding nodes;
the virtual secure resource pool uses the network controller as a control terminal for the classifier node, forwarding node and service node.
Further, generating a service chain, issuing the classification rule to the classifier node, and issuing the forwarding table to the forwarding node, includes:
the network controller calculates a complete service path according to the tenant identification and the safety service ordered by the tenant, generates a service chain of different tenants, issues the classification rule to the classifier node, and issues the forwarding table to the forwarding node;
when the safety service subscribed by the tenant changes, the network controller recalculates the service path, generates a new service chain, then retransmits the classification rule to the classifier node, and retransmits the forwarding table to the forwarding node.
Further, the classifier node forwards the traffic of different tenants to different service chains according to the classification rules, including:
after receiving the flow of the tenant, the classifier node judges whether the flow is HTTPS flow, and if the flow is the HTTPS flow, SSL unloading operation is carried out on the HTTPS flow by using NGINX at the classifier node; and if the traffic is non-HTTPS traffic or the unloaded HTTPS traffic, forwarding the traffic of different tenants to different service chains according to the classification rules.
Further, the forwarding node forwards the traffic, and the service node performs security protection processing on the traffic, including:
forwarding the traffic in sequence between forwarding nodes according to the service path corresponding to the service chain, and performing security protection processing on the traffic by the service nodes according to the configured security protection strategy;
after all the service nodes process the flow, the forwarding tail node uses NGINX to perform SSL loading operation on the HTTPS flow.
In an embodiment of the present invention, a flow protection device in a cloud environment is further provided, where the device includes:
the virtual security resource pool is used for providing security capability to the tenant in the form of a virtual machine;
the network controller is used for generating a service chain, issuing the classification rule to the classifier node and issuing the forwarding table to the forwarding node;
the forwarding node is used for forwarding the flow;
the classifier node is used for forwarding the traffic of different tenants to different service chains according to the classification rules;
and the service node is used for carrying out safety protection processing on the flow according to the configured safety protection strategy.
Further, the virtual secure resource pool includes: the system comprises a classifier node, a plurality of forwarding nodes and a plurality of service nodes, wherein the service nodes are accessed to a network through the forwarding nodes;
the virtual secure resource pool uses the network controller as a control terminal for the classifier node, forwarding node and service node.
Further, the network controller is specifically configured to:
calculating a complete service path according to the tenant identification and the safety service ordered by the tenant, generating service chains of different tenants, issuing classification rules to the classifier nodes, and issuing a forwarding table to the forwarding nodes;
when the safety service subscribed by the tenant changes, the network controller recalculates the service path, generates a new service chain, then retransmits the classification rule to the classifier node, and retransmits the forwarding table to the forwarding node.
Further, the classifier node is specifically configured to:
after receiving the flow of the tenant, judging whether the flow is HTTPS flow, if the flow is the HTTPS flow, performing SSL unloading operation on the HTTPS flow by using NGINX at the classifier node; and if the traffic is non-HTTPS traffic or the unloaded HTTPS traffic, forwarding the traffic of different tenants to different service chains according to the classification rules.
Further, the forwarding node is specifically configured to:
forwarding the traffic in sequence between forwarding nodes according to the service path corresponding to the service chain;
after all the service nodes process the flow, the forwarding tail node uses NGINX to perform SSL loading operation on the HTTPS flow.
In an embodiment of the present invention, a computer device is further provided, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and when the processor executes the computer program, the method for traffic protection in a cloud environment is implemented.
In an embodiment of the present invention, a computer-readable storage medium is further provided, where a computer program for executing the method for traffic protection in a cloud environment is stored in the computer-readable storage medium.
The invention has the following advantages:
1. The invention combines the virtual security resource pool with SFC. The SFC forwards according to the hop count (the hop count is the number and sequence of the forwarding nodes; for example, if the firewall is the 1st forwarding node, it is the first-hop device of the traffic no matter how the network topology changes), so a change in the topology of the virtual security resource pool does not affect the flow table configuration of the forwarding nodes.
2. The invention processes the traffic of different tenants in a differentiated manner, improving security protection efficiency.
3. The invention performs SSL decryption and deep inspection on the traffic, enhancing security protection capability.
Drawings
FIG. 1 is a flow chart of a traffic protection method in a cloud environment according to the present invention;
FIG. 2 is a schematic diagram of the virtual secure resource pool of the present invention;
FIG. 3 is a schematic diagram of virtual secure resource pool establishment in accordance with the present invention;
FIG. 4 is a schematic diagram of virtual secure resource pool establishment according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a flow protection device in a cloud environment according to the present invention;
FIG. 6 is a schematic diagram of the structure of the computer device of the present invention.
Detailed Description
The principles and spirit of the present invention will be described below with reference to several exemplary embodiments, which should be understood to be presented only to enable those skilled in the art to better understand and implement the present invention, and not to limit the scope of the present invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As will be appreciated by one skilled in the art, embodiments of the present invention may be embodied as a system, apparatus, device, method, or computer program product. Accordingly, the present disclosure may be embodied in the form of: entirely hardware, entirely software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
According to the embodiment of the invention, a method and a device for traffic protection in a cloud environment are provided. A virtual security resource pool is established, providing security capability to tenants in the form of virtual machines; the virtual security resource pool comprises virtual security devices such as NGFW (cloud next generation firewall), WAF (web application firewall), HSMP (host security protection) and IPS (intrusion prevention system). A forwarding node steers the traffic inside a tenant and the traffic from the tenant to the external network into the virtual security resource pool. According to the tenant identification and the security services ordered by the tenant, different service chains are established for different tenants using SDN (software defined network) and SFC (service function chain) technologies, and the tenant's traffic is processed in a differentiated manner. At the same time, SSL (secure sockets layer) unloading and loading are performed on HTTPS (hypertext transfer protocol secure) traffic, so that the virtual security devices can perform deep processing on encrypted data.
The principles and spirit of the present invention are explained in detail below with reference to several representative embodiments of the invention.
Fig. 1 is a schematic flow chart of a traffic protection method in a cloud environment according to the present invention. As shown in fig. 1, the method includes:
S101, establishing a virtual security resource pool;
as shown in fig. 2, the virtual security resource pool includes virtual security devices such as NGFW, WAF, HSMP, IPS, and the like;
as shown in fig. 2 and 3, the virtual security resource pool uses OVS (Open vSwitch) instances as forwarding nodes, and the OVS at the entrance of the virtual security resource pool serves as the classifier node of the SFC;
as shown in fig. 2 and fig. 3, virtual security devices such as NGFW, WAF, HSMP, IPS, etc. included in the virtual security resource pool are used as service nodes;
as shown in fig. 3, the virtual secure resource pool uses an SDN controller as a network controller.
S102, generating a service chain, then issuing the classification rule to a classifier node, and simultaneously issuing a forwarding table to a forwarding node;
the network controller calculates a complete service path according to the tenant identification and the safety service ordered by the tenant, generates a service chain of different tenants, issues the classification rule to the classifier node, and issues the forwarding table to the forwarding node;
when the security service subscribed by the tenant changes, the network controller recalculates the service path (open-source SDN controllers provide path computation algorithms that can be used directly), generates a new service chain, and then re-issues the classification rule to the classifier node and re-issues the forwarding table to the forwarding node.
S103, the network forwarding equipment guides the flow of the tenant to a virtual security resource pool;
when the tenant accesses the outside, or virtual machines inside the tenant access each other, the network forwarding device steers the tenant's traffic to the classifier node at the entrance of the virtual security resource pool.
S104, forwarding the traffic of different tenants to different service chains by the classifier node according to the classification rule;
after receiving the tenant's traffic, the classifier node at the entrance of the virtual security resource pool judges whether the traffic is HTTPS traffic;
if it is HTTPS traffic, NGINX (a high-performance HTTP and reverse proxy web server) is used at the classifier node to perform the SSL unloading operation on the HTTPS traffic;
if the traffic is non-HTTPS traffic or already-unloaded HTTPS traffic, the traffic of different tenants is forwarded to different service chains according to the classification rules.
S105, forwarding the traffic by the forwarding node, and performing safety protection processing on the traffic by the service node;
forwarding is carried out among the forwarding nodes according to the service path corresponding to the service chain, and the service nodes carry out safety protection processing according to the configured safety protection strategy;
after all the service nodes process the traffic, performing SSL loading operation on HTTPS traffic by using NGINX at the forwarding tail node;
S106, the processed traffic is steered to the external network or to a destination virtual machine within the tenant;
according to the traffic steering policy, the processed traffic is steered to the external network or to a destination virtual machine within the tenant.
It should be noted that although the operations of the method of the present invention have been described in the above embodiments and the accompanying drawings in a particular order, this does not require or imply that these operations must be performed in this particular order, or that all of the operations shown must be performed, to achieve the desired results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
For a clearer explanation of the traffic protection method in the cloud environment, a specific embodiment is described below, but it should be noted that the embodiment is only for better explaining the present invention and is not to be construed as an undue limitation on the present invention.
In this embodiment, an operation and maintenance worker first builds a virtual security resource pool, and deploys virtual security devices into the virtual security resource pool.
In this embodiment, operation and maintenance personnel need to deploy an SDN controller as a control end of a classifier node, a forwarding node, and a service node;
in the present embodiment, OVS switches are used as the classifier node and the forwarding nodes.
The specific implementation steps of this embodiment are as follows:
1. firstly, establishing a virtual security resource pool, wherein the virtual security resource pool comprises a classifier node, a plurality of forwarding nodes and a plurality of service nodes, and the service nodes are accessed to a network through the forwarding nodes; wherein, WAF and FW correspond to forwarding node 1, IDS corresponds to forwarding node 2, HSMP corresponds to forwarding node 3, and IPS corresponds to forwarding tail node, as shown in fig. 4;
2. the network controller constructs a service chain according to the tenant identification and the security services ordered by the tenant, issues the classification rule to the classifier node, and issues the forwarding table to the forwarding node; for example, if tenant A subscribes to WAF, IDS and IPS, then tenant A's service chain is: classifier node, forwarding node 1, WAF, forwarding node 2, IDS, forwarding tail node, IPS;
3. the flow of the tenant is guided to a classifier node at the inlet of the virtual security resource pool;
4. the classifier node receives the flow of the tenant A and judges whether the flow is HTTPS flow;
4.1, if the traffic is HTTPS traffic, performing SSL unloading operation on the traffic by using NGINX at the classifier node;
4.2, if the traffic is non-HTTPS traffic or the unloaded HTTPS traffic, forwarding the traffic to a service chain corresponding to the tenant A;
5. the forwarding node forwards the traffic in sequence according to the service chain; for example: forwarding node 1 receives the traffic and forwards it to the WAF; after the WAF has processed it, forwarding node 1 forwards the traffic to forwarding node 2, which passes it to the IDS; after the IDS has processed it, forwarding node 2 forwards the traffic to the forwarding tail node, which passes it to the IPS;
6. after all the service nodes process the flow, the forwarding tail node uses NGINX to perform SSL loading operation on the flow, and then the flow is guided to a network outlet.
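The controller logic of steps S102 to S105 and the tenant A chain of the embodiment above, as an added Python simulation that is not part of the patent: it places the service nodes behind forwarding nodes as in fig. 4, derives each tenant's chain, classifier rule and hop-indexed forwarding-table entries, re-issues only the changed tenant's entries when a subscription changes, and walks one flow through its chain with the SSL unloading and loading points marked. The class and function names, the chain identifiers, the `EGRESS` marker and the handling of a tenant with no chain are assumptions.

```python
from dataclasses import dataclass, field

# Placement of service nodes behind forwarding nodes, as in the page's
# embodiment (fig. 4): WAF and FW on forwarding node 1, IDS on node 2,
# HSMP on node 3, IPS on the forwarding tail node.
SERVICE_PLACEMENT = {"WAF": "FN1", "FW": "FN1", "IDS": "FN2",
                     "HSMP": "FN3", "IPS": "TAIL"}
# Order in which a flow passes the forwarding nodes of the resource pool.
FORWARDING_ORDER = ["FN1", "FN2", "FN3", "TAIL"]
EGRESS = "EGRESS"  # assumed marker for "leave the pool" (network outlet)


@dataclass
class Controller:
    """Toy SDN controller (constructed for this example). It keeps a
    classifier rule and a service chain per tenant, and per forwarding node a
    table keyed by (chain id, hop index), not by topology."""
    chains: dict = field(default_factory=dict)            # chain_id -> [(fn, service), ...]
    classifier_rules: dict = field(default_factory=dict)  # tenant -> chain_id
    tables: dict = field(default_factory=lambda: {fn: {} for fn in FORWARDING_ORDER})

    def compute_path(self, services):
        """Order the subscribed services by the forwarding node they hang off;
        the resulting sequence is the hop order of the service chain."""
        unique = list(dict.fromkeys(services))  # dedupe, keep subscription order
        ordered = sorted(unique, key=lambda s: FORWARDING_ORDER.index(SERVICE_PLACEMENT[s]))
        return [(SERVICE_PLACEMENT[s], s) for s in ordered]

    def subscribe(self, tenant, services):
        """(Re)compute the tenant's chain and reissue only that chain's
        entries; other tenants' entries are left untouched. Returns the set
        of forwarding nodes whose tables changed."""
        chain_id = f"chain-{tenant}"
        touched = set()
        for fn, table in self.tables.items():          # withdraw stale entries
            for key in [k for k in table if k[0] == chain_id]:
                del table[key]
                touched.add(fn)
        path = self.compute_path(services)
        self.chains[chain_id] = path
        self.classifier_rules[tenant] = chain_id       # classification rule
        for hop, (fn, service) in enumerate(path, start=1):
            next_fn = path[hop][0] if hop < len(path) else EGRESS
            self.tables[fn][(chain_id, hop)] = {"service": service, "next": next_fn}
            touched.add(fn)
        return touched


def walk(ctrl, tenant, https):
    """Simulate one flow of `tenant` through the pool (data plane of steps
    S104 and S105) and return the processing trace in order."""
    chain_id = ctrl.classifier_rules.get(tenant)
    if chain_id is None:
        return ["classifier:drop(no-chain)"]  # assumption: unknown tenants are not steered
    trace = []
    if https:
        trace.append("classifier:ssl_unload")  # NGINX SSL unloading at the classifier
    path = ctrl.chains[chain_id]
    fn, hop = (path[0][0], 1) if path else (EGRESS, 1)
    while fn != EGRESS:                        # hop-by-hop lookup, no topology needed
        entry = ctrl.tables[fn][(chain_id, hop)]
        trace.append(f"{fn}:{entry['service']}")
        fn, hop = entry["next"], hop + 1
    if https:
        trace.append("TAIL:ssl_load")          # tail node re-encrypts after the last service
    trace.append("egress")
    return trace


if __name__ == "__main__":
    ctrl = Controller()
    ctrl.subscribe("A", ["WAF", "IDS", "IPS"])  # tenant A of the embodiment
    print(ctrl.chains["chain-A"])
    print(walk(ctrl, "A", https=True))
```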
Based on the same invention concept, the invention also provides a flow protection device in the cloud environment. The implementation of the device can be referred to the implementation of the method, and repeated details are not repeated. The term "module," as used below, may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 5 is a schematic structural diagram of a flow protection device in a cloud environment according to an embodiment of the present invention. As shown in fig. 5, the apparatus includes:
a virtual security resource pool 201 for providing security capability to tenants in the form of virtual machines;
the virtual secure resource pool 201 includes: the system comprises a classifier node 204, a plurality of forwarding nodes 203 and a plurality of service nodes 205, wherein the service nodes 205 are accessed to the network through the forwarding nodes 203;
the virtual secure resource pool 201 uses the network controller 202 as the control side for the classifier node 204, the forwarding nodes 203 and the service nodes 205.
The network controller 202 is configured to generate a service chain, issue the classification rule to the classifier node 204, and issue the forwarding table to the forwarding node 203; the method comprises the following specific steps:
calculating a complete service path according to the tenant identification and the security service ordered by the tenant, generating service chains of different tenants, issuing classification rules to the classifier node 204, and issuing a forwarding table to the forwarding node 203;
when the security service subscribed by the tenant changes, the network controller recalculates the service path, generates a new service chain, and then re-issues the classification rule to the classifier node 204 and re-issues the forwarding table to the forwarding node 203.
A forwarding node 203, configured to forward traffic; the method comprises the following specific steps:
forwarding the traffic in sequence between the forwarding nodes 203 according to the service path corresponding to the service chain;
after all the service nodes 205 have processed the traffic, the forwarding tail node uses NGINX to perform the SSL loading operation on the HTTPS traffic.
The classifier node 204 is configured to forward traffic of different tenants to different service chains according to a classification rule; the method comprises the following specific steps:
after receiving the tenant's traffic, judging whether it is HTTPS traffic and, if so, performing the SSL (secure sockets layer) unloading operation on the HTTPS traffic using NGINX at the classifier node 204; and if the traffic is non-HTTPS traffic or already-unloaded HTTPS traffic, forwarding the traffic of different tenants to different service chains according to the classification rules.
And the service node 205 is configured to perform security protection processing on the traffic according to the configured security protection policy.
It should be noted that although several modules of the traffic protection device in a cloud environment are mentioned in the above detailed description, such partitioning is merely exemplary and not mandatory. Indeed, the features and functionality of two or more of the modules described above may be embodied in one module according to embodiments of the invention. Conversely, the features and functions of one module described above may be further divided among a plurality of modules.
Based on the aforementioned inventive concept, as shown in fig. 6, the present invention further provides a computer device 300, which includes a memory 310, a processor 320, and a computer program 330 stored in the memory 310 and operable on the processor 320, wherein the processor 320 executes the computer program 330 to implement the aforementioned method for flow protection in a cloud environment.
Based on the foregoing inventive concept, the present invention further provides a computer-readable storage medium storing a computer program for executing the foregoing method for traffic protection in a cloud environment.
According to the traffic protection method and device in the cloud environment, SFC technology is applied to the virtual security resource pool, improving the traffic processing efficiency of the SDN controller and the forwarding nodes. The path of the data flow is controlled through SFC technology: when a tenant's security services change, the SFC keeps the forwarding nodes' flow tables from changing frequently, the processing efficiency of the security devices can be improved, each tenant has its own service chain, and the traffic paths of other tenants are not affected.
While the spirit and principles of the invention have been described with reference to several particular embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, nor to the division into aspects, which is for convenience only, as the features in such aspects may be combined to advantage. The invention is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
The limitation of the protection scope of the present invention is understood by those skilled in the art, and various modifications or changes which can be made by those skilled in the art without inventive efforts based on the technical solution of the present invention are still within the protection scope of the present invention.

Claims (12)

1. A method for protecting traffic in a cloud environment, characterized by comprising the following steps:
establishing a virtual security resource pool;
generating a service chain, issuing a classification rule to a classifier node, and issuing a forwarding table to a forwarding node;
the classifier node forwards the traffic of different tenants to different service chains according to the classification rule;
the forwarding node forwards the traffic, and the service node performs security protection processing on the traffic.
2. The traffic protection method in a cloud environment according to claim 1, wherein the virtual security resource pool comprises a classifier node, a plurality of forwarding nodes and a plurality of service nodes, the service nodes being connected to the network through the forwarding nodes;
the virtual security resource pool uses a network controller as the control end of the classifier node, the forwarding nodes and the service nodes.
3. The traffic protection method in a cloud environment according to claim 1, wherein generating a service chain, issuing a classification rule to a classifier node, and at the same time issuing a forwarding table to a forwarding node comprises:
the network controller calculates a complete service path according to the tenant identifier and the security services subscribed by the tenant, generates service chains for different tenants, issues the classification rules to the classifier node, and issues the forwarding tables to the forwarding nodes;
when the security services subscribed by a tenant change, the network controller recalculates the service path, generates a new service chain, then reissues the classification rule to the classifier node and reissues the forwarding table to the forwarding node.
4. The traffic protection method in a cloud environment according to claim 1, wherein the classifier node forwarding the traffic of different tenants to different service chains according to the classification rule comprises:
after receiving a tenant's traffic, the classifier node determines whether the traffic is HTTPS traffic; if it is HTTPS traffic, SSL offloading is performed on the HTTPS traffic at the classifier node using NGINX; if the traffic is non-HTTPS traffic, or HTTPS traffic that has already been offloaded, the traffic of different tenants is forwarded to different service chains according to the classification rules.
5. The traffic protection method in a cloud environment according to claim 1, wherein the forwarding node forwarding the traffic and the service node performing security protection processing on the traffic comprises:
forwarding the traffic in sequence between forwarding nodes according to the service path corresponding to the service chain, with the service nodes performing security protection processing on the traffic according to the configured security protection policy;
after all service nodes have processed the traffic, the tail forwarding node performs SSL loading (re-encryption) on the HTTPS traffic using NGINX.
6. A traffic protection device in a cloud environment, the device comprising:
a virtual security resource pool, used for providing security capabilities to tenants in the form of virtual machines;
a network controller, used for generating a service chain, issuing a classification rule to a classifier node and issuing a forwarding table to a forwarding node;
a forwarding node, used for forwarding the traffic;
a classifier node, used for forwarding the traffic of different tenants to different service chains according to the classification rule;
and a service node, used for performing security protection processing on the traffic according to the configured security protection policy.
7. The traffic protection device in a cloud environment according to claim 6, wherein the virtual security resource pool comprises a classifier node, a plurality of forwarding nodes and a plurality of service nodes, the service nodes being connected to the network through the forwarding nodes;
the virtual security resource pool uses a network controller as the control end of the classifier node, the forwarding nodes and the service nodes.
8. The traffic protection device in a cloud environment according to claim 6, wherein the network controller is specifically configured to:
calculate a complete service path according to the tenant identifier and the security services subscribed by the tenant, generate service chains for different tenants, issue the classification rules to the classifier node, and issue the forwarding tables to the forwarding nodes;
when the security services subscribed by a tenant change, recalculate the service path, generate a new service chain, then reissue the classification rule to the classifier node and reissue the forwarding table to the forwarding node.
9. The traffic protection device in a cloud environment according to claim 6, wherein the classifier node is specifically configured to:
after receiving a tenant's traffic, determine whether the traffic is HTTPS traffic; if it is HTTPS traffic, perform SSL offloading on the HTTPS traffic at the classifier node using NGINX; if the traffic is non-HTTPS traffic, or HTTPS traffic that has already been offloaded, forward the traffic of different tenants to different service chains according to the classification rules.
10. The traffic protection device in a cloud environment according to claim 6, wherein the forwarding node is specifically configured to:
forward the traffic in sequence between forwarding nodes according to the service path corresponding to the service chain;
after all service nodes have processed the traffic, the tail forwarding node performs SSL loading (re-encryption) on the HTTPS traffic using NGINX.
11. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any one of claims 1-5 when executing the computer program.
12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program for executing the method of any one of claims 1-5.
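The control flow of claims 1-5 as an added, runnable model (example code, not the patent's or the applicant's implementation): a controller that turns each tenant's subscribed services into a service chain, a classification rule and per-node forwarding tables, reissuing them when the subscription changes, and a walk that follows the tables from the classifier (SSL offloading) to the tail node (SSL loading). Node names, service names and tenant identifiers are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed topology (not from the patent): the forwarding node that fronts each
# security service node, plus the classifier and the tail forwarding node.
SERVICE_NODE_OF = {"waf": "fwd-2", "ids": "fwd-3", "av": "fwd-4"}
CLASSIFIER, TAIL = "classifier", "fwd-tail"


@dataclass
class Controller:
    """Network controller of claims 2-3: computes a per-tenant service path and
    issues classification rules (to the classifier) and forwarding tables
    (to the forwarding nodes)."""
    subscriptions: dict = field(default_factory=dict)  # tenant -> ordered services
    rules: dict = field(default_factory=dict)          # tenant -> chain id
    tables: dict = field(default_factory=dict)         # node -> {chain id: next hop}

    def subscribe(self, tenant, services):
        # A change in a tenant's subscribed services triggers a recompute of the
        # paths and a re-issue of rules and tables (claim 3).
        self.subscriptions[tenant] = list(services)
        self.rules.clear()
        self.tables.clear()
        for t, svcs in self.subscriptions.items():
            chain = f"chain-{t}"
            path = [CLASSIFIER] + [SERVICE_NODE_OF[s] for s in svcs] + [TAIL]
            self.rules[t] = chain
            for hop, nxt in zip(path, path[1:]):
                self.tables.setdefault(hop, {})[chain] = nxt


def carry_traffic(ctrl, tenant, is_https):
    """Claims 4-5 as a walk over the issued state: the classifier offloads TLS on
    HTTPS traffic and selects the tenant's chain, each forwarding node looks up its
    next hop, and the tail node re-encrypts traffic that arrived as HTTPS.
    Returns (hops visited, whether the traffic leaves the chain encrypted)."""
    chain = ctrl.rules[tenant]
    hops, node = [], CLASSIFIER
    while node != TAIL:
        hops.append(node)
        node = ctrl.tables[node][chain]   # forwarding-table lookup per hop
    hops.append(TAIL)
    return hops, is_https                 # SSL loading at the tail only for HTTPS


if __name__ == "__main__":
    c = Controller()
    c.subscribe("tenant-a", ["waf", "ids"])
    c.subscribe("tenant-b", ["av"])
    print(carry_traffic(c, "tenant-a", True))   # classifier -> fwd-2 -> fwd-3 -> fwd-tail
    c.subscribe("tenant-a", ["waf"])            # subscription change: chain shrinks
    print(carry_traffic(c, "tenant-a", False))
```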
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111402619.1A CN114244576A (en) 2021-11-24 2021-11-24 Flow protection method and device in cloud environment
Publications (1)

Publication Number Publication Date
CN114244576A true CN114244576A (en) 2022-03-25

Family

ID=80750892
Country Status (1)

Country Link
CN (1) CN114244576A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115296842A (en) * 2022-06-27 2022-11-04 深信服科技股份有限公司 Method and device for orchestrating service traffic, application delivery device and medium
CN115297050A (en) * 2022-05-30 2022-11-04 云南电网有限责任公司 Cloud network-based intelligent measurement terminal establishment method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107911258A (en) * 2017-12-29 2018-04-13 深信服科技股份有限公司 Implementation method and system for an SDN-based security resource pool
CN108092934A (en) * 2016-11-21 2018-05-29 中国移动通信有限公司研究院 Security service system and method
CN109922021A (en) * 2017-12-12 2019-06-21 中国电信股份有限公司 Security protection system and security protection method
CN110311838A (en) * 2019-07-24 2019-10-08 北京神州绿盟信息安全科技股份有限公司 Method and device for security service traffic statistics
CN111385270A (en) * 2018-12-29 2020-07-07 北京奇虎科技有限公司 WAF-based network attack detection method and device
Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Lan Qingbai: "Accelerating architecture transformation to meet Internet operations challenges: exploration of intelligent network traffic orchestration at China Minsheng Bank" *
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination