CN114285629A - SDN same-region data flow access control method and SDN network - Google Patents

SDN same-region data flow access control method and SDN network

Info

Publication number: CN114285629A
Application number: CN202111583983.2A
Authority: CN (China)
Legal status: Pending
Original language: Chinese (zh)
Inventor: not disclosed (不公告发明人)
Current and original assignee: PEOPLE'S BANK OF CHINA NATIONAL CLEARING CENTER
Prior art keywords: sdn, security, access data, data stream, data flow

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an SDN same-region data flow access control method and an SDN network. The method comprises: receiving an access data flow sent by a user terminal; determining whether the data flow is east-west traffic and, if so, determining the security control SDN node corresponding to the access data flow; and transmitting the access data flow to that security control SDN node, so that the security control SDN node passes the flow through an external security device for security processing and then forwards the processed flow to the corresponding target terminal.

Description

SDN same-region data flow access control method and SDN network
Technical Field
The invention relates to the technical field of SDN data transmission, in particular to an SDN same-region data flow access control method and an SDN network.
Background
Data flows in an SDN (Software Defined Network) are divided into north-south traffic and east-west traffic. North-south traffic is mainly untrusted access traffic generated outside the network, so its security requirement is high: the accessed data flows must be subjected to security access control such as zone isolation, virus detection, blocking and vulnerability scanning, which can be implemented by traditional security devices such as a firewall, a sandbox, a WAF and a vulnerability scanner.
East-west traffic is mainly access traffic exchanged within a trusted internal network (for example a local area network); its security requirement is comparatively low, and usually only port-level access control is provided. Security access control of east-west traffic is nevertheless complex: many computing resources (hardware resources) are allocated within one VLAN or across several VLANs, and the data exchanged among these resources flows east-west inside the SDN, which is the east-west traffic. In the prior art, no security access control can be applied to access data flows of east-west traffic.
Disclosure of Invention
The invention aims to provide an SDN same-region data flow access control method that solves the problem that security access control cannot be applied to access data flows of east-west traffic in an SDN. A further object of the invention is to provide an SDN network. Further objects are to provide a corresponding computer device and a corresponding computer-readable medium.
In order to achieve the above objects, in one aspect the invention discloses an SDN same-region data flow access control method, comprising:
receiving an access data flow sent by a user terminal;
determining whether the data flow is east-west traffic and, if so, determining the security control SDN node corresponding to the access data flow;
and transmitting the access data flow to the security control SDN node, so that the security control SDN node performs security processing on the access data flow through an external security device and transmits the access data flow after security processing to the corresponding target terminal.
Preferably, the method further comprises:
if the data flow is not east-west traffic, transmitting the access data flow to a north-south SDN node so that the north-south SDN node performs security processing on it;
and transmitting the access data flow after security processing to the corresponding target terminal.
Preferably, determining the security control SDN node corresponding to the access data flow specifically comprises:
determining, from the access data flow, the terminal information of the user terminal that sent it;
determining the logically isolated network corresponding to the user terminal from the terminal information and the setting information of the plurality of logically isolated networks;
and determining the security control SDN node corresponding to the user terminal within that logically isolated network.
Preferably, the setting information comprises a correspondence between the logically isolated networks and the terminal information of the user terminals.
Preferably, the method further comprises predetermining the setting information of the plurality of logically isolated networks.
Preferably, predetermining the setting information of the plurality of logically isolated networks specifically comprises:
dividing the security control SDN nodes that handle east-west traffic into a plurality of logically isolated networks;
dividing all user terminals into a plurality of user groups according to their terminal information;
and associating each logically isolated network with one user group, the associations forming the setting information.
Preferably, the terminal information comprises the service type of the user terminal, and dividing all user terminals into a plurality of user groups according to their terminal information specifically comprises:
classifying all user terminals by service type;
and forming one user group from the terminal information of the user terminals of each service type.
Preferably, determining the logically isolated network corresponding to the user terminal from the terminal information and the setting information of the plurality of logically isolated networks specifically comprises:
determining the target user group of the user terminal from its terminal information;
and determining the logically isolated network corresponding to the target user group from the correspondence between logically isolated networks and user groups in the setting information.
Preferably, each security control SDN node is connected to at least one security device;
and transmitting the access data flow to the security control SDN node so that it performs security processing through an external security device specifically comprises:
transmitting the access data flow to the security control SDN node, which then determines a target security device;
and transmitting the access data flow to the target security device so that the target security device performs security processing on it.
The invention also discloses an SDN network comprising a steering SDN node (the "drainage" node that directs traffic) and a security control SDN node.
The steering SDN node receives an access data flow sent by a user terminal; determines whether the data flow is east-west traffic and, if so, determines the security control SDN node corresponding to the access data flow; and transmits the access data flow to the security control SDN node, so that the security control SDN node performs security processing on it through an external security device and transmits the processed flow to the corresponding target terminal.
The invention also discloses a computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor implementing the method described above when it executes the program.
The invention also discloses a computer-readable medium storing a computer program which, when executed by a processor, implements the method described above.
According to the invention, an access data flow of east-west traffic sent by a user terminal is directed to the security control SDN node, and since that node is connected to external security devices, the security control SDN node responsible for the east-west traffic can pass the flow to an external security device for security processing and then forward the processed flow to the corresponding target terminal. East-west traffic is thereby subjected to security processing, access data flows exchanged as east-west traffic among user terminals through SDN nodes of the same region are protected, and the security of east-west data flows within the same region of the SDN is improved. In summary, the invention steers east-west data flows to the security devices of the security control SDN nodes for processing and forwards the processed flows to the target terminal, so that access among different user terminals in the same region of the SDN is controlled by dedicated security devices.
Drawings
In order to illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings used in their description are briefly introduced below. The drawings show only some embodiments of the invention; a person skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of an SDN same-region data flow access control method according to an embodiment of the invention;
Fig. 2 is a flowchart of step S400 of the method in an embodiment;
Fig. 3 is a flowchart of step S200 of the method in an embodiment;
Fig. 4 is a flowchart of step S000 of the method in an embodiment;
Fig. 5 is a flowchart of step S020 of the method in an embodiment;
Fig. 6 is a flowchart of step S220 of the method in an embodiment;
Fig. 7 is a flowchart of step S300 of the method in an embodiment;
Fig. 8 is a schematic diagram of the SDN network set-up in a specific example of the method;
Fig. 9 is a schematic block diagram of a computer device suitable for implementing embodiments of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the prior art, access data flows between user terminals within the same-region network of an SDN carry a low security requirement: typically only port-level access control is required, i.e. a user terminal in the same-region network is simply permitted to send access data flows to a target user terminal through an SDN node. Consequently, whether east-west traffic is safe cannot be controlled; it cannot be determined whether the traffic will adversely affect terminals and nodes in the SDN, and their operational stability is at risk. To solve the problem that east-west traffic in the SDN cannot be subjected to security control, the invention provides an SDN same-region data flow access control method that steers east-west data flows to the security devices of a security control SDN node for processing and forwards the processed flow to the target terminal, so that access among different user terminals in the same region of the SDN is controlled by dedicated security devices.
According to one aspect of the invention, this embodiment discloses an SDN same-region data flow access control method. As shown in Fig. 1, the method comprises:
S100: receiving an access data flow sent by a user terminal.
S200: determining whether the data flow is east-west traffic and, if so, determining the security control SDN node corresponding to the access data flow.
S300: transmitting the access data flow to the security control SDN node, so that the security control SDN node performs security processing on it through an external security device and transmits the processed flow to the corresponding target terminal.
In this way an east-west access data flow sent by a user terminal is directed to a security control SDN node that has external security devices attached, the flow is passed to one of those devices for security processing, and the processed flow is forwarded to the corresponding target terminal. East-west traffic within the same region of the SDN is therefore inspected by dedicated security devices rather than being forwarded under port-level control only, which protects the user terminals and SDN nodes that exchange it.
In a preferred embodiment, as shown in Fig. 2, the method further comprises S400:
S410: if the data flow is not east-west traffic, transmitting the access data flow to a north-south SDN node so that the north-south SDN node performs security processing on it.
S420: transmitting the access data flow after security processing to the corresponding target terminal.
Specifically, the SDN network carries not only east-west traffic but also north-south traffic. A data flow that is not east-west traffic is one exchanged with a target terminal in an external (non-same-region) network. North-south data flows are therefore forwarded to the north-south SDN node of the SDN, which performs security processing on them and transmits the processed flow to the corresponding target (user) terminal in the external network. Likewise, north-south traffic sent by an external user terminal to a user terminal in the same-region network must pass the security processing of the north-south SDN node before it is delivered to that user terminal.
Note that security devices are preset at the north-south SDN nodes of the SDN network. These devices apply security access control such as zone isolation, virus detection, blocking and vulnerability scanning to north-south data flows, and can be traditional security devices such as a firewall, a sandbox, a WAF or a vulnerability scanner. All data exchanged between the north-south SDN nodes and external user terminals therefore passes through the security processing of these devices, which guarantees the security of north-south traffic. Such security devices are conventional in the field and are not described further here.
In a preferred embodiment, as shown in Fig. 3, determining the security control SDN node corresponding to the access data flow in S200 specifically comprises:
S210: determining, from the access data flow, the terminal information of the user terminal that sent it.
S220: determining the logically isolated network corresponding to the user terminal from the terminal information and the setting information of the plurality of logically isolated networks.
S230: determining the security control SDN node corresponding to the user terminal within that logically isolated network.
To further improve the security of access data flows and avoid affecting other user terminals and SDN nodes, in this preferred embodiment all security control SDN nodes of the SDN network are divided into a plurality of logically isolated networks: an access data flow in a given logically isolated network can only be exchanged between the SDN nodes and user terminals of that network and cannot reach another logically isolated network. By controlling the forwarding direction of the access data flow so that it stays inside one logically isolated network, logical isolation between the different networks is achieved. Specifically, for the access data flow of a given user terminal, the logically isolated network to which the terminal belongs is determined from its terminal information and the preset setting information of the logically isolated networks; an SDN node in that network is then chosen as the security control SDN node and the access data flow is steered to it.
In a preferred embodiment, the setting information comprises a correspondence between the logically isolated networks and the terminal information of the user terminals.
The terminal information of a user terminal may include identifiers such as its IP address and its service type. A correspondence between a logically isolated network and terminal information such as the IP address or service type can therefore be preset, the user terminals can be divided according to their terminal information, and user terminals of the same type can be assigned to the same logically isolated network.
In a preferred embodiment, the method further comprises a step S000 of predetermining the setting information of the plurality of logically isolated networks. As shown in Fig. 4, S000 specifically comprises:
S010: dividing the security control SDN nodes that handle east-west traffic into a plurality of logically isolated networks.
S020: dividing all user terminals into a plurality of user groups according to their terminal information.
S030: associating each logically isolated network with one user group, the associations forming the setting information.
Specifically, the SDN nodes that process east-west traffic may be divided in advance into a plurality of logically isolated networks. Each logically isolated network comprises at least one security control SDN node and at least one security device connected to each such node; each security device is connected to only one SDN node. The security devices perform the security processing of east-west traffic: for example, they may apply security access control such as zone isolation, virus detection, blocking and vulnerability scanning to the east-west access data flows forwarded by the SDN node, using traditional security devices such as a firewall, a sandbox, a WAF or a vulnerability scanner.
Further, all user terminals located in the same-region network as the east-west SDN nodes may be divided into a plurality of user groups according to their terminal information, and the logically isolated networks and user groups are then associated one to one to form the setting information. The data flow access control node of the SDN can subsequently, according to the setting information and the terminal information of a user terminal, route an east-west access data flow to the SDN node of the logically isolated network corresponding to that terminal for security processing. The setting information thus keeps both the east-west data flows and their security processing logically separate across user groups, so that east-west traffic of one user group cannot affect the user terminals of other groups or the SDN nodes of their logically isolated networks, and the operational security of each user group is strengthened.
In a preferred embodiment, as shown in Fig. 5, the terminal information comprises the service type of the user terminal, and dividing all user terminals into a plurality of user groups according to their terminal information in S020 specifically comprises:
S021: classifying all user terminals by service type.
S022: forming one user group from the terminal information of the user terminals of each service type.
Specifically, when user groups are formed by service type, access data flows of different service types are each confined to one logically isolated network, so the processing of data flows of different service types cannot interfere with one another.
In a preferred embodiment, as shown in Fig. 6, determining the logically isolated network corresponding to the user terminal from the terminal information and the setting information of the plurality of logically isolated networks in S220 specifically comprises:
S221: determining the target user group of the user terminal from its terminal information.
S222: determining the logically isolated network corresponding to the target user group from the correspondence between logically isolated networks and user groups in the setting information.
Specifically, an access data flow usually carries the terminal information of the user terminal, which can be obtained by parsing the flow after it is received; the target user group is then found among all user groups from the preset group information, and the logically isolated network corresponding to that group is looked up in the setting information, which identifies the security control SDN node that performs the security processing.
In a preferred embodiment, each security control SDN node is connected to at least one security device. As shown in Fig. 7, transmitting the access data flow to the security control SDN node so that it performs security processing through an external security device in S300 specifically comprises:
S310: transmitting the access data flow to the security control SDN node, which then determines a target security device.
S320: transmitting the access data flow to the target security device so that the target security device performs security processing on it.
Specifically, a security control SDN node may be connected to one or more security devices and selects a suitable one of them, for example an idle (spare) device, to process the data flow. After the security device has processed the access data flow, it returns the processed flow to the security control SDN node, which forwards it to the target terminal.
The invention is further described below by way of a specific example. As shown in Fig. 8, taking a payment settlement platform system (ALSP) and a mailbox system (MAIL) as an example, the SDN network comprises at least one intermediate node (Spine), steering SDN nodes (Leaf1, Leaf2) and a security control SDN node (Leaf3). In the preset step, all user terminals are divided into user groups, here the VPCs VPC01 and VPC02: ALSP is deployed in VPC01 and MAIL in VPC02. Applications in two different VPCs cannot communicate with each other by default, so a security risk in one application does not affect the other. Several security devices (Service-Leaf: VFW01, VFW02 and VFW03) connected to the SDN node Leaf3 form a logically isolated network. In the SDN environment each logically isolated network is an independent network isolated by its own virtual routing table. User terminals are grouped into VPCs by the service type of their applications and bound to the corresponding subnets; the applications in the VPCs generate both north-south and east-west traffic. North-south traffic is inspected by traditional security devices. East-west traffic of the different types of inter-VPC application access is steered, by service-chain steering (that is, classification of packets by a specific policy), into a virtual security zone equipped with security devices such as firewalls, which meets the stricter access control requirements of internal east-west data flows.
For the ALSP service to operate, ALSP must send e-mail through MAIL, i.e. ALSP must communicate with MAIL over east-west traffic. The east-west access data flow is steered by service-chain steering into the virtual security zone, i.e. the logically isolated network, where it is processed by the dedicated security devices connected to the SDN node of that zone, so effective access control is achieved.
Taking the east-west access data flow of ALSP accessing MAIL as an example: ALSP enters the SDN through node Leaf1, which classifies the flow. Leaf1 matches the logically isolated network from the user group VPC01, i.e. the flow is redirected by a route, encapsulated in VXLAN and steered to the Spine node, which forwards it to node Leaf3 attached to the security zone; Leaf3 is the security control SDN node of the logically isolated network. Leaf3 passes the packets to a security device in the security zone; after the device has processed them it sends them back to Leaf3 over its default route, Leaf3 forwards them to Leaf2 over the host route for MAIL, Leaf2 decapsulates the VXLAN, and the packets are delivered to MAIL. The return traffic from MAIL to ALSP follows essentially the same procedure.
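The steering decision of steps S100 to S300 (using the preset setting information of S000 and the device selection of S310) together with the ALSP to MAIL path just described can be modelled as a small policy engine. The following Python is an added illustration written for this page, not the patent's or the assignee's code: the topology (Leaf1, Leaf2, Spine, Leaf3 and VFW01 to VFW03 as in Fig. 8, VPC01 and VPC02 as the user groups), the address ranges, the name of the north-south node and the device-selection rule are all constructed assumptions.

```python
"""Model of the same-region steering decision (S100-S300, S000, S310).
Added example for this page; topology, addresses and policy are constructed."""
import hashlib
from ipaddress import ip_address, ip_network

# Constructed topology: Leaf1/Leaf2 are the steering leaves of the two VPCs, Leaf3 the
# security-control node with firewalls VFW01..VFW03 attached (names as in Fig. 8).
INTERNAL_RANGES = [ip_network("10.0.0.0/8")]        # same-region address space (assumed)
USER_GROUPS = {                                     # user group -> terminal info (assumed)
    "VPC01": {"service": "ALSP", "subnet": ip_network("10.1.0.0/24"), "leaf": "Leaf1"},
    "VPC02": {"service": "MAIL", "subnet": ip_network("10.2.0.0/24"), "leaf": "Leaf2"},
}
ISOLATED_NETS = {                                   # logically isolated network -> node, devices
    "SEC-ZONE-1": {"node": "Leaf3", "devices": ["VFW01", "VFW02", "VFW03"]},
}
# Setting information (S030): user group -> logically isolated network. The claims pair
# them one to one; Fig. 8 sends both VPCs through the single Leaf3 zone, as modelled here.
SETTING_INFO = {"VPC01": "SEC-ZONE-1", "VPC02": "SEC-ZONE-1"}
NORTH_SOUTH_NODE = "NS-Leaf"                        # assumed name of the north-south node


def is_east_west(src, dst):
    """S200: a flow is east-west only if both endpoints lie in the same-region ranges."""
    return all(any(ip_address(h) in n for n in INTERNAL_RANGES) for h in (src, dst))


def group_of(ip):
    """S221: terminal information (here the IP address) -> target user group, or None."""
    for name, info in USER_GROUPS.items():
        if ip_address(ip) in info["subnet"]:
            return name
    return None


def pick_device(devices, src, dst):
    """S310: choose the target security device. A stateful firewall must see both
    directions of a session, so hash the unordered endpoint pair (our choice; the
    patent only says to pick a suitable, e.g. spare, device)."""
    key = ",".join(sorted((src, dst))).encode()
    return devices[int(hashlib.sha256(key).hexdigest(), 16) % len(devices)]


def steer(src, dst):
    """S100-S300 for one flow: returns the decision and the hop list the packets take."""
    if not is_east_west(src, dst):                  # S410: hand north-south traffic over
        return {"direction": "north-south", "action": "forward", "path": [NORTH_SOUTH_NODE]}
    src_group, dst_group = group_of(src), group_of(dst)
    if src_group is None or dst_group is None:
        # No user group, hence no isolated network, is configured for this terminal.
        # The patent does not say what happens here; failing closed is the safe choice.
        return {"direction": "east-west", "action": "deny", "reason": "no user group"}
    zone_name = SETTING_INFO[src_group]             # S222: group -> isolated network
    zone = ISOLATED_NETS[zone_name]                 # S230: its security-control node
    device = pick_device(zone["devices"], src, dst)
    ingress, egress = USER_GROUPS[src_group]["leaf"], USER_GROUPS[dst_group]["leaf"]
    # Ingress leaf encapsulates in VXLAN, Spine forwards to Leaf3, Leaf3 hands the packets
    # to the firewall and gets them back, then forwards via host route to the egress leaf.
    path = [f"{ingress}(vxlan-encap)", "Spine", zone["node"], device,
            zone["node"], f"{egress}(vxlan-decap)"]
    return {"direction": "east-west", "action": "inspect", "group": src_group,
            "isolated_net": zone_name, "node": zone["node"], "device": device, "path": path}


if __name__ == "__main__":
    for flow in (("10.1.0.10", "10.2.0.20"),      # ALSP -> MAIL
                 ("10.2.0.20", "10.1.0.10"),      # MAIL -> ALSP (return traffic)
                 ("10.1.0.10", "203.0.113.5"),    # ALSP -> Internet (north-south)
                 ("10.9.0.7", "10.2.0.20")):      # unassigned internal host -> MAIL
        print(flow, steer(*flow))
```

Two choices go beyond what the patent states and are marked as such in the comments: a terminal that belongs to no user group is denied rather than forwarded, and the security device is chosen by hashing the unordered endpoint pair so that the return traffic from MAIL to ALSP is inspected by the same stateful firewall as the forward flow. Note also that the classifier keys on the source address, so it is only as trustworthy as the binding between access port and subnet that the steering leaf enforces.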
The invention exploits the logical isolation between VPCs so that different application systems are isolated by default and cannot communicate freely, which ensures that a security risk in one application system does not affect the others. At the same time, access between applications is effectively and securely controlled by dedicated security devices reached through route-based steering.
Based on the same principle, this embodiment also discloses an SDN network. The SDN network comprises a steering SDN node and a security control SDN node.
The steering SDN node receives an access data flow sent by a user terminal; determines whether the data flow is east-west traffic and, if so, determines the security control SDN node corresponding to the access data flow; and transmits the access data flow to the security control SDN node, so that the security control SDN node performs security processing on it through an external security device and transmits the processed flow to the corresponding target terminal.
In a preferred embodiment, the steering SDN node is further configured, when the data flow is not east-west traffic, to transmit the access data flow to a north-south SDN node so that the north-south SDN node performs security processing on it, and to transmit the processed flow to the corresponding target terminal. The north-south SDN nodes are the SDN nodes of the SDN network that handle north-south (external network) traffic.
In a preferred embodiment, the steering SDN node is specifically configured to determine, from the access data flow, the terminal information of the user terminal that sent it; to determine the logically isolated network corresponding to the user terminal from the terminal information and the setting information of the plurality of logically isolated networks; and to determine the security control SDN node corresponding to the user terminal within that logically isolated network.
In a preferred embodiment, the setting information comprises a correspondence between the logically isolated networks and the terminal information of the user terminals.
In a preferred embodiment, the steering SDN node is further configured to predetermine the setting information of the plurality of logically isolated networks.
In a preferred embodiment, the steering SDN node is specifically configured to divide the security control SDN nodes that handle east-west traffic into a plurality of logically isolated networks; to divide all user terminals into a plurality of user groups according to their terminal information; and to associate each logically isolated network with one user group, the associations forming the setting information.
In a preferred embodiment, the terminal information comprises the service type of the user terminal, and the steering SDN node is specifically configured to classify all user terminals by service type and to form one user group from the terminal information of the user terminals of each service type.
In a preferred embodiment, the steering SDN node is specifically configured to determine the target user group of the user terminal from its terminal information, and to determine the logically isolated network corresponding to the target user group from the correspondence between logically isolated networks and user groups in the setting information.
In a preferred embodiment, each security control SDN node is connected to at least one security device.
The security control SDN node is specifically configured, on receiving the access data flow, to determine a target security device and to transmit the access data flow to the target security device so that the target security device performs security processing on it.
Since the principle of the SDN network to solve the problem is similar to the above method, the implementation of the SDN network may refer to the implementation of the method, and is not described herein again.
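The steering decision described in the embodiment above (and restated in claims 1-9) as an added, constructed model; it is not code from the patent. The address space, service types, node and device names are all assumptions, as is the fail-closed handling of terminals that are absent from the setting information and the direction-independent choice of security device.

```python
"""Constructed model of the steering decision described above and in claims 1-9.
Every address, service type and node name here is a made-up assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumption: the same-region intranet space. A flow with an endpoint outside it
# is north-south traffic and is handed to the north-south SDN node (claim 2).
REGION_PREFIX = ip_network("10.0.0.0/8")
NORTH_SOUTH_NODE = "sdn-ns-1"


@dataclass(frozen=True)
class Flow:
    src: str  # user terminal that sent the access data stream
    dst: str  # target terminal


@dataclass
class Settings:
    """The 'setting information' of claims 4-8, built by build_settings()."""
    terminal_service: Dict[str, str]        # terminal -> service type (terminal information)
    service_vpc: Dict[str, str]             # user group (service type) -> logical isolation network
    vpc_sec_node: Dict[str, str]            # logical isolation network -> security control SDN node
    sec_node_devices: Dict[str, List[str]]  # security control node -> attached security devices


def build_settings(terminal_service: Dict[str, str], vpc_sec_node: Dict[str, str],
                   sec_node_devices: Dict[str, List[str]]) -> Settings:
    """Claims 6-7: terminals sharing a service type form one user group, and each
    group is bound to one logical isolation network (assumed to be named after it)."""
    service_vpc = {svc: f"vpc-{svc}" for svc in sorted(set(terminal_service.values()))}
    missing = [v for v in service_vpc.values() if v not in vpc_sec_node]
    if missing:  # a VPC with no security control node would leave its group uninspected
        raise ValueError(f"no security control SDN node for {missing}")
    return Settings(terminal_service, service_vpc, vpc_sec_node, sec_node_devices)


def is_east_west(flow: Flow) -> bool:
    return ip_address(flow.src) in REGION_PREFIX and ip_address(flow.dst) in REGION_PREFIX


def steer(flow: Flow, settings: Settings) -> Dict[str, Optional[str]]:
    """Claims 1-3, 8 and 9: decide which node and security device must process
    the flow before it is forwarded to the target terminal."""
    if not is_east_west(flow):
        return {"path": "north-south", "node": NORTH_SOUTH_NODE, "vpc": None, "device": None}
    svc = settings.terminal_service.get(flow.src)
    if svc is None:
        # Assumption beyond the patent text: a terminal absent from the setting
        # information is dropped rather than forwarded without inspection.
        return {"path": "deny", "node": None, "vpc": None, "device": None}
    vpc = settings.service_vpc[svc]
    node = settings.vpc_sec_node[vpc]
    devices = settings.sec_node_devices.get(node, [])
    if not devices:  # fail closed: no attached security device means no forwarding
        return {"path": "deny", "node": node, "vpc": vpc, "device": None}
    # Assumption: the node selects the target security device (claim 9) with a
    # direction-independent key so both halves of a conversation inside one
    # group reach the same stateful device.
    key = int(ip_address(flow.src)) + int(ip_address(flow.dst))
    return {"path": "east-west", "node": node, "vpc": vpc, "device": devices[key % len(devices)]}


def demo_settings() -> Settings:
    """Constructed sample deployment: two service types, two isolation networks."""
    return build_settings(
        {"10.1.0.10": "payments", "10.1.0.11": "payments", "10.2.0.20": "reporting"},
        {"vpc-payments": "sdn-sec-pay", "vpc-reporting": "sdn-sec-rep"},
        {"sdn-sec-pay": ["fw-pay-a", "fw-pay-b"], "sdn-sec-rep": ["fw-rep-a"]},
    )
```

Calling `steer(Flow("10.1.0.10", "10.2.0.20"), demo_settings())` returns the payments group's security control node and one of its devices, while a flow to an address outside `REGION_PREFIX` is routed to the north-south node.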
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer device, which may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
In a typical example, the computer device specifically comprises a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method performed by the client as described above when executing the program, or the processor implementing the method performed by the server as described above when executing the program.
Referring now to FIG. 9, shown is a schematic diagram of a computer device 600 suitable for use in implementing embodiments of the present application.
As shown in fig. 9, the computer apparatus 600 includes a Central Processing Unit (CPU) 601, which can perform various appropriate operations and processing according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. The RAM 603 also stores the various programs and data necessary for the operation of the system 600. The CPU 601, ROM 602 and RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to the bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, a mouse and the like; an output section 607 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD) and the like, and a speaker and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem or the like. The communication section 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the I/O interface 606 as needed. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory or the like is mounted on the drive 610 as necessary, so that a computer program read from it can be installed on the storage section 608 as necessary.
In particular, according to an embodiment of the present invention, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the invention include a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape and magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (12)

1. An SDN co-regional data flow access control method, characterized by comprising the following steps:
receiving an access data stream transmitted by a user terminal;
determining whether the data stream is east-west traffic and, if so, determining a security control SDN node corresponding to the access data stream; and
transmitting the access data stream to the security control SDN node, so that the security control SDN node performs security processing on the access data stream through an external security device and transmits the access data stream after the security processing to a corresponding target terminal.
2. The SDN co-regional data flow access control method of claim 1, further comprising:
if not, transmitting the access data flow to a north-south SDN node so that the north-south SDN node performs security processing on the access data flow;
and transmitting the access data stream after the security processing to a corresponding target terminal.
3. The SDN co-regional data flow access control method of claim 1, wherein the determining the security control SDN node corresponding to the access data flow specifically comprises:
determining terminal information of a user terminal which sends the access data stream according to the access data stream;
determining a logic isolation network corresponding to the user terminal according to the terminal information and the setting information of the plurality of logic isolation networks;
determining a security control SDN node corresponding to the user terminal in the logical isolation network.
4. The SDN co-regional data flow access control method of claim 3, wherein the setting information includes a correspondence between the logical isolation network and terminal information of a user terminal.
5. The SDN co-regional data flow access control method of claim 4, further comprising the step of predetermining the setting information of the plurality of logical isolation networks.
6. The SDN co-regional data flow access control method of claim 5, wherein the predetermining the setting information of the plurality of logical isolation networks specifically comprises:
dividing the security control SDN nodes corresponding to east-west traffic into a plurality of logical isolation networks;
dividing all user terminals into a plurality of user groups according to the terminal information of all user terminals;
and forming a correspondence between each logical isolation network and a user group, which constitutes the setting information.
7. The SDN co-regional data flow access control method of claim 6, wherein the terminal information includes a service type corresponding to the user terminal, and the dividing all user terminals into the plurality of user groups according to the terminal information of all user terminals specifically includes:
classifying all user terminals according to service types;
and respectively forming a user group according to the terminal information of the user terminal corresponding to each service type.
8. The SDN co-regional data flow access control method of claim 6, wherein the determining, according to the terminal information and setting information of multiple logical isolation networks, a logical isolation network corresponding to the user terminal specifically includes:
determining a target user group corresponding to the user terminal according to the terminal information;
and determining the logic isolation network corresponding to the target user group according to the target user group and the corresponding relation between the logic isolation network and the user group in the setting information.
9. The SDN co-regional data flow access control method of claim 1, wherein each security control SDN node is connected to at least one security device;
the transmitting the access data stream to the security control SDN node so that the security control SDN node performs security processing on the access data stream through an external security device specifically includes:
transmitting the access data stream to the security control SDN node to cause the security control SDN node to determine a target security device;
and transmitting the access data stream to the target security device so that the target security device performs security processing on the access data stream.
10. An SDN network, comprising a traffic-steering SDN node and a security control SDN node;
the traffic-steering SDN node receives an access data stream transmitted by a user terminal; determines whether the data stream is east-west traffic and, if so, determines a security control SDN node corresponding to the access data stream; and transmits the access data stream to the security control SDN node, so that the security control SDN node performs security processing on the access data stream through an external security device and transmits the access data stream after the security processing to a corresponding target terminal.
11. A computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor,
wherein the processor, when executing the program, implements the method of any one of claims 1-9.
12. A computer-readable medium having stored thereon a computer program,
wherein the program, when executed by a processor, implements the method of any one of claims 1-9.
CN202111583983.2A 2021-12-22 2021-12-22 SDN same-region data flow access control method and SDN network Pending CN114285629A (en)
Publications (1)

Publication Number Publication Date
CN114285629A true CN114285629A (en) 2022-04-05

Family

ID=80874006
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination