CN114374526B - Method and device for protecting full-flow network access of cloud host - Google Patents


Info

Publication number
CN114374526B
CN114374526B
Authority
CN
China
Prior art keywords
cloud
flow
protection
full
firewall
Prior art date
Legal status
Active
Application number
CN202111142450.0A
Other languages
Chinese (zh)
Other versions
CN114374526A (en)
Inventor
吴中岱
王骏翔
郭磊
胡蓉
韩冰
刘晋
Current Assignee
Cosco Shipping Technology Co Ltd
Original Assignee
Cosco Shipping Technology Co Ltd

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/10 Network security for controlling access to devices or network resources
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS › Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE › Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT] › Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention relates to the field of cloud computing and information security, in particular to a method and device for full-traffic network access protection of cloud hosts. On top of conventional north-south traffic protection, the invention uses cloud service orchestration and automation technology to add east-west protection of cloud resources, and combines the two into full-traffic network access protection. Specifically, response rules are established for the distributed firewall, response rules are established for the full-traffic firewall, a full-traffic protection policy is configured, and the policy requirement is obtained and acted on, so that full-traffic network access protection is achieved automatically. The invention also provides a corresponding device, and addresses the problems of traditional firewall technology: high professional skill requirements, conflicts between protection policy configurations, a lack of coordination of policy configuration across multiple cloud hosts, and cumbersome operating steps.

Description

Method and device for protecting full-flow network access of cloud host
Technical Field
The invention relates to the technical field of cloud computing and information security, in particular to a method and a device for cloud host full-flow network access protection.
Background
A firewall is a system of computer hardware and software deployed at a network boundary. It bridges the internal and external networks while inspecting the data that enters and leaves the boundary, preventing malicious intrusion and the spread of malicious code, and so protects the data of the internal network. Firewall technology is an application security technology built on networking and information security technology; almost every boundary between an enterprise's internal network and an external network (such as the Internet) is equipped with a firewall, which filters and isolates harmful traffic and behaviour such as external attacks and intrusions. Faced with cloud hosts, however, traditional network firewall technology no longer meets network security requirements.
The cloud host is an important component of cloud computing at the infrastructure level; it sits at the bottom of the cloud computing industry pyramid and is derived from the cloud computing platform. The platform integrates the three core elements of Internet applications, computing, storage and network, and provides users with public Internet infrastructure services. A VPS uses virtualization software (VZ or VM) to divide one physical host into several parts that behave like independent hosts, so that one machine serves multiple users; each part can run as an independent operating system and is managed in the same way as a host. A cloud host is likewise a part that behaves like an independent host, but it is virtualized on a cluster of hosts, each of which holds an image of the cloud host, which greatly improves the safety and stability of the virtual host. As cloud hosts are applied and developed, network security, and especially network security among multiple cloud hosts, cannot be neglected.
At present, a firewall protection policy is configured on the host where a cloud host runs. This meets the micro-isolation needs of some cloud hosts, but it cannot meet the needs for fine-grained policies or overlaid policies. North-south protection of a traditional cloud host is done through a local firewall, which places high technical demands on ordinary, non-specialist cloud tenants. Moreover, the east-west and north-south protection policies of a cloud host conflict easily: if east-west and north-south protection are configured independently for the same type of host or network segment, the two can contradict each other on the actual network path. For example, the cloud host firewall may be configured to allow access requests from the 10.18.x segment to port 80, while the east-west policy allows only the 10.19.x segment to reach port 80; in that case neither segment can access the port. Querying, creating, modifying and debugging the east-west and north-south protection policies across multiple cloud hosts is complex and uncoordinated, and again demands a high level of professional skill from cloud tenants.
Disclosure of Invention
The invention discloses a method and device for full-traffic network access protection of cloud hosts, aimed at solving the following problems: traditional firewall technology cannot meet the security needs of existing cloud hosts; north-south protection of a traditional cloud host through a local firewall demands a high level of professional skill; the east-west and north-south protection modes of a cloud host are prone to protection policy configuration conflicts; east-west and north-south policy configuration across multiple cloud hosts lacks coordination; and the operating steps are cumbersome.
The invention claims the following technical scheme:
Using cloud service orchestration technology, the cloud computing platform interacts seamlessly, in a self-service manner, with the firewall of the cloud host operating system and with the distributed firewall of the cloud virtualization platform. This completes micro-isolation among cloud hosts, automates network protection policy configuration, and supports operations such as automatic zone division, automatic configuration of default rules, and custom addition of rules and rule types.
The firewall of the cloud host operating system is responsible for managing north-south traffic. On top of the traditional three-layer protection at the data-center level, policy issuance and configuration through the self-service cloud host firewall overlays a further layer of north-south protection while cloud host resources are effectively controlled in the east-west direction. Because the role of each firewall is fixed, the tendency of protection policies to conflict is effectively resolved.
Querying, creating and modifying the relevant policies is handed over uniformly to the cloud platform, and the cloud tenant can query, apply for and automatically issue policies through a set workflow. This greatly simplifies the tenant's operating steps, provides an intuitive query interface, and facilitates coordinated policy configuration across multiple devices.
Specifically, the method comprises the following:
The invention provides a method for full-traffic network access protection of cloud hosts, where full-traffic network access protection means full-traffic network security protection and comprises: north-south traffic access protection by the cloud host firewall and the traditional data-center firewall, and east-west traffic access protection by the distributed firewall of the cloud computing platform;
North-south traffic access protection comprises: using cloud computing automation technology or cloud service orchestration technology, configuring and implementing north-south traffic access protection separately on the traditional data-center firewall and on the cloud host firewall of the cloud resources of a group of service systems, where the separate configuration means configuring, automatically scheduling and issuing the north-south traffic access protection policy through the API exposed by the traditional data-center firewall and through the port-level, protocol-level, source-IP-level and destination-IP-level settings of the cloud host firewall;
East-west traffic access protection means: according to the network protocol of the heterogeneous cloud base environment at the cloud resource level, building on the cloud computing platform an enhanced adaptation module that supports the distributed firewall, and uniformly configuring the east-west traffic access protection policy on the cloud computing platform for cloud hosts in a multi-cloud heterogeneous environment, thereby achieving east-west traffic access protection;
By uniformly configuring the entry points of east-west and north-south traffic access protection on the cloud computing platform, and by combining the cloud tenants, cloud host service groups and preset rule policies in the platform, seamless interaction between north-south and east-west traffic access protection is achieved; the full-traffic network access protection policy is then configured automatically, so that full-traffic network access protection of single or multiple cloud resources is realized.
Further, the method comprises the following steps:
S1. Establish the response rules of the distributed firewall: establish the response rules of the distributed firewall on the cloud hosts of the cloud computing platform according to the network protocol of the heterogeneous cloud base environment at the cloud resource level, so that east-west traffic access protection is achieved automatically once a command to configure, automatically schedule and issue the east-west traffic access protection policy is received. The distributed firewall supports heterogeneous networks and is deployed in advance at the cloud resource level of the cloud computing platform, through the enhanced adaptation module, according to the network protocol of the heterogeneous cloud base environment;
S2. Establish the response rules of the full-traffic firewall: using cloud service orchestration and automation technology, establish the north-south traffic access response rules through the API exposed by the traditional data-center firewall and through the port-level, protocol-level, source-IP-level and destination-IP-level settings of the cloud host firewall. At the same time, by uniformly configuring the entry points of east-west and north-south protection and combining the cloud tenants, cloud host service groups and preset rule policies in the cloud computing platform, the bidirectional protection policies of east-west and north-south traffic access protection are merged, optimized, automatically partitioned and automatically configured, and the response rules of the full-traffic firewall are thereby established;
S3. Configure the full-traffic protection policy: the cloud tenant configures the relevant north-south or east-west traffic access protection policy on a terminal display interface as required, and a full-traffic network access protection policy requirement order is generated automatically once configuration is complete;
S4. Obtain and respond to the full-traffic protection policy requirement: based on the full-traffic network access protection policy requirement order submitted by the cloud tenant on the cloud computing platform, the cloud host automatically reads the full-traffic network access protection policy, automatically responds according to the rules of steps S1 and S2, and, by continuously obtaining the full-traffic protection policy configured in step S3, performs adaptive configuration, automatic scheduling and command issuance, so that full-traffic network access protection is executed automatically in real time.
Further, in step S4, the automatic execution includes automatically enabling the firewall when it is not yet enabled.
Further, in step S4, according to the tenant's application on the cloud platform and its audit, the issuance and activation of the full-traffic network access protection policy is finally responded to automatically through cloud service orchestration and automation technology, giving an automated protection capability. All operations are logged and can be reviewed and traced back, which supports later debugging and operations-and-maintenance fault localization.
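The following is an added illustration, not code from the patent: a small Python orchestrator in the spirit of steps S1 to S4 that compiles one tenant order into north-south rules for the cloud host firewalls of a service group and east-west rules for the distributed firewall, rejects an order containing the path conflict described in the background (port 80 allowed from 10.18.x by one layer and only from 10.19.x by the other), enables a host firewall that is not yet enabled, and logs every command. All class names, the conflict check and the sample orders are constructed for this example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule as issued to either protection layer (constructed model)."""
    direction: str      # "north-south" (cloud host firewall) or "east-west" (distributed firewall)
    action: str         # "allow" or "deny"
    proto: str          # "tcp" or "udp" (protocol level)
    src: IPv4Network    # source network (source-IP level)
    port: int           # destination port (port level)


@dataclass
class Order:
    """A tenant's full-traffic protection policy requirement order (step S3)."""
    tenant: str
    group: str                                    # cloud host service group
    members: List[str]                            # IPs of the cloud hosts in the group
    north_south: List[Tuple[str, str, str, int]]  # (action, proto, src_cidr, port)
    east_west: List[Tuple[str, str, str, int]]


@dataclass
class HostFirewall:
    """State of one cloud host's operating-system firewall (north-south layer)."""
    enabled: bool = False
    rules: List[Rule] = field(default_factory=list)


class Orchestrator:
    """Unified entry point for both layers: compile, check, then issue (steps S1, S2, S4)."""

    def __init__(self) -> None:
        self.host_fw: Dict[str, HostFirewall] = {}   # host IP -> its firewall
        self.dist_fw: Dict[str, List[Rule]] = {}     # service group -> distributed-firewall rules
        self.audit: List[str] = []                   # every operation is logged for later tracing

    @staticmethod
    def compile(order: Order) -> Tuple[List[Rule], List[Rule]]:
        """Turn the order's tuples into Rule objects for each layer."""
        ns = [Rule("north-south", a, p, ip_network(s), port) for a, p, s, port in order.north_south]
        ew = [Rule("east-west", a, p, ip_network(s), port) for a, p, s, port in order.east_west]
        return ns, ew

    @staticmethod
    def conflicts(ns: List[Rule], ew: List[Rule]) -> List[str]:
        """Flag allow rules on one layer that the other layer's allow rules can never satisfy.

        Traffic must pass both layers, so an allow whose (proto, port) the other layer allows
        only for non-overlapping sources cannot succeed on the real path. Only explicit
        contradictions between allow rules are checked; default-deny behaviour is out of scope.
        """
        problems = []
        for side_a, side_b in ((ns, ew), (ew, ns)):
            for r in side_a:
                if r.action != "allow":
                    continue
                peers = [o for o in side_b
                         if o.action == "allow" and o.proto == r.proto and o.port == r.port]
                if peers and not any(r.src.overlaps(o.src) for o in peers):
                    problems.append(
                        f"{r.direction} allow {r.proto}/{r.port} from {r.src} is unreachable: "
                        f"{peers[0].direction} allows only {[str(o.src) for o in peers]}")
        return problems

    def issue(self, order: Order) -> dict:
        """Step S4: validate the order, then push rules to both layers and log each command."""
        ns, ew = self.compile(order)
        problems = self.conflicts(ns, ew)
        if problems:
            self.audit.append(f"tenant={order.tenant} group={order.group} REJECTED: {problems}")
            return {"status": "rejected", "problems": problems}
        for host in order.members:
            fw = self.host_fw.setdefault(host, HostFirewall())
            if not fw.enabled:   # automatic opening when the host firewall is not yet enabled
                fw.enabled = True
                self.audit.append(f"tenant={order.tenant} host={host} firewall enabled")
            fw.rules.extend(ns)
            self.audit.append(f"tenant={order.tenant} host={host} issued {len(ns)} north-south rules")
        self.dist_fw.setdefault(order.group, []).extend(ew)
        self.audit.append(f"tenant={order.tenant} group={order.group} issued {len(ew)} east-west rules")
        return {"status": "issued", "hosts": len(order.members),
                "north_south": len(ns), "east_west": len(ew)}


# Constructed sample orders: the conflicting configuration from the background, and a corrected one.
CONFLICTING_ORDER = Order(
    tenant="tenant-a", group="web", members=["10.20.0.11", "10.20.0.12"],
    north_south=[("allow", "tcp", "10.18.0.0/16", 80)],
    east_west=[("allow", "tcp", "10.19.0.0/16", 80)],
)
CORRECTED_ORDER = Order(
    tenant="tenant-a", group="web", members=["10.20.0.11", "10.20.0.12"],
    north_south=[("allow", "tcp", "10.18.0.0/16", 80), ("deny", "tcp", "0.0.0.0/0", 22)],
    east_west=[("allow", "tcp", "10.18.0.0/16", 80), ("allow", "tcp", "10.20.0.0/24", 3306)],
)

if __name__ == "__main__":
    orch = Orchestrator()
    print(orch.issue(CONFLICTING_ORDER))
    print(orch.issue(CORRECTED_ORDER))
    print("\n".join(orch.audit))
```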
The invention also provides a method for north-south traffic access protection of cloud hosts, which performs north-south traffic access protection by configuring, with cloud computing automation technology or cloud service orchestration technology, the cloud host firewall of the cloud resources of a group of service systems, where the configuration means configuring the inbound and outbound policies of the cloud host firewall, so that the north-south traffic access protection policy is configured, automatically scheduled and issued. The configuration objects of the inbound and outbound policies of the cloud host firewall comprise: port level, protocol level, source IP and destination IP level.
The invention also provides another method for north-south traffic access protection of cloud hosts, which, using cloud computing automation technology or cloud service orchestration technology, configures and implements north-south traffic access protection separately on the traditional data-center firewall and on the cloud host firewall of the cloud resources of a group of service systems, where the separate configuration means configuring the API exposed by the traditional data-center firewall and the inbound and outbound policies of the cloud host firewall, so that the north-south traffic access protection policy is configured, automatically scheduled and issued. The configuration objects of the inbound and outbound policies of the cloud host firewall comprise: port level, protocol level, source IP and destination IP level.
The invention also provides a method for east-west traffic access protection of cloud hosts, where east-west traffic access protection means: according to the network protocol of the heterogeneous cloud base environment at the cloud resource level, building on the cloud computing platform an enhanced adaptation module that supports the distributed firewall, and uniformly configuring the east-west traffic access protection policy on the cloud computing platform for cloud hosts in a multi-cloud heterogeneous environment, thereby achieving east-west traffic access protection.
Further, in the protection methods above, all protection policies support cloud tenant customization.
Furthermore, tenant customization means that the cloud tenant configures the relevant access protection policy on a terminal display interface as required, and the corresponding access protection policy requirement order is generated automatically once configuration is complete; the cloud computing platform obtains the policy order and configures the protection policy adaptively so as to implement it.
The invention also provides a device for full-traffic network access protection of cloud hosts, comprising the following components:
a distributed-firewall response rule module, used to establish the response rules of the distributed firewall on the cloud hosts of the cloud computing platform according to the network protocol of the heterogeneous cloud base environment at the cloud resource level, so that east-west traffic access protection is achieved automatically once a command to configure, automatically schedule and issue the east-west traffic access protection policy is received; the distributed firewall supports heterogeneous networks and is deployed in advance at the cloud resource level of the cloud computing platform, through the enhanced adaptation module, according to the network protocol of the heterogeneous cloud base environment;
a full-traffic-firewall response rule module, used to establish, with cloud service orchestration and automation technology, the north-south traffic access response rules through the API exposed by the traditional data-center firewall and through the port-level, protocol-level, source-IP-level and destination-IP-level settings of the cloud host firewall; at the same time, by uniformly configuring the entry points of east-west and north-south protection and combining the cloud tenants, cloud host service groups and preset rule policies in the cloud computing platform, the bidirectional protection policies of east-west and north-south traffic access protection are merged, optimized, automatically partitioned and automatically configured, and the response rules of the full-traffic firewall are thereby established;
a full-traffic protection policy configuration module, used by the cloud tenant to configure the relevant north-south or east-west traffic access protection policy on a terminal display interface as required and to generate a full-traffic network access protection policy requirement order automatically;
a full-traffic protection policy requirement acquisition and response module, used to read the full-traffic network access protection policy automatically based on the full-traffic network access protection policy requirement order submitted by the cloud tenant on the cloud computing platform; the cloud host reads the policy automatically, responds automatically through the distributed-firewall response rule module and the full-traffic-firewall response rule module according to the policy read, and performs automatic scheduling and command issuance by continuously obtaining the policy configured in the full-traffic protection policy configuration module, so that full-traffic network access protection is executed automatically in real time.
Further, the full-traffic protection policy configuration module further comprises:
a display submodule, used to display the platform's interactive order workflow on the user terminal interface;
and a self-service configuration submodule, used to support user-defined configuration, where configuration and operations such as automatic issuance, autonomous query and history query are performed through the platform's interactive order workflow.
The invention also provides an electronic device comprising a memory and a processor, where the memory stores a configuration program for the device that can run on the processor, and the configuration program, when executed by the processor, implements the protection method.
The invention also provides a computer-readable storage medium on which a configuration program for the device is stored, the configuration program being executable by one or more processors to implement the protection method.
Compared with the prior art, the invention has the following advantages:
The cloud platform performs unified management, network protection policy configuration is interactive, and operations such as automatic zone division, automatic default rule configuration, and custom addition of rules and rule types are supported.
Through the operating-system firewall, the user can restrict north-south traffic more precisely and in a more targeted way.
The distributed firewall improves the network communication efficiency of east-west traffic, makes management more efficient, and allows network security policies to be configured and issued quickly.
The cloud tenant can perform automatic configuration issuance, autonomous query, history query and similar operations through the platform's interactive order workflow. The tenant's operating experience is optimized, and protection policies can be configured without complex operations on the tenant's part.
Drawings
Fig. 1 shows the steps of the method for cloud host full-traffic network access protection.
Fig. 2 is a block diagram of the configuration program of the device for cloud host full-traffic network access protection according to the present invention.
Fig. 3 is a sub-block diagram of the module for configuring the full-traffic protection policy in the cloud host full-traffic network access protection device according to another embodiment of the present invention.
Fig. 4 is a specific flowchart of another cloud-host-oriented full-traffic network access protection method provided by the present invention.
Fig. 5 is a configuration program diagram of a first cloud-host-oriented device for north-south traffic access protection provided by the invention.
Fig. 6 is a configuration program diagram of a second device for north-south traffic access protection of a cloud host according to the present invention.
Fig. 7 is a configuration program diagram of a device for east-west traffic access protection of a cloud host provided by the invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some terms appearing in the description of the embodiments of the present application are explained as follows:
Cloud service orchestration technology is the end-to-end automation of the process of deploying services in a cloud environment. More specifically, it is the automated arrangement, coordination and management of complex computer systems, middleware and services, all of which helps speed up the delivery of IT services while reducing costs. It is used to manage cloud infrastructure that provides and allocates the cloud resources customers need, such as creating virtual machines, allocating storage capacity, managing network resources and granting access to cloud software. With a suitable orchestration mechanism, a user can deploy and begin using services on a server or on any cloud platform.
North-south protection of a traditional cloud host is done through a local firewall, which places high technical demands on ordinary, non-specialist cloud tenants. Moreover, the east-west and north-south protection policies of a cloud host conflict easily: if east-west and north-south protection are configured independently for the same type of host or network segment, the two can contradict each other on the actual network path. For example, the cloud host firewall may be configured to allow access requests from the 10.18.x segment to port 80, while the east-west policy allows only the 10.19.x segment to reach port 80; in that case neither segment can access the port. According to the invention, full-traffic network access protection is realized through cloud service orchestration technology and automation technology, and these problems are effectively avoided.
To make the advantages of the technical solutions of the present invention clearer, the invention is described in detail below with reference to the accompanying drawings and embodiments.
The invention provides a method for full-traffic network access protection of cloud hosts, where full-traffic network access protection means full-traffic network security protection and comprises: north-south traffic access protection by the cloud host firewall and the traditional data-center firewall, and east-west traffic access protection by the distributed firewall of the cloud computing platform.
In this embodiment, the cloud host firewall refers to the cloud host operating-system firewall of the prior art. The firewall of the cloud host operating system is responsible for managing north-south traffic. On top of the traditional three-layer protection at the data-center level, policy issuance and configuration through the self-service cloud host firewall overlays a further layer of north-south protection while cloud host resources are effectively controlled in the east-west direction. Because the role of each firewall is fixed, the tendency of protection policies to conflict is effectively resolved.
North-south traffic access protection comprises: using cloud computing automation technology or cloud service orchestration technology, configuring and implementing north-south traffic access protection separately on the traditional data-center firewall and on the cloud host firewall of the cloud resources of a group of service systems, where the separate configuration means configuring, automatically scheduling and issuing the north-south traffic access protection policy through the API exposed by the traditional data-center firewall and through the port-level, protocol-level, source-IP-level and destination-IP-level settings of the cloud host firewall, and supports cloud tenant customization.
In this embodiment, the common configuration also refers to the configuration, automatic scheduling and issuance of the inbound and outbound policies of the traditional data-center firewall, and supports cloud tenant customization; cloud tenants are not limited to enterprises and individual users, and customization means that the tenant configures the policy, according to the tenant's own requirements, on the terminal display interface provided by the system.
East-west traffic access protection means: according to the network protocol of the heterogeneous cloud base environment at the cloud resource level, building on the cloud computing platform an enhanced adaptation module that supports the distributed firewall, and uniformly configuring the east-west traffic access protection policy on the cloud computing platform for cloud hosts in a multi-cloud heterogeneous environment, thereby achieving east-west traffic access protection;
In this embodiment, configuring the east-west traffic access protection policy includes: uniform protection policy configuration on the cloud computing platform for cloud hosts in the multi-cloud heterogeneous environment; and deep integration of the cloud computing platform with its cloud tenants, cloud host service groups and so on, so that policies are automatically configured, issued and activated across the whole life cycle of cloud resources, including provisioning and delivery, service group changes, and resource reclamation and retirement.
By uniformly configuring the entry points of east-west and north-south traffic access protection on the cloud computing platform, and by combining the cloud tenants, cloud host service groups and preset rule policies in the platform, seamless interaction between north-south and east-west traffic access protection is achieved; the full-traffic network access protection policy is then configured automatically, so that full-traffic network access protection of single or multiple cloud resources is realized.
In this embodiment, the east-west traffic is mainly responsible for external policy configuration of the cloud host service system layer, and the north-south traffic is mainly responsible for external policy protection of the cloud host monomer.
Fig. 1 shows the steps of the method for protecting full-traffic network access of a cloud host provided by the present invention.
As shown in Fig. 1, the method for protecting full-traffic network access of a cloud host in this embodiment comprises the following steps:
S1. Establish the response rules of the distributed firewall: establish the response rules of the distributed firewall on the cloud hosts of the cloud computing platform according to the network protocol of the heterogeneous cloud infrastructure at the cloud resource level, so that east-west traffic access protection is implemented automatically once a command for configuring, automatically scheduling and issuing an east-west traffic access protection policy is received. The distributed firewall supports heterogeneous networks and is deployed in advance at the cloud resource level of the cloud computing platform through the enhanced adaptation module, according to the network protocol of the heterogeneous cloud infrastructure.
S2. Establish the response rules of the full-traffic firewall: using cloud service orchestration and automation technology, establish the response rules for north-south traffic access through the API exposed by the traditional data center firewall and the port-level, protocol-level, source-IP-level and target-IP-level configuration of the cloud host firewall. At the same time, through the unified entry for east-west and north-south protection, combined with the cloud tenants, cloud host business groups and preset rule policies of the cloud computing platform, the bidirectional (east-west and north-south) traffic protection policies are merged and optimized, divided automatically and configured automatically, which establishes the response rules of the full-traffic firewall.
S3. Configure the full-traffic protection policy: the cloud tenant configures the required north-south or east-west traffic access protection policies on the terminal display interface, and a full-traffic network access protection policy requirement order is generated automatically when configuration is complete.
In this embodiment, this specifically includes: displaying a preset protection policy form for the cloud host on the cloud tenant's terminal interface, so that the tenant fills in the required north-south traffic access protection policy; generating the corresponding entries from the preset protection policy in the workspace to which the cloud host belongs, so that the tenant fills in the required east-west traffic access protection policy; and automatically generating the full-traffic network access protection policy requirement order.
S4. Obtain and respond to the full-traffic protection policy requirement: based on the requirement order submitted by the cloud tenant on the cloud computing platform, the cloud host automatically reads the full-traffic network access protection policy, responds automatically according to the rules of steps S1 and S2, and, by continuously obtaining the full-traffic protection policy configured in step S3, performs adaptive configuration, automatic scheduling and command issuing, so that full-traffic network access protection is executed automatically in real time.
In this embodiment, the automatic execution in step S4 includes automatically turning the firewall on when it is not yet on.
In this embodiment, in step S4, the issuing and activation of the full-traffic network access protection policy is responded to automatically through cloud service orchestration and automation technology, according to the application and audit that the cloud tenant performs uniformly on the cloud platform, which gives the platform an automatic protection capability. All operations are logged and can be looked up and traced back, so that operation and maintenance problems can be located later.
In this embodiment, full-traffic network access protection uses rule-based access control. It is not limited to plain access protection: during policy configuration the platform can also interact with its threat intelligence library and turn known malicious blacklisted IP addresses into interception policies.
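The following is an added example, written for this page and not code from the patent or its assignee, that walks through steps S1 to S4 as an offline orchestrator: it validates a tenant's requirement order at port, protocol, source-IP and target-IP level, dispatches north-south rules to a cloud host firewall adapter and a data center firewall adapter and east-west rules to a per-workspace distributed firewall adapter, turns the host firewall on when it is off, places threat-intelligence blacklist denies ahead of the tenant's rules, and logs every operation for later look-up and backtracking. The adapter classes, the order and rule fields, the iptables rendering, the /api/v1/policies path and the threat-intelligence set are all assumptions; the adapters return command strings instead of talking to real devices.

```python
"""Added example: offline orchestrator for steps S1 to S4 (not the patent holder's code).
Adapter classes, order/rule fields, the iptables rendering, the /api/v1/policies path
and the threat-intel feed are assumptions; adapters return command strings, not API calls."""
from dataclasses import dataclass, asdict
import ipaddress
import json


@dataclass(frozen=True)
class Rule:
    """One entry at port / protocol / source-IP / target-IP level."""
    direction: str  # "inbound" or "outbound"
    action: str     # "allow" or "deny"
    protocol: str   # "tcp", "udp", "icmp" or "any"
    port: str       # "22", "8000-8080" or "any"
    src: str        # CIDR
    dst: str        # CIDR

    def validate(self):
        """Reject malformed tenant input before anything reaches a device."""
        if (self.direction not in ("inbound", "outbound") or self.action not in ("allow", "deny")
                or self.protocol not in ("tcp", "udp", "icmp", "any")):
            raise ValueError(f"bad direction/action/protocol in {self}")
        if self.port != "any":
            lo, _, hi = self.port.partition("-")
            if not (lo.isdigit() and (hi == "" or hi.isdigit())
                    and all(0 < int(p) < 65536 for p in (lo, hi or lo))):
                raise ValueError(f"bad port {self.port!r}")
        ipaddress.ip_network(self.src, strict=False)  # raises on garbage
        ipaddress.ip_network(self.dst, strict=False)


@dataclass
class Order:
    tenant: str
    kind: str    # "north-south" (target = cloud host) or "east-west" (target = workspace)
    target: str
    rules: list


class HostFirewallAdapter:
    """Cloud host OS firewall, rendered as iptables commands (assumed backend)."""
    def __init__(self):
        self.enabled = set()  # hosts whose firewall is already on

    def enable(self, host):
        self.enabled.add(host)
        return f"{host}: enable-firewall"

    def render(self, host, rule):
        chain = "INPUT" if rule.direction == "inbound" else "OUTPUT"
        cmd = [f"{host}: iptables -A {chain}"]
        if rule.protocol != "any":
            cmd.append(f"-p {rule.protocol}")
        cmd.append(f"-s {rule.src} -d {rule.dst}")
        if rule.port != "any" and rule.protocol in ("tcp", "udp"):
            cmd.append(f"--dport {rule.port.replace('-', ':')}")
        cmd.append("-j ACCEPT" if rule.action == "allow" else "-j DROP")
        return " ".join(cmd)


class DataCenterFirewallAdapter:
    """Traditional data center firewall driven through its exposed API (assumed path)."""
    def render(self, host, rule):
        return "POST /api/v1/policies " + json.dumps({"scope": host, **asdict(rule)}, sort_keys=True)


class DistributedFirewallAdapter:
    """Distributed firewall: one unified policy per workspace, whatever cloud is underneath."""
    def __init__(self):
        self.policies = {}

    def render(self, workspace, rule):
        self.policies.setdefault(workspace, []).append(rule)
        return (f"dfw[{workspace}] += {rule.action} {rule.protocol}/{rule.port} "
                f"{rule.src}->{rule.dst} ({rule.direction})")


class Orchestrator:
    """Step S4: read the order, dispatch to the right firewall, log every operation."""
    def __init__(self, host_fw, dc_fw, dfw, threat_intel=()):
        self.host_fw, self.dc_fw, self.dfw = host_fw, dc_fw, dfw
        self.threat_intel = sorted(set(threat_intel))  # constructed blacklist feed
        self.audit = []  # look-up and backtracking record

    def _log(self, tenant, op, detail):
        self.audit.append({"seq": len(self.audit) + 1, "tenant": tenant, "op": op, "detail": detail})

    def apply_order(self, order):
        for rule in order.rules:
            rule.validate()
        issued = []
        if order.kind == "north-south":
            # Blacklisted sources become deny rules placed ahead of the tenant's own rules.
            rules = [Rule("inbound", "deny", "any", "any", f"{ip}/32", "0.0.0.0/0")
                     for ip in self.threat_intel] + list(order.rules)
            if order.target not in self.host_fw.enabled:  # auto-enable when the firewall is off
                issued.append(self.host_fw.enable(order.target))
                self._log(order.tenant, "enable-firewall", order.target)
            for rule in rules:
                issued.append(self.host_fw.render(order.target, rule))
                issued.append(self.dc_fw.render(order.target, rule))
        elif order.kind == "east-west":
            for rule in order.rules:
                issued.append(self.dfw.render(order.target, rule))
        else:
            raise ValueError(f"unknown traffic kind {order.kind!r}")
        self._log(order.tenant, f"apply-{order.kind}", {"target": order.target, "commands": len(issued)})
        return issued
```

Because the host adapter renders first-match chains with iptables -A, the blacklist denies are emitted before the tenant's rules so that a tenant allow cannot open a path for a blacklisted source. The audit list is the minimum a platform needs for the look-up and backtracking the embodiment requires; in a real deployment it would go to append-only storage rather than an in-memory list.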
Fig. 2 is a block diagram of the configuration procedure of a first device for protecting full-traffic network access of a cloud host according to the present invention.
As shown in Fig. 2, a device for protecting full-traffic network access of a cloud host comprises:
a distributed firewall response rule module 101, configured to establish the response rules of the distributed firewall on the cloud hosts of the cloud computing platform according to the network protocol of the heterogeneous cloud infrastructure at the cloud resource level, so that east-west traffic access protection is implemented automatically once a command for configuring, automatically scheduling and issuing an east-west traffic access protection policy is received; the distributed firewall supports heterogeneous networks and is deployed in advance at the cloud resource level of the cloud computing platform through the enhanced adaptation module, according to the network protocol of the heterogeneous cloud infrastructure;
a full-traffic firewall response rule module 102, configured to establish, using cloud service orchestration and automation technology, the response rules for north-south traffic access through the API exposed by the traditional data center firewall and the port-level, protocol-level, source-IP-level and target-IP-level configuration of the cloud host firewall; at the same time, through the unified entry for east-west and north-south protection, combined with the cloud tenants, cloud host business groups and preset rule policies of the cloud computing platform, the bidirectional (east-west and north-south) traffic protection policies are merged and optimized, divided automatically and configured automatically, which establishes the response rules of the full-traffic firewall;
a full-traffic protection policy configuration module 103, configured for the cloud tenant to configure the required north-south or east-west traffic access protection policy on the terminal display interface, with a full-traffic network access protection policy requirement order generated automatically; and
a full-traffic protection policy requirement acquisition and response module 104, configured to automatically read the full-traffic network access protection policy based on the requirement order submitted by the cloud tenant on the cloud computing platform, to respond automatically through the distributed firewall response rule module and the full-traffic firewall response rule module according to the policy read, and, by continuously obtaining the full-traffic protection policy configured in the full-traffic protection policy configuration module, to perform automatic scheduling and command issuing so that full-traffic network access protection is executed automatically in real time.
Fig. 3 is a sub-block diagram of the configuration procedure of the full-traffic protection policy configuration module in a cloud host full-traffic network access protection device according to another embodiment of the present invention.
Further, as shown in Fig. 3, in another device for protecting full-traffic network access of a cloud host provided by the present invention, the full-traffic protection policy configuration module 103 further includes:
a display sub-module 1031, configured to display the interactive order procedure of the platform on the user terminal interface; and
a self-service configuration sub-module 1032, configured to support user-defined configuration through the interactive order procedure of the platform. Through that procedure the cloud tenant can perform automatic configuration and issuing, self-service queries, history queries and similar operations.
In this embodiment, after the cloud tenant selects north-south traffic access protection for a cloud host, it chooses the target cloud host and fills in the relevant policy on a preset form; and/or after the cloud tenant selects east-west traffic access protection for a cloud host, it chooses the target workspace and fills in the relevant policy on a preset form.
Specifically, a preset protection policy form for the cloud host is displayed on the cloud tenant's terminal interface so that the tenant fills in the required north-south traffic access protection policy; the corresponding entries are generated from the preset protection policy in the workspace to which the cloud host belongs so that the tenant fills in the required east-west traffic access protection policy; and the full-traffic network access protection policy requirement order is generated automatically.
Further, the self-service configuration sub-module 1032 logs all operations and supports looking them up and tracing them back, so that operation and maintenance problems can be located later; a query entry is provided in the interactive order procedure.
Fig. 4 is a detailed flowchart of another method for protecting full-traffic network access of a cloud host provided by the present invention.
As shown in Fig. 4, full-traffic protection is realized by the following process: through the full-traffic protection policy configuration module 103, the cloud tenant initiates an application at the client and selects and confirms the full-traffic access protection order requirement of the cloud host on the display interface. Specifically: when north-south traffic protection of the cloud host is selected, the tenant chooses the target cloud host and fills in the relevant policy on a preset form; when east-west traffic protection of the cloud host is selected, the tenant chooses the target workspace and fills in the relevant policy requirement in the preset entries.
Once the full-traffic access protection order requirement of the cloud host is confirmed, the tenant's order is submitted directly to the cloud computing platform, which automatically adapts the full-traffic requirement according to the submitted order.
Further, while adapting the full-traffic requirement, the system first determines the traffic protection type in the requirement. For north-south protection it calls the cloud host firewall and/or the traditional data center firewall; the cloud computing platform obtains the protection policy from the tenant requirement and adaptively configures the corresponding security protection policy. For east-west protection it calls the configured distributed firewall; the platform obtains the protection policy from the tenant requirement and adaptively configures the corresponding security protection policy. The adaptively configured bidirectional (east-west and north-south) traffic protection policy is then responded to automatically by the distributed firewall response rule module 101 and the full-traffic firewall response rule module 102, the full-traffic protection policy requirement is obtained, and the acquisition and response module 104 issues and executes the policy, thereby protecting the full-traffic network access of the cloud host.
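The policy-collision problem raised in the description of the cloud host firewall, and the merging, optimization and automatic division of bidirectional policies in step S2, are the checks a platform should run on an order before the adaptation step described above pushes anything to a device. The following added example (written for this page, not the patent holder's code) implements three such checks under first-match evaluation, which is an assumption matching iptables-style host rules: shadowed rules within one list (a later rule that an earlier, broader rule prevents from ever firing, reported as a conflict when the actions differ and as redundant when they agree), host-firewall allows that an upstream data center firewall deny makes ineffective, and automatic division of a mixed rule list into north-south and east-west parts using the cloud's internal prefixes. The rule fields, the internal prefix and the sample rules are constructed.

```python
"""Added example: fusion checks on protection policies before issuing.
Illustrative code written for this page, not the patent holder's implementation.
First-match evaluation and the rule fields are assumptions."""
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    direction: str  # "inbound" or "outbound"
    action: str     # "allow" or "deny"
    protocol: str   # "tcp", "udp", "icmp" or "any"
    port: str       # "22", "8000-8080" or "any"
    src: str        # CIDR
    dst: str        # CIDR


def _port_range(port):
    if port == "any":
        return 1, 65535
    lo, _, hi = port.partition("-")
    return int(lo), int(hi or lo)


def _net_covers(outer, inner):
    """True when CIDR inner lies entirely inside CIDR outer."""
    o = ipaddress.ip_network(outer, strict=False)
    i = ipaddress.ip_network(inner, strict=False)
    try:
        return i.subnet_of(o)
    except TypeError:  # mixed IPv4/IPv6 never overlap
        return False


def covers(a, b):
    """True when every packet matched by rule b is also matched by rule a."""
    if a.direction != b.direction:
        return False
    if a.protocol != "any" and a.protocol != b.protocol:
        return False
    alo, ahi = _port_range(a.port)
    blo, bhi = _port_range(b.port)
    return (alo <= blo and bhi <= ahi
            and _net_covers(a.src, b.src) and _net_covers(a.dst, b.dst))


def find_shadowed(rules):
    """Within one first-match list, report (earlier, later, kind) for each later rule
    that an earlier rule covers: "conflict" when the actions differ (the tenant's intent
    is silently reversed), "redundant" when they agree."""
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                kind = "conflict" if rules[i].action != later.action else "redundant"
                findings.append((i, j, kind))
                break
    return findings


def ineffective_host_allows(dc_rules, host_rules):
    """Cross-layer north-south fusion: a cloud host firewall allow does nothing when the
    first data center firewall rule covering it is a deny. Returns indexes of such host rules."""
    hits = []
    for j, h in enumerate(host_rules):
        if h.action != "allow":
            continue
        for d in dc_rules:
            if covers(d, h):
                if d.action == "deny":
                    hits.append(j)
                break
    return hits


def split_by_direction(rules, internal_prefixes):
    """Automatic division: traffic whose source and target both lie inside the cloud's
    own prefixes is east-west; everything else is north-south."""
    def inside(cidr):
        return any(_net_covers(p, cidr) for p in internal_prefixes)
    north_south, east_west = [], []
    for r in rules:
        (east_west if inside(r.src) and inside(r.dst) else north_south).append(r)
    return north_south, east_west


# Constructed sample: a tenant order plus the data center firewall's existing rules.
TENANT_RULES = [
    Rule("inbound", "deny", "any", "any", "0.0.0.0/0", "10.0.0.5/32"),
    Rule("inbound", "allow", "tcp", "22", "198.51.100.0/24", "10.0.0.5/32"),
    Rule("inbound", "allow", "tcp", "443", "0.0.0.0/0", "10.0.1.0/24"),
    Rule("inbound", "allow", "tcp", "443", "203.0.113.0/24", "10.0.1.8/32"),
    Rule("inbound", "allow", "tcp", "3306", "10.0.1.0/24", "10.0.2.0/24"),
]
DC_RULES = [Rule("inbound", "deny", "tcp", "22", "0.0.0.0/0", "10.0.0.0/8")]


def check_order(tenant_rules=TENANT_RULES, dc_rules=DC_RULES, internal=("10.0.0.0/8",)):
    """Run all three checks; returns a report the platform could show the tenant."""
    north_south, east_west = split_by_direction(tenant_rules, internal)
    return {
        "shadowed": find_shadowed(tenant_rules),
        "ineffective_allows": ineffective_host_allows(dc_rules, north_south),
        "north_south": len(north_south),
        "east_west": len(east_west),
    }
```

On the sample, the tenant's SSH allow is flagged twice: it is shadowed by the tenant's own broad deny placed before it, and even without that deny the data center firewall blocks port 22 to the whole 10.0.0.0/8 range, so the host-level allow would never take effect. Surfacing both at order time is what keeps the layered north-south protection from silently disagreeing with itself.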
In addition to the method for full-traffic network access protection, the invention also provides two further methods for realizing north-south traffic access protection using cloud computing automation technology or cloud computing service orchestration technology, as follows.
The first method: a method for realizing north-south traffic access protection for a cloud host, in which north-south traffic access protection is implemented by using cloud computing automation technology or cloud computing service orchestration technology to configure the cloud host firewall of the cloud resources of a group of business systems. Configuration means configuring the inbound and outbound policies of the cloud host firewall, and thereby configuring, automatically scheduling and issuing the north-south traffic access protection policy. The configurable objects of the inbound and outbound policies of the cloud host firewall include: port level, protocol level, source IP level and target IP level.
Fig. 5 is a configuration program diagram of a first device for realizing north-south traffic access protection for a cloud host according to the present invention, in which:
a cloud host firewall configuration module 201 is configured to configure the inbound and outbound policies of the cloud host firewall for the cloud resources of a group of business systems, using cloud computing automation technology or cloud computing service orchestration technology;
an adaptive response module 202 is configured to establish the adaptive response rules of the cloud host firewall on the cloud computing platform, so that the north-south traffic access protection policy is adapted, scheduled and issued automatically;
a protection policy configuration module 203 is configured for the cloud tenant to configure the required north-south traffic access protection policy on the terminal display interface, with a north-south protection policy requirement order generated automatically when configuration is complete; and
a protection policy acquisition and response module 204 is configured for the cloud host to automatically read the access protection policy based on the requirement order submitted by the cloud tenant on the cloud computing platform, to respond automatically according to the adaptive rules and the policy read, and, by continuously obtaining the policy in the protection policy configuration module, to perform adaptive configuration, automatic scheduling and command issuing so that north-south traffic access protection is executed automatically in real time.
The second method: north-south traffic access protection is configured and implemented separately on the traditional data center firewall and on the cloud host firewall of the cloud resources of a group of business systems, using cloud computing automation technology alone or cloud computing service orchestration technology. Separate configuration means configuring the API exposed by the traditional data center firewall and the inbound and outbound policies of the cloud host firewall, and thereby configuring, automatically scheduling and issuing the north-south traffic access protection policy. The configurable objects of the inbound and outbound policies of the cloud host firewall include: port level, protocol level, source IP level and target IP level.
Fig. 6 is a configuration program diagram of a second device for realizing north-south traffic access protection for a cloud host according to the present invention, in which:
a firewall configuration module 301 is configured to configure the traditional data center firewall and the cloud host firewall of the cloud resources of a group of business systems separately, using cloud computing automation technology or cloud computing service orchestration technology;
an adaptive response module 302 is configured to establish the adaptive response rules of the cloud host firewall on the cloud computing platform, so that the north-south traffic access protection policy is adapted, scheduled and issued automatically;
a protection policy configuration module 303 is configured for the cloud tenant to configure the required north-south traffic access protection policy on the terminal display interface, with a north-south access protection policy requirement order generated automatically when configuration is complete; and
a protection policy acquisition and response module 304 is configured for the cloud host to automatically read the access protection policy based on the requirement order submitted by the cloud tenant on the cloud computing platform, to respond automatically according to the adaptive rules and the policy read, and, by continuously obtaining the policy in the protection policy configuration module, to perform adaptive configuration, automatic scheduling and command issuing so that north-south traffic access protection is executed automatically in real time.
In addition to the method for full-traffic network access protection, the invention also provides a method for realizing east-west traffic access protection for a cloud host using cloud computing automation technology or cloud computing service orchestration technology. East-west traffic access protection means: according to the network protocol of the heterogeneous cloud infrastructure at the cloud resource level, an enhanced adaptation module supporting a distributed firewall is built on the cloud computing platform, and the east-west traffic access protection policy is configured uniformly on the cloud computing platform for the cloud hosts in a multi-cloud heterogeneous environment, thereby realizing east-west traffic access protection.
Fig. 7 is a configuration program diagram of a device for realizing east-west traffic access protection for a cloud host according to the present invention, in which:
a distributed firewall response rule module 401 is configured to establish the response rules of the distributed firewall on the cloud hosts of the cloud computing platform according to the network protocol of the heterogeneous cloud infrastructure at the cloud resource level, so that east-west traffic access protection is implemented automatically once a command for configuring, automatically scheduling and issuing an east-west traffic access protection policy is received; the distributed firewall supports heterogeneous networks and is deployed in advance at the cloud resource level of the cloud computing platform through the enhanced adaptation module, according to the network protocol of the heterogeneous cloud infrastructure;
an adaptive response module 402 is configured to establish the adaptive response rules of the cloud host firewall on the cloud computing platform, so that the east-west traffic access protection policy is adapted, scheduled and issued automatically;
a protection policy configuration module 403 is configured for the cloud tenant to configure the required east-west traffic access protection policy on the terminal display interface, with an east-west access protection policy requirement order generated automatically when configuration is complete; and
a protection policy acquisition and response module 404 is configured for the cloud host to automatically read the access protection policy based on the requirement order submitted by the cloud tenant on the cloud computing platform, to respond automatically according to the adaptive rules and the policy read, and, by continuously obtaining the policy in the protection policy configuration module, to perform adaptive configuration, automatic scheduling and command issuing so that east-west traffic access protection is executed automatically in real time.
Further, in the two methods for realizing north-south traffic access protection and the method for realizing east-west traffic access protection above, the protection policy supports cloud tenant customization: after a user configures the protection policy in a customized way, the cloud computing platform obtains the policy and configures it adaptively, so that the corresponding protection policy is implemented.
Further, automatic execution includes automatically turning the firewall on when it is not yet on.
Further, in the step of obtaining and responding to the policy requirement, the issuing and activation of the access protection policy is responded to automatically through cloud service orchestration and automation technology, according to the application and audit that the cloud tenant performs uniformly on the cloud platform, which gives the platform an automatic protection capability. All operations are logged and can be looked up and traced back, so that operation and maintenance problems can be located later.
The embodiment further includes an electronic device comprising a memory and a processor, where the memory stores a configuration program that can run on the processor, and the configuration program, when executed by the processor, implements the method for protecting full-traffic network access of a cloud host according to this embodiment.
This embodiment further includes a computer-readable storage medium storing the configuration program of the cloud host full-traffic network access protection device provided in this embodiment; the configuration program can be executed by one or more processors to implement the method for protecting full-traffic network access of a cloud host described in this embodiment.
The foregoing is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make various modifications and refinements without departing from the principle of the present invention, and such modifications and refinements should also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A method for protecting full-traffic network access of a cloud host, characterized in that full-traffic network access protection means full-traffic network security protection and comprises: north-south traffic access protection by a cloud host firewall and a traditional data center firewall, and east-west traffic access protection by a distributed firewall of a cloud computing platform;
north-south traffic access protection means: using cloud computing automation technology or cloud computing service orchestration technology to configure and implement north-south traffic access protection separately on the traditional data center firewall and on the cloud host firewall of the cloud resources of a group of business systems, where separate configuration means that the north-south traffic access protection policy is configured, automatically scheduled and issued through the API exposed by the traditional data center firewall and through the port-level, protocol-level, source-IP-level and target-IP-level settings of the cloud host firewall;
east-west traffic access protection means: according to the network protocol of the heterogeneous cloud infrastructure at the cloud resource level, an enhanced adaptation module supporting a distributed firewall is established on the cloud computing platform, and the east-west traffic access protection policy is configured uniformly on the cloud computing platform for the cloud hosts in a multi-cloud heterogeneous environment, thereby realizing east-west traffic access protection;
through a unified entry for east-west and north-south traffic access protection on the cloud computing platform, combined with the cloud tenants, cloud host business groups and preset rule policies of the platform, north-south and east-west traffic access protection interact seamlessly, the full-traffic network access protection policy is configured automatically, and full-traffic network access protection of a single cloud resource or of multiple cloud resources is realized.
2. The method for full-traffic network access protection according to claim 1, further characterized by the following steps:
S1. establishing the response rules of the distributed firewall: establishing the response rules of the distributed firewall on the cloud hosts of the cloud computing platform according to the network protocol of the heterogeneous cloud infrastructure at the cloud resource level, so that east-west traffic access protection is implemented automatically once a command for configuring, automatically scheduling and issuing an east-west traffic access protection policy is received; the distributed firewall supports heterogeneous networks and is deployed in advance at the cloud resource level of the cloud computing platform through the enhanced adaptation module, according to the network protocol of the heterogeneous cloud infrastructure;
S2. establishing the response rules of the full-traffic firewall: using cloud service orchestration and automation technology, establishing the response rules for north-south traffic access through the API exposed by the traditional data center firewall and the port-level, protocol-level, source-IP-level and target-IP-level configuration of the cloud host firewall; at the same time, through the unified entry for east-west and north-south protection, combined with the cloud tenants, cloud host business groups and preset rule policies of the cloud computing platform, the bidirectional (east-west and north-south) traffic protection policies are merged and optimized, divided automatically and configured automatically, which establishes the response rules of the full-traffic firewall;
S3. configuring the full-traffic protection policy: the cloud tenant configures the required north-south or east-west traffic access protection policies on the terminal display interface, and a full-traffic network access protection policy requirement order is generated automatically when configuration is complete; and
S4. obtaining and responding to the full-traffic protection policy requirement: based on the requirement order submitted by the cloud tenant on the cloud computing platform, the cloud host automatically reads the full-traffic network access protection policy, responds automatically according to the rules of steps S1 and S2, and, by continuously obtaining the full-traffic protection policy configured in step S3, performs adaptive configuration, automatic scheduling and command issuing, so that full-traffic network access protection is executed automatically in real time.
3. The method for full-traffic network access protection according to claim 1 or 2, further characterized in that,
in step S4 of obtaining and responding to the full-traffic protection policy requirement, automatic execution includes automatically turning the firewall on when it is not yet on.
4. The method for full-traffic network access protection according to claim 1 or 2, further characterized in that, in step S4 of obtaining and responding to the full-traffic protection policy requirement, the issuing and activation of the full-traffic network access protection policy is responded to automatically through cloud service orchestration and automation technology, according to the application and audit that the cloud tenant performs uniformly on the cloud platform, which gives the platform an automatic protection capability; all operations are logged and can be looked up and traced back, so that operation and maintenance problems can be located later.
5. The protection method according to claim 1 or 2, further characterized in that all the protection policies support cloud tenant customization.
6. The protection method according to claim 5, characterized in that the support for cloud tenant customization of the protection policies includes: the cloud tenant configures the access protection policies relevant to it on the terminal display interface according to its requirements, and a corresponding access protection policy requirement order is generated automatically when configuration is complete; the cloud computing platform obtains the protection policy order and configures the protection policy adaptively, so that the corresponding protection policy is implemented.
7. A device for protecting full-flow network access facing a cloud host is characterized by comprising:
the response rule module of the distributed firewall is used for establishing a response rule of the distributed firewall on a cloud host of the cloud computing platform according to a network protocol of a heterogeneous cloud basic environment of a cloud resource level, and automatically realizing the east-west flow access protection after the obtained commands of configuration, automatic scheduling and issuing of the east-west flow access protection strategy; the distributed firewall is a distributed firewall supporting heterogeneous networks, which is deployed on a cloud resource level on a cloud computing platform in advance through an enhanced adaptation module according to a network protocol of a heterogeneous cloud basic environment;
the response rule module of the full-flow firewall is used for establishing a response rule of the north-south flow access through the configuration of an api interface opened by a traditional data center firewall and port levels, protocol levels, source IP (Internet protocol) levels, target IP levels and the like of a cloud host firewall by a cloud service arrangement and automation technology; meanwhile, by uniformly configuring the entrances of the east-west protection and the north-south protection and combining with cloud tenants, cloud host service grouping and preset rule strategies in a cloud computing platform, the fusion optimization, automatic division and automatic configuration of bidirectional flow protection strategies of the east-west flow access protection and the north-south flow access protection are realized, and further the response rule of the full-flow firewall is established;
configuring a full-flow protection policy module, which is used for a cloud tenant to configure the relevant north-south flow access protection policy or east-west flow access protection policy on a terminal display interface according to needs, and automatically generating a full-flow network access protection policy demand order;
the method comprises the steps that a full-flow protection strategy requirement and response module is obtained and used for automatically reading a full-flow network access protection strategy based on a full-flow network access protection strategy requirement order submitted by a cloud tenant on a cloud computing platform, a cloud host automatically reads the full-flow network access protection strategy and automatically responds through a response rule module of a distributed firewall and a response rule module of the full-flow firewall according to the read strategy, and automatic scheduling and command issuing are carried out through continuously obtaining a configured full-flow protection strategy in the configured full-flow protection strategy module, so that real-time automatic execution of full-flow network access protection is realized.
8. The apparatus of full-traffic network access protection according to claim 7,
the module for configuring the full-flow protection policy further comprises:
the display submodule is used for displaying the interactive order process of the platform on a user terminal interface;
and the self-service configuration submodule is used for supporting user-defined configuration, and the configuration and operation such as automatic issuing, autonomous query, historical record query and the like are realized by configuring through an interactive order flow of the platform.
9. An electronic device, comprising a memory and a processor, wherein the memory stores a configuration program system capable of running the device according to claim 7 or 8 on the processor, and the configuration program is capable of implementing the protection method according to one of claims 1 to 6 when executed by the processor.
10. A computer-readable storage medium, on which a configuration program of the apparatus of claim 7 or 8 is stored, the configuration program being executable by one or more processors to implement the method of safeguarding according to one of claims 1 to 6.
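An added example, not code from the patent, of the policy-order handling that claims 3, 4, 7 and 8 describe: a tenant's demand order is read, a closed firewall is enabled first, service groups are expanded, each rule is divided into east-west (both endpoints inside the tenant's internal CIDRs, handled by the distributed firewall) or north-south (handled by the full-flow firewall), duplicates from overlapping groups are merged, and every operation is written to an audit log. The class and field names, the order format and the sample CIDRs are assumptions.

```python
"""Added example, not the patent's own code: orchestrator for a tenant's full-flow
policy order (claims 3-4, 7-8): opens a closed firewall, expands service groups,
divides rules into east-west / north-south, drops duplicates, logs everything."""
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    proto: str      # protocol level, e.g. "tcp"
    port: int       # port level
    src: str        # source IP/CIDR or service group name
    dst: str        # target IP/CIDR or service group name
    action: str = "allow"

@dataclass
class Orchestrator:
    internal: list                  # tenant's internal CIDRs (assumed input)
    groups: dict                    # service group name -> member CIDRs
    firewall_enabled: bool = False
    audit_log: list = field(default_factory=list)

    def _is_internal(self, addr):
        net = ipaddress.ip_network(addr, strict=False)
        return any(net.subnet_of(ipaddress.ip_network(c)) for c in self.internal)

    def _log(self, tenant, order_id, op, detail):   # claim 4: every operation is logged
        self.audit_log.append({"tenant": tenant, "order": order_id, "op": op, "detail": detail})

    def respond(self, tenant, order_id, rules):
        """Read one policy order and return the commands issued per direction."""
        if not self.firewall_enabled:            # claim 3: auto-open a closed firewall
            self.firewall_enabled = True
            self._log(tenant, order_id, "enable-firewall", "firewall was closed; opened")
        commands, seen = {"east-west": [], "north-south": []}, set()
        for r in rules:
            for s in self.groups.get(r.src, [r.src]):
                for d in self.groups.get(r.dst, [r.dst]):
                    key = (r.proto, r.port, s, d, r.action)
                    if key in seen:                # fusion: drop duplicate expanded rules
                        continue
                    seen.add(key)
                    ew = self._is_internal(s) and self._is_internal(d)
                    fw = "distributed-firewall" if ew else "full-flow-firewall"
                    cmd = f"{fw} {r.action} {r.proto}/{r.port} {s} -> {d}"
                    commands["east-west" if ew else "north-south"].append(cmd)
                    self._log(tenant, order_id, "issue", cmd)
        return commands
```

Constructed input such as `Orchestrator(["10.0.0.0/16"], {"web": ["10.0.1.0/24"], "db": ["10.0.2.0/24"]})` with a web-to-db rule and an internet-to-web rule yields one distributed-firewall command and one full-flow-firewall command, with three audit entries.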
CN202111142450.0A 2021-09-28 2021-09-28 Method and device for protecting full-flow network access of cloud host Active CN114374526B (en)


Publications (2)

Publication Number Publication Date
CN114374526A (en) 2022-04-19
CN114374526B (en) 2023-03-24

Family

ID=81138798



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant