CN114785549A - Safety protection system and safety protection method - Google Patents
- Publication number: CN114785549A (application number CN202210290110.0A)
- Authority: CN (China)
- Prior art keywords: node, security, policy information, protection system, security policy
- Legal status: Granted
Classifications
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
  - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    - H04L63/1441—Countermeasures against malicious traffic
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
  - H04W12/12—Detection or prevention of fraud
    - H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    - H04W12/122—Counter-measures against attacks; Protection against rogue devices
Abstract
The application provides a security protection system and a security protection method. The security protection method implemented by an access service node comprises the following steps: when the security protection system is in maintenance mode, acquiring security policy information from a maintenance node; updating the access service node's own security policy information according to the acquired security policy information; and when the security protection system is in service mode, providing security service processing to the object corresponding to the security protection system. A centralized security management architecture is thus used in maintenance mode, so that all nodes of the whole system can be managed and maintained efficiently and conveniently, while a distributed protection architecture is used in service mode, so that the system is efficient, concise, flexible and expandable, and the problem that a management platform under a centralized architecture is easily attacked and becomes a single point of failure is avoided.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular, to a security protection system and a security protection method.
Background
With the rapid development of network technologies such as 5G and cloud computing, mobile and remote collaborative work is becoming a new trend in business development, and users therefore need to be able to access business systems securely and efficiently at any time, from any place and on any device. The traditional centralized security service processing model finds it increasingly difficult to meet these requirements, and a flatter security service processing model is urgently needed, so that the system stays simple, efficient and reliable to operate while retaining good capacity for flexible expansion.
At present, security service processing is performed by setting up a headquarters facility, such as a headquarters security center: all service flows are routed to the headquarters security center over a private network, and the security services are then processed centrally there. Because all service processing must pass through the headquarters security center, network efficiency is low and leased-line costs are high; moreover, the probability of a single-point management failure is very high, a higher level of security operation and maintenance assurance is required, and service flexibility and expansibility are poor.
A security service processing method that separates management from service processing has also been proposed: security services are managed remotely and centrally by a security management platform, which pushes the security services down to service access points, where they are processed. In this management model the possibility of a single-point management failure remains high and service flexibility and expansibility are insufficient; in addition, centralized remote management places high demands on network reliability, and it is difficult to keep the security policies of the individual service access points stably consistent.
Therefore, how to provide a security protection system that improves its own robustness and security, avoids single-point management failure, and improves service flexibility and expansibility while still allowing remote management of the security service is a technical problem worth considering.
Disclosure of Invention
In view of this, the present application provides a security protection system and a security protection method, so as to improve the robustness and security of the security protection system, avoid single-point management failure, and improve service flexibility and extensibility while still implementing remote management of the security service.
Specifically, this is achieved through the following technical scheme:
according to a first aspect of the present application, there is provided a security protection system including a plurality of access service nodes and a maintenance node, wherein:
the maintenance node is used to control the working mode of the security protection system, the working mode being either maintenance mode or service mode; when it controls the security protection system to be in maintenance mode, it synchronizes its own security policy information to the access service nodes;
each access service node is used to acquire the security policy information held by the maintenance node from the maintenance node when the maintenance node currently controls the security protection system to be in maintenance mode;
the maintenance node is further configured to set the working mode of the security protection system to service mode after the nodes in the security protection system meet the policy synchronization requirement;
each access service node is further configured to provide security service processing to its corresponding object when the security protection system is in service mode.
According to a second aspect of the present application, there is provided a security protection method applied in an access service node of a security protection system, where the security protection system further includes a maintenance node, the method including:
when the security protection system is in maintenance mode, acquiring security policy information from the maintenance node;
updating the access service node's own security policy information according to the acquired security policy information;
and when the security protection system is in service mode, providing security service processing to the corresponding object.
According to a third aspect of the present application, another security protection method is provided, applied to a maintenance node of a security protection system, where the security protection system further includes multiple access service nodes, the method including:
controlling the working mode of the security protection system, the working mode being either maintenance mode or service mode;
when the security protection system is controlled to be in maintenance mode, synchronizing the maintenance node's own security policy information to the access service nodes;
and when the nodes in the security protection system meet the policy synchronization requirement, setting the working mode of the security protection system to service mode.
According to a fourth aspect of the present application, there is provided an electronic device comprising a processor and a machine-readable storage medium, the machine-readable storage medium storing a computer program executable by the processor, the computer program causing the processor to perform the method provided by the first aspect of the embodiments of the present application.
According to a fifth aspect of the present application, there is provided a machine-readable storage medium storing a computer program which, when invoked and executed by a processor, causes the processor to perform the method provided by the first aspect of the embodiments of the present application.
The beneficial effects of the embodiments of the application are as follows:
in the security protection system provided in this embodiment, switching the working mode of the security protection system allows it to combine a centralized security management mode with a distributed security protection mode. A centralized security management architecture is used in maintenance mode, so that all nodes of the whole system can be managed and maintained efficiently and conveniently; a distributed protection architecture is used in service mode, so that the system is efficient, concise, flexible and expandable, and the problem that a management platform under a centralized architecture is easily attacked and becomes a single point of failure is solved. The problem that a single node is easily attacked and a defense line breached is likewise avoided, so the robustness and security of the whole protection system are effectively improved, and service flexibility and expansibility are increased as a result.
Drawings
FIG. 1 is a schematic structural diagram of a security protection system provided in an embodiment of the present application;
FIG. 2 is a schematic structural diagram of an access service node according to an embodiment of the present application;
FIG. 3 is a schematic flowchart of a security protection method according to an embodiment of the present application;
FIG. 4 is a schematic flowchart of another security protection method provided in an embodiment of the present application;
FIG. 5 is a schematic hardware structure diagram of an electronic device implementing a security protection method according to an embodiment of the present disclosure.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. The following description refers to the accompanying drawings, in which the same numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the corresponding listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if," as used herein, may be interpreted as "at … …" or "when … …" or "in response to a determination," depending on the context.
The security protection system and method provided by the present application are described in detail below.
Referring to FIG. 1, FIG. 1 is a schematic structural diagram of a security protection system provided in the present application. The security protection system includes a plurality of access service nodes (e.g., access service nodes 1 to N in FIG. 1, where N is variable and may be chosen according to the actual situation) and a maintenance node, where:
the maintenance node is configured to control the working mode of the security protection system, the working mode being either maintenance mode or service mode; when it controls the security protection system to be in maintenance mode, it synchronizes its own security policy information to the access service nodes;
each access service node is used to synchronize the security policy information held by the maintenance node from the maintenance node when the maintenance node currently controls the security protection system to be in maintenance mode, and to update its own security policy information according to the acquired security policy information;
the maintenance node is further configured to set the working mode of the security protection system to service mode after the nodes in the security protection system meet the policy synchronization requirement;
each access service node is further used to provide security service processing to its corresponding object when the security protection system is in service mode.
Specifically, after joining the security protection system, the maintenance node is responsible for the two working modes of the security protection system, namely maintenance mode and service mode. In maintenance mode, the security policy of the security protection system is updated and the nodes of the security protection system are maintained; in service mode, which is the normal working mode, the access service nodes of the security protection system carry out all normal security protection functions.
On this basis, the maintenance node may decide whether the security protection system currently needs to be placed in maintenance mode according to how well the security policies of the access service nodes are synchronized. For example, when the security policy synchronization state of the nodes in the security protection system does not reach the set synchronization condition, the maintenance node may place the security protection system in maintenance mode and carry out the security policy synchronization of each node, so that the synchronization state of each node reaches the set condition.
In addition, the maintenance node may also place the security protection system in maintenance mode when it receives a new security policy, so that every node in the security protection system can synchronize to the new security policy.
Specifically, when the security policy of the nodes in the security protection system needs to be updated, the maintenance node places the security protection system in maintenance mode, and once the system has switched to maintenance mode, all access service nodes in the security protection system are in maintenance mode. At this point the maintenance node acts as the security policy management and configuration center of the security protection system and synchronizes its own security policy information to the access service nodes, thereby implementing centralized management of the security policy.
On this basis, the maintenance node monitors the synchronization progress of the security policies in the security protection system, and once it confirms that the nodes in the security protection system meet the policy synchronization requirement, it sets the security protection system to service mode. The access service nodes then enter service mode and can provide security service processing to the outside; in service mode the service nodes form a peer-to-peer distributed system, and a device that requires security service processing has the security services on that device processed by interacting with an access service node. Distributed security service processing is thus achieved, and the problem that a management platform under a centralized architecture is easily attacked and becomes a single point of failure is avoided; the problem that a single node is easily attacked and a defense line breached is likewise avoided, so the robustness and security of the whole protection system are effectively improved.
It should be noted that, when a new security policy is configured on the maintenance node, that policy is the most recent one for all nodes in the security protection system; the maintenance node then synchronizes the security policy information of the new security policy to the access service nodes, so that the access service nodes in the security protection system synchronize to the new security policy information.
Optionally, the maintenance node may also be used to update and import security policy information, and the maintenance node may connect to the security protection system through a secure communication channel. In addition, the maintenance node guarantees the security of the security protection system through authentication and auditing of maintenance personnel.
It should be noted that, in addition to obtaining the latest security policy information from the maintenance node, the access service node is further configured to keep providing security service processing to its corresponding object while the security protection system is in maintenance mode.
Specifically, in maintenance mode the access service node may still provide security service processing to its corresponding object; the difference from service mode is that, in maintenance mode, the maintenance node may manage and control the configuration information of each access service node. Consistency of the security policy information across the access service nodes can therefore be ensured without delaying the services that the access service nodes provide to the outside.
By providing this security protection system, the system is kept simple, efficient and reliable in operation while also having good capacity for flexible expansion. In the security protection system provided in this embodiment, switching the working mode of the security protection system allows it to implement both a centralized security management mode and a distributed security protection mode. In maintenance mode, the maintenance node controls the working mode of every node in the security protection system, so a centralized security management architecture is realized, and because the security policies are synchronized among the nodes in maintenance mode, all nodes of the whole system are managed and maintained efficiently and conveniently; in service mode, each node provides security service processing to the object connected to it, that is, a distributed protection architecture is realized, which is efficient, concise, flexible and extensible and solves the problem that a management platform under a centralized architecture is easily attacked and becomes a single point of failure. The problem that a single node is easily attacked and a defense line breached is likewise avoided, and the robustness and security of the whole protection system are effectively improved.
Optionally, the security protection system provided in this embodiment further includes a demonstration node, as also shown in FIG. 1. The demonstration node is used to authenticate a target node when the target node joins the security protection system and, after authentication passes, to send the target node its corresponding service authority credential; the target node is at least one of the maintenance node and the access service nodes.
In particular, the demonstration node is used to manage and maintain all nodes and to issue service authority credentials to them. Taking the target node as an access service node by way of example: when the access service node joins the security protection system, it initiates a node service application request to the demonstration node; on receiving the request, the demonstration node checks and authenticates the access service node, and after authentication passes it sends the service authority credential corresponding to that access service node. On receiving its service authority credential, the access service node is successfully admitted to the security protection system. The admission procedure of the maintenance node is similar to that of the access service node and is not described in detail here.
It should be noted that the service authority credentials corresponding to different nodes differ, that is, different nodes have different service authorities, and in particular the service authority credentials of different access service nodes differ from one another. It is also worth noting that the demonstration node can transmit the service authority credentials to the maintenance node and the access service nodes over a secure communication channel.
By including the demonstration node in the security protection system, security authentication of the access service nodes and the maintenance node in the security protection system is realized, and the access security of every node in the security protection system is ensured.
In addition, the maintenance node is also used to perform fault repair and operational inspection and maintenance on the access service nodes and the demonstration node in the security protection system.
Optionally, based on any of the above embodiments, in this embodiment each access service node is further configured to obtain, when the security protection system is in service mode, the security policy information of other nodes from those nodes, and to update its own security policy information according to the security policy information obtained from the other nodes.
Optionally, each access service node is specifically configured to determine, from the security policy information obtained from other nodes, the number of copies of the same security policy information it has obtained; if that number is greater than the set number, it updates its own security policy information with that same security policy information; if not, it keeps its own security policy information unchanged.
Specifically, in order to ensure accurate and efficient synchronization of the security policy information of each node in the security protection system, the present embodiment has each access service node update its security policy information using a ping-pong mechanism: only after the new security policy and configuration have been updated and verified is the switch-over performed as a whole, so that normal operation of the system is not affected in maintenance mode. Specifically, when acquiring security policy information from other nodes, the access service node determines the number of nodes from which it has acquired the same security policy information; when that number is greater than the set number, this indicates that a larger number of nodes in the security protection system are using the same security policy, and the access service node's security policy information may be updated to that same security policy information. Otherwise, if the number of nodes using the same security policy in the current security protection system is judged insufficient, the access service node's security policy is temporarily kept unchanged. In this way, whether the security policy information among the nodes is consistent can be checked in real time, further ensuring the consistency of the security policy information of each node in the security protection system.
In addition, while the security protection system is still in maintenance mode, the nodes in the system may continuously check the synchronized security policy information from other nodes in the system and repeat the above process until their security policy information has been updated or the security protection system switches to service mode.
Similarly, when synchronizing security policy information with the other nodes in the security protection system, the maintenance node may synchronize its security policy information with each node (each access service node and the corresponding demonstration node) using a suitable synchronization consensus algorithm. In this way, whether the security policy information among the nodes is consistent can be checked in real time, further ensuring the consistency of the security policy information of each node in the security protection system.
Optionally, each access service node maintains an access member table of the access service nodes admitted to the security protection system, where the access member table contains node information of the nodes admitted to the security protection system. The access service node is specifically configured to obtain security policy information from the corresponding nodes, using a synchronization consensus algorithm, according to the node information in the access member table.
In particular, the access member table may be distributed by the demonstration node that manages the security protection system. Specifically, the demonstration node is used to manage each node admitted to the security protection system; since it authenticates each node when that node joins, the demonstration node can record the node information of the nodes currently admitted to the security protection system (including each access service node, the demonstration node itself and the maintenance node), maintain that node information in the access member table and then distribute it to each node. On this basis, every node in the security protection system holds an access member table. When an access service node acquires security policy information from other nodes, it can use the access member table to establish communication with those nodes and then acquire the security policy information from them using the synchronization consensus algorithm, thereby ensuring the consistency of the security policies on the nodes of the security protection system.
Optionally, the node information may include, but is not limited to, address information, type information, authority credential information, current state and other node attribute information.
Based on any of the above embodiments, in this embodiment, each access service node includes a security management unit, an interface adaptation module, and a plurality of security service units, please refer to fig. 2, where:
the security management unit is configured to obtain security policy information from a corresponding access service node by using a synchronous consensus algorithm according to the node information in the access member table; updating the security policy information of the access service node according to the acquired security policy information;
the security management unit is further configured to send the updated security policy information of the access service node to each security service unit through the interface adaptation module;
each security service unit is used for providing security service processing service according to the received security policy information.
Specifically, each access service node includes a security management unit, an interface adaptation module, and security service units. For each access service node, the security management unit maintains the access member table of that node and executes the security policy information synchronization process: based on the access member table, it acquires the security policy information of the corresponding nodes from the other nodes by using a synchronous consensus algorithm, and then determines, according to the acquired security policy information, whether to update the local security policy information. At the same time, the security management unit synchronizes the local security policy information to the other nodes, so that synchronization with the security policy information of the other nodes is completed and the consistency of the security policies of all nodes in the security protection system is ensured.
In addition, in order to decouple the security management unit from the security service units, this embodiment adds an interface adaptation module between the security management unit and the security service units. After the security management unit performs the update operation on the security policy information, it sends the current local security policy information to the security service units through the interface adaptation module, and each security service unit then provides security service processing according to that security policy information. That is, a device requiring security service processing accesses the security service unit, and the security service unit performs the security processing operation on the device's service according to the security policy.
In addition, the number of security service units in an access service node can be expanded. When a new security service unit is added, the interface adaptation module only needs to provide a communication interface for it, and the new security service unit can then communicate with the security management unit over that interface. The interface adaptation module therefore takes over part of the security management unit's tasks and enables flexible combination and expansion of the security service units in the access service node.
It should be noted that the synchronization of security policy information between the nodes of the security protection system may be carried out over a secure virtual private network, and in addition a bidirectional authentication mechanism based on public and private keys may be adopted between nodes. That is, when an access service node acquires security policy information from another node, a check operation may be performed, which may include, but is not limited to, the other node checking the access service node and/or the access service node checking the other node. Furthermore, when the synchronization consistency check of each node is carried out, a hash value check may be adopted.
By providing any one of the above security protection systems, the working mode of the security protection system is switched through the maintenance node so as to obtain the respective advantages of centralized security management and distributed security protection. A centralized security management architecture is adopted in the maintenance mode, so that all nodes of the whole security protection system can be managed and maintained efficiently and conveniently; a distributed protection architecture is adopted in the normal service mode, so that security services can be provided efficiently and close to the protected objects, online deployment is simple, and the system is flexible and expandable. In addition, as soon as a new access service node is connected to the network it can obtain the synchronized security policy information of the other nodes from the master and slave nodes, and when a working service node is attacked from the outside or suffers an internal error that leads to a security policy configuration error, the correct security policy information can be automatically synchronized from the other service nodes to recover, giving the access service node a certain security self-healing capability.
Based on the same inventive concept, this embodiment provides a security protection method, which is applied to an access service node in a security protection system, where the security protection system further includes a maintenance node. When the access service node implements the method, the method may include the steps shown in fig. 3:
S301, when the security protection system is in a maintenance mode, acquiring the security policy information in the maintenance node.
S302, updating the security policy information of the access service node according to the acquired security policy information.
S303, when the security protection system is in a service mode, providing security service processing to the corresponding object.
It should be noted that, the implementation process of steps S301 to S303 may refer to the implementation process of the access service node in the description of any embodiment of the security management system, and is not described in detail here.
Optionally, based on the foregoing embodiment, the security protection method provided in this embodiment further includes: when the security protection system is in a service mode, acquiring the security policy information of other nodes from those nodes; and updating the security policy information of the access service node according to the acquired security policy information of the other nodes.
Optionally, updating the security policy information of the access service node according to the obtained security policy information of the other nodes includes: determining, from the security policy information obtained from the other nodes, the number of copies of the same security policy information that were obtained; if the number is larger than the set number, updating the security policy information of the access service node with that same security policy information; otherwise, keeping the security policy information of the access service node unchanged.
Specifically, the implementation process of this embodiment may refer to the implementation process of the access service node in the description of the corresponding embodiment of the security management system, and details are not described here.
Optionally, based on any one of the embodiments, the access service node in this embodiment maintains an access member table of the access service nodes accessing the security protection system, where the access member table includes node information of those access service nodes. On this basis, the security policy information in other nodes can be obtained from those nodes as follows: according to the node information in the access member table, acquiring security policy information from the corresponding access service node by using a synchronous consensus algorithm.
Specifically, the implementation process of this embodiment may refer to the implementation process of the access service node in the description of the corresponding embodiment of the security management system, and is not described in detail here.
By implementing the security protection method provided by the application, the maintenance node switches the working mode of the security protection system, so that the system combines centralized security management with distributed security protection. A centralized security management architecture is adopted in the maintenance mode, so that all nodes of the whole system can be managed and maintained efficiently and conveniently; a distributed protection architecture is adopted in the service mode, so that the system is efficient, concise, flexible and expandable, and the problem that a management platform under a centralized architecture is easily attacked and becomes a single point of failure is addressed. The problem that a single node is easily attacked and the line of defense broken through is also avoided, and the robustness and security of the whole protection system are effectively improved.
Based on the same inventive concept, this embodiment provides a security protection method, which is applied to a maintenance node in a security protection system, where the security protection system further includes an access service node. When the maintenance node implements the method, the method may include the steps shown in fig. 4:
S401, controlling the working mode of the security protection system, where the working mode is either a maintenance mode or a service mode.
S402, when the security protection system is controlled to be in the maintenance mode, synchronizing the maintenance node's own security policy information to the access service node.
S403, when the nodes in the security protection system meet the policy synchronization requirement, configuring the working mode of the security protection system to the service mode.
It should be noted that, the implementation process of steps S401 to S403 may refer to the implementation process of the maintenance node in the description of any embodiment of the security management system, and details thereof are not described here.
Based on the foregoing embodiment, in this embodiment, synchronizing the maintenance node's own security policy information to the access service node may be implemented as follows: synchronizing its own security policy information to the access service node by using a synchronous consensus algorithm.
It should be noted that, the implementation process of this embodiment may refer to the implementation process of the maintenance node in the description of any embodiment of the security management system, and details are not described here.
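As an added illustration, not code from the patent, the following Python model puts together the behaviour described above for the security management unit (peer synchronization over the access member table, the hash value consistency check, and the "larger than the set number" update rule) and for the maintenance node (pushing its policy in maintenance mode and switching to service mode only once every node's policy hash matches). The synchronous consensus algorithm is approximated by a hash-count rule; node names, policy contents and the threshold are constructed assumptions.

```python
"""Added example, not from the patent: a toy model of the two working modes.
The "synchronous consensus algorithm" is approximated by a hash-count rule
(an assumption); node names, policies and the threshold are constructed."""
import hashlib
import json
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Mode(Enum):
    MAINTENANCE = "maintenance"
    SERVICE = "service"


def policy_hash(policy: dict) -> str:
    """Hash-value check: canonical JSON so equal policies hash identically."""
    data = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


@dataclass
class AccessServiceNode:
    node_id: str
    policy: dict
    # Access member table: node id -> node (address/type/credential omitted here)
    members: Dict[str, "AccessServiceNode"] = field(default_factory=dict)

    def sync_from_maintenance(self, maintenance_policy: dict) -> None:
        """Maintenance mode: adopt the policy pushed by the maintenance node."""
        self.policy = dict(maintenance_policy)

    def sync_from_peers(self, set_number: int) -> bool:
        """Service mode: group peer policies by hash, count identical copies and
        update only if the largest group exceeds the set number; otherwise keep
        the local policy unchanged. Returns True when the local policy changed."""
        groups: Dict[str, List[dict]] = {}
        for peer in self.members.values():
            if peer.node_id != self.node_id:
                groups.setdefault(policy_hash(peer.policy), []).append(peer.policy)
        if not groups:
            return False
        best_hash, same = max(groups.items(), key=lambda kv: len(kv[1]))
        if len(same) > set_number and best_hash != policy_hash(self.policy):
            self.policy = dict(same[0])
            return True
        return False


@dataclass
class MaintenanceNode:
    policy: dict
    mode: Mode = Mode.MAINTENANCE

    def push_policy(self, nodes: List[AccessServiceNode]) -> None:
        """Maintenance mode: synchronize own policy to every access service node."""
        self.mode = Mode.MAINTENANCE
        for node in nodes:
            node.sync_from_maintenance(self.policy)

    def try_enter_service_mode(self, nodes: List[AccessServiceNode]) -> Mode:
        """Switch to service mode only when every node's policy hash matches."""
        reference = policy_hash(self.policy)
        if all(policy_hash(n.policy) == reference for n in nodes):
            self.mode = Mode.SERVICE
        return self.mode


def demo_self_heal(set_number: int = 2) -> Tuple[Mode, Mode, List[bool], List[bool]]:
    """Constructed scenario: four access nodes; after entering service mode one
    node's policy is corrupted and recovers from its peers, while the healthy
    majority is not swayed by the single deviating copy."""
    baseline = {"version": 7, "rules": [{"port": 22, "action": "deny"}]}
    nodes = [AccessServiceNode(f"node-{i}", policy={}) for i in range(4)]
    table = {n.node_id: n for n in nodes}
    for n in nodes:
        n.members = table
    mn = MaintenanceNode(policy=baseline)
    before = mn.try_enter_service_mode(nodes)   # nodes not yet synced
    mn.push_policy(nodes)
    after = mn.try_enter_service_mode(nodes)    # all hashes match now
    nodes[3].policy = {"version": 7, "rules": []}  # simulated config error
    changed = [n.sync_from_peers(set_number) for n in nodes]
    healthy = [policy_hash(n.policy) == policy_hash(baseline) for n in nodes]
    return before, after, changed, healthy


if __name__ == "__main__":
    print(demo_self_heal())
```

With the set number equal to 2, only the deviating node (which sees three identical peer copies) updates, while the three healthy nodes (which see only two identical copies plus one deviating copy) keep their policy.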
By implementing the security protection method provided by the application, the maintenance node switches the working mode of the security protection system, so that the system combines centralized security management with distributed security protection. A centralized security management architecture is adopted in the maintenance mode, so that all nodes of the whole system can be managed and maintained efficiently and conveniently; a distributed protection architecture is adopted in the service mode, so that the system is efficient, concise, flexible and expandable, and the problem that a management platform under a centralized architecture is easily attacked and becomes a single point of failure is addressed. The problem that a single node is easily attacked and the line of defense broken through is also avoided, and the robustness and security of the whole protection system are effectively improved.
Based on the same inventive concept, the embodiment of the present application provides an electronic device, which may be the above maintenance node, access service node, or authentication node. As shown in fig. 5, the electronic device includes a processor 501 and a machine-readable storage medium 502, where the machine-readable storage medium 502 stores a computer program executable by the processor 501, and the computer program causes the processor 501 to execute the security protection method provided in any embodiment of the present application. In addition, the electronic device further comprises a communication interface 503 and a communication bus 504, where the processor 501, the communication interface 503 and the machine-readable storage medium 502 communicate with each other through the communication bus 504.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this is not intended to represent only one bus or type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The memory may include a Random Access Memory (RAM), a DDR SDRAM (Double Data Rate Synchronous Dynamic Random Access Memory) and a Non-Volatile Memory (NVM), such as at least one disk memory. Alternatively, the memory may be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In addition, the embodiment of the present application provides a machine-readable storage medium, which stores a computer program, and when the computer program is called and executed by a processor, the computer program causes the processor to execute the security protection method provided by the embodiment of the present application.
For the embodiments of the electronic device and the machine-readable storage medium, since the contents of the related methods are substantially similar to those of the foregoing embodiments of the methods, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the embodiments of the methods.
It should be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The specific details of the implementation process of the functions and actions of each unit/module in the above device are the implementation processes of the corresponding steps in the above method, and are not described herein again.
For the device embodiment, since it basically corresponds to the method embodiment, reference may be made to the partial description of the method embodiment for relevant points. The above-described embodiments of the apparatus are merely illustrative, wherein the units/modules described as separate parts may or may not be physically separate, and the parts displayed as units/modules may or may not be physical units/modules, may be located in one place, or may be distributed on a plurality of network units/modules. Some or all of the units/modules can be selected according to actual needs to achieve the purpose of the solution of the present application. One of ordinary skill in the art can understand and implement without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.
Claims (12)
1. A security protection system comprising a maintenance node and a plurality of access service nodes, wherein:
the maintenance node is used for controlling the working mode of the safety protection system, and the working mode is a maintenance mode and a service mode; when the security protection system is controlled to be in a maintenance mode, synchronizing self security policy information to an access service node;
each access service node is used for acquiring the security policy information in the maintenance node from the maintenance node when the maintenance node controls the security protection system to be in a maintenance mode currently; updating the security policy information of the access service node according to the acquired security policy information;
the maintenance node is further configured to configure the working mode of the security protection system to a service mode after the node in the security protection system meets the policy synchronization requirement;
each access service node is further configured to provide a security service processing service to an object corresponding to the access service node when the security protection system is in a service mode.
2. The system of claim 1, further comprising:
the authentication node is used for authenticating a target node when the target node accesses the security protection system, and, after the authentication is passed, issuing a corresponding service authority credential to the target node; the target node is at least one of the maintenance node and the access service node.
3. The system of claim 1, wherein
each access service node is further used for acquiring the security policy information of other nodes from those nodes when the security protection system is in a service mode, and updating the security policy information of the access service node according to the acquired security policy information of the other nodes.
4. The system of claim 3, wherein
the access service node is specifically configured to determine the number of copies of the same security policy information obtained; if the number is larger than the set number, update the security policy information of the access service node with that same security policy information; otherwise, keep the security policy information of the access service node unchanged.
5. The system of claim 3, wherein each access service node maintains an access membership table of access service nodes accessing the security system, the access membership table including node information of nodes accessing the security system;
the access service node is specifically configured to acquire security policy information from a corresponding node by using a synchronization consensus algorithm according to the node information in the access member table.
6. The system of claim 4, wherein each access service node comprises a security management unit, an interface adaptation module, and a plurality of security service units, wherein:
the security management unit is used for acquiring security policy information from a corresponding access service node by using a synchronous consensus algorithm according to the node information in the access member table; updating the security policy information of the access service node according to the acquired security policy information;
the security management unit is also used for sending the updated security policy information of the access service node to each security service unit through the interface adaptation module;
each security service unit is used for providing security service processing service according to the received security policy information.
7. A security protection method is applied to an access service node in a security protection system, the security protection system further comprises a maintenance node, and the method comprises the following steps:
when the safety protection system is in a maintenance mode, acquiring safety strategy information in the maintenance node;
updating the security policy information of the access service node according to the acquired security policy information;
and when the safety protection system is in a service mode, providing safety business processing service for the corresponding object.
8. The method of claim 7, further comprising:
when the safety protection system is in a service mode, acquiring the safety strategy information of other nodes from other nodes;
and updating the security policy information of the access service node according to the acquired security policy information of other nodes.
9. The method of claim 8, wherein updating the security policy information of the access service node according to the obtained security policy information of the other node comprises:
determining the quantity of the obtained same security policy information according to the security policy information obtained from other nodes;
if the number is larger than the set number, updating the security policy information of the access service node by using the same security policy information;
if not, keeping the security policy information of the access service node unchanged.
10. The method of claim 8, wherein the access service node maintains an access membership table of access service nodes accessing the security system, and wherein the access membership table comprises node information of the access service nodes accessing the security system;
acquiring security policy information of other nodes from the other nodes, including:
and according to the node information in the access member table, acquiring security policy information from a corresponding access service node by using a synchronous consensus algorithm.
11. A security protection method is applied to a maintenance node in a security protection system, the security protection system further comprises a plurality of access service nodes, and the method comprises the following steps:
controlling the working mode of the safety protection system, wherein the working mode is a maintenance mode and a service mode;
when the security protection system is controlled to be in a maintenance mode, synchronizing self security policy information to an access service node;
and when the nodes in the safety protection system meet the requirement of strategy synchronization, configuring the working mode of the safety protection system into a service mode.
12. The method of claim 11, wherein synchronizing the maintenance node's own security policy information to the access service node comprises:
synchronizing its own security policy information to the access service node by using a synchronous consensus algorithm.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210290110.0A CN114785549B (en) | 2022-03-23 | 2022-03-23 | Safety protection system and safety protection method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210290110.0A CN114785549B (en) | 2022-03-23 | 2022-03-23 | Safety protection system and safety protection method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114785549A true CN114785549A (en) | 2022-07-22 |
CN114785549B CN114785549B (en) | 2024-03-12 |
Family
ID=82424332
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210290110.0A Active CN114785549B (en) | 2022-03-23 | 2022-03-23 | Safety protection system and safety protection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114785549B (en) |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080109620A1 (en) * | 2006-11-08 | 2008-05-08 | Hitachi, Ltd | Storage system and controller for controlling remote copying |
CN101521604A (en) * | 2009-04-03 | 2009-09-02 | 南京邮电大学 | Strategy-based distributed performance monitoring method |
WO2015123974A1 (en) * | 2014-02-24 | 2015-08-27 | 华为技术有限公司 | Data distribution policy adjustment method, device and system |
CN105978882A (en) * | 2016-05-17 | 2016-09-28 | 浪潮电子信息产业股份有限公司 | Host security policy issuing method controlled by using presence and security switch on centralized management platform |
CN106302484A (en) * | 2016-08-22 | 2017-01-04 | 浪潮电子信息产业股份有限公司 | Method for centralized management of strategies |
CN108040055A (en) * | 2017-12-14 | 2018-05-15 | 广东天网安全信息科技有限公司 | A kind of fire wall combined strategy and safety of cloud service protection |
CN109150866A (en) * | 2018-08-09 | 2019-01-04 | 郑州云海信息技术有限公司 | A kind of policy distribution feedback and check system and method |
CN109327434A (en) * | 2018-09-04 | 2019-02-12 | 郑州云海信息技术有限公司 | A kind of system and method for mixed management security strategy |
CN112270012A (en) * | 2020-11-19 | 2021-01-26 | 北京炼石网络技术有限公司 | Device, method and system for distributed data security protection |
CN112507329A (en) * | 2020-12-11 | 2021-03-16 | 海信电子科技(武汉)有限公司 | Safety protection method and device |
2022-03-23: CN202210290110.0A (CN114785549B) filed in CN, status Active
Non-Patent Citations (2)
Title |
---|
Morris Sloman: "Policy driven management for distributed systems", Journal of Network and Systems Management * |
陈世强 (Chen Shiqiang): "An improvement of the security policy system SPS", Journal of Hubei Minzu University (Natural Science Edition), no. 02 * |
Also Published As
Publication number | Publication date |
---|---|
CN114785549B (en) | 2024-03-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110430087B (en) | Block chain hot upgrade architecture design and implementation | |
CN107295080B (en) | Data storage method applied to distributed server cluster and server | |
US8347378B2 (en) | Authentication for computer system management | |
CN102137149B (en) | Method for realizing Distributed mesh network | |
US9594922B1 (en) | Non-persistent shared authentication tokens in a cluster of nodes | |
CN111737104B (en) | Block chain network service platform, test case sharing method thereof and storage medium | |
EP3647955A1 (en) | Consensus-forming method in network, and node for configuring network | |
CN105718785A (en) | Authentication-Free Configuration For Service Controllers | |
CN105704249A (en) | Composite cloud desktop system | |
US9992058B2 (en) | Redundant storage solution | |
WO2012145963A1 (en) | Data management system and method | |
EP2360614B1 (en) | Information processing device and hardware setting method for said information processing device | |
CN104380301A (en) | Managing distributed operating system physical resources | |
CN111597536B (en) | Hadoop cluster kerberos high availability authentication method | |
US8930532B2 (en) | Session management in a thin client system for effective use of the client environment | |
CN109891849A (en) | Highly usable and reliable secret distribution infrastructure | |
CN115604120A (en) | Multi-cloud cluster resource sharing method, device, equipment and storage medium | |
CN104516744A (en) | Software updating method and system | |
CN111064643B (en) | Node server and data interaction method and related device thereof | |
CN114785549B (en) | Safety protection system and safety protection method | |
CN111611550A (en) | Computer system, computer device and authorization management method | |
EP3884648B1 (en) | Geo-replicated iot hub | |
TW201408885A (en) | System and method for controlling sharing of fans | |
US10303568B2 (en) | Systems and methods for high availability of management controllers | |
CN108038782B (en) | Security system for securities trading and security verification method for securities trading |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |