CN115426324A - Method and device for accessing entity equipment to network target range - Google Patents

Info

Publication number
CN115426324A
Authority
CN
China
Prior art keywords
entity
network
equipment
data forwarding
entity equipment
Prior art date
Legal status
Pending
Application number
CN202211031972.8A
Other languages
Chinese (zh)
Inventor
徐雷
何茂根
张从江
龙春竹
孙翔
Current Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00 Packet switching elements
    • H04L49/25 Routing or path finding in a switch fabric
    • H04L49/252 Store and forward routing
    • H04L47/00 Traffic control in data switching networks
    • H04L47/70 Admission control; Resource allocation
    • H04L47/76 Admission control; Resource allocation using dynamic resource allocation, e.g. in-call renegotiation requested by the user or requested by the network in response to changing network conditions
    • H04L47/765 Admission control; Resource allocation using dynamic resource allocation, e.g. in-call renegotiation requested by the user or requested by the network in response to changing network conditions triggered by the end-points
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/10 Architectures or entities
    • H04L65/102 Gateways

Abstract

The application discloses a method and a device for accessing a physical device to a network target range, which are used for improving the efficiency and the success rate of accessing the physical device to the network target range. The method comprises the following steps: when detecting that the entity equipment is connected with gateway equipment of a network target range, acquiring an access address of the entity equipment; generating a data forwarding rule aiming at the entity equipment according to the access address, the address of each virtual machine contained in the network target range and a pre-configured data forwarding algorithm; the data forwarding rule is used for representing a transmission mode of data related to the entity equipment; and sending the data forwarding rule to the gateway equipment.

Description

Method and device for accessing entity equipment to network target range
Technical Field
The present application relates to the field of network security, and in particular, to a method and an apparatus for accessing a physical device to a network target range.
Background
A network target range simulates a real cyberspace attack and defense combat environment by combining a virtual environment with real entity devices, and can be used for cultivating network security talent, network attack and defense training, security product evaluation, verification of new network technology and the like. The fidelity of the simulation scenario is an important index for measuring whether a network target range is effective, so the simulated construction of the target network in the network target range receives more and more attention.
However, the simulation scenario often includes many physical devices that cannot be virtualized; for example, for an operating system with high confidentiality, its running code cannot be obtained for simulation. For such entity devices, the related art proposes that when the entity device is connected to the network target range, its network information (such as IP address and port information) is manually configured into a physical switch of the network target range, and character-string commands are manually entered to configure the traffic forwarding rule between the entity device and the network target range. This manual configuration places high demands on the professional skill of the staff, wastes manual resources, and has a high error rate.
Disclosure of Invention
The application provides a method and a device for accessing entity equipment to a network target range, which are used for solving the problems of high error rate and the like existing in the conventional method for configuring a flow forwarding rule between the entity equipment and the network target range manually and are used for improving the efficiency and the success rate of accessing the entity equipment to the network target range.
In a first aspect, the present application provides a method for accessing a network range by an entity device, including:
when detecting that entity equipment is connected with gateway equipment of a network target range, acquiring an access address of the entity equipment;
generating a data forwarding rule for the entity device according to the access address, the address of each virtual machine contained in the network target range and a pre-configured data forwarding algorithm, where the data forwarding rule represents the transmission mode of data related to the entity device;
and sending the data forwarding rule to the gateway equipment.
In some embodiments, the obtaining the access address of the entity device includes:
acquiring the access address of the entity device from a database according to the category of the network target range, where the database comprises pre-stored access addresses of a plurality of devices and the categories to which the devices respectively belong; or,
acquiring the address of the entity device in response to a user's operation of inputting the access address of the entity device.
In some embodiments, the generating a data forwarding rule for the entity device according to an access address, an address of each virtual machine included in the network target range, and a preconfigured data forwarding algorithm includes:
for any one of the virtual machines, calculating a path for data transmission between the entity device and that virtual machine according to the data forwarding algorithm;
and generating a data forwarding rule between the entity device and that virtual machine according to the address of that virtual machine, the access address of the entity device and the path.
In some embodiments, after sending the data forwarding rule to the gateway device, the method further comprises:
monitoring the port of the entity device at set periodic intervals, and determining whether data transmission exists between the entity device and the network target range.
In a second aspect, the present application provides an apparatus for a physical device to access a network range, the apparatus comprising:
a processing unit configured to perform:
when detecting that entity equipment is connected with gateway equipment of a network target range, acquiring an access address of the entity equipment;
generating a data forwarding rule for the entity device according to the access address, the address of each virtual machine contained in the network target range and a pre-configured data forwarding algorithm, where the data forwarding rule represents the transmission mode of data related to the entity device;
and the communication unit is used for sending the data forwarding rule to the gateway equipment.
In some embodiments, the processing unit is specifically configured to:
acquiring the access address of the entity device from a database according to the category of the network target range, where the database comprises pre-stored access addresses of a plurality of devices and the categories to which the devices respectively belong; or,
acquiring the address of the entity device in response to a user's operation of inputting the access address of the entity device.
In some embodiments, the processing unit is specifically configured to:
for any one of the virtual machines, calculating a data transmission path between the entity device and that virtual machine according to the data forwarding algorithm;
and generating a data forwarding rule between the entity device and that virtual machine according to the address of that virtual machine, the access address of the entity device and the path.
In some embodiments, the processing unit is further configured to:
monitoring the port of the entity device at set periodic intervals, and determining whether data transmission exists between the entity device and the network target range.
In a third aspect, an electronic device is provided that includes a controller and a memory. The memory is used for storing computer-executable instructions, and the controller executes the computer-executable instructions in the memory to perform the operational steps of any one of the possible implementations of the method according to the first aspect by using hardware resources in the controller.
In a fourth aspect, a computer-readable storage medium is provided having stored therein instructions which, when executed on a computer, cause the computer to perform the method of the above aspects.
According to the method and the device, the related data forwarding rules of the entity devices connected with the network target range are not configured manually any more, but when the entity devices are connected with the network target range, the data forwarding rules related to the entity devices are automatically generated according to a pre-configured algorithm and are automatically configured into the gateway device, so that the entity devices are accessed into the network target range, and the problems that manual configuration is easy to make mistakes and the efficiency is low are solved. In addition, the application also provides that the information of the entity equipment is stored in a database of the network target range, and the unified management of the entity equipment is realized.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a diagram of a network system architecture according to an embodiment of the present application;
fig. 2 is a flowchart of a method for accessing a network target by a physical device according to an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of a display interface provided in an embodiment of the present application;
fig. 4 is a flowchart of another method for accessing a network range by a physical device according to an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of an apparatus for implementing a physical device to access a network target range according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention.
It should be noted that the terms "first," "second," and the like in this application are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the disclosure described herein are capable of operation in sequences other than those illustrated or otherwise described herein. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
In recent years, the network security situation at home and abroad has become increasingly severe and network security incidents occur frequently, so increasing investment in information security assurance is imperative; besides investment in hardware and software equipment, professional network security talent must be trained. Since training and practice of attack and defense techniques, and experiments on new network security technologies, can cause irreversible damage when carried out in a real internet environment, constructing a network target range to train talent, verify equipment security and verify network security technology is now widely applied.
A network target range simulates a real cyberspace attack and defense combat environment by combining a virtual environment with real entity devices. Carrying out network security activities in a network target range avoids occupying and consuming real network resources, and the resources can be reused. The damage caused by each security experiment performed in the network target range is controllable and detectable, and the collected test data can be analyzed and studied after the experiment ends. A network target range can improve the skills of network security talent without affecting the real environment, and can also uncover the vulnerabilities and problems of security products, thereby improving their performance.
Constructing a network target range comprises building a network topology and operating the target network. Building the network topology means designing each virtual device and each entity device contained in the network target range, including routing devices, gateway devices, stand-alone devices and the like; all the devices are then configured and connected according to the topology graph, generating the network environment required by the experiment. Operating the target network provides an environment for operations such as data transmission between the devices. For example, in a real network environment there are always network activities such as chatting, gaming or browsing videos, and these activities generate data transmission; operating the target network in the network target range simulates such traffic-generating activities to construct a virtual network operating environment. To improve the realism of network target range simulation, the application provides a method for accessing entity devices to a network target range.
In order to facilitate understanding of the scheme for accessing the entity device to the network range, the technical terms related to the present application are first introduced:
(1) Cyberspace: an abstract concept in the fields of philosophy and computing that refers to the virtual reality within computers and computer networks.
(2) Software Defined Network (SDN): a network design concept in which network switching devices are managed centrally, the control plane is separated from the forwarding plane, and the network becomes programmable.
(3) Open vSwitch (OVS), the open-source virtual switch: a high-quality virtual switch supporting multi-layer data forwarding; compared with a traditional switch it has better programmability and extensibility, while still providing the network isolation and data forwarding functions of a traditional switch.
(4) Network Address Translation (NAT): NAT methods can be used for address translation when some hosts inside a private network have been assigned a local IP address (i.e., a private address used only within the private network) but want to communicate with hosts on the internet.
(5) Open Virtual Network (OVN): a software system that supports virtual network abstraction. OVN extends the existing OVS functions to some extent, for example with basic virtual L2/L3 network switching, higher-level network address translation (NAT) and network access control.
(6) OpenFlow: a network communication protocol that belongs to the data link layer and can control the forwarding plane of a switch or router on the network, thereby changing the network path taken by a packet.
(7) FlowTable: in a conventional network device, the forwarding of data by switches and routers relies on the layer-2 Media Access Control (MAC) address forwarding table or the layer-3 IP routing table stored in the device; an OpenFlow switch instead uses a FlowTable (flow table) to decide how data is transmitted.
Next, a network system architecture diagram according to the present application will be described. Referring to fig. 1, a system architecture diagram according to an embodiment of the present application is provided. It should be understood that the embodiments of the present application are not limited to the system shown in fig. 1, and the apparatus in fig. 1 may be hardware, software divided from functions, or a combination of the two. As shown in fig. 1, a system architecture provided in the embodiment of the present application includes a network target and entity devices accessing the network target, and further includes a gateway device, a virtual gateway routing device, a virtual switch, and a plurality of virtual machines included in the network target.
Alternatively, the entity device accessing the network range shown in fig. 1 may be one or more hardware devices, such as a PC or a server. The gateway device included in the network target range shown in fig. 1 may be a physical network card, a physical switch, or a switch deployed in the physical network card, and the virtual gateway routing device, the virtual routing device, and the virtual switch may be OVS devices.
It should be noted that fig. 1 is only an example, and the present application is not limited to the number of physical devices accessing the network target, nor to the number of individual devices (including various types of network devices or virtual machines) included in the network target.
In the related art, when the entity device accesses the network target, a worker typically manually configures information (such as an IP address or a MAC address of the entity device) of the entity device and a rule for forwarding data between the entity device and the network target to a switch of the network target. The manual configuration mode is not only low in efficiency, but also high in error rate.
In order to solve the above problem, embodiments of the present application provide a method and an apparatus for accessing an entity device to a network target, where when it is determined that an entity device is connected to a switching device of the network target, an access address of the entity device is obtained, and according to the access address of the entity device, addresses of virtual machines included in the network target, and a pre-configured data forwarding algorithm, a data forwarding rule related to the entity device is automatically generated. And instructing the gateway equipment of the network target range to realize the data transmission of the entity equipment and the network target range according to the automatically generated data forwarding rule. The method for accessing the entity equipment to the network target range does not need manual data configuration, and the success rate and the efficiency of accessing the entity equipment to the network target range are improved.
The following describes a method and an apparatus for accessing a network target range by a physical device according to the present application. In the following embodiments of the present application, "and/or" describes an association relationship of associated objects, which means that three relationships may exist, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone, wherein A and B can be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "at least one of the following" or similar expressions refer to any combination of these items, including any combination of the singular or plural items. For example, at least one (one) of a, b, or c, may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or multiple. The singular forms "a", "an", "the" and "the" are intended to include the plural forms as well, such as "one or more", unless the context clearly indicates otherwise. And, unless stated to the contrary, the embodiments of the present application refer to the ordinal numbers "first", "second", etc., for distinguishing between a plurality of objects, and do not limit the sequence, timing, priority or importance of the plurality of objects. For example, the first task execution device and the second task execution device are only for distinguishing different task execution devices, and do not indicate a difference in priority, degree of importance, or the like between the two task execution devices.
Reference throughout this specification to "one embodiment" or "some embodiments," or the like, means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the present application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," or the like, in various places throughout this specification are not necessarily all referring to the same embodiment, but rather mean "one or more but not all embodiments" unless specifically stated otherwise. The terms "comprising," "including," "having," and variations thereof mean "including, but not limited to," unless expressly specified otherwise.
Based on the system architecture shown in fig. 1, the present application provides a method for accessing a network target by an entity device, and refers to fig. 2, which is a flowchart of a method for accessing a network target by an entity device according to an embodiment of the present application. Alternatively, the method flow shown in fig. 2 may be executed by a device, a processor, or any processing device with computing resources included in the network target site, for example, a virtual SDN controller based on the OVN network system, and the application is not limited to the execution subject of the method for accessing the network target site by the entity device. The method flow shown in fig. 2 specifically includes:
201, when detecting that the entity device is connected to the gateway device of the network target range, acquiring the access address of the entity device.
Optionally, the connection between the entity device and the gateway device may be through a network cable, or may be through an address configuration. Alternatively, the access address of the entity device may include an IP address, a MAC address of the entity device, or port information of a gateway device accessed by the entity device.
And 202, generating a data forwarding rule aiming at the entity equipment according to the access address of the entity equipment, the address of each virtual machine contained in the network target range and a pre-configured data forwarding algorithm.
The data forwarding rule is used for representing a transmission mode of data related to the entity equipment. For example, the forwarding rule of data targeting the entity device may include a transmission path of the data, addresses of respective nodes in the transmission path, and the like.
And 203, sending the data forwarding rule to the gateway device.
The gateway device is a gateway device to which the entity device is connected. And configuring the data forwarding rule to the gateway device for the gateway device to transmit data according to the data forwarding rule when the gateway device transmits data related to the entity device in the subsequent process.
Optionally, the data forwarding rule may also be sent to a relevant routing device in the network target range, so that when the relevant routing device subsequently transmits data related to the entity device, the data transmission may be performed according to the data forwarding rule. The relevant routing device refers to a routing device included in a data transmission path indicated by the data forwarding rule.
Based on the scheme, the method and the device have the advantages that the related data forwarding rules of the entity devices connected with the network target range are not configured manually any more, but the related data forwarding rules of the entity devices are automatically generated according to a pre-configured algorithm when the entity devices are connected with the network target range and are automatically configured into the gateway device, so that the entity devices are accessed into the network target range, and the problems that manual configuration is prone to errors and low in efficiency are solved.
In some embodiments, the obtained access address of the entity device may be input by the user when the entity device connects to the gateway device. Optionally, when the entity device is connected to the gateway device of the network target range for the first time, the access address of the entity device may be acquired in response to an operation of inputting the access address of the entity device by a user.
As an optional manner, the embodiment of the present application provides that when the entity device is connected to the gateway device for the first time, the user may be instructed to input the network information of the entity device, for example, the input network information may include information such as a name, a model, a category of the entity device, an IP address, an MAC address, interface information, a description, and a sharing state of the entity device. As an example, the user may be instructed to input the network information related to the entity device by displaying a display interface as shown in fig. 3 in the display screen.
In some possible implementation manners, after the network information related to the entity device input by the user is obtained, the network information of the entity device and the category of the entity device may also be stored in a database of the network range in an associated manner. Referring to fig. 3, several categories to which the entity device belongs are exemplarily shown, it should be noted that fig. 3 is only an example, and the application does not limit the categories to which the entity device belongs and the number of the categories.
In other embodiments, when the access address of the entity device is obtained, the access address of the entity device may also be obtained from the database according to the category of the network range. Wherein the class of network range is used to characterize the role of the target network deployed in the network range. For example, if the target network is used to authenticate the security device, the access address of the entity device classified as the security device may be obtained from the database. Optionally, reference may be made to the foregoing embodiment regarding a database, where the database may include various network information of the entity device, and when the method for automatically accessing the network range by the entity device provided by the present application is implemented, the access address of the entity device may be obtained from the various network information.
In a possible implementation manner, after the access address of the entity device is obtained, a data forwarding rule for the entity device may be generated according to the access address, the addresses of the virtual machines included in the network target range, and a pre-configured data forwarding algorithm.
Optionally, when generating the data forwarding rule, for any one of the virtual machines in the network target range, the address of that virtual machine may be obtained and a data transmission path between that virtual machine and the entity device calculated according to the data forwarding algorithm; for example, the data transmission path may be the shortest path for data transmission. For example, the preconfigured data forwarding algorithm may calculate the shortest path for data transmission between the entity device and any one of the virtual machines based on the network configuration information of the network target range, the IP address of the entity device, the MAC address of the entity device, the Virtual Local Area Network (VLAN) ID, the port information of the gateway device accessed by the entity device, the configuration information of the virtual gateway routing device in the network target range, and the configuration information of the virtual switch included in the network target range.
Further, a data forwarding rule between the entity device and any one of the virtual machines, such as generating a FlowTable associated with the entity device, may be generated according to the calculated path, the address of any one of the virtual machines, and the address of the entity device. For example, the generated FlowTable may include information of an input port, a source MAC address, a destination MAC address, a VLAN ID, a source IP address, a destination IP address, a source port, a destination port, and a transmission action during data transmission.
Optionally, after the data forwarding rule related to the entity device is generated, it may be stored in the database and also sent to the gateway device and the related routing devices, so that these devices forward data related to the entity device accordingly. Continuing with the FlowTable example, the FlowTable may be issued to the gateway device through the Application Programming Interface (API) under the REST architecture provided by the gateway device. Optionally, the FlowTable may also be sent to the virtual gateway routing device of the network target range and the related virtual routing devices. The physical network card of the host in the network target range on which the gateway device is deployed may be bound to a bridge of the virtual gateway routing device to connect the gateway device and the virtual gateway routing device; for example, the bridges may be connected through a patch port of the virtual gateway routing device. Once the gateway device, the virtual routing devices in the network target range, and the virtual gateway routing device have obtained the FlowTable, subsequent transmission of data related to the entity device can proceed. As an example, the virtual routing device, the gateway device, and the virtual switch in the present application may all be network devices in the form of Open vSwitch (OVS).
As an optional implementation, after the generated data forwarding rule related to the entity device has been configured on the gateway device and the routing devices, the connectivity between the entity device and the network target range may further be monitored to ensure the availability of the entity device. As one option, the port of the entity device may be monitored at set intervals to determine whether data is being transmitted between the entity device and the network target range. Alternatively, the port of the gateway device connected to the entity device may be monitored to determine the online status of the entity device. Optionally, if no data transmission is observed for a set number of periods, the entity device may be determined to be offline, and an alarm message may be sent to the operator's device indicating that the entity device is currently unavailable.
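The offline detection just described, as an added example that is not part of the patent or of any NSFOCUS implementation: one cumulative packet counter per polling interval is read from the gateway port facing the entity device, a run of unchanged readings longer than the configured number of periods marks the device offline, and a later change marks it online again. The counter samples are constructed, and the alarm sink is a plain list standing in for the operator notification the text mentions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class EntityMonitor:
    """Tracks one entity device from periodic readings of the packet counter on
    the gateway port that faces it (the 'port of the gateway device connected
    to the entity device' in the text)."""
    max_idle_periods: int                 # the text's "set number of periods"
    idle_periods: int = 0
    last_counter: Optional[int] = None
    online: bool = True
    alarms: List[str] = field(default_factory=list)

    def observe(self, device_id: str, packets: int) -> bool:
        """Feed one counter sample per polling interval; returns the online state.

        Any change of the cumulative counter counts as activity. A decrease
        (counter wrap or a gateway restart) is also treated as a change, so a
        restart does not hide a device that is in fact still sending traffic.
        """
        if self.last_counter is not None:
            if packets != self.last_counter:
                self.idle_periods = 0
                if not self.online:
                    self.online = True
                    self.alarms.append(f"{device_id}: traffic resumed, device online")
            else:
                self.idle_periods += 1
                if self.online and self.idle_periods >= self.max_idle_periods:
                    self.online = False
                    self.alarms.append(
                        f"{device_id}: no traffic for {self.idle_periods} periods, "
                        "device unavailable")
        self.last_counter = packets
        return self.online


def run_samples(samples, max_idle_periods=3, device_id="entity-1"):
    """Replay constructed counter samples; returns (state per period, alarms)."""
    mon = EntityMonitor(max_idle_periods=max_idle_periods)
    states = [mon.observe(device_id, s) for s in samples]
    return states, mon.alarms


if __name__ == "__main__":
    # Constructed readings: traffic, four quiet polls, then traffic again.
    states, alarms = run_samples([100, 150, 150, 150, 150, 200])
    print(states)
    for alarm in alarms:
        print(alarm)
```

Absence of traffic is not the same as being offline: a device that is legitimately idle during an exercise will trip this alarm, so in practice the passive check is paired with an active probe (an ARP or ICMP request to the entity device on its VLAN) before the device is declared unavailable.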
To further explain the solution of the present application, the method for accessing the network target range by the entity device is described below with reference to the processing modules of the network target range. Illustratively, the processing resources of the network target range may be divided, by function, into an entity device management module, a network target range rule generation module, and a network target range rule issuing module.
Optionally, the entity device management module may be configured to instruct the user to input network information related to the entity device when the entity device is connected to the network range, and store the network information of the entity device input by the user and the category to which the entity device belongs in an associated manner.
Optionally, the network target range rule generation module is configured to obtain the address information of each device in the network target range (including each virtual machine and each type of network device) and the access address of the entity device. It is also configured to calculate, based on the pre-configured data forwarding algorithm, the paths over which the entity device transmits data with each virtual machine, according to the addresses of the virtual machines and the address of the entity device, and to generate the data forwarding rule related to the entity device according to the calculated paths, the addresses of the virtual machines, and the address of the entity device.
Optionally, the network range rule issuing module is configured to send the data forwarding rule generated by the network range rule generating module to the gateway device, so that the gateway device performs subsequent data transmission according to the data forwarding rule. The network target range rule issuing module is also used for determining the routing equipment related to the data transmission path indicated by the data forwarding rule and issuing the data forwarding rule to the determined routing equipment.
The scheme proposed in the present application is described below with reference to the respective modules. Referring to fig. 4, a flowchart of a method for an entity device to access a network target range according to an embodiment of the present application includes:
401, the entity device management module, upon determining that the entity device is connected to the gateway device of the network target range, instructs the user to input the network information related to the entity device.
Optionally, contents included in the network information related to the entity device may refer to descriptions in the foregoing embodiments, and are not described herein again.
402, the network target rule generating module obtains an access address of the entity device and addresses of virtual machines in the network target.
403, the network target range rule generating module calculates a path for data transmission between the entity device and each virtual machine included in the network target range based on a pre-configured data forwarding algorithm.
404, the network target range rule generation module generates the data forwarding rule according to the calculated paths, the address of the entity device, and the address of each virtual machine in the network target range.
405, the network target range rule issuing module sends the data forwarding rule to the gateway device and the relevant routing devices in the network target range.
The above describes how the entity device accesses the network target range; the data transmission process after the entity device has accessed the network target range is described below with reference to the scenario shown in fig. 1.
In one possible case, the source of the data to be transmitted is virtual machine A of the network target range and the destination is the entity device. The data is transmitted as follows: virtual machine A sends the data to virtual switch A; virtual switch A sends it to the virtual routing device; the virtual routing device forwards it to the virtual gateway routing device according to the data forwarding rule configured on the virtual routing device; the virtual gateway routing device forwards it to the gateway device according to the data forwarding rule configured on the virtual gateway routing device; and the gateway device forwards it to the entity device according to the data forwarding rule configured on the gateway device.
In the other possible case, the source of the data to be transmitted is the entity device and the destination is virtual machine A. The data is transmitted as follows: the entity device sends the data to the gateway device; the gateway device forwards it to the virtual gateway routing device according to the data forwarding rule configured on the gateway device; the virtual gateway routing device forwards it to the virtual routing device according to the data forwarding rule configured on the virtual gateway routing device; the virtual routing device forwards it to virtual switch A according to the data forwarding rule configured on the virtual routing device; and virtual switch A delivers it to virtual machine A.
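As an added example, not part of the patent or of any NSFOCUS implementation, the following Python pulls together the rule-generation procedure described earlier (validation of the operator-entered network information from step 401, path calculation from step 403, per-hop FlowTable generation from step 404) and then replays a packet through the generated entries in both of the transmission cases just described. The topology, port numbers, MAC and IP addresses, VLAN ID and the ovs-ofctl add-flow rule syntax are assumptions; the patent's pre-configured data forwarding algorithm is stood in for by a breadth-first shortest path, and its database and REST issuing step (405) are left out.

```python
import ipaddress
import re
from collections import deque

# Constructed topology: node -> {neighbour: local port number facing it}.
# gw = gateway device, vgw = virtual gateway routing device, vr1 = virtual
# routing device, vsA/vsB = virtual switches. Names and ports are assumptions.
TOPOLOGY = {
    "entity": {"gw": 0},
    "gw":     {"entity": 1, "vgw": 2},
    "vgw":    {"gw": 1, "vr1": 2},
    "vr1":    {"vgw": 1, "vsA": 2, "vsB": 3},
    "vsA":    {"vr1": 1, "vmA": 2},
    "vsB":    {"vr1": 1, "vmB": 2},
    "vmA":    {"vsA": 0},
    "vmB":    {"vsB": 0},
}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def validate_entity_info(ip, mac, vlan):
    """Check operator-entered network information (step 401) before it is used
    to build rules; returns a normalised (ip, mac, vlan) or raises ValueError."""
    ipaddress.ip_address(ip)          # ValueError on anything that is not an IP
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN id out of range: {vlan}")
    return ip, mac, vlan


def shortest_path(topo, src, dst):
    """Breadth-first shortest hop path, standing in for the patent's
    pre-configured data forwarding algorithm (step 403)."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nbr in topo[node]:
            if nbr not in prev:
                prev[nbr] = node
                queue.append(nbr)
    if dst not in prev:
        raise LookupError(f"no path from {src} to {dst}")
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def flow_entries(topo, path, src_mac, dst_mac, src_ip, dst_ip, vlan, priority=100):
    """One FlowTable entry per forwarding node on the path (step 404), written
    in ovs-ofctl add-flow syntax. Matching in_port, both MACs, the VLAN and both
    IPs means the entry carries only this device's traffic to this VM and
    nothing else that happens to cross the same port."""
    entries = {}
    for i in range(1, len(path) - 1):
        node, prev_node, next_node = path[i], path[i - 1], path[i + 1]
        entries[node] = (
            f"priority={priority},in_port={topo[node][prev_node]},dl_vlan={vlan},"
            f"dl_src={src_mac},dl_dst={dst_mac},ip,nw_src={src_ip},nw_dst={dst_ip},"
            f"actions=output:{topo[node][next_node]}"
        )
    return entries


def rules_for_entity(topo, entity, entity_mac, entity_ip, vlan, vms):
    """Entries for both directions of every VM, keyed by (direction, vm name)."""
    rules = {}
    for vm, (vm_mac, vm_ip) in vms.items():
        fwd = shortest_path(topo, entity, vm)
        rules[("to_vm", vm)] = flow_entries(topo, fwd, entity_mac, vm_mac, entity_ip, vm_ip, vlan)
        rules[("from_vm", vm)] = flow_entries(topo, fwd[::-1], vm_mac, entity_mac, vm_ip, entity_ip, vlan)
    return rules


def walk(topo, entries, src):
    """Replay a packet from the endpoint src through the installed entries and
    return the nodes it visits, checking at every hop that the entry's in_port
    matches the port the packet actually arrived on."""
    by_port = {n: {p: nb for nb, p in nbrs.items()} for n, nbrs in topo.items()}
    node = next(iter(topo[src]))          # an endpoint has a single link
    arrived_on, visited = topo[node][src], [src]
    while node in entries:
        rule = entries[node]
        in_port = int(re.search(r"in_port=(\d+)", rule).group(1))
        if in_port != arrived_on:
            raise RuntimeError(f"{node}: rule expects in_port {in_port}, packet arrived on {arrived_on}")
        out_port = int(re.search(r"output:(\d+)", rule).group(1))
        visited.append(node)
        nxt = by_port[node][out_port]
        arrived_on, node = topo[nxt][node], nxt
    visited.append(node)
    return visited


if __name__ == "__main__":
    ip, mac, vlan = validate_entity_info("10.0.0.5", "AA:BB:CC:00:00:01", 10)
    vms = {"vmA": ("aa:bb:cc:00:00:0a", "10.0.1.10"), "vmB": ("aa:bb:cc:00:00:0b", "10.0.1.11")}
    rules = rules_for_entity(TOPOLOGY, "entity", mac, ip, vlan, vms)
    for node, entry in rules[("to_vm", "vmA")].items():
        print(f'ovs-ofctl add-flow {node} "{entry}"')   # what step 405 would push
    print(walk(TOPOLOGY, rules[("to_vm", "vmA")], "entity"))
    print(walk(TOPOLOGY, rules[("from_vm", "vmA")], "vmA"))
```

Replaying both directions before anything is issued catches the classic mistake of installing a forward path without its reverse, and a failed in_port check points at the exact node whose port numbering disagrees with the topology the algorithm used. Because every entry matches the full tuple rather than only the destination, the entity device can reach only the virtual machines for which entries were generated; any traffic it sends elsewhere has no matching entry on the gateway device and is dropped by the bridge's default behaviour rather than forwarded into the range.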
Based on the same concept as the method described above, referring to fig. 5, an apparatus 500 for implementing a physical device to access a network target range is provided for an embodiment of the present application. The apparatus 500 is used for performing the steps of the above method, and the details are not repeated here to avoid repetition. The apparatus 500 comprises: a processing unit 501 and a communication unit 502.
A processing unit 501 configured to perform:
when detecting that the entity equipment is connected with gateway equipment of a network target range, acquiring an access address of the entity equipment;
generating a data forwarding rule aiming at the entity equipment according to the access address, the address of each virtual machine contained in the network target range and a pre-configured data forwarding algorithm; the data forwarding rule is used for representing a transmission mode of data related to the entity equipment;
a communication unit 502, configured to send the data forwarding rule to the gateway device.
In some embodiments, the processing unit 501 is specifically configured to:
acquiring the access address of the entity device from a database according to the category of the network target range, the database comprising pre-stored access addresses of a plurality of devices and the categories to which the devices respectively belong; or,
acquiring the address of the entity device in response to an operation of the user inputting the access address of the entity device.
In some embodiments, the processing unit 501 is specifically configured to:
aiming at any virtual machine in the virtual machines, calculating a path for data transmission between the entity equipment and the virtual machine according to the data forwarding algorithm;
and generating a data forwarding rule between the entity equipment and the virtual machine according to the address of the virtual machine, the access address of the entity equipment and the path.
In some embodiments, the processing unit 501 is further configured to:
monitoring the port of the entity device at set intervals, and determining that data transmission exists between the entity device and the network target range.
Fig. 6 shows a schematic structural diagram of an electronic device 600 provided in an embodiment of the present application. The electronic device 600 may further include a communication interface 603, for example a network interface, through which the electronic device transmits data; for example, the communication interface 603 may implement the function of the communication unit 502 described in the foregoing embodiment.
In the embodiment of the present application, the memory 602 stores instructions executable by the at least one controller 601, and the at least one controller 601 may be configured to execute the steps in the method described above by executing the instructions stored in the memory 602, for example, the controller 601 may implement the functions of the processing unit 501 in fig. 5 described above.
The controller 601 is the control center of the electronic device and may connect the various parts of the whole electronic device through various interfaces and lines, running the instructions stored in the memory 602 and calling the data stored in the memory 602. Alternatively, the controller 601 may include one or more processing units, and may integrate an application controller and a modem controller, where the application controller mainly handles the operating system, application programs, and the like, and the modem controller mainly handles wireless communication. It will be appreciated that the modem controller need not be integrated into the controller 601. In some embodiments, the controller 601 and the memory 602 may be implemented on the same chip; in other embodiments, they may be implemented on separate chips.
The controller 601 may be a general-purpose controller, such as a Central Processing Unit (CPU), a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present application. The general-purpose controller may be a microcontroller or any conventional controller. The steps of the method disclosed in the embodiments of the present application may be executed directly by a hardware controller, or by a combination of hardware and software modules in the controller.
The memory 602, as a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. The memory 602 may include at least one type of storage medium, such as a flash memory, a hard disk, a multimedia card, a card-type memory, a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Programmable Read Only Memory (PROM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a magnetic memory, a magnetic disk, an optical disk, and the like. The memory 602 may also be any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory 602 in the embodiments of the present application may also be circuitry or any other device capable of performing a storage function for storing program instructions and/or data.
By programming the controller 601, for example by fixing the code corresponding to the method for accessing the network target range by the entity device described in the foregoing embodiments in the chip, the chip can execute the steps of that method when running.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a controller of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the controller of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A method for a physical device to access a network range, the method comprising:
when detecting that entity equipment is connected with gateway equipment of a network target range, acquiring an access address of the entity equipment;
generating a data forwarding rule aiming at the entity equipment according to the access address, each virtual machine address contained in the network target range and a pre-configured data forwarding algorithm; the data forwarding rule is used for representing a transmission mode of data related to the entity equipment;
and sending the data forwarding rule to the gateway equipment.
2. The method of claim 1, wherein the obtaining the access address of the physical device comprises:
acquiring the access address of the entity equipment from a database according to the category of the network target range; the database comprises pre-stored access addresses of a plurality of devices and the categories to which the devices respectively belong; or,
acquiring the address of the entity equipment in response to an operation of a user inputting the access address of the entity equipment.
3. The method of claim 1 or 2, wherein generating the data forwarding rule for the entity equipment according to the access address, the address of each virtual machine included in the network target range, and a pre-configured data forwarding algorithm comprises:
aiming at any virtual machine in the virtual machines, calculating a path for data transmission between the entity equipment and the virtual machine according to the data forwarding algorithm;
and generating a data forwarding rule between the entity equipment and the any virtual machine according to the address of the any virtual machine, the access address of the entity equipment and the path.
4. The method of claim 1 or 2, wherein after sending the data forwarding rule to the gateway device, the method further comprises:
monitoring the port of the entity equipment at set intervals, and determining that data transmission exists between the entity equipment and the network target range.
5. An apparatus for a physical device to access a network range, the apparatus comprising:
a processing unit configured to perform:
when detecting that entity equipment is connected with gateway equipment of a network target range, acquiring an access address of the entity equipment;
generating a data forwarding rule aiming at the entity equipment according to the access address, the address of each virtual machine contained in the network target range and a pre-configured data forwarding algorithm; the data forwarding rule is used for representing a transmission mode of data related to the entity equipment;
and the communication unit is used for sending the data forwarding rule to the gateway equipment.
6. The apparatus according to claim 5, wherein the processing unit is specifically configured to:
acquiring the access address of the entity equipment from a database according to the category of the network target range; the database comprises pre-stored access addresses of a plurality of devices and the categories to which the devices respectively belong; or,
acquiring the address of the entity equipment in response to an operation of the user inputting the access address of the entity equipment.
7. The apparatus according to claim 5 or 6, wherein the processing unit is specifically configured to:
aiming at any virtual machine in the virtual machines, calculating a path for data transmission between the entity equipment and the virtual machine according to the data forwarding algorithm;
and generating a data forwarding rule between the entity equipment and the virtual machine according to the address of the virtual machine, the access address of the entity equipment and the path.
8. The apparatus according to claim 5 or 6, wherein the processing unit is further configured to:
monitoring the port of the entity equipment at set intervals, and determining that data transmission exists between the entity equipment and the network target range.
9. An electronic device, comprising: a memory and a controller;
a memory for storing program instructions;
a controller for calling program instructions stored in said memory to execute the method of any one of claims 1 to 4 in accordance with the obtained program.
10. A computer storage medium storing computer-executable instructions for performing the method of any one of claims 1-4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211031972.8A CN115426324A (en) 2022-08-26 2022-08-26 Method and device for accessing entity equipment to network target range

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211031972.8A CN115426324A (en) 2022-08-26 2022-08-26 Method and device for accessing entity equipment to network target range

Publications (1)

Publication Number Publication Date
CN115426324A true CN115426324A (en) 2022-12-02

Family

ID=84201237

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211031972.8A Pending CN115426324A (en) 2022-08-26 2022-08-26 Method and device for accessing entity equipment to network target range

Country Status (1)

Country Link
CN (1) CN115426324A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116132221A (en) * 2023-04-04 2023-05-16 鹏城实验室 Virtual-real interconnection method, device, equipment and storage medium of network target range platform

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070076857A1 (en) * 2003-02-07 2007-04-05 Chava Venkatesh Ven Intermediary network system and method for facilitating message exchange between wireless networks
CN109743293A (en) * 2018-12-13 2019-05-10 烽台科技(北京)有限公司 The access method and network target range system, computer storage medium in network target range
US20190173888A1 (en) * 2016-08-09 2019-06-06 Huawei Technologies Co., Ltd. Method for virtual machine to access physical server in cloud computing system, apparatus, and system
CN111600913A (en) * 2020-07-22 2020-08-28 南京赛宁信息技术有限公司 Self-adaptive access method and system for real equipment in attack and defense scene of network shooting range
CN111711557A (en) * 2020-08-18 2020-09-25 北京赛宁网安科技有限公司 Remote access system and method for network target range users
CN114363021A (en) * 2021-12-22 2022-04-15 绿盟科技集团股份有限公司 Network shooting range system, virtual network implementation method and device of network shooting range system


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Liu Yingguo: "US Military Cybersecurity Test and Evaluation" (《美军网络安全试验鉴定》), 31 July 2018, National Defense Industry Press, page 155 *
James Kurose et al.: "Network Engineering Design Tutorial: System Integration Methods, 4th ed." (《网络工程设计教程系统集成方法 第4版》), 30 June 2021, Xidian University Press, pages 326-327 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116132221A (en) * 2023-04-04 2023-05-16 鹏城实验室 Virtual-real interconnection method, device, equipment and storage medium of network target range platform
CN116132221B (en) * 2023-04-04 2023-08-25 鹏城实验室 Virtual-real interconnection method, device, equipment and storage medium of network target range platform


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination