CN115766260A - Method, device, equipment and storage medium for generating network access white list - Google Patents


Info

Publication number
CN115766260A
Authority
CN
China
Prior art keywords
identification information
address
cloud service
access
deployable unit
Legal status
Pending
Application number
CN202211477033.6A
Other languages
Chinese (zh)
Inventor
严伟
Current Assignee
Shanghai Pudong Development Bank Co Ltd
Original Assignee
Shanghai Pudong Development Bank Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, a device, equipment and a storage medium for generating a network access white list. The method is applied to cloud services, where a cloud service comprises at least one deployable unit, and at least one container is arranged in the deployable unit. The network access white list generation method comprises the following steps: acquiring dynamic data and static data; determining a calling association relationship between cloud services according to the dynamic data and the static data, wherein the calling association relationship between the cloud services comprises the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port. According to this technical solution, the network access white list can be generated from these, and the network security policy is then generated according to the network access white list, so that omissions and deviations are reduced.

Description

Method, device, equipment and storage medium for generating network access white list
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to a method, a device, equipment and a storage medium for generating a network access white list.
Background
Currently, although cloud-native network policy rules can provide a visual network traffic topology and a means of setting network security policies, the network security policy still has to be set manually by the user (including tenant namespaces, labels, IPs and the like) on the basis of statistical information. In addition, the network security policy requires a system administrator and an application administrator to review it against known services, and omissions easily occur during this review; compared with a traditional security policy, a network security policy has more screening and aggregation dimensions (such as namespace, label, IP, protocol and port), so the network security policy that is formulated deviates from what is needed because the information obtained during manual review is incomplete.
Disclosure of Invention
The embodiment of the invention provides a method, a device, equipment and a storage medium for generating a network access white list, which solve the problem that manually reviewing the access relationships of applications easily leads to incomplete information acquisition and hence to deviations in policy formulation.
According to an aspect of the present invention, there is provided a network access white list generation method, which is applied to a cloud service, where the cloud service includes: at least one deployable unit, wherein at least one container is arranged in the deployable unit, and the network access white list generation method comprises the following steps:
acquiring dynamic data and static data;
determining a calling association relationship between cloud services according to the dynamic data and the static data, wherein the calling association relationship between the cloud services comprises: the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port;
and generating a network access white list according to the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port.
According to another aspect of the present invention, there is provided a network access white list generating apparatus, including:
the first acquisition module is used for acquiring dynamic data and static data;
a first determining module, configured to determine a call association relationship between cloud services according to the dynamic data and the static data, where the call association relationship between cloud services includes: the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port;
and a first generation module, configured to generate a network access white list according to the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor, the computer program being executable by the at least one processor to enable the at least one processor to perform a method of network access white list generation according to any of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer-readable storage medium storing computer instructions which, when executed, cause a processor to implement the method for generating a network access white list according to any one of the embodiments of the present invention.
The embodiment of the invention acquires dynamic data and static data; determines a calling association relationship between cloud services according to the dynamic data and the static data, wherein the calling association relationship between the cloud services comprises the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port; and generates the network access white list according to the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port. This solves the problem that manually reviewing the access relationships of applications easily yields incomplete information and hence deviations in policy formulation: the network access white list can be generated, a network security policy is generated according to the network access white list, and omissions and deviations are reduced.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present invention, nor do they necessarily limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 is a flowchart of a method for generating a network access white list according to a first embodiment of the present invention;
fig. 2 is a schematic structural diagram of a network access white list generation apparatus according to a second embodiment of the present invention;
fig. 3 is a schematic structural diagram of an electronic device in a third embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It is understood that before the technical solutions disclosed in the embodiments of the present disclosure are used, the type, the use range, the use scene, etc. of the personal information related to the present disclosure should be informed to the user and obtain the authorization of the user through a proper manner according to the relevant laws and regulations.
Example one
Fig. 1 is a flowchart of a method for generating a network access white list according to a first embodiment of the present invention, where the method is applied to a cloud service, and the cloud service includes: at least one deployable unit having at least one container disposed therein. It should be noted that there may be a plurality of deployable units in the cloud service, there may also be a plurality of containers in a deployable unit, and one container may access a plurality of containers, or a plurality of containers may access a plurality of containers. The present embodiment is applicable to the case of generating a network isolation policy, where the method may be executed by the network access white list generation apparatus in the embodiment of the present invention, and the apparatus may be implemented in software and/or hardware. As shown in fig. 1, the method specifically includes the following steps:
s110, acquiring dynamic data and static data.
The dynamic data comprises a source IP address of the deployable unit, a destination IP address of the deployable unit and a destination port, and the static data comprises label information of the deployable unit and a first IP address of the deployable unit. It should be noted that the first IP address is only used for distinguishing from the source IP address and the destination IP address, which is convenient for the description of the embodiment of the present invention, and has no other meaning.
Specifically, the dynamic data and the static data may be acquired as follows: both are collected from an eBPF probe.
S120, determining a calling association relationship between the cloud services according to the dynamic data and the static data, wherein the calling association relationship between the cloud services comprises: identification information of the accessing cloud service, identification information of the accessed cloud service, and a destination port.
The destination port is a destination port in the dynamic data.
Specifically, the call association relationship between the cloud services may be determined from the dynamic data and the static data as follows: obtaining the static data corresponding to the source IP address according to the source IP address in the dynamic data, and obtaining the static data corresponding to the destination IP address according to the destination IP address in the dynamic data; integrating the source IP address in the dynamic data with the static data corresponding to the source IP address to obtain the label information of the deployable unit in the static information corresponding to the source IP address, determining the cloud service to which that deployable unit belongs according to this label information, and thereby determining the identification information of the accessing cloud service; integrating the destination IP address in the dynamic data with the static data corresponding to the destination IP address to obtain the label information of the deployable unit in the static information corresponding to the destination IP address, and determining the identification information of the accessed cloud service according to this label information; and determining the call association relationship between the cloud services according to the destination port in the dynamic data, the identification information of the accessing cloud service and the identification information of the accessed cloud service.
Optionally, the dynamic data includes: a source IP address of the deployable unit, a destination IP address of the deployable unit, and a destination port, the static data including: tag information of the deployable unit and a first IP address of the deployable unit;
correspondingly, determining a call association relationship between cloud services according to the dynamic data and the static data includes:
screening the dynamic data and the static data according to the source IP address of the deployable unit, the destination IP address of the deployable unit and the first IP address of the deployable unit to obtain first dynamic data, first static data and second static data, wherein the source IP address of the deployable unit in the first dynamic data is the same as the first IP address in the first static data, and the destination IP address of the deployable unit in the first dynamic data is the same as the first IP address in the second static data;
and generating a call incidence relation among the cloud services according to the first dynamic data, the first static data and the second static data.
Specifically, the first dynamic data, the first static data and the second static data may be obtained by screening the dynamic data and the static data according to the source IP address of the deployable unit, the destination IP address of the deployable unit and the first IP address of the deployable unit as follows: obtaining the source IP addresses and destination IP addresses of the deployable units in all the dynamic data and the first IP addresses of the deployable units in all the static data; generating the first static data from the static data whose first IP address is the same as a source IP address in the dynamic data; generating the second static data from the static data whose first IP address is the same as a destination IP address in the dynamic data; and generating the first dynamic data from the dynamic data whose source IP address and destination IP address each match a first IP address in the static data.
Specifically, the call association relationship among the cloud services may be generated from the first dynamic data, the first static data and the second static data as follows: acquiring the label information of the deployable unit in the static information corresponding to the source IP address according to the first dynamic data and the first static data, and acquiring the identification information of the accessing cloud service according to that label information; acquiring the label information of the deployable unit in the static information corresponding to the destination IP address according to the first dynamic data and the second static data, and acquiring the identification information of the accessed cloud service according to that label information; acquiring the destination port from the first dynamic data; and generating the call association relationship among the cloud services according to the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port.
Optionally, generating a call association relationship between cloud services according to the first dynamic data, the first static data, and the second static data includes:
acquiring identification information of the accessing cloud service corresponding to the label information of the deployable unit in the first static information;
acquiring identification information of the accessed cloud service corresponding to the label information of the deployable unit in the second static information;
acquiring a destination port in the first dynamic information;
and generating a calling association relationship among the cloud services according to the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port.
The first static information is information corresponding to the first static data, the second static information is information corresponding to the second static data, and the first dynamic information is information corresponding to the first dynamic data. The tag information is information for distinguishing the deployable units.
Specifically, the identification information of the accessing cloud service corresponding to the label information of the deployable unit in the first static information may be obtained as follows: acquiring the first static information corresponding to the first static data, and determining the identification information of the accessing cloud service according to the label information of the deployable unit in the first static information. It should be noted that, because the first IP address in the first static data is the same as the source IP address in the first dynamic data, the label information of the deployable unit in the first static information corresponds to the identification information of the accessing cloud service.
Specifically, the identification information of the accessed cloud service corresponding to the label information of the deployable unit in the second static information may be obtained as follows: acquiring the second static information corresponding to the second static data, and determining the identification information of the accessed cloud service according to the label information of the deployable unit in the second static information. It should be noted that, because the first IP address in the second static data is the same as the destination IP address in the first dynamic data, the label information of the deployable unit in the second static information corresponds to the identification information of the accessed cloud service.
Specifically, the destination port in the first dynamic information may be acquired as follows: acquiring the first dynamic information corresponding to the first dynamic data, wherein the destination port in the first dynamic information is the destination port required for generating the call association relationship between the cloud services.
It should be noted that there may be a plurality of items of first static information, second static information and first dynamic information, so that a plurality of items of identification information of accessing cloud services, a plurality of items of identification information of accessed cloud services and a plurality of destination ports may be generated, and a plurality of call association relationships between cloud services may then be generated from them.
And S130, generating a network access white list according to the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port.
The network access white list is a list of permitted accesses, and mainly comprises the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port. If the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port of a received access request match an entry in the network access white list, the access can be performed; if no matching entry is found in the network access white list, the access cannot be performed.
Specifically, the network access white list may be generated from the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port as follows: associating the items in the dynamic data and the static data in sequence to obtain the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port, thereby obtaining a plurality of call association relationships, and building a list from these call association relationships to form the network access white list.
Optionally, the method further includes:
receiving a network access request, wherein the network access request comprises: an IP address of the accessing container, an IP address of the accessed container and an access port;
determining first identification information of the accessing cloud service according to the IP address of the accessing container;
determining second identification information of the accessed cloud service according to the IP address of the accessed container;
and if the network access white list contains a call association relationship that is the same as the first identification information of the accessing cloud service, the second identification information of the accessed cloud service and the access port, executing the network access request.
There may be a plurality of IP addresses of accessing containers and a plurality of IP addresses of accessed containers, and access among the containers may be many-to-many. It should be noted that the first identification information is the identification information of the accessing cloud service determined, in actual application, from the IP address of the accessing container; the second identification information is the identification information of the accessed cloud service determined, in actual application, from the IP address of the accessed container; and the access port is the destination port at the time of actual application.
Specifically, the first identification information of the accessing cloud service may be determined from the IP address of the accessing container as follows: determining the label information of the accessing container according to its IP address, determining the label information of the deployable unit to which the accessing container belongs according to the label information of the container, and determining the first identification information of the accessing cloud service according to the label information of the deployable unit.
Specifically, the second identification information of the accessed cloud service may be determined from the IP address of the accessed container as follows: determining the label information of the accessed container according to its IP address, determining the label information of the deployable unit to which the accessed container belongs according to the label information of the container, and determining the second identification information of the accessed cloud service according to the label information of the deployable unit.
Specifically, executing the network access request if the network access white list contains a call association relationship that is the same as the first identification information of the accessing cloud service, the second identification information of the accessed cloud service and the access port may proceed as follows: obtaining the first identification information of the accessing cloud service, the second identification information of the accessed cloud service and the access port; forming the call association relationship among these three; searching the network access white list; executing the network access request if the same call association relationship exists in the network access white list; and rejecting the network access request if it does not.
Optionally, determining first identification information of the accessing cloud service according to the IP address of the accessing container includes:
determining first label information of the container according to the IP address of the accessing container;
determining first label information of the deployable unit according to the first label information of the container;
and determining first identification information of the accessing cloud service according to the first label information of the deployable unit.
The cloud service may store in advance the relationship between the IP address of the accessing container and the first label information of the container, and may likewise store in advance the relationship between the IP address of the accessed container and the label information of the container; both relationships may be stored in the form of a list.
The first label information of the container is the label information of the container corresponding to the IP address of the accessing container and is used to distinguish the container. The first label information of the deployable unit is the label information of the deployable unit to which the container corresponding to the IP address of the accessing container belongs.
Optionally, determining second identification information of the accessed cloud service according to the IP address of the accessed container includes:
determining second label information of the container according to the IP address of the accessed container;
determining second label information of the deployable unit according to the second label information of the container;
and determining second identification information of the accessed cloud service according to the second label information of the deployable unit.
The second label information of the container is the label information of the container corresponding to the IP address of the accessed container, and the second label information of the deployable unit is the label information of the deployable unit to which the container corresponding to the IP address of the accessed container belongs.
Optionally, executing the network access request if a call association relationship that is the same as the first identification information of the accessing cloud service, the second identification information of the accessed cloud service and the access port exists in the network access white list includes:
generating a first call association relationship according to the first identification information of the accessing cloud service, the second identification information of the accessed cloud service and the access port;
and if a second call association relationship that is the same as the first call association relationship exists in the network access white list, executing the network access request, wherein the first identification information of the accessing cloud service in the first call association relationship is the same as the identification information of the accessing cloud service in the second call association relationship, the second identification information of the accessed cloud service in the first call association relationship is the same as the identification information of the accessed cloud service in the second call association relationship, and the access port in the first call association relationship is the same as the destination port in the second call association relationship.
The first call association relationship is the call association relationship generated, in actual application, from the first identification information of the accessing cloud service, the second identification information of the accessed cloud service and the access port; the second call association relationship is a call association relationship stored in the network access white list that is the same as the first call association relationship.
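As an added illustration, and not code from the patent or from the applicant, the following Python models steps S110 to S130 above (joining flow records with deployable-unit label information to derive call association relationships and a white list) together with the optional request-enforcement flow just described. All flow records, IP addresses, labels, service names and ports are constructed sample data, and the choice of the `app` label as the identifier of a cloud service is an assumption; the patent only says the service is determined from the unit's label information.

```python
"""Added example (not from the patent): build a service-level network access
white list from constructed flow records and pod metadata, then enforce it.
Every IP, label, service name and port below is constructed sample data."""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Dynamic data (S110): one record per observed connection, in the shape a probe
# such as eBPF reports it: (source IP, destination IP, destination port).
# Constructed sample data.
FLOWS: List[Tuple[str, str, int]] = [
    ("10.0.1.11", "10.0.2.21", 8080),
    ("10.0.1.12", "10.0.2.21", 8080),  # second replica of the same service, same edge
    ("10.0.2.21", "10.0.3.31", 5432),
    ("10.0.1.11", "10.0.3.31", 5432),
    ("10.0.9.99", "10.0.2.21", 8080),  # no static record for this source: dropped by screening
]

# Static data (S110): a deployable unit's first IP address -> its label information.
# Constructed sample data.
PODS: Dict[str, Dict[str, str]] = {
    "10.0.1.11": {"app": "frontend", "tier": "web"},
    "10.0.1.12": {"app": "frontend", "tier": "web"},
    "10.0.2.21": {"app": "orders", "tier": "api"},
    "10.0.3.31": {"app": "postgres", "tier": "db"},
}

# Assumption: the cloud service a deployable unit belongs to is identified by this
# label. The patent only says the service is determined from the unit's label information.
SERVICE_LABEL = "app"

# A call association relationship: (accessing service, accessed service, destination port).
CallRelation = Tuple[str, str, int]


def service_of(ip: str, pods: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Map an IP to the identification information of its cloud service through the
    static data: IP -> deployable unit labels -> service. None if the IP is unknown."""
    labels = pods.get(ip)
    if labels is None:
        return None
    return labels.get(SERVICE_LABEL)


def build_whitelist(flows: Iterable[Tuple[str, str, int]],
                    pods: Dict[str, Dict[str, str]]) -> Set[CallRelation]:
    """S120 and S130: keep only flows whose source and destination both match a first
    IP address in the static data, resolve both sides to a service, and collect the
    distinct (accessing, accessed, port) triples as the white list."""
    whitelist: Set[CallRelation] = set()
    for src_ip, dst_ip, dst_port in flows:
        src = service_of(src_ip, pods)
        dst = service_of(dst_ip, pods)
        if src is None or dst is None:
            continue  # screening step: no matching static data, so no relationship is derived
        whitelist.add((src, dst, dst_port))
    return whitelist


def is_allowed(whitelist: Set[CallRelation], pods: Dict[str, Dict[str, str]],
               src_ip: str, dst_ip: str, port: int) -> bool:
    """Enforcement: resolve the request's container IPs to the first and second
    identification information and execute the request only if the same call
    association relationship is in the white list. Unknown containers are denied."""
    src = service_of(src_ip, pods)
    dst = service_of(dst_ip, pods)
    if src is None or dst is None:
        return False
    return (src, dst, port) in whitelist


def ingress_rules(whitelist: Set[CallRelation]) -> Dict[str, List[Dict[str, object]]]:
    """Group the white list by accessed service into label-selector ingress rules,
    the shape in which a cloud-native network security policy is expressed."""
    rules: Dict[str, List[Dict[str, object]]] = {}
    for src, dst, port in sorted(whitelist):
        rules.setdefault(dst, []).append({"from": {SERVICE_LABEL: src}, "port": port})
    return rules


if __name__ == "__main__":
    wl = build_whitelist(FLOWS, PODS)
    for relation in sorted(wl):
        print("allow", relation)
    print("frontend -> orders:8080", is_allowed(wl, PODS, "10.0.1.12", "10.0.2.21", 8080))
    print("orders -> frontend:8080", is_allowed(wl, PODS, "10.0.2.21", "10.0.1.11", 8080))
    print("unknown -> orders:8080 ", is_allowed(wl, PODS, "10.0.9.99", "10.0.2.21", 8080))
```

Two details matter for the isolation policy that results. The white list is keyed by service rather than by IP, so a second replica of `frontend` contributes the same edge and a replica that is rescheduled to a new IP stays covered as long as the static data is current. The enforcement side denies both the reverse direction of an observed edge and any container the static data does not know, which is the default-deny behaviour a white list implies.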
According to the technical solution of this embodiment, dynamic data and static data are acquired; a calling association relationship between cloud services is determined according to the dynamic data and the static data, wherein the calling association relationship between the cloud services comprises the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port; and the network access white list is generated according to the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port. This solves the problem that manually reviewing the access relationships of applications easily yields incomplete information and hence deviations in policy formulation: the network access white list can be generated, a network security policy is generated according to the network access white list, and omissions and deviations are reduced.
Example two
Fig. 2 is a schematic structural diagram of a network access white list generation apparatus in the second embodiment of the present invention. The present embodiment may be applicable to the case of generating a network isolation policy, where the apparatus may be implemented in a software and/or hardware manner, and the apparatus may be integrated in any device that provides a function of generating a network access white list, as shown in fig. 2, where the network access white list generating apparatus specifically includes: a first acquisition module 210, a first determination module 220, and a first generation module 230.
The first obtaining module 210 is configured to obtain dynamic data and static data;
a first determining module 220, configured to determine a call association relationship between cloud services according to the dynamic data and the static data, where the call association relationship between cloud services includes: the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port;
the first generating module 230 is configured to generate a network access white list according to the identification information of the access cloud service, the identification information of the accessed cloud service, and the destination port.
Optionally, the dynamic data includes: a source IP address of the deployable unit, a destination IP address of the deployable unit, and a destination port, the static data comprising: tag information of the deployable unit and a first IP address of the deployable unit;
correspondingly, the first determining module is specifically configured to:
screening the dynamic data and the static data according to the source IP address of the deployable unit, the destination IP address of the deployable unit and the first IP address of the deployable unit to obtain first dynamic data, first static data and second static data, wherein the source IP address of the deployable unit in the first dynamic data is the same as the first IP address in the first static data, and the destination IP address of the deployable unit in the first dynamic data is the same as the first IP address in the second static data;
and generating a call association relationship among the cloud services according to the first dynamic data, the first static data and the second static data.
Optionally, the first determining module is specifically configured to:
acquiring the identification information of the accessing cloud service corresponding to the tag information of the deployable unit in the first static data;
acquiring the identification information of the accessed cloud service corresponding to the tag information of the deployable unit in the second static data;
acquiring the destination port in the first dynamic data;
and generating a call association relationship among the cloud services according to the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port.
Optionally, the method further includes:
a first receiving module, configured to receive a network access request, where the network access request includes: an IP address of the accessing container, an IP address of the accessed container and an access port;
a second determining module, configured to determine first identification information of the accessing cloud service according to the IP address of the accessing container;
a third determining module, configured to determine second identification information of the accessed cloud service according to the IP address of the accessed container;
a first execution module, configured to execute the network access request if a call association relationship identical to the first identification information of the accessing cloud service, the second identification information of the accessed cloud service and the access port exists in the network access white list.
Optionally, the second determining module is specifically configured to:
determining first tag information of the container according to the IP address of the accessing container;
determining first tag information of the deployable unit according to the first tag information of the container;
and determining the first identification information of the accessing cloud service according to the first tag information of the deployable unit.
Optionally, the first execution module is specifically configured to:
generating a first call association relationship according to the first identification information of the accessing cloud service, the second identification information of the accessed cloud service and the access port;
and if a second call association relationship identical to the first call association relationship exists in the network access white list, executing the network access request, wherein the first identification information of the accessing cloud service in the first call association relationship is the same as the identification information of the accessing cloud service in the second call association relationship, the second identification information of the accessed cloud service in the first call association relationship is the same as the identification information of the accessed cloud service in the second call association relationship, and the access port in the first call association relationship is the same as the destination port in the second call association relationship.
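As an added illustration of the generation and enforcement steps above (this is not the applicant's code), the following Python models the static data, the dynamic data, the screening that yields the call association relationships, and the container-IP-to-service lookup used to check a request; all names, addresses and the tag keys `app` and `unit` are constructed assumptions.

```python
"""Added illustration of the patent's whitelist generation and request check.

Static data : deployable units, each with tag information and a first IP address.
Dynamic data: observed flows (source unit IP, destination unit IP, destination port).
Whitelist   : set of call association relationships
              (accessing service id, accessed service id, destination port).
Check       : container IP -> container tag -> deployable-unit tag -> service id,
              then look the resulting relationship up in the whitelist.
All names, addresses and the tag keys "app" / "unit" are constructed assumptions.
"""
from typing import Dict, List, Optional, Set, Tuple

CallRelation = Tuple[str, str, int]

# --- constructed sample data -------------------------------------------------
STATIC_DATA: List[Dict] = [            # one record per deployable unit
    {"ip": "10.1.0.11", "tags": {"app": "order-api"}},
    {"ip": "10.1.0.12", "tags": {"app": "order-api"}},     # second replica
    {"ip": "10.1.0.21", "tags": {"app": "payment-svc"}},
    {"ip": "10.1.0.31", "tags": {"app": "ledger-db"}},
]
DYNAMIC_DATA: List[Tuple[str, str, int]] = [   # (src unit IP, dst unit IP, dst port)
    ("10.1.0.11", "10.1.0.21", 8443),
    ("10.1.0.12", "10.1.0.21", 8443),   # same service pair: collapses to one entry
    ("10.1.0.21", "10.1.0.31", 5432),
    ("10.1.0.11", "10.9.9.9", 80),      # destination not present in static data
]
CONTAINERS: List[Dict] = [             # container IP plus the tag naming its unit
    {"ip": "10.1.0.11", "tags": {"unit": "order-api-0"}},
    {"ip": "10.1.0.21", "tags": {"unit": "payment-svc-0"}},
    {"ip": "10.1.0.31", "tags": {"unit": "ledger-db-0"}},
]
UNIT_TAGS: Dict[str, Dict[str, str]] = {   # unit tag -> that unit's tag information
    "order-api-0": {"app": "order-api"},
    "payment-svc-0": {"app": "payment-svc"},
    "ledger-db-0": {"app": "ledger-db"},
}


def service_id(unit_tags: Dict[str, str]) -> str:
    """Identification information of the cloud service a deployable unit belongs to."""
    return unit_tags["app"]


def build_whitelist(dynamic: List[Tuple[str, str, int]],
                    static: List[Dict]) -> Set[CallRelation]:
    """Screen dynamic data against static data and emit call association relationships."""
    by_first_ip = {unit["ip"]: unit for unit in static}
    whitelist: Set[CallRelation] = set()
    for src_ip, dst_ip, dst_port in dynamic:
        first_static = by_first_ip.get(src_ip)    # source IP == first IP of a unit
        second_static = by_first_ip.get(dst_ip)   # destination IP == first IP of a unit
        if first_static is None or second_static is None:
            continue   # flow cannot be attributed to two services: no whitelist entry
        whitelist.add((service_id(first_static["tags"]),
                       service_id(second_static["tags"]), dst_port))
    return whitelist


def service_of_container(ip: str, containers: List[Dict],
                         unit_tags: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Container IP -> container tag -> deployable-unit tag -> service identification."""
    for container in containers:
        if container["ip"] == ip:
            tags = unit_tags.get(container["tags"]["unit"])
            return service_id(tags) if tags else None
    return None


def allow_request(whitelist: Set[CallRelation], src_ip: str, dst_ip: str, port: int,
                  containers: List[Dict] = CONTAINERS,
                  unit_tags: Dict[str, Dict[str, str]] = UNIT_TAGS) -> bool:
    """True only when (first id, second id, access port) matches a whitelist entry."""
    first_id = service_of_container(src_ip, containers, unit_tags)
    second_id = service_of_container(dst_ip, containers, unit_tags)
    if first_id is None or second_id is None:
        return False   # endpoint not attributable to a known service: deny
    return (first_id, second_id, port) in whitelist


if __name__ == "__main__":
    wl = build_whitelist(DYNAMIC_DATA, STATIC_DATA)
    for relation in sorted(wl):
        print("whitelist:", relation)
    print(allow_request(wl, "10.1.0.11", "10.1.0.21", 8443))   # True
    print(allow_request(wl, "10.1.0.11", "10.1.0.31", 5432))   # False
```

Note that a request from an IP that cannot be mapped to a known service is denied rather than allowed, which is the fail-closed behaviour a white list implies.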
The above apparatus can execute the method provided by any embodiment of the present invention, and has the functional modules and beneficial effects corresponding to the executed method.
According to the technical scheme of this embodiment, dynamic data and static data are obtained; a call association relationship between cloud services is determined according to the dynamic data and the static data, wherein the call association relationship between the cloud services comprises: the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port; and the network access white list is generated according to the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port. This solves the problems that, when the access relationships of applications are sorted out manually, the information obtained is easily incomplete and the resulting policy deviates from what is needed: the network access white list can be generated, a network security policy can then be generated according to the network access white list, and omissions and deviations are reduced.
Example three
Fig. 3 is a schematic structural diagram of an electronic device in a third embodiment of the present invention. The electronic device 10 is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in Fig. 3, the electronic device 10 includes at least one processor 11, and a memory communicatively connected to the at least one processor 11, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, and the like, wherein the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data necessary for the operation of the electronic device 10 may also be stored. The processor 11, the ROM 12, and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to the bus 14.
A number of components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, or the like; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
Processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, or the like. The processor 11 performs the various methods and processes described above, such as the network access white list generation method.
In some embodiments, the network access white list generation method may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as the storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into the RAM 13 and executed by the processor 11, one or more steps of the network access white list generation method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the network access white list generation method by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for implementing the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on a machine, as a stand-alone software package partly on a machine and partly on a remote machine or entirely on a remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), blockchain networks, and the Internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical host and VPS service are overcome.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A network access white list generation method, applied to a cloud service, wherein the cloud service comprises: at least one deployable unit, wherein at least one container is arranged in the deployable unit, and the network access white list generation method comprises the following steps:
acquiring dynamic data and static data;
determining a call association relationship between cloud services according to the dynamic data and the static data, wherein the call association relationship between the cloud services comprises: the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port;
and generating a network access white list according to the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port.
2. The method of claim 1, wherein the dynamic data comprises: a source IP address of the deployable unit, a destination IP address of the deployable unit, and a destination port, the static data comprising: tag information of the deployable unit and a first IP address of the deployable unit;
correspondingly, determining a call association relationship between cloud services according to the dynamic data and the static data includes:
screening the dynamic data and the static data according to the source IP address of the deployable unit, the destination IP address of the deployable unit and the first IP address of the deployable unit to obtain first dynamic data, first static data and second static data, wherein the source IP address of the deployable unit in the first dynamic data is the same as the first IP address in the first static data, and the destination IP address of the deployable unit in the first dynamic data is the same as the first IP address in the second static data;
and generating a call association relationship among the cloud services according to the first dynamic data, the first static data and the second static data.
3. The method according to claim 2, wherein generating a call association relationship between cloud services according to the first dynamic data, the first static data and the second static data comprises:
acquiring the identification information of the accessing cloud service corresponding to the tag information of the deployable unit in the first static data;
acquiring the identification information of the accessed cloud service corresponding to the tag information of the deployable unit in the second static data;
acquiring the destination port in the first dynamic data;
and generating a call association relationship among the cloud services according to the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port.
4. The method of claim 1, further comprising:
receiving a network access request, wherein the network access request comprises: an IP address of the accessing container, an IP address of the accessed container and an access port;
determining first identification information of the accessing cloud service according to the IP address of the accessing container;
determining second identification information of the accessed cloud service according to the IP address of the accessed container;
and if a call association relationship identical to the first identification information of the accessing cloud service, the second identification information of the accessed cloud service and the access port exists in the network access white list, executing the network access request.
5. The method of claim 4, wherein determining the first identification information of the accessing cloud service according to the IP address of the accessing container comprises:
determining first tag information of the container according to the IP address of the accessing container;
determining first tag information of the deployable unit according to the first tag information of the container;
and determining the first identification information of the accessing cloud service according to the first tag information of the deployable unit.
6. The method of claim 4, wherein, if a call association relationship identical to the first identification information of the accessing cloud service, the second identification information of the accessed cloud service and the access port exists in the network access white list, executing the network access request comprises:
generating a first call association relationship according to the first identification information of the accessing cloud service, the second identification information of the accessed cloud service and the access port;
and if a second call association relationship identical to the first call association relationship exists in the network access white list, executing the network access request, wherein the first identification information of the accessing cloud service in the first call association relationship is the same as the identification information of the accessing cloud service in the second call association relationship, the second identification information of the accessed cloud service in the first call association relationship is the same as the identification information of the accessed cloud service in the second call association relationship, and the access port in the first call association relationship is the same as the destination port in the second call association relationship.
7. A network access white list generation apparatus, wherein the network access white list generation apparatus comprises:
the first acquisition module is used for acquiring dynamic data and static data;
a first determining module, configured to determine a call association relationship between cloud services according to the dynamic data and the static data, where the call association relationship between cloud services includes: the identification information of the accessing cloud service, the identification information of the accessed cloud service and the destination port;
and the first generation module is used for generating a network access white list according to the identification information of the access cloud service, the identification information of the accessed cloud service and the destination port.
8. The apparatus of claim 7, wherein the dynamic data comprises: a source IP address of the deployable unit, a destination IP address of the deployable unit, and a destination port, the static data comprising: tag information of the deployable unit and a first IP address of the deployable unit;
correspondingly, the first determining module is specifically configured to:
screening the dynamic data and the static data according to the source IP address of the deployable unit, the destination IP address of the deployable unit and the first IP address of the deployable unit to obtain first dynamic data, first static data and second static data, wherein the source IP address of the deployable unit in the first dynamic data is the same as the first IP address in the first static data, and the destination IP address of the deployable unit in the first dynamic data is the same as the first IP address in the second static data;
and generating a call association relationship among the cloud services according to the first dynamic data, the first static data and the second static data.
9. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor, the computer program being executable by the at least one processor to enable the at least one processor to perform the network access white list generation method of any of claims 1-6.
10. A computer-readable storage medium storing computer instructions for causing a processor to implement the method of generating a network access white list of any one of claims 1-6 when executed.

Priority Applications (1)

Application Number: CN202211477033.6A; Priority Date: 2022-11-23; Filing Date: 2022-11-23; Title: Method, device, equipment and storage medium for generating network access white list

Publications (1)

Publication Number: CN115766260A; Publication Date: 2023-03-07

Family

ID=85336274

Country Status (1)

Country: CN; Link: CN115766260A (en)

Legal Events

Code: PB01; Title: Publication
Code: SE01; Title: Entry into force of request for substantive examination