CN115996136A - SDN-based cloud security capability implementation method in multi-tenant scene - Google Patents

Info

Publication number: CN115996136A
Application number: CN202211199981.8A
Authority: CN (China)
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN115996136B (en)
Inventors: 周芸, 刘伟, 徐佳龙, 张怡磊, 赵志文
Current assignee: Huashu Cloud Technology Co ltd
Original assignee: Huashu Cloud Technology Co ltd
Prior art keywords: vpc, cloud, network, security, east
Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract

The invention discloses an SDN-based method for realising cloud security capabilities in a multi-tenant scenario. It addresses the slow and complicated configuration of the prior art and comprises the following steps: obtain a new cloud tenant request and create a VPC network in the cloud network equipment according to that request; issue a north-south security access policy and deploy it in the VPC network; issue an east-west security access control policy and deploy it in the VPC network; the SDN controller interfaces with an in-VPC security resource pool, which is configured in the cloud network equipment; the security resource pool obtains a cloud tenant security capability deployment request and, according to that request, deploys a security component for the VPC network it is connected to; and a route interworking policy is issued in the VPC network, according to which the VPC network and the in-VPC security resource pool establish data interaction.

Description

SDN-based cloud security capability implementation method in multi-tenant scene
Technical Field
The invention belongs to the field of cloud platform security technology, and in particular to an SDN-based method for realising cloud security capabilities in a multi-tenant scenario.
Background
With the rapidly changing network security landscape, the strategic importance of cyberspace security is increasingly evident and incidents endangering cyberspace occur frequently. Cloud computing infrastructure, as an important concentration of digital assets and services, therefore faces a particularly severe security situation. Cloud data assets have become a primary target of hacker attacks, and as data centres move to cloud computing models, the need for systematic cloud security construction has become urgent.
A cloud platform carries many kinds of business from many industries, and as the number of business systems keeps growing, so do the security requirements, including the level-2 and level-3 protection requirements. Each tenant needs independent security products to protect its own business. Cloud users also want to own each security component individually while obtaining security capability for their own services, and to manage all security components and the overall security posture of their services centrally. The current approach of deploying each NFV security function as a single virtual machine no longer meets tenant requirements: grasping the running quality and security state of cloud services in real time, keeping track of the security posture of the cloud network, and performing routine security operations supervision. A method is therefore needed for automatically delivering cloud security capability by means of SDN technology in scenarios with a very large number of tenants.
Disclosure of Invention
In order to overcome the defects and existing problems of the prior art, the invention provides an SDN-based method for realising cloud security capabilities in a multi-tenant scenario.
To achieve the above purpose, the invention adopts the following technical scheme:
the SDN-based cloud security capability implementation method in a multi-tenant scenario is characterised by comprising the following steps:
step 1: the SDN controller obtains a new cloud tenant request and creates a VPC network in the cloud network equipment according to that request, wherein the VPC network comprises a VPN instance;
step 2: the SDN controller issues a north-south security access policy to the VPC network and deploys the north-south security access policy in the VPC network;
step 3: the SDN controller issues an east-west security access control policy to the VPC network and deploys the east-west security access control policy in the VPC network;
step 4: the SDN controller interfaces with an in-VPC security resource pool, which is configured in the cloud network equipment; the security resource pool obtains a cloud tenant security capability deployment request and, according to that request, deploys a security component for the VPC network it is connected to; the security resource pool comprises the security components, each of which is at least one of host security, a WEB application firewall, database audit, log audit, operation and maintenance audit and vulnerability scanning; and the cloud tenant security capability deployment request causes the security component to be issued to the VPC network;
step 5: the SDN controller issues a route interworking policy to the VPC network, and the VPC network and the in-VPC security resource pool establish data interaction according to the route interworking policy.
Preferably, step 2 specifically includes the following steps:
step 21: the SDN controller issues a north-south security access control policy to the VPC network, wherein the north-south security access control policy comprises a north-south five-tuple;
step 22: the SDN controller deploys the north-south security access control policy at the boundary of the VPC network, where a north-south firewall is deployed.
Preferably, step 3 specifically includes the following steps:
step 31: the SDN controller issues an east-west security access control policy to the VPC network, wherein the east-west security access control policy comprises an east-west five-tuple;
step 32: the SDN controller deploys the east-west security access control policy on the east-west firewall in the VPC network;
step 33: the SDN controller deploys intrusion prevention and anti-virus policies on the east-west firewall in the VPC network;
step 34: the SDN controller uses service chain technology to configure access control for east-west data interaction in the VPC network.
Preferably, the cloud network equipment is built with a leaf-spine network architecture, which has two layers: one layer consists of leaf switches and the other of spine switches.
Preferably, the VPC network includes a first service system and a second service system, where the first service system, the second service system and the east-west firewall are each configured on a leaf switch, and the leaf switch carrying the first service system and the leaf switch carrying the second service system exchange data through the leaf switch carrying the east-west firewall.
Preferably, step 34 specifically includes the following steps:
step 341: the leaf switch attaches data characteristics to the east-west data of the first service system and sends it to the east-west firewall, wherein the data characteristics comprise a source address, a next-hop address, a destination address and a service chain label;
step 342: the east-west firewall screens the east-west data, and the screened east-west data is sent to the second service system.
Preferably, the method further comprises a cloud management platform, and the cloud management platform and the SDN controller interface through the NETCONF protocol.
Preferably, the SDN controller is configured with a northbound interface, and the cloud management platform connects to the northbound interface of the SDN controller.
Preferably, the method further comprises a cloud security service platform, and the cloud security service platform interfaces with the in-VPC security resource pool.
Preferably, step 5 specifically includes the following steps:
step 51: the SDN controller creates a virtual link layer and a virtual router on the cloud network equipment;
step 52: the SDN controller configures the subnet information of the security component on the virtual link layer;
step 53: the SDN controller binds the virtual router to the security component subnet information of the virtual link layer;
step 54: the VPC network comprises routers, and the SDN controller interconnects the virtual router with the routers of the VPC network.
Compared with the prior art, the invention has the following outstanding and beneficial technical effects:
(1) In the prior art, deploying security components as independent virtual machines (NFV) suffers from slow delivery and complicated configuration. In the invention, north-south security access, east-west security access and the deployment of security components from the in-VPC security pool are configured and delivered automatically, so the SDN-based method delivers security quickly and reduces manual configuration time.
(2) In the invention, the automatic configuration of north-south and east-west security access gives the VPC network a baseline of cloud security capability, and the cloud tenant can additionally call security components from the in-VPC security resource pool according to its own needs, giving the VPC network individually configured cloud security capability with which the tenant can complete its own security system. The method is therefore highly extensible, makes the security components easy to manage, meets the needs of users at different levels and makes reasonable use of cloud security resources.
(3) In the invention, the VPC network can be protected by north-south access control, east-west access control, host security, a WEB application firewall, database audit, log audit, operation and maintenance audit and vulnerability scanning, and different security components can be combined and packaged into a service package containing several security capabilities, thereby solving the cloud tenant's security problems comprehensively and effectively and achieving better protection.
(4) In the invention, the problem of configuring and delivering cloud security capability for a large number of users is solved by using the SDN controller. Because the SDN controller is a virtualised product, a large number of SDN controllers can be created on a limited amount of infrastructure, so that large numbers of users can each be configured by a different SDN controller. This isolates the network used to configure and deliver security capability, greatly improving both the protection achieved and the efficiency of configuration and delivery.
Drawings
FIG. 1 is a schematic flow diagram of the cloud security capability implementation of the present invention;
FIG. 2 is a schematic architecture diagram of the cloud network equipment according to the present invention.
Detailed Description
The present invention is further described below with reference to the drawings and specific embodiments to aid understanding by those skilled in the art.
As shown in FIG. 1, the SDN-based method for implementing cloud security capability in a multi-tenant scenario includes the following steps:
step 1: the SDN controller obtains a new cloud tenant request and creates a VPC network in the cloud network equipment according to that request, wherein the VPC network comprises a VPN instance;
in this step, the SDN (software defined network) controller is an application in the software defined network that is responsible for controlling traffic handling in the VPC network. The new cloud tenant request is a request signal for a new VPC network initiated by the cloud tenant on the SDN controller. The VPC network is the cloud tenant's private network in the cloud network equipment; it comprises a VPN instance, which gives the VPC network a customised, logically isolated network space and thus guarantees the data security of the cloud tenant using the VPC network. The cloud network equipment is the hardware on which the VPC network is built. In this embodiment, the cloud network equipment comprises switches and routers, and the VPN instance is denoted VPN-instance.
Step 2: the SDN controller issues a north-south security access policy to the VPC network and deploys the north-south security access policy in the VPC network;
in this step, north-south refers to data interaction between the VPC network and external users outside the VPC network. The north-south security access policy consists of the configuration parameters for data interaction between the VPC network and users outside it. In this embodiment, the users outside the VPC network are the Internet.
Step 3: the SDN controller issues an east-west security access control policy to the VPC network and deploys the east-west security access control policy in the VPC network;
in this step, east-west refers to data interaction between servers inside the VPC network. The east-west security access control policy consists of the configuration parameters for data interaction between servers within the VPC network.
Step 4: the SDN controller interfaces with an in-VPC security resource pool, which is configured in the cloud network equipment; the security resource pool obtains a cloud tenant security capability deployment request and, according to that request, deploys a security component for the VPC network it is connected to; the security resource pool comprises the security components, each of which is at least one of host security, a WEB application firewall, database audit, log audit, operation and maintenance audit and vulnerability scanning; and the cloud tenant security capability deployment request causes the security component to be issued to the VPC network;
in this step, the in-VPC security resource pool is the pool of security application resources formed by the security components used on the VPC network. A security component is an application that protects the cloud tenant's data security. The cloud tenant security capability deployment request contains the network configuration parameters of the security components that are to be deployed on the VPC network. The security resource pool issues the corresponding security component to the VPC network according to this request, so that individually chosen cloud security capability is configured in the VPC network. In this embodiment, the cloud tenant composes the deployment request according to its own needs, which realises individual customisation of cloud security capability and automatic deployment of security components on the VPC network. Host security is an application that ensures the confidentiality, integrity and availability of data stored and processed by a host. The WEB application firewall is an application that integrates WEB protection, web page protection, load balancing and application delivery into overall WEB security protection. Database audit is an application that safeguards the database: centred on security events and based on comprehensive and precise auditing, it records database activity on the network in real time, performs fine-grained compliance auditing of database operations, and raises real-time alarms on risky behaviour against the database. Log audit is an application that safeguards logs; it stores, monitors, audits, analyses, alarms on, responds to and reports the logs (running, alarm, operation, information, status and so on) generated in the VPC network.
Operation and maintenance audit is an application that safeguards operations and maintenance in the VPC network: it audits operation and maintenance actions effectively, raising the audit from the event level to the level of the operation's content, and solves the VPC network's operation and maintenance security problems comprehensively through prevention beforehand, control during, and tracing afterwards, thereby raising the operation and maintenance management level of the VPC network. Vulnerability scanning is a security detection application that scans the VPC network against a vulnerability database to discover exploitable vulnerabilities. In this embodiment, host security is denoted by waf.
Step 5: the SDN controller issues a route interworking policy to the VPC network, and the VPC network and the in-VPC security resource pool establish data interaction according to the route interworking policy;
in this step, the route interworking policy consists of the route configuration data of the VPC network and of the in-VPC security resource pool; it enables data interaction between the VPC network and the security components of the pool and thereby delivers the security capability to the VPC network.
Step 2 specifically includes the following steps:
step 21: the SDN controller issues a north-south security access control policy to the VPC network, wherein the north-south security access control policy comprises a north-south five-tuple;
in this step, the north-south five-tuple comprises the source IP address, source port, destination IP address, destination port and transport layer protocol used to control data interaction between the VPC network and users outside it.
Step 22: the SDN controller deploys the north-south security access control policy at the boundary of the VPC network, where a north-south firewall is deployed;
in this step, the north-south firewall is software that manages and screens data interaction between the VPC network and the outside. The north-south firewall deployed at the VPC boundary is a virtual firewall built in the cloud network equipment, so that independent north-south firewalls can readily be deployed in the cloud network equipment. In this embodiment, the virtual firewall is denoted vfw.
Step 3 specifically includes the following steps:
step 31: the SDN controller issues an east-west security access control policy to the VPC network, wherein the east-west security access control policy comprises an east-west five-tuple;
in this step, the east-west five-tuple comprises the source IP address, source port, destination IP address, destination port and transport layer protocol of data interaction between servers in the VPC network.
Step 32: the SDN controller deploys the east-west security access control policy on the east-west firewall in the VPC network;
in this step, the east-west firewall is software that manages and screens data interaction between servers in the VPC network. It is a virtual firewall: the SDN controller uses virtualisation technology to build the east-west firewall in the cloud network equipment, so that independent east-west firewalls can readily be deployed there.
Step 33: the SDN controller deploys intrusion prevention and anti-virus policies on the east-west firewall in the VPC network;
in this step, intrusion prevention monitors the data interaction behaviour between servers in the VPC network so that abnormal interactions can be adjusted or isolated in time. Anti-virus monitors the data of servers in the VPC network, finds viruses in the data promptly, and isolates or removes them. The intrusion prevention and anti-virus policies are the configuration parameters of these two functions and allow them to be built on the east-west firewall.
Step 34: the SDN controller uses service chain technology to configure access control for east-west data interaction in the VPC network;
in this step, the SDN-based service chain technology configures the data interaction between servers in the VPC network so that data security is managed during east-west interaction. In this embodiment, the service chain uses VXLAN messages.
The cloud network equipment is built with a leaf-spine network architecture, also known as the spine-leaf architecture or a large layer-2 network. The cloud network equipment built this way has two layers: one layer consists of leaf switches and the other of spine switches.
The VPC network comprises a first service system and a second service system. The leaf switches carry the first service system, the second service system and the east-west firewall respectively; there can be three or more leaf switches, with the first service system on its own leaf switch, the second service system on its own leaf switch, and the east-west firewall on its own leaf switch. As shown in FIG. 2, a service system is denoted VM, the first service system VM1, the second service system VM2 and the east-west firewall VFW; the leaf switches carrying the first and second service systems are denoted Leaf-server. The leaf switch carrying the first service system and the leaf switch carrying the second service system exchange data through the leaf switch carrying the east-west firewall, which is what configures access control for east-west data interaction in the VPC network.
Step 34 specifically includes the following steps:
step 341: the leaf switch attaches data characteristics to the east-west data of the first service system and sends it to the east-west firewall, wherein the data characteristics comprise a source address, a next-hop address, a destination address and a service chain label;
step 342: the east-west firewall screens the east-west data, and the screened east-west data is sent to the second service system;
in these steps, the data characteristics mark the east-west data so that the leaf switch can classify east-west traffic and steer it, according to the service chain label, to the corresponding nodes of the VPC network, on which the first service system, the second service system, the east-west firewall and so on are deployed. In this embodiment, the first service system, the second service system and the east-west firewall are each configured with an IP address: the IP address of the first service system is the source address, the IP address of the second service system is the destination address, and the IP address of the east-west firewall is the next-hop address. The service chain label marks and guides east-west traffic so as to facilitate data interaction between different VPC networks.
The IP addresses of the first and second service systems may each use a virtual subnet in order to make the most of the switch's IP address space. The IP address of the first service system is set to 100.1.1.1, that of the second service system to 100.1.1.2, and that of the east-west firewall to 100.1.1.11.
The following configuration is applied on the leaf switches of the cloud network equipment:
# Define advanced ACL 3001 to match packets with source address 100.1.1.1 and destination address 100.1.1.2.
<Leaf-server> system-view
[Leaf-server] acl advanced 3001
[Leaf-server-acl-ipv4-adv-3001] rule 0 permit ip source 100.1.1.1 0 destination 100.1.1.2 0
[Leaf-server-acl-ipv4-adv-3001] quit
# Node 0 sets the next hop of all packets with source address 100.1.1.1 and destination address 100.1.1.2 to 100.1.1.11.
[Leaf-server] policy-based-route secvfw permit node 0
[Leaf-server-pbr-secvfw-0] if-match acl 3001
[Leaf-server-pbr-secvfw-0] apply service-chain path-id 1
[Leaf-server-pbr-secvfw-0] apply next-hop vpn-instance vpna 100.1.1.11
[Leaf-server-pbr-secvfw-0] quit
# Apply the policy-based route on the layer-3 VSI virtual interface so that packets received on that interface are processed by it.
[Leaf-server] interface vsi-interface 3
[Leaf-server-Vsi-interface3] ip policy-based-route secvfw
[Leaf-server-Vsi-interface3] quit
# Node 0 sets the next hop of all packets with source address 10.1.1.1 to 100.1.1.11.
[Leaf-security] policy-based-route secvfw permit node 0
[Leaf-security-pbr-secvfw-0] if-match service-chain path-id 1
[Leaf-security-pbr-secvfw-0] apply next-hop vpn-instance vpna 100.1.1.11
[Leaf-security-pbr-secvfw-0] quit
This leaf switch configuration can be prepared in the SDN controller in advance, so that when the SDN controller receives the east-west security access control policy it can configure the leaf switches automatically.
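The following is an added example, not code from the patent or its assignee: it renders the leaf-switch steering configuration shown above (ACL plus policy-based route with a service-chain label pointing at the east-west vFW) from tenant parameters, and simulates the server-side PBR decision to show which flows the generated ACL actually steers. The EastWestChain dataclass, the helper names and the wildcard-mask support are assumptions of this example; the CLI syntax mirrors the page's own snippet and the sample addresses are the ones used on the page.

```python
"""Render and check the east-west service-chain steering config of the page."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass(frozen=True)
class EastWestChain:
    """One tenant's east-west steering rule: VM1 -> vFW -> VM2 (assumed model)."""
    src_ip: str                      # first service system (VM1)
    dst_ip: str                      # second service system (VM2)
    fw_ip: str                       # east-west virtual firewall, used as next hop
    vpn_instance: str                # VPN-instance isolating the tenant's VPC
    src_wildcard: str = "0.0.0.0"    # 0 = exact host match, as on the page
    dst_wildcard: str = "0.0.0.0"
    acl_id: int = 3001
    path_id: int = 1                 # service chain label carried to the next leaf
    vsi_interface: int = 3
    pbr_name: str = "secvfw"


def wildcard_match(rule_addr: str, wildcard: str, addr: str) -> bool:
    """ACL wildcard semantics: bits set in the wildcard are don't-care bits."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(rule_addr)) & care) == (int(IPv4Address(addr)) & care)


def next_hop_for(chain: EastWestChain, src: str, dst: str) -> Optional[str]:
    """Simulate PBR node 0 on the server-side leaf: a packet matching the ACL is
    redirected to the vFW; anything else follows normal routing (None)."""
    if (wildcard_match(chain.src_ip, chain.src_wildcard, src)
            and wildcard_match(chain.dst_ip, chain.dst_wildcard, dst)):
        return chain.fw_ip
    return None


def _w(wildcard: str) -> str:
    """The page writes an exact-host wildcard as a bare '0'."""
    return "0" if wildcard == "0.0.0.0" else wildcard


def render_leaf_server(chain: EastWestChain) -> List[str]:
    """Config pushed to the leaf switch hosting the service systems: match the
    flow, tag it with the service-chain label and redirect it to the vFW."""
    c = chain
    return [
        f"# ACL {c.acl_id}: match packets from {c.src_ip} to {c.dst_ip}",
        "system-view",
        f"acl advanced {c.acl_id}",
        f"rule 0 permit ip source {c.src_ip} {_w(c.src_wildcard)} "
        f"destination {c.dst_ip} {_w(c.dst_wildcard)}",
        "quit",
        f"# node 0: redirect matching packets to the east-west vFW {c.fw_ip}",
        f"policy-based-route {c.pbr_name} permit node 0",
        f"if-match acl {c.acl_id}",
        f"apply service-chain path-id {c.path_id}",
        f"apply next-hop vpn-instance {c.vpn_instance} {c.fw_ip}",
        "quit",
        "# bind the policy route to the layer-3 VSI interface receiving the traffic",
        f"interface vsi-interface {c.vsi_interface}",
        f"ip policy-based-route {c.pbr_name}",
        "quit",
    ]


def render_leaf_security(chain: EastWestChain) -> List[str]:
    """Config for the leaf on the firewall side: packets carrying the service-chain
    label are handed to the vFW, without matching on addresses again."""
    c = chain
    return [
        f"# node 0: packets tagged with path-id {c.path_id} go to the vFW {c.fw_ip}",
        "system-view",
        f"policy-based-route {c.pbr_name} permit node 0",
        f"if-match service-chain path-id {c.path_id}",
        f"apply next-hop vpn-instance {c.vpn_instance} {c.fw_ip}",
        "quit",
    ]


# Sample tenant (constructed; the addresses are the ones used on the page).
TENANT_CHAIN = EastWestChain(src_ip="100.1.1.1", dst_ip="100.1.1.2",
                             fw_ip="100.1.1.11", vpn_instance="vpna")

if __name__ == "__main__":
    print("\n".join(render_leaf_server(TENANT_CHAIN)))
    print("\n".join(render_leaf_security(TENANT_CHAIN)))
    # VM1 -> VM2 is steered through the vFW; the reverse direction is not,
    # because the page's ACL matches only one direction of the flow.
    print(next_hop_for(TENANT_CHAIN, "100.1.1.1", "100.1.1.2"))  # 100.1.1.11
    print(next_hop_for(TENANT_CHAIN, "100.1.1.2", "100.1.1.1"))  # None
```

The simulation makes visible that the page's single ACL rule steers only VM1-to-VM2 traffic; a deployment that must inspect both directions needs a matching rule for the reverse flow, which the wildcard fields also let the example express for whole subnets.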
The cloud security capability realization method in the multi-tenant scenario based on SDN further comprises a cloud management platform, wherein the cloud management platform and an SDN controller are in butt joint through a NETCONF protocol;
in the above steps, the cloud management platform is a product for performing integrated management on the cloud network device and the SDN controller. In this embodiment, the cloud management platform faces to the cloud network device operator, and the cloud tenant may first send the identity information and the configuration requirement of the cloud tenant to the cloud network device operator, and the cloud network device operator deploys a new cloud tenant request on the cloud management platform according to the identity information and the configuration requirement of the cloud tenant, and then issues the new cloud tenant request to the SDN controller through the cloud management platform. In addition, the cloud network equipment operator can deploy a north-south access security control strategy, an east-west access security control strategy, a cloud tenant security capability deployment request and the like through the cloud management platform.
The north interface is configured on the SDN controller, and the cloud management platform is in butt joint with the north interface on the SDN controller. When the cloud management platform downloads data to the SDN controller, the cloud management platform downloads the data through the northbound interface, wherein the data comprises a newly built cloud tenant request, a northbound access security control strategy and an east-west access security control strategy. In this embodiment, the northbound interface is represented by the RESTFUL API.
The cloud security capability realization method in the multi-tenant scenario based on SDN further comprises a cloud security service platform, wherein the cloud security service platform is in butt joint with a secure resource pool in the VPC.
In this embodiment, the cloud security service platform is constructed by adopting a virtualization technology, the security components in the security resource pool in the VPC are constructed by adopting a virtualization technology, the security component mirror package is called to the cloud security service platform, the security component mirror package is used for calling the security components on the cloud security service platform, the cloud security service platform faces to cloud tenants, and the cloud tenants can manage and issue the security components through the cloud security service platform.
Step 5 specifically comprises the following steps:
Step 51: the SDN controller creates a virtual link layer and a virtual router on the cloud network equipment;
In the above step, creating the virtual link layer and the virtual router on the cloud network equipment is equivalent to creating Layer 2 VXLAN tunnel information and Layer 3 tunnel information in the cloud network equipment. Because each VPC network has a VPN instance, the controller enters the corresponding VPC network according to its VPN instance and creates the virtual link layer and the virtual router inside that VPC network.
Step 52: the SDN controller configures the subnet information of the security component on the virtual link layer;
In the above step, the subnet information of the security component is the network segment used by the security components in the secure resource pool in the VPC.
Step 53: the SDN controller binds the virtual router to the security component subnet information of the virtual link layer;
Step 54: the VPC network comprises a router, and the SDN controller interconnects the virtual router with the router of the VPC network;
In the above step, once the virtual router and the router of the VPC network are interconnected, data interaction between the network segment of the security components in the secure resource pool and the VPC network is automatically enabled.
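The following is an added example, not code from the patent: a toy model of steps 51 to 54 in which the controller creates the virtual router inside the tenant's VPN instance, binds the security component subnet to it and exchanges routes with the VPC router. The point it makes explicit is that the interconnection is scoped to one VPN instance, so another tenant's VPC (even one using the same address space) never gains a route to that pool. All names, prefixes and VNI values are constructed.

```python
import ipaddress

class SdnController:
    """Toy model: one VPN instance (VRF) per VPC, each with its own route table."""

    def __init__(self):
        self.vrfs = {}  # vpn_instance -> {"vni": int, "routes": {prefix: vni}}

    def create_vpc(self, vpn_instance, vni, subnets):
        """Step 1 (for context): a VPC network is a VPN instance with an L2 VXLAN segment."""
        prefixes = [ipaddress.ip_network(s) for s in subnets]
        self.vrfs[vpn_instance] = {"vni": vni, "routes": {p: vni for p in prefixes}}

    def issue_route_interconnection(self, vpn_instance, component_subnet, component_vni):
        """Steps 51-54 for one tenant; returns the new virtual router's route table."""
        vrf = self.vrfs[vpn_instance]  # step 51 happens inside the tenant's VPN instance
        prefix = ipaddress.ip_network(component_subnet)
        # step 52/53: the security component subnet is configured on the new virtual link
        # layer and bound to the virtual router; an overlap with a tenant subnet is rejected
        # so that a component route can never shadow a workload route
        if any(prefix.overlaps(p) for p in vrf["routes"]):
            raise ValueError("security component subnet overlaps a VPC subnet")
        virtual_router = {prefix: component_vni}
        # step 54: interconnect the virtual router with the VPC router (two-way route exchange)
        vrf["routes"][prefix] = component_vni
        virtual_router.update({p: v for p, v in vrf["routes"].items() if v != component_vni})
        return virtual_router

    def segment_for(self, vpn_instance, ip):
        """Forwarding lookup inside one VPN instance: the VNI that holds ip, or None."""
        addr = ipaddress.ip_address(ip)
        for prefix, vni in self.vrfs[vpn_instance]["routes"].items():
            if addr in prefix:
                return vni
        return None

if __name__ == "__main__":
    ctl = SdnController()
    ctl.create_vpc("vpn-tenant-a", 10001, ["10.0.0.0/24"])
    ctl.create_vpc("vpn-tenant-b", 10002, ["10.0.0.0/24"])  # same prefix, separate VRF
    ctl.issue_route_interconnection("vpn-tenant-a", "172.16.100.0/24", 20001)
    print(ctl.segment_for("vpn-tenant-a", "172.16.100.10"))  # tenant A reaches its pool
    print(ctl.segment_for("vpn-tenant-b", "172.16.100.10"))  # tenant B gets None
```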
The above embodiments are only preferred embodiments of the present invention and are not intended to limit the scope of protection of the invention; therefore, all equivalent changes in structure, shape and principle of the invention are to be covered by the scope of protection of the invention.

Claims (10)

1. The cloud security capability implementation method in the multi-tenant scene based on SDN is characterized by comprising the following steps:
step 1: the SDN controller obtains a newly built cloud tenant request, and creates a VPC network in the cloud network equipment according to the newly built cloud tenant request, wherein the VPC network comprises a VPN instance;
step 2: the SDN controller issues a north-south security access policy to the VPC network and deploys the north-south security access policy in the VPC network;
step 3: the SDN controller issues east-west security access control policies to the VPC network and deploys the east-west security access control policies in the VPC network;
step 4: the SDN controller interfaces with a secure resource pool in the VPC, the secure resource pool in the VPC is configured in the cloud network equipment, the secure resource pool in the VPC acquires a cloud tenant security capability deployment request, and the secure resource pool in the VPC deploys a security component interfacing with the VPC network according to the cloud tenant security capability deployment request, wherein the secure resource pool in the VPC comprises the security component, the security component comprises at least one of host security, a WEB application firewall, database audit, log audit, operation and maintenance audit and vulnerability scanning, and the cloud tenant security capability deployment request is used for issuing the security component to the VPC network;
step 5: the SDN controller issues a route intercommunication strategy to the VPC network, and the VPC network and the secure resource pool in the VPC establish data interaction according to the route intercommunication strategy.
2. The method for implementing cloud security capability in a multi-tenant scenario based on SDN of claim 1, wherein in step 2, the method specifically comprises the following steps:
step 21: the SDN controller issues a north-south security access control strategy to the VPC network, wherein the north-south security access control strategy comprises a north-south five-tuple;
step 22: the SDN controller deploys a north-south security access control policy at the boundary of the VPC network, wherein the boundary of the VPC network deploys a north-south firewall.
3. The method for implementing cloud security capability in a multi-tenant scenario based on SDN of claim 1, wherein in step 3, the method specifically comprises the following steps:
step 31: the SDN controller issues east-west security access control policies to the VPC network, wherein the east-west security access control policies comprise an east-west five-tuple;
step 32: the SDN controller deploys the east-west security access control policies on east-west firewalls in the VPC network;
step 33: the SDN controller deploys intrusion prevention and anti-virus policies on the east-west firewalls in the VPC network;
step 34: the SDN controller adopts a service chain technology to configure the access control of east-west data interaction of the VPC network.
4. The method for implementing cloud security capability in a multi-tenant scenario based on SDN of claim 3, wherein the cloud network device is constructed with a leaf-spine network architecture, the cloud network device so constructed has a two-tier architecture, leaf switches are deployed in one tier, and spine switches are deployed in the other tier.
5. The method for implementing cloud security capability in a multi-tenant scenario based on SDN of claim 4, wherein the VPC network includes a first service system and a second service system, the first service system, the second service system and the east-west firewall are each configured on a leaf switch, and the leaf switch configured with the first service system and the leaf switch configured with the second service system perform data interaction through the leaf switch configured with the east-west firewall.
6. The method for implementing cloud security capability in a multi-tenant scenario based on SDN of claim 5, wherein in step 34, the method specifically comprises the following steps:
step 341: the leaf switch configures data characteristics on east-west data of a first service system and sends the data characteristics to an east-west firewall, wherein the data characteristics comprise a source address, a next hop address, a destination address and a service chain label;
step 342: the east-west firewall screens the east-west data, and the screened east-west data is sent to the second service system.
7. The method for implementing cloud security capability in a multi-tenant scenario based on SDN of claim 1, further comprising a cloud management platform, wherein the cloud management platform and the SDN controller interface through the NETCONF protocol.
8. The method for implementing cloud security capability in a multi-tenant scenario based on SDN of claim 7, wherein a northbound interface is configured on the SDN controller, and the cloud management platform interfaces with the northbound interface on the SDN controller.
9. The method for implementing cloud security capability in a multi-tenant scenario based on SDN of claim 1, further comprising a cloud security service platform, the cloud security service platform interfacing with a secure resource pool within the VPC.
10. The method for implementing cloud security capability in a multi-tenant scenario based on SDN of claim 1, wherein in step 5, the method specifically comprises the following steps:
step 51: the SDN controller establishes a virtual link layer and a virtual router on the cloud network equipment;
step 52: the SDN controller configures subnet information of the security component on the virtual link layer;
step 53: the SDN controller binds the virtual router to the security component subnet information of the virtual link layer;
step 54: the VPC network comprises a router, and the SDN controller interconnects the virtual router with the router of the VPC network.
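The following is an added example, not code from the patent: a toy model of claims 3 and 6, in which the leaf switch of the first service system attaches the data characteristics (source, next hop, destination, service chain label) to an east-west flow, and the east-west firewall screens that flow against a five-tuple policy keyed by service chain label, forwarding only what the policy permits and dropping everything else. Leaf names, addresses, ports and chain labels are constructed.

```python
from dataclasses import dataclass, fields

@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: object  # int in a flow; int or "*" (any) in a policy pattern
    dst_port: object
    proto: str

@dataclass
class TaggedPacket:
    """Data characteristics set by the leaf switch (step 341)."""
    flow: FiveTuple
    source: str       # leaf switch of the first service system
    next_hop: str     # leaf switch carrying the east-west firewall
    destination: str  # leaf switch of the second service system
    chain_label: str  # service chain label that steers the flow

FW_LEAF, SVC1_LEAF, SVC2_LEAF = "leaf-fw", "leaf-svc1", "leaf-svc2"  # constructed names

def leaf_switch_tag(flow, chain_label):
    """Step 341: the first service system's leaf attaches the data characteristics."""
    return TaggedPacket(flow, SVC1_LEAF, FW_LEAF, SVC2_LEAF, chain_label)

def matches(pattern, flow):
    """Five-tuple match where "*" in the pattern accepts any value of that field."""
    return all(getattr(pattern, f.name) in ("*", getattr(flow, f.name))
               for f in fields(FiveTuple))

class EastWestFirewall:
    def __init__(self, policy):
        # chain_label -> ordered list of (FiveTuple pattern, "permit" | "deny")
        self.policy = policy

    def screen(self, pkt):
        """Step 342: destination leaf for permitted traffic, None when the packet is dropped."""
        if pkt.next_hop != FW_LEAF:
            return None  # not steered through this firewall: never forwarded by it
        for pattern, action in self.policy.get(pkt.chain_label, []):
            if matches(pattern, pkt.flow):
                return pkt.destination if action == "permit" else None
        return None  # implicit deny for east-west traffic the five-tuple policy does not cover

if __name__ == "__main__":
    fw = EastWestFirewall({"chain-web-db": [
        (FiveTuple("10.1.1.10", "10.1.2.20", "*", 3306, "tcp"), "permit")]})
    pkt = leaf_switch_tag(FiveTuple("10.1.1.10", "10.1.2.20", 40000, 3306, "tcp"), "chain-web-db")
    print(fw.screen(pkt))  # leaf-svc2
```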
CN202211199981.8A 2022-09-29 2022-09-29 SDN-based cloud security capability implementation method in multi-tenant scene Active CN115996136B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211199981.8A CN115996136B (en) 2022-09-29 2022-09-29 SDN-based cloud security capability implementation method in multi-tenant scene

Publications (2)

Publication Number Publication Date
CN115996136A true CN115996136A (en) 2023-04-21
CN115996136B CN115996136B (en) 2024-03-26

Family

ID=85989427

Country Status (1)

Country Link
CN (1) CN115996136B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant