CN116599716A - Network security protection method, device, equipment and medium - Google Patents
Publication number: CN116599716A (application CN202310530391.7A)
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1441—Countermeasures against malicious traffic (H04L63/14: network architectures or protocols for detecting or protecting against malicious traffic)
- H04L67/1095—Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
Description
Technical Field
The embodiments of the present disclosure relate to the field of computer technology, and in particular to a network security protection method, apparatus, device and medium.
Background Art
With the continuous development of information technology, network security has become increasingly important. Maintaining network security requires inspecting network traffic. For example, when a virtual machine exhibits mining behavior, the cloud platform needs to analyze all Domain Name System (DNS) request packets of the entire region and promptly stop the mining behavior based on domain name characteristics. For another example, resources such as the cloud platform's business Internet Protocol (IP) addresses, physical machines and virtual hosts need security protection for their network traffic. Tenants set up north-south (access between inside and outside the cloud) and east-west (access between intranet hosts) network protection according to their own business characteristics. East-west traffic, that is, intranet traffic, is often particularly large, and some businesses have requirements on east-west network latency; excessive latency affects the normal operation of the business.
Both situations generate large traffic volumes. When a large number of packets are diverted to a network security device for real-time analysis and protection, the following disadvantages arise:
1) The network path becomes longer, and the analysis by the security device also takes time, so the communication time per packet increases and the network latency grows.
2) A large number of packets are diverted to the security device, which generates large round-trip traffic between the cloud resources and the security device and increases the load on the network link.
3) A "set behavior attack" is a persistent behavior, while east-west traffic is communication between intranet hosts; in general the external network cannot reach the intranet, and the intranet itself is relatively safe, so real-time protection of all traffic is excessive. Here, set behavior can be understood as a process of performing algorithmic computation: from the perspective of computers and code, it is the specific process of repeatedly executing a hash function and checking the result. Set behavior can also be understood as the process of using computer computing resources (or cloud resources) to access a set URL and repeatedly run an algorithm.
Summary of the Invention
The embodiments of the present disclosure provide a network security protection method, apparatus, device and medium, which can reduce the load on the network link while achieving network security protection.
In a first aspect, an embodiment of the present disclosure provides a network security protection method, comprising: copying packets of a first network card to form mirrored packets, wherein the first network card is installed on a first host machine; sending the mirrored packets from the first network card to a second network card, wherein the second network card is installed on a second host machine; sending the mirrored packets from the second network card to a traffic diversion module, wherein the traffic diversion module is located on a third host machine; sending the mirrored packets from the traffic diversion module to a security device; and performing security protection on the current network based on a security log output by the security device.
In a second aspect, an embodiment of the present disclosure further provides a network security protection apparatus, comprising: a packet copying module for copying packets of a first network card to form mirrored packets, wherein the first network card is installed on a first host machine; a first mirrored packet sending module for sending the mirrored packets from the first network card to a second network card, wherein the second network card is installed on a second host machine; a second mirrored packet sending module for sending the mirrored packets from the second network card to a traffic diversion module, wherein the traffic diversion module is located on a third host machine; a third mirrored packet sending module for sending the mirrored packets from the traffic diversion module to a security device; and a security protection module for performing security protection on the current network based on a security log output by the security device.
In a third aspect, an embodiment of the present disclosure further provides an electronic device, the electronic device comprising:
one or more processors;
a storage device for storing one or more programs,
wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the network security protection method described in the embodiments of the present disclosure.
In a fourth aspect, an embodiment of the present disclosure further provides a storage medium containing computer-executable instructions which, when executed by a computer processor, are used to execute the network security protection method described in the embodiments of the present disclosure.
In the technical solution of the embodiments of the present disclosure, packets of a first network card are copied to form mirrored packets, wherein the first network card is installed on a first host machine; the mirrored packets are sent from the first network card to a second network card, wherein the second network card is installed on a second host machine; the mirrored packets are sent from the second network card to a traffic diversion module, wherein the traffic diversion module is located on a third host machine; the mirrored packets are sent from the traffic diversion module to a security device; and security protection is performed on the current network based on a security log output by the security device. Because the embodiments copy the packets passing through the first network card to form mirrored packets, send the mirrored packets to the traffic diversion module, forward them from the traffic diversion module to the security device, and protect the current network based on the security log output by the security device, network security protection is achieved while the load on the network link and the latency of packet communication are both reduced.
Brief Description of the Drawings
The above and other features, advantages and aspects of the embodiments of the present disclosure will become more apparent from the following detailed description taken in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numerals denote the same or similar elements. It should be understood that the drawings are schematic and that components and elements are not necessarily drawn to scale.
FIG. 1 is a schematic flowchart of a network security protection method provided by an embodiment of the present disclosure;
FIG. 2 is a schematic diagram of a network security protection effect provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of the structure of a network security protection apparatus provided by an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of the structure of an electronic device provided by an embodiment of the present disclosure.
Detailed Description
Embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although certain embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure can be implemented in various forms and should not be construed as limited to the embodiments set forth here; these embodiments are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the present disclosure serve only as examples and are not intended to limit the scope of protection of the present disclosure.
It should be understood that the steps described in the method embodiments of the present disclosure may be performed in a different order and/or in parallel. In addition, the method embodiments may include additional steps and/or omit steps that are shown. The scope of the present disclosure is not limited in this respect.
The term "including" and its variants as used herein are open-ended, that is, "including but not limited to". The term "based on" means "based at least in part on". It is understood that the data involved in this technical solution (including but not limited to the data itself and its acquisition or use) shall comply with the requirements of the applicable laws, regulations and related provisions.
FIG. 1 is a schematic flowchart of a network security protection method provided by an embodiment of the present disclosure. The embodiment applies to the situation of protecting a network. The method may be executed by a network security protection apparatus, which may be implemented in software and/or hardware and, optionally, by an electronic device such as a mobile terminal, a PC or a server. As shown in FIG. 1, the method includes:
S110: copy the packets of the first network card to form mirrored packets.
The first network card is installed on the first host machine. In this embodiment, all packets passing through the first network card can be obtained and copied; the copied packets serve as the mirrored packets.
Optionally, copying the packets of the first network card to form mirrored packets includes: obtaining request packets and/or response packets passing through the first network card; and copying the request packets and/or response packets to obtain the mirrored packets.
It should be noted that the first network card may be the network card of the first host machine corresponding to a virtual machine (or cloud host); all packets exchanged between the virtual machine and the Internet or a target host pass through the first network card.
Specifically, take as an example a virtual machine sending a request packet to a target host, or receiving a response packet from the target host. The first network card forwards the request packet generated by the virtual machine to the target host. When the request packet passes through the first network card, it is copied (from the viewpoint of the first network card this request packet may be an inbound packet) to form a first mirrored packet. Alternatively, the first network card receives the response packet sent by the target host and forwards it to the virtual machine. When the response packet passes through the first network card, it is copied (from the viewpoint of the first network card this response packet may be an outbound packet) to form a second mirrored packet. The mirrored packets include the first mirrored packet and/or the second mirrored packet.
S120: send the mirrored packets from the first network card to the second network card.
The second network card is installed on the second host machine. In this embodiment, the traffic control (TC) facility built into the operating system (such as a Linux system) can be used to make the first network card send the mirrored packets to the second network card.
S130: send the mirrored packets from the second network card to the traffic diversion module.
The traffic diversion module is located on the third host machine. The second host machine and the third host machine may be the same machine or different machines. The traffic diversion module includes a third network card. The second network card and the third network card are a pair of virtual network cards, whose characteristic is that what goes in on one side comes out on the other. In this embodiment, the mirrored packets (which, for the second network card, are outbound packets) can be sent through the second network card to the third network card in the traffic diversion module. Because the second network card does not need "packet re-injection", that is, returning packets along their original route, it carries only outbound mirrored packets and no inbound packets. The traffic diversion module can be an independent network environment implemented with the netns (network namespace) facility of the operating system (such as a Linux system).
Optionally, the mirrored packet includes a destination address, and sending the mirrored packet from the second network card to the traffic diversion module includes: modifying, by the second network card, the destination address in the mirrored packet to the destination address corresponding to the third network card; and sending the mirrored packet to the traffic diversion module based on the modified destination address.
In this embodiment, after receiving a mirrored packet, the second network card rewrites its destination address to the address corresponding to the third network card and sends it to the traffic diversion module based on the modified address. This ensures that the second network card delivers the mirrored packet precisely to the third network card and that the third network card can accept it. The destination address may be a MAC address.
S140: send the mirrored packets from the traffic diversion module to the security device.
The traffic diversion module includes a fourth network card. In this embodiment, the fourth network card can forward the mirrored packets to the security device according to routing information. The security device may also be called a security instance or security engine; it may be a cloud host or a physical machine with firewall security software installed, such as a Next Generation Firewall (NGFW) or a Web Application Firewall (WAF). It should be noted that the routing information contains a route in one direction only, that is, the mirrored packets of the third network card are routed through the fourth network card to the security device.
Optionally, sending the mirrored packets from the traffic diversion module to the security device includes: obtaining routing information, the routing information including address information of at least one security device; and sending the mirrored packets to the corresponding security device based on the routing information.
In this embodiment, the traffic diversion module can send the mirrored packets to multiple security devices: it obtains the routing information and sends the mirrored packets to the corresponding security devices based on it.
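The Linux plumbing of steps S120 to S140 (TC mirroring of tap0 onto if0, the if0/if0p veth pair into tt.netns, the destination-MAC rewrite, and a one-way route out of if.x to the NGFW), as an added Python example written for this page rather than code from the patent. The NGFW address, the address of if.x, the MAC given to if0p, the choice of clsact/matchall/mirred/pedit actions and the rp_filter setting are assumptions; if.x is assumed to be an existing host interface that is moved into the namespace.

```python
"""Command plan for the mirrored-traffic path of FIG. 2 (tap0 -> if0 -> if0p
in tt.netns -> if.x -> NGFW).  Added example for this page, not the patent
applicant's code.  Needs root on Linux to apply; dry_run=True only lists it."""
import shlex
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class DiversionPlan:
    first_nic: str = "tap0"      # first NIC: host-side tap of VM1 (FIG. 2)
    second_nic: str = "if0"      # second NIC: host end of the veth pair
    third_nic: str = "if0p"      # third NIC: netns end of the veth pair
    netns: str = "tt.netns"      # traffic diversion module
    fourth_nic: str = "if.x"     # fourth NIC: faces NET.X and the NGFW
    # Assumed values (TEST-NET-1 addresses, locally administered MAC):
    fourth_nic_addr: str = "192.0.2.2/24"
    ngfw_ip: str = "192.0.2.10"
    third_nic_mac: str = "02:00:00:00:00:01"


def netns_commands(p: DiversionPlan) -> list[list[str]]:
    """S130: veth pair if0 <-> if0p with the peer moved into tt.netns.
    if.x is assumed to already exist on the host and is moved in as well."""
    ns = ["ip", "netns", "exec", p.netns]
    return [
        ["ip", "netns", "add", p.netns],
        ["ip", "link", "add", p.second_nic, "type", "veth", "peer", "name", p.third_nic],
        ["ip", "link", "set", p.third_nic, "netns", p.netns],
        ["ip", "link", "set", p.fourth_nic, "netns", p.netns],
        ["ip", "link", "set", p.second_nic, "up"],
        ns + ["ip", "link", "set", p.third_nic, "address", p.third_nic_mac],
        ns + ["ip", "link", "set", p.third_nic, "up"],
        ns + ["ip", "addr", "add", p.fourth_nic_addr, "dev", p.fourth_nic],
        ns + ["ip", "link", "set", p.fourth_nic, "up"],
    ]


def mirror_commands(p: DiversionPlan) -> list[list[str]]:
    """S120: 'mirred ... mirror' copies request (ingress) and response (egress)
    packets of the first NIC onto the second NIC; the original packet keeps its
    normal path.  The pedit action on if0 egress is the optional destination
    MAC rewrite of S130: without it the copy still carries VM2's MAC and the
    IP stack behind if0p would not accept it."""
    return [
        ["tc", "qdisc", "add", "dev", p.first_nic, "clsact"],
        ["tc", "filter", "add", "dev", p.first_nic, "ingress", "matchall",
         "action", "mirred", "egress", "mirror", "dev", p.second_nic],
        ["tc", "filter", "add", "dev", p.first_nic, "egress", "matchall",
         "action", "mirred", "egress", "mirror", "dev", p.second_nic],
        ["tc", "qdisc", "add", "dev", p.second_nic, "clsact"],
        ["tc", "filter", "add", "dev", p.second_nic, "egress", "matchall",
         "action", "pedit", "ex", "munge", "eth", "dst", "set", p.third_nic_mac],
    ]


def route_commands(p: DiversionPlan) -> list[list[str]]:
    """S140: one-way forwarding.  Everything entering the namespace is sent to
    the NGFW; there is no route back towards if0p, so nothing is re-injected.
    rp_filter is disabled because the mirrored sources (VM1, VM2) are never
    reachable through if0p in the namespace's own routing table."""
    ns = ["ip", "netns", "exec", p.netns]
    return [
        ns + ["sysctl", "-w", "net.ipv4.ip_forward=1"],
        ns + ["sysctl", "-w", "net.ipv4.conf.all.rp_filter=0"],
        ns + ["sysctl", "-w", f"net.ipv4.conf.{p.third_nic}.rp_filter=0"],
        ns + ["ip", "route", "add", "default", "via", p.ngfw_ip, "dev", p.fourth_nic],
    ]


def plan(p: DiversionPlan) -> list[list[str]]:
    """Ordered command list: build the path before mirroring traffic into it."""
    return netns_commands(p) + mirror_commands(p) + route_commands(p)


def render(p: DiversionPlan) -> str:
    """Shell-quoted script text, one command per line."""
    return "\n".join(shlex.join(c) for c in plan(p))


def apply(p: DiversionPlan, dry_run: bool = True) -> int:
    """Execute the plan (root required); with dry_run only print it.
    Returns the number of commands in the plan."""
    cmds = plan(p)
    for cmd in cmds:
        if dry_run:
            print(shlex.join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return len(cmds)


if __name__ == "__main__":
    apply(DiversionPlan(), dry_run=True)
```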
S150: perform security protection on the current network based on the security log output by the security device.
In this embodiment, the firewall software on the security device can inspect the mirrored packets to obtain an inspection result, a security log is produced from the inspection result, and security protection is carried out according to the security log.
Optionally, the security log is generated as follows: the security device performs a security check on the mirrored packet using the firewall security software and obtains a check result; if the check result is that the mirrored packet is an attack mirrored packet, a security log is output, the security log including five-tuple information and the attack type of the attack mirrored packet.
The five-tuple information may consist of the source IP address (the address of the attacking host), the source port (the port of the attacking host), the destination IP address (the address of the attacked host), the destination port (the port of the attacked host) and the transport-layer protocol. This embodiment does not limit the specific attack types; examples are denial-of-service attacks and set behavior attacks. In this embodiment, the security device checks the mirrored packet with the firewall security software and obtains a check result; if the result is that the mirrored packet is an attack mirrored packet, that is, the security device has detected that the network is under a security threat, it outputs a security log and discards the attack mirrored packet; if the result is that the mirrored packet is not an attack packet, the packet is simply discarded.
It is worth noting that if the security device has no ability to "discard directly", an "invalid" IP address in the layer-2 network NET.X (see FIG. 2) can be chosen as the gateway: the address does not exist, so no host answers Address Resolution Protocol (ARP) requests for it, and packets that need to be "discarded directly" are sent to that gateway, achieving a black-hole-like discard effect.
Optionally, performing security protection on the current network based on the security log output by the security device includes: storing the security log in a database; setting a state identifier for the stored security log, the state identifier being one of unprocessed, processing and completed; determining a protection strategy according to the attack type of the mirrored packet and the state identifier; and protecting the network according to the protection strategy.
Optionally, determining the protection strategy according to the attack type of the mirrored packet and the state identifier includes: if the state identifier is unprocessed, determining the protection strategy according to the attack type and updating the state identifier to processing.
The database may be of any type; this embodiment does not limit it. For example, it may be the relational database MySQL, or another type such as an Elasticsearch database. In this embodiment, the security device can send the security log to management software on the cloud platform, which may be a security threat service provided by the cloud platform. The management software stores the security log in the database and sets the state identifier of the stored log. If the state identifier is unprocessed, the protection strategy is determined according to the attack type and the state identifier is updated to processing. The network is protected according to the protection strategy, and after protection has been carried out the state identifier is updated to completed. In this embodiment, the state identifier prevents concurrent duplicate operations.
Optionally, determining the protection strategy according to the attack type includes: if the attack type is a denial-of-service attack, the protection strategy is to block the address of the attacking host and the port of the attacked host for a set time; if the attack type is a set behavior attack, the protection strategy is to shut down the attacking host.
In this embodiment, if the attack type is a denial-of-service attack, the protection strategy is to block the address of the attacking host and the port of the attacked host for the set time. If the attack type is a set behavior attack, the protection strategy is to shut down the attacking host.
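The log handling of S150 (a five-tuple security log, a state identifier cycling unprocessed/processing/completed so that a re-delivered or concurrently delivered log does not trigger the protective action twice, and a strategy chosen from the attack type), as an added Python example written for this page rather than the patent applicant's management software. The JSON log layout, the in-memory store standing in for MySQL/Elasticsearch, the `enforce` callback, the attack-type labels and the ban duration are assumptions.

```python
"""Security threat service for step S150.  Added example for this page, not
the patent applicant's software.  Assumed: the security device emits one JSON
object per log line carrying the five-tuple and an attack type; a dict stands
in for the MySQL/Elasticsearch database; enforcement is a callback."""
import json
import threading
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

BAN_SECONDS = 600  # assumed "set time" for blocking after a DoS attack


class State(str, Enum):
    UNPROCESSED = "unprocessed"
    PROCESSING = "processing"
    COMPLETED = "completed"


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str    # attacking host
    src_port: int
    dst_ip: str    # attacked host
    dst_port: int
    proto: str


@dataclass
class SecurityLog:
    five_tuple: FiveTuple
    attack_type: str           # assumed labels: "dos", "set_behavior"
    state: State = State.UNPROCESSED

    @property
    def key(self) -> tuple:
        """Identity used to recognise a re-delivered log."""
        return (self.five_tuple, self.attack_type)


def parse_log(line: str) -> SecurityLog:
    """Parse one line as emitted by the security device (assumed layout)."""
    d = json.loads(line)
    ft = FiveTuple(d["src_ip"], int(d["src_port"]), d["dst_ip"],
                   int(d["dst_port"]), d["proto"])
    return SecurityLog(ft, d["attack_type"])


def decide_policy(log: SecurityLog) -> dict:
    """Strategy by attack type as the page specifies: DoS blocks the attacker
    address and the victim port for a set time; a set behavior attack shuts
    down the attacking host.  Other types are only recorded (assumption)."""
    ft = log.five_tuple
    if log.attack_type == "dos":
        return {"action": "block", "src_ip": ft.src_ip,
                "dst_port": ft.dst_port, "duration_s": BAN_SECONDS}
    if log.attack_type == "set_behavior":
        return {"action": "shutdown_host", "host_ip": ft.src_ip}
    return {"action": "record_only", "attack_type": log.attack_type}


class ThreatService:
    """Stores logs, drives the state identifier and enforces each policy once."""

    def __init__(self, enforce: Callable[[dict], None]):
        self._db: dict = {}            # stand-in for MySQL / Elasticsearch
        self._lock = threading.Lock()  # plays the role of the DB's atomic update
        self._enforce = enforce

    def ingest(self, line: str) -> Optional[dict]:
        """Return the policy applied, or None when the log duplicates one that
        is already 'processing' or 'completed'."""
        log = parse_log(line)
        with self._lock:
            stored = self._db.setdefault(log.key, log)
            if stored.state is not State.UNPROCESSED:
                return None
            stored.state = State.PROCESSING   # claim the log before acting
        policy = decide_policy(stored)
        self._enforce(policy)
        with self._lock:
            stored.state = State.COMPLETED
        return policy

    def state_of(self, line: str) -> Optional[State]:
        stored = self._db.get(parse_log(line).key)
        return stored.state if stored else None


# Constructed sample logs (TEST-NET addresses), not captured data.
SAMPLE_LOGS = [
    '{"src_ip":"192.0.2.7","src_port":51234,"dst_ip":"198.51.100.5","dst_port":80,"proto":"tcp","attack_type":"dos"}',
    '{"src_ip":"192.0.2.7","src_port":51234,"dst_ip":"198.51.100.5","dst_port":80,"proto":"tcp","attack_type":"dos"}',
    '{"src_ip":"192.0.2.9","src_port":40000,"dst_ip":"203.0.113.20","dst_port":3333,"proto":"tcp","attack_type":"set_behavior"}',
]


def run_sample() -> list:
    """Feed the sample logs sequentially; the duplicate DoS log is skipped."""
    actions = []
    ThreatService(actions.append)
    svc = ThreatService(actions.append)
    for line in SAMPLE_LOGS:
        svc.ingest(line)
    return actions


def run_concurrent(line: str, workers: int = 8) -> int:
    """Deliver the same log from several threads at once; returns how many
    times the policy was enforced (1, thanks to the state identifier)."""
    actions = []
    svc = ThreatService(actions.append)
    threads = [threading.Thread(target=svc.ingest, args=(line,)) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(actions)
```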
In this embodiment, the first network card, the virtual machine, the second, third and fourth network cards, the traffic diversion module and the security device are all located in the cloud platform.
It should be noted that this embodiment places no specific restriction on the packet mirroring method, the traffic diversion method, or the way the security threat service analyzes and handles logs; in actual production there are many ways of achieving the effect of each step of this solution.
In the technical solution of the embodiments of the present disclosure, packets of a first network card are copied to form mirrored packets, wherein the first network card is installed on a first host machine; the mirrored packets are sent from the first network card to a second network card, wherein the second network card is installed on a second host machine; the mirrored packets are sent from the second network card to a traffic diversion module, wherein the traffic diversion module is located on a third host machine; the mirrored packets are sent from the traffic diversion module to a security device; and security protection is performed on the current network based on a security log output by the security device. Because the embodiments copy the packets passing through the first network card to form mirrored packets, send the mirrored packets to the traffic diversion module, forward them from the traffic diversion module to the security device, and protect the current network based on the security log output by the security device, network security protection is achieved while the load on the network link and the latency of packet communication are both reduced.
FIG. 2 is a schematic diagram of a network security protection effect provided by an embodiment of the present invention. In FIG. 2, VM2 is virtual machine 2, eth0 in VM2 is the network card inside virtual machine 2, and tap1 is the network card of the host corresponding to VM2. VM1 is virtual machine 1, eth0 in VM1 is the network card inside virtual machine 1, and tap0 is the first network card. if0 is the second network card, if0p is the third network card, tt.netns is the traffic diversion module, if.x is the fourth network card, NET.X is the network, NGFW is the security device (a next-generation firewall), internet is the Internet, and bridge is a network bridge, indicating that the attached network is reachable at layer 2 or layer 3. Virtual machine 1 and virtual machine 2 may each be a host or a cloud host.
Assume vm1 and vm2 communicate with each other. The original network path is vm1 -> vm1.bridge -> vm2.bridge -> vm2, with the return traffic taking the same path.
When the inbound and outbound packets of vm1 are protected by the conventional, real-time approach of diverting traffic through the security device, the path becomes vm1 -> [tt.netns -> NGFW -> tt.netns] -> vm1.bridge -> vm2.bridge -> vm2, again with the return traffic on the same path.
In the present solution the path of the business packets is unchanged and identical to the original path; the path of the "mirror" packets is vm1 -> mirror packet [tt.netns -> ngfw].
For east-west traffic between vm1 and vm2, real-time protection therefore pulls (diverts) every packet to the security device and returns it along the original path (tt.netns -> NGFW -> tt.netns), which increases the load on the network link. The longer path also adds latency to every packet.
In this embodiment the packets passing through the first network card are copied into mirror packets, and the mirror packets are transmitted to the security device. Because this is traffic mirroring, the original packet communication is not affected, its network path is unchanged, and its latency is almost the same as without protection. The mirror packets only need to travel in one direction, from the cloud resource to the security device. After inspection, the security device emits a security log if it judges a mirror packet to be an attack packet and does nothing otherwise; in the end all mirror packets are simply discarded and never need to "return along the original path". Compared with conventional traffic traction for real-time protection, the added traffic is halved. For threats such as "persistent" malicious or attack behaviour, and for east-west traffic (communication within the intranet), real-time analysis and blocking matter less, and "timeliness" can be traded for performance.
This embodiment is more cost-effective under the inherent conditions of a "closed intranet" that is "basically secure", and is especially well suited where the security threat is "persistent" and "weakly (or non-) destructive".
As an example, consider virtual machine 2 launching a denial-of-service attack on virtual machine vm1; refer also to FIG. 2.
Step 1: VM2 sends a SYN flood (denial-of-service attack) against VM1.
The IP address of VM1 is 10.73.14.154. The specific command is: hping3 -i u1 -S -p 8080 10.73.14.154. VM2 then sends a large number of TCP SYN packets (one every microsecond) to port 8080 of vm1.
Step 2: The security device outputs a security log and sends it to the security threat service.
The log line is: Mar 13 16:21:51 CFW;530011001137646833922603;ipv4;3;security_flood:user_name=;src_ip=192.168.12.9;src_port=2411;dst_ip=10.73.14.154;dst_port=8080;name=synflood;type=flood-attack;protocol=TCP;mac=52:54:d5:a6:a0:ae;count=1924;level=4;in_if_name=ge1;create_time=1678695686;end_time=1678695687;extend=. After receiving the security log, the security threat service stores it in the database and sets the status flag of the stored log.
Step 3: The security threat service analyzes the security log.
Analysis of the log shows that the source IP is 192.168.12.9 (the IP address of VM2), that 1924 SYN packets were counted within one second (create_time 1678695686 to end_time 1678695687), and that a SYN flood was directed at port 8080 of 10.73.14.154.
Step 4: If the status flag is "unprocessed", determine the protection policy according to the denial-of-service attack and update the status flag to "processing".
The protection policy is to configure a rule that blocks the attacking host's address and the attacked host's port for a set time, and then to update the status flag to "processing complete".
Specifically: iptables -t filter -A FW_VM1 -p tcp -s 192.168.12.9 --dport 8080 -m time --datestart 2023-03-13T16:21:51 --datestop 2023-03-13T16:31:51 -j DROP. Note that the time match compares --datestart and --datestop against UTC unless --kerneltz is given, so a window written in local wall-clock time, as here, needs that flag or must be converted to UTC.
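Steps 2 to 4 above, worked through as an added example that is not part of the patent: the CFW log line is the one shown above, reproduced as a constructed sample string; the database of step 2 is a small in-memory stand-in with the same three status flags; and the DoS rule is generated with its ten-minute window derived from create_time in UTC, since the time match compares against UTC unless --kerneltz is given. The chain name FW_VM1 and the block duration come from the page; the shutdown action for non-flood attack types mirrors the page's second policy and is only returned as a label here.

```python
"""Security threat service for the DoS example: parse the CFW log, track its
status flag, and derive the time-limited iptables block rule (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the CFW security log line shown on the page, as one string.
SAMPLE_LOG = (
    "Mar 13 16:21:51 CFW;530011001137646833922603;ipv4;3;"
    "security_flood:user_name=;src_ip=192.168.12.9;src_port=2411;"
    "dst_ip=10.73.14.154;dst_port=8080;name=synflood;type=flood-attack;"
    "protocol=TCP;mac=52:54:d5:a6:a0:ae;count=1924;level=4;in_if_name=ge1;"
    "create_time=1678695686;end_time=1678695687;extend="
)

# syslog stamp, device, event id, address family, severity, event name, key=value fields
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<device>[^;]+);(?P<event_id>[^;]+);(?P<family>[^;]+);(?P<severity>\d+);"
    r"(?P<event>[a-z_]+):(?P<fields>.*)$"
)

BLOCK_MINUTES = 10              # the "set time" of the page's rule (16:21:51 -> 16:31:51)
UNPROCESSED, PROCESSING, DONE = "unprocessed", "processing", "done"


def parse_log(line):
    """Split a CFW line into header fields plus a dict of the key=value pairs."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not a CFW security log line")
    rec = m.groupdict()
    fields = {}
    for kv in rec.pop("fields").split(";"):
        if kv:
            key, _, value = kv.partition("=")
            fields[key] = value
    rec["fields"] = fields
    return rec


def attack_rate(fields):
    """Events per second over the window the device reported (1924 in 1 s here)."""
    span = int(fields["end_time"]) - int(fields["create_time"])
    return int(fields["count"]) / max(span, 1)


def dos_block_rule(fields, chain="FW_VM1", minutes=BLOCK_MINUTES):
    """Rule for the DoS policy: drop attacker -> victim port for a set time.

    xt_time compares --datestart/--datestop against UTC unless --kerneltz is set,
    so the window is derived from the epoch create_time and written in UTC.
    """
    start = datetime.fromtimestamp(int(fields["create_time"]), tz=timezone.utc)
    stop = start + timedelta(minutes=minutes)
    fmt = "%Y-%m-%dT%H:%M:%S"
    return (
        f"iptables -t filter -A {chain} -p {fields['protocol'].lower()} "
        f"-s {fields['src_ip']} --dport {fields['dst_port']} "
        f"-m time --datestart {start.strftime(fmt)} --datestop {stop.strftime(fmt)} -j DROP"
    )


class LogStore:
    """Stand-in for the database of step 2: each stored log carries a status flag."""

    def __init__(self):
        self.rows = []

    def store(self, rec):
        self.rows.append({"log": rec, "status": UNPROCESSED})
        return len(self.rows) - 1


def handle(store, idx):
    """Steps 3 and 4: claim an unprocessed log, pick the policy, mark it done.

    Returns (action, detail), or None if the log was already claimed.
    """
    row = store.rows[idx]
    if row["status"] != UNPROCESSED:
        return None
    row["status"] = PROCESSING
    fields = row["log"]["fields"]
    if fields.get("type") == "flood-attack":
        result = ("block", dos_block_rule(fields))
    else:
        result = ("shutdown_host", fields["src_ip"])   # the page's policy for behaviour attacks
    row["status"] = DONE
    return result


if __name__ == "__main__":
    store = LogStore()
    rec = parse_log(SAMPLE_LOG)
    print(f"{rec['fields']['src_ip']} -> {rec['fields']['dst_ip']}:{rec['fields']['dst_port']}, "
          f"{attack_rate(rec['fields']):.0f} SYN/s")
    print(handle(store, store.store(rec)))
```

For the sample, create_time 1678695686 is 2023-03-13T08:21:26 UTC, which is 16:21:26 in UTC+8 and so consistent with the log's own 16:21:51 stamp; on a host in that zone, a rule written as 16:21:51 without --kerneltz would not start matching until eight hours after the attack, which is why the generated rule uses the UTC window instead.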
Against a massive packet attack from inside the intranet the data volume is very large; in actual production, for cost and other reasons, the security device may lack the capacity to keep up, so even "real-time processing" lets some attacks slip through and network stability suffers. Moreover, the large volume of ordinary business packets that would have to be processed "in real time" slows transmission and adds network load, lowering the productivity of the business. This solution therefore protects the current network in an "asynchronous" manner. Although the network goes unprotected for a short period before the policy takes effect, once it does the problem is resolved by the protection policy, so network stability, and with it business stability, is maintained within a tolerable time.
By way of example, the technical solution of this embodiment uses a Linux system and diverts packets for security protection with tc, iptables and routing information (policy routing).
Here tc is the traffic-control subsystem of the Linux kernel, which can redirect, edit and mark packets. iptables is the Linux IPv4 packet management facility, which can mark packets and create connection-tracking records. ip rule (policy routing) is the kernel's routing-rule management function, which selects the routing table, and hence the destination, according to the packet mark.
In actual production the protection topologies are complex and varied and the configuration differs accordingly; the solution is not limited to this example, but the main working method and packet-processing flow are basically the same. In production tap0 may also sit inside some netns; since the handling is identical, the simplest case, tap0 in the host's default network namespace, is used for illustration.
General configuration method:
The defined packet marks (a bitmap) are:
# bitmap, shown expanded in binary
FWMARK_PASS='0xc000'        # 1100000000000000
FWMARK_SNAT='0xa000'        # 1010000000000000
FWMARK_DNAT='0x9000'        # 1001000000000000
FWMARK_TRACTION='0x8800'    # 1000100000000000
FWMARK_HASH_ROUTE1='0x8100' # 1000000100000000
The mark occupies 16 bits; from left (most significant) to right:
bit 1 indicates that the packet has been processed by the diversion module;
bit 2 indicates that the packet does not need diversion;
bit 3 indicates that the packet needs source address translation;
bit 4 indicates that the packet needs destination address translation;
bit 5 indicates that the packet needs diversion; it is used in the "north-south only" diversion mode;
bits 6 and 7 are reserved;
bit 8 indicates the packet routing object; it is the base (offset) for the hash calculation;
the remaining 8 bits (0xff) identify the diversion target, i.e. the ngfw; there may be several targets, and they are numbered consecutively to tell them apart.
For example, if the hash calculation yields 1, denoting ngfw number 1, the packet mark is 0x8100 + 1 = 0x8101. A routing policy for mark 0x8101 is preconfigured in the routing rules (routing information), so the hash calculation spreads packets over different routes, i.e. different diversion targets (ngfw), and thereby balances the load. Note that all of the "diversion" described here is applied only to the "mirrored packets".
Step 1: Configure the network namespace tt.netns.
Create an ipset (IP set) recording the tenant networks (tenant_networks), which are known to the cloud platform. This ipset is used by the "tenant network" configuration steps mentioned later. The configuration is as follows:
# The tenant network is 10.67.0.0/24; this IP set can hold several address ranges.
root@topsail:~# ipset list tenant_networks
Name: tenant_networks
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 504
References: 6
Number of entries: 1
Members:
10.67.0.0/24
Step 2: Configure routing rules.
Packets must be sent to the diversion target, the ngfw; when there are several ngfws, a corresponding number of rules is needed. The ngfws are numbered, and the number is added to the 0x8100 packet-routing-object base described above (the offset of the hash calculation) to obtain the packet routing mark. The configuration is as follows:
# 0x8101 is the routing mark value for ngfw number 1
root@topsail:~# ip rule | grep 0x81ff
32764: from all fwmark 0x8102/0x81ff lookup 33026
32765: from all fwmark 0x8101/0x81ff lookup 33025
# ldst-br_0_p here corresponds to if.x in FIG. 2; 100.64.1.2 is the IP address of the ngfw.
root@topsail:~# ip route show table 0x8101
default via 100.64.1.2 dev ldst-br_0_p
100.64.1.2 dev ldst-br_0_p scope link
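The mark layout above and the step-2 routing configuration, as an added example that is not the patent's own code: the Python below encodes and decodes the 16-bit mark, applies the value/mask comparison that ip rule uses for fwmark 0x8101/0x81ff, and generates the ip rule and ip route commands for a numbered list of ngfws, with the routing table id equal to the mark value (0x8101 = 33025) as on the page. The device name ldst-br_0_p and the ngfw address 100.64.1.2 are taken from the page; the address 100.64.1.3 for a second ngfw is an assumption.

```python
"""fwmark layout of the diversion module and the per-ngfw policy-routing
configuration derived from it (added example)."""

# 16-bit mark, most significant bit first: processed, no-divert, SNAT, DNAT,
# divert, two reserved bits, hash-route object; the low 8 bits number the ngfw.
FWMARK_PASS = 0xC000
FWMARK_SNAT = 0xA000
FWMARK_DNAT = 0x9000
FWMARK_TRACTION = 0x8800
FWMARK_HASH_ROUTE1 = 0x8100
NGFW_MASK = 0x00FF
ROUTE_MATCH_MASK = FWMARK_HASH_ROUTE1 | NGFW_MASK   # 0x81ff, the mask used in `ip rule`

FLAG_NAMES = ["processed", "no_divert", "snat", "dnat", "divert",
              "reserved6", "reserved7", "hash_route"]


def route_mark(ngfw_no):
    """Mark for ngfw number n: the hash-route object plus the number (0x8100 + n)."""
    if not 1 <= ngfw_no <= NGFW_MASK:
        raise ValueError("ngfw number must be 1..255 to fit the low 8 bits")
    return FWMARK_HASH_ROUTE1 | ngfw_no


def decode_mark(mark):
    """Return (flag dict, ngfw number) for a 16-bit mark."""
    flags = {name: bool((mark >> (15 - i)) & 1) for i, name in enumerate(FLAG_NAMES)}
    return flags, mark & NGFW_MASK


def rule_matches(mark, value, mask=ROUTE_MATCH_MASK):
    """`ip rule ... fwmark value/mask`: only the masked bits are compared, so the
    NAT flags set later in the mangle chain do not disturb route selection."""
    return (mark & mask) == (value & mask)


def routing_config(ngfw_ips, dev="ldst-br_0_p"):
    """ip rule / ip route commands for ngfws numbered 1..n; table id == mark value."""
    cmds = []
    for n, ip in enumerate(ngfw_ips, start=1):
        mark = route_mark(n)
        table = mark                       # 0x8101 -> table 33025, as on the page
        cmds.append(f"ip rule add fwmark {mark:#06x}/{ROUTE_MATCH_MASK:#06x} lookup {table}")
        cmds.append(f"ip route add {ip} dev {dev} scope link table {table}")
        cmds.append(f"ip route add default via {ip} dev {dev} table {table}")
    return cmds


if __name__ == "__main__":
    for cmd in routing_config(["100.64.1.2", "100.64.1.3"]):
        print(cmd)
    print(decode_mark(route_mark(1) | FWMARK_SNAT))
```

The link-scope route to the ngfw address is emitted before the default route in each table because the gateway must be reachable within that table for the default route to be accepted.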
Step 3: Configure the "in" direction (packets entering the netns) of the third network card if0p.
This has the following main parts. Part one: set the packet-drop rules. When the second network card if0 is attached to a bridge, if0 often receives broadcast or multicast packets, and if0p then receives them too; these packets can be dropped without further processing. One way to do this is 1) to mark multicast and broadcast packets with the "no diversion" mark, and 2) to drop whatever carries the "no diversion" mark. The cloud platform or the user can also configure control policies for IPs, protocols or ports that should not be diverted. When if0 is not on any bridge it does not passively receive packets, and this part can be omitted.
Part two: compute or look up the packet routing mark. The hash calculation yields the mark of the diversion target; when there are several targets (ngfws) this gives load balancing. Connection tracking (conntrack) is used here: for a packet of a known connection the mark is read back from the connection record, so the hash need not be computed for every packet. Enabling connection tracking costs memory but lowers CPU usage and makes session connections easy to follow; leaving it off raises CPU usage and loses the ability to track sessions. Preferably, connection tracking is enabled.
Part three: set the packet NAT marks.
Policies are customized to mark whether a packet needs source or destination address translation. Taking north-south traffic as an example: when both the source and the destination address belong to the tenant network, no NAT is needed; when the source is in the tenant network and the destination is not, set the source-address-translation mark; when the source is outside the tenant network and the destination is inside it, set the destination-address-translation mark. The purpose is to let the ngfw record the actual Internet sessions rather than private-IP-to-Internet-IP sessions. Not marking for NAT at all is also possible, depending on need.
The configuration is as follows:
Part one: set the packet-drop rules.
Mark multicast and broadcast packets "no diversion":
filter protocol ip pref 162 u32 fh 801::803 order 2051 key ht 801 bkt 0 terminal flowid ??? not_in_hw
  match IP dst 224.0.0.0/4
  action order 1: skbedit mark 49152/0xc000 continue
filter protocol ip pref 162 u32 fh 801::804 order 2052 key ht 801 bkt 0 terminal flowid ??? not_in_hw
  match IP dst 255.255.255.255/32
  action order 1: skbedit mark 49152/0xc000 continue
filter protocol all pref 240 fw handle 0xc000/0xc000
  action order 1: gact action pass
# Drop packets carrying the "no diversion" mark (49152 above is 0xc000)
root@topsail:~# iptables -t mangle -S | grep MARK_SRC
-A PREROUTING -i if0p -j TT_MARK_SRC
-A TT_MARK_SRC -m mark --mark 0xc000/0xc000 -j DROP
Part two: compute or look up the packet routing mark.
# Enable connection tracking for the if0p interface; it is off by default.
root@topsail:~# iptables -t raw -S PREROUTING
-A PREROUTING -i if0p -j ACCEPT
-A PREROUTING -j CT --notrack
# Packet routing mark
root@topsail:~# iptables -t mangle -S | grep HMARK
-A TT_MARK_HMARK -m conntrack --ctstate RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff   # look the mark up in the connection record
-A TT_MARK_HMARK -m comment --comment hash_mark -m mark ! --mark 0x8100/0x8100 -j HMARK --hmark-src-prefix 32 --hmark-dst-prefix 32 --hmark-rnd 0x000f4243 --hmark-mod 2 --hmark-offset 33025   # if nothing was found, hash; a modulus of 2 means there are two diversion targets (ngfws)
-A TT_MARK_HMARK -m conntrack --ctstate NEW -m mark --mark 0x8100/0x8100 -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff   # once a new connection has a computed routing mark, save it to the connection record (conntrack)
-A TT_MARK_SRC -j TT_MARK_HMARK
Part three: set the packet NAT marks.
# North-south traffic as an example
root@topsail:~# iptables -t mangle -S | grep NAT
-A TT_MARK_NAT -m set --match-set tenant_networks src -m set --match-set tenant_networks dst -j ACCEPT
-A TT_MARK_NAT -m comment --comment snat_mark -m set --match-set tenant_networks src -j MARK --set-xmark 0xa000/0xa000
-A TT_MARK_NAT -m comment --comment dnat_mark -m set --match-set tenant_networks dst -j MARK --set-xmark 0x9000/0x9000
-A TT_MARK_SRC -j TT_MARK_NAT
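Step 3 as a whole (the drop rule for broadcast and multicast, the conntrack-backed hash mark, and the NAT marks), simulated in Python as an added example that is not the patent's own code. The hash is a simple keyed mix standing in for xt_HMARK, not the kernel's jhash, but it keeps HMARK's property of ordering the two addresses before hashing so that both directions of a flow land on the same ngfw; the connection record is a dict keyed on that address pair, and a counter shows how many packets actually needed a hash computation. The constructed sample packets use the page's tenant network 10.67.0.0/24; the outside address 8.8.8.8 and the multicast address 224.0.0.251 are assumptions.

```python
"""Simulation of the if0p ingress marking chain (TT_MARK_SRC and its sub-chains)
over constructed sample packets (added example)."""
import ipaddress
from dataclasses import dataclass

FWMARK_PASS = 0xC000          # bits 1+2: processed, no diversion
FWMARK_SNAT = 0xA000          # bits 1+3
FWMARK_DNAT = 0x9000          # bits 1+4
FWMARK_HASH_ROUTE1 = 0x8100   # bits 1+8: hash-route object
ROUTE_MASK = 0x81FF
HMARK_MOD = 2                 # two ngfws, as in --hmark-mod 2
HMARK_OFFSET = 33025          # 0x8101, as in --hmark-offset 33025
HMARK_RND = 0x000F4243        # as in --hmark-rnd

TENANT_NETWORKS = [ipaddress.ip_network("10.67.0.0/24")]   # the ipset on the page
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass
class Packet:
    src: str
    dst: str


def in_tenant_set(ip):
    """`-m set --match-set tenant_networks`: is the address in any tenant range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TENANT_NETWORKS)


def tc_prefilter(pkt):
    """Part 1, tc side: skbedit the 'no diversion' mark onto multicast/broadcast."""
    dst = ipaddress.ip_address(pkt.dst)
    return FWMARK_PASS if (dst in MULTICAST or dst == BROADCAST) else 0


def flow_key(pkt):
    """Direction-independent key; xt_HMARK likewise orders src/dst before hashing."""
    a = int(ipaddress.ip_address(pkt.src))
    b = int(ipaddress.ip_address(pkt.dst))
    return (min(a, b), max(a, b))


def hmark(pkt):
    """Stand-in for xt_HMARK (not the kernel's jhash): keyed mix, modulus, offset."""
    a, b = flow_key(pkt)
    h = ((a * 0x9E3779B1) ^ (b * 0x85EBCA77) ^ HMARK_RND) & 0xFFFFFFFF
    return HMARK_OFFSET + (h % HMARK_MOD)


class Conntrack:
    """Toy connection table: flow key -> saved connmark, plus a hash counter."""

    def __init__(self):
        self.marks = {}
        self.hash_calls = 0


def tt_mark_src(pkt, ct):
    """Return (mark, verdict) for one packet entering tt.netns on if0p."""
    mark = tc_prefilter(pkt)
    # Part 1: -m mark --mark 0xc000/0xc000 -j DROP
    if (mark & FWMARK_PASS) == FWMARK_PASS:
        return mark, "DROP"
    # Part 2 (TT_MARK_HMARK): restore from conntrack, else hash and save
    key = flow_key(pkt)
    if key in ct.marks:                                    # RELATED,ESTABLISHED
        mark |= ct.marks[key]                               # CONNMARK --restore-mark
    if (mark & FWMARK_HASH_ROUTE1) != FWMARK_HASH_ROUTE1:   # ! --mark 0x8100/0x8100
        ct.hash_calls += 1
        mark |= hmark(pkt)
        ct.marks[key] = mark & ROUTE_MASK                   # NEW: CONNMARK --save-mark
    # Part 3 (TT_MARK_NAT): flag north-south traffic for SNAT or DNAT
    src_in, dst_in = in_tenant_set(pkt.src), in_tenant_set(pkt.dst)
    if src_in and not dst_in:
        mark |= FWMARK_SNAT                                 # tenant -> outside
    elif dst_in and not src_in:
        mark |= FWMARK_DNAT                                 # outside -> tenant
    return mark, "ACCEPT"                                   # both inside: no NAT flag


if __name__ == "__main__":
    ct = Conntrack()
    for p in (Packet("10.67.0.5", "8.8.8.8"), Packet("8.8.8.8", "10.67.0.5"),
              Packet("10.67.0.5", "10.67.0.9"), Packet("10.67.0.5", "224.0.0.251")):
        mark, verdict = tt_mark_src(p, ct)
        print(f"{p.src:>12} -> {p.dst:<15} mark={mark:#06x} {verdict}")
    print("hash computations:", ct.hash_calls)
```

Running the four sample packets shows the reply from 8.8.8.8 reusing the route mark saved for the outbound packet (one hash for two packets), the east-west packet getting a route mark but no NAT flag, and the multicast packet dropped with mark 0xc000 before any hashing.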
Step 4: Configure the "out" direction (leaving the netns) of the fourth network card if.x.
Packet editing: modify the IP addresses according to the NAT marks. Where the source-address-translation mark matches, rewrite the source address; where the destination-address-translation mark matches, rewrite the destination address. After changing an address, recompute and rewrite the checksum (csum).
The configuration is as follows:
In this embodiment only the "mirrored packets" are sent to the security device; the security device does not need to send them back along the original path, and no reinjection route is needed.
For networking, only a layer-2 network between the security device and the diversion module needs to be built, and no reinjection route needs to be configured on the security device: once packets arrive at the security device and have been analyzed, they can be discarded or black-holed.
FIG. 3 is a schematic structural diagram of a network security protection apparatus provided by an embodiment of the present disclosure. As shown in FIG. 3, the apparatus comprises a packet copy module 310, a first mirror packet sending module 320, a second mirror packet sending module 330, a third mirror packet sending module 340 and a security protection module 350.
The packet copy module 310 is configured to copy the packets of the first network card to form mirror packets; wherein the first network card is installed on the first host;
The first mirror packet sending module 320 is configured to send the mirror packets through the first network card to a second network card; wherein the second network card is installed on a second host;
The second mirror packet sending module 330 is configured to send the mirror packets through the second network card to a traffic diversion module; wherein the diversion module is located on a third host;
The third mirror packet sending module 340 is configured to send the mirror packets through the diversion module to a security device;
The security protection module 350 is configured to protect the current network on the basis of the security log output by the security device.
In the technical solution of the disclosed embodiment, the packet copy module copies the packets of the first network card to form mirror packets, the first network card being installed on the first host; the first mirror packet sending module sends the mirror packets through the first network card to the second network card installed on the second host; the second mirror packet sending module sends them through the second network card to the diversion module located on the third host; the third mirror packet sending module sends them through the diversion module to the security device; and the security protection module protects the current network on the basis of the security device's log. By copying the packets passing through the first network card into mirror packets, forwarding them via the diversion module to the security device, and protecting the network from the resulting security log, the embodiment achieves network security protection while lowering the network link load and the latency of packet communication.
Optionally, the packet copy module is specifically configured to: obtain the request packets and/or response packets passing through the first network card; and copy the request packets and/or response packets to obtain the mirror packets.
Optionally, the diversion module comprises a third network card, and the mirror packet carries a destination address. Optionally, the second mirror packet sending module is specifically configured to: rewrite, via the second network card, the destination address in the mirror packet to the destination address corresponding to the third network card; and send the mirror packet to the diversion module according to the rewritten destination address.
Optionally, the diversion module comprises a fourth network card. Optionally, the third mirror packet sending module is specifically configured to: obtain routing information, which includes the address information of at least one security device; and send the mirror packets to the corresponding security device according to the routing information.
Optionally, firewall security software is installed on the security device, and the security log is generated as follows: the security device inspects the mirror packets with the firewall security software to obtain an inspection result; if the result is that a mirror packet is an attack mirror packet, a security log is output, the log including the five-tuple information and the attack type of the attack mirror packet.
Optionally, the security protection module is specifically configured to: store the security log in a database; set a status flag for the stored log, the flag being one of unprocessed, processing and processing complete; determine a protection policy according to the attack type of the mirror packet and the status flag; and protect the network according to the protection policy.
Optionally, the security protection module is further configured to: if the status flag is unprocessed, determine the protection policy according to the attack type and update the status flag to processing.
Optionally, the security protection module is further configured to: if the attack type is a denial-of-service attack, the protection policy is to block the attacking host's address and the attacked host's port for a set time; if the attack type is a set behaviour attack, the protection policy is to shut down the attacking host.
The network security protection apparatus provided by the embodiment of the present disclosure can execute the network security protection method provided by any embodiment of the present disclosure, and has the functional modules and beneficial effects corresponding to that method.
It should be noted that the units and modules of the above apparatus are divided only by functional logic and are not limited to this division, provided the corresponding functions can be realized; the specific names of the functional units are likewise only for distinguishing them from one another and do not limit the scope of protection of the embodiments of the present disclosure.
FIG. 4 is a schematic structural diagram of an electronic device provided by an embodiment of the present disclosure. Referring to FIG. 4, it shows the structure of an electronic device 400 (for example the terminal device or server of FIG. 4) suitable for implementing embodiments of the present disclosure. The terminal device in the embodiments may include, without limitation, mobile terminals such as mobile phones, laptop computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players) and vehicle-mounted terminals (for example vehicle navigation terminals), and fixed terminals such as digital TVs and desktop computers. The electronic device shown in FIG. 4 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the present disclosure.
如图4所示,电子设备400可以包括处理装置(例如中央处理器、图形处理器等)401,其可以根据存储在只读存储器(ROM)402中的程序或者从存储装置408加载到随机访问存储器(RAM)403中的程序而执行各种适当的动作和处理。在RAM 403中,还存储有电子设备400操作所需的各种程序和数据。处理装置401、ROM 402以及RAM 403通过总线404彼此相连。编辑/输出(I/O)接口406也连接至总线404。As shown in FIG4 , the electronic device 400 may include a processing device (e.g., a central processing unit, a graphics processing unit, etc.) 401, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 402 or a program loaded from a storage device 408 into a random access memory (RAM) 403. Various programs and data required for the operation of the electronic device 400 are also stored in the RAM 403. The processing device 401, the ROM 402, and the RAM 403 are connected to each other via a bus 404. An edit/output (I/O) interface 406 is also connected to the bus 404.
Typically, the following devices may be connected to the I/O interface 406: input devices 406 including, for example, a touch screen, a touchpad, a keyboard, a mouse, a camera, a microphone, an accelerometer and a gyroscope; output devices 407 including, for example, a liquid crystal display (LCD), a speaker and a vibrator; storage devices 408 including, for example, a magnetic tape and a hard disk; and a communication device 409. The communication device 409 may allow the electronic device 400 to communicate wirelessly or by wire with other devices to exchange data. Although FIG. 4 shows an electronic device 400 with various devices, it should be understood that it is not required to implement or provide all the devices shown; more or fewer devices may alternatively be implemented or provided.
In particular, according to an embodiment of the present disclosure, the process described above with reference to the flowchart may be implemented as a computer software program. For example, an embodiment of the present disclosure includes a computer program product comprising a computer program carried on a non-transitory computer-readable medium, the computer program containing program code for executing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication device 409, installed from the storage device 408, or installed from the ROM 402. When the computer program is executed by the processing device 401, the above functions defined in the method of the embodiment of the present disclosure are performed.
The names of the messages or information exchanged between the devices in the embodiments of the present disclosure are for illustrative purposes only and do not limit the scope of those messages or information.
The electronic device provided by the embodiment of the present disclosure and the network security protection method provided by the above embodiments belong to the same inventive concept. For technical details not described exhaustively in this embodiment, refer to the above embodiments; this embodiment has the same beneficial effects as those embodiments.
An embodiment of the present disclosure provides a computer storage medium on which a computer program is stored; when the program is executed by a processor, it implements the network security protection method provided by the above embodiments.
It should be noted that the computer-readable medium described above in the present disclosure may be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two. A computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the present disclosure, a computer-readable storage medium may be any tangible medium that contains or stores a program for use by or in connection with an instruction execution system, apparatus or device. In the present disclosure, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave and carrying computer-readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device. Program code contained on a computer-readable medium may be transmitted by any suitable medium, including but not limited to: wires, optical cables, RF (radio frequency) and the like, or any suitable combination of the above.
In some embodiments, the client and the server may communicate using any currently known or future-developed network protocol, such as HTTP (HyperText Transfer Protocol), and may be interconnected with digital data communication in any form or medium (for example, a communication network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), an internetwork (for example, the Internet) and a peer-to-peer network (for example, an ad hoc peer-to-peer network), as well as any currently known or future-developed network.
The computer-readable medium described above may be included in the electronic device described above, or may exist separately without being assembled into that electronic device.
The computer-readable medium described above carries one or more programs which, when executed by the electronic device, cause the electronic device to: copy the data packets of a first network card to form mirror data packets, wherein the first network card is installed on a first host; send the mirror data packets through the first network card to a second network card, wherein the second network card is installed on a second host; send the mirror data packets through the second network card to a diversion module, wherein the diversion module is located on a third host; send the mirror data packets through the diversion module to a security device; and perform security protection of the current network based on the security log output by the security device.
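The five claimed steps above (mirror the first network card's packets, relay the copies via the second network card to a diversion module on a third host, hand them to a security device, and protect the network from the security log it emits) can be walked through with a small simulation. The code below is an added example written for this page, not code from the patent or from the applicant. The hosts, `Nic`, `SecurityDevice`, `divert`, `run_pipeline`, the two detection rules, the test signature and all addresses and packets are constructed assumptions for the simulation; the security device's rules stand in for whatever inspection a real appliance would perform. The point the simulation makes explicit is that mirroring is out of band: production packets are copied, not consumed, and a block decided from one batch of mirrored traffic only takes effect on the live path for later traffic.

```python
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class SecurityLog:
    src: str
    rule: str
    detail: str


class Nic:
    """A network card on a named host; packets queue here until drained."""
    def __init__(self, host: str) -> None:
        self.host = host
        self.queue: List[Packet] = []

    def send(self, pkt: Packet) -> None:
        self.queue.append(pkt)

    def drain(self) -> List[Packet]:
        out, self.queue = self.queue, []
        return out


def mirror_packets(first_nic: Nic, second_nic: Nic) -> int:
    """Copy every packet queued on the first NIC and send the copies to the
    second NIC; the originals stay queued, so production traffic is observed."""
    copies = [replace(p) for p in first_nic.queue]
    for p in copies:
        second_nic.send(p)
    return len(copies)


class SecurityDevice:
    """Inspects mirrored packets with two illustrative rules and emits logs."""

    PORT_SCAN_THRESHOLD = 5
    SIGNATURE = b"EXAMPLE-BAD-PAYLOAD"  # constructed for this example, not a real IoC

    def __init__(self) -> None:
        self.ports_by_src: Dict[str, Set[int]] = defaultdict(set)

    def inspect(self, pkt: Packet) -> Optional[SecurityLog]:
        ports = self.ports_by_src[pkt.src]
        ports.add(pkt.dport)
        if len(ports) == self.PORT_SCAN_THRESHOLD:
            return SecurityLog(pkt.src, "port-scan", f"{len(ports)} distinct destination ports")
        if self.SIGNATURE in pkt.payload:
            return SecurityLog(pkt.src, "signature", "payload matched test signature")
        return None


def divert(second_nic: Nic, device: SecurityDevice) -> List[SecurityLog]:
    """Diversion module on the third host: passes everything the second NIC
    received to the security device and collects the resulting logs."""
    return [log for p in second_nic.drain() if (log := device.inspect(p)) is not None]


def forward_production(first_nic: Nic, blocklist: Set[str]) -> List[Packet]:
    """Live path: deliver the original packets, dropping blocked sources."""
    return [p for p in first_nic.drain() if p.src not in blocklist]


def run_pipeline(batches: List[List[Packet]]) -> dict:
    """Run the pipeline batch by batch. Inspection is out of band, so a block
    decided from batch N only takes effect on the live path from batch N+1."""
    first_nic, second_nic, device = Nic("host-1"), Nic("host-2"), SecurityDevice()
    blocklist: Set[str] = set()
    logs: List[SecurityLog] = []
    mirrored = delivered = 0
    for batch in batches:
        for p in batch:
            first_nic.send(p)
        mirrored += mirror_packets(first_nic, second_nic)
        delivered += len(forward_production(first_nic, blocklist))
        new_logs = divert(second_nic, device)
        logs += new_logs
        blocklist.update(log.src for log in new_logs)  # protection driven by the security log
    return {"mirrored": mirrored, "delivered": delivered, "logs": logs, "blocked": sorted(blocklist)}


# Constructed sample traffic: a scanner (10.0.0.9) probing five ports, a normal
# client (10.0.0.5) and a host (10.0.0.7) whose payload carries the test signature.
SAMPLE_BATCHES = [
    [Packet("10.0.0.9", "10.0.1.2", port) for port in (21, 22, 23, 25, 80)]
    + [Packet("10.0.0.5", "10.0.1.2", 443)],
    [Packet("10.0.0.9", "10.0.1.2", 443), Packet("10.0.0.5", "10.0.1.2", 443),
     Packet("10.0.0.7", "10.0.1.2", 80, b"GET / EXAMPLE-BAD-PAYLOAD")],
]
```

Running `run_pipeline(SAMPLE_BATCHES)` mirrors all nine packets, delivers eight on the live path (the scanner's second-batch packet is dropped because the port-scan log from the first batch had already put it on the blocklist), and produces two security logs. The host carrying the signature is logged and blocked, but its own packet was still delivered, which is the latency a defender accepts with a mirror-based design: the security device never sits inline, so it cannot stop the packet that triggered the log, only what follows.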
Computer program code for performing the operations of the present disclosure may be written in one or more programming languages or a combination thereof, including but not limited to object-oriented programming languages such as Java, Smalltalk and C++, as well as conventional procedural programming languages such as "C" or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or it may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the accompanying drawings illustrate the possible architecture, functions and operation of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations, the functions noted in the blocks may occur in an order different from that shown in the drawings. For example, two blocks shown in succession may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, may be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
The units involved in the embodiments described in the present disclosure may be implemented in software or in hardware. In some cases the name of a unit does not limit the unit itself; for example, the first acquisition unit may also be described as a "unit for acquiring at least two Internet Protocol addresses".
The functions described above herein may be performed at least in part by one or more hardware logic components. For example, and without limitation, exemplary types of hardware logic components that may be used include field programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), systems on chip (SOCs), complex programmable logic devices (CPLDs) and the like.
In the context of the present disclosure, a machine-readable medium may be a tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium include an electrical connection based on one or more wires, a portable computer disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The above description is merely a preferred embodiment of the present disclosure and an explanation of the technical principles applied. Those skilled in the art should understand that the scope of the present disclosure is not limited to technical solutions formed by the specific combination of the above technical features, but also covers other technical solutions formed by any combination of the above technical features or their equivalents without departing from the disclosed concept, for example technical solutions formed by replacing the above features with (but not limited to) technical features having similar functions disclosed in the present disclosure.
Furthermore, although the operations are depicted in a particular order, this should not be understood as requiring that they be performed in the particular order shown or in sequential order. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, although several specific implementation details are included in the discussion above, these should not be construed as limiting the scope of the present disclosure. Certain features described in the context of separate embodiments may also be implemented in combination in a single embodiment. Conversely, various features described in the context of a single embodiment may also be implemented in multiple embodiments separately or in any suitable sub-combination.
Although the subject matter has been described in language specific to structural features and/or methodological logical actions, it should be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or actions described above. Rather, the specific features and actions described above are merely example forms of implementing the claims.
Claims (11)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310530391.7A CN116599716A (en) | 2023-05-11 | 2023-05-11 | Network security protection method, device, equipment and medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310530391.7A CN116599716A (en) | 2023-05-11 | 2023-05-11 | Network security protection method, device, equipment and medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116599716A true CN116599716A (en) | 2023-08-15 |
Family
ID=87607432
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310530391.7A Pending CN116599716A (en) | 2023-05-11 | 2023-05-11 | Network security protection method, device, equipment and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116599716A (en) |
Timeline: 2023-05-11 CN CN202310530391.7A patent/CN116599716A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US12010135B2 (en) | Rule-based network-threat detection for encrypted communications | |
KR102451237B1 (en) | Security for container networks | |
Sun et al. | CloudEyes: Cloud‐based malware detection with reversible sketch for resource‐constrained internet of things (IoT) devices | |
US9838434B2 (en) | Creating and managing a network security tag | |
US7831822B2 (en) | Real-time stateful packet inspection method and apparatus | |
CN104205080B (en) | Unloading packet transaction is virtualized for networked devices | |
JP2009534001A (en) | Malicious attack detection system and related use method | |
RU2653241C1 (en) | Detecting a threat of a zero day with the use of comparison of a leading application/program with a user agent | |
US20170250998A1 (en) | Systems and methods of preventing infection or data leakage from contact with a malicious host system | |
US10530758B2 (en) | Methods of collaborative hardware and software DNS acceleration and DDOS protection | |
US20170201444A1 (en) | Inserting and removing stateful devices in a network | |
CN115589383A (en) | eBPF-based virtual machine data transmission method, device, equipment and storage medium | |
US10659368B2 (en) | Transparent control and transfer of network protocols | |
Yoo et al. | {SmartCookie}: Blocking {Large-Scale}{SYN} Floods with a {Split-Proxy} Defense on Programmable Data Planes | |
Barbette et al. | Building a chain of high-speed VNFs in no time | |
Barbette et al. | Combined stateful classification and session splicing for high-speed NFV service chaining | |
CN116599716A (en) | Network security protection method, device, equipment and medium | |
CN115190107B (en) | Multi-subsystem management method based on extensive domain name, management terminal and readable storage medium | |
US20160337232A1 (en) | Flow-indexing for datapath packet processing | |
CN113905013B (en) | Method for realizing IP address transparent transmission for cluster network | |
US11457095B1 (en) | Stateless communication using a stateful protocol | |
You et al. | Hyperion: Hardware-Based High-Performance and Secure System for Container Networks | |
US20120201142A1 (en) | Data Packet Interception System | |
US20230140555A1 (en) | Transparent network service chaining | |
RU2820803C1 (en) | Method and system for tunneling traffic in distributed network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Country or region after: China. Address after: Unit 501A, Floor 5, 101, Building 1 to 16, Yard 5, Laiguangying West Road, Chaoyang District, Beijing, 100020. Applicant after: Beijing Qingyun Technology Group Co.,Ltd. Address before: Unit 501A, Floor 5, 101, Building 1 to 16, Yard 5, Laiguangying West Road, Chaoyang District, Beijing, 100020. Applicant before: Beijing Qingyun Science and Technology Co.,Ltd. Country or region before: China |
| CB02 | Change of applicant information | Country or region after: China. Address after: Room 1101, 11th Floor, Building 9, No. 6 Jiuxianqiao Road, Chaoyang District, Beijing 100015, China. Applicant after: Beijing Qingyun Technology Group Co.,Ltd. Address before: Unit 501A, Floor 5, 101, Building 1 to 16, Yard 5, Laiguangying West Road, Chaoyang District, Beijing, 100020. Applicant before: Beijing Qingyun Technology Group Co.,Ltd. Country or region before: China |