CN116684289A - Traffic arrangement method, electronic equipment and device - Google Patents


Info

Publication number: CN116684289A
Authority: CN (China)
Prior art keywords: traffic, instance, chain, orchestration, service
Legal status: Pending
Application number: CN202310791502.XA
Other languages: Chinese (zh)
Inventor: 王智琦
Current Assignee: Hangzhou DPTech Technologies Co Ltd
Original Assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN202310791502.XA
Publication of CN116684289A

Classifications

    • H04L41/0893 Assignment of logical groups to network elements (H04L41/08 Configuration management of networks or network elements)
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN] (H04L12/46 Interconnection of networks)
    • H04L41/0663 Performing the actions predefined by failover planning, e.g. switching to standby network elements (H04L41/0654 Management of faults using network fault recovery)
    • H04L45/50 Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
    • H04L63/101 Access control lists [ACL] (H04L63/10 Network security protocols for controlling access to devices or network resources)
    • H04L67/563 Data redirection of data network streams (H04L67/56 Provisioning of proxy services)

Abstract

The specification provides a traffic orchestration method, an electronic device and an apparatus. The method is applied to a network device that is connected to a client, a server and a plurality of security devices respectively, and on which a definition instance, an orchestration instance and a forwarding instance are deployed based on a virtualization technology. The method comprises the following steps: the definition instance receives the traffic sent by the client and, if that traffic is determined to be pre-diversion traffic requiring traffic orchestration, diverts the pre-diversion traffic to the orchestration instance; the orchestration instance matches a corresponding orchestration chain according to the characteristic information of the received traffic, and controls the received traffic to pass through each security device in turn according to the preset order of the security devices in the orchestration chain before forwarding it to the forwarding instance; and the forwarding instance sends the traffic orchestrated by the orchestration instance to the server.

Description

Traffic arrangement method, electronic equipment and device
Technical Field
The present disclosure relates to the field of network security technologies, and in particular to a traffic orchestration method, an electronic device and an apparatus.
Background
With the continuous development of information technology, network security has received increasing attention.
In the related art, a traffic orchestration system is deployed at the network entrance in front of a server and is externally connected to a plurality of security devices; the traffic sent by a user to the server is guided by the traffic orchestration system through each security device in turn for cleaning, and the cleaned traffic is finally sent to the server, so that the security of the server is ensured.
However, the related art has two disadvantages. First, the traffic orchestration system orchestrates all traffic sent by the user and cannot select only the traffic types that actually require orchestration. Second, the traffic orchestration system cannot, on the same device, simultaneously guide the traffic sent by the user to the security devices, intelligently orchestrate the order in which the traffic passes through each security device, and forward the orchestrated traffic to the server.
Disclosure of Invention
In order to overcome the problems in the related art, the present specification provides a traffic orchestration method, an electronic device and an apparatus.
According to a first aspect of embodiments of the present disclosure, there is provided a traffic orchestration method applied to a network device, where the network device is connected to a client, a server and a plurality of security devices respectively, and where a definition instance, an orchestration instance and a forwarding instance are deployed on the network device based on a virtualization technology, the method comprising:
the definition instance receives the traffic sent by the client and, if that traffic is determined to be pre-diversion traffic requiring traffic orchestration, diverts the pre-diversion traffic to the orchestration instance;
the orchestration instance matches a corresponding orchestration chain according to the characteristic information of the received traffic, and controls the received traffic to pass through each security device in turn according to the preset order of the security devices in the orchestration chain before forwarding it to the forwarding instance;
and the forwarding instance sends the traffic orchestrated by the orchestration instance to the server.
According to a second aspect of embodiments of the present specification, there is provided a traffic orchestration method applied to a management platform for managing a network device according to the first aspect, the method comprising:
determining an orchestration chain related to the orchestration instance, the orchestration chain having predefined therein the related security devices and their order;
issuing a first redirection rule to the ingress interface of the orchestration instance, the first redirection rule being configured to instruct the orchestration instance to forward the received traffic to the ingress interface of the first security device in the orchestration chain;
and issuing a second redirection rule to the egress interface of each security device respectively, the second redirection rule being used to instruct that security device to forward the received traffic either to the ingress interface of the security device that follows it in the orchestration chain or to the egress interface of the orchestration instance.
According to a third aspect of embodiments of the present specification, there is provided a traffic orchestration apparatus applied to a network device, where the network device is connected to a client, a server and a plurality of security devices respectively, and where a definition instance, an orchestration instance and a forwarding instance are deployed on the network device based on a virtualization technology, the apparatus comprising:
a definition module configured to receive, through the definition instance, the traffic sent by the client and, if that traffic is determined to be pre-diversion traffic requiring traffic orchestration, divert the pre-diversion traffic to the orchestration instance;
an orchestration module configured to match, through the orchestration instance, a corresponding orchestration chain according to the characteristic information of the received traffic, and to control the received traffic to pass through the security devices in turn according to the preset order of the security devices in the orchestration chain before forwarding it to the forwarding instance;
and a forwarding module configured to send, through the forwarding instance, the traffic orchestrated by the orchestration instance to the server.
According to a fourth aspect of embodiments of the present specification, there is provided a traffic orchestration apparatus applied to a management platform for managing a network device according to the first aspect, the apparatus comprising:
a determining module configured to determine an orchestration chain related to the orchestration instance, the orchestration chain having predefined therein the related security devices and their order;
a first rule module configured to issue a first redirection rule to the ingress interface of the orchestration instance, the first redirection rule being used to instruct the orchestration instance to forward the received traffic to the ingress interface of the first security device in the orchestration chain;
and a second rule module configured to issue a second redirection rule to the egress interface of each security device respectively, the second redirection rule being used to instruct that security device to forward the received traffic either to the ingress interface of the security device that follows it in the orchestration chain or to the egress interface of the orchestration instance.
According to a fifth aspect of embodiments of the present specification, there is provided an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the method of the first and/or second aspects when the program is executed.
According to a sixth aspect of embodiments of the present description, there is provided a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the method according to the first and/or second aspect.
The technical solution provided by the embodiments of the specification can have the following beneficial effects:
in the embodiments of the present disclosure, a definition instance, an orchestration instance and a forwarding instance are deployed on a network device based on a virtualization technology, so that the different functions of the traffic orchestration process can each be implemented on the same network device: the definition instance sends the pre-diversion traffic, that is, the traffic sent by the client that requires traffic orchestration, to the orchestration instance, thereby orchestrating only the traffic types that require it and diverting the pre-diversion traffic to the orchestration instance; the orchestration instance matches the corresponding orchestration chain according to the characteristic information of the traffic and controls the traffic to pass through each security device in turn according to the preset order of the security devices in the orchestration chain, thereby realizing fine-grained traffic orchestration; and the forwarding instance forwards the traffic sent by the orchestration instance to the server, thereby realizing the traffic forwarding function.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the specification and together with the description, serve to explain the principles of the specification.
Fig. 1 is an application scenario diagram of a traffic orchestration method according to an example embodiment of the present description.
Fig. 2 is a flow chart of a traffic orchestration method according to an example embodiment of the present description.
Fig. 3 is a schematic diagram illustrating the structure of a first virtual service and a first real service in a definition instance according to an exemplary embodiment of the present specification.
Fig. 4 is a schematic diagram of the structure of a second virtual service and a second real service in a forwarding instance according to an exemplary embodiment of the present disclosure.
Fig. 5 is a schematic diagram of the orchestration principle of an orchestration instance according to an example embodiment of the present specification.
Fig. 6 is a flow chart of another traffic orchestration method according to an example embodiment of the present description.
Fig. 7 is a schematic structural view of an electronic device according to an exemplary embodiment of the present disclosure.
Fig. 8 is a block diagram of a traffic orchestration apparatus according to an example embodiment.
Fig. 9 is a block diagram of another traffic orchestration apparatus according to an exemplary embodiment of the present disclosure.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present description as detailed in the accompanying claims.
The terminology used in the description presented herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this specification to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the present description. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
Next, embodiments of the present specification will be described in detail.
When implementing a traffic orchestration solution, the related art needs the cooperation of different devices such as switches and routers to complete the whole orchestration work. For example, traffic sent by a client needs to be forwarded to a router through a switch, or traffic forwarded by the router needs to be forwarded on to a server, and the router is used to connect the different security devices for traffic orchestration purposes. Because the compatibility of different network devices must be considered, this solution not only makes device parameter configuration complicated but also increases equipment purchase cost.
In view of this, the present disclosure proposes a traffic orchestration method, an electronic device and an apparatus, so as to achieve traffic orchestration on a single network device.
Before introducing the traffic orchestration method provided in the embodiments of the present disclosure, the application scenario of the network device applying the method is first briefly described, as shown in fig. 1, which is a schematic diagram of an application scenario of a traffic orchestration method according to an exemplary embodiment of the present disclosure.
The traffic orchestration method provided in the present specification is applied to the network device 120, where the network device 120 is connected to the client 110, the server 130 and several security devices respectively.
The network device 120 may be a chassis-type device, a box-type integrated network device capable of integrating different electronic elements, components and modules, or any switch supporting virtualization technology for creating virtual local area networks, virtual switches, virtual ports and the like in a network, so as to provide network connectivity and security isolation for a virtualized environment. The present description does not limit the type of network device.
In addition, a definition instance 121, an orchestration instance 122 and a forwarding instance 123 are deployed on the network device 120 based on virtualization technology. The virtualization of the network device 120 may use any one virtualization technology or a combination of different virtualization technologies, such as VRF (Virtual Routing and Forwarding), VLAN (Virtual Local Area Network) and VSI (Virtual Switch Interface, virtual switching instance), to implement resource isolation and security between the different instances; this specification does not limit the virtualization means used by the network device 120.
In addition, several security devices for protecting against various network attacks and security threats may be connected externally to the network device 120. The security devices may be conventional firewalls, intrusion detection systems, network access control systems and the like, or virtual security devices running in a virtualized environment that provide the same functions as conventional security devices. The present description does not limit the type or number of security devices.
Before the client 110 sends traffic to the server 130, the traffic must first be sent to the network device 120 connected to the server 130 for traffic orchestration. First, the definition instance 121 of the network device 120 receives the traffic sent by the client to the server; it then forwards the traffic to the orchestration instance 122 for traffic orchestration; finally, the orchestrated traffic is sent to the forwarding instance 123, which sends it to the server 130. The entire orchestration process for the traffic sent by the client is completed by the single network device 120.
As shown in fig. 2, which is a flow chart of a traffic orchestration method according to an exemplary embodiment of the present disclosure, the traffic orchestration method includes the following steps:
Step 201, the definition instance receives the traffic sent by the client;
The definition instance is a virtual device virtualized on the network device through a virtualization technology, and it receives the traffic sent by the client.
The traffic sent by the client may be different types of traffic such as HTTP traffic, TCP traffic, FTP traffic, etc.
Step 202, determining whether the traffic sent by the client is pre-diversion traffic requiring traffic orchestration;
If the traffic sent by the client is pre-diversion traffic requiring traffic orchestration, step 203a is executed next; otherwise step 203b is executed next, in which the traffic sent by the client may be forwarded directly to the server without any processing.
Pre-diversion traffic refers to traffic that may pose security problems and threats to the server to be accessed and therefore needs to be inspected by the security devices. How pre-diversion traffic is defined can be decided according to actual requirements. For example, HTTP traffic may be regarded as pre-diversion traffic, so that the network device 120 orchestrates only HTTP traffic and forwards non-HTTP traffic directly to the server. As another example, the network device 120 may determine the source of the traffic from the five-tuple information it carries, orchestrate the traffic coming from a certain network segment or accessing a certain service, and forward traffic from other sources directly to the server. The present specification does not limit the definition of pre-diversion traffic or the manner of determining it.
Step 203a, diverting the pre-diversion traffic to the orchestration instance;
As shown in fig. 1, the definition instance 121, orchestration instance 122 and forwarding instance 123 of the network device 120 may be three VRF instances created by VRF technology, with communication between the different VRF instances implemented using VLAN technology; for example, in this step the pre-diversion traffic may be diverted to the orchestration instance through a diversion segment interface by means of VLAN technology. Of course, communication between different VRF instances may also be implemented in other ways, for example using MPLS VPN (Multiprotocol Label Switching Virtual Private Network) technology, which is not limited in any way by this description.
In an illustrated embodiment, as shown in fig. 3, a first virtual service 301 and a first real service 302 may be configured in the definition instance 30. The first virtual service 301 is configured to determine whether the traffic sent by the client is pre-diversion traffic and to forward the traffic successfully matched with the first virtual service 301 to the first real service 302 as pre-diversion traffic, and the first real service 302 diverts the pre-diversion traffic to the orchestration instance. Optionally, the first virtual service 301 may be configured with a virtual IP address so that pre-diversion traffic can be sent quickly to different first real services 302. Optionally, there may be one or more first real services 302; when there are several, the traffic received by the first virtual service 301 is distributed among the different first real services 302 for processing through a load-balancing policy, and all of the first real services 302 forward the received traffic onward to the orchestration instance.
Corresponding to the implementation in which the definition instance 30 is configured with the first virtual service 301 and the first real service 302, as shown in fig. 4, a second virtual service 401 and a second real service 402 may be configured in the forwarding instance 40. After receiving traffic, the forwarding instance 40 uses the second virtual service 401 to match the received traffic and forwards the traffic successfully matched with the second virtual service 401 to the second real service 402, and the second real service 402 sends the traffic obtained from the second virtual service 401 to the server. Optionally, the second virtual service 401 may be configured with a virtual IP address so that traffic received by the forwarding instance 40 can be forwarded quickly to different second real services 402. Optionally, there may be one or more second real services 402; when there are several, the traffic received by the second virtual service 401 is distributed among the different second real services 402 for processing through a load-balancing policy, and all of the second real services 402 forward the received traffic to the server.
Because a virtual service can realize multiple functions through different configurations and parameter settings, in addition to judging whether the traffic sent by the client is pre-diversion traffic, the virtual service can be configured with encryption and decryption services for one or more traffic encryption types in the case where the traffic sent by the client includes encrypted traffic.
In an illustrated embodiment, in the case where the traffic sent by the client includes encrypted traffic, as shown in fig. 3, the first virtual service 301 may further be configured with a decryption service for one or more traffic encryption types. After the received traffic is successfully matched with the first virtual service 301, if the matched traffic is encrypted traffic whose encryption type corresponds to the decryption service, it is decrypted by the decryption service and the decrypted traffic is then forwarded to the first real service 302. For example, the first virtual service 301 is configured with an SSL offload policy; when it receives HTTPS traffic, it decrypts the HTTPS traffic into HTTP traffic by executing the SSL offload policy.
Corresponding to the embodiment in which the first virtual service 301 in the definition instance 30 is configured with a decryption service for one or more traffic encryption types, as shown in fig. 4, the second virtual service 401 may also be configured with an encryption service corresponding to that decryption service: after the received traffic is successfully matched with the second virtual service 401, if the matched traffic had been decrypted, it is encrypted by the encryption service and the encrypted traffic is then forwarded to the second real service 402.
By decrypting the encrypted traffic in advance in the definition instance, the security devices in the orchestration instance do not need to decrypt the encrypted traffic again, which improves the orchestration efficiency; by re-encrypting the decrypted traffic in the forwarding instance, it can be ensured that the content of the client's traffic as received by the server has not changed.
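The decision made by the definition instance in steps 202 and 203 (first virtual service matching, the HTTP-only and source-segment criteria, and load balancing across several first real services) can be modelled as follows. This is an added example, not code from the patent or the assignee; the rule fields, the virtual IP, the real service names and the five-tuple hashing policy are constructed assumptions.

```python
"""Model of the definition instance's first virtual service: decide which client
traffic is pre-diversion traffic and which first real service drains it.
Added example; names, rule fields and the hashing policy are assumptions."""
from dataclasses import dataclass
from hashlib import sha256
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# (src_ip, src_port, dst_ip, dst_port, protocol): the five-tuple the text refers to
FiveTuple = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class DiversionRule:
    """One criterion marking a flow as pre-diversion traffic; unset fields match anything."""
    src_net: Optional[str] = None    # orchestrate traffic from a given network segment
    dst_port: Optional[int] = None   # orchestrate traffic to a given service, e.g. 80 for HTTP
    protocol: Optional[str] = None

    def matches(self, flow: FiveTuple) -> bool:
        src_ip, _, _, dst_port, proto = flow
        return ((self.src_net is None or ip_address(src_ip) in ip_network(self.src_net))
                and (self.dst_port is None or self.dst_port == dst_port)
                and (self.protocol is None or self.protocol == proto))


@dataclass(frozen=True)
class FirstVirtualService:
    vip: str                          # virtual IP address the client traffic is addressed to
    rules: Tuple[DiversionRule, ...]
    real_services: Tuple[str, ...]    # first real services draining traffic to the orchestration instance

    def classify(self, flow: FiveTuple) -> Tuple[str, Optional[str]]:
        """Steps 202/203: ("orchestrate", real_service) for pre-diversion traffic,
        ("direct", None) for traffic forwarded straight to the server (step 203b)."""
        if flow[2] != self.vip or not any(r.matches(flow) for r in self.rules):
            return ("direct", None)
        # Load-balancing policy (assumption): hash the five-tuple so that every
        # packet of one flow lands on the same first real service.
        digest = sha256("|".join(map(str, flow)).encode()).digest()
        index = int.from_bytes(digest[:4], "big") % len(self.real_services)
        return ("orchestrate", self.real_services[index])


# Constructed configuration: orchestrate HTTP, plus all traffic from one untrusted segment.
VS1 = FirstVirtualService(
    vip="192.0.2.10",
    rules=(DiversionRule(dst_port=80, protocol="tcp"), DiversionRule(src_net="198.51.100.0/24")),
    real_services=("rs-a", "rs-b"),
)

if __name__ == "__main__":
    for flow in [("203.0.113.5", 51000, "192.0.2.10", 80, "tcp"),    # HTTP -> orchestrate
                 ("203.0.113.5", 51001, "192.0.2.10", 22, "tcp"),    # SSH -> direct
                 ("198.51.100.9", 51002, "192.0.2.10", 22, "tcp")]:  # untrusted segment -> orchestrate
        print(flow, "->", VS1.classify(flow))
```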
Step 204, the orchestration instance matches a corresponding orchestration chain according to the characteristic information of the received traffic, and controls the received traffic to pass through each security device in turn according to the preset order of the security devices in the orchestration chain before forwarding it to the forwarding instance;
The characteristic information of the traffic refers to various attributes or features of the traffic. Optionally, the characteristic information may be expressed as the five-tuple information carried by the traffic; for example, traffic may be matched to different orchestration chains based on its five-tuple information.
The orchestration chain is typically composed of multiple security devices in a certain order; for example, a firewall, an intrusion detection system, a load balancer and other security devices may be connected in a certain order to form a complete traffic processing flow. Each security device in the orchestration chain processes the received traffic and then forwards the processed traffic to the next security device, and the last one forwards the processed traffic to the forwarding instance.
In an illustrated embodiment, corresponding redirection rules may be set on the ingress interface of the orchestration instance and on the egress interfaces of the security devices involved in the orchestration chain, so that traffic flows in turn through the predefined security devices of the orchestration chain based on the redirection rules. Optionally, the interfaces of the orchestration instance and the interfaces of the security devices may be divided into different VLANs by VLAN technology, with each interface assigned a corresponding VLAN tag, so that the traffic to be orchestrated can be forwarded to the next destination interface by rewriting its VLAN tag to the tag of that interface. For example, when the traffic to be orchestrated satisfies a certain redirection rule at the ingress interface of the orchestration instance or at the egress interface of a security device, the redirection action corresponding to that rule is executed, that is, the VLAN tag of the traffic is modified to that of the next destination interface, so that the traffic is forwarded to the interface carrying that VLAN tag. In this way, logical isolation between different ports, that is, between the different security devices connected to the orchestration instance, can be achieved, which improves network security, and the traffic to be orchestrated is guaranteed to flow through the predefined security devices of the orchestration chain in order based on the redirection rules. Optionally, the redirection rule may be set as an ACL rule; for example, the five-tuple information of the traffic is matched against the ACL rule and, when the match succeeds, the traffic is redirected to the next security device to which the ACL rule points.
To further illustrate the principles of traffic orchestration implemented by orchestration examples provided in this specification, the following is described with application examples that combine ACL rules and VLAN technology:
as shown in fig. 5, the ingress interface of the orchestration instance is configured to receive traffic to be orchestrated that defines instance forwarding, and the egress interface is configured to forward orchestrated traffic to the forwarding instance. And the arrangement example is connected with at least one safety device, wherein each safety device can communicate with the arrangement example through two virtual interfaces provided by the arrangement example, an inlet interface of the safety device is used for receiving traffic to be detected, and an outlet interface of the safety device forwards the detected traffic to the next virtual interface. The interfaces of the programming example and the interfaces of the security device are all divided into different VLANs through VLAN technology, and the different interfaces are provided with corresponding VLAN labels.
The overall orchestration procedure of the orchestration instance is illustrated below with two orchestration chains. The predefined security device order of orchestration chain 1 is: security device 1, security device 2, security device 3. The predefined security device order of orchestration chain 2 is: security device 2, security device 4.
Corresponding to the order of the security devices in each orchestration chain, the ingress interface of the orchestration instance and the egress interface of each security device involved in the chain are configured with ACL rules, so that the traffic flows through the predefined security devices of the chain in sequence according to those rules.
Taking orchestration chain 1 as an example: after the ingress interface of the orchestration instance receives traffic to be orchestrated, it matches the five-tuple carried by the traffic against the ACL rules on that interface and executes the redirection action of the matching rule, that is, it rewrites the VLAN tag of the traffic to the VLAN tag of ingress interface 1, so that the traffic is forwarded to ingress interface 1 and inspected by security device 1. The inspected traffic is then matched against the ACL rule on egress interface 1; traffic matching that rule has its VLAN tag rewritten to the VLAN tag of ingress interface 2 and is forwarded to ingress interface 2 of security device 2 for inspection. The traffic leaving security device 2 is matched against the ACL rule on egress interface 2 and, on a match, has its VLAN tag rewritten and is forwarded to ingress interface 3 of security device 3 for inspection. Finally, the traffic leaving security device 3 is matched against the ACL rule on egress interface 3 and, on a match, has its VLAN tag rewritten to the tag of the egress interface of the orchestration instance, which forwards the orchestrated traffic to the forwarding instance.
Similarly, after the ingress interface of the orchestration instance receives traffic to be orchestrated that matches orchestration chain 2, the ACL rules on the ingress interface of the orchestration instance and on the egress interfaces of the security devices steer the traffic through security device 2 and then security device 4 for security inspection, after which the traffic has been orchestrated through orchestration chain 2.
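The chain 1 and chain 2 walkthrough above, as an added example that is not part of the patent: a small Python model of the data plane in which each virtual interface owns a VLAN tag, the orchestration ingress and every security device egress carry an ACL table, and a flow's five-tuple selects the rule whose redirect action rewrites the VLAN tag to the next destination interface. The interface names, VLAN IDs, ACL fields, first-match evaluation order and the sample flows are assumptions made for this example; the patent does not specify them.

```python
"""Added example (not the patent's code): data-plane model of the fig. 5 chains.

Each virtual interface owns one VLAN tag; the orchestration ingress and every
security device egress carry an ACL table; a flow's five-tuple picks the rule
whose redirect action rewrites the VLAN tag to the next destination interface.
Interface names, VLAN IDs, first-match ordering and sample flows are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str  # "tcp" or "udp"


@dataclass
class AclRule:
    """ACL entry: match fields (None = wildcard) plus the VLAN to redirect into."""
    redirect_vlan: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, ft: FiveTuple) -> bool:
        pairs = ((self.src_ip, ft.src_ip), (self.dst_ip, ft.dst_ip),
                 (self.src_port, ft.src_port), (self.dst_port, ft.dst_port),
                 (self.proto, ft.proto))
        return all(want is None or want == got for want, got in pairs)


# Assumed VLAN plan: one tag per virtual interface (orchestration instance and devices 1-4).
VLAN_OF_IFACE = {"orch-in": 10, "orch-out": 20,
                 "sd1-in": 101, "sd1-out": 102, "sd2-in": 201, "sd2-out": 202,
                 "sd3-in": 301, "sd3-out": 302, "sd4-in": 401, "sd4-out": 402}
IFACE_OF_VLAN = {vlan: iface for iface, vlan in VLAN_OF_IFACE.items()}

# Assumed ACL tables, first match wins. Chain 1 (sd1 -> sd2 -> sd3) carries HTTP to
# 10.0.0.10; chain 2 (sd2 -> sd4) carries DNS to 10.0.0.53. sd2 sits in both chains,
# so its egress holds one entry per chain, told apart by the destination address.
ACL = {
    "orch-in": [AclRule(VLAN_OF_IFACE["sd1-in"], dst_ip="10.0.0.10", dst_port=80, proto="tcp"),
                AclRule(VLAN_OF_IFACE["sd2-in"], dst_ip="10.0.0.53", dst_port=53, proto="udp")],
    "sd1-out": [AclRule(VLAN_OF_IFACE["sd2-in"], dst_ip="10.0.0.10")],
    "sd2-out": [AclRule(VLAN_OF_IFACE["sd3-in"], dst_ip="10.0.0.10"),
                AclRule(VLAN_OF_IFACE["sd4-in"], dst_ip="10.0.0.53")],
    "sd3-out": [AclRule(VLAN_OF_IFACE["orch-out"], dst_ip="10.0.0.10")],
    "sd4-out": [AclRule(VLAN_OF_IFACE["orch-out"], dst_ip="10.0.0.53")],
}


def redirect(iface: str, ft: FiveTuple) -> Optional[int]:
    """VLAN that the first matching rule on `iface` rewrites the traffic into, or None."""
    for rule in ACL.get(iface, []):
        if rule.matches(ft):
            return rule.redirect_vlan
    return None


def orchestrate(ft: FiveTuple, max_hops: int = 16) -> list[str]:
    """Walk a flow from orch-in to orch-out; return the security devices traversed in order."""
    iface, path = "orch-in", []
    for _ in range(max_hops):  # hop cap: a mis-programmed rule set must not spin forever
        vlan = redirect(iface, ft)
        if vlan is None:
            raise ValueError(f"no redirect rule on {iface} for {ft}: chain is broken")
        iface = IFACE_OF_VLAN[vlan]
        if iface == "orch-out":
            return path
        device = iface[: -len("-in")]  # entered the device's ingress ...
        path.append(device)
        iface = device + "-out"        # ... it inspects and emits on its egress
    raise RuntimeError("hop limit exceeded: redirect rules form a loop")


if __name__ == "__main__":
    # Constructed sample flows.
    web = FiveTuple("192.0.2.7", "10.0.0.10", 51000, 80, "tcp")
    dns = FiveTuple("192.0.2.7", "10.0.0.53", 51001, 53, "udp")
    print("chain 1:", orchestrate(web))  # chain 1: ['sd1', 'sd2', 'sd3']
    print("chain 2:", orchestrate(dns))  # chain 2: ['sd2', 'sd4']
```

Security device 2 appears in both chains, so its egress interface carries one ACL entry per chain and the five-tuple match (here the destination address) is what keeps the chains apart; if those entries overlapped, first-match ordering would silently merge the chains. A flow that matches no rule on an interface is reported as a broken chain rather than forwarded unchecked, and the hop cap catches a rule set that loops.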
Step 205, the forwarding instance sends the traffic orchestrated by the orchestration instance to the server.
The forwarding instance may send the orchestrated traffic to the server using VLAN technology or MPLS VPN technology, in the same manner as the definition instance forwards traffic as described above.
This completes the description of the embodiments of the traffic orchestration method provided in this specification.
In addition, a management platform may be provided on the network device 120 so that a user can configure, monitor and manage the device. For example, the management platform may be used to design and modify the redirection rules of an orchestration chain and to issue the redirection rules of a completed orchestration chain to the orchestration instance and the security devices. Accordingly, this specification provides another traffic orchestration method for the application scenario above:
As shown in fig. 6, fig. 6 is a flow chart of another traffic orchestration method according to an exemplary embodiment of this specification. The method comprises the following steps:
Step 601, determining the orchestration chain related to the orchestration instance;
where the security devices involved and their order are predefined in the orchestration chain.
Step 602, issuing a first redirection rule to the ingress interface of the orchestration instance;
where the first redirection rule instructs the orchestration instance to forward received traffic to the ingress interface of the first security device in the orchestration chain.
Step 603, issuing a second redirection rule to the egress interface of each security device respectively;
where the second redirection rule instructs the security device to forward the traffic it has received to the ingress interface of the security device arranged after it in the orchestration chain, or, for the last security device in the chain, to the egress interface of the orchestration instance.
Orchestration chains allow different security devices to be combined and configured flexibly to meet the needs of different types of traffic. At the same time, the orchestration chains and the security devices are independent of one another and do not affect each other. This specification further provides the following examples for these characteristics of orchestration chains:
In an illustrated embodiment, the operating state of each security device may be monitored by the management platform, so that the orchestration policy can be adjusted promptly when a security device fails. Optionally, when the management platform creates a security device it may also create a health check for that device. The health check records the IP address of the security device and continuously sends TCP health check messages to that address; if no connection can be established after the number of retransmissions exceeds a preset retransmission count, or after a preset duration is exceeded, the management platform determines that the security device has failed and adjusts the orchestration policy accordingly.
When a security device fails, this specification provides two ways to adjust the orchestration policy. In the first, when the management platform detects that a security device in an orchestration chain has failed, it modifies the redirection rule of the security device adjacent to the failed one in the chain, so that the modified chain skips the failed device. In the second, provided the failed security device has at least one standby device configured, the management platform modifies the redirection rule of the adjacent security device so that the failed device is replaced in the modified chain by the standby device. Note that the first way is fail-open: until the failed device recovers, traffic passes through the chain without the inspection that device performed, whereas the second way preserves inspection coverage.
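The rule issuance of steps 601 to 603 and the two failure adjustments described above, as an added example that is not the patent's or the applicant's code: a Python model of the management platform that compiles an orchestration chain into the first redirection rule and the second redirection rules, probes a device with a TCP connection attempt bounded by a retry count, and repairs a chain by rewriting only the rule of the hop adjacent to the failed device, either to skip it or to point at a standby. The interface naming, the rule table layout, the probe parameters, and the assumption that the standby inherits the failed device's egress rule are all choices made for this example.

```python
"""Added example (not the patent's code): management-platform model for steps 601-603
and the two failure adjustments. Interface naming, the rule table layout, the probe
parameters and the standby inheriting the failed device's egress rule are assumptions.
"""
from __future__ import annotations

import socket
from dataclasses import dataclass, field

ORCH_IN, ORCH_OUT = "orch-in", "orch-out"


def ingress(dev: str) -> str:
    return f"{dev}-in"


def egress(dev: str) -> str:
    return f"{dev}-out"


@dataclass
class ChainRules:
    """Redirect table for one chain: interface the rule is installed on -> next-hop interface."""
    chain: list[str]
    rules: dict[str, str] = field(default_factory=dict)


def compile_chain(chain: list[str]) -> ChainRules:
    """Steps 601-603: first rule on the orchestration ingress, a second rule on every device egress."""
    if not chain:
        raise ValueError("an orchestration chain needs at least one security device")
    cr = ChainRules(chain=list(chain))
    cr.rules[ORCH_IN] = ingress(chain[0])                  # first redirection rule
    for dev, nxt in zip(chain, chain[1:] + [None]):         # second redirection rules
        cr.rules[egress(dev)] = ingress(nxt) if nxt else ORCH_OUT
    return cr


def upstream_interface(cr: ChainRules, dev: str) -> str:
    """Interface whose rule points at `dev`: orchestration ingress if first, else predecessor egress."""
    i = cr.chain.index(dev)
    return ORCH_IN if i == 0 else egress(cr.chain[i - 1])


def skip_failed(cr: ChainRules, failed: str) -> ChainRules:
    """First adjustment: the adjacent upstream rule takes over the failed device's next hop (fail-open)."""
    up = upstream_interface(cr, failed)
    cr.rules[up] = cr.rules.pop(egress(failed))
    cr.chain.remove(failed)
    return cr


def replace_failed(cr: ChainRules, failed: str, spare: str) -> ChainRules:
    """Second adjustment: upstream rule points at the spare; the spare inherits the old egress rule."""
    up = upstream_interface(cr, failed)
    cr.rules[up] = ingress(spare)
    cr.rules[egress(spare)] = cr.rules.pop(egress(failed))
    cr.chain[cr.chain.index(failed)] = spare
    return cr


def walk(cr: ChainRules) -> list[str]:
    """Follow the installed rules from orchestration ingress to egress; return devices visited."""
    iface, seen = cr.rules[ORCH_IN], []
    while iface != ORCH_OUT:
        dev = iface[: -len("-in")]
        seen.append(dev)
        iface = cr.rules[egress(dev)]
    return seen


def tcp_health_check(ip: str, port: int, retries: int = 3, timeout: float = 1.0,
                     connect=socket.create_connection) -> bool:
    """Healthy only if a TCP connection is established within `retries` attempts.

    `connect` is injectable so the probe can be exercised without a network.
    """
    for _ in range(retries):
        try:
            sock = connect((ip, port), timeout=timeout)
        except OSError:  # refused, unreachable or timed out: count as one failed attempt
            continue
        sock.close()
        return True
    return False


if __name__ == "__main__":
    print(compile_chain(["sd1", "sd2", "sd3"]).rules)
    print(walk(skip_failed(compile_chain(["sd1", "sd2", "sd3"]), "sd2")))
    print(walk(replace_failed(compile_chain(["sd1", "sd2", "sd3"]), "sd2", "sd2-spare")))
```

Each chain is kept as its own rule table, which is what makes chains independent of one another: repairing chain 1 never touches chain 2's entries. On a device shared by several chains, such as security device 2 in fig. 5, the physical egress interface would hold one entry per chain, distinguished by the five-tuple match, and only the entry belonging to the affected chain is rewritten. When the first device in a chain fails, the rule that must change is the first redirection rule on the orchestration ingress, not a device egress rule, and the code handles that case explicitly.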
Corresponding to the method embodiments above, this specification also provides embodiments of an apparatus and of the electronic device to which it is applied.
As shown in fig. 7, fig. 7 is a schematic structural diagram of an electronic device according to an exemplary embodiment. At the hardware level the device includes a processor 702, an internal bus 704, a network interface 706, a memory 708 and a non-volatile storage 710, and may also include other hardware required by the service. One or more embodiments of this specification may be implemented in software, for example by the processor 702 reading the corresponding computer program from the non-volatile storage 710 into the memory 708 and running it. Besides a software implementation, one or more embodiments of this specification do not exclude other implementations, such as a logic device or a combination of software and hardware; that is, the execution subject of the processing flow below is not limited to logic modules but may also be a hardware or logic device.
As shown in fig. 8, fig. 8 is a block diagram of a traffic orchestration apparatus according to an exemplary embodiment. The apparatus can be applied to the electronic device shown in fig. 7 to implement the technical solution of this specification. The apparatus comprises:
a definition module 802, configured to receive traffic sent by the client and, if the traffic sent by the client is determined to be traffic to be orchestrated that requires traffic orchestration, divert the traffic to be orchestrated to the orchestration instance;
an orchestration module 804, configured to match the orchestration chain corresponding to the orchestration instance according to the feature information of the received traffic, and to control the received traffic to pass through each security device in turn, in the order of the security devices preset in the orchestration chain, before forwarding it to the forwarding instance;
and a forwarding module 806, configured to send the traffic orchestrated by the orchestration instance to the server through the forwarding instance.
In an illustrated embodiment, the definition instance may further be configured with a first virtual service for determining whether traffic sent by the client is traffic to be orchestrated, and a first real service for diverting traffic obtained from the first virtual service to the orchestration instance, and the definition module 802 is specifically configured so that: after receiving the traffic sent by the client, the definition instance forwards the traffic that successfully matches the first virtual service, as traffic to be orchestrated, to the first real service, and the traffic to be orchestrated is diverted to the orchestration instance through the first real service.
The forwarding instance may further be configured with a second virtual service and a second real service, where the second virtual service matches the traffic received by the forwarding instance and forwards successfully matched traffic to the second real service, and the second real service forwards the traffic obtained from the second virtual service to the server. The forwarding module 806 is specifically configured so that: after receiving the traffic, the forwarding instance forwards the traffic that successfully matches the second virtual service to the second real service, and sends the received traffic to the server through the second real service.
In an illustrated embodiment, the first virtual service of the definition instance is further configured with a decryption service for one or more traffic encryption types, and the definition module 802 is further configured so that: after the received traffic successfully matches the first virtual service, if the matched traffic is encrypted and its encryption type corresponds to the decryption service, the definition instance decrypts the encrypted traffic through the decryption service and then forwards the decrypted traffic to the first real service.
The second virtual service of the forwarding instance is further configured with an encryption service corresponding to the decryption service of the first virtual service, and the forwarding module 806 is further configured so that: after the received traffic successfully matches the second virtual service, if the matched traffic was decrypted, the forwarding instance encrypts it through the encryption service and forwards the encrypted traffic to the second real service. In this arrangement the security devices in the orchestration chain inspect decrypted traffic, and the client-facing and server-facing encryption is terminated at the definition instance and the forwarding instance respectively.
As shown in fig. 9, fig. 9 is a block diagram of yet another traffic orchestration apparatus according to an exemplary embodiment of this specification. The apparatus comprises:
a determining module 902, configured to determine the orchestration chain related to the orchestration instance, where the security devices involved and their order are predefined in the orchestration chain;
a first rule module 904, configured to issue a first redirection rule to the ingress interface of the orchestration instance, the first redirection rule instructing the orchestration instance to forward received traffic to the ingress interface of the first security device in the orchestration chain;
and a second rule module 906, configured to issue a second redirection rule to the egress interface of each security device respectively, the second redirection rule instructing any security device to forward the traffic it has received to the ingress interface of the security device arranged after it in the orchestration chain, or to the egress interface of the orchestration instance.
In an illustrated embodiment, the traffic orchestration apparatus further comprises:
a first modification module, configured to modify, when a security device in the orchestration chain is detected to have failed, the redirection rule corresponding to the security device adjacent to the failed security device in the orchestration chain, so that the modified orchestration chain skips the failed security device;
and a second modification module, configured to modify, when a security device in the orchestration chain is detected to have failed and the failed security device is provided with at least one standby device, the redirection rule corresponding to the security device adjacent to the failed security device in the orchestration chain, so that the failed security device is replaced by the standby device in the modified orchestration chain.
The implementation of the functions and roles of each module in the above apparatus is described in detail in the implementation of the corresponding steps of the above method and is not repeated here.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The apparatus embodiments described above are merely illustrative, wherein the modules illustrated as separate components may or may not be physically separate, and the components shown as modules may or may not be physical, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purposes of the present description. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
The present specification also provides a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of any of the aforementioned traffic orchestration methods provided by the present application.
In particular, computer-readable media suitable for storing computer program instructions and data include all forms of non-volatile memory, media and memory devices, including by way of example semiconductor memory devices (e.g., EPROM, EEPROM, and flash memory devices), magnetic disks (e.g., internal hard disk or removable disks), magneto-optical disks, and CD-ROM and DVD-ROM disks.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Other embodiments of the present description will be apparent to those skilled in the art from consideration of the specification and practice of the application disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It is to be understood that the present description is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.
The foregoing description of the preferred embodiments is provided for the purpose of illustration only, and is not intended to limit the scope of the disclosure, since any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the disclosure are intended to be included within the scope of the disclosure.

Claims (10)

1. A traffic orchestration method, applied to a network device, wherein the network device is connected to a client, a server and a plurality of security devices, and a definition instance, an orchestration instance and a forwarding instance are deployed on the network device by means of virtualization technology, the method comprising:
the definition instance receives traffic sent by the client and, if the traffic sent by the client is determined to be traffic to be orchestrated that requires traffic orchestration, diverts the traffic to be orchestrated to the orchestration instance;
the orchestration instance matches a corresponding orchestration chain according to the feature information of the received traffic, and controls the received traffic to pass through each security device in turn, in the order of the security devices preset in the orchestration chain, before forwarding it to the forwarding instance;
and the forwarding instance sends the traffic orchestrated by the orchestration instance to the server.
2. The method according to claim 1, wherein the ingress interface of the orchestration instance is configured with a first redirection rule; and when the ingress interface of the orchestration instance receives traffic whose five-tuple information matches the first redirection rule, the first redirection rule is used to instruct the orchestration instance to forward the received traffic to the ingress interface of the first security device in the orchestration chain;
and the egress interfaces of the security devices involved in the orchestration chain are each configured with a second redirection rule; and the second redirection rule configured on the egress interface of any security device is used to instruct that security device to forward the traffic it has received to the ingress interface of the security device arranged after it in the orchestration chain, or to the egress interface of the orchestration instance.
3. The method according to claim 1, wherein the definition instance is configured with a first virtual service for determining whether traffic sent by the client is traffic to be orchestrated, and a first real service for diverting traffic obtained from the first virtual service to the orchestration instance;
and the definition instance receiving the traffic sent by the client and, if the traffic is determined to be traffic to be orchestrated that requires traffic orchestration, diverting the traffic to be orchestrated to the orchestration instance comprises:
after receiving the traffic sent by the client, the definition instance forwards the traffic that successfully matches the first virtual service, as traffic to be orchestrated, to the first real service, and the traffic to be orchestrated is diverted to the orchestration instance through the first real service;
the forwarding instance is configured with a second virtual service and a second real service, wherein the second virtual service is used to match the traffic received by the forwarding instance and forward successfully matched traffic to the second real service, and the second real service is used to forward the traffic obtained from the second virtual service to the server;
and the forwarding instance sending the traffic orchestrated by the orchestration instance to the server comprises:
after receiving the traffic, the forwarding instance forwards the traffic that successfully matches the second virtual service to the second real service, and sends the received traffic to the server through the second real service.
4. The method according to claim 3, wherein, in the case that the traffic sent by the client comprises encrypted traffic, the first virtual service is configured with a decryption service for one or more traffic encryption types, and the second virtual service is configured with an encryption service corresponding to the decryption service of the first virtual service; the method further comprising:
after the received traffic successfully matches the first virtual service, if the successfully matched traffic is encrypted traffic and its encryption type corresponds to the decryption service, the definition instance decrypts the encrypted traffic through the decryption service and then forwards the decrypted traffic to the first real service;
and after the received traffic successfully matches the second virtual service, if the successfully matched traffic is decrypted traffic, the forwarding instance encrypts the successfully matched traffic through the encryption service and forwards the encrypted traffic to the second real service.
5. A traffic orchestration method, applied to a management platform that manages a network device according to any one of claims 1 to 4, the method comprising:
determining the orchestration chain related to the orchestration instance, wherein the security devices involved and their order are predefined in the orchestration chain;
issuing a first redirection rule to the ingress interface of the orchestration instance, the first redirection rule being used to instruct the orchestration instance to forward received traffic to the ingress interface of the first security device in the orchestration chain;
and issuing a second redirection rule to the egress interface of each security device respectively, the second redirection rule being used to instruct any security device to forward the traffic it has received to the ingress interface of the security device arranged after it in the orchestration chain, or to the egress interface of the orchestration instance.
6. The method according to claim 5, further comprising:
when a security device in the orchestration chain is detected to have failed, modifying the redirection rule corresponding to the security device adjacent to the failed security device in the orchestration chain, so that the modified orchestration chain skips the failed security device;
and when a security device in the orchestration chain is detected to have failed, if the failed security device is provided with at least one standby device, modifying the redirection rule corresponding to the security device adjacent to the failed security device in the orchestration chain, so that the failed security device is replaced by the standby device in the modified orchestration chain.
7. A traffic orchestration apparatus, applied to a network device, wherein the network device is connected to a client, a server and a plurality of security devices, and a definition instance, an orchestration instance and a forwarding instance are deployed on the network device by means of virtualization technology, the apparatus comprising:
a definition module, configured to receive traffic sent by the client and, if the traffic sent by the client is determined to be traffic to be orchestrated that requires traffic orchestration, divert the traffic to be orchestrated to the orchestration instance;
an orchestration module, configured to match the orchestration chain corresponding to the orchestration instance according to the feature information of the received traffic, and to control the received traffic to pass through each security device in turn, in the order of the security devices preset in the orchestration chain, before forwarding it to the forwarding instance;
and a forwarding module, configured to send the traffic orchestrated by the orchestration instance to the server through the forwarding instance.
8. A traffic orchestration apparatus, applied to a management platform that manages a network device according to any one of claims 1 to 4, the apparatus comprising:
a determining module, configured to determine the orchestration chain related to the orchestration instance, wherein the security devices involved and their order are predefined in the orchestration chain;
a first rule module, configured to issue a first redirection rule to the ingress interface of the orchestration instance, the first redirection rule being used to instruct the orchestration instance to forward received traffic to the ingress interface of the first security device in the orchestration chain;
and a second rule module, configured to issue a second redirection rule to the egress interface of each security device respectively, the second redirection rule being used to instruct any security device to forward the traffic it has received to the ingress interface of the security device arranged after it in the orchestration chain, or to the egress interface of the orchestration instance.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any one of claims 1 to 6 when the program is executed.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the steps of the method according to any one of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310791502.XA CN116684289A (en) 2023-06-29 2023-06-29 Traffic arrangement method, electronic equipment and device

Publications (1)

Publication Number Publication Date
CN116684289A true CN116684289A (en) 2023-09-01

Family

ID=87780994

Country Status (1)

Country Link
CN (1) CN116684289A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116886777A (en) * 2023-09-06 2023-10-13 苏州浪潮智能科技有限公司 Service flow distribution method and device for container arrangement platform
CN116886777B (en) * 2023-09-06 2024-01-26 苏州浪潮智能科技有限公司 Service flow distribution method and device for container arrangement platform

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination