CN116800451A - Network protection system, method and storage medium - Google Patents


Info

Publication number: CN116800451A
Application number: CN202211240901.9A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 严仍义
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Suzhou Software Technology Co Ltd
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Suzhou Software Technology Co Ltd
Prior art keywords: protection, instance, service, information, source station

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The embodiment of the application discloses a network protection system, a deployment method and a storage medium, wherein the system comprises the following components: a management node and a data processing node; the management node comprises a service opening module and a configuration management module; the service opening module is used for receiving a service opening request and opening a corresponding service based on the service opening request; recording service information and user information corresponding to the service; and sending the service information to the data processing node; the configuration management module is used for creating a safety protection source station corresponding to the user information; configuring protection information corresponding to a safety protection source station on the safety protection source station; and sending protection information to the data processing node; the data processing node is used for creating a protection instance corresponding to the user information based on the service information and the protection information, and forwarding the access traffic corresponding to the safety protection source station to the protection instance so as to enable the protection instance to detect the access traffic and clean the traffic.

Description

Network protection system, method and storage medium
Technical Field
The present application relates to the field of network security protection, and in particular, to a network security protection system, method and storage medium.
Background
In the prior art, cloud service vendors and security service vendors build a cloud-mode Web Application Firewall (WAF) and provide it to tenants on or off the cloud as Software as a Service (SaaS); the tenant selects, from the basic protection policies offered by the cloud WAF, the policy that matches the protection requirements of its source station and uses it to protect that source station.
At present, cloud WAFs are mainly implemented with high-security proxy technology and a security resource pool. A cloud WAF built this way still shares one security protection system when processing the access traffic of different tenants, so a protection instance cannot be deployed for each tenant individually; if the shared security protection system fails, the service security protection of every tenant is affected, and the service security protection available to each tenant is therefore poor.
Disclosure of Invention
In view of this, embodiments of the present application are expected to provide a network protection system, a method, and a storage medium, which can deploy a protection instance for each tenant individually, so as to isolate service security protection functions between different tenants, and improve the service security protection functions of each tenant.
In order to achieve the above purpose, the technical scheme of the application is realized as follows:
In a first aspect, an embodiment of the present application provides a network protection system, including: a management node and a data processing node; the management node comprises a service opening module and a configuration management module; the service opening module is used for receiving a service opening request and opening a corresponding service based on the service opening request; recording service information and user information corresponding to the service; and sending the service information to the data processing node; the configuration management module is used for creating a safety protection source station corresponding to the user information; configuring protection information corresponding to a safety protection source station on the safety protection source station; and sending protection information to the data processing node; the data processing node is used for creating a protection instance corresponding to the user information based on the service information and the protection information, and forwarding the access traffic corresponding to the safety protection source station to the protection instance so as to enable the protection instance to detect the access traffic and clean the traffic.
In a second aspect, an embodiment of the present application provides a network protection method, applied to a network protection system, where the method includes:
when the service opening module receives a service opening request, it opens the corresponding service based on the request, records the service information and user information corresponding to the service, and sends the service information to a data processing node;
the configuration management module creates a security protection source station corresponding to the user information, configures protection information corresponding to the security protection source station on it, and sends the protection information to the data processing node;
the data processing node creates a protection instance corresponding to the user information based on the service information and the protection information, and forwards the access traffic corresponding to the safety protection source station to the protection instance so as to enable the protection instance to detect the access traffic and clean the traffic.
In a third aspect, an embodiment of the present application provides a storage medium having stored thereon a computer program that when executed implements the network protection method described above.
The embodiment of the application provides a network protection system, a network protection method and a storage medium, wherein the network protection system comprises the following components: a management node and a data processing node; the management node comprises a service opening module and a configuration management module; the service opening module is used for receiving a service opening request and opening a corresponding service based on the service opening request; recording service information and user information corresponding to the service; and sending the service information to the data processing node; the configuration management module is used for creating a safety protection source station corresponding to the user information; configuring protection information corresponding to a safety protection source station on the safety protection source station; and sending protection information to the data processing node; the data processing node is used for creating a protection instance corresponding to the user information based on the service information and the protection information, and forwarding the access traffic corresponding to the safety protection source station to the protection instance so as to enable the protection instance to detect the access traffic and clean the traffic.
With this network protection system, a tenant opens the corresponding service through the service opening module in the management node; different tenants create their own security protection source stations within the opened service and set tenant-specific protection information on those source stations; the data processing node creates a protection instance for each tenant's protection source station according to the protection information set on it; and when access traffic arrives, the traffic of each tenant is forwarded, according to the corresponding forwarding policy, to that tenant's protection instance for detection and cleaning. Tenants therefore do not interfere with one another while their source stations are protected, and if the protection instance of one tenant fails, the protection instances of the other tenants continue to protect their source stations. This isolates the security protection function between different tenants and improves the service security protection of each tenant.
Drawings
Fig. 1 is a schematic diagram of a network protection system according to an embodiment of the present application;
Fig. 2 is a schematic diagram of an exemplary protection instance upgrade process according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a network protection system according to an embodiment of the present application;
Fig. 4 is a flowchart of a network protection method according to an embodiment of the present application.
Detailed Description
In order to more fully understand the features and technical content of the embodiments of the present application, the following detailed description of the embodiments of the present application is provided with reference to the accompanying drawings, which are not intended to limit the embodiments of the present application.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the application only and is not intended to be limiting of the application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict. It should also be noted that the term "first/second/third" is used merely to distinguish similar objects and does not represent a specific ordering of objects, it being understood that the "first/second/third" may be interchanged with a specific order or sequence, as permitted, to enable embodiments of the application described herein to be implemented in an order other than that illustrated or described herein.
In the prior art, network protection with a cloud WAF has the following technical problems: multi-tenant isolation covers only the storage of each tenant's security configuration data, while the underlying security protection capability of the protection system is still shared, so a separate security protection instance cannot be deployed for a single tenant, and once the shared underlying capability fails, the security protection services of all tenants fail with it; furthermore, the shared security protection instance cannot self-heal after a failure and must be recovered manually, and gray (canary) release is impossible, which affects service continuity and user experience; finally, a new vulnerability protection rule takes effect globally when updated, a dedicated template cannot be provided for a particular tenant, and one-click upgrade and rollback cannot be performed for such a template.
To solve the technical problems in the prior art, the embodiment of the present application provides a network protection system 1 which, as shown in Fig. 1, includes:
a management node 10 and a data processing node 11; the management node 10 comprises a service opening module 100 and a configuration management module 101; the service opening module 100 is configured to receive a service opening request, and open a corresponding service based on the service opening request; recording service information and user information corresponding to the service; and sending the service information to the data processing node; a configuration management module 101, configured to create a security protection source station corresponding to the user information; configuring protection information corresponding to a safety protection source station on the safety protection source station; and sends protection information to the data processing node 11; the data processing node 11 is configured to create a protection instance corresponding to the user information based on the service information and the protection information, and forward the access traffic corresponding to the security protection source station to the protection instance, so that the protection instance detects the access traffic and cleans the traffic.
In the embodiment of the application, the cloud WAF is the cloud mode of a Web application firewall: a protection product aimed specifically at attacks on website Web applications, developed on the cloud. The user does not install any software product; website protection is achieved simply by registering an account on a web page, adding related information such as the domain name, IP and record number, and resolving the domain name to a WAF protection node.
In the embodiment of the application, when the cloud WAF protection system is deployed, the cloud WAF protection systems of the different tenants are first instantiated, and the instantiated cloud WAF protection systems are then deployed using Kubernetes container technology.
In embodiments of the present application, Kubernetes, also known as K8s or Kube, is an open-source container orchestration technology released by Google and the most popular container orchestration tool in the industry, used for automated deployment, scaling and management of containerized applications. K8s makes deploying and managing micro-service applications simple by forming an abstraction layer over the cluster so that development teams can deploy applications smoothly. K8s is mainly used to control and manage the resources used by applications; to load-balance requests between multiple instances of an application automatically; to monitor resource usage and enforce resource limits; to migrate application instances from one host to another when a host's resources are exhausted or the host crashes; and to make the additional resources of a newly joined host available automatically.
In the embodiment of the application, the cloud WAF security protection system comprises a management node 10 and a data processing node 11, both of which can be deployed in a K8s cluster; the management node 10 manages the whole cluster, and the data processing node 11 is the node that actually processes services.
In the embodiment of the application, in the K8s cluster, the management node 10 of the cloud WAF security protection system comprises a service opening module 100. A tenant can submit a request message to open the service through the service opening module 100 according to its own requirements; the service opening module 100 processes the tenant's request to open the WAF service, so that the corresponding WAF service is opened for the requesting tenant.
In the embodiment of the application, when the tenant's WAF service is opened, the tenant information corresponding to the opened WAF service and the opened service information are recorded; the tenant information may be a specific operating company or a specific individual, etc., and the service information may be protection bandwidth, traffic bandwidth, queries per second (QPS), etc.
In the embodiment of the application, after the service opening module records the tenant information corresponding to the opened WAF service and the opened service information, the recorded service information can be sent to the data processing node, and the data processing node can process the corresponding service by utilizing the received service information.
In the embodiment of the present application, the management node 10 further includes a configuration management module 101, and the configuration management module 101 is used to configure corresponding protection information for the WAF service opened by the tenant.
In the embodiment of the application, after the WAF service corresponding to the tenant is opened, the tenant may create a security protection source station corresponding to the tenant information through the configuration management module 101 in the management node 10.
For example, tenant A opens a WAF service and security protection source station 1 is created for tenant A; tenant B also opens a WAF service and security protection source station 2 is created for tenant B.
In the embodiment of the present application, after the configuration management module 101 has created the security protection source station corresponding to the tenant information, the configuration management module 101 is used to configure, on that security protection source station, the protection information corresponding to the tenant information, which may be the protected source station IP, the source station port number, the SSL certificate information of the secure protocol channel, and the like.
It should be noted that the protection information may be selected according to actual situations, and the present application is not limited specifically.
In the embodiment of the present application, in the K8s cluster, the cloud WAF security protection system further includes a data processing node 11. When the configuration management module 101 has configured the source station IP, the source station port number and the SSL certificate information of the secure protocol channel used for protection, it further sends to the data processing node 11 an instruction message for creating the protection instance vWAF pod corresponding to the WAF service opened by the tenant.
The instruction message sent by the configuration management module 101 carries the protection information, namely the protected source station IP, the source station port number, the SSL certificate information of the secure protocol channel, and the like.
In the embodiment of the application, when the protection instance vWAF pod corresponding to the WAF service opened by the tenant is created, the data processing node can create the protection instance vWAF pod corresponding to the WAF service opened by the tenant according to the service information sent by the service opening module, including protection bandwidth, QPS information and the like.
It should be noted that one tenant may correspond to a plurality of protection instances vWAF pod.
It should be noted that, the specific implementation process of creating the protection instance vWAF pod is not limited to the method implemented in the present application, and specifically, may be selected according to the actual situation, which is not specifically limited in the present application.
In the embodiment of the application, after the corresponding protection instance vWAF pod has been successfully created for the tenant, the protection information and service information carried in the instruction message that requested the protection instance vWAF pod are set in it; specifically, the source station IP, source station port number, protection bandwidth, QPS information and the like can be set in the protection instance vWAF pod.
In the embodiment of the present application, after the configuration management module 101 sets the corresponding protection information and service information in the protection instance vWAF pod, the data processing node 11 may process the protection information and service information to obtain the protection instance tag corresponding to the protection instance, determine the protection instance corresponding to the access traffic through the protection instance tag, and forward the access traffic corresponding to the security protection source station to the corresponding protection instance.
In the embodiment of the application, the vWAF pod label corresponding to the protection instance can be generated by utilizing a specific rule according to the protection information and the service information set in the protection instance. Specifically, the manner of generating the vWAF pod label may be selected according to practical situations, and the present application is not limited in particular.
In the embodiment of the application, the vWAF pod label and the protection instance vWAF pod are in one-to-one correspondence, a unique corresponding protection instance vWAF pod can be determined according to the vWAF pod label, and when the source station to be protected by the tenant is accessed by the access flow, the protection instance vWAF pod corresponding to the source station to be protected by the tenant can be determined according to the vWAF pod label.
It should be noted that, in the present application, by creating different protection instances vWAF pod for different tenants, the protection capability between different tenants in the data processing node is isolated from each other.
In the embodiment of the present application, the management node 10 further includes an object creation module, and the object creation module may create a flow forwarding object for the data processing node 11, and associate the flow forwarding object with the protection instance, so as to forward the access flow corresponding to the security protection source station to the corresponding protection instance through the flow forwarding object, thereby implementing detection and flow cleaning of the access flow.
In the embodiment of the present application, after the data processing node 11 completes the creation of the guard instance vWAF pod, the user may create an object service for traffic forwarding in the data processing node 11 through an object creation module in the management node 10.
In the embodiment of the application, when the traffic forwarding Service object is created, the created Service object and the generated vWAF pod label are associated through fields set in a data table. Access traffic can then be forwarded through the Service object to different vWAF pod labels, and the detection and cleaning of the access traffic belonging to a tenant's protection instance are performed on the protection instance vWAF pod determined through its vWAF pod label.
In the embodiment of the application, to forward access traffic through the Service object, an Ingress (entry) object through which the Service object forwards traffic must also be created.
In the embodiment of the application, the Ingress object can be created according to service information or protection information configured in the protection source station.
It should be noted that the Ingress object may also be created in ways other than the one described in this application; the specific way may be chosen according to the actual situation and is not limited here.
In the embodiment of the application, after the Ingress object has been created, the forwarding Service objects bound to the domain names of the different protection source stations are set in the Ingress object. Through the relation between the Ingress object and the forwarding Service objects, the access traffic of different protection source stations is forwarded to different forwarding Service objects; through the relation between each forwarding Service object and the vWAF Pod label, the protection instance vWAF Pod that protects that traffic is then determined, so that vWAF Pods protect multiple user sites.
In the embodiment of the present application, the data processing node 11 receives the access traffic of a security protection source station at the Ingress object, uses the forwarding Service object associated with the Ingress object to determine the vWAF pod label to forward to, determines from that label the protection instance corresponding to the security protection source station, and has that security protection instance detect and clean the access traffic.
After the access traffic has been detected and cleaned in the security protection instance, the cleaned traffic is proxied back to the tenant's source station, which realizes the security protection of the tenant source station.
Optionally, in the embodiment of the present application, the management node 10 further includes a log center; when the protection instance detects attack information corresponding to attack traffic in the access traffic, it outputs the attack information and transmits it to the log center.
In the embodiment of the application, when the traffic accessing the tenant's source station is forwarded to the tenant's corresponding protection instance vWAF pod, the protection instance vWAF pod in the data processing node 11 detects the access traffic. When it detects attack traffic in the access traffic, an Agent log reporting module deployed as a Sidecar inside the protection instance vWAF pod collects the detailed information of the attack traffic and transmits it to the log center in the management node 10, where the tenant can view the detailed attack information.
It should be noted that in the conventional log collection approach, the log collection module (Agent) has to be deployed into the protection instance in advance, and the collection rules are configured after the protection instance is configured. The Agent log reporting module running in Sidecar mode is packaged together with the protection instance vWAF Pod, so the Agent is created and configured automatically when the user's service is created. This improves efficiency, a fault does not affect the normal collection and presentation of other users' logs, and fault isolation between the protection source stations of different tenants is achieved.
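The chain described above (labelled vWAF Pod with its sidecar log agent, forwarding Service object, Ingress rule per protected domain) as an added Python example; this is not code from the patent. It assumes standard Kubernetes Pod/Service/Ingress objects, a deterministic label hashed from the tenant's service and protection information (the patent leaves the labelling rule open), one namespace per tenant, and placeholder image names and log-center address.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder names (assumptions, not values from the patent).
VWAF_IMAGE = "registry.example/vwaf:1.0.0"
AGENT_IMAGE = "registry.example/log-agent:1.0.0"
LOG_CENTER_URL = "http://log-center.management.svc:8080"


@dataclass(frozen=True)
class ServiceInfo:  # recorded by the service opening module
    tenant_id: str
    guard_bandwidth_mbps: int
    qps: int


@dataclass(frozen=True)
class ProtectionInfo:  # configured by the configuration management module
    source_station_id: str
    domain: str
    origin_ip: str
    origin_port: int
    tls_secret: str  # Kubernetes Secret holding the SSL certificate


def vwaf_pod_label(svc: ServiceInfo, prot: ProtectionInfo) -> str:
    """One-to-one instance label. The patent leaves the rule open; this example
    hashes the fields identifying tenant and source station (assumption)."""
    key = f"{svc.tenant_id}|{prot.source_station_id}|{prot.domain}|{prot.origin_ip}:{prot.origin_port}"
    return "vwaf-" + hashlib.sha256(key.encode()).hexdigest()[:12]


def validate(prot: ProtectionInfo) -> None:
    """Reject malformed protection information before anything is created."""
    ipaddress.ip_address(prot.origin_ip)  # raises ValueError on a bad address
    if not 1 <= prot.origin_port <= 65535:
        raise ValueError("origin port out of range")
    if not prot.domain or prot.domain != prot.domain.strip().lower():
        raise ValueError("domain must be a normalized hostname")


def build_manifests(svc: ServiceInfo, prot: ProtectionInfo) -> Dict[str, dict]:
    """Pod, Service and Ingress the data processing node applies for one instance."""
    validate(prot)
    label = vwaf_pod_label(svc, prot)
    ns = f"tenant-{svc.tenant_id}"  # one namespace per tenant (assumption)
    log_mount = {"name": "attack-log", "mountPath": "/var/log/vwaf"}
    pod = {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": label, "namespace": ns, "labels": {"vwaf": label}},
        "spec": {"containers": [
            # protection and service information are set in the vWAF container
            {"name": "vwaf", "image": VWAF_IMAGE, "ports": [{"containerPort": 8080}],
             "env": [{"name": "ORIGIN_IP", "value": prot.origin_ip},
                     {"name": "ORIGIN_PORT", "value": str(prot.origin_port)},
                     {"name": "GUARD_BANDWIDTH_MBPS", "value": str(svc.guard_bandwidth_mbps)},
                     {"name": "QPS_LIMIT", "value": str(svc.qps)}],
             "volumeMounts": [log_mount]},
            # Sidecar log agent packaged with the instance: ships attack details to the
            # management node's log center, so no separate deployment step is needed.
            {"name": "log-agent", "image": AGENT_IMAGE,
             "env": [{"name": "LOG_CENTER_URL", "value": LOG_CENTER_URL},
                     {"name": "TENANT_ID", "value": svc.tenant_id}],
             "volumeMounts": [dict(log_mount, readOnly=True)]},
        ], "volumes": [{"name": "attack-log", "emptyDir": {}}]},
    }
    service = {
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": f"{label}-svc", "namespace": ns},
        # the Service-to-label association, expressed as a label selector
        "spec": {"selector": {"vwaf": label}, "ports": [{"port": 80, "targetPort": 8080}]},
    }
    ingress = {
        "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
        "metadata": {"name": f"{label}-ing", "namespace": ns},
        "spec": {"tls": [{"hosts": [prot.domain], "secretName": prot.tls_secret}],
                 "rules": [{"host": prot.domain, "http": {"paths": [{
                     "path": "/", "pathType": "Prefix",
                     "backend": {"service": {"name": f"{label}-svc", "port": {"number": 80}}}}]}}]},
    }
    return {"pod": pod, "service": service, "ingress": ingress}


def resolve_instance(all_manifests: List[Dict[str, dict]], host: str) -> Optional[str]:
    """Follow Ingress host -> Service -> label selector, as the data processing node does."""
    selector_by_service = {m["service"]["metadata"]["name"]: m["service"]["spec"]["selector"]["vwaf"]
                           for m in all_manifests}
    for m in all_manifests:
        for rule in m["ingress"]["spec"]["rules"]:
            if rule["host"] == host:
                backend = rule["http"]["paths"][0]["backend"]["service"]["name"]
                return selector_by_service.get(backend)
    return None  # no protection source station is bound to this host
```

Each tenant ends up with its own Pod, Service and Ingress, so a host name resolves to exactly one vWAF pod and a failure in one tenant's pod leaves the other tenants' chains untouched.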
Optionally, in an embodiment of the present application, the management node 10 further includes a policy management module, configured to set a security protection policy for the protection instance, so that the protection instance uses that security protection policy to detect and clean the access traffic.
In the embodiment of the application, in the process of creating the protection instance and protecting the source station of the tenant by using the protection instance, the tenant can also set a self-defined security protection policy. Specifically, the tenant may further customize security protection policy configuration information in a policy management module in the management node according to a requirement of the protection source station in the service, where the custom security protection policy configuration may be a custom policy such as an IP black-and-white list, a URL black-and-white list, and a traffic label.
In the embodiment of the application, the tenant can set the self-defined security protection policy in the protection instance corresponding to the protection source station according to the current requirement of the protection source station through the management node, and the protection instance can carry out safer protection on the protection source station according to the set security protection policy, so that the security of the protection source station is higher.
Optionally, the management node 10 further includes an image center module, configured to process the security protection policy and generate an image file corresponding to the security protection policy, so that the security protection policy can be configured from a template by using the image file.
In the embodiment of the application, when the tenant modifies the created protection instance vWAF Pod according to the current requirement of the protection source station, the customized protection instance vWAF Pod of the tenant is obtained.
In the embodiment of the application, the tenant can customize the security protection policy in the protection instance, the mirror image center module can generate the security protection configuration template from the protection instance vWAF Pod provided with the security protection policy customized by the tenant, and the security protection configuration template is stored in a database corresponding to the mirror image center module in a mirror image mode.
It should be noted that protection instance vWAF Pods customized with different security protection policies may generate different security protection configuration templates, and the different security protection configuration templates correspond to different versions of the protection instance vWAF Pod.
In the embodiment of the application, when a security protection instance is configured, the templated configuration of different security protection instances can be realized by directly acquiring the security protection instance of the corresponding version.
In the embodiment of the application, when a tenant needs to add one security protection instance, the mirror image file of the corresponding security protection instance can be obtained through the mirror image center module, and the mirror image file of the obtained security protection instance is directly utilized to realize the self-defined security protection policy setting for the newly added security protection instance, so that the self-defined configuration for the newly added security protection instance is not needed.
It should be noted that, by using the method of controlling the mirror version, the templated version control of the WAF with different protection strategies is realized, so that the mirror images with different versions are selected for carrying out WAF instance deployment according to different protection requirements.
Optionally, in the embodiment of the present application, the image center module is further configured to process each version of protection instance to obtain multiple versions of protection instance image files, determine a target version of protection instance image file from the multiple versions of protection instance image files by using a preset rolling upgrade policy, and change a current protection instance version based on the target version of protection instance image file.
In the embodiment of the application, when the protection function of the protection instance vWAF Pod corresponding to the tenant is upgraded, the development software for each version of the protection instance vWAF Pod is published, and image files corresponding to the protection instances of different versions are generated by processing the protection instance vWAF Pods of the different versions. The generated image files are transmitted to the image center module; the tenant selects the new image file corresponding to the protection instance from the image center module in the management node 10 and associates it with the protection source station, and K8s uses a rolling upgrade strategy to gradually replace the old version of the protection instance vWAF Pod with the new version, completing the version upgrade of the protection instance vWAF Pod.
As shown in fig. 2, multiple protection instance vWAF Pods may be associated under one controller RC in K8s. When the protection instance vWAF Pod is upgraded from version v1 to version v2, the rolling upgrade policy first selects the first v1 protection instance vWAF Pod, selects the v2 protection instance vWAF Pod from the mirror center, and replaces the first v1 Pod with the v2 Pod, completing the upgrade of one protection instance vWAF Pod of the tenant; it then selects the second v1 protection instance vWAF Pod, again selects the v2 protection instance vWAF Pod from the mirror center, and replaces the second v1 Pod with it, completing the upgrade of the second Pod. This continues one Pod at a time until all v1 protection instance vWAF Pods of the tenant have been replaced.
It should be noted that, when one or more protection instances in the RC-associated protection instance vWAF Pod fail, the data processing node creates a new protection instance vWAF Pod to ensure that the number of running protection instances vWAF Pod reaches the expected number.
In another embodiment of the present application, when a protection policy corresponding to a protection instance needs to be upgraded (for example, a policy for 0day vulnerability protection), the protection instance with the updated protection policy is made into an image file and uploaded to the image center; the tenant selects the new image file corresponding to the protection instance from the image center module in the management node and associates it with the protection source station, and K8s uses the rolling upgrade policy to gradually replace the old version of the protection instance vWAF Pod with the new version, completing the version upgrade of the protection instance vWAF Pod.
It should be noted that, the rolling upgrade method adopted when upgrading the protection policy in the protection instance is the same as the process when upgrading the protection function of the protection instance vWAF Pod corresponding to the tenant, specifically, reference may be made to the implementation process as illustrated in fig. 2, which is not described herein again.
After the protection policy corresponding to the protection instance is upgraded, when the protection effect of the protection policy in the upgraded protection instance on the protection source station is not good, the upgraded version can be rolled back, and when the version of the protection instance is rolled back, the image file version corresponding to the protection instance which needs to be replaced is selected from the image center module, and the image file version corresponding to the upgraded protection instance is replaced by the selected image file version.
It should be noted that, the protection instance version rollback mode and the protection instance version upgrade mode are the same, and are processed in a way of replacing one by one, specifically, the implementation process of the protection instance version upgrade may be referred to, which is not described herein.
It should be noted that, in the embodiment of the present application, the protection system is implemented in a containerized manner, so that gray release and fault self-healing of the protection system can be implemented.
Optionally, the management node 10 further includes a monitoring center module, where the monitoring center module is configured to monitor a used memory space of the protection instance in the running process, send an instance increasing instruction to the data processing node when the used memory space is greater than a preset memory space threshold, and send an instance decreasing instruction to the data processing node when the used memory space is monitored to be less than the preset memory space threshold; the data processing node increases the protection instance corresponding to the safety protection source station according to the instance increasing instruction, and decreases the protection instance corresponding to the safety protection source station according to the instance decreasing instruction.
In the embodiment of the application, when the monitoring center module detects during operation that the processing capacity of the whole cluster is insufficient, the processing capacity of the whole cluster can be improved by dynamically adding a new K8s node. Specifically, when the CPU usage of the protection instance vWAF Pod corresponding to the tenant exceeds a set threshold during operation, the data processing node may automatically create a new protection instance vWAF Pod to relieve the load on the protection instance vWAF Pods running in the current cluster; when CPU usage falls below the threshold, the vWAF Pods are dynamically reduced, avoiding resource waste in the cluster.
It should be noted that the memory threshold may be selected according to practical situations, and the present application is not limited in particular.
It should be noted that, in the network protection system provided by the embodiment of the present application, by containerizing the WAF protection instance and deploying the containerized protection instance as multiple instances through K8s technology, each tenant corresponds to its own WAF protection instance, and the association between a tenant's protection source station and its WAF protection instance is implemented through the upper management node 10, so that the protection functions of different tenants on the data processing node 11 are isolated. Meanwhile, the RC in K8s can detect whether a running protection instance is abnormal and, when an abnormality occurs, automatically create a new WAF instance to implement fault self-healing. Furthermore, gray release of the protection instance can be realized by utilizing the rolling upgrade strategy, improving service continuity and user experience.
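As an added example (not from the patent), the rolling upgrade, fault self-healing and load-based scaling described above expressed as Kubernetes objects; the patent speaks of an RC, and the assumption here is that a Deployment with a RollingUpdate strategy plays that role. Names, namespaces, image tags, the log-agent sidecar endpoint and the thresholds are constructed placeholders.

```yaml
# Added example (not from the patent): a per-tenant vWAF Deployment whose
# controller replaces one Pod at a time on upgrade, recreates failed Pods,
# and is scaled by an HPA. Names, labels, image tags and thresholds are
# constructed placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vwaf-tenant-a
  namespace: waf
  labels:
    app: vwaf
    tenant: tenant-a
spec:
  replicas: 3                 # desired Pod count; a failed Pod is recreated (fault self-healing)
  revisionHistoryLimit: 5     # keep old ReplicaSets so an upgrade can be rolled back
  selector:
    matchLabels:
      app: vwaf
      tenant: tenant-a        # the vWAF Pod label that identifies this tenant's instance
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1       # replace exactly one v1 Pod at a time, as in fig. 2
      maxSurge: 0             # never run more Pods than the desired count during the upgrade
  minReadySeconds: 10         # a v2 Pod must stay Ready this long before the next v1 Pod is replaced
  template:
    metadata:
      labels:
        app: vwaf
        tenant: tenant-a
    spec:
      containers:
        - name: vwaf
          # image from the image center; changing the tag from v1 to v2 starts the rolling upgrade
          image: registry.example.internal/vwaf:v2
          ports:
            - containerPort: 8080
          readinessProbe:     # a Pod that cannot serve is not counted as upgraded
            httpGet:
              path: /healthz
              port: 8080
            periodSeconds: 5
          resources:
            requests:
              cpu: 500m
              memory: 512Mi
            limits:
              cpu: "1"
              memory: 1Gi
          volumeMounts:
            - name: waf-logs
              mountPath: /var/log/vwaf
        - name: log-agent     # Agent sidecar packaged with the Pod; forwards attack logs to the log center
          image: registry.example.internal/log-agent:v1
          env:
            - name: LOG_CENTER_URL
              value: https://log-center.waf.svc.cluster.local   # placeholder endpoint
            - name: TENANT_ID
              value: tenant-a
          volumeMounts:
            - name: waf-logs
              mountPath: /var/log/vwaf
              readOnly: true
      volumes:
        - name: waf-logs
          emptyDir: {}
---
# Scale the tenant's Pod count on CPU and memory utilisation (thresholds are placeholders).
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: vwaf-tenant-a
  namespace: waf
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: vwaf-tenant-a
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: 75
```

Setting the image tag back to v1, or running `kubectl rollout undo deployment/vwaf-tenant-a`, performs the rollback with the same one-by-one replacement.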
It can be understood that in the network protection process, a tenant opens the corresponding service through the service opening module in the management node; different tenants create their corresponding security protection source stations in the opened service and set the security protection information for their source stations; the data processing node creates the protection instance corresponding to each tenant's protection source station according to the security protection information set in that source station; and when access traffic arrives, the access traffic of each tenant is forwarded to its corresponding protection instance for detection and cleaning according to the corresponding forwarding policy. During the protection of a source station, the protection functions of the protection instances corresponding to other tenants are not affected, so the security protection functions of different tenants are isolated and the service security protection of each tenant is improved.
Based on the above embodiment, through designing the core data object model to realize different WAF instance association and multi-tenant isolation of different tenants, the core data object model and part of fields corresponding to the network protection system in the present application can be represented by the following correspondence:
(1) The tenant object data model is shown in table 1:
TABLE 1
| Tenant identification | Protected source station | Bandwidth |
| --- | --- | --- |
| User 1 | www.xxx.com | 5M |
(2) The guard instance vWAF Pod object data model is shown in table 2:
TABLE 2
| Protection instance identification | Protection instance name | Protection instance version |
| --- | --- | --- |
| Protection instance identification 1 | Protection instance name 1 | Protection instance version 1 |
| Protection instance identification 2 | Protection instance name 2 | Protection instance version 2 |
(3) The access traffic forwarding object service data model is shown in table 3:
TABLE 3
| Traffic forwarding object identification | Traffic forwarding object name | Traffic forwarding object version |
| --- | --- | --- |
| Traffic forwarding object identification 1 | Traffic forwarding object name 1 | Version 1 |
(4) The access traffic entry object data model is shown in table 4:
TABLE 4
| Access traffic entry object identification | Access traffic entry object name | Access traffic entry object version |
| --- | --- | --- |
| Access traffic entry object identification 1 | Access traffic entry object name 1 | Version 1 |
(5) The correspondence between tenant object and access traffic entry identifier is shown in table 5:
TABLE 5
| Tenant identification | Access traffic entry identification |
| --- | --- |
| Tenant 1 | Access traffic entry 1 |
The tenant identification and the access traffic entry identification are associated.
(6) The correspondence between the access traffic entry and the access traffic forwarding object is shown in table 6:
TABLE 6
| Access traffic entry identification | Traffic forwarding object identification |
| --- | --- |
| Access traffic entry 1 | Traffic forwarding object identification 1 |
The access traffic entry identification is associated with the identification of the traffic forwarding object service.
(7) The correspondence between the access traffic forwarding object and the protection instance is shown in table 7:
TABLE 7
| Traffic forwarding object identification | Protection instance identification |
| --- | --- |
| Traffic forwarding object identification 1 | Protection instance identification 1 |
| Traffic forwarding object identification 2 | Protection instance identification 2 |
The identification of the traffic forwarding object service is associated with the protection instance identification.
Based on the above embodiments, a network protection system provided in the present application, as shown in fig. 3, includes a management node, a data processing node, and a database; the management node comprises a service opening module, a configuration management module, a strategy management module, a monitoring center module, an object creation module, a log center and a mirror image center; the data processing node is mainly responsible for detecting and cleaning attack flow in the protection tenant source station, and reinjecting the cleaned flow agent into the tenant source station to realize safety protection of the source station; the data processing node is provided with an entry Ingress object, a forwarding object service, a protection instance vWAF Pod and a log acquisition module running in a side car mode.
The service opening module is used for receiving a service opening request and opening a corresponding service based on the service opening request; recording service information and user information corresponding to the service; and sending the service information to a data processing node;
the configuration management module is used for creating a safety protection source station corresponding to the user information; configuring protection information corresponding to a safety protection source station on the safety protection source station; and sending protection information to the data processing node;
and the policy management module is used for configuring a security protection policy for the protection instance so that the protection instance can detect the access traffic and clean the traffic by using the security protection policy.
The monitoring center module is used for monitoring the used memory space of the protection instance in the running process, sending an instance increasing instruction to the data processing node when the used memory space is larger than a preset memory space threshold value, and sending an instance decreasing instruction to the data processing node when the used memory space is smaller than the preset memory space threshold value;
the object creation module is used for creating a flow forwarding object for the data processing node and associating the flow forwarding object with the protection instance so as to forward the access flow corresponding to the safety protection site to the corresponding protection instance through the flow forwarding object and detect the access flow and clean the flow.
The log center is used for outputting the attack information when the protection instance detects that the attack information corresponding to the attack traffic exists in the access traffic and transmits the attack information to the log center.
The mirror image center module is used for processing the security protection policy and generating a mirror image file corresponding to the security protection policy so as to realize templated configuration of the security protection policy by utilizing the mirror image file.
The image center module is further used for processing the protection instance of each version, generating a corresponding protection instance image file of one version to obtain protection instance image files of a plurality of versions, determining a protection instance image file of a target version from the protection instance image files of the plurality of versions by utilizing a preset rolling upgrading strategy, and changing the current protection instance version based on the protection instance image file of the target version.
The data processing node is used for creating a protection instance corresponding to the user information based on the service information and the protection information, and forwarding the access traffic corresponding to the safety protection source station to the protection instance so as to enable the protection instance to detect the access traffic and clean the traffic.
The data processing node is further configured to increase a protection instance corresponding to the safety protection source station according to the instance increase instruction, and decrease the protection instance corresponding to the safety protection source station according to the instance decrease instruction.
The data processing node is further used for processing the protection information and the service information to obtain a protection instance label corresponding to the protection instance, determining the protection instance corresponding to the access flow through the protection instance label, and forwarding the access flow corresponding to the safety protection source station to the corresponding protection instance.
The protection instance vWAF Pod is used for collecting attack information corresponding to the attack traffic and transmitting the attack information to the log center under the condition that the attack traffic exists in the access traffic.
The entry Ingress object is used to admit access traffic into the protection system, and the forwarding object service to which the traffic is handed is determined through the entry object.
The forwarding object service is applied to forwarding the access traffic to the corresponding protection instance through the forwarding object service when the access traffic is forwarded.
The log acquisition module is used for acquiring attack information corresponding to the attack flow and transmitting the attack information to the log center.
The embodiment of the application provides a network protection method, which is applied to a network protection system, as shown in fig. 4, and comprises the following steps:
S101, when a service opening request is received, the service opening module opens the corresponding service based on the service opening request; records the service information and user information corresponding to the service; and sends the service information to the data processing node.
In the embodiment of the application, the cloud WAF safety protection system comprises a management node and a data processing node, wherein the management node and the data processing node can be deployed in a K8s cluster, the management node can realize management work of the whole cluster, and the data processing node is a node for really processing service.
In the embodiment of the application, in the K8s cluster, a service opening module is included in a management node of the cloud WAF security protection system, a tenant can initiate a service opening request message in the service opening module according to own requirements, and the service opening module processes the request message of opening WAF service of the tenant and opens corresponding WAF service for the tenant.
In the embodiment of the application, in the process of opening the WAF service of the tenant, the tenant information corresponding to the WAF service and the opened service information are recorded, where the tenant information may be a specific operating company or specific personal information, and the service information may be the protection bandwidth, the traffic bandwidth, the number of requests per second (QPS), and the like.
In the embodiment of the application, after the service opening module records the tenant information corresponding to the opened WAF service and the opened service information, the recorded service information can be sent to the data processing node, and the data processing node can process the corresponding service by utilizing the received service information.
S102, the configuration management module creates a security protection source station corresponding to the user information; configures the protection information corresponding to the security protection source station on the security protection source station; and sends the protection information to the data processing node.
In the embodiment of the application, after the WAF service corresponding to the tenant is opened, the tenant may create a security protection source station corresponding to the tenant information through the configuration management module in the management node.
For example, tenant A opens a WAF service and security protection source station 1 is created for tenant A; tenant B also opens a WAF service and security protection source station 2 is created for tenant B.
In the embodiment of the application, after the security protection source station corresponding to the tenant information is created through the configuration management module, the protection information corresponding to the tenant is configured on the created security protection source station, wherein the protection information can be the protection source station IP, the source station port number, the security protocol channel SSL certificate information and the like.
In the embodiment of the application, the protection information can also be sent to the data processing node by carrying it in an instruction message sent by the configuration management module.
S103, the data processing node creates a protection instance corresponding to the user information based on the service information and the protection information, and forwards the access traffic corresponding to the safety protection source station to the protection instance so as to enable the protection instance to detect the access traffic and clean the traffic.
In the embodiment of the application, when the protected source station IP, the source station port number and the security protocol channel SSL certificate information are configured, an instruction message for creating a protection instance vWAF pod corresponding to the WAF service opened by the tenant is sent to the data processing node.
The sent instruction message carries the protected source station IP, source station port number, security protocol channel SSL certificate information and the like corresponding to the protection information.
In the embodiment of the application, when the protection instance vWAF pod corresponding to the WAF service opened by the tenant is created, the protection instance vWAF pod corresponding to the WAF service opened by the tenant is created according to the protection bandwidth and the QPS information in the service information carried in the instruction.
It should be noted that one tenant may correspond to a plurality of protection instances vWAF pod.
It should be noted that, the specific implementation process of creating the protection instance vWAF pod is not limited to the method implemented in the present application, and specifically, may be selected according to the actual situation, which is not specifically limited in the present application.
In the embodiment of the application, after the corresponding protection instance vWAF pod is successfully created for the tenant, the protection information, the service information and the like corresponding to the protection instance vWAF pod are set in the protection instance vWAF pod, and the source station IP, the source station port number, the QPS information and the like can be set in the protection instance vWAF pod.
In the embodiment of the application, after the corresponding protection information and service information are set in the protection instance vWAF pod, the data processing node can process the protection information and the service information to obtain the protection instance label corresponding to the protection instance; and determining a protection instance corresponding to the access traffic through the protection instance tag, and forwarding the access traffic corresponding to the safety protection source station to the corresponding protection instance.
In the embodiment of the application, the vWAF pod label corresponding to the protection instance can be generated by utilizing a specific rule according to the protection information and the service information set in the protection instance. Specifically, the manner of generating the vWAF pod label may be selected according to practical situations, and the present application is not limited in particular.
In the embodiment of the application, the vWAF pod label and the protection instance vWAF pod are in one-to-one correspondence, a unique corresponding protection instance vWAF pod can be determined according to the vWAF pod label, and when the source station to be protected by the tenant is accessed by the access flow, the protection instance vWAF pod corresponding to the source station to be protected by the tenant can be determined according to the vWAF pod label.
It should be noted that, in the present application, by creating different protection instances vWAF pod for different tenants, the protection capability between different tenants in the data processing node is isolated from each other.
In the embodiment of the application, the management node also comprises an object creation module, and the traffic forwarding object can be created for the data processing node by using the object creation module; and the flow forwarding object is associated with the protection instance so as to realize the processes of forwarding the access flow corresponding to the safety protection source station to the corresponding protection instance, and detecting and cleaning the access flow.
In the embodiment of the application, after the data processing node completes the creation of the protection instance vWAF pod, a user can create an object service for traffic forwarding in the data processing node through an object creation module in the management node.
In the embodiment of the application, when the traffic forwarding object service is created, the created traffic forwarding object service is associated with the generated vWAF pod label through fields set in the data table; the access traffic can then be forwarded through the object service to different vWAF pod labels, and the detection and cleaning of the tenant's access traffic is performed on the corresponding protection instance vWAF pod determined through the vWAF pod label.
In the embodiment of the application, in the process of accessing and forwarding the traffic through the object service, an entry Ingress object for forwarding the traffic through the object service is also required to be created.
In the embodiment of the application, the Ingress object can be created according to service information or protection information configured in the protection source station.
It should be noted that, the creation of the entry object may be created by other ways than the present application, specifically, may be selected according to the actual situation, and the present application is not limited specifically.
In the embodiment of the application, after the creation of the Ingress object is completed, the forwarding object services bound to the domain names of the different protection source stations are set in the Ingress object. Through the relation between the Ingress object and the forwarding object services, the access traffic of different protection source stations is forwarded to different forwarding object services, and then the protection instance vWAF Pod that protects that access traffic is determined through the relation between the forwarding object service and the vWAF Pod label, so that the vWAF Pods protect the sites of multiple users.
In the embodiment of the application, the data processing node can determine the vWAF pod label to be forwarded by the access flow corresponding to the safety protection source station through the access entry object and the forwarding object service associated with the access flow, further determine the protection instance corresponding to the safety protection source station through the vWAF pod label, and detect and clean the access flow through the determined safety protection instance.
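As an added example (not from the patent), the entry object and forwarding object chain described above for two tenants: an Ingress routes each protected domain name to that tenant's Service, and each Service selects only the Pods carrying that tenant's vWAF pod label. www.xxx.com comes from table 1; the second host name, namespace, Service names, label values, TLS secret names and ports are constructed placeholders.

```yaml
# Added example (not from the patent): per-tenant forwarding object services
# selected by the vWAF Pod label, and one Ingress entry object that binds
# each protected domain to the tenant's service. Values are placeholders.
apiVersion: v1
kind: Service
metadata:
  name: vwaf-svc-tenant-a          # traffic forwarding object of tenant A
  namespace: waf
spec:
  selector:                        # matches only Pods carrying tenant A's vWAF pod label
    app: vwaf
    tenant: tenant-a
  ports:
    - name: http
      port: 80
      targetPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: vwaf-svc-tenant-b          # traffic forwarding object of tenant B
  namespace: waf
spec:
  selector:
    app: vwaf
    tenant: tenant-b               # different label value: tenant B's traffic never reaches tenant A's Pods
  ports:
    - name: http
      port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vwaf-entry                 # the access traffic entry object
  namespace: waf
spec:
  tls:
    - hosts: [www.xxx.com]
      secretName: tls-tenant-a     # SSL certificate from tenant A's protection information
    - hosts: [www.yyy.example]
      secretName: tls-tenant-b
  rules:
    - host: www.xxx.com            # protected source station of tenant A (table 1)
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: vwaf-svc-tenant-a
                port:
                  name: http
    - host: www.yyy.example        # protected source station of tenant B (placeholder)
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: vwaf-svc-tenant-b
                port:
                  name: http
```

A request whose Host header matches neither rule is not forwarded to any vWAF Pod, and a Pod whose labels match neither selector receives no Ingress traffic, which is what makes the per-tenant isolation checkable from the objects alone.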
After the access flow is detected and the flow is cleaned in the security protection instance, the cleaned flow agent is returned to the tenant source station, so that the security protection of the tenant source station is realized.
Optionally, in the embodiment of the present application, when the protection instance detects that attack information corresponding to the attack traffic exists in the access traffic, and transmits the attack information to a log center in the management node, the attack information is output through the log center.
In the embodiment of the application, when the traffic accessing the tenant source station is forwarded to the tenant's corresponding protection instance vWAF pod, the protection instance vWAF pod in the data processing node detects the access traffic. When it detects that attack traffic exists in the access traffic, an Agent log reporting module running in Sidecar mode in the protection instance vWAF pod can acquire the detailed information of the attack traffic and transmit it to the log center in the management node, where the tenant can view the detailed attack information.
It should be noted that, in the conventional log collection manner, the log collection module Agent needs to be deployed into the protection instance in advance, and the collection rule is configured after the protection instance is configured. The Agent log reporting module running in Sidecar mode is packaged together with the protection instance vWAF Pod, so that the Agent log collection is automatically created and configured along with the creation of the user service, which improves efficiency; when a fault occurs, the normal collection and presentation of other users' logs are not affected, and fault isolation among the protection source stations of different tenants is realized.
Optionally, in an embodiment of the present application, a policy management module in the management node may configure a security protection policy for the protection instance, so that the protection instance uses the security protection policy to detect and clean the access traffic.
In the embodiment of the application, during the process of creating the protection instance and using it to protect the tenant's source station, the tenant may also set a custom security protection policy. Specifically, the tenant may configure custom security protection policy information in the policy management module of the management node according to the requirements of the protection source station in the service; the custom security protection policy may be, for example, an IP black-and-white list, a URL black-and-white list, or a traffic label.
In the embodiment of the application, the tenant can, through the management node, set a custom security protection policy in the protection instance corresponding to the protection source station according to the source station's current protection requirements, and the protection instance then protects the source station according to the configured security protection policy, which improves the security of the protection source station.
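As an added example (not code from the patent), the following evaluator applies the three kinds of custom policy named above, IP black-and-white list, URL black-and-white list and traffic label, to a request before it reaches the WAF detection engine. The rule formats and the precedence order are assumptions, since the patent does not specify them; the tenant policy and requests are constructed.

```python
"""Added example (not code from the patent): a small evaluator for the custom
security protection policies the text lists (IP black/white list, URL
black/white list, traffic label). The rule formats and the precedence order
are assumptions; the patent does not specify them. The tenant policy and
requests below are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProtectionPolicy:
    ip_whitelist: List[str] = field(default_factory=list)   # CIDRs always allowed
    ip_blacklist: List[str] = field(default_factory=list)   # CIDRs always blocked
    url_whitelist: List[str] = field(default_factory=list)  # path regexes that bypass inspection
    url_blacklist: List[str] = field(default_factory=list)  # path regexes that are blocked
    labels: Dict[str, str] = field(default_factory=dict)    # path regex -> traffic label


@dataclass(frozen=True)
class Request:
    src_ip: str
    path: str


@dataclass(frozen=True)
class Decision:
    action: str                  # "allow" | "block" | "inspect"
    reason: str
    label: Optional[str] = None


def _ip_in(ip: str, cidrs: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _url_match(path: str, patterns: List[str]) -> bool:
    return any(re.search(p, path) for p in patterns)


def evaluate(policy: ProtectionPolicy, req: Request) -> Decision:
    """Assumed precedence: IP blacklist > IP whitelist > URL blacklist > URL whitelist > inspect.

    The traffic label is attached whatever the decision, so the log center can
    group attack records by the tenant's own traffic categories. "inspect"
    means the request is handed to the vWAF detection engine.
    """
    label = next((lbl for pat, lbl in policy.labels.items() if re.search(pat, req.path)), None)
    if _ip_in(req.src_ip, policy.ip_blacklist):
        return Decision("block", "ip_blacklist", label)
    if _ip_in(req.src_ip, policy.ip_whitelist):
        return Decision("allow", "ip_whitelist", label)
    if _url_match(req.path, policy.url_blacklist):
        return Decision("block", "url_blacklist", label)
    if _url_match(req.path, policy.url_whitelist):
        return Decision("allow", "url_whitelist", label)
    return Decision("inspect", "default", label)


# Constructed tenant policy for illustration (documentation/test address ranges).
TENANT_POLICY = ProtectionPolicy(
    ip_whitelist=["10.0.0.0/8"],
    ip_blacklist=["203.0.113.0/24"],
    url_whitelist=[r"^/static/"],
    url_blacklist=[r"^/admin/"],
    labels={r"^/api/": "api", r"^/admin/": "admin"},
)

if __name__ == "__main__":
    for ip, path in [("10.1.2.3", "/admin/users"), ("203.0.113.9", "/static/a.css"),
                     ("198.51.100.4", "/api/login")]:
        print(ip, path, evaluate(TENANT_POLICY, Request(ip, path)))
```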
Optionally, the image center module in the management node may further process the security protection policy and generate an image file corresponding to the security protection policy, so as to implement templated configuration of the security protection policy by using the image file.
In the embodiment of the application, when the tenant modifies the created protection instance vWAF Pod according to the current requirements of the protection source station, the tenant's customized protection instance vWAF Pod is obtained.
In the embodiment of the application, the tenant can customize the security protection policy in the protection instance; the image center module can generate a security protection configuration template from the protection instance vWAF Pod in which the tenant's customized security protection policy is set, and the template is stored as an image in a database corresponding to the image center module.
It should be noted that protection instance vWAF Pods customized with different security protection policies may generate different security protection configuration templates, and the different templates correspond to different versions of the protection instance vWAF Pod.
In the embodiment of the application, when a security protection instance is configured, templated configuration of different security protection instances can be achieved by directly obtaining the security protection instance of the corresponding version.
In the embodiment of the application, when a tenant needs to add a security protection instance, the image file of the corresponding security protection instance can be obtained through the image center module, and the obtained image file is used directly to apply the custom security protection policy to the newly added security protection instance, so that the newly added instance does not need to be configured by hand again.
Optionally, in the embodiment of the present application, the image center module may also be used to process each version of the protection instance to obtain protection instance image files of multiple versions, determine a target-version protection instance image file from them by using a preset rolling upgrade policy, and change the current protection instance version based on the target-version image file.
In the embodiment of the application, when the protection function of the tenant's protection instance vWAF Pod is upgraded, the development software for each version of the protection instance is released; image files corresponding to the different versions are generated by processing the protection instance vWAF Pods of the different versions and are transmitted to the image center module. The tenant selects the new image file corresponding to the protection instance from the image center module in the management node and associates it with the protection source station; K8s then uses a rolling upgrade policy to gradually replace the old-version protection instance vWAF Pods with new-version ones, completing the version upgrade of the protection instance vWAF Pod.
As shown in fig. 2, by using the controller RC in K8s, multiple protection instance vWAF Pods may be associated under one controller RC. When the protection instance vWAF Pod is upgraded from version v1 to version v2, the rolling upgrade policy first selects the first version-v1 protection instance vWAF Pod, then selects the version-v2 protection instance vWAF Pod from the image center and replaces the first v1 Pod with it, completing the upgrade of one protection instance vWAF Pod among the tenant's protection instances. It then selects the second version-v1 protection instance vWAF Pod, again selects the version-v2 Pod from the image center, replaces the second v1 Pod with it, and completes the upgrade of the second Pod. This continues in the same way until all version-v1 protection instance vWAF Pods of the tenant's protection instance have been replaced.
It should be noted that, when one or more of the RC-associated protection instance vWAF Pods fail, the data processing node creates new protection instance vWAF Pods to ensure that the number of running protection instance vWAF Pods reaches the expected number.
In another embodiment of the present application, when the protection policy corresponding to a protection instance needs to be upgraded (the protection policy may, for example, be a policy for 0-day vulnerability protection), the protection instance carrying the updated protection policy is made into an image file and uploaded to the image center. The tenant selects the new image file corresponding to the protection instance from the image center module in the management node and associates it with the protection source station; K8s then uses a rolling upgrade policy to gradually replace the old-version protection instance vWAF Pods with new-version ones, which completes the version upgrade of the protection instance vWAF Pod.
It should be noted that the rolling upgrade method used when upgrading the protection policy in the protection instance is the same as the process used when upgrading the protection function of the tenant's protection instance vWAF Pod; for details, reference may be made to the implementation process illustrated in fig. 2, which is not repeated here.
After the protection policy corresponding to the protection instance has been upgraded, if the upgraded protection policy does not protect the protection source station well, the upgraded version can be rolled back. When the protection instance version is rolled back, the image file version corresponding to the protection instance to be restored is selected from the image center module, and the image file version corresponding to the upgraded protection instance is replaced by the selected image file version.
It should be noted that the protection instance version rollback is performed in the same way as the protection instance version upgrade, by replacing Pods one by one; for details, reference may be made to the implementation process of the protection instance version upgrade, which is not repeated here.
It should be noted that, in the embodiment of the present application, the protection system is implemented in a containerized manner, so that gray (canary) release and fault self-healing of the protection system can be implemented.
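The following is an added example, not code from the patent or from K8s: a plain-Python model of the RC-managed behaviour described above, covering the one-by-one rolling replacement of v1 Pods by v2 Pods, the rollback performed by the same procedure in the other direction, and the self-healing that recreates failed Pods up to the expected count. The image tags and Pod names are constructed placeholders.

```python
"""Added example (not code from the patent or Kubernetes): a simulation of the
rolling upgrade, rollback and self-healing behaviour described for the
RC-managed vWAF Pods. Image tags and Pod names are constructed placeholders."""
import itertools
from dataclasses import dataclass, field
from typing import Dict, List

_ids = itertools.count(1)  # source of unique Pod names


@dataclass
class Pod:
    name: str
    image: str
    healthy: bool = True


@dataclass
class ReplicationController:
    """Keeps `replicas` healthy Pods running `image`, the version selected from the image center."""
    tenant: str
    image: str
    replicas: int
    pods: List[Pod] = field(default_factory=list)
    events: List[str] = field(default_factory=list)

    def _spawn(self) -> Pod:
        pod = Pod(f"vwaf-{self.tenant}-{next(_ids)}", self.image)
        self.pods.append(pod)
        self.events.append(f"create {pod.name} {pod.image}")
        return pod

    def reconcile(self) -> None:
        """Self-healing: drop failed Pods and recreate until the expected count is reached."""
        for pod in [p for p in self.pods if not p.healthy]:
            self.pods.remove(pod)
            self.events.append(f"remove failed {pod.name}")
        while len(self.pods) < self.replicas:
            self._spawn()

    def rolling_update(self, new_image: str) -> List[str]:
        """Replace Pods one at a time: start one Pod on new_image, then retire one old Pod.

        The same procedure serves an upgrade (v1 -> v2) and a rollback (v2 -> v1);
        only the target image differs. Returns one step description per replaced Pod.
        """
        steps: List[str] = []
        self.image = new_image
        for old in [p for p in self.pods if p.image != new_image]:
            new = self._spawn()       # bring up the replacement first
            self.pods.remove(old)     # then retire the old-version Pod
            steps.append(f"{old.name}({old.image}) -> {new.name}({new.image})")
            self.reconcile()          # expected count is maintained throughout
        return steps

    def images(self) -> Dict[str, int]:
        """Running Pod count per image tag, e.g. {"vwaf:v2": 3} after a full upgrade."""
        counts: Dict[str, int] = {}
        for p in self.pods:
            counts[p.image] = counts.get(p.image, 0) + 1
        return counts


if __name__ == "__main__":
    rc = ReplicationController("tenant-a", "vwaf:v1", 3)
    rc.reconcile()                          # initial creation of three v1 Pods
    rc.pods[1].healthy = False
    rc.reconcile()                          # failed Pod is replaced, count stays at 3
    for step in rc.rolling_update("vwaf:v2"):
        print(step)
    print(rc.images())                      # {'vwaf:v2': 3}
    print(rc.rolling_update("vwaf:v1")[0])  # rollback uses the same one-by-one procedure
```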
Optionally, the management node further includes a monitoring center module, where the monitoring center module is configured to monitor the memory space used by the protection instance during operation, send an instance increase instruction to the data processing node when the used memory space is greater than a preset memory space threshold, and send an instance decrease instruction to the data processing node when the used memory space is monitored to be less than the preset memory space threshold; the data processing node adds a protection instance corresponding to the security protection source station according to the instance increase instruction, and removes a protection instance corresponding to the security protection source station according to the instance decrease instruction.
In the embodiment of the application, when the monitoring center module detects during operation that the processing capacity of the whole cluster is insufficient, the processing capacity of the cluster can be improved by dynamically adding a new K8s node. Specifically, when CPU usage exceeds the set threshold during operation of the tenant's protection instance vWAF Pod, the data processing node may automatically create a new protection instance vWAF Pod to relieve the load on the vWAF Pods running in the current cluster; when CPU usage drops again, the number of vWAF Pods is dynamically reduced, which avoids wasting cluster resources and achieves dynamic capacity scaling.
It should be noted that the memory threshold may be selected according to practical situations, and the present application is not limited in particular.
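As an added example (not code from the patent), the monitoring center's increase/decrease decision is written below as a pure function over the memory used by each running Pod, together with the cluster-level check that decides whether a new K8s node is needed before another Pod can be placed. The patent describes a single threshold; this example assumes a separate, lower scale-in threshold and min/max replica bounds so that usage hovering around the threshold does not make the instance count flap.

```python
"""Added example (not code from the patent): the monitoring center's scaling
decision as a pure function over per-Pod memory usage. The patent describes a
single threshold; this example assumes a separate, lower scale-in threshold
and min/max replica bounds so usage hovering around the threshold does not
make the instance count flap. All numbers below are constructed values."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ScalePolicy:
    scale_out_mb: int        # add an instance when average used memory exceeds this
    scale_in_mb: int         # remove an instance when average used memory falls below this
    min_replicas: int = 1
    max_replicas: int = 10


@dataclass(frozen=True)
class ScaleInstruction:
    action: str              # "increase" | "decrease" | "none"
    target_replicas: int
    avg_mb: float


def decide(policy: ScalePolicy, used_mb: List[int]) -> ScaleInstruction:
    """Return the instance-increase/decrease instruction for one tenant's protection instances.

    used_mb holds the memory used by each running vWAF Pod. Each decision
    changes the count by one, matching the one-at-a-time Pod creation the
    data processing node performs.
    """
    if policy.scale_in_mb >= policy.scale_out_mb:
        raise ValueError("scale_in_mb must be below scale_out_mb")
    current = len(used_mb)
    if current == 0:                       # nothing running: restore the minimum
        return ScaleInstruction("increase", max(1, policy.min_replicas), 0.0)
    avg = sum(used_mb) / current
    if avg > policy.scale_out_mb and current < policy.max_replicas:
        return ScaleInstruction("increase", current + 1, avg)
    if avg < policy.scale_in_mb and current > policy.min_replicas:
        return ScaleInstruction("decrease", current - 1, avg)
    return ScaleInstruction("none", current, avg)


def needs_new_node(node_free_mb: List[int], pod_request_mb: int) -> bool:
    """Cluster-level check: an increase instruction can only be honoured if some K8s
    node has room for one more Pod; otherwise the cluster itself must grow first."""
    return not any(free >= pod_request_mb for free in node_free_mb)


if __name__ == "__main__":
    policy = ScalePolicy(scale_out_mb=800, scale_in_mb=300, min_replicas=1, max_replicas=4)
    print(decide(policy, [900, 950]))       # constructed samples: scale out to 3
    print(decide(policy, [100, 120, 90]))   # constructed samples: scale in to 2
    print(needs_new_node([128, 256], 512))  # no node has 512 MB free: add a node first
```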
It should be noted that, the data model adopted in the network protection method may be set with reference to the data object model and a part of fields related in the network protection system, which are not described herein.
It can be appreciated that, in the network protection process, a tenant opens the corresponding service through the service opening module in the management node; different tenants create their corresponding security protection source stations within the opened services and set the security protection information corresponding to each tenant in the source station. The data processing node creates the protection instances corresponding to the protection source stations of the different tenants according to the security protection information set in the different source stations, and when access traffic arrives, the access traffic of each tenant is forwarded to its corresponding protection instance for detection and cleaning according to the corresponding forwarding policy. During protection of a source station, the protection functions that other tenants' protection instances provide for their own protection source stations are not affected, so that the security protection functions of different tenants are isolated and the service security protection of each tenant is improved.
The embodiment of the application provides a storage medium on which a computer program is stored; the computer-readable storage medium stores one or more programs that can be executed by one or more processors, the computer program is applied to the network protection system 1, and when executed it implements the network protection method described above. The processor may be at least one of an application specific integrated circuit (ASIC), a digital signal processor (DSP), a digital signal processing device (DSPD), a programmable logic device (PLD), a field programmable gate array (FPGA), a CPU, a controller, a microcontroller, or a microprocessor. It will be appreciated that the electronics used to implement the above processor functions may differ for different devices, and the present embodiment is not particularly limited in this respect.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
From the above description of the embodiments, it will be clear to those skilled in the art that the method of the above embodiments may be implemented by software plus a necessary general-purpose hardware platform, and of course may also be implemented by hardware, but in many cases the former is the preferred embodiment. Based on this understanding, the technical solution of the present disclosure, in essence or in the part contributing to the related art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk or optical disk) that includes several instructions for causing a terminal (which may be a mobile phone, a computer, a server, an air conditioner, a network device, etc.) to perform the method described in the embodiments of the present disclosure.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A network protection system, the system comprising: a management node and a data processing node; the management node comprises a service opening module and a configuration management module;
The service opening module is used for receiving a service opening request and opening corresponding service based on the service opening request; recording service information and user information corresponding to the service; and sending the service information to the data processing node;
the configuration management module is used for creating a safety protection source station corresponding to the user information; configuring protection information corresponding to the safety protection source station on the safety protection source station; and sending the protection information to the data processing node;
the data processing node is configured to create a protection instance corresponding to the user information based on the service information and the protection information, and forward the access traffic corresponding to the security protection source station to the protection instance, so that the protection instance detects the access traffic and cleans the traffic.
2. The system of claim 1, wherein the management node further comprises: a monitoring center module;
the monitoring center module is used for monitoring the memory space used by the protection instance during operation, sending an instance increase instruction to the data processing node when the used memory space is larger than a preset memory space threshold value, and sending an instance decrease instruction to the data processing node when the used memory space is smaller than the preset memory space threshold value;
the data processing node is configured to increase the protection instance corresponding to the safety protection source station according to the instance increase instruction, and decrease the protection instance corresponding to the safety protection source station according to the instance decrease instruction.
3. The system of claim 1, wherein the management node further comprises: a policy management module;
the policy management module is configured to configure a security protection policy for the protection instance, so that the protection instance detects and cleans the access traffic by using the security protection policy.
4. The system of claim 3, wherein the management node further comprises: an image center module;
the image center module is used for processing the security protection policy and generating an image file corresponding to the security protection policy, so as to realize templated configuration of the security protection policy by utilizing the image file.
5. The system of claim 4, wherein
the image center module is further used for processing the protection instance of each version to obtain protection instance images of a plurality of versions, determining the protection instance image of a target version from the protection instance images of the plurality of versions by utilizing a preset rolling upgrade policy, and changing the current protection instance version based on the protection instance image of the target version.
6. The system according to claim 1, wherein the management node further comprises: an object creation module;
the object creation module is configured to create a flow forwarding object for the data processing node, and associate the flow forwarding object with the protection instance, so as to forward an access flow corresponding to a security protection source station to the corresponding protection instance through the flow forwarding object, thereby implementing detection and flow cleaning of the access flow.
7. The system of claim 1, wherein
the data processing node is further configured to process the protection information and the service information to obtain a protection instance tag corresponding to the protection instance, determine, by using the protection instance tag, a protection instance corresponding to the access traffic, and forward the access traffic corresponding to the security protection source station to the corresponding protection instance.
8. The system of claim 1, wherein the management node further comprises: a log center;
the log center is configured to output attack information when the protection instance detects that attack information corresponding to attack traffic exists in the access traffic and transmits the attack information to the log center.
9. A network protection method, applied in the network protection system of any one of claims 1 to 8, comprising:
the service opening module opens corresponding service based on the service opening request under the condition that the service opening request is received; and recording service information and user information corresponding to the service; and sending the service information to a data processing node;
the configuration management module creates a safety protection source station corresponding to the user information; configuring protection information corresponding to the safety protection source station on the safety protection source station; and sending the protection information to the data processing node;
and the data processing node creates a protection instance corresponding to the user information based on the service information and the protection information, and forwards the access traffic corresponding to the safety protection source station to the protection instance so as to enable the protection instance to detect the access traffic and clean the traffic.
10. A storage medium having stored thereon a computer program which, when executed, implements the method as claimed in claim 9.
CN202211240901.9A 2022-10-11 2022-10-11 Network protection system, method and storage medium Pending CN116800451A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211240901.9A CN116800451A (en) 2022-10-11 2022-10-11 Network protection system, method and storage medium


Publications (1)

Publication Number Publication Date
CN116800451A true CN116800451A (en) 2023-09-22

Family

ID=88048628

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination