CN117938525A - Firewall configuration method, device, computer equipment and storage medium - Google Patents


Info

Publication number
CN117938525A
Authority
CN
China
Prior art keywords
firewall
port
group
rules
access control
Legal status
Pending
Application number
CN202410138300.XA
Other languages
Chinese (zh)
Inventor
孙希发
马良义
Current Assignee
Inspur Jinan data Technology Co ltd
Original Assignee
Inspur Jinan data Technology Co ltd
Application filed by Inspur Jinan data Technology Co ltd
Priority to CN202410138300.XA
Publication of CN117938525A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • H04L63/02 Network architectures or network communication protocols for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0227 Filtering policies
    • H04L63/10 Network architectures or network communication protocols for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to the technical field of network security and discloses a firewall configuration method, a firewall configuration device, computer equipment and a storage medium. The method comprises the following steps: creating a firewall group, wherein the firewall group corresponds to a port group and associates an ingress firewall policy and an egress firewall policy for the ingress port and the egress port; each policy comprises a plurality of firewall rules, and a firewall rule instructs the port to execute a corresponding action on data packets that meet a first matching condition, the action being either allowing the data packet to pass or rejecting it; associating a plurality of first access control rules of the cloud computing network platform with the port group, wherein the first access control rules are obtained by converting the firewall rules; and, when a target port is added to the firewall group, associating the target port with the port group so that the cloud computing network platform sends a firewall flow table to the target port. The method and device can improve the security of the cloud computing network platform.

Description

Firewall configuration method, device, computer equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a firewall configuration method, a firewall configuration device, a computer device, and a storage medium.
Background
The cloud computing network platform is used as a novel distributed computing mode based on the Internet, and is widely applied to big data application scenes, cross-platform application scenes and the like by virtue of the characteristics of high efficiency, reliability and easiness in maintenance. Because of the characteristics of virtualization, large scale, openness and the like, the cloud computing network platform has much larger security threat and challenge than the traditional network information system, and brings more security risks.
At present, the traffic filtering mechanism of a cloud computing network platform is mainly implemented through security groups, which provide security protection for the users of the platform. However, a security group generally supports only a whitelist, and its rules are not flexible enough, so the security of the cloud computing network platform is relatively low and the platform's ever-increasing security requirements may not be met.
Disclosure of Invention
In view of the above, the present invention provides a firewall configuration method, apparatus, computer device and storage medium, so as to solve the problem of low security of the cloud computing network platform.
In a first aspect, the present invention provides a firewall configuration method, where the method includes: creating a firewall group, wherein the firewall group corresponds to a port group and associates an ingress firewall policy and an egress firewall policy for the ingress port and the egress port; the ingress firewall policy and the egress firewall policy each comprise a plurality of firewall rules, and a firewall rule instructs the port to execute a corresponding action on data packets that meet a first matching condition, the action being either allowing the data packet to pass or rejecting it; associating a plurality of first access control rules of a cloud computing network platform with the port group, wherein the first access control rules are determined by converting the firewall rules; and, when a target port is added to the firewall group, associating the target port with the port group so that the cloud computing network platform can send a firewall flow table to the target port, wherein the firewall flow table instructs the target port to execute the corresponding actions on incoming and outgoing data packets.
According to the firewall configuration method provided by this embodiment, after the firewall group is created, a plurality of first access control rules of the cloud computing network platform are associated with the port group; then, when a target port is added to the firewall group, the target port is associated with the port group corresponding to the firewall group, so that the cloud computing network platform sends a firewall flow table to the target port and the filtering of data packets is realized. In this embodiment the firewall can be configured at the port, so that the port can not only pass data packets but also reject them; blacklists and whitelists are supported at the same time, which improves the security of the cloud computing network platform, and the port can be used in more scenarios and meet the diversified demands of users.
In an alternative embodiment, associating the target port with the port group includes: associating the target port with the port group through a preset reference relationship.
In this embodiment, the target port is associated to the port group through the preset reference relationship, so that the firewall rule is convenient to modify, and the data processing logic is reduced.
In an alternative embodiment, the port group is stored in a database of the cloud computing network platform, the method further comprising: and when the target port is deleted, releasing the preset reference relation between the target port and the port group.
In this embodiment, since the OVN northbound database holds a preset reference relationship from port to port group, the preset reference relationship between the target port and the port group needs to be released when the target port is deleted; releasing it automatically unbinds the relationship between the port and the access control list, so the first access control rules are removed from the deleted port.
In an alternative embodiment, the method further comprises: creating a security group, wherein the security group corresponds to the port group, and the security group comprises a plurality of security group rules, and the security group rules are used for indicating the port to perform pass-through permission operation on the data packets meeting the second matching condition; associating a plurality of second access control rules of the cloud computing network platform at the port group, wherein the second access control rules are determined by converting the security group rules; configuring a first identifier and a first priority for the first access control rule, and configuring a second identifier and a second priority for the second access control rule, wherein the first identifier and the second identifier are different, and the first priority is greater than the second priority; storing the plurality of first access control rules and the plurality of second access control rules at different locations of the cloud computing network platform; and in the case that the target port is added to the security group, associating the target port to the port group, so that the cloud computing network platform sends a security group flow table to the target port, wherein the security group flow table is used for indicating the target port to perform pass-through permission operation on the data packets meeting the second matching condition.
According to the firewall configuration method provided by this embodiment, an identifier is added to the ACL table of the OVN northbound database to distinguish the access control lists of the firewall group from those of the security group; when the southbound logical flow table is generated, the ACL rules are converted into different logical flow tables according to their identifiers, so that rule conflicts at the flow-table level are avoided, the security group and the firewall coexist, and multi-layer protection of cloud network security is realized. By adding the priority, the firewall flow table is placed ahead of the security group flow table, so that whether traffic enters or leaves, a data packet is filtered first by the firewall rules and then by the security group rules; multi-layer control of traffic filtering is thus realized and the security of the cloud computing platform is further improved.
In an alternative embodiment, the plurality of firewall rules are configured with priorities, and the method further comprises: when a target firewall rule is deleted from or inserted into a target firewall policy, adjusting the priority of the first access control rules corresponding to the first firewall rules to obtain an updated priority sequence, wherein the target firewall policy is the ingress firewall policy or the egress firewall policy, the first firewall rules are the firewall rules under the target firewall policy other than the target firewall rule, and the target firewall rule is configured with a priority; and inserting or deleting the target access control rule according to the updated priority sequence, wherein the target access control rule is determined by converting the target firewall rule.
According to the firewall configuration method provided by the embodiment, when the target firewall rule is deleted or inserted in the target firewall policy, the priority of the first access control rule corresponding to the first firewall rule is firstly adjusted, after the updated priority sequence is obtained, the target access control rule is inserted or deleted according to the updated priority sequence, so that the atomic operation is realized, the leakage of the flow in the modification process is prevented, and the filtering influence on the passing network flow is reduced.
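The two mechanisms described in the preceding paragraphs, the identifier that keeps firewall ACLs ahead of security-group ACLs and the two-step priority update that renumbers the remaining rules before the target rule is inserted or deleted, can be checked with a small simulation. The following is an added example and not code from the patent, from OpenStack or from OVN: the `Acl` model, the base priority of 2000, the packet fields and the sample rules are constructed here, and the evaluation semantics (a firewall reject is final; otherwise the packet continues to the security-group whitelist when one is configured) are an assumption inferred from the description.

```python
import copy
from dataclasses import dataclass

BASE = 2000  # assumed base priority: position 0 of an ordered policy gets BASE, position 1 gets BASE-1, ...


@dataclass
class Acl:
    kind: str       # identifier that tells firewall ACLs from security-group ACLs
    priority: int   # larger value is matched first within its layer
    match: dict     # simplified match: packet field -> required value ({} matches all)
    action: str     # "allow" or "drop"


def first_match(acls, pkt):
    for acl in sorted(acls, key=lambda a: -a.priority):
        if all(pkt.get(k) == v for k, v in acl.match.items()):
            return acl
    return None


def evaluate(acls, pkt):
    """Firewall layer first, security-group layer (allow-only whitelist) second.
    Assumed semantics: a firewall reject is final; otherwise the packet goes on to the
    security-group layer if one is configured, where no match means drop."""
    hit = first_match([a for a in acls if a.kind == "firewall"], pkt)
    if hit is not None and hit.action == "drop":
        return "drop"
    sg = [a for a in acls if a.kind == "security_group"]
    if not sg:
        return "allow" if hit is not None else "drop"
    return "allow" if first_match(sg, pkt) is not None else "drop"


def layer_from_policy(rules, kind):
    """Ordered rule list -> ACLs of one layer; earlier position = higher priority."""
    return [Acl(kind, BASE - i, dict(r["match"]), r["action"]) for i, r in enumerate(rules)]


def _split(acls, kind):
    layer = sorted((copy.copy(a) for a in acls if a.kind == kind), key=lambda a: -a.priority)
    return layer, [a for a in acls if a.kind != kind]


def insert_rule(acls, kind, index, rule):
    """Step 1: renumber the existing rules of the layer to the updated sequence.
    Step 2: add the target ACL at the priority that step 1 left free.
    Returns the ACL set after each step so the transition can be checked."""
    layer, others = _split(acls, kind)
    for pos, acl in enumerate(layer):
        acl.priority = BASE - (pos if pos < index else pos + 1)
    step1 = others + [copy.copy(a) for a in layer]
    layer.insert(index, Acl(kind, BASE - index, dict(rule["match"]), rule["action"]))
    return step1, others + layer


def delete_rule(acls, kind, index):
    """Same two steps for deletion: renumber the others, then remove the target.
    Between the steps the target and its successor share a priority, but both are
    rules of the old or the new policy, so no foreign rule ever handles traffic."""
    layer, others = _split(acls, kind)
    for pos, acl in enumerate(layer):
        if pos > index:
            acl.priority = BASE - (pos - 1)
    step1 = others + [copy.copy(a) for a in layer]
    del layer[index]
    return step1, others + layer


def transition_is_safe(before, intermediate, after, packets):
    """Every intermediate verdict must be one the old or the new policy gives."""
    for pkt in packets:
        allowed = {evaluate(before, pkt), evaluate(after, pkt)}
        if any(evaluate(state, pkt) not in allowed for state in intermediate):
            return False
    return True


# Constructed sample data: the firewall rejects SSH from one host and allows the
# rest; the security group whitelists TCP only, so UDP is dropped by the second layer.
FW_RULES = [
    {"match": {"proto": "tcp", "dst_port": 22, "src_ip": "10.0.0.9"}, "action": "drop"},
    {"match": {}, "action": "allow"},
]
SG_RULES = [{"match": {"proto": "tcp"}, "action": "allow"}]
PACKETS = [
    {"proto": "tcp", "dst_port": 22, "src_ip": "10.0.0.9"},
    {"proto": "tcp", "dst_port": 443, "src_ip": "10.0.0.9"},
    {"proto": "udp", "dst_port": 53, "src_ip": "10.0.0.5"},
]


def demo():
    acls = layer_from_policy(FW_RULES, "firewall") + layer_from_policy(SG_RULES, "security_group")
    verdicts = [evaluate(acls, p) for p in PACKETS]
    new_rule = {"match": {"src_ip": "10.0.0.5"}, "action": "drop"}   # inserted at the top
    s1, s2 = insert_rule(acls, "firewall", 0, new_rule)
    safe_insert = transition_is_safe(acls, [s1], s2, PACKETS)
    distinct = len({a.priority for a in s2 if a.kind == "firewall"}) == 3  # no priority collision
    d1, d2 = delete_rule(s2, "firewall", 0)
    safe_delete = transition_is_safe(s2, [d1], d2, PACKETS)
    return verdicts, safe_insert, distinct, safe_delete
```

`demo()` returns the verdicts of the three sample packets under the initial configuration, followed by three booleans: the insert transition never produced a verdict that neither the old nor the new policy would give, the inserted layer ends with three distinct priorities, and the delete transition is likewise safe. Inserting the target ACL first and renumbering afterwards would, by contrast, leave two rules at the same priority while live traffic is being matched, which is exactly the ambiguity the two-step order avoids.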
In an alternative embodiment, the first access control rules comprise a priority for indicating a matching order among the plurality of first access control rules, a direction for indicating a matching direction of the plurality of first access control rules, a matching threshold for indicating a matching range of the plurality of first access control rules, and the action.
In an alternative embodiment, the matching attribute of the firewall rules includes at least one of a source port, a destination port, a source internet protocol address, a destination internet protocol address, a protocol type, and an address group.
In this embodiment, after the address group is defined, the address group may be referred to in a plurality of firewall rules, so that the definition of the rules is simplified, the number of entries of the rules may be greatly reduced, and the complexity of generating the firewall rules is reduced. Moreover, the firewall rules are richer, and can simultaneously support the attributes of source internet protocol address, destination internet protocol address, port and the like to perform rule matching, so that the firewall rules are applied to a cross-subnet scene.
In a second aspect, the present invention provides a firewall configuration apparatus, the apparatus comprising: a first creating module, configured to create a firewall group, where the firewall group corresponds to a port group and associates an ingress firewall policy and an egress firewall policy for the ingress port and the egress port, where the ingress firewall policy and the egress firewall policy each include a plurality of firewall rules, where the firewall rules are configured to instruct the port to perform a corresponding action on a data packet that meets a first matching condition, and the action includes allowing the data packet to pass or rejecting the data packet from passing; a first association module, configured to associate a plurality of first access control rules of the cloud computing network platform with the port group, where the first access control rules are determined by converting the firewall rules; and a second association module, configured to associate the target port with the port group when the target port is added to the firewall group, so that the cloud computing network platform sends a firewall flow table to the target port, where the firewall flow table instructs the target port to execute corresponding actions on incoming and outgoing data packets.
In an alternative embodiment, the second association module includes: the first association unit is used for associating the target port to the port group through a preset reference relation.
In an alternative embodiment, the port group is stored in a database of the cloud computing network platform, and the apparatus further comprises: and the releasing module is used for releasing the preset reference relation between the target port and the port group when the target port is deleted.
In an alternative embodiment, the apparatus further comprises: the second creating module is used for creating a security group, wherein the security group corresponds to the port group, the security group comprises a plurality of security group rules, and the security group rules are used for indicating the port to perform pass-through permission operation on the data packets meeting the second matching condition; a third association module, configured to associate, at the port group, a plurality of second access control rules of the cloud computing network platform, where the second access control rules are determined by converting the security group rule; a configuration module, configured to configure a first identifier and a first priority for the first access control rule, and configure a second identifier and a second priority for the second access control rule, where the first priority is greater than the second priority; a storage module for storing the plurality of first access control rules and the plurality of second access control rules at different locations of the cloud computing network platform; and a fourth association module, configured to associate the target port to the port group if the target port is added to the security group, so that the cloud computing network platform sends a security group flow table to the target port, where the security group flow table is used to instruct the target port to perform a pass-through permission operation on a data packet that meets the second matching condition.
In an alternative embodiment, the plurality of firewall rules are configured with priorities, and the apparatus further comprises: an adjusting module, configured to adjust the priority of the first access control rules corresponding to the first firewall rules when a target firewall rule is deleted from or inserted into a target firewall policy, so as to obtain an updated priority sequence, where the target firewall policy is the ingress firewall policy or the egress firewall policy, the first firewall rules are the firewall rules under the target firewall policy other than the target firewall rule, and the target firewall rule is configured with a priority; and a processing module, configured to insert or delete the target access control rule according to the updated priority sequence, where the target access control rule is determined by converting the target firewall rule.
In an alternative embodiment, the first access control rules comprise a priority for indicating a matching order among the plurality of first access control rules, a direction for indicating a matching direction of the plurality of first access control rules, a matching threshold for indicating a matching range of the plurality of first access control rules, and the action.
In an alternative embodiment, the matching attribute of the firewall rules includes at least one of a source port, a destination port, a source internet protocol address, a destination internet protocol address, a protocol type, and an address group.
In a third aspect, the present invention provides a computer device comprising: the memory and the processor are in communication connection, the memory stores computer instructions, and the processor executes the computer instructions to perform the method of the first aspect or any implementation manner corresponding to the first aspect.
In a fourth aspect, the present invention provides a computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method of the first aspect or any of its corresponding embodiments.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the related art, the drawings that are required to be used in the description of the embodiments or the related art will be briefly described, and it is apparent that the drawings in the description below are some embodiments of the present invention, and other drawings may be obtained according to the drawings without inventive effort for those skilled in the art.
FIG. 1 is a flow chart of a firewall configuration method according to an embodiment of the invention;
FIG. 2 is a schematic diagram of the relationship of firewall groups, firewall policies, and firewall rules according to an embodiment of the invention;
FIG. 3 is a flow chart of another firewall configuration method according to an embodiment of the invention;
FIG. 4 is a diagram of a relationship between an associated port and an access control list according to an embodiment of the present invention;
FIG. 5 is a flow chart of yet another firewall configuration method according to an embodiment of the invention;
FIG. 6 is a block diagram of a firewall configuration apparatus according to an embodiment of the invention;
FIG. 7 is a schematic diagram of a hardware structure of a computer device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Cloud computing is an Internet-based computing model through which shared software and hardware resources and information can be provided to computers and other devices on demand. The cloud computing network platform (OpenStack) is an important component of cloud computing; the basic core of the cloud computing network comprises virtual layer-2 switches, virtual routers, security groups and so on, which are required to provide isolation and security functions for the tenant virtual network (Tenant Network) and to implement interworking at layers 2 and 3 of the Open Systems Interconnection (OSI) network model, layer 2 typically being the data link layer and layer 3 the network layer.
In the cloud computing network platform, the flow filtering mechanism is mainly realized through a security group, but the security group generally only supports a white list (a matching rule allowing a data packet to pass through), and the rule is not flexible enough, so that the security of the cloud computing network platform is low, and the increasing security requirement of the cloud computing network platform may not be met.
In view of this, the present invention provides a firewall configuration method, in which a firewall is configured at a port, so that the port can not only perform a pass operation on a passing data packet, but also perform a reject operation on the passing data packet, and the blacklist and the whitelist are supported simultaneously, thereby improving the security of a cloud computing network platform.
According to an embodiment of the present invention, there is provided a firewall configuration method embodiment, it being noted that the steps shown in the flowchart of the drawings may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is shown in the flowchart, in some cases the steps shown or described may be performed in an order other than that shown or described herein.
In this embodiment, a firewall configuration method is provided, which may be used for a cloud computing network platform, and fig. 1 is a flow chart of a firewall configuration method according to an embodiment of the present invention, as shown in fig. 1, where the method includes the following steps:
Step S101, a firewall group is created.
The firewall group corresponds to the port group, the firewall group associates a firewall inlet policy and a firewall outlet policy of an inlet port and an outlet port, the firewall inlet policy and the firewall outlet policy both comprise a plurality of firewall rules, and the firewall rules are used for indicating the port to execute corresponding actions on the data packet meeting the first matching condition, and the actions comprise allowing the data packet to pass or rejecting the data packet to pass.
For example, according to the type of action, the plurality of firewall rules may be divided into a whitelist and a blacklist: a whitelist rule is a firewall rule whose action allows the data packet to pass through, and a blacklist rule is a firewall rule whose action rejects the data packet from passing through.
Specifically, as shown in FIG. 2, a firewall group is associated with one or more port groups; for example, firewall group 1 is associated with port group 1 and port group 2, and firewall group 2 is associated with port group 2 and port group 3. A firewall group comprises a firewall policy in the Ingress direction (the ingress firewall policy) and a firewall policy in the Egress direction (the egress firewall policy). A firewall policy is an ordered set of firewall rules: for example, firewall policy 1 comprises firewall rule 1 and firewall rule 2, firewall policy 2 comprises firewall rules 1, 2 and 3, and firewall policy 3 comprises firewall rules 2 and 3. Firewall group 1 may use firewall policy 1 as its Ingress policy and firewall policy 2 as its Egress policy, and firewall group 2 may use firewall policy 3 as its Egress policy.
In addition, firewall policies can be shared across tenants. A firewall rule is a set of attributes specifying matching conditions (e.g., the port range of a message, the protocol type of a message, the Internet Protocol (IP) address or address group of a message, etc.) and the action taken on packets or messages meeting the matching conditions, e.g., allowing the packet to pass or rejecting it. For example, firewall rules may be created by a user of the cloud computing network platform.
For example, a firewall group may be created based on Firewall as a Service (FWaaS). FWaaS is a firewall solution provided as a cloud-based service, which can simplify information technology (IT) infrastructure; in the cloud computing network platform, FWaaS is an application programming interface (API) and driver framework specification, the latest version of which is v2.0.
Step S102, associating a plurality of first access control rules of the cloud computing network platform at the port group.
The first access control rules are determined by converting the firewall rules, i.e. each first access control rule is obtained from a firewall rule. Multiple first access control rules may form an access control list.
Specifically, the plurality of first access control rules may form an access control list (Access Control List, ACL). The access control list is a network packet filtering function implemented on the basis of the Open vSwitch (OVS) flow tables built into Open Virtual Network (OVN); an ACL logical data table is stored in OVN, and each row in it is one ACL rule (i.e., one first access control rule).
It should be understood that the OpenFlow protocol is a protocol used in software-defined networking (Software Defined Network, SDN). An OpenFlow switch turns the message-forwarding process, originally controlled by the switch alone, into one completed jointly by the OpenFlow switch and a control server, thereby separating data forwarding from control: the control server manipulates the flow table in the OpenFlow switch through a predefined interface and in this way controls data forwarding. The forwarding function and the forwarding policy (the various software protocols), originally on the same switch device, are thus separated onto different hardware devices, so that a unified control point is realized and the network is controlled more effectively.
In this embodiment, an OVN driver is added on the basis of FWaaS, and a port-level firewall function is realized on the basis of the OVN access control list, so that finer subnet-level or port-level rule control can be provided and network security control for multiple network architectures and multi-level networks in the cloud is realized: for example, subnet-level network security control and virtual-machine-level application security control are both supported, meeting the diversified requirements of users.
In step S103, in the case that the target port is added to the firewall group, the target port is associated to the port group, so that the cloud computing network platform sends the firewall flow table to the target port.
The firewall flow table instructs the target port to execute the corresponding actions on incoming and outgoing data packets, and may be composed of the plurality of first access control rules.
In this embodiment the type of the target port is not limited; for example, the target port may be a port of a virtual machine, a port of a router, or another port, and may be determined based on the user's selection.
Specifically, when the user adds the target port to the firewall group, the target port can be associated with the port group corresponding to the firewall group, since the firewall group is associated with that port group; the first access control rules corresponding to the firewall rules under the firewall group are thereby associated with the target port and applied to its ingress or egress direction through the firewall flow table.
According to the firewall configuration method provided by this embodiment, after the firewall group is created, a plurality of first access control rules of the cloud computing network platform are associated with the port group; then, when a target port is added to the firewall group, the target port is associated with the port group corresponding to the firewall group, so that the cloud computing network platform sends a firewall flow table to the target port and the filtering of data packets is realized. In this embodiment the firewall can be configured at the port, so that the port can not only pass data packets but also reject them; blacklists and whitelists are supported at the same time, which improves the security of the cloud computing network platform, and the port can be used in more scenarios and meet the diversified demands of users.
In this embodiment, a firewall configuration method is provided, which may be used in a cloud computing network platform, and fig. 3 is a schematic flow chart of another firewall configuration method according to an embodiment of the present invention, as shown in fig. 3, where the method includes the following steps:
Step S301, a firewall group is created.
Specifically, as shown in fig. 4, when a firewall group is created, a firewall policy in the ingress direction and a firewall policy in the egress direction are associated with it. Meanwhile, a port group is created in the OVN northbound database; for example, port group 1 is created when firewall group 1 is created, and port group 2 is created when firewall group 2 is created.
The firewall policies associated with the firewall group in turn associate firewall rules, and the firewall rules in a firewall policy may form an ordered list, which provides the basis for subsequently assigning priorities to the access control rules; for example, the earlier a firewall rule appears in the ordered list, the higher the priority of the corresponding access control rule. In addition, firewall rules belonging to different firewall policies act in different directions of the underlying port: firewall rules in the ingress firewall policy act in the ingress direction of the underlying port, and firewall rules in the egress firewall policy act in the egress direction of the underlying port.
In an alternative embodiment, the matching attributes of the firewall rules include at least one of a source port, a destination port, a source IP address, a destination IP address, a protocol type and an address group. The protocol type may be Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP) or another protocol. An address group is a collection of multiple IP addresses.
In this embodiment, once an address group is defined it may be referenced by a plurality of firewall rules, which simplifies the definition of the rules, greatly reduces the number of rule entries and reduces the complexity of generating the firewall rules. Moreover, the firewall rules are richer: they can simultaneously match on attributes such as the source IP address, the destination IP address and the port, and they are applicable to cross-subnet scenarios.
In step S302, a plurality of first access control rules of the cloud computing network platform are associated at the port group.
Specifically, the port group corresponding to the firewall group is associated with first access control rules in different directions. The first access control rules are converted from the firewall rules and have semantics similar to those of the firewall rules: matching conditions are formed from matching attributes such as the port range, the protocol type, the IP address and the address group, and the port is instructed to execute a pass operation or a discard operation on the data packet.
Illustratively, the first access control rule includes a priority (priority), a direction (direction), a match threshold (match), and an action (action).
The priority is used to indicate the matching order among the first access control rules: the higher the priority of a first access control rule, the earlier it is matched, and the priorities of the first access control rules are distinct from one another. The direction is used to indicate the matching direction of the first access control rules and comprises an ingress direction (from-port) and an egress direction (to-port); when the direction is the ingress direction, the first access control rule acts in the ingress direction of the underlying port, and when the direction is the egress direction, it acts in the egress direction of the underlying port. The match threshold is used to indicate the match range of the first access control rules, that is, it specifies the matching condition of a first access control rule; for example, the matching condition is a five-tuple comprising a source IP, a destination IP, a source port, a destination port and a protocol type.
The action may be allowing the packet to pass or rejecting the packet. Specifically, allowing the packet to pass may include: allowing the data packets (or messages) and the response data packets (or messages) to pass (allow or allow-related), and allowing the data packets (or messages) to pass but not allowing the response data packets (or messages) to pass (allow-stateless). Rejecting the packet may include: silently discarding the data packets or messages (drop), and discarding the data packets while sending a reply (reject). For example, a TCP RST is returned for TCP packets or messages, and an ICMPv4/ICMPv6 unreachable message is returned for other types of packets.
In step S303, in the case that the target port is added to the firewall group, the target port is associated to the port group through the preset reference relationship, so that the cloud computing network platform sends the firewall flow table to the target port.
For example, the preset reference relationship may be a weak reference relationship.
Specifically, when the target port is added to the firewall group, that is, when the firewall group acts on a port of a certain virtual machine (VM) or a port of a certain virtual router, the port corresponding to the virtual machine or the virtual router is added to the port group corresponding to the firewall group through a weak reference relationship, forming a correspondence between the access control list and that port. The first access control rules can then insert the corresponding logical flow table into the flow table (pipeline) where the port is located, and finally a physical flow table is inserted at the physical location of the port, which realizes the final packet filtering. For example, as shown in fig. 4, when firewall group 2 acts on the port of the virtual machine, the port of the virtual machine may be added to port group 2 corresponding to firewall group 2 through a weak reference relationship, forming a correspondence between the ACL and the port of the virtual machine; when firewall group 1 acts on the port of the virtual router, the port of the virtual router can be added to port group 2 corresponding to firewall group 1 through the weak reference relationship, forming a correspondence between the ACL and the port of the virtual router.
Illustratively, when the target port is deleted, the preset reference relationship between the target port and the port group is released, the preset reference relationship being a weak reference relationship. In this embodiment, since the OVN northbound database holds a weak reference from the port to the port group, the weak reference between the target port and the port group needs to be released when the target port is deleted; releasing it automatically unbinds the relationship between the port and the access control list, so that the first access control rules are removed from the deleted port.
In this embodiment, the target port is associated to the port group through the weak reference relationship, so that modification of the firewall rule is facilitated, and data processing logic is reduced.
Step S304, a security group is created.
The security group corresponds to the port group, and the security group comprises a plurality of security group rules, wherein the security group rules are used for indicating the port to allow the data packets meeting the second matching condition to pass through.
Specifically, the security group rule includes a set of attributes (e.g., port range or IP address, etc.) that constitute a second match condition, and the port will pass the message or packet when the message or packet satisfies the second match condition.
In step S305, a plurality of second access control rules of the cloud computing network platform are associated at the port group.
Wherein the second access control rule is determined by converting the security group rule, i.e. the second access control rule is converted by the security group rule.
Step S306, a first identifier and a first priority are configured for the first access control rule, and a second identifier and a second priority are configured for the second access control rule.
Wherein the first identifier and the second identifier are different, and the first priority is greater than the second priority.
The specific structures of the first identifier and the second identifier are not limited, as long as the first access control rule and the second access control rule can be distinguished. For example, the first and second identifiers may be numerals, letters, characters, or the like.
Step S307, storing the plurality of first access control rules and the plurality of second access control rules at different locations of the cloud computing network platform.
Specifically, the access control list formed by the plurality of first access control rules and the access control list formed by the plurality of second access control rules are stored in different storage positions of the northbound database, so that the firewall group and the security group can be reserved as two independent functions, and the multi-layer security protection of the data path is realized through the two independent functions. For example, a tenant network administrator specifies tenant-level security rules through a firewall group, while an application deployer may define application-specific security rules through the security group.
In step S308, in the case that the target port is added to the security group, the target port is associated to the port group, so that the cloud computing network platform sends the security group flow table to the target port.
The security group flow table is used for indicating the target port to allow the data packets meeting the second matching condition to pass through.
Specifically, when the user adds the target port to the security group, since the security group is associated with the port group, the target port can be associated to the port group corresponding to the security group; the second access control rules corresponding to the security group rules under the security group are then associated to the target port and applied, through the security group flow table, in the ingress direction or egress direction of the target port. That is, the ingress or egress direction of the target port has both a firewall flow table and a security group flow table.
According to the firewall configuration method provided by this embodiment, an identifier is added to the ACL table of the OVN northbound database to distinguish the access control lists of the firewall group from those of the security group. When the southbound logical flow table is generated, ACL rules are converted into different logical flow tables according to their identifiers, so that rule conflicts at the flow table layer are avoided, the security group and the firewall coexist, and multi-layer protection of cloud network security is realized. By adding the priority, the firewall flow table is placed before the security group flow table, so that whether traffic enters or leaves, a data packet is first filtered by the firewall rules and then by the security group rules; multi-layer control of traffic filtering is thus realized and the security of the cloud computing platform is further improved.
For example, a broad set of pass-through rules can be defined by the firewall group and then narrowed by the security group. For reject actions, the firewall rules act in the ingress and egress directions of the port: the rule matched first (the one with the higher priority) takes effect, and rules matched later do not.
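The two-layer arrangement described above, as an added example that is not the patent's or OVN's code: firewall group rules and security group rules are converted into ACL entries carrying different identifiers and priority bands, and a packet is checked against the firewall layer first and the security group layer second. Tag values, priority bands, the fall-through behaviour for unmatched firewall traffic, the default-deny of the security group layer, and all sample rules and packets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Added example, not the patent's or OVN's code. It models firewall group ACLs and
# security group ACLs carrying different identifiers (tags), evaluated in two layers
# with the firewall layer ranked first. Tag values, priority bands, sample rules and
# sample packets are all constructed for illustration.

FIREWALL_TAG = "fwg"        # hypothetical first identifier
SECURITY_GROUP_TAG = "sg"   # hypothetical second identifier
FIREWALL_PRIORITY = 2000    # first priority band: every firewall ACL ranks above every SG ACL
SG_PRIORITY = 1000          # second priority band


@dataclass(frozen=True)
class Acl:
    tag: str                                     # which access control list the entry belongs to
    priority: int                                # higher value = matched earlier within a layer
    direction: str                               # "from-port" (ingress) or "to-port" (egress)
    action: str                                  # allow, allow-related, allow-stateless, drop, reject
    src_group: Tuple[str, ...] = ()              # address group of source CIDRs; empty = any
    dst_group: Tuple[str, ...] = ()              # address group of destination CIDRs; empty = any
    proto: Optional[str] = None                  # "tcp", "udp", "icmp", or None = any
    dst_ports: Optional[Tuple[int, int]] = None  # inclusive destination port range

    def matches(self, pkt: Dict) -> bool:
        """Match condition built from address groups, protocol type and port range."""
        if self.src_group and not any(ip_address(pkt["src"]) in ip_network(c) for c in self.src_group):
            return False
        if self.dst_group and not any(ip_address(pkt["dst"]) in ip_network(c) for c in self.dst_group):
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dst_ports is not None:
            lo, hi = self.dst_ports
            if pkt.get("dport") is None or not lo <= pkt["dport"] <= hi:
                return False
        return True


def firewall_policy_to_acls(direction: str, rules: List[Dict]) -> List[Acl]:
    """Ordered firewall policy -> first access control rules; an earlier rule gets a higher priority."""
    return [Acl(FIREWALL_TAG, FIREWALL_PRIORITY - i, direction, **r) for i, r in enumerate(rules)]


def security_group_to_acls(direction: str, rules: List[Dict]) -> List[Acl]:
    """Security group rules -> second access control rules; they only ever allow."""
    return [Acl(SECURITY_GROUP_TAG, SG_PRIORITY - i, direction, "allow-related", **r)
            for i, r in enumerate(rules)]


def reject_response(pkt: Dict) -> str:
    """What a 'reject' action answers with: TCP RST for TCP, ICMP unreachable otherwise."""
    return "tcp-rst" if pkt["proto"] == "tcp" else "icmp-unreachable"


def evaluate(acls: List[Acl], pkt: Dict, direction: str) -> Tuple[str, str]:
    """Return (verdict, layer). The firewall layer is consulted first and may drop or reject.
    Traffic it allows, or does not match at all (assumed to fall through), then reaches the
    security group layer, which is whitelist-only: no matching SG rule means drop (assumption)."""
    def first_hit(tag: str) -> Optional[Acl]:
        layer = sorted((a for a in acls if a.tag == tag and a.direction == direction),
                       key=lambda a: -a.priority)
        return next((a for a in layer if a.matches(pkt)), None)

    fw = first_hit(FIREWALL_TAG)
    if fw is not None and fw.action in ("drop", "reject"):
        return fw.action, "firewall"
    sg = first_hit(SECURITY_GROUP_TAG)
    return ("allow", "security-group") if sg is not None else ("drop", "security-group")


# Constructed sample: the firewall group broadly admits 10.0.0.0/8 but rejects one subnet
# and drops everything else; the security group narrows admitted traffic to SSH and HTTPS.
INGRESS_ACLS: List[Acl] = (
    firewall_policy_to_acls("from-port", [
        {"action": "reject", "src_group": ("10.0.5.0/24",)},
        {"action": "allow-related", "src_group": ("10.0.0.0/8",)},
        {"action": "drop"},
    ])
    + security_group_to_acls("from-port", [
        {"proto": "tcp", "dst_ports": (22, 22)},
        {"proto": "tcp", "dst_ports": (443, 443)},
    ])
)

if __name__ == "__main__":
    for pkt in ({"src": "10.0.5.3", "dst": "10.0.9.1", "proto": "tcp", "dport": 22},
                {"src": "10.0.1.2", "dst": "10.0.9.1", "proto": "tcp", "dport": 22},
                {"src": "10.0.1.2", "dst": "10.0.9.1", "proto": "tcp", "dport": 8080},
                {"src": "192.168.1.1", "dst": "10.0.9.1", "proto": "udp", "dport": 443}):
        print(pkt["src"], pkt["proto"], pkt["dport"], "->", evaluate(INGRESS_ACLS, pkt, "from-port"))
```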
In this embodiment, a firewall configuration method is provided, which may be used in a cloud computing network platform, and fig. 5 is a schematic flow chart of another firewall configuration method according to an embodiment of the present invention, as shown in fig. 5, where the method includes the following steps:
In step S501, a firewall group is created.
For details, refer to step S101 of the embodiment shown in fig. 1 or step S301 of the embodiment shown in fig. 3, which are not repeated here.
Step S502, associating a plurality of first access control rules of the cloud computing network platform at the port group.
For details, refer to step S102 of the embodiment shown in fig. 1 or step S302 of the embodiment shown in fig. 3, which are not repeated here.
In step S503, in a case that the target port is added to the firewall group, the target port is associated to the port group, so that the cloud computing network platform sends the firewall flow table to the target port.
For details, refer to step S103 of the embodiment shown in fig. 1 or step S303 of the embodiment shown in fig. 3, which are not repeated here.
Step S504, when deleting or inserting the target firewall rules in the target firewall policy, adjusting the priority of the first access control rule corresponding to the first firewall rules to obtain the updated priority sequence.
The target firewall policy is a firewall-in policy or a firewall-out policy, the first firewall rule is a plurality of firewall rules except for the target firewall rule under the target firewall policy, and the plurality of firewall rules and the target firewall rule are configured with priorities.
In step S505, the target access control rule is inserted or deleted according to the updated priority order.
Wherein the target access control rule is determined by converting the target firewall rule.
When a certain firewall rule is deleted from the ingress firewall policy, the priorities of the first access control rules corresponding to the remaining firewall rules in that policy are adjusted based on the priority of the deleted firewall rule; after the updated priority order is obtained, the first access control rule corresponding to the deleted firewall rule is removed, so that traffic cannot escape and the impact on the filtering of passing network traffic is reduced. The remaining firewall rules are all firewall rules in the firewall policy except the deleted firewall rule.
When a new firewall rule is inserted into a firewall policy, the priority of a first access control rule corresponding to all firewall rules in the firewall policy is adjusted based on the priority of the new firewall rule, and after the updated priority order is obtained, a first access control flow table corresponding to the new firewall rule is inserted, so that the escape of traffic is prevented, and the filtering influence on the passing network traffic is reduced.
According to the firewall configuration method provided by the embodiment, when the target firewall rule is deleted or inserted in the target firewall policy, the priority of the first access control rule corresponding to the first firewall rule is firstly adjusted, after the updated priority sequence is obtained, the target access control rule is inserted or deleted according to the updated priority sequence, so that the atomic operation is realized, the leakage of the flow in the modification process is prevented, and the filtering influence on the passing network flow is reduced.
In some alternative embodiments, when the target firewall rule is deleted from or inserted into the target firewall policy, the third access control rules are determined, the priority of at least one third access control rule is adjusted to obtain the updated priority order, and the target access control rule is inserted or deleted based on the updated priority order. A third access control rule is a fourth access control rule whose priority is lower than that of the target access control rule; the fourth access control rules are the first access control rules corresponding to the firewall rules in the target firewall policy; and the target access control rule is determined by converting the target firewall rule.
In this embodiment, when the target firewall rule is deleted or inserted in the target firewall policy, after the priority of the third access control rule is adjusted, the target access control rule is inserted or deleted according to the obtained updated priority order, so that the priority of all the first access control rules corresponding to the firewall rules in the target firewall policy does not need to be adjusted, and the modification efficiency can be improved while preventing the leakage of the traffic in the modification process.
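The insert and delete sequence of steps S504 and S505, together with the optimisation just described (only the access control rules ranked below the target are re-prioritised), as an added example that is not the patent's or OVN's code. The rule ids, match strings, base priority and the assumption that a transient priority tie during a delete is harmless are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple

# Added example, not the patent's or OVN's code: re-sequencing ACL priorities when a
# firewall rule is inserted into or deleted from an ordered firewall policy, adjusting
# the other rules first and touching only those ranked below the target. Rule ids, match
# strings and the base priority are constructed for illustration.

BASE_PRIORITY = 2000  # hypothetical: the first rule of a policy gets this priority

Rule = Tuple[str, str, str]  # (rule id, match condition, action)


@dataclass(frozen=True)
class Acl:
    rule_id: str
    priority: int
    direction: str  # "from-port" or "to-port"
    match: str      # OVN-like match condition, e.g. "ip4.src == 10.0.0.0/8"
    action: str     # allow, allow-related, allow-stateless, drop, reject


def policy_to_acls(direction: str, rules: List[Rule]) -> List[Acl]:
    """Ordered policy -> ACLs: the rule at position i gets priority BASE_PRIORITY - i."""
    return [Acl(rid, BASE_PRIORITY - i, direction, m, a) for i, (rid, m, a) in enumerate(rules)]


def _by_priority(acls: List[Acl]) -> List[Acl]:
    return sorted(acls, key=lambda a: -a.priority)


def insert_rule(acls: List[Acl], position: int, new: Rule) -> Tuple[List[Acl], List[str]]:
    """Insert `new` at `position` (0 = top). Returns the new table and the individual
    updates in the order they would be applied to the northbound database."""
    slot = BASE_PRIORITY - position
    table, log = list(acls), []
    # Step 1, adjust first: only ACLs at or below the slot being taken (the third access
    # control rules) move down by one; ACLs with a higher priority are left untouched.
    for i, acl in enumerate(table):
        if acl.priority <= slot:
            table[i] = replace(acl, priority=acl.priority - 1)
            log.append(f"update {acl.rule_id}: {acl.priority} -> {acl.priority - 1}")
    # Step 2: insert the target ACL into the freed slot. Every existing rule stayed in the
    # table throughout step 1, so no packet bypassed the existing filtering meanwhile.
    rid, match, action = new
    direction = acls[0].direction if acls else "from-port"
    table.append(Acl(rid, slot, direction, match, action))
    log.append(f"insert {rid} at {slot}")
    return _by_priority(table), log


def delete_rule(acls: List[Acl], rule_id: str) -> Tuple[List[Acl], List[str]]:
    """Delete `rule_id`: first close the gap below it, then remove it."""
    target = next(a for a in acls if a.rule_id == rule_id)
    table, log = list(acls), []
    # Step 1: ACLs ranked below the target move up by one. The ACL directly below it briefly
    # shares the target's priority; this model assumes such a transient tie is harmless
    # because both rules are still present, whereas a missing rule would let traffic escape.
    for i, acl in enumerate(table):
        if acl.priority < target.priority:
            table[i] = replace(acl, priority=acl.priority + 1)
            log.append(f"update {acl.rule_id}: {acl.priority} -> {acl.priority + 1}")
    # Step 2: remove the target ACL.
    table = [a for a in table if a.rule_id != rule_id]
    log.append(f"delete {rule_id}")
    return _by_priority(table), log


def is_contiguous(acls: List[Acl]) -> bool:
    """Sanity check after an update: priorities run BASE, BASE-1, ... with no gaps or duplicates."""
    return [a.priority for a in _by_priority(acls)] == [BASE_PRIORITY - i for i in range(len(acls))]


# Constructed sample ingress policy.
INGRESS = policy_to_acls("from-port", [
    ("r1", "ip4.src == 10.0.5.0/24", "reject"),
    ("r2", "ip4.src == 10.0.0.0/8", "allow-related"),
    ("r3", "ip4", "drop"),
])

if __name__ == "__main__":
    after_insert, log = insert_rule(INGRESS, 1, ("r4", "tcp.dst == 22", "allow"))
    print([(a.rule_id, a.priority) for a in after_insert], log)
    after_delete, log = delete_rule(after_insert, "r4")
    print([(a.rule_id, a.priority) for a in after_delete], log)
```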
This embodiment also provides a firewall configuration device, which is used to implement the embodiments described above and their preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
The present embodiment provides a firewall configuration apparatus, as shown in fig. 6, including:
A first creating module 601, configured to create a firewall group, where the firewall group corresponds to the port group, and the firewall group associates a firewall ingress policy and a firewall egress policy of an ingress port, where the firewall ingress policy and the firewall egress policy each include a plurality of firewall rules, and the firewall rules are configured to instruct the port to perform a corresponding action on a data packet that meets a first matching condition, where the action includes allowing the data packet to pass or rejecting the data packet to pass;
A first association module 602, configured to associate, at a port group, a plurality of first access control rules of the cloud computing network platform, where the first access control rules are determined by transforming firewall rules;
And a second association module 603, configured to associate the target port to the port group if the target port is added to the firewall group, so that the cloud computing network platform sends a firewall flow table to the target port, where the firewall flow table is used to instruct the target port to perform a corresponding action on the incoming and outgoing data packet.
In some alternative embodiments, the second association module 603 includes:
The first association unit is used for associating the target port to the port group through a preset reference relation.
In some alternative embodiments, the port group is stored in a database of the cloud computing network platform, the apparatus further comprising:
And the releasing module is used for releasing the preset reference relation between the target port and the port group when the target port is deleted.
In some alternative embodiments, the apparatus further comprises:
the second creating module is used for creating a security group, wherein the security group corresponds to the port group, the security group comprises a plurality of security group rules, and the security group rules are used for indicating the port to allow the data packet meeting the second matching condition to pass through;
the third association module is used for associating a plurality of second access control rules of the cloud computing network platform in the port group, wherein the second access control rules are determined by converting the security group rules;
the configuration module is used for configuring a first identifier and a first priority for the first access control rule and configuring a second identifier and a second priority for the second access control rule, wherein the first priority is greater than the second priority;
the storage module is used for storing the first access control rules and the second access control rules at different positions of the cloud computing network platform;
and the fourth association module is used for associating the target port to the port group under the condition that the target port is added to the security group, so that the cloud computing network platform sends a security group flow table to the target port, wherein the security group flow table is used for indicating the target port to perform pass-through permission operation on the data packets meeting the second matching condition.
In some alternative embodiments, the plurality of firewall rules are configured with priorities, the apparatus further comprising:
The adjusting module is used for adjusting the priority of the first access control rule corresponding to the first firewall rule when the target firewall rule is deleted or inserted into the target firewall policy to obtain an updated priority sequence, wherein the target firewall policy is a firewall-entering policy or a firewall-exiting policy, the first firewall rule is a plurality of firewall rules except the target firewall rule under the target firewall policy, and the target firewall rule is configured with priority;
And the processing module is used for inserting or deleting the target access control rule according to the updated priority order, wherein the target access control rule is determined by converting the target firewall rule.
In some alternative embodiments, the first access control rules include a priority for indicating a matching order among the plurality of first access control rules, a direction for indicating a matching direction of the plurality of first access control rules, a matching threshold for indicating a matching range of the plurality of first access control rules, and an action.
In some alternative embodiments, the matching attribute of the firewall rules includes at least one of a source port, a destination port, a source internet protocol address, a destination internet protocol address, a protocol type, and an address group.
Further functional descriptions of the above respective modules and units are the same as those of the above corresponding embodiments, and are not repeated here.
The firewall configuration apparatus in this embodiment is presented in the form of functional units, where a unit refers to an Application Specific Integrated Circuit (ASIC), a processor and a memory that execute one or more software or firmware programs, and/or other devices that can provide the above-described functions.
The embodiment of the invention also provides computer equipment, which is provided with the firewall configuration device shown in the figure 7.
Referring to fig. 7, fig. 7 is a schematic structural diagram of a computer device according to an alternative embodiment of the present invention. As shown in fig. 7, the computer device includes one or more processors 710, a memory 720, and interfaces for connecting the various components, including high-speed interfaces and low-speed interfaces. The various components are communicatively coupled to each other using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executing within the computer device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output device, such as a display device coupled to an interface. In some alternative embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories. Also, multiple computer devices may be connected, each providing a portion of the necessary operations (e.g., as a server array, a set of blade servers, or a multiprocessor system). One processor 710 is illustrated in fig. 7.
Processor 710 may be a central processor, a network processor, or a combination thereof. The processor 710 may further include a hardware chip, among other things. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a general-purpose array logic, or any combination thereof.
The memory 720 stores instructions executable by the at least one processor 710 to cause the at least one processor 710 to perform the methods of the embodiments described above.
Memory 720 may include a storage program area that may store an operating system, at least one application program required for functionality, and a storage data area; the storage data area may store data created according to the use of the computer device, etc. In addition, memory 720 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some alternative embodiments, memory 720 optionally includes memory located remotely from processor 710, which may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Memory 720 may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as flash memory, hard disk, or solid state disk; memory 720 may also include a combination of the above types of memory.
The computer device further comprises an input device 730 and an output device 740. The processor 710, the memory 720, the input device 730 and the output device 740 may be connected by a bus or by other means; connection by a bus is taken as an example in fig. 7.
The input device 730 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the computer device, and may be, for example, a touch screen, keypad, mouse, trackpad, touchpad, pointer stick, one or more mouse buttons, trackball, joystick, and the like. The output device 740 may include a display apparatus, auxiliary lighting devices (e.g., LEDs), haptic feedback devices (e.g., vibration motors), and the like. Such display devices include, but are not limited to, liquid crystal displays, light emitting diode displays and plasma displays. In some alternative implementations, the display device may be a touch screen.
The embodiments of the present invention also provide a computer readable storage medium. The method according to the embodiments of the present invention described above may be implemented in hardware or firmware, or as computer code that may be recorded on a storage medium, or as computer code that is originally stored on a remote storage medium or a non-transitory machine readable storage medium, downloaded through a network and stored on a local storage medium, so that the method described herein can be carried out by software stored on such a storage medium using a general purpose computer, a special purpose processor, or programmable or special purpose hardware. The storage medium can be a magnetic disk, an optical disk, a read-only memory, a random access memory, a flash memory, a hard disk, a solid state disk or the like; further, the storage medium may also comprise a combination of memories of the kinds described above. It will be appreciated that a computer, processor, microprocessor controller or programmable hardware includes a storage element that can store or receive software or computer code that, when accessed and executed by the computer, processor or hardware, implements the methods illustrated by the above embodiments.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope of the invention as defined by the appended claims.

Claims (10)

1. A method for firewall configuration, the method comprising:
Creating a firewall group, wherein the firewall group corresponds to a port group, the firewall group associates a firewall inlet policy and a firewall outlet policy of an inlet port and an outlet port, the firewall inlet policy and the firewall outlet policy both comprise a plurality of firewall rules, the firewall rules are used for indicating the port to execute corresponding actions on the data packet meeting a first matching condition, and the actions comprise allowing the data packet to pass or rejecting the data packet to pass;
Associating a plurality of first access control rules of a cloud computing network platform at the port group, wherein the first access control rules are determined by converting the firewall rules;
and under the condition that a target port is added to the firewall group, associating the target port to the port group so that the cloud computing network platform can send a firewall flow table to the target port, wherein the firewall flow table is used for indicating the target port to execute corresponding actions on incoming and outgoing data packets.
2. The method of claim 1, wherein the associating the target port to the port group comprises:
and associating the target port to the port group through a preset reference relation.
3. The method of claim 2, wherein the port group is stored in a database of the cloud computing network platform, the method further comprising:
And when the target port is deleted, releasing the preset reference relation between the target port and the port group.
4. A method according to any one of claims 1 to 3, further comprising:
Creating a security group, wherein the security group corresponds to the port group, and the security group comprises a plurality of security group rules, and the security group rules are used for indicating the port to perform pass-through permission operation on the data packets meeting the second matching condition;
Associating a plurality of second access control rules of the cloud computing network platform at the port group, wherein the second access control rules are determined by converting the security group rules;
Configuring a first identifier and a first priority for the first access control rule, and configuring a second identifier and a second priority for the second access control rule, wherein the first priority is greater than the second priority;
Storing the plurality of first access control rules and the plurality of second access control rules at different locations of the cloud computing network platform;
And in the case that the target port is added to the security group, associating the target port to the port group, so that the cloud computing network platform sends a security group flow table to the target port, wherein the security group flow table is used for indicating the target port to perform pass-through permission operation on the data packets meeting the second matching condition.
5. A method according to any one of claims 1 to 3, wherein the plurality of firewall rules are configured with priorities, the method further comprising:
When a target firewall rule is deleted or inserted in a target firewall policy, adjusting the priority of a first access control rule corresponding to a first firewall rule to obtain an updated priority sequence, wherein the target firewall policy is the firewall-in policy or the firewall-out policy, the first firewall rule is a plurality of firewall rules except the target firewall rule under the target firewall policy, and the target firewall rule is configured with priority;
And inserting or deleting target access control rules according to the updated priority order, wherein the target access control rules are determined by converting the target firewall rules.
6. A method according to any one of claims 1 to 3, wherein,
The first access control rules include a priority for indicating a matching order among the plurality of first access control rules, a direction for indicating a matching direction of the plurality of first access control rules, a matching threshold for indicating a matching range of the plurality of first access control rules, and the action.
7. A method according to any one of claims 1 to 3, wherein,
The matching attribute of the firewall rules includes at least one of a source port, a destination port, a source internet protocol address, a destination internet protocol address, a protocol type, and an address group.
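Claims 4 to 7 together describe a small rule-conversion pipeline: firewall rules (claims 6 and 7 give the converted rule's fields and match attributes) and security group rules are both turned into access control rules at the port group, firewall-derived rules always carry the higher priority (claim 4), and an insert or delete renumbers the surviving rules before the target rule's converted counterpart is added or removed (claim 5). The following Python model is an added example written for this page, not code from the patent or from its applicant; every class, field and identifier format (Match, FirewallRule, AccessControlRule, the FW_BASE/SG_BASE priority bands, the "fw-"/"sg-" identifiers, and the default-deny fallback) is an assumption made for illustration.

```python
"""Toy model of the firewall-group / security-group to ACL conversion in claims 4-7.
Added example: all names and the priority numbering scheme are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ALLOW, DENY = "allow", "deny"
# Assumption: first (firewall) ACLs live in a band strictly above second (security group) ACLs,
# so claim 4's "first priority is greater than the second priority" holds by construction.
FW_BASE, SG_BASE = 2000, 1000


@dataclass
class Match:
    """Matching attributes of claim 7; None means 'any'. IP fields are CIDR strings."""
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None

    def hits(self, pkt: dict) -> bool:
        if self.protocol and pkt["protocol"] != self.protocol:
            return False
        for attr in ("src_port", "dst_port"):
            want = getattr(self, attr)
            if want is not None and pkt[attr] != want:
                return False
        for attr in ("src_ip", "dst_ip"):
            want = getattr(self, attr)
            if want and ip_address(pkt[attr]) not in ip_network(want, strict=False):
                return False
        return True


@dataclass
class FirewallRule:
    match: Match
    action: str  # ALLOW or DENY; position in its policy list is its priority


@dataclass
class AccessControlRule:
    """Converted rule with the fields of claim 6: identifier, priority, direction, match, action."""
    ident: str
    priority: int
    direction: str
    match: Match
    action: str


class PortGroup:
    def __init__(self) -> None:
        self.acls: List[AccessControlRule] = []
        self.ports: set = set()


class FirewallGroup:
    """Firewall group bound to one port group, holding an ingress and an egress policy
    plus the security group of claim 4, and keeping the port group's ACLs in sync."""

    def __init__(self, port_group: PortGroup) -> None:
        self.port_group = port_group
        self.policies: Dict[str, List[FirewallRule]] = {"ingress": [], "egress": []}
        self.sg_rules: List[Match] = []  # security group rules always allow

    def insert_firewall_rule(self, direction: str, index: int, rule: FirewallRule) -> None:
        self.policies[direction].insert(index, rule)
        self._rebuild()

    def delete_firewall_rule(self, direction: str, index: int) -> None:
        del self.policies[direction][index]
        self._rebuild()

    def add_security_group_rule(self, match: Match) -> None:
        self.sg_rules.append(match)
        self._rebuild()

    def add_port(self, port_id: str) -> None:
        self.port_group.ports.add(port_id)  # claim 4 / claim 8: membership associates the port

    def _rebuild(self) -> None:
        """Claim 5: after an insert or delete the surviving rules get a fresh priority
        sequence; the rule at list index 0 is matched first within its policy."""
        acls: List[AccessControlRule] = []
        for direction, rules in self.policies.items():
            n = len(rules)
            for i, r in enumerate(rules):
                acls.append(AccessControlRule(f"fw-{direction}-{i}", FW_BASE + n - i,
                                              direction, r.match, r.action))
        n = len(self.sg_rules)
        for i, m in enumerate(self.sg_rules):
            for direction in ("ingress", "egress"):  # assumption: SG rules apply both ways
                acls.append(AccessControlRule(f"sg-{direction}-{i}", SG_BASE + n - i,
                                              direction, m, ALLOW))
        self.port_group.acls = acls

    def flow_table(self, port_id: str, direction: str) -> List[AccessControlRule]:
        """The flow table the platform would send to a member port: one direction's ACLs,
        highest priority first."""
        if port_id not in self.port_group.ports:
            raise KeyError(f"{port_id} is not associated with this port group")
        return sorted((a for a in self.port_group.acls if a.direction == direction),
                      key=lambda a: -a.priority)


def evaluate(table: List[AccessControlRule], pkt: dict) -> str:
    """First matching ACL wins; an unmatched packet is dropped (assumed default)."""
    for acl in table:
        if acl.match.hits(pkt):
            return acl.action
    return DENY


if __name__ == "__main__":
    pg, fg = PortGroup(), FirewallGroup(PortGroup())
    fg.insert_firewall_rule("ingress", 0, FirewallRule(Match(src_ip="10.0.0.0/8"), ALLOW))
    fg.insert_firewall_rule("ingress", 0, FirewallRule(Match(dst_port=22), DENY))
    fg.add_security_group_rule(Match(dst_port=22))  # SG allows 22, but the firewall deny outranks it
    fg.add_port("port-1")
    pkt = {"src_ip": "10.1.1.1", "dst_ip": "10.2.2.2", "src_port": 40000, "dst_port": 22, "protocol": "tcp"}
    print(evaluate(fg.flow_table("port-1", "ingress"), pkt))
```

The point the model makes visible is the ordering guarantee of claim 4: a security group rule that allows a port can never override a firewall rule that denies it, because every converted firewall rule sits in the higher priority band, and deleting that firewall rule both renumbers the remaining firewall ACLs and makes the security group ACL reachable again.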
8. A firewall configuration apparatus, said apparatus comprising:
A first creating module, configured to create a firewall group, where the firewall group corresponds to a port group, and the firewall group associates an ingress firewall policy and an egress firewall policy of an ingress port, where the ingress firewall policy and the egress firewall policy each include a plurality of firewall rules, where the firewall rules are configured to instruct the port to perform a corresponding action on a data packet that meets a first matching condition, and the action includes allowing the data packet to pass or rejecting the data packet from passing;
The first association module is used for associating a plurality of first access control rules of the cloud computing network platform at the port group, wherein the first access control rules are determined by converting the firewall rules;
And the second association module is used for associating the target port to the port group under the condition that the target port is added to the firewall group, so that the cloud computing network platform sends a firewall flow table to the target port, wherein the firewall flow table is used for indicating the target port to execute corresponding actions on incoming and outgoing data packets.
9. A computer device, comprising:
A memory and a processor in communication with each other, the memory having stored therein computer instructions which, upon execution, cause the processor to perform the method of any of claims 1 to 7.
10. A computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method of any one of claims 1 to 7.
CN202410138300.XA 2024-01-30 2024-01-30 Firewall configuration method, device, computer equipment and storage medium Pending CN117938525A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410138300.XA CN117938525A (en) 2024-01-30 2024-01-30 Firewall configuration method, device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117938525A true CN117938525A (en) 2024-04-26

Family

ID=90755756

Country Status (1)

Country Link
CN (1) CN117938525A (en)

Similar Documents

Publication Publication Date Title
US20220321404A1 (en) Programmable Protocol Parser For NIC Classification And Queue Assignments
US20210409453A1 (en) Method and apparatus for distributing firewall rules
US10389642B2 (en) Cloud-based network tool optimizers for server cloud networks
EP3072263B1 (en) Multi-tenant isolation in a cloud environment using software defined networking
US10374972B2 (en) Virtual flow network in a cloud environment
US10341296B2 (en) Firewall configured with dynamic collaboration from network services in a virtual network environment
US10305858B2 (en) Datapath processing of service rules with qualifiers defined in terms of dynamic groups
KR101572771B1 (en) System and methods for controlling network traffic through virtual switches
CN112130957B (en) Method and system for using intelligent network card for breaking through virtualization isolation of container
CN117938525A (en) Firewall configuration method, device, computer equipment and storage medium
CN114338193A (en) Flow arrangement method and device and ovn flow arrangement system
KR101543735B1 (en) System and method for processing packets for nfv
CN114338119A (en) Network isolation method and system and proxy equipment
US10554618B2 (en) Domain identifier based access policy control
CN116016034B (en) SDN-based service path scheduling method and device
US10110477B2 (en) Integrated data plane for heterogeneous network services
Arora The Heart and Brain of SDN: SDN Controllers
EP3047611B1 (en) Multi-virtualization scheme selection
CN113438170A (en) Method, storage medium and system for libvirt to manage flow table rules of OVS
WO2017138952A1 (en) Generating protocol-specific instructions for ambiguous forwarding behavior

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination