CN105450668A - Cloud security service implementing system and cloud security service implementing method - Google Patents


Info

Publication number
CN105450668A
Authority
CN
China
Prior art keywords
security service
cloud
service resource
container
cloud security
Legal status
Pending
Application number
CN201511024444.XA
Other languages
Chinese (zh)
Inventor
王海洋
张兴
何武红
施光源
陈幼雷
Current Assignee
CEC CYBERSPACE GREAT WALL Co Ltd
Original Assignee
CEC CYBERSPACE GREAT WALL Co Ltd
Events
Application filed by CEC CYBERSPACE GREAT WALL Co Ltd
Priority to CN201511024444.XA
Publication of CN105450668A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/0218 Distributed architectures, e.g. distributed firewalls
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/40 Support for services or applications
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/2866 Architectures; Arrangements
    • H04L 67/2871 Implementation details of single intermediate entities

Abstract

The invention discloses a cloud security service implementing system and a cloud security service implementing method. The cloud security service implementing system comprises a self-help service portal, a cloud security service middleware and a cloud security service container. The self-help service portal generates a corresponding security service resource request form according to the selection of a lessee; the cloud security service middleware detects whether all security service resources recorded in the security service resource request form are included in a security service resource pool, and generates a corresponding instantiation instruction when they are; and the cloud security service container performs instantiation according to the received instantiation instruction and packages each instantiated security service resource into an independent sub-container, so that the security service resources in the independent sub-containers provide isolated cloud security service for the lessee. With this system and method, safe, independent, self-help cloud security service can be provided to the lessee in a cloud computing environment.

Description

Cloud security service implementing system and cloud security service implementing method
Technical field
The present invention relates to the field of communication technology, and in particular to a cloud security service implementing system and a cloud security service implementing method.
Background art
Cloud security promotes the delivery of information security technology as an on-demand service and is a new form in which information security technology and security data resources are fully utilized. As an innovative application model in the field of information security technology, cloud security has attracted wide attention at home and abroad ever since the concept was born; in recent years it has been regarded as the core of the transformation of next-generation information security technology and of its business model, and it has broad market prospects. At present almost all mainstream security enterprises have entered the cloud security field, each company moving into cloud security from its own traditional security technology area and market strategy.
Cloud computing is a delivery and usage model for IT infrastructure, a delivery and usage model for information services, and at the same time a new computing model that shares information resources over the Internet. Cloud computing is a model in which a scalable, elastic, shared pool of physical and virtual resources is supplied and managed on demand in a self-service manner, with network access provided to it. One feature of cloud computing is that related resources are pooled and then provided as a service on demand. In the traditional sense the resources comprise computing resources, storage resources and network resources, but with the development of information technology and the needs of tenants, security resources likewise have the property of being poolable. Precisely because the related resources are pooled and shared, a cloud computing tenant faces not only the traditional information security risks but also the incremental risks introduced by cloud computing technology, and how to dissolve and avoid these security risks to the greatest extent has become the biggest problem in accelerating the deployment of cloud computing projects.
Cloud computing tenants generally hope that, just as they use computing services, storage services and network services, they can flexibly apply for and use security services on demand: on the one hand to resolve the incremental risks that cloud computing technology introduces between tenants in a cloud computing environment, such as network isolation, data protection and access control; on the other hand to use traditional security services such as VPN, IDS and UTM on demand to address the traditional information security risks, protecting the data security of the tenant's information systems to the greatest extent while greatly saving cost.
Based on the above characteristics of cloud computing, and combined with traditional information security technology or security information products, it becomes possible to provide tenants with self-service cloud security services in a software-defined manner in the cloud computing environment.
Summary of the invention
The invention provides a cloud security service implementing system and a cloud security service implementing method, which provide tenants with safe, independent and self-service cloud security services in a cloud computing environment.
To achieve the above object, the invention provides a cloud security service implementing system, comprising:
a self-help service portal, for generating a corresponding security service resource request form according to the selection of a tenant and sending the security service resource request form to a cloud security service middleware, the security service resource request form recording each security service resource that the tenant requests to rent;
the cloud security service middleware, for detecting, according to the received security service resource request form, whether a security service resource pool includes all of the security service resources recorded in the security service resource request form, and, when it is detected that the security service resource pool includes all of the security service resources recorded in the security service resource request form, generating a corresponding instantiation instruction according to the security service resource request form and sending the instantiation instruction to a cloud security service container;
the cloud security service container, for instantiating, according to the received instantiation instruction, each security service resource in the security service resource pool that is recorded in the security service resource request form, and packaging each instantiated security service resource into an independent sub-container in the cloud security service container, the independent sub-container providing a running environment for each security service resource, so that the security service resources in the independent sub-containers provide isolated cloud security service for the tenant.
Optionally, the cloud security service middleware is further for orchestrating each security service resource in the independent sub-containers according to a preset arrangement rule before the security service resources in the independent sub-containers provide the isolated cloud security service for the tenant.
Optionally, the system further comprises:
a cloud security service controller, for obtaining the topological structure of the virtual network in which the tenant resides and generating, according to the topological structure, a routed path from the tenant to the cloud security service container, so that the pending data sent by the tenant is first drawn to the cloud security service middleware before entering the independent sub-containers;
the cloud security service middleware is further for calculating the network traffic corresponding to the pending data.
Optionally, the cloud security service controller is an SDN controller.
To achieve the above object, the invention further provides a cloud security service implementing method, comprising:
a self-help service portal generates a corresponding security service resource request form according to the selection of a tenant and sends the security service resource request form to a cloud security service middleware, the security service resource request form recording each security service resource that the tenant requests to rent;
the cloud security service middleware detects, according to the received security service resource request form, whether a security service resource pool includes all of the security service resources recorded in the security service resource request form;
when it is detected that the security service resource pool includes all of the security service resources recorded in the security service resource request form, the cloud security service middleware generates a corresponding instantiation instruction according to the security service resource request form and sends the instantiation instruction to a cloud security service container;
the cloud security service container instantiates, according to the received instantiation instruction, each security service resource in the security service resource pool that is recorded in the security service resource request form, and packages each instantiated security service resource into an independent sub-container in the cloud security service container, the independent sub-container providing a running environment for each security service resource;
the security service resources in the independent sub-containers provide isolated cloud security service for the tenant.
Optionally, before the step in which the security service resources in the independent sub-containers provide the cloud security service for the tenant, the method further comprises:
the cloud security service middleware orchestrates each security service resource in the independent sub-containers according to a preset arrangement rule.
Optionally, after it is detected that the security service resource pool includes all of the security service resources recorded in the security service resource request form, the method further comprises:
a cloud security service controller obtains the topological structure of the virtual network in which the tenant resides and generates, according to the topological structure, a routed path from the tenant to the cloud security service container, so that the pending data sent by the tenant is first drawn to the cloud security service middleware before entering the independent sub-containers;
and while the security service resources in the independent sub-containers provide the isolated cloud security service for the tenant, the method further comprises:
the cloud security service middleware calculates the network traffic corresponding to the pending data.
Optionally, the cloud security service controller is an SDN controller.
The present invention has following beneficial effect:
The invention provides a cloud security service implementing system and a cloud security service implementing method. The technical scheme of the invention pools security service resources based on resource pool technology and, by means of container technology, provides the cloud security services requested by each tenant with running environments that are isolated from one another and mutually inaccessible, so as to provide tenants with safe, independent and self-service cloud security services in a cloud computing environment.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of a cloud security service implementing system provided by embodiment one of the present invention;
Fig. 2 is a flow chart of a cloud security service implementing method provided by embodiment two of the present invention;
Fig. 3 is a flow chart of a cloud security service implementing method provided by embodiment three of the present invention.
Detailed description of the embodiments
To enable those skilled in the art to better understand the technical scheme of the present invention, the cloud security service implementing system and the cloud security service implementing method provided by the invention are described in detail below with reference to the accompanying drawings.
Embodiment one
Fig. 1 is a schematic structural diagram of a cloud security service implementing system provided by embodiment one of the present invention. As shown in Fig. 1, the cloud security service implementing system comprises: a self-help service portal 1, a cloud security service middleware 2, a security service resource pool 3 (Resources Pool) and a cloud security service container 4 (Container).
The self-help service portal 1 generates a corresponding security service resource request form according to the selection of the tenant and sends the security service resource request form to the cloud security service middleware 2; the security service resource request form records each security service resource that the tenant requests to rent.
The cloud security service middleware 2 detects, according to the received security service resource request form, whether the security service resource pool 3 includes all of the security service resources recorded in the form and, when it detects that the security service resource pool 3 does include all of them, generates a corresponding instantiation instruction according to the form and sends the instantiation instruction to the cloud security service container 4.
The cloud security service container 4, according to the received instantiation instruction, instantiates by container each security service resource in the security service resource pool 3 that is recorded in the form, and packages each instantiated security service resource into an independent sub-container in the cloud security service container 4. The independent sub-container provides a running environment for each security service resource, so that the security service resources in the independent sub-containers provide isolated cloud security service for the tenant.
In this embodiment a container is a software technology that can package any service application together with its dependencies into a portable container. Containers use a sandbox mechanism throughout, have no interfaces to one another, incur almost no performance overhead, and can easily be run on a machine or in a data center. Most importantly, they do not depend on any language, framework or system, so the isolation of different security service applications can be well achieved by container technology, which also offers elasticity and scalability.
It should be noted that the security service resource pool 3 relies on resource virtualization technology to virtualize distributed, heterogeneous security service resources into a resource pool, so that they can be managed uniformly and allocated and scheduled according to service conditions and the tenants' use of the resources. The security service resource pool 3 aggregates security service resources (also called "security service nodes") of different types and different functions; these security service resources may be in hardware form (heterogeneous, dispersed physical server nodes) or in software form (heterogeneous virtual resource clusters formed by virtualization software).
To help those skilled in the art understand the technical scheme of the present invention, the working process of the cloud security service system provided by this embodiment when providing cloud security service to a single tenant is described in detail below.
First, the tenant logs in to the page of the self-help service portal 1. The self-help service portal 1 provides a menu-style cloud security service list, from which the tenant selects the corresponding security service resources according to its own needs. The cloud security service list may sort the security service resources and display them with category filtering according to the classification of the security service resource, its form of existence, its network access mode, its protection strength and the like. It should be noted that when selecting a security service resource the tenant may also customize the relevant parameters of the selected resource (for example, turning part of the functions of the security service resource on or off). If the tenant does not configure the relevant parameters of a security service resource, the self-help service portal 1 uses the default parameters for that resource.
After the tenant has selected one or more security service resources for the required cloud security service, the self-help service portal 1 generates the corresponding security service resource request form according to the tenant's selection and sends it to the cloud security service middleware 2. The security service resource request form records the ID of each security service resource selected by the tenant and the relevant parameters corresponding to each security service resource.
Then, according to the received security service resource request form, the cloud security service middleware 2 detects whether the security service resource pool 3 includes all of the security service resources recorded in the form. When the cloud security service middleware 2 detects that the security service resource pool 3 includes all of them, it generates a corresponding instantiation instruction according to the form; when the cloud security service middleware 2 detects that at least one security service resource recorded in the form does not exist in the security service resource pool 3, it feeds back a security service request failure message to the tenant. It should be noted that this failure message may carry the names of the security service resources that the tenant requested but that do not exist in the security service resource pool 3, so that the tenant can promptly select other security service resources.
After the cloud security service middleware 2 generates the instantiation instruction, it sends the instruction to the cloud security service container 4. According to the received instantiation instruction, the cloud security service container 4 instantiates each security service resource in the security service resource pool 3 that corresponds to the form, and packages each instantiated security service resource into an independent sub-container in the cloud security service container 4; the independent sub-container provides a running environment for each security service resource, so that the security service resources in the independent sub-containers provide isolated cloud security service for the tenant. It should be noted that once a security service resource has been instantiated by container, a tenant selecting and using a given security service cannot tell whether the service is provided by a physical server or packaged by container technology. Most security applications provide their service over the network, and the tenant cannot determine by which technology a given network IP is provided.
It should be noted that if the tenant customized the relevant parameters of one or more security service resources when selecting them, the relevant parameters of those security service resources need to be adjusted according to the tenant's customization when the corresponding resources are instantiated; security service resources that were not customized are instantiated with their default parameters.
The cloud security service implementing system provided by this embodiment has the following specific characteristics:
1. Tenant isolation and exclusive service. The system uses container technology to provide the cloud security services requested by each tenant with running environments that are isolated from one another and mutually inaccessible, which ensures the security of each tenant's data while the system provides cloud security service to many tenants.
2. Convenient self-service. When the cloud security service implementing system provides cloud security service for a tenant, the tenant only needs to apply for and configure the cloud security service that meets its needs through the self-help service portal 1, without any additional human interaction. Throughout the process the tenant's time cost and operating cost are low.
3. Strong system flexibility. From the tenant's point of view the security service resources in the security service resource pool 3 are unlimited: a tenant can request any number of security service resources at any time, the amount being limited only by the cloud security service agreement. In addition, because each security service resource in the security service resource pool 3 can be supplied quickly and automatically, the tenant can quickly increase or reduce the security service resources in the requested cloud security service through the self-help service portal 1.
In this embodiment, optionally, the cloud security service middleware 2 orchestrates each security service resource in the independent sub-containers according to a preset arrangement rule before the security service resources in the independent sub-containers provide the isolated cloud security service for the tenant. Specifically, the security service resources are orchestrated by changing the network configuration of the resource pool; the network configuration may take various forms based on various network protocols, including but not limited to the OpenFlow protocol supported by the open source software Open vSwitch. Orchestrating the security service resources improves efficiency: for different types of security device, which is placed in front and which behind gives different results. For example, if a DDoS device is placed in front of a UTM device, then when a DDoS attack occurs the DDoS protection device first filters out most of the invalid traffic and the UTM then performs security protection, which prevents excessive traffic from exceeding the bandwidth limit that the UTM can effectively handle.
It should be noted that in practice the cloud security service provider may set this preset arrangement rule according to the protection type of each security service resource in the security service resource pool 3. For example, a distributed denial of service (DDoS) security service resource should generally be deployed in front of a security gateway (Unified Threat Management, UTM) security service resource.
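The request-handling sequence of this embodiment (request form with resource IDs and customized parameters, the middleware's pool check with a failure message naming the missing resources, instantiation into one sub-container per resource, and ordering by the preset arrangement rule) as an added example; this is illustrative code, not the patent's implementation, and the pool contents, resource IDs, parameter names and the rank table are constructed.

```python
"""Added example (not the patent's code): a model of the request handling in
Embodiment one. The self-help service portal's request form carries resource
IDs plus optional customized parameters; middleware 2 checks every ID against
security service resource pool 3 and returns either a failure message naming
the missing resources or an instantiation instruction; container 4 packages
each instantiated resource into its own sub-container; and the preset
arrangement rule orders the chain (DDoS in front of UTM). Pool contents,
IDs and parameter names are constructed."""
from dataclasses import dataclass

# Constructed security service resource pool 3: id -> (name, protection type, default parameters)
RESOURCE_POOL = {
    "res-ddos-01": ("DDoS protection", "ddos", {"threshold_mbps": 500}),
    "res-utm-01": ("UTM", "utm", {"ips": "on", "antivirus": "on"}),
    "res-vpn-01": ("VPN gateway", "vpn", {"protocol": "ipsec"}),
}

# Constructed preset arrangement rule: lower rank is placed earlier in the service chain
ARRANGEMENT_RULE = {"ddos": 0, "utm": 1, "vpn": 2}


@dataclass
class RequestForm:
    """Security service resource request form built by the self-help service portal."""
    tenant: str
    items: list  # (resource_id, customized parameters or None), one per selected resource


@dataclass
class SubContainer:
    """One independent sub-container inside cloud security service container 4."""
    tenant: str
    resource_id: str
    protection_type: str
    params: dict


def missing_resources(form):
    """Middleware check: IDs in the form that the pool does not contain."""
    return [rid for rid, _ in form.items if rid not in RESOURCE_POOL]


def middleware_handle(form):
    """Middleware 2: fail with the missing resource IDs, or build the instantiation instruction."""
    missing = missing_resources(form)
    if missing:
        return {"status": "failed", "tenant": form.tenant, "missing": missing}
    instantiate = []
    for rid, custom in form.items:
        _name, ptype, defaults = RESOURCE_POOL[rid]
        params = dict(defaults)          # copy so the pool's defaults are never mutated
        if custom:
            params.update(custom)        # tenant customization overrides the defaults
        instantiate.append({"resource_id": rid, "type": ptype, "params": params})
    return {"status": "ok", "tenant": form.tenant, "instantiate": instantiate}


def container_instantiate(instruction):
    """Container 4: one isolated sub-container per resource in the instruction."""
    if instruction["status"] != "ok":
        raise ValueError("container only accepts a successful instantiation instruction")
    return [SubContainer(instruction["tenant"], it["resource_id"], it["type"], it["params"])
            for it in instruction["instantiate"]]


def arrange(sub_containers):
    """Orchestration by the preset arrangement rule; unknown types go last, order otherwise kept."""
    return sorted(sub_containers,
                  key=lambda s: ARRANGEMENT_RULE.get(s.protection_type, len(ARRANGEMENT_RULE)))


def tenant_chain(all_sub_containers, tenant):
    """Isolation: a tenant is handed only its own sub-containers, never another tenant's."""
    return [s for s in all_sub_containers if s.tenant == tenant]
```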
Optionally, the security service implementing system further comprises a cloud security service controller 5 deployed in the cloud environment. When the cloud security service middleware 2 detects that the security service resource pool 3 includes all of the security service resources recorded in the form, the cloud security service controller 5 obtains the topological structure of the virtual network in which the tenant resides and generates, according to that topology, a routed path from the tenant to the cloud security service container 4, so that the pending data the tenant sends while using the cloud security service is first drawn to the cloud security service middleware 2 before entering the cloud security service container 4. Thus, while the security service resources in the independent sub-containers provide the isolated cloud security service for the tenant, the cloud security service middleware 2 can also calculate the network traffic corresponding to the pending data. Of course, the cloud security service middleware 2 can likewise measure the traffic that is fed back to the tenant after the pending data has been processed by the security service applications in the container.
It should be noted that since different tenants may be in different cloud environment networks, a cloud security service controller 5 may be deployed in each cloud environment network, and that controller 5 can lead the virtual network traffic of each tenant in the corresponding cloud environment network to the cloud security service middleware 2. In this embodiment, software defined network (SDN) technology is used to lead the tenant's virtual network traffic destined for the independent sub-containers to the cloud security service middleware 2 without changing the physical topology of the network. Optionally, the cloud security service controller 5 is an SDN controller.
In this embodiment the pending data is drawn to the cloud security service middleware by the cloud security service controller, so the network traffic of the pending data can be measured. The cloud security service provider can then charge the corresponding tenant based on this network traffic, making the cloud security service meterable.
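The controller and metering steps described above (and step 203 of embodiment three) as an added example, not the patent's code: from a constructed virtual-network topology the controller builds a routed path that reaches the middleware before the container, derives per-switch forwarding rules for it, and the middleware meters each tenant's traffic in both directions. Node names, the topology and the rule format are assumptions.

```python
"""Added example (not the patent's code): a model of cloud security service
controller 5 and the metering done by middleware 2. From the tenant's
virtual-network topology the controller builds a routed path from the tenant
to the cloud security service container that passes through the middleware
first, emits per-switch forwarding rules for that path, and the middleware
meters the tenant's traffic in both directions. Topology and names are
constructed, not taken from the patent."""
from collections import deque

# Constructed tenant virtual network (undirected adjacency list).
# The shortest tenant -> container path bypasses the middleware, which is
# exactly what the controller's routed path must override.
TOPOLOGY = {
    "tenant-a-vm": ["vswitch-1"],
    "vswitch-1": ["tenant-a-vm", "vswitch-2", "middleware-2"],
    "vswitch-2": ["vswitch-1", "middleware-2", "container-4"],
    "middleware-2": ["vswitch-1", "vswitch-2"],
    "container-4": ["vswitch-2"],
}


def shortest_path(topology, src, dst):
    """Breadth-first search; returns the node list src..dst, or None if unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in topology.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def routed_path(topology, tenant, middleware, container):
    """Controller step: tenant -> middleware, then middleware -> container, so the
    pending data reaches the middleware before any sub-container. Raises if either
    leg is unreachable, because then the traffic cannot be drawn to the middleware."""
    first = shortest_path(topology, tenant, middleware)
    second = shortest_path(topology, middleware, container)
    if first is None or second is None:
        raise ValueError("no path through the middleware for %s" % tenant)
    return first + second[1:]


def forwarding_rules(path):
    """Per-hop rules keyed by (switch, ingress neighbour). A routed path may cross
    the same switch twice (out to the middleware and back), so matching on the
    ingress neighbour keeps the two traversals distinct, as OpenFlow in-port
    matching would (assumption about the rule format)."""
    rules = {}
    for i in range(1, len(path) - 1):
        key = (path[i], path[i - 1])
        if key in rules:
            raise ValueError("conflicting rule at %s" % (key,))
        rules[key] = path[i + 1]
    return rules


class TrafficMeter:
    """Middleware-side meter: bytes of pending data going to the container and
    bytes of processed data fed back to the tenant, counted per tenant."""

    def __init__(self):
        self._bytes = {}

    def record(self, tenant, direction, nbytes):
        if direction not in ("to_container", "to_tenant"):
            raise ValueError("unknown direction %r" % direction)
        if nbytes < 0:
            raise ValueError("negative byte count")
        self._bytes.setdefault(tenant, {"to_container": 0, "to_tenant": 0})
        self._bytes[tenant][direction] += nbytes

    def billable_bytes(self, tenant):
        """Total metered bytes for charging; a tenant never seen has used nothing."""
        counts = self._bytes.get(tenant, {"to_container": 0, "to_tenant": 0})
        return counts["to_container"] + counts["to_tenant"]
```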
Embodiment two
Fig. 2 is a flow chart of a cloud security service implementing method provided by embodiment two of the present invention. As shown in Fig. 2, the method is based on a cloud security service implementing system, which is the cloud security service implementing system provided by embodiment one above, and the method comprises:
Step 101: the self-help service portal generates a corresponding security service resource request form according to the selection of the tenant and sends the security service resource request form to the cloud security service middleware.
The security service resource request form records each security service resource that the tenant requests to rent.
Step 102: the cloud security service middleware detects, according to the received security service resource request form, whether the security service resource pool includes all of the security service resources recorded in the form.
When it is detected that the security service resource pool includes all of the security service resources recorded in the form, step 103 is performed; otherwise the cloud security service middleware feeds back a security service request failure message to the tenant, which may carry the names of the security service resources that the tenant requested but that do not exist in the security service resource pool, so that the tenant can promptly select other security service resources.
Step 103: the cloud security service middleware generates a corresponding instantiation instruction according to the security service resource request form and sends the instantiation instruction to the cloud security service container.
Step 104: the cloud security service container instantiates, according to the received instantiation instruction, each security service resource in the security service resource pool that is recorded in the form, and packages each instantiated security service resource into an independent sub-container in the cloud security service container; the independent sub-container provides a running environment for each security service resource.
Step 105: the security service resources in the independent sub-containers provide isolated cloud security service for the tenant.
It should be noted that for a specific description of each step in this embodiment, reference may be made to the corresponding content in embodiment one above, which is not repeated here.
The technical scheme of this embodiment uses container technology to provide the cloud security services requested by each tenant with running environments that are isolated from one another and mutually inaccessible, thereby ensuring the security of each tenant's data while using the cloud security service.
Embodiment three
Fig. 3 is a flow chart of another cloud security service implementation method provided by embodiment three of the present invention. As shown in Fig. 3, this cloud security service implementation method is based on a cloud security service implementation system, namely the cloud security service implementation system provided by embodiment one above, and comprises:
Step 201: The self-service portal generates a corresponding security service resource request list according to the tenant's selection and sends the security service resource request list to the cloud security service middleware; the list records each security service resource the tenant requests to rent.
Step 202: Based on the received security service resource request list, the cloud security service middleware checks whether the security service resource pool contains all of the security service resources recorded in the list.
If the security service resource pool contains all of the security service resources recorded in the list, step 203 is performed; otherwise, the cloud security service middleware returns security service request failure information to the tenant. This failure information may carry the name of each security service resource that the tenant requested but that does not exist in the security service resource pool, so that the tenant can promptly select other security service resources.
Step 203: The cloud security service controller obtains the topology of the virtual network in which the tenant resides and, according to that topology, generates a routed path from the tenant to the cloud security service container.
Through step 203, the routed path from the tenant to the cloud security service container can be set so that the pending data the tenant sends while using the cloud security service is first drawn to the cloud security service middleware before it enters the cloud security service container.
In step 203, optionally, the cloud security service controller is an SDN controller.
Step 204: The cloud security service middleware generates a corresponding instantiation instruction according to the security service resource request list and sends the instantiation instruction to the cloud security service container.
Step 205: According to the received instantiation instruction, the cloud security service container instantiates, from the security service resource pool, each security service resource recorded in the security service resource request list, and encapsulates each instantiated security service resource in an independent sub-container within the cloud security service container; the independent sub-container provides the running environment for each security service resource.
Step 206: The cloud security service middleware orchestrates each security service resource in the independent sub-containers according to a preset arrangement rule.
In this embodiment, orchestrating the security service resources in the independent sub-containers does not require network operation and maintenance staff to go to the machine room and plug or unplug network cables; the goal is achieved remotely, purely by software.
Step 207: Each security service resource in the independent sub-containers provides isolated cloud security services to the tenant, and the cloud security service middleware calculates the network traffic corresponding to the pending data.
It should be noted that the detailed description of each step in this embodiment can be found in the corresponding content of embodiment one above and is not repeated here.
In addition, as an alternative in this embodiment, when the detection result in step 202 is "yes", step 204 is performed next; step 203 may then be performed simultaneously with step 204, or at any time after step 204 and before step 207. The details are not described here.
Compared with embodiment two above, the technical scheme of this embodiment not only provides the tenant with secure, self-service cloud security services, but also makes the cloud security service meterable.
It will be understood that the above embodiments are merely illustrative embodiments adopted to explain the principle of the present invention, and the present invention is not limited thereto. Those skilled in the art can make various modifications and improvements without departing from the spirit and substance of the present invention, and these modifications and improvements are also regarded as falling within the protection scope of the present invention.
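Steps 201 to 207 above, modelled end to end in Python as an added example. This is not the patent's code or any product of the applicant; the resource pool, the preset arrangement rule, the virtual network topology, the tenant names and the breadth-first route computation standing in for the SDN controller are all constructed assumptions.

```python
"""Toy model of steps 201-207 above (constructed example, not the patent's code): request
check, SDN routing, per-tenant sub-containers, orchestration and traffic metering."""
from collections import deque
from dataclasses import dataclass

RESOURCE_POOL = {"firewall", "ids", "waf", "antivirus"}        # constructed pool
ARRANGEMENT_RULE = ["firewall", "ids", "waf", "antivirus"]     # assumed preset rule


@dataclass
class SubContainer:           # one independent sub-container: one service, one tenant
    tenant: str
    service: str
    bytes_seen: int = 0


class CloudSecurityContainer:
    def __init__(self):
        self.sub_containers = {}          # (tenant, service) -> SubContainer

    def instantiate(self, tenant, request_list):
        """Step 205: each requested resource gets its own sub-container for this tenant."""
        chain = [SubContainer(tenant, s) for s in request_list]
        for sc in chain:
            self.sub_containers[(tenant, sc.service)] = sc
        return chain

    def tenant_view(self, tenant):
        """Isolation: a tenant can only see and reach its own sub-containers."""
        return [sc for (t, _), sc in self.sub_containers.items() if t == tenant]


def check_request(request_list):
    """Step 202: all requested resources must be in the pool; otherwise return failure
    information naming the ones that are absent, as the description specifies."""
    missing = [s for s in request_list if s not in RESOURCE_POOL]
    if missing:
        return False, {"status": "security service request failed", "missing": missing}
    return True, None


def route_path(topology, src, dst):
    """Step 203 (SDN controller): BFS shortest path over the tenant's virtual network,
    given as an adjacency dict node -> list of neighbour nodes; None if unreachable."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in topology.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def orchestrate(chain):
    """Step 206: order a tenant's sub-containers by the preset arrangement rule."""
    rank = {s: i for i, s in enumerate(ARRANGEMENT_RULE)}
    return sorted(chain, key=lambda sc: rank[sc.service])


class Middleware:
    def __init__(self, container):
        self.container = container
        self.traffic = {}                 # tenant -> bytes metered (step 207)

    def onboard(self, tenant, request_list, topology):
        ok, failure = check_request(request_list)
        if not ok:
            return failure
        # Traffic is drawn tenant -> middleware -> container, so the path has two legs.
        leg1 = route_path(topology, tenant, "middleware")
        leg2 = route_path(topology, "middleware", "container")
        if leg1 is None or leg2 is None:
            return {"status": "no route from tenant to cloud security service container"}
        chain = orchestrate(self.container.instantiate(tenant, request_list))
        return {"status": "ok", "chain": [sc.service for sc in chain], "path": leg1 + leg2[1:]}

    def handle_traffic(self, tenant, payload):
        """Step 207: meter the pending data, then pass it along this tenant's chain only."""
        self.traffic[tenant] = self.traffic.get(tenant, 0) + len(payload)
        chain = orchestrate(self.container.tenant_view(tenant))
        for sc in chain:
            sc.bytes_seen += len(payload)
        return [sc.service for sc in chain]


TOPOLOGY = {                              # constructed virtual network shared by two tenants
    "tenantA": ["vswitch1"], "tenantB": ["vswitch1"],
    "vswitch1": ["tenantA", "tenantB", "middleware"],
    "middleware": ["vswitch1", "container"], "container": ["middleware"],
}


def demo():
    """Tenant A gets an ordered chain; tenant B asks for a service not in the pool."""
    container = CloudSecurityContainer()
    mw = Middleware(container)
    a = mw.onboard("tenantA", ["waf", "firewall"], TOPOLOGY)
    b = mw.onboard("tenantB", ["honeypot", "ids"], TOPOLOGY)
    mw.handle_traffic("tenantA", b"GET / HTTP/1.1\r\n")
    return a, b, mw.traffic, [sc.service for sc in container.tenant_view("tenantB")]
```

Two points the model makes explicit. First, `tenant_view` is the isolation boundary: every lookup is keyed by tenant, so one tenant's traffic can never be dispatched into another tenant's sub-container, which is the property embodiment two relies on. Second, metering only works because the controller's routed path forces the pending data through the middleware before the sub-containers; a deployment in which the route generation (step 203) and the accounting (step 207) disagree, so that some traffic reaches the container directly, would silently under-count, so the two should be checked against each other.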

Claims (8)

1. A cloud security service implementation system, characterized in that it comprises:
a self-service portal, configured to generate a corresponding security service resource request list according to a tenant's selection and to send the security service resource request list to cloud security service middleware, the security service resource request list recording each security service resource the tenant requests to rent;
the cloud security service middleware, configured to detect, according to the received security service resource request list, whether a security service resource pool contains all of the security service resources recorded in the security service resource request list, and, when it detects that the security service resource pool contains all of the security service resources recorded in the security service resource request list, to generate a corresponding instantiation instruction according to the security service resource request list and send the instantiation instruction to a cloud security service container;
the cloud security service container, configured to instantiate, according to the received instantiation instruction, each security service resource recorded in the security service resource request list from the security service resource pool, and to encapsulate each instantiated security service resource in an independent sub-container within the cloud security service container, the independent sub-container providing a running environment for each security service resource, so that the security service resources in the independent sub-containers provide isolated cloud security services to the tenant.
2. The cloud security service implementation system according to claim 1, characterized in that the cloud security service middleware is further configured to orchestrate each security service resource in the independent sub-containers according to a preset arrangement rule before the security service resources in the independent sub-containers provide the isolated cloud security services to the tenant.
3. The cloud security service implementation system according to claim 1, characterized in that it further comprises:
a cloud security service controller, configured to obtain the topology of the virtual network in which the tenant resides and to generate, according to the topology, a routed path from the tenant to the cloud security service container, so that pending data sent by the tenant is first drawn to the cloud security service middleware before entering the independent sub-containers;
the cloud security service middleware being further configured to calculate network traffic corresponding to the pending data.
4. The cloud security service implementation system according to claim 3, characterized in that the cloud security service controller is an SDN controller.
5. A cloud security service implementation method, characterized in that it comprises:
a self-service portal generating a corresponding security service resource request list according to a tenant's selection and sending the security service resource request list to cloud security service middleware, the security service resource request list recording each security service resource the tenant requests to rent;
the cloud security service middleware detecting, according to the received security service resource request list, whether a security service resource pool contains all of the security service resources recorded in the security service resource request list;
when it is detected that the security service resource pool contains all of the security service resources recorded in the security service resource request list, the cloud security service middleware generating a corresponding instantiation instruction according to the security service resource request list and sending the instantiation instruction to a cloud security service container;
the cloud security service container instantiating, according to the received instantiation instruction, each security service resource recorded in the security service resource request list from the security service resource pool, and encapsulating each instantiated security service resource in an independent sub-container within the cloud security service container, the independent sub-container providing a running environment for each security service resource;
the security service resources in the independent sub-containers providing isolated cloud security services to the tenant.
6. The cloud security service implementation method according to claim 5, characterized in that, before the step of the security service resources in the independent sub-containers providing the cloud security services to the tenant, the method further comprises:
the cloud security service middleware orchestrating each security service resource in the independent sub-containers according to a preset arrangement rule.
7. The cloud security service implementation method according to claim 5, characterized in that, after it is detected that the security service resource pool contains all of the security service resources recorded in the security service resource request list, the method further comprises:
a cloud security service controller obtaining the topology of the virtual network in which the tenant resides and generating, according to the topology, a routed path from the tenant to the cloud security service container, so that pending data sent by the tenant is first drawn to the cloud security service middleware before entering the independent sub-containers;
and that, while the security service resources in the independent sub-containers provide the isolated cloud security services to the tenant, the method further comprises:
the cloud security service middleware calculating network traffic corresponding to the pending data.
8. The cloud security service implementation method according to claim 7, characterized in that the cloud security service controller is an SDN controller.
CN201511024444.XA 2015-12-30 2015-12-30 Cloud security service implementing system and cloud security service implementing method Pending CN105450668A (en)

Publications (1)

Publication Number Publication Date
CN105450668A (en) 2016-03-30

Family

ID=55560444


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160330