CN107888597A - A kind of FWaaS security domains collocation method and device - Google Patents
- Publication number: CN107888597A (application CN201711135348.1A)
- Authority: CN (China)
- Prior art keywords: fwaas, security domain, rules, mark, extranet
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security; H04L63/20—for managing network security; network security policies in general; H04L63/205—involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security; H04L63/02—for separating internal from external traffic, e.g. firewalls
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
This application provides a FWaaS security domain configuration method applied to OpenStack. The method includes: obtaining a FWaaS rule to be configured, which includes a source security domain field and a destination security domain field; obtaining an intranet mark pre-set for the intranet security domain and an extranet mark pre-set for the extranet security domain; configuring the source security domain field of the FWaaS rule to be configured with the intranet mark or the extranet mark; and configuring the destination security domain field of the FWaaS rule to be configured with the intranet mark or the extranet mark.
Description
Technical field
This application relates to the field of communication technology, and in particular to a FWaaS security domain configuration method and device.
Background technology
OpenStack is an open-source cloud computing management platform project in which several main components combine to carry out specific tasks. Its goal is to provide a cloud computing management platform that is simple to implement, scales to large deployments, is feature-rich and follows unified standards. OpenStack covers networking, virtualization, operating systems, servers and other aspects; through the components it includes, it provides core services such as compute, networking and storage, as well as extension services such as FWaaS (FireWall as a Service). In OpenStack's native FWaaS, the FWaaS configuration interface cannot configure a security domain function like that of a traditional firewall; that is, native OpenStack FWaaS contains no security domain configuration function, so FWaaS is incomplete and defective. Because security domains cannot be configured in OpenStack FWaaS, they can only be generated by hard-coding on the network device side, so that each virtual firewall has a security domain with a specific name. The generated security domain is unitary, cannot be displayed and runs only in the background, so the security domain capability of the hardware network device cannot perform its intended function.
Summary of the invention
In view of this, this application provides a FWaaS security domain configuration method and device.
Specifically, this application is achieved through the following technical solutions:
A FWaaS security domain configuration method applied to OpenStack, the method including:
obtaining a FWaaS rule to be configured, which includes a source security domain field and a destination security domain field;
obtaining an intranet mark pre-set for the intranet security domain and an extranet mark pre-set for the extranet security domain;
configuring the source security domain field in the FWaaS rule to be configured with the intranet mark or the extranet mark, and configuring the destination security domain field in the FWaaS rule to be configured with the intranet mark or the extranet mark.
A FWaaS security domain generation method based on the FWaaS security domain configuration method, applied to a network device, the method including:
obtaining a policy issued by OpenStack, the policy being formed from the FWaaS rules that the user has configured in OpenStack;
obtaining a target virtual router specified by the user;
associating a pre-created virtual firewall with the policy and the target virtual router;
after the pre-created virtual firewall has been associated with the policy and the target virtual router, generating the FWaaS security domains corresponding to the target virtual router.
A FWaaS security domain configuration device applied to OpenStack, the device including:
a FWaaS rule unit for obtaining a FWaaS rule to be configured, which includes a source security domain field and a destination security domain field;
a mark acquiring unit for obtaining an intranet mark pre-set for the intranet security domain and an extranet mark pre-set for the extranet security domain;
a FWaaS rule configuring unit for configuring the source security domain field in the FWaaS rule to be configured with the intranet mark or the extranet mark, and for configuring the destination security domain field in the FWaaS rule to be configured with the intranet mark or the extranet mark.
A FWaaS security domain generating device based on the FWaaS security domain configuration device, applied to a network device, the device including:
a policy acquiring unit for obtaining the policy issued by OpenStack, the policy being formed from the FWaaS rules that the user has configured in OpenStack;
a target virtual router acquiring unit for obtaining the target virtual router specified by the user;
an association unit for associating the pre-created virtual firewall with the policy and the target virtual router;
a FWaaS security domain generation unit for generating, after the pre-created virtual firewall has been associated with the policy and the target virtual router, the FWaaS security domains corresponding to the target virtual router.
In this solution, according to the intranet-to-extranet interaction service provided by the virtual router, the intranet is determined to be the intranet security domain and the extranet the extranet security domain, and a corresponding intranet mark and extranet mark are set for the two domains. The source security domain field of an obtained FWaaS rule to be configured can be configured with the intranet mark or the extranet mark, and the destination security domain field can likewise be configured with the intranet mark or the extranet mark. The configured FWaaS rules form a policy that is issued to the network device; after the pre-created virtual firewall has been associated with the policy and with the target virtual router specified by the user, the FWaaS security domains corresponding to the target virtual router are generated. Compared with the prior art, FWaaS security domains can be configured through the FWaaS configuration interface in OpenStack, so the security domain capability of the hardware device can be used to its full extent. The generated FWaaS security domains, two security domains per virtual router, distinguish the source security domain from the destination security domain; the user level has no interface concept, which reduces operation and maintenance difficulty; and the FWaaS security domains corresponding to the FWaaS rules can be viewed at any time.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of this application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some of the embodiments described in this application; those of ordinary skill in the art can also obtain other drawings from them.
Fig. 1 is a schematic diagram of security domain division shown in an exemplary embodiment of this application;
Fig. 2 is a flow chart of a FWaaS security domain configuration method shown in an exemplary embodiment of this application;
Fig. 3 is a flow chart of a FWaaS security domain generation method shown in an exemplary embodiment of this application;
Fig. 4 is a schematic diagram of an application scenario shown in an exemplary embodiment of this application;
Fig. 5 is a structural diagram of a FWaaS security domain configuration device shown in an exemplary embodiment of this application;
Fig. 6 is a structural diagram of a FWaaS security domain generating device shown in an exemplary embodiment of this application.
Detailed description of the embodiments
Exemplary embodiments are described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this application; rather, they are merely examples of apparatus and methods consistent with some aspects of this application as detailed in the appended claims.
The terms used in this application are only for the purpose of describing particular embodiments and are not intended to limit the application. The singular forms "a", "said" and "the" used in this application and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of this application, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
The FWaaS security domain configuration method provided by the embodiments of this application is explained first. The method may include the following steps:
obtaining a FWaaS rule to be configured, which includes a source security domain field and a destination security domain field;
obtaining an intranet mark pre-set for the intranet security domain and an extranet mark pre-set for the extranet security domain;
configuring the source security domain field in the FWaaS rule to be configured with the intranet mark or the extranet mark, and configuring the destination security domain field in the FWaaS rule to be configured with the intranet mark or the extranet mark.
As stated in the background, OpenStack is a cloud service management platform. According to the intranet-to-extranet interaction service provided by a virtual router in OpenStack, the IP addresses used by the network devices on the intranet connected to the virtual router belong to one IP range, while the IP addresses used by the network devices on the extranet connected to the virtual router belong to another IP range, different from the intranet range. From this feature the intranet can be determined to be the intranet security domain and the extranet the extranet security domain, and accordingly an intranet mark is set for the intranet security domain and an extranet mark for the extranet security domain. The intranet security domain and extranet security domain mentioned here are logical concepts; dividing them according to different IP ranges is only exemplary, and other division methods exist that are not enumerated here.
A FWaaS rule to be configured is obtained, which contains a source security domain field and a destination security domain field. Both fields are normally empty by default, although they may of course already hold either of the intranet and extranet marks described above. The intranet mark and extranet mark are obtained, and the FWaaS rule to be configured is configured: its source security domain field can be configured with the intranet mark or the extranet mark, and its destination security domain field can likewise be configured with the intranet mark or the extranet mark.
For the FWaaS security domain configuration method of this invention, how the intranet security domain and extranet security domain are divided is illustrated first by example, which includes the following steps:
According to the intranet-to-extranet interaction service provided by the virtual router in OpenStack, and the fact that the intranet and the extranet connected to the virtual router use different IP ranges, the intranet is determined to be the intranet security domain and the extranet the extranet security domain, and a corresponding intranet mark and extranet mark are set for the intranet security domain and the extranet security domain;
In one embodiment, an exemplary application scenario is shown in Fig. 1. The virtual router, denoted Vrouter in the figure, provides the interaction service between the intranet and the extranet: intranet users access the extranet through the virtual router, and likewise extranet users access the intranet through the virtual router. Because the intranet and the extranet connected to the virtual router use different IP ranges, the IP addresses used by intranet users belong to one IP range, for example 192.168.1.0/24, that is 192.168.1.1-192.168.1.255, from which an intranet user may pick any address or be assigned a specific one; correspondingly, the IP range of extranet users may be 192.168.2.0/24, that is 192.168.2.1-192.168.2.255. From this feature the intranet is determined to be the intranet security domain and the extranet the extranet security domain, and a corresponding intranet mark and extranet mark are set for them; the correspondence is shown in Table 1 below.
Security domain name     | Mark
Intranet security domain | Intranet zone
Extranet security domain | Extranet zone
Table 1
Fig. 2 is a flow chart of the FWaaS security domain configuration method of this application, which includes the following steps:
S101: a FWaaS rule to be configured is obtained, which includes a source security domain field and a destination security domain field;
In one embodiment, a FWaaS rule to be configured is obtained. A FWaaS rule can be configured with a source security domain and a destination security domain, so it includes a source security domain field and a destination security domain field, each of which has its own configurable content.
S102: an intranet mark pre-set for the intranet security domain and an extranet mark pre-set for the extranet security domain are obtained;
In the process described above, a corresponding intranet mark and extranet mark were set for the intranet security domain and the extranet security domain, with the correspondence shown in Table 1. Since the source security domain field and destination security domain field of the obtained FWaaS rule are to be configured, the intranet mark and extranet mark that were set must be obtained: the intranet mark corresponding to the intranet security domain is Intranet zone, and the extranet mark corresponding to the extranet security domain is Extranet zone.
S103: the source security domain field in the FWaaS rule to be configured is configured with the intranet mark or the extranet mark, and the destination security domain field in the FWaaS rule to be configured is configured with the intranet mark or the extranet mark.
In one embodiment, after the intranet mark Intranet zone and the extranet mark Extranet zone have been obtained, the source security domain field and destination security domain field of the FWaaS rule to be configured are configured. The source security domain field can be configured with the intranet mark or the extranet mark, i.e. with Intranet zone or with Extranet zone; the destination security domain field can likewise be configured with the intranet mark or the extranet mark, i.e. with Intranet zone or with Extranet zone. Accordingly, there are three legal ways of configuring the source and destination security domain fields of the FWaaS rule to be configured; the correspondence between the two fields and the intranet and extranet marks is shown in Table 2 below.
Source security domain field | Destination security domain field
Intranet zone                | Intranet zone
Extranet zone                | Intranet zone
Intranet zone                | Extranet zone
Table 2
Besides the legal configurations of the source and destination security domain fields, there is correspondingly an illegal configuration, namely when both the source security domain field and the destination security domain field are configured with the extranet mark Extranet zone. The interaction service provided by the virtual router in OpenStack described above also includes intranet-to-intranet interaction, but it does not provide extranet-to-extranet interaction; in the model where the virtual router provides the intranet-to-extranet interaction service, such a case does not exist, so this configuration is illegal. After the source and destination security domain fields of a FWaaS rule have been configured, the configuration result must therefore be checked: first detect whether the contents configured in the source security domain field and the destination security domain field are consistent, i.e. whether both are the intranet mark or both the extranet mark. If the two fields are consistent, detect whether the configured content is the extranet mark. When the source and destination security domain fields are consistent and the configured content is the extranet mark, the configuration result is determined to be illegal.
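The configuration steps S101 to S103 and the legality check above, as an added example that is not code from the patent or from OpenStack; the rule class, the function names and the `illegal` flag are assumptions for illustration, only the two marks come from Table 1:

```python
"""Added example (not code from the patent): configuring the source and
destination security-domain fields of a FWaaS rule (steps S101-S103) and the
check that rejects the extranet-to-extranet case. Rule class, flag and
function names are assumptions for illustration."""
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Marks pre-set for the two logical security domains (Table 1 of the patent).
INTRANET_ZONE = "Intranet zone"
EXTRANET_ZONE = "Extranet zone"
KNOWN_MARKS = (INTRANET_ZONE, EXTRANET_ZONE)


@dataclass
class FwaasRule:
    """A FWaaS rule with the two fields the patent adds; both default to empty."""
    name: str
    source_zone: Optional[str] = None
    dest_zone: Optional[str] = None
    illegal: bool = False


def get_zone_marks():
    """S102: obtain the pre-set intranet and extranet marks."""
    return INTRANET_ZONE, EXTRANET_ZONE


def is_legal_configuration(source_zone, dest_zone):
    """Check described after Table 2: the configuration is illegal when the two
    fields are consistent (same mark) and that mark is the extranet mark,
    because the virtual router offers intranet-to-extranet and
    intranet-to-intranet interaction but no extranet-to-extranet interaction."""
    if source_zone is None or dest_zone is None:
        return False            # an unconfigured field cannot form a policy
    consistent = source_zone == dest_zone
    return not (consistent and source_zone == EXTRANET_ZONE)


def configure_zones(rule, source_mark, dest_mark):
    """S103: write the marks into the rule's fields, then record the result of
    the legality check so an illegal rule is never issued as policy."""
    for mark in (source_mark, dest_mark):
        if mark not in KNOWN_MARKS:
            raise ValueError(f"unknown security-domain mark: {mark!r}")
    rule.source_zone = source_mark
    rule.dest_zone = dest_mark
    rule.illegal = not is_legal_configuration(source_mark, dest_mark)
    return rule


def legal_combinations():
    """Enumerate every (source, destination) pair of marks and keep the legal
    ones; this reproduces the three rows of Table 2."""
    return [pair for pair in product(KNOWN_MARKS, repeat=2)
            if is_legal_configuration(*pair)]


if __name__ == "__main__":
    intranet, extranet = get_zone_marks()
    print(configure_zones(FwaasRule("allow-web"), intranet, extranet))
    print(configure_zones(FwaasRule("rejected"), extranet, extranet))
    print(legal_combinations())
```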
As shown in Fig. 3, the FWaaS security domain generation method corresponding to the above FWaaS security domain configuration method includes the following steps:
S201: the policy issued by OpenStack is obtained, the policy being formed from the FWaaS rules that the user has configured in OpenStack;
In one embodiment, based on the FWaaS security domain configuration method above, the user selects a FWaaS rule to be configured in the OpenStack configuration interface and configures its source security domain field and destination security domain field, each of which can be configured with the intranet mark or the extranet mark. When the configuration result is legal, a policy is formed and issued to the network device, and the network device obtains the policy issued by OpenStack. For example, the user configures the source security domain field of a FWaaS rule with the intranet mark and its destination security domain field with the extranet mark; the configured FWaaS rule forms a policy that is issued to the network device, and on the network device side the policy issued by OpenStack can be obtained.
S202: the target virtual router specified by the user is obtained;
In one embodiment, in the user's own network environment, shown as the application scenario of Fig. 4, each network device's IP address is unique within the current network, so the IP address of a virtual router is also unique within the current network, and the user can specify the target virtual router on the basis of this feature. The simplest way, of course, is to specify the target virtual router by router name; it can also be specified by the router's MAC address, and other ways are not enumerated here. In short, the target virtual router can be specified by any property of the virtual router that distinguishes it from the other virtual routers. In the application scenario of Fig. 4, virtual router Vrouter1 can be specified as the target virtual router by its router name.
S203: the pre-created virtual firewall is associated with the policy and the target virtual router;
In one embodiment, to reduce investment cost a firewall is commonly divided logically into multiple virtual firewalls; each virtual firewall system can be regarded as a completely independent firewall device with its own system resources, administrators, security policies, user authentication database and so on. A virtual firewall therefore needs to be created in advance. Denoting the pre-created virtual firewall VFW1, VFW1 is associated with the policy issued by OpenStack obtained above and with the target virtual router Router1 specified by router name above. This association means that the three are connected to and influence one another.
S204: after the pre-created virtual firewall has been associated with the policy and the target virtual router, the FWaaS security domains corresponding to the target virtual router are generated.
After the pre-created virtual firewall VFW1 has been associated with the policy issued by OpenStack obtained above and with the target virtual router Router1 specified by router name, the FWaaS security domains corresponding to the target virtual router are generated according to the FWaaS rules. With the FWaaS rule described above, whose source security domain field is configured with the intranet mark Intranet zone and whose destination security domain field is configured with the extranet mark Extranet zone, the FWaaS security domains corresponding to the target virtual router Router1 are generated: the name of the generated intranet security domain is the router name plus the intranet mark, and the name of the generated extranet security domain may be the router name plus the extranet mark. For example, the intranet security domain name may be Router1 plus Intranet zone, and the extranet security domain name may be Router1 plus Extranet zone. The security domain name, domain action, description, security domain priority and so on can be modified.
When the FWaaS security domains are generated, the interfaces included in the intranet security domain, such as the interfaces produced by the subnets associated with the virtual router (VLAN interfaces and the like) and the intranet interfaces produced where the hardware firewall device connects to the gateway device, and the interfaces included in the extranet security domain, such as the gateway interface of the virtual router and the extranet interfaces produced where the hardware firewall device connects to the gateway device, are added to the FWaaS security domains in code according to the customer's requirements and are invisible to the user. In this way the user level has no interface concept, which reduces operation and maintenance difficulty.
After the FWaaS security domains have been generated, the target virtual router Router1 has two security domains, an intranet security domain and an extranet security domain. The source security domain field of the FWaaS rule is now the intranet mark and the destination security domain field the extranet mark, so the intranet mark must be replaced with the intranet security domain and the extranet mark with the extranet security domain; this is done in the background. When the user needs to view the security domains, the current security domains can be viewed by reading the back-end data.
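The network-device side of the scheme, steps S201 to S204 together with the interface addition and mark replacement just described, as an added example that is not code from the patent or from any firewall vendor; VFW1 and Router1 are the names used in the text, while the dictionaries, interface names, MAC addresses and function names are constructed assumptions:

```python
"""Added example (not code from the patent): the network-device side of the
scheme, steps S201-S204 plus interface addition and mark replacement. VFW1 and
Router1 are the patent's names; data structures, interface names, MAC
addresses and function names are assumptions."""
from dataclasses import dataclass, field

INTRANET_ZONE = "Intranet zone"
EXTRANET_ZONE = "Extranet zone"


@dataclass
class SecurityDomain:
    """A generated FWaaS security domain. Name, action, description and
    priority stay editable; interfaces are added in code and not shown to users."""
    name: str
    mark: str
    interfaces: list = field(default_factory=list)
    action: str = "permit"
    description: str = ""
    priority: int = 0


@dataclass
class VirtualFirewall:
    """A pre-created virtual firewall such as VFW1."""
    name: str
    policy: list = field(default_factory=list)
    router: str = ""
    domains: dict = field(default_factory=dict)


def obtain_policy(configured_rules):
    """S201: the policy issued by OpenStack is formed from the rules the user
    configured there; only legally configured rules are issued."""
    return [dict(rule) for rule in configured_rules if not rule.get("illegal")]


def find_target_router(routers, name):
    """S202: the user names the target router by a property that is unique on
    the device; the patent names the router name (simplest) or its MAC address."""
    matches = [r for r in routers if r["name"] == name]
    if len(matches) != 1:
        raise LookupError(f"router {name!r} not found or not unique")
    return matches[0]


def associate(vfw, policy, router):
    """S203: bind the pre-created virtual firewall to the policy and the router."""
    vfw.policy = policy
    vfw.router = router["name"]
    return vfw


def generate_security_domains(vfw, intranet_ifaces, extranet_ifaces):
    """S204: one intranet and one extranet domain per target router, named
    '<router name> <mark>'; then replace the marks in the rule fields with the
    generated domain names (the replacement unit 460 of Fig. 6)."""
    if not vfw.router:
        raise RuntimeError("virtual firewall is not associated with a router")
    for mark, ifaces in ((INTRANET_ZONE, intranet_ifaces),
                         (EXTRANET_ZONE, extranet_ifaces)):
        vfw.domains[mark] = SecurityDomain(
            name=f"{vfw.router} {mark}", mark=mark, interfaces=list(ifaces))
    for rule in vfw.policy:
        rule["source_zone"] = vfw.domains[rule["source_zone"]].name
        rule["dest_zone"] = vfw.domains[rule["dest_zone"]].name
    return vfw


def current_domains(vfw):
    """What a user sees when reading back-end data: domain names and the
    interfaces behind them."""
    return {d.name: list(d.interfaces) for d in vfw.domains.values()}


def run_example():
    # Constructed inputs: one legal rule, one illegal rule, two routers.
    rules = [
        {"name": "allow-web", "source_zone": INTRANET_ZONE,
         "dest_zone": EXTRANET_ZONE, "illegal": False},
        {"name": "rejected", "source_zone": EXTRANET_ZONE,
         "dest_zone": EXTRANET_ZONE, "illegal": True},
    ]
    routers = [{"name": "Router1", "mac": "00:00:5e:00:53:01"},
               {"name": "Router2", "mac": "00:00:5e:00:53:02"}]
    vfw = associate(VirtualFirewall("VFW1"), obtain_policy(rules),
                    find_target_router(routers, "Router1"))
    # Constructed interface names: VLAN interfaces from the router's subnets on
    # the intranet side, the router's gateway interface on the extranet side.
    return generate_security_domains(vfw, ["vlan10", "vlan20"], ["gateway0"])


if __name__ == "__main__":
    print(current_domains(run_example()))
```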
With the above technical solution, FWaaS security domains can be configured through the FWaaS configuration interface in OpenStack, so the security domain capability of the hardware device can be used to its full extent. The generated FWaaS security domains, two security domains per virtual router, distinguish the source security domain from the destination security domain; the user level has no interface concept, which reduces operation and maintenance difficulty; and the FWaaS security domains corresponding to the FWaaS rules can be viewed at any time.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be completed by hardware driven by program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes ROM, RAM, a magnetic disk, an optical disc or any other medium capable of storing program code.
Corresponding to the foregoing FWaaS security domain configuration method embodiment, this application also provides an embodiment of a FWaaS security domain configuration device which, as shown in Fig. 5, includes a FWaaS rule unit 310, a mark acquiring unit 320 and a FWaaS rule configuring unit 330.
The FWaaS rule unit 310 obtains a FWaaS rule to be configured, which includes a source security domain field and a destination security domain field;
The mark acquiring unit 320 obtains an intranet mark pre-set for the intranet security domain and an extranet mark pre-set for the extranet security domain;
The FWaaS rule configuring unit 330 configures the source security domain field in the FWaaS rule to be configured with the intranet mark or the extranet mark, and configures the destination security domain field in the FWaaS rule to be configured with the intranet mark or the extranet mark.
In an embodiment of this application, the device further includes a detection unit 340 and an illegal FWaaS rule setting unit 350.
The detection unit 340 detects, for the FWaaS rule obtained after the source security domain field and destination security domain field of the FWaaS rule to be configured have been configured, whether the contents configured in the source security domain field and the destination security domain field of the obtained FWaaS rule are consistent;
The illegal FWaaS rule setting unit 350 sets the FWaaS rule as an illegal FWaaS rule when it is detected that the contents of the source security domain field and destination security domain field of the obtained FWaaS rule are consistent and are the extranet mark.
Corresponding to the foregoing embodiment of the FWaaS security domain generation method based on the FWaaS security domain configuration method, this application also provides an embodiment of a FWaaS security domain generating device based on the FWaaS security domain configuration device which, as shown in Fig. 6, includes a policy acquiring unit 410, a target virtual router acquiring unit 420, an association unit 430 and a FWaaS security domain generation unit 440.
The policy acquiring unit 410 obtains the policy issued by OpenStack, the policy being formed from the FWaaS rules that the user has configured in OpenStack;
The target virtual router acquiring unit 420 obtains the target virtual router specified by the user;
The association unit 430 associates the pre-created virtual firewall with the policy and the target virtual router;
The FWaaS security domain generation unit 440 generates the FWaaS security domains corresponding to the target virtual router after the pre-created virtual firewall has been associated with the policy and the target virtual router.
In an embodiment of this application, the device further includes an interface adding unit 450 and a replacement unit 460.
The interface adding unit 450 adds the interfaces that the user requires the intranet security domain to include and the interfaces the extranet security domain includes to the FWaaS security domains corresponding to the target virtual router;
The replacement unit 460, according to the generated FWaaS security domains corresponding to the target virtual router, replaces the intranet mark and extranet mark configured in the source security domain field and destination security domain field of the configured FWaaS rule with the corresponding intranet security domain or extranet security domain.
The way the functions of the units in the above system are implemented refers to the implementation of the corresponding steps in the above method and is not repeated here.
Since the system embodiments essentially correspond to the method embodiments, the relevant parts refer to the description of the method embodiments. The system embodiments described above are only illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of this application's solution, and those of ordinary skill in the art can understand and implement this without creative effort.
The present invention may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The present invention may also be practiced in distributed computing environments, where tasks are performed by remote processing devices that are linked through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
The above is only an embodiment of the present invention. It should be noted that those of ordinary skill in the art may make improvements and modifications without departing from the principles of the invention, and such improvements and modifications should also be regarded as falling within the protection scope of the present invention.
Claims (10)
1. A FWaaS security domain configuration method, characterised in that it is applied to OpenStack, and the method includes:
obtaining a FWaaS rule to be configured, which includes a source security domain field and a destination security domain field;
obtaining an intranet identifier pre-set for the intranet security domain and an extranet identifier pre-set for the extranet security domain;
configuring the intranet identifier or the extranet identifier for the source security domain field in the FWaaS rule to be configured, and configuring the intranet identifier or the extranet identifier for the destination security domain field in the FWaaS rule to be configured.
2. The method according to claim 1, characterised in that the method further includes:
for the FWaaS rule obtained after the configuration of the source security domain field and the destination security domain field in the FWaaS rule to be configured is completed, detecting whether the contents configured in the source security domain field and the destination security domain field of the obtained FWaaS rule are consistent.
3. The method according to claim 2, characterised in that the method further includes:
in the case where it is detected that the contents configured in the source security domain field and the destination security domain field of the obtained FWaaS rule are consistent and are both the extranet identifier, setting the FWaaS rule as an illegal FWaaS rule.
4. A FWaaS security domain generation method based on the method of any one of claims 1 to 3, characterised in that it is applied to a network device, and the method includes:
obtaining the policy issued by the OpenStack, the policy being formed from the FWaaS rules the user has configured in OpenStack;
obtaining the target virtual router specified by the user;
associating a pre-created virtual firewall with the policy and the target virtual router;
after the pre-created virtual firewall has been associated with the policy and the target virtual router, generating the FWaaS security domains corresponding to the target virtual router.
5. The method according to claim 4, characterised in that the method further includes:
adding the interfaces included in the intranet security domain required by the user and the interfaces included in the extranet security domain to the FWaaS security domains corresponding to the target virtual router.
6. The method according to claim 4, characterised in that the method further includes:
according to the generated FWaaS security domains corresponding to the target virtual router, replacing the intranet identifier and the extranet identifier configured in the source security domain field and the destination security domain field of the configured FWaaS rules with the corresponding intranet security domain or extranet security domain.
7. A FWaaS security domain configuration device, characterised in that it is applied to OpenStack, and the device includes:
a FWaaS rule unit, for obtaining a FWaaS rule to be configured, which includes a source security domain field and a destination security domain field;
an identifier acquiring unit, for obtaining an intranet identifier pre-set for the intranet security domain and an extranet identifier pre-set for the extranet security domain;
a FWaaS rule configuration unit, for configuring, in the processing stage, the intranet identifier or the extranet identifier for the source security domain field in the FWaaS rule to be configured, and configuring the intranet identifier or the extranet identifier for the destination security domain field in the FWaaS rule to be configured.
8. The device according to claim 7, characterised in that the device further includes a detection unit;
the detection unit is configured to detect, for the FWaaS rule obtained after the configuration of the source security domain field and the destination security domain field in the FWaaS rule to be configured is completed, whether the contents configured in the source security domain field and the destination security domain field of the obtained FWaaS rule are consistent.
9. The device according to claim 8, characterised in that the device further includes an illegal FWaaS rule setting unit;
the illegal FWaaS rule setting unit is configured to set the FWaaS rule as an illegal FWaaS rule in the case where it is detected that the contents configured in the source security domain field and the destination security domain field of the obtained FWaaS rule are consistent and are both the extranet identifier.
10. A FWaaS security domain generation device based on the device of any one of claims 7 to 9, characterised in that it is applied to a network device, and the device includes:
a policy acquiring unit, for obtaining the policy issued by the OpenStack, the policy being formed from the FWaaS rules the user has configured in OpenStack;
a target virtual router acquiring unit, for obtaining the target virtual router specified by the user;
an association unit, for associating a pre-created virtual firewall with the policy and the target virtual router;
a FWaaS security domain generation unit, for generating the FWaaS security domains corresponding to the target virtual router after the pre-created virtual firewall has been associated with the policy and the target virtual router.
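The two stages described by the device units above and by claims 1 to 6 (identifier stamping and consistency check in OpenStack, then security domain generation and identifier replacement on the network device), as an added example that is not part of the patent. The identifier values, the domain naming scheme, the interface names and the decision to drop illegal rules from the device policy are assumptions of this example.

```python
from dataclasses import dataclass, replace

# Constructed placeholder identifiers; the patent pre-sets one identifier per
# security domain but does not give their values.
INTRANET_MARK = "in"
EXTRANET_MARK = "out"


@dataclass(frozen=True)
class FwaasRule:
    name: str
    source_domain: str  # identifier while in OpenStack, concrete domain once bound
    dest_domain: str
    action: str = "allow"
    legal: bool = True


def configure_rule(name, source_mark, dest_mark, action="allow"):
    """Claims 1-3: stamp the pre-set identifiers on the rule's source and
    destination security domain fields, then check consistency. Only a rule whose
    two fields are consistent AND both carry the extranet identifier is illegal."""
    for mark in (source_mark, dest_mark):
        if mark not in (INTRANET_MARK, EXTRANET_MARK):
            raise ValueError(f"unknown security domain identifier: {mark!r}")
    consistent = source_mark == dest_mark
    legal = not (consistent and source_mark == EXTRANET_MARK)
    return FwaasRule(name, source_mark, dest_mark, action, legal)


def generate_security_domains(router_id, policy, intranet_ifaces, extranet_ifaces):
    """Claims 4-6: once the virtual firewall is associated with the policy and the
    target router, create the router's intranet and extranet FWaaS security
    domains, attach the user's interfaces, and rewrite the policy so each
    identifier becomes the concrete domain. Domain naming is an assumption."""
    domains = {
        INTRANET_MARK: {"name": f"{router_id}-intranet", "interfaces": set(intranet_ifaces)},
        EXTRANET_MARK: {"name": f"{router_id}-extranet", "interfaces": set(extranet_ifaces)},
    }
    bound = []
    for rule in policy:
        if not rule.legal:
            continue  # assumption: illegal rules are kept out of the device policy
        bound.append(replace(rule,
                             source_domain=domains[rule.source_domain]["name"],
                             dest_domain=domains[rule.dest_domain]["name"]))
    return domains, bound
```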
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711135348.1A CN107888597A (en) | 2017-11-16 | 2017-11-16 | A kind of FWaaS security domains collocation method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711135348.1A CN107888597A (en) | 2017-11-16 | 2017-11-16 | A kind of FWaaS security domains collocation method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107888597A true CN107888597A (en) | 2018-04-06 |
Family
ID=61776918
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711135348.1A Pending CN107888597A (en) | 2017-11-16 | 2017-11-16 | A kind of FWaaS security domains collocation method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107888597A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104852840A (en) * | 2015-05-28 | 2015-08-19 | 杭州华三通信技术有限公司 | Method and device for controlling mutual access between virtual machines |
CN106572120A (en) * | 2016-11-11 | 2017-04-19 | 中国南方电网有限责任公司 | Access control method and system based on mixed cloud |
CN107153565A (en) * | 2016-03-03 | 2017-09-12 | 华为技术有限公司 | Configure the method and its network equipment of resource |
Non-Patent Citations (1)
Title |
---|
董建伟: "山石网科FwaaS领跑云数据中心防护之道", 《云栖社区》 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109962914A (en) * | 2019-03-12 | 2019-07-02 | 杭州迪普科技股份有限公司 | A kind of firewall configuration method and device |
CN109962914B (en) * | 2019-03-12 | 2021-07-23 | 杭州迪普科技股份有限公司 | Firewall configuration method and device |
CN113810283A (en) * | 2021-09-16 | 2021-12-17 | 中国联合网络通信集团有限公司 | Network security configuration method, device, server and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20180406 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |