CN107888597A - FWaaS security zone configuration method and device - Google Patents

FWaaS security zone configuration method and device

Info

Publication number: CN107888597A
Application number: CN201711135348.1A
Authority: CN (China)
Prior art keywords: fwaas, security domain, rules, mark, outer net
Legal status: Pending (the status listed by Google is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 胡有福
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN201711135348.1A; published as CN107888597A

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/20 for managing network security; network security policies in general > H04L63/205 involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers, or by selection according to the capabilities of the entities involved
    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 for separating internal from external traffic, e.g. firewalls

Abstract

This application provides an FWaaS security zone configuration method applied to OpenStack. The method comprises: obtaining an FWaaS rule to be configured, which includes a source security zone field and a destination security zone field; obtaining an intranet identifier preset for the intranet security zone and an extranet identifier preset for the extranet security zone; and configuring the source security zone field of the FWaaS rule to be configured with the intranet identifier or the extranet identifier, and configuring the destination security zone field of the FWaaS rule to be configured with the intranet identifier or the extranet identifier.

Description

FWaaS security zone configuration method and device
Technical field
This application relates to the field of communication technology, and in particular to an FWaaS security zone (security domain) configuration method and device.
Background
OpenStack is an open-source cloud computing management platform project in which several main components cooperate to complete specific tasks. Its goal is to provide a cloud computing management platform that is simple to implement, scalable to large deployments, feature-rich and built on unified standards. OpenStack covers networking, virtualization, operating systems, servers and other areas; through the components it includes, it provides core services such as compute, networking and storage, and extension services such as FWaaS (FireWall as a Service). OpenStack's own FWaaS, however, does not offer a security zone function comparable to that of a traditional firewall, because its configuration interface cannot configure security zones; that is, native OpenStack FWaaS has no security zone configuration function, which leaves FWaaS incomplete and defective in this respect. Because security zones cannot be configured in OpenStack FWaaS, the network device can only generate security zones by hard-coding, so that each virtual firewall has a single security zone with a fixed name. A security zone generated this way is a single fixed zone, runs in the background and cannot be displayed, and the security zone function that the hardware network device possesses cannot play its intended role.
Summary of the invention
In view of this, this application provides an FWaaS security zone configuration method and device.
Specifically, this application is achieved by the following technical solution:
An FWaaS security zone configuration method, applied to OpenStack, the method comprising:
obtaining an FWaaS rule to be configured, which includes a source security zone field and a destination security zone field;
obtaining an intranet identifier preset for the intranet security zone and an extranet identifier preset for the extranet security zone;
configuring the source security zone field of the FWaaS rule to be configured with the intranet identifier or the extranet identifier, and configuring the destination security zone field of the FWaaS rule to be configured with the intranet identifier or the extranet identifier.
An FWaaS security zone generation method based on the FWaaS security zone configuration method, applied to a network device, the method comprising:
obtaining the policy issued by OpenStack, the policy being formed from the FWaaS rules the user has configured in OpenStack;
obtaining the target virtual router specified by the user;
associating a pre-created virtual firewall with the policy and the target virtual router;
after the pre-created virtual firewall has been associated with the policy and the target virtual router, generating the FWaaS security zones corresponding to the target virtual router.
An FWaaS security zone configuration device, applied to OpenStack, the device comprising:
an FWaaS rule obtaining unit, for obtaining an FWaaS rule to be configured, which includes a source security zone field and a destination security zone field;
an identifier obtaining unit, for obtaining the intranet identifier preset for the intranet security zone and the extranet identifier preset for the extranet security zone;
an FWaaS rule configuration unit, for configuring the source security zone field of the FWaaS rule to be configured with the intranet identifier or the extranet identifier, and configuring the destination security zone field of the FWaaS rule to be configured with the intranet identifier or the extranet identifier.
An FWaaS security zone generating device based on the FWaaS security zone configuration device, applied to a network device, the device comprising:
a policy obtaining unit, for obtaining the policy issued by OpenStack, the policy being formed from the FWaaS rules the user has configured in OpenStack;
a target virtual router obtaining unit, for obtaining the target virtual router specified by the user;
an association unit, for associating the pre-created virtual firewall with the policy and the target virtual router;
an FWaaS security zone generation unit, for generating the FWaaS security zones corresponding to the target virtual router after the pre-created virtual firewall has been associated with the policy and the target virtual router.
In this solution, based on the intranet-to-extranet interconnection service provided by the virtual router, the intranet is determined to be the intranet security zone and the extranet to be the extranet security zone, and a corresponding intranet identifier and extranet identifier are set for the two zones. The source security zone field of the obtained FWaaS rule to be configured is configured with the intranet identifier or the extranet identifier, and the destination security zone field of the rule can likewise be configured with the intranet identifier or the extranet identifier. The configured FWaaS rules are formed into a policy and issued to the network device; after the pre-created virtual firewall has been associated with the policy and with the target virtual router specified by the user, the FWaaS security zones corresponding to the target virtual router are generated. Compared with the prior art, FWaaS security zones can be configured in the OpenStack FWaaS configuration interface, and the security zone function of the hardware device can be fully used. The generated FWaaS security zones, two per virtual router, distinguish the source security zone from the destination security zone; no interface concept is exposed at the user level, which reduces operation and maintenance difficulty; and the FWaaS security zones corresponding to the FWaaS rules can be viewed at any time.
Brief description of the drawings
To explain the technical solutions of the embodiments of this application more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some of the embodiments described in this application; those of ordinary skill in the art can derive other drawings from them.
Fig. 1 is a schematic diagram of security zone division shown in an exemplary embodiment of this application;
Fig. 2 is a flowchart of an FWaaS security zone configuration method shown in an exemplary embodiment of this application;
Fig. 3 is a flowchart of an FWaaS security zone generation method shown in an exemplary embodiment of this application;
Fig. 4 is a schematic diagram of an application scenario shown in an exemplary embodiment of this application;
Fig. 5 is a structural diagram of an FWaaS security zone configuration device shown in an exemplary embodiment of this application;
Fig. 6 is a structural diagram of an FWaaS security zone generating device shown in an exemplary embodiment of this application.
Detailed description
Exemplary embodiments are described in detail here, with examples shown in the drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this application; they are merely examples of devices and methods consistent with some aspects of this application as detailed in the appended claims.
The terms used in this application are only for describing specific embodiments and are not intended to limit the application. The singular forms "a", "said" and "the" used in this application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from each other. For example, without departing from the scope of this application, first information may also be called second information, and similarly second information may also be called first information. Depending on context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
The FWaaS security zone configuration method provided by the embodiments of this application is described first. The method may comprise the following steps:
obtaining an FWaaS rule to be configured, which includes a source security zone field and a destination security zone field;
obtaining the intranet identifier preset for the intranet security zone and the extranet identifier preset for the extranet security zone;
configuring the source security zone field of the FWaaS rule to be configured with the intranet identifier or the extranet identifier, and configuring the destination security zone field of the FWaaS rule to be configured with the intranet identifier or the extranet identifier.
As stated in the background, OpenStack is a cloud service management platform. A virtual router in OpenStack provides the service of interconnecting an intranet with an extranet. The IP addresses used by the network devices on the intranet connected to the virtual router belong to one IP range, and the IP addresses used by the network devices on the extranet connected to the virtual router belong to another IP range, different from that of the intranet devices. Based on this characteristic, the intranet can be determined to be the intranet security zone and the extranet to be the extranet security zone, and an intranet identifier is set for the intranet security zone and an extranet identifier for the extranet security zone accordingly. The intranet security zone and extranet security zone referred to here are logical concepts; dividing them by different IP ranges is only an example, and other division methods exist and are not enumerated here.
An FWaaS rule to be configured is obtained; it contains a source security zone field and a destination security zone field, which are normally empty by default but may also already hold either the intranet identifier or the extranet identifier described above. The intranet identifier and the extranet identifier are obtained, and the FWaaS rule to be configured is configured: its source security zone field can be set to the intranet identifier or the extranet identifier, and its destination security zone field can likewise be set to the intranet identifier or the extranet identifier.
For the FWaaS security zone configuration method of this invention, how the intranet security zone and the extranet security zone are divided is illustrated first, with the following specific steps:
According to the intranet-to-extranet interconnection service provided by the virtual router in OpenStack, and the different IP ranges of the intranet and the extranet connected to the virtual router, the intranet is determined to be the intranet security zone and the extranet to be the extranet security zone, and a corresponding intranet identifier and extranet identifier are set for the two zones.
In one embodiment, as in the exemplary application scenario of Fig. 1, the virtual router (denoted Vrouter in the figure) provides the intranet-to-extranet interconnection service: intranet users must go through the virtual router to reach the extranet, and extranet users likewise go through the virtual router to reach the intranet. The intranet and the extranet connected to the virtual router use different IP ranges. That is, the addresses used by intranet users belong to one range, for example 192.168.1.0/24, which spans 192.168.1.0 to 192.168.1.255 (host addresses 192.168.1.1 to 192.168.1.254); an intranet user can pick any address in it or be assigned a particular one. The range for extranet users can correspondingly be 192.168.2.0/24 (host addresses 192.168.2.1 to 192.168.2.254). Based on this characteristic, the intranet is determined to be the intranet security zone and the extranet to be the extranet security zone, and a corresponding intranet identifier and extranet identifier are set for them; the correspondence is shown in Table 1 below.
Table 1
Security zone name        Identifier
Intranet security zone    Intranet zone
Extranet security zone    Extranet zone
Fig. 2 is a flowchart of the FWaaS security zone configuration method of this application, which comprises the following steps:
S101, obtaining an FWaaS rule to be configured, which includes a source security zone field and a destination security zone field;
In one embodiment, an FWaaS rule to be configured is obtained. An FWaaS rule can be configured with a source security zone and a destination security zone, so the rule contains a source security zone field and a destination security zone field, each of which has its own configurable content.
S102, obtaining the intranet identifier preset for the intranet security zone and the extranet identifier preset for the extranet security zone;
The intranet identifier and the extranet identifier were set for the intranet security zone and the extranet security zone in the process described above, with the correspondence shown in Table 1. Since the source security zone field and the destination security zone field of the obtained FWaaS rule are to be configured, the identifiers set above must be obtained: the intranet identifier Intranet zone corresponding to the intranet security zone and the extranet identifier Extranet zone corresponding to the extranet security zone.
S103, configuring the source security zone field of the FWaaS rule to be configured with the intranet identifier or the extranet identifier, and configuring the destination security zone field of the FWaaS rule to be configured with the intranet identifier or the extranet identifier.
In one embodiment, once the intranet identifier Intranet zone and the extranet identifier Extranet zone have been obtained, the source security zone field and the destination security zone field of the FWaaS rule to be configured are configured. The source security zone field can be set to the intranet identifier or the extranet identifier, i.e. to Intranet zone or to Extranet zone; the destination security zone field can likewise be set to Intranet zone or to Extranet zone. Configuring the FWaaS rule this way, there are three legal combinations of the source security zone field and the destination security zone field; the correspondence between the two fields and the intranet and extranet identifiers is shown in Table 2 below.
Table 2
Source security zone field    Destination security zone field
Intranet zone                 Intranet zone
Extranet zone                 Intranet zone
Intranet zone                 Extranet zone
Besides the legal combinations of the source security zone field and the destination security zone field, there is also an illegal one: both fields set to the extranet identifier Extranet zone at the same time. The virtual router in OpenStack provides the intranet-to-extranet interconnection service described above, which also covers intranet-to-intranet traffic, but it provides no extranet-to-extranet service; such a service does not exist in this model, in which the virtual router's role is to connect the intranet with the extranet, so this configuration is illegal. After the source security zone field and the destination security zone field of an FWaaS rule have been configured, the result therefore has to be checked. First, check whether the configured content of the two fields is the same, i.e. whether both hold the intranet identifier or both hold the extranet identifier. If the two fields hold the same content, check whether that content is the extranet identifier. If the two fields hold the same content and that content is the extranet identifier, the configuration result is judged illegal.
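The following is an added example of steps S101 to S103 and the legality check above; it is illustrative code written for this page, not the patent's, DPTech's or OpenStack's code. The FwaasRule structure, the rule names, the derivation of an identifier from the Fig. 1 subnets (192.168.1.0/24 intranet, 192.168.2.0/24 extranet) and the rejection of unset fields are assumptions; the Table 1 identifiers and the Table 2 check are taken from the description.

```python
"""Added example (not the patent's or OpenStack's code): configuring the source and
destination security zone fields of an FWaaS rule with the Table 1 identifiers and
applying the Table 2 legality check. The FwaasRule structure, the subnets attached
to the virtual router and the sample rules are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Table 1: identifiers preset for the intranet and extranet security zones.
INTRANET_ZONE = "Intranet zone"
EXTRANET_ZONE = "Extranet zone"

# Assumed IP ranges of the intranet and extranet connected to the virtual router
# (the values used in the Fig. 1 example of the description).
INTRANET_SUBNETS = [ipaddress.ip_network("192.168.1.0/24")]
EXTRANET_SUBNETS = [ipaddress.ip_network("192.168.2.0/24")]


@dataclass
class FwaasRule:
    """An FWaaS rule with the two zone fields; both are empty by default."""
    name: str
    action: str
    source_ip: str
    destination_ip: str
    source_zone: Optional[str] = None
    destination_zone: Optional[str] = None


def zone_for_address(addr: str) -> str:
    """Derive the zone identifier of an address from the IP range it belongs to."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in INTRANET_SUBNETS):
        return INTRANET_ZONE
    if any(ip in net for net in EXTRANET_SUBNETS):
        return EXTRANET_ZONE
    raise ValueError(f"{addr} is in neither the intranet nor the extranet range")


def configure_zone_fields(rule: FwaasRule,
                          source_zone: Optional[str] = None,
                          destination_zone: Optional[str] = None) -> FwaasRule:
    """S103: write an identifier into each zone field. An identifier passed
    explicitly wins; otherwise it is derived from the rule's addresses."""
    rule.source_zone = source_zone or zone_for_address(rule.source_ip)
    rule.destination_zone = destination_zone or zone_for_address(rule.destination_ip)
    return rule


def check_zone_fields(rule: FwaasRule) -> bool:
    """Legality check from the description: the two fields are compared first, and
    an identical pair is illegal only when it is the extranet identifier, because
    the virtual router serves intranet<->extranet and intranet<->intranet traffic
    but no extranet<->extranet traffic. Unset or unknown identifiers are rejected
    as well (an assumption; the description only covers the extranet/extranet case)."""
    if rule.source_zone not in (INTRANET_ZONE, EXTRANET_ZONE):
        return False
    if rule.destination_zone not in (INTRANET_ZONE, EXTRANET_ZONE):
        return False
    if rule.source_zone == rule.destination_zone and rule.source_zone == EXTRANET_ZONE:
        return False
    return True


def build_policy(rules: List[FwaasRule]) -> Tuple[List[FwaasRule], List[str]]:
    """OpenStack side of S201: only legal rules form the policy issued to the
    network device; the names of the rejected rules are returned alongside."""
    policy = [r for r in rules if check_zone_fields(r)]
    rejected = [r.name for r in rules if not check_zone_fields(r)]
    return policy, rejected


if __name__ == "__main__":
    # Constructed sample rules using the Fig. 1 addressing.
    sample = [
        configure_zone_fields(FwaasRule("allow-web", "allow", "192.168.1.10", "192.168.2.20")),
        configure_zone_fields(FwaasRule("lan-only", "allow", "192.168.1.10", "192.168.1.11")),
        configure_zone_fields(FwaasRule("wan-to-wan", "deny", "192.168.2.5", "192.168.2.6")),
    ]
    policy, rejected = build_policy(sample)
    print("policy:", [r.name for r in policy], "rejected:", rejected)
```

Note that, as described, the check only rejects the extranet-to-extranet pair; treating an empty or unrecognised identifier as illegal is the example's own choice, so that a rule whose fields were never configured does not slip into the issued policy.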
As shown in Fig. 3, the FWaaS security zone generation method corresponding to the configuration method above comprises the following steps:
S201, obtaining the policy issued by OpenStack, the policy being formed from the FWaaS rules the user has configured in OpenStack;
In one embodiment, using the FWaaS security zone configuration method above, the user selects the FWaaS rule to be configured in the OpenStack configuration interface and configures its source security zone field and destination security zone field, each of which can hold the intranet identifier or the extranet identifier. When the configuration result is legal, a policy is formed and issued to the network device, and the network device obtains the policy issued by OpenStack. For example, the user sets the source security zone field of an FWaaS rule to the intranet identifier and its destination security zone field to the extranet identifier; the configured FWaaS rule is formed into a policy and issued to the network device, on whose side the policy issued by OpenStack can be obtained.
S202, obtaining the target virtual router specified by the user;
In one embodiment, in the user's own network environment, shown in the application scenario of Fig. 4, the IP address used by each network device is unique within the current network, so the IP address of the virtual router is also unique there, and the user can specify the target virtual router by this property. The easiest way is of course to specify the target virtual router by router name; it can also be specified by the router's MAC address, and other ways are not enumerated here. In short, the target virtual router can be specified by any property of the virtual router that distinguishes it from the other virtual routers. In the scenario of Fig. 4, virtual router Vrouter1 can be specified by router name as the target virtual router.
S203, associating the pre-created virtual firewall with the policy and the target virtual router;
In one embodiment, to reduce investment cost, one firewall is usually logically divided into multiple virtual firewalls, each of which can be regarded as a completely independent firewall device with its own system resources, administrators, security policies, user authentication database, etc. A virtual firewall therefore has to be created in advance; denote the pre-created virtual firewall VFW1 for now. The pre-created virtual firewall VFW1 is associated with the policy issued by OpenStack that was obtained above and with the target virtual router Router1 specified by router name above. Association means that the three are connected with and influence each other.
S204, after the pre-created virtual firewall has been associated with the policy and the target virtual router, generating the FWaaS security zones corresponding to the target virtual router.
After the pre-created virtual firewall VFW1 has been associated with the policy issued by OpenStack that was obtained above and with the target virtual router Router1 specified by router name, the FWaaS security zones corresponding to the target virtual router are generated according to the FWaaS rules. With the FWaaS rule described above, whose source security zone field is the intranet identifier Intranet zone and whose destination security zone field is the extranet identifier Extranet zone, the FWaaS security zones corresponding to the target virtual router Router1 are generated: the name of the generated intranet security zone is the router name plus the intranet identifier, and the name of the generated extranet security zone can be the router name plus the extranet identifier. For example, the intranet security zone name can be Router1 plus Intranet zone, and the extranet security zone name can be Router1 plus Extranet zone. The zone name, zone action, description, zone priority and so on can be modified.
When the FWaaS security zones are generated, the interfaces included in the intranet security zone, such as the interfaces produced by the subnets associated with the virtual router (VLAN interfaces etc.) and the intranet interfaces produced where the hardware firewall device connects to the gateway device, and the interfaces included in the extranet security zone, such as the gateway interface of the virtual router and the extranet interfaces produced where the hardware firewall device connects to the gateway device, are added to the FWaaS security zones in code according to the customer's needs and are invisible to the user. In this way no interface concept is exposed at the user level, which reduces operation and maintenance difficulty.
After the FWaaS security zones have been generated, the target virtual router Router1 has two security zones, the intranet security zone and the extranet security zone. Since the source security zone field of the FWaaS rule holds the intranet identifier and the destination security zone field holds the extranet identifier, the intranet identifier now has to be replaced by the intranet security zone and the extranet identifier by the extranet security zone; this is done in the background. When the user needs to view the security zones, the current security zones can be viewed by retrieving the back-end data.
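The network-device side of steps S201 to S204 above, as an added example written for this page rather than the patent's or DPTech's code: the policy received from OpenStack is associated with a pre-created virtual firewall and a target router chosen by name or MAC address, two zones named router name plus identifier are generated, interfaces are attached in the background, and the identifiers in the rule fields are replaced by the generated zones. The policy format, the VirtualRouter, SecurityZone and VirtualFirewall structures, the MAC addresses and the interface names (vlan10, gw0, ge0/1, ge0/2) are assumptions; VFW1 and Router1 are the names used in the description.

```python
"""Added example (not the patent's or DPTech's code): generating the FWaaS security
zones on the network device after OpenStack has issued a policy (steps S201-S204).
All data structures, MAC addresses and interface names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

INTRANET_ZONE = "Intranet zone"   # identifiers as written into the rule fields (Table 1)
EXTRANET_ZONE = "Extranet zone"


@dataclass
class VirtualRouter:
    name: str
    mac: str
    # Interfaces the router produces for its subnets (e.g. VLAN interfaces) and its
    # gateway interface towards the extranet; hypothetical names.
    intranet_interfaces: List[str]
    extranet_interfaces: List[str]


@dataclass
class SecurityZone:
    name: str
    interfaces: List[str] = field(default_factory=list)
    description: str = ""
    priority: int = 50          # editable attributes, as the description allows


@dataclass
class VirtualFirewall:
    """A pre-created virtual firewall; policy, router and zones are filled in later."""
    name: str
    policy: List[dict] = field(default_factory=list)
    router: Optional[VirtualRouter] = None
    zones: Dict[str, SecurityZone] = field(default_factory=dict)


def find_target_router(routers: Iterable[VirtualRouter],
                       name: Optional[str] = None,
                       mac: Optional[str] = None) -> VirtualRouter:
    """S202: select the target virtual router by name or by MAC address, either of
    which is unique within the current network."""
    for r in routers:
        if (name is not None and r.name == name) or \
           (mac is not None and r.mac.lower() == mac.lower()):
            return r
    raise LookupError("no virtual router matches the given name or MAC address")


def associate(vfw: VirtualFirewall, policy: List[dict], router: VirtualRouter) -> VirtualFirewall:
    """S203: associate the pre-created virtual firewall with the issued policy and
    the target router. The rules are copied so the issued policy stays unchanged."""
    vfw.policy = [dict(rule) for rule in policy]
    vfw.router = router
    return vfw


def generate_zones(vfw: VirtualFirewall,
                   hardware_intranet_ifaces: Iterable[str] = (),
                   hardware_extranet_ifaces: Iterable[str] = ()) -> Dict[str, SecurityZone]:
    """S204: create the two zones for the target router, named router name plus zone
    identifier, attach the interfaces (router subnets/gateway plus the hardware
    firewall's intranet/extranet ports) without exposing them to the user, and
    replace the identifiers in the rule fields with the generated zones."""
    if vfw.router is None or not vfw.policy:
        raise RuntimeError("associate the virtual firewall with a policy and a router first")
    r = vfw.router
    vfw.zones = {
        INTRANET_ZONE: SecurityZone(f"{r.name} {INTRANET_ZONE}",
                                    list(r.intranet_interfaces) + list(hardware_intranet_ifaces)),
        EXTRANET_ZONE: SecurityZone(f"{r.name} {EXTRANET_ZONE}",
                                    list(r.extranet_interfaces) + list(hardware_extranet_ifaces)),
    }
    for rule in vfw.policy:
        for fld in ("source_zone", "destination_zone"):
            if isinstance(rule[fld], str):
                rule[fld] = vfw.zones[rule[fld]]   # KeyError on an identifier not in Table 1
    return vfw.zones


def policy_view(vfw: VirtualFirewall) -> List[tuple]:
    """What a user sees when checking the back-end data: rule name and zone names."""
    return [(rule["name"], rule["source_zone"].name, rule["destination_zone"].name)
            for rule in vfw.policy]


if __name__ == "__main__":
    # Constructed scenario: two routers, one legal rule issued by OpenStack.
    routers = [VirtualRouter("Router1", "00:11:22:33:44:55", ["vlan10"], ["gw0"]),
               VirtualRouter("Router2", "00:11:22:33:44:66", ["vlan20"], ["gw1"])]
    issued = [{"name": "allow-web", "source_zone": INTRANET_ZONE, "destination_zone": EXTRANET_ZONE}]
    vfw = associate(VirtualFirewall("VFW1"), issued, find_target_router(routers, name="Router1"))
    generate_zones(vfw, hardware_intranet_ifaces=["ge0/1"], hardware_extranet_ifaces=["ge0/2"])
    print(policy_view(vfw))
```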
With the above technical solution, FWaaS security zones can be configured in the OpenStack FWaaS configuration interface, and the security zone function of the hardware device can be fully used. The generated FWaaS security zones, two per virtual router, distinguish the source security zone from the destination security zone; no interface concept is exposed at the user level, which reduces operation and maintenance difficulty; and the FWaaS security zones corresponding to the FWaaS rules can be viewed at any time.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be completed by program instructions controlling the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical disks and other media that can store program code.
Corresponding to the foregoing embodiment of the FWaaS security zone configuration method, this application also provides an embodiment of an FWaaS security zone configuration device which, as shown in Fig. 5, includes an FWaaS rule obtaining unit 310, an identifier obtaining unit 320 and an FWaaS rule configuration unit 330.
The FWaaS rule obtaining unit 310 is used to obtain the FWaaS rule to be configured, which includes a source security zone field and a destination security zone field;
The identifier obtaining unit 320 is used to obtain the intranet identifier preset for the intranet security zone and the extranet identifier preset for the extranet security zone;
The FWaaS rule configuration unit 330 is used to configure the source security zone field of the FWaaS rule to be configured with the intranet identifier or the extranet identifier, and to configure the destination security zone field of the FWaaS rule to be configured with the intranet identifier or the extranet identifier.
In one embodiment of this application, the device further includes a detection unit 340 and an illegal FWaaS rule setting unit 350.
The detection unit 340 is used to detect, for the FWaaS rule obtained after its source security zone field and destination security zone field have been configured, whether the configured content of the source security zone field and the destination security zone field is the same;
The illegal FWaaS rule setting unit 350 is used to set the FWaaS rule as an illegal FWaaS rule when it is detected that the source security zone field and the destination security zone field of the obtained FWaaS rule hold the same content and that content is the extranet identifier.
Corresponding to the foregoing embodiment of the FWaaS security zone generation method based on the FWaaS security zone configuration method, this application also provides an embodiment of an FWaaS security zone generating device based on the FWaaS security zone configuration device which, as shown in Fig. 6, includes a policy obtaining unit 410, a target virtual router obtaining unit 420, an association unit 430 and an FWaaS security zone generation unit 440.
The policy obtaining unit 410 is used to obtain the policy issued by OpenStack, the policy being formed from the FWaaS rules the user has configured in OpenStack;
The target virtual router obtaining unit 420 is used to obtain the target virtual router specified by the user;
The association unit 430 is used to associate the pre-created virtual firewall with the policy and the target virtual router;
The FWaaS security zone generation unit 440 is used to generate the FWaaS security zones corresponding to the target virtual router after the pre-created virtual firewall has been associated with the policy and the target virtual router.
In one embodiment of this application, the device further includes an interface adding unit 450 and a replacement unit 460.
The interface adding unit 450 is used to add the interfaces the user needs in the intranet security zone and the interfaces the user needs in the extranet security zone to the FWaaS security zones corresponding to the target virtual router;
The replacement unit 460 is used to replace, according to the generated FWaaS security zones corresponding to the target virtual router, the intranet identifier and the extranet identifier configured in the source security zone field and the destination security zone field of the configured FWaaS rule with the corresponding intranet security zone or extranet security zone.
For the implementation of the function of each unit in the above system, refer to the implementation of the corresponding step in the above method; it is not repeated here.
Since the system embodiment essentially corresponds to the method embodiment, the relevant parts can be found in the description of the method embodiment. The system embodiment described above is only illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed across multiple network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of this application's solution, which those of ordinary skill in the art can understand and implement without creative effort.
The invention can be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The invention can also be practiced in distributed computing environments, where tasks are performed by remote processing devices connected through a communication network, and program modules may be located in both local and remote computer storage media, including storage devices.
The above are only embodiments of the invention. It should be noted that those of ordinary skill in the art can make several improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as within the scope of protection of the invention.

Claims (10)

1. An FWaaS security-domain configuration method, characterized in that it is applied to OpenStack and comprises:
obtaining an FWaaS rule to be configured, the rule comprising a source security-domain field and a destination security-domain field;
obtaining an intranet identifier pre-set for an intranet security domain and an extranet identifier pre-set for an extranet security domain;
configuring the source security-domain field of the FWaaS rule to be configured with the intranet identifier or the extranet identifier, and configuring the destination security-domain field of the FWaaS rule to be configured with the intranet identifier or the extranet identifier.
2. The method according to claim 1, characterized in that the method further comprises:
for the FWaaS rule obtained once the source security-domain field and the destination security-domain field of the FWaaS rule to be configured have been configured, detecting whether the source security-domain field and the destination security-domain field of the obtained FWaaS rule are configured with the same content.
3. The method according to claim 2, characterized in that the method further comprises:
when the detection finds that the source security-domain field and the destination security-domain field of the obtained FWaaS rule are configured with the same content and that content is the extranet identifier, setting the FWaaS rule as an illegal FWaaS rule.
4. An FWaaS security-domain generation method based on the method of any one of claims 1 to 3, characterized in that it is applied to a network device and comprises:
obtaining the policy issued by OpenStack, the policy being composed of the FWaaS rules the user has configured in OpenStack;
obtaining a target virtual router specified by the user;
associating a pre-created virtual firewall with the policy and with the target virtual router;
after the pre-created virtual firewall has been associated with the policy and the target virtual router, generating the FWaaS security domains corresponding to the target virtual router.
5. The method according to claim 4, characterized in that the method further comprises:
adding the interfaces contained in the intranet security domain and the interfaces contained in the extranet security domain that the user requires to the FWaaS security domains corresponding to the target virtual router.
6. The method according to claim 4, characterized in that the method further comprises:
replacing, according to the generated FWaaS security domains corresponding to the target virtual router, the intranet identifier and the extranet identifier configured in the source security-domain field and the destination security-domain field of each configured FWaaS rule with the corresponding intranet security domain or extranet security domain.
7. An FWaaS security-domain configuration apparatus, characterized in that it is applied to OpenStack and comprises:
an FWaaS rule acquisition unit, configured to obtain an FWaaS rule to be configured, the rule comprising a source security-domain field and a destination security-domain field;
an identifier acquisition unit, configured to obtain an intranet identifier pre-set for an intranet security domain and an extranet identifier pre-set for an extranet security domain;
an FWaaS rule configuration unit, configured to configure the source security-domain field of the FWaaS rule to be configured with the intranet identifier or the extranet identifier, and to configure the destination security-domain field of the FWaaS rule to be configured with the intranet identifier or the extranet identifier.
8. The apparatus according to claim 7, characterized in that the apparatus further comprises a detection unit;
the detection unit being configured to take the FWaaS rule obtained once the source security-domain field and the destination security-domain field of the FWaaS rule to be configured have been configured, and to detect whether the source security-domain field and the destination security-domain field of the obtained FWaaS rule are configured with the same content.
9. The apparatus according to claim 8, characterized in that the apparatus further comprises an illegal-FWaaS-rule setting unit;
the illegal-FWaaS-rule setting unit being configured to set the FWaaS rule as an illegal FWaaS rule when the detection finds that the source security-domain field and the destination security-domain field of the obtained FWaaS rule are configured with the same content and that content is the extranet identifier.
10. An FWaaS security-domain generation apparatus based on the apparatus of any one of claims 7 to 9, characterized in that it is applied to a network device and comprises:
a policy acquisition unit, configured to obtain the policy issued by OpenStack, the policy being composed of the FWaaS rules the user has configured in OpenStack;
a target virtual router acquisition unit, configured to obtain the target virtual router specified by the user;
an association unit, configured to associate a pre-created virtual firewall with the policy and with the target virtual router;
an FWaaS security-domain generation unit, configured to generate the FWaaS security domains corresponding to the target virtual router after the pre-created virtual firewall has been associated with the policy and the target virtual router.
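The apparatus description (units 340 to 460) and claims 1 to 10 describe one pipeline: a rule's source and destination security-domain fields are filled with a pre-set intranet or extranet identifier on the OpenStack side, an extranet-to-extranet rule is flagged illegal, and the network device later binds a pre-created virtual firewall to the issued policy and a target virtual router, generates that router's security domains with their interfaces, and swaps the identifiers in each rule for the concrete domains. The following is an added example modelling that pipeline; it is not code from the patent, from Hangzhou DPTech or from OpenStack Neutron FWaaS. The identifier values "trust" and "untrust", the class and function names, the "<router>-<identifier>" domain naming and the sample interface names are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Claim 1: one identifier pre-set for the intranet security domain, one for the
# extranet security domain. The values are assumptions; the page names neither.
INTRANET_MARK = "trust"
EXTRANET_MARK = "untrust"
VALID_MARKS = {INTRANET_MARK, EXTRANET_MARK}


@dataclass
class FwaasRule:
    """FWaaS rule carrying the source/destination security-domain fields of claim 1."""
    name: str
    action: str                          # "allow" or "deny"
    source_domain: Optional[str] = None  # intranet or extranet identifier
    dest_domain: Optional[str] = None
    illegal: bool = False                # set by check_rule (claim 3)


def configure_rule(rule: FwaasRule, source_mark: str, dest_mark: str) -> FwaasRule:
    """Claim 1: write an intranet or extranet identifier into both domain fields."""
    for mark in (source_mark, dest_mark):
        if mark not in VALID_MARKS:
            raise ValueError(f"unknown security-domain identifier {mark!r}")
    rule.source_domain, rule.dest_domain, rule.illegal = source_mark, dest_mark, False
    return rule


def check_rule(rule: FwaasRule) -> bool:
    """Claims 2-3: same content in both fields *and* that content is the extranet
    identifier -> illegal. Intranet-to-intranet is not flagged by the page."""
    rule.illegal = rule.source_domain == rule.dest_domain == EXTRANET_MARK
    return rule.illegal


@dataclass
class Policy:                 # claim 4: the policy OpenStack issues, i.e. the user's rules
    name: str
    rules: List[FwaasRule]


@dataclass
class VirtualRouter:          # the target router and the interfaces the user assigns
    router_id: str
    intranet_interfaces: List[str]
    extranet_interfaces: List[str]


@dataclass
class SecurityDomain:
    name: str
    interfaces: List[str] = field(default_factory=list)


@dataclass
class FwaasSecurityDomains:   # claim 4 output: the router's domains, bound to vfw + policy
    router_id: str
    firewall: str
    policy: str
    domains: Dict[str, SecurityDomain]   # keyed by identifier


def generate_security_domains(firewall_name: str, policy: Policy,
                              router: VirtualRouter) -> FwaasSecurityDomains:
    """Claims 4-5: associate the pre-created virtual firewall with the policy and the
    target router, generate that router's domains and add the interfaces to them.
    The "<router>-<identifier>" domain naming is an assumption."""
    domains = {
        INTRANET_MARK: SecurityDomain(f"{router.router_id}-{INTRANET_MARK}",
                                      list(router.intranet_interfaces)),
        EXTRANET_MARK: SecurityDomain(f"{router.router_id}-{EXTRANET_MARK}",
                                      list(router.extranet_interfaces)),
    }
    return FwaasSecurityDomains(router.router_id, firewall_name, policy.name, domains)


def resolve_rules(policy: Policy, sd: FwaasSecurityDomains
                  ) -> Tuple[List[Tuple[str, str, str, str]], List[str]]:
    """Claim 6: swap the identifiers in each rule for the router-specific domains.
    Illegal rules are returned by name instead; the page does not say what the device
    does with them, so leaving them out of the resolved set is this example's choice."""
    resolved, rejected = [], []
    for rule in policy.rules:
        if check_rule(rule):
            rejected.append(rule.name)
            continue
        resolved.append((rule.name, rule.action,
                         sd.domains[rule.source_domain].name,
                         sd.domains[rule.dest_domain].name))
    return resolved, rejected
```

Configuring three rules (extranet to intranet, intranet to intranet, extranet to extranet) into a policy, generating domains for a router with two intranet interfaces and one extranet interface, and calling resolve_rules yields the first two rules bound to concrete domain names such as router-a-untrust and router-a-trust, while the extranet-to-extranet rule comes back in the rejected list. Note that the same policy resolves to different domain names per router, which is the point of keeping rules expressed in identifiers on the OpenStack side and binding them only at the network device.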
CN201711135348.1A 2017-11-16 2017-11-16 FWaaS security-domain configuration method and apparatus Pending CN107888597A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711135348.1A CN107888597A (en) 2017-11-16 2017-11-16 FWaaS security-domain configuration method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711135348.1A CN107888597A (en) 2017-11-16 2017-11-16 FWaaS security-domain configuration method and apparatus

Publications (1)

Publication Number Publication Date
CN107888597A true CN107888597A (en) 2018-04-06

Family

ID=61776918

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711135348.1A Pending CN107888597A (en) 2017-11-16 2017-11-16 FWaaS security-domain configuration method and apparatus

Country Status (1)

Country Link
CN (1) CN107888597A (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104852840A (en) * 2015-05-28 2015-08-19 杭州华三通信技术有限公司 Method and device for controlling mutual access between virtual machines
CN107153565A (en) * 2016-03-03 2017-09-12 华为技术有限公司 Configure the method and its network equipment of resource
CN106572120A (en) * 2016-11-11 2017-04-19 中国南方电网有限责任公司 Access control method and system based on mixed cloud

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
董建伟 (Dong Jianwei): "山石网科FwaaS领跑云数据中心防护之道" (Hillstone Networks FWaaS leads the way in cloud data-center protection), 《云栖社区》 (Yunqi Community) *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109962914A (en) * 2019-03-12 2019-07-02 杭州迪普科技股份有限公司 Firewall configuration method and apparatus
CN109962914B (en) * 2019-03-12 2021-07-23 杭州迪普科技股份有限公司 Firewall configuration method and apparatus
CN113810283A (en) * 2021-09-16 2021-12-17 中国联合网络通信集团有限公司 Network security configuration method, device, server and storage medium

Similar Documents

Publication Publication Date Title
US11354039B2 (en) Tenant-level sharding of disks with tenant-specific storage modules to enable policies per tenant in a distributed storage system
US10581801B2 (en) Context-aware distributed firewall
US11652852B2 (en) Intrusion detection and mitigation in data processing
CN103946834B (en) Virtual network interface objects
CN103095546B (en) Packet processing method and device, and data center network
US20160094460A1 (en) Packet Key Parser for Flow-Based Forwarding Elements
CN109600368B (en) Method and device for determining firewall policy
US10938658B2 (en) Tracking logical network entity state
CN104572243B (en) Method and system for sharing Java Virtual Machine
US11240263B2 (en) Responding to alerts
US20180375832A1 (en) Using headerspace analysis to identify unneeded distributed firewall rules
CN103685608B (en) Method and device for automatically configuring a virtual machine's security IP address
CN104937892A (en) Multi-node virtual switching system (MVSS)
CN109661652A (en) Anomaly detection using system call sequences
US20230336421A1 (en) Virtualized Network Functions
CN107800709A (en) Method and device for generating a network attack detection policy
CN107888597A (en) FWaaS security-domain configuration method and apparatus
CN107896188A (en) Data forwarding method and device
CN102014131B (en) Device safety check method combining off-line check and central summary
CN115470489A (en) Detection model training method, detection method, device and computer readable medium
US20180152321A1 (en) Efficient update of per-interface address groupings
JP2018110345A (en) Setting program, setting method, and setting device
US20210297426A1 (en) Identifying large database transactions
CN112953741B (en) Method and device for controlling and managing secure access ports of metropolitan area network
CN115996150B (en) Virtual studio creation method and system storage medium and data verification method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2018-04-06