CN112187737A - WAF-combined protection method in PaaS container cloud platform environment - Google Patents

Info

Publication number
CN112187737A
Authority
CN (China)
Prior art keywords
waf
haproxy
domain name
protection
platform
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010948915.0A
Other languages
Chinese (zh)
Inventor
尹钦
闫帅帅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Citic Bank Corp Ltd
Original Assignee
China Citic Bank Corp Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention aims to provide a WAF-combined protection method in a PaaS container cloud platform environment, which decouples platform services from the WAF while providing security protection for services on the cloud platform, can dynamically add or remove WAF protection for a specified service system on the platform, realizes customized protection per domain name, and does not require DNS resolution.

Description

WAF-combined protection method in PaaS container cloud platform environment
Technical Field
The invention relates to a protection method that combines a WAF with a PaaS container cloud platform.
Background
PaaS (platform as a service) refers to a platform (or business infrastructure) developed as software and provided to users as a service. OpenShift is a PaaS developed by Red Hat: a free and open-source cloud computing platform that lets developers create, test and run applications and deploy them into the cloud.
A Web Application Firewall (WAF), also known as a "web application level intrusion prevention system", is a product that specifically protects web applications by enforcing a series of security policies on HTTP/HTTPS traffic.
At present, WAFs on the market mainly take two forms. One is the traditional hardware WAF, which is generally deployed at the enterprise network entrance and inspects all traffic. The other is the public cloud WAF, i.e. WAF protection offered to customers by a cloud platform vendor in SaaS form. Its basic principle is as follows: the customer fills in the domain name to be protected, the origin IP, the origin port and similar information on the cloud platform's WAF product interface; the cloud platform's WAF returns a domain name A to the customer; the customer changes the DNS CNAME record of their domain name to point at domain name A; traffic for the customer's domain name is thereby directed to the cloud WAF first, and after attack detection the WAF forwards the traffic to the origin IP of the customer's domain name.
However, current WAFs have the following disadvantages:
the public cloud WAF provides paid protection to customers in SaaS form, depends on DNS resolution, requires the customer's server to be on the public network, and requires DNS records to be changed; the traditional hardware WAF, being deployed at the enterprise network entrance, protects requests for all domain names and cannot provide customized protection per domain name.
Disclosure of Invention
The invention aims to provide a WAF-combined protection method in a PaaS container cloud platform environment, which decouples platform services from the WAF while providing security protection for services on the cloud platform, can dynamically add or remove WAF protection for a specified service system on the platform, realizes customized protection per domain name, and does not require DNS resolution. At the same time, the WAF state is monitored: if the WAF fails, WAF protection is removed for all domain names, so a failure of the WAF cannot affect the service.
In order to solve the technical problems, the invention provides the following technical scheme:
Taking the Openshift platform as an example, the data flow of a service on a typical PaaS container cloud platform is shown in fig. 1. After a user creates and releases a service on the platform, the platform creates the specified number of pods for the service, allocates a load-balanced virtual IP that points to those pods, and at the same time allocates a domain name for the service. The mapping between the domain name and the virtual IP is kept in a configuration file of the Router (routing module). When a client sends a request for the domain name, the Router forwards the request to the virtual IP, and the virtual IP load-balances it to the pod where the service actually runs.
Therefore, the invention provides a protection method combining a WAF with a PaaS container cloud platform, which comprises the following steps:
configuring information in the routing module, the information comprising the specified domain names that need WAF protection;
configuring a judgment condition in the routing module, the judgment condition comprising whether the accessed domain name is in the protected domain name list;
after the judgment, if the judgment condition is satisfied, forwarding the request to the WAF.
Further, if the judgment condition is not satisfied, the routing module forwards the request to the service Pod.
Further, the protection method is suitable for the Openshift platform.
Further, the protection method implements the functions of the routing module through Haproxy.
Further, the judgment condition is satisfied when all of the individual judgment results are true.
Further, if the WAF detects an attack, the request is denied.
Further, if no attack is detected, the request is forwarded to Haproxy.
Further, the upstream IP and port configured on the WAF are the IP and port of Haproxy;
the information configured in Haproxy also comprises the IP and port of each WAF node;
and the judgment condition configured in Haproxy further comprises whether the source IP is not the IP of a WAF node.
Further, a health check of the WAF is also configured in Haproxy, and the judgment condition configured in Haproxy further comprises whether the WAF node is operating normally.
Further, the WAF may be deployed as a single node or as a cluster; its form may be hardware, software or docker; and it may be deployed outside or inside the container platform.
Further, in the method of the present invention, the designated protected domain names are modified as follows: the domain name is added to the protected domain name list on Haproxy, and the back-end address of that domain name on the WAF is configured as the address of Haproxy.
Therefore, the method achieves customized protection per domain name without configuring a back-end address on the WAF for each domain name that needs protection, and without switching DNS. At the same time, Haproxy checks whether the WAF cluster is operating normally; if all nodes of the WAF cluster are abnormal, Haproxy stops forwarding requests to the WAF until the WAF cluster nodes recover.
Drawings
FIG. 1 PaaS platform dataflow graph
FIG. 2 is a data flow diagram of a PaaS platform with WAF protection according to the present invention
FIG. 3 is a system flow diagram
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the following will describe embodiments of the present application in further detail, and describe the technical solutions of the present application and how to solve the above technical problems in specific embodiments. It should be understood, however, that the present invention may be embodied in various forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
The embodiment of the application provides a protection method combining a WAF with a PaaS platform environment, which comprises the following steps:
The WAF may be deployed as a single node or as a cluster, in hardware, software or docker form, and outside or inside the container platform. The embodiment of the application adopts the following: a WAF cluster of 3 nodes, all deployed in software form. Increasing the number of WAF cluster nodes ensures that when some nodes fail, the remaining healthy nodes can keep protection running. At the same time, the upstream IP and port on the WAF are configured as the IP and port of Haproxy, so that data which has passed WAF detection is returned to Haproxy.
To configure the specified domain names that need WAF protection and the node IPs of the WAF cluster in Haproxy, the embodiment of the application proceeds as follows: domain.lst is created and all protected domain names are written into the file, one domain name per line; a second .lst file is created for Haproxy and the IPs of the 3 WAF cluster nodes are written into it, one IP per line.
For the condition judgment step, the embodiment of the application is implemented as follows: an ACL on the requested Host is added in the frontend block of Haproxy and named hit-domain; its condition is that the requested Host equals one of the domain names in domain.lst, where the matched object is the requested Host and the matched values are the domain names in the file domain.lst. An ACL on the source IP is added in the frontend block of Haproxy and named from-waf; its condition is that the source IP equals one of the node IPs of the WAF cluster, where the matched object is the source IP and the matched values are the IPs in the WAF node list file.
A backend declaration named waf is added in the Haproxy configuration file; its server addresses are the IPs and ports of the 3 WAF nodes. In the frontend block of Haproxy, the waf backend is used if hit-domain is satisfied and from-waf is not satisfied. The effect is that requests for a protected domain name which have not yet passed through the WAF are sent to the WAF for subsequent attack detection.
Further, the health check in the embodiment of the application is prepared as follows: health checks are configured for the 3 servers in the frontend block of Haproxy; an ACL for the normal operation of the WAF cluster is added in the frontend block of Haproxy and named waf-up, whose condition is that the number of live WAF nodes is not 0. Under this condition, the condition for using the waf backend also requires that waf-up is satisfied. In summary, the system operation flow under these conditions is shown in fig. 3. Note that the judgment conditions in the embodiment have no fixed order; fig. 3 shows only one of the possible cases.
The method for modifying the protected domain names in the embodiment of the application is that domain names in the list are dynamically added or deleted using the runtime API of Haproxy, and the back-end address of the domain name on the WAF is configured as the address of Haproxy.
The Openshift container cloud platform generates a domain name and a virtual IP for each service and writes them into the Haproxy configuration file.
The method of the invention performs health checks on the WAF nodes; if the WAF cluster is abnormal, the ACL check fails and the request is forwarded to the service server, so service interruption does not occur.
For the .lst files, if a domain name needs to be added or deleted temporarily, the runtime API of Haproxy can be used to add or delete it dynamically, without restarting the service and without interrupting the business.
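The Haproxy side of the embodiment above (the two list files, the hit-domain, from-waf and waf-up ACLs, the waf backend with health checks, and the runtime API used to change the protected domain list) collected into one configuration, as an added example for both the "Disclosure of Invention" steps and this embodiment. It is not configuration from the patent or from any Openshift Router. All file paths, addresses, ports and the health-check path are assumptions, and the WAF node list file is called waf.lst here only because the page leaves that file name incomplete.

```haproxy
# Added example; not the patent's or Openshift's own configuration.
# Assumed values, constructed for illustration:
#   /etc/haproxy/domain.lst : protected domain names, one per line
#   /etc/haproxy/waf.lst    : WAF node IPs, one per line (file name assumed)
#   10.0.0.11 .. 10.0.0.13  : the three WAF nodes, listening on 8080; each has
#                             its upstream set to this Haproxy (10.0.0.5:80)
#   172.30.10.20:8080       : the platform-allocated virtual IP of one service

global
    # Runtime API socket; "level admin" is required for add acl / del acl
    stats socket /var/run/haproxy.sock mode 660 level admin

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend public
    bind 10.0.0.5:80

    # hit-domain: requested Host (port stripped) is a line of domain.lst
    acl hit-domain req.hdr(host),field(1,:) -i -f /etc/haproxy/domain.lst
    # from-waf: the request arrives from a WAF node, i.e. it was already inspected
    acl from-waf   src -f /etc/haproxy/waf.lst
    # waf-up: at least one WAF node currently passes its health check
    acl waf-up     nbsrv(waf) gt 0

    # Only when all three hold is the request sent through the WAF.
    # - A request coming back from a WAF node (from-waf) goes to the service,
    #   closing the loop client -> Haproxy -> WAF -> Haproxy -> service.
    # - If every WAF node is down (waf-up false) the request also goes to the
    #   service: this is the fail-open behaviour the method specifies.
    use_backend waf if hit-domain !from-waf waf-up
    default_backend svc_shop

backend waf
    # nbsrv(waf) counts only servers whose check passes; the check path is assumed
    option httpchk GET /
    server waf1 10.0.0.11:8080 check inter 2s fall 3 rise 2
    server waf2 10.0.0.12:8080 check inter 2s fall 3 rise 2
    server waf3 10.0.0.13:8080 check inter 2s fall 3 rise 2

backend svc_shop
    # The platform writes one such mapping per service; a single one is shown
    server shop 172.30.10.20:8080

# Runtime changes to the protected list without a restart (run on the host):
#   echo "add acl /etc/haproxy/domain.lst shop.apps.example.internal" \
#       | socat stdio /var/run/haproxy.sock
#   echo "del acl /etc/haproxy/domain.lst shop.apps.example.internal" \
#       | socat stdio /var/run/haproxy.sock
#   echo "show acl /etc/haproxy/domain.lst" | socat stdio /var/run/haproxy.sock
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. Three points matter operationally: the from-waf match is what exempts a request from inspection, so waf.lst must list only the WAF nodes and those addresses must not be shared with any other path by which client traffic reaches Haproxy; the waf-up term implements the page's fail-open choice, so a drop of nbsrv(waf) to 0 should be logged and alerted on, since protection is off for every domain while it lasts; and runtime add acl / del acl changes live only in memory, so domain.lst itself must also be edited for the change to survive a reload.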

Claims (14)

1. A WAF protection method applied to a PaaS container cloud platform, characterized by comprising the following steps:
configuring information in a routing module, wherein the information comprises the specified domain names needing WAF protection;
configuring a judgment condition in the routing module, wherein the judgment condition comprises whether the accessed domain name is in the protected domain name list;
after the judgment, if the judgment condition is satisfied, forwarding the request to the WAF.
2. The protection method according to claim 1, wherein if the judgment condition is not satisfied, the routing module forwards the request to the service Pod.
3. The protection method as recited in claim 2, wherein the PaaS platform is an Openshift platform.
4. The protection method as claimed in claim 3, characterized in that the routing module function is implemented by Haproxy.
5. The protection method according to claim 4, wherein the judgment condition is satisfied when the results of all the judgment conditions are true.
6. The protection method according to claim 5, wherein if the WAF detects an attack, the request is denied.
7. The protection method according to claim 6, wherein if the WAF does not detect an attack, the request is forwarded to Haproxy.
8. The protection method as defined in claim 7, comprising:
the upstream IP and port of the WAF are configured as the IP and port of Haproxy;
the information configured in Haproxy also comprises the IP and port of the WAF nodes;
a judgment condition configured in Haproxy further comprises whether the source IP of the access is not the IP of a WAF node.
9. The method according to claim 8, wherein health checks of the WAF nodes are also configured in Haproxy.
10. The method of claim 9, wherein the judgment condition further comprises "whether the WAF node is functioning properly".
11. The method according to any of claims 1-10, wherein the WAF is deployed in a single-node or cluster manner.
12. The method according to any of claims 1-10, wherein the WAF is deployed in hardware, software, or docker form.
13. The method according to any of claims 1-10, wherein the WAF is deployed outside or inside the platform.
14. A method for modifying the list of domain names according to any one of claims 4 to 10, wherein the domain name is added to the list of protected domain names on Haproxy, and the back-end address of the domain name is configured on the WAF as the address of Haproxy.
Application number: CN202010948915.0A
Priority date: 2020-09-10
Filing date: 2020-09-10
Publication: CN112187737A (en), published 2021-01-05
Title: WAF-combined protection method in PaaS container cloud platform environment
Legal status: Pending
Family ID: 73920513
Country: CN

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114172906A (en) * 2021-12-10 2022-03-11 中国人寿保险股份有限公司上海数据中心 Elastic expansion method, system, equipment and medium for WAF cluster computing resources

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107360162A (en) * 2017-07-12 2017-11-17 北京奇艺世纪科技有限公司 A kind of network application means of defence and device
CN107426206A (en) * 2017-07-17 2017-12-01 北京上元信安技术有限公司 A kind of protector and method to web server
CN109587122A (en) * 2018-11-20 2019-04-05 四川长虹电器股份有限公司 Realize that self ensures the system and method for Web subsystem safety based on WAF system function
CN109905410A (en) * 2019-04-17 2019-06-18 北京搜狐新媒体信息技术有限公司 Web application safety protecting method and Web application firewall system
CN110213375A (en) * 2019-06-04 2019-09-06 杭州安恒信息技术股份有限公司 A kind of method, apparatus and electronic equipment of the IP access control based on cloud WAF
CN110505235A (en) * 2019-09-02 2019-11-26 四川长虹电器股份有限公司 A kind of detection system and method for the malicious requests around cloud WAF
CN110581855A (en) * 2019-09-12 2019-12-17 中国工商银行股份有限公司 Application control method and device, electronic equipment and computer readable storage medium
WO2020147396A1 (en) * 2019-01-17 2020-07-23 平安科技(深圳)有限公司 Method for dynamically configuring service domain name, device, apparatus, and storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination