CN115242788A - Flow data control method, device and medium - Google Patents


Info

Publication number
CN115242788A
Authority
CN
China
Prior art keywords
message
mac
destination
preset
source
Legal status
Pending
Application number
CN202210893138.3A
Other languages
Chinese (zh)
Inventor
马良义
秦海中
Current Assignee
Guangdong Inspur Smart Computing Technology Co Ltd
Original Assignee
Guangdong Inspur Smart Computing Technology Co Ltd
Application filed by Guangdong Inspur Smart Computing Technology Co Ltd
Priority to CN202210893138.3A
Publication of CN115242788A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/38 Flow based routing
    • H04L45/74 Address processing for routing
    • H04L49/00 Packet switching elements
    • H04L49/70 Virtual switches
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to the field of cloud computing and discloses a traffic data control method, device and medium. The method comprises the following steps: obtaining a first packet and parsing it to obtain its source IP, destination IP and destination MAC, so that how the packet is to be processed can be determined from its IP and MAC information; sending this IP information to the open virtual network controller so that the controller can judge, from the source IP and the destination MAC, whether the first packet meets a first preset condition; and, if the first preset condition is met, sending the first packet to a security network element for security processing. In this scheme the open virtual network controller classifies packets by judging whether they meet the preset condition, and packets that meet it are sent to the security network element for security processing. No additional physical security equipment needs to be installed, so the system cost is low.

Description

Flow data control method, device and medium
Technical Field
The present application relates to the field of cloud computing, and in particular, to a method, an apparatus, and a medium for controlling traffic data.
Background
With the development of cloud computing technology, more and more enterprises choose to build their own cloud platforms as internal office platforms. In scenarios such as working from different locations, a service running on the cloud platform needs to connect to the external network to obtain information in order to serve internal users, so the cloud platform has to communicate with the external network and is thereby exposed to external malicious attacks.
Currently, enterprises mostly process cloud platform traffic through physical security hardware to achieve protection. This approach requires planning and deployment at a network planning node and configuration and debugging of each device one by one, which not only increases equipment cost but also prevents flexible adjustment as the cloud platform is updated.
Therefore, how to provide a lower-cost way to process the data traffic of the cloud platform is an urgent problem to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide a traffic data control method, applied to an OpenStack platform virtual router, comprising the following steps:
acquiring a first packet and parsing it to obtain the source IP, destination IP and destination MAC of the first packet;
sending the source IP, destination IP and destination MAC to an open virtual network controller so that the controller can judge whether the first packet meets a first preset condition;
and, if the first preset condition is met, sending the first packet to a security network element so that the security network element can perform security processing on it.
Preferably, the first preset condition includes:
the source IP of the first packet is a preset IP and the destination MAC of the first packet is a first preset MAC;
or the destination IP of the first packet is the preset IP and the destination MAC is not a second preset MAC.
Preferably, after the step of sending the source IP, destination IP and destination MAC to the open virtual network controller so that the controller can judge whether the first packet meets the first preset condition, the method further includes:
if the first preset condition is not met, judging whether the first packet meets a second preset condition;
if the second preset condition is met, forwarding the first packet according to its destination IP;
where the second preset condition includes: the destination IP of the first packet is the preset IP and the destination MAC of the first packet is the second preset MAC; or the source IP of the first packet is the preset IP and the source MAC of the first packet is the second preset MAC.
Preferably, when a plurality of security network elements exist in the OpenStack platform, sending the first packet to the security network element includes:
determining a target security network element by means of a hash algorithm;
and sending the first packet to the target security network element.
In order to solve the above technical problem, the application further provides a traffic data control method, applied to an OpenStack platform security network element, which includes:
acquiring a packet to be processed, the packet to be processed being a first packet sent by an OpenStack platform virtual router whose source IP and destination MAC meet a first preset condition;
performing security processing on the data in the packet to be processed to generate a second packet;
and sending the second packet to the virtual router.
Preferably, performing security processing on the data in the packet to be processed to generate the second packet includes:
judging whether the source IP of the second packet is a preset IP;
if the source IP of the second packet is the preset IP, encrypting the data in the second packet;
if the source IP of the second packet is not the preset IP, judging whether the destination IP of the second packet is the preset IP;
and if the destination IP of the second packet is the preset IP, performing a content security check and decryption on the data in the second packet.
Preferably, sending the second packet to the virtual router includes:
changing the source MAC of the second packet to the MAC of the security network element, and changing the destination MAC of the second packet to the second preset MAC.
In order to solve the above technical problem, the application further provides a traffic data control device, applied to an OpenStack platform virtual router, which includes:
a parsing module for acquiring a first packet and parsing it to obtain the source IP, destination IP and destination MAC of the first packet;
a judging module for sending the source IP, destination IP and destination MAC to the open virtual network controller so that the controller can judge whether the first packet meets a first preset condition;
and a sending module for sending the first packet to a security network element, if the first preset condition is met, so that the security network element can perform security processing on it.
In order to solve the above technical problem, the application further provides a traffic data control apparatus including a memory for storing a computer program;
and a processor for implementing the steps of the traffic data control method when executing the computer program.
In order to solve the above technical problem, the application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the traffic data control method.
The application provides a traffic data control method comprising the following steps: obtaining a first packet and parsing it to obtain the source IP, destination IP and destination MAC of the first packet, so that how the packet is to be processed can be determined from its IP and MAC information; sending the source IP, destination IP and destination MAC to an open virtual network controller so that the controller can judge, from the source IP and destination MAC, whether the first packet meets a first preset condition; and, if the first preset condition is met, sending the first packet to a security network element so that the security network element can perform security processing on it. In this scheme, therefore, the open virtual network controller of the OpenStack platform classifies packets by judging whether they meet the preset condition, and packets that meet it are sent to the security network element for security processing. No additional physical security equipment needs to be installed, so the system cost is low.
In addition, the application also provides a flow data control device and a medium, which correspond to the method and have the same effects.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of a traffic data control method according to an embodiment of the present application;
Fig. 2 is a flowchart of traffic data forwarding according to an embodiment of the present application;
Fig. 3 is a flowchart of a traffic data control method according to an embodiment of the present application;
Fig. 4 is a block diagram of a traffic data control device according to an embodiment of the present application;
Fig. 5 is a structural diagram of a traffic data control apparatus according to another embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without any creative effort belong to the protection scope of the present application.
The core of the application is to provide a traffic data control method, a traffic data control device and a traffic data control medium, so as to reduce the equipment cost for performing safe processing on the traffic data of the cloud platform.
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings.
In the working scenario of a cloud platform, the cloud computing platform needs to be connected to the external network to exchange data, so it faces the security risk of attacks from the external network. To address this, the application provides a traffic data control method applied to the virtual router and security network element of an OpenStack platform, which classifies packets by having the open virtual network controller judge the packet state. Specifically, the method obtains a first packet and parses it to obtain its source IP, destination IP and destination MAC, so that the type of the packet can be determined from its IP and MAC information and the packet processed accordingly. The source IP, destination IP and destination MAC are sent to the open virtual network controller so that the controller can judge, from the source IP and destination MAC, whether the first packet meets a first preset condition, and if it does, the first packet is sent to a security network element for security processing. In this scheme, therefore, the open virtual network controller of the OpenStack platform classifies packets by judging whether they meet the preset condition, and packets that meet it are sent to the security network element for security processing. No additional physical security equipment needs to be installed, so the system cost is low.
Fig. 1 is a flowchart of a traffic data control method according to an embodiment of the present application. The method is applied to an OpenStack platform virtual router and, as shown in Fig. 1, includes:
S10: acquiring a first packet and parsing it to obtain the source IP, destination IP and destination MAC of the first packet.
The first packet may be an access packet sent by a virtual machine in the cloud platform to the external network, or a response packet with which the external network answers a cloud platform request. For an access packet, the source IP is an IP address in the subnet where the virtual machine is located, the destination IP is the IP address of the external network being accessed, the source MAC is the MAC address of the subnet where the virtual machine is located, and the destination MAC is the MAC address of the network segment where the router is located.
Fig. 2 is a flowchart of traffic data forwarding according to an embodiment of the present application. As shown in Fig. 2, the dotted line is the north-south forwarding path without security service injection: the router matches the destination IP address and forwards the packet to the external network. The solid line is the forwarding path after the security service injection function is added: the router matches the source IP address and destination MAC of the packet, traffic meeting the first preset condition is forwarded to the security network element virtual machine, the security network element processes the packet and returns it to the router, and the router forwards the traffic to the external network according to the destination IP address.
In specific implementation, after acquiring a request message sent by a cloud computing platform virtual machine or a response message sent by an external network, a router analyzes a first message to acquire information of a source IP, a destination MAC, request data and the like of the first message.
S11: sending the source IP, destination IP and destination MAC to the open virtual network controller so that the controller can judge whether the first packet meets a first preset condition.
S12: if the first preset condition is met, sending the first packet to a security network element so that the security network element can perform security processing on it.
In a specific implementation, the first preset condition may be data predetermined by the operation and maintenance staff of the cloud platform, or data customised by a user. It will be understood that, because virtual machines in a cloud computing platform are updated frequently, their IP and MAC information changes quickly, and configuring the mapping between security network element, virtual machine and router by hand would increase the user's workload. A corresponding interface function can therefore be provided in advance in the OpenStack cloud environment, and the user updates the first preset condition by calling it.
In this embodiment, to make it easier to judge whether the first packet meets the first preset condition, the open virtual network controller is chosen to perform the judgement. The first preset condition includes: the source IP of the first packet is a preset IP and the destination MAC of the first packet is a first preset MAC; or the destination IP of the first packet is the preset IP and the destination MAC is not a second preset MAC. Specifically, using the policy routing function of the open virtual network controller, the virtual router first examines the destination IP and destination MAC of a received packet; if they match the first issued policy of the virtual router, the packet is determined to have been forwarded from the security network element to the router, and it is forwarded to the virtual machine corresponding to the destination IP. If the first issued policy is not matched, the source IP address and destination MAC of the packet are examined; if they match the second issued policy of the virtual router, the packet is determined to be a packet from an internal virtual machine of the cloud platform accessing the external network, and it is forwarded to the security network element. If the second issued policy is not matched, the destination IP of the packet is examined; if it matches the third issued policy, the packet is determined to be a packet from the external network accessing an internal virtual machine, and it is forwarded to the security network element.
The application provides a traffic data control method comprising the following steps: obtaining a first packet and parsing it to obtain the source IP, destination IP and destination MAC of the first packet, so that the type of the packet can be determined from its IP and MAC information and the packet processed accordingly; sending the source IP, destination IP and destination MAC to an open virtual network controller so that the controller can judge, from the source IP and destination MAC, whether the first packet meets a first preset condition; and, if the first preset condition is met, sending the first packet to a security network element so that the security network element can perform security processing on it. In this scheme, therefore, the open virtual network controller of the OpenStack platform classifies packets by judging whether they meet the preset condition, and packets that meet it are sent to the security network element for security processing. No additional physical security equipment needs to be installed, so the system cost is low.
As a preferred embodiment, the first preset condition includes: the source IP of the first message is a preset IP, and the destination MAC of the first message is a first preset MAC; or the destination IP of the first message is a preset IP and the destination MAC is not the second preset MAC.
In a specific implementation, if the source IP of the first packet is the preset IP and its destination MAC is the first preset MAC, the packet is one sent by a virtual machine in the cloud computing platform to access the external network; if the destination IP of the first packet is the preset IP and its destination MAC is not the second preset MAC, the packet is one sent by the external network to access a virtual machine. To protect the information security of the cloud computing platform, packets meeting the first preset condition need to be sent to the security network element so that it can perform security processing on them.
It should be noted that, in the present application, the first preset MAC is the MAC of the designated subnet gateway, and the second preset MAC is the gateway MAC of the subnet where the security network element is located.
It will be understood that a cloud computing platform provides virtual machines for different users, whose requirements on the security of the platform differ. If the packets of all virtual machines were processed by the security network element, its workload would be too high and computing resources would be wasted. To address this, in this embodiment only virtual machines whose source IP is the preset IP and whose source MAC is the preset MAC receive security processing.
In a specific implementation, a virtual machine sends a packet for accessing the external network to the virtual router of the cloud computing platform. The virtual router performs conventional routing according to the destination IP and then checks whether the source IP address lies in the specified subnet segment and whether the destination MAC is the MAC of the specified subnet gateway; if both match, the next-hop address of the packet is set to the address of the security network element virtual machine and the packet is forwarded. A packet returned by the external network reaches the router first after entering the cloud platform; if the policy route matches because the destination IP address of the packet is an IP of the designated subnet, the packet is rerouted: its next hop is set to the security network element and it is forwarded to the security network element virtual machine.
In this embodiment, the first preset condition is set as: the source IP of the first packet is the preset IP and the destination MAC of the first packet is the first preset MAC; or the destination IP of the first packet is the preset IP and the destination MAC is not the second preset MAC. Thus both packets from virtual machines accessing the external network and packets from the external network accessing virtual machines are sent to the security network element, where they can conveniently be rendered harmless.
As a preferred embodiment, after the step of sending the source IP, destination IP and destination MAC to the open virtual network controller so that the controller can judge whether the first packet meets the first preset condition, the method further includes: if the first preset condition is not met, judging whether the first packet meets a second preset condition; if the second preset condition is met, forwarding the first packet according to its destination IP. The second preset condition includes: the destination IP of the first packet is the preset IP and the destination MAC of the first packet is the second preset MAC; or the source IP of the first packet is the preset IP and the source MAC of the first packet is the second preset MAC.
In a specific implementation, besides receiving requests from virtual machines to access the external network, the virtual router also needs to deliver packets that the security network element has processed to the target virtual machine or to the external network. It will be understood that, when a packet does not meet the first preset condition, then if the destination IP of the first packet is the preset IP and the destination MAC of the first packet is the second preset MAC, the first packet is a packet from the external network accessing the cloud computing platform; and if the source IP of the first packet is the preset IP and the source MAC of the first packet is the second preset MAC, the first packet is a packet accessing the external network.
It will be understood that, to ensure the cloud computing system keeps working normally when there is a large volume of packets, a plurality of security network elements need to be set up in the cloud computing platform. When a plurality of security network elements exist in the OpenStack platform, sending the first packet to the security network element includes: determining a target security network element by means of a hash algorithm, and sending the first packet to the target security network element.
Fig. 3 is a flowchart of a traffic data control method according to an embodiment of the present application, applied to an OpenStack platform security network element. As shown in Fig. 3, the method includes:
S20: acquiring a packet to be processed, the packet to be processed being a first packet sent by an OpenStack platform virtual router whose source IP and destination MAC meet a first preset condition;
S21: performing security processing on the data in the packet to be processed to generate a second packet;
S22: sending the second packet to the virtual router.
After the packet reaches the security network element, the data in the packet is first processed for security to generate a second packet, which is then forwarded to the router. The security network element does not change the destination IP or source IP of the packet; it changes only the source MAC and destination MAC, so that the source MAC of the packet is now the MAC of the security network element and the destination MAC is the gateway MAC of the subnet where the security network element is located.
After the packet reaches the router, the policy route matches on the destination IP address being a designated address in the service subnet and the destination MAC being the gateway MAC of the subnet where the security network element is located; the release action is executed without further processing and the packet is forwarded to the destination virtual machine according to its destination IP, completing the whole route for forwarding the packet.
This embodiment provides a method for controlling traffic data with north-south security service injection based on openstack. It is suitable for an openstack cloud environment whose control plane uses ovn: exploiting the fact that north-south traffic has to pass through the virtual router, it uses ovn policy routing to steer north-south traffic into the security network element virtual machine, thereby achieving injection of the security network element. The invention allows the cloud platform to connect third-party security network elements, ensures the security of north-south data, and also provides load balancing across a plurality of security network elements, greatly increasing the bandwidth of the security service and keeping pace with customers' growing bandwidth requirements.
The application provides a traffic data control method comprising the following steps: obtaining a first packet and parsing it to obtain the source IP, destination IP and destination MAC of the first packet, so that how the packet is to be processed can be determined from its IP and MAC information; sending the source IP, destination IP and destination MAC to an open virtual network controller so that the controller can judge, from the source IP and destination MAC, whether the first packet meets a first preset condition; and, if the first preset condition is met, sending the first packet to a security network element so that the security network element can perform security processing on it. In this scheme, therefore, the open virtual network controller of the OpenStack platform classifies packets by judging whether they meet the preset condition, and packets that meet it are sent to the security network element for security processing. No additional physical security equipment needs to be installed, so the system cost is low.
In a preferred embodiment, performing security processing on the data in the packet to be processed to generate the second packet includes: judging whether the source IP of the second packet is the preset IP;
if the source IP of the second packet is the preset IP, the second packet is a packet from a virtual machine accessing the external network, and the data in the second packet is encrypted;
if the source IP of the second packet is not the preset IP, judging whether the destination IP of the second packet is the preset IP;
and if the destination IP of the second packet is the preset IP, the second packet is a packet from the external network accessing a virtual machine in the cloud computing platform, and a content security check and decryption are performed on the data in the second packet.
The foregoing embodiments describe the data flow control method in detail; the present application also provides corresponding embodiments of a data flow control apparatus. Note that the apparatus embodiments are described from two perspectives, one based on functional modules and the other based on hardware.
Fig. 4 is a structural diagram of a data flow control apparatus provided in an embodiment of the present application. The apparatus is applied to an OpenStack platform virtual router and, as shown in fig. 4, includes:
the parsing module 10 is configured to obtain the first packet and parse the first packet to obtain a source IP, a destination IP, and a destination MAC of the first packet.
The determining module 11 is configured to send the source IP, the destination IP, and the destination MAC to the open virtual network controller, so that the open virtual network controller determines whether the first packet meets a first preset condition.
The sending module 12 is configured to send the first packet to the security network element if the first preset condition is met, so that the security network element performs security processing on the first packet.
The specific process by which the data flow control apparatus of this embodiment handles a packet is as follows:
A virtual machine sends a packet destined for the external network to the router. The router first performs conventional routing according to the destination IP, then matches whether the source IP address lies in the specified subnet and whether the destination MAC is the MAC of the specified subnet gateway. If both match, the next-hop address of the packet is set to the address of the security network element virtual machine and the packet is forwarded; if several security network elements are load-balanced, one of them is selected as the next hop by a hash algorithm over the packet information.
A packet returned by the external network first reaches the router after entering the cloud platform. If the policy route matches the packet's destination IP address as an IP of the designated subnet, the packet is rerouted: its next hop is set to a security network element and it is forwarded to the security network element virtual machine. If several security network elements are load-balanced, one is selected as the next hop by a hash algorithm over the packet information.
After the packet reaches the security network element, the data in the packet is first security-processed and the packet is then sent back to the router. The security network element does not change the destination IP or source IP of the packet; it changes only the source MAC and destination MAC, so that the source MAC is now the MAC of the security network element and the destination MAC is the MAC of the gateway of the subnet where the security network element is located.
When the packet reaches the router again, the policy route matches the destination IP address as a designated address in the service subnet and the destination MAC as the gateway MAC of the subnet where the security network element is located, executes the pass action without further processing, and the packet is forwarded to the destination virtual machine according to its destination IP. This completes the whole forwarding path of the packet.
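The router and security-network-element decisions described above, modelled in Python as an added example (not the patent's own code and not OVN's): the service subnet, the two gateway MACs and the security network element (SNE) addresses are constructed assumptions, and hashing the sorted address pair so that both directions of a flow reach the same SNE is a choice made here, not something the text states.

```python
"""Model of the policy-routing decision the patent describes for an OVN
logical router: classify a north-south packet by source/destination IP and
destination MAC, steer it to a security network element (SNE) when the first
preset condition holds, and let it pass once the SNE has returned it.
Added example for this page; not the patent's or OVN's code."""
from dataclasses import dataclass, replace
import hashlib
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample topology (assumed values, not taken from the patent).
PRESET_SUBNET = ip_network("10.0.1.0/24")   # VM service subnet ("preset IP")
FIRST_PRESET_MAC = "fa:16:3e:aa:00:01"      # gateway MAC of the service subnet
SECOND_PRESET_MAC = "fa:16:3e:bb:00:01"     # gateway MAC of the SNE subnet
SNE_POOL = ["10.0.9.11", "10.0.9.12", "10.0.9.13"]  # SNE VM addresses


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str


def in_preset(ip: str) -> bool:
    return ip_address(ip) in PRESET_SUBNET


def first_preset_condition(p: Packet) -> bool:
    """Claim 2: the packet has not yet been through the SNE."""
    vm_to_external = in_preset(p.src_ip) and p.dst_mac == FIRST_PRESET_MAC
    external_to_vm = in_preset(p.dst_ip) and p.dst_mac != SECOND_PRESET_MAC
    return vm_to_external or external_to_vm


def second_preset_condition(p: Packet) -> bool:
    """Claim 3: the packet was returned by the SNE; forward it normally."""
    returned_inbound = in_preset(p.dst_ip) and p.dst_mac == SECOND_PRESET_MAC
    returned_outbound = in_preset(p.src_ip) and p.src_mac == SECOND_PRESET_MAC
    return returned_inbound or returned_outbound


def pick_sne(p: Packet) -> str:
    """Claim 4: choose one SNE by hashing packet information.  The hash is
    taken over the *sorted* address pair (an assumption made here) so that
    request and response land on the same SNE, which a stateful
    encrypt/decrypt element needs."""
    key = "|".join(sorted((p.src_ip, p.dst_ip))).encode()
    digest = hashlib.sha256(key).digest()
    return SNE_POOL[int.from_bytes(digest[:4], "big") % len(SNE_POOL)]


def router_decision(p: Packet) -> Tuple[str, Optional[str]]:
    """Return ('reroute', sne_ip) when the first preset condition holds,
    otherwise ('forward', None): traffic matching the second condition and
    unmatched traffic both end in ordinary destination-IP routing."""
    if first_preset_condition(p):
        return "reroute", pick_sne(p)
    return "forward", None


def sne_process(p: Packet, sne_mac: str) -> Tuple[str, Packet]:
    """Claims 6 and 7: pick the security action from the IPs, then hand the
    packet back to the router with only the MAC addresses rewritten."""
    if in_preset(p.src_ip):
        action = "encrypt"                      # VM -> external network
    elif in_preset(p.dst_ip):
        action = "content-check-and-decrypt"    # external network -> VM
    else:
        action = "none"                         # not service-subnet traffic
    back = replace(p, src_mac=sne_mac, dst_mac=SECOND_PRESET_MAC)
    return action, back
```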
Since the apparatus embodiments correspond to the method embodiments, refer to the description of the method embodiments for details of the apparatus embodiments; they are not repeated here.
The application provides a traffic data control apparatus that obtains a first packet and parses it to obtain its source IP, destination IP and destination MAC, so that how the packet is to be processed can be determined from its IP and MAC information. The source IP, destination IP and destination MAC are sent to the open virtual network controller, which judges from the source IP and destination MAC whether the first packet meets a first preset condition; if it does, the first packet is sent to a security network element, which performs security processing on it. In this scheme, therefore, the open virtual network controller of the OpenStack platform judges whether the first packet meets the preset condition in order to classify the packet, and packets meeting the condition are sent to the security network element for security processing. No additional physical security equipment needs to be installed, and the system cost is low.
Fig. 5 is a structural diagram of a traffic data control device according to another embodiment of the present application. As shown in fig. 5, the traffic data control device includes: a memory 20 for storing a computer program;
and a processor 21 for implementing the steps of the traffic data control method described in the above embodiments when executing the computer program.
The terminal device provided by the embodiment may include, but is not limited to, a smart phone, a tablet computer, a notebook computer, or a desktop computer.
The processor 21 may include one or more processing cores, such as a 4-core processor or an 8-core processor. The processor 21 may be implemented in at least one hardware form among a Digital Signal Processor (DSP), a Field-Programmable Gate Array (FPGA) and a Programmable Logic Array (PLA). The processor 21 may also include a main processor and a coprocessor, where the main processor processes data in the awake state and is also called a Central Processing Unit (CPU), and the coprocessor is a low-power processor that processes data in the standby state. In some embodiments, the processor 21 may be integrated with a Graphics Processing Unit (GPU), which is responsible for rendering and drawing the content to be shown on the display screen. In some embodiments, the processor 21 may further include an Artificial Intelligence (AI) processor for computational operations related to machine learning.
The memory 20 may include one or more computer-readable storage media, which may be non-transitory. The memory 20 may also include high-speed random access memory as well as non-volatile memory, such as one or more magnetic disk storage devices or flash memory storage devices. In this embodiment, the memory 20 is used at least for storing the following computer program 201, which, after being loaded and executed by the processor 21, implements the relevant steps of the traffic data control method disclosed in any of the foregoing embodiments. In addition, the resources stored in the memory 20 may also include an operating system 202, data 203 and the like, and the storage may be transient or permanent. The operating system 202 may include, among others, Windows, Unix or Linux. The data 203 may include, but is not limited to, a first packet, a second packet, a preset IP and the like.
In some embodiments, the flow data control device may further include a display 22, an input/output interface 23, a communication interface 24, a power supply 25, and a communication bus 26.
Those skilled in the art will appreciate that the configuration shown in fig. 5 does not constitute a limitation of the flow data control apparatus and may include more or fewer components than those shown.
The traffic data control device provided by this embodiment includes a memory and a processor; when the processor executes the program stored in the memory, the following method is realized:
acquiring a first packet and parsing it to obtain the source IP, destination IP and destination MAC of the first packet;
sending the source IP, destination IP and destination MAC to the open virtual network controller so that the open virtual network controller judges whether the first packet meets a first preset condition;
and if the first preset condition is met, sending the first packet to a security network element so that the security network element performs security processing on the first packet.
Finally, the application also provides a corresponding embodiment of a computer-readable storage medium, on which a computer program is stored that, when executed by a processor, carries out the steps set forth in the method embodiments above.
It is to be understood that if the method in the above embodiments is implemented in the form of software functional units and sold or used as a stand-alone product, it can be stored in a computer-readable storage medium. On this understanding, the technical solutions of the present application may be embodied in the form of a software product, stored in a storage medium, that executes all or part of the steps of the methods described in the embodiments of the present application, or all or part of the technical solutions. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
The traffic data control method, device and medium provided by the present application are described in detail above. The embodiments in the specification are described progressively: each embodiment focuses on its differences from the others, and the parts that are the same or similar across embodiments refer to each other. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is brief; for relevant details refer to the description of the method. It should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and those improvements and modifications also fall within the protection scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Also, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in the process, method, article or apparatus that comprises the element.

Claims (10)

1. A traffic data control method, applied to an OpenStack platform virtual router, comprising the following steps:
acquiring a first packet and parsing the first packet to obtain a source IP, a destination IP and a destination MAC of the first packet;
sending the source IP, the destination IP and the destination MAC to an open virtual network controller so that the open virtual network controller judges whether the first packet meets a first preset condition;
and if the first preset condition is met, sending the first packet to a security network element so that the security network element performs security processing on the first packet.
2. The traffic data control method according to claim 1, wherein the first preset condition includes:
the source IP of the first packet is a preset IP and the destination MAC of the first packet is a first preset MAC;
or the destination IP of the first packet is the preset IP and the destination MAC is not a second preset MAC.
3. The traffic data control method according to claim 1, wherein, after sending the source IP, the destination IP and the destination MAC to the open virtual network controller so that the open virtual network controller judges whether the first packet meets the first preset condition, the method further includes:
if the first preset condition is not met, judging whether the first packet meets a second preset condition;
if the second preset condition is met, forwarding the first packet according to the destination IP;
wherein the second preset condition includes: the destination IP of the first packet is a preset IP and the destination MAC of the first packet is a second preset MAC; or the source IP of the first packet is a preset IP and the source MAC of the first packet is a second preset MAC.
4. The method according to claim 1, wherein, when a plurality of security network elements exist in the OpenStack platform, sending the first packet to a security network element includes:
determining a target security network element by a hash algorithm;
and sending the first packet to the target security network element.
5. A traffic data control method, applied to an OpenStack platform security network element, comprising the following steps:
acquiring a packet to be processed, wherein the packet to be processed is a first packet sent by an OpenStack platform virtual router whose source IP and destination MAC meet a first preset condition;
performing security processing on data in the packet to be processed to generate a second packet;
and sending the second packet to the virtual router.
6. The traffic data control method according to claim 5, wherein performing security processing on the data in the packet to be processed to generate the second packet includes:
judging whether the source IP of the second packet is a preset IP;
if the source IP of the second packet is the preset IP, encrypting the data in the second packet;
if the source IP of the second packet is not the preset IP, judging whether the destination IP of the second packet is the preset IP;
and if the destination IP of the second packet is the preset IP, performing content security checking and decryption on the data in the second packet.
7. The traffic data control method according to claim 5, wherein sending the second packet to the virtual router includes:
changing the source MAC of the second packet to the MAC of the security network element, and changing the destination MAC of the second packet to a second preset MAC.
8. A data flow control apparatus, applied to an OpenStack platform virtual router, comprising:
a parsing module for acquiring a first packet and parsing the first packet to obtain a source IP, a destination IP and a destination MAC of the first packet;
a judging module for sending the source IP, the destination IP and the destination MAC to the open virtual network controller so that the open virtual network controller judges whether the first packet meets a first preset condition;
and a sending module for sending the first packet to a security network element if the first preset condition is met, so that the security network element performs security processing on the first packet.
9. A data flow control apparatus, comprising: a memory for storing a computer program;
and a processor for implementing the steps of the data flow control method according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the data flow control method according to any one of claims 1 to 7.
Bibliographic data

Application CN202210893138.3A, priority date 2022-07-27, filing date 2022-07-27, title "Flow data control method, device and medium"; legal status pending.
Publication CN115242788A, published 2022-10-25.
Family ID 83677879; country status: CN (CN115242788A).

Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination