CN117376011A - Safety protection system, safety protection method and equipment - Google Patents


Info

Publication number: CN117376011A
Application number: CN202311540708.1A
Authority: CN (China)
Other languages: Chinese (zh)
Inventor: 陈晓西
Current assignee: Tianyi Safety Technology Co Ltd
Original assignee: Tianyi Safety Technology Co Ltd
Legal status: Pending
Prior art keywords: tenant, module, message, waf, application firewall

Classifications

    • H04L63/0209 Network architectures or network communication protocols for network security; separating internal from external traffic, e.g. firewalls; architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L41/0654 Arrangements for maintenance, administration or management of data switching networks; management of faults, events, alarms or notifications using network fault recovery


Abstract

The embodiments of this application provide a security protection system, a security protection method and a security protection device, intended to solve the problems of the prior-art WAF scheme: a large fault blast radius, low SLA reliability, weak horizontal scaling and high cost. The system comprises a packet transceiver module and an application firewall (WAF). The packet transceiver module is responsible for parsing and forwarding data, while the WAF only performs security detection on messages and determines the corresponding decision result. This avoids completing all processing on a single Nginx instance of the WAF, implements fault isolation and fault tolerance, reduces the impact of a fault on the system, and improves its reliability and stability. Because the tasks are placed on separate modules, horizontal scaling and load balancing can be performed per module whenever the resources of the module handling a given task are insufficient, improving the performance and scalability of the system.

Description

Safety protection system, safety protection method and equipment
Technical Field
The present application relates to the field of communications technology, and in particular to a security protection system, a security protection method and a device.
Background
The existing general-purpose Web Application Firewall (WAF) adopts a dual-master dual-standby scheme, as shown in FIG. 1, in which the capacity of the conventional master and standby machines is shared as fully as possible. The original master node (Master) host starts 5 WAF applications (WAF 1, …, WAF 5) and the original slave node (Slave) host starts 5 WAF applications (WAF 6, …, WAF 10). In the example, WAF 1 carries 70% of the traffic of tenant 1 and 30% of the traffic of tenant 10, while WAF 10 carries 30% of the traffic of tenant 1 and 70% of the traffic of tenant 10, so every tenant has two reliable nodes hosting its traffic. Sessions between tenants are synchronised reliably through a Remote Dictionary Server (Redis) master/slave pair, so that as long as one of the two machines survives the user's connectivity is not interrupted.
However, in the dual-master dual-standby mode the WAF master node hosts all tenants, and the master and slave nodes synchronise master/standby service data through persistent sessions. FIG. 2 shows the processing flow of the data stream in master/standby mode: the layer-7 network packets of tenant 10 (including TLS/SSL offload and five-tuple hashing) are first decrypted by Transport Layer Security (TLS) or offloaded with a Secure Sockets Layer (SSL) certificate and hashed on the five-tuple; the resulting packets are forwarded, through the IP load balancing of the hardware load balancer (F5), to the reverse proxy server (Nginx) inside the WAF; traffic analysis and security scanning are performed in Nginx on the master and slave in the conventional dual-master dual-standby manner; and the checked packets are forwarded to the web site. In this process Nginx carries every role, including TLS decryption, protocol parsing, message parsing, security checking, packet reassembly and packet forwarding. An Nginx process is divided into a master process and several worker processes, and each worker process needs a protocol parsing module, a packet reassembly module, a security detection module, a message parsing module, a policy matching module and a packet forwarding module.
Because all processing for single and multiple tenants in the existing WAF scheme is completed on one Nginx, once that Nginx goes down the traffic of every tenant forwarded to it is affected, so the fault blast radius is extremely large and the reliability of the Service-Level Agreement (SLA) is low. Moreover, when the resources of any one module inside Nginx are insufficient, a whole additional Nginx has to be deployed, i.e. horizontal scaling must use Nginx as its unit, so horizontal scaling capability is low and cost is high.
In summary, the existing WAF scheme suffers from a large fault blast radius, low SLA reliability, weak horizontal scaling and high cost.
Disclosure of Invention
The embodiments of this application provide a security protection system, a security protection method and a security protection device, intended to solve the problems of the prior-art WAF scheme: a large fault blast radius, low SLA reliability, weak horizontal scaling and high cost.
In a first aspect, an embodiment of the present application provides a security protection system comprising a packet transceiver module and an application firewall (WAF);
the packet transceiver module is used to receive a tenant message, parse the tenant message, determine the target WAF corresponding to the target tenant to which the tenant message belongs, and forward the message to the target WAF;
the target WAF is used to perform security detection on the message, determine the decision result corresponding to the message, and forward the decision result to the packet transceiver module;
and the packet transceiver module is further used to forward the message when the decision result is "forward".
In a second aspect, an embodiment of the present application provides a security protection method comprising:
the packet transceiver module receives a tenant message, parses the tenant message, determines the target WAF corresponding to the target tenant to which the tenant message belongs, and forwards the message to the target WAF;
the target WAF performs security detection on the message, determines the decision result corresponding to the message, and forwards the decision result to the packet transceiver module;
and when the decision result is "forward", the packet transceiver module forwards the message.
In a third aspect, an embodiment of the present application further provides a security protection device comprising:
a processing module used to receive a tenant message, parse the tenant message, determine the target WAF corresponding to the target tenant to which the tenant message belongs, and forward the message to the target WAF;
a detection module used by the target WAF to perform security detection on the message, determine the decision result corresponding to the message, and forward the decision result to the packet transceiver module;
and a forwarding module used by the packet transceiver module to forward the message when the decision result is "forward".
In a fourth aspect, an embodiment of the present application further provides an electronic device comprising at least a processor and a memory, the processor being configured to implement the steps of the security protection method of any of the preceding aspects when executing a computer program stored in the memory.
In a fifth aspect, an embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the security protection method of any of the preceding aspects.
In the embodiments of this application, the security protection system comprises a packet transceiver module and an application firewall (WAF). The packet transceiver module is used to receive a tenant message, parse it, determine the target WAF corresponding to the target tenant to which the message belongs, and forward the message to that WAF; the target WAF is used to perform security detection on the message, determine the corresponding decision result, and return it to the packet transceiver module; and the packet transceiver module is further used to forward the message when the decision result is "forward".
Because the security protection system comprises a packet transceiver module and a WAF, with the packet transceiver module responsible for parsing and forwarding data and the WAF only performing security detection and determining the decision result, all processing is no longer completed on a single Nginx instance of the WAF. This implements fault isolation and fault tolerance, reduces the impact of a fault on the system, and improves its reliability and stability. Because the tasks are placed on separate modules, horizontal scaling and load balancing can be performed per module whenever the resources of the module handling a given task are insufficient, improving the performance and scalability of the system.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present application; a person skilled in the art may derive other drawings from them without inventive effort.
FIG. 1 is a flow diagram of a conventional dual-master dual-standby scheme;
FIG. 2 is a schematic diagram of the data flow process in master/standby mode;
FIG. 3 is a schematic structural diagram of a security protection system according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of another security protection system according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a policy issuing module according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a security system architecture according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a tenant account opening and sharing registration flow according to an embodiment of the present application;
FIG. 8 is a schematic diagram of a tenant account opening and sharing registration flow according to an embodiment of the present application;
FIG. 9 is a schematic diagram of a tenant sales flow according to an embodiment of the present application;
FIG. 10 is a schematic diagram of a security protection process according to an embodiment of the present application;
FIG. 11 is a schematic structural diagram of a security protection device according to an embodiment of the present application;
FIG. 12 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
To make the purposes, technical solutions and advantages of the present application clearer, it is described in further detail below with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the present application; all other embodiments that a person of ordinary skill in the art can obtain from the present disclosure without undue burden fall within its scope.
The embodiments of this application provide a security protection system, a security protection method and a device. The system comprises a packet transceiver module and a plurality of application firewalls (WAFs). The packet transceiver module is used to receive a tenant message, parse it, determine the target WAF corresponding to the target tenant to which the message belongs, and forward the message to that WAF; the target WAF is used to perform security detection on the message, determine the corresponding decision result, and return it to the packet transceiver module; and the packet transceiver module is further used to forward the message when the decision result is "forward". Because the packet transceiver module is responsible for parsing and forwarding data while the WAF only performs security detection and determines the decision result, all processing is no longer completed on a single Nginx instance of the WAF. This implements fault isolation and fault tolerance, reduces the impact of a fault on the system, and improves its reliability and stability. Because the tasks are placed on separate modules, horizontal scaling and load balancing can be performed per module whenever the resources of the module handling a given task are insufficient, improving the performance and scalability of the system.
Example 1:
FIG. 3 is a schematic structural diagram of a security protection system provided in an embodiment of the present application. The system includes a packet transceiver module 31 and a plurality of application firewalls (WAFs);
the packet transceiver module 31 is configured to receive a tenant message, parse the tenant message, determine the target application firewall WAF 32 corresponding to the target tenant to which the tenant message belongs, and forward the message to the target WAF 32;
the target WAF 32 is configured to perform security detection on the message, determine the decision result corresponding to the message, and forward the decision result to the packet transceiver module 31;
the packet transceiver module 31 is further configured to forward the message when the decision result is "forward".
The security protection system of this embodiment can be deployed as a cluster; for example, it can be deployed in a container orchestration (Kubernetes) cluster, whose scheduling capability is used to schedule traffic and maximise resource utilisation. The Kubernetes cluster is prior art and is not described in detail here.
In this embodiment, after a tenant message enters the packet transceiver module 31, the module 31 receives it and performs protocol parsing on it (for example, layer-7 protocol parsing), and determines the target tenant to which the tenant message belongs. Because the system stores a correspondence between tenant information and application firewalls, the target WAF 32 corresponding to the target tenant is determined from the target tenant and that correspondence. The packet transceiver module 31 may forward the parsed message to the target WAF 32 through a ring buffer (Ringbuffer In) queue.
The target WAF 32 receives the parsed message, for example by reading it from the Ringbuffer In queue; it performs security detection on the message and determines the security detection results, where security detection includes, but is not limited to, running several security engines over the message; it then determines the decision result corresponding to the message from those security detection results and forwards the decision result to the packet transceiver module 31, for example by writing it back through a ring buffer (Ringbuffer).
The Ringbuffer is held in shared memory mapped to a device file of the host, so that the message is passed between modules with zero copy, entirely in user mode.
The decision result includes, but is not limited to, "forward" or "block". In one possible implementation, when the decision result received by the packet transceiver module 31 is "forward", the module 31 reassembles the application-layer message from the message content and the five-tuple information, determines the receiver from the destination address contained in the message, and forwards the reassembled message to that receiver.
In another possible implementation, when the decision result received by the packet transceiver module 31 is "block", the module 31 discards the message.
In the embodiments of this application, the security protection system comprises a packet transceiver module and a WAF. The packet transceiver module is responsible for parsing and forwarding data, while the WAF only performs security detection and determines the decision result, so all processing is no longer completed on a single Nginx instance of the WAF; this implements fault isolation and fault tolerance, reduces the impact of a fault on the system, and improves its reliability and stability. Because the tasks are placed on separate modules, horizontal scaling and load balancing can be performed per module whenever the resources of the module handling a given task are insufficient, improving the performance and scalability of the system.
Example 2:
To speed up tenant lookup, building on the above embodiment, the system in this embodiment further includes a tenant control module;
the packet transceiver module 31 is specifically configured to forward the message to the tenant control module;
the tenant control module is used to look up the target tenant to which the message belongs and to determine the target WAF 32 corresponding to the target tenant from the correspondence between tenant information and application firewalls and from the target tenant.
FIG. 4 shows another structural schematic diagram of the security protection system, in which the system further includes a tenant control module (the tenant cache module and the Controller module in FIG. 4).
The packet transceiver module 31 forwards the parsed message to the tenant control module. The tenant cache module in the tenant control module receives the message and looks up the tenant information corresponding to it. If the tenant information is found in the tenant cache module, the target tenant to which the message belongs is determined from the information found; if it is not found there, a remote interface is called, the tenant information corresponding to the message is looked up in the Controller module, and the target tenant is determined from the information returned. The tenant cache module stores the information of a subset of tenants locally, while the Controller module, which may be deployed in the cloud, stores the information of all tenants; this is not limited here.
After looking up the target tenant to which the message belongs, the tenant control module determines the target WAF 32 corresponding to the target tenant from the stored correspondence between tenant information and application firewalls and from the target tenant.
In one possible implementation, after determining the target WAF 32 corresponding to the target tenant, the tenant control module sends the message together with the information of its target tenant to the target WAF 32 through a Ringbuffer In queue.
In the embodiments of this application, the tenant control module builds a multi-level cache, consisting of the tenant cache module and the Controller module, on shared memory, so as to speed up lookup.
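The dispatch path of Examples 1 and 2 (parse, tenant lookup through a local cache with Controller fallback, hand-off to the target WAF through a ring buffer) as an added illustration in Python; this is not the patent's code. It assumes tenants are identified by the HTTP Host header, a static tenant-to-WAF table, and in-memory ring buffers in place of the shared-memory Ringbuffer In queues; all tenant data is constructed.

```python
"""Packet transceiver -> tenant control -> WAF dispatch, modelled on Examples 1 and 2.
Assumed: Host header identifies the tenant; tenant->WAF assignment is a static table."""


class RingBuffer:
    """Fixed-capacity FIFO standing in for the shared-memory Ringbuffer queue."""

    def __init__(self, capacity: int) -> None:
        self._slots = [None] * capacity
        self._head = 0    # next slot to read
        self._tail = 0    # next slot to write
        self._count = 0

    def push(self, item) -> bool:
        if self._count == len(self._slots):
            return False  # full: the caller must apply back-pressure, not drop silently
        self._slots[self._tail] = item
        self._tail = (self._tail + 1) % len(self._slots)
        self._count += 1
        return True

    def pop(self):
        if self._count == 0:
            return None
        item = self._slots[self._head]
        self._slots[self._head] = None
        self._head = (self._head + 1) % len(self._slots)
        self._count -= 1
        return item

    def __len__(self) -> int:
        return self._count


class Controller:
    """Cloud-side module holding information on all tenants (constructed sample data)."""

    def __init__(self, host_to_tenant: dict) -> None:
        self._tenants = host_to_tenant
        self.remote_calls = 0     # counts calls over the remote interface

    def lookup(self, host: str):
        self.remote_calls += 1
        return self._tenants.get(host)


class TenantControl:
    """Local tenant cache with fallback to the Controller on a miss (Example 2)."""

    def __init__(self, controller: Controller, waf_of_tenant: dict) -> None:
        self._controller = controller
        self._cache = {}                     # host -> tenant id, partial copy
        self._waf_of_tenant = waf_of_tenant  # tenant id -> WAF id

    def resolve(self, host: str):
        tenant = self._cache.get(host)
        if tenant is None:
            tenant = self._controller.lookup(host)
            if tenant is None:
                return None, None            # unknown tenant: nothing to route to
            self._cache[host] = tenant
        return tenant, self._waf_of_tenant.get(tenant)


def parse_request(raw: bytes) -> dict:
    """Minimal layer-7 parse of an HTTP/1.1 request: request line and headers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


class PacketTransceiver:
    """Receives, parses and dispatches; never inspects payload security itself."""

    def __init__(self, tenant_control: TenantControl, waf_queues: dict) -> None:
        self._tenant_control = tenant_control
        self._waf_queues = waf_queues        # WAF id -> its Ringbuffer In queue
        self.dropped = []                    # hosts whose messages could not be queued

    def receive(self, raw: bytes):
        msg = parse_request(raw)
        host = msg["headers"].get("host", "")
        tenant, waf_id = self._tenant_control.resolve(host)
        if waf_id is None or waf_id not in self._waf_queues:
            self.dropped.append(host)
            return None
        if not self._waf_queues[waf_id].push((tenant, msg)):
            self.dropped.append(host)        # that WAF's queue is full: back-pressure
            return None
        return waf_id


def build_demo():
    """Constructed topology: two tenants, each pinned to its own WAF instance."""
    controller = Controller({"shop.example": "tenant-1", "blog.example": "tenant-10"})
    tenant_control = TenantControl(controller, {"tenant-1": "waf-1", "tenant-10": "waf-10"})
    queues = {"waf-1": RingBuffer(4), "waf-10": RingBuffer(4)}
    return PacketTransceiver(tenant_control, queues), controller, queues
```

A full queue is reported to the caller rather than silently dropped, since losing a message here would bypass detection for that tenant without any record.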
Example 3:
Building on the above embodiments, the system in this embodiment further includes a Transport Layer Security (TLS) decryption module;
the packet transceiver module 31 is specifically configured to determine, after parsing the tenant message, whether the message is encrypted; if not, it forwards the message to the tenant control module; if so, it forwards the message to the TLS decryption module;
the TLS decryption module is configured to decrypt the message after receiving it and to forward the decrypted message to the packet transceiver module 31;
the packet transceiver module 31 is further configured to forward the message received from the TLS decryption module to the tenant control module.
As shown in FIG. 4, the security protection system further includes a TLS decryption module, i.e. the certificate offload module shown in FIG. 4.
After parsing the tenant message, the packet transceiver module 31 determines whether the message is encrypted; for example, it determines whether the message is Hypertext Transfer Protocol Secure (HTTPS) traffic. If not, the message is an unencrypted plaintext message and is forwarded to the tenant control module; if so, the message is an encrypted message and is forwarded to the TLS decryption module through a TLS Ringbuffer In interface.
After receiving the message, the TLS decryption module decrypts it using a TLS or SSL decryption algorithm to obtain the decrypted message, and forwards the decrypted message to the packet transceiver module 31 through a TLS Ringbuffer Out interface.
After receiving the decrypted message from the TLS decryption module, the packet transceiver module 31 forwards it to the tenant control module, so that the tenant control module looks up the target tenant to which the message belongs from the plaintext message.
Example 4:
To improve security detection capability, building on the above embodiments, the target WAF 32 in this embodiment includes a security engine module and a policy decision module;
the security engine module is used to perform security detection on the message after receiving it, determine the detection score of the message for each security detection, and forward the detection score of each security detection to the policy decision module;
the policy decision module is configured to obtain the tenant policy corresponding to the target tenant, apply the tenant policy to the detection scores, determine the decision result corresponding to the message, and forward the decision result to the packet transceiver module 31.
The WAF in the embodiments of this application includes a security engine module (the security module in FIG. 4) and a policy decision module (the Policy Decision Point, PDP, in FIG. 4). The policy decision module PDP may be a central control point responsible for managing and executing security policies, typically an independent server, which receives requests from Policy Enforcement Points (PEPs) and makes decisions according to tenant policies; the PDP may also manage the updating and version control of tenant policies, which is not described further here.
The security engine module in the target WAF 32 may receive the message through a Security Ringbuffer In queue. After receiving the message it performs security detection on it using the several security detection engines it contains, where each engine corresponds to one security detection item and produces the security detection score of the message for that item, and it forwards the score of each security detection to the policy decision module.
The system stores the tenant policies corresponding to different tenants, and the policy decision module obtains the tenant policy corresponding to the target tenant. The tenant policy is applied to the detection scores of the target tenant's message; for example, the detection scores are matched against the tenant policy ("policy collision"), which may use acceleration methods such as a shared-memory database, and the decision result corresponding to the message is determined.
After determining the decision result corresponding to the message, the policy decision module forwards it to the packet transceiver module 31.
In the embodiments of this application, the tenant policies of different tenants are stored and the detection scores of a target tenant's message are decided on the basis of that tenant's policy, so that the security of each tenant's messages is decided individually according to each tenant's policy, which improves security detection capability.
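The engine-scoring and per-tenant policy decision described in Example 4, as an added Python illustration rather than the patent's code. The detection items, the simple marker patterns each engine looks for, the score values and the tenant policies are all constructed; the page does not describe the real engines or their scoring.

```python
"""Security engine module -> policy decision point (PDP), modelled on Example 4.
Engines, scores and tenant policies are constructed sample values."""
import re
from dataclasses import dataclass, field

# Each engine checks one detection item and returns a score in [0, 100].
# The markers are deliberately minimal illustrations of a detection item.
_SQLI_MARKERS = re.compile(r"""['"]\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select""", re.I)
_XSS_MARKERS = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I)
_TRAVERSAL = re.compile(r"\.\./|%2e%2e%2f", re.I)


def sqli_engine(msg: dict) -> int:
    return 90 if _SQLI_MARKERS.search(msg["path"] + " " + msg["body"]) else 0


def xss_engine(msg: dict) -> int:
    return 85 if _XSS_MARKERS.search(msg["path"] + " " + msg["body"]) else 0


def traversal_engine(msg: dict) -> int:
    return 70 if _TRAVERSAL.search(msg["path"]) else 0


ENGINES = {"sqli": sqli_engine, "xss": xss_engine, "traversal": traversal_engine}


def run_security_engines(msg: dict) -> dict:
    """Security engine module: one score per detection item."""
    return {item: engine(msg) for item, engine in ENGINES.items()}


@dataclass
class TenantPolicy:
    """Per-tenant policy: a threshold per detection item (items not listed are ignored)
    and a mode, 'block' to enforce or 'monitor' to record hits but always forward."""
    thresholds: dict
    mode: str = "block"


@dataclass
class Decision:
    action: str                    # "forward" or "block"
    tenant: str
    triggered: list = field(default_factory=list)   # items whose score met the threshold


class PolicyDecisionPoint:
    """Applies the target tenant's own policy to the scores; falls back to a default."""

    def __init__(self, policy_of_tenant: dict, default: TenantPolicy) -> None:
        self._policies = policy_of_tenant
        self._default = default

    def decide(self, tenant: str, scores: dict) -> Decision:
        policy = self._policies.get(tenant, self._default)
        triggered = [item for item, limit in policy.thresholds.items()
                     if scores.get(item, 0) >= limit]
        if triggered and policy.mode == "block":
            return Decision("block", tenant, triggered)
        return Decision("forward", tenant, triggered)


def waf_handle(tenant: str, msg: dict, pdp: PolicyDecisionPoint) -> Decision:
    """Target WAF: score the message, then let the PDP apply the tenant's policy."""
    return pdp.decide(tenant, run_security_engines(msg))


def build_demo_pdp() -> PolicyDecisionPoint:
    """Constructed policies: tenant-1 enforces three items, tenant-10 only observes SQLi."""
    policies = {
        "tenant-1": TenantPolicy({"sqli": 80, "xss": 80, "traversal": 50}, "block"),
        "tenant-10": TenantPolicy({"sqli": 80}, "monitor"),
    }
    return PolicyDecisionPoint(policies, TenantPolicy({"sqli": 80, "xss": 80}, "block"))
```

The same scored message yields different decisions for different tenants, which is the per-tenant decision the passage describes; the "monitor" mode gives a tenant a way to trial a policy before it blocks traffic.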
Example 5:
in order to improve accuracy of tenant security detection, in the embodiments of the present application, a policy decision module is specifically configured to determine, according to a corresponding relationship between tenant information and a tenant policy and a target tenant to which a message belongs, a tenant policy corresponding to the target tenant.
The system in the embodiment of the application further comprises a policy issuing module, the policy issuing module stores the corresponding relation between the tenant information and the tenant policy, and the policy decision module can acquire the corresponding relation between the tenant information and the tenant policy from the policy issuing module and determine the tenant policy corresponding to the target tenant according to the corresponding relation between the tenant information and the tenant policy and the target tenant to which the message belongs.
As shown in the schematic structure diagram of the policy issuing module in fig. 5, the producer client (Message Proxy) issues the tenant policy corresponding to each tenant to the Kafka software in the Message Bus according to the pre-stored correspondence between tenant ID and partition. The Message Proxy is built on the software development kit (SDK) of the open source gRPC framework (Remote Procedure Calls); it injects gRPC MetaData according to the tenant ID, the tenant policy and the message type corresponding to the tenant policy, converts the tenant policy in gRPC format into a byte stream, and forwards the byte stream to one of the partitions of Kafka (partition 1, partition 2, ..., partition 16 of the Topic-Policy queue shown in fig. 5) according to the pre-stored correspondence between tenant ID and partition, so that the message sequence of a single tenant always falls into one fixed partition of the Topic-Policy queue.
According to the correspondence between each partition and an application firewall controller (WAF controller), Kafka transmits the tenant policies in each partition serially, in order, to the WAF controller of the corresponding consumer client (in fig. 5, WAF controller1 consumes the tenant policies in partitions 1, 2, 3 and 4; WAF controller2 consumes those in partitions 5, 6, 7, 8 and 9; and WAF controller3 consumes those in partitions 10, 11, 12, 13, 14, 15 and 16).
Specifically, Kafka determines the partition corresponding to the current offset according to the value of the current offset recorded in Redis and the correspondence between offset and partition (the offset-to-partition mapping over partition 1, partition 2, ..., partition 16 shown in fig. 5), and issues the tenant policy in that partition to the corresponding WAF controller, which in turn issues the tenant policy to the corresponding WAF for consumption. At this point the policy decision module can obtain the correspondence between tenant information and tenant policies from the policy issuing module. After the WAFs confirm that the tenant policy in the partition has been issued to them, they return an Acknowledgement (ACK) response to the corresponding WAF controller. The WAF controller forwards the ACK response to Redis; on receiving it, Redis determines that the tenant policy in the current partition has been processed and updates the value of the current offset, for example by adding 1 to the current offset.
Before issuing the tenant policy in the next partition to the corresponding WAF controller, Kafka first checks whether the offset recorded in Redis equals the offset corresponding to the next partition. If it does not, the tenant policy in the preceding partition has not yet been issued successfully; to keep the issuing order consistent, Kafka re-issues the tenant policy in the partition corresponding to the offset recorded in Redis until the offset recorded in Redis equals the offset corresponding to the next partition.
In the embodiment of the application, tenant policies are issued in order through Kafka, successful issuing is reported back through ACK, and the offset is updated to mark the tenant policy in a partition as successfully issued; this ensures in-order transmission of tenant policies and data idempotency on the data plane, and achieves strong consistency of messages across centers. A distributed lock can further be used to guarantee that the tenant policies of the same tenant are enqueued in order, which reduces the cases where an out-of-order policy distribution disorders the processing of that tenant's messages and makes the final result wrong, and so improves the accuracy of security detection of tenant messages.
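The ordered policy delivery described above (tenant pinned to one partition, one offset kept in Redis, advance only on ACK, otherwise re-issue the same partition) is easier to reason about as a small simulation. The following is an added example, not code from the patent or from Tianyi Safety; it assumes a stable hash as the pre-stored tenant-to-partition mapping, an in-memory object standing in for the Redis offset key, a fixed controller-to-partition assignment copied from fig. 5, and that an empty partition is skipped when the offset ring reaches it. The WAF side deduplicates by (tenant, sequence) to show the idempotency the text relies on when a policy is re-issued after a lost ACK.

```python
import hashlib
from collections import deque

NUM_PARTITIONS = 16

# Consumer-side partition assignment taken from fig. 5 (controller -> partitions).
CONTROLLER_PARTITIONS = {
    "WAF-controller1": [1, 2, 3, 4],
    "WAF-controller2": [5, 6, 7, 8, 9],
    "WAF-controller3": [10, 11, 12, 13, 14, 15, 16],
}


def partition_for_tenant(tenant_id: str) -> int:
    """Pre-stored tenant -> partition mapping; a stable hash is an assumption here."""
    digest = hashlib.sha256(tenant_id.encode()).digest()
    return int.from_bytes(digest[:4], "big") % NUM_PARTITIONS + 1


class OffsetStore:
    """Stands in for the Redis key that records the current offset."""
    def __init__(self):
        self.offset = 0

    def get(self) -> int:
        return self.offset

    def advance(self) -> None:
        self.offset += 1


class WafController:
    """Consumer client: pushes a policy to its WAF and returns the WAF's ACK."""
    def __init__(self, name: str, fail_first_attempt: bool = False):
        self.name = name
        self.fail_first_attempt = fail_first_attempt  # simulate one lost ACK per message
        self.attempted = set()
        self.applied = []   # (tenant_id, seq) in the order the WAF applied them
        self.seen = set()   # idempotency guard keyed by (tenant_id, seq)

    def consume(self, msg: dict) -> bool:
        key = (msg["tenant_id"], msg["seq"])
        if self.fail_first_attempt and key not in self.attempted:
            self.attempted.add(key)
            return False    # no ACK: the bus must re-issue this partition
        if key not in self.seen:   # a re-issued policy is applied only once
            self.seen.add(key)
            self.applied.append(key)
        return True


class PolicyBus:
    """Topic-Policy queue with 16 partitions, drained in offset order."""
    def __init__(self, controllers: dict):
        self.partitions = {p: deque() for p in range(1, NUM_PARTITIONS + 1)}
        self.offsets = OffsetStore()
        self.consumer_of = {p: controllers[name]
                            for name, ps in CONTROLLER_PARTITIONS.items() for p in ps}
        self.redeliveries = 0

    def produce(self, tenant_id: str, seq: int, policy: dict) -> None:
        msg = {"tenant_id": tenant_id, "seq": seq, "policy": policy}
        self.partitions[partition_for_tenant(tenant_id)].append(msg)

    @staticmethod
    def partition_for_offset(offset: int) -> int:
        return offset % NUM_PARTITIONS + 1

    def step(self) -> None:
        """Issue the head policy of the partition the current offset points at."""
        offset = self.offsets.get()
        queue = self.partitions[self.partition_for_offset(offset)]
        if not queue:
            self.offsets.advance()   # assumption: nothing to wait for in an empty partition
            return
        if self.consumer_of[self.partition_for_offset(offset)].consume(queue[0]):
            queue.popleft()          # ACK received: Redis offset moves on
            self.offsets.advance()
        else:
            self.redeliveries += 1   # offset unchanged: same partition re-issued next step

    def drain(self, max_steps: int = 10_000) -> bool:
        for _ in range(max_steps):
            if not any(self.partitions.values()):
                return True
            self.step()
        return False


def demo():
    """Three constructed tenants, three policy versions each, every first ACK lost."""
    controllers = {name: WafController(name, fail_first_attempt=True)
                   for name in CONTROLLER_PARTITIONS}
    bus = PolicyBus(controllers)
    for tenant in ("tenant-11", "tenant-12", "tenant-13"):
        for seq in (1, 2, 3):
            bus.produce(tenant, seq, {"rule": "constructed", "version": seq})
    finished = bus.drain()
    applied = [key for c in controllers.values() for key in c.applied]
    return finished, applied, bus.redeliveries
```

Every message is re-issued exactly once (nine redeliveries for nine policies), yet each tenant's policies are applied once each and in version order, because a tenant never leaves its partition and the offset only advances after an ACK.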
Example 6:
Based on the above embodiments, in the embodiments of the present application the target application firewall WAF further includes a policy execution module;
the policy decision module is specifically configured to forward the decision result to the policy execution module;
the policy execution module is configured to determine, according to the decision result, the prompt information corresponding to the message, and to forward it to the packet transceiver module 31;
the packet transceiver module 31 is specifically configured to send the corresponding prompt information to the corresponding receiver.
As shown in fig. 4, the application firewall WAF in the embodiment of the present application further comprises a policy execution module (the PEP in fig. 4). The PEP is a security control mechanism responsible for verifying and authorizing the request of a user or entity; it is typically integrated into the WAF application, intercepts user requests and checks whether they conform to the security policy: if a request is allowed, the PEP grants access to the requested resource, and if it is denied, the PEP refuses access.
In this embodiment, the policy decision module in the target application firewall WAF32 may forward the decision result to the policy execution module through Ringbuffer Out. After receiving the decision result, the policy execution module PEP determines the prompt information corresponding to the message according to the decision result, where the prompt information includes, but is not limited to, ByPass, Continue, Block, Reset and Error. ByPass indicates that the message is forwarded unchanged to the corresponding receiver, Continue indicates that the message is sent, Block indicates that the message is discarded, Reset indicates that the message is reset, and Error indicates that the message is in error.
After determining the prompt information corresponding to the message, the policy execution module forwards it to the packet transceiver module 31 through the Ringbuffer, and the packet transceiver module 31, on receiving it, sends the prompt information of the message to the receiver corresponding to the message.
In addition, the packet transceiver module, the application firewall WAF (including the security engine module, the policy decision module and the policy execution module), the tenant control module and the TLS decryption module shown in the foregoing embodiments all belong to the data plane of the security protection system provided in the embodiments of the present application, that is, the WAF-data plane shown in fig. 4.
Example 7:
Based on the above embodiments, the embodiment of the present application provides the security protection system architecture shown in fig. 6. From bottom to top, the system includes: Infrastructure as a Service (IaaS) and an Internet Data Center (IDC) (the datacenter in the figure); a Kubernetes cluster; a container runtime, a storage integration module and container networking (calico-sriov); identity, admission control and a secret management module; observability; and the application.
It can be understood that the embodiment of the present application improves the Application part of the illustrated system structure; the other parts can follow the prior art and are not described in detail here.
The whole system structure shown in fig. 6 is built with a fully cloud-native approach, and all of the system's code is controllable at source level. In addition, the above security protection system uses a cluster mode instead of a primary/backup mode, and applies attribute-based access control (ABAC) plus Domain-Driven Design (DDD) on top of the Kubernetes cluster to split the original WAF into a number of modules, such as the application firewall monitor (WAF-monitor), application firewall operation module (WAF-operator), application firewall network (WAF-web), application firewall agent (WAF-proxy), application firewall control module (WAF-controller), application firewall log collection tool (WAF-log), application firewall management module (WAF-agent), application firewall scheduler (WAF-schedule), application firewall offline analysis engine (WAF-mod-AI-Outline), application firewall online analysis engine (WAF-mod-AI-Inline), application security inspection engine (WAF-mod-security), and so on. ABAC and DDD are prior art and are not described in detail here. Each of these WAF application modules belongs to the control plane of the system.
In the embodiment of the application, splitting the original WAF into these modules decouples them and isolates WAF services per tenant, so that resources can be isolated per tenant, a tenant's connections are not affected even during updates, and in cluster mode tenant migration, scale-out, scale-in and the like can be completed without interrupting any connection.
Specifically, the WAF-monitor monitors the traffic metrics of each WAF application in the Kubernetes cluster and exposes the collected data to other interfaces in the cluster through a Prometheus interface, so that other applications in the cluster can consume the collected data.
The WAF-operator is the operator of the WAF application (APP); it watches the custom resource definitions (CRD) of WAFs in the Kubernetes cluster and creates and scales WAF APP CRD resources according to the resources the traffic requires, when the required traffic grows or exceeds a traffic threshold.
The WAF-web is the service display page of the WAF APP; it shows the WAF's policy configuration, traffic orchestration, security policies and the like to the user so that the user can configure them on the web according to the service.
The WAF-proxy is the traffic forwarding APP of the WAF APP and forwards the user's message to its destination address.
The WAF-controller performs end-to-end management of the life cycle of WAF APP resources and controls the creation, deletion and the like of WAF APPs. The WAF-controller issues instructions to the WAF-operator, which executes them.
The WAF-loggent collects the WAF logs through a domain socket (DomainSocket), post-processes the collected logs and forwards them to the log platform. The collected logs include, but are not limited to, logs generated by the WAF itself, debug logs, traffic logs and the like. The WAF-loggent is deployed in the cluster in a companion (sidecar) manner.
Because data transmission and information interaction between WAFs need shared memory or shared storage as a bridge, in the embodiment of the present application the WAF-agent creates, deletes and binds the WAF shared devices.
The WAF-Scheduler binds tenants to WAFs.
The WAF-mod-AI-Outline is the AI offline analysis engine in the WAF security engine; it analyzes messages offline and determines the decision result corresponding to the message.
The WAF-mod-AI-Inline is the AI online analysis engine in the WAF security engine; it analyzes messages online and determines the decision result corresponding to the message.
The WAF-mod-security is the rule checking engine in the WAF security engine and performs security detection on messages.
The application modules related to the WAF in the above system are described below in connection with the tenant registration process. The packet transceiver module 31 is further configured to receive a registration request sent by a tenant and to send it to the tenant control module;
the tenant control module is further configured to receive the registration request and judge whether the current host has an application firewall WAF with remaining resources; if so, it determines that application firewall WAF as the target application firewall WAF and stores the correspondence between the tenant information and the target application firewall WAF; if not, it judges whether the current host itself has remaining resources: if so, it creates a target application firewall WAF for the tenant on the current host and stores the correspondence between the tenant information and the target application firewall WAF, and if not, it creates a target application firewall WAF for the tenant on another host with remaining resources and stores the correspondence between the tenant information and the target application firewall WAF.
It can be understood that the WAF-controller shown in fig. 6 is the tenant control module of the embodiment of the present application.
In this embodiment, when a new tenant accesses the system, that is, when tenant 11 opens an account on the WAF-web, the packet transceiver module 31 receives the registration request sent by the tenant and sends it to the tenant control module. After receiving the registration request, the tenant control module WAF-controller obtains the current host resources and the allocated resources and determines whether an existing application firewall WAF on the current host has remaining resources; if so, it determines that application firewall WAF as the target application firewall WAF, sets the tenant's account opening mode to tenant sharing mode, and stores the correspondence between the tenant's information and the target application firewall WAF. The tenant information includes, but is not limited to, the identity (ID) of the newly added tenant, its memory-mapped file (mmap), and the like.
For example, as shown in fig. 7, when tenant 11 opens an account on the WAF-web, the packet transceiver module 31 receives the registration request sent by the tenant and sends it to the tenant control module WAF-controller. The WAF-controller controls the WAF-Scheduler to obtain the current host resources and allocated resources and determine whether a WAF on the current host has remaining resources; if so, it determines that WAF as the target WAF, binds the tenant to the target WAF and the current host, and controls the WAF-operator to expand resources for the tenant according to the tenant's service requirements. The WAF-controller then acquires the identity (ID) of the newly added tenant, its memory-mapped file (mmap) and similar information, and controls the WAF-agent to bind the tenant's device information (dev in the figure) and tenant ID (xxxxx-11 in the figure) to the local device (the current host). Finally, the health status probe of the bound target WAF is checked, and after the probe passes and the binding succeeds, the target WAF is connected to F5. The procedure of connecting to F5 is prior art and is not described in detail here.
If the current host has no application firewall WAF with remaining resources, it is judged whether the current host itself has remaining resources; if so, a target application firewall WAF is created for the tenant on the current host, the tenant's account opening mode is set to tenant exclusive mode, and the correspondence between the tenant's information and the target application firewall WAF is stored. If the current host has no remaining resources, a target application firewall WAF is created for the tenant on another host with remaining resources, the tenant's account opening mode is set to tenant exclusive mode, and the correspondence between the tenant's information and the target application firewall WAF is stored.
For example, as shown in fig. 8, when no WAF on the current host has remaining resources, it is determined whether the remaining resources of the current host itself can meet the tenant's service requirements. If so, a new first WAF is created for the tenant on the current host and determined as the target application firewall WAF (WAF11 in the figure), the tenant is bound to the target application firewall WAF and the current host, and the correspondence between the tenant's information and the target application firewall WAF is stored. If not, a new second WAF is created for the tenant on another host that can meet the tenant's service requirements and determined as the target application firewall WAF (WAF11 in the figure), the tenant is bound to the target application firewall WAF and the host of the second WAF, and the correspondence between the tenant's information and the target application firewall WAF is stored. The tenant control module WAF-controller controls the WAF-operator to create resources and the like for the tenant according to the tenant's service requirements, and through the WAF-agent binds the tenant's device information (dev in the figure) and tenant ID (xxxxx-11 in the figure) to the shared memory redis11 and the target application firewall WAF (WAF11 in the figure). Finally, the health status probe of the bound target application firewall WAF is checked, and after the probe passes and the binding succeeds, the target application firewall WAF is connected to F5. The procedure of connecting to F5 is prior art and is not described in detail here.
In addition, the application modules related to the WAF in the above system are described below in connection with the tenant logoff process:
As shown in fig. 9, when tenant 11 closes its account or migrates its tenant resources on the WAF-web, the packet transceiver module 31 receives the account closure request sent by the tenant and sends it to the tenant control module. The tenant control module WAF-controller controls the WAF-Scheduler to obtain the current host resources and allocated resources and determine the current resource utilization, and checks whether the target application firewall WAF bound to tenant 11 hosts other tenants. If not, it deletes all tenant resources recorded in the target application firewall WAF of tenant 11 through the WAF-operator; if so, it controls the WAF-operator to identify the resources of tenant 11 recorded in that target application firewall WAF and delete only those. It then controls the WAF-agent to delete, in the shared device corresponding to tenant 11, the tenant's device information (dev in the figure), tenant ID (xxxxx-11 in the figure), shared memory redis11 and corresponding WAF (WAF 1 in the figure), and deletes the container and the F5 configuration.
The host resources include, but are not limited to, host central processing unit (CPU) resources, host network resources, host memory resources and the like; the allocated resources include, but are not limited to, CPU utilization, memory utilization, quality of service (QoS) and the like.
In the embodiment of the application, tenants are split at fine granularity and each tenant is bound to a WAF, so that WAF services are isolated per tenant. Compared with the current approach in which one Nginx processes the messages of all tenants, this isolates tenant resources and protects the privacy and security of tenant data. It also avoids the resource contention of the current dual-master dual-standby mode, where the Nginx on one host must lock a Session when reading it, so that the Nginx on the other host cannot read that Session while it is being synchronized. In addition, in the prior art a host running Nginx is bound to one F5 and can only perform security detection of tenant messages, and cannot be used for anything else whether it is idle or not; the embodiment of the application optimizes resource allocation and utilization and improves host utilization.
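The placement rules of the registration process (existing WAF on the current host with spare capacity, otherwise a new exclusive WAF on the current host, otherwise a new WAF on another host) and the logoff rule (delete the whole WAF only when no other tenant is hosted there) form a small scheduler. The following is an added example, not code from the patent or from Tianyi Safety; it abstracts host and WAF resources to integer units, assumes every newly created WAF gets a fixed capacity, and uses constructed host and tenant names. The shared/exclusive labels follow the account opening modes named in the text.

```python
from dataclasses import dataclass, field


@dataclass
class Waf:
    name: str
    host: str
    capacity: int                                   # abstract resource units (assumption)
    tenants: dict = field(default_factory=dict)     # tenant_id -> units consumed

    def free(self) -> int:
        return self.capacity - sum(self.tenants.values())


@dataclass
class Host:
    name: str
    capacity: int                                   # CPU/memory/network collapsed to units
    wafs: list = field(default_factory=list)

    def free(self) -> int:
        return self.capacity - sum(w.capacity for w in self.wafs)


class WafScheduler:
    """Stand-in for the WAF-controller/WAF-Scheduler placement logic."""

    def __init__(self, hosts, waf_size: int):
        self.hosts = {h.name: h for h in hosts}
        self.waf_size = waf_size       # capacity of a newly created WAF (assumption)
        self.binding = {}              # tenant_id -> (waf name, account opening mode)
        self.created = 0

    def register(self, tenant_id: str, need: int, current_host: str):
        if need > self.waf_size:
            raise ValueError("tenant demand exceeds a single WAF (assumed limit)")
        host = self.hosts[current_host]
        # 1. an existing WAF on the current host still has room: tenant sharing mode
        for waf in host.wafs:
            if waf.free() >= need:
                waf.tenants[tenant_id] = need
                self.binding[tenant_id] = (waf.name, "shared")
                return waf.name, "shared", host.name
        # 2. the current host itself has room for a new WAF: tenant exclusive mode
        if host.free() >= self.waf_size:
            return self._create(tenant_id, need, host)
        # 3. otherwise create the WAF on another host with remaining resources
        for other in self.hosts.values():
            if other is not host and other.free() >= self.waf_size:
                return self._create(tenant_id, need, other)
        raise RuntimeError("no host with remaining resources")

    def _create(self, tenant_id: str, need: int, host: Host):
        self.created += 1
        waf = Waf(f"WAF{self.created}", host.name, self.waf_size, {tenant_id: need})
        host.wafs.append(waf)
        self.binding[tenant_id] = (waf.name, "exclusive")
        return waf.name, "exclusive", host.name

    def deregister(self, tenant_id: str) -> str:
        """Logoff: remove only this tenant's resources unless the WAF becomes empty."""
        waf_name, _mode = self.binding.pop(tenant_id)
        for host in self.hosts.values():
            for waf in host.wafs:
                if waf.name == waf_name:
                    waf.tenants.pop(tenant_id)
                    if waf.tenants:           # other tenants still hosted here
                        return "tenant-resources-deleted"
                    host.wafs.remove(waf)     # nobody left: delete the whole WAF
                    return "waf-deleted"
        raise KeyError(waf_name)


def demo():
    """Constructed scenario: two hosts of 10 units, WAFs of 4 units each."""
    scheduler = WafScheduler([Host("host-A", 10), Host("host-B", 10)], waf_size=4)
    log = [
        scheduler.register("tenant-11", 2, "host-A"),  # no WAF yet: WAF1 exclusive on host-A
        scheduler.register("tenant-12", 2, "host-A"),  # WAF1 has 2 free: shared
        scheduler.register("tenant-13", 3, "host-A"),  # WAF1 full, host-A has room: WAF2
        scheduler.register("tenant-14", 4, "host-A"),  # host-A has 2 left: WAF3 on host-B
        scheduler.deregister("tenant-12"),             # WAF1 still hosts tenant-11
        scheduler.deregister("tenant-13"),             # WAF2 now empty: deleted
    ]
    return log
```

The fourth registration shows why the third rule matters: host-A still has two spare units, which is enough for neither a new WAF nor the tenant, so the scheduler moves to host-B instead of overcommitting.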
Example 8:
Based on the same concept and on the above embodiments, the present application provides a security protection method. Fig. 10 is a schematic diagram of the security protection process provided by the embodiment of the present application; the process includes:
S1001: the packet transceiver module receives the tenant message, parses it, determines the target application firewall WAF corresponding to the target tenant according to the target tenant to which the tenant message belongs, and forwards the message to the target application firewall WAF.
The security protection method provided in the embodiment of the present application is applied to the security protection system described in the above embodiments, and is not described again here.
S1002: the target application firewall WAF performs security detection on the message, determines the decision result corresponding to the message, and forwards the decision result to the packet transceiver module.
S1003: when the decision result is transmission, the packet transceiver module forwards the message.
Because the packet transceiver module and the application firewall WAF are deployed separately, the situation in which all processing is completed on a single Nginx is avoided; fault isolation and fault tolerance are achieved, the impact of a fault on the system is reduced, and the reliability and stability of message detection are improved. Moreover, because the tasks are deployed on different modules, when the resources of the module for any task are insufficient, horizontal scaling and load balancing can be done per module, which improves the performance and scalability of the system.
Based on the above embodiments, in the embodiments of the present application, determining the target application firewall WAF corresponding to the target tenant according to the target tenant to which the tenant message belongs, and forwarding the message to the target application firewall WAF, includes:
the packet transceiver module forwards the message to the tenant control module;
the tenant control module queries the target tenant to which the message belongs according to the message, and determines the target application firewall WAF corresponding to the target tenant according to the correspondence between tenant information and application firewall WAFs and the target tenant.
Based on the above embodiments, in an embodiment of the present application, the method further includes:
the packet transceiver module receives a registration request sent by a tenant and sends it to the tenant control module;
the tenant control module receives the registration request and judges whether the current host has an application firewall WAF with remaining resources; if so, it determines that application firewall WAF as the target application firewall WAF and stores the correspondence between the tenant information and the target application firewall WAF; if not, it judges whether the current host itself has remaining resources: if so, it creates a target application firewall WAF for the tenant on the current host and stores the correspondence between the tenant information and the target application firewall WAF, and if not, it creates a target application firewall WAF for the tenant on another host with remaining resources and stores the correspondence between the tenant information and the target application firewall WAF.
Based on the foregoing embodiments, in an embodiment of the present application, the packet transceiver module forwarding the message to the tenant control module includes:
after parsing the tenant message, the packet transceiver module judges whether the message is encrypted; if not, it forwards the message to the tenant control module, and if so, it forwards the message to the TLS decryption module;
after receiving the message, the TLS decryption module decrypts it and forwards the decrypted message back to the packet transceiver module;
the packet transceiver module forwards the message received from the TLS decryption module to the tenant control module.
In order to improve the security detection capability, based on the above embodiments, in the embodiments of the present application the target application firewall WAF includes a security engine module and a policy decision module, and performing security detection on the message, determining the decision result corresponding to the message, and forwarding the decision result to the packet transceiver module includes:
the security engine module performs security detection on the message, determines the detection score of the message for each security detection, and forwards the detection score of each security detection to the policy decision module;
the policy decision module acquires the tenant policy corresponding to the target tenant, applies that tenant policy to the corresponding detection scores to determine the decision result corresponding to the message, and forwards the decision result to the packet transceiver module.
In order to improve the accuracy of tenant security detection, in the embodiment of the present application, the policy decision module acquiring the tenant policy corresponding to the target tenant includes:
the policy decision module determines the tenant policy corresponding to the target tenant according to the correspondence between tenant information and tenant policies and the target tenant to which the message belongs.
Based on the above embodiments, in the embodiments of the present application the target application firewall WAF further includes a policy execution module, and the policy decision module forwarding the decision result to the packet transceiver module includes:
the policy decision module forwards the decision result to the policy execution module;
the policy execution module determines the prompt information corresponding to the message according to the decision result and forwards it to the packet transceiver module, so that the packet transceiver module sends the corresponding prompt information to the corresponding receiver.
Based on the above embodiments, in an embodiment of the present application, the method further includes:
when the decision result is blocking, the packet transceiver module discards the message.
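The data-plane path that Example 8 summarizes (packet transceiver, optional TLS decryption, tenant lookup, security engine scores, per-tenant policy decision, PEP prompt information, forward or discard) and the prompt-information values listed in Example 6 can be shown end to end in one place. The following is an added example, not code from the patent or from Tianyi Safety. Its security engine is a constructed stand-in that scores a payload by the fraction of a few fixed indicator tokens it contains, its TLS module is a base64 decode standing in for real decryption, and the tenant bindings, thresholds and request payloads are all constructed; the point it demonstrates is that the same message can yield Continue for one tenant and Block for another because the decision is made against that tenant's own policy.

```python
import base64
from dataclasses import dataclass

# Constructed tenant -> target WAF binding (the tenant control module's table).
TENANT_TO_WAF = {"tenant-11": "WAF11", "tenant-12": "WAF12", "tenant-13": "WAF13"}

# Constructed per-tenant policies: a threshold per detector; a score at or above
# it yields a "block" decision. tenant-12 is stricter; tenant-13 is set to bypass.
TENANT_POLICY = {
    "tenant-11": {"sqli": 0.5, "xss": 0.5},
    "tenant-12": {"sqli": 0.25, "xss": 0.3},
    "tenant-13": {"mode": "bypass"},
}

# PEP mapping from the decision result to the prompt information named in the text.
PROMPT_FOR_DECISION = {"transmit": "Continue", "block": "Block", "bypass": "ByPass"}


@dataclass
class Message:
    tenant_id: str
    payload: str            # request content as received by the packet transceiver
    encrypted: bool = False


def tls_decrypt(payload: str) -> str:
    """Stand-in for the TLS decryption module: base64 decode only (assumption)."""
    return base64.b64decode(payload).decode()


def security_engine(payload: str) -> dict:
    """Security engine stand-in: one score in [0, 1] per detector, equal to the
    fraction of constructed indicator tokens present in the payload."""
    text = payload.lower()
    indicators = {
        "sqli": ["' or ", "union select", "--", "sleep("],
        "xss": ["<script", "onerror=", "javascript:"],
    }
    return {name: sum(tok in text for tok in toks) / len(toks)
            for name, toks in indicators.items()}


def policy_decide(tenant_id: str, scores: dict) -> str:
    """Policy decision module: apply the tenant's own policy to the scores."""
    policy = TENANT_POLICY[tenant_id]
    if policy.get("mode") == "bypass":
        return "bypass"
    for detector, score in scores.items():
        if score >= policy.get(detector, 1.0):   # unknown detector never blocks
            return "block"
    return "transmit"


def pipeline(msg: Message):
    """Data-plane path: transceiver -> (TLS) -> tenant lookup -> WAF -> PEP -> transceiver.
    Returns (prompt information, payload forwarded to the receiver or None)."""
    payload = tls_decrypt(msg.payload) if msg.encrypted else msg.payload
    if msg.tenant_id not in TENANT_TO_WAF:
        return "Error", None                 # no target WAF bound to this tenant
    scores = security_engine(payload)
    decision = policy_decide(msg.tenant_id, scores)
    prompt = PROMPT_FOR_DECISION[decision]
    if prompt in ("Continue", "ByPass"):
        return prompt, payload               # transceiver forwards the message
    return prompt, None                      # Block: transceiver discards it
```

The lenient tenant-11 lets a payload with one script tag through, the strict tenant-12 blocks it, tenant-13 gets ByPass regardless of scores, and a tenant with no WAF binding yields Error before any detection runs.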
Example 9:
based on the same technical concept, on the basis of the above embodiments, the present application provides a safety protection device, and fig. 11 is a schematic structural diagram of the safety protection device provided in the embodiment of the present application, as shown in fig. 11, where the device includes:
The processing module 1101 is configured to receive the tenant message, parse the tenant message, determine a target application firewall WAF corresponding to the target tenant according to the target tenant to which the tenant message belongs, and forward the message to the target application firewall WAF;
the detection module 1102 is configured to perform security detection on the message by using the target application firewall WAF, determine a decision result corresponding to the message, and forward the decision result to the transceiver module;
and the forwarding module 1103 is configured to forward the message when the decision result is transmission.
In a possible implementation manner, the processing module 1101 is specifically configured to forward the message to the tenant control module by using the packet transceiver module; the tenant control module inquires a target tenant to which the message belongs according to the message, and determines a target application firewall WAF corresponding to the target tenant according to the information of the tenant, the corresponding relation of the application firewall WAF and the target tenant.
In a possible implementation manner, the processing module 1101 is further configured to receive a registration request sent by a tenant by using the transceiver module, and send the registration request to the tenant control module; the tenant control module receives the registration request, judges whether the current host has the application firewall WAF with the residual resources, if yes, determines the application firewall WAF with the residual resources as a target application firewall WAF, and stores tenant information and the corresponding relation of the target application firewall WAF; if not, judging whether the current host has residual resources, if so, creating a target application firewall WAF for the tenant on the current host, and storing the corresponding relation between the tenant information and the target application firewall WAF, and if not, creating a target application firewall WAF for the tenant on other hosts with residual resources, and storing the corresponding relation between the tenant information and the target application firewall WAF.
In a possible implementation manner, the processing module 1101 is specifically configured to, after parsing the tenant message, determine whether the message is an encrypted message, and if not, forward the message to the tenant control module; if yes, forwarding the message to a TLS decryption module; after receiving the message, the TLS decryption module decrypts the message and forwards the decrypted message to the receiving-transmitting package module; and the receiving and transmitting packet module forwards the received message sent by the TLS decryption module to the tenant control module.
In a possible implementation manner, the target application firewall WAF includes a security engine module and a policy decision module, and the detection module 1102 is specifically configured to perform security detection on the message by using the security engine module, determine a detection score corresponding to each security detection of the message, and forward the detection score corresponding to each security detection to the policy decision module; the policy decision module acquires a tenant policy corresponding to the target tenant, adopts the tenant policy to make a decision on the corresponding detection score, determines a decision result corresponding to the message, and forwards the decision result to the receiving-transmitting package module.
In a possible implementation manner, the detection module 1102 is specifically configured to determine, by using the policy decision module, a tenant policy corresponding to a target tenant according to the tenant information, the corresponding relationship of the tenant policy, and the target tenant to which the message belongs.
In a possible implementation, the target application firewall WAF further includes a policy execution module, and the detection module 1102 is specifically configured to have the policy decision module forward the decision result to the policy execution module. The policy execution module determines the prompt information corresponding to the message from the decision result and forwards it to the packet transceiver module, which sends the prompt information to the corresponding receiver.
In a possible implementation, the forwarding module 1103 is further configured to discard the message when the decision result is blocking.
Example 10:
Based on the same technical concept, the present application further provides an electronic device. Fig. 12 is a schematic structural diagram of the electronic device provided in the embodiment of the present application. As shown in fig. 12, the device comprises a processor 1201, a communication interface 1202, a memory 1203 and a communication bus 1204, where the processor 1201, the communication interface 1202 and the memory 1203 communicate with each other through the communication bus 1204.
The memory 1203 stores a computer program which, when executed by the processor 1201, causes the processor 1201 to perform the following steps:
the packet transceiver module receives the tenant message, parses it, determines the target application firewall WAF corresponding to the target tenant according to the target tenant to which the tenant message belongs, and forwards the message to the target application firewall WAF;
the target application firewall WAF performs security detection on the message, determines the decision result corresponding to the message, and forwards the decision result to the packet transceiver module;
and when the decision result is transmission, the packet transceiver module forwards the message.
In a possible implementation, the processor 1201 is specifically configured to forward the message to the tenant control module via the packet transceiver module. The tenant control module looks up, from the message, the target tenant to which it belongs, and determines the target application firewall WAF corresponding to the target tenant according to the stored correspondence between tenant information and application firewall WAFs and the target tenant.
In a possible implementation, the processor 1201 is further configured to receive, via the packet transceiver module, a registration request sent by the tenant and pass it to the tenant control module. The tenant control module receives the registration request and determines whether the current host already has an application firewall WAF with remaining resources; if so, it designates that WAF as the target application firewall WAF and stores the correspondence between the tenant information and the target WAF. If not, it determines whether the current host itself has remaining resources; if so, it creates a target WAF for the tenant on the current host and stores the correspondence between the tenant information and the target WAF; if not, it creates a target WAF for the tenant on another host that has remaining resources and stores the correspondence between the tenant information and the target WAF.
In a possible implementation, the processor 1201 is specifically configured to determine, after parsing the tenant message, whether the message is encrypted. If not, it forwards the message to the tenant control module; if so, it forwards the message to a TLS decryption module. On receiving the message, the TLS decryption module decrypts it and returns the decrypted message to the packet transceiver module, which then forwards the message received from the TLS decryption module to the tenant control module.
In a possible implementation, the target application firewall WAF includes a security engine module and a policy decision module. The processor 1201 is specifically configured to perform security detection on the message with the security engine module, determine the detection score of each security detection applied to the message, and forward each detection score to the policy decision module. The policy decision module obtains the tenant policy corresponding to the target tenant, applies that tenant policy to the detection scores, determines the decision result for the message, and forwards the decision result to the packet transceiver module.
In a possible implementation, the processor 1201 is specifically configured to have the policy decision module determine the tenant policy of the target tenant from the stored correspondence between tenant information and tenant policies and the target tenant to which the message belongs.
In a possible implementation, the target application firewall WAF further includes a policy execution module, and the processor 1201 is specifically configured to have the policy decision module forward the decision result to the policy execution module. The policy execution module determines the prompt information corresponding to the message from the decision result and forwards it to the packet transceiver module, which sends the prompt information to the corresponding receiver.
In a possible implementation, the processor 1201 is further configured to discard the message when the decision result is blocking.
The communication bus mentioned above for the electronic device may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The communication bus may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, the figures show only one bold line, but this does not mean there is only one bus or one type of bus.
The communication interface 1202 is used for communication between the above electronic device and other devices.
The memory may include random access memory (RAM) or non-volatile memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit, a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
Example 11:
Based on the same technical idea, the embodiments of the present application provide a computer-readable storage medium storing a computer program executable by an electronic device, which, when executed on the electronic device, causes the electronic device to implement any of the embodiments described above.
The computer-readable storage medium may be any available medium or data storage device that can be accessed by a processor in an electronic device, including but not limited to magnetic memories such as floppy disks, hard disks, magnetic tapes and magneto-optical disks (MO); optical memories such as CD, DVD, BD and HVD; and semiconductor memories such as ROM, EPROM, EEPROM, non-volatile memory (NAND FLASH) and solid state disks (SSD).
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (10)

1. A safety protection system, comprising a packet transceiver module and an application firewall WAF;
the packet transceiver module is configured to receive a tenant message, parse the tenant message, determine the target application firewall WAF corresponding to the target tenant according to the target tenant to which the tenant message belongs, and forward the message to the target application firewall WAF;
the target application firewall WAF is configured to perform security detection on the message, determine the decision result corresponding to the message, and forward the decision result to the packet transceiver module;
and the packet transceiver module is further configured to forward the message when the decision result is transmission.
2. The system of claim 1, further comprising a tenant control module;
the packet transceiver module is specifically configured to forward the message to the tenant control module;
the tenant control module is configured to look up, from the message, the target tenant to which the message belongs, and to determine the target application firewall WAF corresponding to the target tenant according to the stored correspondence between tenant information and application firewall WAFs and the target tenant.
3. The system of claim 2, wherein the packet transceiver module is further configured to receive a registration request sent by the tenant and send the registration request to the tenant control module;
the tenant control module is further configured to receive the registration request and determine whether the current host has an application firewall WAF with remaining resources; if so, designate the application firewall WAF with remaining resources as the target application firewall WAF and store the correspondence between the tenant information and the target application firewall WAF; if not, determine whether the current host has remaining resources; if so, create a target application firewall WAF for the tenant on the current host and store the correspondence between the tenant information and the target application firewall WAF; if not, create a target application firewall WAF for the tenant on another host with remaining resources and store the correspondence between the tenant information and the target application firewall WAF.
4. The system of claim 2, further comprising a transport layer security protocol TLS decryption module;
the packet transceiver module is specifically configured to determine, after parsing the tenant message, whether the message is encrypted, and if not, forward the message to the tenant control module; if so, forward the message to the TLS decryption module;
the TLS decryption module is configured to decrypt the message after receiving it and forward the decrypted message to the packet transceiver module;
the packet transceiver module is further configured to forward the message received from the TLS decryption module to the tenant control module.
5. The system of claim 1, wherein the target application firewall WAF comprises a security engine module and a policy decision module;
the security engine module is configured to perform security detection on the message after receiving it, determine the detection score of each security detection applied to the message, and forward each detection score to the policy decision module;
the policy decision module is configured to obtain the tenant policy corresponding to the target tenant, apply the tenant policy to the detection scores, determine the decision result corresponding to the message, and forward the decision result to the packet transceiver module.
6. The system of claim 5, wherein the policy decision module is specifically configured to determine the tenant policy of the target tenant to which the message belongs according to the stored correspondence between tenant information and tenant policies and the target tenant to which the message belongs.
7. The system of claim 6, wherein the target application firewall WAF further comprises a policy execution module;
the policy decision module is specifically configured to forward the decision result to the policy execution module;
the policy execution module is configured to determine the prompt information corresponding to the message according to the decision result and forward the prompt information to the packet transceiver module;
the packet transceiver module is specifically configured to send the prompt information to the corresponding receiver.
8. The system according to claim 1 or 7, wherein the packet transceiver module is further configured to discard the message when the decision result is blocking.
9. A safety protection method, comprising:
the packet transceiver module receives a tenant message, parses the tenant message, determines the target application firewall WAF corresponding to the target tenant according to the target tenant to which the tenant message belongs, and forwards the message to the target application firewall WAF;
the target application firewall WAF performs security detection on the message, determines the decision result corresponding to the message, and forwards the decision result to the packet transceiver module;
and when the decision result is transmission, the packet transceiver module forwards the message.
10. An electronic device comprising at least a processor and a memory, the processor being configured to implement the steps of the safety protection method of claim 9 when executing a computer program stored in the memory.
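The registration-and-placement procedure of claim 3 and the per-tenant inspection pipeline of claims 1, 2 and 4 to 8 (the same flow as the implementations described above), as an added example that is not code from the patent or its applicant. Everything in it is an assumption made for illustration: the `Waf`, `TenantControl` and `PacketModule` classes, the three regular-expression checks standing in for the security engine, match counts as detection scores, per-check thresholds as the tenant policy, a host-to-WAF-count map as the "remaining resources" model, and base64 decoding as a stand-in for the TLS decryption module. The sample hosts, tenants and messages are constructed.

```python
"""Toy model of the multi-tenant WAF pipeline in the claims above. Added example, not
code from the patent or its applicant: every class, check, score and threshold is assumed."""
import base64
import re
from dataclasses import dataclass, field

FORWARD, BLOCK = "forward", "block"

# Security engine checks (assumed); a check's detection score is its number of matches.
CHECKS = {
    "sqli": re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'?1'?\s*=\s*'?1)"),
    "xss": re.compile(r"(?i)<script\b|javascript:"),
    "traversal": re.compile(r"\.\./"),
}


@dataclass
class Waf:
    """An application firewall WAF instance serving at most `capacity` tenants (assumed limit)."""
    host: str
    capacity: int
    tenants: list = field(default_factory=list)

    def has_room(self):
        return len(self.tenants) < self.capacity

    def inspect(self, payload, policy):
        """Security engine -> policy decision (per-check thresholds) -> policy execution (claims 5-7)."""
        scores = {n: sum(1 for _ in p.finditer(payload)) for n, p in CHECKS.items()}
        hits = sorted(n for n, s in scores.items() if s >= policy.get(n, float("inf")))
        decision = BLOCK if hits else FORWARD
        prompt = "blocked: " + ", ".join(hits) if hits else "forwarded"  # prompt information
        return scores, decision, prompt


class TenantControl:
    """Tenant control module: tenant -> WAF and tenant -> policy mappings (claims 2, 3 and 6)."""
    def __init__(self, hosts, waf_capacity=2):
        self.hosts = hosts            # assumed resource model: host name -> max WAF instances
        self.waf_capacity = waf_capacity
        self.wafs = []
        self.tenant_waf, self.tenant_policy = {}, {}

    def _host_has_room(self, host):
        return sum(w.host == host for w in self.wafs) < self.hosts[host]

    def _create(self, host):
        self.wafs.append(Waf(host, self.waf_capacity))
        return self.wafs[-1]

    def register(self, tenant, policy, current_host):
        """Placement order of claim 3: spare WAF here, new WAF here, new WAF on another host."""
        waf = next((w for w in self.wafs if w.host == current_host and w.has_room()), None)
        if waf is None and self._host_has_room(current_host):
            waf = self._create(current_host)
        if waf is None:
            other = next((h for h in self.hosts if h != current_host and self._host_has_room(h)), None)
            if other is None:
                raise RuntimeError("no host has resources left for a new WAF")
            waf = self._create(other)
        waf.tenants.append(tenant)
        self.tenant_waf[tenant], self.tenant_policy[tenant] = waf, policy
        return waf


class PacketModule:
    """Packet transceiver module: parse, decrypt if needed, dispatch, then forward or discard."""
    def __init__(self, control):
        self.control = control
        self.forwarded = []  # messages actually passed on

    def handle(self, message):
        """`message` is an assumed dict: {"tenant": str, "encrypted": bool, "payload": str}."""
        payload = message["payload"]
        if message.get("encrypted"):
            # Claim 4: decrypt before dispatch. base64 only stands in for TLS termination here.
            payload = base64.b64decode(payload).decode()
        tenant = message["tenant"]
        waf = self.control.tenant_waf[tenant]        # claim 2: tenant -> target WAF
        policy = self.control.tenant_policy[tenant]  # claim 6: tenant -> tenant policy
        scores, decision, prompt = waf.inspect(payload, policy)
        if decision == FORWARD:                      # claim 1: forward; claim 8: else discard
            self.forwarded.append((tenant, payload))
        return {"waf": waf.host, "scores": scores, "decision": decision, "prompt": prompt}


def demo():
    ctl = TenantControl({"host-a": 1, "host-b": 1}, waf_capacity=2)  # constructed sample
    ctl.register("t1", {"sqli": 1, "xss": 1, "traversal": 1}, "host-a")
    ctl.register("t2", {"sqli": 1, "xss": 1, "traversal": 99}, "host-a")  # shares host-a's WAF
    ctl.register("t3", {"sqli": 1, "xss": 1, "traversal": 1}, "host-a")   # host-a full: host-b
    pm = PacketModule(ctl)
    enc = base64.b64encode(b"GET /search?q=<script>alert(1)</script>").decode()
    msgs = [("t1", False, "GET /item?id=7"), ("t1", True, enc),
            ("t2", False, "GET /files?name=../../config"), ("t3", False, "GET /u?id=1' or '1'='1")]
    results = [pm.handle({"tenant": t, "encrypted": e, "payload": p}) for t, e, p in msgs]
    return ctl, pm, results
```

Two points the claims state but are easy to miss in prose come out when `demo()` runs. First, the security engine only scores; the decision belongs to the tenant policy, so the same traversal payload that tenant t1 would block is forwarded for tenant t2, whose policy sets that threshold out of reach. Second, the placement order of claim 3 is strictly "reuse here, create here, create elsewhere": t2 shares t1's WAF, and t3 lands on host-b only because host-a can run no further instance. The claims do not say what happens when no host has resources left; the example raises in that case, which is a design choice of this illustration, not something the patent specifies.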
CN202311540708.1A 2023-11-17 2023-11-17 Safety protection system, safety protection method and equipment Pending CN117376011A (en)

Publications (1)

Publication Number Publication Date
CN117376011A true CN117376011A (en) 2024-01-09

Family

ID=89404175

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination