CN106789896A - Method and system for restricting the authorization of a virtual firewall - Google Patents
- Publication number: CN106789896A
- Application number: CN201611033358.XA
- Authority: CN (China)
- Prior art keywords: authority, virtual firewall, authorized, encryption lock, virtual
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H: ELECTRICITY
- H04: ELECTRIC COMMUNICATION TECHNIQUE
- H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
Abstract
The embodiments of the invention disclose a method and system for restricting the authorization of a virtual firewall, in the technical field of virtual firewalls. The method includes: obtaining a restricted authorization file imported into an authorization management virtual machine, the restricted authorization file including a firewall authorization file and an encryption lock identity code; obtaining the encryption lock identity code stored in the encryption lock mounted on the authorization management virtual machine; comparing the encryption lock identity code in the encryption lock with the encryption lock identity code in the restricted authorization file; if the comparison result is consistent, activating the firewall authorization file; obtaining an authorization request sent by a virtual firewall; and authorizing the virtual firewall on the basis of the activated firewall authorization file. The embodiments of the invention make use of an existing encryption device that combines software and hardware, so that the firewall vendor can effectively control the authorization of virtual firewalls and avoid damage to its interests.
Description
Technical field
The present invention relates to the technical field of virtual firewalls, and in particular to a method and system for restricting the authorization of a virtual firewall.
Background technology
A firewall is a protective barrier, built from a combination of software and hardware devices, that sits on the interface between an internal network and an external network, or between a private network and a public network. The term is a figurative name for a way of obtaining security: a combination of computer hardware and software that establishes a security gateway between the Internet and the intranet. All network communication and packets flowing into or out of the computers behind that gateway must pass through the firewall, so that the internal network is protected against intrusion by unauthorized users. A traditional physical firewall device uses license-based authorization: after purchasing the physical firewall device, the user can use some of its common functions, but if the user wants more advanced functions, those advanced functions of the physical firewall can only be activated after a license has been purchased.
With the rapid development of cloud computing, virtual firewalls have appeared and are used more and more widely. A virtual firewall is a firewall installed and deployed in a virtual machine; a single physical firewall can be logically divided into many virtual firewalls. Because of technologies such as virtual machine cloning and snapshots, the license-based authorization of the traditional physical firewall is no longer controllable. Specifically, a user who wants to use a virtual firewall needs to buy a license (authorization file) from the firewall vendor, and that license authorizes the virtual firewall that is set up. But because of technologies such as cloning, after buying a single license the user can clone many authorized virtual firewalls, so that for the price of a single firewall authorization the user obtains many firewall resources, which seriously damages the interests of the firewall vendor.
The content of the invention
It is an object of the invention to provide a method and system for effectively restricting the authorization of a virtual firewall which, by using an existing encryption device that combines software and hardware, allows the firewall vendor to effectively control the authorization of virtual firewalls and so avoid damage to its interests.
According to one aspect of the embodiments of the invention, a method for restricting the authorization of a virtual firewall is provided, including: obtaining a restricted authorization file imported into an authorization management virtual machine, the restricted authorization file including a firewall authorization file and an encryption lock identity code; obtaining the encryption lock identity code stored in the encryption lock mounted on the authorization management virtual machine; comparing the encryption lock identity code in the encryption lock with the encryption lock identity code in the restricted authorization file; if the comparison result is consistent, activating the firewall authorization file; obtaining an authorization request sent by a virtual firewall; and authorizing the virtual firewall on the basis of the activated firewall authorization file.
According to another aspect of the embodiments of the invention, a system for restricting the authorization of a virtual firewall is provided, including: a restricted authorization file acquisition module, for obtaining the restricted authorization file imported into the authorization management virtual machine, the restricted authorization file including a firewall authorization file and an encryption lock identity code; an encryption lock identity code acquisition module, for obtaining the encryption lock identity code stored in the encryption lock mounted on the authorization management virtual machine; a first comparison module, for comparing the encryption lock identity code in the encryption lock with the encryption lock identity code in the restricted authorization file and, if the comparison result is consistent, sending an activation instruction to a firewall authorization file activation module; the firewall authorization file activation module, for activating the firewall authorization file after receiving the activation instruction; an authorization request acquisition module, for obtaining the authorization request sent by the virtual firewall; and an authorization module, for authorizing the virtual firewall on the basis of the activated firewall authorization file.
The beneficial effect of the embodiments of the invention is as follows. In the prior art, a single software file (the firewall authorization file, i.e. the license) is sold, and the authorization of the virtual firewall is restricted by that license alone. The method for restricting the authorization of a virtual firewall provided by the embodiments of the invention involves not only software but also hardware. Specifically, the identity code of an encryption lock is added to the original firewall authorization file (license) to form a restricted authorization file, and in addition a set of authorization management software (a license server) is developed. When being licensed, the user must have the authorization management software, the restricted authorization file and the encryption lock at the same time in order to obtain authorization for a virtual firewall. Because the encryption lock is a hardware device, it cannot be copied at will the way software can. Therefore a user who needs to use the advanced functions of the virtual firewall has to buy an encryption lock from the virtual firewall vendor by legitimate means and insert it into the physical firewall before the virtual firewall can be used. This greatly restricts the way virtual machine firewalls are authorized and protects the interests of the virtual firewall vendor to a certain extent.
Brief description of the drawings
Fig. 1 is a flow chart of the method for restricting virtual firewall authorization according to the first embodiment of the invention;
Fig. 2 is a flow chart of the method for restricting virtual firewall authorization according to the second embodiment of the invention;
Fig. 3 is a flow chart of the method for restricting virtual firewall authorization according to the third embodiment of the invention;
Fig. 4 is a flow chart of the method for restricting virtual firewall authorization according to the fourth embodiment of the invention;
Fig. 5 is a schematic diagram of the system for restricting virtual firewall authorization according to the fifth embodiment of the invention;
Fig. 6 is a schematic diagram of the system for restricting virtual firewall authorization according to the sixth embodiment of the invention;
Fig. 7 is a schematic diagram of the system for restricting virtual firewall authorization according to the seventh embodiment of the invention;
Fig. 8 is a schematic diagram of the system for restricting virtual firewall authorization according to the eighth embodiment of the invention.
Specific embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in more detail below with reference to specific embodiments and the accompanying drawings. It should be understood that these descriptions are merely illustrative and are not intended to limit the scope of the invention. In addition, descriptions of known structures and technologies are omitted from the following description so as not to obscure the concept of the invention unnecessarily.
Refer to Fig. 1, which is a flow chart of the method for restricting the authorization of a virtual firewall provided by the first embodiment of the invention.
In the embodiments of the invention, the method for restricting the authorization of a virtual firewall can be carried out by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, performs the flows of the method embodiments described in this application. The storage medium can be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
As shown in Fig. 1, the method for restricting the authorization of a virtual firewall comprises the following steps S1 to S6:
Step S1: obtain the restricted authorization file imported into the authorization management virtual machine.
In the embodiments of the invention, the restricted authorization file includes a firewall authorization file and an encryption lock identity code. The firewall authorization file, called a license in English, contains the right to use certain advanced functions of the firewall. This file itself is prior art and is not an inventive point of the invention; the invention continues to use the license-based authorization employed by physical firewall devices in the prior art. The restricted authorization file of the embodiments of the invention includes not only the prior-art license but also the encryption lock identity code.
The encryption lock identity code is the unique identification number of the encryption lock, and the encryption lock is an encrypting storage device that combines software and hardware (a hardware dongle). One example from the prior art is the UKey, whose full name is USB Key. A USB Key looks like an ordinary USB flash drive, but it houses a single-chip microcomputer or a smart card chip. It has a certain amount of storage space, can store the user's private key and digital certificate, and can authenticate the user's identity using the public-key algorithm built into the USB Key. USB Keys are currently widely used in the domestic online banking sector and are generally recognized as a relatively secure identity authentication technology. In the embodiments of the invention, the unique identification number of the encryption lock, i.e. the encryption lock identity code, is stored in the encryption lock.
The restricted authorization file is produced by the firewall vendor. Besides the restricted authorization file, the firewall vendor also produces a set of authorization management software (a license server). After the firewall vendor has produced the restricted authorization file and the authorization management software, when a user needs to purchase a virtual firewall, the vendor sells to the user the encryption lock used in producing the restricted authorization file together with the authorization management software. Once the user has the encryption lock and the authorization management software and needs to set up and authorize virtual firewalls, the user installs the authorization management software in a virtual machine (the authorization management virtual machine) on the physical server where the virtual firewalls reside. After the installation succeeds, the restricted authorization file described above can be imported into the authorization management virtual machine; once the file has been imported successfully, the authorization management software obtains the restricted authorization file.
It should be noted that all virtual firewalls created by the user can communicate only through their management ports and must be configured with the address of the authorization management software; a virtual firewall establishes a communication connection with the authorization management software according to the configured address. That is, the network from every virtual firewall created by the user to the virtual machine where the authorization management software resides (the authorization management virtual machine) is reachable.
Step S2: obtain the encryption lock identity code stored in the encryption lock mounted on the authorization management virtual machine.
After receiving the encryption lock, the user inserts it into the physical server and mounts it on the virtual machine where the authorization management software resides (the authorization management virtual machine). After the mount succeeds, the authorization management software can read the data in the encryption lock and thus obtain the encryption lock identity code stored in it.
Step S3: compare the encryption lock identity code in the encryption lock with the encryption lock identity code in the restricted authorization file. If the comparison result is consistent, perform step S4; if it is inconsistent, do not activate the firewall authorization file.
Step S4: activate the firewall authorization file.
Activating the firewall authorization file means making the firewall authorization file take effect. It should be noted that the activation operation can use the activation method of the prior art; how the firewall authorization file is made to take effect is not an inventive point of the invention and is not repeated here.
Step S5: obtain the authorization request sent by the virtual firewall.
After the user has created a virtual firewall and configured it with the address of the authorization management software, so that the virtual firewall and the authorization management software can communicate, the created virtual firewall automatically sends an authorization request to the authorization management software according to the configured address. The authorization management software thereby obtains the authorization request sent by the virtual firewall.
Step S6: authorize the virtual firewall on the basis of the activated firewall authorization file.
After the authorization management software has obtained the authorization request sent by the virtual firewall, it authorizes the virtual firewall according to the firewall authorization file activated in step S4. Only after being authorized by the authorization management software can the virtual firewall activate certain advanced functions.
The beneficial effect of this embodiment is the one stated in the content of the invention: instead of selling a single software file (the firewall authorization file, i.e. the license) and restricting virtual firewall authorization by that license alone, the identity code of an encryption lock is added to the license to form a restricted authorization file, and a set of authorization management software (a license server) is developed, so that the user must hold the authorization management software, the restricted authorization file and the hardware encryption lock at the same time. Because the encryption lock cannot be copied at will the way software can, a user who needs the advanced functions of the virtual firewall has to buy an encryption lock from the virtual firewall vendor by legitimate means and insert it into the physical firewall, which greatly restricts the authorization of virtual machine firewalls and protects the interests of the virtual firewall vendor to a certain extent.
Fig. 2 is a flow chart of the method for restricting virtual firewall authorization according to the second embodiment of the invention.
In this embodiment, the restricted authorization file includes, besides the firewall authorization file and the encryption lock identity code described in the first embodiment, a virtual firewall authorization quantity threshold.
As shown in Fig. 2, the method of this embodiment builds on the first embodiment: in step S5, after the authorization request sent by the virtual firewall has been obtained, it further includes steps S51 and S52.
Step S51: detect the current number of virtual firewalls that have obtained authorization.
The authorization management software maintains an authorized-quantity accumulator, which represents the number of virtual firewalls that have currently obtained authorization. Each time the authorization management software authorizes one virtual firewall, the accumulator increases by 1. Therefore, whenever a new virtual firewall sends an authorization request to the authorization management software, the software reads the current value of the accumulator.
Step S52: compare the current number of authorized virtual firewalls with the virtual firewall authorization quantity threshold. If the current number has not reached the threshold, perform step S6; if it has reached the threshold, do not authorize the virtual firewall currently requesting authorization.
The further beneficial effect of this embodiment is as follows: for a user who has legitimately purchased the authorization management software, the encryption lock and the restricted authorization file, the virtual firewall authorization quantity threshold prevents the user from creating an arbitrarily large number of virtual firewalls, which further restricts the way virtual machine firewalls are authorized and further protects the interests of the virtual firewall vendor.
Fig. 3 is a flow chart of the method for restricting virtual firewall authorization according to the third embodiment of the invention.
In this embodiment, the restricted authorization file includes, besides the firewall authorization file and the encryption lock identity code described in the first embodiment, or besides the virtual firewall authorization quantity threshold described in the second embodiment, an authorization validity period.
As shown in Fig. 3, the method of this embodiment builds on the first or second embodiment: in step S1, when the restricted authorization file imported into the authorization management virtual machine is obtained, it also includes steps S11 and S12.
Step S11: start a countdown of the authorization validity period from the moment the restricted authorization file imported into the authorization management virtual machine is obtained.
Step S12: before authorizing a virtual firewall, detect whether the current authorization validity period has reached the time threshold. If it has not, perform step S6; if it has, do not authorize the virtual firewall currently requesting authorization.
The further beneficial effect of this embodiment is as follows: the authorization validity period prevents the user from obtaining virtual firewall authorization for an unlimited time, which further restricts the way virtual machine firewalls are authorized and further protects the interests of the virtual firewall vendor.
Fig. 4 is a flow chart of the method for restricting virtual firewall authorization according to the fourth embodiment of the invention.
As shown in Fig. 4, the method of this embodiment builds on the first, second or third embodiment and, after step S6, further includes:
Step S7: judge whether a re-authorization request from the already-authorized virtual firewall is received within a predetermined time. If it is received, perform step S8; if it is not received, perform step S9.
Step S8: re-authorize the already-authorized virtual firewall on the basis of the activated firewall authorization file.
Step S9: cancel the authorization of the already-authorized virtual firewall.
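The following Python example is added here and is not part of the patent; it models the license-server behaviour of steps S1 to S9 in one place: the encryption lock identity check and activation of the first embodiment (S2 to S4), authorization of requesting virtual firewalls (S5, S6), the authorization quantity threshold of the second embodiment (S51, S52), the validity-period countdown of the third embodiment (S11, S12), and the renew-or-revoke rule of the fourth embodiment (S7 to S9). The field names of the restricted authorization file, the `read_dongle_id` callable that stands in for reading the mounted encryption lock, the injectable clock and the constant-time comparison are all assumptions of this example; the patent specifies neither a file format nor a comparison method.

```python
import hmac
from typing import Callable, Dict, List, Optional, Tuple


class FakeClock:
    """Injectable clock so the validity countdown and renewal window can be exercised offline."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class LicenseServer:
    """Model of the authorization management software (license server) described in the patent.
    The field names of the restricted authorization file and the dongle-read callable are assumptions."""

    def __init__(self, restricted_file: dict, read_dongle_id: Callable[[], Optional[str]],
                 now: Callable[[], float]):
        # S1: restricted authorization file = license + encryption lock identity code (+ optional limits)
        self.license = restricted_file["license"]
        self.expected_dongle_id = restricted_file["dongle_id"]
        self.max_firewalls = restricted_file.get("max_firewalls")            # second embodiment
        self.validity_seconds = restricted_file.get("validity_seconds")      # third embodiment
        self.renew_within = restricted_file.get("renew_within_seconds", 60)  # fourth embodiment
        self._read_dongle_id = read_dongle_id
        self._now = now
        self.import_time = now()   # S11: the validity countdown starts when the file is obtained
        self.activated = False     # S4 state: firewall authorization file in effect or not
        self.authorized: Dict[str, float] = {}  # firewall id -> time of last (re)authorization

    def activate(self) -> bool:
        """S2 to S4: read the mounted encryption lock, compare its identity code, activate on match."""
        dongle_id = self._read_dongle_id()
        if dongle_id is None:  # lock not mounted: nothing to compare, the file stays inactive
            return False
        # Constant-time comparison is an added hardening choice, not something the patent specifies.
        if hmac.compare_digest(dongle_id.encode(), self.expected_dongle_id.encode()):
            self.activated = True
        return self.activated

    def expire_stale(self) -> List[str]:
        """S7/S9: cancel authorizations that were not renewed within the predetermined time."""
        now = self._now()
        stale = [fw for fw, t in self.authorized.items() if now - t > self.renew_within]
        for fw in stale:
            del self.authorized[fw]
        return stale

    def handle_request(self, fw_id: str) -> Tuple[bool, str]:
        """S5/S6 plus the S12 validity check, the S51/S52 quantity check and S8 renewal."""
        if not self.activated:
            return False, "license not activated"
        if self.validity_seconds is not None and self._now() - self.import_time >= self.validity_seconds:
            return False, "validity period expired"           # S12: time threshold reached
        self.expire_stale()
        if fw_id in self.authorized:                           # S8: re-authorization within the window
            self.authorized[fw_id] = self._now()
            return True, "renewed"
        if self.max_firewalls is not None and len(self.authorized) >= self.max_firewalls:
            return False, "authorization quantity threshold reached"   # S52
        self.authorized[fw_id] = self._now()                   # S6
        return True, "authorized"


# Constructed sample restricted authorization file (illustrative values only).
SAMPLE_RESTRICTED_FILE = {
    "license": {"features": ["advanced-feature-1", "advanced-feature-2"]},
    "dongle_id": "DONGLE-TEST-0001",
    "max_firewalls": 2,
    "validity_seconds": 3600,
    "renew_within_seconds": 60,
}


def run_demo() -> dict:
    """Walk a matching encryption lock through activation, quota, renewal, revocation and expiry."""
    clock = FakeClock(1000.0)
    srv = LicenseServer(SAMPLE_RESTRICTED_FILE, lambda: "DONGLE-TEST-0001", clock)
    r = {}
    r["activate"] = srv.activate()
    r["fw-a"] = srv.handle_request("fw-a")
    r["fw-b"] = srv.handle_request("fw-b")
    r["fw-c over quota"] = srv.handle_request("fw-c")    # a third firewall is refused by the threshold
    clock.advance(30)
    r["fw-a renew"] = srv.handle_request("fw-a")
    clock.advance(45)                                     # fw-b has now gone 75 s without renewing
    r["revoked"] = srv.expire_stale()
    r["fw-c after revocation"] = srv.handle_request("fw-c")
    clock.advance(3600)                                   # past the validity period
    r["fw-a after expiry"] = srv.handle_request("fw-a")
    return r


def wrong_dongle_demo() -> Tuple[bool, Tuple[bool, str]]:
    """A copied file without the matching encryption lock never activates, so nothing is authorized."""
    srv = LicenseServer(SAMPLE_RESTRICTED_FILE, lambda: "DONGLE-OTHER-9999", FakeClock())
    return srv.activate(), srv.handle_request("fw-x")
```

`run_demo()` shows the four restrictions working together on one server instance, and `wrong_dongle_demo()` shows why the hardware lock matters: the restricted file alone, copied to another host, yields an inactive license and every request is refused.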
Fig. 5 is a schematic diagram of the system for restricting virtual firewall authorization according to the fifth embodiment of the invention.
As shown in Fig. 5, the system for restricting virtual firewall authorization provided by this embodiment is the authorization management software (license server) shown in Fig. 5. The system is a computer program, which can be stored in a computer-readable storage medium; the storage medium can be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
As shown in Fig. 5, the authorization management software includes a restricted authorization file acquisition module, an encryption lock identity code acquisition module, a first comparison module, a firewall authorization file activation module, an authorization request acquisition module and an authorization module.
The restricted authorization file acquisition module is for obtaining the restricted authorization file imported into the authorization management virtual machine.
In this embodiment the restricted authorization file includes the firewall authorization file (the prior-art license containing the right to use certain advanced functions) and the encryption lock identity code, the unique identification number of the encryption lock (an encrypting storage device combining software and hardware, such as the prior-art USB Key). The production of the restricted authorization file and the authorization management software by the firewall vendor, their sale to the user together with the encryption lock, the installation of the authorization management software in the authorization management virtual machine on the physical server where the virtual firewalls reside, the import of the restricted authorization file into that virtual machine, and the requirement that every virtual firewall created by the user communicates only through its management port and is configured with the reachable address of the authorization management software are all as described for step S1 of the first embodiment.
The encryption lock identity code acquisition module is for obtaining the encryption lock identity code stored in the encryption lock mounted on the authorization management virtual machine. After receiving the encryption lock, the user inserts it into the physical server and mounts it on the virtual machine where the authorization management software resides (the authorization management virtual machine). After the mount succeeds, the authorization management software can read the data in the encryption lock and thus obtain the encryption lock identity code stored in it.
The first comparison module is for comparing the encryption lock identity code in the encryption lock with the encryption lock identity code in the restricted authorization file. If the comparison result is consistent, it sends an activation instruction to the firewall authorization file activation module; otherwise it does not send the activation instruction.
The firewall authorization file activation module is for activating the firewall authorization file after receiving the activation instruction. Activating the firewall authorization file means making it take effect. It should be noted that the activation operation can use the activation method of the prior art; how the firewall authorization file is made to take effect is not an inventive point of the invention and is not repeated here.
The authorization request acquisition module is for obtaining the authorization request sent by the virtual firewall. After the user has created a virtual firewall and configured it with the address of the authorization management software, so that the virtual firewall and the authorization management software can communicate, the created virtual firewall automatically sends an authorization request to the authorization management software according to the configured address. The authorization management software thereby obtains the authorization request sent by the virtual firewall.
The authorization module is for authorizing the virtual firewall on the basis of the activated firewall authorization file. After the authorization management software has obtained the authorization request sent by the virtual firewall, it authorizes the virtual firewall according to the firewall authorization file activated in step S4. Only after being authorized by the authorization management software can the virtual firewall activate certain advanced functions.
The beneficial effects of this embodiment of the present invention are as follows. In the prior art, the authorization of a virtual firewall is limited by selling a single software file, the firewall license file. The method for limiting the authorization of a virtual firewall provided in this embodiment involves not only software but also hardware. Specifically, the identity code of an encryption lock is added to the original firewall license file to form a restricted license file, and an authorization management software license server is developed; when a license is issued to a user, the user must simultaneously possess the authorization management software license server, the restricted license file and the encryption lock in order to authorize a virtual firewall. Because the encryption lock is a hardware device, it cannot be copied at will the way software can. Therefore, a user who wishes to use the premium features of the virtual firewall has to purchase the encryption lock from the virtual firewall manufacturer through legal channels and insert the encryption lock into the physical firewall before the virtual firewall can be used. This greatly restricts the means of authorizing virtual machine firewalls and protects the interests of the virtual firewall manufacturer to a certain extent.
Fig. 6 is a schematic diagram of the system for limiting the authorization of a virtual firewall according to the sixth embodiment of the present invention.
In this embodiment of the present invention, in addition to the firewall license file and the encryption lock identity code of the fifth embodiment, the restricted license file also includes a virtual firewall authorized-quantity threshold.
As shown in Fig. 6, in this embodiment the system for limiting the authorization of a virtual firewall further includes, on the basis of the modules of the foregoing fifth embodiment, a detection module and a second comparing module.
Detection module, configured to detect the quantity of virtual firewalls currently authorized after the authorization request acquisition module obtains the authorization request sent by a virtual firewall.
The authorization management software license server is provided with an authorized-quantity accumulated value, which represents the quantity of virtual firewalls currently authorized. Each time the authorization management software license server authorizes one virtual firewall, the authorized-quantity accumulated value increases by 1. Therefore, whenever a new virtual firewall sends an authorization request to the authorization management software license server, the server reads the current authorized-quantity accumulated value.
Second comparing module, configured to compare the quantity of virtual firewalls currently authorized with the virtual firewall authorized-quantity threshold. If the virtual firewall authorized-quantity threshold has not been reached, an authorization instruction is sent to the authorization module; if the threshold has been reached, the virtual firewall is not authorized. The authorization module, after receiving the authorization instruction, authorizes the virtual firewall based on the activated firewall license file.
A further beneficial effect of this embodiment of the present invention is as follows: for a user who has legally purchased the authorization management software license server, the encryption lock and the restricted license file, the presence of the virtual firewall authorized-quantity threshold means that the user cannot create a large number of virtual firewalls at will, which further limits the means of authorizing virtual machine firewalls and further protects the interests of the virtual firewall manufacturer.
Fig. 7 is a schematic diagram of the system for limiting the authorization of a virtual firewall according to the seventh embodiment of the present invention.
In this embodiment of the present invention, in addition to the firewall license file and the encryption lock identity code of the fifth embodiment, or the virtual firewall authorized-quantity threshold of the sixth embodiment, the restricted license file also includes an authorization effective time.
As shown in Fig. 7, in this embodiment, on the basis of the foregoing fifth or sixth embodiment, the system for limiting the authorization of a virtual firewall further includes a countdown module and an effective-time detection module.
Countdown module, configured to start a countdown based on the authorization effective time when the restricted license file acquisition module obtains the restricted license file imported into the authorization management virtual machine.
Effective-time detection module, configured to detect, before the authorization module authorizes a virtual firewall, whether the current authorization effective time has reached the time threshold. If it has not been reached, the virtual firewall is authorized based on the activated firewall license file; if it has been reached, the virtual firewall is not authorized.
A further beneficial effect of this embodiment of the present invention is as follows: setting the authorization effective time prevents the user from obtaining virtual firewall authorizations for an unlimited time, which further limits the means of authorizing virtual machine firewalls and further protects the interests of the virtual firewall manufacturer.
Fig. 8 is a schematic diagram of the system for limiting the authorization of a virtual firewall according to the eighth embodiment of the present invention.
As shown in Fig. 8, in this embodiment, on the basis of the foregoing fifth, sixth or seventh embodiment, the system for limiting the authorization of a virtual firewall further includes a re-authorization request detection module.
Re-authorization request detection module, configured to judge whether a re-authorization request sent by an already authorized virtual firewall is received within a predetermined time. If it is received, a re-authorization instruction is sent to the authorization module; if it is not received, the authorization of that already authorized virtual firewall is cancelled.
Authorization module, further configured to re-authorize the already authorized virtual firewall based on the activated firewall license file after the re-authorization instruction is received.
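The checks of the fifth to eighth embodiments (encryption lock code comparison and activation, authorized-quantity threshold, authorization effective time, and cancellation when no re-authorization request arrives within the predetermined time) can be modelled as a single license-server decision function. The following is an added example and not the patent's own code; the class and field names, the heartbeat window and the sample license values are all constructed here for illustration, and time is passed in as plain seconds so the logic can be traced deterministically.

```python
"""Model of the restricted-license authorization checks (constructed example)."""
import hmac
from dataclasses import dataclass


@dataclass
class RestrictedLicense:
    firewall_license: str    # original firewall license file (opaque blob here)
    lock_identity_code: str  # identity code of the encryption lock (Ukey)
    max_authorized: int      # virtual firewall authorized-quantity threshold
    effective_seconds: int   # authorization effective time (countdown length)


class LicenseServer:
    """Authorization management software license server (constructed model)."""

    def __init__(self, lic, mounted_lock_code, import_time, reauth_seconds):
        self.lic = lic
        self.import_time = import_time        # countdown starts at import
        self.reauth_seconds = reauth_seconds  # predetermined re-authorization window
        self.authorized = {}                  # fw_id -> time of last (re)authorization
        # First comparing module + activation module: the code read from the
        # mounted encryption lock must match the code in the restricted license.
        # compare_digest avoids timing side channels in the comparison itself.
        self.active = hmac.compare_digest(
            mounted_lock_code.encode(), lic.lock_identity_code.encode())

    def _cancel_stale(self, now):
        # Re-authorization request detection module: cancel every firewall that
        # has not sent a re-authorization request within the predetermined time.
        for fw_id, last in list(self.authorized.items()):
            if now - last > self.reauth_seconds:
                del self.authorized[fw_id]

    def authorize(self, fw_id, now):
        """Handle an authorization request; return (granted, reason)."""
        if not self.active:
            return False, "license not activated: encryption lock code mismatch"
        self._cancel_stale(now)
        # Effective-time detection module: countdown started at import.
        if now - self.import_time >= self.lic.effective_seconds:
            return False, "authorization effective time reached"
        # Detection module + second comparing module: the accumulated count of
        # authorized firewalls is compared with the authorized-quantity threshold.
        if fw_id not in self.authorized and \
                len(self.authorized) >= self.lic.max_authorized:
            return False, "authorized-quantity threshold reached"
        self.authorized[fw_id] = now
        return True, "authorized"

    def reauthorize(self, fw_id, now):
        """Re-authorization request from an already authorized firewall."""
        self._cancel_stale(now)
        if fw_id not in self.authorized:
            return False, "authorization was cancelled; a new request is required"
        return self.authorize(fw_id, now)


if __name__ == "__main__":
    lic = RestrictedLicense("FW-LICENSE-BLOB", "UKEY-0001", 2, 3600)
    srv = LicenseServer(lic, "UKEY-0001", import_time=0, reauth_seconds=60)
    for fw, t in (("vfw-a", 10), ("vfw-b", 20), ("vfw-c", 30)):
        print(fw, srv.authorize(fw, t))   # third request hits the threshold
```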
The steps of the method in the embodiments of the present invention may be reordered, merged or deleted according to actual needs. The modules of the system in the embodiments of the present invention may be merged, divided or deleted according to actual needs.
It should be understood that the above specific embodiments of the present invention are used only to exemplarily illustrate or explain the principle of the present invention and are not to be construed as limiting the present invention. Therefore, any modification, equivalent substitution, improvement, etc. made without departing from the spirit and scope of the present invention shall be included within the scope of protection of the present invention. Furthermore, the appended claims of the present invention are intended to cover all changes and modifications falling within the scope and boundaries of the claims or their equivalents.
Claims (10)
1. A method for limiting the authorization of a virtual firewall, characterized in that it includes:
obtaining a restricted license file imported into an authorization management virtual machine, the restricted license file including a firewall license file and an encryption lock identity code;
obtaining the encryption lock identity code stored in an encryption lock mounted on the authorization management virtual machine;
comparing the encryption lock identity code in the encryption lock with the encryption lock identity code in the restricted license file;
if the comparison result is consistent, performing an activation operation on the firewall license file;
obtaining an authorization request sent by a virtual firewall;
authorizing the virtual firewall based on the activated firewall license file.
2. The method according to claim 1, characterized in that the restricted license file further includes a virtual firewall authorized-quantity threshold;
after the authorization request sent by the virtual firewall is obtained, detecting the quantity of virtual firewalls currently authorized;
comparing the quantity of virtual firewalls currently authorized with the virtual firewall authorized-quantity threshold;
if the virtual firewall authorized-quantity threshold has not been reached, authorizing the virtual firewall based on the activated firewall license file.
3. The method according to claim 2, characterized in that the restricted license file further includes an authorization effective time;
when the restricted license file imported into the authorization management virtual machine is obtained, starting a countdown of the authorization effective time;
before authorizing the virtual firewall, detecting whether the current authorization effective time has reached the time threshold; if it has not been reached, authorizing the virtual firewall based on the activated firewall license file.
4. The method according to any one of claims 2 to 3, characterized in that it further includes:
judging whether a re-authorization request sent by an already authorized virtual firewall is received within a predetermined time;
if it is received, re-authorizing the already authorized virtual firewall based on the activated firewall license file.
5. The method according to any one of claims 1 to 3, characterized in that
the encryption lock is a Ukey device, and the encryption lock identity code is the serial code information of the Ukey device.
6. A system for limiting the authorization of a virtual firewall, characterized in that it includes:
a restricted license file acquisition module, configured to obtain a restricted license file imported into an authorization management virtual machine, the restricted license file including a firewall license file and an encryption lock identity code;
an encryption lock identity code acquisition module, configured to obtain the encryption lock identity code stored in an encryption lock mounted on the authorization management virtual machine;
a first comparing module, configured to compare the encryption lock identity code in the encryption lock with the encryption lock identity code in the restricted license file, and, if the comparison result is consistent, to send an activation instruction to a firewall license file activation module;
the firewall license file activation module, configured to perform an activation operation on the firewall license file after the activation instruction is received;
an authorization request acquisition module, configured to obtain an authorization request sent by a virtual firewall;
an authorization module, configured to authorize the virtual firewall based on the activated firewall license file.
7. The system according to claim 6, characterized in that the restricted license file further includes a virtual firewall authorized-quantity threshold, and the system further includes:
a detection module, configured to detect the quantity of virtual firewalls currently authorized after the authorization request acquisition module obtains the authorization request sent by the virtual firewall;
a second comparing module, configured to compare the quantity of virtual firewalls currently authorized with the virtual firewall authorized-quantity threshold, and, if the virtual firewall authorized-quantity threshold has not been reached, to send an authorization instruction to the authorization module;
the authorization module, configured to authorize the virtual firewall based on the activated firewall license file after the authorization instruction is received.
8. The system according to claim 7, characterized in that the restricted license file further includes an authorization effective time, and the system further includes:
a countdown module, configured to start a countdown based on the authorization effective time when the restricted license file acquisition module obtains the restricted license file imported into the authorization management virtual machine;
an effective-time detection module, configured to detect, before the authorization module authorizes the virtual firewall, whether the current authorization effective time has reached the time threshold, and, if it has not been reached, to authorize the virtual firewall based on the activated firewall license file.
9. The system according to any one of claims 7 to 8, characterized in that it further includes:
a re-authorization request detection module, configured to judge whether a re-authorization request sent by an already authorized virtual firewall is received within a predetermined time, and, if it is received, to send a re-authorization instruction to the authorization module;
the authorization module, further configured to re-authorize the already authorized virtual firewall based on the activated firewall license file after the re-authorization instruction is received.
10. The system according to any one of claims 6 to 8, characterized in that
the encryption lock is a Ukey device, and the encryption lock identity code is the serial code information of the Ukey device.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201611033358.XA CN106789896A (en) | 2016-11-18 | 2016-11-18 | Method and system for limiting the authorization of a virtual firewall
Publications (1)

Publication Number | Publication Date
---|---
CN106789896A true CN106789896A (en) | 2017-05-31

Family ID: 58971902

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
---|---|---|---
CN201611033358.XA Pending CN106789896A (en) | Method and system for limiting the authorization of a virtual firewall | 2016-11-18 | 2016-11-18

Country Status (1)

Country | Link
---|---
CN (1) | CN106789896A (en)
Cited By (4)

Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN108052802A (en) * | 2017-12-06 | 2018-05-18 | 杭州同立方软件有限公司 | Method for authorizing the use of software developed with the unity3d engine by means of a USB flash disk
CN108377239A (en) * | 2018-02-06 | 2018-08-07 | 北京奇安信科技有限公司 | Firewall license management and control method and device in a cloud environment
CN109840397A (en) * | 2018-12-27 | 2019-06-04 | 北京奇安信科技有限公司 | Terminal software authorization processing method and device
CN109902450A (en) * | 2019-03-14 | 2019-06-18 | 成都安恒信息技术有限公司 | Method for off-line license issuing management

Citations (4)

Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN101071463A (en) * | 2007-06-08 | 2007-11-14 | 北京飞天诚信科技有限公司 | Method and device for virtualizing a personal office environment
CN103632090A (en) * | 2013-11-04 | 2014-03-12 | 天津汉柏信息技术有限公司 | Method for operating a virtual firewall on a virtual machine
US20150350214A1 (en) * | 2014-05-28 | 2015-12-03 | Conjur, Inc. | Individualized audit log access control for virtual machines
CN105721441A (en) * | 2016-01-22 | 2016-06-29 | 华中科技大学 | Method for authenticating identity in a virtualized environment
Legal Events

Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |