CN109361675B - Information security protection method, system and related components - Google Patents
- Publication number: CN109361675B (application CN201811280234.0A)
- Authority
- CN
- China
- Prior art keywords
- security
- service
- virtual machine
- interactive data
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
      - H04L63/0227—Filtering policies
      - H04L63/0272—Virtual private networks
    - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
      - H04L63/105—Multiple levels of security
    - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
      - H04L63/1433—Vulnerability analysis
  - H04L49/00—Packet switching elements
    - H04L49/25—Routing or path finding in a switch fabric
  - H04L67/00—Network arrangements or protocols for supporting network services or applications
    - H04L67/01—Protocols
      - H04L67/10—Protocols in which an application is distributed across nodes in the network
        - H04L67/104—Peer-to-peer [P2P] networks
          - H04L67/1044—Group management mechanisms
Abstract
The application discloses an information security protection method comprising: when an equal-protection all-in-one machine is deployed on a server, acquiring the security service requirement of the target business system of the server; executing a network function virtualization deployment operation according to that requirement to obtain a virtual machine set corresponding to it; and performing security filtering on the interactive data of the target business system using the virtual machine set. The method reduces the complexity of the security equipment in the business system while still ensuring information security. The application also discloses an information security protection system, a computer-readable storage medium and an equal-protection all-in-one machine, which have the same beneficial effects.
Description
Technical Field
The invention relates to the technical field of security services, and in particular to an information security protection method and system, a computer-readable storage medium and an equal-protection all-in-one machine.
Background
China's Network Security Law came into force on 1 June 2017, imposing requirements and constraints on how enterprises strengthen their network security. Article 21 provides: "The state implements the network security level protection system. Network operators shall fulfil the following security protection obligations in accordance with the requirements of the network security level protection system, so as to protect the network from interference, damage or unauthorized access and to prevent network data from being leaked, stolen or tampered with." Because the Network Security Law explicitly requires the network security level protection system to be implemented, an organization that does no level-protection work is acting unlawfully.
In the prior art, equal-protection compliance is met mainly by purchasing a large pile of assorted protective hardware. Improving network security by stacking many hardware protection devices, however, leads to hardware sprawl, complex construction, complex operation and maintenance, and a rigid architecture, which wastes resources and increases the management complexity of the security system.
How to reduce the complexity of the security devices in a business system while still ensuring information security is therefore a technical problem that those skilled in the art currently need to solve.
Disclosure of Invention
The application aims to provide an information security protection method and system, a computer-readable storage medium and an equal-protection all-in-one machine that reduce the complexity of the security equipment in a business system while ensuring information security.
To solve the above technical problem, the application provides an information security protection method comprising:
when an equal-protection all-in-one machine is deployed on a server, acquiring the security service requirement of the target business system of the server;
executing a network function virtualization deployment operation according to the security service requirement to obtain a virtual machine set corresponding to that requirement;
and performing security filtering on the interactive data of the target business system using the virtual machine set.
Optionally, before acquiring the security service requirement of the target business system of the server, the method further includes:
judging whether a single equal-protection all-in-one machine is deployed on the server;
if not, establishing an all-in-one machine cluster in the user data center where the server is located;
correspondingly, executing the network function virtualization deployment operation according to the security service requirement to obtain the corresponding virtual machine set includes:
executing the network function virtualization deployment operation in the virtual storage of the all-in-one machine cluster according to the security service requirement to obtain the virtual machine set corresponding to that requirement, the virtual machine set being stored in that virtual storage.
Optionally, performing security filtering on the interactive data of the target business system using the virtual machine set includes:
determining the core switch corresponding to the target business system and configuring a policy route on the core switch so that interactive data between the target business system and the core switch is forwarded to the virtual machine set;
when the virtual machine set receives interactive data sent by the target business system to the core switch, security-filtering that data and forwarding the filtered data to the core switch;
and when the virtual machine set receives interactive data sent by the core switch to the target business system, security-filtering that data and forwarding the filtered data to the target business system.
Optionally, the equal-protection all-in-one machine is specifically a security device based on a virtualization platform or a cloud computing platform;
correspondingly, executing the network function virtualization deployment operation according to the security service requirement comprises:
executing the network function virtualization deployment operation on the virtualization platform or cloud computing platform according to the security service requirement.
Optionally, the security service includes any one or any combination of: next-generation firewall service, database audit service, SSL VPN secure access service, operation and maintenance audit service, host antivirus service, log audit service, vulnerability scanning service, configuration check service, load balancing service, micro-isolation service, host security detection service, and response service.
Optionally, acquiring the security service requirement of the target business system of the server includes:
acquiring the network security protection level of the target business system of the server and determining the security service requirement according to that protection level.
The application further provides an information security protection system comprising:
a service requirement acquisition module for acquiring the security service requirement of the target business system of the server when the equal-protection all-in-one machine is deployed on the server;
a virtual machine set creation module for executing a network function virtualization deployment operation according to the security service requirement to obtain a virtual machine set corresponding to that requirement;
and a security filtering module for performing security filtering on the interactive data of the target business system using the virtual machine set.
Optionally, the system further includes:
a judging module for judging whether a single equal-protection all-in-one machine is deployed on the server and, if not, establishing an all-in-one machine cluster in the user data center where the server is located;
correspondingly, the virtual machine set creation module is specifically a module for executing the network function virtualization deployment operation in the virtual storage of the all-in-one machine cluster according to the security service requirement to obtain the corresponding virtual machine set, the virtual machine set being stored in that virtual storage.
Optionally, the security filtering module includes:
a policy routing configuration unit for determining the core switch corresponding to the target business system and configuring a policy route on the core switch so that interactive data between the target business system and the core switch is forwarded to the virtual machine set;
a filtering unit for security-filtering interactive data that the virtual machine set receives from the target business system destined for the core switch and forwarding the filtered data to the core switch, and for security-filtering interactive data that the virtual machine set receives from the core switch destined for the target business system and forwarding the filtered data to the target business system.
Optionally, the equal-protection all-in-one machine is specifically a security device based on a virtualization platform or a cloud computing platform;
correspondingly, the virtual machine set creation module is specifically a module for executing the network function virtualization deployment operation on the virtualization platform or cloud computing platform according to the security service requirement to obtain the corresponding virtual machine set.
Optionally, the security service includes any one or any combination of: next-generation firewall service, database audit service, SSL VPN secure access service, operation and maintenance audit service, host antivirus service, log audit service, vulnerability scanning service, configuration check service, load balancing service, micro-isolation service, host security detection service, and response service.
Optionally, the service requirement acquisition module is specifically a module for acquiring, when the equal-protection all-in-one machine is deployed on the server, the network security protection level of the target business system of the server and determining the security service requirement according to that protection level.
The application also provides a computer-readable storage medium storing a computer program which, when executed, performs the steps of the information security protection method described above.
The application also provides an equal-protection all-in-one machine comprising a memory and a processor, the memory storing a computer program and the processor invoking that program to carry out the steps of the information security protection method.
The invention provides an information security protection method comprising: when an equal-protection all-in-one machine is deployed on a server, acquiring the security service requirement of the target business system of the server; executing a network function virtualization deployment operation according to the security service requirement to obtain a virtual machine set corresponding to that requirement; and performing security filtering on the interactive data of the target business system using the virtual machine set.
A virtual machine cluster with the functions of physical security devices is obtained by deploying the equal-protection all-in-one machine on the server and executing the network function virtualization deployment operation. Because the cluster has the same functions as the physical security devices, it can provide the corresponding security services in their place. Further, because the cluster is created according to the security service requirement of the target business system, it provides exactly the security services that requirement calls for, giving personalized security service configuration. The method and system therefore virtualize the physical security devices through the network function virtualization deployment operation instead of stacking many security devices, obtain a virtual machine cluster that provides the required security services, and filter the relevant interactive data with that cluster, so the complexity of the security devices in the business system is reduced while information security is ensured. The application also provides an information security protection system, a computer-readable storage medium and an equal-protection all-in-one machine with the same beneficial effects, which are not repeated here.
Drawings
To illustrate the embodiments of the application more clearly, the drawings needed for the embodiments are briefly described below. The drawings only illustrate some embodiments of the application; those skilled in the art can derive other drawings from them without inventive effort.
Fig. 1 is a flowchart of an information security protection method according to an embodiment of the application;
Fig. 2 is a flowchart of a method for security-filtering the interactive data of a target business system according to an embodiment of the application;
Fig. 3 is a flowchart of another information security protection method according to an embodiment of the application;
Fig. 4 is a network topology diagram of information security protection in practical application;
Fig. 5 is a schematic structural diagram of an information security protection system according to an embodiment of the application.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments clearer, the technical solutions in the embodiments of the application are described below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the application; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the application.
Referring to Fig. 1, a flowchart of an information security protection method according to an embodiment of the application, the specific steps may include:
S101: when the equal-protection all-in-one machine is deployed on a server, acquiring the security service requirement of the target business system of the server.
the equal-protection all-in-one machine is called an information security level protection all-in-one machine, is security equipment capable of assisting a business system to pass security compliance inspection, and can realize related information security protection on a user data center where a server is located by deploying the equal-protection all-in-one machine on the server.
The target business system is a business system corresponding to the server, and the security service requirement of the target business system mentioned herein may be set by the user according to the business function of the target business system itself and related industry requirements, for example, may be a third-level requirement of information security level protection, a second-level requirement of information security, or a security protection requirement set by the user in a personalized manner according to the business characteristics of the target business, where the content of the security service requirement is not specifically limited.
It is understood that the manner of acquiring the security service requirement is not limited herein, and the security service requirement may be actively queried from the user terminal or the related device; the security service requirement is stored in a certain storage space, and the security waiting all-in-one machine directly obtains the security service requirement from the storage space; certainly, other methods can also be adopted to obtain the security service requirement, in short, the security service requirement of the target business system can be obtained in this step, that is, it can be known which security service is specifically adopted by analyzing the security service requirement, so that the interaction data in the target business system can meet the security service requirement.
S102: executing a network function virtualization deployment operation according to the security service requirement to obtain a virtual machine set corresponding to that requirement.
As a preferred embodiment, before S101 there may be an operation of judging whether a single equal-protection all-in-one machine is deployed on the server. If so, a local storage is initialized and the network function virtualization deployment operation is executed in that local storage to obtain the virtual machine set corresponding to the security service requirement. If not, an all-in-one machine cluster is established in the user data center where the server is located, the network function virtualization deployment operation is executed in the virtual storage of the cluster according to the security service requirement, and the resulting virtual machine set is stored in that virtual storage.
Reducing the complexity of the security equipment in the business system while ensuring information security is achieved by adopting a Network Function Virtualization (NFV) deployment operation: the security devices are fused in the form of NFV network elements, and a virtual network topology meeting the customer's security service requirement is composed in the all-in-one machine cluster. Network function virtualization carries very versatile software processing on generic hardware such as x86 servers together with virtualization technology. Its characteristics are as follows: by decoupling software from hardware and abstracting functions, the functions of network equipment no longer depend on special-purpose hardware; resources can be shared fully and flexibly; new services can be developed and deployed rapidly; and automatic deployment, elastic scaling, fault isolation and self-healing are carried out according to actual service requirements. It should be noted that NFV is an initiative that stems from the ETSI industry specification working group to simplify operations by replacing dedicated hardware with virtual network functions. In the prior art, NFV is used to integrate network functions into industry-standard servers, switches and storage hardware, providing an optimized virtualized data plane and letting administrators replace traditional physical network devices with software running on servers. No technology using network function virtualization has existed on a security device, such as a network security device or an equal-protection all-in-one machine, that helps a business system pass security compliance inspection.
Executing the network function virtualization deployment operation according to the security service requirement creates a virtual machine cluster corresponding to that requirement. The security service requirement is set according to the security services that the target business system needs certain security devices to provide; in the prior art, the requirement therefore tells which security devices must be added to meet it. A virtual machine cluster obtained by executing the network function virtualization deployment operation can have the same functions as the hardware devices stacked in the prior art, that is, it can provide the same security services as those hardware devices.
The network function virtualization deployment operation must be implemented on a virtualization platform or a cloud computing platform, so in this embodiment the equal-protection all-in-one machine is by default a security device based on such a platform. As an optimal implementation, an equal-protection all-in-one machine based on a hyper-converged infrastructure may be selected to implement the information security protection scheme of the application.
It should be noted that the security service requirement means that the target business system requires certain security services to be provided, and since such requirements are diverse in practice there may be several of them. Preferably, the security service may include any one or any combination of: next-generation firewall service, database audit service, SSL VPN secure access service, operation and maintenance audit service, host antivirus service, log audit service, vulnerability scanning service, configuration check service, load balancing service, micro-isolation service, host security detection service, and response service. Because the virtual machine set in this step is created by a network function virtualization deployment operation executed according to the security service requirement, the corresponding virtual machine set can be created for any such requirement without adding further security hardware.
S103: performing security filtering on the interactive data of the target business system using the virtual machine set.
After the virtual machine set able to provide several security services has been established in S102, the security protection capability of the target business system meets the protection requirement corresponding to the security service requirement simply by security-filtering the interactive data of the target business system with the virtual machine set. The interactive data in this step includes both the data received and the data sent by the target business system, and the security filtering performed on it by the virtual machine set can be understood as a data cleaning operation corresponding to the security services.
In this embodiment, a virtual machine cluster with the functions of physical security devices is obtained by deploying the equal-protection all-in-one machine on the server and executing a network function virtualization deployment operation. Because the cluster has the same functions as the physical security devices, it can provide the corresponding security services in their place. Further, because the cluster is obtained according to the security service requirement of the target business system, it provides exactly the security services that requirement calls for, giving personalized security service configuration. No large stack of security devices is needed: the physical security devices are virtualized through the network function virtualization deployment operation, a virtual machine cluster providing the required security services is obtained, and the relevant interactive data is filtered by that cluster, so the complexity of the security devices in the business system is reduced while information security is ensured.
Referring to Fig. 2, a flowchart of a method for security-filtering the interactive data of a target business system according to an embodiment of the application: this embodiment is a preferred implementation of S103 in the previous embodiment, and S103 may be replaced by the operations of this embodiment to obtain a more preferred information security protection solution. The specific steps may include:
S201: determining the core switch corresponding to the target business system and configuring a policy route on the core switch so that interactive data between the target business system and the core switch is forwarded to the virtual machine set.
In this embodiment the policy for security-filtering the interactive data of the target business system is to configure a policy route on the core switch corresponding to the target business system, changing the transmission path of the interactive data so that it continues along its original path only after it has passed the security filtering of the virtual machine cluster.
The core switch is the channel through which the target business system exchanges data, and the policy route configured on it changes the path of that exchange. Policy routing here means that interactive data which the core switch or the target business system needs to send to the other side is forwarded to the virtual machine set and, after the virtual machine set has security-filtered it, forwarded on to the core switch or the target business system along the original path. Equivalently, before policy routing is configured the transmission path is "target business system <-> core switch"; after it is configured the path becomes "target business system <-> virtual machine set <-> core switch". The virtual machine set thus performs data cleaning between the target business system and the core switch.
S202: when the virtual machine set receives interactive data sent by the target business system to the core switch, security-filtering that data and forwarding the filtered data to the core switch;
S203: when the virtual machine set receives interactive data sent by the core switch to the target business system, security-filtering that data and forwarding the filtered data to the target business system.
S202 and S203 describe the two directions: data from the target business system to the core switch and data from the core switch to the target business system. In both, the data to be sent between the target business system and the core switch is forwarded to the virtual machine set according to the policy route, the virtual machine set security-filters it, and the data then continues along the original path to the core switch or to the target business system. Because the virtual machine set provides the security services corresponding to the security service requirement, the interactive data after security filtering meets that requirement.
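The procedure of S101 to S103 and the policy-routed detour of S201 to S203, as an added simulation in Python that is not part of the patent: the protection level to service mapping, the behaviour of each virtual security function, and all addresses are constructed for illustration only.

```python
"""Constructed simulation of the patent's data path (not the patent's own code): S101
protection level -> security service requirement; S102 requirement -> virtual machine set,
modelled as an ordered chain of virtual security functions; S201-S203 policy-routed detour
of interactive data between business system and core switch through that chain. The
level-to-service mapping, each service's behaviour and all addresses are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed addressing for the sample topology.
BUSINESS_NET = "10.1.10."   # target business system subnet
ADMIN_NET = "10.1.20."      # operations subnet allowed to reach the database
DB_HOST = "10.1.10.20"
DB_PORT = 3306
EXPOSED_PORTS = {443}       # the only port the business system publishes externally

# Constructed S101 mapping: network security protection level -> required services.
# log_audit comes first so that traffic dropped later in the chain is still recorded.
LEVEL_TO_SERVICES: Dict[int, List[str]] = {
    2: ["log_audit", "next_generation_firewall"],
    3: ["log_audit", "next_generation_firewall", "database_audit"],
}

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: str = ""

VNF = Callable[[Packet, str], Optional[Packet]]   # returns the packet, or None to drop

@dataclass
class VMSet:
    """S102: the virtual machine set, one virtual security function per required service."""
    chain: List[VNF] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)
    available: bool = True   # False models the whole set being down

    def filter(self, pkt: Packet, direction: str) -> Optional[Packet]:
        for vnf in self.chain:
            pkt = vnf(pkt, direction)
            if pkt is None:
                return None
        return pkt

def build_vm_set(level: int) -> VMSet:
    """Executes the (simulated) NFV deployment operation for the given protection level."""
    vm_set = VMSet()

    def log_audit(pkt, direction):
        vm_set.audit_log.append(f"{direction} {pkt.src}->{pkt.dst}:{pkt.dport}")
        return pkt

    def next_generation_firewall(pkt, direction):
        if direction != "to_business":
            return pkt                                   # outbound traffic is allowed
        if pkt.dport in EXPOSED_PORTS:
            return pkt                                   # published service
        if pkt.src.startswith(ADMIN_NET) and pkt.dst == DB_HOST and pkt.dport == DB_PORT:
            return pkt                                   # operations access to the database
        return None

    def database_audit(pkt, direction):
        if pkt.dst == DB_HOST and pkt.dport == DB_PORT:
            vm_set.audit_log.append(f"db {pkt.src}->{pkt.dst}: {pkt.payload}")
        return pkt

    catalog: Dict[str, VNF] = {"log_audit": log_audit, "database_audit": database_audit,
                               "next_generation_firewall": next_generation_firewall}
    vm_set.chain = [catalog[name] for name in LEVEL_TO_SERVICES[level]]
    return vm_set

class CoreSwitch:
    """S201: the policy route sends traffic to or from the business subnet through the VM
    set; other traffic keeps its normal path. Whether a dead detour fails open or closed
    depends on the real switch; this model makes the choice explicit and drops (fails closed)."""

    def __init__(self, vm_set: Optional[VMSet] = None) -> None:
        self.policy_route = vm_set

    def forward(self, pkt: Packet) -> Optional[Packet]:
        # Returns the packet that continues along its original path, or None if dropped.
        to_business = pkt.dst.startswith(BUSINESS_NET)
        if self.policy_route is not None and (to_business or pkt.src.startswith(BUSINESS_NET)):
            if not self.policy_route.available:
                return None
            direction = "to_business" if to_business else "from_business"
            pkt = self.policy_route.filter(pkt, direction)   # S202 / S203
        return pkt

def run_demo(level: int) -> Dict[str, object]:
    # Pushes constructed sample flows through a core switch protected at the given level.
    vm_set = build_vm_set(level)
    switch = CoreSwitch(vm_set)
    traffic = [
        Packet("198.51.100.7", "10.1.10.10", 443, "GET /"),          # internet -> web
        Packet("198.51.100.7", "10.1.10.10", 22),                    # internet -> ssh
        Packet("10.1.20.5", DB_HOST, DB_PORT, "SELECT 1"),           # ops -> database
        Packet("10.1.10.10", "203.0.113.9", 443, "POST /callback"),  # web -> internet
        Packet("10.2.0.1", "10.3.0.1", 80),                          # no detour
    ]
    passed = [switch.forward(p) is not None for p in traffic]
    return {"passed": passed, "audit": list(vm_set.audit_log)}
```

Raising the protection level only changes which functions the chain contains; the detour and the fail-closed behaviour when the virtual machine set is unavailable are the same at every level.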
Referring to fig. 3, fig. 3 is a flowchart of another information security protection method provided in the embodiment of the present application. The embodiment is obtained by combining the embodiment corresponding to fig. 1 and the embodiment corresponding to fig. 2, and further, the operation of determining the security service requirement for the network security protection level is added in the embodiment. The specific steps may include:
S301: when the equal-protection all-in-one machine is deployed on a server, establishing an all-in-one machine cluster in the user data center where the server is located;
The equal-protection all-in-one machine is specifically a security device based on a virtualization platform or a cloud computing platform, and this embodiment addresses the case in which several equal-protection all-in-one machines are deployed on a server. Preferably, the virtualization platform may be a hyper-converged infrastructure. A Hyper-Converged Infrastructure (HCI) is a technical architecture that integrates computing, network and storage resources as infrastructure; these resources can be selected, combined and customized according to the requirements of a specific service system, so that a data center can be built and a service system deployed conveniently and quickly.
When the equal-protection all-in-one machine of this embodiment is a security device based on a hyper-converged infrastructure, the whole rack deployment of the equal-protection all-in-one machine may begin with producing an ISO (the international standard optical disc file system format) installation package of the HCI system. The CSSP virtual machine image and the component templates are integrated into the ISO; a USB flash drive installer is produced from the ISO for installing the HCI system on a third-party server; and an HCI system master disk is produced from the USB installer for shipment, storage and transportation. The CSSP (Cloud Security Service Platform) is a platform that delivers security as a service in a cloud security scenario. The CSSP system supports completing the rack deployment flow on either a single equal-protection all-in-one machine or several of them: a single machine needs only a management port configured, whereas several machines each need a management port, a data communication port and a storage communication port.
The deployment process of the equal-protection all-in-one machine may include the following steps:
(1) Preparation before deployment: install the HCI system from the ISO, select one equal-protection all-in-one machine as the master control, connect to the CSSP through the CSSP default IP, change the CSSP platform management IP, and connect the network cable.
(2) Deployment through the interface: connect to the CSSP deployment interface through the CSSP platform management IP, add the equal-protection all-in-one machines, and confirm the use of the disks.
(3) Background rack-deployment tasks: for a single-machine deployment, initialize the local storage, upload the component templates to the local storage, and delete the local vma; for a multi-machine deployment, establish the cluster and the virtual storage, migrate the CSSP to the virtual storage, upload the component templates to the virtual storage, and delete the local vma. vma is the virtual machine image format required by the HCI platform, and the local vma is the vma virtual machine template stored on the local system disk. Once it has been uploaded to the cluster's virtual storage, the local copy can be deleted, so only one copy needs to be kept.
S302: and acquiring the network security protection level of the server, and determining the security service requirement according to the network security protection level.
The network security protection level in this step is the protection level corresponding to the requirements of the classified network security protection system that a network operator must comply with under the network security law; different network security protection levels correspond to different security service requirements.
S303: executing the network function virtualization deployment operation in the virtual storage of the all-in-one machine cluster according to the security service requirement, to obtain a virtual machine set corresponding to the security service requirement;
wherein the set of virtual machines is stored in the virtual storage.
S304: determining a core switch corresponding to the target service system, and configuring a policy route on the core switch so as to forward interactive data between the target service system and the core switch to a virtual machine set;
S305: when the virtual machine set receives interactive data transmitted by the target service system to the core switch, security-filtering the interactive data and transmitting the filtered interactive data to the core switch;
S306: when the virtual machine set receives interactive data transmitted by the core switch to the target service system, security-filtering the interactive data and transmitting the filtered interactive data to the target service system.
On the basis of this embodiment, distributed virtual storage can be established in the all-in-one machine cluster so that virtual machine templates can be uploaded to it. A virtual machine template is the template of a security service virtual machine, and security virtual machines are derived from it. Therefore, as a preferred embodiment, in S303 the virtual machine set may be obtained through the network function virtualization deployment operation from the virtual machine template corresponding to the security service requirement. Distributed virtual storage provides high availability of storage (the distributed storage keeps two copies of the data), and building the virtual storage ensures high availability of the virtual machines.
Referring to fig. 4, fig. 4 is a network topology diagram of information security protection in practical application; the embodiment corresponding to this topology may include the following steps:
Step 1: the equal-protection all-in-one machines form an all-in-one machine cluster in the user data center, build the virtual storage, and upload the virtual machine templates to it.
Step 2: the security service platform automatically creates the virtual machine set of the level-3 classified protection package on the equal-protection all-in-one machine, providing next-generation firewall, VPN security access, database audit, operation and maintenance audit, vulnerability scanning, load balancing and host security services, and delivers all the components required for classified protection compliance with one click.
Step 3: policy routing is configured on the client's layer-3 core switch. Requests from the Internet to business systems such as business servers in the pre-existing and post-existing business areas of the client's level-3 protected zone are forced to be cleaned by the security component service chain of the level-3 component template in the equal-protection all-in-one machine (the level-3 component template is equivalent to the virtual machine set described above), and vice versa.
Step 4: after cleaning, the traffic is reinjected into the client's layer-3 switch and follows its original route, either to the existing service system or out to the Internet.
Specifically, the process by which the security component service chain of the classified protection template in the equal-protection all-in-one machine implements the security filtering (i.e. cleaning) is as follows:
a. The uplink traffic path is: bvs_lan (LAN physical egress) -> rt_lan_cssp (LAN router) -> rt_data_core_cssp (core router) -> rt_border_cssp_admin (border router) -> security components (virtual machines such as sec_res_cssp_vaf9_admin) -> rt_border_cssp_admin (border router) -> rt_data_core_cssp (core router) -> rt_lan_cssp (LAN router) -> rt_wan_cssp (SP router) -> rt_lan_csp (LAN router) -> rt_wan_cssp (SP WAN router) -> bvs_wan (WAN physical egress).
b. The downlink traffic path is: bvs_wan (WAN physical egress) -> rt_wan_cssp (WAN router) -> rt_lan_cssp (LAN router) -> rt_data_core_cssp (core router) -> rt_loader_cssp_admin (boundary router) -> security components (virtual machines such as sec_res_cssp_vaf9_admin) -> rt_loader_cssp_admin (boundary router) -> rt_data_core_cssp (core router) -> rt_lan_cssp (LAN router) -> bvs_lan (LAN physical egress).
c. The management network is used by the security service platform (the cssp virtual machine) to manage the security components (security virtual machines such as sec_res_vaf_bp and sec_res_vac_bp_3); the security service platform reaches the physical network through the physical egress connection phyif_local_host-a0369f6e7708. The security components may be proxied to the Internet through the security service platform.
The rt_border_cssp_admin border router uses policy routing to let the traffic of a specific service system flow along the component service chain. For example, the path can be specified as application load (sec_res_cssp_vad16_admin) -> next-generation firewall (sec_res_cssp_vaf9_admin) -> Internet behavior management (sec_res_vac_bp_3), or as Internet behavior management (sec_res_vac_bp_3) -> next-generation firewall (sec_res_cssp_vaf9_admin) -> application load (sec_res_cssp_vad16_admin); the chain is customized and orchestrated by the client.
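As an added example (not code from the patent or from the CSSP product it describes), the following Python model carries the fig. 4 service chain and the policy routing of S304 to S306 through both traffic directions: a level-3 virtual machine set is built from the protection level, and a core switch diverts only the target service system's traffic through that chain before reinjecting it onto its original path. The subnet, VIP, ports, component names and filter rules are constructed, and the level-2 package is an assumption.

```python
"""Model of the policy-routed security service chain described above. Added
example, not code from the patent or the CSSP product; every address, port,
component name and filter rule below is constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional

# Security service package per network security protection level. The
# level-3 package is the one the description lists; level 2 is assumed.
SERVICE_PACKAGES: Dict[int, List[str]] = {
    2: ["ngfw", "log_audit", "host_security"],
    3: ["ngfw", "ssl_vpn", "db_audit", "om_audit", "vuln_scan",
        "load_balance", "host_security"],
}

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    cleaned: bool = False                 # set once the VM set has filtered it
    trace: List[str] = field(default_factory=list)

# A component returns the (possibly rewritten) packet, or None to drop it.
Component = Callable[[Packet], Optional[Packet]]

def make_ngfw(allowed_ports) -> Component:
    """Next-generation firewall reduced to a destination-port allow list."""
    def ngfw(pkt: Packet) -> Optional[Packet]:
        pkt.trace.append("ngfw")
        return pkt if pkt.dport in allowed_ports else None
    return ngfw

def make_load_balancer(vip: str, backends: List[str]) -> Component:
    """Application load balancer: round-robins the VIP onto real servers."""
    state = {"next": 0}
    def lb(pkt: Packet) -> Optional[Packet]:
        pkt.trace.append("load_balance")
        if pkt.dst == vip:                # downlink traffic aimed at the VIP
            pkt.dst = backends[state["next"] % len(backends)]
            state["next"] += 1
        return pkt
    return lb

def make_audit(name: str) -> Component:
    """Audit and scan components only observe traffic in this model."""
    def audit(pkt: Packet) -> Optional[Packet]:
        pkt.trace.append(name)
        return pkt
    return audit

def build_vm_set(level: int, chain: List[str],
                 instances: Dict[str, Component]) -> List[Component]:
    """NFV deployment step: instantiate the level's package components in the
    client-chosen chain order; unsupplied components become audit-only VMs."""
    missing = [c for c in chain if c not in SERVICE_PACKAGES[level]]
    if missing:
        raise ValueError(f"not in the level-{level} package: {missing}")
    return [instances.get(c, make_audit(c)) for c in chain]

class CoreSwitch:
    """Layer-3 core switch: an ordinary route table plus one policy route."""
    def __init__(self, business_net: str, vm_set: List[Component]):
        self.business_net = ip_network(business_net)
        self.vm_set = vm_set

    def _is_business_traffic(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in self.business_net
                or ip_address(pkt.dst) in self.business_net)

    def _run_chain(self, pkt: Packet) -> Optional[Packet]:
        for component in self.vm_set:
            pkt = component(pkt)
            if pkt is None:
                return None
        pkt.cleaned = True
        return pkt

    def forward(self, pkt: Packet) -> Optional[str]:
        """Return the egress ('lan'/'wan') taken, or None if a component dropped it."""
        # Policy route: target-system traffic not yet cleaned is diverted to the
        # VM set (S304-S306); once cleaned it is reinjected onto its original route.
        if self._is_business_traffic(pkt) and not pkt.cleaned:
            pkt.trace.append("policy_route->vm_set")
            cleaned = self._run_chain(pkt)
            if cleaned is None:
                return None
            cleaned.trace.append("reinject")
            return self.forward(cleaned)
        egress = "lan" if ip_address(pkt.dst) in self.business_net else "wan"
        pkt.trace.append(egress)
        return egress

def demo_switch() -> CoreSwitch:
    """Level-3 deployment in front of the constructed subnet 10.10.0.0/24; the
    chain follows the page's example order: application load, then NGFW."""
    instances = {
        "ngfw": make_ngfw({80, 443, 3306}),
        "load_balance": make_load_balancer("10.10.0.10", ["10.10.0.11", "10.10.0.12"]),
    }
    return CoreSwitch("10.10.0.0/24",
                      build_vm_set(3, ["load_balance", "ngfw", "db_audit"], instances))
```

Traffic that neither originates from nor is addressed to the business subnet never enters the chain, which is the detection-relevant property of policy routing: the VM set only ever sees the target system's flows.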
Referring to fig. 5, fig. 5 is a schematic structural diagram of an information security protection system according to an embodiment of the present disclosure;
the system may include:
the service requirement acquisition module 100 is used for acquiring the security service requirement of a target service system of a server when the equal-protection all-in-one machine is deployed on the server;
a virtual machine set creating module 200, configured to execute a network function virtualization deployment operation according to the security service requirement, so as to obtain a virtual machine set corresponding to the security service requirement;
and the security filtering module 300, configured to perform security filtering on the interactive data of the target service system by using the virtual machine set.
Further, the system further comprises:
the judging module is used for judging whether the single equal-security all-in-one machine is deployed on the server or not; if not, an all-in-one machine cluster is established in a user data center where the server is located;
correspondingly, the virtual machine set creating module 200 is specifically a module that executes network function virtualization deployment operation in the virtual storage of the all-in-one machine cluster according to the security service requirement to obtain a virtual machine set corresponding to the security service requirement; wherein the set of virtual machines is stored in the virtual storage.
Further, the security filter module 300 includes:
a policy routing configuration unit, configured to determine a core switch corresponding to the target service system, and configure policy routing on the core switch, so as to forward interactive data between the target service system and the core switch to the virtual machine set;
the filtering unit is used for carrying out safety filtering on the interactive data when the virtual machine set receives the interactive data transmitted to the core switch by the target service system, and transmitting the interactive data after the safety filtering to the core switch; and the virtual machine set is further configured to, when receiving the interactive data transmitted to the target service system by the core switch, perform security filtering on the interactive data, and transmit the interactive data after security filtering to the target service system.
Further, the equal-protection all-in-one machine is specifically a security device based on a virtualization platform or a cloud computing platform;
correspondingly, the virtual machine set creating module 200 is specifically a module configured to execute a network function virtualization deployment operation on the virtualization platform or the cloud computing platform according to the security service requirement, so as to obtain a virtual machine set corresponding to the security service requirement.
Further, the security service includes any one or a combination of any several of next-generation firewall service, database audit service, SSL VPN security access service, operation and maintenance audit service, host antivirus service, log audit service, vulnerability scanning service, configuration check service, load balancing service, micro-isolation service, host security detection service and response service.
Further, the service requirement acquisition module is specifically a module for acquiring the network security protection level of the target service system of the server when the equal-protection all-in-one machine is deployed on the server, and determining the security service requirement according to the network security protection level.
Since the embodiment of the system part corresponds to the embodiment of the method part, the embodiment of the system part is described with reference to the embodiment of the method part, and is not repeated here.
In this embodiment, deploying the equal-protection all-in-one machine on a server and executing the network function virtualization deployment operation yields a virtual machine set with the functions of physical security devices. Because the virtual machine set has the same functions as the physical security devices, it can provide the corresponding security services in their place. Further, because the virtual machine set is obtained by executing the network function virtualization deployment operation according to the security service requirement of the target service system, it provides exactly the security services that requirement calls for, so security services can be configured per system. This embodiment therefore needs no stacking of a large number of security devices: the physical security devices are virtualized through the network function virtualization deployment operation, a virtual machine set that provides the required security services is obtained, and the relevant interactive data is filtered through it, so the complexity of the security devices in the service system is reduced while information security is maintained.
The present application also provides a computer-readable storage medium on which a computer program is stored; when executed, the program can implement the steps provided by the above embodiments. The storage medium may include various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
The application also provides an equal-protection all-in-one machine, which may include a memory and a processor, wherein the memory stores a computer program and the processor, when invoking the computer program in the memory, can implement the steps provided by the above embodiments. Of course, the equal-protection all-in-one machine may also include various network interfaces, a power supply and other components.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Claims (12)
1. A method of information security protection, comprising:
when the equal-protection all-in-one machine is deployed on a server, acquiring the safety service requirement of a target service system of the server;
executing network function virtualization deployment operation according to the security service requirement to obtain a virtual machine set corresponding to the security service requirement;
utilizing the virtual machine set to perform security filtering on the interactive data of the target service system;
before acquiring the security service requirement of the target business system of the server, the method further comprises the following steps:
judging whether a single equal-security all-in-one machine is deployed on the server or not;
if not, an all-in-one machine cluster is established in a user data center where the server is located;
correspondingly, executing network function virtualization deployment operation according to the security service requirement, and obtaining a virtual machine set corresponding to the security service requirement includes:
executing network function virtualization deployment operation in the virtual storage of the all-in-one machine cluster according to the safety service requirement to obtain a virtual machine set corresponding to the safety service requirement; wherein the set of virtual machines is stored in the virtual storage.
2. The method of claim 1, wherein the securely filtering interaction data of the target business system using the set of virtual machines comprises:
determining a core switch corresponding to the target service system, and configuring a policy route on the core switch so as to forward interactive data between the target service system and the core switch to the virtual machine set;
when the virtual machine set receives interactive data transmitted to the core switch by the target service system, safely filtering the interactive data, and transmitting the safely filtered interactive data to the core switch;
and when the virtual machine set receives the interactive data transmitted to the target service system by the core switch, safely filtering the interactive data and transmitting the safely filtered interactive data to the target service system.
3. The method according to claim 1, wherein the equal-protection all-in-one machine is specifically a security device based on a virtualization platform or a cloud computing platform;
correspondingly, executing the network function virtualization deployment operation according to the security service requirement comprises:
and executing network function virtualization deployment operation on the virtualization platform or the cloud computing platform according to the safety service requirement.
4. The method of claim 1, wherein the security service comprises any one or a combination of any several of a next generation firewall service, a database audit service, an SSL VPN security access service, an operation and maintenance audit service, a host antivirus service, a log audit service, a vulnerability scanning service, a configuration verification service, a load balancing service, a micro-isolation service, a host security detection service, and a response service.
5. The method of any one of claims 1 to 4, wherein obtaining the security service requirements of the target business system of the server comprises:
and acquiring the network security protection level of the target service system of the server, and determining the security service requirement according to the network security protection level.
6. A system for information security protection, comprising:
the service requirement acquisition module is used for acquiring the safety service requirement of a target service system of the server when the equal-security all-in-one machine is deployed on the server;
the virtual machine set creating module is used for executing network function virtualization deployment operation according to the safety service requirement to obtain a virtual machine set corresponding to the safety service requirement;
the security filtering module is used for performing security filtering on the interactive data of the target business system by using the virtual machine set;
wherein the system further comprises:
the judging module is used for judging whether the single equal-security all-in-one machine is deployed on the server or not; if not, an all-in-one machine cluster is established in a user data center where the server is located;
correspondingly, the virtual machine set creating module is specifically a module for executing network function virtualization deployment operation in the virtual storage of the all-in-one machine cluster according to the security service requirement to obtain a virtual machine set corresponding to the security service requirement; wherein the set of virtual machines is stored in the virtual storage.
7. The system of claim 6, wherein the security filter module comprises:
a policy routing configuration unit, configured to determine a core switch corresponding to the target service system, and configure policy routing on the core switch, so as to forward interactive data between the target service system and the core switch to the virtual machine set;
the filtering unit is used for carrying out safety filtering on the interactive data when the virtual machine set receives the interactive data transmitted to the core switch by the target service system, and transmitting the interactive data after the safety filtering to the core switch; and the virtual machine set is further configured to, when receiving the interactive data transmitted to the target service system by the core switch, perform security filtering on the interactive data, and transmit the interactive data after security filtering to the target service system.
8. The system according to claim 6, wherein the equal-protection all-in-one machine is specifically a security device based on a virtualization platform or a cloud computing platform;
correspondingly, the virtual machine set creating module is specifically a module for executing a network function virtualization deployment operation on the virtualization platform or the cloud computing platform according to the security service requirement to obtain a virtual machine set corresponding to the security service requirement.
9. The system of claim 6, wherein the security service comprises any one or a combination of any several of a next generation firewall service, a database audit service, an SSL VPN security access service, an operation and maintenance audit service, a host antivirus service, a log audit service, a vulnerability scanning service, a configuration verification service, a load balancing service, a micro-isolation service, a host security detection service, and a response service.
10. The system according to any one of claims 6 to 9, wherein the service requirement acquisition module is specifically a module configured to acquire a network security protection level of a target service system of the server when the equal security all-in-one machine is deployed on the server, and determine the security service requirement according to the network security protection level.
11. An equal security all-in-one machine, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the method of information security protection according to any one of claims 1 to 5 when executing the computer program.
12. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the method for information security protection according to any one of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811280234.0A CN109361675B (en) | 2018-10-30 | 2018-10-30 | Information security protection method, system and related components |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109361675A CN109361675A (en) | 2019-02-19 |
CN109361675B true CN109361675B (en) | 2021-08-13 |
Family
ID=65347379
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109361675B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112954040B (en) * | 2021-02-04 | 2022-08-12 | Shenzhen Rong'an Network Technology Co., Ltd. | Method, system, device and storage medium for embedding an application release server |
CN113407949A (en) * | 2021-06-29 | 2021-09-17 | Hengan Jiaxin (Beijing) Technology Co., Ltd. | Information security monitoring system, method, device and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105656916A (en) * | 2016-01-29 | 2016-06-08 | Inspur (Beijing) Electronic Information Industry Co., Ltd. | Cloud data center service subnet security management method and system |
CN105959275A (en) * | 2016-04-26 | 2016-09-21 | Beijing Venustech Information Security Technology Co., Ltd. | Security integrated machine system |
CN106487556A (en) * | 2015-08-28 | 2017-03-08 | ZTE Corporation | Deployment method and device for a service function (SF) |
CN107786517A (en) * | 2016-08-30 | 2018-03-09 | China Telecom Co., Ltd. | Deployment method and system for cloud security services, and security control system |
CN108092934A (en) * | 2016-11-21 | 2018-05-29 | China Mobile Communications Co., Ltd. Research Institute | Security service system and method |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070162510A1 (en) * | 2005-12-30 | 2007-07-12 | Microsoft Corporation | Delayed file virtualization |
US10666617B2 (en) * | 2016-12-31 | 2020-05-26 | ShieldX Networks, Inc. | Intercepting network traffic routed by virtual switches for selective security processing |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| EE01 | Entry into force of recordation of patent licensing contract | Application publication date: 20190219; Assignee: Beijing Ruike Far East Technology Co., Ltd.; Assignor: SANGFOR TECHNOLOGIES Inc.; Contract record no.: X2022980011171; Denomination of invention: A method, system and related components for information security protection; Granted publication date: 20210813; License type: Common License; Record date: 20220725 |