Implementation method and system of general security resource pool service chain

An implementation method and service chain technology, applied in transmission systems, digital transmission systems, electrical components, etc., can solve problems such as complex policy management, inability to use policy routing to divert traffic, and easy conflicts, so as to simplify forwarding entries and simplify management The effect of automation and

Active Publication Date: 2018-06-22
SANGFOR TECH INC

AI Technical Summary

Problems solved by technology

[0005] 3. If the customer's original physical security equipment is deployed in transparent mode and the security resource pool is required to replace that equipment, the security resource pool must also be deployed in transparent mode, and policy routing cannot be used to divert traffic;
[0010] 2. On the security resource pool side, policy routing generally steers traffic based on the router port on which the data packet arrives and the source/destination IP address in the data packet; the number of router ports is limited, and the routing table must be queried. Therefore, when policy routing is used for security service chain traffic steering, the match fields are limited, policy management is complicated, and conflicts are likely to occur. Especially for a layer of virtual/physical routing structure, the policy routing table is more complicated.
[0011] 3. Because the current security resource pool traffic steering method requires routing in the security resource pool, it supports only routing-mode deployment. After modification it can also support gateway-mode deployment, but it does not support transparent-mode (no router) deployment.
[0012] 4. In the current security resource pool traffic steering method, the network connection function and the steering policy function of the security resource pool service chain are both realized through the policy routing of the resource pool, so the network connection part and the security service chain steering part are tightly coupled, and policy management is complicated when policy routing implements security service chain steering. When the customer's network scenario changes, the security service chain must be redeployed to meet the steering needs of the new scenario.


Embodiment Construction

[0102] The embodiment of the present invention provides a general security resource pool service chain implementation method. The network connection device in the security resource pool automatically connects to the customer-side network and to customer service traffic under different deployment modes, and the service chain steering (drainage) device steers customer service traffic according to policy. Because the service chain steering device can steer on user-defined match fields, it can use NSH encapsulation to simplify the forwarding table entries related to traffic steering, so that flow table entry management is simplified and automated.

[0103] For ease of understanding, the technical terms in this article are explained as follows:

[0104] SDN: Software-defined network, composed of SDN controllers and switching devices.

[0105] SDN switching device: A device at the f...


Abstract

The embodiment of the invention discloses an implementation method of a general security resource pool service chain that connects automatically to the security resource pool service chain under different deployment modes of the customer network. The method comprises the following steps: configuring a network connection device of the security resource pool, a service chain steering (drainage) device and security function components, wherein the network connection device comprises a router and/or switching equipment, the service chain steering device comprises switching equipment, and the switching equipment supports flexible steering on custom match fields; automatically connecting to customer service traffic through the network connection device; steering the customer service traffic to the security function components through the service chain steering device, using NSH (Network Function Header) encapsulation of the service chain's data packets; and, after the customer service traffic has passed through the security function components, returning it to a customer service center system or an outer network through the service chain steering device and the network connection device.
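Added example (not code from the patent or from its owner): a minimal model of the steering step described in the abstract and in [0102], where traffic is classified once on custom match fields and every later hop forwards on the NSH service path identifier and service index alone. The header layout follows RFC 8300; the policy rules, table contents and function names are constructed for illustration, and ending the path when no table entry matches is a simplification.

```python
import struct

NSH_MD_TYPE_2 = 0x2      # RFC 8300: variable-length metadata, none carried here
NSH_NEXT_ETHERNET = 0x3  # RFC 8300 Next Protocol value for an Ethernet payload

def nsh_encap(spi, si, inner, ttl=63):
    """Prepend the 8-byte NSH base and service path headers to a frame."""
    base = (ttl << 22) | (2 << 16) | (NSH_MD_TYPE_2 << 8) | NSH_NEXT_ETHERNET
    return struct.pack("!II", base, (spi << 8) | si) + inner

def nsh_parse(pkt):
    """Return (spi, si, inner frame) for an NSH packet."""
    base, sph = struct.unpack("!II", pkt[:8])
    hdr_len = ((base >> 16) & 0x3F) * 4   # Length field counts 4-byte words
    return sph >> 8, sph & 0xFF, pkt[hdr_len:]

# Constructed classifier policy: custom match fields -> (service path id, first index)
CLASSIFIER = [
    ({"vlan": 100, "dst_port": 443}, (10, 2)),   # tenant A web: WAF, then IPS
    ({"vlan": 200}, (20, 1)),                    # tenant B: IPS only
]
# Constructed steering table: keyed only on (SPI, SI), never on packet fields
STEERING = {(10, 2): "waf", (10, 1): "ips", (20, 1): "ips"}

def classify(meta):
    """First matching rule wins; None means the traffic bypasses the chain."""
    for match, path in CLASSIFIER:
        if all(meta.get(k) == v for k, v in match.items()):
            return path
    return None

def steer(meta, frame):
    """Walk one frame through its chain; return (functions visited, frame out)."""
    path = classify(meta)
    if path is None:
        return [], frame
    pkt, visited = nsh_encap(path[0], path[1], frame), []
    while True:
        spi, si, inner = nsh_parse(pkt)
        func = STEERING.get((spi, si))
        if func is None:          # end of path: strip NSH, hand back to the network
            return visited, inner
        visited.append(func)      # the security function would inspect `inner` here
        pkt = nsh_encap(spi, si - 1, inner)   # service index decremented per hop
```

Adding a tenant or reordering a chain changes one classifier rule and the (SPI, SI) entries; the per-hop tables never need to repeat the match fields.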

Description

Technical field

[0001] The invention relates to the technical field of computer security, in particular to a method and system for realizing a general security resource pool service chain.

Background technique

[0002] As the concept of security resource pools is gradually accepted by the public, the deployment schemes of security resource pools are gradually increasing. During the deployment process, customer needs are mainly divided into three categories:

[0003] 1. The customer's physical router supports the policy routing function, which can direct traffic to the security resource pool for cleaning;

[0004] 2. If the customer's routing does not support the policy routing function, the security resource pool is required to clean the traffic, and the security resource pool is also required to implement the policy routing function;

[0005] 3. If the customer's original physical security equipment is deployed in a transparent manner, the security resource pool is require...

Application Information

IPC(8): H04L12/721, H04L12/741, H04L12/813, H04L45/74, H04L47/20
CPC: H04L45/38, H04L45/54, H04L47/20, H04L2212/00
Inventor: 陈晓帆, 任勇兵, 马耀泉, 古亮
Owner: SANGFOR TECH INC