SDN-based SDP security group implementation method and security system

An implementation method and security-group technology in the field of SDN-based SDP security groups and security systems. It addresses destructive attacks, brute-force cracking, and the limited load capacity of a single-point SDP gateway, and achieves precise access control, strengthened security, and attack prevention.

Active Publication Date: 2020-08-25
GUANGZHOU BINGO SOFTWARE

AI Technical Summary

Problems solved by technology

[0004] 1. Because clients are highly mobile and their IP addresses change frequently, the security group has to whitelist wide ranges of IP network segments in order to open port access. This leaves the server easy for attackers to scan, so that the externally exposed service ports are discovered and then used to launch destructive attacks, brute-force cracking, and similar attacks.
[0005] 2. The traditional SDP software-defined perimeter architecture is realized with an SDP gateway and an SDP controller. The SDP gateway needs a virtual machine or a physical machine as its carrier, which adds cost and management complexity, and the gateway has the problem of limited single-point load capacity, so it is difficult to integrate effectively with the cloud platform's existing security management system.
[0006] 3. Traditional SDP software-defined perimeter security is aimed mainly at the perimeter between the external network and the internal network. It is difficult for the traditional SDP architecture to protect the internal network between the tenants of a cloud platform, or to provide SDP protection between different virtual machines on the same host.



Examples


Embodiment 1

[0065] As shown in Figure 2 and Figure 3, this embodiment discloses a method for implementing an SDN-based SDP security group, the steps of which include:

[0066] S1. The cloud platform receives a security policy and rule creation instruction from a server client.

[0067] Specifically, the security policy indicates the network information of the protected server, namely the server's IP address and port. The cloud platform sends the security policy to the SDN controller, and the SDN controller generates an SPA authorization packet determination rule and a server access packet determination rule according to the security policy. The SPA authorization packet determination rule is used to determine whether a packet received by the SDN controller is an SPA authorization packet. The server access packet determination rule is used to determine whether a packet received by the SDN controller is a server access packet.
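The following is an added illustrative model, not code from the patent or its applicant, of how the two determination rules of [0067] and a default-deny flow table fit together on the SDN-controller side. The patent does not specify the SPA packet format, the knock port, the client-key store, or session lifetimes; everything of that kind here (a UDP knock to port 62201 whose payload is `client_id|timestamp|nonce|hmac`, HMAC-SHA256 under a per-client secret standing in for the IAM module, a 30 s freshness window, a 300 s session) is an assumption chosen for the example.

```python
"""Added illustrative model (not the patent's own code) of the SDN-controller side of
the SPA-gated security group described in Embodiment 1.

Assumptions not stated in the patent: the SPA packet is a UDP datagram to a fixed knock
port whose payload is 'client_id|timestamp|nonce|hmac'; the HMAC-SHA256 is keyed by a
per-client secret (standing in for the IAM user management module) and also covers the
client's source IP; an authorized flow entry expires after a fixed session lifetime.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "udp" or "tcp"
    dst_port: int
    payload: bytes = b""


@dataclass
class SecurityPolicy:
    """Network information of the protected server (the 'security policy' of step S1)."""
    server_ip: str
    server_port: int
    spa_port: int = 62201    # assumed UDP knock port for SPA packets
    spa_ttl: int = 30        # assumed freshness window for the SPA timestamp, seconds
    session_ttl: int = 300   # assumed lifetime of an authorized flow entry, seconds


def spa_mac(key: bytes, client_id: str, ts: int, nonce: str, src_ip: str) -> str:
    """HMAC binding the knock to client identity, time, nonce and source address."""
    msg = f"{client_id}|{ts}|{nonce}|{src_ip}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_spa_packet(src_ip, policy, client_id, key, now=None, nonce=None) -> Packet:
    """Client side: construct the single authorization packet for the policy's knock port."""
    now = int(time.time()) if now is None else now
    nonce = nonce or secrets.token_hex(8)
    mac = spa_mac(key, client_id, now, nonce, src_ip)
    payload = f"{client_id}|{now}|{nonce}|{mac}".encode()
    return Packet(src_ip, policy.server_ip, "udp", policy.spa_port, payload)


class SdnController:
    """Applies the two determination rules of [0067] and maintains the authorized flows."""

    def __init__(self, policy: SecurityPolicy, client_keys: dict):
        self.policy = policy
        self.client_keys = client_keys   # client_id -> shared secret (stands in for IAM)
        self.flows = []                  # authorized entries: {"src_ip", "expires"}
        self.seen_nonces = set()

    def is_spa_packet(self, pkt: Packet) -> bool:
        """SPA authorization packet determination rule."""
        p = self.policy
        return pkt.dst_ip == p.server_ip and pkt.proto == "udp" and pkt.dst_port == p.spa_port

    def is_server_access_packet(self, pkt: Packet) -> bool:
        """Server access packet determination rule."""
        p = self.policy
        return pkt.dst_ip == p.server_ip and pkt.dst_port == p.server_port

    def verify_spa(self, pkt: Packet, now: int):
        """Return the client_id if the SPA packet is fresh, unreplayed and authentic, else None."""
        try:
            client_id, ts_s, nonce, mac = pkt.payload.decode().split("|")
            ts = int(ts_s)
        except (ValueError, UnicodeDecodeError):
            return None
        key = self.client_keys.get(client_id)
        if key is None or abs(now - ts) > self.policy.spa_ttl:
            return None                        # unknown client or stale knock
        if nonce in self.seen_nonces:
            return None                        # replay of a captured knock
        if not hmac.compare_digest(spa_mac(key, client_id, ts, nonce, pkt.src_ip), mac):
            return None                        # forged, or replayed from another source IP
        self.seen_nonces.add(nonce)
        return client_id

    def handle_packet(self, pkt: Packet, now=None) -> str:
        """Controller decision for one packet: spa_authorized / spa_rejected / forward / drop / ignore."""
        now = int(time.time()) if now is None else now
        self.flows = [f for f in self.flows if f["expires"] > now]   # age out sessions
        if self.is_spa_packet(pkt):
            if self.verify_spa(pkt, now) is None:
                return "spa_rejected"
            # Whitelist exactly this client address to the protected port, nothing wider.
            self.flows.append({"src_ip": pkt.src_ip, "expires": now + self.policy.session_ttl})
            return "spa_authorized"
        if self.is_server_access_packet(pkt):
            # Default deny: only an SPA-authorized source reaches the server port.
            return "forward" if any(f["src_ip"] == pkt.src_ip for f in self.flows) else "drop"
        return "ignore"
```

The point the example makes is the one in [0004]: because authorization is keyed to the exact source address that produced a valid knock, the security group never has to open the server port to a broad IP range, and an unauthenticated scan of the server port is dropped without the scanner learning that a service is there.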

[0068] The secu...

Embodiment 2

[0098] As shown in Figure 3, this embodiment corresponds to the method for realizing the SDN-based SDP security group disclosed in Embodiment 1, and discloses a security system including a cloud platform, an SDN controller, and an SDN switch.

[0099] Specifically, the cloud platform includes a security service registration module, an SPA verification module, and an IAM user management module, and the SDN controller includes a first packet collection engine, an SPA processing module, a security group module, a data packet processing module, and a flow table control engine.

[0100] Specifically, the security service registration module is used to receive security policy and rule creation instructions from the server client. Specifically, the security policy indicates the network information of the protected server, including the IP address and port information of the server. Specifically, the cloud platform sends the security policy to the SDN controller, and the SDN con...


Abstract

The invention discloses an SDN-based SDP security group implementation method and security system. The method realizes the SPA single-packet authorization service logic through the flow-table mechanism of an SDN network, and plans and authenticates the access rights of different users in combination with the IAM user management of the cloud platform. The invention enhances the security of the cloud platform's security group function and achieves accurate control of the security group over external authorization. By combining the cloud platform's identity authentication technology with the SDN cloud network, it reduces the additional cost of an SDP gateway and an SDP controller, fuses SDP technology with cloud computing security technology, effectively defends against attacks from the internal network, and achieves comprehensive defense of traffic in all directions of the cloud platform.

Description

Technical field

[0001] The invention belongs to the technical field of software-defined perimeters, and in particular relates to an SDN-based SDP security group realization method and a security system.

Background technique

[0002] The software-defined perimeter (SDP) is a security framework developed by the Cloud Security Alliance (CSA) that controls access to resources based on identity. Each terminal must pass single-packet authorization (SPA) verification before connecting to the server, so that only permitted devices gain access. Its core idea is to hide core network assets and facilities behind the SDP architecture so that they are not directly exposed to the Internet, protecting them from external security threats. Because the scope of protected services is large, the traditional SDP architecture generally adopts the gateway mode, as shown in Figure 1: the access rules established by the SDP controller are only open to authorize...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06
CPC: H04L63/083, H04L63/0876, H04L63/101, H04L63/20
Inventor: 刘忻林冬艺袁龙浩
Owner: GUANGZHOU BINGO SOFTWARE