[0035] The present invention will be further described below in conjunction with the drawings.
[0036] As shown in Figure 1, the security service chain dynamic orchestration apparatus includes, at the resource layer, a traffic transceiver module, a vSwitch virtual switch module and a security function virtual machine module; at the management layer, a security function template management module, a security service chain template management module, a log management module and a user management module; and at the control layer, an SDN controller module together with a traffic classification module, a security function virtual machine management module, a lightweight virtual security resource management platform, a network management module and a flow table generation module. Among these:
[0037] The traffic classification module classifies traffic received by the traffic transceiver module according to its five-tuple, generates a flow classification result flow table and sends it to the security function virtual machine management module. The five-tuple consists of source IP address, source port, destination IP address, destination port and protocol type; each entry of the flow classification result flow table contains the flow five-tuple, the security service chain number and the security service chain template number.
[0038] The security function virtual machine management module issues management instructions to the lightweight virtual security resource management platform when a security service chain is created, modified or deleted; the management instructions are the create, start, restart, shut down and delete instructions for virtual machines.
[0039] The lightweight virtual security resource management platform receives the management instructions issued by the security function virtual machine management module and performs the corresponding operations on the resource-layer security function virtual machines: creating, starting, restarting, shutting down and deleting security function virtual machines.
[0040] The network management module automates the network configuration of the security function virtual machines and sends the resulting network configuration information to the flow table generation module. The network configuration includes automatically adding virtual network ports to a security function virtual machine, configuring the MAC addresses of those ports and attaching them to the vSwitch virtual switch; the network management module also contains a DHCP server that automatically assigns the IP address of each security function virtual machine's management port.
[0041] The flow table generation module generates a traffic traction (steering) flow table from the network configuration information sent by the network management module and sends it to the SDN controller module for traffic scheduling control.
[0042] Further, the traffic classification module includes a security service chain rule library module and a traffic classification determination module, wherein:
[0043] The security service chain rule library module stores the security service chain information corresponding to each traffic five-tuple; the security service chain information comprises the traffic five-tuple, the security service chain number and the security service chain template number.
[0044] The traffic classification determination module extracts the five-tuple from traffic received by the traffic transceiver module, obtains the security service chain information corresponding to that five-tuple from the security service chain rule library module, encapsulates the five-tuple together with its security service chain information into a flow classification result flow table, and sends that flow table to the security function virtual machine management module.
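As an added illustration of the rule library and classification determination modules described in [0043] and [0044] (example code written for this page, not code from the patent), the following Python module looks up a flow five-tuple in a rule library and emits a flow classification result entry. Beyond what the text states, it assumes that rules use CIDR prefixes with optional port and protocol wildcards, that overlapping rules are resolved by an explicit priority, and that traffic matching no rule is assigned a default chain; the rule set and the packets in the usage are constructed sample data with hypothetical chain and template numbers.

```python
"""Added example, not code from the patent: a traffic classification module
that looks up a flow five-tuple in a security service chain rule library and
produces a flow classification result entry (five-tuple, security service
chain number, security service chain template number).

Assumptions beyond the original text: rules carry CIDR prefixes and optional
port/protocol wildcards, overlapping rules are resolved by an explicit
priority, and traffic matching no rule gets a default chain. The rule set
below is constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp", "udp" or "icmp" (ports are 0 for icmp)


@dataclass(frozen=True)
class Rule:
    """One entry of the security service chain rule library."""
    src_net: str                 # CIDR; "0.0.0.0/0" matches any source
    src_port: Optional[int]      # None = any port
    dst_net: str
    dst_port: Optional[int]
    proto: Optional[str]         # None = any protocol
    chain_id: int                # security service chain number
    template_id: int             # security service chain template number
    priority: int = 0            # highest priority wins on overlap


@dataclass(frozen=True)
class ClassificationEntry:
    """One row of the flow classification result flow table."""
    five_tuple: FiveTuple
    chain_id: int
    template_id: int


def rule_matches(rule: Rule, ft: FiveTuple) -> bool:
    """Check every field of the five-tuple against one rule (wildcards allowed)."""
    if rule.proto is not None and rule.proto != ft.proto:
        return False
    if rule.src_port is not None and rule.src_port != ft.src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != ft.dst_port:
        return False
    return (ip_address(ft.src_ip) in ip_network(rule.src_net, strict=False)
            and ip_address(ft.dst_ip) in ip_network(rule.dst_net, strict=False))


class RuleLibrary:
    """Security service chain rule library: five-tuple patterns -> chain info."""

    def __init__(self, rules: Iterable[Rule], default_chain: Tuple[int, int] = (0, 0)):
        rules = list(rules)
        # Validate prefixes when the policy is loaded, so a malformed rule
        # fails here rather than on the first packet that reaches it.
        for r in rules:
            ip_network(r.src_net, strict=False)
            ip_network(r.dst_net, strict=False)
        self.rules = sorted(rules, key=lambda r: r.priority, reverse=True)
        self.default_chain = default_chain  # (chain_id, template_id) for unmatched flows

    def lookup(self, ft: FiveTuple) -> Tuple[int, int]:
        """Return (chain_id, template_id) of the highest-priority matching rule."""
        for r in self.rules:
            if rule_matches(r, ft):
                return (r.chain_id, r.template_id)
        return self.default_chain


def classify(library: RuleLibrary, ft: FiveTuple) -> ClassificationEntry:
    """Traffic classification determination: encapsulate the lookup result."""
    chain_id, template_id = library.lookup(ft)
    return ClassificationEntry(ft, chain_id, template_id)


# Constructed sample rule library (hypothetical chain and template numbers).
SAMPLE_LIBRARY = RuleLibrary([
    Rule("0.0.0.0/0", None, "10.1.0.0/16", 443, "tcp", chain_id=1, template_id=101, priority=10),
    Rule("10.2.0.0/16", None, "0.0.0.0/0", None, None, chain_id=2, template_id=102, priority=5),
    Rule("0.0.0.0/0", None, "0.0.0.0/0", None, "udp", chain_id=3, template_id=103, priority=1),
], default_chain=(0, 0))


if __name__ == "__main__":
    print(classify(SAMPLE_LIBRARY, FiveTuple("10.2.3.4", 40000, "10.1.0.9", 443, "tcp")))
```

Because the rule library is effectively the security policy, the library validates every prefix at load time and makes the tie-breaking between overlapping rules explicit; a flow that matches nothing is deliberately mapped to a default chain rather than silently bypassing the service chain.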
[0045] Further, the security function virtual machine management module includes a security service chain analysis module and a security function virtual machine management and control module, wherein:
[0046] The security service chain analysis module receives the flow classification result flow table, parses the security service chain template number from it and, using the security service chain template information stored in the security service chain template management module of the management layer, obtains the resource-layer security function virtual machine information and vSwitch virtual switch information contained in the template with that number. A security service chain template comprises the template name, the list of security functions and the arrangement sequence of those functions.
[0047] The security function virtual machine management and control module issues management instructions to the lightweight virtual security resource management platform according to the security function virtual machine information obtained by the security service chain analysis module, encapsulates the management instructions together with the information on the security function virtual machines and switches involved in the security service chain into a security function flow table, and sends that table to the network management module.
[0048] Further, the security function flow table includes the flow five-tuple, switch name, switch IP address, switch traffic inlet port name, switch traffic inlet port number, switch traffic inlet port MAC address, switch traffic outlet port name, switch traffic outlet port number, switch traffic outlet port MAC address, and the names of the security function virtual machines involved in the security service chain.
[0049] Further, the network management module configures the network of a security function virtual machine as follows: it receives the security function flow table and automatically configures the security function virtual machine according to that table.
[0050] The network configuration includes creating and deleting the virtual network ports of the security function virtual machine, configuring the IP address and the MAC address of each virtual network port, and configuring the connection relationship between the virtual network ports and the virtual network.
[0051] The network configuration information includes, for each security function virtual machine in the security service chain list, the virtual machine name, the traffic entry name, traffic entry IP address, traffic entry MAC address and traffic entry port number, and the traffic exit name, traffic exit IP address, traffic exit MAC address and traffic exit port number.
[0052] Further, the traffic traction flow table includes the flow five-tuple, switch name, switch IP address, switch traffic inlet port name, number and MAC address, switch traffic outlet port name, number and MAC address, and, for each security function virtual machine in the security service chain list, the virtual machine name, traffic entry name, traffic entry IP address, traffic entry MAC address, traffic entry port number, traffic exit name, traffic exit IP address, traffic exit MAC address and traffic exit port number.
[0053] Using the above apparatus, the security service chain is dynamically orchestrated as shown in Figure 2, in the following steps:
[0054] (1) the traffic classification module generates a flow classification result flow table based on the five-tuple and sends it to the security function virtual machine management module;
[0055] (2) the security function virtual machine management module parses the flow table to obtain the security service chain template number, security virtual machine information and switch information, generates security function virtual machine management instructions and sends them to the lightweight virtual security resource management platform;
[0056] (3) the security function virtual machine management module encapsulates the management instructions, security function virtual machine information and switch information into a security function flow table and sends it to the network management module;
[0057] (4) the lightweight virtual security resource management platform creates, starts, restarts, shuts down or deletes security function virtual machines according to the management instructions;
[0058] (5) the network management module configures the network of the security function virtual machines, generates the network configuration information and sends it to the flow table generation module;
[0059] (6) the flow table generation module generates the traffic traction flow table and sends it, via the SDN controller module, to the switch.
[0060] This completes the dynamic orchestration of the security service chain.
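As an added worked example of steps (2) to (6) (example code written for this page, not code from the patent), the following Python module takes one classified flow, a security service chain template with its ordered function list, and the vSwitch port numbers of each security function VM's traffic entry and exit ports, and produces the per-hop traffic traction flow table. Beyond what the text states, it assumes that the vSwitch is OpenFlow-controlled and that entries are rendered in ovs-ofctl match syntax, that each security function VM is a transparent bump-in-the-wire bridging its entry and exit vNICs, and that the return direction of the flow must be steered through the same VMs in reverse order (a requirement for stateful functions such as firewalls that the patent text does not discuss). The template, switch name, port numbers and flow are constructed sample data.

```python
"""Added example, not code from the patent: generating the traffic traction
(steering) flow table for one classified flow from a security service chain
template and the network configuration of the security function VMs.

Assumptions beyond the original text: the vSwitch is OpenFlow-controlled
(entries are rendered in ovs-ofctl syntax), each security function VM is a
transparent bump-in-the-wire between its traffic entry vNIC and its traffic
exit vNIC, and the return direction is steered through the same VMs in
reverse order. Template, ports and the flow below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp", "udp" or "icmp"

    def reverse(self) -> "FiveTuple":
        """Five-tuple of the return direction of the same connection."""
        return FiveTuple(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class SfcTemplate:
    """Security service chain template: name plus ordered security function list."""
    template_id: int
    name: str
    functions: Tuple[str, ...]  # arrangement sequence, first hop first


@dataclass(frozen=True)
class VmPorts:
    """Network configuration of one security function VM on the vSwitch."""
    vm_name: str
    entry_port: int  # vSwitch port number of the VM's traffic entry vNIC
    exit_port: int   # vSwitch port number of the VM's traffic exit vNIC


@dataclass(frozen=True)
class FlowEntry:
    """One row of the traffic traction flow table: a single switch hop."""
    switch: str
    priority: int
    in_port: int
    match: FiveTuple
    out_port: int

    def to_ovs(self) -> str:
        """Render as an ovs-ofctl add-flow match/action string (assumed format)."""
        m = self.match
        fields = [f"priority={self.priority}", f"in_port={self.in_port}", m.proto,
                  f"nw_src={m.src_ip}", f"nw_dst={m.dst_ip}"]
        if m.proto in ("tcp", "udp"):  # icmp carries no transport ports
            fields += [f"tp_src={m.src_port}", f"tp_dst={m.dst_port}"]
        return ",".join(fields) + f",actions=output:{self.out_port}"


def build_steering_table(switch: str, template: SfcTemplate, vm_ports: Dict[str, VmPorts],
                         ingress_port: int, egress_port: int, ft: FiveTuple,
                         priority: int = 100, bidirectional: bool = True) -> List[FlowEntry]:
    """Chain analysis plus flow table generation for one classified flow."""
    missing = [f for f in template.functions if f not in vm_ports]
    if missing:
        raise ValueError(f"template {template.template_id} has no running VM for {missing}")
    hops = [vm_ports[f] for f in template.functions]
    # A port shared by two hops (or with ingress/egress) makes the per-hop
    # in_port matches ambiguous and can loop the flow, so reject it up front.
    used = [ingress_port, egress_port] + [p for vm in hops for p in (vm.entry_port, vm.exit_port)]
    if len(set(used)) != len(used):
        raise ValueError("vSwitch port reused within the chain")

    def one_direction(first_port, path, last_port, match):
        entries, in_port = [], first_port
        for vm_in, vm_out in path:  # send into the VM, pick up on its other vNIC
            entries.append(FlowEntry(switch, priority, in_port, match, vm_in))
            in_port = vm_out
        entries.append(FlowEntry(switch, priority, in_port, match, last_port))
        return entries

    forward = [(vm.entry_port, vm.exit_port) for vm in hops]
    table = one_direction(ingress_port, forward, egress_port, ft)
    if bidirectional:
        # Return traffic enters each VM on its exit vNIC and leaves on its entry vNIC.
        backward = [(vm.exit_port, vm.entry_port) for vm in reversed(hops)]
        table += one_direction(egress_port, backward, ingress_port, ft.reverse())
    return table


# Constructed sample: template 101 = firewall then IDS; names and ports hypothetical.
SAMPLE_TEMPLATE = SfcTemplate(101, "web-ingress", ("fw", "ids"))
SAMPLE_VM_PORTS = {"fw": VmPorts("fw-vm-1", 11, 12), "ids": VmPorts("ids-vm-1", 21, 22)}
SAMPLE_FLOW = FiveTuple("10.2.3.4", 40000, "10.1.0.9", 443, "tcp")


def sample_table() -> List[FlowEntry]:
    """Steering table for the sample flow: ingress port 1, egress port 2 on br-sec."""
    return build_steering_table("br-sec", SAMPLE_TEMPLATE, SAMPLE_VM_PORTS, 1, 2, SAMPLE_FLOW)


if __name__ == "__main__":
    for entry in sample_table():
        print(entry.to_ovs())
```

Each hop matches on the flow five-tuple together with the switch port the packet arrives on, so the same flow can be forwarded to a different VM at every step without the entries conflicting. The two validation checks (every function in the template has a VM with configured ports, and no vSwitch port appears twice in the chain) catch the orchestration failures that would otherwise surface as dropped or looping traffic only after the table has been installed.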
[0061] In summary, the present invention provides differentiated security protection for different flows according to security requirements and network status through the security function service chain, offers fine-grained, definable and diversified security protection for the network, and has broad application prospects.