Security service chain dynamic arrangement device

A security service chain orchestration technology in the field of network security. It addresses the problems that existing security protection equipment has non-uniform management and control interfaces and lacks continuous upgrade, dynamic maintenance of security policies, and on-demand dynamic deployment and adjustment of security functions, along with the lack of technology for doing so. It improves the effectiveness and flexibility of security management and control and has wide application prospects.

Active Publication Date: 2020-10-09
NO 54 INST OF CHINA ELECTRONICS SCI & TECH GRP
Cites: 5; Cited by: 1

AI-Extracted Technical Summary

Problems solved by technology

[0003] (1) Existing border security protection systems are mainly static and passive. Once security protection equipment is installed and deployed it remains in a static state, lacking the ability to continuously upgrade, dynamically maintain security policies, and dynamically deploy and adjust security functions on...

Method used

[0061] In a word, the present invention can provide differentiated security protection capabilities for different flows according to security requirements and network status ...

Abstract

The invention discloses a security service chain dynamic orchestration device and relates to the technical field of network security. The device comprises a traffic classification module, a security function virtual machine management module, a lightweight virtual security resource management platform, a network management module and a flow table generation module. The traffic classification module generates a flow classification result flow table; the security function virtual machine management module performs management operations on the security function virtual machines; the lightweight virtual security resource management platform creates, starts, deletes and otherwise operates the security function virtual machines; the network management module performs the network configuration of the security function virtual machines; and the flow table generation module generates a traffic steering ("flow traction") flow table. Through a security function service chain, the invention provides differentiated security protection capabilities for different flows according to security requirements and network state, giving the network fine-grained, definable and diversified means of security protection. It has broad application prospects.

Application Domain

Data switching networks; Software simulation/interpretation/emulation

Technology Topic

Security function; Network management; +7 more

Image

  • Security service chain dynamic arrangement device

Examples


Example Embodiment

[0035] The present invention is further described below with reference to the drawings.
[0036] As shown in Figure 1, a security service chain dynamic orchestration device comprises, at the resource layer, a traffic transceiver module, a vSwitch virtual switch module and a security function virtual machine module; at the management layer, a security function template management module, a security service chain template management module, a log management module and a user management module; and at the control layer, an SDN controller module together with a traffic classification module, a security function virtual machine management module, a lightweight virtual security resource management platform, a network management module and a flow table generation module. Among them:
[0037] The traffic classification module classifies traffic received by the traffic transceiver module according to its five-tuple, generates a flow classification result flow table and sends it to the security function virtual machine management module. The five-tuple comprises the source IP address, source port, destination IP address, destination port and protocol type; each entry of the flow classification result flow table contains the flow five-tuple, a security service chain number and a security service chain template number;
[0038] The security function virtual machine management module issues management instructions to the lightweight virtual security resource management platform when a security service chain is created, modified or deleted; the management instructions comprise virtual machine creation, start-up, restart, shutdown and deletion instructions;
[0039] The lightweight virtual security resource management platform receives the management instructions issued by the security function virtual machine management module and performs the corresponding operations on the resource-layer security function virtual machines: creating, starting, restarting, shutting down and deleting them;
[0040] The network management module automates the network configuration of the security function virtual machines and sends the resulting network configuration information to the flow table generation module. The network configuration comprises automatically adding a virtual network port to a security function virtual machine, configuring the port's MAC address and attaching the port to the vSwitch virtual switch. The network management module also contains a DHCP server that automatically assigns the IP address of each security function virtual machine's management port;
[0041] The flow table generation module generates a traffic steering ("flow traction") flow table from the network configuration information sent by the network management module and sends it to the SDN controller module for flow scheduling control.
[0042] Further, the traffic classification module comprises a security service chain rule library module and a traffic category determination module, wherein:
[0043] The security service chain rule library module stores the security service chain information corresponding to each traffic five-tuple; the security service chain information comprises the traffic five-tuple, the security service chain number and the security service chain template number;
[0044] The traffic category determination module extracts the five-tuple from traffic received by the traffic transceiver module, looks up the corresponding security service chain information in the security service chain rule library module, encapsulates the five-tuple together with that information into a flow classification result flow table, and sends the table to the security function virtual machine management module.
[0045] Further, the security function virtual machine management module comprises a security service chain analysis module and a security function virtual machine management and control module, wherein:
[0046] The security service chain analysis module receives the flow classification result flow table, parses the security service chain template number from it and, using the security service chain template information stored in the security service chain template management module of the management layer, obtains the resource-layer security function virtual machine information and vSwitch virtual switch information contained in the template of that number. A security service chain template comprises the template name, the security function list and the security function arrangement sequence;
[0047] The security function virtual machine management and control module issues management instructions to the lightweight virtual security resource management platform according to the security function virtual machine information obtained by the security service chain analysis module, encapsulates the management instructions, the information on the security function virtual machines involved in the security service chain and the switch information into a security function flow table, and sends that table to the network management module.
[0048] Further, the security function flow table comprises the flow five-tuple, the switch name, the switch IP address, the name, number and MAC address of the switch traffic ingress port, the name, number and MAC address of the switch traffic egress port, and the names of the security function virtual machines involved in the security service chain.
[0049] Further, the network management module configures the network of a security function virtual machine as follows: it receives the security function flow table and automatically configures the security function virtual machine according to that table;
[0050] The network configuration comprises creating and deleting the virtual network ports of the security function virtual machine, configuring the IP addresses and MAC addresses of those ports, and configuring the connection relationship between the virtual network ports and the virtual network;
[0051] The network configuration information comprises, for each security function virtual machine in the security service chain list, the virtual machine name and the name, IP address, MAC address and port number of its traffic ingress and of its traffic egress.
[0052] Further, the traffic steering flow table comprises the flow five-tuple, the switch name, the switch IP address, the name, number and MAC address of the switch traffic ingress port, the name, number and MAC address of the switch traffic egress port, and, for each security function virtual machine in the security service chain list, the virtual machine name and the name, IP address, MAC address and port number of its traffic ingress and of its traffic egress.
[0053] The process of dynamically orchestrating a security service chain with the above device is shown in Figure 2 and comprises the following steps:
[0054] (1) The traffic classification module generates a flow classification result flow table from the five-tuple and sends it to the security function virtual machine management module;
[0055] (2) The security function virtual machine management module parses the flow table to obtain the security service chain template number, the security virtual machine information and the switch information, generates security function virtual machine management instructions and sends them to the lightweight virtual security resource management platform;
[0056] (3) The security function virtual machine management module encapsulates the management instructions, the security function virtual machine information and the switch information into a security function flow table and sends it to the network management module;
[0057] (4) The lightweight virtual security resource management platform creates, starts, restarts, shuts down or deletes security function virtual machines according to the management instructions;
[0058] (5) The network management module performs network configuration on the security function virtual machines, generates the network configuration information and sends it to the flow table generation module;
[0059] (6) The flow table generation module generates the traffic steering flow table and sends it to the network switch,
[0060] which completes the dynamic orchestration of the security service chain.
[0061] In summary, through the security function service chain the present invention can provide differentiated security protection capabilities for different flows according to security requirements and network state, offers the network fine-grained, definable and diversified means of security protection, and has wide application prospects.
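The following is an added example, written for this page and not code from the patent or its applicant. It models steps (1), (2) and (6) of the procedure above: a five-tuple rule library yielding the flow classification result ([0043]-[0044]), a template whose list order is the security function arrangement sequence ([0046]), and the per-hop steering entries that the flow table generation module would hand to the SDN controller ([0052]). It shows the one property the prose leaves implicit: because each steering entry matches the five-tuple together with the port the packet arrived on, traffic leaving function i is forwarded to function i+1 and not back to the start of the chain. All names, CIDRs and port numbers are constructed assumptions; VM lifecycle, DHCP and MAC bookkeeping are left out.

```python
# Added example, not from the patent: toy model of steps (1), (2) and (6).
# Names, CIDRs and port numbers are constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp", "udp", ...

@dataclass(frozen=True)
class ChainRule:
    # Rule library entry: 5-tuple pattern -> (chain number, template number); None = wildcard.
    src_net: str
    dst_net: str
    dst_port: Optional[int]
    proto: Optional[str]
    chain_id: int
    template_id: int

    def matches(self, t: FiveTuple) -> bool:
        return (ip_address(t.src_ip) in ip_network(self.src_net)
                and ip_address(t.dst_ip) in ip_network(self.dst_net)
                and self.dst_port in (None, t.dst_port)
                and self.proto in (None, t.proto))

@dataclass(frozen=True)
class ChainTemplate:
    name: str
    functions: List[str]  # security function list; list order = arrangement sequence

@dataclass(frozen=True)
class VnfPorts:
    # Network configuration of one security function VM: its vSwitch ports.
    vm_name: str
    in_port: int
    out_port: int

@dataclass(frozen=True)
class SwitchInfo:
    name: str
    ip: str
    in_port: int   # vSwitch port where classified traffic arrives
    out_port: int  # vSwitch port it leaves from after the last function

def classify(t: FiveTuple, rules: List[ChainRule]) -> Optional[dict]:
    # Step (1): first match wins, so the library is ordered most-specific first.
    for r in rules:
        if r.matches(t):
            return {"five_tuple": t, "chain_id": r.chain_id, "template_id": r.template_id}
    return None  # flow bound to no chain

def build_steering_table(entry: dict, templates: Dict[int, ChainTemplate],
                         vnfs: Dict[str, VnfPorts], sw: SwitchInfo) -> List[dict]:
    # Step (6): one rule per hop, matching the 5-tuple AND the arrival port, so a
    # packet leaving function i goes to function i+1, not back to function 1.
    tpl = templates.get(entry["template_id"])
    if tpl is None:
        raise KeyError(f"unknown chain template {entry['template_id']}")
    missing = [f for f in tpl.functions if f not in vnfs]
    if missing:  # template names a VM that step (5) never configured
        raise ValueError(f"template {tpl.name!r}: no network config for {missing}")
    hops = [vnfs[f] for f in tpl.functions]
    in_ports = [sw.in_port] + [h.out_port for h in hops]   # where each hop is matched
    out_ports = [h.in_port for h in hops] + [sw.out_port]  # where it is sent next
    t = entry["five_tuple"]
    match = {"nw_src": t.src_ip, "tp_src": t.src_port, "nw_dst": t.dst_ip,
             "tp_dst": t.dst_port, "nw_proto": t.proto}
    return [{"switch": sw.name, "switch_ip": sw.ip, "chain_id": entry["chain_id"],
             "match": {**match, "in_port": p_in}, "actions": [f"output:{p_out}"]}
            for p_in, p_out in zip(in_ports, out_ports)]

# Constructed sample rule library, templates and network configuration.
RULES = [
    ChainRule("10.0.1.0/24", "10.0.2.0/24", 80, "tcp", chain_id=1, template_id=100),
    ChainRule("10.0.1.0/24", "0.0.0.0/0", None, None, chain_id=2, template_id=101),
]
TEMPLATES = {
    100: ChainTemplate("web-ingress", ["fw-vm", "waf-vm", "ids-vm"]),
    101: ChainTemplate("default-egress", ["fw-vm"]),
    102: ChainTemplate("broken", ["fw-vm", "dlp-vm"]),  # dlp-vm is never configured
}
VNFS = {n: VnfPorts(n, i, o) for n, i, o in
        [("fw-vm", 11, 12), ("waf-vm", 21, 22), ("ids-vm", 31, 32)]}
SWITCH = SwitchInfo("br-sec", "192.168.100.2", in_port=1, out_port=2)

def orchestrate(t: FiveTuple) -> List[dict]:
    # Unclassified traffic gets no steering rules and falls through to default forwarding.
    entry = classify(t, RULES)
    return [] if entry is None else build_steering_table(entry, TEMPLATES, VNFS, SWITCH)

if __name__ == "__main__":
    for rule in orchestrate(FiveTuple("10.0.1.5", 51000, "10.0.2.8", 80, "tcp")):
        print(f"in_port {rule['match']['in_port']:>2} -> {rule['actions'][0]}")
```

For the web flow this yields four entries (switch ingress to fw-vm, fw-vm to waf-vm, waf-vm to ids-vm, ids-vm to switch egress); other traffic from 10.0.1.0/24 gets only the firewall hop. Two checks worth keeping in a real implementation are visible here: a template that names a virtual machine for which step (5) produced no network configuration is rejected rather than silently shortening the chain, and a flow that matches no rule-library entry receives no steering at all, so whether such traffic bypasses every security function or is dropped is decided by the catch-all rule (or the switch's table-miss behaviour), not by the orchestrator.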
