Network micro-isolation strategy self-generation method and system

A policy generation method, applied in the field of network security, that addresses problems such as the inability to add targeted policy rules, insufficiently fine rule granularity, and huge access traffic, with the effect of reducing errors and the difficulty of security operation and maintenance, reducing complexity, and providing a friendly interactive experience.

Active Publication Date: 2022-01-11
XIAMEN FUYUN INFORMATION TECH CO LTD
Cites: 7 · Cited by: 0

AI Technical Summary

Problems solved by technology

[0003] With the rise of cloud computing, migrating business to the cloud has become a trend. The changes in the data center environment have brought many challenges to data center network security, for example: east-west access traffic is huge and the access relationships between services cannot be perceived; fine-grained access control policies must be formulated; static policies cannot follow the automatic migration of virtual machines; and other network access border inspection and control issues.
[0004] The current mainstream technical solutions mainly divide the rule dimension level along the two dimensions of the visitor and the accessed service. The granularity of this rule dimension division is not fine enough, and the generated rules cannot accurately control the communication between workload nodes.
It is also impossible to add targeted policy rules for abnormal access relationships, and custom configuration of policy rule types is not supported.
VLAN technology, VxLAN technology, and VPC technology cannot solve the isolation policy between virtualized devices, containers, host workloads, and business applications.
In terms of technical characteristics, VLAN is a coarse-grained network isolation technology. VxLAN and VPC are closer to the technical requirements of micro-isolation, but they are not very good at solving the direct isolation problems between hosts and between hosts and containers.

Examples

Embodiment 1

[0043] An embodiment of the present invention provides a method for self-generating a network micro-isolation policy. As shown in figure 1, the method includes the following steps:

[0044] S1: Select an existing policy set or create a new policy set, and determine whether an access relationship exists within the policy range of the policy set. If one exists, classify the data in the policy set using the access relationship type as the dimension, count the number of access relationships corresponding to each access relationship type, and then calculate the rule coverage of each access relationship type; if none exists, reselect or create a new policy set.

[0045] A policy set is a collection that stores policy rules, and a policy rule is a set of conditions based on five-tuples; it is the rule that business access between workloads follows. The content of the policy set in this embodiment includes policy set basic information, policy scope and...

Embodiment 2

[0081] The present invention also provides a network micro-isolation policy self-generation system, including a cloud and a workload end. Both the cloud and the workload end include a memory, a processor, and a computer program stored in the memory and capable of running on the processor; when the processor executes the computer program, the steps of the method embodiment in Embodiment 1 of the present invention are realized.

[0082] Further, as an executable solution, the workload end may be computing devices such as desktop computers, notebooks, and palmtop computers.

[0083] Further, as an executable solution, the so-called processor can be a central processing unit (Central Processing Unit, CPU), and can also be other general-purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), Field-Programmable Gate Array (Field-Programmable Gate Array...

Abstract

The invention relates to a network micro-isolation strategy self-generation method and system. The method comprises the following steps: S1, selecting an existing strategy set or creating a new strategy set, judging whether the strategy range in the strategy set has an access relation, and if so, classifying the data in the strategy set by taking the access relation type as the dimension, counting the number of access relations corresponding to each access relation type, and then calculating the rule coverage rate of each access relation type; S2, performing the corresponding strategy rule configuration on the data of each access relation type according to that type; S3, verifying the configured strategy rule, and entering S4 when the verification passes, otherwise returning to S2 to perform strategy rule configuration again; and S4, after the cloud issues the verified strategy rule to the workload end, the workload end performs the corresponding configuration according to the configuration items of the strategy rule once it receives the rule. With this method, strategy rules can be quickly and conveniently generated in batches, and the complexity of manual sorting by the user is reduced.
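The S1 to S4 loop of the abstract (and the S1 coverage step of Embodiment 1), reduced to a runnable sketch. This is an added example, not the patent's or the applicant's code: the access relationship type labels, the tuple layout, the per-type allow/deny choice and the verification checks are all assumptions.

```python
from collections import defaultdict
# Constructed sample (not from the patent): observed access relationships as
# (src, dst, proto, dst_port, relation_type); the type labels are assumptions.
ACCESS_RELATIONS = [
    ("web-01", "app-01", "tcp", 8080, "host-host"),
    ("web-02", "app-01", "tcp", 8080, "host-host"),
    ("app-01", "cache-c1", "tcp", 6379, "host-container"),
    ("ops-01", "db-01", "tcp", 22, "abnormal"),
]
# Constructed existing policy set: five-tuple conditions plus an action.
POLICY_SET = {"name": "demo", "rules": [
    {"src": "web-01", "dst": "app-01", "proto": "tcp", "port": 8080, "action": "allow"}]}
def rule_key(rule):
    return (rule["src"], rule["dst"], rule["proto"], rule["port"])

def coverage_by_type(policy_set, relations):
    """S1: per type, (relationships, already covered, coverage rate)."""
    keys = {rule_key(r) for r in policy_set["rules"]}
    total, hit = defaultdict(int), defaultdict(int)
    for rel in relations:
        total[rel[4]] += 1
        hit[rel[4]] += rel[:4] in keys
    return {t: (total[t], hit[t], hit[t] / total[t]) for t in total}

def generate_rules(policy_set, relations):
    """S2: a rule per uncovered relationship; assumed: 'abnormal' gets a targeted deny."""
    keys = {rule_key(r) for r in policy_set["rules"]}
    new_rules = []
    for src, dst, proto, port, rtype in relations:
        if (src, dst, proto, port) not in keys:
            keys.add((src, dst, proto, port))
            new_rules.append({"src": src, "dst": dst, "proto": proto, "port": port,
                              "action": "deny" if rtype == "abnormal" else "allow"})
    return new_rules

def verify_rules(rules):
    """S3: reject out-of-range ports and one five-tuple carrying conflicting actions."""
    seen = {}
    for r in rules:
        if not 0 < r["port"] <= 65535 or seen.setdefault(rule_key(r), r["action"]) != r["action"]:
            return False
    return True

def issue_to_workloads(rules):
    """S4: the cloud hands each workload end the rules it enforces as source or destination."""
    per_workload = defaultdict(list)
    for r in rules:
        for end in (r["src"], r["dst"]):
            per_workload[end].append(r)
    return dict(per_workload)
```

Running S1 again on the policy set plus the generated rules shows every type at full coverage, which is the condition under which the loop stops generating.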

Description

Technical field

[0001] The invention relates to the field of network security, in particular to a method and system for self-generating network micro-isolation policies.

Background technique

[0002] Micro-segmentation is a fine-grained network isolation technology. It divides the network and cloud into smaller areas, which can meet the needs of traffic isolation in different environments. Its core functional requirement is the isolation of east-west traffic, focusing on preventing lateral movement of attackers once inside the data center. Traditional firewalls isolate at single-point boundaries, while micro-isolation extends the segmentation capability to cloud workloads and containers, adopts the method of separating the control center platform from the policy execution unit, and has the characteristics of distribution and self-adaptation, which differs from the isolation function of the firewall and is also a real requirement in the cloud computing en...

Application Information

IPC(8): H04L9/40, H04L67/10
CPC: H04L63/02, H04L63/0227, H04L63/20, H04L63/08, H04L67/10
Inventor 韦雪冬李俊良陈奋陈荣有张寅余志军何春根
Owner XIAMEN FUYUN INFORMATION TECH CO LTD