Method, device and equipment for increasing functions of a bastion host and readable storage medium
By atomizing bastion host functions into virtual network functions and orchestrating them based on operating system policies, the problem of high logical complexity of bastion hosts is solved, achieving more efficient function orchestration and improved stability.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA MOBILE INFORMATION TECHNOLOGY CO LTD
- Filing Date
- 2022-12-09
- Publication Date
- 2026-06-19
AI Technical Summary
Traditional bastion hosts have excessively high logical complexity during the process of adding functions, making them unable to flexibly meet various access needs, resulting in a decline in operational quality and stability.
The multiple functions of the bastion host are atomized into virtual network functions. Service functions are orchestrated through the routing or switching policies and traffic redirection policies of the target operating system, generating JSON data structures and building service chains to achieve flexible orchestration and control of functions.
It reduces the internal logic complexity of the bastion host, improves operational quality and stability, effectively utilizes computing resources, and reduces redundant implementation and inconsistency of security control capabilities.
Description
Technical Field
[0001] This application belongs to the field of computer network information security, and in particular relates to a method, apparatus, device and readable storage medium for adding functions to a bastion host.
Background Technology
[0002] Currently, bastion hosts are a type of security device widely used in the operation, maintenance, access, and use of IT systems in large enterprises. Their principle is to transmit access to important systems by various personnel or interfaces through transparent or jump host modes, and play a security role in access control, operation command auditing, and data anonymization.
[0003] As business demands grow, the traditional way to overlay functions onto a graphical bastion host is to adopt a more comprehensive graphical bastion. This accumulation method easily leads to too many functions inside the graphical bastion, which then cannot be orchestrated intelligently according to the actual access needs. In particular, when the bastion host serves multiple users at the same time, the overlay of multiple functions must use a pre-programmed combination, which easily makes the internal logic of the graphical bastion excessively complex, makes it difficult to flexibly meet the various functional requirements and to keep access control strength uniform, and reduces the quality and stability of the bastion host's operation.
Summary of the Invention
[0004] This application provides a method, apparatus, device, and computer-readable storage medium for adding functionality to a bastion host, which can reduce the complexity of the internal logic of a graphical bastion and improve the quality and stability of the bastion host's operation.
[0005] In a first aspect, embodiments of this application provide a method for adding functionality to a bastion host, the method comprising:
[0006] Atomize the multiple functions of the bastion host to be added to form multiple virtual network functions;
[0007] Receive access requests initiated by the accessing subject to the accessing object;
[0008] Based on the access request, and according to the routing or switching policies of the target operating system and the preset traffic redirection policies, the target virtual network function is selected from multiple virtual network functions and the service functions are arranged to obtain the bastion host with added functions.
[0009] According to the implementation method of the first aspect of this application, based on the access request and the routing or switching policy of the target operating system and the preset traffic redirection policy, a target virtual network function is selected from multiple virtual network functions for service function orchestration to obtain a bastion host with added functions, specifically including:
[0010] The access request is analyzed to obtain the target information carried by the access request. The target information includes at least one of the following: the type of request, the type of the main client, the type of the object service, the network channel requirements, the audit requirements, the security control requirements, and the data security requirements.
[0011] Based on the target information, determine the target virtual network functions and generate JSON data structures for process orchestration data, condition orchestration data, and runtime parameter data;
[0012] Receive target transport protocol traffic sent by the accessing entity;
[0013] Based on the target transport protocol traffic and the JSON data structure, construct a service chain that includes at least the target virtual network function, obtaining the bastion host with added functions.
[0014] According to any of the foregoing embodiments of the first aspect of this application, a service chain including at least the target virtual network function is constructed based on the target transport protocol traffic and a JSON data structure to obtain a bastion host with added functionality, specifically including:
[0015] Analyze the target transport protocol traffic sent by the accessing entity to determine whether the target transport protocol traffic needs to be orchestrated and the corresponding JSON data structure;
[0016] The JSON data structure is passed to the pre-built module entity for service function orchestration.
[0017] According to any of the foregoing embodiments of the first aspect of this application, before analyzing the target transport protocol traffic sent by the accessing subject and determining whether the target transport protocol traffic needs to be orchestrated and the corresponding JSON data structure, the method for adding functionality to a bastion host further includes:
[0018] Based on the source IP, destination IP, source port, destination port, and validity period of the target transport protocol traffic, the target transport protocol traffic is identified to determine whether it is unique.
[0019] Analyze the target transport protocol traffic sent by the accessing entity to determine whether the target transport protocol traffic needs orchestration and its corresponding JSON data structure, specifically including:
[0020] When the target transport protocol traffic is unique, analyze the target transport protocol traffic sent by the accessing subject to determine whether the target transport protocol traffic needs to be orchestrated and the corresponding JSON data structure.
[0021] According to any of the foregoing embodiments of the first aspect of this application, after obtaining the enhanced bastion host by constructing a service chain that includes at least the target virtual network functionality based on the target transport protocol traffic and a JSON data structure, the method for adding functionality to the bastion host further includes:
[0022] Receive operation requests from the access subject;
[0023] The various functions of the bastion host are executed sequentially according to the service chain order.
[0024] When executing each function, determine whether the next function needs to be executed;
[0025] When the next function is not required, determine at least one data interaction that has been completed between the access subject and the access object.
[0026] According to any of the foregoing embodiments of the first aspect of this application, after obtaining the enhanced bastion host by constructing a service chain that includes at least the target virtual network functionality based on the target transport protocol traffic and a JSON data structure, the method for adding functionality to the bastion host further includes:
[0027] When the next function needs to be executed, determine whether the next function is running normally;
[0028] When the next function runs normally, return to the step of determining whether the next function needs to be executed;
[0029] If the next function fails to function properly, skip executing the next function or terminate the access of the access subject to the access object.
[0030] According to any of the foregoing embodiments of the first aspect of this application, after obtaining the enhanced bastion host by constructing a service chain that includes at least the target virtual network functionality based on the target transport protocol traffic and a JSON data structure, the method for adding functionality to the bastion host further includes:
[0031] Based on the connection status of the bastion host, determine whether to terminate the access of the access subject to the access object;
[0032] When the access subject terminates its access to the access object, the service chain information established during this access is cleared.
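The execution steps listed above (run the chain in service-chain order, let each function decide whether the next one is needed, check that the next function is running normally, skip it or terminate the access when it is not, and clear the chain information when the access ends) as one runnable example. This is an added illustration, not code from the patent or from the assignee; the VNF names, the `Vnf`/`Session` classes, the `on_failure` policy flag and the demo chain are constructed assumptions.

```python
"""Added example (not the patent's code): execute a bastion host service chain
in order, let each function decide whether the next one is needed, check the
next function's health, skip or terminate on failure, and clear the chain when
the access ends. VNF names, the policy flag and the session model are
constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Vnf:
    name: str
    # Handles one operation; returns True when the next function should run.
    handler: Callable[[dict], bool]
    # Reports whether this function is running normally.
    healthy: Callable[[], bool] = lambda: True
    # What to do when the function is not running normally: "skip" or "terminate".
    on_failure: str = "terminate"


@dataclass
class Session:
    session_id: str
    chain: List[Vnf]
    connected: bool = True
    trace: List[str] = field(default_factory=list)


def terminate_session(session: Session) -> None:
    """Terminate the subject's access and clear the service chain information
    that was established for this access."""
    session.connected = False
    session.chain.clear()


def execute_operation(session: Session, operation: dict) -> str:
    """Run one operation request through the chain in service-chain order.
    Returns "completed" when the data interaction finished and "terminated"
    when an unhealthy function with a terminate policy forced the access to end."""
    if not session.connected:
        return "terminated"
    for vnf in session.chain:
        if not vnf.healthy():
            if vnf.on_failure == "skip":
                session.trace.append(f"skip:{vnf.name}")
                continue
            session.trace.append(f"terminate:{vnf.name}")
            terminate_session(session)
            return "terminated"
        session.trace.append(f"run:{vnf.name}")
        if not vnf.handler(operation):
            # This function decided the next one is not required, so the
            # data interaction for this operation is complete.
            session.trace.append(f"done:{vnf.name}")
            return "completed"
    return "completed"


def close_if_disconnected(session: Session, peer_connected: bool) -> bool:
    """Use the connection status to decide whether the access is over; if so,
    clear the chain. Returns True when the session was closed."""
    if peer_connected:
        return False
    terminate_session(session)
    return True


# --- constructed demo chain ---------------------------------------------
def mfa_gate(operation: dict) -> bool:
    # A rejected second factor ends the interaction here: nothing further runs.
    return bool(operation.get("mfa_verified"))


def command_audit(operation: dict) -> bool:
    operation.setdefault("audit_log", []).append(operation["command"])
    return True


def data_masking(operation: dict) -> bool:
    operation["masked"] = True
    return True


def forward_to_target(operation: dict) -> bool:
    operation["forwarded"] = True
    return True


def build_demo_session(masking_healthy: bool = True,
                       forward_healthy: bool = True) -> Session:
    chain = [
        Vnf("mfa", mfa_gate),
        Vnf("audit", command_audit),
        # An unhealthy masking step is skipped; an unhealthy forwarder ends the access.
        Vnf("masking", data_masking, healthy=lambda: masking_healthy,
            on_failure="skip"),
        Vnf("forward", forward_to_target, healthy=lambda: forward_healthy),
    ]
    return Session("sess-demo-1", chain)


if __name__ == "__main__":
    session = build_demo_session(masking_healthy=False)
    print(execute_operation(session, {"command": "ls", "mfa_verified": True}))
    print(session.trace)
```

The skip-versus-terminate decision is attached to each VNF rather than to the engine, because the patent's own distinction is that audit-type capabilities can degrade while control-type capabilities must not: a missing recording is tolerable, a missing authentication step is not.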
[0033] In a second aspect, embodiments of this application provide an apparatus for adding functionality to a bastion host, the apparatus comprising:
[0034] The atomization module is used to atomize multiple functions of the bastion host to be added into multiple virtual network functions;
[0035] The receiving module is used to receive access requests initiated by the accessing subject to the accessing object;
[0036] The orchestration module is used to select target virtual network functions from multiple virtual network functions based on access requests, the routing or switching policies of the target operating system, and preset traffic redirection policies, and to orchestrate the service functions to obtain the bastion host with added functions.
[0037] In a third aspect, embodiments of this application provide an electronic device, which includes: a processor, a memory, and a computer program stored in the memory and executable on the processor. When the computer program is executed by the processor, it implements the steps of the method for adding functionality to a bastion host as provided in the first aspect.
[0038] In a fourth aspect, embodiments of this application provide a computer-readable storage medium storing a computer program, which, when executed by a processor, implements the steps of the method for adding functionality to a bastion host as provided in the first aspect.
[0039] The method, apparatus, device, and computer-readable storage medium for adding functionality to a bastion host according to embodiments of this application atomize multiple functions of the bastion host to be added into multiple virtual network functions. This atomization effectively reduces redundant development, reduces the problem of repeated implementation of security control capabilities on different access channels, and reduces inconsistent security control. Furthermore, based on the access request initiated by the access subject to the access object, and based on the routing or switching policies and traffic redirection policies of the target operating system, the target virtual network function is selected from multiple virtual network functions for service function orchestration to obtain the bastion host with added functionality. Compared with the traditional function overlay mode, this is more flexible, can effectively utilize computing resources, reduce the complexity of the internal logic of the graphical bastion, and improve the quality and stability of operation.
Attached Figure Description
[0040] To more clearly illustrate the technical solutions of the embodiments of this application, the accompanying drawings used in the embodiments of this application will be briefly introduced below. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0041] Figure 1 is a flowchart illustrating a method for adding functionality to a bastion host, as provided in an embodiment of this application;
[0042] Figure 2 is a flowchart illustrating another method for adding functionality to a bastion host, as provided in an embodiment of this application;
[0043] Figure 3 is an architecture diagram of a method for adding functionality to a bastion host, as provided in an embodiment of this application;
[0044] Figure 4 is a flowchart illustrating the implementation of adding functionality to a bastion host, as provided in an embodiment of this application;
[0045] Figure 5 is a flowchart illustrating a method for software-defined functionality of a bastion host, as provided in an embodiment of this application;
[0046] Figure 6 is a schematic diagram of a device for adding functionality to a bastion host, as provided in an embodiment of this application;
[0047] Figure 7 is a schematic diagram of the hardware structure of an electronic device provided in an embodiment of this application.
Detailed Implementation
[0048] The features and exemplary embodiments of various aspects of this application will be described in detail below. To make the objectives, technical solutions, and advantages of this application clearer, the application will be further described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described herein are only intended to explain this application and not to limit it. For those skilled in the art, this application can be implemented without some of these specific details. The following description of the embodiments is merely to provide a better understanding of this application by illustrating examples.
[0049] It should be noted that, in this document, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising..." does not exclude the presence of additional identical elements in the process, method, article, or apparatus that includes said element.
[0050] It should be understood that the term "and/or" used in this document merely describes the relationship between related objects, indicating that three relationships can exist. For example, "A and/or B" can represent: A existing alone, A and B existing simultaneously, and B existing alone. Additionally, the character "/" in this document generally indicates that the preceding and following related objects have an "or" relationship.
[0051] Various modifications and variations can be made to this application without departing from its spirit or scope, which will be apparent to those skilled in the art. Therefore, this application is intended to cover modifications and variations falling within the scope of the corresponding claims (the claimed technical solutions) and their equivalents. It should be noted that the embodiments provided in this application can be combined with each other without contradiction.
[0052] Before describing the technical solutions provided in the embodiments of this application, in order to facilitate understanding of the embodiments of this application, this application first specifically explains the problems existing in the related technologies:
[0053] As mentioned above, the inventors of this application have found that in the related technologies, upgrading the functions of a graphical bastion often means adopting a more feature-rich graphical bastion. Because feature upgrades are a direct way to enhance the capabilities of a graphical bastion, development teams continuously enrich the bastion host's functions and deliver them to the operations site for upgrade, achieving a combination of capabilities. However, combining multiple functions must be done with a pre-programmed combination, which easily leads to excessive complexity in the internal logic of the graphical bastion and affects its operational quality and stability.
[0054] In addition, upgrading the graphical bastion functionality often means adding new graphical bastion nodes, so that different bastion hosts serve business operations in different demand scenarios, because each of the different types of access demand accounts for a significant share of the overall demand.
[0055] Frequent changes can lead to insufficient or excessive capacity, resulting in wasted resources and inconsistent control over the same access purpose, thereby reducing the quality and stability of the bastion host operation.
[0056] In view of the inventors' above-mentioned research findings, the embodiments of this application provide a method, apparatus, device, and computer-readable storage medium for adding functions to a bastion host, which can solve the problems existing in the related technologies.
[0057] The excessive internal logic complexity of the graphical bastion prevents it from flexibly fulfilling the various functional requirements and causes technical problems such as instability in the bastion host's operation.
[0058] To address the problems in the prior art, embodiments of this application provide a method, apparatus, device, and computer-readable storage medium for adding functionality to a bastion host.
[0059] The following section first introduces the method for adding functionality to a bastion host provided in the embodiments of this application.
[0060] Figure 1 is a flowchart illustrating a method for adding functionality to a bastion host, as provided in an embodiment of this application. As shown in Figure 1, the method may include the following steps S110 to S130.
[0061] S110: Atomize multiple functions of the bastion host to be added to form multiple virtual network functions.
[0062] A Virtual Network Function (VNF) is a network function implemented in software within the Network Functions Virtualization (NFV) framework defined by the European Telecommunications Standards Institute (ETSI).
[0063] In the figure, objects that provide a certain network function, such as virtual machines and containers, represent the preset atomic functions of the BClinux graphical bastion.
[0064] The various functions within the bastion host to be added should meet the requirements of "low coupling and high cohesion." Firstly, from the perspective of security control, the level of security control over access behavior should not differ based on the technical channel used. For example, when accessing a database, various methods can be used, such as graphical interface, web interface, character interface (SSH), and database interface. However, the level of security control should be applied to both the behavior and the content. All technical channels should employ the same level of control strategy to achieve consistent control effects.
[0065] During access, apart from the network service, traffic encryption/decryption, and file analysis technologies, the other controlled aspects, including zero trust, auditing, and vaults, should be separated from the technical channel. The various functions of the bastion host should be atomized and virtualized.
[0066] S120: Receive an access request initiated by the accessing subject to the accessing object.
[0067] Users access the system through the access subject (terminal), initiating an access request to the access object (server, application), thus establishing an access channel from the subject to the object.
[0068] S130. Based on the access request and the routing or switching policy of the target operating system and the preset traffic redirection policy, select the target virtual network function from multiple virtual network functions and arrange the service functions to obtain the bastion host with added functions.
[0069] The target operating system can be BClinux. Based on modifications to BClinux, the various functions within the bastion host can be overlaid and orchestrated, that is, the bastion host functions are software-defined. Each bastion host function is atomized into a virtual network function (VNF). According to the different business needs of visitors, the functions on the access channel are intelligently orchestrated to achieve software-defined function overlay within the BClinux graphical bastion.
[0070] As shown in Figure 3, which is an architecture diagram for adding functionality to a bastion host provided by this application, the underlying BClinux operating system is modified so that the traditional application-based traffic redirection of the bastion host is replaced by the operating system's routing or switching policies combined with a traffic redirection policy. The bastion host is treated as one node in a service chain, and audit snapshot capabilities can be overlaid when capacity expansion is needed. Network traffic is redirected to a service chain composed of the various atomic capabilities, adding BClinux graphical bastion functionality without affecting the original access logic of the normal bastion host.
[0071] The above describes the specific implementation of the method for adding functionality to a bastion host provided in this application embodiment. This application embodiment atomizes multiple functions of the bastion host to be added into multiple virtual network functions. This atomization effectively reduces redundant development, minimizes the problem of repeated implementation of security control capabilities on different access channels, and reduces inconsistent security control strength. Furthermore, based on the access request initiated by the access subject to the access object, and considering the routing or switching policies and traffic redirection policies of the target operating system, the target virtual network function is selected from multiple virtual network functions for service function orchestration, resulting in the bastion host with added functionality. Compared to the traditional function overlay mode, this is more flexible, effectively utilizes computing resources, reduces the complexity of the internal logic of the graphical bastion, and improves the quality and stability of operation.
[0072] In one example, based on the access request and the target operating system's routing or switching policies and preset traffic redirection policies, a target virtual network function is selected from multiple virtual network functions for service function orchestration, resulting in a bastion host with added functions, specifically including:
[0073] The access request is analyzed to obtain the target information carried by the access request. The target information includes at least one of the following: the type of request, the type of the main client, the type of the object service, the network channel requirements, the audit requirements, the security control requirements, and the data security requirements.
[0074] Based on the target information, determine the target virtual network functions and generate JSON data structures for process orchestration data, condition orchestration data, and runtime parameter data;
[0075] Receive target transport protocol traffic sent by the accessing entity;
[0076] Based on the target transport protocol traffic and the JSON data structure, construct a service chain that includes at least the target virtual network function, obtaining the bastion host with added functions.
[0077] For example, based on the access request received above, the access request is analyzed to obtain the target information carried by the access request. The target information includes the type of requirement, the subject client type (browser / client / application), the object service type (desktop application / graphical application), network channel requirements (protocol and encryption requirements), audit requirements (whether video recording / whether image recognition), security control requirements (whether multi-factor authentication), and data security requirements (whether data anonymization).
[0078] Based on the target information, determine the virtual network functions (VNFs), establish a combination of one or more functions such as graphical bastion, zero trust, multi-factor authentication, video recording, image recognition, and data anonymization, and generate a standard data exchange format (JavaScript Object Notation, JSON) data structure for the process orchestration data, condition orchestration data, and runtime parameter data.
[0079] The target transport protocol traffic includes Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) traffic. Network traffic orchestration analyzes the TCP/UDP traffic that the access subject sends to the bastion host, identifies which bastion host session the traffic belongs to, and redirects it accordingly. Based on the target transport protocol traffic and the JSON data structure, a service chain is constructed that includes at least the target virtual network function, resulting in a bastion host with added functionality. A service chain is a virtual link composed of different VNF groups arranged in a certain order to provide a specific service; in this application it specifically refers to a security service chain providing bastion host services. A VNF group is formed by adding one or more VNFs of the same type to the group; all VNFs within the group share the load and process the traffic introduced into the group uniformly.
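The orchestration pipeline described in paragraphs [0077] to [0079] (analyze the access request into its target information, pick the target VNFs, emit the process, condition and runtime data as JSON, and build the service chain from VNF groups that share load) as one runnable example. This is an added illustration, not code from the patent or from the assignee; the VNF catalogue, the request field names, the condition layout and the instance identifiers are constructed assumptions.

```python
"""Added example (not the patent's code): analyze an access request into its
target information, select the atomized functions (VNFs) it needs, emit the
process / condition / runtime orchestration data as JSON, and build the service
chain from VNF groups. The VNF catalogue, request field names and instance
identifiers are constructed assumptions."""
import json
from typing import Dict, List

# Constructed catalogue of atomized bastion functions and their kind.
VNF_CATALOGUE: Dict[str, str] = {
    "graphical_bastion": "channel",
    "zero_trust": "control",
    "mfa": "control",
    "video_recording": "audit",
    "image_recognition": "audit",
    "data_masking": "data",
}


def analyse_request(request: dict) -> dict:
    """Extract the target information carried by an access request."""
    return {
        "requirement_type": request.get("purpose", "operations"),
        "subject_client": request["client"],        # browser / client / application
        "object_service": request["service"],       # desktop or graphical application
        "channel": {"protocol": request["protocol"],
                    "encrypted": request.get("encrypted", True)},
        "audit": {"video": request.get("record_video", False),
                  "image_recognition": request.get("image_recognition", False)},
        "control": {"mfa": request.get("mfa", False)},
        "data_security": {"masking": request.get("mask_data", False)},
    }


def select_vnfs(info: dict) -> List[str]:
    """Choose the target VNFs from the catalogue; list order is the process order."""
    process = ["graphical_bastion", "zero_trust"]
    if info["control"]["mfa"]:
        process.append("mfa")
    if info["audit"]["video"]:
        process.append("video_recording")
        # Image recognition works on the recorded stream, so it needs recording.
        if info["audit"]["image_recognition"]:
            process.append("image_recognition")
    if info["data_security"]["masking"]:
        process.append("data_masking")
    return process


def build_orchestration(info: dict) -> dict:
    """Process orchestration, jump conditions and runtime parameters."""
    process = select_vnfs(info)
    conditions = {}
    for index, name in enumerate(process):
        following = process[index + 1] if index + 1 < len(process) else None
        conditions[name] = {
            "on_pass": following,
            # A failed control function ends the access; other kinds are skipped.
            "on_fail": "terminate" if VNF_CATALOGUE[name] == "control" else "skip",
        }
    runtime = {
        "protocol": info["channel"]["protocol"],
        "encrypted": info["channel"]["encrypted"],
        "subject_client": info["subject_client"],
        "object_service": info["object_service"],
    }
    return {"process": process, "conditions": conditions, "runtime": runtime}


def to_json(orchestration: dict) -> str:
    """Serialize for handing to the pre-built module entities."""
    return json.dumps(orchestration, sort_keys=True)


def from_json(text: str) -> dict:
    return json.loads(text)


def build_service_chain(orchestration: dict, instances: List[dict]) -> List[dict]:
    """One VNF group per process step: every running instance of that VNF joins
    the group and shares its load. A missing instance is an error, not a
    silently shorter chain."""
    chain = []
    for name in orchestration["process"]:
        members = [inst["id"] for inst in instances if inst["vnf"] == name]
        if not members:
            raise LookupError(f"no running instance for VNF {name}")
        chain.append({"vnf": name, "group": members})
    return chain


# Constructed sample request and VNF instances.
SAMPLE_REQUEST = {"client": "browser", "service": "graphical application",
                  "protocol": "RDP", "mfa": True, "record_video": True,
                  "image_recognition": True}
SAMPLE_INSTANCES = [
    {"id": "gb-1", "vnf": "graphical_bastion"}, {"id": "gb-2", "vnf": "graphical_bastion"},
    {"id": "zt-1", "vnf": "zero_trust"}, {"id": "mfa-1", "vnf": "mfa"},
    {"id": "vr-1", "vnf": "video_recording"}, {"id": "ir-1", "vnf": "image_recognition"},
]

if __name__ == "__main__":
    orch = build_orchestration(analyse_request(SAMPLE_REQUEST))
    print(to_json(orch))
    print(build_service_chain(orch, SAMPLE_INSTANCES))
```

The point of refusing to build a chain when an instance is missing is the consistency argument the patent makes: a session that silently loses its MFA or audit step would have a weaker control strength than an otherwise identical session, which is exactly what atomization is meant to prevent.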
[0080] Through the above embodiments, in addressing the differentiated needs faced by BClinux graphical bastion hosts, a software-defined functionality approach is adopted to orchestrate various atomic capabilities into service chains to meet the requirements of diverse access sessions. Compared to traditional methods that do not rely on software-defined functionality and physical expansion, this application's embodiments solve the problem that previous bastion hosts needed to adapt to various access scenarios one by one, failing to flexibly meet various functionalities, while simultaneously reducing costs and improving hardware performance.
[0081] In one example, constructing a service chain that includes at least the target virtual network function based on the target transport protocol traffic and the JSON data structure, to obtain the enhanced bastion host, specifically includes:
[0082] Analyze the target transport protocol traffic sent by the accessing entity to determine whether the target transport protocol traffic needs to be orchestrated and the corresponding JSON data structure;
[0083] The JSON data structure is passed to the pre-built module entity for service function orchestration.
[0084] For example, the target transport protocol traffic sent by the accessing subject is first analyzed, and then the bastion session to which the target transport protocol traffic belongs is analyzed, thereby determining whether the target transport protocol traffic needs to be orchestrated and the corresponding JSON data structure.
[0085] Once the main function of a bastion host is composed of atomic capabilities, the bastion host can address various access needs: those from different subjects, those destined for different objects, those using different technical channels, those requiring different levels of control, and those needing to meet the latest security control requirements, through logical orchestration.
[0086] Key aspects of orchestration include defining orchestration requirements, digitizing strategies and processes, and separating the control plane from the data plane. Firstly, defining orchestration requirements involves both the enterprise's security control requirements and the subject's application content; the two are overlaid. Enterprise security control requirements may include management requirements, access control, asset ownership, personnel roles, data security requirements, and specific period requirements. The subject's application content may include natural persons, accounts, organizations, terminals, networks, work orders, operation methods, target objects, and data. This yields the five Ws and one H: who (WHO), when (WHEN), where (WHERE), what is done to which object (WHAT), whether there is authorization or a work order (WHY), and by what method (HOW). By overlaying the enterprise's security control requirements and the subject's application content, it is calculated which bastion host the access should land on, what combination of control capabilities should be provided, which of the subject's assets or data should be connected to, and what security control strategy should be adopted.
[0087] Then, the datafication of strategies and processes, including orchestration requirements and control strategies, will form orchestration scripts and data formats that can be recognized and transmitted by programs, such as JSON data format.
[0088] Finally, the separation of the control plane from the data plane is applied to the bastion host itself. To keep orchestration orderly, including orchestration establishment, orchestration operation, process control, and error handling, the business domain of the bastion host needs to be divided into a control plane and a data plane.
[0089] As shown in Figure 4, which is a flowchart of the functional implementation of adding functionality to a bastion host provided by this application, completing the whole service process from network traffic access requires two orchestration stages: network traffic orchestration and service function orchestration. Service function orchestration includes three parts: process orchestration, jump conditions, and module function parameter orchestration. Service function orchestration transmits a standard data format (JSON data structure) to the pre-established module entities, which lets each module entity (such as a character bastion service program) adopt a different strategy for each access session. Deciding the conditions for the different strategies requires passing the data of each condition branch to the next module for service function orchestration.
[0090] After adopting the software-defined functionality model, the process of completing the core functions of the BClinux graphical bastion host includes three parts: the requirement identification and function orchestration stage of the BClinux graphical bastion, the session execution process and exception handling of the BClinux graphical bastion, and the termination stage.
[0091] Through the above embodiments, the software definition and service function orchestration of multiple functions within the BClinux graphical bastion are more flexible than the traditional function overlay mode, can effectively utilize computing resources, and effectively reduce redundant development by atomizing functions, thereby reducing the problems of repeated implementation of security control capabilities and inconsistent security control on different access channels.
[0092] In one example, before analyzing the target transport protocol traffic sent by the accessing subject and determining whether the target transport protocol traffic needs orchestration and the corresponding JSON data structure, the method for adding functionality to a bastion host provided in this application embodiment may further include the following steps:
[0093] Based on the source IP, destination IP, source port, destination port, and validity period of the target transmission protocol traffic, the target transmission protocol traffic is uniquely identified to determine whether the target transmission protocol traffic is unique.
[0094] Analyze the target transport protocol traffic sent by the accessing entity to determine whether the target transport protocol traffic needs orchestration and the corresponding JSON data structure, specifically including:
[0095] When the target transport protocol traffic is unique, analyze the target transport protocol traffic sent by the accessing subject to determine whether the target transport protocol traffic needs to be orchestrated and the corresponding JSON data structure.
[0096] For example, the target transport protocol traffic is analyzed to determine which bastion host session it belongs to and then redirected. The redirection condition is to uniquely identify the target transport protocol traffic using the traffic's five-tuple, including source IP, destination IP, source port, destination port (an ephemeral service port on the bastion host), and validity period. Since the ephemeral service port on the bastion host is unique, this method can handle multiple accesses from the same subject to the same object. Once the uniqueness of the target transport protocol traffic is determined, the network layer functionality of the BClinux operating system can be combined to achieve traffic routing based on the underlying transport protocol.
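The following is an added example, not code from the patent or its applicant, showing how the identification step of paragraphs [0093] to [0096] can be implemented: a flow is keyed by source IP, destination IP, source port, destination port on the bastion host and validity period, a second access from the same subject to the same object is kept distinct by allocating a different ephemeral service port, and only a flow that is both unexpired and not already live is reported as unique and handed to orchestration. The absolute-time expiry, the eviction of expired entries, the port pool and the class and method names are assumptions of this example; the patent does not specify them.

```python
"""Added example (not from the patent): identify a subject's transport-layer
flow by the five elements the description names (source IP, destination IP,
source port, destination port on the bastion host, validity period) and decide
whether it is a unique flow that should be handed to orchestration.

Assumptions made here, not stated by the patent: the validity period is an
absolute expiry time; an entry is live until it expires; a registration whose
addresses collide with a live entry is a duplicate and is not orchestrated
again; the destination port is drawn from a pool of ephemeral service ports
reserved on the bastion host."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class FlowKey:
    src_ip: str
    dst_ip: str        # address the subject connected to on the bastion host
    src_port: int
    dst_port: int      # ephemeral service port allocated on the bastion host
    expires_at: float  # validity period, as absolute time in seconds

    def __post_init__(self):
        # Fail fast on malformed input rather than keying a table on garbage.
        ip_address(self.src_ip)
        ip_address(self.dst_ip)
        for p in (self.src_port, self.dst_port):
            if not 1 <= p <= 65535:
                raise ValueError(f"port out of range: {p}")

    @property
    def addresses(self):
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port)


class FlowTable:
    """Live flows on the bastion host, keyed by the four addresses."""

    def __init__(self, port_pool=range(40000, 40100)):
        self._live = {}            # addresses -> expires_at
        self._port_pool = port_pool

    def _evict(self, now):
        # Entries whose validity period has passed no longer identify a flow.
        self._live = {a: exp for a, exp in self._live.items() if exp > now}

    def register(self, key, now):
        """Return True if `key` is a new, unexpired flow (and record it);
        False if it has already expired or collides with a live flow."""
        self._evict(now)
        if key.expires_at <= now or key.addresses in self._live:
            return False
        self._live[key.addresses] = key.expires_at
        return True

    def allocate_port(self, now):
        """Pick an ephemeral service port used by no live flow, so that two
        accesses from the same subject to the same object get distinct keys."""
        self._evict(now)
        in_use = {a[3] for a in self._live}
        for port in self._port_pool:
            if port not in in_use:
                return port
        raise RuntimeError("ephemeral service port pool exhausted")

    def live_count(self):
        return len(self._live)
```

A flow that fails `register` is simply not orchestrated; the caller decides whether a duplicate key means a retransmitted connection or an attempt to ride an existing session, which is why the table never silently overwrites a live entry.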
[0097] Figure 2 is a flowchart of another method for adding functions to a bastion host provided in an embodiment of this application. As shown in Figure 2, according to some embodiments of this application, optionally, after obtaining the bastion host with added functions by constructing, based on the target transport protocol traffic and the JSON data structure, a service chain that includes at least the target virtual network function, the method for adding functions to a bastion host provided in this application embodiment may further include the following steps S210 to S240.
[0098] S210. Receive the operation request from the access subject;
[0099] S220. Execute the multiple functions of the bastion host sequentially according to the order of the service chain;
[0100] S230. When executing each function, determine whether the next function needs to be executed;
[0101] S240. When the next function does not need to be executed, confirm that at least one data interaction between the access subject and the access object has been completed.
[0102] For example, as shown in Figure 5, which is a flowchart of a software-defined function method for a bastion host provided in an embodiment of this application, in S501 the access subject logs into the 4A access portal and requests access, through the BClinux graphical bastion host, to an object within its permitted scope. In S502 the BClinux graphical bastion host cooperates with the 4A system to analyze the service chain content required by the access request. The analysis elements include the type of requirement, the subject client type (browser | client | application), the object service type (desktop application | graphical application), network channel requirements (protocol and encryption requirements), audit requirements (whether to record video | whether to apply image recognition), security control requirements (whether multi-factor authentication is required), and data security requirements (whether data anonymization is required). S501 and S502 belong to the data plane of the bastion host's business domain and provide a network channel to the accessor. The channel is established to realize the "subject-bastion-object" access process, and the security controls and data flow order within the channel are constrained by the control plane.
[0103] Apart from S501 and S502, the remaining steps belong to the control plane. The control plane capabilities of the bastion host include policy management, security control management, and service orchestration management. The core capability is policy management, which integrates with the unified identity system and obtains unified identity information, unified access control, unified authentication, and the complete access requirements from the 4A system (account, authentication, authorization and audit). The policy management function intervenes in the network routing function of the BClinux operating system, ensuring that once a subject's access request is connected it is incorporated into a specific network flow. Policy management also implements security control during the access process through the security control functions, and orchestration management implements the orchestration methods for the various components.
[0104] S503 constructs a service chain based on the process elements and policy requirements, selectively establishing one or more combinations of functions such as graphical bastion, zero trust, multi-factor authentication, video recording, image recognition, and data anonymization, generating the JSON data structures of process orchestration data, condition orchestration data, and runtime parameter data, and then awaiting access from the accessing subject. S504 receives the network connection from the accessing subject, establishes the connection between the subject, the BClinux graphical bastion host (service chain), and the object, and, through dynamic modification of the underlying layer of the BClinux operating system, diverts the network traffic to the service chain. S505 receives operation requests from the accessing subject, such as commands for connection opening, reconnection, operation clicks, and file transfer. S506 executes each function sequentially according to the service chain order. For each operation request, the next link in the chain is determined: if there is a further bastion host atomic capability (VNF) to be executed, the process jumps to S507; if execution has already completed, the process jumps to S510, which confirms that at least one data interaction between the accessing subject and the accessed object has been completed.
[0105] In one example, after obtaining the enhanced bastion host by constructing a service chain that includes at least the target virtual network functionality based on the target transport protocol traffic and a JSON data structure, the method for enhancing the functionality of the bastion host provided in this application embodiment may further include the following steps:
[0106] When the next function needs to be executed, determine whether the next function is running normally;
[0107] When the next function runs normally, return to the step of determining whether the next function needs to be executed;
[0108] If the next function fails to function properly, skip executing the next function or terminate the access of the access subject to the access object.
[0109] For example, such as Figure 5 As shown, S507 determines whether the bastion host atomic function VNF in the next link of the service chain is normal; S508 calls the function if the bastion host atomic function VNF is normal and jumps to S506; S509 determines whether to skip the next function or stop the access subject to the access object according to the orchestration strategy, and then jumps to S506.
[0110] In one example, after obtaining the enhanced bastion host by constructing a service chain that includes at least the target virtual network functionality based on the target transport protocol traffic and a JSON data structure, the method for enhancing the functionality of the bastion host provided in this application embodiment may further include the following steps:
[0111] Based on the connection status of the bastion host, determine whether to terminate the access of the access subject to the access object;
[0112] When the access subject terminates its access to the accessed object, the service chain information established during this access is cleared.
[0113] For example, as shown in Figure 5, S509 determines whether the connection has ended based on the status of the main connection; for example, the terminal of the operating subject may disconnect actively or be disconnected passively. If the connection has not ended, the process returns to S504; if it has ended, it jumps to S510. S510 completes the execution of all service chains on the BClinux graphical bastion host, ending the current interaction process. S511 determines whether the session should be terminated based on the connection status of the bastion host; this depends on whether the operating subject closes the client or is disconnected by unexpected factors. S512 confirms that the session is closed and clears the service chain information established for this session. S513 ends the process.
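The following is an added example, not code from the patent or its applicant, covering the whole Figure 5 procedure described in paragraphs [0102] to [0113]: the S502 analysis elements are mapped to a set of atomized functions (VNFs), S503's JSON structure of process orchestration data, condition orchestration data and runtime parameter data is generated, one operation request is run through the chain with the S507 health check and the S509 skip-or-terminate decision, and the chain information is cleared at S512. The VNF names and their order, the request field names, the `healthy` callback standing in for the S507 check, and the `on_failure` field that records the orchestration strategy are assumptions of this example; the patent names the capabilities but not these identifiers. The patent leaves the skip-or-terminate choice to the orchestration strategy; the example terminates by default, because skipping a failed security control would silently downgrade the session.

```python
"""Added example (not the patent's own code): build the service chain for one
access request from the S502 elements, emit the S503 JSON structure, run it
with the per-link health check of S506-S509, and clear it at session end
(S511-S512). VNF names, field names, the `healthy` callback and the
`on_failure` field are assumptions of this example."""
import json

# Atomized bastion capabilities (VNFs) in the order they run in a chain.
VNF_ORDER = ["zero_trust", "mfa", "graphical_bastion", "video_recording",
             "image_recognition", "data_anonymization"]

# Constructed sample request, shaped after the S502 analysis elements.
SAMPLE_REQUEST = {
    "requirement_type": "operation",
    "subject_client": "browser",              # browser | client | application
    "object_service": "desktop_application",  # desktop_application | graphical_application
    "network_channel": {"protocol": "rdp", "encrypted": True},
    "audit": {"video_recording": True, "image_recognition": False},
    "security_control": {"mfa": True, "zero_trust": True},
    "data_security": {"anonymization": True},
}


def analyze_request(req):
    """S502: map the request elements to the VNFs the chain must contain."""
    wanted = {"graphical_bastion"}  # the graphical channel itself is always present
    sc, audit = req["security_control"], req["audit"]
    if sc.get("zero_trust"):
        wanted.add("zero_trust")
    if sc.get("mfa"):
        wanted.add("mfa")
    if audit.get("video_recording"):
        wanted.add("video_recording")
    if audit.get("image_recognition"):
        wanted.add("image_recognition")
    if req["data_security"].get("anonymization"):
        wanted.add("data_anonymization")
    return wanted


def build_service_chain(req, skip_on_failure=()):
    """S503: return the orchestration JSON for this request.

    Links not named in `skip_on_failure` terminate the access when their VNF
    is unhealthy (fail closed); only explicitly listed links may be skipped."""
    process = [v for v in VNF_ORDER if v in analyze_request(req)]
    conditions = {}
    for cur, nxt in zip(process, process[1:] + [None]):
        conditions[cur] = {"next": nxt,
                           "on_failure": "skip" if cur in skip_on_failure else "terminate"}
    runtime_params = {
        "graphical_bastion": {"client": req["subject_client"],
                              "service": req["object_service"],
                              "protocol": req["network_channel"]["protocol"],
                              "encrypted": req["network_channel"]["encrypted"]},
        "video_recording": {"format": "session_video"},
        "data_anonymization": {"mode": "mask_sensitive_fields"},
    }
    chain = {"process": process, "conditions": conditions,
             "runtime_params": {v: runtime_params.get(v, {}) for v in process}}
    return json.dumps(chain, sort_keys=True)


def execute_chain(chain_json, operation, healthy):
    """S505-S510 for one operation request (e.g. "connect", "click", "file_transfer").

    `healthy(vnf)` is the S507 check. Returns (completed, trace): completed is
    True iff the chain ran to its end, i.e. at least one subject-object data
    interaction finished; trace records what happened at each link."""
    chain = json.loads(chain_json)
    trace = []
    vnf = chain["process"][0]
    while vnf is not None:
        cond = chain["conditions"][vnf]
        if healthy(vnf):
            trace.append(("run", vnf, operation))        # S508: call the VNF
        elif cond["on_failure"] == "skip":
            trace.append(("skip", vnf, operation))       # S509: skip this link
        else:
            trace.append(("terminate", vnf, operation))  # S509: stop the access
            return False, trace
        vnf = cond["next"]
    return True, trace                                    # S510: interaction done


def close_session(sessions, session_id):
    """S511-S512: when the subject's connection ends, clear the chain info
    kept for that session. Returns True if there was something to clear."""
    return sessions.pop(session_id, None) is not None


if __name__ == "__main__":
    sessions = {"sess-1": build_service_chain(SAMPLE_REQUEST)}
    print(sessions["sess-1"])
    print(execute_chain(sessions["sess-1"], "connect", lambda v: True))
    close_session(sessions, "sess-1")
```

The `conditions` object is the jump-condition data of [0089]: each link names the next link and the strategy for a failed one, so the executor needs no knowledge of which capabilities exist beyond what the JSON carries.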
[0114] Through the above embodiments, leveraging the independent advantages of the BClinux operating system, routing or switching security policies and traffic redirection policies are controlled from the bottom layer. Different bastion hosts are used to execute business operations in different demand scenarios. This is achieved in a software-defined manner, reducing the idle waste of hardware resources, promoting energy conservation and emission reduction, and maintaining consistent security control across all technical channels.
[0115] Based on the method for adding functionality to a bastion host provided in the above embodiments, this application also provides specific implementations of an apparatus for adding functionality to a bastion host. Please refer to the following embodiments.
[0116] Referring first to Figure 6, the apparatus 600 for adding functions to a bastion host provided in this application embodiment includes the following modules:
[0117] Atomization module 601 is used to atomize multiple functions of the bastion host to be added into multiple virtual network functions;
[0118] The receiving module 602 is used to receive an access request initiated by the accessing subject to the accessing object;
[0119] The orchestration module 603 is used to select target virtual network functions from multiple virtual network functions based on access requests, the routing or switching policies of the target operating system, and preset traffic redirection policies, and to orchestrate the service functions to obtain the bastion host with added functions.
[0120] The apparatus for adding functionality to a bastion host provided in this application atomizes multiple functions of the bastion host to be added into multiple virtual network functions. This atomization effectively reduces redundant development, reduces the problem of repeated implementation of security control capabilities on different access channels, and reduces inconsistent security control. Furthermore, based on the access request initiated by the access subject to the access object, and based on the routing or switching policies and traffic redirection policies of the target operating system, the target virtual network function is selected from multiple virtual network functions for service function orchestration to obtain the bastion host with added functionality. Compared with the traditional function overlay mode, this is more flexible, can effectively utilize computing resources, reduce the complexity of the internal logic of the graphical bastion, and improve the quality and stability of operation.
[0121] In some embodiments, the above-described orchestration module 603 is specifically used for:
[0122] The access request is analyzed to obtain the target information carried by the access request. The target information includes at least one of the following: the type of request, the type of the main client, the type of the object service, the network channel requirements, the audit requirements, the security control requirements, and the data security requirements.
[0123] Based on the target information, determine the target virtual network functions and generate JSON data structures for process orchestration data, condition orchestration data, and runtime parameter data;
[0124] Receive target transport protocol traffic sent by the accessing entity;
[0125] Based on the target transport protocol traffic and the JSON data structure, construct a service chain that includes at least the target virtual network function, thereby obtaining the bastion host with added functions.
[0126] In some embodiments, the above-described orchestration module 603 can also be used for:
[0127] Analyze the target transport protocol traffic sent by the accessing entity to determine whether the target transport protocol traffic needs to be orchestrated and the corresponding JSON data structure;
[0128] The JSON data structure is passed to the pre-built module entity for service function orchestration.
[0129] In some embodiments, the apparatus 600 for adding functions to a bastion host may further include an identification module for:
[0130] Based on the source IP, destination IP, source port, destination port, and validity period of the target transmission protocol traffic, the target transmission protocol traffic is uniquely identified to determine whether the target transmission protocol traffic is unique.
[0131] Analyze the target transport protocol traffic sent by the accessing entity to determine whether the target transport protocol traffic needs orchestration and its corresponding JSON data structure, specifically including:
[0132] When the target transport protocol traffic is unique, analyze the target transport protocol traffic sent by the accessing subject to determine whether the target transport protocol traffic needs to be orchestrated and the corresponding JSON data structure.
[0133] In some embodiments, the apparatus 600 for adding functions to a bastion host may further include a receiving module for:
[0134] Receive operation requests from the access subject;
[0135] The various functions of the bastion host are executed sequentially according to the service chain order.
[0136] When executing each function, determine whether the next function needs to be executed;
[0137] When the next function is not required, determine at least one data interaction that has been completed between the access subject and the access object.
[0138] In some embodiments, the apparatus 600 for adding functionality to a bastion host may further include a first determination module, used for:
[0139] When the next function needs to be executed, determine whether the next function is running normally;
[0140] When the next function runs normally, return to the step of determining whether the next function needs to be executed;
[0141] If the next function fails to function properly, skip executing the next function or terminate the access of the access subject to the access object.
[0142] In some embodiments, the apparatus 600 for adding functionality to the bastion host may further include a second determination module, used for:
[0143] Based on the connection status of the bastion host, determine whether to terminate the access of the access subject to the access object;
[0144] When the access subject terminates its access to the accessed object, the service chain information established during this access is cleared.
[0145] Each module/unit in the apparatus shown in Figure 6 has the function of the corresponding step in the method for adding functions to a bastion host provided in the above method embodiment and can achieve its corresponding technical effect. For the sake of brevity, it will not be described in detail here.
[0146] Based on the method for adding functionality to a bastion host provided in the above embodiments, this application also provides specific implementation methods for electronic devices. Please refer to the following embodiments.
[0147] Figure 7 is a schematic diagram of the hardware structure of the electronic device provided in an embodiment of this application.
[0148] The electronic device may include a processor 701 and a memory 702 storing computer program instructions.
[0149] Specifically, the processor 701 may include a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits that can be configured to implement the embodiments of this application.
[0150] Memory 702 may include mass storage for data or instructions. For example, and not limitingly, memory 702 may include a hard disk drive (HDD), floppy disk drive, flash memory, optical disk, magneto-optical disk, magnetic tape, or Universal Serial Bus (USB) drive, or a combination of two or more of these. In one example, memory 702 may include removable or non-removable (or fixed) media, or memory 702 may be non-volatile solid-state memory. Memory 702 may be internal or external to the electronic device.
[0151] In one example, memory 702 may be read-only memory (ROM). In one example, the ROM may be a mask-programmed ROM, a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), an electrically rewritable ROM (EAROM), or flash memory, or a combination of two or more of these.
[0152] Memory 702 may include read-only memory (ROM), random access memory (RAM), disk storage media device, optical storage media device, flash memory device, electrical, optical, or other physical / tangible memory storage device. Therefore, typically, memory includes one or more tangible (non-transitory) computer-readable storage media (e.g., memory devices) encoded with software including computer-executable instructions, and when the software is executed (e.g., by one or more processors), it is operable to perform the operations described with reference to the method according to one aspect of this application.
[0153] The processor 701 reads and executes the computer program instructions stored in the memory 702 to implement the methods / steps in the above method embodiments and achieve the corresponding technical effects achieved by the method embodiments in executing their methods / steps. For the sake of brevity, these details will not be repeated here.
[0154] In one example, the electronic device may also include a communication interface 703 and a bus 710. As shown in Figure 7, the processor 701, memory 702, and communication interface 703 are connected through bus 710 and communicate with each other.
[0155] The communication interface 703 is mainly used to realize communication between various modules, devices, units and / or equipment in the embodiments of this application.
[0156] Bus 710 includes hardware, software, or both, that couples the components of the electronic device together. For example, and not limitingly, the bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Extended Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI Express (PCIe) bus, a Serial Advanced Technology Attachment (SATA) bus, a VESA Local Bus (VLB), or other suitable buses, or a combination of two or more of these. Where appropriate, bus 710 may include one or more buses. Although specific buses are described and illustrated in embodiments of this application, this application contemplates any suitable bus or interconnect.
[0157] Furthermore, in conjunction with the method for adding functionality to a bastion host in the above embodiments, this application embodiment can provide a computer-readable storage medium for implementation. This computer-readable storage medium stores computer program instructions; when these computer program instructions are executed by a processor, they implement any of the methods for adding functionality to a bastion host in the above embodiments. Examples of computer-readable storage media include non-transitory computer-readable storage media, such as electronic circuits, semiconductor memory devices, ROM, random access memory, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, and hard disks.
[0158] It should be clarified that this application is not limited to the specific configurations and processes described above and shown in the figures. For the sake of brevity, detailed descriptions of known methods are omitted here. In the above embodiments, several specific steps are described and shown as examples. However, the method process of this application is not limited to the specific steps described and shown. Those skilled in the art can make various changes, modifications, and additions, or change the order of steps, after understanding the spirit of this application.
[0159] The functional blocks shown in the above-described block diagram can be implemented as hardware, software, firmware, or a combination thereof. When implemented in hardware, they can be, for example, electronic circuits, application-specific integrated circuits (ASICs), appropriate firmware, plug-ins, function cards, etc. When implemented in software, the elements of this application are programs or code segments used to perform the required tasks. Programs or code segments can be stored on a machine-readable medium or transmitted over a transmission medium or communication link via data signals carried on a carrier wave. "Machine-readable medium" can include any medium capable of storing or transmitting information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, radio frequency (RF) links, etc. Code segments can be downloaded via computer networks such as the Internet, intranets, etc.
[0160] It should also be noted that the exemplary embodiments mentioned in this application describe methods or systems based on a series of steps or apparatus. However, this application is not limited to the order of the above steps; that is, the steps can be performed in the order mentioned in the embodiments, or in a different order, or several steps can be performed simultaneously.
[0161] The aspects of this application have been described above with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this application. It should be understood that each block in the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing apparatus to produce a machine such that these instructions, executable via the processor of the computer or other programmable data processing apparatus, enable the implementation of the functions / actions specified in one or more blocks of the flowchart illustrations and / or block diagrams. Such a processor can be, but is not limited to, a general-purpose processor, a special-purpose processor, a special application processor, or a field-programmable logic circuit. It is also understood that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can also be implemented by dedicated hardware performing the specified functions or actions, or can be implemented by a combination of dedicated hardware and computer instructions.
[0162] The above description is merely a specific implementation of this application. Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, modules, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here. It should be understood that the protection scope of this application is not limited thereto. Any person skilled in the art can easily conceive of various equivalent modifications or substitutions within the technical scope disclosed in this application, and these modifications or substitutions should all be covered within the protection scope of this application.
Claims
1. A method for adding functions to a bastion host, characterized in that it includes: atomizing the multiple functions of the bastion host to be added into multiple virtual network functions, wherein the zero trust, auditing, and vault functions of the bastion host to be added are decoupled from its network service, traffic encryption and decryption, and file analysis functions; receiving an access request initiated by the accessing subject to the accessed object; and, based on the access request and according to the routing or switching policy of the target operating system and a preset traffic redirection policy, selecting the target virtual network function from the multiple virtual network functions and orchestrating the service functions to obtain the bastion host with added functions. The step of selecting the target virtual network function from the multiple virtual network functions based on the access request, the routing or switching policy of the target operating system, and the preset traffic redirection policy, and orchestrating the service functions to obtain the bastion host with added functions, specifically includes: analyzing the access request to obtain the target information carried by the access request, the target information including at least one of the following: the type of requirement, the subject client type, the object service type, the network channel requirements, the audit requirements, the security control requirements, and the data security requirements;
Based on the target information, determine the target virtual network function and generate a JSON data structure containing process orchestration data, condition orchestration data, and runtime parameter data; Receive the target transport protocol traffic sent by the accessing entity; Based on the target transport protocol traffic and the JSON data structure, a service chain including at least the target virtual network function is constructed to obtain the bastion host with added functions.
2. The method of claim 1, wherein, The process of constructing a service chain that includes at least the target virtual network functionality based on the target transport protocol traffic and the JSON data structure to obtain the enhanced bastion host specifically includes: Analyze the target transport protocol traffic sent by the accessing entity to determine whether the target transport protocol traffic needs to be orchestrated and the corresponding JSON data structure; The JSON data structure is passed to the pre-established module entity for service function orchestration.
3. The method according to claim 2, characterized in that, Before analyzing the target transport protocol traffic sent by the accessing subject and determining whether the target transport protocol traffic needs orchestration and the corresponding JSON data structure, the method further includes: Based on the source IP, destination IP, source port, destination port, and validity period of the target transmission protocol traffic, the target transmission protocol traffic is uniquely identified to determine whether the target transmission protocol traffic is unique. The analysis of the target transport protocol traffic sent by the accessing subject, determining whether the target transport protocol traffic needs orchestration and the corresponding JSON data structure, specifically includes: When the target transport protocol traffic is unique, analyze the target transport protocol traffic sent by the accessing subject to determine whether the target transport protocol traffic needs to be orchestrated and the corresponding JSON data structure.
4. The method of claim 1, wherein, After obtaining the enhanced bastion host by constructing a service chain that includes at least the target virtual network functionality based on the target transport protocol traffic and the JSON data structure, the method further includes: Receive the operation request from the access subject; The various functions of the bastion host are executed sequentially according to the order of the service chain. When executing each function, determine whether the next function needs to be executed; When the next function is not required to be executed, determine at least one data interaction that has been completed between the access subject and the access object.
5. The method according to claim 4, characterized in that, After obtaining the enhanced bastion host by constructing a service chain that includes at least the target virtual network functionality based on the target transport protocol traffic and the JSON data structure, the method further includes: When the next function needs to be executed, determine whether the next function is running normally; When the next function is running normally, return to the step of determining whether the next function needs to be executed; If the next function does not work properly, skip executing the next function or terminate the access of the access subject to the access object.
6. The method of claim 4, wherein, After obtaining the enhanced bastion host by constructing a service chain that includes at least the target virtual network functionality based on the target transport protocol traffic and the JSON data structure, the method further includes: Based on the connection status of the bastion host, determine whether to terminate the access of the access subject to the access object; When the access subject terminates its access to the access object, the service chain information established during this access is cleared.
7. An apparatus for adding functions to a bastion host, characterized in that it includes: an atomization module, used to atomize the multiple functions of the bastion host to be added into multiple virtual network functions, wherein the zero trust, auditing, and vault functions of the bastion host to be added are decoupled from its network service, traffic encryption and decryption, and file analysis functions; a receiving module, used to receive an access request initiated by the accessing subject to the accessed object; and an orchestration module, used to select the target virtual network function from the multiple virtual network functions according to the access request, and based on the routing or switching policy of the target operating system and a preset traffic redirection policy, to perform service function orchestration and obtain the bastion host with added functions. The orchestration module is further configured to analyze the access request to obtain the target information carried by the access request, the target information including at least one of the following: the type of requirement, the subject client type, the object service type, the network channel requirements, the audit requirements, the security control requirements, and the data security requirements; to determine the target virtual network function based on the target information and generate the JSON data structures of process orchestration data, condition orchestration data, and runtime parameter data; to receive the target transport protocol traffic sent by the accessing subject; and, based on the target transport protocol traffic and the JSON data structure, to construct a service chain including at least the target virtual network function so as to obtain the bastion host with added functions.
8. An electronic device, characterized in that it includes: a processor, a memory, and a computer program stored in the memory and executable on the processor, wherein the computer program, when executed by the processor, implements the steps of the method for adding functions to a bastion host as described in any one of claims 1 to 6.
9. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which, when executed by a processor, implements the steps of the method for adding functions to a bastion host as described in any one of claims 1 to 6.