CN112887317A - Method and system for protecting database based on VXLAN network - Google Patents
- Publication number: CN112887317A
- Application number: CN202110131813.4A
- Authority: CN (China)
- Prior art keywords: data packet, vxlan, judgment, result, matching
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L12/00—Data switching networks
        - H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
          - H04L12/46—Interconnection of networks
            - H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          - H04L63/0227—Filtering policies
            - H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
        - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
          - H04L63/1433—Vulnerability analysis
          - H04L63/1441—Countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a method and a system for protecting a database based on a VXLAN network, and relates to the field of computer network communication. The method comprises the following steps: acquiring a data packet and parsing its link-layer header; performing a first judgment on the parsed data packet, and parsing it according to a first preset rule if it is the target data packet or according to a second preset rule if it is not; and matching the bound risk policy according to the parsing result and performing a second judgment on the matched bound policy. The method can be used by a database auditing and protection system deployed in a VXLAN network: it decapsulates messages, supports forwarding of VXLAN messages, and provides policy-matched risk alarms and access control. The invention also provides a corresponding protection system for a database based on a VXLAN network.
Description
Technical Field
The invention relates to the field of computer network communication, and in particular to a method and a system for protecting a database based on a VXLAN (Virtual eXtensible Local Area Network).
Background
In the prior art, Virtual eXtensible LAN (VXLAN) technology is used to extend network virtualization so that enough virtual networks can be provided to satisfy users.
With the rapid development of cloud computing, the degree of virtualization in data centers keeps rising, and so do the demands on the physical network. For example, Top-of-Rack (TOR) switches deployed in a data center network need to maintain a very large Media Access Control (MAC) address table. As another example, the existing Virtual Local Area Network (VLAN) technology supports at most 4094 isolated layer-2 forwarding domains and cannot provide network isolation for massive numbers of virtual machines. As a further example, an effective network isolation technology is urgently needed in multi-tenant environments to ensure the data security of users.
The existing VXLAN technology can solve these problems. In practical applications, however, VXLAN is vulnerable to counterfeit VXLAN messages. For example, when an attacker sends a large number of spoofed VXLAN messages to a VXLAN Tunnel Endpoint (VTEP) device, the VTEP device has to devote a large share of its processor resources to processing them, leaving it without enough processor resources to process non-VXLAN messages and thereby reducing its normal operating efficiency.
The layer-2 Ethernet frames encapsulated by VXLAN can cross layer-3 network boundaries, which makes networking and application deployment more flexible and supports larger logical networks. In a VXLAN network, however, because of the special format of the messages, a product that does not support VXLAN cannot provide its corresponding function, and parsing VXLAN data packets is too inefficient.
Disclosure of Invention
The invention aims to provide a method for protecting a database based on a VXLAN network, by which a database audit system deployed in the VXLAN network can decapsulate messages, audit them and perform risk analysis. The database firewall system decapsulates the message, supports forwarding of the VXLAN message, and provides policy-matched risk alarms and access control.
Another object of the present invention is to provide a protection system for a database based on a VXLAN network, which can run the protection method described above.
The embodiments of the invention are realized by the following steps:
In a first aspect, an embodiment of the present application provides a method for protecting a database based on a VXLAN network, which includes: acquiring a data packet and parsing its link-layer header; performing a first judgment on the parsed data packet, parsing it according to a first preset rule if it is the target data packet and according to a second preset rule if it is not; matching the bound risk policy according to the parsing result and performing a second judgment on the matched bound policy; and caching the result of the policy match, sending an alarm according to the configuration, and compressing and storing the alarm in parallel.
In some embodiments, acquiring the data packet includes: deploying a database auditing and protection system transparently in the VXLAN network, and using DPDK to achieve high-speed service forwarding for the database firewall.
In some embodiments, the first judgment on the parsed data packet includes: judging, from the parsed link-layer header, whether the data packet is a VXLAN data packet.
In some embodiments, if the judgment result is the target data packet, parsing according to the first preset rule includes: if the data packet is a VXLAN data packet, parsing its link-layer header according to the VXLAN data packet format.
In some embodiments, if the judgment result is not the target data packet, parsing according to the second preset rule includes: judging whether the parsing result is a service data packet that needs further processing; if so, shifting to the data part of the VXLAN data packet and parsing that data according to the normal IP data packet format.
In some embodiments, matching the bound risk policy according to the parsing result and performing the second judgment on the matched bound policy includes: matching the bound policy according to the parsing result, and judging whether to forward the packet or to block and discard it.
In some embodiments, caching the result of the policy match and sending the alarm according to the configuration with parallel compressed storage includes: caching the result of the policy match, sending an alarm according to the configuration, and storing the alarm through parallel IO.
In some embodiments, the method further includes: after IO storage, creating an index in Java and displaying statistical analysis on a UI page.
In a second aspect, an embodiment of the present application provides a protection system for a database based on a VXLAN network, which includes an acquisition module, configured to acquire a data packet and parse its link-layer header;
a first judgment module, configured to perform a first judgment on the parsed data packet, parsing it according to a first preset rule if it is the target data packet and according to a second preset rule if it is not;
a second judgment module, configured to match the bound risk policy according to the parsing result and perform a second judgment on the matched bound policy;
and a cache module, configured to cache the result of the policy match, send an alarm according to the configuration, and compress and store the alarm in parallel.
In some embodiments, the system further includes: at least one memory for storing computer instructions; and at least one processor in communication with the memory, wherein the at least one processor, when executing the computer instructions, causes the system to provide the acquisition module, the first judgment module, the second judgment module and the cache module.
Compared with the prior art, the embodiments of the invention have at least the following advantages or beneficial effects:
VXLAN data forwarding and data security protection are supported in a VXLAN environment. The following access control problems in VXLAN environments can also be solved. Access control capability: detection and blocking of access to sensitive data is supported, such as real-time access control over queries, modifications or deletions of sensitive databases, sensitive tables and sensitive fields. Intrusion detection capability: real-time detection and interception of internal unauthorized operations, SQL injection and vulnerability attacks is supported.
In a VXLAN network, the deployed database auditing system decapsulates and audits messages and performs risk analysis. The database firewall system decapsulates the message, supports forwarding of the VXLAN message, and provides policy-matched risk alarms and access control.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 is a schematic diagram illustrating steps of a method for protecting a database based on a VXLAN network according to an embodiment of the present invention;
fig. 2 is a detailed step diagram of a database protection method based on a VXLAN network according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a database protection system module based on a VXLAN network according to an embodiment of the present invention.
Reference numerals: 10 - acquisition module; 20 - first judgment module; 30 - second judgment module; 40 - cache module.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Some embodiments of the present application will be described in detail below with reference to the accompanying drawings. The embodiments described below and the individual features of the embodiments can be combined with one another without conflict.
Example 1
Referring to fig. 1, which is a schematic diagram of the steps of a database protection method based on a VXLAN network according to an embodiment of the present invention, the method proceeds as follows:
Step S100: acquire a data packet and parse its link-layer header.
In some embodiments, a TCP event or data packet is obtained and the link-layer header of the data packet is parsed. Packets transmitted by the network layer are carried as "frames" in the data link layer: when a data packet arrives at the data link layer, the data link layer's protocol header and trailer are added to form a data frame. A frame header is added in front of the network-layer packet and a frame trailer after it, with the packet becoming the data part of the frame, so that a complete frame is formed. The frame header and trailer serve as the start and end marks of the frame, that is, the frame boundary. Parsing decapsulates the message and identifies the VXLAN field.
Step S110: perform a first judgment on the parsed data packet; if the judgment result is the target data packet, parse according to a first preset rule, otherwise parse according to a second preset rule.
In some embodiments, this judgment is made from the IP address and port number of the protected database engine in the VXLAN network.
In some embodiments, the link-layer header of the data packet is parsed to determine whether it is a VXLAN data packet; if so, the link-layer header is parsed according to the VXLAN data packet format; if not, it is judged whether the message is a normal message and, if so, it is parsed as a normal message.
VXLAN (Virtual eXtensible Local Area Network) is a virtual tunnel communication technology. It is an overlay technology: a virtual layer-2 network is built on top of a layer-3 network.
In brief, VXLAN uses tunneling over the underlying physical network (the underlay) and builds an overlay logical network on top of a UDP layer, so that the logical network is decoupled from the physical network and flexible networking requirements can be met. It has little impact on the existing network architecture and can set up a new network without changing the existing one. Because of this property, many CNI plug-ins choose VXLAN as their communication network.
In some embodiments, VXLAN supports not only one-to-one but also one-to-many communication; a VXLAN device can learn the IP addresses of other peers in a bridge-like learning manner, or a static forwarding table can be configured directly.
Step S120: match the bound risk policy according to the parsing result and perform a second judgment on the matched bound policy.
In some embodiments, whether to forward the packet or to discard it as risk blocking is decided according to the parsing result matched against the bound policy. The method is deployed in a VXLAN environment, identifies risky operations, performs blocking control in real time, and protects the security of the database and the integrity of its data.
Step S130: cache the result of the policy match, send the alarm according to the configuration, and compress and store the alarm.
Specifically, the result of the policy match is cached, an alarm is sent according to the configuration, IO storage is performed in parallel, an index is created in Java, and statistical analysis is displayed on a UI page.
In some embodiments, IO is an abbreviation of Input/Output, the process by which a computer schedules the reading and writing of data to each kind of storage (including memory and external storage). Java represents these read and write operations abstractly as streams, packaged as classes in its I/O library, so that a Java program can access different input/output sources in the same way. A stream is ordered data flowing from a source to a sink. If the input/output sources are likened to "buckets", the stream is the "pipe", and properties of the pipe such as its width and its one-way direction are what distinguish different streams.
Example 2
Referring to fig. 2, which is a detailed step diagram of a database protection method based on a VXLAN network according to an embodiment of the present invention, the method proceeds as follows:
Step S200: transparently deploy a database auditing and protection system in the VXLAN network, and use DPDK to achieve high-speed service forwarding for the database firewall.
Step S210: determine from the parsed link-layer header whether the packet is a VXLAN packet.
Step S220: if the packet is a VXLAN packet, parse its link-layer header according to the VXLAN packet format.
Step S230: judge whether the parsing result is a service data packet that needs further processing.
Step S240: if it is a service data packet to be processed, shift to the data part of the VXLAN data packet and parse that data according to the normal IP data packet format.
Step S250: judge whether to forward or to block and discard according to the bound policy matched against the parsing result.
Step S260: cache the result of the policy match, send the alarm according to the configuration, and store the alarm through parallel IO.
Step S270: after IO storage, create an index in Java and display statistical analysis on a UI page.
In some embodiments, the layer-2 Ethernet frames encapsulated by VXLAN may span layer-3 network boundaries, allowing more flexibility in networking and application deployment while supporting larger logical networks. In a VXLAN network, however, because of the special format of the messages, a product that does not support VXLAN cannot provide its corresponding function.
The purpose of this patent is to support VXLAN data forwarding and data security functions in a VXLAN environment.
The database firewall uses DPDK, and is deployed in the VXLAN environment, identifies risky operations, performs blocking control in real time, and protects database security and data integrity without changing the production network.
In some embodiments, DPDK bypasses the Linux kernel protocol stack to accelerate packet processing, and the user can implement a custom protocol stack in user space to meet the application's requirements. The present embodiment uses DPDK to optimize network performance.
In some embodiments, the link-layer header of the packet is parsed to determine whether it is a VXLAN packet; if so, the header is parsed according to the VXLAN packet format to determine whether it is a service packet to be processed. If it is, processing shifts to the data part of the VXLAN data packet, and that data is parsed according to the normal IP data packet format. The parsing result is matched against the bound policy to judge whether to forward or to block and discard; the result of the policy match is cached, an alarm is sent according to the configuration, IO storage is performed in parallel, an index is created in Java, and statistical analysis is displayed on a UI page.
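The parse-then-judge pipeline of steps S100-S130 (Example 1) and S200-S250 (Example 2), as an added illustration that is not the patent's own code and uses no DPDK: a bounds-checked parser performs the first judgment on the outer headers, extracts the VNI and shifts into the encapsulated frame when the packet is VXLAN, then the second judgment matches the resulting flow against a bound policy (one protected database address and port plus a client allow-list). The packet bytes, the addresses, the ports, VNI 100 and the policy are all constructed for the example; in the deployed system the frames would come from a DPDK poll-mode driver rather than from these builders.

```c
/* Added example, not the patent's own code: the parse-then-judge pipeline of steps
 * S100-S130 / S200-S250 in plain C without DPDK. All packet bytes, addresses, ports,
 * the VNI (100) and the policy below are constructed purely for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define VXLAN_UDP_PORT 4789
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

enum verdict { VERDICT_FORWARD = 0, VERDICT_BLOCK = 1, VERDICT_NOT_TARGET = 2, VERDICT_MALFORMED = 3 };

/* What the second judgment (policy match) looks at: inner addresses/ports for VXLAN, outer otherwise. */
struct flow { int is_vxlan; uint32_t vni; uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; };
/* The "binding strategy": one protected database engine and the clients allowed to reach it. */
struct binding_policy { uint32_t db_ip; uint16_t db_port; const uint32_t *allowed_src; size_t n_allowed; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i)); }

/* Parse Ethernet/IPv4/(UDP|TCP) headers at buf[off], every read bounds-checked.
 * Returns the offset of the L4 payload, or -1 if the bytes do not form that header chain. */
static int parse_eth_ip_l4(const uint8_t *buf, size_t len, size_t off, struct flow *f)
{
    if (off + 14 > len || rd16(buf + off + 12) != 0x0800) return -1;   /* EtherType IPv4 only */
    off += 14;
    if (off + 20 > len || (buf[off] >> 4) != 4) return -1;
    size_t ihl = (size_t)(buf[off] & 0x0f) * 4, l4len;
    if (ihl < 20 || off + ihl > len) return -1;
    f->proto = buf[off + 9]; f->src_ip = rd32(buf + off + 12); f->dst_ip = rd32(buf + off + 16);
    off += ihl;
    if (f->proto == 17) l4len = 8;                                                      /* UDP */
    else if (f->proto == 6 && off + 20 <= len) l4len = (size_t)(buf[off + 12] >> 4) * 4; /* TCP data offset */
    else return -1;
    if ((f->proto == 6 && l4len < 20) || off + l4len > len) return -1;
    f->src_port = rd16(buf + off); f->dst_port = rd16(buf + off + 2);
    return (int)(off + l4len);
}

/* First judgment (S210/S220/S240): if the outer headers say VXLAN (UDP to 4789 with the I flag
 * set), record the VNI, shift past the 8-byte VXLAN header and parse the inner frame as a normal
 * Ethernet/IP packet. Any truncation fails closed with -1 instead of being forwarded unjudged. */
int parse_packet(const uint8_t *buf, size_t len, struct flow *f)
{
    memset(f, 0, sizeof *f);
    int off = parse_eth_ip_l4(buf, len, 0, f);
    if (off < 0) return -1;
    if (f->proto == 17 && f->dst_port == VXLAN_UDP_PORT) {
        if ((size_t)off + 8 > len || !(buf[off] & 0x08)) return -1;
        f->is_vxlan = 1;
        f->vni = rd32(buf + off + 4) >> 8;                          /* 24-bit VNI, reserved byte dropped */
        off = parse_eth_ip_l4(buf, len, (size_t)off + 8, f);        /* overwrites the outer 5-tuple */
    }
    return off;
}

/* Second judgment (S250): only TCP traffic to the bound database engine is a target; an unlisted
 * client reaching it is blocked, a listed one is forwarded. */
enum verdict match_policy(const struct flow *f, const struct binding_policy *p)
{
    if (f->proto != 6 || f->dst_ip != p->db_ip || f->dst_port != p->db_port) return VERDICT_NOT_TARGET;
    for (size_t i = 0; i < p->n_allowed; i++) if (f->src_ip == p->allowed_src[i]) return VERDICT_FORWARD;
    return VERDICT_BLOCK;
}

/* Builders for the constructed sample frames (checksums and length fields are not checked above). */
static size_t put_eth(uint8_t *b, size_t o) { memset(b + o, 0x02, 12); wr16(b + o + 12, 0x0800); return o + 14; }
static size_t put_ipv4(uint8_t *b, size_t o, uint8_t proto, uint32_t s, uint32_t d) {
    memset(b + o, 0, 20); b[o] = 0x45; b[o + 8] = 64; b[o + 9] = proto; wr32(b + o + 12, s); wr32(b + o + 16, d); return o + 20; }
static size_t put_udp(uint8_t *b, size_t o, uint16_t sp, uint16_t dp) { memset(b + o, 0, 8); wr16(b + o, sp); wr16(b + o + 2, dp); return o + 8; }
static size_t put_tcp(uint8_t *b, size_t o, uint16_t sp, uint16_t dp) { memset(b + o, 0, 20); wr16(b + o, sp); wr16(b + o + 2, dp); b[o + 12] = 0x50; return o + 20; }
static size_t put_vxlan(uint8_t *b, size_t o, uint32_t vni) { memset(b + o, 0, 8); b[o] = 0x08; wr32(b + o + 4, vni << 8); return o + 8; }

/* Constructed policy: database engine 10.0.0.5:3306, only client 10.0.1.20 may reach it. */
static const uint32_t ALLOWED[] = { IP(10, 0, 1, 20) };
static const struct binding_policy POLICY = { IP(10, 0, 0, 5), 3306, ALLOWED, 1 };
uint32_t last_vni;   /* VNI seen by the most recent sample, kept for inspection */

/* Build one constructed sample (VXLAN-encapsulated with VNI 100, or plain) from client_ip to
 * 10.0.0.5:dport, drop drop_tail bytes from its end to simulate truncation, return the verdict. */
int sample_verdict(int vxlan, uint32_t client_ip, uint16_t dport, size_t drop_tail)
{
    uint8_t buf[160]; struct flow f; size_t o = put_eth(buf, 0);
    if (vxlan) {
        o = put_ipv4(buf, o, 17, IP(192, 168, 1, 1), IP(192, 168, 1, 2));   /* VTEP to VTEP */
        o = put_udp(buf, o, 49152, VXLAN_UDP_PORT);
        o = put_vxlan(buf, o, 100);
        o = put_eth(buf, o);
    }
    o = put_ipv4(buf, o, 6, client_ip, IP(10, 0, 0, 5));
    o = put_tcp(buf, o, 51000, dport);
    if (parse_packet(buf, o - drop_tail, &f) < 0) return VERDICT_MALFORMED;
    last_vni = f.vni;
    return (int)match_policy(&f, &POLICY);
}

int main(void)
{
    printf("vxlan, allowed client -> %d\n", sample_verdict(1, IP(10, 0, 1, 20), 3306, 0)); /* 0 forward */
    printf("vxlan, unknown client -> %d\n", sample_verdict(1, IP(10, 0, 9, 9), 3306, 0));  /* 1 block */
    printf("vxlan, other service  -> %d\n", sample_verdict(1, IP(10, 0, 9, 9), 8080, 0));  /* 2 not target */
    printf("vxlan, truncated      -> %d\n", sample_verdict(1, IP(10, 0, 1, 20), 3306, 30)); /* 3 malformed */
    return 0;
}
```

Two design points matter for an inline database firewall. The policy is evaluated on the inner 5-tuple, so the outer VTEP addresses never decide a verdict; and a VXLAN frame whose inner headers are truncated or not IPv4 is reported as malformed rather than passed through unjudged, which is the fail-closed default a protection device should keep.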
In some embodiments, as an extension, a VXLAN message is received, where the VXLAN message may be a local VXLAN message or a non-local VXLAN message.
It should be noted that a local VXLAN message is a VXLAN message whose header carries a local VNI, where the local VNIs are the VNIs of all VXLAN networks supported by the VTEP device; carrying a local VNI means that the VNI in the VXLAN message header equals one of the VNIs of the VXLAN networks supported by the VTEP device. Correspondingly, a non-local VXLAN message is a VXLAN message whose header does not carry a local VNI, meaning that the VNI in its header belongs to some VXLAN network other than those supported by the VTEP device.
The number of non-local VXLAN messages received within a first preset time is counted. The first preset time is a preset interval over which the VTEP device counts non-local VXLAN messages, and may be set according to the specific application environment. For example, if the number of non-local VXLAN messages received by the VTEP device varies greatly between time periods, the first preset time may be set to a small value, for example 1 second, to improve the accuracy of the count. As another example, if the number of non-local VXLAN messages received by the VTEP device stays small over a long time, the first preset time may be set to a large value, for example 1 hour.
When the counted number of non-local VXLAN messages is greater than or equal to a first threshold, received non-local VXLAN messages are discarded. The first threshold may be set according to the specific application environment, which includes the maximum number of messages the VTEP device can process per unit time. In practice, the numbers of local VXLAN messages and of non-VXLAN messages can be counted in addition to the number of non-local VXLAN messages; when the share of local VXLAN and non-VXLAN messages among all received messages is high (for example 80%) and the ratio of the total number of messages received per unit time to the maximum number the VTEP device can process per unit time is large (for example 0.9), the first threshold may be set to a small value. The total number of messages received by the VTEP device in a unit time is the sum of the non-local VXLAN, local VXLAN and non-VXLAN messages it receives in that unit time.
In addition, if the counted number of non-local VXLAN messages is smaller than the first threshold, the VTEP device has enough remaining processor resources to process the received non-local VXLAN messages and non-VXLAN messages, so it decapsulates them.
By counting the non-local VXLAN messages received within the first preset time and discarding received non-local VXLAN messages once the count reaches the first threshold, counterfeit VXLAN messages from non-local VXLAN networks are prevented from occupying a large share of the VTEP device's processor resources; the VTEP device can reserve enough processor resources to process local VXLAN messages and non-VXLAN messages, and its normal working efficiency is improved.
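The non-local VNI guard described in this extension, as an added example that is not the patent's own code: per-window counts of local VXLAN, non-local VXLAN and non-VXLAN messages, a drop decision once the non-local count reaches the first threshold, a window reset after the first preset time, and the tightening condition (80% share and 0.9 load) evaluated from the same counters. The local VNIs 100 and 200, the foreign VNI 999, the 1-second window, the threshold of 10 and the per-window capacity are constructed values; reading the 80% figure as the share of local VXLAN plus non-VXLAN messages among all received messages is an assumption about the text.

```c
/* Added example, not the patent's own code: the non-local VNI guard of the "extension"
 * passage. Window, threshold, VNIs and capacity are constructed values. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_LOCAL_VNI 8

enum guard_action { GUARD_DECAP = 0, GUARD_DROP = 1 };

struct vtep_guard {
    uint32_t local_vni[MAX_LOCAL_VNI]; size_t n_local;     /* VNIs of the networks this VTEP serves */
    uint32_t window_sec;                                   /* the "first preset time", in seconds */
    uint32_t threshold;                                    /* the "first threshold" */
    uint32_t window_start;                                 /* start of the current window, in seconds */
    uint32_t nonlocal_count, local_count, nonvxlan_count;  /* tallies for the current window */
};

static bool is_local_vni(const struct vtep_guard *g, uint32_t vni)
{
    for (size_t i = 0; i < g->n_local; i++) if (g->local_vni[i] == vni) return true;
    return false;
}

/* Start a fresh count once the preset time has elapsed. */
static void guard_roll_window(struct vtep_guard *g, uint32_t now)
{
    if (now - g->window_start >= g->window_sec) {
        g->window_start = now;
        g->nonlocal_count = g->local_count = g->nonvxlan_count = 0;
    }
}

/* Decide for one received message: non-VXLAN and local-VNI messages always go on to
 * decapsulation/processing; a non-local message is dropped once the window's non-local
 * count has reached the threshold (the message that reaches it is the first one dropped). */
enum guard_action guard_decide(struct vtep_guard *g, uint32_t now, bool is_vxlan, uint32_t vni)
{
    guard_roll_window(g, now);
    if (!is_vxlan) { g->nonvxlan_count++; return GUARD_DECAP; }
    if (is_local_vni(g, vni)) { g->local_count++; return GUARD_DECAP; }
    g->nonlocal_count++;
    return g->nonlocal_count >= g->threshold ? GUARD_DROP : GUARD_DECAP;
}

/* The tightening condition from the text: legitimate traffic (local VXLAN plus non-VXLAN)
 * is at least 80% of what was received and the device is at 90% or more of the messages
 * it can process per window, so a smaller first threshold is advisable. */
bool guard_should_tighten(const struct vtep_guard *g, uint32_t capacity_per_window)
{
    uint32_t total = g->nonlocal_count + g->local_count + g->nonvxlan_count;
    if (total == 0 || capacity_per_window == 0) return false;
    double share = (double)(g->local_count + g->nonvxlan_count) / total;
    double load = (double)total / capacity_per_window;
    return share >= 0.8 && load >= 0.9;
}

struct vtep_guard demo_guard;   /* guard instance driven by the constructed replay below */

/* Constructed replay at second 0: 3 local messages, 2 plain IP messages, then a burst of 50
 * messages carrying a foreign VNI. Returns how many of the burst were dropped. */
int simulate_flood(void)
{
    struct vtep_guard init = { {100, 200}, 2, 1, 10, 0, 0, 0, 0 };   /* 1 s window, threshold 10 */
    demo_guard = init;
    int dropped = 0;
    for (int i = 0; i < 3; i++) guard_decide(&demo_guard, 0, true, 100);
    for (int i = 0; i < 2; i++) guard_decide(&demo_guard, 0, false, 0);
    for (int i = 0; i < 50; i++) dropped += (guard_decide(&demo_guard, 0, true, 999) == GUARD_DROP);
    return dropped;
}

/* One second later the window rolls, so a foreign-VNI message is processed again. */
bool foreign_vni_passes_next_second(void) { return guard_decide(&demo_guard, 1, true, 999) == GUARD_DECAP; }

/* Constructed window tallies: 70 local, 15 non-VXLAN, 15 non-local (85% legitimate share). */
bool tighten_at_capacity(uint32_t capacity_per_window)
{
    struct vtep_guard g = { {100}, 1, 1, 10, 0, 15, 70, 15 };
    return guard_should_tighten(&g, capacity_per_window);
}

int main(void)
{
    printf("dropped from the burst: %d of 50\n", simulate_flood());                      /* 41 */
    printf("foreign VNI passes in the next window: %d\n", foreign_vni_passes_next_second());  /* 1 */
    printf("tighten at capacity 110: %d, at 200: %d\n", tighten_at_capacity(110), tighten_at_capacity(200));
    return 0;
}
```

The VNI is a field of an untrusted outer header, so this guard only bounds floods that carry a VNI the VTEP does not serve; a spoofed message that carries a local VNI is counted as local and still reaches the decapsulation path, where the policy match of the main method has to judge it.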
Example 3
Referring to fig. 3, which is a schematic diagram of the modules of a database protection system based on a VXLAN network according to an embodiment of the present invention, the system comprises:
an acquisition module 10, configured to acquire a data packet and parse its link-layer header;
a first judgment module 20, configured to perform a first judgment on the parsed data packet, parsing it according to a first preset rule if it is the target data packet and according to a second preset rule if it is not;
a second judgment module 30, configured to match the bound risk policy according to the parsing result and perform a second judgment on the matched bound policy;
and a cache module 40, configured to cache the result of the policy match, send the alarm according to the configuration, and compress and store the alarm in parallel.
Also included are a memory, a processor, and a communication interface, which are electrically connected, directly or indirectly, to each other to enable transmission or interaction of data. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The memory may be used to store software programs and modules, and the processor may execute various functional applications and data processing by executing the software programs and modules stored in the memory. The communication interface may be used for communicating signaling or data with other node devices.
The memory may be, but is not limited to, Random Access Memory (RAM), Read-Only Memory (ROM), Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
The processor may be an integrated circuit chip having signal processing capabilities. The Processor may be a general-purpose Processor including a Central Processing Unit (CPU), a Network Processor (NP), etc.; but also Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components.
It will be appreciated that the configuration shown in fig. 3 is merely illustrative and may include more or fewer components than shown in fig. 3, or have a different configuration than shown in fig. 3. The components shown in fig. 3 may be implemented in hardware, software, or a combination thereof.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, or the portion of it that contributes to the prior art, may be embodied as a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other media capable of storing program code.
To sum up, the method and system for protecting a database based on a VXLAN network provided by the embodiments of the present application support VXLAN data forwarding and data security protection in a VXLAN environment. They also address the following requirements in VXLAN environments. Access control capability: detecting and blocking access to sensitive data is supported, such as real-time access control over queries, modifications or deletions of sensitive libraries, sensitive tables and sensitive fields. Intrusion detection capability: real-time detection and interception of internal unauthorized operations, SQL injection and vulnerability attacks is supported.
In a VXLAN network, the deployed database auditing system decapsulates messages for auditing and performs risk analysis. The database firewall system decapsulates messages, supports forwarding of VXLAN messages, and provides policy-matching risk alarms and access control.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.
Claims (10)
1. A method for protecting a database based on a VXLAN network, characterized in that it comprises the following steps:
acquiring a data packet and parsing the link header portion of the data packet;
performing a first judgment on the parsed data packet; if the judgment result is that it is the target data packet, parsing according to a first preset rule, and if the judgment result is that it is not the target data packet, parsing according to a second preset rule;
matching the binding risk policy according to the parsing result and performing a second judgment on the matched binding policy;
and caching the result of the matched binding policy, sending an alarm according to the configuration, and compressing and storing the alarm in parallel.
2. The method of claim 1, wherein acquiring the data packet comprises:
in a VXLAN network, deploying a database auditing and protection system transparently, and using the DPDK technology to achieve high-speed forwarding of service traffic through the database firewall.
3. The method of claim 1, wherein the first judgment on the parsed data packet comprises:
judging, from the parsed link header portion of the data packet, whether the data packet is a VXLAN data packet.
4. The method according to claim 1, wherein, if the judgment result is that it is the target data packet, parsing according to the first preset rule comprises:
if the data packet is a VXLAN data packet, parsing the link header of the data packet according to the VXLAN data packet format.
5. The method according to claim 1, wherein, if the judgment result is "no", parsing according to the second preset rule comprises:
judging whether the parsing result is a service data packet that needs further processing;
if the judgment result is that it is a service data packet that needs processing, shifting to the data portion of the VXLAN data packet and then parsing the data according to the normal IP data packet format.
6. The method according to claim 1, wherein matching the binding risk policy according to the parsing result and performing the second judgment on the matched binding policy comprise:
matching the binding policy according to the parsing result, and judging whether to forward the packet or to block and discard it.
7. The method according to claim 1, wherein caching the result of the matched binding policy, sending the alarm according to the configuration, and compressing and storing the alarm in parallel comprise:
caching the result of the matched binding policy, sending an alarm according to the configuration, and storing the alarm through parallel IO.
8. The method of claim 7, wherein the VXLAN-network-based database protection method further comprises:
after IO storage, creating an index in Java and presenting statistical analysis on the UI page.
9. A protection system for a database based on a VXLAN network, comprising:
an acquisition module, configured to acquire a data packet and parse the link header portion of the data packet;
a first judgment module, configured to perform a first judgment on the parsed data packet, parse it according to a first preset rule if the judgment result is that it is the target data packet, and parse it according to a second preset rule if the judgment result is that it is not the target data packet;
a second judgment module, configured to match the binding risk policy according to the parsing result and perform a second judgment on the matched binding policy;
and a cache module, configured to cache the result of the matched binding policy, send an alarm according to the configuration, and compress and store the alarm in parallel.
10. The VXLAN-network-based database protection system of claim 9, comprising:
at least one memory for storing computer instructions;
at least one processor in communication with the memory, wherein the at least one processor, when executing the computer instructions, causes the system to implement the acquisition module, the first judgment module, the second judgment module and the cache module.
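The pipeline of claims 1 to 7 and Example 3 above, as an added worked example (not code from the patent, which names no implementation): parse the outer link header, make the first judgment on UDP port 4789 and the VXLAN I flag, shift into the VXLAN payload and parse the inner IP packet as a normal frame, match a binding policy to forward or block, and compress and cache an alarm on block; the non-local VNI counter from Example 2 is folded in as well. The local VNI 100, the threshold of 3, the policy entries, the addresses and the constructed frames are all assumptions.

```python
import json, struct, zlib

VXLAN_UDP_PORT = 4789   # IANA port for VXLAN (RFC 7348)
LOCAL_VNIS = {100}      # VNIs this VTEP serves (assumed configuration)
NONLOCAL_THRESHOLD = 3  # foreign-VNI packets tolerated per window (assumed first threshold)
# Binding policy keyed by (VNI, inner dst IP, inner dst port); entries constructed for this demo.
POLICY = {(100, "10.0.0.5", 3306): "forward", (100, "10.0.0.9", 3306): "block"}
nonlocal_seen = {}      # per-VNI count of non-local VXLAN packets in the current window
alarm_store = []        # cached alarm records, compressed before storage

def parse_eth_ipv4(buf, off):
    """Parse Ethernet + IPv4 (+ TCP/UDP ports) at `off`; return (hdr, l4_offset) or None."""
    if len(buf) < off + 34 or struct.unpack_from("!H", buf, off + 12)[0] != 0x0800:
        return None
    ver_ihl, proto, src, dst = struct.unpack_from("!B8xB2x4s4s", buf, off + 14)
    l4 = off + 14 + (ver_ihl & 0x0F) * 4
    hdr = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "proto": proto}
    if proto in (6, 17) and len(buf) >= l4 + 4:  # ports lead both the TCP and UDP headers
        hdr["sport"], hdr["dport"] = struct.unpack_from("!HH", buf, l4)
    return hdr, l4

def decide(vni, hdr, kind):
    # Second judgment: match the binding policy; unmatched traffic passes (assumed default)
    action = POLICY.get((vni, hdr["dst"], hdr.get("dport")), "forward")
    rec = {"kind": kind, "vni": vni, "inner": hdr, "action": action}
    if action == "block":  # alarm is compressed before being stored, as the page describes
        alarm_store.append(zlib.compress(json.dumps(rec).encode()))
    return rec

def inspect(buf):
    """Parse the link header, make the first judgment, apply rule 1 or 2, then match policy."""
    parsed = parse_eth_ipv4(buf, 0)
    if parsed is None:
        return {"kind": "unparsed", "action": "block"}
    outer, l4 = parsed
    # First judgment: a VXLAN packet is UDP to 4789 with the VNI-valid (I) flag set
    if outer["proto"] == 17 and outer.get("dport") == VXLAN_UDP_PORT and len(buf) >= l4 + 16:
        flags, vni_raw = struct.unpack_from("!B3xI", buf, l4 + 8)
        if flags & 0x08:
            vni = vni_raw >> 8
            if vni not in LOCAL_VNIS:  # Example 2: count foreign-VNI packets, discard past threshold
                nonlocal_seen[vni] = nonlocal_seen.get(vni, 0) + 1
                if nonlocal_seen[vni] >= NONLOCAL_THRESHOLD:
                    return {"kind": "vxlan", "vni": vni, "action": "discard"}
            # Second rule: shift past the 8-byte VXLAN header and parse the payload as a normal frame
            inner = parse_eth_ipv4(buf, l4 + 16)
            return decide(vni, inner[0], "vxlan") if inner else {"kind": "vxlan", "vni": vni, "action": "block"}
    return decide(None, outer, "plain")

def eth_ipv4(proto, src, dst, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes(12) + b"\x08\x00" + ip + payload  # dummy MACs; IP checksum 0 (offline demo)

def vxlan_frame(vni, inner_dst, dport):
    """Constructed VXLAN-in-UDP frame carrying a TCP segment to a database port."""
    inner = eth_ipv4(6, "10.0.0.1", inner_dst, struct.pack("!HH", 40000, dport) + bytes(16))
    vx = struct.pack("!B3xI", 0x08, vni << 8)  # I flag set, 24-bit VNI, reserved byte zero
    udp = struct.pack("!HHHH", 50000, VXLAN_UDP_PORT, 8 + len(vx) + len(inner), 0)
    return eth_ipv4(17, "192.168.1.1", "192.168.1.2", udp + vx + inner)
```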
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110131813.4A CN112887317A (en) | 2021-01-30 | 2021-01-30 | Method and system for protecting database based on VXLAN network |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112887317A true CN112887317A (en) | 2021-06-01 |
Family ID: 76052124
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112887317A (en) |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140146817A1 (en) * | 2012-11-29 | 2014-05-29 | Futurewei Technologies, Inc. | System and Method for VXLAN Intern-Domain Communications |
| CN104410541A (en) * | 2014-11-18 | 2015-03-11 | 盛科网络(苏州)有限公司 | Method and device for counting VXLAN inner layer virtual machine flux on intermediate switch |
| CN106357652A (en) * | 2016-09-26 | 2017-01-25 | 杭州迪普科技有限公司 | Method and device for preventing attack of VXLAN message |
| CN107204896A (en) * | 2017-05-22 | 2017-09-26 | 迈普通信技术股份有限公司 | Handle method, device and the VTEP equipment of VXLAN messages |
| CN108809793A (en) * | 2017-04-27 | 2018-11-13 | 华为技术有限公司 | A kind of data transmission method, apparatus and system |
| CN109639557A (en) * | 2019-02-11 | 2019-04-16 | 北京百度网讯科技有限公司 | Methods, devices and systems for network communication |
| CN111030970A (en) * | 2019-03-21 | 2020-04-17 | 哈尔滨安天科技集团股份有限公司 | Distributed access control method and device and storage equipment |
| CN111447233A (en) * | 2020-03-31 | 2020-07-24 | 国家计算机网络与信息安全管理中心 | VXLAN-based packet filtering method and device |
| CN111726364A (en) * | 2020-06-29 | 2020-09-29 | 浙江军盾信息科技有限公司 | A host intrusion prevention method, system and related device |
2021-01-30: CN202110131813.4A filed in China (published as CN112887317A), status pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113656263A (en) * | 2021-08-20 | 2021-11-16 | 重庆紫光华山智安科技有限公司 | Data processing method, system, storage medium and terminal |
| CN113656263B (en) * | 2021-08-20 | 2023-05-12 | 重庆紫光华山智安科技有限公司 | Data processing method, system, storage medium and terminal |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | Application publication date: 20210601 |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | |