CN117614647A - Communication system and communication method - Google Patents
- Publication number: CN117614647A (application number CN202311388160.3A)
- Authority: CN (China)
- Prior art keywords: waf, node, service, protection, log
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
All entries fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/50—Network service management, e.g. ensuring proper service fulfilment according to agreements
- H04L41/5003—Managing SLA; Interaction between SLA and QoS
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1001—Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
- H04L67/1004—Server selection for load balancing
- H04L67/1023—Server selection for load balancing based on a hash applied to IP addresses or costs
- H04L67/2866—Architectures; Arrangements
- H04L67/30—Profiles
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
Abstract
The application provides a communication system and a communication method. The communication system is applied to a WAF cluster that comprises a SaaS WAF management platform, an LB node and a plurality of WAF nodes. The SaaS WAF management platform receives a start SaaS service request input by a user, the request comprising a public network address to be protected and a protection bandwidth, and sends a first configuration file, which comprises a first sub-configuration file, to the LB node. The LB node receives the first configuration file sent by the SaaS WAF management platform, acquires the first sub-configuration file from it, and configures a virtual service and the QoS of the virtual service locally according to the first sub-configuration file; the virtual service comprises the public network address to be protected, and the QoS comprises the protection bandwidth. After service traffic reaches the LB node, the LB node uses the virtual service to forward the service traffic to the plurality of corresponding WAF nodes.
Description
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a communications system and a communications method.
Background
The Web application firewall (WAF) service is a basic service indispensable to cloud services and is also one of the basic services required by security assurance requirements. Currently, both public and private clouds need to provide WAF services.
The on-cloud WAF service has two modes: a mirror mode and a cloud WAF mode. Current cloud WAF services mostly adopt the cloud WAF mode. In the cloud WAF mode, the service traffic accessing a domain name is steered to the cloud WAF by modifying the domain name's resolution, and the service traffic is forwarded to the Web application after protection and cleaning.
Taking the domain name www.xxx.com as an example, before the on-cloud WAF service is accessed, the DNS resolution recorded in the switch directly maps the domain name to its public network address, i.e. www.xxx.com -> 180.101.50.242. After the switch has accessed the cloud WAF mode, the user adds a protected domain name (www.xxx.com) in the Web application firewall and sets the back-to-source information (e.g., the switch address). The Web application firewall assigns a unique CNAME address (e.g., www.a.yyy.com) to the protected domain name, through which received traffic can be forwarded to the protected domain name, i.e. www.a.yyy.com -> 180.101.50.242. At the same time, the user modifies the DNS resolution previously recorded in the switch (www.xxx.com -> 180.101.50.242) to a mapping to the CNAME address, i.e. www.xxx.com -> www.a.yyy.com. Through the CNAME address, the switch first pulls the traffic accessing the protected domain name to the Web application firewall. After the Web application firewall performs malicious-traffic detection and cleaning on the service traffic accessing the protected domain name, normal service traffic is returned to the source station according to the back-to-source information, so the Web application is protected.
However, the existing cloud WAF mode also has the following drawbacks: 1) The user needs to manually modify the DNS resolution recorded in the switch to steer traffic; the operation is complex, hard to automate, and introduces delay. A DNS resolution modification typically takes 10 minutes to take effect. 2) If an attacker knows the public network address of the original Web application, the attacker can bypass the cloud WAF mode and access it directly, so the Web application is not protected.
Disclosure of Invention
In view of this, the present application provides a communication system and a communication method to solve the problems of the existing cloud WAF mode: manual DNS resolution modification, traffic steering, delay, and bypassing the cloud WAF.
In a first aspect, the present application provides a communication system applied to a WAF cluster, where the WAF cluster includes a SaaS WAF management platform, an LB node, and a plurality of WAF nodes;
the SaaS WAF management platform is used for receiving a SaaS service starting request input by a user, wherein the SaaS service starting request comprises a public network address to be protected and a protection bandwidth; sending a first configuration file to the LB node, wherein the first configuration file comprises a first sub-configuration file;
the LB node is used for receiving the first configuration file sent by the SaaS WAF management platform and acquiring the first sub-configuration file from the first configuration file; configuring virtual service and QoS of the virtual service locally according to the first sub-configuration file, wherein the virtual service comprises the public network address to be protected, and the QoS comprises the protection bandwidth;
and the virtual service is used for forwarding the service flow to the corresponding WAF nodes by the LB node after the service flow reaches the LB node.
In a second aspect, the present application provides a communication method, where the method is applied to a SaaS WAF management platform, where the SaaS WAF management platform is in a WAF cluster, where the WAF cluster further includes an LB node and a plurality of WAF nodes, and the method includes:
receiving a start SaaS service request input by a user, wherein the start SaaS service request comprises a public network address to be protected and a protection bandwidth;
sending a first configuration file to the LB node, wherein the first configuration file comprises a first sub-configuration file, so that the LB node locally configures virtual service and QoS of the virtual service according to the first sub-configuration file, the virtual service comprises a public network address to be protected, and the QoS comprises the protection bandwidth;
and the virtual service is used for forwarding the service flow to the corresponding WAF nodes by the LB node after the service flow reaches the LB node.
Therefore, by applying the communication system and the communication method provided by the application, the SaaS WAF management platform is used for receiving a request for starting SaaS service input by a user, wherein the request for starting SaaS service comprises a public network address to be protected and a protection bandwidth; transmitting a first configuration file to the LB node, wherein the first configuration file comprises a first sub-configuration file; the LB node is used for receiving the first configuration file sent by the SaaS WAF management platform and acquiring a first sub-configuration file from the first configuration file; configuring virtual service and QoS of the virtual service locally according to the first sub-configuration file, wherein the virtual service comprises a public network address to be protected, and the QoS comprises the protection bandwidth; the virtual service is used for forwarding the service traffic to a plurality of corresponding WAF nodes by the LB node after the service traffic reaches the LB node.
In this way, the SaaS WAF management platform, the LB node and the WAF nodes included in the WAF cluster perform protection processing on the service traffic that reaches the cloud platform core switch and is about to access the Web application, so as to protect the cloud platform's Web applications. This solves the problems of manual DNS resolution modification, traffic steering, delay and bypass access in the existing cloud WAF mode. Compared with the existing mirror mode, the communication method and system protect the Web applications shared by multiple tenants and save resources; compared with the existing cloud WAF mode, the traffic steering scheme is simpler and takes effect promptly, and the risk of direct access to the Web application is avoided.
Drawings
Fig. 1 is a networking diagram applicable to a communication method provided in an embodiment of the present application;
Fig. 2 is a signaling diagram applicable to a communication method provided in an embodiment of the present application;
Fig. 3 is a flowchart of a communication method provided in an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the present application. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the corresponding listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, a first message may also be referred to as a second message, and similarly, a second message may also be referred to as a first message, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
The communication method provided in the embodiment of the present application is described in detail below. Referring to fig. 1, fig. 1 is a networking diagram suitable for a communication method according to an embodiment of the present application. In fig. 2, a cloud platform is included, as well as WAF clusters.
The cloud platform is connected with an external network (Internet), and comprises a core switch (border), an access switch (leaf) and a plurality of servers (servers). The server may be used to carry the Web application and provide an access interface for the Web application. Web applications are types of applications that can provide services to users.
The WAF cluster is deployed at the egress of the cloud platform. The WAF cluster includes a SaaS WAF management platform, a load balancing (LB) node, a plurality of WAF nodes (3 WAF nodes are illustrated in FIG. 2 as an example), and a log node. The SaaS WAF management platform establishes a Netconf connection with the core switch, and the core switch establishes a communication connection with the LB node. The WAF cluster implements protection for Web applications, e.g., malicious-traffic detection, attack detection and cleaning of the traffic accessing the Web application. After receiving service traffic for accessing the Web application, the core switch steers the service traffic to the WAF cluster. The WAF cluster performs protection processing on the service traffic and feeds the processed traffic back to the core switch. The core switch sends the processed service traffic to the server, so that the WAF cluster protects the Web application.
A brief description of the SaaS WAF management platform, LB node, multiple WAF nodes, and log nodes in a WAF cluster follows.
The SaaS WAF management platform provides user self-service capability and WAF cluster resource management capability. The user self-service capability refers to functions such as selecting and specifying the protection bandwidth of the SaaS service, issuing protection policies, viewing protection logs, one-click skipping, and blacklisting; the cluster resource management capability refers to functions such as managing the LB node, WAF nodes and log node, issuing configuration files to each component, monitoring the running state of each component, and displaying alarm information to the user.
The LB node distributes the traffic to a plurality of WAF nodes through a load balancing algorithm of source address hash.
The WAF node is used for providing a protection function for the Web application, is connected with the LB node through a transparent proxy mode, configures a public network address and a protection policy of the Web application to be protected at a local place, and executes the protection policy.
The log node collects the partial protection logs of each WAF node and stores them classified by Web application.
In this embodiment of the present application, the SaaS WAF management platform is configured to receive a request for starting SaaS service input by a user, where the request for starting SaaS service includes a public network address to be protected and a protection bandwidth; sending a first configuration file to the LB node, wherein the first configuration file comprises a first sub-configuration file;
the LB node is used for receiving the first configuration file sent by the SaaS WAF management platform and acquiring the first sub-configuration file from the first configuration file; configuring virtual service and QoS of the virtual service locally according to the first sub-configuration file, wherein the virtual service comprises the public network address to be protected, and the QoS comprises the protection bandwidth; and the virtual service is used for forwarding the service flow to the corresponding WAF nodes by the LB node after the service flow reaches the LB node.
For example, the public network address to be protected may be the public network address of the Web application the user will access later, 1.1.1.1; the protection bandwidth may be 50M. It can be appreciated that the user sends service traffic to the Web application to be accessed through a client. The service traffic includes a source address, a destination address, and a user identifier characterizing the user. The source address is the address of the client; the destination address is the public network address of the Web application to be accessed; and the user identifier may be a client identifier.
Optionally, the first configuration file further includes a second sub-configuration file;
the LB node is further configured to configure a load balancing algorithm of source address hash locally according to the second sub-configuration file, and configure the plurality of WAF nodes as real services corresponding to the virtual services locally;
the real service is used for providing service flow protection for the Web application accessed by the user.
The second sub-configuration file and the first sub-configuration file can be issued to the LB node together in the first configuration file; the LB node may configure the second sub-configuration file after finishing the configuration according to the first sub-configuration file, or may configure both at the same time.
Optionally, the SaaS WAF management platform is further configured to send a second configuration file to each WAF node in the plurality of WAF nodes that provide the real service, where the second configuration file includes a protection asset, a proxy rule, and a protection policy;
the WAF node is used for receiving the second configuration file; configuring the protection assets, agent rules and protection policies locally;
the protection asset is the public network address to be protected.
In the embodiment of the present application, the SaaS WAF management platform may send the second configuration file to the WAF node after sending the first configuration file to the LB node.
Optionally, netconf connection is established between the SaaS WAF management platform and a core switch included in the cloud platform;
the SaaS WAF management platform is further configured to send, through the Netconf connection, a policy route to the core switch, so that the core switch configures the policy route locally, and when the traffic reaches the core switch, the core switch forwards the traffic to the LB node according to the policy route.
In the core switch, the policy route has a higher priority than the normal route entries in the routing table. After receiving the service traffic, the core switch matches the service traffic against the policy route. If they match, the service traffic is forwarded to the LB node according to the outgoing interface and the next hop in the policy route.
Optionally, the WAF cluster further includes a log node;
the WAF node is further configured to, when the service flow is received and a destination address included in the service flow is the same as the public network address to be protected indicated by the protection asset, perform protection processing on the service flow according to the proxy rule and the protection policy, and generate a partial protection log; transmitting the partial protection log to the log node;
the log node is used for receiving the partial protection logs transmitted by each WAF node, and classifying and storing the plurality of partial protection logs according to the protection asset recorded in each partial protection log.
Optionally, the SaaS WAF management platform is further configured to receive a log view request input by the user, where the log view request includes a log attribute;
according to the log attribute, acquiring matched log information from the log nodes, wherein the log information comprises at least one part of protection log reported to the log nodes by the WAF nodes;
and the log attribute is the public network address to be protected.
Optionally, the LB node is further configured to receive a service flow sent by the core switch, where a destination address included in the service flow is the public network address to be protected; if the local virtual service is matched with the public network address to be protected, carrying out hash operation on a source address included in the service flow according to the load balancing algorithm, and forwarding the service flow to the WAF nodes corresponding to the virtual service according to a hash operation result;
the WAF node is further configured to receive the traffic flow; if the destination address included in the service flow is the same as the public network address to be protected indicated by the protection asset, carrying out protection processing on the service flow according to the proxy rule and the protection strategy; sending the service flow after the protection treatment to the LB node;
the LB node is further configured to receive the service traffic after the protection processing, and send the service traffic after the protection processing to the core switch, so that the core switch forwards the service traffic after the protection processing to the Web application indicated by the destination address.
In the embodiment of the application, the user wants to open the SaaS service. The user inputs the address of the SaaS WAF management platform in an address bar included in the browser, and accesses the SaaS WAF management platform. After receiving an access request input by a user, the SaaS WAF management platform determines that the user wants to open the SaaS service, and displays an interface for opening the SaaS service to the user.
The user then inputs a start SaaS service request to the SaaS WAF management platform according to the prompt information of the SaaS service opening interface. The start SaaS service request includes a public network address to be protected and a protection bandwidth. The public network address to be protected is the public network address (for example, 1.1.1.1) of the Web application the user will access later; the protection bandwidth is one selected by the user from the plurality of protection bandwidths displayed in the SaaS service interface, for example, 50M.
The prompt information of the SaaS service interface comprises a public network address field to be protected and a protection bandwidth field. The public network address field to be protected fills in the address of the Web application expected to be protected by the user; the guard bandwidth field may be displayed in a drop down list of various types, e.g., 20M, 50M, 100M, etc., and the user may make a selection input according to actual network requirements.
After receiving a request for starting the SaaS service input by a user, the SaaS WAF management platform acquires a public network address to be protected and a protection bandwidth from the request.
The SaaS WAF management platform generates a first configuration file. The first configuration file comprises a first sub-configuration file and a second sub-configuration file, wherein the first sub-configuration file is used for enabling the LB node to locally configure virtual services and QoS of the virtual services; the second sub-configuration file is used for enabling the LB node to locally configure a load balancing algorithm of source address hash, and configuring real services corresponding to virtual services for the WAF nodes.
The SaaS WAF management platform sends a first configuration file to the LB node.
After receiving the first configuration file, the LB node acquires the first sub-configuration file and the second sub-configuration file from it. The LB node creates the virtual service and the QoS of the virtual service locally according to the first sub-configuration file. In this embodiment of the present application, the first sub-configuration file includes the public network address to be protected and the protection bandwidth. The virtual service created locally by the LB node comprises the public network address to be protected, and the QoS comprises the protection bandwidth. After service traffic reaches the LB node, the virtual service is used to forward the traffic to the plurality of corresponding WAF nodes, rather than discarding it, when the LB node determines that the destination address is the same as the address of the virtual service.
When the LB node configures the virtual service, the public network address to be protected can be configured as the IP address of the virtual service. I.e. the IP address of the virtual service is 1.1.1.1 and the QoS of the virtual service is 50M.
Meanwhile, the LB node configures a load balancing algorithm of source address hash locally and configures a plurality of WAF nodes as real services corresponding to the virtual services locally. After receiving the service traffic, the load balancing algorithm of the source address hash is used for carrying out hash operation on the source address included in the service traffic, and distributing the service traffic to a plurality of WAF nodes uniformly according to the hash operation result so as to realize load balancing, so that the WAF cluster performance is improved. The real service is used for providing service traffic protection for the Web application to be accessed by the user.
It should be noted that, at the beginning of the establishment of the WAF cluster, the LB node, each WAF node, and the log node all send a registration message to the SaaS WAF management platform, so that the SaaS WAF management platform determines the attribute of each component in the current WAF cluster. Such attributes include, but are not limited to, ID, address, port, location, etc. And when the SaaS WAF management platform generates the second sub-configuration file, carrying the attribute of each WAF node in the WAF cluster in the second sub-configuration file together, so that the LB node configures a plurality of WAF nodes as real services corresponding to the virtual services locally.
In the embodiment of the present application, the SaaS WAF management platform generally uses all WAF nodes included in the WAF cluster as real services corresponding to virtual services.
The first configuration file is exemplified as follows:
After the SaaS WAF management platform sends the first configuration file to the LB node, it generates a second configuration file and sends it to the WAF nodes serving as real services (i.e., all WAF nodes included in the current WAF cluster). The second configuration file includes a protection asset, proxy rules, and a protection policy.
And after each WAF node receives the second configuration file, the protection asset, the proxy rule and the protection strategy acquired from the second configuration file are configured locally. The protection asset is a public network address to be protected, for example, 1.1.1.1; the proxy rule is information such as a port, a certificate and the like for configuring the Web application to be accessed; the protection policy is a protection configuration specific to a Web attack.
The protection policy comprises policy basic attributes and policy configuration details. Policy base attributes include, but are not limited to, policy names (high-level, medium-level, low-level), application assets, blocking return information, notes, selection templates, etc.; policy configuration details include, but are not limited to, SQL injection guard, feature detection, semantic algorithm detection, processing actions, detection levels, feature rules, and the like.
After sending the second configuration file, the SaaS WAF management platform also generates a policy route and sends it to the core switch over the Netconf connection.
After receiving the policy route, the core switch configures it locally. When service traffic reaches the core switch, the core switch matches the traffic against the policy route. If the traffic matches, the core switch forwards it to the LB node according to the policy route; if not, the core switch forwards it in the existing way, by looking up its routing table.
In the embodiment of the application, the policy route includes information of a matching condition, an outgoing interface, a next hop and the like. The matching condition may be specifically a public network address of the Web application to be accessed, for example, 1.1.1.1; the output interface may be specifically a port for establishing communication connection between the core switch and the LB node; the next hop may be specifically the address of the LB node.
Fig. 2 is a signaling diagram of the communication method according to an embodiment of the present application. In fig. 2, after receiving the public network address to be protected and the protection bandwidth input by the user, the SaaS WAF management platform generates a first configuration file, a second configuration file and a policy route, and issues them to the LB node, each WAF node and the core switch respectively, so that the LB node, each WAF node and the core switch are configured accordingly.
After receiving service traffic, the LB node obtains the destination address carried in the traffic, which is a public network address to be protected, and checks whether it matches the address of the local virtual service. If it matches, the LB node hashes the source address carried in the traffic according to the load balancing algorithm and forwards the traffic to the WAF nodes corresponding to the virtual service according to the hash result.
After the WAF node receives the service traffic, it checks whether the destination address is the same as the public network address to be protected indicated by the protection asset. If so, the WAF node performs protection processing on the traffic according to the proxy rule (for example, a transparent proxy rule, where the traffic must be checked against each sub-rule of the transparent proxy rule and pass) and the protection policy, and then sends the processed traffic to the LB node.
After receiving the processed service traffic, the LB node sends it to the core switch, and the core switch forwards it to the Web application indicated by the destination address.
If the user wants to check the log information of a certain Web application, the user inputs a log check request to the SaaS WAF management platform, wherein the log check request comprises log attributes. After receiving the log checking request, the SaaS WAF management platform acquires log attributes from the log checking request.
According to the log attribute, the SaaS WAF management platform acquires matched log information from the log nodes, wherein the log information comprises part of protection logs reported to the log nodes by at least one WAF node. The SaaS WAF management platform displays log information to the user.
The log attribute may be specifically a public network address of the Web application.
Examples of partial protection logs are shown below:
Character string format:
<188>time WAF:time WAF:source ip:source port->dest ip dport=%d devicename=%s url=%s method=%s args=%s flag_field=%s block_time=%d http_type=%s attack_field=%d profile_id=%d rule_id=%d type=%s severity=%s action=%s referer=%s useragent=%s post=%s xip=%s code=%d country=%s province=%s equipment=%s os=%s browser=%s|
Log sample:
<188>Jun 15 07:10:49 WAF:2021-06-15 07:10:49 WAF:192.168.123.61:8739->192.168.123.248 dport=80 devicename=waf url=/bWAPP/login.php/images/netsparker.png method=GET args= flag_field= block_time=0 http_type= attack_field=4 profile_id=-1 rule_id=10 type=Web Scan Protection severity=HIGH action=PASS referer= useragent= post= xip=192.168.123.61 code=30090 country= province=local area network equipment=PC os=WINDOWS browser=BROWSER CHROME|
It should be noted that, in the embodiment of the present application, the SaaS WAF management platform also has a black and white list function. The white list stores the addresses of trusted clients and the black list stores the addresses of untrusted clients. The SaaS WAF management platform sends the black and white list to the core switch over the Netconf connection. When the core switch subsequently receives service traffic from a client on the white list, it no longer sends the traffic to the LB node but releases it directly. Similarly, when the core switch subsequently receives service traffic from a client on the black list, it blocks the traffic directly.
Alternatively, the SaaS WAF management platform may send the black and white list to the LB node instead of to the core switch. In that case the core switch transmits service traffic to the LB node as usual, and the LB node may first match the source address carried in the traffic against the black and white list. If the white list matches, the LB node hands the traffic straight back to the core switch; if the black list matches, the LB node discards the traffic.
It can be understood that traffic sent by clients on the black or white list is no longer subjected to protection processing.
In the embodiment of the application, the SaaS WAF management platform also has a one-key skip function. The interface for opening the SaaS service includes a skip button for not performing Web application protection. After the user clicks the button, the SaaS WAF management platform determines that traffic sent by the client used by the user is no longer protected (the user may enter a user identifier, e.g. a client identifier, so that the SaaS WAF management platform can determine which client's traffic is not to be protected). The SaaS WAF management platform generates a one-key skip list and issues it to the LB node. The core switch transmits service traffic to the LB node as usual, and the LB node may first match the source address carried in the traffic against the one-key skip list. If it matches, the LB node returns the traffic directly to the core switch, and the core switch forwards it in the existing way, by looking up its routing table.
The communication method provided in the embodiment of the present application is described in detail below. Referring to fig. 3, fig. 3 is a flowchart of a communication method provided in an embodiment of the present application. The communication method provided by the embodiment of the application can comprise the following steps when the method is applied to the SaaS WAF management platform.
Step 310, receiving a request for starting the SaaS service, which is input by a user and comprises a public network address to be protected and a protection bandwidth;
specifically, the user wants to open the software as a service (English: software as a Service, abbreviated as SaaS) service. The user inputs the address of the SaaS WAF management platform in an address bar included in the browser, and accesses the SaaS WAF management platform. After receiving an access request input by a user, the SaaS WAF management platform determines that the user wants to open the SaaS service, and displays an interface for opening the SaaS service to the user.
According to the prompt information of the interface for opening the SaaS service, the user then inputs a request for starting the SaaS service to the SaaS WAF management platform. The request includes a public network address to be protected and a protection bandwidth. The public network address to be protected is the public network address (for example, 1.1.1.1) of the Web application the user will later access; the protection bandwidth is the one selected by the user from the plurality of protection bandwidths displayed in the SaaS service interface, for example 50M.
The prompt information of the SaaS service interface comprises a field for the public network address to be protected and a protection bandwidth field. In the first field the user fills in the address of the Web application expected to be protected; the protection bandwidth field may be displayed as a drop-down list of various options, e.g., 20M, 50M, 100M, and the user selects one according to actual network requirements.
After receiving a request for starting the SaaS service input by a user, the SaaS WAF management platform acquires a public network address to be protected and a protection bandwidth from the request.
In the embodiment of the application, the SaaS WAF management platform is located in a WAF cluster. The WAF cluster also includes an LB node, a plurality of WAF nodes.
Step 320, sending a first configuration file to the LB node, where the first configuration file includes a first sub-configuration file, so that the LB node configures a virtual service and QoS of the virtual service locally according to the first sub-configuration file, where the virtual service includes the public network address to be protected and the QoS includes the protection bandwidth; and the virtual service is used by the LB node to forward service traffic to the corresponding WAF nodes after the traffic reaches the LB node.
Specifically, according to the description of step 310, after the SaaS WAF management platform obtains the public network address to be protected and the protection bandwidth, a first configuration file is generated. The first configuration file comprises a first sub-configuration file, and the first sub-configuration file comprises a public network address to be protected and a protection bandwidth.
The SaaS WAF management platform sends a first configuration file to the LB node.
After receiving the first configuration file, the LB node obtains the first sub-configuration file from it, establishes a virtual service according to the public network address to be protected, and configures QoS for the virtual service according to the protection bandwidth. The virtual service is used to forward service traffic to the corresponding WAF nodes, without dropping it, after the traffic reaches the LB node.
When the LB node configures the virtual service, the public network address to be protected can be configured as the IP address of the virtual service. I.e. the IP address of the virtual service is 1.1.1.1 and the QoS of the virtual service is 50M.
Optionally, in the embodiment of the present application, the first configuration file generated by the SaaS WAF management platform further includes a second sub-configuration file, where the second sub-configuration file is used to configure the load balancing algorithm of the source address hash of the LB node locally, and configure the plurality of WAF nodes locally to be real services corresponding to the virtual services.
After receiving the service traffic, the load balancing algorithm of the source address hash is used for carrying out hash operation on the source address included in the service traffic, and distributing the service traffic to a plurality of WAF nodes uniformly according to the hash operation result so as to realize load balancing, so that the WAF cluster performance is improved. The real service is used for providing service traffic protection for the Web application to be accessed by the user.
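The LB node's forwarding decision, from the virtual service match and source address hash described here down to the black and white list and one-key skip list that the earlier embodiment lets the LB node check first, as an added Python example that is not part of the patent; the SHA-256 hash, the WAF node addresses and the handling of traffic whose destination matches no virtual service are assumptions.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class VirtualService:
    """What the LB node configures locally from the first configuration file."""
    ip: str                   # public network address to be protected (first sub-configuration file)
    qos_mbps: int             # protection bandwidth, e.g. 50M
    real_services: List[str]  # WAF node addresses (second sub-configuration file)


def source_hash_index(source_ip: str, n_nodes: int) -> int:
    """Map a client source address to one of n WAF nodes.

    SHA-256 is an assumption (the patent only says 'source address hash'). A process-seeded
    hash such as Python's built-in hash() would send the same client to a different WAF node
    after every LB restart, which breaks per-client state on the WAF side.
    """
    digest = hashlib.sha256(source_ip.encode("ascii")).digest()
    return int.from_bytes(digest[:4], "big") % n_nodes


@dataclass
class LBNode:
    virtual_services: Dict[str, VirtualService] = field(default_factory=dict)
    whitelist: Set[str] = field(default_factory=set)  # trusted clients: released unprotected
    blacklist: Set[str] = field(default_factory=set)  # untrusted clients: discarded
    skip_list: Set[str] = field(default_factory=set)  # one-key skip list: released unprotected

    def decide(self, src_ip: str, dst_ip: str) -> Tuple[str, Optional[str]]:
        """Return (action, waf_node) for one flow handed over by the core switch."""
        # The LB node may match the source address against the lists before anything else.
        if src_ip in self.blacklist:
            return ("drop", None)
        if src_ip in self.whitelist or src_ip in self.skip_list:
            return ("return_to_core_switch", None)
        vs = self.virtual_services.get(dst_ip)
        if vs is None:
            # Assumption: traffic for an address with no virtual service is handed back unprotected.
            return ("return_to_core_switch", None)
        waf = vs.real_services[source_hash_index(src_ip, len(vs.real_services))]
        return ("forward_to_waf", waf)


def distribution(lb: LBNode, dst_ip: str, sources: List[str]) -> Counter:
    """Count how many of the given source addresses land on each WAF node."""
    counts: Counter = Counter()
    for src in sources:
        action, waf = lb.decide(src, dst_ip)
        if action == "forward_to_waf":
            counts[waf] += 1
    return counts


def build_lb_from_config() -> LBNode:
    """Virtual service 1.1.1.1 with 50M QoS as in the patent; all other addresses are constructed."""
    vs = VirtualService(ip="1.1.1.1", qos_mbps=50,
                        real_services=["10.0.0.11", "10.0.0.12", "10.0.0.13"])
    return LBNode(virtual_services={vs.ip: vs},
                  whitelist={"192.0.2.10"}, blacklist={"192.0.2.66"})


if __name__ == "__main__":
    lb = build_lb_from_config()
    print(lb.decide("198.51.100.5", "1.1.1.1"))
    print(distribution(lb, "1.1.1.1", [f"198.51.100.{i}" for i in range(1, 255)]))
```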
Optionally, in an embodiment of the present application, the method further includes a step of generating the second configuration file by the SaaS WAF management platform.
Specifically, after the SaaS WAF management platform obtains the public network address to be protected and the protection bandwidth, a second configuration file is generated. The SaaS WAF management platform sends the second configuration file to each of the plurality of WAF nodes as providing real services, respectively. The second profile includes a guard asset, proxy rules, and a guard policy.
After each WAF node receives the second configuration file, the protection asset, the proxy rule and the protection strategy acquired from the second configuration file are configured locally. The protection asset is a public network address to be protected, for example, 1.1.1.1; the proxy rule is information such as a port, a certificate and the like for configuring the Web application to be accessed; the protection policy is a protection configuration specific to a Web attack.
Optionally, in the embodiment of the present application, a Netconf connection is already established between the SaaS WAF management platform and the core switch included in the cloud platform. Through the Netconf connection, the SaaS WAF management platform may send a policy route to the core switch, so that the core switch steers service traffic to the LB node.
Specifically, after the SaaS WAF management platform obtains the public network address to be protected, the protection bandwidth and the WAF protection policy template selected by the user, a policy route is generated. The SaaS WAF management platform sends the policy route to the core switch through the Netconf connection.
After receiving the policy route, the core switch configures it locally. When service traffic reaches the core switch, the core switch matches the traffic against the policy route. If the traffic matches, the core switch forwards it to the LB node according to the policy route; if not, the core switch forwards it in the existing way, by looking up its routing table.
In the embodiment of the application, the policy route includes information of a matching condition, an outgoing interface, a next hop and the like. The matching condition may be specifically a public network address of the Web application to be accessed, for example, 1.1.1.1; the output interface may be specifically a port for establishing communication connection between the core switch and the LB node; the next hop may be specifically the address of the LB node.
Optionally, in the embodiment of the present application, the SaaS WAF management platform may further receive a log view request input by a user, and provide corresponding log information for the user.
Specifically, the WAF cluster further includes a log node, which obtains the partial protection logs transmitted by each WAF node and stores them in a classified manner. It should be noted that, because the traffic accessing a Web application is distributed by the LB node to a plurality of WAF nodes for protection processing, each WAF node generates only a partial protection log for that Web application. Therefore, by adding a log node to the WAF cluster and having it collect and store the protection logs of different Web applications in a classified manner, the user can subsequently check the overall protection effect for a given Web application.
The user inputs a log view request to the SaaS WAF management platform, the log view request including log attributes. After receiving the log checking request, the SaaS WAF management platform acquires log attributes from the log checking request.
According to the log attribute, the SaaS WAF management platform acquires matched log information from the log nodes, wherein the log information comprises part of protection logs reported to the log nodes by at least one WAF node. The SaaS WAF management platform displays log information to the user.
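A parser for the character string format of the partial protection log shown earlier, together with the log node's classified storage and the log view query by public network address described here, as an added Python example that is not part of the patent; the first sample line is the patent's own, the other two are constructed, and classifying by the destination address carried in each log line is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Ordered key=value fields, taken from the character string format in the patent.
FIELDS = [
    "dport", "devicename", "url", "method", "args", "flag_field", "block_time",
    "http_type", "attack_field", "profile_id", "rule_id", "type", "severity",
    "action", "referer", "useragent", "post", "xip", "code", "country",
    "province", "equipment", "os", "browser",
]
INT_FIELDS = {"dport", "block_time", "attack_field", "profile_id", "rule_id", "code"}  # the %d fields

# Header: <pri>syslog-time WAF:waf-time WAF:src-ip:src-port->dst-ip, then the fields, then '|'.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<syslog_time>.+?) WAF:(?P<waf_time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"WAF:(?P<src_ip>[^:\s]+):(?P<src_port>\d+)->(?P<dst_ip>\S+) (?P<fields>.*)$"
)
# Values may be empty or contain spaces ('type=Web Scan Protection', 'province=local area
# network'), so each value is matched lazily up to the next known key, not split on whitespace.
FIELDS_RE = re.compile(" ".join(f"{k}=(?P<{k}>.*?)" for k in FIELDS) + r"\|$")


def parse_guard_log(line: str) -> Optional[dict]:
    """Parse one partial protection log line; return None if it does not follow the format."""
    head = HEADER_RE.match(line.strip())
    if head is None:
        return None
    body = FIELDS_RE.match(head.group("fields"))
    if body is None:
        return None
    rec = head.groupdict()
    del rec["fields"]
    rec.update(body.groupdict())
    rec["pri"] = int(rec["pri"])
    rec["src_port"] = int(rec["src_port"])
    for k in INT_FIELDS:
        rec[k] = int(rec[k]) if rec[k] else None  # a %d field left empty becomes None
    return rec


class LogNode:
    """Collects the partial protection logs of every WAF node and stores them classified by
    protection asset (assumed to be the destination address carried in each log line)."""

    def __init__(self) -> None:
        self._by_asset: Dict[str, List[dict]] = defaultdict(list)
        self.rejected = 0  # lines that did not parse; worth alerting on in a real deployment

    def ingest(self, line: str) -> bool:
        rec = parse_guard_log(line)
        if rec is None:
            self.rejected += 1
            return False
        self._by_asset[rec["dst_ip"]].append(rec)
        return True

    def query(self, public_address: str) -> List[dict]:
        """Log view request: the log attribute is the public network address of the Web application."""
        return list(self._by_asset.get(public_address, []))

    def summary(self, public_address: str) -> Dict[str, int]:
        """Overall protection effect for one Web application across all WAF nodes: events per action."""
        counts: Dict[str, int] = defaultdict(int)
        for rec in self.query(public_address):
            counts[rec["action"]] += 1
        return dict(counts)


# First line: the patent's log sample. Lines two and three are constructed for this example
# (a second WAF node reporting on the same asset, and a different asset).
SAMPLE_LOGS = [
    "<188>Jun 15 07:10:49 WAF:2021-06-15 07:10:49 WAF:192.168.123.61:8739->192.168.123.248 dport=80 devicename=waf url=/bWAPP/login.php/images/netsparker.png method=GET args= flag_field= block_time=0 http_type= attack_field=4 profile_id=-1 rule_id=10 type=Web Scan Protection severity=HIGH action=PASS referer= useragent= post= xip=192.168.123.61 code=30090 country= province=local area network equipment=PC os=WINDOWS browser=BROWSER CHROME|",
    "<188>Jun 15 07:12:30 WAF:2021-06-15 07:12:30 WAF:192.168.123.77:40211->192.168.123.248 dport=80 devicename=waf2 url=/bWAPP/sqli_1.php method=GET args= flag_field= block_time=0 http_type= attack_field=1 profile_id=-1 rule_id=22 type=SQL Injection Protection severity=HIGH action=BLOCK referer= useragent= post= xip=192.168.123.77 code=30001 country= province=local area network equipment=PC os=LINUX browser=BROWSER FIREFOX|",
    "<188>Jun 15 07:13:05 WAF:2021-06-15 07:13:05 WAF:198.51.100.9:55123->203.0.113.10 dport=443 devicename=waf url=/ method=GET args= flag_field= block_time=0 http_type= attack_field=4 profile_id=-1 rule_id=10 type=Web Scan Protection severity=HIGH action=PASS referer= useragent= post= xip=198.51.100.9 code=30090 country= province= equipment=PC os=WINDOWS browser=BROWSER CHROME|",
]


def build_log_node() -> LogNode:
    node = LogNode()
    for line in SAMPLE_LOGS:
        node.ingest(line)
    return node


if __name__ == "__main__":
    node = build_log_node()
    print(node.summary("192.168.123.248"))
```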
In this way, service traffic that reaches the cloud platform core switch and is destined for the Web application to be accessed is subjected to protection processing by the SaaS WAF management platform, the LB node and the WAF nodes included in the WAF cluster, so that the cloud platform Web application is protected. This solves the problems of the existing cloud WAF mode, namely manually modifying DNS resolution, traffic steering, latency, and access that bypasses the cloud WAF. Compared with the existing mirroring mode, the communication method and system protect Web applications shared by multiple tenants and save resources; compared with the existing cloud WAF mode, the traffic steering scheme is simpler and takes effect promptly, and the risk of the Web application being accessed directly is avoided.
The foregoing description of the preferred embodiments of the present invention is not intended to limit the invention to the precise form disclosed, and any modifications, equivalents, improvements and alternatives falling within the spirit and principles of the present invention are intended to be included within the scope of the present invention.
Claims (12)
1. A communication system, wherein the communication system is applied to a WAF cluster, the WAF cluster including a SaaS WAF management platform, an LB node, and a plurality of WAF nodes;
the SaaS WAF management platform is used for receiving a SaaS service starting request input by a user, wherein the SaaS service starting request comprises a public network address to be protected and a protection bandwidth; sending a first configuration file to the LB node, wherein the first configuration file comprises a first sub-configuration file;
the LB node is used for receiving the first configuration file sent by the SaaS WAF management platform and acquiring the first sub-configuration file from the first configuration file; configuring virtual service and QoS of the virtual service locally according to the first sub-configuration file, wherein the virtual service comprises the public network address to be protected, and the QoS comprises the protection bandwidth;
and the virtual service is used for forwarding the service flow to the corresponding WAF nodes by the LB node after the service flow reaches the LB node.
2. The system of claim 1, wherein the first profile further comprises a second sub-profile;
the LB node is further configured to configure a load balancing algorithm of source address hash locally according to the second sub-configuration file, and configure the plurality of WAF nodes as real services corresponding to the virtual services locally;
the real service is used for providing service flow protection for the Web application to be accessed by the user.
3. The system of claim 2, wherein the SaaS WAF management platform is further configured to send a second profile to each of a plurality of WAF nodes that are providing the real service, the second profile including a protection asset, a proxy rule, and a protection policy;
the WAF node is used for receiving the second configuration file; configuring the protection asset, proxy rules and protection policy locally;
the protection asset is the public network address to be protected.
4. The system of claim 1, wherein a Netconf connection has been established between the SaaS WAF management platform and a core switch comprised by a cloud platform;
the SaaS WAF management platform is further configured to send, through the Netconf connection, a policy route to the core switch, so that the core switch configures the policy route locally, and when the traffic reaches the core switch, the core switch forwards the traffic to the LB node according to the policy route;
the policy route comprises a destination address and a next hop, wherein the destination address is the public network address to be protected, and the next hop is the address of the LB node.
5. The system of claim 3, wherein the WAF cluster further comprises a log node;
the WAF node is further configured to, when the service flow is received and a destination address included in the service flow is the same as the public network address to be protected indicated by the protection asset, perform protection processing on the service flow according to the proxy rule and the protection policy, and generate a partial protection log; transmitting the partial protection log to the log node;
the log node is used for receiving part of protection log transmitted by each WAF node; and classifying and storing the plurality of partial protection logs according to the protection assets recorded by each partial protection log.
6. The system of claim 5, wherein the SaaS WAF management platform is further configured to receive a log view request entered by the user, the log view request including a log attribute;
according to the log attribute, acquiring matched log information from the log nodes, wherein the log information comprises at least one part of protection log reported to the log nodes by the WAF nodes;
and the log attribute is the public network address to be protected.
7. The system of claim 3, wherein the LB node is further configured to receive a traffic flow sent by a core switch included in the cloud platform, where the traffic flow includes a destination address that is the public network address to be protected; if the local virtual service is matched with the public network address to be protected, carrying out hash operation on a source address included in the service flow according to the load balancing algorithm, and forwarding the service flow to the WAF nodes corresponding to the virtual service according to a hash operation result;
the WAF node is further configured to receive the traffic flow; if the destination address included in the service flow is the same as the public network address to be protected indicated by the protection asset, carrying out protection processing on the service flow according to the proxy rule and the protection strategy; sending the service flow after the protection treatment to the LB node;
the LB node is further configured to receive the service traffic after the protection processing, and send the service traffic after the protection processing to the core switch, so that the core switch forwards the service traffic after the protection processing to the Web application indicated by the destination address.
8. A communication method, wherein the method is applied to a SaaS WAF management platform, the SaaS WAF management platform being in a WAF cluster, the WAF cluster further comprising an LB node, a plurality of WAF nodes, the method comprising:
receiving a start SaaS service request input by a user, wherein the start SaaS service request comprises a public network address to be protected and a protection bandwidth;
sending a first configuration file to the LB node, wherein the first configuration file comprises a first sub-configuration file, so that the LB node locally configures virtual service and QoS of the virtual service according to the first sub-configuration file, the virtual service comprises a public network address to be protected, and the QoS comprises the protection bandwidth;
and the virtual service is used for forwarding the service flow to the corresponding WAF nodes by the LB node after the service flow reaches the LB node.
9. The method of claim 8, wherein the first profile further comprises a second sub-profile for locally configuring a load balancing algorithm for source address hashing by the LB node and locally configuring the plurality of WAF nodes as real services corresponding to the virtual services;
the real service is used for providing service flow protection for the Web application to be accessed by the user.
10. The method according to claim 9, wherein the method further comprises:
sending a second configuration file to each WAF node in the plurality of WAF nodes providing the real service, wherein the second configuration file comprises a protection asset, a proxy rule and a protection policy, so that each WAF node configures the protection asset, the proxy rule and the protection policy locally;
the protection asset is the public network address to be protected.
11. The method of claim 8, wherein a Netconf connection has been established between the SaaS WAF management platform and a core switch comprised by a cloud platform, the method further comprising:
sending a policy route to the core switch through the Netconf connection, so that the core switch configures the policy route locally, and when the service traffic arrives at the core switch, the core switch forwards the service traffic to the LB node according to the policy route;
the policy route comprises a destination address and a next hop, wherein the destination address is the public network address to be protected, and the next hop is the address of the LB node.
12. The method of claim 8, wherein the WAF cluster further comprises a log node, the method further comprising:
receiving a log viewing request input by the user, wherein the log viewing request comprises log attributes;
according to the log attribute, acquiring matched log information from the log nodes, wherein the log information comprises at least one part of protection log reported to the log nodes by the WAF nodes;
and the log attribute is the public network address to be protected.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311388160.3A CN117614647A (en) | 2023-10-24 | 2023-10-24 | Communication system and communication method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117614647A true CN117614647A (en) | 2024-02-27 |
Family
ID=89955075
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311388160.3A Pending CN117614647A (en) | 2023-10-24 | 2023-10-24 | Communication system and communication method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117614647A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN119520150A (en) * | 2024-12-04 | 2025-02-25 | 成都数默科技有限公司 | Encryption and decryption traffic control method based on transparent proxy |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||