CN-121984793-A - Hardware-level network isolation and safety protection method based on data processing unit
Abstract
The application provides a hardware-level network isolation and security protection method based on a data processing unit, and relates to the technical field of network security. The method comprises: receiving external network traffic and performing pre-security processing on it to generate a policy matching result, wherein the pre-security processing comprises at least traffic identification, traffic detection and policy matching; and, according to the policy matching result, shunting the external network traffic to a local processing path or a high-speed through path. The local processing path is used to prevent the external network traffic from entering the host computing unit; the high-speed through path is used to send the external network traffic to the host computing unit and bypasses the operating system protocol stack of the host computing unit. The method solves the problems of existing security protection schemes: high host CPU load, long data paths, malicious traffic intruding into the host, and legitimate traffic being unable to reach the host directly at high speed.
Inventors
- CHEN HAO
- HAO ZHIKUN
- LIU XIANZHENG
Assignees
- 翼华科技(北京)股份有限公司
- 北京翼华云网科技有限公司
Dates
- Publication Date
- 20260505
- Application Date
- 20260408
Claims (10)
- 1. A hardware-level network isolation and security protection method based on a data processing unit, characterized in that it is applied to a security control unit arranged between a network entry and a host computing unit and comprises the following steps: receiving external network traffic and performing pre-security processing on the external network traffic to generate a policy matching result, wherein the pre-security processing comprises at least traffic identification, traffic detection and policy matching; and, according to the policy matching result, shunting the external network traffic to a local processing path or a high-speed through path, wherein the local processing path is used to prevent the external network traffic from entering the host computing unit, the high-speed through path is used to send the external network traffic to the host computing unit, and the high-speed through path is a path that bypasses the operating system protocol stack of the host computing unit.
- 2. The method of claim 1, wherein performing pre-security processing on the external network traffic to generate a policy matching result comprises: performing five-tuple analysis and flow classification on the external network traffic to generate flow classification information; if the flow classification information characterizes the external network traffic as non-encrypted traffic, performing deep packet inspection on the non-encrypted traffic to generate an application layer identification result and a malicious load matching result; if the flow classification information characterizes the external network traffic as encrypted traffic, performing TLS offload and decryption on the encrypted traffic to generate plaintext traffic, and performing deep packet inspection on the plaintext traffic to generate an application layer identification result and a malicious load matching result; and outputting the policy matching result according to the pre-issued security policy, the application layer identification result and the malicious load matching result.
- 3. The method of claim 1, wherein shunting the external network traffic to a local processing path or a high-speed through path according to the policy matching result comprises: if the policy matching result indicates that the external network traffic is malicious traffic or abnormal traffic, executing a treatment action in the security control unit to prevent the external network traffic from entering the host computing unit; and if the policy matching result indicates that the external network traffic is legitimate traffic, sending the external network traffic to the host computing unit through the high-speed through path, wherein the high-speed through path is a data channel that bypasses the operating system protocol stack of the host computing unit.
- 4. The method of claim 3, wherein the high-speed through path is a remote direct memory access (RDMA) through path, and shunting the external network traffic to the high-speed through path according to the policy matching result comprises: writing legitimate external network traffic into a pre-registered memory area or an application buffer of the host computing unit by an RDMA operation according to the policy matching result.
- 5. The method of any one of claims 1-4, further comprising: receiving security policies, rules and whitelist/blacklist information issued by a security policy management center; and reporting log summaries, event information and statistical data to a global monitoring and auditing center.
- 6. A hardware-level network isolation and security protection system based on a data processing unit, the system comprising: a physical access unit for receiving external network traffic; a security control unit disposed between the physical access unit and a host computing unit for performing the method of any one of claims 1-5; and the host computing unit, configured to receive the traffic sent by the security control unit after performing the method of any one of claims 1-5 and to perform service processing.
- 7. The system of claim 6, wherein the security control unit comprises: a hardware traffic splitting and flow classification module for performing five-tuple analysis on incoming external network traffic, performing flow classification based on the five-tuple information and generating flow classification information; a deep packet inspection module for performing deep packet inspection on unencrypted traffic if the flow classification information characterizes the external network traffic as unencrypted traffic, and generating an application layer identification result and a malicious load matching result; a TLS offload and encryption/decryption module for performing TLS offload and decryption on encrypted traffic to generate plaintext traffic and sending the plaintext traffic to the deep packet inspection module if the flow classification information characterizes the external network traffic as encrypted traffic; a policy matching and access control module for generating a policy matching result according to the pre-issued security policy and the application layer identification result and malicious load matching result output by the deep packet inspection module; a local processing module for executing a treatment operation on malicious or abnormal traffic according to the policy matching result, wherein the treatment operation comprises discarding, rate limiting, isolating or redirecting; and a high-speed through forwarding module for sending the traffic output by the security control unit to the host computing unit through the high-speed through path based on the policy matching result.
- 8. A hardware-level network isolation and security protection device based on a data processing unit, characterized in that it is applied to a security control unit disposed between a network entry and a host computing unit, the device comprising: a security module for receiving external network traffic, performing pre-security processing on the external network traffic and generating a policy matching result; and a policy matching module for shunting the external network traffic to a local processing path or a high-speed through path according to the policy matching result, wherein the local processing path is used to prevent the external network traffic from entering the host computing unit, the high-speed through path is used to send the external network traffic to the host computing unit, and the high-speed through path is a path that bypasses the operating system protocol stack of the host computing unit.
- 9. A security control unit, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus; the memory is for storing a computer program; and the processor is for implementing the method of any one of claims 1-5 when executing the program stored in the memory.
- 10. A computer-readable storage medium, characterized in that a computer program is stored therein which, when executed by a processor, implements the method of any one of claims 1-5.
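The pipeline of claims 2 to 4 and 7, modelled as an added example that is not part of the patent or of any product of the assignees: five-tuple flow classification, a placeholder TLS offload step, signature-based deep packet inspection, policy matching against constructed blacklist/whitelist data, and shunting to either a local treatment path or a pass-through write into a list that stands in for the pre-registered RDMA host buffer. All IP addresses, signatures, the XOR stand-in for decryption and the function names are assumptions.

```python
# Constructed policy material (as issued by a security policy management center).
BLACKLIST = {"203.0.113.9"}
WHITELIST = {"198.51.100.7"}
SIGNATURES = {b"' OR 1=1": "sqli", b"../../": "path-traversal"}
XOR_KEY = 0x5A  # stand-in for the TLS offload engine's real session keys
def classify(pkt):
    """Five-tuple flow key and encrypted flag (TLS record: type 0x16/0x17, version 0x03)."""
    key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])
    d = pkt["data"]
    return key, len(d) > 5 and d[0] in (0x16, 0x17) and d[1] == 0x03
def tls_offload_decrypt(data):
    # Placeholder for TLS offload: strip the 5-byte record header and undo the
    # constructed XOR "encryption" that tls_wrap() applies to the sample traffic.
    return bytes(b ^ XOR_KEY for b in data[5:])
def tls_wrap(plain):  # constructed counterpart of tls_offload_decrypt()
    body = bytes(b ^ XOR_KEY for b in plain)
    return b"\x17\x03\x03" + len(body).to_bytes(2, "big") + body
def deep_packet_inspect(plain):
    """Application-layer identification and malicious-load signature matching."""
    app = "http" if plain.startswith((b"GET ", b"POST ")) else "unknown"
    return app, sorted(n for sig, n in SIGNATURES.items() if sig in plain)
def match_policy(key, app, hits):
    """Policy matching result: (verdict, treatment action)."""
    if key[0] in BLACKLIST: return "malicious", "drop"
    if hits: return "malicious", "isolate"
    if key[0] in WHITELIST or app == "http": return "legal", "pass"
    return "abnormal", "rate-limit"
def security_control_unit(pkt, host_buffer, log):
    """'through': RDMA-style write of the decrypted payload into the pre-registered host
    buffer, bypassing the host protocol stack; 'local': treated on the DPU, never reaches host."""
    key, encrypted = classify(pkt)
    plain = tls_offload_decrypt(pkt["data"]) if encrypted else pkt["data"]
    app, hits = deep_packet_inspect(plain)
    verdict, action = match_policy(key, app, hits)
    log.append((key, verdict, action, tuple(hits)))  # summary for the audit center
    if verdict != "legal":
        return "local"
    host_buffer.append(plain)
    return "through"
def run_sample():
    """Four constructed packets toward host 10.0.0.5; returns (paths, host_buffer, log)."""
    flows = [("198.51.100.7", 80, 6, b"GET /index.html HTTP/1.1\r\n"),               # whitelisted
             ("192.0.2.4", 443, 6, tls_wrap(b"GET /login?u=' OR 1=1 HTTP/1.1\r\n")),  # SQLi under TLS
             ("203.0.113.9", 80, 6, b"GET / HTTP/1.1\r\n"),                          # blacklisted
             ("192.0.2.8", 9999, 17, b"\x00\x01\x02")]                               # unknown app
    host_buffer, log = [], []
    paths = [security_control_unit({"src": s, "dst": "10.0.0.5", "sport": 40000, "dport": d,
                                    "proto": p, "data": x}, host_buffer, log) for s, d, p, x in flows]
    return paths, host_buffer, log
```

Only the whitelisted plaintext request reaches the host buffer; the SQLi payload hidden under TLS is caught after the offload step and isolated on the DPU, so it never enters host memory.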
Description
Hardware-level network isolation and security protection method based on data processing unit
Technical Field
The application relates to the technical field of network security, in particular to a hardware-level network isolation and security protection method based on a data processing unit.
Background
With the continuous evolution of network attack means and the popularization of new architectures such as cloud native and edge computing, network security protection faces unprecedented challenges. Traditional security schemes rely primarily on host-side software or dedicated hardware devices, and their core processing logic is still carried by the Central Processing Unit (CPU). The prior art closest to the present application mainly falls into the following categories. First, a centralized deployment mode based on dedicated security devices: traffic is detected and controlled at the network egress or data center boundary by devices such as a standalone hardware firewall, an Intrusion Detection System (IDS), an Intrusion Prevention System (IPS) or a zero-trust gateway; after passing through these devices, the traffic still enters the server in the conventional manner. Second, a security mode based on host-side software: a security agent program or software security engine is deployed in the server, virtual machine or service host, and the host CPU performs functions such as traffic capture, Deep Packet Inspection (DPI), TLS decryption, access control and log reporting. Third, a processing mode based on a conventional network card and the CPU protocol stack: traffic follows the path network card, host memory, Linux kernel protocol stack, security module and then retransmission; all traffic must enter host memory and pass through the operating system protocol stack before the CPU performs security analysis and executes actions.
However, the prior art solutions described above have the following objective disadvantages:
(1) Excessive CPU load. Security tasks such as deep packet inspection, TLS decryption, connection tracking and abnormal behavior analysis consume a large amount of host CPU resources, so the CPU becomes a performance bottleneck and competes with business applications for computing resources.
(2) Long data path and high latency. Traffic must pass through host memory and the operating system protocol stack, with multiple data copies, interrupts and context switches, which increases processing delay and reduces overall throughput.
(3) Security contends for computing resources. Security tasks and service tasks share the CPU, memory bandwidth and DMA channels, which easily causes service jitter and reduces system stability.
(4) Malicious traffic has already entered the host side before it is identified. Before it is identified and intercepted, malicious traffic occupies host memory, protocol stack resources and CPU time slices, enlarging the attack surface and wasting resources.
(5) Existing offload schemes give insufficient support to security scenarios. Existing smart NIC or DPU offload schemes are oriented to virtual switching, tunnel encapsulation, storage acceleration and similar scenarios, and cannot systematically solve the resource consumption of security detection, decryption, policy matching and action execution.
(6) Legitimate traffic lacks a high-speed direct path after security verification. In the traditional scheme, legitimate and malicious traffic are handled by the host protocol stack alike, and no low-overhead high-speed transmission path can be established once the security check has passed.
Disclosure of Invention
The embodiments of the application aim to provide a hardware-level network isolation and security protection method based on a data processing unit, which solves the problems of high host CPU load, long data path, intrusion of malicious traffic into the host, inability of legitimate traffic to reach the host directly at high speed, and the like, in existing security protection schemes. In a first aspect, a hardware-level network isolation and security protection method based on a data processing unit is provided; the method is applied to a security control unit deployed between a network entry and a host computing unit, and may include: receiving external network traffic and performing pre-security processing on the external network traffic to generate a policy matching result, wherein the pre-security processing comprises at least traffic identification, traffic detection and policy matching; and, according to the policy matching result, shunting the external network traffic to a local processing path or a high-speed through path, wherein the local processing path is used for p