CN-122001626-A - Security service delivery method and device
Abstract
The application provides a method and a device for delivering security services. The method comprises: responding to an opening request for a target SaaS security service initiated by a public network tenant, calling an application program interface of the target SaaS security service system, creating and registering a first service instance according to the identity information of the public network tenant, and generating a first proxy configuration rule and issuing it to a first proxy virtual machine, where the rule logically binds the first proxy virtual machine to the first service instance. An IPSec VPN tunnel is configured between the security resource pool and the network boundary of the public network tenant, and the management platform brings the first proxy virtual machine under its management through the IPSec VPN tunnel. With this method the public network tenant does not need to deploy a complete security product virtual machine; only one lightweight proxy is needed to open security services, so the virtual machine resource consumption of the public network tenant is effectively reduced.
Inventors
- ZHOU MING
Assignees
- 新华三信息安全技术有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20260112
Claims (11)
- 1. A security service delivery method, wherein the method is applied to a management platform of a secure resource pool, the method comprising: responding to an opening request for a target SaaS security service initiated by a public network tenant, calling an application program interface of the target SaaS security service system in the security resource pool, and creating and registering a service instance in the target SaaS security service system according to identity information of the public network tenant to obtain a first service instance; generating a first proxy configuration rule and issuing the first proxy configuration rule to a first proxy virtual machine, wherein the first proxy configuration rule is used for logically binding the first proxy virtual machine with the first service instance to establish a data forwarding channel from the first proxy virtual machine to the first service instance, the first proxy virtual machine being deployed in a proxy subnet of the internal network of the public network tenant; an IPSec VPN tunnel is configured between the security resource pool and the network boundary of the public network tenant, and the management platform brings the first proxy virtual machine under management through the IPSec VPN tunnel; the first proxy virtual machine is configured to receive the security data sent by the business virtual machine of the public network tenant and to forward the security data through the IPSec VPN tunnel to the first service instance of the target SaaS security service system for processing, according to the first proxy configuration rule.
- 2. The method of claim 1, wherein, prior to generating the first proxy configuration rule and issuing it to the first proxy virtual machine, the method further comprises: judging whether the public network tenant already has an available first proxy virtual machine that is already under management; if not, triggering an automatic deployment process, wherein the automatic deployment process comprises creating a first proxy virtual machine in the proxy subnet of the public network tenant using a proxy virtual machine template, and accessing the management interface of the first proxy virtual machine through the IPSec VPN tunnel to bring the first proxy virtual machine under management.
- 3. The method of claim 2, wherein the first proxy virtual machine is configured to proxy multiple different SaaS security services simultaneously.
- 4. The method of claim 2, wherein, after creating the first proxy virtual machine using the proxy virtual machine template, the method further comprises: triggering an automatic configuration flow based on the network address of the first proxy virtual machine in the proxy subnet, wherein the automatic configuration flow comprises configuring the output address for security data of the business virtual machine of the public network tenant as that network address.
- 5. The method of claim 1, wherein access control rules are configured on the exit firewall of the secure resource pool and the exit firewall of the public network tenant, the access control rules being used to define that only traffic between the management platform, the target SaaS security service system, and the first proxy virtual machine is allowed to pass through the IPSec VPN tunnel.
- 6. The method according to claim 1, wherein the method further comprises: responding to an opening request for the target SaaS security service initiated by an intranet tenant, calling an application program interface of the target SaaS security service system in the security resource pool, and creating and registering a service instance in the target SaaS security service system using identity information of the intranet tenant to obtain a second service instance; generating a second proxy configuration rule and issuing the second proxy configuration rule to a second proxy virtual machine, wherein the second proxy configuration rule is used for logically binding the second proxy virtual machine with the second service instance to establish a data forwarding channel from the second proxy virtual machine to the second service instance, the second proxy virtual machine being deployed in a virtual private cloud network of the intranet tenant; the management platform brings the second proxy virtual machine under management through the intranet; the second proxy virtual machine is configured to receive the security data sent by the business virtual machine of the intranet tenant and to forward the security data through the intranet to the second service instance of the target SaaS security service system for processing, according to the second proxy configuration rule.
- 7. A security service delivery apparatus, the apparatus being applied to a management platform of a secure resource pool, the apparatus comprising: a first module for responding to an opening request for a target SaaS security service initiated by a public network tenant, calling an application program interface of the target SaaS security service system in the security resource pool, and creating and registering a service instance in the target SaaS security service system according to identity information of the public network tenant to obtain a first service instance; a second module for generating a first proxy configuration rule and issuing the first proxy configuration rule to a first proxy virtual machine, wherein the first proxy configuration rule is used for logically binding the first proxy virtual machine with the first service instance to establish a data forwarding channel from the first proxy virtual machine to the first service instance, the first proxy virtual machine being deployed in a proxy subnet of the internal network of the public network tenant; an IPSec VPN tunnel is configured between the security resource pool and the network boundary of the public network tenant, and the management platform brings the first proxy virtual machine under management through the IPSec VPN tunnel; the first proxy virtual machine is configured to receive the security data sent by the business virtual machine of the public network tenant and to forward the security data through the IPSec VPN tunnel to the first service instance of the target SaaS security service system for processing, according to the first proxy configuration rule.
- 8. The apparatus of claim 7, wherein the apparatus further comprises: a third module for responding to an opening request for the target SaaS security service initiated by an intranet tenant, calling an application program interface of the target SaaS security service system in the security resource pool, and creating and registering a service instance in the target SaaS security service system using identity information of the intranet tenant to obtain a second service instance; a fourth module for generating a second proxy configuration rule and issuing the second proxy configuration rule to a second proxy virtual machine, wherein the second proxy configuration rule is used for logically binding the second proxy virtual machine with the second service instance to establish a data forwarding channel from the second proxy virtual machine to the second service instance, the second proxy virtual machine being deployed in a virtual private cloud network of the intranet tenant; the management platform brings the second proxy virtual machine under management through the intranet; the second proxy virtual machine is configured to receive the security data sent by the business virtual machine of the intranet tenant and to forward the security data through the intranet to the second service instance of the target SaaS security service system for processing, according to the second proxy configuration rule.
- 9. An electronic device, comprising a memory and one or more processors, the memory being coupled with the processors, wherein the memory stores computer program code comprising computer instructions that, when executed by the processors, cause the electronic device to perform the method of any of claims 1-6.
- 10. A computer readable storage medium comprising computer instructions which, when run on an electronic device, cause the electronic device to perform the method of any of claims 1-6.
- 11. A computer program product, characterized in that the computer program product, when run on a computer, causes the computer to perform the method according to any of claims 1-6.
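As an added example that is not part of the patent, the following Python sketch models the management-platform side of claims 1, 2, 3 and 5: registering a service instance through the SaaS system's API, reusing or auto-deploying the tenant's proxy virtual machine, binding it to the instance with a proxy configuration rule, and the tunnel access-control check that admits only the platform, the SaaS systems and the proxy VM. All class names, addresses and the rule format are assumptions.

```python
# Added example (not the patent holder's code): a minimal model of the
# provisioning flow in claims 1, 2, 3 and 5. Names and addresses are hypothetical.


class SaasSecurityService:
    """Stand-in for a SaaS security system's API (claim 1)."""
    def __init__(self, name, address):
        self.name, self.address, self.instances = name, address, {}

    def create_instance(self, tenant_id):
        inst_id = f"{self.name}-{tenant_id}"   # registered per tenant identity
        self.instances[inst_id] = tenant_id
        return inst_id


class ProxyVm:
    def __init__(self, address):
        self.address, self.managed, self.rules = address, False, []


class ManagementPlatform:
    def __init__(self, mgmt_addr, services):
        self.mgmt_addr = mgmt_addr
        self.services = {s.name: s for s in services}
        self.proxies = {}   # tenant_id -> ProxyVm (one per tenant, claim 3)

    def _ensure_proxy(self, tenant_id, proxy_addr):
        """Claim 2: reuse an available managed proxy VM, else auto-deploy one."""
        vm = self.proxies.get(tenant_id)
        if vm is None or not vm.managed:
            vm = ProxyVm(proxy_addr)   # address in the tenant's proxy subnet
            vm.managed = True          # onboarding would run over the IPSec tunnel
            self.proxies[tenant_id] = vm
        return vm

    def open_service(self, tenant_id, proxy_addr, service_name):
        """Claim 1: register an instance, then bind the proxy VM to it."""
        svc = self.services[service_name]
        inst_id = svc.create_instance(tenant_id)
        vm = self._ensure_proxy(tenant_id, proxy_addr)
        rule = {"instance": inst_id, "forward_to": svc.address}
        vm.rules.append(rule)   # the proxy configuration rule issued to the VM
        return vm, rule

    def tunnel_acl(self, tenant_id):
        """Claim 5: only the platform, SaaS systems and the proxy VM use the tunnel."""
        allowed = {self.mgmt_addr, self.proxies[tenant_id].address}
        allowed |= {s.address for s in self.services.values()}
        return lambda src, dst: src in allowed and dst in allowed
```

A business VM that bypasses the proxy is rejected by the ACL, which is the point of claim 5: the tunnel carries only proxy, platform and SaaS traffic.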
Description
Technical Field
The present application relates to the field of cloud computing technologies, and in particular to a method and an apparatus for delivering security services.
Background
A secure resource pool product may support multiple types of security services, including SaaS security services (e.g., log audit SaaS, bastion host SaaS, host security SaaS) and image-based security services. A SaaS security service can be shared by multiple users, whereas an image-based security service is used by a single user. Although their deployment modes differ, their security capabilities are substantially the same. In practical deployment, the secure resource pool may serve two classes of tenants simultaneously: intranet tenants located in the same intranet as the secure resource pool, and public network tenants that must be reached through the public network. How to efficiently and flexibly deliver security services to both types of tenants and protect their business systems is a technical problem that remains to be solved. Currently, a common way to provide security services to public network tenants is to deploy a complete security product virtual machine at the tenant. Specifically, the service provider supplies a virtual machine image of the security product to the public network tenant, who deploys the virtual machine in its local environment and makes it reachable for management by the management platform through Network Address Translation (NAT) or similar techniques. The tenant's business system then has to send its security data directly to the locally deployed security product virtual machine for processing.
This implementation has the following disadvantages:
- Excessive virtual machine resource consumption: each security product requires its own complete virtual machine instance on the public network tenant side, so the tenant's virtualized resources (CPU, memory and storage) are heavily occupied and resource utilization is low.
- Complex deployment and maintenance: image deployment, network configuration and system initialization must be repeated every time a security service is opened, so the process is cumbersome and the operation and maintenance cost is high.
- Lack of resource reusability: the underlying computing resources cannot be shared among different security services, so when a tenant opens several security services the waste is multiplied and the overall scalability and economy of the system are poor.
Disclosure of Invention
The application provides a security service delivery method and a security service delivery apparatus, which reduce the virtual machine resource consumption of public network tenants when a security service is opened, simplify the platform delivery flow and improve resource reusability.
Specifically, the application provides the following technical scheme. In a first aspect, the present application provides a security service delivery method, the method being applied to a management platform of a secure resource pool, the method comprising: responding to an opening request for a target SaaS security service initiated by a public network tenant, calling an application program interface of the target SaaS security service system in the security resource pool, and creating and registering a service instance in the target SaaS security service system according to identity information of the public network tenant to obtain a first service instance; generating a first proxy configuration rule and issuing the first proxy configuration rule to a first proxy virtual machine, wherein the first proxy configuration rule is used for logically binding the first proxy virtual machine with the first service instance to establish a data forwarding channel from the first proxy virtual machine to the first service instance, the first proxy virtual machine being deployed in a proxy subnet of the internal network of the public network tenant; an IPSec VPN tunnel is configured between the security resource pool and the network boundary of the public network tenant, and the management platform brings the first proxy virtual machine under management through the IPSec VPN tunnel; the first proxy virtual machine is configured to receive the security data sent by the business virtual machine of the public network tenant and to forward the security data through the IPSec VPN tunnel to the first service instance of the target SaaS security service system for processing, according to the first proxy configuration rule. In a second aspect, the present application provides a security service delivery apparatus, the apparatus being applied to a management platform of a secure resource pool, the apparatus comprising: a first module for responding t