Abstract (translated from the Chinese original): A cloud-network-security integrated security capability pool system is designed and implemented. The system virtualizes and atomizes important network security capabilities and pushes them down to edge cloud nodes for deployment, supporting a variety of traffic-mode and non-traffic-mode security service scenarios. Based on IPv6 Segment Routing (SRv6) and Flowspec, the system implements security service chain orchestration and traffic steering with simple configuration, flexibility and high efficiency, and achieves unified management of cross-vendor security capabilities through standardized interfaces. Engineering measures resolve problems encountered in production operation, such as slow processing and service interruption, and the system provides centralized management and intelligent scheduling of security capabilities. At present, the security capability pool is in commercial use, serving more than a thousand customers with a cumulative defense count in the millions.
Abstract: A security capability resource pool system that integrates cloud, network, and security is designed and implemented. The system virtualizes and atomizes major security capabilities, deploys them at edge cloud nodes, and supports a variety of traffic-mode and non-traffic-mode service scenarios. Based on Segment Routing over IPv6 (SRv6) and Flowspec, the resource pool achieves service chain orchestration and flow steering with simple configuration and high efficiency, and it manages cross-vendor security capabilities through standardized interfaces. The system also resolves operational problems such as slow processing and service interruption, and achieves unified management and intelligent scheduling of security capabilities. The security capability resource pool is now in commercial use: more than a thousand customers have been protected from millions of cyber-attacks.
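The SRv6 and Flowspec mechanism that the abstract relies on, as an added illustration that is not the paper's code and does not describe its orchestrator: a Flowspec-style match (the RFC 8955 component subset of destination prefix, IP protocol and destination port) selects an ordered chain of security functions, and the ingress node encodes that chain as an SRv6 Segment Routing Header (RFC 8754) whose outer destination is the first function's SID. The SIDs, tenant rules and flows below are constructed for the example; the real pool's SIDs, function names and interfaces are not on this page.

```python
"""Added illustration (not the paper's code): Flowspec-style flow
classification that selects an ordered chain of security functions, encoded
by the ingress node as an SRv6 Segment Routing Header (RFC 8754)."""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ROUTING_TYPE_SRH = 4   # Routing Type value of the SRH (RFC 8754)
IPPROTO_IPV6 = 41      # Next Header of an IPv6-in-IPv6 encapsulation (H.Encaps)

# Hypothetical SIDs from the documentation prefix 2001:db8::/32. In a real
# pool each is a locator:function SID advertised by the node hosting the VNF.
SIDS = {
    "waf": "2001:db8:100::10",
    "ips": "2001:db8:100::20",
    "fw": "2001:db8:100::30",
    "egress": "2001:db8:1::1",   # decapsulation point back towards the customer
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int


@dataclass(frozen=True)
class FlowspecRule:
    """Subset of RFC 8955 components: type 1 (dst prefix), 3 (protocol), 5 (dst port)."""
    dst_prefix: str
    proto: Optional[int]        # None matches any protocol
    dports: FrozenSet[int]      # empty set matches any destination port
    chain: Tuple[str, ...]      # functions in traversal order, ending at egress

    def matches(self, flow: Flow) -> bool:
        if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(self.dst_prefix):
            return False
        if self.proto is not None and flow.proto != self.proto:
            return False
        return not self.dports or flow.dport in self.dports


# Constructed tenant policy: web traffic to tenant A goes WAF -> IPS,
# everything to tenant B goes through the firewall, anything else is not steered.
RULES = [
    FlowspecRule("2001:db8:a::/48", 6, frozenset({80, 443}), ("waf", "ips", "egress")),
    FlowspecRule("2001:db8:b::/48", None, frozenset(), ("fw", "egress")),
]


def select_chain(rules: List[FlowspecRule], flow: Flow) -> Optional[Tuple[str, ...]]:
    """First matching rule wins, as in an ordered policy; None = forward natively."""
    for rule in rules:
        if rule.matches(flow):
            return rule.chain
    return None


def build_srh(path: List[str], next_header: int = IPPROTO_IPV6) -> Tuple[str, bytes]:
    """Encode an SRH for `path` (SIDs in traversal order) with no TLVs.

    Returns (outer destination address, SRH bytes). Per RFC 8754 the list is
    stored reversed (Segment List[0] is the last SID), Segments Left starts at
    n-1, Last Entry is n-1, and Hdr Ext Len counts 8-octet units after the first 8.
    """
    n = len(path)
    if n == 0:
        raise ValueError("a segment list needs at least one SID")
    packed = [ipaddress.IPv6Address(sid).packed for sid in path]
    fixed = struct.pack("!BBBBBBH", next_header, 2 * n, ROUTING_TYPE_SRH,
                        n - 1, n - 1, 0, 0)   # flags=0, tag=0
    return path[0], fixed + b"".join(reversed(packed))


def parse_srh(data: bytes) -> dict:
    """Decode an SRH and return the path in traversal order (a check against
    the classic mistake of writing the segment list forwards)."""
    nh, hdr_ext_len, rtype, segments_left, last_entry, _flags, _tag = struct.unpack("!BBBBBBH", data[:8])
    if rtype != ROUTING_TYPE_SRH:
        raise ValueError("not an SRH")
    n = last_entry + 1
    if len(data) < 8 + 16 * n or hdr_ext_len * 8 < 16 * n:
        raise ValueError("truncated SRH")
    stored = [str(ipaddress.IPv6Address(data[8 + 16 * i:24 + 16 * i])) for i in range(n)]
    return {"next_header": nh, "hdr_ext_len": hdr_ext_len,
            "segments_left": segments_left, "path": list(reversed(stored))}


def steer(rules: List[FlowspecRule], flow: Flow) -> Optional[Tuple[str, bytes]]:
    """Ingress behaviour: classify the flow and, if a chain applies, build the SRH."""
    chain = select_chain(rules, flow)
    if chain is None:
        return None
    return build_srh([SIDS[fn] for fn in chain])


if __name__ == "__main__":
    for flow in (Flow("2001:db8:c::1", "2001:db8:a::80", 6, 443),
                 Flow("2001:db8:c::1", "2001:db8:b::9", 17, 53),
                 Flow("2001:db8:c::1", "2001:db8:a::80", 17, 53)):
        result = steer(RULES, flow)
        print(flow.dst, flow.proto, flow.dport, "->",
              "native" if result is None else (result[0], parse_srh(result[1])["path"]))
```

The point a practitioner should take from this is the ordering: the chain is written into the SRH in reverse, the outer IPv6 destination carries the first SID, and each function decrements Segments Left to reach the next; a chain that is "almost right" (forward order, or Segments Left = n) silently sends traffic to the wrong function. Unmatched flows return None and are forwarded natively, which is the behaviour to audit when a tenant's protection is expected to be mandatory.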
Keywords: cloud-network convergence; security capability resource pool; near-source protection; elastic scaling; on-demand integration