Information
- Patent Application: 20230300141
- Publication Number: 20230300141
- Date Filed: March 20, 2023
- Date Published: September 21, 2023
- Inventors:
- Original Assignees: TENCENT CLOUD COMPUTING (BEIJING) CO., LTD
- CPC:
- International Classifications:
Abstract
A network security management method is provided. In the method, configuration data that includes at least one access control policy for a network asset of a target cloud tenant is received. The network asset includes a private network, a subnet of the private network, and a cloud instance of the subnet. A network management and control unit and an access control policy set corresponding to the network management and control unit are determined according to the configuration data. The network management and control unit includes one or more of a private network-level management and control unit, a subnet-level management and control unit, and an instance-level management and control unit. The access control policy set of the network management and control unit is transmitted to the cloud instance that is associated with the network management and control unit to manage network traffic of the cloud instance.
Claims
- 1. A network security management method, comprising:
  receiving configuration data that includes at least one access control policy for a network asset of a target cloud tenant, the network asset including a private network, a subnet of the private network, and a cloud instance of the subnet;
  determining, by processing circuitry and according to the configuration data, a network management and control unit and an access control policy set corresponding to the network management and control unit, the network management and control unit including one or more of a private network-level management and control unit, a subnet-level management and control unit, and an instance-level management and control unit; and
  transmitting the access control policy set of the network management and control unit to the cloud instance that is associated with the network management and control unit to manage network traffic of the cloud instance.
- 2. The method according to claim 1, wherein the at least one access control policy includes a management and control policy for resource access.
- 3. The method according to claim 1, wherein the access control policy set transmitted to the cloud instance includes an access and control policy for at least one of the private network or the subnet.
- 4. The method according to claim 1, wherein the determining comprises:
  acquiring an effect-taking object of the at least one access control policy;
  determining the network management and control unit includes the instance-level management and control unit based on the effect-taking object being the cloud instance; and
  adding, to an access control policy set of the instance-level management and control unit, an access control policy for the cloud instance, an access control policy for the subnet that includes the cloud instance, and an access control policy for the private network.
- 5. The method according to claim 4, further comprising:
  determining the network management and control unit includes the subnet-level management and control unit based on the effect-taking object being the subnet; and
  adding, to an access control policy set of the subnet-level management and control unit, the access control policy for the subnet and the access control policy for the private network.
- 6. The method according to claim 5, further comprising:
  determining the network management and control unit includes the private network-level management and control unit based on the effect-taking object being the private network; and
  adding, to an access control policy set of the private network-level management and control unit, the access control policy for the private network.
- 7. The method according to claim 1, wherein before the transmitting, the method further comprises:
  based on the network management and control unit including the instance-level management and control unit, distributing the cloud instance indicated by an effect-taking object of the instance-level management and control unit to the instance-level management and control unit;
  based on the network management and control unit including the subnet-level management and control unit, distributing the cloud instance included in the subnet indicated by an effect-taking object of the subnet-level management and control unit to the subnet-level management and control unit; and
  based on the network management and control unit including the private network-level management and control unit, distributing the cloud instance in the private network indicated by an effect-taking object of the private network-level management and control unit to the private network-level management and control unit.
- 8. A network security management method, comprising:
  displaying a network asset of a cloud tenant on a network security management interface, the network security management interface including a configuration area, the network asset including a private network, a subnet of the private network, and a cloud instance of the subnet;
  receiving an access control configuration operation via the configuration area for the network asset;
  generating configuration data according to the access control configuration operation, the configuration data including an access control policy for the network asset of the cloud tenant; and
  transmitting the configuration data to a server, the configuration data indicating a management and control unit and a first access control policy set corresponding to the management and control unit, the management and control unit including one or more of a private network-level management and control unit, a subnet-level management and control unit, and an instance-level management and control unit.
- 9. The method according to claim 8, wherein the access control policy includes a management and control policy for resource access.
- 10. The method according to claim 8, wherein the access control policy for at least one of the private network or the subnet.
- 11. The method according to claim 8, further comprising:
  transmitting a policy acquisition request to the server in response to a policy viewing instruction for the cloud instance, the policy acquisition request including an instance identifier of the cloud instance;
  receiving a second access control policy set from the server, the received second access control policy set corresponding to the management and control unit associated with the cloud instance; and
  displaying, on the network security management interface, one or more access control policies included in the second access control policy set.
- 12. A network security management apparatus, comprising:
  processing circuitry configured to:
  receive configuration data that includes at least one access control policy for a network asset of a target cloud tenant, the network asset including a private network, a subnet of the private network, and a cloud instance of the subnet;
  determine, according to the configuration data, a network management and control unit and an access control policy set corresponding to the network management and control unit, the network management and control unit including one or more of a private network-level management and control unit, a subnet-level management and control unit, and an instance-level management and control unit; and
  transmit the access control policy set of the network management and control unit to the cloud instance that is associated with the network management and control unit to manage network traffic of the cloud instance.
- 13. The network security management apparatus according to claim 12, wherein the at least one access control policy includes a management and control policy for resource access.
- 14. The network security management apparatus according to claim 12, wherein the access control policy set transmitted to the cloud instance includes an access and control policy for at least one of the private network or the subnet.
- 15. The network security management apparatus according to claim 12, wherein the processing circuitry is configured to:
  acquire an effect-taking object of the at least one access control policy;
  determine the network management and control unit includes the instance-level management and control unit based on the effect-taking object being the cloud instance; and
  add, to an access control policy set of the instance-level management and control unit, an access control policy for the cloud instance, an access control policy for the subnet that includes the cloud instance, and an access control policy for the private network.
- 16. The network security management apparatus according to claim 15, wherein the processing circuitry is configured to:
  determine the network management and control unit includes the subnet-level management and control unit based on the effect-taking object being the subnet; and
  add, to an access control policy set of the subnet-level management and control unit, the access control policy for the subnet and the access control policy for the private network.
- 17. The network security management apparatus according to claim 16, wherein the processing circuitry is configured to:
  determine the network management and control unit includes the private network-level management and control unit based on the effect-taking object being the private network; and
  add, to an access control policy set of the private network-level management and control unit, the access control policy for the private network.
- 18. The network security management apparatus according to claim 12, wherein before the access control policy set is transmitted, the processing circuitry is configured to:
  based on the network management and control unit including the instance-level management and control unit, distribute the cloud instance indicated by an effect-taking object of the instance-level management and control unit to the instance-level management and control unit;
  based on the network management and control unit including the subnet-level management and control unit, distribute the cloud instance included in the subnet indicated by an effect-taking object of the subnet-level management and control unit to the subnet-level management and control unit; and
  based on the network management and control unit including the private network-level management and control unit, distribute the cloud instance in the private network indicated by an effect-taking object of the private network-level management and control unit to the private network-level management and control unit.
- 19. A non-transitory computer-readable storage medium storing instructions which when executed by a processor cause the processor to perform:
  receiving configuration data that includes at least one access control policy for a network asset of a target cloud tenant, the network asset including a private network, a subnet of the private network, and a cloud instance of the subnet;
  determining, according to the configuration data, a network management and control unit and an access control policy set corresponding to the network management and control unit, the network management and control unit including one or more of a private network-level management and control unit, a subnet-level management and control unit, and an instance-level management and control unit; and
  transmitting the access control policy set of the network management and control unit to the cloud instance that is associated with the network management and control unit to manage network traffic of the cloud instance.
- 20. A non-transitory computer-readable storage medium storing instructions which when executed by a processor cause the processor to perform:
  displaying a network asset of a cloud tenant on a network security management interface, the network security management interface including a configuration area, the network asset including a private network, a subnet of the private network, and a cloud instance of the subnet;
  receiving an access control configuration operation via the configuration area for the network asset;
  generating configuration data according to the access control configuration operation, the configuration data including an access control policy for the network asset of the cloud tenant; and
  transmitting the configuration data to a server, the configuration data indicating a management and control unit and a first access control policy set corresponding to the management and control unit, the management and control unit including one or more of a private network-level management and control unit, a subnet-level management and control unit, and an instance-level management and control unit.
Priority Claims (1)

| Number | Date | Country | Kind |
|---|---|---|---|
| 202110555000.8 | May 2021 | CN | national |

Continuations (1)

| | Number | Date | Country |
|---|---|---|---|
| Parent | PCT/CN2021/107139 | Jul 2021 | WO |
| Child | 18123622 | | US |