云安全服务技术白皮书.pdf

H3C云安全服务技术白皮书 目 录 1 概述 ········································ 1 2 云安全架构与模型 ···································1 2.1 云数据中心安全访问控制需求 ······························1 2.2 云安全总体架构 ····································2 2.3 基于租户的安全隔离 ··································3 2.4 安全架构的两种模型 ··································4 3 嵌入式安全 ······································5 3.1 安全组ACL功能 ····································5 3.2 分布式状态防火墙功能 ·································6 4 云服务链 ·······································6 5 基于SDN和服务链的云安全组网方案 ···························8 5.1 VSR做网关的服务链方案 ································8 5.2 物理交换机做网关的服务链方案 ·····························9 5.3 服务链和第三方安全设备对接 ····························· 10 5.4 服务链支持东西向和南北向安全的总结 ························· 12 6 安全资源池化 ···································· 12 6.1 网络服务资源虚拟化和池化 ······························ 12 6.2 多资源池支持 ···································· 14 6.3 安全资源池之大规模租户技术 ····························· 15 6.3.1 硬件资源池支持大规模租户 ··························· 15 6.3.2 软件资源池支持大规模租户 ··························· 16 6.4 云安全微分段服务 ·································· 17 6.5 安全资源池之高可靠性技术 ······························ 17 7 多层次安全防护体系 ································· 18 7.1 异构设备组成的统一安全资源池 ···························· 18 7.2 多层次的安全体系 ·································· 19 8 安全功能通过云服务部署 ······························· 19 9 H3C云安全优势总结 ·································21 1 概述 云计算技术的发展，带来了新一轮的 IT 技术变革，但同时也给网络与业务带来巨大的挑战。网络服务 模式已经从传统的面向连接转向面向应用，传统的安全部署模式在管理性、伸缩性、业务快速升级 等方面已经无法跟上步伐，需要考虑建设灵活可靠，自动化快速部署和资源弹性可扩展的新安全防 护体系。 同时，按照云计算等保规范《信息系统安全等级保护 第二分册 云计算安全要求》草案 7.1.2 网络 安全章节的描述，对云网络安全也有下述要求：  保证云平台管理流量与云租户业务流量分离；  根据云租户的业务需求自定义安全访问路径；  在虚拟网络边界部署访问控制设备，并设置访问控制规则；  依据安全策略控制虚拟机间的访问。 H3C 充分探索了云安全的需求，引入基于