CN106161522A - Inter-virtual-machine communication method, network device and distributed network - Google Patents


Publication number: CN106161522A
Authority: CN (China)
Application number: CN201510154559.4A
Other languages: Chinese (zh)
Inventors: 刘建锋, 何伟
Current assignee: Huawei Technologies Co Ltd (Google notes that listed assignees may be inaccurate and that it has performed no legal analysis)
Original assignee: Huawei Technologies Co Ltd
Legal status: Pending (Google notes that the legal status and priority date are assumptions, not legal conclusions)
Related application: PCT/CN2016/077386 (published as WO2016155574A1)
Prior art keywords: packet, network equipment, safety, equipment, mentioned

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/40 Support for services or applications

Landscapes

  • Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the invention disclose an inter-virtual-machine communication method, a network device and a distributed network. The method is implemented as follows: when a packet is to be transmitted between a first network device and a second network device in a host, the transmission of the packet is interrupted and the packet is stored in shared memory shared with a security device in the host; a detection result for the packet returned by the security device is received; if the detection result is safe, the packet is sent to its destination, and if the detection result is dangerous, forwarding of the packet is refused. Because the security device is located in the host and the packet is handed over for security detection through shared memory, the packet does not have to travel over the network, which saves network bandwidth and improves the data transmission performance of the network.

Description

Inter-virtual-machine communication method, network device and distributed network
Technical field
The present invention relates to the field of communication technology, and in particular to an inter-virtual-machine communication method, a network device and a distributed network.
Background technology
In a cloud computing environment, a distributed virtual network is a distributed large layer-2 network. Virtual machines on the same host may belong to different distributed virtual networks, and virtual machines on different hosts may belong to the same distributed virtual network.
Because of this distributed nature, a series of functions that a gateway performs in a physical network must be implemented in a distributed fashion at the virtual switch level, which reduces traffic detours and increases network performance. Some simple functions, such as route lookup and network filtering, can be implemented inside the virtual switch. Some advanced security functions, such as attack protection, have to be provided by third-party capabilities; third-party enhanced security functions generally run in a security virtual machine.
To achieve secure communication between virtual machines, the stateful inspection firewall has been proposed. A stateful inspection firewall uses stateful packet filtering, which is a functional extension of traditional packet filtering. A stateful inspection firewall has an inspection engine at the network layer that intercepts packets and extracts information related to application-layer state, and decides on that basis whether to accept or refuse the connection. This technique provides a highly secure solution while having good adaptability and extensibility. A stateful inspection firewall usually also includes some proxy-level services, which provide additional support for specific application data content. Stateful inspection is also best suited to providing limited support for the User Datagram Protocol (UDP): it treats all UDP packets passing through the firewall as a virtual connection, and when a reply packet arrives the virtual connection is regarded as established.
In a distributed virtual network, nodes implementing the stateful inspection firewall function can be deployed to achieve security detection. One current approach is to deploy a virtualized security device on each server and connect it to every virtual machine through a transparent bridge. All packets sent and received by the virtual machines are forwarded through this security device, which performs network security detection on them. The advantage of this approach is that the security of traffic between virtual machines within a server's internal network can be checked, and the traffic does not have to travel back through a gateway, or through a virtualized security device on another server, so traffic is saved.
However, with this scheme all traffic passes through the security device, so the data throughput of the virtual machines is limited by the communication capacity of the security device's interfaces, which results in relatively low network data transmission performance.
Summary of the invention
Embodiments of the present invention provide an inter-virtual-machine communication method, a network device and a distributed network, for improving the data transmission performance in a network.
In a first aspect, an embodiment of the present invention provides an inter-virtual-machine communication method, including:
when a packet is to be transmitted between a first network device and a second network device in a host, interrupting the transmission of the packet, and storing the packet in shared memory shared with a security device in the host;
receiving a detection result for the packet returned by the security device; if the detection result is safe, sending the packet to its destination; if the detection result is dangerous, refusing to forward the packet.
With reference to the first aspect, in a first possible implementation, if the detection result is safe and the packet is a packet of a data flow, the method further includes:
after receiving subsequent packets of the data flow, sending those packets to the destination of the packet.
With reference to the first possible implementation of the first aspect, in a second possible implementation, the detection result being safe includes:
the data flow is a data flow contained in a whitelist, or the data flow is marked as a "flow pass" data flow.
With reference to the first aspect, in a third possible implementation, the host further includes a routing module; the first network device and the security device establish connections with the routing module through an application programming interface (API);
interrupting the transmission of the packet includes: interrupting the transmission of the packet through the routing module using the API.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation, the first network device and the second network device are virtual machines, the routing module is a virtual switch, and the security device is a virtual machine with security detection capability.
With reference to the third possible implementation of the first aspect, in a fifth possible implementation, the method further includes:
receiving security policy information from a cloud management server; if the security policy information specifies that the first network device requires security protection, establishing a communication connection between the first network device and the routing module using the API.
With reference to the first aspect or the first, second or third possible implementation of the first aspect, in a sixth possible implementation, storing the packet in the shared memory shared with the security device in the host includes:
after obtaining the packet, storing it at the tail of a single queue located in the shared memory, so that the security device detects the security of the packets in the single queue in order from head to tail.
With reference to the sixth possible implementation of the first aspect, in a seventh possible implementation, receiving the detection result for the packet returned by the security device includes: reading the detection result of the packet from the single queue;
and after the packet is sent to its destination, the method further includes:
deleting the packet from the single queue.
With reference to the seventh possible implementation of the first aspect, in an eighth possible implementation, refusing to forward the packet if the detection result is dangerous further includes:
if the detection result read from the single queue indicates that the packet is a threat packet, deleting the packet.
In a second aspect, an embodiment of the present invention provides a network device, where the network device and a first network device are located in a host; the network device includes:
an interrupt control unit, configured to interrupt the transmission of a packet when the packet is to be transmitted between the first network device and a second network device;
a data transfer unit, configured to store the packet in shared memory shared with a security device in the host;
a result acquisition unit, configured to receive the detection result for the packet returned by the security device;
a data processing unit, configured to send the packet to its destination if the detection result is safe, and to refuse to forward the packet if the detection result is dangerous.
With reference to the second aspect, in a first possible implementation, the first network device further includes:
a data forwarding unit, configured to, if the detection result is safe and the packet is a packet of a data flow, send subsequent packets of the data flow to the destination of the packet after they are received.
With reference to the first possible implementation of the second aspect, in a second possible implementation, the data processing unit is configured to send the packet to its destination if the data flow is a data flow contained in a whitelist, or the data flow is marked as a "flow pass" data flow.
With reference to the second aspect, in a third possible implementation, the host further includes a routing module; the first network device and the security device establish connections with the routing module through an application programming interface (API);
the interrupt control unit is specifically configured to interrupt the transmission of the packet through the routing module using the API.
With reference to the third possible implementation of the second aspect, in a fourth possible implementation, the first network device and the second network device are virtual machines, the routing module is a virtual switch, and the security device is a virtual machine with security detection capability.
With reference to the third possible implementation of the second aspect, in a fifth possible implementation, the first network device further includes:
an information receiving unit, configured to receive security policy information from a cloud management server;
a connection establishment unit, configured to, if the security policy information specifies that the first network device requires security protection, establish a communication connection between the interrupt control unit and the routing module using the API.
With reference to the second aspect or the first, second or third possible implementation of the second aspect, in a sixth possible implementation,
the data transfer unit is specifically configured to, after obtaining the packet, store it at the tail of a single queue located in the shared memory, so that the security device detects the security of the packets in the single queue in order from head to tail.
With reference to the sixth possible implementation of the second aspect, in a seventh possible implementation, the result acquisition unit includes:
a result reading unit, specifically configured to read the detection result of the packet from the single queue;
a deletion control unit, configured to delete the packet from the single queue after the data transfer unit has sent the packet to its destination.
With reference to the seventh possible implementation of the second aspect, in an eighth possible implementation,
the data processing unit is specifically configured to delete the packet if the detection result read from the single queue indicates that the packet is a threat packet.
In a third aspect, an embodiment of the present invention provides a distributed network, including a first network device, a second network device and a third network device connected in a communicable manner, where the third network device is the network device provided by any embodiment of the present invention, and the third network device, the first network device and a security device are located in the same host.
As can be seen from the above technical solutions, embodiments of the present invention have the following advantage: the security device is located in the host and packets are handed over for security detection through shared memory, so packets do not have to travel over the network, which saves network bandwidth and improves the data transmission performance of the network.
Description of the drawings
To explain the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of a method according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of an apparatus according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a virtual machine communication network architecture according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of a configuration management flow according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of a flow for setting a security policy for a virtual machine according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of a network traffic processing flow according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of the cooperation structure of security functions according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of a data flow transmission process according to an embodiment of the present invention;
Fig. 9 is a schematic diagram of a single queue structure according to an embodiment of the present invention;
Figs. 10 to 15 are schematic structural diagrams of network devices according to embodiments of the present invention.
Detailed description of the invention
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings. Obviously, the described embodiments are only some embodiments of the present invention rather than all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
An embodiment of the present invention provides an inter-virtual-machine communication method which, as shown in Fig. 1, includes:
101: when a packet is to be transmitted between a first network device and a second network device in a host, interrupting the transmission of the packet, and storing the packet in shared memory shared with a security device in the host;
In this embodiment "first" and "second" are used only to distinguish two different network devices; they carry no other technical meaning and should not be construed as any other limitation. The first network device and the second network device may be located in the same host or in different hosts; the embodiment of the present invention does not uniquely limit this. The first network device and the second network device may be physical network devices or virtual machines, set according to the application scenario; the embodiment of the present invention does not uniquely limit this either. Interrupting the transmission process of the packet may or may not involve an explicit interrupt instruction; in this embodiment it means that forwarding is stopped while the detection result of the packet is awaited, rather than the forwarding process being executed immediately, and the forwarding of subsequent packets can be understood as the resumption of packet transmission.
102: receiving the detection result for the packet returned by the security device; if the detection result is safe, sending the packet to its destination; if the detection result is dangerous, refusing to forward the packet.
In the embodiment of the present invention the security device is located in the host and packets are handed over for security detection through shared memory, so packets do not have to travel over the network, which saves network bandwidth and improves the data transmission performance of the network.
In this embodiment, refusing to forward a packet may mean simply not forwarding it, or deleting it directly; the specific implementation is not restricted by the embodiment of the present invention.
The preceding embodiment mainly concerns the detection and handling of a single packet. For some packets, the subsequent packets that follow the first detected packet are correlated with it, so they would be detected again, as with the packets of a data flow. To reduce unnecessary security detection, reduce the amount of data processing and improve system efficiency, the embodiment of the present invention further provides the following solution: if the detection result is safe and the packet is a packet of a data flow, the method further includes: after receiving subsequent packets of the data flow, sending those packets to the destination of the packet.
There are many ways to perform security detection, and different detection algorithms may be followed. For the data flow implementation in the preceding embodiment, the case where the detection result is safe may be: the detection result being safe includes the data flow being a data flow contained in a whitelist, or the data flow being marked as a "flow pass" data flow.
For data flows contained in the whitelist and data flows marked as "flow pass", when the initial packet of the data flow arrives there is no record yet, so the security detection step is still performed; correspondingly, after security detection has been performed, there is a step of recording the whitelist entry or marking the flow as "flow pass". "Flow pass" is identification information indicating that the result of security detection is safe.
In this embodiment the first network device, the second network device, the security device and so on may have different distributed architectures as required. The most common one is given here as an illustration, as follows: the host further includes a routing module; the first network device and the security device establish connections with the routing module through an application programming interface (Application Program Interface, API);
interrupting the transmission of the packet includes: interrupting the transmission of the packet through the routing module using the API.
The above embodiment gives the connection mode between the security device and the first network device on one side and the routing module on the other, and the implementation of interrupt control. It can be used as a preferred implementation of the embodiment of the present invention.
The first network device, the second network device and similar devices in the embodiment of the present invention may be physical devices, or may be applied in a virtual communication network, so the embodiment of the present invention also provides the following scheme: the first network device and the second network device are virtual machines, the routing module is a virtual switch, and the security device is a virtual machine with security detection capability.
This embodiment additionally provides a flexible control scheme for whether the security protection function is enabled, as follows: the method further includes:
receiving security policy information from a cloud management server; if the security policy information specifies that the first network device requires security protection, establishing a communication connection between the first network device and the routing module using the API.
The cloud management server can collect the attributes of the network devices in each host. Taking virtual machines as the network devices, the host provides the hardware foundation of the virtual machines, and the cloud management server can collect the attribute information of each virtual machine, for example the user of the virtual machine (an ordinary user, an important user, and so on) and the purpose of the virtual machine (a client, a server, and so on). Different virtual machines may have different security requirements depending on their attributes, so virtual machines with higher security requirements can be determined, according to predefined rules, to be virtual machines that need security protection. The collection of these attributes can be done by the cloud management server, and the determination of which virtual machines need security protection can be done by a security management device or by the cloud management server; the security management device may also be integrated in the cloud management server.
This embodiment additionally provides a specific implementation of transmitting packets through shared memory: storing the packet in the shared memory shared with the security device in the host includes:
after obtaining the packet, storing it at the tail of a single queue located in the shared memory, so that the security device detects the security of the packets in the single queue in order from head to tail.
The above scheme is implemented with a single ring queue, which makes it easy to guarantee data consistency and reduces the memory space occupied by packets during transmission.
Based on the above implementation using a single ring queue, the embodiment of the present invention further provides a scheme for reading detection results and maintaining the queue, as follows: receiving the detection result for the packet returned by the security device includes: reading the detection result of the packet from the single queue;
and after the packet is sent to its destination, the method further includes:
deleting the packet from the single queue.
Further, based on the detection-result reading implementation in the above embodiment, the embodiment of the present invention additionally provides a packet maintenance scheme, as follows: refusing to forward the packet if the detection result is dangerous further includes:
if the detection result read from the single queue indicates that the packet is a threat packet, deleting the packet.
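The single-queue handover described above (the routing module appends intercepted packets at the tail, the security device inspects from head to tail and writes a verdict, the routing module reads the verdict, forwards or drops, and deletes the packet from the queue) can be sketched as follows. This is an added example, not code from the patent or from Huawei: the class and function names, the `safe`/`danger`/`pending` verdict strings and the toy `inspect` rule are assumptions, and the sample packets are constructed.

```python
"""Simulation of the shared-memory single ring queue between a routing module
(virtual switch) and a security device (SVM). Names and verdict strings are
assumptions made for this example; the queue stands in for shared memory."""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

SAFE, DANGER, PENDING = "safe", "danger", "pending"


@dataclass
class Slot:
    packet: bytes = b""
    verdict: str = PENDING


class SharedRingQueue:
    """Fixed-capacity ring: head is the oldest packet still awaiting action."""

    def __init__(self, capacity: int) -> None:
        self.slots = [Slot() for _ in range(capacity)]
        self.head = 0   # oldest packet not yet forwarded/dropped
        self.tail = 0   # next free slot
        self.count = 0

    def enqueue(self, packet: bytes) -> bool:
        """Routing module side: store an intercepted packet at the tail."""
        if self.count == len(self.slots):
            return False  # queue full; caller must back-pressure the sender
        self.slots[self.tail] = Slot(packet, PENDING)
        self.tail = (self.tail + 1) % len(self.slots)
        self.count += 1
        return True

    def pending(self) -> Iterator[Slot]:
        """Security device side: walk head to tail, yielding slots without a verdict."""
        idx = self.head
        for _ in range(self.count):
            slot = self.slots[idx]
            if slot.verdict == PENDING:
                yield slot
            idx = (idx + 1) % len(self.slots)

    def pop_decided(self) -> Optional[Tuple[bytes, str]]:
        """Routing module side: take the head once its verdict exists (strict order)."""
        if self.count == 0:
            return None
        slot = self.slots[self.head]
        if slot.verdict == PENDING:
            return None  # head still under inspection; later slots must wait
        result = (slot.packet, slot.verdict)
        self.slots[self.head] = Slot()  # delete the packet from the queue
        self.head = (self.head + 1) % len(self.slots)
        self.count -= 1
        return result


def inspect(packet: bytes) -> str:
    # Constructed stand-in for the security device's detection logic.
    return DANGER if b"EVIL" in packet else SAFE


def security_device_pass(q: SharedRingQueue) -> int:
    """One sweep of the security device; returns how many packets it judged."""
    judged = 0
    for slot in q.pending():
        slot.verdict = inspect(slot.packet)  # verdict written back into the slot
        judged += 1
    return judged


def routing_module_drain(q: SharedRingQueue) -> Tuple[List[bytes], List[bytes]]:
    """Forward safe packets, drop dangerous ones, freeing each slot either way."""
    forwarded, dropped = [], []
    while (item := q.pop_decided()) is not None:
        packet, verdict = item
        (forwarded if verdict == SAFE else dropped).append(packet)
    return forwarded, dropped


def demo() -> Tuple[List[bytes], List[bytes], bool]:
    q = SharedRingQueue(capacity=4)
    # Constructed sample packets intercepted between two VMs on the same host.
    for pkt in (b"GET /index.html", b"EVIL payload", b"PING", b"DATA"):
        q.enqueue(pkt)
    full_rejected = not q.enqueue(b"overflow")  # fifth packet does not fit
    security_device_pass(q)
    forwarded, dropped = routing_module_drain(q)
    return forwarded, dropped, full_rejected


if __name__ == "__main__":
    print(demo())
```

Because `pop_decided` only ever releases the head, a slow verdict on one packet holds back the packets behind it; that is the price of the in-order guarantee the single queue provides, and the full-queue return value is where a real implementation would apply back-pressure to the sending VM.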
Based on the above embodiments, an embodiment of the present invention further provides a distributed security architecture whose main application scenario is virtual machines. In this architecture the cloud platform filters and classifies packets, passes the packets that need detection together with their classification result to a third-party security device, and the third-party security device performs deep security detection on the network data. The result is then returned to the cloud platform, and the cloud platform takes the corresponding action according to the result. In the following embodiments the distributed architecture is described in detail in five parts: 1. module structure; 2. virtual machine communication network architecture; 3. workflow; 4. cooperation between enhanced security functions and basic network security functions; 5. data flow transmission. The details are as follows.
1. Module structure:
As shown in Fig. 2, a deep security detection virtual machine is deployed on each virtualized server; in Fig. 2 it is the Security Virtual Machine (SVM) drawn with thick lines. The Cloud Manager (CM) server maintains the configuration policy of the virtual machines that need protection and, through the Security Manager (SM) device, distributes the policy to the SVM on the server where the virtual machine resides.
2. Virtual machine communication network architecture:
As shown in Fig. 3, which can be read together with Fig. 2, virtual machines are connected to the virtual switch (VSwitch) through virtual network interfaces, and the Security Virtual Machine (SVM) is connected to the virtual switch through an Application Program Interface (API).
3. Workflow:
(1) Configuration management flow, as shown in Fig. 4:
401: the security management device obtains the virtual machine list from the cloud management server;
402: the security management device enables protection for a virtual machine and at the same time notifies the Security Virtual Machine (SVM) on the same host as that virtual machine to enable its protection function;
403: the API connection between the virtual machine and the security virtual machine is established through the API server. This step may be completed before step 401 or step 402.
(2) Setting a security policy for a virtual machine, as shown in Fig. 5:
501: the Virtual Machine Monitor (VMM) issues the security policy, through the API server in the host, to the SVM on the same host as the virtual machine.
The VMM may contain a Virtual Switch (VS); the VS is connected to each Virtual Machine (VM) and to the SVM through the API interface.
502: when a virtual machine migrates, the SVM on the new host receives the virtual machine event and obtains the security policy from the security management device.
503: the SVM decides, according to the security policy of the virtual machine, whether to enable the protection function for it. If required, the SVM calls the API interface to enable the protection function.
(3) Network traffic processing, as shown in Fig. 6:
601: when protected virtual machine 1 sends traffic to virtual machine 2, or receives traffic, the security API server interrupts the processing of the data flow;
602: the data flow is then passed to the SVM through shared memory, and the result is awaited;
603: the SVM performs security detection and returns the detection result;
604: the security API service module drops or continues transmitting the data flow according to the result. Fig. 6 shows the flow for the case where the detection result is safe and the data is forwarded; in the drop case the forwarding step shown in Fig. 6 is not performed.
4, the cooperation between enhanced security feature and basic network security function, as shown in Figure 7:
Mainly comprise two parts, SVM and VMM;Wherein, comprise in SVM side: DPI/IPS, Safety (Security) API;Comprise in VMM side: TSM Security Agent (Security Agent) and Virtual switch/basic network safety;
Using api interface to dock between VMM and SVM, advantage is after SVM processes, return It it is result.For legacy network forwarding unit converting flow, take less network bandwidth. Additionally can return more result, allow the follow-up flow that need not degree of depth inspection be no longer transmitted to SVM, The most both decreased and network had been taken, also mitigated the processing pressure of SVM.
The result the SVM returns to the VMM may be one of:
Pass: Pass;
Block: Block;
Stream pass: PassContinious;
Stream block: BlockContinious;
White list: WhiteList;
Black list: BlackList.
Here, stream pass / stream block means that subsequent packets of the current data stream need not be checked again and are let through (or blocked) directly; when data has passed security detection with a "safe" result, the stream can be marked as passing. For example, once an access stream is confirmed to be trusted, or to be traffic that must be refused, its subsequent traffic no longer needs to be forwarded to the SVM.
White list / black list means that if the traffic belongs to a certain white list or black list, it can be let through or blocked directly.
5. Data stream transmission, as shown in Figure 8, including:
801: Virtual machine 1 has traffic destined for virtual machine 2; the traffic reaches the security virtual machine through the API service end;
802: The security virtual machine determines that virtual machine 1 is a virtual machine that needs protection and that there is no corresponding record for this traffic; it then detects the packets of the traffic to determine whether they are safe, and sends the detection result to the API service end;
803: According to the detection result, the API service end determines whether the traffic may be forwarded to virtual machine 2; if so, it forwards it, otherwise it deletes the corresponding packets. It also needs to record the corresponding information for this traffic, for example: stream pass / stream block, white list / black list;
804: Subsequent packets of the above traffic reach the API service end, which first decides according to the recorded information, for example whether the traffic belongs to a recorded stream pass / stream block or white list / black list. The traffic thus obtains the corresponding result, and the service end decides accordingly whether to forward it, otherwise deleting the corresponding packets.
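The API-service-side decision that steps 801 to 804 describe, combined with the result types listed above, as an added example that is not part of the patent: a stub detector stands in for the SVM's detection across shared memory, and the flow key, the Packet fields, the protected-VM set and the detector's rules are all constructed for this example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Result(Enum):
    """Results the SVM can return to the VMM (names and spelling as in the text)."""
    PASS = "Pass"                          # this packet only
    BLOCK = "Block"                        # this packet only
    PASS_CONTINUOUS = "PassContinious"     # rest of this stream: forward, no re-check
    BLOCK_CONTINUOUS = "BlockContinious"   # rest of this stream: drop, no re-check
    WHITE_LIST = "WhiteList"               # stream is on a white list: forward
    BLACK_LIST = "BlackList"               # stream is on a black list: drop


FORWARD = {Result.PASS, Result.PASS_CONTINUOUS, Result.WHITE_LIST}
# Only stream-level results are recorded (step 803); Pass/Block cover one packet.
RECORDED = {Result.PASS_CONTINUOUS, Result.BLOCK_CONTINUOUS,
            Result.WHITE_LIST, Result.BLACK_LIST}

FlowKey = Tuple[str, str, str, int, int]   # assumed 5-tuple identifying a stream


@dataclass(frozen=True)
class Packet:
    """Constructed packet model; the fields are assumptions for the example."""
    src_vm: str
    dst_vm: str
    proto: str
    sport: int
    dport: int
    payload: bytes

    def flow_key(self) -> FlowKey:
        return (self.src_vm, self.dst_vm, self.proto, self.sport, self.dport)


@dataclass
class ApiService:
    """Security API service end in the VMM, on the virtual-switch side."""
    svm_detect: Callable[[Packet], Result]  # stands in for the shared-memory round trip
    protected: Set[str]                     # VMs whose protection the policy enabled
    records: Dict[FlowKey, Result] = field(default_factory=dict)
    sent_to_svm: int = 0                    # packets that actually needed the SVM

    def handle(self, pkt: Packet) -> bool:
        """True: forward the packet to its destination; False: drop it."""
        # 601: only traffic sent or received by a protected VM is interrupted.
        if pkt.src_vm not in self.protected and pkt.dst_vm not in self.protected:
            return True
        key = pkt.flow_key()
        # 804: a recorded stream is decided from the record, no SVM round trip.
        if key in self.records:
            return self.records[key] in FORWARD
        # 802: an unrecorded stream is handed to the SVM for detection.
        self.sent_to_svm += 1
        result = self.svm_detect(pkt)
        # 803: keep stream-level results so later packets of the stream skip detection.
        if result in RECORDED:
            self.records[key] = result
        return result in FORWARD


def demo_detector(pkt: Packet) -> Result:
    """Constructed stand-in for the SVM's DPI/IPS; these rules are not real detection."""
    if b"EVIL" in pkt.payload:
        return Result.BLOCK_CONTINUOUS   # stream judged malicious: block the rest of it
    if pkt.proto == "tcp" and pkt.dport == 443:
        return Result.PASS_CONTINUOUS    # opaque TLS payload: no value in further DPI
    if pkt.dport == 53:
        return Result.WHITE_LIST         # constructed white-list entry
    return Result.PASS                   # every further packet still gets inspected


def run_demo() -> Tuple[List[bool], int]:
    """Replay constructed traffic; return per-packet decisions and the SVM load."""
    svc = ApiService(svm_detect=demo_detector, protected={"vm1"})
    traffic = [
        Packet("vm1", "vm2", "tcp", 40001, 443, b"ClientHello"),  # SVM -> PassContinious
        Packet("vm1", "vm2", "tcp", 40001, 443, b"AppData"),      # record -> forward
        Packet("vm1", "vm2", "tcp", 40002, 8080, b"EVIL"),        # SVM -> BlockContinious
        Packet("vm1", "vm2", "tcp", 40002, 8080, b"more"),        # record -> drop
        Packet("vm1", "vm2", "udp", 5353, 53, b"query"),          # SVM -> WhiteList
        Packet("vm1", "vm2", "udp", 5353, 53, b"query2"),         # record -> forward
        Packet("vm1", "vm2", "tcp", 40003, 80, b"GET /"),         # SVM -> Pass (not recorded)
        Packet("vm1", "vm2", "tcp", 40003, 80, b"GET /a"),        # SVM again -> Pass
        Packet("vm3", "vm4", "tcp", 40004, 80, b"x"),             # unprotected: no SVM
    ]
    decisions = [svc.handle(p) for p in traffic]
    return decisions, svc.sent_to_svm
```

Of the nine constructed packets only five reach the SVM; the rest are decided from the per-stream record or skip interception because neither VM is protected.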
In the above embodiment, the SVM obtains the traffic to be detected through the API and returns the result through the API. This communication mode differs greatly from that of a network forwarding device. The scheme of this embodiment is characterized by processing packets in sequence and returning results in order rather than forwarding the packets, so a single queue can be used for communication.
In the above embodiment, the API service end may place the traffic to be detected into the queue at its tail in order of arrival; the SVM takes the traffic to be detected from the head of the queue, detects it, and sets the detection result at the corresponding position in the queue; the API service end starts processing from the position where a detection result is present, and performs the processing related to that packet according to the detection result.
As shown in Figure 9, the queue may have three pointers that move along the queue as packets are processed. The virtual switch puts the traffic to be detected into shared memory and the "tail pointer" advances (counterclockwise in the figure); the SVM is notified to process it. The SVM processes the content at the "head pointer" and, after processing, notifies the virtual switch of the result. The virtual switch reads the content at the "result pointer": traffic that passed continues to be forwarded, and traffic that did not pass is dropped.
A network forwarding device generally has at least two queues (a double queue): a receive queue and a send queue. Compared with a double queue, single-queue processing is simpler and consistency is easier to ensure. In this embodiment, the virtual switch continuously places packets in the queue and moves the tail pointer backward; the SVM continuously takes packets from the queue for detection and moves the head pointer; and the virtual switch continuously obtains results at the result pointer of the queue and forwards or drops the cached packets.
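The single queue with the three pointers of Figure 9 (tail, head, result), as an added example that is not from the patent: the virtual switch is the only writer of the tail and result pointers and the SVM the only writer of the head pointer, so neither side ever overwrites a slot the other is using. The slot layout, the verdict codes and the run_pipeline driver are assumptions made for this example.

```python
from typing import Callable, List, Optional, Tuple

PENDING, SAFE, THREAT = 0, 1, 2   # verdict codes stored in a slot (assumed)


class SingleRingQueue:
    """Single ring queue in a shared buffer, shared by the virtual switch and the SVM."""

    def __init__(self, slots: int) -> None:
        self.n = slots
        self.pkt: List[Optional[bytes]] = [None] * slots   # packet copy per slot
        self.res: List[int] = [PENDING] * slots            # verdict per slot
        # Monotonic counters; the slot index is counter % n.
        # Invariant: result <= head <= tail <= result + n
        self.tail = 0    # next free slot, advanced by the virtual switch
        self.head = 0    # next slot the SVM inspects, advanced by the SVM
        self.result = 0  # next slot whose verdict the switch consumes

    # --- virtual switch side -------------------------------------------
    def vs_put(self, packet: bytes) -> bool:
        """Copy a packet into the tail slot (step 602). False when the queue is full."""
        if self.tail - self.result == self.n:
            return False          # no free slot: apply back-pressure, never overwrite
        i = self.tail % self.n
        self.pkt[i] = packet
        self.res[i] = PENDING
        self.tail += 1            # publish only after the slot has been filled
        return True

    def vs_collect(self) -> Optional[Tuple[bytes, int]]:
        """Read the next finished verdict (step 604). None while the SVM is still busy."""
        if self.result == self.head:
            return None
        i = self.result % self.n
        item = (self.pkt[i], self.res[i])
        self.pkt[i] = None        # delete the packet from the queue once decided
        self.result += 1          # frees the slot for vs_put
        return item

    # --- SVM side --------------------------------------------------------
    def svm_process_one(self, detect: Callable[[bytes], bool]) -> bool:
        """Inspect the head packet and write its verdict (step 603). False if empty."""
        if self.head == self.tail:
            return False
        i = self.head % self.n
        self.res[i] = SAFE if detect(self.pkt[i]) else THREAT
        self.head += 1            # publish the verdict by advancing the head
        return True

    def depth(self) -> Tuple[int, int]:
        """(packets awaiting the SVM, verdicts awaiting the virtual switch)."""
        return self.tail - self.head, self.head - self.result


def run_pipeline(packets: List[bytes], detect: Callable[[bytes], bool],
                 slots: int = 4) -> Tuple[List[bytes], List[bytes]]:
    """Drive both sides in lockstep; return (forwarded, dropped) in arrival order."""
    q = SingleRingQueue(slots)
    forwarded: List[bytes] = []
    dropped: List[bytes] = []
    pending = list(packets)
    while pending or q.depth() != (0, 0):
        if pending and q.vs_put(pending[0]):   # a full queue simply stalls the switch
            pending.pop(0)
        q.svm_process_one(detect)
        item = q.vs_collect()
        if item is not None:
            (forwarded if item[1] == SAFE else dropped).append(item[0])
    return forwarded, dropped
```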
Using the scheme of the embodiment of the present invention has at least the following beneficial effects:
One, distributed network security protection is achieved: the protection point is closer to the protected object and the granularity is finer. The delimitation of security domains is no longer bound by the network, which is convenient.
Two, by extending the definition of the detection results exchanged between the virtual switch and the advanced network security function module, the basic network filtering function of the virtual switch and the advanced network security module can cooperate, and not all traffic needs to be sent to the advanced network security function module.
Three, a single ring queue based on shared memory between the virtual switch and the SVM ensures consistency more easily than a double ring queue and occupies less memory.
The embodiment of the present invention further provides a network device, as shown in Figure 10; the above network device and a first network device are located in a host. The above network device includes:
an interrupt control unit 1001, for interrupting the transmission of a packet when there is packet transmission between the above first network device and a second network device;
a data transfer unit 1002, for storing the above packet in the shared memory between the network device and the security device in the above host;
a result acquiring unit 1003, for receiving the detection result of the above packet returned by the above security device;
a data processing unit 1004, for sending the above packet to its destination if the above detection result is "safe", and refusing to forward the above packet if the above detection result is "dangerous".
Further, as shown in Figure 11, the above first network device also includes:
a data forwarding unit 1101, for, if the above detection result is "safe" and the above packet is a packet of a data stream, sending a subsequent packet of the above data stream to the destination of the above packet after that subsequent packet is received.
Optionally, the above data processing unit 1004 is configured to send the above packet to its destination if the above data stream is a data stream contained in a white list, or the above data stream is marked as a stream-pass data stream.
Optionally, the above host also includes a routing module; the above first network device and the above security device establish connections with the above routing module through an application programming interface (API);
the above interrupt control unit 1001 is specifically configured to interrupt the transmission of the above packet through the above routing module using the above API.
Optionally, the above first network device and second network device are virtual machines, the above routing module is a virtual switch, and the above security device is a virtual machine with security detection capability.
Further, as shown in Figure 12, the above first network device also includes:
an information receiving unit 1201, for receiving security policy information from a cloud management server;
a connection establishment unit 1202, for establishing, through the API, a communication connection between the above interrupt control unit 1001 and the above routing module if the above security policy information specifies that the above first network device needs security protection.
Optionally, the above data transfer unit 1002 is specifically configured to, after obtaining the above packet, store the above packet at the tail of a single queue located in shared memory, so that the above security device detects the safety of the packets in the above single queue in turn from the head of the queue toward the tail.
Optionally, as shown in Figure 13, the above result acquiring unit 1003 includes:
a result reading unit 1301, specifically for reading the detection result of the above packet from the above single queue;
a deletion control unit 1302, for deleting the above packet from the above single queue after the above data transfer unit 1002 has sent the above packet to its destination.
Optionally, the above data processing unit 1004 is specifically configured to delete the above packet if the detection result of the above packet read from the above single queue indicates that the above packet is a threat packet.
The embodiment of the present invention further provides a distributed network, as shown in Figure 14, including a first network device 1401, a second network device 1402 and a third network device 1403 connected in a communicable manner; the above third network device 1403 is any one of the network devices provided by the embodiment of the present invention, and the above third network device 1403, the above first network device 1401 and the security device are located in the same host.
The first network device 1401 has a packet to send to the second network device 1402. The packet of the first network device 1401 is first sent to the third network device 1403; the third network device 1403 determines whether to store the received packet in the shared memory between itself and the security device, the security device then performs security detection on the packet, and finally the third network device 1403 decides, according to the security detection result, whether to forward the packet to the above second network device. For the specific process, refer to the method flow of the previous embodiments; for the structure of the third network device 1403, refer to the structure of the network device provided in the previous embodiments, which is not repeated here.
In the embodiment of the present invention, the security device is arranged in the host and packet security detection is performed through shared memory; packets need not be delivered over the network, so network bandwidth is saved and the data transmission performance of the network is improved.
The embodiment of the present invention further provides another network device, as shown in Figure 15; the above network device and the first network device are located in a host. The above network device includes a receiver 1501, a transmitter 1502, a processor 1503 and a memory 1504, where the memory 1504 can provide the processor 1503 with the cache required during data processing and can also provide the shared memory space.
The above processor 1503 is configured to: when there is packet transmission between the first network device and the second network device in the host, interrupt the transmission of the above packet and pass the above packet to the security device in the above host through shared memory; receive the detection result of the above packet returned by the above security device; send the above packet to its destination if the above detection result is "safe"; and refuse to forward the above packet if the above detection result is "dangerous".
In this embodiment, "first" and "second" are used merely to distinguish two different network devices; they carry no other meaning and should not be construed as any other limitation. The first network device and the second network device may be located in the same host or in different hosts; the embodiment of the present invention does not uniquely limit this.
The previous embodiments mainly concern the detection and handling of packets. Some packets that follow a packet that has already been detected are related to it and therefore need not be detected again, for example the packets of a data stream. To reduce unnecessary security detection, reduce the amount of data processing and improve system efficiency, the embodiment of the present invention further provides the following solution: the above processor 1503 is further configured to, if the above detection result is "safe" and the above packet is a packet of a data stream, send a subsequent packet of the above data stream to the destination of the above packet after that subsequent packet is received.
There are many ways of performing security detection, and different detection algorithms may be followed. Based on the data stream implementation of the previous embodiment, the case in which the detection result is "safe" may be as follows: the above processor 1503 determines that the above detection result is "safe" if the above data stream is a data stream contained in a white list, or the above data stream is marked as a stream-pass data stream.
For a data stream contained in a white list or marked as stream-pass, there is no record yet when the initial packet of the data stream is sent, so the security detection step is still performed; correspondingly, after security detection has been performed, there is a step of recording the white list entry or marking the stream as passed.
In this embodiment, the first network device, the second network device, the security device and so on may have different distributed architectures as required; this embodiment gives the most common illustration, specifically as follows: the above host also includes a routing module; the above first network device and the above security device establish connections with the above routing module through an application programming interface (Application Program Interface, API);
the above processor 1503 interrupting the transmission of the above packet includes: interrupting the transmission of the above packet through the above routing module using the above API.
The above embodiment gives the connection mode between the security device, the first network device and the routing module, and the implementation of interrupt control; it can be used as a preferred implementation of the embodiment of the present invention.
The first network device, the second network device and the other devices in the embodiment of the present invention may each be physical devices, and may also be applied in a virtual communication network; the embodiment of the present invention therefore provides the following scheme: the above first network device and second network device are virtual machines, the above routing module is a virtual switch, and the above security device is a virtual machine with security detection capability.
This embodiment further provides a flexible control scheme for deciding whether the security protection function needs to be started, specifically as follows: the above processor 1503 is further configured to receive security policy information from a cloud management server and, if the above security policy information specifies that the above first network device needs security protection, to establish a communication connection between the above first network device and the above routing module through the API.
This embodiment further provides a specific implementation of transmitting packets through shared memory: the above processor 1503 storing the above packet in the shared memory between the network device and the security device in the above host includes: after obtaining the above packet, storing the above packet at the tail of a single queue located in shared memory, so that the above security device detects the safety of the packets in the above single queue in turn from the head of the queue toward the tail.
The above scheme is implemented on the basis of a single ring queue, which makes data consistency easy to ensure and reduces the memory occupied by packets during transmission.
Based on the above single-ring-queue implementation, the embodiment of the present invention further provides a scheme for reading and maintaining detection results, specifically as follows: the above processor 1503 receiving the detection result of the above packet returned by the above security device includes: reading the detection result of the above packet from the above single queue;
the above processor 1503 is further configured to delete the above packet from the above single queue after sending the above packet to its destination.
Further, based on the detection-result reading implementation of the above embodiment, the embodiment of the present invention further provides a scheme for maintaining packets, specifically as follows: the above processor 1503 is further configured to delete the above packet if the detection result of the above packet read from the above single queue indicates that the above packet is a threat packet.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division of the above units is only a division by logical function, and other divisions are possible in actual implementation; for instance, multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the scheme of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, may each exist physically alone, or two or more units may be integrated in one unit. The above integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the above integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical scheme of the present invention, or the part of it that contributes to the prior art, or all or part of the technical scheme, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods of the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash disk, a portable hard drive, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
Finally, the above embodiments are only intended to illustrate the technical scheme of the present invention and not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical schemes described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical scheme to depart from the spirit and scope of the technical schemes of the embodiments of the present invention.

Claims (19)

1. A communication method between network devices, characterized by including:
when there is packet transmission between a first network device and a second network device in a host, interrupting the transmission of the packet and storing the packet in shared memory between the network device and a security device in the host;
receiving a detection result of the packet returned by the security device; if the detection result is "safe", sending the packet to the destination of the packet; if the detection result is "dangerous", refusing to forward the packet.
2. The method according to claim 1, characterized in that, if the detection result is "safe" and the packet is a packet of a data stream, the method also includes:
after receiving a subsequent packet of the data stream, sending the packet to the destination of the packet.
3. The method according to claim 2, characterized in that the detection result being "safe" includes:
the data stream being a data stream contained in a white list, or the data stream being marked as a stream-pass data stream.
4. The method according to claim 1, characterized in that the host also includes a routing module; the first network device and the security device establish connections with the routing module through an application programming interface (API);
the interrupting of the transmission of the packet includes: interrupting the transmission of the packet through the routing module using the API.
5. The method according to claim 4, characterized in that the first network device and the second network device are virtual machines, the routing module is a virtual switch, and the security device is a virtual machine with security detection capability.
6. The method according to claim 4, characterized in that the method also includes:
receiving security policy information from a cloud management server; if the security policy information specifies that the first network device needs security protection, establishing a communication connection between the first network device and the routing module through the API.
7. The method according to any one of claims 1 to 4, characterized in that the storing of the packet in the shared memory between the network device and the security device in the host includes:
after obtaining the packet, storing the packet at the tail of a single queue located in shared memory, so that the security device detects the safety of the packets in the single queue in turn from the head of the queue toward the tail.
8. The method according to claim 7, characterized in that the receiving of the detection result of the packet returned by the security device includes: reading the detection result of the packet from the single queue;
and, after sending the packet to the destination of the packet, the method also includes:
deleting the packet from the single queue.
9. The method according to claim 8, characterized in that, if the detection result is "dangerous", refusing to forward the packet also includes:
if the detection result of the packet read from the single queue indicates that the packet is a threat packet, deleting the packet.
10. A network device, characterized in that the network device and a first network device are located in a host; the network device includes:
an interrupt control unit, for interrupting the transmission of a packet when there is packet transmission between the first network device and a second network device;
a data transfer unit, for storing the packet in shared memory between the network device and a security device in the host;
a result acquiring unit, for receiving a detection result of the packet returned by the security device;
a data processing unit, for sending the packet to the destination of the packet if the detection result is "safe", and refusing to forward the packet if the detection result is "dangerous".
11. The network device according to claim 10, characterized in that the first network device also includes:
a data forwarding unit, for, if the detection result is "safe" and the packet is a packet of a data stream, sending the packet to the destination of the packet after receiving a subsequent packet of the data stream.
12. The network device according to claim 11, characterized in that
the data processing unit is configured to send the packet to the destination of the packet if the data stream is a data stream contained in a white list, or the data stream is marked as a stream-pass data stream.
13. The network device according to claim 10, characterized in that the host also includes a routing module; the first network device and the security device establish connections with the routing module through an application programming interface (API);
the interrupt control unit is specifically configured to interrupt the transmission of the packet through the routing module using the API.
14. The network device according to claim 13, characterized in that the first network device and the second network device are virtual machines, the routing module is a virtual switch, and the security device is a virtual machine with security detection capability.
15. The network device according to claim 13, characterized in that the first network device also includes:
an information receiving unit, for receiving security policy information from a cloud management server;
a connection establishment unit, for establishing a communication connection between the interrupt control unit and the routing module through the API if the security policy information specifies that the first network device needs security protection.
16. The network device according to any one of claims 10 to 13, characterized in that
the data transfer unit is specifically configured to, after obtaining the packet, store the packet at the tail of a single queue located in shared memory, so that the security device detects the safety of the packets in the single queue in turn from the head of the queue toward the tail.
17. The network device according to claim 16, characterized in that the result acquiring unit includes:
a result reading unit, specifically for reading the detection result of the packet from the single queue;
a deletion control unit, for deleting the packet from the single queue after the data transfer unit has sent the packet to the destination of the packet.
18. The network device according to claim 14, characterized in that
the data processing unit is specifically configured to delete the packet if the detection result of the packet read from the single queue indicates that the packet is a threat packet.
19. A distributed network, including a first network device, a second network device and a third network device connected in a communicable manner, characterized in that the third network device is the network device according to any one of claims 10 to 18, and the third network device, the first network device and the security device are located in the same host.
CN201510154559.4A 2015-04-02 2015-04-02 Method for communication between network devices, network device, and distributed network Pending CN106161522A (en)

Publications (1)

Publication Number Publication Date
CN106161522A true CN106161522A (en) 2016-11-23

Family

ID=57003903

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510154559.4A Pending CN106161522A (en) 2015-04-02 2015-04-02 The communication means of a kind of LA Management Room, the network equipment and distributed network

Country Status (2)

Country Link
CN (1) CN106161522A (en)
WO (1) WO2016155574A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109413001A (en) * 2017-08-15 2019-03-01 东软集团股份有限公司 The method and device of safeguard protection is carried out to the interaction data in cloud computing system
CN109672681A (en) * 2018-12-25 2019-04-23 上海点融信息科技有限责任公司 Intrusion detection method and invasion detecting device
CN110012033A (en) * 2019-05-05 2019-07-12 深信服科技股份有限公司 A kind of data transmission method, system and associated component
CN111953661A (en) * 2020-07-23 2020-11-17 深圳供电局有限公司 SDN-based east-west flow security protection method and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101800730A (en) * 2009-02-09 2010-08-11 国际商业机器公司 Safety enhanced virtual machine communication method and virtual machine system
CN101946466A (en) * 2007-12-21 2011-01-12 英特尔公司 Peer-to-peer streaming and API services for plural applications
CN102523215A (en) * 2011-12-15 2012-06-27 北京海云捷迅科技有限公司 Virtual machine (VM) online antivirus system based on KVM virtualization platform
US20130036470A1 (en) * 2011-08-03 2013-02-07 Zhu Minghang Cross-vm network filtering
US20130275964A1 (en) * 2008-06-03 2013-10-17 Jonathan L. Edwards System, method, and computer program product for scanning data utilizing one of a plurality of virtual machines of a device
CN103458003A (en) * 2013-08-15 2013-12-18 中电长城网际系统应用有限公司 Access control method and system of self-adaptation cloud computing environment virtual security domain

Patent Citations (6)

* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101946466A (en) * | 2007-12-21 | 2011-01-12 | Intel Corporation | Peer-to-peer streaming and API services for plural applications |
| US20130275964A1 (en) * | 2008-06-03 | 2013-10-17 | Jonathan L. Edwards | System, method, and computer program product for scanning data utilizing one of a plurality of virtual machines of a device |
| CN101800730A (en) * | 2009-02-09 | 2010-08-11 | International Business Machines Corporation | Security-enhanced virtual machine communication method and virtual machine system |
| US20130036470A1 (en) * | 2011-08-03 | 2013-02-07 | Zhu Minghang | Cross-VM network filtering |
| CN102523215A (en) * | 2011-12-15 | 2012-06-27 | Beijing Haiyun Jiexun Technology Co., Ltd. | Virtual machine (VM) online antivirus system based on KVM virtualization platform |
| CN103458003A (en) * | 2013-08-15 | 2013-12-18 | China Electronics Great Wall Internet System Application Co., Ltd. | Access control method and system for virtual security domains in an adaptive cloud computing environment |

Cited By (6)

* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109413001A (en) * | 2017-08-15 | 2019-03-01 | Neusoft Corporation | Method and device for security protection of interaction data in a cloud computing system |
| CN109413001B (en) * | 2017-08-15 | 2021-06-22 | Neusoft Corporation | Method and device for carrying out security protection on interactive data in cloud computing system |
| CN109672681A (en) * | 2018-12-25 | 2019-04-23 | Shanghai Dianrong Information Technology Co., Ltd. | Intrusion detection method and intrusion detection device |
| CN110012033A (en) * | 2019-05-05 | 2019-07-12 | Sangfor Technologies Inc. | Data transmission method, system and related components |
| CN110012033B (en) * | 2019-05-05 | 2022-03-22 | Sangfor Technologies Inc. | Data transmission method, system and related components |
| CN111953661A (en) * | 2020-07-23 | 2020-11-17 | Shenzhen Power Supply Bureau Co., Ltd. | SDN-based east-west traffic security protection method and system |

Also Published As

| Publication number | Publication date |
|---|---|
| WO2016155574A1 (en) | 2016-10-06 |

Similar Documents

| Publication | Title |
|---|---|
| CN104301184B (en) | Link health check method and device |
| CN102904729B (en) | Intelligent acceleration network card supporting multiple applications by protocol- and port-based traffic splitting |
| CN104301321B (en) | Method and system for implementing distributed network security protection |
| CN104272672B (en) | Providing services to virtual overlay network traffic |
| CN103414535B (en) | Data sending method, data receiving method and relevant devices |
| CN101582900B (en) | Firewall security policy configuration method and management unit |
| CN104954274B (en) | Method for generating forwarding information, controller and service delivery function |
| CN202261360U (en) | Device for testing robustness of router data path |
| CN107077340A (en) | Load balancing |
| US20100172257A1 (en) | Internet real-time deep packet inspection and control device and method |
| CN106161522A (en) | Communication method between virtual machines, network device and distributed network |
| CN104506548B (en) | Data packet redirection device, virtual machine security protection method and system |
| CN103067218B (en) | High-speed network packet content analysis device |
| CN104424438B (en) | Virus file detection method, device and network device |
| CN104009885B (en) | Covert-channel-based virtual machine co-residency detection method in a cloud environment |
| CN104361692B (en) | Transaction monitoring method, ATM front-end system and ATM transaction system |
| CN104660449B (en) | Method and apparatus for preventing multiple master devices after a stack split |
| CN106878343A (en) | System for providing network security as a service in a cloud computing environment |
| CN101483649A (en) | FPGA-based network security content processing card |
| CN106571978A (en) | Data packet capture method and data packet capture device |
| CN107547430A (en) | File sending method and device |
| CN106302322A (en) | Virtual machine data flow management method and system |
| CN106357726A (en) | Load balancing method and device |
| CN107948071A (en) | Message forwarding method and device |
| CN103607360B (en) | Message processing method, line card and switching equipment |

Legal Events

| Code | Title / Description |
|---|---|
| C06 | Publication |
| PB01 | Publication |
| C10 | Entry into substantive examination |
| SE01 | Entry into force of request for substantive examination |
| RJ01 | Rejection of invention patent application after publication |

Application publication date: 2016-11-23