CN114615022A - Cloud internal flow traction method and device - Google Patents


Info

Publication number
CN114615022A
Authority
CN
China
Prior art keywords
virtual machine
traffic
filtering
flow
forwarding
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210146983.4A
Other languages
Chinese (zh)
Inventor
陶明威
蒋凯
冯顾
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Events
Application filed by Qianxin Technology Group Co Ltd and Secworld Information Technology Beijing Co Ltd; priority to CN202210146983.4A; published as CN114615022A; legal status: pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Security & Cryptography
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Data Exchanges In Wide-Area Networks

Abstract

Embodiments of the invention provide a method and device for pulling traffic inside a cloud. A security virtual machine is deployed in each physical machine of the cloud platform, and the method runs in that security virtual machine. It comprises: acquiring the traffic of virtual machines in the cloud platform that is mirrored to the mirror port of the security virtual machine; filtering the acquired traffic based on the MAC information of virtual machine network cards (NICs) in a forwarding and filtering policy, to obtain the target traffic to be forwarded; and forwarding the target traffic to analysis equipment outside the cloud platform based on a tunneling protocol. Because traffic is filtered and forwarded selectively at the granularity of a virtual machine NIC, the cloud platform no longer forwards an excessive volume of traffic to the external analysis equipment, which avoids occupying too much bandwidth, reduces the consumption of network resources, greatly reduces the share of worthless traffic in what is forwarded, and improves the resource utilisation of the external analysis equipment.

Description

Cloud internal flow traction method and device
Technical Field
The invention relates to the technical field of network security, and in particular to a method and device for pulling traffic inside a cloud (in-cloud traffic pulling).
Background
Cloud platforms, also called cloud computing platforms, are services built on hardware and software resources that provide computing, networking and storage capabilities. The traffic generated by communication between virtual machines inside a cloud platform is the traffic inside the cloud platform, also called intra-cloud traffic, east-west traffic or lateral traffic. To better understand the security posture inside the cloud platform, all intra-cloud traffic can currently be pulled to analysis equipment outside the cloud platform, where the security posture is then analysed. Traffic pulling here means forwarding the traffic according to a tunneling protocol.
Existing in-cloud traffic pulling methods generally forward all traffic in the cloud platform to the analysis equipment outside it; the traffic cannot be selectively filtered and forwarded. The large volume of forwarded traffic therefore occupies too much of the cloud platform's bandwidth and increases the consumption of network resources, and a large amount of worthless traffic is forwarded to the analysis equipment, which lowers its resource utilisation.
Disclosure of Invention
To address these problems in the prior art, embodiments of the invention provide an in-cloud traffic pulling method and an in-cloud traffic pulling device.
Specifically, embodiments of the invention provide the following technical solution:
In a first aspect, an embodiment of the invention provides an in-cloud traffic pulling method. A security virtual machine is deployed in each physical machine of a cloud platform, and the method is applied in the security virtual machine. The method includes:
acquiring the traffic of virtual machines in the cloud platform that is mirrored to the mirror port of the security virtual machine;
filtering the acquired traffic based on the MAC information of virtual machine network cards (NICs) in a forwarding and filtering policy, to obtain the target traffic to be forwarded;
and forwarding the obtained target traffic to an analysis device outside the cloud platform based on a tunneling protocol.
Further, filtering the acquired traffic based on the MAC information of the virtual machine NICs in the forwarding and filtering policy to obtain the target traffic to be forwarded includes:
judging whether the MAC address of the acquired traffic matches the MAC information of a virtual machine NIC in the forwarding and filtering policy, where the MAC address comprises the source MAC address and/or the destination MAC address;
and if the MAC address of the acquired traffic matches the MAC information of a virtual machine NIC in the forwarding and filtering policy, determining the corresponding traffic to be the target traffic to be forwarded.
Further, filtering the acquired traffic based on the MAC information of the virtual machine NICs in the forwarding and filtering policy to obtain the target traffic to be forwarded further includes:
filtering the obtained target traffic based on a filtering rule defined in the forwarding and filtering policy, and updating the target traffic to be forwarded accordingly.
Further, filtering the obtained target traffic based on a filtering rule defined in the forwarding and filtering policy and updating the target traffic to be forwarded includes:
judging whether the obtained target traffic matches a filtering rule defined in the forwarding and filtering policy;
and if the obtained target traffic matches the filtering rule defined in the forwarding and filtering policy, retaining the corresponding target traffic.
Further, the traffic that the security virtual machine acquires from the mirror port is the traffic of virtual machines in the cloud platform that are deployed in the same physical machine as the security virtual machine.
Further, before acquiring the traffic of the virtual machines in the cloud platform mirrored to the mirror port of the security virtual machine, the method further includes:
pulling the forwarding and filtering policy from a web server, where the forwarding and filtering policy is generated by the web server based on information about the virtual machines in the cloud platform.
Further, the information about the virtual machines in the cloud platform is obtained by the web server calling an application programming interface of the cloud platform.
In a second aspect, an embodiment of the invention further provides an in-cloud traffic pulling apparatus. A security virtual machine is deployed in each physical machine of a cloud platform, and the apparatus is applied in the security virtual machine. The apparatus includes:
a traffic acquisition module, configured to acquire the traffic of virtual machines in the cloud platform that is mirrored to the mirror port of the security virtual machine;
a first traffic filtering module, configured to filter the acquired traffic based on the MAC information of virtual machine NICs in the forwarding and filtering policy, to obtain the target traffic to be forwarded;
and a traffic forwarding module, configured to forward the obtained target traffic to the analysis device outside the cloud platform based on the tunneling protocol.
In a third aspect, an embodiment of the invention further provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the program, implements the steps of the in-cloud traffic pulling method of the first aspect.
In a fourth aspect, the invention further provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the in-cloud traffic pulling method of the first aspect.
In a fifth aspect, embodiments of the invention further provide a computer program product storing executable instructions which, when executed by a processor, cause the processor to implement the steps of the in-cloud traffic pulling method of the first aspect.
In the in-cloud traffic pulling method and device provided by embodiments of the invention, a security virtual machine is deployed in each physical machine of the cloud platform; the virtual machines in the cloud platform mirror their traffic to the mirror port of the security virtual machine, the security virtual machine filters the traffic acquired from the mirror port according to the MAC information of the virtual machine NICs, and the filtered traffic is forwarded to the analysis equipment outside the cloud platform. Because a MAC address uniquely identifies each NIC, the security virtual machine can selectively filter and forward traffic at the granularity of a virtual machine NIC. This avoids the cloud platform forwarding an excessive volume of traffic to the external analysis equipment and occupying too much bandwidth, reduces the consumption of network resources, greatly reduces the worthless traffic among what is forwarded, improves the resource utilisation of the external analysis equipment, lets the selectively forwarded traffic be determined according to user requirements, and achieves a first screening of traffic at the point of collection.
Drawings
To illustrate the embodiments of the invention or the prior-art technical solutions more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the invention; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of an in-cloud traffic pulling method according to an embodiment of the invention;
Fig. 2 is a schematic flow chart of an in-cloud traffic pulling method according to another embodiment of the invention;
Fig. 3 is a schematic flow chart of an in-cloud traffic pulling method according to another embodiment of the invention;
Fig. 4 is a schematic diagram of the system architecture of an application scenario of the in-cloud traffic pulling method according to an embodiment of the invention;
Fig. 5 is a schematic diagram of the interaction between the cloud platform and the web server of Fig. 4;
Fig. 6 is a schematic diagram of the cloud platform of Fig. 4 forwarding traffic to the external analysis device;
Fig. 7 is a schematic structural diagram of an in-cloud traffic pulling device according to an embodiment of the invention;
Fig. 8 is a schematic diagram of the physical structure of an electronic device according to an embodiment of the invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, but not all, of the embodiments of the invention. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the scope of protection of the invention.
The in-cloud traffic pulling method according to embodiments of the invention is described below with reference to Figs. 1 to 6.
Fig. 1 is a schematic flow chart of an in-cloud traffic pulling method according to an embodiment of the invention. The method shown in Fig. 1 may be executed by an in-cloud traffic pulling device. A security virtual machine may be deployed in each physical machine of the cloud platform, the in-cloud traffic pulling device may be applied in the security virtual machine, and an existing virtual machine deployment method may be used to deploy the security virtual machine in each physical machine. As shown in Fig. 1, the in-cloud traffic pulling method includes at least:
101. Acquire the traffic of virtual machines in the cloud platform that is mirrored to the mirror port of the security virtual machine.
In this embodiment, when communication between virtual machines in the cloud platform generates traffic, the traffic mirroring capability provided by the cloud platform can forward that traffic to the mirror port of the security virtual machine, which is a network card (NIC) of the security virtual machine; the mirror port thus receives the traffic generated by communication between virtual machines in the cloud platform. The cloud platform may be a private cloud or a public cloud; the embodiment does not limit the type or application field of the cloud platform. Optionally, the traffic mirroring capability of the cloud platform may continuously mirror the traffic generated by communication between virtual machines to the security virtual machine; the embodiment does not limit how that mirroring is implemented. After the mirror port of the security virtual machine receives the mirrored traffic, the security virtual machine can acquire it from the mirror port and process it further. In some optional examples, for the security virtual machine deployed in a given physical machine, the traffic received by its mirror port may be the traffic of the virtual machines deployed in that same physical machine.
102. Filter the acquired traffic based on the MAC information of virtual machine NICs in the forwarding and filtering policy, to obtain the target traffic to be forwarded.
In this embodiment, after acquiring the mirrored traffic from the mirror port, the security virtual machine filters it according to the MAC information of the virtual machine NICs in the forwarding and filtering policy and screens out the target traffic to be forwarded. The forwarding and filtering policy may be preset in the security virtual machine; the embodiment does not limit how this is done. Alternatively, the policy may be configured when the security virtual machine is deployed, or pulled from a web server after deployment. When the policy is pulled from a web server, it may be generated by the web server based on information about the virtual machines in the cloud platform. Optionally, the web server may obtain that information by calling an Application Programming Interface (API) of the cloud platform, or by receiving it from the cloud platform.
103. Forward the obtained target traffic to an analysis device outside the cloud platform based on a tunneling protocol.
In this embodiment, after filtering the traffic by the MAC information of the virtual machine NICs in the forwarding and filtering policy to obtain the target traffic, the security virtual machine may apply processing such as encapsulation and encryption to the target traffic according to the tunneling protocol and send it to the analysis device outside the cloud platform, which processes the traffic to generate traffic logs, threat analysis reports and the like. An existing tunneling protocol may be used; the embodiment does not limit its type. For example, the tunneling protocol may be a network protocol that implements point-to-point communication, such as Generic Routing Encapsulation (GRE) or Virtual Extensible LAN (VXLAN).
In the in-cloud traffic pulling method provided by this embodiment, a security virtual machine is deployed in each physical machine of the cloud platform; the virtual machines in the cloud platform mirror their traffic to the mirror port of the security virtual machine, the security virtual machine filters the traffic acquired from the mirror port according to the MAC information of the virtual machine NICs, and the filtered traffic is forwarded to the analysis equipment outside the cloud platform. Because a MAC address uniquely identifies each NIC, the security virtual machine can selectively filter and forward traffic at the granularity of a virtual machine NIC. This avoids the cloud platform forwarding an excessive volume of traffic to the external analysis equipment and occupying too much bandwidth, reduces the consumption of network resources, greatly reduces the worthless traffic among what is forwarded, improves the resource utilisation of the external analysis equipment, lets the selectively forwarded traffic be determined according to user requirements, and achieves a first screening of traffic at the point of collection.
Fig. 2 is a schematic flow chart of an in-cloud traffic pulling method according to another embodiment of the invention. As shown in Fig. 2, the method includes at least:
201. Acquire the traffic of virtual machines in the cloud platform that is mirrored to the mirror port of the security virtual machine.
In this embodiment, the description of 201 may refer to the description of 101 in Fig. 1 and is not repeated here.
202. Filter the acquired traffic based on the MAC information of virtual machine NICs in the forwarding and filtering policy, to obtain the target traffic to be forwarded.
The description of 202 may refer to the description of 102 in Fig. 1 and is not repeated here.
203. Filter the obtained target traffic based on a filtering rule defined in the forwarding and filtering policy, and update the target traffic to be forwarded.
In this embodiment, after obtaining the target traffic by filtering on the MAC information of the virtual machine NICs in the forwarding and filtering policy, the security virtual machine may further filter that target traffic according to the filtering rule defined in the policy, treat what remains as the target traffic to be forwarded, and forward it to the analysis device outside the cloud platform. The filtering rule can be defined according to the application scenario of the cloud platform; the embodiment does not limit its content.
204. Forward the obtained target traffic to the analysis device outside the cloud platform based on the tunneling protocol.
The description of 204 may refer to the description of 103 in Fig. 1 and is not repeated here.
Fig. 3 is a schematic flow chart of an in-cloud traffic pulling method according to another embodiment of the invention. As shown in Fig. 3, the method includes at least:
301. Acquire the traffic of virtual machines in the cloud platform that is mirrored to the mirror port of the security virtual machine.
The description of 301 may refer to the description of 101 in Fig. 1 and is not repeated here.
302. Judge whether the MAC address of the acquired traffic matches the MAC information of a virtual machine NIC in the forwarding and filtering policy.
If the MAC address of the acquired traffic matches the MAC information of a virtual machine NIC in the forwarding and filtering policy, execute 303; otherwise, discard the corresponding traffic.
303. Determine the corresponding traffic to be the target traffic to be forwarded.
In this embodiment, after acquiring the mirrored traffic from the mirror port, the security virtual machine compares the MAC address of the acquired traffic with the MAC information of the virtual machine NICs in the forwarding and filtering policy. If the MAC address matches, the corresponding traffic is determined to be the target traffic to be forwarded; if it does not match, the corresponding traffic is discarded.
The MAC address to be matched may be the source MAC address, the destination MAC address, or both. If the MAC information of the virtual machine NICs in the forwarding and filtering policy includes only source MAC addresses, the security virtual machine only needs to match the source MAC address of the acquired traffic against it. If it includes only destination MAC addresses, the security virtual machine only needs to match the destination MAC address. If it includes both source and destination MAC addresses, the security virtual machine matches both the source and the destination MAC address of the acquired traffic against the MAC information in the policy.
In other optional examples, the decision is inverted: after acquiring the mirrored traffic from the mirror port, the security virtual machine compares the MAC address of the acquired traffic with the MAC information of the virtual machine NICs in the forwarding and filtering policy, discards the corresponding traffic if the MAC address matches, and determines the corresponding traffic to be the target traffic to be forwarded if it does not match.
304. Judge whether the obtained target traffic matches the filtering rule defined in the forwarding and filtering policy.
If the obtained target traffic matches the filtering rule defined in the forwarding and filtering policy, execute 305; otherwise, discard the corresponding target traffic.
305. Retain the corresponding target traffic to be forwarded.
In this embodiment, after obtaining the target traffic by filtering on the MAC information of the virtual machine NICs in the forwarding and filtering policy, the security virtual machine matches the target traffic against the filtering rule defined in the policy. If the target traffic matches the filtering rule, it is retained; if it does not match, it is discarded.
In other optional examples, this decision is also inverted: if the obtained target traffic matches the filtering rule defined in the forwarding and filtering policy, it is discarded, and if it does not match, it is retained.
306. Forward the obtained target traffic to an analysis device outside the cloud platform based on the tunneling protocol.
The description of 306 may refer to the description of 103 in Fig. 1 and is not repeated here.
Fig. 4 is a schematic diagram of the system architecture of an application scenario of the in-cloud traffic pulling method according to an embodiment of the invention; Fig. 5 is a schematic diagram of the interaction between the cloud platform and the web server in Fig. 4; and Fig. 6 is a schematic diagram of the cloud platform in Fig. 4 forwarding traffic to the external analysis device. As shown in Figs. 4, 5 and 6, in this embodiment the system that implements in-cloud traffic pulling comprises a cloud platform, a web server and an analysis device. The web server calls an application programming interface (API) of the cloud platform to obtain information about the virtual machines in the cloud platform, and generates a fine-grained forwarding and filtering policy from that information. A security virtual machine is deployed in each physical machine of the cloud platform and pulls the fine-grained forwarding and filtering policy from the web server. The traffic mirroring capability provided by the cloud platform mirrors the traffic generated by communication between the virtual machines to the mirror port of the security virtual machine; the security virtual machine acquires the mirrored traffic from the mirror port, matches it against the fine-grained forwarding and filtering policy, and forwards the traffic that matches successfully to the analysis device outside the cloud platform according to a tunneling protocol.
The process by which the security virtual machine matches the acquired traffic against the fine-grained forwarding and filtering policy is as follows: the source and destination MAC addresses of the acquired traffic are matched against the MAC information in the policy; if the match succeeds, the traffic is regarded as traffic to be forwarded and is further matched against the filtering rule in the policy; traffic that matches successfully is forwarded to the analysis device outside the cloud platform according to the tunneling protocol; and if any step in between fails to match, the traffic is discarded.
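The two-stage pipeline described in steps 101 to 103, 201 to 204 and 301 to 306 and summarised above, written out as an added example (not the patent's or the applicants' code): a forwarding and filtering policy keyed on VM NIC MAC addresses with the match-then-forward and match-then-discard variants from the text, a destination-port filtering rule as the second stage, and VXLAN encapsulation (RFC 7348) of the surviving frames. All MAC addresses, the VNI and the frames are constructed sample values, and the "source and destination" case is read as requiring both addresses to match.

```python
"""Added example (not the patent's code): two-stage filtering of mirrored
east-west frames at VM-NIC (MAC) granularity, then VXLAN encapsulation
toward an external analysis device. MACs, VNI and frames are constructed."""
import struct
from dataclasses import dataclass

ETH_P_IP = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
VXLAN_FLAG_VNI_VALID = 0x08   # RFC 7348 "I" flag: the VNI field is valid

# Constructed VM NIC MACs standing in for the platform's virtual machines.
VM_A, VM_B, VM_C = "52:54:00:aa:00:01", "52:54:00:aa:00:02", "52:54:00:aa:00:03"


@dataclass(frozen=True)
class ForwardingFilterPolicy:
    """Forwarding and filtering policy as the text describes it.
    src_macs/dst_macs: VM-NIC MAC information; a frame is matched on whichever
    sets are non-empty, and on both when both are given (our reading of the
    "source and destination" case). mode "allow" forwards on a MAC hit
    (steps 302/303); "deny" drops on a hit, as in the alternative example.
    dports: the second-stage filtering rule; empty means keep everything."""
    src_macs: frozenset = frozenset()
    dst_macs: frozenset = frozenset()
    mode: str = "allow"
    dports: frozenset = frozenset()


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_eth(frame: bytes):
    """Split an Ethernet II frame into (dst_mac, src_mac, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return bytes_to_mac(frame[:6]), bytes_to_mac(frame[6:12]), ethertype, frame[14:]


def mac_hit(policy: ForwardingFilterPolicy, src: str, dst: str) -> bool:
    """Stage 1 (steps 102/302): compare the frame's MAC(s) with the policy's MAC info."""
    checks = []
    if policy.src_macs:
        checks.append(src in policy.src_macs)
    if policy.dst_macs:
        checks.append(dst in policy.dst_macs)
    return bool(checks) and all(checks)


def rule_hit(policy: ForwardingFilterPolicy, ethertype: int, payload: bytes) -> bool:
    """Stage 2 (steps 203/304): destination-port rule over IPv4 TCP/UDP payloads."""
    if not policy.dports:
        return True
    if ethertype != ETH_P_IP or len(payload) < 20:
        return False                       # rule is IPv4-only: non-IP frames cannot match
    ihl, proto = (payload[0] & 0x0F) * 4, payload[9]
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(payload) < ihl + 4:
        return False
    return struct.unpack("!H", payload[ihl + 2:ihl + 4])[0] in policy.dports


def select_frame(policy: ForwardingFilterPolicy, frame: bytes) -> bool:
    """True if the frame survives both stages and is target traffic to forward."""
    dst, src, ethertype, payload = parse_eth(frame)
    hit = mac_hit(policy, src, dst)
    if (policy.mode == "allow") != hit:    # allow-mode miss or deny-mode hit: discard
        return False
    return rule_hit(policy, ethertype, payload)


def vxlan_encap(frame: bytes, vni: int) -> bytes:
    """Prepend the 8-byte VXLAN header: flags, 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\0\0\0", vni << 8) + frame


def vxlan_decap(packet: bytes):
    """Inverse of vxlan_encap, as the analysis device applies it; returns (vni, frame)."""
    flags, _, vni_field = struct.unpack("!B3sI", packet[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8, packet[8:]


def build_frame(src: str, dst: str, proto: int, dport: int) -> bytes:
    """Constructed IPv4 frame: minimal 20-byte IP header plus an 8-byte L4 header."""
    ip_hdr = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, proto, 0, 0]) + bytes(8)
    l4_hdr = struct.pack("!HH", 40000, dport) + bytes(4)
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ETH_P_IP) + ip_hdr + l4_hdr


def pull_traffic(policy: ForwardingFilterPolicy, mirrored: list, vni: int) -> list:
    """Per mirrored frame, what the security VM does: filter, then encapsulate for the tunnel."""
    return [vxlan_encap(f, vni) for f in mirrored if select_frame(policy, f)]
```

GRE and VXLAN only encapsulate; the encryption the text mentions has to come from a separate layer such as IPsec on the path to the analysis device. On the receiving side, pinning the expected VNI in vxlan_decap keeps unrelated VXLAN packets arriving on the same UDP port from being counted as pulled traffic.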
The intra-cloud traffic pulling apparatus provided by the present invention is described below; the apparatus described below and the intra-cloud traffic pulling method described above may be referred to in correspondence with each other.
Referring to fig. 7, fig. 7 is a schematic structural diagram of an intra-cloud traffic pulling apparatus according to an embodiment of the present invention. A security virtual machine may be deployed in each physical machine of a cloud platform; the apparatus shown in fig. 7 is applied to the security virtual machine and may be used to execute the intra-cloud traffic pulling method shown in fig. 1. As shown in fig. 7, the intra-cloud traffic pulling apparatus includes at least:
the traffic obtaining module 710 is configured to obtain traffic of a virtual machine in the cloud platform mirrored to the mirror port of the secure virtual machine.
the first traffic filtering module 720, configured to filter the acquired traffic based on the mac information of the virtual machine network cards in the forwarding and filtering policy to obtain the target traffic to be forwarded.
The traffic forwarding module 730 is configured to forward the obtained target traffic to an analysis device outside the cloud platform based on the tunneling protocol.
Optionally, the first traffic filtering module 720 includes:
a first judging unit, configured to judge whether the mac address of the acquired traffic matches the mac information of the virtual machine network cards in the forwarding and filtering policy, where the mac address comprises a source mac address and/or a destination mac address;
a traffic determining unit, configured to determine, when the first judging unit finds that the mac address of the acquired traffic matches the mac information of the virtual machine network cards in the forwarding and filtering policy, that the corresponding traffic is the target traffic to be forwarded.
Optionally, the intra-cloud traffic pulling apparatus further includes:
a second traffic filtering module, configured to filter the obtained target traffic to be forwarded based on the filter rules defined in the forwarding and filtering policy and to update the target traffic to be forwarded.
Optionally, the second traffic filtering module includes:
a second judging unit, configured to judge whether the obtained target traffic to be forwarded matches the filter rules defined in the forwarding and filtering policy;
a traffic retaining unit, configured to retain the corresponding target traffic to be forwarded when the second judging unit finds that the obtained target traffic to be forwarded matches the filter rules defined in the forwarding and filtering policy.
Optionally, the traffic acquired by the security virtual machine from the mirror port is traffic of a virtual machine in the cloud platform, which is deployed in the same physical machine as the security virtual machine.
Optionally, the intra-cloud traffic pulling apparatus further includes:
a policy pulling module, configured to pull the forwarding and filtering policy from the web server, the forwarding and filtering policy being generated by the web server based on the information of the virtual machines in the cloud platform.
Optionally, the information of the virtual machine in the cloud platform is obtained from the cloud platform by the web server calling an application program interface of the cloud platform.
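The two-stage match performed by the security virtual machine in the embodiment above (mac match against the policy's VM network-card list, then the policy's filter rules, then tunnel encapsulation, with a drop on any failed stage), which is also what the first traffic filtering, second traffic filtering and traffic forwarding modules of the apparatus do, as an added example that is not the patent's code. The rule format (IP protocol and destination port pairs), the choice of VXLAN as the tunnel protocol and the sample frames are assumptions; the patent specifies only "filter rules" and "a tunnel protocol".

```python
import struct
from dataclasses import dataclass

@dataclass
class ForwardingFilterPolicy:  # policy pulled from the web server (contents assumed)
    vm_macs: set   # mac information of the VM network cards, lowercase "aa:bb:..." form
    rules: list    # assumed form: (ip_proto, dst_port) pairs, None meaning "any"

def parse_ethernet(frame):
    """Return (dst_mac, src_mac, ethertype, payload), or None if the frame is truncated."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    return dst, src, struct.unpack("!H", frame[12:14])[0], frame[14:]

def parse_ipv4_l4(payload):
    """Return (ip_proto, dst_port) from an IPv4 packet; port is None unless TCP/UDP."""
    if len(payload) < 20:
        return None
    ihl = (payload[0] & 0x0F) * 4
    proto, l4 = payload[9], payload[ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        return proto, struct.unpack("!H", l4[2:4])[0]
    return proto, None

def match_mac(info, policy):
    """Stage 1: the source and/or destination mac must belong to a VM in the policy."""
    return info[1] in policy.vm_macs or info[0] in policy.vm_macs

def match_rules(info, policy):
    """Stage 2: keep only traffic matching a filter rule (an empty rule set keeps all)."""
    _, _, ethertype, payload = info
    if not policy.rules:
        return True
    if ethertype != 0x0800:  # assumption: filter rules are IPv4-only
        return False
    proto, port = parse_ipv4_l4(payload) or (None, None)
    return proto is not None and any(
        (rp is None or rp == proto) and (rd is None or rd == port) for rp, rd in policy.rules)

def vxlan_encapsulate(frame, vni=100):
    """Prepend an 8-byte VXLAN header (I flag set, 24-bit VNI); VXLAN is an assumed tunnel."""
    return struct.pack("!BBBBBBBB", 0x08, 0, 0, 0,
                       (vni >> 16) & 0xFF, (vni >> 8) & 0xFF, vni & 0xFF, 0) + frame

def process_mirrored_frame(frame, policy):
    """Secure-VM pipeline: mac match -> rule match -> tunnel; any failed stage drops (None)."""
    info = parse_ethernet(frame)
    if info is None or not match_mac(info, policy) or not match_rules(info, policy):
        return None
    return vxlan_encapsulate(frame)

def build_frame(dst_mac, src_mac, ip_proto, dst_port):
    """Constructed sample: minimal Ethernet/IPv4 frame carrying only the L4 port fields."""
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + b"\x08\x00"
    ip = (bytes([0x45, 0]) + struct.pack("!H", 28) + b"\x00\x00\x40\x00\x40"
          + bytes([ip_proto]) + b"\x00\x00" + bytes([10, 0, 0, 1, 10, 0, 0, 2]))
    return eth + ip + struct.pack("!HH", 40000, dst_port) + b"\x00" * 4
```

Only frames whose mac matches a VM in the policy reach the rule stage, so a policy scoped to the VMs on the local physical machine never tunnels traffic of other tenants' machines that may share the mirror port.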
Fig. 8 illustrates a physical structure diagram of an electronic device, which, as shown in fig. 8, may include: a processor 810, a communication interface 820, a memory 830 and a communication bus 840, where the processor 810, the communication interface 820 and the memory 830 communicate with each other via the communication bus 840. The processor 810 may call logic instructions in the memory 830 to perform the following method: acquiring the traffic of a virtual machine in the cloud platform mirrored to the mirror port of the secure virtual machine; filtering the acquired traffic based on the mac information of the virtual machine network cards in the forwarding and filtering policy to obtain the target traffic to be forwarded; and forwarding the obtained target traffic to an analysis device outside the cloud platform based on a tunnel protocol.
In addition, the logic instructions in the memory 830 may be implemented as software functional units and stored in a computer-readable storage medium when sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other media capable of storing program code.
In another aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium on which a computer program is stored, which, when executed by a processor, performs the method provided by the foregoing embodiments, for example: acquiring the traffic of a virtual machine in the cloud platform mirrored to the mirror port of the secure virtual machine; filtering the acquired traffic based on the mac information of the virtual machine network cards in the forwarding and filtering policy to obtain the target traffic to be forwarded; and forwarding the obtained target traffic to an analysis device outside the cloud platform based on a tunnel protocol.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, and not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. An intra-cloud traffic pulling method, wherein a secure virtual machine is deployed in each physical machine of a cloud platform, and the traffic pulling method is applied to the secure virtual machine, and comprises the following steps:
acquiring the flow of the virtual machine in the cloud platform mirrored to the mirror port of the secure virtual machine;
filtering the acquired flow based on mac information of the virtual machine network card in the forwarding and filtering strategy to obtain a target flow to be forwarded;
and forwarding the obtained target flow to an analysis device outside the cloud platform based on a tunnel protocol.
2. The method according to claim 1, wherein the filtering the acquired traffic based on mac information of a virtual machine network card in a forwarding and filtering policy to obtain a target traffic to be forwarded comprises:
judging whether the mac address of the acquired flow is matched with mac information of a virtual machine network card in the forwarding and filtering strategy; wherein the mac address comprises a source mac address and/or a destination mac address;
and if the mac address of the acquired flow is matched with the mac information of the virtual machine network card in the forwarding and filtering strategy, determining the corresponding flow as the target flow to be forwarded.
3. The method according to claim 1 or 2, wherein the method for pulling the flow in the cloud further comprises, after filtering the acquired flow based on mac information of a virtual machine network card in a forwarding and filtering policy to obtain a target flow to be forwarded:
and filtering the obtained target traffic to be forwarded based on a filtering rule defined in the forwarding filtering strategy, and updating the target traffic to be forwarded.
4. The intra-cloud traffic pulling method according to claim 3, wherein filtering the obtained target traffic to be forwarded based on a filtering rule defined in the forwarding filtering policy, and updating the target traffic to be forwarded comprises:
judging whether the obtained target flow to be forwarded is matched with a filtering rule defined in the forwarding filtering strategy or not;
if the obtained target traffic to be forwarded is matched with the filtering rule defined in the forwarding filtering strategy, the corresponding target traffic to be forwarded is reserved.
5. The intra-cloud traffic pulling method according to claim 1, 2 or 4, wherein the traffic obtained by the security virtual machine from the mirror port is traffic of a virtual machine in the cloud platform, the virtual machine being deployed in the same physical machine as the security virtual machine.
6. The intra-cloud traffic pulling method according to claim 1, 2 or 4, wherein before obtaining the traffic mirrored to the mirror port of the secure virtual machine by the virtual machine in the cloud platform, the method further comprises:
pulling the forwarding filtering policy from a web server, wherein the forwarding filtering policy is generated by the web server based on information of a virtual machine in the cloud platform.
7. The intra-cloud traffic pulling method according to claim 6, wherein the information of the virtual machine in the cloud platform is obtained from the cloud platform by the web server calling an application program interface of the cloud platform.
8. An intra-cloud traffic pulling apparatus, wherein a secure virtual machine is deployed in each physical machine of a cloud platform, and the traffic pulling apparatus is applied to the secure virtual machine, and comprises:
the flow acquisition module is used for acquiring the flow of the virtual machine in the cloud platform mirrored to the mirror image port of the safety virtual machine;
the first traffic filtering module is used for filtering the acquired traffic based on mac information of the virtual machine network card in the forwarding filtering strategy to obtain target traffic to be forwarded;
and the traffic forwarding module is used for forwarding the obtained target traffic to the analysis equipment outside the cloud platform based on the tunnel protocol.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program implements the steps of the in-cloud traffic pulling method according to any of claims 1 to 7.
10. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the steps of the in-cloud traffic pulling method according to any one of claims 1 to 7.
CN202210146983.4A 2022-02-17 2022-02-17 Cloud internal flow traction method and device Pending CN114615022A (en)

Publications (1)

Publication Number Publication Date
CN114615022A true CN114615022A (en) 2022-06-10

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101599966A (en) * 2009-05-11 2009-12-09 曙光信息产业(北京)有限公司 Data filtering method for multiple virtual machines
CN110061921A (en) * 2019-04-17 2019-07-26 北京云杉世纪网络科技有限公司 Cloud platform packet delivery method and system
US20190238508A1 (en) * 2018-01-26 2019-08-01 Nicira, Inc. Unified security policies across virtual private clouds with overlapping ip address blocks
CN111651241A (en) * 2020-08-04 2020-09-11 北京赛宁网安科技有限公司 Flow acquisition system and method for network target range
CN112437072A (en) * 2020-11-17 2021-03-02 广州西麦科技股份有限公司 Virtual machine flow traction system, method, equipment and medium in cloud platform
CN113542160A (en) * 2021-05-27 2021-10-22 贵州电网有限责任公司 SDN-based method and system for pulling east-west flow in cloud

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination