CN101800730B - Safety enhanced virtual machine communication method and virtual machine system - Google Patents

Safety enhanced virtual machine communication method and virtual machine system

Info

Publication number
CN101800730B
Authority
CN
China
Prior art keywords
virtual machine
packet
virtual
machine
response message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN 200910004037
Other languages
Chinese (zh)
Other versions
CN101800730A (en)
Inventor
田启明
刘亮
戈弋
侯锐
王浩
王庆波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
IBM China Co Ltd
Original Assignee
International Business Machines Corp

Abstract

The invention discloses a security-enhanced virtual machine communication method and virtual machine system. According to one embodiment, the security-enhanced virtual machine system comprises a plurality of virtual machines in a virtual network, all located on the same physical machine. The virtual machine system comprises a virtual network security manager coupled into the virtual network and a shadow system coupled to the virtual network security manager, where the shadow system is located on a physical machine other than the one on which the virtual machines reside. The virtual network security manager copies the packets sent between the virtual machines and forwards the copied packets to the shadow system through a physical security device; the shadow system returns response information indicating that it received the packet to the virtual network security manager; and the virtual network security manager sends the packet between the virtual machines according to the returned response information.

Description

Security-enhanced virtual machine communication method and virtual machine system
Technical field
The present invention relates to virtualization technology, and in particular to a security-enhanced virtual machine communication method and virtual machine system.
Background
Virtualization is a technology that benefits users of computers (for example servers). Through virtualization, IT infrastructure can share resources, IT costs fall, and the efficiency, utilization and flexibility of existing computer hardware improve. In general, virtualization brings the following benefits: server consolidation and architecture optimization, lower hardware costs, lower operating costs, improved application availability, and easier system management. Many system-level vendors provide virtualization capabilities in their software and services. For example, Red Hat added the open-source Xen virtual machine manager (hypervisor) to its Enterprise Linux 5.
Usually, one physical machine serves as the host of two or more virtual machines (VMs). A virtual machine manager for managing the virtual machines is installed on the physical machine. These virtual machines can communicate directly with one another through a virtual switch/VLAN (VSWITCH/VLAN) created by the virtual machine manager. For example, one virtual machine can pass information to the virtual machine manager, which then passes it on to another virtual machine, thereby realizing communication between the virtual machines.
However, in a virtual machine environment, traditional firewalls and IPSs have difficulty stopping attacks on virtual machines. When one virtual machine is infected by a virus, for example, the virus can directly attack the other virtual machines hosted on the same physical machine through the VSWITCH/VLAN. This differs from a physical environment, where a deployed firewall/anti-virus tool can stop attacks within the physical network.
In a virtual environment, because there is no firewall/anti-virus tool in the VSWITCH/VLAN, malicious code such as a virus can spread easily through the VSWITCH/VLAN, which reduces the security of communication between the virtual machines.
At present, security products on the market usually focus on the physical environment rather than the virtual environment; there are no security products for secure virtual machine communication. Nor do current virtual machine managers embed any security mechanism for secure virtual machine communication.
For example, Fig. 1 shows a schematic diagram of a traditional virtual machine environment. As shown in the figure, in the traditional virtual machine system 100, virtual machines VM1, VM2 and VM3 are connected in the virtual network VNet. Firewall 100 isolates the physical machine and the virtual network where the virtual machines reside from the outside. In this environment, virtual machines VM1, VM2 and VM3 can communicate directly through the virtual switch/VLAN without passing through firewall 100. Suppose that virtual machine VM3 sends an attack code packet to VM1; since there is no security mechanism, VM1 is easily infected.
Summary of the invention
In view of the above problems in the prior art, an object of the present invention is to provide a security-enhanced virtual machine communication method and virtual machine system that can enhance the security of communication between virtual machines.
To achieve these goals, according to one aspect of the present invention, a security-enhanced virtual machine system is provided, comprising a plurality of virtual machines in a virtual network located on the same physical machine. The virtual machine system comprises: a virtual network security manager coupled into the virtual network, and a shadow system coupled to the virtual network security manager, the shadow system being located on a physical machine other than the one on which the virtual machines reside. The virtual network security manager copies the packets sent between the virtual machines and forwards the copied packets to the shadow system through a physical security device; the shadow system returns to the virtual network security manager response information indicating that it received the packet; and the virtual network security manager sends the packet between the virtual machines according to the returned response information.
According to another aspect of the invention, a security-enhanced virtual machine communication method is provided for a plurality of virtual machines in a virtual network located on the same physical machine. The method comprises the steps of: detecting a packet sent by one virtual machine in the virtual network to another virtual machine; holding and copying the detected packet in shared memory; forwarding the copied packet through a physical security device to a shadow system located on a physical machine other than the one on which the virtual machines reside; waiting for and receiving response information returned from the shadow system indicating that it received the packet; and sending the packet to the other virtual machine according to the response information returned from the shadow system.
According to the present invention, the virtual network created by the virtual machine manager can be monitored flexibly. The invention provides the ability to protect virtual machines. Moreover, because no change to existing firewalls is required, investment is protected and cost is reduced.
These and other aspects and embodiments of the present invention will be better known and understood when considered in conjunction with the following description and accompanying drawings.
Description of drawings
Fig. 1 is a schematic diagram showing a traditional virtual machine environment.
Fig. 2 is a schematic block diagram illustrating the principle of the present invention.
Fig. 3 is a schematic block diagram of a virtual machine system according to one embodiment of the invention.
Fig. 4 is a schematic block diagram of a virtual machine system according to another embodiment of the invention.
Fig. 5 is a flowchart of a virtual machine communication method according to a further embodiment of the invention.
Fig. 6 is a flowchart of the processing performed by the shadow system in the method of Fig. 5.
Fig. 7 is a flowchart of a virtual machine communication method according to yet another embodiment of the invention.
Fig. 8 is a block diagram of a computer system suitable for the present invention.
Detailed description
The principle and embodiments of the present invention are described with reference to the drawings.
Overview of the principle of the invention
Fig. 2 illustrates the principle of the invention. As shown in Fig. 2, in a virtualized environment using the invention, a plurality of virtual machines (VMs) are connected to a virtual network (VNet). For example, virtual machines VM1, VM2 and VM3 are located on the same physical machine. The virtualized environment of the invention is also provided with a virtual machine security manager 200 and a VM shadow system 220 coupled to it. Between the virtual machine security manager and the shadow system, a physical security device 210 is provided, such as a firewall, anti-virus device, security gateway or IPS device. The VM security manager holds a packet sent by, for example, VM3 to VM1 in shared memory, copies the packet, and forwards the copy through physical security device 210 to VM shadow system 220.
If VM shadow system 220 receives the packet, it returns response information to virtual machine security manager 200. Virtual machine security manager 200 determines from the returned response information that the packet may be forwarded, and releases the held packet so that VM1 obtains it from shared memory.
If virtual machine security manager 200 does not receive response information returned from VM shadow system 220 within a specified time, the packet is discarded and not forwarded to VM1.
Alternatively, if virtual machine security manager 200 does not receive response information returned from VM shadow system 220 within the specified time, it can adjust the virtual network VNet. For example, a separate sub-network (not shown) is partitioned off from VNet, and VM3 is placed in that sub-network. Packets sent by virtual machines in this sub-network (for example VM3) always pass through physical security device 210 so that they are inspected and filtered by it.
According to the invention, the security of communication between virtual machines is enhanced by passing the packets communicated between them to a traditional physical security device for filtering and inspection. Furthermore, by partitioning the original virtual network into a new sub-network based on the result fed back from the inspection, security isolation is enforced: all future communication from a virtual machine that once sent, for example, an attack code packet is forced through inspection by the external physical security device, which further improves the security and efficiency of virtual machine communication. In other embodiments of the invention, after a potentially harmful virtual machine has been isolated, an indication can also be sent to a console to report to the system administrator for appropriate handling.
Embodiments of the invention are described below with reference to Figs. 3 to 6.
Embodiment 1
Fig. 3 is a schematic block diagram of a security-enhanced virtual machine system according to the present embodiment.
As shown in the figure, virtual machine system 350 according to the present embodiment comprises a plurality of virtual machines, for example VM1, VM2 and VM3. Note that although the present embodiment is described with three virtual machines as an example, those skilled in the art will understand that this is only for ease of explanation and not a limitation; any number of virtual machines may be included as required. In the present embodiment, the virtual machines are located on the same physical machine (such as a server, mainframe, workstation, etc.).
Virtual machine system 350 also comprises a virtual network (VNet) security manager 300 and a VM shadow system 320 coupled to it. VM shadow system 320 is located on a physical machine other than the one on which virtual machines VM1, VM2 and VM3 reside.
A physical security device 310 is provided between VNet security manager 300 and VM shadow system 320. The invention places no limitation on physical security device 310; for example, it may be a traditional firewall, anti-virus device, security gateway, IPS device, or a combination of these. Those skilled in the art will understand that in an IT architecture a plurality of physical security devices such as firewalls can be set up, and that these physical security devices can be used not only to protect communication between devices inside the network and external devices but also to protect communication between devices (including virtual machines) inside the network.
During virtual machine communication, for example when virtual machine VM3 sends a packet to VM1, VNet security manager 300 copies the packet that VM3 sends to VM1 and forwards the copy through physical security device 310 to VM shadow system 320. VM shadow system 320 returns response information indicating that it received the packet to VNet security manager 300. VNet security manager 300 sends the packet between the virtual machines according to the returned response information.
More specifically, in addition to the modules (not shown, for clarity) that it shares with the virtual machine manager (hypervisor) of a traditional virtual machine system, VNet security manager 300 further comprises a VNet communication controller 301. VNet communication controller 301 is configured to perform the following processing: detect a packet communicated between different virtual machines (for example VM3 and VM1) located on the same physical machine; hold and copy the detected packet in shared memory; forward the copied packet through physical security device 310 to VM shadow system 320; wait for and receive the response information returned from VM shadow system 320; and, on receiving the response information, release the held packet to complete the communication between the different virtual machines. Optionally, VNet communication controller 301 performs the above processing on every packet communicated between the virtual machines, achieving complete control over secure virtual machine communication. Alternatively, VNet communication controller 301 can extract packets communicated between the virtual machines according to a predefined rule and perform the above processing on them, achieving sampled detection and partial control over secure virtual machine communication. The predefined rule can be set as required; for example, packets can be extracted at a certain time interval, or packets of a predefined type can be extracted.
In addition, VNet communication controller 301 can also mark the held packet with a universal unique identifier (UUID) and forward the packet together with the UUID to VM shadow system 320. The UUID can be used to locate the corresponding packet. Those skilled in the art will appreciate that the UUID here is only an example, and that the invention can use other types of identifier to identify packets.
As shown in Fig. 3, VM shadow system 320 comprises a VM simulator 321 and a VM shadow manager 325 coupled to it.
VM shadow manager 325 is configured to receive the packet forwarded from VNet communication controller 301 through physical security device 310 and to dispatch the received packet to VM simulator 321.
VM simulator 321 can establish corresponding virtual machine shadows according to the virtual machine topology notified by VNet security manager 300. A virtual machine shadow is an image of the corresponding virtual machine on the physical machine where the shadow system resides; it can also be called a pseudo-image of the virtual machine. It should be noted, however, that the virtual machine shadow here is not a complete copy of the corresponding virtual machine. In fact, the virtual machine shadow can be understood as a controller that holds the control information of the packet (for example the UUID) for feedback; it only needs to be configured with the logic to receive the control information of a packet sent by the corresponding virtual machine and to return a response containing that control information. Once the definition and function of the virtual machine shadow are clear, how to establish it specifically can be implemented by those skilled in the art using their general knowledge and is not described in detail here.
In addition, when a virtual machine VM joins the VNet, VNet security manager 300 can notify VM shadow system 320 to add a virtual machine shadow for it. As shown by the dashed lines in the figure, VM simulator 321 establishes a virtual machine shadow for each virtual machine; for example, the shadows corresponding to virtual machines VM1, VM2 and VM3 are VM1', VM2' and VM3'. VM simulator 321 parses the packet from VM shadow manager 325 to obtain the packet's UUID. Besides the UUID, the packet from VM shadow manager 325 also contains body content, i.e. the data portion of the packet; VM simulator 321 does not obtain the body content of the packet from VM shadow manager 325. VM simulator 321 checks whether a virtual machine shadow VM3' has been established for the virtual machine VM3 that, for example, sent the packet; if not, it simulates a new virtual machine shadow VM3'. VM simulator 321 then forwards the UUID to the relevant virtual machine shadow VM3'.
As an example, the relevant virtual machine shadow VM3' can generate a packet containing only the UUID as the above response information and send it to VM shadow manager 325.
Alternatively, VM simulator 321 can also obtain the IP address of the virtual machine VM3 that sent the packet. In this case, virtual machine shadow VM3' can have the same IP address as virtual machine VM3, and the relevant virtual machine shadow VM3' generates a packet containing the UUID and the IP address as the response information and sends it to VM shadow manager 325.
VM shadow manager 325 feeds the response information generated by the associated virtual machine shadow VM3' back to VNet communication controller 301.
Embodiment 2
Fig. 4 is a schematic block diagram of a security-enhanced virtual machine system according to another embodiment of the invention. In Fig. 4, the same reference numerals denote the same devices as in Fig. 3, and their detailed description is omitted.
Virtual machine system 350' of the present embodiment differs from virtual machine system 350 of embodiment 1 in that VNet security manager 300' also comprises a VNet partition controller 305.
VNet partition controller 305 is coupled to VNet communication controller 301. If VNet communication controller 301 does not receive response information returned from VM shadow system 320 within a specified time, it notifies VNet partition controller 305 to adjust the VNet. VNet partition controller 305 adjusts the VNet so that the virtual machine VM3 that sent the packet is placed in a virtual sub-network (not shown) separated from the other virtual machines, and so that packets sent by the virtual machines in this virtual sub-network (for example VM3) always pass through physical security device 310 to be inspected and filtered by it. How to partition a virtual sub-network from the VNet specifically can be implemented by those skilled in the art using their general knowledge and is not described in detail here.
In this case, packets sent by the virtual machines in the partitioned virtual sub-network are no longer forwarded to VM shadow system 320. The virtual machines in this virtual sub-network can be considered isolated: until the corresponding virtual machine (for example VM3) has been handled so that the security problem in it is eliminated, the packets it sends are filtered by physical security device 310 and it cannot communicate with the other virtual machines.
Embodiment 3
Fig. 5 is a flowchart of a security-enhanced virtual machine communication method according to a further embodiment of the invention.
The virtual machine communication method according to the present embodiment can be implemented in the virtual machine system described in embodiment 1. As shown in Fig. 5, first, in step 501, the VNet communication controller detects a packet sent by, for example, virtual machine VM3 to VM1, both located on the same physical machine.
Then, in step 510, the detected packet is held in shared memory and copied.
Then, in step 520, the held packet can be marked with a universal unique identifier UUID.
Then, in step 530, the copied packet and the UUID are forwarded through, for example, a firewall to the VM shadow system, which is located on a physical machine other than the one on which the virtual machines reside.
Afterwards, in step 540, the response information returned from the shadow system indicating that it received the packet is awaited and received. This response information may contain only the marked UUID.
If the response information is received in step 540, processing proceeds to step 560, where the held packet is released and sent to the other virtual machine.
If the response information is not received in step 540 within the specified time, processing proceeds to step 550, where the held packet is discarded and not sent to the other virtual machine.
The method of embodiment 3 has been described above from the perspective of the VNet communication controller. Fig. 6 is a flowchart of the processing performed by the VM shadow system in the method of Fig. 5.
As shown in Fig. 6, in step 531, the VM shadow system receives the packet forwarded from the VNet communication controller through, for example, a firewall.
Then, in step 532, the packet is processed to generate response information containing the UUID. Specifically, the VM shadow manager can dispatch the obtained packet to the VM simulator. The VM simulator parses the packet from VM shadow manager 325 to obtain its UUID. The VM simulator checks whether a virtual machine shadow VM3' has been established for the virtual machine VM3 that, for example, sent the packet; if not, it simulates a new virtual machine shadow VM3'. Then VM simulator 321 forwards the UUID to the relevant virtual machine shadow VM3'. As an example, the relevant virtual machine shadow VM3' can generate a packet containing only the UUID as the response information. Alternatively, the VM simulator can also obtain the IP address of the virtual machine VM3 that sent the packet, and the relevant virtual machine shadow VM3' generates a packet containing the UUID and the IP address as the response information. The response information is then sent to the VM shadow manager.
Then, in step 533, the VM shadow manager feeds the response information generated by the associated virtual machine shadow VM3' back to the VNet communication controller.
Embodiment 4
Fig. 7 is a flowchart of a virtual machine communication method according to yet another embodiment of the invention. In Fig. 7, the same reference numerals denote the same steps as in Fig. 5, and their detailed description is omitted.
The virtual machine communication method according to the present embodiment can be implemented in the virtual machine system described in embodiment 2. The method of the present embodiment differs from that of embodiment 1 in that step 570 is also performed after step 550.
As shown in Fig. 7, if the response information is not received in step 540 within the specified time, then after the held packet is discarded in step 550, processing proceeds to step 570. In step 570, the VNet is adjusted, for example by the VNet partition controller, so that the virtual machine VM3 that sent the packet is placed in a virtual sub-network separated from the other virtual machines, and so that packets sent by the virtual machines in this virtual sub-network always pass through the physical security device (for example a firewall) to be inspected and filtered by it.
In this case, packets sent by the virtual machines in the partitioned virtual sub-network are no longer forwarded to the VM shadow system. The virtual machines in this virtual sub-network can be considered isolated: until the corresponding virtual machine (for example VM3) has been handled so that the security problem in it is eliminated, the packets it sends are filtered by the physical security device and it cannot communicate with the other virtual machines.
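As an added illustration of embodiments 3 and 4 (this is not code from the patent), the following Python model runs the hold-copy-forward-release flow of Fig. 5 together with the sub-network isolation of Fig. 7: each packet copy is marked with a UUID and passed through a stand-in physical security device to a shadow system that answers with the UUID only; a copy the device filters never produces a response, which stands for the timeout, so the held packet is discarded and the sender is isolated and thereafter routed only through the device. The class names, the byte-pattern filter rule and the sample packets are constructed for this example.

```python
import uuid
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str                   # sending VM, e.g. "VM3"
    dst: str                   # receiving VM, e.g. "VM1"
    body: bytes                # data portion; the shadow side never reads it
    uid: Optional[str] = None  # UUID marked on the packet by the controller


class PhysicalSecurityDevice:
    """Stand-in for the firewall/IPS between the VNet security manager and the
    shadow system. The byte-pattern rule set is a constructed example."""

    def __init__(self, blocked_patterns):
        self.blocked_patterns = list(blocked_patterns)
        self.log = []  # (src, dst, uid, verdict) for every packet inspected

    def forward(self, pkt):
        """Return the packet if it passes inspection, None if it is filtered."""
        passed = not any(p in pkt.body for p in self.blocked_patterns)
        self.log.append((pkt.src, pkt.dst, pkt.uid, "pass" if passed else "drop"))
        return pkt if passed else None


class VMShadowSystem:
    """VM shadow manager plus VM simulator on the second physical machine.
    Each VM shadow holds control information (acknowledged UUIDs), not a VM copy."""

    def __init__(self):
        self.shadows = {}  # VM name -> list of UUIDs its shadow has answered

    def add_shadow(self, vm):
        # The security manager notifies the shadow system when a VM joins the VNet.
        self.shadows.setdefault(vm, [])

    def receive(self, pkt):
        """Shadow manager dispatches to the simulator, which reads only the UUID,
        creates the sender's shadow if missing, and answers with a UUID-only packet."""
        self.add_shadow(pkt.src)
        self.shadows[pkt.src].append(pkt.uid)
        return {"uid": pkt.uid}


class VNetCommunicationController:
    """VNet communication controller (embodiment 3) with the VNet partition
    controller behaviour of embodiment 4 folded in."""

    def __init__(self, device, shadow):
        self.device = device
        self.shadow = shadow
        self.held = {}         # models shared memory: UUID -> held packet
        self.isolated = set()  # VMs moved into the separated virtual sub-network
        self.delivered = []    # packets released to their destination VM

    def register_vm(self, vm):
        self.shadow.add_shadow(vm)

    def send(self, pkt):
        """Process one packet between two VMs on the same physical machine."""
        if pkt.src in self.isolated:
            # After step 570 an isolated VM's packets bypass the shadow system and
            # always go through the physical security device instead.
            return self._deliver(pkt) if self.device.forward(pkt) else "dropped"

        # Steps 510 and 520: hold the detected packet in shared memory and mark it.
        pkt.uid = str(uuid.uuid4())
        self.held[pkt.uid] = pkt
        copy = Packet(pkt.src, pkt.dst, pkt.body, pkt.uid)

        # Step 530: forward the copy through the device to the shadow system.
        # Step 540: a copy the device filters never reaches the shadow, so no
        # response ever returns; that is the timeout branch, modelled without a clock.
        forwarded = self.device.forward(copy)
        response = self.shadow.receive(forwarded) if forwarded else None

        if response is not None and response["uid"] == pkt.uid:
            # Step 560: release the held packet to the destination VM.
            return self._deliver(self.held.pop(pkt.uid))
        # Step 550: discard the held packet; step 570: isolate the sender.
        self.held.pop(pkt.uid, None)
        self.isolated.add(pkt.src)
        return "dropped"

    def _deliver(self, pkt):
        self.delivered.append(pkt)
        return "delivered"


def run_demo():
    """VM3 sends four packets to VM1; the second and fourth carry the constructed marker."""
    device = PhysicalSecurityDevice([b"ATTACK"])
    shadow = VMShadowSystem()
    ctl = VNetCommunicationController(device, shadow)
    for vm in ("VM1", "VM2", "VM3"):
        ctl.register_vm(vm)
    verdicts = tuple(ctl.send(Packet("VM3", "VM1", body)) for body in
                     (b"hello", b"ATTACK code", b"hello again", b"ATTACK again"))
    return verdicts, ctl, device, shadow


if __name__ == "__main__":
    print(run_demo()[0])  # ('delivered', 'dropped', 'delivered', 'dropped')
```

After the second packet VM3 is isolated, so the third packet is delivered only because the device passes it directly, without any shadow round trip.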
Fig. 8 schematically shows a block diagram of a computer system that can implement the embodiments of the present invention.
The computer system shown in Fig. 8 comprises a CPU (central processing unit) 801, RAM (random access memory) 802, ROM (read-only memory) 803, a system bus 804, a hard disk controller 805, a keyboard controller 806, a serial interface controller 807, a parallel interface controller 808, a display controller 809, a hard disk 810, a keyboard 811, a serial peripheral 812, a parallel peripheral 813 and a display 814. Of these components, CPU 801, RAM 802, ROM 803, hard disk controller 805, keyboard controller 806, serial interface controller 807, parallel interface controller 808 and display controller 809 are connected to system bus 804. Hard disk 810 is connected to hard disk controller 805, keyboard 811 to keyboard controller 806, serial peripheral 812 to serial interface controller 807, parallel peripheral 813 to parallel interface controller 808, and display 814 to display controller 809.
The function of each component in Fig. 8 is well known in the art, and the structure shown in Fig. 8 is also conventional. This structure is used not only for personal computers and servers but also for handheld devices such as palm PCs, PDAs (personal digital assistants), mobile phones, etc. In different applications, for example when used to implement a user terminal including a client module according to the invention or a server host including a virtual machine system according to the invention, components may be added to the structure shown in Fig. 8, or some components in Fig. 8 may be omitted. The whole system shown in Fig. 8 is controlled by computer-readable instructions, usually stored as software on hard disk 810 or in an EPROM or other non-volatile memory. The software can also be downloaded from a network (not shown). The software, whether stored on hard disk 810 or downloaded from the network, can be loaded into RAM 802 and executed by CPU 801 to carry out the functions determined by the software.
Although the computer system described in Fig. 8 can support the technical solution provided according to the invention, it is only one example of a computer system. Those skilled in the art will appreciate that many other computer system designs can also implement embodiments of the invention.
The present invention can also be embodied, for example, as a computer program product used by the system shown in Fig. 8, which can contain code for implementing part or all of the security-enhanced virtual machine system or virtual machine communication method according to the invention. Before use, the code can be stored in the memory of another computer system, for example on a hard disk or a removable memory such as a CD or floppy disk, or downloaded via the Internet or another computer network.
The disclosed method of the invention can be implemented in software, in hardware, or in a combination of software and hardware. The hardware portion can be implemented using dedicated logic; the software portion can be stored in memory and executed by a suitable instruction execution system, for example a microprocessor, personal computer (PC) or mainframe.
The preferred embodiments of the present invention have been described above. The foregoing description of the specific embodiments fully presents the general characteristics of the invention, and others can readily modify and/or adapt these specific embodiments for various applications by applying current knowledge without departing from the general principle. Such applications and modifications should therefore be, and are intended to be, understood to be within the meaning and range of equivalents of the disclosed embodiments.
It should be understood that the wording and terminology used here are for the purpose of explanation and not of limitation. Therefore, although the invention has been described with reference to embodiments, those of ordinary skill in the art will recognize that the invention can be practiced with modification within the scope of the appended claims.

Claims (18)

1. A security-enhanced virtual machine communication method for a plurality of virtual machines in a virtual network, the virtual machines being located on the same physical machine, the method comprising the steps of:
detecting a packet sent by one virtual machine in the virtual network to another virtual machine;
holding and copying the detected packet in shared memory;
forwarding the copied packet through a physical security device to a shadow system, the shadow system being located on another physical machine different from the physical machine on which the virtual machines are located;
waiting for and receiving a response message returned from said shadow system indicating receipt of said copied packet; and
sending the detected packet to said other virtual machine according to the response message returned from said shadow system,
wherein said shadow system comprises:
a virtual machine simulator; and
a virtual machine shadow manager coupled to the virtual machine simulator,
wherein the virtual machine shadow manager is configured to receive, through said physical security device, the packet forwarded from a virtual network communication controller, to distribute the received packet to the virtual machine simulator, and to feed back to said virtual network communication controller said response message obtained from processing by the associated virtual machine shadow;
and the virtual machine simulator is configured to parse the packet from the virtual machine shadow manager to obtain the universally unique identifier (UUID) with which the packet was tagged, to simulate a virtual machine shadow for the virtual machine that sent said packet, and to forward said UUID to the relevant virtual machine shadow.
2. The method according to claim 1, wherein, in the step of waiting for and receiving said response message, if no response message returned from said shadow system is received within a specified time, the packet is not sent to said other virtual machine.
3. The method according to claim 2, further comprising the step of: if no response message returned from the shadow system is received within the specified time, adjusting the virtual network so that the virtual machine that sent the packet is placed in a virtual subnet separate from the other virtual machines, such that packets sent by the virtual machine that sent the packet always pass through said physical security device and are inspected and filtered by said physical security device.
4. The method according to claim 1, wherein, in the step of sending the detected packet to said other virtual machine, the held packet is released so as to send the detected packet to said other virtual machine.
5. The method according to claim 1, further comprising, before said forwarding step, a step of tagging said copied packet with a universally unique identifier (UUID), wherein in said forwarding step said copied packet is forwarded to the shadow system together with its UUID.
6. The method according to claim 5, further comprising, after said forwarding step, the steps of:
said shadow system receiving the forwarded packet;
processing the forwarded packet to generate said response message comprising said UUID; and
feeding back said response message.
7. The method according to claim 6, wherein said response message generated in the step of processing the packet to generate said response message comprising said UUID further comprises the IP address of the virtual machine that sent said packet.
8. The method according to claim 6, wherein said response message generated in the step of processing the packet to generate said response message comprising said UUID does not comprise the body content of said forwarded packet.
9. A security-enhanced virtual machine system comprising a plurality of virtual machines in a virtual network, the virtual machines being located on the same physical machine, characterized in that the virtual machine system comprises:
a virtual network security manager coupled in the virtual network; and
a shadow system coupled to the virtual network security manager, the shadow system being located on another physical machine different from the physical machine on which said virtual machines are located,
wherein the virtual network security manager copies a packet sent between the virtual machines and forwards the copied packet through a physical security device to the shadow system;
the shadow system returns to the virtual network security manager a response message indicating receipt of the copied packet; and
the virtual network security manager sends the packet between the virtual machines according to the returned response message,
wherein said shadow system comprises:
a virtual machine simulator; and
a virtual machine shadow manager coupled to the virtual machine simulator,
wherein the virtual machine shadow manager is configured to receive, through said physical security device, the packet forwarded from a virtual network communication controller, to distribute the received packet to the virtual machine simulator, and to feed back to said virtual network communication controller said response message obtained from processing by the associated virtual machine shadow;
and the virtual machine simulator is configured to parse the packet from the virtual machine shadow manager to obtain the universally unique identifier (UUID) with which the packet was tagged, to simulate a virtual machine shadow for the virtual machine that sent said packet, and to forward said UUID to the relevant virtual machine shadow.
10. The virtual machine system according to claim 9, wherein said virtual network security manager further comprises:
a virtual network communication controller configured to perform the following processing: detecting a packet communicated between different virtual machines on the same physical machine; holding and copying the detected packet in shared memory; forwarding the copied packet through the physical security device to the shadow system; waiting for and receiving the response message returned from said shadow system; and, upon receiving said response message, releasing the held packet so as to complete the communication between the different virtual machines.
11. The virtual machine system according to claim 10, wherein said virtual network security manager further comprises:
a virtual network partition controller coupled to said virtual network communication controller,
wherein, if said virtual network communication controller does not receive a response message within a specified time, it notifies said virtual network partition controller, and said virtual network partition controller adjusts the virtual network so that the virtual machine that sent the packet is placed in a virtual subnet separate from the other virtual machines, such that packets sent by the virtual machine that sent the packet always pass through said physical security device and are inspected and filtered by said physical security device.
12. The virtual machine system according to claim 10, wherein said virtual network communication controller is further configured to tag the held packet with a universally unique identifier (UUID) and to forward said copied packet together with its UUID to the shadow system, and
said response message comprises the UUID.
13. The virtual machine system according to claim 9, wherein the relevant virtual machine shadow generates a packet containing only said UUID and sends it to said virtual machine shadow manager as said response message.
14. The virtual machine system according to claim 9, wherein said virtual machine simulator is further configured to obtain the IP address of the virtual machine that sent said packet, and
the relevant virtual machine shadow generates a packet comprising said UUID and said IP address and sends it to said virtual machine shadow manager as said response message.
15. The virtual machine system according to claim 9, wherein said virtual machine simulator is configured not to obtain the body content of the packet from said virtual machine shadow manager.
16. The virtual machine system according to claim 10, wherein said virtual network communication controller performs said processing on every packet communicated between the virtual machines.
17. The virtual machine system according to claim 10, wherein said virtual network communication controller extracts a portion of the packets communicated between the virtual machines and performs said processing on them.
18. The virtual machine system according to claim 9, wherein said physical security device is one or a combination of a firewall, an anti-virus device, and an IPS device.
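The gating flow of claims 1 to 5 and 9 to 12 (hold the original packet, forward a UUID-tagged copy through the physical security device to the shadow system, release the original on a matching response, drop it and re-partition the sender on a timeout), as an added simulation in Python. This is example code written for this page; it is not the patent's own implementation and not IBM's code. The `Packet`, `Response`, `ShadowSystem` and `VirtualNetworkSecurityManager` classes, the in-process thread standing in for the copy path through the device, the `device` predicate, and the rule that a quarantined sender's packets are passed to the device directly rather than through the shadow path are all assumptions made for this example.

```python
from __future__ import annotations

import queue
import threading
import uuid
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    src_vm: str
    dst_vm: str
    src_ip: str
    body: bytes


@dataclass(frozen=True)
class Response:
    uid: str                      # UUID the manager tagged the copy with (claims 6, 12, 13)
    src_ip: Optional[str] = None  # optional sender IP (claims 7, 14); never the body (claims 8, 15)


class ShadowSystem:
    """Hypothetical stand-in for the shadow system on the second physical machine:
    the shadow manager hands each forwarded copy to a simulator, which reads only
    the UUID tag (and optionally the sender IP) and routes it to that VM's shadow."""

    def __init__(self, include_ip: bool = False) -> None:
        self.include_ip = include_ip
        self.shadows: dict[str, list[str]] = {}   # one simulated shadow per sending VM

    def receive(self, uid: str, pkt: Packet) -> Response:
        # The simulated shadow for the sending VM records the UUID it was handed;
        # the packet body is never read here.
        self.shadows.setdefault(pkt.src_vm, []).append(uid)
        return Response(uid, pkt.src_ip if self.include_ip else None)


class VirtualNetworkSecurityManager:
    """Hypothetical stand-in for the host-side virtual network security manager:
    holds the original, forwards a tagged copy through the device to the shadow
    system, and releases or drops the original depending on the response."""

    def __init__(self, device: Callable[[Packet], bool], shadow: ShadowSystem,
                 timeout: float = 0.2) -> None:
        self.device = device      # physical firewall / IPS / AV: True means "pass"
        self.shadow = shadow
        self.timeout = timeout    # the "specified time" of claims 2 and 11
        self.held: dict[str, Packet] = {}        # holding area (the shared memory)
        self.responses: queue.Queue[Response] = queue.Queue()
        self.subnet: dict[str, int] = {}         # vm -> virtual subnet id (0 = default)
        self.delivered: list[Packet] = []
        self.dropped: list[Packet] = []

    def _forward_copy(self, uid: str, copy: Packet) -> None:
        # Copy path: the device inspects the copy. If it drops it, the shadow
        # system never sees it and no response comes back at all.
        if self.device(copy):
            self.responses.put(self.shadow.receive(uid, copy))

    def quarantine(self, vm: str) -> None:
        # Partition controller (claims 3, 11): move the sender into its own subnet.
        self.subnet[vm] = 1 + max(self.subnet.values(), default=0)

    def send(self, pkt: Packet) -> bool:
        """Gate one inter-VM packet; returns True if it was delivered to pkt.dst_vm."""
        if self.subnet.get(pkt.src_vm, 0) != 0:
            # Quarantined sender: its traffic always goes through the device itself.
            ok = self.device(pkt)
            (self.delivered if ok else self.dropped).append(pkt)
            return ok
        uid = str(uuid.uuid4())                  # tag the copy (claim 5)
        self.held[uid] = pkt                     # keep the original (claim 1)
        copy = Packet(pkt.src_vm, pkt.dst_vm, pkt.src_ip, pkt.body)
        threading.Thread(target=self._forward_copy, args=(uid, copy)).start()
        try:
            resp = self.responses.get(timeout=self.timeout)   # wait for response
        except queue.Empty:
            resp = None                          # timeout (claim 2)
        original = self.held.pop(uid)
        if resp is None or resp.uid != uid:
            self.dropped.append(original)        # not sent to the other VM
            self.quarantine(pkt.src_vm)
            return False
        self.delivered.append(original)          # release the held packet (claim 4)
        return True


def demo() -> dict:
    """Constructed scenario: one clean packet, one the device rejects, then a
    packet from the now-quarantined sender that goes straight through the device."""
    def device(p: Packet) -> bool:
        return b"BLOCK-ME" not in p.body         # constructed toy rule, not a real signature

    shadow = ShadowSystem(include_ip=True)
    mgr = VirtualNetworkSecurityManager(device, shadow, timeout=0.1)
    clean = Packet("vm1", "vm2", "10.0.0.1", b"GET / HTTP/1.0")
    rejected = Packet("vm3", "vm2", "10.0.0.3", b"BLOCK-ME payload")
    later = Packet("vm3", "vm2", "10.0.0.3", b"hello again")
    return {"clean": mgr.send(clean), "rejected": mgr.send(rejected),
            "later": mgr.send(later), "vm3_subnet": mgr.subnet.get("vm3", 0),
            "shadow_saw": {vm: len(u) for vm, u in shadow.shadows.items()}}
```

The point the simulation makes visible is that the manager never judges the packet itself: a copy that the physical security device drops simply produces no response, and the absence of a response within the timeout is what causes the held original to be discarded and the sender to be moved into its own subnet, after which its traffic is inspected directly.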

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200910004037 CN101800730B (en) 2009-02-09 2009-02-09 Safety enhanced virtual machine communication method and virtual machine system

Publications (2)

Publication Number Publication Date
CN101800730A CN101800730A (en) 2010-08-11
CN101800730B true CN101800730B (en) 2013-02-27

Family

ID=42596225

Country Status (1)

Country Link
CN (1) CN101800730B (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102244622B (en) * 2011-07-25 2015-03-11 北京网御星云信息技术有限公司 Virtual gateway protection method, virtual security gateway and system for server virtualization
US9304801B2 (en) * 2012-06-12 2016-04-05 TELEFONAKTIEBOLAGET L M ERICSSON (publ) Elastic enforcement layer for cloud security using SDN
CN102710669B (en) 2012-06-29 2016-03-02 杭州华三通信技术有限公司 A kind of method that firewall policy controls and device
WO2014000297A1 (en) * 2012-06-30 2014-01-03 华为技术有限公司 Virtual port monitoring method and device
CN102999357B (en) * 2012-11-16 2015-11-25 北京奇虎科技有限公司 A kind of collocation method and system of trusting machine
CN103973578B (en) * 2013-01-31 2018-06-19 新华三技术有限公司 The method and device that a kind of virtual machine traffic redirects
CN104660554A (en) * 2013-11-19 2015-05-27 北京天地超云科技有限公司 Method for implementing communication data security of virtual machines
CN104660553A (en) * 2013-11-19 2015-05-27 北京天地超云科技有限公司 Implementation method of virtual firewall
CN104660506B (en) * 2013-11-22 2018-12-25 华为技术有限公司 A kind of method, apparatus and system of data packet forwarding
CN105204977A (en) * 2014-06-30 2015-12-30 中兴通讯股份有限公司 System exception capturing method, main system, shadow system and intelligent equipment
CN105791234A (en) * 2014-12-23 2016-07-20 宇龙计算机通信科技(深圳)有限公司 Data sharing method and data sharing apparatus for terminal and terminal
CN104615934B (en) * 2015-02-03 2020-06-16 腾讯科技(深圳)有限公司 SQL injection attack safety protection method and system
CN106161522A (en) * 2015-04-02 2016-11-23 华为技术有限公司 The communication means of a kind of LA Management Room, the network equipment and distributed network
CN105072078B (en) * 2015-06-30 2019-03-26 北京奇安信科技有限公司 A kind of monitoring method and device of cloud platform virtualization flow
CN106209919A (en) * 2016-09-18 2016-12-07 深圳市深信服电子科技有限公司 A kind of network safety protection method and network security protection system
CN108804248B (en) * 2017-04-28 2021-07-06 南京壹进制信息科技有限公司 Automatic verification method for real-time protection data of volume
CN110012033B (en) * 2019-05-05 2022-03-22 深信服科技股份有限公司 Data transmission method, system and related components

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1831790A (en) * 2005-03-08 2006-09-13 微软公司 Method and system for a guest physical address virtualization in a virtual machine environment
CN101226499A (en) * 2007-01-16 2008-07-23 国际商业机器公司 Method and system for diagnosis of application program

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: IBM (CHINA) CO., LTD.

Free format text: FORMER OWNER: INTERNATIONAL BUSINESS MACHINES CORPORATION

Effective date: 20150731

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20150731

Address after: Floor 7, Building 10, Zhangjiang Innovation Park, Zhangjiang Hi-Tech Park, No. 399 Keyuan Road, Pudong New Area, Shanghai 201203

Patentee after: International Business Machines (China) Co., Ltd.

Address before: American New York

Patentee before: International Business Machines Corp.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130227

Termination date: 20190209