CN103763310B - Firewall service system and method based on virtual network - Google Patents


Info

Publication number
CN103763310B
Authority
CN
China
Prior art keywords
firewall
user
network
fire wall
security policy
Prior art date
Legal status
Active
Application number
CN201310751713.7A
Other languages
Chinese (zh)
Other versions
CN103763310A (en)
Inventor
张翔
王军林
唐明
徐博
成书晟
Current Assignee
Shuguang Cloud Computing Group Co ltd
Original Assignee
SHUGUANG CLOUD COMPUTING TECHNOLOGY Co Ltd
Priority date
2013-12-31
Filing date
2013-12-31
Publication date
2017-04-12
Application filed by SHUGUANG CLOUD COMPUTING TECHNOLOGY Co Ltd
Priority to CN201310751713.7A
Publication of CN103763310A
Application granted
Publication of CN103763310B


Abstract

The invention provides a firewall service system based on a virtual network. The firewall service system comprises a distributed firewall manager and firewall service nodes, wherein the distributed firewall manager is used for obtaining the information of all virtual machine network interfaces in a user network according to the network identity of the user, determining the corresponding firewall service nodes according to the virtual machine network interface information, and distributing the firewall configuration information and/or firewall security policies of the user to the corresponding firewall service nodes; the firewall service nodes are configured on OVS switches and are used for managing the data flow passing through the OVS switch according to the received firewall configuration information and/or firewall security policies of the user. The invention further provides a method for realizing a virtual network firewall. By means of the firewall service system and the method, the deployment and distributed management of the firewall service nodes establish a distributed virtual network firewall.

Description

Firewall service system and method based on virtual network
Technical field
The present invention relates to the field of computer technology, and more particularly to a firewall service system based on a virtual network and a method for realizing a virtual network firewall.
Background technology
Traditional network firewalls are typically deployed at the network boundary, on a link where all traffic entering the network can be monitored. Packets sent to the internal network are filtered and, by reference to the configured firewall security policy, each packet is either forwarded or discarded.
In a virtualized network environment, the physical network resources are shared by all virtual network users, but from the point of view of each user the network is exclusive and isolated from the networks of other users. Each user or business network may have different network security requirements depending on the characteristics of its own network, and therefore different requirements for firewall deployment and security policy. Because a virtual network can grow and shrink, the user's network boundary is indeterminate from the perspective of the physical network, so a firewall cannot be deployed in the conventional way to provide firewall services for each user. Traditional firewall technology therefore has difficulty meeting the security requirements of virtual network users.
No effective solution to this problem in the related art has yet been proposed.
The content of the invention
To address this problem in the related art, the present invention proposes a firewall service system based on a virtual network and a method for realizing a virtual network firewall, which use the deployment and distributed management of firewall service nodes to construct a distributed virtual firewall.
To achieve the above object, in one aspect the invention provides a firewall service system based on a virtual network, comprising: a distributed firewall manager, for obtaining the information of all virtual machine network interfaces in a user's network according to the user's network identity, determining the corresponding firewall service nodes according to the virtual machine network interface information, and distributing the user's firewall configuration information and/or firewall security policy to the corresponding firewall service nodes; and firewall service nodes, configured on OVS switches based on the open virtual switch (Open vSwitch, OVS) standard, for managing the data flow passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user.
According to the invention, the firewall service system also includes a virtual firewall module, for setting the user's network identity and the corresponding firewall configuration information and/or firewall security policy through a firewall operation interface, and for sending the user's network identity together with the corresponding firewall configuration information and/or firewall security policy to the distributed firewall manager.
According to the invention, the virtual firewall module is also used, when the user's firewall configuration information and/or firewall security policy changes, to send the changed firewall configuration information and/or firewall security policy together with the user's network identity to the distributed firewall manager.
According to the invention, the virtual machine network interface information includes the position, in the management network, of the OVS switch to which the virtual machine network interface is connected, and the port number of the virtual machine network interface on that OVS switch.
According to the invention, the firewall service node includes a policy module, for converting the firewall security policy issued by the distributed firewall manager into a data flow control policy.
According to the invention, the firewall service node also includes a control module, for monitoring the control information sent by the distributed firewall manager, so as to perform control operations on the service node or configuration operations on the policy module.
In another aspect, the invention also provides a method for realizing a virtual network firewall, comprising: the distributed firewall manager obtains the information of all virtual machine network interfaces in the user's network according to the user's network identity; the distributed firewall manager determines the corresponding firewall service nodes according to the virtual machine network interface information; the distributed firewall manager distributes the user's firewall configuration information and/or firewall security policy to the corresponding firewall service nodes, wherein the firewall service nodes are configured on OVS switches based on the open virtual switch standard OVS; and the firewall service node manages the data flow passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user.
According to the invention, the method also includes: a virtual firewall module sets the user's network identity and the corresponding firewall configuration information and/or firewall security policy through a firewall operation interface, and sends the user's network identity together with the corresponding firewall configuration information and/or firewall security policy to the distributed firewall manager.
According to the invention, managing the data flow passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user includes: converting the user's firewall security policy into a data flow control policy, and managing the data flow passing through the OVS switch according to that data flow control policy.
Compared with the prior art, the beneficial effects of the present invention are:
By deploying firewall service nodes on the physical machines and managing those service nodes in a distributed manner, the invention constructs a distributed virtual firewall and provides each user with a logically independent virtual firewall device.
In addition, the invention achieves independence of security policy and user information, so that one user's security policy does not interfere with the networks of other users. The invention thus solves the problem that a traditional firewall device cannot meet the differing security requirements of users in a virtual network.
Description of the drawings
Fig. 1 is a structural schematic block diagram of the firewall service system based on a virtual network according to an embodiment of the invention;
Fig. 2 is a schematic diagram of the method for realizing a virtual network firewall according to an embodiment of the invention;
Fig. 3 is a schematic diagram of the method for realizing a virtual network firewall according to a further embodiment of the invention;
Fig. 4 is a schematic diagram of the method for realizing a virtual network firewall according to another embodiment of the invention.
Detailed description of embodiments
The present invention is further described below with reference to the accompanying drawings.
As shown in Fig. 1, the firewall service system based on a virtual network of the present invention includes a distributed firewall manager 10 and firewall service nodes 20.
Specifically, the distributed firewall manager 10 is used to obtain the information of all virtual machine network interfaces in the user's network according to the user's network identity; it can also determine the corresponding firewall service node 20 according to the virtual machine network interface information; and it distributes the user's firewall configuration information and/or firewall security policy to the corresponding firewall service node 20.
Further, the firewall service node 20 can be configured on an OVS switch based on the open virtual switch standard OVS, and manages the data flow passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user described above.
In an alternative embodiment of the invention, the firewall service system can also include a virtual firewall module. The virtual firewall module can be used to set the user's network identity and the corresponding firewall configuration information and/or firewall security policy through a firewall operation interface; it can also send the user's network identity and the corresponding firewall configuration information and/or firewall security policy to the distributed firewall manager 10.
Further, in a preferred embodiment of the invention, the virtual firewall module can also be used, when the user's firewall configuration information and/or firewall security policy changes, to send the changed firewall configuration information and/or firewall security policy together with the user's network identity to the distributed firewall manager 10.
In another preferred embodiment of the invention, the virtual machine network interface information can include the position, in the management network, of the OVS switch to which the virtual machine network interface is connected, and the port number of the virtual machine network interface on that OVS switch.
Further, in an alternative embodiment of the invention, the firewall service node 20 can include a policy module and a control module.
Specifically, the policy module can be used to convert the firewall security policy issued by the distributed firewall manager 10 into a data flow control policy; and the control module can be used to monitor the control information sent by the distributed firewall manager 10, so as to perform control operations on the service node or configuration operations on the policy module.
In another aspect, as shown in Fig. 2, the invention also provides a method for realizing a virtual network firewall, including:
S101, the distributed firewall manager 10 obtains the information of all virtual machine network interfaces in the user's network according to the user's network identity;
S102, the distributed firewall manager 10 determines the corresponding firewall service node 20 according to the virtual machine network interface information;
S103, the distributed firewall manager 10 distributes the user's firewall configuration information and/or firewall security policy to the corresponding firewall service node 20, wherein the firewall service node 20 is configured on an OVS switch based on the open virtual switch standard OVS;
S104, the firewall service node 20 manages the data flow passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user.
Preferably, as shown in Fig. 3, in one embodiment of the method for realizing a virtual network firewall of the present invention, the method may also include:
S201, the virtual firewall module sets the user's network identity and the corresponding firewall configuration information and/or firewall security policy through a firewall operation interface; and
S202, the user's network identity and the corresponding firewall configuration information and/or firewall security policy are sent to the distributed firewall manager 10.
Additionally, as shown in Fig. 4, in another preferred embodiment of the method of the invention, the step of managing the data flow passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user may include:
S301, converting the user's firewall security policy into a data flow control policy; and
S302, managing the data flow passing through the OVS switch according to the data flow control policy.
Specifically, in the present invention, the firewall service node is a service module built on top of OVS. First, the original Linux Bridge module on the host is replaced by OVS, and OVS provides layer-2 network access for the virtual machines running on the host. OVS forwards packets destined for the virtual machines at high speed, and the basis for forwarding is the flow table. The so-called flow table is a high-level abstraction of the forwarding rules of an OpenFlow switch; a flow table entry consists of header fields, counters and actions. The header fields describe the matching policy for a packet and include the port on which the packet arrived, the source MAC address, the destination MAC address, the source IP address, the destination IP address, the IP protocol, the TCP/UDP source port and the TCP/UDP destination port.
Specifically, the flow table contents can be set freely according to demand, and in this way provide the switch with a forwarding policy for packets. The firewall service node 20 consists mainly of two parts. The first is the policy module, which stores the firewall security policy issued by the distributed manager, converts the security policy into an OVS data flow control policy, and stores that policy in the OVS flow table. The other part is the node control module, which runs a web service that exposes the control interface of the service node using the REST (Representational State Transfer) standard, listens for the commands sent by the distributed manager, and performs control operations on the service node and configuration operations on the firewall policy.
As for the distributed firewall manager, this module abstracts a logically independent firewall service for each virtual network. When a user configures their own firewall service, the configuration information is sent to the distributed manager together with the user's network identity. According to the user's network identity, the distributed manager obtains from the network management system the information of all virtual machine network interfaces in the user's network, including the position, in the management network, of the OVS switch to which each virtual machine network interface is connected, and the port number of the interface on that OVS switch. The distributed manager then distributes the user's firewall configuration information to the corresponding firewall service node 20 according to this information, and the corresponding firewall service node 20 processes the firewall policy.
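The distribution and policy conversion described above, as an added example (not the patent's own code): a Python model in which the manager resolves a constructed inventory of VM interfaces per network identity and each node's policy module emits OVS flow entries in ovs-ofctl add-flow syntax, scoped to the tenant's own ports so one user's policy cannot touch another user's traffic. The rule schema, the inventory, and the bridge name br-int are assumptions.

```python
"""Added model of the two roles the patent describes: the distributed firewall manager,
which resolves a user's network identity to that user's VM network interfaces (OVS host
in the management network plus port number) and groups them per firewall service node,
and the node's policy module, which converts the user's firewall security policy into
OVS flow-table entries written in ovs-ofctl add-flow syntax."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VmNic:
    """Virtual machine network interface information as the patent defines it."""
    mac: str
    host: str      # OVS switch / firewall service node in the management network
    ofport: int    # port number of the interface on that OVS switch


@dataclass(frozen=True)
class Rule:
    """One entry of a user's firewall security policy (constructed schema, not the patent's)."""
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "ip"
    src: str                    # source address or CIDR
    dst: str                    # destination address or CIDR
    dst_port: Optional[int] = None
    priority: int = 100


# Constructed sample of what the network management system would return:
# network identity -> interfaces of that user's VMs. Two tenants share host1.
INVENTORY: Dict[str, List[VmNic]] = {
    "net-tenant-a": [VmNic("52:54:00:00:00:01", "host1", 3),
                     VmNic("52:54:00:00:00:02", "host2", 7)],
    "net-tenant-b": [VmNic("52:54:00:00:00:03", "host1", 4)],
}

_PROTOS = ("tcp", "udp", "icmp", "ip")


def rule_to_flow(rule: Rule, nic: VmNic) -> str:
    """Policy module: convert one security-policy rule into one OVS flow entry for one
    interface. Matching on in_port and dl_src pins the rule to the tenant's own port, so
    the policy can never match traffic of another user sharing the same OVS switch."""
    if rule.action not in ("allow", "deny"):
        raise ValueError(f"unknown action {rule.action!r}")
    if rule.proto not in _PROTOS:
        raise ValueError(f"unsupported protocol {rule.proto!r}")
    if rule.dst_port is not None and rule.proto not in ("tcp", "udp"):
        raise ValueError("a port match needs tcp or udp")
    src, dst = ip_network(rule.src, strict=False), ip_network(rule.dst, strict=False)
    match = [f"priority={rule.priority}", f"in_port={nic.ofport}", f"dl_src={nic.mac}", rule.proto]
    if src.prefixlen:                      # 0.0.0.0/0 means "any": omit the match field
        match.append(f"nw_src={src}")
    if dst.prefixlen:
        match.append(f"nw_dst={dst}")
    if rule.dst_port is not None:
        match.append(f"tp_dst={rule.dst_port}")
    action = "normal" if rule.action == "allow" else "drop"
    return ",".join(match) + f",actions={action}"


def compile_policy(rules: List[Rule], nic: VmNic) -> List[str]:
    """Flow entries for one interface: the user's rules plus a lowest-priority default
    drop scoped to that port, so traffic the policy does not allow is discarded."""
    flows = [rule_to_flow(r, nic) for r in rules]
    flows.append(f"priority=1,in_port={nic.ofport},ip,actions=drop")
    return flows


def distribute(network_id: str, rules: List[Rule]) -> Dict[str, List[str]]:
    """Distributed firewall manager: resolve the network identity to VM interfaces, pick
    the firewall service node per OVS host, and hand each node only the flows for the
    ports it owns. Re-running this after a policy change re-issues the whole set."""
    per_node: Dict[str, List[str]] = {}
    for nic in INVENTORY.get(network_id, []):
        per_node.setdefault(nic.host, []).extend(compile_policy(rules, nic))
    return per_node


def render_commands(per_node: Dict[str, List[str]], bridge: str = "br-int") -> Dict[str, List[str]]:
    """What each service node would run on its OVS bridge (the bridge name is an assumption)."""
    return {host: [f"ovs-ofctl add-flow {bridge} '{f}'" for f in flows]
            for host, flows in per_node.items()}


if __name__ == "__main__":
    policy = [Rule("allow", "tcp", "10.0.0.0/24", "10.0.1.5", dst_port=22),
              Rule("deny", "icmp", "0.0.0.0/0", "0.0.0.0/0")]
    for host, cmds in render_commands(distribute("net-tenant-a", policy)).items():
        print(f"# service node {host}")
        print("\n".join(cmds))
```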
In summary, by deploying firewall service nodes 20 on the physical machines and managing those service nodes in a distributed manner, the invention constructs a distributed virtual firewall and provides each user with a logically independent virtual firewall device.
In addition, the invention achieves independence of security policy and user information, so that one user's security policy does not interfere with the networks of other users. The invention thus solves the problem that a traditional firewall device cannot meet the differing security requirements of users in a virtual network.
The foregoing is only the preferred embodiments of the present invention and is not intended to limit the invention; any modification, equivalent substitution, improvement and the like made within the spirit and principle of the invention shall be included within the scope of protection of the invention.

Claims (7)

1. A firewall service system based on a virtual network, comprising:
a distributed firewall manager, for obtaining the information of all virtual machine network interfaces in a user's network according to the user's network identity; determining the corresponding firewall service nodes according to the virtual machine network interface information; and distributing the user's firewall configuration information and/or firewall security policy to the corresponding firewall service nodes;
firewall service nodes, configured on OVS switches based on the open virtual switch standard OVS, for managing the data flow passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user;
wherein the firewall service system also includes a virtual firewall module, for setting the user's network identity and the corresponding firewall configuration information and/or firewall security policy through a firewall operation interface; and
for sending the user's network identity and the corresponding firewall configuration information and/or firewall security policy to the distributed firewall manager.
2. The firewall service system according to claim 1, characterised in that the virtual firewall module is also used, when the user's firewall configuration information and/or firewall security policy changes, to send the changed firewall configuration information and/or firewall security policy together with the user's network identity to the distributed firewall manager.
3. The firewall service system according to claim 1, characterised in that the virtual machine network interface information includes the position, in the management network, of the OVS switch to which the virtual machine network interface is connected, and the port number of the virtual machine network interface on that OVS switch.
4. The firewall service system according to claim 1, characterised in that the firewall service node includes: a policy module, for converting the firewall security policy issued by the distributed firewall manager into a data flow control policy.
5. The firewall service system according to claim 4, characterised in that the firewall service node also includes: a control module, for monitoring the control information sent by the distributed firewall manager, so as to perform control operations on the service node or configuration operations on the policy module.
6. A method for realizing a virtual network firewall, comprising:
a distributed firewall manager obtains the information of all virtual machine network interfaces in a user's network according to the user's network identity;
the distributed firewall manager determines the corresponding firewall service nodes according to the virtual machine network interface information;
the distributed firewall manager distributes the user's firewall configuration information and/or firewall security policy to the corresponding firewall service nodes, wherein the firewall service nodes are configured on OVS switches based on the open virtual switch standard OVS;
the firewall service node manages the data flow passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user;
the user's network identity and the corresponding firewall configuration information and/or firewall security policy are set through a firewall operation interface; and
the user's network identity and the corresponding firewall configuration information and/or firewall security policy are sent to the distributed firewall manager.
7. The method according to claim 6, characterised in that managing the data flow passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user includes:
converting the user's firewall security policy into a data flow control policy; and
managing the data flow passing through the OVS switch according to the data flow control policy.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310751713.7A CN103763310B (en) 2013-12-31 2013-12-31 Firewall service system and method based on virtual network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310751713.7A CN103763310B (en) 2013-12-31 2013-12-31 Firewall service system and method based on virtual network

Publications (2)

Publication Number Publication Date
CN103763310A CN103763310A (en) 2014-04-30
CN103763310B true CN103763310B (en) 2017-04-12

Family

ID=50530470

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310751713.7A Active CN103763310B (en) 2013-12-31 2013-12-31 Firewall service system and method based on virtual network

Country Status (1)

Country Link
CN (1) CN103763310B (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105100026B (en) * 2014-05-22 2018-07-20 新华三技术有限公司 A kind of safe retransmission method of message and device
CN105141571A (en) * 2014-06-09 2015-12-09 中兴通讯股份有限公司 Distributed virtual firewall device and method
EP3761592B8 (en) * 2015-04-07 2023-09-13 Umbra Technologies Ltd. System and method for virtual interfaces and advanced smart routing in a global virtual network
CN104869016B (en) * 2015-04-28 2018-12-25 新华三技术有限公司 A kind of transmission method and equipment of data message
CN104954186B (en) * 2015-06-19 2018-01-30 云南电网有限责任公司信息中心 A kind of application oriented SDN policy control method
CN104994094B (en) * 2015-07-01 2016-11-30 北京奇虎科技有限公司 Virtual platform safety protecting method based on virtual switch, device and system
CN105530259B (en) * 2015-12-22 2019-01-18 华为技术有限公司 Message filtering method and equipment
CN106027569A (en) * 2016-07-19 2016-10-12 浪潮电子信息产业股份有限公司 Firewall management methods, master node, slave node, and cluster
CN107920022B (en) * 2017-12-26 2021-08-24 北京天融信网络安全技术有限公司 Virtual machine safety communication system and virtual machine safety communication method
CN108108210A (en) * 2018-01-11 2018-06-01 上海有云信息技术有限公司 Management method, device, server and the storage medium of safety product
US10999251B2 (en) 2018-09-28 2021-05-04 Juniper Networks, Inc. Intent-based policy generation for virtual networks
US11159487B2 (en) * 2019-02-26 2021-10-26 Juniper Networks, Inc. Automatic configuration of perimeter firewalls based on security group information of SDN virtual firewalls
CN111711536B (en) * 2020-06-05 2023-06-06 北京计算机技术及应用研究所 Firewall test environment construction method under cloud architecture
CN112491789B (en) * 2020-10-20 2022-12-27 苏州浪潮智能科技有限公司 OpenStack framework-based virtual firewall construction method and storage medium
CN112511495A (en) * 2020-11-05 2021-03-16 方一信息科技(上海)有限公司 Distributed firewall-oriented network system and interface card data flow acceleration processing method
CN113765912A (en) * 2021-09-02 2021-12-07 迈迪信息技术有限公司 Distributed firewall device and detection method thereof
US11870642B2 (en) 2021-10-04 2024-01-09 Juniper Networks, Inc. Network policy generation for continuous deployment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101212453A (en) * 2006-12-29 2008-07-02 凹凸科技(中国)有限公司 Network access control method and firewall device
CN101409714A (en) * 2008-11-18 2009-04-15 华南理工大学 Firewall system based on virtual machine
CN101958903A (en) * 2010-10-09 2011-01-26 南京博同科技有限公司 Method for realizing high-performance firewall based on SOC and parallel virtual firewall


Also Published As

Publication number Publication date
CN103763310A (en) 2014-04-30


Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder
Address after: 100193 Beijing, Haidian District, northeast Wang West Road, building 8, building 36, floor 5
Patentee after: Shuguang Cloud Computing Group Co.,Ltd.
Address before: 100193 Beijing, Haidian District, northeast Wang West Road, building 8, building 36, floor 5
Patentee before: DAWNING CLOUD COMPUTING TECHNOLOGY Co.,Ltd.
CP03 Change of name, title or address
Address after: 100193 5 floor, 36 building, No. 8 Northeast Road, Haidian District, Beijing.
Patentee after: Shuguang Cloud Computing Group Co.,Ltd.
Country or region after: China
Address before: 100193 5 floor, 36 building, No. 8 Northeast Road, Haidian District, Beijing.
Patentee before: Shuguang Cloud Computing Group Co.,Ltd.
Country or region before: China