CN104023035A - Method for protecting flow among virtual machines in same security domain - Google Patents


Info

Publication number: CN104023035A
Authority: CN (China)
Prior art keywords: virtual machine, traffic, engine, virtual, response
Legal status: Pending
Application number: CN201410291666.7A
Other languages: Chinese (zh)
Inventor: 魏道通
Current Assignee: Inspur Electronic Information Industry Co Ltd
Original Assignee: Inspur Electronic Information Industry Co Ltd
Priority date: 2014-06-26
Filing date: 2014-06-26
Publication date: 2014-09-03
Application filed by Inspur Electronic Information Industry Co Ltd

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method for protecting traffic between virtual machines in the same security domain. The method comprises the following steps: a traffic access engine receives the traffic handed over by a traffic interception engine and guides it into a security virtual machine; a traffic analysis engine enforces access control on the traffic between virtual machines according to preset rules; a response engine passes the action decided by the traffic analysis engine to a response access engine in the virtual security protection layer; and the response access engine delivers the traffic to which the security virtual machine gave a normal response to the destination virtual machine. Compared with the prior art, the method allows the security state of traffic between virtual machines to be discovered and maintained in time, gives high data transmission security, is highly practical and is easy to deploy widely.

Description

Method for protecting traffic between virtual machines in the same security domain
Technical field
The present invention relates to the field of computer information security technology, and in particular to a practical method for protecting traffic between virtual machines in the same security domain.
Background technology
In the era of cloud computing and big data, virtualization technology is being adopted very rapidly, and server virtualization is its most widely used form. Server virtualization builds one or more physical servers into a virtualized environment in which a number of virtual systems are created; each virtual system provides one or more services externally, and the systems are isolated from one another.
Virtualization of the network boundary causes the traditional protective measures at the network boundary to fail, and the monitoring of "east-west" traffic becomes a blind spot. In a traditional network configuration the network boundary is generally defined by physical servers, network devices and network interfaces, and firewalls and intrusion detection devices can be deployed in-line or in bypass mode to capture the traffic entering and leaving the boundary and act on it according to a preset protection policy.
After virtualization, however, the boundary between systems no longer exists purely in the form of physical equipment. For example, when several servers are virtualized inside one physical server, communication between these virtual machines, and between a virtual machine and its host, completes entirely inside that server and never touches the external network; traditional boundary-protection equipment cannot capture this traffic and therefore cannot protect it. This is especially so when several virtual machines sit in the same security domain and the traffic between them is forwarded by a virtual switch.
In view of this, the present invention provides a method that uses a security virtual machine deployed in the virtualization platform to protect the traffic between virtual machines, with the aim of solving the lack of security protection for traffic passing through the virtual switch within the same security domain.
Summary of the invention
The technical task of the present invention is to overcome the deficiencies of the prior art and to provide a highly secure method for protecting traffic between virtual machines in the same security domain.
The technical scheme of the present invention is realized as follows. The method for protecting traffic between virtual machines in the same security domain involves a source virtual machine that sends traffic, a destination virtual machine that receives traffic, and a security virtual machine capable of security protection; the virtual machine referred to here is the virtual switch. The concrete protection process is:
One, deploy the security virtual machine at the virtualization layer of the virtualization platform; the security virtual machine has a built-in traffic access engine, traffic analysis engine and response engine;
Two, deploy a virtual security wrapper between the port of the security virtual machine and the virtual network adapters of the virtual machines to be protected; the virtual security wrapper comprises a traffic interception engine and a response access engine, and the virtual machines to be protected are the source virtual machine and the destination virtual machine;
Three, the source virtual machine initiates network data; the traffic interception engine of the virtual wrapper captures the traffic between the source virtual machine's virtual network adapter and the virtual switch, obtaining the source virtual machine, the destination virtual machine and the protocol information;
Four, the agent side of the virtual wrapper receives the data from the virtual machine's network adapter and forwards it to the traffic access engine of the security virtual machine;
Five, detect the virtual traffic: the traffic analysis engine inspects the traffic between virtual machines according to the predefined security rules and generates a response action;
Six, the response engine hands the action produced by the traffic analysis engine to the response access engine of the virtual security wrapper;
Seven, the response access engine delivers the traffic to which the security virtual machine gave a normal response to the destination virtual machine.
The virtual security wrapper is further provided with a virtual-machine auto-discovery engine, which checks all virtual machines on the virtualization platform and adds them to the list to be protected.
The security virtual machine uses a virtual firewall, which filters the traffic between virtual machines, cuts off and blocks traffic towards the protected virtual machines, cooperates with the virtual security wrapper, analyzes and processes the forwarded communication traffic according to the default security rules, and produces a response.
The response comprises: a normal response, which forwards and passes the traffic; and an exception response, which raises an alarm and/or discards the traffic.
The predefined security rules are stored in a policy library. The policy library is divided into two kinds of rules, global rules and individual rules for a single virtual machine, and rule fields are defined in the policy library; the rule fields comprise source virtual machine, destination virtual machine, protocol, port and action.
The beneficial effects of the present invention compared with the prior art are:
The method for protecting traffic between virtual machines in the same security domain uses traffic access control technology based on the virtual environment to realize access control between virtual machines. The virtual security wrapper guides virtual-machine traffic into the security virtual machine, where the traffic between virtual machines in the same security domain is inspected according to the security policy in the policy library, and only traffic that satisfies the security rules can reach the destination virtual machine. This guarantees the security of the traffic forwarding process; the protective capability is strong, data security is assured, and the method is practical and easy to deploy widely.
Brief description of the drawings
Figure 1 is a schematic diagram of the implementation of the present invention.
Figure 2 is a flow chart of the implementation of the present invention.
Embodiment
The method for protecting traffic between virtual machines in the same security domain according to the present invention is described in detail below with reference to the accompanying drawings.
The present invention provides a method for protecting traffic between virtual machines in the same security domain. It uses traffic access control technology based on the virtual environment to realize access control between virtual machines: the virtual security wrapper guides virtual-machine traffic into the security virtual machine, where the traffic between virtual machines in the same security domain is inspected according to the security policy in the policy library. Only traffic that satisfies the security rules can reach the destination virtual machine. Based on this design idea, and as shown in Figure 1 and Figure 2, the method involves a source virtual machine that sends traffic, a destination virtual machine that receives traffic, and a security virtual machine capable of security protection; the virtual machine referred to here is the virtual switch. The concrete protection process is:
One, deploy the security virtual machine at the virtualization layer of the virtualization platform; the security virtual machine has a built-in traffic access engine, traffic analysis engine and response engine.
The traffic access engine is responsible for the traffic access function.
The traffic analysis engine is responsible for inspecting the traffic and generating a response action.
The response engine is responsible for carrying out the action decided by the detection engine.
Two, deploy a virtual security wrapper between the port of the security virtual machine and the virtual network adapters of the virtual machines to be protected; the virtual security wrapper comprises a traffic interception engine and a response access engine, and the virtual machines to be protected are the source virtual machine and the destination virtual machine.
That is, the virtual security wrapper is deployed between the virtual switch of the virtualization platform and the virtual network adapters of the virtual machines that need protection; by traffic interception it forwards the traffic into the security virtual machine, and it receives the response passed back by the security virtual machine.
Three, virtual-machine traffic interception: the source virtual machine initiates network data; the traffic interception engine of the virtual wrapper captures the traffic between the source virtual machine's virtual network adapter and the virtual switch, obtaining the source virtual machine, the destination virtual machine and the protocol information.
Four, virtual-machine traffic access: the agent side of the virtual wrapper receives the data from the virtual machine's network adapter and forwards it to the traffic access engine of the security virtual machine.
Five, virtual-machine traffic detection: the security virtual machine receives the data forwarded by the access engine; the traffic analysis engine inspects the traffic between virtual machines according to the predefined security rules and generates a response action.
Six, virtual-machine traffic response: the response engine hands the action produced by the traffic analysis engine to the response access engine of the virtual security wrapper.
Seven, the response access engine delivers the traffic to which the security virtual machine gave a normal response to the destination virtual machine.
The virtual security wrapper is further provided with a virtual-machine auto-discovery engine, which checks all virtual machines on the virtualization platform and adds them to the list to be protected; the virtual wrapper traverses the existing list of virtual machines and automatically adds the default global security rule.
The virtual wrapper has an automatic protection function: the wrapper communicates with the virtualization layer, automatically detects newly created or cloned virtual machines, and automatically applies the global security policy, meeting the automated scaling needs of a data center.
The security virtual machine uses a virtual firewall, which filters the traffic between virtual machines, cuts off and blocks traffic towards the protected virtual machines, cooperates with the virtual security wrapper, analyzes and processes the forwarded communication traffic according to the default security rules, and produces a response.
The response comprises: a normal response, which forwards and passes the traffic; and an exception response, which raises an alarm and/or discards the traffic.
The predefined security rules are stored in a policy library. The policy library is divided into two kinds of rules, global rules and individual rules for a single virtual machine, and rule fields are defined in the policy library; the rule fields comprise source virtual machine, destination virtual machine, protocol, port and action.
The traffic protection method of the present invention deploys the virtual security wrapper at the virtualization layer to intercept the traffic between virtual machines and realize access control over it.
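As an added illustration, not code from the patent or from Inspur, the following Python models the policy library, the auto-discovery engine, the traffic analysis engine and the response access engine described in steps five to seven above. The patent fixes only the rule fields (source VM, destination VM, protocol, port, action) and the two response kinds (normal: forward; exception: alarm and/or discard); the precedence between individual and global rules, the drop-by-default for unmatched traffic, and the VM names, ports and sample flows are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "*"
# Actions named in the patent: pass (forward), alarm, discard.
ALLOW, ALERT, DROP = "allow", "alert", "drop"


@dataclass(frozen=True)
class Flow:
    """Fields the traffic interception engine extracts from a captured packet."""
    src_vm: str
    dst_vm: str
    protocol: str
    port: Optional[int]


@dataclass(frozen=True)
class Rule:
    """One policy-library entry: source VM, destination VM, protocol, port, action."""
    src_vm: str = ANY
    dst_vm: str = ANY
    protocol: str = ANY
    port: Optional[int] = None   # None matches any port (assumed convention)
    action: str = ALLOW

    def matches(self, f: Flow) -> bool:
        return (self.src_vm in (ANY, f.src_vm)
                and self.dst_vm in (ANY, f.dst_vm)
                and self.protocol in (ANY, f.protocol)
                and (self.port is None or self.port == f.port))


class PolicyLibrary:
    """Global rules plus per-VM ('individual') rules, as the patent's policy library describes."""

    def __init__(self, global_rules: List[Rule]):
        self.global_rules = list(global_rules)
        self.vm_rules: Dict[str, List[Rule]] = {}
        self.protected: List[str] = []   # the "list to be protected"

    def discover(self, vm_ids: List[str]) -> List[str]:
        """Auto-discovery engine: add every VM not yet protected; a new VM starts with
        no individual rules, so only the default global rules apply to it."""
        added = [v for v in vm_ids if v not in self.protected]
        for v in added:
            self.protected.append(v)
            self.vm_rules.setdefault(v, [])
        return added

    def add_vm_rule(self, vm_id: str, rule: Rule) -> None:
        self.vm_rules.setdefault(vm_id, []).append(rule)

    def lookup(self, f: Flow) -> str:
        # Assumed precedence (the patent does not state one): the destination VM's
        # individual rules, then the source VM's, then global rules; first match wins;
        # traffic matching no rule is dropped.
        candidates = (self.vm_rules.get(f.dst_vm, [])
                      + self.vm_rules.get(f.src_vm, [])
                      + self.global_rules)
        for r in candidates:
            if r.matches(f):
                return r.action
        return DROP


def analyze(lib: PolicyLibrary, f: Flow) -> Tuple[str, str]:
    """Traffic analysis engine: classify the flow as a normal or an exception response."""
    action = lib.lookup(f)
    return ("normal", action) if action == ALLOW else ("exception", action)


def respond(lib: PolicyLibrary, f: Flow) -> Optional[str]:
    """Response access engine: only a normal response is forwarded to the destination VM.
    Returns the destination VM id when delivered, None when alerted or dropped."""
    kind, _action = analyze(lib, f)
    return f.dst_vm if kind == "normal" else None


def build_demo_library() -> PolicyLibrary:
    """Constructed sample policy for three VMs in one security domain (hypothetical names)."""
    lib = PolicyLibrary(global_rules=[
        Rule(protocol="tcp", port=443, action=ALLOW),   # HTTPS between any two VMs
        Rule(protocol="tcp", port=22, action=ALERT),    # SSH inside the domain raises an alarm
    ])
    lib.discover(["vm-web", "vm-app", "vm-db"])
    # Individual rule: only vm-app may reach the database port on vm-db.
    lib.add_vm_rule("vm-db", Rule(src_vm="vm-app", dst_vm="vm-db", protocol="tcp", port=3306))
    return lib


if __name__ == "__main__":
    lib = build_demo_library()
    for f in [Flow("vm-app", "vm-db", "tcp", 3306),
              Flow("vm-web", "vm-db", "tcp", 3306),
              Flow("vm-web", "vm-app", "tcp", 22),
              Flow("vm-web", "vm-app", "tcp", 443)]:
        print(f, analyze(lib, f), "->", respond(lib, f))
```

The point the model makes explicit is that the wrapper delivers traffic only on a normal response: an alert still withholds the packet from the destination VM, and a flow that no rule covers is treated as an exception rather than silently passed, which is the safe default when a newly discovered VM has only the global rules.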
The above embodiment serves only to illustrate the present invention and does not limit it. Those of ordinary skill in the relevant technical field can make various changes and modifications without departing from the spirit and scope of the present invention; therefore all equivalent technical schemes also fall within the scope of the present invention, and the scope of patent protection of the present invention shall be defined by the claims.

Claims (5)

1. A method for protecting traffic between virtual machines in the same security domain, characterized in that it involves a source virtual machine that sends traffic, a destination virtual machine that receives traffic, and a security virtual machine capable of security protection, the virtual machine referred to here being the virtual switch, and in that the concrete protection process is:
One, deploy the security virtual machine at the virtualization layer of the virtualization platform; the security virtual machine has a built-in traffic access engine, traffic analysis engine and response engine;
Two, deploy a virtual security wrapper between the port of the security virtual machine and the virtual network adapters of the virtual machines to be protected; the virtual security wrapper comprises a traffic interception engine and a response access engine, and the virtual machines to be protected are the source virtual machine and the destination virtual machine;
Three, the source virtual machine initiates network data; the traffic interception engine of the virtual wrapper captures the traffic between the source virtual machine's virtual network adapter and the virtual switch, obtaining the source virtual machine, the destination virtual machine and the protocol information;
Four, the agent side of the virtual wrapper receives the data from the virtual machine's network adapter and forwards it to the traffic access engine of the security virtual machine;
Five, detect the virtual traffic: the traffic analysis engine inspects the traffic between virtual machines according to the predefined security rules and generates a response action;
Six, the response engine hands the action produced by the traffic analysis engine to the response access engine of the virtual security wrapper;
Seven, the response access engine delivers the traffic to which the security virtual machine gave a normal response to the destination virtual machine.
2. The method for protecting traffic between virtual machines in the same security domain according to claim 1, characterized in that the virtual security wrapper is further provided with a virtual-machine auto-discovery engine, which checks all virtual machines on the virtualization platform and adds them to the list to be protected.
3. The method for protecting traffic between virtual machines in the same security domain according to claim 2, characterized in that the security virtual machine uses a virtual firewall, which filters the traffic between virtual machines, cuts off and blocks traffic towards the protected virtual machines, cooperates with the virtual security wrapper, analyzes and processes the forwarded communication traffic according to the default security rules, and produces a response.
4. The method for protecting traffic between virtual machines in the same security domain according to claim 3, characterized in that the response comprises: a normal response, which forwards and passes the traffic; and an exception response, which raises an alarm and/or discards the traffic.
5. The method for protecting traffic between virtual machines in the same security domain according to claim 3, characterized in that the predefined security rules are stored in a policy library, the policy library is divided into two kinds of rules, global rules and individual rules for a single virtual machine, rule fields are defined in the policy library, and the rule fields comprise source virtual machine, destination virtual machine, protocol, port and action.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410291666.7A CN104023035A (en) 2014-06-26 2014-06-26 Method for protecting flow among virtual machines in same security domain

Publications (1)

Publication Number Publication Date
CN104023035A true CN104023035A (en) 2014-09-03

Family

ID=51439605

Country Status (1)

Country Link
CN (1) CN104023035A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100269171A1 (en) * 2009-04-20 2010-10-21 Check Point Software Technologies, Ltd. Methods for effective network-security inspection in virtualized environments
CN102244622A (en) * 2011-07-25 2011-11-16 北京网御星云信息技术有限公司 Virtual gateway protection method, virtual security gateway and system for server virtualization

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104378387A (en) * 2014-12-09 2015-02-25 浪潮电子信息产业股份有限公司 Virtual platform information security protection method
CN104994094A (en) * 2015-07-01 2015-10-21 北京奇虎科技有限公司 Virtualization platform safety protection method, device and system based on virtual switch
CN105656916A (en) * 2016-01-29 2016-06-08 浪潮(北京)电子信息产业有限公司 Cloud data center service subnet security management method and system
CN106534346A (en) * 2016-12-07 2017-03-22 北京奇虎科技有限公司 Virtual WAF-based flow control method, apparatus and system
CN106534346B (en) * 2016-12-07 2019-12-10 北京奇虎科技有限公司 Flow control method, device and system based on virtual WAF
CN109922021A (en) * 2017-12-12 2019-06-21 中国电信股份有限公司 Security protection system and safety protecting method
CN109922021B (en) * 2017-12-12 2022-03-08 中国电信股份有限公司 Safety protection system and safety protection method

Similar Documents

Publication Publication Date Title
CN104023035A (en) Method for protecting flow among virtual machines in same security domain
US9166988B1 (en) System and method for controlling virtual network including security function
US10567422B2 (en) Method, apparatus and system for processing attack behavior of cloud application in cloud computing system
CN101645873B (en) Method for realizing network isolation in environments of computer and virtual machine
CN104023034B (en) Security defensive system and defensive method based on software-defined network
CN104301321B (en) A kind of method and system for realizing distributed network security protection
CN104378387A (en) Virtual platform information security protection method
CN103051605B (en) A kind of data package processing method, device and system
RU2009111225A (en) MANAGING THE CONDITION OF DISTRIBUTED HARDWARE IN VIRTUAL MACHINES
US20140317737A1 (en) Hypervisor-based intrusion prevention platform and virtual network intrusion prevention system
CN103685608B (en) A kind of method and device for automatically configuring secure virtual machine IP address
CN104717212B (en) Protection method and system for cloud virtual network security
CA3021285C (en) Methods and systems for network security
EP3380901A1 (en) Systems and methods for identifying compromised devices within industrial control systems
CN104735071A (en) Network access control implementation method between virtual machines
CN106778275A (en) Based on safety protecting method and system and physical host under virtualized environment
CN109379347A (en) A kind of safety protecting method and equipment
CN104506548B (en) A kind of data packet redirection device, secure virtual machine guard method and system
CN104468504A (en) Monitoring method and system for virtualized network dynamic information security
CN106899553A (en) A kind of industrial control system safety protecting method based on private clound
CN113132318A (en) Active defense method and system for information safety of power distribution automation system master station
CN103258160A (en) Method for monitoring cloud security under virtualization environment
RU2557476C2 (en) Robust and secure hardware-computer system in cloud computing environment
CN102523209A (en) Dynamic adjustment method and device of safety inspection virtual machines
KR101752880B1 (en) Advanced Persistent Threat attack tolerance system and method using cloud computing virtualization

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140903