CN104468568A - Virtual machine security isolation method - Google Patents


Info

Publication number
CN104468568A
Application number
CN201410737305.0A
Authority
CN (China)
Prior art keywords
virtual machine, subnet, user, cluster, address
Legal status
Pending (as listed by Google Patents; the Legal Events section below records RJ01, rejection of the invention patent application after publication)
Other languages
Chinese (zh)
Inventors
张瑜科, 杨松, 莫展鹏, 季统凯
Current assignee
G Cloud Technology Co Ltd
Original assignee
G Cloud Technology Co Ltd
Priority date
2014-12-05
Filing date
2014-12-05
Publication date
2015-03-25

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 12/00 Data switching networks > H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L 12/46 Interconnection of networks > H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols > H04L 67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of cloud computing, and in particular to a virtual machine security isolation method. The method comprises: dividing the whole platform into one or more clusters and allocating a large subnet to each cluster; establishing a set of default firewall rules on each host so that, by default, communication with other subnets is isolated; when a user submits a request to the cloud platform to create a virtual machine, automatically assigning the user to a cluster, creating a subnet for the user under the large subnet of that cluster, and adding the virtual machine's virtual network interface to the default firewall rules to enforce the isolation constraint; when the user creates a further virtual machine, setting its IP address in the same subnet of the same cluster as the user's other virtual machine and likewise adding its virtual network interface to the default firewall rules; and finally binding the MAC address to the IP address. The method prevents virtual machines from attacking one another and can be used for the security isolation of virtual machines.

Description

Virtual machine security isolation method
Technical field
The present invention relates to the field of cloud computing technology, and in particular to a virtual machine security isolation method.
Background technology
Virtual machines controlled by different users run inside a cloud platform, and the platform usually has little control over what happens inside a virtual machine. In a public cloud in particular, users run different workloads in their virtual machines, so security isolation measures must be taken between the virtual machines of different users to prevent them from attacking one another inside the platform and to guarantee the platform's network security and the normal operation of user services. Access between hosts belonging to different users is usually isolated with VLANs, and isolation between virtual machines generally builds on the same approach, in the following steps:
1. The internal network address space is first divided into multiple VLANs;
2. Different VLANs are assigned to different users;
3. After a user creates a virtual machine, the virtual machine's IP address is allocated from the corresponding VLAN;
4. Mutual isolation between the VLANs then provides mutual isolation between the users' virtual machines.
This approach has the following drawbacks:
1. Every user gets a VLAN of the same size. If a user creates few or no virtual machines, internal IP addresses are wasted; if a user creates many, the addresses of one VLAN may not be enough, which limits the number of virtual machines the user can create.
2. IP address usage cannot be supervised, so IP address conflicts are easy to cause. A user can set an IP address manually inside the virtual machine, and when the address set differs from the one originally allocated there are two cases. In the first, the new address still belongs to the same VLAN; the platform cannot detect that it is in use, and a conflict results when the platform allocates that address again. In the second, the new address does not belong to the VLAN; the virtual machine's network connection is then invalid and it cannot communicate at all.
Summary of the invention
The technical problem solved by the present invention is to provide a virtual machine security isolation method whose subnets can be managed and monitored, and which solves the related problems of virtual machines attacking one another and of chaotic network management.
The technical solution by which the present invention solves the above technical problem is as follows:
The method comprises the following steps:
Step 1: logically divide the host physical machines of the cloud platform, according to demand, so that one or more hosts form a cluster and the whole platform is divided into one or more clusters, and allocate a large subnet to each cluster;
Step 2: establish a set of default firewall rules on every host that, by default, isolates communication with other subnets;
Step 3: when a user submits a request to the cloud platform to create a virtual machine, the platform automatically assigns the user to a cluster and creates a subnet for the user under the large subnet of that cluster; at the same time, the virtual machine's virtual network interface is placed under the default firewall rules to enforce the isolation constraint;
Step 4: when the same user creates a further virtual machine, its IP address is set in the same subnet of the same cluster, and its virtual network interface is likewise placed under the default firewall rules;
Step 5: when the existing subnet's resources are exhausted and a virtual machine is created again, the cloud platform allocates a new subnet to the user and, based on the old firewall rules, creates a new set of firewall rules that allow the old subnet and the new subnet to communicate;
Step 6: prevent the user from modifying the IP address by creating a binding between the virtual machine's MAC address and its IP address.
In step 2, "isolated from other subnets by default" means that different subnets are not in the same collision domain and cannot communicate with each other.
When a user creates a virtual machine, the platform automatically selects an IP address from the user's subnet for the virtual machine and configures the virtual machine to obtain its IP address automatically.
If the user sets a different IP address inside the virtual machine, that IP address cannot communicate, which guarantees that the change has no effect on the network.
The beneficial effects of the present invention are as follows:
1. With the method of the present invention a subnet is created only when the user creates a virtual machine, and its range can be adjusted by modifying the mask, so the cloud platform can adjust it at any time according to the number of virtual machines the user creates, which avoids wasting internal IP addresses.
2. Combined with the binding of MAC address to IP address, the method avoids the network confusion that follows a user modifying the IP address: even if the user succeeds in setting another IP address, its communication is blocked, which prevents IP address conflicts.
Brief description of the drawings
The present invention is further described below with reference to the drawings:
Fig. 1 is the flow chart of the present invention;
Fig. 2 is the model architecture diagram of the present invention.
Embodiments
With reference to Figs. 1 and 2, the specific implementation of the present invention is as follows:
1. Hosts are divided into clusters, and each cluster is allocated a large subnet.
For example, cluster A is allocated the large subnet 10.0.0.0/16. A cloud platform usually allocates the large subnet to a cluster through its configuration file:
VNET_SUBNET=10.0.0.0
VNET_NETMASK=255.255.0.0
2. The platform allocates a subnet under the large subnet to the user; different subnets are isolated by default.
The number of small subnets under the large subnet is set by configuration, as follows:
SUBNET_SIZES=255
If the large subnet allocated to the cluster is 10.0.0.0/16 and the number of small subnets is 255, the subnet allocated to a given user might be 10.99.0.0/16. (As printed, this example is internally inconsistent: 10.99.0.0/16 is not contained in 10.0.0.0/16, and splitting a /16 into 255 subnets yields /24 networks such as 10.0.99.0/24. The commands that follow keep the 10.99.0.0/16 addresses of the original.)
The following commands are executed on the cluster node:
# brctl addbr br99
# ip link add link eth1 vlan99 type vlan id 99
# ip link set vlan99 up
# brctl addif br99 vlan99
# ip addr add 10.99.0.1/32 dev br99
These create the bridge br99, attach VLAN 99 of eth1 to it, and give the bridge the address 10.99.0.1, which is the address dnsmasq listens on in step 3 below.
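Worked example of the subnet carving and allocation of steps 1, 2 and 5, added here as an illustration; it is not code from the patent or from G Cloud. It uses Python's standard ipaddress module, takes the page's 10.0.0.0/16 large subnet and SUBNET_SIZES=255, and derives the small-subnet mask from the configured count, which is what "adjusting the subnet range by modifying the mask" amounts to. The function and class names, the reservation of the first host address for the bridge, and the values used in the demonstration are assumptions of this example.

```python
"""Per-user subnet allocation under a cluster's large subnet (steps 1, 2 and 5).

Added example; not code from the patent or from G Cloud.  Only the large
subnet 10.0.0.0/16 and SUBNET_SIZES=255 are taken from the page; the names
and the demonstration values below are assumptions of this illustration.
"""
import ipaddress
import math


def carve_subnets(large_cidr, count):
    """Split the cluster's large subnet into at least `count` equal subnets.

    The small-subnet mask is derived from the configured count: 255 subnets
    under a /16 need 8 more prefix bits, so each user subnet becomes a /24.
    """
    if count < 1:
        raise ValueError("count must be at least 1")
    large = ipaddress.ip_network(large_cidr)
    extra_bits = math.ceil(math.log2(count))
    return list(large.subnets(prefixlen_diff=extra_bits))


class SubnetAllocator:
    """Hands out user subnets and VM addresses from one cluster.

    A user gets a subnet on the first VM (step 3); later VMs land in the same
    subnet (step 4); only when it is exhausted is a second subnet added
    (step 5).  The first host address of every subnet is reserved for the
    bridge, as 10.99.0.1 is on the page (an assumption of this example).
    """

    def __init__(self, large_cidr, count):
        self.free = carve_subnets(large_cidr, count)
        self.user_subnets = {}   # user -> [ip_network, ...] in allocation order
        self.assigned = {}       # user -> set of ip_address already handed out

    def _new_subnet(self, user):
        if not self.free:
            raise RuntimeError("large subnet of the cluster is exhausted")
        net = self.free.pop(0)
        self.user_subnets.setdefault(user, []).append(net)
        return net

    def subnets_of(self, user):
        """CIDR strings of the user's subnets, in allocation order."""
        return [str(n) for n in self.user_subnets.get(user, [])]

    def allocate_ip(self, user):
        """Return (ip, grew).  grew is True when a new subnet had to be added,
        which is the caller's cue to extend the user's firewall rules so the
        old and new subnets may reach each other (step 5)."""
        grew = False
        if user not in self.user_subnets:
            self._new_subnet(user)
        used = self.assigned.setdefault(user, set())
        while True:
            for net in self.user_subnets[user]:
                for ip in list(net.hosts())[1:]:     # skip the bridge address
                    if ip not in used:
                        used.add(ip)
                        return str(ip), grew
            self._new_subnet(user)
            grew = True


if __name__ == "__main__":
    nets = carve_subnets("10.0.0.0/16", 255)
    print(len(nets), "subnets; index 99 is", nets[99])
    # A tiny cluster so that exhaustion is reachable: a /28 split in two gives
    # /29 subnets with five assignable addresses each after the bridge address.
    alloc = SubnetAllocator("10.0.0.0/28", 2)
    for _ in range(6):
        ip, grew = alloc.allocate_ip("alice")
        print(ip, "(new subnet added)" if grew else "")
    print(alloc.subnets_of("alice"))
```

Run as a script it prints the /24 carved for index 99 and the point at which a user overflows into a second subnet; allocate_ip returns grew=True exactly once at that point, so the provisioning code knows to add the cross-subnet ACCEPT rule of step 5 for that user.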
After the virtual machine is created, the default firewall rules are loaded for it; here they are iptables rules:
Chain i-5B9B3BCF_out (1 references)
num  target  prot  opt  source             destination
1    ACCEPT  all   --   0.0.0.0/0          0.0.0.0/0

Chain i-5B9B3BCF_in (1 references)
num  target  prot  opt  source             destination
1    ACCEPT  all   --   10.251.255.176/28  0.0.0.0/0
2    ACCEPT  tcp   --   0.0.0.0/0          0.0.0.0/0    tcp spt:22
3    ACCEPT  tcp   --   0.0.0.0/0          0.0.0.0/0    tcp dpt:22
4    DROP    all   --   0.0.0.0/0          0.0.0.0/0
The _in chain accepts traffic from the user's own subnet (10.251.255.176/28 in this listing; the listing does not use the 10.99.0.0/16 addresses of steps 2 and 3), TCP with source port 22 and TCP to destination port 22, and drops everything else; the _out chain accepts everything.
3. When the same user creates a further virtual machine, its IP address is set in the same subnet of the same cluster. IP addresses are assigned with dnsmasq, configured as follows; the command is executed on the host:
# /usr/sbin/dnsmasq --strict-order --bind-interfaces --conf-file= \
    --domain=local --pid-file=/var/run/setip11.pid \
    --listen-address=10.99.0.1 --interface=br99 --except-interface=lo \
    --dhcp-range=10.99.0.1,static,120s --dhcp-lease-max=256 \
    --dhcp-option=3,10.99.0.1 --dhcp-option=6,8.8.8.8 \
    --dhcp-hostsfile=/etc/network.conf \
    --dhcp-script=/usr/share/gTunnel/update2db.py --leasefile-ro
(Two details of the printed command are normalised here: the interface is given as eucabr11 in the original but must be the bridge created in step 2, br99, and --dhcp-option=10.99.0.1 is not valid dnsmasq syntax, so option 3, the router option, with the bridge address is taken as the intent; --dhcp-hostsgile is a typo for --dhcp-hostsfile.) With --dhcp-range=...,static dnsmasq hands out only the leases listed in the hosts file, and the --dhcp-script hook runs update2db.py on every lease event.
The subnet IP of the virtual machine is configured in /etc/network.conf, for example:
# cat /etc/network.conf
52:54:0:25:8c:16,tesr.rt,10.99.3.44
Each line is a dnsmasq static lease in the form MAC,hostname,IP: the virtual machine with MAC address 52:54:0:25:8c:16 always receives 10.99.3.44.
4. When the existing subnet's resources are exhausted and a virtual machine is created again, the cloud platform allocates a new subnet to the user and creates a new set of firewall rules based on the old ones, allowing the old subnet and the new subnet to communicate:
Chain i-5B9B3BCF_out (1 references)
num  target  prot  opt  source             destination
1    ACCEPT  all   --   0.0.0.0/0          0.0.0.0/0

Chain i-5B9B3BCF_in (1 references)
num  target  prot  opt  source             destination
1    ACCEPT  all   --   10.251.255.176/28  0.0.0.0/0
2    ACCEPT  tcp   --   0.0.0.0/0          0.0.0.0/0    tcp spt:22
3    ACCEPT  tcp   --   0.0.0.0/0          0.0.0.0/0    tcp dpt:22
4    ACCEPT  all   --   10.251.255.240/28  0.0.0.0/0
5    DROP    all   --   0.0.0.0/0          0.0.0.0/0
Rule 4 is the addition: the user's new subnet 10.251.255.240/28 is accepted ahead of the final DROP, so traffic between the user's old and new subnets passes while other subnets remain blocked.
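A model of the per-VM iptables chains printed above, added as an example that is not the patent's or G Cloud's code. It builds the _in chain from the user's subnet list (one subnet after step 3, two after step 5), renders the equivalent iptables commands, and evaluates constructed packets with iptables' first-match semantics. The subnets 10.251.255.176/28 and 10.251.255.240/28 and the rule order follow the listings; the Packet and Rule classes, the function names and the sample packets are assumptions of this example. It also exercises a property of the printed rules that a practitioner should know: rule 2 accepts any TCP packet whose source port is 22, and a sender chooses its own source port, so that rule admits TCP traffic from outside the user's subnet to any destination port.

```python
"""Per-VM iptables chains (steps 3 to 5) with a first-match evaluator.

Added example; not code from the patent or from G Cloud.  Rule order and the
subnets 10.251.255.176/28 and 10.251.255.240/28 follow the listings on the
page; the classes, function names and sample packets are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "all"            # "tcp", "udp", "icmp" or "all"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    target: str                   # "ACCEPT" or "DROP"
    proto: str = "all"
    source: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt):
        """All specified match fields must agree, as in an iptables rule."""
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.source):
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def build_in_chain(user_subnets):
    """i-<id>_in as printed: accept the user's own subnet(s), accept TCP with
    source port 22, accept TCP to port 22, drop everything else.  Step 5 is
    this function called again with the new subnet appended."""
    rules = [Rule("ACCEPT", source=net) for net in user_subnets]
    rules += [Rule("ACCEPT", proto="tcp", sport=22),
              Rule("ACCEPT", proto="tcp", dport=22),
              Rule("DROP")]
    return rules


def evaluate(chain, pkt):
    """iptables semantics: the first matching rule decides the verdict."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return "RETURN"               # not reached while the chain ends in DROP


def render(chain, name):
    """Equivalent iptables commands for the chain, one per line."""
    lines = ["iptables -N " + name]
    for r in chain:
        parts = ["iptables -A " + name]
        if r.proto != "all":
            parts.append("-p " + r.proto)
        if r.source != "0.0.0.0/0":
            parts.append("-s " + r.source)
        if r.sport is not None:
            parts.append("--sport %d" % r.sport)
        if r.dport is not None:
            parts.append("--dport %d" % r.dport)
        parts.append("-j " + r.target)
        lines.append(" ".join(parts))
    return "\n".join(lines)


if __name__ == "__main__":
    vm = "10.251.255.177"                      # a VM in the user's first subnet
    step3 = build_in_chain(["10.251.255.176/28"])
    step5 = build_in_chain(["10.251.255.176/28", "10.251.255.240/28"])
    print(render(step5, "i-5B9B3BCF_in"))
    for label, chain, pkt in [
        ("same subnet, any protocol", step3, Packet("10.251.255.180", vm, "icmp")),
        ("second subnet before step 5", step3, Packet("10.251.255.241", vm, "icmp")),
        ("second subnet after step 5", step5, Packet("10.251.255.241", vm, "icmp")),
        ("SSH from outside the subnet", step3, Packet("192.0.2.10", vm, "tcp", 40000, 22)),
        ("outside, sender picks source port 22", step3, Packet("192.0.2.10", vm, "tcp", 22, 8080)),
    ]:
        print("%-40s %s" % (label, evaluate(chain, pkt)))
```

The last sample packet is the one to look at: it comes from outside every subnet of the user and targets port 8080, yet the printed chain accepts it because of the spt:22 rule. A chain that only wants to allow replies to outbound SSH would use connection tracking (conntrack --ctstate ESTABLISHED) rather than a source-port match.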
5. A binding is created between the virtual machine's MAC address and IP address to prevent the user from modifying the IP. Concretely, the following commands are executed on the host (vnet9 is the virtual machine's tap interface on the host):
# ebtables -t nat -N libvirt-I-vnet9
# ebtables -t nat -N I-vnet9-mac
# ebtables -t nat -N I-vnet9-ipv4-ip
# ebtables -t nat -A PREROUTING -i vnet9 -j libvirt-I-vnet9
# ebtables -t nat -A libvirt-I-vnet9 -j I-vnet9-mac
# ebtables -t nat -A I-vnet9-mac -s 52:54:0:25:8c:16 -j RETURN
# ebtables -t nat -A I-vnet9-mac -j DROP
# ebtables -t nat -A libvirt-I-vnet9 -p IPv4 -j I-vnet9-ipv4-ip
# ebtables -t nat -A I-vnet9-ipv4-ip -p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
# ebtables -t nat -A I-vnet9-ipv4-ip -p IPv4 --ip-src 10.99.3.44 -j RETURN
# ebtables -t nat -A I-vnet9-ipv4-ip -j DROP
Every frame entering from vnet9 passes through I-vnet9-mac, which drops any frame whose source MAC is not the bound 52:54:0:25:8c:16, and IPv4 packets additionally pass through I-vnet9-ipv4-ip, which drops any packet whose source address is neither the bound 10.99.3.44 nor 0.0.0.0 over UDP (the exception that lets the DHCP exchange which obtains the lease go through). The chain naming follows the layout that libvirt's nwfilter uses for its per-interface filters.
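The MAC-to-IP binding of step 5 as an added example (not the patent's, G Cloud's or libvirt's code): one record produces both the dnsmasq static-lease line for /etc/network.conf from step 3 and the ebtables chain printed above, and verdict() walks constructed frames through that chain. The chain layout and the values vnet9, 52:54:0:25:8c:16 and 10.99.3.44 come from the page; the Frame and Binding classes, the function names, the hostsfile parser and the sample frames are assumptions of this example.

```python
"""MAC-to-IP binding: dnsmasq static lease plus ebtables chain for one vnet.

Added example; not code from the patent, from G Cloud or from libvirt.  The
chain layout libvirt-I-vnetN -> I-vnetN-mac -> I-vnetN-ipv4-ip and the values
vnet9 / 52:54:0:25:8c:16 / 10.99.3.44 come from the page; everything else is
an assumption of this illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    src_mac: str
    ethertype: str                  # "IPv4", "ARP", ...
    ip_src: Optional[str] = None    # only meaningful for IPv4
    ip_proto: Optional[str] = None  # "udp", "tcp", ...


@dataclass(frozen=True)
class Binding:
    vnet: str        # host-side tap interface of the VM
    mac: str
    hostname: str
    ip: str

    def dhcp_hostsfile_line(self):
        """Line for --dhcp-hostsfile: MAC,hostname,IP (the /etc/network.conf format)."""
        return "%s,%s,%s" % (self.mac, self.hostname, self.ip)

    def ebtables_commands(self):
        """The chain printed on the page, parameterised by vnet, MAC and IP."""
        v = self.vnet
        return [
            "ebtables -t nat -N libvirt-I-%s" % v,
            "ebtables -t nat -N I-%s-mac" % v,
            "ebtables -t nat -N I-%s-ipv4-ip" % v,
            "ebtables -t nat -A PREROUTING -i %s -j libvirt-I-%s" % (v, v),
            "ebtables -t nat -A libvirt-I-%s -j I-%s-mac" % (v, v),
            "ebtables -t nat -A I-%s-mac -s %s -j RETURN" % (v, self.mac),
            "ebtables -t nat -A I-%s-mac -j DROP" % v,
            "ebtables -t nat -A libvirt-I-%s -p IPv4 -j I-%s-ipv4-ip" % (v, v),
            "ebtables -t nat -A I-%s-ipv4-ip -p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN" % v,
            "ebtables -t nat -A I-%s-ipv4-ip -p IPv4 --ip-src %s -j RETURN" % (v, self.ip),
            "ebtables -t nat -A I-%s-ipv4-ip -j DROP" % v,
        ]

    def verdict(self, frame):
        """Walk a frame arriving on the vnet through the chain above.
        "ACCEPT" means it fell through to the PREROUTING policy."""
        # I-vnet-mac: only the bound source MAC returns; anything else is dropped.
        if frame.src_mac.lower() != self.mac.lower():
            return "DROP"
        # Only IPv4 is steered into the IP chain; ARP and other frames fall through.
        if frame.ethertype != "IPv4":
            return "ACCEPT"
        # I-vnet-ipv4-ip: DHCP from 0.0.0.0 over UDP and the bound IP return.
        if frame.ip_src == "0.0.0.0" and frame.ip_proto == "udp":
            return "ACCEPT"
        if frame.ip_src == self.ip:
            return "ACCEPT"
        return "DROP"


def bindings_from_hostsfile(text, vnet_of):
    """Parse /etc/network.conf lines (MAC,hostname,IP) into Bindings.
    vnet_of maps a MAC to the VM's tap name, from the platform's inventory
    (an assumed lookup; the page does not show where that mapping is kept)."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, host, ip = [f.strip() for f in line.split(",")]
        out.append(Binding(vnet_of[mac], mac, host, ip))
    return out


if __name__ == "__main__":
    conf = "52:54:0:25:8c:16,tesr.rt,10.99.3.44\n"        # constructed, as on the page
    b = bindings_from_hostsfile(conf, {"52:54:0:25:8c:16": "vnet9"})[0]
    print("\n".join(b.ebtables_commands()))
    for label, f in [
        ("bound MAC and IP", Frame(b.mac, "IPv4", "10.99.3.44", "tcp")),
        ("user changed IP inside the VM", Frame(b.mac, "IPv4", "10.99.3.45", "tcp")),
        ("spoofed MAC", Frame("52:54:0:25:8c:17", "IPv4", "10.99.3.44", "tcp")),
        ("DHCP discover", Frame(b.mac, "IPv4", "0.0.0.0", "udp")),
        ("ARP from bound MAC", Frame(b.mac, "ARP")),
    ]:
        print("%-32s %s" % (label, b.verdict(f)))
```

The evaluator makes the scope of the printed chain explicit: a frame from another MAC is dropped in I-vnet9-mac, an IPv4 packet from an address other than the bound one is dropped in I-vnet9-ipv4-ip (this is what makes a manually changed IP "unable to communicate"), the DHCP discover from 0.0.0.0 over UDP still passes so the lease can be obtained, and a non-IPv4 frame such as ARP never reaches the IP chain, so these rules alone do not check the sender address carried inside ARP.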

Claims (5)

1. A virtual machine security isolation method, characterised in that the method comprises the following steps:
Step 1: logically divide the host physical machines of the cloud platform, according to demand, so that one or more hosts form a cluster and the whole platform is divided into one or more clusters, and allocate a large subnet to each cluster;
Step 2: establish a set of default firewall rules on every host that, by default, isolates communication with other subnets;
Step 3: when a user submits a request to the cloud platform to create a virtual machine, the platform automatically assigns the user to a cluster and creates a subnet for the user under the large subnet of that cluster; at the same time, the virtual machine's virtual network interface is placed under the default firewall rules to enforce the isolation constraint;
Step 4: when the same user creates a further virtual machine, its IP address is set in the same subnet of the same cluster, and its virtual network interface is likewise placed under the default firewall rules;
Step 5: when the existing subnet's resources are exhausted and a virtual machine is created again, the cloud platform allocates a new subnet to the user and, based on the old firewall rules, creates a new set of firewall rules that allow the old subnet and the new subnet to communicate;
Step 6: prevent the user from modifying the IP address by creating a binding between the virtual machine's MAC address and its IP address.
2. The virtual machine security isolation method according to claim 1, characterised in that in step 2, "isolated from other subnets by default" means that different subnets are not in the same collision domain and cannot communicate with each other.
3. The virtual machine security isolation method according to claim 1, characterised in that when a user creates a virtual machine, the platform automatically selects an IP address from the user's subnet for the virtual machine and configures it to obtain its IP address automatically.
4. The virtual machine security isolation method according to claim 2, characterised in that when a user creates a virtual machine, the platform automatically selects an IP address from the user's subnet for the virtual machine and configures it to obtain its IP address automatically.
5. The virtual machine security isolation method according to any one of claims 1 to 4, characterised in that if the user sets a different IP address inside the virtual machine, that IP address cannot communicate, which guarantees that the change has no effect on the network.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410737305.0A CN104468568A (en) 2014-12-05 2014-12-05 Virtual machine security isolation method

Publications (1)

Publication Number Publication Date
CN104468568A true CN104468568A (en) 2015-03-25

Family

ID=52913940

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410737305.0A Pending CN104468568A (en) 2014-12-05 2014-12-05 Virtual machine security isolation method

Country Status (1)

Country Link
CN (1) CN104468568A (en)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101977245A (en) * 2010-01-07 2011-02-16 中兴通讯股份有限公司 Method, network equipment and system for detecting IP (Internet Protocol) address conflict
US20130254870A1 (en) * 2010-03-26 2013-09-26 Barracuda Networks, Inc. Detecting and Thwarting Browser-Based Network Intrusion Attacks By a Virtual Machine Monitoring System, Apparatus, and Method
CN102571698A (en) * 2010-12-17 2012-07-11 中国移动通信集团公司 Access authority control method, system and device for virtual machine
CN103516733A (en) * 2012-06-19 2014-01-15 华为技术有限公司 Method and apparatus for processing virtual private cloud
CN103236963A (en) * 2013-04-25 2013-08-07 西北工业大学 VMWare virtual machine remote detection method
CN103685605A (en) * 2013-12-20 2014-03-26 国云科技股份有限公司 Method for detecting IP (Internet Protocol) conflict of virtual machines
CN103905523A (en) * 2013-12-23 2014-07-02 浪潮(北京)电子信息产业有限公司 Cloud computing network virtualization method and system based on SDN
CN103812704A (en) * 2014-02-25 2014-05-21 国云科技股份有限公司 Public network IP (Internet Protocol) dynamic management method for virtual machine

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
林昆 (Lin Kun): "Research on virtual machine security isolation based on Intel VT-d technology", China Master's Theses Full-text Database, Information Science and Technology (2011) *
王文婷 (Wang Wenting): "A virtual network subsystem based on a cloud platform", Computer Knowledge and Technology (2013) *
陈晏民 (Chen Yanmin): "Design and implementation of a virtual network subsystem for a typical infrastructure cloud computing system", China Master's Theses Full-text Database, Information Science and Technology (2012) *

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105491020A (en) * 2015-11-24 2016-04-13 上海市共进通信技术有限公司 Method for restricting IP (Internet Protocol) address access by programs in the operating system of a smart device
CN108459899B (en) * 2017-02-21 2021-06-01 华为技术有限公司 Information protection method and device
CN108459899A (en) * 2017-02-21 2018-08-28 华为技术有限公司 Information protection method and device
WO2018153113A1 (en) * 2017-02-21 2018-08-30 华为技术有限公司 Information protection method and device
US11301282B2 (en) 2017-02-21 2022-04-12 Huawei Technologies Co., Ltd. Information protection method and apparatus
CN107301083A (en) * 2017-06-16 2017-10-27 郑州云海信息技术有限公司 Method for creating OpenStack virtual machines and OpenStack virtual machine system
CN107368354A (en) * 2017-08-03 2017-11-21 致象尔微电子科技(上海)有限公司 Virtual machine security isolation method
CN107368354B (en) * 2017-08-03 2021-02-02 海光信息技术股份有限公司 Virtual machine security isolation method
CN110233837A (en) * 2019-06-06 2019-09-13 上海思询信息科技有限公司 Cloud-platform-based user network security architecture
CN112751694A (en) * 2019-10-30 2021-05-04 北京金山云网络技术有限公司 Management method and device for a dedicated host, and electronic device
CN111404924A (en) * 2020-03-12 2020-07-10 腾讯云计算(北京)有限责任公司 Security management and control method, device, equipment and storage medium for a cluster system
US11909721B2 (en) 2020-12-29 2024-02-20 Mastercard International Incorporated Systems and methods for automated firewall provisioning for virtual machines
CN112887330A (en) * 2021-02-26 2021-06-01 浪潮云信息技术股份公司 Structure and method for implementing floating IP isolation with network ACLs
CN112887330B (en) * 2021-02-26 2022-05-31 浪潮云信息技术股份公司 Device and method for implementing floating IP isolation with network ACLs
CN115499314A (en) * 2022-08-23 2022-12-20 新华三技术有限公司 Cluster node IP modification method and device
CN115842664A (en) * 2022-11-23 2023-03-24 紫光云技术有限公司 Public cloud network traffic security implementation method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150325