CN104753852A - Virtualization platform and security protection method and device - Google Patents


Info

Publication number: CN104753852A
Authority: CN
Grant status: Application
Prior art keywords: server, platform, security, protection, virtualization
Application number: CN 201310728105
Other languages: Chinese (zh)
Inventors: 张志宏, 刘军卫, 钱岭, 孙少陵
Original assignee: 中国移动通信集团公司 (China Mobile Communications Corporation)

Classifications

    • H: Electricity > H04: Electric communication technique > H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272: Virtual private networks

Abstract

The invention relates to the technical field of computer networks, and in particular to a virtualization platform and a security protection method and device. It aims to solve the performance bottleneck and single point of failure that arise when security protection for the whole virtualization platform is provided by dedicated hardware firewall equipment. The virtualization platform provided in an embodiment of the invention comprises at least one server, with at least one virtual machine running on each server; each server provides a security protection service separately to each virtual machine on that server. Because every server in the platform protects its own virtual machines, the performance bottleneck and single point of failure of a single dedicated hardware firewall protecting the whole platform are avoided.

Description

Virtualization platform, security protection method and device

Technical Field

[0001] The present invention relates to the field of computer network technology, and in particular to a virtualization platform and a security protection method and device.

Background

[0002] In current virtualization platforms, security protection for virtual machines is provided mainly by a firewall. The firewall acts as the gateway device of the virtual machines and filters the traffic entering and leaving them; the filtering rules are usually set by the management system of the virtualization platform.

[0003] At present, virtualization platforms mainly use dedicated hardware firewall equipment to provide security protection. Figure 1 is a schematic diagram of a first scheme for protecting virtual machines in a virtualization platform. As shown in Figure 1, the traffic of all virtual machines in the platform is carried over several virtual local area networks (VLANs) to a single hardware firewall device, which protects all of them. The firewall in Figure 1 generally works in the same way as a traditional hardware firewall, and the platform's management system controls the firewall rules dynamically by calling the firewall's management interface.

[0004] The scheme in Figure 1, which uses a dedicated hardware firewall device to protect the entire virtualization platform, has the following drawbacks:

[0005] The hardware firewall in Figure 1 protects all virtual machines (VMs) in the platform. When the traffic entering and leaving each VM is large, its performance may be unable to satisfy the protection requirements of all VMs. In addition, because of its position in the network topology, when the hardware firewall fails, none of the VMs in the entire platform can be protected.

[0006] In summary, the scheme in Figure 1, which uses dedicated hardware firewall equipment to protect the entire virtualization platform, suffers from a performance bottleneck and a single point of failure.

Summary of the Invention

[0007] Embodiments of the present invention provide a virtualization platform and a security protection method and device, to solve the performance bottleneck and single point of failure of the scheme that uses dedicated hardware firewall equipment to protect the entire virtualization platform.

[0008] In a first aspect, an embodiment of the present invention provides a virtualization platform comprising:

[0009] at least one server, with at least one virtual machine running on each server,

[0010] where each server is used to provide a security protection service separately to each virtual machine on that server.

[0011] In this scheme, because each server in the virtualization platform provides the security protection service separately to each virtual machine on that server, the performance bottleneck and single point of failure that arise when dedicated hardware firewall equipment protects the whole platform are avoided.

[0012] Preferably, the virtualization platform further comprises a security protection manager;

[0013] the security protection manager is used to set, on each server, security protection rules separately for each virtual machine on that server.

[0014] With this preferred scheme, security protection rules can be set for each virtual machine in the virtualization platform through the security protection manager.

[0015] Preferably, the virtualization platform further comprises a virtual machine resource manager, which is used to manage the virtual machines in the platform; the security protection manager is specifically used to:

[0016] after receiving a user instruction to set the security protection rules of a first virtual machine on the platform, send to the virtual machine resource manager a request to query the address of the server on which the first virtual machine is located, receive the server address returned by the resource manager in response to the request, and set the security protection rules of the first virtual machine on the server indicated by the received address; or

[0017] after receiving an instruction from the virtual machine resource manager to create a second virtual machine in the platform, obtain from the received create instruction the address of the server on which the second virtual machine is located, and create the security protection rules of the second virtual machine on the server indicated by that address; or

[0018] after receiving an instruction from the virtual machine resource manager to delete a third virtual machine in the platform, obtain from the received delete instruction the address of the server on which the third virtual machine is located, and delete the security protection rules of the third virtual machine on the server indicated by that address; or

[0019] after receiving an instruction from the virtual machine resource manager to migrate a fourth virtual machine in the platform to a fifth virtual machine, obtain from the received migrate instruction the address of the server on which the fifth virtual machine is located, and on the server indicated by that address set the security protection rules of the fifth virtual machine to those of the fourth virtual machine.

[0020] With this preferred scheme, the interaction between the virtual machine resource manager and the security protection manager allows the security protection rules of virtual machines to be configured dynamically and in real time.

[0021] In a second aspect, an embodiment of the present invention further provides a security protection method in a virtualization platform, the method comprising:

[0022] a server in the virtualization platform receives network data;

[0023] when the server determines that the received network data is addressed to a virtual machine running on the server, it filters the received network data according to the security protection rules of that virtual machine held on the server.

[0024] In this scheme, because each server in the virtualization platform provides the security protection service separately to each virtual machine on that server, the performance bottleneck and single point of failure that arise when dedicated hardware firewall equipment protects the whole platform are avoided.

[0025] In a third aspect, an embodiment of the present invention further provides a server for a virtualization platform, with at least one virtual machine running on the server, the server comprising:

[0026] a receiving module for receiving network data;

[0027] a processing module for, when it determines that the network data received by the receiving module is addressed to a virtual machine running on the server, filtering the received network data according to the security protection rules of that virtual machine held on the server.

[0028] In this scheme, because each server in the virtualization platform provides the security protection service separately to each virtual machine on that server, the performance bottleneck and single point of failure that arise when dedicated hardware firewall equipment protects the whole platform are avoided.
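The per-server filtering of the second and third aspects ([0022], [0023], [0027]), as an added example that is not part of the patent: a server holds one ordered rule chain per virtual machine it hosts, uses the destination address to decide whether a packet is for one of its own VMs, and applies only that VM's chain. The rule fields, the "first match wins" evaluation, the default-deny result when a VM has no matching rule, and the sample addresses are assumptions made for this example; the patent only says that the server filters according to the VM's rules.

```python
"""Per-host, per-VM packet filtering (added illustration, not the patent's code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_cidr: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_cidr)
                and self.proto == pkt.proto
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class Server:
    """One host of the platform: the addresses of its VMs and one rule chain per VM."""
    name: str
    vm_addr: dict = field(default_factory=dict)   # vm id -> IP address of that VM
    chains: dict = field(default_factory=dict)    # vm id -> ordered list of Rule

    def local_vm_for(self, pkt: Packet) -> Optional[str]:
        """Is the packet addressed to a VM running on this server? Return its id if so."""
        for vm, addr in self.vm_addr.items():
            if addr == pkt.dst:
                return vm
        return None

    def filter(self, pkt: Packet) -> str:
        """Return 'accept' or 'drop' for a local VM, 'forward' if the packet is not ours."""
        vm = self.local_vm_for(pkt)
        if vm is None:
            return "forward"                        # another server protects that VM
        for rule in self.chains.get(vm, []):        # first matching rule decides
            if rule.matches(pkt):
                return rule.action
        return "drop"                               # assumption: no matching rule means deny


def demo_results() -> list:
    """Constructed sample: one server hosting two VMs with rules, plus a VM with none yet."""
    host = Server("server-1",
                  vm_addr={"vm-a": "10.0.0.10", "vm-b": "10.0.0.11", "vm-c": "10.0.0.12"},
                  chains={
                      "vm-a": [Rule("0.0.0.0/0", "tcp", 443, "accept"),
                               Rule("10.0.0.0/8", "tcp", 22, "accept")],
                      "vm-b": [Rule("10.0.0.0/24", "udp", 53, "accept")],
                  })
    samples = [
        Packet("203.0.113.5", "10.0.0.10", "tcp", 443),   # public HTTPS to vm-a
        Packet("203.0.113.5", "10.0.0.10", "tcp", 22),    # public SSH to vm-a
        Packet("10.1.2.3", "10.0.0.10", "tcp", 22),       # internal SSH to vm-a
        Packet("10.0.0.7", "10.0.0.11", "udp", 53),       # DNS to vm-b from its subnet
        Packet("10.0.0.7", "10.0.0.11", "tcp", 53),       # wrong protocol for vm-b
        Packet("10.0.0.7", "10.0.0.12", "tcp", 80),       # vm-c has no chain yet
        Packet("10.0.0.7", "10.0.0.99", "tcp", 80),       # not a VM on this server
    ]
    return [host.filter(p) for p in samples]


if __name__ == "__main__":
    print(demo_results())
```

The last two samples are the cases a practitioner should check on a real deployment: a VM whose chain has not been installed yet (for instance right after creation or migration) must not fall through to accept, and traffic for a VM on another server must be left to that server rather than being dropped or accepted here.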

[0029] In a fourth aspect, an embodiment of the present invention further provides a method for setting the security protection rules of a virtual machine in a virtualization platform, the method comprising:

[0030] after determining that the security protection rules of a particular virtual machine in the platform need to be set, determining the address of the server on which the particular virtual machine is located;

[0031] sending a setting instruction to the server indicated by the determined address, so as to set the security protection rules of the particular virtual machine on that server.

[0032] With this scheme, when the security protection rules of a particular virtual machine need to be set, because the protection of a virtual machine is implemented by the server on which it runs, the address of that server must first be determined; a setting instruction is then sent to the server indicated by the obtained address, so as to set the particular virtual machine's security protection rules on that server.

[0033] Preferably, determining that the security protection rules of the particular virtual machine need to be set comprises: after receiving a user instruction to set the security protection rules of the particular virtual machine, determining that its rules need to be set; and determining the address of the server on which the particular virtual machine is located comprises: sending to the platform's virtual machine resource manager a request to query the address of the server on which the particular virtual machine is located, and taking the server address returned by the resource manager in response as that address; or

[0034] determining that the rules need to be set comprises: after receiving an instruction from the virtual machine resource manager to create the particular virtual machine, determining that the security protection rules of the particular virtual machine need to be created; and determining the server address comprises: obtaining the address of the server on which the particular virtual machine is located from the received create instruction; or

[0035] determining that the rules need to be set comprises: after receiving an instruction from the virtual machine resource manager to delete the particular virtual machine, determining that the security protection rules of the particular virtual machine need to be deleted; and determining the server address comprises: obtaining the address of the server on which the particular virtual machine is located from the received delete instruction; or

[0036] determining that the rules need to be set comprises: after receiving an instruction from the virtual machine resource manager to migrate a source virtual machine in the platform to the particular virtual machine, determining that the security protection rules of the particular virtual machine need to be created; determining the server address comprises: obtaining the address of the server on which the particular virtual machine is located from the received migrate instruction; and sending a setting instruction to the server indicated by the determined address comprises: sending a setting instruction that carries the security protection rules of the source virtual machine, so that on that server the security protection rules of the particular virtual machine are set to those of the source virtual machine; or

[0037] determining that the rules need to be set comprises: after receiving an instruction from the virtual machine resource manager to migrate the particular virtual machine to a destination virtual machine in the platform, determining that the security protection rules of the particular virtual machine need to be deleted; and determining the server address comprises: obtaining the address of the server on which the particular virtual machine is located from the received migrate instruction.

[0038] With this preferred scheme, security protection rules can be configured dynamically for virtual machines according to user instructions or to dynamic changes of the virtual machines in the platform.

[0039] In a fifth aspect, an embodiment of the present invention further provides a security protection manager in a virtualization platform, the security protection manager comprising:

[0040] a processing module for, after determining that the security protection rules of a particular virtual machine in the platform need to be set, determining the address of the server on which the particular virtual machine is located;

[0041] a sending module for sending a setting instruction to the server indicated by the address determined by the processing module, so as to set the security protection rules of the particular virtual machine on that server.

[0042] With this scheme, when the security protection rules of a particular virtual machine need to be set, because the protection of a virtual machine is implemented by the server on which it runs, the address of that server must first be determined; a setting instruction is then sent to the server indicated by the obtained address, so as to set the particular virtual machine's security protection rules on that server.

[0043] Preferably, the processing module is specifically used to: after receiving a user instruction to set the security protection rules of the particular virtual machine, determine that its rules need to be set; the sending module is further used to: after the processing module has so determined, send to the platform's virtual machine resource manager a request to query the address of the server on which the particular virtual machine is located; and the processing module is specifically used to: take the server address returned by the resource manager in response as the address of the server on which the particular virtual machine is located; or

[0044] the processing module is specifically used to: after receiving an instruction from the virtual machine resource manager to create the particular virtual machine, determine that the security protection rules of the particular virtual machine need to be created, and obtain the address of the server on which the particular virtual machine is located from the received create instruction; or

[0045] the processing module is specifically used to: after receiving an instruction from the virtual machine resource manager to delete the particular virtual machine, determine that the security protection rules of the particular virtual machine need to be deleted, and obtain the address of the server on which the particular virtual machine is located from the received delete instruction; or

[0046] the processing module is specifically used to: after receiving an instruction from the virtual machine resource manager to migrate a source virtual machine in the platform to the particular virtual machine, determine that the security protection rules of the particular virtual machine need to be created, and obtain the address of the server on which the particular virtual machine is located from the received migrate instruction; and the sending module is specifically used to: send to the server indicated by the determined address a setting instruction that carries the security protection rules of the source virtual machine, so that on that server the security protection rules of the particular virtual machine are set to those of the source virtual machine; or

[0047] the processing module is specifically used to: after receiving an instruction from the virtual machine resource manager to migrate the particular virtual machine to a destination virtual machine in the platform, determine that the security protection rules of the particular virtual machine need to be deleted, and obtain the address of the server on which the particular virtual machine is located from the received migrate instruction.

[0048] With this preferred scheme, security protection rules can be configured dynamically for virtual machines according to user instructions or to dynamic changes of the virtual machines in the platform.

[0049] In a sixth aspect, an embodiment of the present invention further provides a method for setting the security protection rules of a virtual machine in a virtualization platform, the method comprising:

[0050] receiving a request, sent by the platform's security protection manager, to query the address of the server on which a first virtual machine is located, the request being sent by the security protection manager after it receives a user instruction to set the security protection rules of the first virtual machine;

[0051] returning the address of the server on which the first virtual machine is located to the security protection manager, so that the security protection manager sets the security protection rules of the first virtual machine on the server indicated by the received address.

[0052] With this scheme, when the security protection rules of the first virtual machine need to be set, because the protection of the first virtual machine is implemented by the server on which it runs, the address of that server is returned to the security protection manager after its query is received, so that the security protection manager can set the first virtual machine's security protection rules on the server indicated by that address.

[0053] Preferably, the method further comprises:

[0054] determining that a second virtual machine needs to be created in the platform; sending to the security protection manager an instruction to create the second virtual machine, the create instruction carrying the address of the server on which the second virtual machine is located, so that the security protection manager creates the security protection rules of the second virtual machine on the server indicated by the received address; or

[0055] determining that a third virtual machine in the platform needs to be deleted; sending to the security protection manager an instruction to delete the third virtual machine, the delete instruction carrying the address of the server on which the third virtual machine is located, so that the security protection manager deletes the security protection rules of the third virtual machine on the server indicated by the received address; or

[0056] determining that a fourth virtual machine in the platform needs to be migrated to a fifth virtual machine; sending to the security protection manager an instruction to migrate the fourth virtual machine to the fifth virtual machine, the migrate instruction carrying the address of the server on which the fourth virtual machine is located and the address of the server on which the fifth virtual machine is located, so that the security protection manager sets, on the server indicated by the received address of the fifth virtual machine's server, the security protection rules of the fifth virtual machine to those of the fourth virtual machine, and deletes, on the server indicated by the received address of the fourth virtual machine's server, the security protection rules of the fourth virtual machine.

[0057] With this preferred scheme, the security protection rules of virtual machines can be set according to dynamic changes of the virtual machines in the platform.

[0058] In a seventh aspect, an embodiment of the present invention further provides a virtual machine resource manager in a virtualization platform, the virtual machine resource manager comprising:

[0059] a first processing module for receiving a request, sent by the platform's security protection manager, to query the address of the server on which a first virtual machine is located, the request being sent by the security protection manager after it receives a user instruction to set the security protection rules of the first virtual machine;

[0060] a second processing module for returning the address of the server on which the first virtual machine is located to the security protection manager, so that the security protection manager sets the security protection rules of the first virtual machine on the server indicated by the received address.

[0061] With this scheme, when the security protection rules of the first virtual machine need to be set, because the protection of the first virtual machine is implemented by the server on which it runs, the address of that server is returned to the security protection manager after its query is received, so that the security protection manager can set the first virtual machine's security protection rules on the server indicated by that address.

[0062] Preferably, the first processing module is further used to determine that a second virtual machine needs to be created in the platform; and the second processing module is further used to send to the security protection manager an instruction to create the second virtual machine, the create instruction carrying the address of the server on which the second virtual machine is located, so that the security protection manager creates the security protection rules of the second virtual machine on the server indicated by the received address; or

[0063] the first processing module is further used to determine that a third virtual machine in the platform needs to be deleted; and the second processing module is further used to send to the security protection manager an instruction to delete the third virtual machine, the delete instruction carrying the address of the server on which the third virtual machine is located, so that the security protection manager deletes the security protection rules of the third virtual machine on the server indicated by the received address; or

[0064] the first processing module is further used to determine that a fourth virtual machine in the platform needs to be migrated to a fifth virtual machine; and the second processing module is further used to send to the security protection manager an instruction to migrate the fourth virtual machine to the fifth virtual machine, the migrate instruction carrying the address of the server on which the fourth virtual machine is located and the address of the server on which the fifth virtual machine is located, so that the security protection manager sets, on the server indicated by the received address of the fifth virtual machine's server, the security protection rules of the fifth virtual machine to those of the fourth virtual machine, and deletes, on the server indicated by the received address of the fourth virtual machine's server, the security protection rules of the fourth virtual machine.

[0065] With this preferred scheme, the security protection rules of virtual machines can be set according to dynamic changes of the virtual machines in the platform.
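The control-plane exchange described in the fourth to seventh aspects ([0029] to [0065]), as an added example that is not part of the patent: the virtual machine resource manager knows where every VM runs, the security protection manager pushes a VM's rules only to the server hosting it, and the server address reaches the manager either by an explicit query (user instruction) or inside the create, delete or migrate instruction itself. The message field names, the in-memory server rule stores, the rule strings, and the choice to give a newly created VM an empty chain are assumptions made for this example; the patent does not say what a server does for a VM whose rules have not been installed yet.

```python
"""Rule distribution on VM lifecycle events (added illustration, not the patent's code)."""
from dataclasses import dataclass, field


@dataclass
class ServerRules:
    """Rule store of one server, keyed by VM id."""
    addr: str
    rules: dict = field(default_factory=dict)


class SecurityManager:
    """Security protection manager: installs and removes per-VM rules on the right server."""

    def __init__(self, servers):
        self.servers = {s.addr: s for s in servers}   # server address -> rule store
        self.resource_manager = None                   # attached by VMResourceManager

    def set_rules(self, vm, rules):
        """User instruction ([0033]): the manager does not know the host, so it asks."""
        addr = self.resource_manager.query_server_address(vm)
        self.servers[addr].rules[vm] = list(rules)

    def on_create(self, instruction):
        """Create instruction ([0034]) carries the server address; assumption: empty chain."""
        self.servers[instruction["server"]].rules[instruction["vm"]] = []

    def on_delete(self, instruction):
        """Delete instruction ([0035]) carries the server address of the VM being removed."""
        self.servers[instruction["server"]].rules.pop(instruction["vm"], None)

    def on_migrate(self, instruction):
        """Migrate ([0036], [0037]): copy the source VM's rules to the destination server,
        then remove them on the source server."""
        src = self.servers[instruction["src_server"]]
        dst = self.servers[instruction["dst_server"]]
        dst.rules[instruction["dst_vm"]] = list(src.rules.get(instruction["src_vm"], []))
        src.rules.pop(instruction["src_vm"], None)


class VMResourceManager:
    """Virtual machine resource manager: owns VM placement, notifies the security manager."""

    def __init__(self, security_manager):
        self.placement = {}                       # vm id -> server address
        self.sm = security_manager
        security_manager.resource_manager = self

    def query_server_address(self, vm):
        """Answer the manager's address query ([0050], [0051])."""
        return self.placement[vm]

    def create(self, vm, server):
        self.placement[vm] = server
        self.sm.on_create({"vm": vm, "server": server})

    def delete(self, vm):
        server = self.placement.pop(vm)
        self.sm.on_delete({"vm": vm, "server": server})

    def migrate(self, src_vm, dst_vm, dst_server):
        src_server = self.placement.pop(src_vm)
        self.placement[dst_vm] = dst_server
        self.sm.on_migrate({"src_vm": src_vm, "src_server": src_server,
                            "dst_vm": dst_vm, "dst_server": dst_server})


def run_scenario():
    """Constructed scenario: create, set rules by user instruction, migrate, delete."""
    s1, s2 = ServerRules("10.0.1.1"), ServerRules("10.0.1.2")
    sm = SecurityManager([s1, s2])
    rm = VMResourceManager(sm)
    web_rules = ["accept tcp/443 from 0.0.0.0/0", "accept tcp/22 from 10.0.0.0/8"]

    rm.create("vm-web", "10.0.1.1")                  # empty chain appears on server 1
    sm.set_rules("vm-web", web_rules)                # manager queries rm, pushes to server 1
    after_set = dict(s1.rules)
    rm.migrate("vm-web", "vm-web-2", "10.0.1.2")     # rules follow the VM to server 2
    after_migrate = (dict(s1.rules), dict(s2.rules))
    rm.delete("vm-web-2")
    after_delete = dict(s2.rules)
    return after_set, after_migrate, after_delete


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

Two points worth checking against a real implementation: the migrate handler installs the rules on the destination server before deleting them on the source, so the rule set is never absent from both servers at once, and the create handler deliberately leaves the new VM with an empty chain, which is only safe if the server treats an empty or missing chain as deny rather than as accept.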

BRIEF DESCRIPTION OF THE DRAWINGS

[0066] FIG. 1 is a schematic diagram of a first existing scheme for providing security protection to virtual machines in a virtualization platform;

[0067] FIG. 2 is a schematic structural diagram of the virtualization platform provided by an embodiment of the present invention;

[0068] FIG. 3 is a schematic diagram of a second existing scheme for providing security protection to virtual machines in a virtualization platform;

[0069] FIG. 4 is a flowchart of the method by which the security protection manager sets the security protection rules of a virtual machine according to a user instruction, in the virtualization platform provided by an embodiment of the present invention;

[0070] FIG. 5 is a flowchart of the processing performed after the security protection manager receives an instruction from the virtual machine resource manager to create a virtual machine, in the virtualization platform provided by an embodiment of the present invention;

[0071] FIG. 6 is a flowchart of the processing performed after the security protection manager receives an instruction from the virtual machine resource manager to delete a virtual machine, in the virtualization platform provided by an embodiment of the present invention;

[0072] FIG. 7 is a flowchart of the processing performed after the security protection manager receives an instruction from the virtual machine resource manager to migrate one virtual machine to another virtual machine, in the virtualization platform provided by an embodiment of the present invention;

[0073] FIG. 8 is a flowchart of the method for creating a virtual machine and setting the security protection rules of the virtual machine provided by an embodiment of the present invention;

[0074] FIG. 9 is a schematic diagram of the security protection rule chain in an embodiment of the present invention;

[0075] FIG. 10 is a flowchart of the security protection method in the virtualization platform provided by an embodiment of the present invention;

[0076] FIG. 11 is a schematic structural diagram of a server in the virtualization platform provided by an embodiment of the present invention;

[0077] FIG. 12 is a flowchart of a first method for setting the security protection rules of a virtual machine in the virtualization platform provided by an embodiment of the present invention;

[0078] FIG. 13 is a schematic structural diagram of the security protection manager in the virtualization platform provided by an embodiment of the present invention;

[0079] FIG. 14 is a flowchart of a second method for setting the security protection rules of a virtual machine in the virtualization platform provided by an embodiment of the present invention;

[0080] FIG. 15 is a schematic structural diagram of the virtual machine resource manager in the virtualization platform provided by an embodiment of the present invention.

DETAILED DESCRIPTION

[0081] Embodiments of the present invention provide a virtualization platform, a security protection method and a device, to solve the performance bottleneck and single-point-of-failure problems of schemes that use dedicated hardware firewall equipment to protect the whole virtualization platform. The virtualization platform provided by an embodiment of the present invention comprises at least one server, each server running at least one virtual machine, where each server provides a security protection service separately to each virtual machine running on it. Because each server in the virtualization platform protects its own virtual machines, the performance bottleneck and single point of failure that arise when a dedicated hardware firewall device protects all virtual machines are avoided.

[0082] Embodiments of the present invention are described in detail below with reference to the drawings.

[0083] FIG. 2 is a schematic structural diagram of the virtualization platform provided by an embodiment of the present invention. As shown in FIG. 2, the virtualization platform comprises:

[0084] at least one server;

[0085] at least one virtual machine (VM) running on each server;

[0086] where each server provides a security protection service separately to each virtual machine running on it.

[0087] Because a server protects only the virtual machines running on it, the single point of failure and performance bottleneck that exist when one hardware firewall device protects all virtual machines in the virtualization platform are avoided, and good isolation within the internal network is obtained.

[0088] FIG. 3 is a schematic diagram of a second existing scheme for providing security protection to virtual machines in a virtualization platform. As shown in FIG. 3, in this scheme a virtual firewall that protects the virtual machine is implemented for each virtual machine; since virtual machines can be created dynamically, virtual firewalls are created dynamically as well, and the management system of the virtualization platform steers the traffic of virtual machines on different VLANs through different virtual firewalls, so as to share the load. Compared with the hardware firewall of FIG. 1, this scheme partly alleviates the single-point-of-failure and performance bottleneck problems, but has the following drawbacks:

[0089] 1) it significantly increases the complexity of the management system of the virtualization platform, which must dynamically manage the number of virtual firewall instances according to the load of each VLAN and must also ensure the high availability of the virtual firewalls;

[0090] 2) the performance of a virtual firewall is far below that of a physical firewall, so it easily becomes a performance bottleneck.

[0091] With the virtualization platform provided by an embodiment of the present invention, the security protection function of a virtual machine is provided by the server hosting it, so network performance is determined by the processing capacity of each server, and the complex firewall management of the FIG. 3 scheme is not needed; implementation is simple and performance is reliable.

[0092] Optionally, the virtualization platform further comprises a security protection manager;

[0093] the security protection manager is used to set, on each server, security protection rules separately for each virtual machine on that server.

[0094] Optionally, the virtualization platform further comprises a virtual machine resource manager, which manages the virtual machines in the virtualization platform.

[0095] The virtual machine resource manager and the security protection manager may be implemented on a single hardware device or separately. Since the virtual machine resource manager manages the virtual machines of the platform, it stores the IP address of every server in the platform and the virtual IP addresses of the virtual machines.

[0096] When the security protection manager sets the security protection rules of a virtual machine, it does not know the IP address of the server hosting that virtual machine; it must therefore query the virtual machine resource manager for that IP address in order to set the rules of the virtual machine on that server.

[0097] The method by which the security protection manager sets the security protection rules of a virtual machine is described in detail below for the following four cases:

[0098] Case 1: the security protection manager sets the security protection rules of a virtual machine according to a user instruction;

[0099] Case 2: processing after the security protection manager receives an instruction from the virtual machine resource manager to create a virtual machine;

[0100] Case 3: processing after the security protection manager receives an instruction from the virtual machine resource manager to delete a virtual machine;

[0101] Case 4: processing after the security protection manager receives an instruction from the virtual machine resource manager to migrate one virtual machine to another virtual machine.

[0102] As shown in FIG. 4, in Case 1 the method by which the security protection manager sets the security protection rules of a virtual machine according to a user instruction comprises the following steps:

[0103] S401: receive a user instruction to set the security protection rules of a virtual machine;

[0104] S402: send the virtual machine resource manager a request querying the address of the server hosting that virtual machine;

[0105] S403: receive the server address returned by the virtual machine resource manager in response to the request;

[0106] S404: set the security protection rules of the virtual machine on the server indicated by the received server address.

[0107] As shown in FIG. 5, in Case 2 the processing after the security protection manager receives an instruction from the virtual machine resource manager to create a virtual machine comprises the following steps:

[0108] S501: receive an instruction from the virtual machine resource manager to create a virtual machine;

[0109] S502: obtain the address of the server hosting the virtual machine from the received create instruction;

[0110] S503: create the security protection rules of the virtual machine on the server indicated by the obtained server address.

[0111] As shown in FIG. 6, in Case 3 the processing after the security protection manager receives an instruction from the virtual machine resource manager to delete a virtual machine comprises the following steps:

[0112] S601: receive an instruction from the virtual machine resource manager to delete a virtual machine;

[0113] S602: obtain the address of the server hosting the virtual machine from the received delete instruction;

[0114] S603: delete the security protection rules of the virtual machine on the server indicated by the obtained server address.

[0115] As shown in FIG. 7, in Case 4 the processing after the security protection manager receives an instruction from the virtual machine resource manager to migrate one virtual machine to another virtual machine is as follows:

[0116] S701: receive an instruction from the virtual machine resource manager to migrate a source virtual machine to a destination virtual machine;

[0117] S702: obtain the address of the server hosting the destination virtual machine from the received migration instruction;

[0118] S703: on the server indicated by the obtained address of the server hosting the destination virtual machine, set the security protection rules of the destination virtual machine to the security protection rules of the source virtual machine;

[0119] Optionally, after step S701, the method further comprises:

[0120] S704: obtain the address of the server hosting the source virtual machine from the received migration instruction;

[0121] S705: on the server indicated by the obtained address of the server hosting the source virtual machine, delete the security protection rules of the source virtual machine.

[0122] In FIG. 7 the source virtual machine and the destination virtual machine are drawn on two servers for illustration only; in practice the source and destination virtual machines may reside on the same server.
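The four cases above share one control-plane pattern: the security protection manager never holds the VM-to-server mapping itself, so it either asks the virtual machine resource manager (Case 1) or takes the server address that the create, delete or migrate instruction carries (Cases 2 to 4), and only then programs that one server's firewall module. The following Python model, added here as an example and not code from the patent, exercises all four cases against in-memory stand-ins for two servers; the class names, the plain-string rule representation and the same-server guard in the migration path are assumptions of this example.

```python
"""Control-plane model of Cases 1-4: the security protection manager learns
which server hosts a VM either by querying the VM resource manager (Case 1,
S402-S403) or from the address carried in the create/delete/migrate
instruction (Cases 2-4), and only then touches that server's firewall module.

Added example, not the patent's code. Class names, the in-memory stand-ins
for servers and the rule representation (plain strings) are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class FirewallModule:
    """Stand-in for the firewall module of one server: rule lists keyed by VM id."""
    server_ip: str
    chains: dict = field(default_factory=dict)

    def set_rules(self, vm_id, rules):
        self.chains[vm_id] = list(rules)

    def delete_rules(self, vm_id):
        self.chains.pop(vm_id, None)


class VMResourceManager:
    """Knows every server IP and where each VM runs ([0095])."""

    def __init__(self, placement):
        self.placement = dict(placement)      # vm_id -> server_ip

    def query_server(self, vm_id):
        """Answers the manager's S402 request; the return value is S403."""
        return self.placement[vm_id]


class SecurityManager:
    def __init__(self, resource_mgr, servers):
        self.rm = resource_mgr
        self.servers = servers                # server_ip -> FirewallModule

    def on_user_set_rules(self, vm_id, rules):
        """Case 1 (S401-S404): a user instruction carries no server address."""
        server_ip = self.rm.query_server(vm_id)
        self.servers[server_ip].set_rules(vm_id, rules)
        return server_ip

    def on_create(self, vm_id, server_ip, rules):
        """Case 2 (S501-S503): the create instruction carries the address."""
        self.servers[server_ip].set_rules(vm_id, rules)

    def on_delete(self, vm_id, server_ip):
        """Case 3 (S601-S603): the delete instruction carries the address."""
        self.servers[server_ip].delete_rules(vm_id)

    def on_migrate(self, src_vm, src_server, dst_vm, dst_server):
        """Case 4 (S701-S705): both addresses come from the migration instruction.
        The destination is programmed (S703) before the source chain is removed
        (S705), so the migrated VM is never left without rules. If source and
        destination are the same chain on the same server the delete is skipped;
        that guard is this example's, the patent only notes that both VMs may
        share one server ([0122])."""
        rules = self.servers[src_server].chains[src_vm]   # rules travel in the set instruction ([0153])
        self.servers[dst_server].set_rules(dst_vm, rules)
        if (src_server, src_vm) != (dst_server, dst_vm):
            self.servers[src_server].delete_rules(src_vm)


def demo():
    """Constructed scenario (not from the patent) exercising all four cases."""
    servers = {ip: FirewallModule(ip) for ip in ("10.0.0.1", "10.0.0.2")}
    rm = VMResourceManager({"VM1": "10.0.0.1"})
    mgr = SecurityManager(rm, servers)

    # Case 2: VM1 is created on server 1 with its initial chain
    mgr.on_create("VM1", "10.0.0.1", ["allow tcp/22", "DROP"])
    # Case 1: the user adds a rule; the manager must look the server up first
    looked_up = mgr.on_user_set_rules("VM1", ["allow tcp/22", "allow tcp/443", "DROP"])
    # Case 4: VM1 on server 1 is migrated to VM3 on server 2
    mgr.on_migrate("VM1", "10.0.0.1", "VM3", "10.0.0.2")
    del rm.placement["VM1"]
    rm.placement["VM3"] = "10.0.0.2"
    # Cases 2 and 3: a short-lived VM2 on server 1
    mgr.on_create("VM2", "10.0.0.1", ["DROP"])
    mgr.on_delete("VM2", "10.0.0.1")
    return looked_up, {ip: dict(fw.chains) for ip, fw in servers.items()}
```

After `demo()` runs, server 1 holds no chains and server 2 holds VM3's chain, which is exactly the copy of VM1's rules that Case 4 requires.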

[0123] The above describes in detail how the security protection manager sets the security protection rules of a virtual machine by interacting with the virtual machine resource manager. The following describes specifically how the security protection manager sets the security protection rules of a virtual machine on the server.

[0124] Optionally, the server may provide the security protection service to the virtual machines on it through a firewall module running on the server. The firewall module protects the virtual machines according to the security protection rules configured in it, and sets the security protection rules of a virtual machine according to the commands it receives from the security protection manager.

[0125] With reference to FIG. 8, taking the creation of a virtual machine in Case 2 as an example, the method for creating a virtual machine and setting the security protection rules of the virtual machine is described below.

[0126] S801: the user submits a resource request to the virtual machine resource manager; the request comprises:

[0127] 1) resource type: virtual machine;

[0128] 2) resource specification: the specification of CPU, memory, disk, network interface and other resources;

[0129] 3) operating system template: the type of operating system image to install;

[0130] 4) access control list (ACL) rules set for the virtual machine (optional).

[0131] S802: the virtual machine resource manager selects a server that satisfies the above resource requirements and schedules the virtual machine onto it;

[0132] S803: the virtual machine resource manager requests the network manager of the virtualization platform (the security protection manager may be implemented as part of the network manager) to allocate a medium access control (MAC) address and an Internet Protocol (IP) address for the created virtual machine and to create the associated network resources, such as the bridge and the network interface;

[0133] S804: the network manager generates the virtual machine's devices, such as the bridge and the network interface, on the server, and sets the initial security protection rules for the virtual machine instance;

[0134] The initial security protection rules may follow the firewall filter chain shown in FIG. 9. They ensure that when network data whose destination address is the IP address of the virtual machine enters the firewall module of the server, the data is passed into the security protection rule chain corresponding to that virtual machine for filtering.

[0135] For example, if the IP address of VM1 is 10.1.1.5, then according to the security protection rules of FIG. 9, network data entering the server with destination address 10.1.1.5 automatically enters the VM1 security protection rule chain. First, an initial filtering module performs basic filtering, for instance with the common IP-spoof, mac-spoof and arp-spoof rules, so that a user cannot change the IP address and MAC address of the virtual machine at will and perform IP spoofing or MAC spoofing within the virtualization platform. The user can later modify the security protection rules of the virtual machine dynamically through the security protection manager and add custom rules to the virtual machine's rule chain. When processing of the rule chain is finished, the data passes uniformly into a data-drop module whose rule is DROP, that is, all network data not matched by any earlier rule is dropped.

[0136] S805: after the virtual machine has been created successfully, all network data sent to the virtual machine is filtered in the firewall module on the server hosting the virtual machine.
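The per-VM rule chain of FIG. 9 ([0134] and [0135]) can be made concrete with the model below, added here as an example and not code from the patent. It renders the chain as the iptables/ebtables commands a firewall module could load, and walks constructed packets through the same logic so the default-DROP tail and the anti-spoofing checks can be exercised without root. Chain names, the tap device name and the exact matches are assumptions of this example; the patent names only "IP-spoof, mac-spoof, arp-spoof" (the same names the libvirt nwfilter built-in filters use). One caveat a practitioner should keep in mind: the anti-spoofing rules only make sense on frames leaving the guest's vNIC, since their purpose is to stop the guest from speaking as another IP or MAC, whereas the ACL rules and the DROP tail apply to traffic addressed to the guest.

```python
"""Per-VM firewall chain of FIG. 9, modelled in Python.

Added example, not from the patent. It renders the chain as iptables/ebtables
commands and walks constructed packets through the same logic. Chain names,
the tap device and the exact matches are this example's assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # 0 means "no port" (icmp) or "any port" in an ACL entry


@dataclass
class VMChain:
    vm_id: str
    ip: str
    mac: str
    tap: str                                   # host-side vNIC, e.g. "tap1"
    acl: List[Tuple[str, int, str]] = field(default_factory=list)  # (proto, dport, target)

    def chain(self) -> str:
        return f"vm-{self.vm_id}"

    def render(self) -> List[str]:
        """Commands the firewall module could load for this VM."""
        c = self.chain()
        cmds = [
            f"iptables -N {c}",
            # traffic addressed to the VM's IP is steered into its own chain ([0134])
            f"iptables -A FORWARD -d {self.ip} -j {c}",
            # IP-spoof / mac-spoof: frames from the guest must carry its assigned addresses
            f"iptables -A FORWARD -m physdev --physdev-in {self.tap} ! -s {self.ip} -j DROP",
            f"iptables -A FORWARD -m physdev --physdev-in {self.tap} -m mac ! --mac-source {self.mac} -j DROP",
            # arp-spoof: ARP from the guest must announce its own IP
            f"ebtables -A FORWARD -i {self.tap} -p ARP --arp-ip-src ! {self.ip} -j DROP",
        ]
        for proto, dport, target in self.acl:          # user ACL rules ([0130], [0135])
            port = f" --dport {dport}" if dport else ""
            cmds.append(f"iptables -A {c} -p {proto}{port} -j {target}")
        cmds.append(f"iptables -A {c} -j DROP")         # everything unmatched is dropped
        return cmds

    def filter_from_vm(self, pkt: Packet) -> str:
        """Egress anti-spoofing: the guest may only speak as itself."""
        if pkt.src_ip != self.ip or pkt.src_mac != self.mac:
            return DROP
        return ACCEPT

    def filter_to_vm(self, pkt: Packet) -> str:
        """Walk the per-VM chain in order; the tail rule is DROP."""
        for proto, dport, target in self.acl:
            if pkt.proto == proto and (dport == 0 or pkt.dport == dport):
                return target
        return DROP


class HostFirewall:
    """Firewall module of one server: dispatches inbound data by destination IP."""

    def __init__(self, chains: List[VMChain]):
        self.by_ip = {c.ip: c for c in chains}

    def inbound(self, pkt: Packet) -> Optional[str]:
        chain = self.by_ip.get(pkt.dst_ip)
        return None if chain is None else chain.filter_to_vm(pkt)   # None: no VM chain matched


def demo():
    """Constructed sample VM and packets (not from the patent)."""
    vm1 = VMChain("VM1", "10.1.1.5", "52:54:00:aa:bb:01", "tap1",
                  acl=[("tcp", 22, ACCEPT), ("tcp", 443, ACCEPT), ("icmp", 0, ACCEPT)])
    fw = HostFirewall([vm1])
    peer_mac = "00:11:22:33:44:55"
    results = {
        "ssh_in": fw.inbound(Packet("192.0.2.10", "10.1.1.5", peer_mac, "tcp", 22)),
        "telnet_in": fw.inbound(Packet("192.0.2.10", "10.1.1.5", peer_mac, "tcp", 23)),
        "ping_in": fw.inbound(Packet("192.0.2.10", "10.1.1.5", peer_mac, "icmp")),
        "other_dst": fw.inbound(Packet("192.0.2.10", "10.1.1.9", peer_mac, "tcp", 22)),
        "honest_out": vm1.filter_from_vm(Packet("10.1.1.5", "192.0.2.10", vm1.mac, "tcp", 80)),
        "ip_spoof_out": vm1.filter_from_vm(Packet("10.1.1.6", "192.0.2.10", vm1.mac, "tcp", 80)),
        "mac_spoof_out": vm1.filter_from_vm(Packet("10.1.1.5", "192.0.2.10", "52:54:00:de:ad:01", "tcp", 80)),
    }
    return vm1, results
```

`render()` emits the jump rule first and the unconditional DROP last, so ACL rules added later through the security protection manager must be inserted before the tail (for iptables, with `-I` and a position rather than `-A`), otherwise they sit behind the DROP and never match.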

[0137] When a server fails, the virtual machine resource manager recovers the virtual machines on a backup server and, at the same time, restores the security protection rules of the failed server's virtual machines in the firewall module of that backup server.

[0138] When a virtual machine is deleted, the virtual machine resource manager actively sends an instruction to delete the virtual machine to the network manager (which includes the security protection manager); the network manager deletes the bridge, virtual network interface and other resources corresponding to that virtual machine on the server, reclaims the IP and MAC addresses, and deletes the security protection rules of the virtual machine from the firewall module of that server.

[0139] In current virtualization platforms, security protection is provided to virtual machines mainly through two kinds of firewall solution.

[0140] Based on the same inventive concept, embodiments of the present invention further provide a security protection method in a virtualization platform, a server in a virtualization platform, a method for setting the security protection rules of a virtual machine in a virtualization platform, a security protection manager in a virtualization platform, and a virtual machine resource manager in a virtualization platform. Since the principle by which these methods and devices solve the technical problem is similar to that of the virtualization platform provided by the embodiments of the present invention, their implementation may refer to the implementation of the virtualization platform, and repeated description is omitted.

[0141] FIG. 10 is a flowchart of the security protection method in the virtualization platform provided by an embodiment of the present invention. As shown in FIG. 10, the method comprises:

[0142] S1001: a server in the virtualization platform receives network data;

[0143] S1002: when the server determines that the received network data is addressed to a virtual machine running on the server, it filters the received network data according to the security protection rules of that virtual machine held on the server.

[0144] An embodiment of the present invention further provides a server in a virtualization platform, on which at least one virtual machine runs. As shown in FIG. 11, the server comprises:

[0145] a receiving module 1101, configured to receive network data;

[0146] a processing module 1102, configured to filter the received network data according to the security protection rules of a virtual machine held on the server when it determines that the network data received by the receiving module 1101 is addressed to that virtual machine running on the server.

[0147] An embodiment of the present invention further provides a method for setting the security protection rules of a virtual machine in a virtualization platform. As shown in FIG. 12, the method comprises the following steps:

[0148] S1201: after determining that the security protection rules of a specific virtual machine in the virtualization platform need to be set, determine the address of the server hosting the specific virtual machine;

[0149] S1202: send a setting instruction to the server indicated by the determined server address, so as to set the security protection rules of the specific virtual machine on the determined server.

[0150] Optionally, determining that the security protection rules of the specific virtual machine need to be set comprises: after receiving a user instruction to set the security protection rules of the specific virtual machine, determining that the security protection rules of the specific virtual machine need to be set; and determining the address of the server hosting the specific virtual machine comprises: sending the virtual machine resource manager of the virtualization platform a request querying the address of the server hosting the specific virtual machine, and taking the server address returned by the virtual machine resource manager in response to the request as the address of the server hosting the specific virtual machine; or

[0151] determining that the security protection rules of the specific virtual machine need to be set comprises: after receiving an instruction from the virtual machine resource manager to create the specific virtual machine, determining that the security protection rules of the specific virtual machine need to be created; and determining the address of the server hosting the specific virtual machine comprises: obtaining the address of the server hosting the specific virtual machine from the received create instruction; or

[0152] determining that the security protection rules of the specific virtual machine need to be set comprises: after receiving an instruction from the virtual machine resource manager to delete the specific virtual machine, determining that the security protection rules of the specific virtual machine need to be deleted; and determining the address of the server hosting the specific virtual machine comprises: obtaining the address of the server hosting the specific virtual machine from the received delete instruction; or

[0153] determining that the security protection rules of the specific virtual machine need to be set comprises: after receiving an instruction from the virtual machine resource manager to migrate a source virtual machine in the virtualization platform to the specific virtual machine, determining that the security protection rules of the specific virtual machine need to be created; determining the address of the server hosting the specific virtual machine comprises: obtaining the address of the server hosting the specific virtual machine from the received migration instruction; and sending a setting instruction to the server indicated by the determined server address so as to set the security protection rules of the specific virtual machine on the determined server comprises: sending the server indicated by the determined server address a setting instruction that includes the security protection rules of the source virtual machine, so that on the determined server the security protection rules of the specific virtual machine are set to the security protection rules of the source virtual machine; or

[0154] determining that the security protection rules of the specific virtual machine need to be set comprises: after receiving an instruction from the virtual machine resource manager to migrate the specific virtual machine to a destination virtual machine in the virtualization platform, determining that the security protection rules of the specific virtual machine need to be deleted; and determining the address of the server hosting the specific virtual machine comprises: obtaining the address of the server hosting the specific virtual machine from the received migration instruction.

[0155] 本发明实施例还提供了一种虚拟化平台中的安全防护管理器,如图13所示,该安全防护管理器包括: [0155] Embodiments of the present invention further provides a virtualization platform security manager 13, the security manager comprises:

[0156] 处理模块1301,用于在确定需要设置虚拟化平台中的特定虚拟机的安全防护规则后,确定第一虚拟机所在服务器的地址; [0156] Processing module 1301 for determining the need to set the security rules virtualization platform specific virtual machine, to determine a first virtual address of the server machine;

[0157] 发送模块1302,用于向处理模块1301确定的服务器的地址指示的服务器发送设置指令,以在确定的服务器上设置特定虚拟机的安全防护规则。 [0157] sending module 1302, the server determines the server address for the instruction processing module 1301 transmits a setting instruction to set the security rules in a particular virtual machine on the server determined.

[0158] 可选地,处理模块1301具体用于:在收到用户设置特定虚拟机的安全防护规则的指令后,确定需要设置特定虚拟机的安全防护规则;发送模块1302还用于:在处理模块1301确定需要设置特定虚拟机的安全防护规则后,向虚拟化平台的虚拟机资源管理器发送用于查询特定虚拟机所在服务器的地址的请求;处理模块1301具体用于:将收到的虚拟机资源管理器响应请求返回的服务器的地址作为特定虚拟机所在服务器的地址;或 [0158] Alternatively, the processing module 1301 is configured to: set instruction security rule specific virtual machine after receipt of a user, determining specific rules need to set the security virtual machine; transmitting module 1302 is further configured to: process the after the request module 1301 to determine the need to set safety rules specific virtual machine, the virtual machine resource management virtualization platform for sending a query server where the virtual machine-specific address; processing module 1301 is specifically configured to: receive a virtual machine address request response resource manager server returns the address of the server as the specific virtual machine; or

[0159] 处理模块1301具体用于:在收到虚拟机资源管理器创建特定虚拟机的指令后,确定需要创建特定虚拟机的安全防护规则,并从收到的创建指令中获取特定虚拟机所在服务器的地址;或 [0159] The processing module 1301 is specifically configured to: after creating a virtual machine specific instructions received virtual machine resource manager to determine the need to create safety rules specific virtual machine, and get specific virtual machine where the command received from creation address of the server; or

[0160] 处理模块1301具体用于:在收到虚拟机资源管理器删除特定虚拟机的指令后,确定需要删除特定虚拟机的安全防护规则;并从收到的删除指令中获取特定虚拟机所在服务器的地址;或 [0160] The processing module 1301 is specifically configured to: after receiving the Explorer to delete the virtual machine instructions specific virtual machine, determine the need to remove the security protection rules specific virtual machine; and get specific virtual machine where the delete command received from address of the server; or

[0161] 处理模块1301具体用于:在收到虚拟机资源管理器将虚拟化平台中的源虚拟机迁移到特定虚拟机的指令后,确定需要创建特定虚拟机的安全防护规则;并从收到的迁移指令中获取特定虚拟机所在服务器的地址;发送模块1302具体用于:向确定的服务器的地址指示的服务器发送设置指令,设置指令中包括源虚拟机的安全防护规则,以在确定的服务器上将特定虚拟机的安全防护规则设置为源虚拟机的安全防护规则;或 [0161] The processing module 1301 is configured to: after receiving the resource manager virtual machine platform source virtual machine migration to a particular virtual machine instruction virtualization, security rules determine the need to create a particular virtual machine; and from the closed migration instruction to obtain the address of the server in a particular virtual machine; transmitting module 1302 is configured to: determine the address of the server to a server indicative of transmission setting command, setting security rules comprise instructions source virtual machine, in order to determine the security rules on the server virtual machine is set to a specific security rule source virtual machine; or

[0162] 处理模块1301具体用于:在收到虚拟机资源管理器将特定虚拟机迁移到虚拟化平台中的目的虚拟机的指令后,确定删除创建特定虚拟机的安全防护规则,并从收到的迁移指令中获取特定虚拟机所在服务器的地址。 [0162] The processing module 1301 is specifically configured to: after receiving the Virtual Machine Manager to migrate the virtual machine to a specific purpose instruction virtualization platform in a virtual machine, delete create security rules to determine the specific virtual machine, and from income migration instruction to obtain the address of the server in a particular virtual machine.

[0163] 本发明实施例还提供了一种虚拟化平台中设置虚拟机的安全防护规则的方法,如图14所示,该方法包括如下步骤: [0163] The present invention further provides a set of security rules in a virtual machine in a virtualization platform method, shown in Figure 14, the method comprising the steps of:

[0164] S1401:接收虚拟化平台的安全防护管理器发送的用于查询第一虚拟机所在服务器的地址的请求,该请求是安全防护管理器在收到用户设置第一虚拟机的安全防护规则的指令后发送的; [0164] S1401: where the request is used to query the address of the first virtual machine server to receive virtualization platform security manager sent the request is a security manager security rules provided in the first virtual machine receives the user after transmission of the instruction;

[0165] S1402:将第一虚拟机所在服务器的地址返回给安全防护管理器,以使安全防护管理器在收到的服务器的地址指示的服务器上设置第一虚拟机的安全防护规则。 [0165] S1402: The address of the server back to the first virtual machine security manager, the security manager to set security rules first virtual machine on the server address of the server received indication.

[0166] 可选地,该方法还包括: [0166] Optionally, the method further comprising:

[0167] 确定需要在虚拟化平台中创建第二虚拟机;向安全防护管理器发送创建第二虚拟机的指令,创建指令中包括第二虚拟机所在服务器的地址,以使安全防护管理器在收到的服务器的地址指示的服务器上创建第二虚拟机的安全防护规则;或 [0167] In determining the need to create a virtualization platform in a second virtual machine; transmission command to create a second virtual machine security manager, creating instruction includes the address of the server where the second virtual machine, so that the security manager create security rules of the second virtual machine on the server indicating the address of the server received; or

[0168] 确定需要删除虚拟化平台中的第三虚拟机;向安全防护管理器发送删除第三虚拟机的指令,删除指令中包括第三虚拟机所在服务器的地址,以使安全防护管理器在收到的服务器的地址指示的服务器上删除第三虚拟机的安全防护规则;或 [0168] determine the need to remove the virtualization platform in the third virtual machine; a third virtual machine instruction is sent to the security manager to delete, delete instruction including the address of the server third virtual machine, so that the security manager delete the third virtual machine on the server security protection rules address of the server received indication; or

[0169] 确定需要将虚拟化平台中的第四虚拟机迁移到第五虚拟机;向安全防护管理器发送将第四虚拟机迁移到第五虚拟机的指令,迁移指令中包括第四虚拟机所在服务器的地址、第五虚拟机所在服务器的地址,以使安全防护管理器在收到的第五虚拟机所在服务器的地址指示的服务器上,将第五虚拟机的安全防护规则设置为第四虚拟机的安全防护规贝U,并在收到的第四虚拟机所在服务器的地址指示的服务器上,删除第四虚拟机的安全防护规则。 [0169] determines that the migration of the virtual platform of the virtual machine to the fifth to the fourth virtual machine; fourth transmitting migrate the virtual machine to a virtual machine instruction to a fifth security manager, the migration instruction includes a fourth virtual machine address address of the server, the server that hosts the fifth virtual machine, so that the security manager on the server address of the server virtual machine instructions received fifth of the fifth virtual machine security rules set for the fourth safety regulations Tony U virtual machine and the server address of the server's fourth virtual machine instructions received, deleting security rule fourth virtual machine.

[0170] An embodiment of the present invention further provides a virtual machine resource manager in a virtualization platform. As shown in Figure 15, the virtual machine resource manager comprises:

[0171] a first processing module 1501, configured to receive a request sent by the security protection manager of the virtualization platform for querying the address of the server hosting a first virtual machine, the request being sent by the security protection manager after it receives a user instruction to set the security protection rule of the first virtual machine;

[0172] a second processing module 1502, configured to return the address of the server hosting the first virtual machine to the security protection manager, so that the security protection manager sets the security protection rule of the first virtual machine on the server indicated by the received server address.

[0173] Optionally, the first processing module 1501 is further configured to determine that a second virtual machine needs to be created in the virtualization platform, and the second processing module 1502 is further configured to send an instruction to create the second virtual machine to the security protection manager, the create instruction including the address of the server hosting the second virtual machine, so that the security protection manager creates the security protection rule of the second virtual machine on the server indicated by the received server address; or

[0174] the first processing module 1501 is further configured to determine that a third virtual machine in the virtualization platform needs to be deleted, and the second processing module 1502 is further configured to send an instruction to delete the third virtual machine to the security protection manager, the delete instruction including the address of the server hosting the third virtual machine, so that the security protection manager deletes the security protection rule of the third virtual machine on the server indicated by the received server address; or

[0175] the first processing module 1501 is further configured to determine that a fourth virtual machine in the virtualization platform needs to be migrated to a fifth virtual machine, and the second processing module 1502 is further configured to send an instruction to migrate the fourth virtual machine to the fifth virtual machine to the security protection manager, the migrate instruction including the address of the server hosting the fourth virtual machine and the address of the server hosting the fifth virtual machine, so that the security protection manager, on the server indicated by the received address of the server hosting the fifth virtual machine, sets the security protection rule of the fifth virtual machine to the security protection rule of the fourth virtual machine, and, on the server indicated by the received address of the server hosting the fourth virtual machine, deletes the security protection rule of the fourth virtual machine.
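The rule lifecycle described in [0166]-[0169] and [0173]-[0175] (a user-initiated rule set resolved through the virtual machine resource manager, and create, delete and migrate instructions that carry the hosting server's address) can be modelled as follows. This is an added example, not code from the patent; the class names, the string form of a rule and the placement table are all assumptions made for illustration.

```python
"""Hypothetical model of the per-VM rule lifecycle between a virtual machine
resource manager (VMRM) and a security protection manager.  Added example,
not the patent's code; all names and the sample data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Server:
    """A server of the platform; keeps one rule per VM it hosts."""
    address: str
    rules: Dict[str, str] = field(default_factory=dict)


class VMResourceManager:
    """Answers 'which server hosts VM x?' ([0171]/[0172]).
    The placement table is constructed sample data."""

    def __init__(self, placement: Dict[str, str]) -> None:
        self._placement = dict(placement)

    def query_server_address(self, vm_id: str) -> Optional[str]:
        return self._placement.get(vm_id)


class SecurityProtectionManager:
    def __init__(self, servers: Dict[str, Server], vmrm: VMResourceManager) -> None:
        self._servers = servers
        self._vmrm = vmrm

    def _server(self, address: str) -> Server:
        # Refuse instructions naming a server the platform does not know.
        if address not in self._servers:
            raise LookupError(f"unknown server address {address!r}")
        return self._servers[address]

    def set_rule_by_user(self, vm_id: str, rule: str) -> str:
        """User sets a rule: resolve the host through the VMRM, install the
        rule there, and return the address it was installed on."""
        address = self._vmrm.query_server_address(vm_id)
        if address is None:
            raise LookupError(f"VMRM has no placement for {vm_id!r}")
        self._server(address).rules[vm_id] = rule
        return address

    def on_create(self, vm_id: str, server_address: str, rule: str) -> None:
        """[0167]: the create instruction carries the hosting server's address."""
        self._server(server_address).rules[vm_id] = rule

    def on_delete(self, vm_id: str, server_address: str) -> None:
        """[0168]: remove the VM's rule on the server named in the instruction."""
        self._server(server_address).rules.pop(vm_id, None)

    def on_migrate(self, src_vm: str, src_address: str,
                   dst_vm: str, dst_address: str) -> str:
        """[0169]: copy the source VM's rule to the destination VM on the
        destination server, then delete it on the source server.  Both servers
        are resolved before anything is changed, so a bad address cannot leave
        the source rule deleted with nothing installed at the destination."""
        src = self._server(src_address)
        dst = self._server(dst_address)
        if src_vm not in src.rules:
            raise LookupError(f"no rule for {src_vm!r} on {src_address}")
        rule = src.rules[src_vm]
        dst.rules[dst_vm] = rule
        del src.rules[src_vm]
        return rule


def demo() -> Dict[str, Dict[str, str]]:
    """Walk set / create / delete / migrate across two constructed servers and
    return each server's resulting rule table."""
    servers = {"10.0.0.1": Server("10.0.0.1"), "10.0.0.2": Server("10.0.0.2")}
    vmrm = VMResourceManager({"vm-a": "10.0.0.1"})
    spm = SecurityProtectionManager(servers, vmrm)
    spm.set_rule_by_user("vm-a", "allow tcp/443 from 192.0.2.0/24")
    spm.on_create("vm-b", "10.0.0.1", "deny all")
    spm.on_delete("vm-b", "10.0.0.1")
    spm.on_migrate("vm-a", "10.0.0.1", "vm-a2", "10.0.0.2")
    return {addr: dict(s.rules) for addr, s in servers.items()}


if __name__ == "__main__":
    print(demo())
```

The ordering inside `on_migrate` is the point worth noting: the patent has the manager set the rule at the destination and delete it at the source as one operation, and resolving both server addresses up front keeps a malformed migrate instruction from leaving the migrated VM unprotected.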

[0176] Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical memory) containing computer-usable program code.

[0177] The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and any combination of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

[0178] These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

[0179] These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus, such that a series of operational steps are performed on the computer or other programmable apparatus to produce a computer-implemented process, so that the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

[0180] Although preferred embodiments of the present invention have been described, those skilled in the art may make further changes and modifications to these embodiments once they learn the basic inventive concept. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.

[0181] Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include them.

Claims (13)

1. A virtualization platform, characterized in that the virtualization platform comprises: at least one server, each server running at least one virtual machine, and each server being configured to provide a security protection service to each virtual machine on that server respectively.

2. The virtualization platform according to claim 1, characterized in that the virtualization platform further comprises a security protection manager; the security protection manager is configured to set, on each server, security protection rules for each virtual machine on that server respectively.

3. The virtualization platform according to claim 2, characterized in that the virtualization platform further comprises a virtual machine resource manager configured to manage the virtual machines in the virtualization platform; the security protection manager is specifically configured to: after receiving a user instruction to set the security protection rule of a first virtual machine on the virtualization platform, send to the virtual machine resource manager a request for querying the address of the server hosting the first virtual machine, receive the server address returned by the virtual machine resource manager in response to the request, and set the security protection rule of the first virtual machine on the server indicated by the received server address; or after receiving an instruction from the virtual machine resource manager to create a second virtual machine in the virtualization platform, obtain the address of the server hosting the second virtual machine from the received create instruction, and create the security protection rule of the second virtual machine on the server indicated by the obtained server address; or after receiving an instruction from the virtual machine resource manager to delete a third virtual machine in the virtualization platform, obtain the address of the server hosting the third virtual machine from the received delete instruction, and delete the security protection rule of the third virtual machine on the server indicated by the obtained server address; or after receiving an instruction from the virtual machine resource manager to migrate a fourth virtual machine in the virtualization platform to a fifth virtual machine, obtain the address of the server hosting the fifth virtual machine from the received migrate instruction, and, on the server indicated by the obtained server address, set the security protection rule of the fifth virtual machine to the security protection rule of the fourth virtual machine.

4. A security protection method in a virtualization platform, characterized in that the method comprises: a server in the virtualization platform receives network data; when the server determines that the received network data is addressed to a virtual machine running on the server, the server filters the received network data according to the security protection rule of that virtual machine on the server.

5. A server for use in a virtualization platform, at least one virtual machine running on the server, characterized in that the server comprises: a receiving module configured to receive network data; and a processing module configured to, when it determines that the network data received by the receiving module is addressed to a virtual machine running on the server, filter the received network data according to the security protection rule of that virtual machine on the server.

6. A method for setting the security protection rule of a virtual machine in a virtualization platform, characterized in that the method comprises: after determining that the security protection rule of a specific virtual machine in the virtualization platform needs to be set, determining the address of the server hosting the specific virtual machine; and sending a setting instruction to the server indicated by the determined server address, so as to set the security protection rule of the specific virtual machine on the determined server.

7. The method according to claim 6, characterized in that: determining that the security protection rule of the specific virtual machine needs to be set comprises: after receiving a user instruction to set the security protection rule of the specific virtual machine, determining that the security protection rule of the specific virtual machine needs to be set; and determining the address of the server hosting the specific virtual machine comprises: sending to the virtual machine resource manager of the virtualization platform a request for querying the address of the server hosting the specific virtual machine, and using the server address returned by the virtual machine resource manager in response to the request as the address of the server hosting the specific virtual machine; or determining that the security protection rule of the specific virtual machine needs to be set comprises: after receiving an instruction from the virtual machine resource manager to create the specific virtual machine, determining that the security protection rule of the specific virtual machine needs to be created; and determining the address of the server hosting the specific virtual machine comprises: obtaining the address of the server hosting the specific virtual machine from the received create instruction; or determining that the security protection rule of the specific virtual machine needs to be set comprises: after receiving an instruction from the virtual machine resource manager to delete the specific virtual machine, determining that the security protection rule of the specific virtual machine needs to be deleted; and determining the address of the server hosting the specific virtual machine comprises: obtaining the address of the server hosting the specific virtual machine from the received delete instruction; or determining that the security protection rule of the specific virtual machine needs to be set comprises: after receiving an instruction from the virtual machine resource manager to migrate a source virtual machine in the virtualization platform to the specific virtual machine, determining that the security protection rule of the specific virtual machine needs to be created; determining the address of the server hosting the specific virtual machine comprises: obtaining the address of the server hosting the specific virtual machine from the received migrate instruction; and sending the setting instruction to the server indicated by the determined server address so as to set the security protection rule of the specific virtual machine on the determined server comprises: sending to the server indicated by the determined server address a setting instruction that includes the security protection rule of the source virtual machine, so as to set, on the determined server, the security protection rule of the specific virtual machine to the security protection rule of the source virtual machine; or determining that the security protection rule of the specific virtual machine needs to be set comprises: after receiving an instruction from the virtual machine resource manager to migrate the specific virtual machine to a destination virtual machine in the virtualization platform, determining that the security protection rule of the specific virtual machine needs to be deleted; and determining the address of the server hosting the specific virtual machine comprises: obtaining the address of the server hosting the specific virtual machine from the received migrate instruction.

8. A security protection manager in a virtualization platform, characterized in that the security protection manager comprises: a processing module configured to, after determining that the security protection rule of a specific virtual machine in the virtualization platform needs to be set, determine the address of the server hosting the first virtual machine; and a sending module configured to send a setting instruction to the server indicated by the server address determined by the processing module, so as to set the security protection rule of the specific virtual machine on the determined server.

9. The security protection manager according to claim 8, characterized in that: the processing module is specifically configured to, after receiving a user instruction to set the security protection rule of the specific virtual machine, determine that the security protection rule of the specific virtual machine needs to be set; the sending module is further configured to, after the processing module determines that the security protection rule of the specific virtual machine needs to be set, send to the virtual machine resource manager of the virtualization platform a request for querying the address of the server hosting the specific virtual machine; and the processing module is specifically configured to use the server address returned by the virtual machine resource manager in response to the request as the address of the server hosting the specific virtual machine; or the processing module is specifically configured to, after receiving an instruction from the virtual machine resource manager to create the specific virtual machine, determine that the security protection rule of the specific virtual machine needs to be created, and obtain the address of the server hosting the specific virtual machine from the received create instruction; or the processing module is specifically configured to, after receiving an instruction from the virtual machine resource manager to delete the specific virtual machine, determine that the security protection rule of the specific virtual machine needs to be deleted, and obtain the address of the server hosting the specific virtual machine from the received delete instruction; or the processing module is specifically configured to, after receiving an instruction from the virtual machine resource manager to migrate a source virtual machine in the virtualization platform to the specific virtual machine, determine that the security protection rule of the specific virtual machine needs to be created, and obtain the address of the server hosting the specific virtual machine from the received migrate instruction; and the sending module is specifically configured to send to the server indicated by the determined server address a setting instruction that includes the security protection rule of the source virtual machine, so as to set, on the determined server, the security protection rule of the specific virtual machine to the security protection rule of the source virtual machine; or the processing module is specifically configured to, after receiving an instruction from the virtual machine resource manager to migrate the specific virtual machine to a destination virtual machine in the virtualization platform, determine that the security protection rule of the specific virtual machine needs to be deleted, and obtain the address of the server hosting the specific virtual machine from the received migrate instruction.

10. A method for setting the security protection rule of a virtual machine in a virtualization platform, characterized in that the method comprises: receiving a request sent by the security protection manager of the virtualization platform for querying the address of the server hosting a first virtual machine, the request being sent by the security protection manager after it receives a user instruction to set the security protection rule of the first virtual machine; and returning the address of the server hosting the first virtual machine to the security protection manager, so that the security protection manager sets the security protection rule of the first virtual machine on the server indicated by the received server address.

11. The method according to claim 10, characterized in that the method further comprises: determining that a second virtual machine needs to be created in the virtualization platform; sending an instruction to create the second virtual machine to the security protection manager, the create instruction including the address of the server hosting the second virtual machine, so that the security protection manager creates the security protection rule of the second virtual machine on the server indicated by the received server address; or determining that a third virtual machine in the virtualization platform needs to be deleted; sending an instruction to delete the third virtual machine to the security protection manager, the delete instruction including the address of the server hosting the third virtual machine, so that the security protection manager deletes the security protection rule of the third virtual machine on the server indicated by the received server address; or determining that a fourth virtual machine in the virtualization platform needs to be migrated to a fifth virtual machine; sending an instruction to migrate the fourth virtual machine to the fifth virtual machine to the security protection manager, the migrate instruction including the address of the server hosting the fourth virtual machine and the address of the server hosting the fifth virtual machine, so that the security protection manager, on the server indicated by the received address of the server hosting the fifth virtual machine, sets the security protection rule of the fifth virtual machine to the security protection rule of the fourth virtual machine, and, on the server indicated by the received address of the server hosting the fourth virtual machine, deletes the security protection rule of the fourth virtual machine.

12. A virtual machine resource manager in a virtualization platform, characterized in that the virtual machine resource manager comprises: a first processing module configured to receive a request sent by the security protection manager of the virtualization platform for querying the address of the server hosting a first virtual machine, the request being sent by the security protection manager after it receives a user instruction to set the security protection rule of the first virtual machine; and a second processing module configured to return the address of the server hosting the first virtual machine to the security protection manager, so that the security protection manager sets the security protection rule of the first virtual machine on the server indicated by the received server address.

13. The virtual machine resource manager according to claim 12, characterized in that: the first processing module is further configured to determine that a second virtual machine needs to be created in the virtualization platform, and the second processing module is further configured to send an instruction to create the second virtual machine to the security protection manager, the create instruction including the address of the server hosting the second virtual machine, so that the security protection manager creates the security protection rule of the second virtual machine on the server indicated by the received server address; or the first processing module is further configured to determine that a third virtual machine in the virtualization platform needs to be deleted, and the second processing module is further configured to send an instruction to delete the third virtual machine to the security protection manager, the delete instruction including the address of the server hosting the third virtual machine, so that the security protection manager deletes the security protection rule of the third virtual machine on the server indicated by the received server address; or the first processing module is further configured to determine that a fourth virtual machine in the virtualization platform needs to be migrated to a fifth virtual machine, and the second processing module is further configured to send an instruction to migrate the fourth virtual machine to the fifth virtual machine to the security protection manager, the migrate instruction including the address of the server hosting the fourth virtual machine and the address of the server hosting the fifth virtual machine, so that the security protection manager, on the server indicated by the received address of the server hosting the fifth virtual machine, sets the security protection rule of the fifth virtual machine to the security protection rule of the fourth virtual machine, and, on the server indicated by the received address of the server hosting the fourth virtual machine, deletes the security protection rule of the fourth virtual machine.
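Claims 4 and 5 describe the data path: a server receives network data, decides whether it is addressed to one of its own virtual machines, and if so filters it with that virtual machine's own rules. The following added example (not the patent's code) models that per-server, per-VM filtering; the packet fields, the rule format (CIDR source, protocol, destination port) and the default-deny for a VM with no matching rule are assumptions chosen for the illustration.

```python
"""Hypothetical model of per-server filtering as in claims 4 and 5: each
server knows its own VMs' addresses and holds a separate rule list per VM.
Added example, not the patent's code; rule format and sample data are
constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str       # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src_net: str              # CIDR the sender must fall in
    proto: str                # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src_ip) in ip_network(self.src_net)
                and self.proto in ("any", pkt.proto)
                and self.dst_port in (None, pkt.dst_port))


class Server:
    """One platform server: maps VM addresses to VM ids and keeps a rule list
    per VM, as installed by the security protection manager."""

    def __init__(self, vm_addresses: Dict[str, str]) -> None:
        self._vm_by_ip = {ip: vm for vm, ip in vm_addresses.items()}
        self._rules: Dict[str, List[Rule]] = {}

    def set_rules(self, vm_id: str, rules: List[Rule]) -> None:
        self._rules[vm_id] = list(rules)

    def delete_rules(self, vm_id: str) -> None:
        self._rules.pop(vm_id, None)

    def receive(self, pkt: Packet) -> str:
        """'not-local' when the data is not addressed to a VM on this server
        (claim 4 only filters data addressed to a local VM); otherwise the
        action of the first matching rule of that VM.  A VM with no rules, or
        with no matching rule, gets 'deny' (default-deny is our assumption)."""
        vm_id = self._vm_by_ip.get(pkt.dst_ip)
        if vm_id is None:
            return "not-local"
        for rule in self._rules.get(vm_id, []):
            if rule.matches(pkt):
                return rule.action
        return "deny"


def demo() -> List[str]:
    """Constructed server with a web VM and a database VM; the database VM
    accepts port 5432 only from the web VM.  Returns one verdict per packet."""
    srv = Server({"web": "10.1.0.10", "db": "10.1.0.20"})
    srv.set_rules("web", [Rule("allow", "0.0.0.0/0", "tcp", 443)])
    srv.set_rules("db", [Rule("allow", "10.1.0.10/32", "tcp", 5432),
                         Rule("deny", "0.0.0.0/0", "any", None)])
    packets = [
        Packet("198.51.100.7", "10.1.0.10", "tcp", 443),   # client -> web
        Packet("198.51.100.7", "10.1.0.20", "tcp", 5432),  # client -> db
        Packet("10.1.0.10", "10.1.0.20", "tcp", 5432),     # web -> db
        Packet("198.51.100.7", "10.1.0.99", "udp", 53),    # not a VM here
    ]
    return [srv.receive(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

Because each server only evaluates rules for the VMs it hosts, the per-VM tables stay small and the filtering scales with the number of servers, which is the property the abstract contrasts with a single hardware firewall in front of the whole platform.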
CN 201310728105 2013-12-25 2013-12-25 Virtualization platform and security protection method and device CN104753852A (en)

Publications (1)

Publication Number Publication Date
CN104753852A (en) 2015-07-01
Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination