CN105245504A - North-south flow safety protection system in cloud computing network - Google Patents


Info

Publication number
CN105245504A
Authority
CN (China)
Prior art keywords
network, tenant, logic, virtual machine, firewall
Legal status
Pending
Application number
CN201510574191.7A
Other languages
Chinese (zh)
Inventor
王智民
Current Assignee
BEIJING OPZOON TECHNOLOGY Co Ltd (Opzoon Technology Co Ltd)
Original Assignee
BEIJING OPZOON TECHNOLOGY Co Ltd
Application filed by BEIJING OPZOON TECHNOLOGY Co Ltd; priority to application CN201510574191.7A; published as CN105245504A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45504 Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators


Abstract

The invention discloses a north-south traffic security protection system in a cloud computing network. The system comprises virtual machines occupied by tenants, a virtual firewall for monitoring communication between the virtual machines currently occupied by a tenant and the Network (the external network), a first network forwarding layer and a second network forwarding layer. The first network forwarding layer determines the source of a received packet by identifying the packet's tag; if the packet comes from a virtual machine, it is forwarded to the virtual firewall corresponding to the tenant of that virtual machine, and the packet processed by the virtual firewall is sent to the Network via a Layer 2 switch and a Layer 3 switch. The second network forwarding layer receives packets from the Network, determines the tenant to which a packet belongs by identifying the packet's tag, delivers the packet to the virtual machine corresponding to the tenant designated by the tag, and forwards packets sent by the virtual machines to the Layer 2 switch.

Description

North-south traffic security protection system in a cloud computing network
Technical field
The present invention relates to the field of cloud computing technology, and in particular to a north-south traffic security protection system in a cloud computing network.
Background art
A virtualized computing environment consists mainly of virtual machines (VMs) and the virtualization system (hypervisor). From the perspective of network boundary protection, both the north-south traffic and the east-west traffic of the VMs carry potential security hazards such as unauthorized access, intrusion and concealment.
In most cases the network inside a tenant spans nodes and has a Layer 2 structure (a Layer 3 structure is not excluded, but in view of problems such as VM migration across data centers, a large Layer 2 network is still adopted in most cases), so access between the VMs inside a tenant has the following features. VMs of the same tenant reside on different physical nodes, and the traffic they exchange leaves the physical node. VMs of the same tenant all reside in one large Layer 2 network, and the traffic they exchange is required to pass through a Layer 3 network. The internal network of the same tenant may need to be divided into different security zones (VN), with different security policies between the zones.
Longitudinal (north-south) traffic comprises normal access requests from clients to servers, and Layer 3 traffic forwarded between different VMs. The common feature of these flows is that their exchange necessarily passes through an external hardware security protection layer, which we also refer to as the longitudinal traffic control layer.
On the one hand, the protection of these flows does not differ essentially from the security protection of a traditional data center; on the other hand, because cloud security deployment in a virtualized environment involves a multi-tenant service model, it places higher requirements on the degree of virtualization of the equipment.
Because longitudinal traffic involves the concept of multiple tenants, it also raises a security requirement: security protection based on tenants must be realizable.
Summary of the invention
The object of the present invention is to provide a virtual firewall that can be seamlessly embedded into a virtualization platform, thereby realizing security protection of north-south traffic in a cloud computing network.
In order to achieve the above object, the present invention provides a north-south traffic security protection deployment system in a cloud computing network, comprising: virtual machines occupied by tenants, a virtual firewall for monitoring communication between the virtual machines occupied by the current tenant and the Network (the external network), a first network forwarding layer and a second network forwarding layer;
Said first network forwarding layer determines the source of a received packet by identifying the packet's tag. If the source is a virtual machine, it forwards said packet to the virtual firewall corresponding to the tenant of that virtual machine, and the packet processed by this virtual firewall is sent to the Network through a Layer 2 switch and a Layer 3 switch. If the source is the Network, it forwards said packet to the virtual firewall indicated by the packet's tag, and the packet processed by this virtual firewall is sent to the second network forwarding layer through the Layer 2 switch;
Said second network forwarding layer, on receiving a packet from the Network, determines the tenant to which the packet belongs by identifying the packet's tag and delivers the packet to the virtual machine corresponding to the tenant indicated by the tag; it also forwards packets sent by the virtual machines to the Layer 2 switch.
Wherein said first network forwarding layer and the virtual firewall run on a first server cluster, and said second network forwarding layer and the virtual machines run on a second server cluster.
Wherein said second network forwarding layer comprises physical network cards (NICs), a logical NIC and logical bridges;
Said second server cluster comprises multiple physical servers. One physical server comprises multiple said physical NICs, which are bonded into one said logical NIC. This logical NIC has as many logical NIC sub-interfaces as there are tenants on the present physical server; each logical NIC sub-interface connects to one said logical bridge, and each logical bridge connects to the one or more virtual machines of the same tenant running on the present physical server.
Wherein said first network forwarding layer comprises physical NICs, a logical NIC and logical bridges;
A physical server of said first server cluster has multiple said physical NICs, which are bonded into one said logical NIC. Besides one logical NIC sub-interface per tenant, this logical NIC also has a logical NIC sub-interface that receives packets from the Network. Each logical NIC sub-interface connects to one said logical bridge, and each logical bridge connects to the virtual firewall of the tenant corresponding to it.
Wherein said first network forwarding layer comprises physical NICs, a logical NIC and a logical bridge;
A physical server of said first server cluster has multiple said physical NICs, which are bonded into one said logical NIC. This logical NIC connects to said logical bridge, and said logical bridge connects to the Tap interfaces of the virtual machines running the virtual firewalls, respectively.
Wherein, when said virtual firewall operates in routing mode, a VLAN and a gateway are configured inside said virtual firewall.
Wherein, when said virtual firewall operates in transparent mode, said Layer 3 switch connects to a hardware firewall, and a routing gateway and NAT are configured on this Layer 3 switch.
Wherein a physical server of said first server cluster runs one virtual machine, and this virtual machine runs virtual firewalls in one-to-one correspondence with said tenants;
Said first network forwarding layer comprises physical NICs and a logical NIC;
A physical server of said first server cluster has multiple said physical NICs, which are bonded into one said logical NIC, and this logical NIC connects to the virtual firewall corresponding to each tenant.
According to another aspect of the present invention, a north-south traffic security protection deployment system in a cloud computing network comprises: virtual machines occupied by tenants, and a hardware firewall for monitoring communication between the virtual machines occupied by the current tenant and the Network;
Said hardware firewall is deployed in the Layer 3 switch. Inside the hardware firewall there are logical firewall units in one-to-one correspondence with the tenants; each logical firewall unit connects to a physical NIC, and this physical NIC connects to the Layer 2 switch;
Said virtual machines run on a second server cluster. Said second server cluster comprises multiple physical servers. One physical server comprises multiple said physical NICs, which are bonded into one said logical NIC. This logical NIC has as many logical NIC sub-interfaces as there are tenants on the present physical server; each logical NIC sub-interface connects to one said logical bridge, and each logical bridge connects to the one or more virtual machines of the same tenant running on the present physical server.
According to another aspect of the present invention, a north-south traffic security protection deployment system in a cloud computing network comprises: virtual machines occupied by tenants, and a hardware firewall for monitoring communication between the virtual machines occupied by the current tenant and the Network;
Said virtual machines run on a server cluster. Said server cluster comprises multiple physical servers. One physical server comprises multiple said physical NICs, which are bonded into one said logical NIC. This logical NIC has as many logical NIC sub-interfaces as there are tenants on the present physical server; each logical NIC sub-interface connects to one said logical bridge, and each logical bridge connects to the one or more virtual machines of the same tenant running on the present physical server;
Inside said hardware firewall there are logical firewall units in one-to-one correspondence with the tenants. Each logical firewall unit connects to the physical NICs located in the hardware firewall; some of these physical NICs connect to the physical NICs of the server cluster running the virtual machines, and some connect to the Network through the Layer 2 switch and the Layer 3 switch.
Brief description of the drawings
Fig. 1 is a schematic diagram of the deployment architecture according to the first embodiment of the present invention;
Fig. 2 is a schematic diagram of the deployment architecture according to the second embodiment of the present invention;
Fig. 3 is a schematic diagram of the deployment architecture according to the third embodiment of the present invention;
Fig. 4 is a schematic diagram of the deployment architecture according to the fourth embodiment of the present invention;
Fig. 5 is a schematic diagram of the deployment architecture according to the fifth embodiment of the present invention;
Fig. 6 is a schematic diagram of the deployment architecture according to the sixth embodiment of the present invention.
Detailed description of the embodiments
In order to make the object, technical solutions and advantages of the present invention clearer, the present invention is described in more detail below in conjunction with embodiments and with reference to the accompanying drawings. It should be understood that these descriptions are merely exemplary and are not intended to limit the scope of the invention. In addition, in the following description, descriptions of known structures and techniques are omitted so as not to unnecessarily obscure the concept of the present invention.
Fig. 1 is a schematic diagram of the deployment architecture according to the first embodiment of the present invention.
The scenario this deployment architecture suits is one in which a tenant needs an independent security system with routing capability, and in which tenant identification depends on the virtualization platform rather than on the security system.
As shown in Fig. 1, the north-south traffic security protection deployment system in the cloud computing network comprises: a first server cluster ClusterA and a second server cluster ClusterB, a Layer 2 switch L2Switch and a Layer 3 switch L3Switch.
Suppose the current cloud computing platform provides service to two tenants. For the sake of clarity, in Fig. 1 the oval outlines denote resources that serve tenant 1, the rectangular outlines denote resources that serve tenant 2, and the trapezoidal outlines denote resources shared by tenant 1 and tenant 2.
ClusterB comprises two physical servers, Host2 and Host3. On Host2, tenant 1 occupies two virtual machines (VMs) and tenant 2 occupies one VM. On Host3, tenant 1 occupies one VM and tenant 2 occupies two VMs.
The physical server Host1 in ClusterA runs two VMs, and each VM runs one virtual firewall VFW (Virtual Firewall). The two VFWs are responsible for monitoring the VMs of tenant 1 and the VMs of tenant 2 in ClusterB, respectively.
The virtual machines in ClusterB connect to the Layer 2 switch L2Switch through the second network forwarding layer. The second network forwarding layer comprises physical NICs eth0 and eth1, logical NIC bond0 and logical bridges br100 and br200. On Host2, eth0 and eth1 are bonded into bond0; bond0 has two logical NIC sub-interfaces, bond0.100 and bond0.200, where bond0.100 serves tenant 1 and bond0.200 serves tenant 2. bond0.100 connects to logical bridge br100 and bond0.200 connects to logical bridge br200. br100 connects to the two virtual machines serving tenant 1, and br200 connects to the one virtual machine serving tenant 2. On Host3, eth0 and eth1 are likewise bonded into bond0; bond0 has two logical NIC sub-interfaces, bond0.100 and bond0.200, where bond0.100 serves tenant 1 and bond0.200 serves tenant 2. bond0.100 connects to logical bridge br100 and bond0.200 connects to logical bridge br200. br100 connects to the one virtual machine serving tenant 1, and br200 connects to the two virtual machines serving tenant 2.
The virtual firewalls on the virtual machines in ClusterA connect to the Layer 2 switch L2Switch through the first network forwarding layer. The first network forwarding layer comprises physical NICs eth0 and eth1, logical NIC bond0 and logical bridges br100, br200 and br400. On Host1, eth0 and eth1 are bonded into bond0; bond0 has three logical NIC sub-interfaces, bond0.100, bond0.200 and bond0.400, where bond0.100 serves tenant 1, bond0.200 serves tenant 2, and bond0.400 connects to the external Network and serves tenant 1 and tenant 2 simultaneously. bond0.100 connects to logical bridge br100, bond0.200 connects to logical bridge br200, and bond0.400 connects to logical bridge br400. br100 connects to the virtual firewall serving tenant 1, br200 connects to the virtual firewall serving tenant 2, and br400 connects to both the virtual firewall serving tenant 1 and the virtual firewall serving tenant 2.
IP addresses are allocated to the resource devices of the tenants.
The private IP address of the virtual firewall of tenant 1 on Host1 is set to 192.188.60.1. The private IP addresses of all virtual machines of tenant 1 in ClusterB are set to 192.188.60.2, 192.188.60.3 and 192.188.60.4, respectively.
The private IP address of the virtual firewall of tenant 2 on Host1 is set to 192.188.61.1. The private IP addresses of all virtual machines of tenant 2 in ClusterB are set to 192.188.61.2, 192.188.61.3 and 192.188.61.4, respectively.
When the virtual machine VM of tenant 1 located on Host2, whose IP address is 192.188.60.2, is about to send a packet to the Network, the virtual firewall of tenant 1 located on Host1 recognizes from the packet's tag that the packet belongs to its monitoring range, and processes the packet according to the virtual firewall's default interception rules.
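As an added illustration that is not part of the patent text, the Python model below reproduces the Fig. 1 topology and the tag-based dispatch of the two forwarding layers described in the summary and in this embodiment, then checks the tenant-isolation property the design relies on: a VM's northbound frame reaches only its own tenant's VFW, and a frame tagged for one tenant is never delivered to another tenant's VM. The class and function names, the external test address 198.51.100.10 and the per-tenant /24 monitoring ranges inferred from the listed addresses are assumptions.

```python
"""Model of the two forwarding layers of the first embodiment (Fig. 1).

Constructed illustration: Host1 (ClusterA) runs one VFW per tenant; Host2 and
Host3 (ClusterB) run the tenant VMs with the addresses from the text. Tags
100/200/400 are the bond0 sub-interface numbers; the names, the external test
address and the /24 monitoring ranges are assumptions made here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TENANT_TAG = {1: 100, 2: 200}   # bond0.100/br100 serve tenant 1, bond0.200/br200 tenant 2
NETWORK_TAG = 400               # bond0.400/br400: shared uplink towards the Network
TAG_TENANT = {tag: t for t, tag in TENANT_TAG.items()}
VFW_IP = {1: "192.188.60.1", 2: "192.188.61.1"}
# Assumed: each VFW's monitoring range is the /24 holding its tenant's addresses.
VFW_RANGE = {1: ip_network("192.188.60.0/24"), 2: ip_network("192.188.61.0/24")}
EXTERNAL_HOST = "198.51.100.10"  # constructed address on the external Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    tag: int  # VLAN tag carried on bond0 between the two forwarding layers


@dataclass
class Host:
    """ClusterB server: eth0+eth1 -> bond0 -> bond0.<tag> -> br<tag> -> tenant VMs."""
    name: str
    vms: dict  # VM IP -> tenant occupying that VM

    def vm_egress(self, vm_ip, dst):
        """VM -> L2Switch: the VM's bridge feeds bond0.<tag>, so the frame leaves
        tagged with the VLAN of the tenant that occupies the VM."""
        return Packet(src=vm_ip, dst=dst, tag=TENANT_TAG[self.vms[vm_ip]])

    def deliver(self, pkt):
        """L2Switch -> VM: the tag selects the tenant's bridge, so a VM of another
        tenant is unreachable even when the destination IP matches."""
        tenant = TAG_TENANT.get(pkt.tag)
        if tenant is None or self.vms.get(pkt.dst) != tenant:
            return None  # unknown tag or wrong tenant: frame is dropped
        return (f"br{pkt.tag}", pkt.dst)


def first_layer_dispatch(pkt):
    """Host1: the tag tells whether the frame came from a VM (tenant tag) or from
    the Network (tag 400), and therefore which VFW has to process it."""
    if pkt.tag in TAG_TENANT:
        tenant = TAG_TENANT[pkt.tag]
        return {"source": "vm", "bridge": f"br{pkt.tag}", "vfw": tenant,
                "vfw_ip": VFW_IP[tenant], "next": "L2Switch -> L3Switch -> Network"}
    if pkt.tag == NETWORK_TAG:
        # br400 is attached to both VFWs; the VFW whose monitoring range contains
        # the destination claims the frame (assumed selection rule).
        dst = ip_address(pkt.dst)
        for tenant, net in VFW_RANGE.items():
            if dst in net:
                return {"source": "network", "bridge": "br400", "vfw": tenant,
                        "vfw_ip": VFW_IP[tenant],
                        "next": f"L2Switch with tag {TENANT_TAG[tenant]}"}
    return None  # unknown tag, or no tenant owns that destination


def southbound(hosts, dst):
    """Network -> Host1 -> VFW -> L2Switch -> ClusterB as one exchange.
    Returns (host name, bridge) where the frame is delivered, or None."""
    out = first_layer_dispatch(Packet(EXTERNAL_HOST, dst, NETWORK_TAG))
    if out is None:
        return None
    retagged = Packet(EXTERNAL_HOST, dst, TENANT_TAG[out["vfw"]])
    for host in hosts:
        hit = host.deliver(retagged)
        if hit is not None:
            return (host.name, hit[0])
    return None


def check_isolation(hosts):
    """Two properties a defender wants to hold in this design: every VM's
    northbound frame is dispatched to its own tenant's VFW, and a frame carrying
    tenant A's tag is never delivered to a VM occupied by tenant B."""
    for host in hosts:
        for ip, tenant in host.vms.items():
            out = first_layer_dispatch(host.vm_egress(ip, EXTERNAL_HOST))
            if out is None or out["vfw"] != tenant:
                return False
            for other_tag in TENANT_TAG.values():
                if other_tag == TENANT_TAG[tenant]:
                    continue
                if host.deliver(Packet(EXTERNAL_HOST, ip, other_tag)) is not None:
                    return False
    return True


# Constructed from Fig. 1: Host2 has two tenant-1 VMs and one tenant-2 VM,
# Host3 one tenant-1 VM and two tenant-2 VMs.
HOST2 = Host("Host2", {"192.188.60.2": 1, "192.188.60.3": 1, "192.188.61.2": 2})
HOST3 = Host("Host3", {"192.188.60.4": 1, "192.188.61.3": 2, "192.188.61.4": 2})
CLUSTER_B = [HOST2, HOST3]
```

Running `check_isolation(CLUSTER_B)` returns True for this topology; a misconfiguration such as attaching a tenant-2 VM to br100 would be modelled by mapping that VM to the wrong tenant and makes the check fail.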
Fig. 2 is a schematic diagram of the deployment architecture according to the second embodiment of the present invention.
The scenario this deployment architecture suits is one in which a tenant needs an independent security system with routing capability, and in which tenant identification depends on the security system rather than on the virtualization platform.
As shown in Fig. 2, the north-south traffic security protection deployment system in the cloud computing network comprises: a first server cluster ClusterA and a second server cluster ClusterB, a Layer 2 switch L2Switch and a Layer 3 switch L3Switch.
Suppose the current cloud computing platform provides service to two tenants. For the sake of clarity, in Fig. 2 the oval outlines denote resources that serve tenant 1, the rectangular outlines denote resources that serve tenant 2, and the trapezoidal outlines denote resources shared by tenant 1 and tenant 2.
ClusterB comprises two physical servers, Host2 and Host3. On Host2, tenant 1 occupies two virtual machines (VMs) and tenant 2 occupies one VM. On Host3, tenant 1 occupies one VM and tenant 2 occupies two VMs.
The physical server Host1 in ClusterA runs two VMs, each VM runs one virtual firewall VFW (Virtual Firewall), and a VLAN and a gateway are configured inside this VFW. The two VFWs jointly monitor the VMs of tenant 1 and the VMs of tenant 2 in ClusterB. Each VM has two logical NIC Tap ports; one Tap port of one VM is used to serve tenant 1, and one Tap port of the other VM is used to serve tenant 2.
The virtual machines in ClusterB connect to the Layer 2 switch L2Switch through the second network forwarding layer. The second network forwarding layer comprises physical NICs eth0 and eth1, logical NIC bond0 and logical bridges br100 and br200. On Host2, eth0 and eth1 are bonded into bond0; bond0 has two logical NIC sub-interfaces, bond0.100 and bond0.200, where bond0.100 serves tenant 1 and bond0.200 serves tenant 2. bond0.100 connects to logical bridge br100 and bond0.200 connects to logical bridge br200. br100 connects to the two virtual machines serving tenant 1, and br200 connects to the one virtual machine serving tenant 2. On Host3, eth0 and eth1 are likewise bonded into bond0; bond0 has two logical NIC sub-interfaces, bond0.100 and bond0.200, where bond0.100 serves tenant 1 and bond0.200 serves tenant 2. bond0.100 connects to logical bridge br100 and bond0.200 connects to logical bridge br200. br100 connects to the one virtual machine serving tenant 1, and br200 connects to the two virtual machines serving tenant 2.
The virtual firewalls on the virtual machines in ClusterA connect to the trunk port of the Layer 2 switch L2Switch through the first network forwarding layer. The first network forwarding layer comprises physical NICs eth0 and eth1, logical NIC bond0 and logical bridge br0. On Host1, eth0 and eth1 are bonded into bond0, and bond0 connects to logical bridge br0. br0 connects to the Tap interfaces of the virtual machines running the virtual firewalls that serve tenant 1 and tenant 2, respectively.
IP addresses are allocated to the resource devices of the tenants.
The private IP address of the Tap port on Host1 serving tenant 1 is set to 192.188.60.1.
The private IP addresses of all virtual machines of tenant 1 in ClusterB are set to 192.188.60.2, 192.188.60.3 and 192.188.60.4, respectively.
The private IP address of the Tap port on Host1 serving tenant 2 is set to 192.188.61.1. The private IP addresses of all virtual machines of tenant 2 in ClusterB are set to 192.188.61.2, 192.188.61.3 and 192.188.61.4, respectively.
The private IP addresses of the two Tap ports on Host1 that connect to the external Network and serve tenant 1 and tenant 2 simultaneously are set to 192.188.63.1 and 192.188.63.2, respectively.
When the virtual machine VM of tenant 1 located on Host2, whose IP address is 192.188.60.2, is about to send a packet to the Network, the virtual firewall of tenant 1 located on Host1 recognizes from the packet's tag that the packet belongs to its monitoring range, and processes the packet according to the virtual firewall's default interception rules.
Fig. 3 is a schematic diagram of the deployment architecture according to the third embodiment of the present invention.
The scenario this deployment architecture suits is one in which a tenant needs an independent transparent security system (IPS, AV, etc.), and in which tenant identification depends on the security system rather than on the virtualization platform.
As shown in Fig. 3, the north-south traffic security protection deployment system in the cloud computing network comprises: a first server cluster ClusterA and a second server cluster ClusterB, a Layer 2 switch L2Switch and a Layer 3 switch L3Switch.
Suppose the current cloud computing platform provides service to two tenants. For the sake of clarity, in Fig. 3 the oval outlines denote resources that serve tenant 1, the rectangular outlines denote resources that serve tenant 2, and the trapezoidal outlines denote resources shared by tenant 1 and tenant 2.
ClusterB comprises two physical servers, Host2 and Host3. On Host2, tenant 1 occupies two virtual machines (VMs) and tenant 2 occupies one VM. On Host3, tenant 1 occupies one VM and tenant 2 occupies two VMs.
The physical server Host1 in ClusterA runs two VMs, and each VM runs one virtual firewall VFW (Virtual Firewall). The two VFWs jointly monitor the VMs of tenant 1 and the VMs of tenant 2 in ClusterB. Each VM has two logical NIC Tap ports; one Tap port of one VM is used to serve tenant 1, and one Tap port of the other VM is used to serve tenant 2.
The virtual machines in ClusterB connect to the Layer 2 switch L2Switch through the second network forwarding layer. The second network forwarding layer comprises physical NICs eth0 and eth1, logical NIC bond0 and logical bridges br100 and br200. On Host2, eth0 and eth1 are bonded into bond0; bond0 has two logical NIC sub-interfaces, bond0.100 and bond0.200, where bond0.100 serves tenant 1 and bond0.200 serves tenant 2. bond0.100 connects to logical bridge br100 and bond0.200 connects to logical bridge br200. br100 connects to the two virtual machines serving tenant 1, and br200 connects to the one virtual machine serving tenant 2. On Host3, eth0 and eth1 are likewise bonded into bond0; bond0 has two logical NIC sub-interfaces, bond0.100 and bond0.200, where bond0.100 serves tenant 1 and bond0.200 serves tenant 2. bond0.100 connects to logical bridge br100 and bond0.200 connects to logical bridge br200. br100 connects to the one virtual machine serving tenant 1, and br200 connects to the two virtual machines serving tenant 2.
The virtual firewalls on the virtual machines in ClusterA connect to the trunk port of the Layer 2 switch L2Switch through the first network forwarding layer. The first network forwarding layer comprises physical NICs eth0 and eth1, logical NIC bond0 and logical bridge br0. On Host1, eth0 and eth1 are bonded into bond0, and bond0 connects to logical bridge br0. br0 connects to the Tap interfaces of the virtual machines running the virtual firewalls that serve tenant 1 and tenant 2, respectively.
The Layer 3 switch connects to a physical firewall, and a routing gateway and NAT are configured on this Layer 3 switch.
IP addresses are allocated to the resource devices of the tenants.
The private IP addresses of all virtual machines of tenant 1 in ClusterB are set to 192.188.60.2, 192.188.60.3 and 192.188.60.4, respectively.
The private IP addresses of all virtual machines of tenant 2 in ClusterB are set to 192.188.61.2, 192.188.61.3 and 192.188.61.4, respectively.
When the virtual machine VM of tenant 1 located on Host2, whose IP address is 192.188.60.2, is about to send a packet to the Network, the virtual firewall of tenant 1 located on Host1 recognizes from the packet's tag that the packet belongs to its monitoring range, and processes the packet according to the virtual firewall's default interception rules.
Fig. 4 is a schematic diagram of the deployment architecture according to the fourth embodiment of the present invention.
The scenario this deployment architecture suits is one in which a tenant does not need an independent security system with routing capability but only security protection features; multiple tenants share one security system, tenant identification and isolation depend on the security system, and the security system is provided in the form of a virtual machine.
As shown in Fig. 4, the north-south traffic security protection deployment system in the cloud computing network comprises: a first server cluster ClusterA and a second server cluster ClusterB, a Layer 2 switch L2Switch and a Layer 3 switch L3Switch.
Suppose the current cloud computing platform provides service to two tenants. For the sake of clarity, in Fig. 4 the oval outlines denote resources that serve tenant 1, the rectangular outlines denote resources that serve tenant 2, and the trapezoidal outlines denote resources shared by tenant 1 and tenant 2.
ClusterB comprises two physical servers, Host2 and Host3. On Host2, tenant 1 occupies two virtual machines (VMs) and tenant 2 occupies one VM. On Host3, tenant 1 occupies one VM and tenant 2 occupies two VMs.
The physical server in ClusterA runs one VM, and this VM runs one virtual firewall VFW (Virtual Firewall), which monitors the VMs of tenant 1 and the VMs of tenant 2 in ClusterB. Inside the VFW, two logical firewall units are partitioned, each logical firewall unit corresponding to one tenant.
The virtual machines in ClusterB connect to the Layer 2 switch L2Switch through the second network forwarding layer. The second network forwarding layer comprises physical NICs eth0 and eth1, logical NIC bond0 and logical bridges br100 and br200. On Host2, eth0 and eth1 are bonded into bond0; bond0 has two logical NIC sub-interfaces, bond0.100 and bond0.200, where bond0.100 serves tenant 1 and bond0.200 serves tenant 2. bond0.100 connects to logical bridge br100 and bond0.200 connects to logical bridge br200. br100 connects to the two virtual machines serving tenant 1, and br200 connects to the one virtual machine serving tenant 2. On Host3, eth0 and eth1 are likewise bonded into bond0; bond0 has two logical NIC sub-interfaces, bond0.100 and bond0.200, where bond0.100 serves tenant 1 and bond0.200 serves tenant 2. bond0.100 connects to logical bridge br100 and bond0.200 connects to logical bridge br200. br100 connects to the one virtual machine serving tenant 1, and br200 connects to the two virtual machines serving tenant 2.
The virtual firewall on the virtual machine in ClusterA connects to the trunk port of the Layer 2 switch L2Switch through the first network forwarding layer. The first network forwarding layer comprises physical NICs eth0 and eth1 and logical NIC bond0. In ClusterA, eth0 and eth1 are bonded into bond0, and bond0 connects to the logical firewall units serving tenant 1 and tenant 2, respectively.
IP addresses are allocated to the resource devices of the tenants.
The private IP addresses of all virtual machines of tenant 1 in ClusterB are set to 192.188.60.2, 192.188.60.3 and 192.188.60.4, respectively.
The private IP addresses of all virtual machines of tenant 2 in ClusterB are set to 192.188.61.2, 192.188.61.3 and 192.188.61.4, respectively.
When the virtual machine VM of tenant 1 located on Host2, whose IP address is 192.188.60.2, is about to send a packet to the Network, the virtual firewall for tenant 1 located on Host1 recognizes from the packet's tag that the packet belongs to its monitoring range, and processes the packet according to the virtual firewall's default interception rules.
Fig. 5 is a schematic diagram of the deployment architecture according to the fifth embodiment of the invention.
This deployment architecture is suited to the scenario in which tenants do not need their own independent security system with a routing function but do need security protection features. Multiple tenants then share one security system, tenant identification and isolation depend on that security system, and the security system is provided in hardware form.
As shown in Fig. 5, the north-south traffic security protection deployment system in a cloud computing system comprises: the first server cluster ClusterA, a hardware firewall arranged in the three-layer switch L3Switch, and the Layer 2 switch L2Switch.
Suppose that the current cloud computing platform serves two tenants. For the sake of clarity, in Fig. 5 an oval outline represents resources serving tenant 1, a rectangular outline represents resources serving tenant 2, and a trapezoidal outline represents resources shared by tenant 1 and tenant 2.
ClusterB comprises two physical servers, Host2 and Host3. On Host2, tenant 1 occupies two virtual machines VM and tenant 2 occupies 1 virtual machine VM. On Host3, tenant 1 occupies 1 virtual machine VM and tenant 2 occupies 2 virtual machines VM.
The virtual machines in ClusterB connect to the Layer 2 switch L2Switch through the second network forwarding. The second network forwarding comprises the physical network cards eth0 and eth1, the logic network interface card bond0 and the logic bridges br100 and br200. On Host2, the physical network cards eth0 and eth1 are bound to the logic network interface card bond0; bond0 has two logic network interface card sub-interfaces, bond0.100 and bond0.200, where bond0.100 serves tenant 1 and bond0.200 serves tenant 2. bond0.100 connects to the logic bridge br100, and bond0.200 connects to the logic bridge br200. br100 connects to the 2 virtual machines serving tenant 1, and br200 connects to the 1 virtual machine serving tenant 2. On Host3, the physical network cards eth0 and eth1 are bound to the logic network interface card bond0; bond0 has two logic network interface card sub-interfaces, bond0.100 and bond0.200, where bond0.100 serves tenant 1 and bond0.200 serves tenant 2. bond0.100 connects to the logic bridge br100, and bond0.200 connects to the logic bridge br200. br100 connects to the 1 virtual machine serving tenant 1, and br200 connects to the 2 virtual machines serving tenant 2.
Two logic firewall units are partitioned inside the hardware firewall host1, each logic firewall unit corresponding to one tenant and monitoring the communication between that tenant's virtual machines VM in ClusterB and the Network.
The hardware firewall connects to the trunk port of the Layer 2 switch L2Switch through the first network forwarding. The first network forwarding comprises the physical network cards eth0 and eth1, which connect respectively to the logic firewall units.
IP addresses are assigned to the resource devices of the tenants.
The private IP addresses configured for all virtual machines of tenant 1 in ClusterB are respectively: 192.188.60.2; 192.188.60.3; 192.188.60.4.
The private IP addresses configured for all virtual machines of tenant 2 in ClusterB are respectively: 192.188.61.2; 192.188.61.3; 192.188.61.4.
When the virtual machine VM of tenant 1 located on Host2, whose IP address is 192.188.60.2, sends a message toward the Network, and the logic firewall unit of tenant 1 located on Host1 recognizes from the message's tag that the message falls within its monitoring range, the message is processed according to the default interception rule of the logic firewall unit.
Fig. 6 is a schematic diagram of the deployment architecture according to the sixth embodiment of the invention.
This deployment architecture is suited to the scenario in which tenants do not need their own independent transparent security system but do need security protection features. Multiple tenants then share one security system, tenant identification and isolation depend on that security system, and the security system is provided in hardware form.
As shown in Fig. 6, the north-south traffic security protection deployment system in a cloud computing system comprises: the first server cluster ClusterA, a hardware firewall, the Layer 2 switch L2Switch and the three-layer switch L3Switch.
Suppose that the current cloud computing platform serves two tenants. For the sake of clarity, in Fig. 6 an oval outline represents resources serving tenant 1, a rectangular outline represents resources serving tenant 2, and a trapezoidal outline represents resources shared by tenant 1 and tenant 2.
ClusterB comprises two physical servers, Host2 and Host3. On Host2, tenant 1 occupies two virtual machines VM and tenant 2 occupies 1 virtual machine VM. On Host3, tenant 1 occupies 1 virtual machine VM and tenant 2 occupies 2 virtual machines VM.
The virtual machines in ClusterB connect to the Layer 2 switch L2Switch through the second network forwarding. The second network forwarding comprises the physical network cards eth0 and eth1, the logic network interface card bond0 and the logic bridges br100 and br200. On Host2, the physical network cards eth0 and eth1 are bound to the logic network interface card bond0; bond0 has two logic network interface card sub-interfaces, bond0.100 and bond0.200, where bond0.100 serves tenant 1 and bond0.200 serves tenant 2. bond0.100 connects to the logic bridge br100, and bond0.200 connects to the logic bridge br200. br100 connects to the 2 virtual machines serving tenant 1, and br200 connects to the 1 virtual machine serving tenant 2. On Host3, the physical network cards eth0 and eth1 are bound to the logic network interface card bond0; bond0 has two logic network interface card sub-interfaces, bond0.100 and bond0.200, where bond0.100 serves tenant 1 and bond0.200 serves tenant 2. bond0.100 connects to the logic bridge br100, and bond0.200 connects to the logic bridge br200. br100 connects to the 1 virtual machine serving tenant 1, and br200 connects to the 2 virtual machines serving tenant 2.
Two logic firewall units are partitioned inside the hardware firewall host1, each logic firewall unit corresponding to one tenant and monitoring the communication between that tenant's virtual machines VM in ClusterB and the Network.
The hardware firewall comprises the physical network cards eth0 and eth1. The physical network card eth0 connects to the trunk port of the Layer 2 switch L2Switch, and the physical network card eth1 connects respectively to the physical network cards eth0 and eth1 of the physical servers in ClusterB.
The trunk interface of the Layer 2 switch L2Switch connects to the three-layer switch L3Switch, and the three-layer switch L3Switch connects to the Network.
IP addresses are assigned to the resource devices of the tenants.
The private IP addresses configured for all virtual machines of tenant 1 in ClusterB are respectively: 192.188.60.2; 192.188.60.3; 192.188.60.4.
The private IP addresses configured for all virtual machines of tenant 2 in ClusterB are respectively: 192.188.61.2; 192.188.61.3; 192.188.61.4.
When the virtual machine VM of tenant 1 located on Host2, whose IP address is 192.188.60.2, sends a message toward the Network, and the logic firewall unit of tenant 1 located on Host1 recognizes from the message's tag that the message falls within its monitoring range, the message is processed according to the default interception rule of the logic firewall unit.
It should be understood that the above embodiments of the present invention serve only to exemplify or explain the principle of the invention and are not to be construed as limiting it. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the invention shall fall within the protection scope of the invention. In addition, the claims of the present invention are intended to cover all changes and modifications that fall within the scope and boundary of the claims or within the equivalents of that scope and boundary.

Claims (10)

1. A north-south traffic security protection deployment system in a cloud computing system, characterized in that it comprises: virtual machines occupied by tenants, a virtual firewall for monitoring the communication between the virtual machines occupied by the current tenant and the Network, a first network forwarding and a second network forwarding;
the first network forwarding is configured to determine the source of a received message by identifying the message's label; if the source is a virtual machine, it forwards the message to the virtual firewall corresponding to the tenant of the current virtual machine and sends the message processed by that virtual firewall to the Network through the Layer 2 switch and the three-layer switch; if the source is the Network, it forwards the message to the virtual firewall indicated by the message's label and sends the message processed by that virtual firewall to the second network forwarding through the Layer 2 switch;
the second network forwarding is configured, upon receiving a message from the Network, to determine the tenant to which the message belongs by identifying the message's label and to deliver the message to the virtual machine corresponding to the tenant indicated by the label; it is further configured to forward messages sent by virtual machines to the Layer 2 switch.
2. The system according to claim 1, characterized in that the first network forwarding and the virtual firewall run on a first server cluster, and the second network forwarding and the virtual machines run on a second server cluster.
3. The system according to claim 2, characterized in that the second network forwarding comprises physical network cards, a logic network interface card and logic bridges;
the second server cluster comprises multiple physical servers; the same physical server comprises multiple said physical network cards, which are bound to the same said logic network interface card; this logic network interface card has as many logic network interface card sub-interfaces as there are tenants on the current physical server; each sub-interface connects to one said logic bridge, and each logic bridge connects to one or more virtual machines of the same tenant running on the current physical server.
4. The system according to claim 2, characterized in that the first network forwarding comprises physical network cards, a logic network interface card and logic bridges;
the physical server of the first server cluster has multiple said physical network cards, which are bound to the same said logic network interface card; in addition to the sub-interfaces in one-to-one correspondence with the tenants, this logic network interface card has a sub-interface that receives messages coming from the Network; each sub-interface connects to one said logic bridge, and each logic bridge connects to the virtual firewall of its corresponding tenant.
5. The system according to claim 3, characterized in that the first network forwarding comprises physical network cards, a logic network interface card and a logic bridge;
the physical server of the first server cluster has multiple said physical network cards, which are bound to the same said logic network interface card; this logic network interface card connects to the logic bridge, and the logic bridge connects respectively to the Tap interfaces of the virtual machines running the virtual firewall.
6. The system according to claim 5, characterized in that, when the virtual firewall operates in routing mode, a VLAN and a gateway are configured inside the virtual firewall.
7. The system according to claim 5, characterized in that, when the virtual firewall operates in transparent mode, the three-layer switch connects to a hardware firewall, and a routing gateway and NAT are configured on the three-layer switch.
8. The system according to claim 3, characterized in that:
the physical server of the first server cluster runs one virtual machine, and this virtual machine runs virtual firewalls in one-to-one correspondence with the tenants;
the first network forwarding comprises physical network cards and a logic network interface card;
the physical server of the first server cluster has multiple said physical network cards, which are bound to the same said logic network interface card, and this logic network interface card connects to the virtual firewall corresponding to each tenant.
9. A north-south traffic security protection deployment system in a cloud computing system, characterized in that it comprises: virtual machines occupied by tenants and a hardware firewall for monitoring the communication between the virtual machines occupied by the current tenant and the Network;
the hardware firewall is deployed in the three-layer switch; the hardware firewall internally comprises logic firewall units in one-to-one correspondence with the tenants; each logic firewall unit connects to a physical network card respectively, and this physical network card connects to the Layer 2 switch;
the virtual machines run on a second server cluster; the second server cluster comprises multiple physical servers; the same physical server comprises multiple said physical network cards, which are bound to the same said logic network interface card; this logic network interface card has as many logic network interface card sub-interfaces as there are tenants on the current physical server; each sub-interface connects to one said logic bridge, and each logic bridge connects to one or more virtual machines of the same tenant running on the current physical server.
10. A north-south traffic security protection deployment system in a cloud computing system, characterized in that it comprises: virtual machines occupied by tenants and a hardware firewall for monitoring the communication between the virtual machines occupied by the current tenant and the Network;
the virtual machines run on a server cluster; the server cluster comprises multiple physical servers; the same physical server comprises multiple said physical network cards, which are bound to the same said logic network interface card; this logic network interface card has as many logic network interface card sub-interfaces as there are tenants on the current physical server; each sub-interface connects to one said logic bridge, and each logic bridge connects to one or more virtual machines of the same tenant running on the current physical server;
the hardware firewall internally comprises logic firewall units in one-to-one correspondence with the tenants; each logic firewall unit connects respectively to the physical network cards placed in the hardware firewall; some of these physical network cards connect to the physical network cards of the server cluster running the virtual machines, and some are connected to the Network through the Layer 2 switch and the three-layer switch.
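The tag-based steering of claims 1 and 3, worked through as an added Python example that is not the patent's own code: the label (VLAN tag) selects the tenant's logic firewall unit, that unit applies its default interception rule, and the second network forwarding hands the message to the tenant's logic bridge. Assumptions not on the page: frames are 802.1Q-tagged IPv4/TCP, VLAN 100 and 200 stand for bond0.100 and bond0.200, the default interception rule is a destination-port allowlist, and a tag-versus-subnet consistency check is added so that a mis-tagged message is never inspected under another tenant's policy; the tenant subnets follow the address plan in the description.

```python
import ipaddress
import struct

# VLAN tag -> (tenant, logic bridge, tenant subnet). Subnets follow the page's
# address plan; mapping VLAN 100/200 to bond0.100/bond0.200 is an assumption.
TENANTS = {
    100: ("tenant1", "br100", ipaddress.ip_network("192.188.60.0/24")),
    200: ("tenant2", "br200", ipaddress.ip_network("192.188.61.0/24")),
}
# Constructed default interception rule of each logic firewall unit:
# TCP destination ports the unit lets through in either direction.
DEFAULT_RULES = {"tenant1": {80, 443}, "tenant2": {443}}


def build_frame(vlan: int, src: str, dst: str, dst_port: int) -> bytes:
    """Construct a minimal 802.1Q-tagged IPv4/TCP frame (sample input only)."""
    eth = b"\x00" * 12 + b"\x81\x00" + struct.pack("!H", vlan) + b"\x08\x00"
    tcp = struct.pack("!HH", 40000, dst_port) + b"\x00" * 16
    ip = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )
    return eth + ip + tcp


def parse_frame(frame: bytes):
    """Return (vlan_id, src_ip, dst_ip, dst_port); raise on an unusable frame."""
    if len(frame) < 42 or frame[12:14] != b"\x81\x00" or frame[16:18] != b"\x08\x00":
        raise ValueError("untagged or non-IPv4 frame, tenant cannot be identified")
    vlan_id = struct.unpack("!H", frame[14:16])[0] & 0x0FFF  # strip PCP/DEI bits
    ip = frame[18:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 4:
        raise ValueError("truncated transport header")
    src = ipaddress.ip_address(ip[12:16])
    dst = ipaddress.ip_address(ip[16:20])
    dst_port = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    return vlan_id, src, dst, dst_port


def second_network_forwarding(vlan_id: int, dst) -> str:
    """Deliver a message from the Network to the bridge of the tagged tenant."""
    _tenant, bridge, _subnet = TENANTS[vlan_id]
    return f"bond0.{vlan_id} -> {bridge} -> VM {dst}"


def first_network_forwarding(frame: bytes, origin: str) -> str:
    """Steer one message as claim 1 describes; origin is "vm" or "network".

    Returns the forwarding decision as a string so it can be logged or asserted.
    """
    try:
        vlan_id, src, dst, dst_port = parse_frame(frame)
    except ValueError as exc:
        return f"drop: {exc}"
    if vlan_id not in TENANTS:
        return f"drop: no logic firewall unit for VLAN {vlan_id}"
    tenant, _bridge, subnet = TENANTS[vlan_id]
    # Added consistency check: the tag chose the unit, so the tenant-side
    # address must belong to that tenant's subnet (VM source on the way out,
    # VM destination on the way in); otherwise the message is dropped.
    tenant_side = src if origin == "vm" else dst
    if tenant_side not in subnet:
        return f"drop: {tenant_side} outside {tenant} subnet {subnet} (tag/IP mismatch)"
    if dst_port not in DEFAULT_RULES[tenant]:
        return f"drop: {tenant} unit rejects port {dst_port}"
    if origin == "vm":
        return f"{tenant}: forward via L2Switch -> L3Switch -> Network"
    return f"{tenant}: forward via L2Switch -> {second_network_forwarding(vlan_id, dst)}"


if __name__ == "__main__":
    # Tenant 1 VM 192.188.60.2 on Host2 sending toward the Network, as in the text.
    print(first_network_forwarding(build_frame(100, "192.188.60.2", "8.8.8.8", 443), "vm"))
    # Tenant 1 address carrying tenant 2's tag: dropped by the consistency check.
    print(first_network_forwarding(build_frame(200, "192.188.60.2", "8.8.8.8", 443), "vm"))
```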
CN201510574191.7A 2015-09-10 2015-09-10 North-south flow safety protection system in cloud computing network Pending CN105245504A (en)

Publications (1)

Publication Number Publication Date
CN105245504A true CN105245504A (en) 2016-01-13

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160113