CN105827629B - Software-defined secure traffic steering device in a cloud computing environment and its implementation method - Google Patents


Info

Publication number
CN105827629B
Authority
CN
China
Legal status
Active (as listed by Google Patents; not a legal conclusion)
Application number
CN201610285832.1A
Other languages
Chinese (zh)
Other versions
CN105827629A (en)
Inventor
毕江
周旭辉
王燕清
李程
李伏琼
翟林
Current Assignee
Individual
Original Assignee
Individual
Application filed by Individual
Priority to CN201610285832.1A
Publication of CN105827629A
Application granted
Publication of CN105827629B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0263 Rule management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a software-defined secure traffic steering device in a cloud computing environment, comprising: a management platform, which provides a security steering policy configuration interface through which an administrator configures security steering policies; a management module, which receives the security steering policy file and builds a steering policy table from its contents; a traffic identification module, which receives and identifies the mirrored service traffic and pre-processes the identified traffic; a traffic processing module, which performs secondary processing on the pre-processed traffic; a traffic sending module, which sends the traffic after secondary processing to a designated port, where it is received by an external device; and a data statistics module, which counts all service traffic and sends the statistics to the management module, which in turn sends them to the management platform. The invention can mirror service traffic flexibly and on demand, is more reliable, and realizes software-defined secure traffic steering.

Description

Software-defined secure traffic steering device in a cloud computing environment and its implementation method
Technical field
The invention belongs to the field of information security technology and relates to the mirroring, monitoring, statistics and analysis of service traffic in a cloud computing environment, and in particular to a software-defined secure traffic steering device in a cloud computing environment and its implementation method.
Background technology
With the large-scale construction of data centers and the large-scale application of virtualization technology, cloud computing has become the first choice for current IT support systems, because it maximizes the advantages of virtualization and keeps the data center stable, continuously available and efficient.
The core of cloud computing is virtualization technology, which includes computing resource virtualization, storage resource virtualization, security resource virtualization and network resource virtualization. Among these, network resource virtualization is increasingly important because it is the tie that connects computing resource virtualization, storage resource virtualization and security resource virtualization.
Two key concepts of network resource virtualization are OVS and OpenFlow.
OVS is the abbreviation of Open vSwitch, an open-source virtual switch. It is software deployed on the server that implements data exchange in a cloud computing environment. OVS has a traffic mirroring function: with a mirror command, the service traffic of the ports connected to a business system can be mirrored to a specific port, and a business system connected to that port can collect all of the mirrored traffic.
OpenFlow is an open protocol and also an important component of OVS. Through the OpenFlow protocol the control function of data forwarding can be realized: for a specific access relation, a path that the traffic must pass through is specified, which is called steering.
Cloud computing technology provides strong support for the flexible allocation, on-demand adjustment and fast recovery of business system resources, greatly improving operations and maintenance efficiency, saving system deployment time and reducing workload.
However, cloud computing technology also has some problems. For example, security devices that operate normally in a traditional business system cannot recognize VXLAN packet headers, and therefore cannot be deployed, when network virtualization uses VXLAN to migrate virtual business systems across regions; the boundary of a business system disappears in a cloud computing environment, so security control cannot be enforced at the boundary; and the traffic of a business system is forwarded inside OVS, so security detection devices cannot find security problems inside OVS.
In addition, the data acquired by the OVS mirror command contains duplicates, which doubles network traffic and affects network performance; the data mirrored by the OVS mirror command is strongly tied to the network interface, so the data obtained from one interface may contain the information of several business systems, some of which is not needed for security analysis, and the flexibility of mirroring is poor.
Summary of the invention
The object of the present invention is to provide a software-defined secure traffic steering device in a cloud computing environment and its implementation method, which solve the following problems: 1) in a cloud computing environment the physical topology and the business logical topology boundaries are inconsistent, so the service traffic required for security monitoring cannot be obtained; 2) conventional security monitoring cannot monitor east-west service traffic in a cloud computing environment, and in specific business environments it cannot select, at fine granularity, the portion of a large volume of service traffic that does not need to pass through a security device; 3) the mirroring feature of physical switches cannot meet the topology requirements of security monitoring and security devices, namely on-demand, complex mirroring of traffic from multiple sources to multiple different destinations; 4) conventional security monitoring schemes lack a unified traffic management and control framework driven by security monitoring demand, with which the mirroring rules for all traffic and all security monitoring devices in the whole network can be defined and controlled by software on demand.
To achieve the above object, the present invention provides the following technical solution: a software-defined secure traffic steering device in a cloud computing environment, comprising:
a management platform, which provides a security steering policy configuration interface through which an administrator configures security steering policies;
a management module, which receives the security steering policy file issued by the management platform over the CWCP protocol and builds a steering policy table from its contents;
a traffic identification module, which receives and identifies the mirrored service traffic and pre-processes the identified traffic according to the steering policies in the steering policy table;
a traffic processing module, which performs secondary processing, according to the steering policy table, on the service traffic pre-processed by the traffic identification module;
a traffic sending module, which sends the service traffic after secondary processing by the traffic processing module to a designated port, where it is received by the external device connected to that port;
a data statistics module, which counts all mirrored service traffic and sends the statistics to the management module in active (push) or passive (pull) mode; the management module then sends the statistical information to the management platform.
In addition, the present invention provides a method for implementing secure traffic steering based on the above software-defined secure traffic steering device, comprising the following steps:
(1) the administrator configures the security steering policy for service traffic through the security steering policy configuration interface of the management platform;
(2) the management platform issues the security steering policy file to the management module over the CWCP protocol;
(3) the management module builds the steering policy table from the received security steering policy file;
(4) on the blade server or PC server, the OVS mirror command is invoked to mirror all service traffic to the traffic identification module;
(5) the traffic identification module receives all mirrored service traffic, identifies it, pre-processes the identified traffic according to the steering policies in the steering policy table, and sends the pre-processed traffic to the traffic processing module;
(6) the traffic processing module performs secondary processing on the received service traffic according to the steering policy table and then sends it to the traffic sending module;
(7) the traffic sending module sends the received service traffic to the specified external device and shares the service traffic send queue with the data statistics module;
(8) the data statistics module counts, merges and stores the data in the service traffic send queue;
(9) the data statistics module pushes statistical information to the management module in active or passive mode, and the management module reports it to the management platform;
(10) based on the statistical information, the management platform globally monitors the network topology, business topology, access relations between business domains, access traffic and deployment state of security measures in the cloud environment.
Further, the identification of service traffic is realized by reading the source MAC, destination MAC, VLAN_ID, source IP, source port, destination IP, destination port and protocol of the service traffic packets.
Further, the traffic processing module performs secondary processing on the service traffic according to the content defined in the Actions field of the steering policy table.
Still further, secondary processing of service traffic includes modifying packet fields, setting the packet send queue, setting the packet send rate and setting multiple destination addresses for the packet.
The software-defined secure traffic steering device and its implementation method of the present invention have the following beneficial effects:
1) the mirrored service traffic data is decoupled from the network platform, so the service traffic of a business domain can be mirrored flexibly on demand;
2) the mirroring process, the identification process and the mirror policy configuration process are decoupled from the operation, forwarding and statistics of the mirrored service traffic, adding finer-grained control means and making the system more controllable;
3) there are more mirroring choices: complex service traffic can be screened by IP, port and protocol, and the expected actions can be set according to business objectives, realizing software-defined secure traffic steering;
4) service traffic information is counted in real time, helping operations staff quickly find traffic and security problems and locate business fault points.
Description of the drawings
Fig. 1 is the deployment diagram of the software-defined secure traffic steering device in a cloud computing environment of the present invention.
Fig. 2 is the overall architecture diagram of the software-defined secure traffic steering device in a cloud computing environment of the present invention.
Fig. 3 is the processing flowchart of service traffic.
Fig. 4 is the overall processing flowchart of the software-defined secure traffic steering device in a cloud computing environment of the present invention.
Detailed description
The present invention is further explained below with reference to the drawings and embodiments; the content of the embodiments does not limit the scope of protection of the present invention.
In a cloud computing environment, to meet the needs of security monitoring and security detection of service traffic, the service traffic must be mirrored and the mirrored traffic sent to external security devices for security detection and security audit.
In complex service applications, some protocols occupy a large amount of service bandwidth yet carry no security risk themselves; the security risk lies in the outer framework that carries such traffic. Take video playback: the video stream itself carries no security risk, but the video rendering component does. The video rendering component is usually embedded in the page as a frame and transmitted over HTTP, while the played content is transmitted separately over a streaming media protocol. When dealing with the security risk, one can therefore consider filtering out the streaming media protocol that carries the video. Many similar scenarios exist. Therefore, to reduce processing load and improve working efficiency, the mirrored service traffic needs software-defined secure steering.
As shown in Fig. 1, the software-defined secure traffic steering device of the present invention is deployed on a blade server or PC server in the cloud computing environment and connected to the server's OVS. The other business systems deployed on the blade server, such as business system 1, business system 2 and business system 3, are also connected to the OVS, which completes the information exchange between the different business systems.
By invoking the traffic mirroring function of OVS with the mirror command, the service traffic of business system 1, business system 2 and business system 3 in the OVS kernel is mirrored to the software-defined secure traffic steering device of the present invention, which performs secure steering of the mirrored traffic.
As shown in Fig. 2, the software-defined secure traffic steering device in a cloud computing environment of the present invention comprises a management platform, a management module, a traffic identification module, a traffic processing module, a traffic sending module and a data statistics module. Where,
the management platform provides the security steering policy configuration interface through which the administrator configures security steering policies, and issues the security steering policy file to the management module over the CWCP protocol; the management module builds the steering policy table from the content of the security steering policy file.
The CWCP protocol is the key to decoupling the physical network, the business network and the service traffic. Through its protocol design, it achieves on-demand filtering, demand-driven operation and real-time statistics for security monitoring, solving many problems of service traffic mirroring in current cloud computing environments.
The packet format of the CWCP protocol is as follows (the format figure is not reproduced in the text; its fields are listed below). Where:
The VLAN_ID field matches the VLAN information in the layer-2 header of the packet;
the SRC_MAC field matches the source MAC address in the layer-2 header of the packet;
the DST_MAC field matches the destination MAC address in the layer-2 header of the packet;
the SRC_IP field matches the source IP address in the layer-3 header of the packet;
the SRC_PORT field matches the source port in the layer-4 header of the packet;
the DST_IP field matches the destination IP address in the layer-3 header of the packet;
the DST_PORT field matches the destination port in the layer-4 header of the packet;
the Protocol field matches the protocol information in the layer-3 header of the packet;
the Priority field sets the priority level of the current policy;
the Actions field sets the actions applied to packets that match the rule;
the Counters field counts the packets that match the rule.
The Actions field holds the operations applied to the packet. The operations currently supported are: removing or modifying the VLAN information of the packet, modifying the MAC information of the packet, modifying the IP address information of the packet, discarding the packet, copying the packet, sending the packet to a specific address, sending the packet to multiple specific addresses, setting the packet send rate, and setting the packet QoS.
When the administrator configures a security steering policy through the configuration interface of the management platform, the characteristics of the service traffic to be steered are filled into CWCP packets and sent to the management module. The management module locally generates the steering policy table from the received steering policy information, for the traffic identification module to use.
The traffic identification module receives and identifies the mirrored service traffic and pre-processes the identified traffic according to the steering policies in the steering policy table. Specifically, the OVS mirror command mirrors the service traffic of each business system to the traffic identification module, which does the matching and forwarding pre-processing for the service traffic.
In the present invention, service traffic is identified by reading the source MAC, destination MAC, VLAN_ID, source IP, source port, destination IP, destination port and protocol of the packet. After the mirrored service traffic enters the software-defined secure traffic steering device, the traffic identification module reads the packet headers of the mirrored traffic to identify it.
The traffic identification module matches each mirrored packet against the rule entries of the steering policy table one by one, from top to bottom, and processes a packet that matches a rule entry with the action set in that entry's Actions field; if no rule entry matches, the packet is handled according to the default processing policy.
The traffic processing module performs secondary processing, according to the steering policy table, on the service traffic pre-processed by the traffic identification module. Specifically, it performs secondary processing on the matched traffic according to the content defined in the Actions field of the steering policy table. The traffic processing module may include an execution module, which modifies the relevant information of the service traffic according to the action information. The content the execution module can modify includes the destination IP address and destination MAC address of the traffic, the send rate of the traffic, the VLAN tag, and removal of an existing VLAN tag.
The traffic sending module sends the service traffic after secondary processing by the traffic processing module to a designated port, where it is received by the external device connected to that port.
The data statistics module counts all mirrored service traffic and sends the statistics to the management module in active or passive mode; the management module then sends the statistical information to the management platform.
The data statistics module may include an acquisition module, which acquires, merges and formats the service traffic data and stores all data in a database in a standard unified format. The data contains the IP, port, protocol, event, packet count and traffic volume of the service traffic. Such statistics are very helpful to operations staff for finding security and traffic problems and reducing information noise. The statistics can be sent to the management module in active or passive mode, and the management module sends them to the management platform. In this way, based on the statistical information, the management platform can globally monitor the network topology, business topology, access relations between business domains, access traffic and deployment state of security measures in the cloud environment.
Specifically, as shown in Fig. 3, when matched service traffic enters the traffic processing module, the steering policy table is consulted first and the matched traffic is processed according to its content. When there is no matching entry in the steering policy table and no action is set for the matched traffic, the traffic is sent directly to the external device through the traffic sending module, and the sent traffic data is passed to the data statistics module for statistics.
When the pre-processed service traffic has matched the steering policy table and action information is set, the drop action is checked first: if the action is drop, the service traffic packet is discarded; otherwise the traffic is sent to the execution module, which modifies the relevant information of the traffic according to the action information.
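The matching and action model just described (top-down first-match lookup in the steering policy table, the drop check before any modification, copying one flow to several ports, a per-rule Counters field, and a default policy for unmatched traffic) is shown below as an added example. It is illustration written for this page, not the patent's code: the match field names follow the CWCP entry, while the class names, the action names, the port names det0 and aud0 and the sample packets are assumptions. Because the page shows both a pass-through and a drop default, the default policy is made configurable.

```python
"""Added example, not the patent's code: a steering engine modelling the policy
table, top-down first-match lookup, Actions, Counters and default policy above.
Match field names follow the CWCP entry; everything else is an assumption."""
from dataclasses import dataclass, replace
from typing import Any, List, Optional, Tuple

MATCH_FIELDS = ("vlan_id", "src_mac", "dst_mac", "src_ip", "dst_ip",
                "protocol", "src_port", "dst_port")


@dataclass(frozen=True)
class Packet:
    """Header fields the identification module reads from a mirrored frame."""
    vlan_id: Optional[int]
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    protocol: str      # "tcp", "udp", ...
    src_port: int
    dst_port: int
    size: int = 0      # bytes; only used for statistics


@dataclass
class Rule:
    """One steering policy table entry; a None match field is a wildcard."""
    priority: int
    actions: List[Tuple[str, Any]]   # e.g. [("output", ["det0", "aud0"])]
    vlan_id: Optional[int] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    protocol: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    counter: int = 0                 # Counters: packets that hit this entry

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(self, f) is None or getattr(self, f) == getattr(pkt, f)
                   for f in MATCH_FIELDS)


class SteeringEngine:
    """Identification, processing and sending modules folded into one object."""

    def __init__(self, rules: List[Rule], default_action: str = "drop"):
        # Higher Priority first; sorted() is stable, so ties keep configured order.
        self.rules = sorted(rules, key=lambda r: -r.priority)
        self.default_action = default_action            # "drop" or "pass"
        self.send_queue: List[Tuple[str, Packet]] = []  # shared with statistics

    def process(self, pkt: Packet) -> List[Tuple[str, Packet]]:
        """Top-down lookup, first hit wins; returns the (port, packet) pairs sent."""
        for rule in self.rules:
            if rule.matches(pkt):
                rule.counter += 1
                return self._apply(rule.actions, pkt)
        # No entry matched: fall back to the default policy.
        return [] if self.default_action == "drop" else self._emit(["default"], pkt)

    def _apply(self, actions, pkt):
        # As in Fig. 3, a drop is decided before any modification is made.
        if any(name == "drop" for name, _ in actions):
            return []
        ports: List[str] = []
        for name, arg in actions:
            if name == "set_vlan":
                pkt = replace(pkt, vlan_id=arg)
            elif name == "strip_vlan":
                pkt = replace(pkt, vlan_id=None)
            elif name in ("set_dst_ip", "set_dst_mac"):
                pkt = replace(pkt, **{name[4:]: arg})
            elif name == "output":       # one or several destination ports
                ports.extend(arg)
            else:
                raise ValueError(f"unsupported action {name!r}")
        return self._emit(ports, pkt)

    def _emit(self, ports, pkt):
        sent = [(port, pkt) for port in ports]   # one copy per listed port
        self.send_queue.extend(sent)
        return sent


def build_demo_engine() -> SteeringEngine:
    """Policies in the spirit of the page's example: drop streaming and FTP,
    copy traffic to key server 1.1.1.1 to a detection port and an audit port,
    default drop. Port names det0/aud0 are assumptions."""
    rules = [
        Rule(100, [("drop", None)], protocol="tcp", dst_port=554),   # RTSP
        Rule(100, [("drop", None)], protocol="tcp", dst_port=21),    # FTP control
        Rule(50, [("set_vlan", 200), ("output", ["det0", "aud0"])], dst_ip="1.1.1.1"),
    ]
    return SteeringEngine(rules, default_action="drop")


def run_demo():
    """Runs three constructed packets through the engine; returns the results."""
    eng = build_demo_engine()

    def mk(dst_ip, proto, dport, size):
        return Packet(100, "02:00:00:00:00:01", "02:00:00:00:00:02",
                      "10.0.0.10", dst_ip, proto, 40000, dport, size)

    http_to_key = eng.process(mk("1.1.1.1", "tcp", 80, 500))  # copied to det0, aud0
    ftp_to_key = eng.process(mk("1.1.1.1", "tcp", 21, 100))   # FTP drop outranks copy
    other = eng.process(mk("10.0.0.5", "udp", 53, 60))        # no match: default drop
    return eng, http_to_key, ftp_to_key, other
```

Because lookup stops at the first hit, the relative Priority of a drop rule and a copy rule decides whether a flow to the key server that also uses a dropped protocol is discarded or copied; the demo gives the drop rules the higher priority, so FTP to 1.1.1.1 never reaches the detection and audit ports.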
Meanwhile the acquisition module is responsible for service traffics carrying out data acquisition, merger and formatting, and by all data In the database with the unified format storage of specification.Data contain the IP of service traffics, port, agreement, event, data packet The information such as number, uninterrupted.This kind of statistical information finds safety problem, traffic issues for auxiliary operation maintenance personnel, reduces information Noise has very great help effect.Statistical information can be sent in a manner of actively or passively to management module, management module Statistical information is sent to the management platform.In this way, the management platform can be based on the statistical information global monitoring Access relation, flowing of access and safety measure deployable state between the network topology of cloud environment, service topology, business domains.
In the present invention, statistical information is sent to the management platform by the management module by CWMP agreements.
The data packet format of CWMP agreements is as follows:
.Wherein,
The VLAN_ID field records the VLAN information in the layer-2 header of the packet;
the SRC_MAC field records the source MAC address in the layer-2 header of the packet;
the DST_MAC field records the destination MAC address in the layer-2 header of the packet;
the SRC_IP field records the source IP address in the layer-3 header of the packet;
the SRC_PORT field records the source port in the layer-4 header of the packet;
the DST_IP field records the destination IP address in the layer-3 header of the packet;
the DST_PORT field records the destination port in the layer-4 header of the packet;
the Protocol field records the protocol information in the layer-3 header of the packet;
the Packets field records the number of packets transmitted;
the Sizes field records the size of the packets transmitted;
the Con_time field records the connection duration.
From the statistics, the management platform can display the connection status and access situation of the current business domains globally, which helps operations staff with troubleshooting and global monitoring.
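As an added example (not the patent's code), the statistics step is shown below: entries taken from the shared send queue are merged on the CWMP key fields into per-connection records carrying Packets, Sizes and Con_time; the per-IP and per-subnet totals that the overall processing flow lists are derived from those records; and the records can be delivered in active (push) or passive (pull) mode. The record layout as a dictionary, the timestamps on queue entries, the packet-rate derivation and the sample queue are assumptions.

```python
"""Added example, not the patent's code: a statistics module that merges the
packets on the shared send queue into CWMP-style records (Packets, Sizes,
Con_time per connection) and derives per-IP and per-subnet totals from them.
Record layout, timestamps and the sample queue are assumptions."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

# Key fields of a CWMP record, in the order the page lists them.
KEY_FIELDS = ("VLAN_ID", "SRC_MAC", "DST_MAC", "SRC_IP", "SRC_PORT",
              "DST_IP", "DST_PORT", "Protocol")


@dataclass
class FlowRecord:
    packets: int = 0
    sizes: int = 0            # bytes
    first_seen: float = 0.0   # seconds; assumed stamped by the sending module
    last_seen: float = 0.0

    @property
    def con_time(self) -> float:
        return self.last_seen - self.first_seen

    @property
    def packet_rate(self) -> float:
        return self.packets / self.con_time if self.con_time > 0 else float(self.packets)


class StatisticsModule:
    """Counts, merges and stores flow data; reports in push or pull mode."""

    def __init__(self):
        self.flows: Dict[tuple, FlowRecord] = {}

    def count(self, ts: float, hdr: dict, size: int) -> None:
        key = tuple(hdr[f] for f in KEY_FIELDS)        # merge on the full CWMP key
        rec = self.flows.get(key)
        if rec is None:
            rec = self.flows[key] = FlowRecord(first_seen=ts, last_seen=ts)
        rec.packets += 1
        rec.sizes += size
        rec.first_seen = min(rec.first_seen, ts)
        rec.last_seen = max(rec.last_seen, ts)

    def drain(self, queue: Iterable[Tuple[float, dict, int]]) -> int:
        n = 0
        for ts, hdr, size in queue:
            self.count(ts, hdr, size)
            n += 1
        return n

    def cwmp_records(self) -> List[dict]:
        """Passive mode: the management module calls this to pull the records."""
        return [dict(zip(KEY_FIELDS, key), Packets=r.packets, Sizes=r.sizes,
                     Con_time=r.con_time) for key, r in self.flows.items()]

    def push(self, sink: Callable[[List[dict]], None]) -> int:
        """Active mode: deliver the records to the management module's sink."""
        records = self.cwmp_records()
        sink(records)
        return len(records)

    def per_ip(self) -> Dict[str, Tuple[int, int]]:
        """(packets, bytes) seen per single IP, as source or destination."""
        totals = defaultdict(lambda: [0, 0])
        for key, r in self.flows.items():
            for ip in (key[3], key[5]):          # SRC_IP and DST_IP
                totals[ip][0] += r.packets
                totals[ip][1] += r.sizes
        return {ip: tuple(v) for ip, v in totals.items()}

    def per_subnet(self, prefix: int = 24) -> Dict[str, Tuple[int, int]]:
        """Same totals rolled up per IP subnet of the given prefix length."""
        totals = defaultdict(lambda: [0, 0])
        for ip, (pk, by) in self.per_ip().items():
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            totals[str(net)][0] += pk
            totals[str(net)][1] += by
        return {net: tuple(v) for net, v in totals.items()}


def _hdr(src_ip, src_port, dst_ip, dst_port, proto):
    return dict(VLAN_ID=100, SRC_MAC="02:00:00:00:00:01", DST_MAC="02:00:00:00:00:02",
                SRC_IP=src_ip, SRC_PORT=src_port, DST_IP=dst_ip, DST_PORT=dst_port,
                Protocol=proto)


# Constructed sample of what the sending module leaves on the shared queue:
# (timestamp, header, payload size). Two connections, five packets.
SAMPLE_QUEUE = [
    (0.0, _hdr("10.0.0.10", 40000, "1.1.1.1", 80, "tcp"), 500),
    (0.5, _hdr("10.0.0.10", 40000, "1.1.1.1", 80, "tcp"), 500),
    (1.0, _hdr("10.0.0.11", 53001, "10.0.1.5", 53, "udp"), 60),
    (1.5, _hdr("10.0.0.11", 53001, "10.0.1.5", 53, "udp"), 60),
    (2.0, _hdr("10.0.0.10", 40000, "1.1.1.1", 80, "tcp"), 200),
]


def run_demo() -> StatisticsModule:
    stats = StatisticsModule()
    stats.drain(SAMPLE_QUEUE)
    return stats
```

Merging on the full CWMP tuple rather than on the five-tuple alone keeps flows from different VLANs or MAC pairs apart, which matters when the same private address space is reused by several business systems behind the same OVS.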
As shown in figure 4, the disposed of in its entirety flow of software definition safe flow guide device is as follows under the cloud computing environment of the present invention:
1, administrator passes through the safe water conservancy diversion plan in interactive interface in the management platform of software definition safe flow guide device Slightly configure the water conservancy diversion strategy of interface configuration service flow.Wherein it is possible to which allocating default water conservancy diversion rule is to abandon, configuration abandons video The File Transfer Protocol such as agreement, ftp agreements, configuration replicate the flow of server key 1.1.1.1 and are separately sent to detection and set It is standby with audit device (a flow is sent to two purpose equipments).
2. The management platform issues the diversion policy to the management module of the software-defined security diversion device over the CWCP protocol; the management module builds the diversion policy table from the policy it receives.
3. On the blade server or PC server, the OVS mirror command is invoked so that all service traffic is mirrored to the traffic identification module of the software-defined security diversion device.
4. The modules of the software-defined security diversion device cooperate. The traffic identification module receives all mirrored service traffic and distinguishes the individual business flows within it by their five-tuple, vlan_id and summary information; the identified flows are matched against the rules of the diversion policy table and then handed to the flow processing module.
5. The flow processing module performs secondary processing on the service traffic according to the contents of the Actions field configured in the diversion policy table and, once processing is complete, sends the traffic to the flow sending module. Mirrored traffic that fails to match any rule is discarded according to the default policy.
6. The flow sending module sends successfully matched service traffic to a specific external device, or to two external devices simultaneously (one business datum delivered to two devices), and shares the flow transmit queue with the data statistics module.
7. The data statistics module counts, merges and stores the data in the flow transmit queue. The statistics cover, for each single IP and for each IP subnet, the traffic volume, packet rate, flow size and packet size.
8. The data statistics module pushes the statistics to the management module either actively or passively (on request), and the management module reports them to the management platform.
9. Using the statistics, the management platform globally monitors the cloud environment's network topology, service topology, access relations between business domains, access traffic and the deployment state of security measures.
In a cloud computing environment, virtualization is deployed at scale, and the OVS used for network virtualization carries the traffic exchanged among all virtual service systems inside a server. The OVS mirror command can mirror the traffic of the virtual service systems, but it duplicates traffic and degrades network performance; all service traffic is mixed together; and the mirrored data includes service traffic that nobody is interested in, wasting storage space.
The software-defined security diversion device of the present invention performs secondary processing on the mirrored service traffic: a service-traffic deduplication algorithm reduces the impact of the OVS mirror command on network performance, and because the diversion policy is configured by the administrator, the required service traffic can be mirrored flexibly at fine granularity and the subsequent actions on it controlled, realising software-defined security diversion.
The above embodiments of the present invention are merely examples given to illustrate the invention clearly and do not limit its embodiments. Those of ordinary skill in the art can make other changes or variations of various forms on the basis of the above description; not every embodiment can be enumerated here. All obvious changes or variations derived from the technical solution of the present invention remain within its scope of protection.

Claims (4)

1. A software-defined security diversion device in a cloud computing environment, comprising:
a management platform, which provides a security diversion policy configuration interface through which an administrator configures the security diversion policy;
a management module, which receives the security diversion policy file issued by the management platform over the CWCP protocol and forms a diversion policy table from the contents of that file;
a traffic identification module, which receives and identifies the mirrored service traffic and pre-processes the identified service traffic using the diversion policy of the diversion policy table;
a flow processing module, which performs secondary processing, according to the diversion policy table, on the service traffic pre-processed by the traffic identification module;
a flow sending module, which sends the service traffic after secondary processing by the flow processing module to a designated port, where it is received by the external device connected to that port;
a data statistics module, which compiles statistics on all mirrored service traffic and sends them to the management module actively or passively, whereupon the management module sends the statistics to the management platform.
2. A security diversion implementation method for the software-defined security diversion device in a cloud computing environment of claim 1, comprising the following steps:
(1) the administrator configures the security diversion policy for service traffic through the security diversion policy configuration interface of the management platform;
(2) the management platform issues the security diversion policy file to the management module over the CWCP protocol;
(3) the management module builds the diversion policy table from the received security diversion policy file;
(4) on the blade server or PC server, the OVS mirror command is invoked to mirror all service traffic to the traffic identification module;
(5) the traffic identification module receives all mirrored service traffic, identifies it, pre-processes the identified service traffic using the diversion policy of the diversion policy table, and sends the pre-processed service traffic to the flow processing module;
(6) the flow processing module performs secondary processing on the incoming service traffic according to the diversion policy table and, once processing is complete, sends the service traffic to the flow sending module;
(7) the flow sending module sends the received service traffic to the designated external device and shares the service traffic transmit queue with the data statistics module;
(8) the data statistics module counts, merges and stores the data in the service traffic transmit queue;
(9) the data statistics module pushes the statistics to the management module actively or passively, and the management module reports them to the management platform;
(10) based on the statistics, the management platform globally monitors the network topology, service topology, access relations between business domains, access traffic and security-measure deployment state of the cloud computing environment.
3. The security diversion implementation method of claim 2, characterised in that service traffic is identified by reading the source MAC, destination MAC, VLAN_ID, source IP, source port, destination IP, destination port and protocol of the service traffic data packet.
4. The security diversion implementation method of claim 3, characterised in that the flow processing module performs secondary processing on service traffic according to the content defined in the Actions field of the diversion policy table.
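The pipeline of steps 2-9 in the description and of claims 1-4 above, as an added example that is not code from the patent or its inventors. It models the traffic identification module reading MAC addresses, VLAN_ID and the 5-tuple from raw frames (claim 3), a deduplication step for the doubled traffic the description attributes to the OVS mirror command, a diversion policy table whose Actions field names one or two external devices or drops, the default-drop policy of step 5, and the per-IP and per-subnet statistics of step 7. The rule format, the device names "waf" and "ids", the SHA-256 content digest used for deduplication, the /24 subnet grouping and every frame are assumptions of this example; the CWCP protocol and the OVS mirror configuration are not modelled.

```python
"""Added example (not code from the patent): a minimal model of the software-defined security
diversion pipeline of steps 2-9 and claims 1-4. Mirrored frames are identified (MAC, VLAN_ID,
5-tuple), deduplicated, matched against a diversion policy table whose Actions forward to one
or two external devices or drop, and counted per IP and per subnet. All frames, rules and
device names are constructed; the CWCP protocol and OVS itself are out of scope."""
import hashlib
import ipaddress
import struct
from collections import defaultdict, namedtuple
ETH_VLAN, ETH_IPV4, PROTO_TCP, PROTO_UDP = 0x8100, 0x0800, 6, 17
Rule = namedtuple("Rule", "match actions")  # match: subset of identify() keys (*_ip may be CIDR)
                                            # actions: one or two device names, or [] = explicit drop

def identify(frame):
    """Traffic identification (claim 3): src/dst MAC, VLAN_ID, IPv4 5-tuple; None if unclassifiable."""
    if len(frame) < 14:
        return None
    dst_mac, src_mac, (ethertype,) = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])
    off, vlan_id = 14, None
    if ethertype == ETH_VLAN and len(frame) >= 18:              # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, off = tci & 0x0FFF, 18
    if ethertype != ETH_IPV4 or len(frame) < off + 20:
        return None
    ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
    src_ip = str(ipaddress.IPv4Address(frame[off + 12:off + 16]))
    dst_ip = str(ipaddress.IPv4Address(frame[off + 16:off + 20]))
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= off + ihl + 4:
        sport, dport = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
    return dict(src_mac=src_mac.hex(":"), dst_mac=dst_mac.hex(":"), vlan_id=vlan_id, src_ip=src_ip,
                dst_ip=dst_ip, proto=proto, sport=sport, dport=dport, size=len(frame))

def rule_matches(rule, flow):
    for key, want in rule.match.items():
        have = flow.get(key)
        if key.endswith("_ip"):
            if have is None or ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif have != want:
            return False
    return True

class DiversionDevice:
    def __init__(self, policy_table):
        self.policy_table, self.seen, self.dropped = policy_table, set(), 0
        self.sent = defaultdict(list)           # flow sending module: device -> frames
        # data statistics per single IP and per /24 subnet (no packet rate: frames carry no timestamps)
        self.stats = defaultdict(lambda: dict(packets=0, bytes=0, max_packet=0))

    def process(self, frame):
        digest = hashlib.sha256(frame).digest()
        if digest in self.seen:                 # dedup: the description says OVS mirroring doubles traffic
            return "dup"
        self.seen.add(digest)
        flow = identify(frame)
        if flow is not None:
            self._account(flow)
            for rule in self.policy_table:      # first matching rule wins
                if rule_matches(rule, flow):
                    for device in rule.actions: # one datum may go to two devices at once
                        self.sent[device].append(frame)
                    return "forward" if rule.actions else self._drop()
        return self._drop()                     # unclassifiable or unmatched: default policy drops

    def _drop(self):
        self.dropped += 1
        return "drop"

    def _account(self, flow):
        subnet = str(ipaddress.ip_network(flow["src_ip"] + "/24", strict=False))
        for key in (flow["src_ip"], subnet):
            s = self.stats[key]
            s["packets"] += 1
            s["bytes"] += flow["size"]
            s["max_packet"] = max(s["max_packet"], flow["size"])

def build_frame(src_ip, dst_ip, proto, sport, dport, vlan_id=None, payload=b""):
    """Constructed test frame: dst MAC, src MAC, optional 802.1Q tag, IPv4 header, L4 ports."""
    eth = bytes.fromhex("0a0000000002") + bytes.fromhex("0a0000000001")
    tag = struct.pack("!HHH", ETH_VLAN, vlan_id, ETH_IPV4) if vlan_id is not None else struct.pack("!H", ETH_IPV4)
    l4 = struct.pack("!HH", sport, dport) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + tag + ip + l4

POLICY_TABLE = [   # constructed diversion policy table; device names "waf"/"ids" are assumptions
    Rule({"vlan_id": 100, "proto": PROTO_TCP, "dport": 80}, ["waf", "ids"]),  # web -> two devices
    Rule({"src_ip": "10.1.0.0/16"}, ["ids"]),                                  # subnet -> IDS only
    Rule({"dst_ip": "10.9.9.9/32"}, []),                                       # explicit drop
]

def demo():
    dev = DiversionDevice(POLICY_TABLE)
    http = build_frame("10.1.2.3", "10.2.0.1", PROTO_TCP, 40000, 80, vlan_id=100, payload=b"GET /")
    frames = [http, http,                                                    # second copy is a dup
              build_frame("10.1.5.5", "10.2.0.2", PROTO_UDP, 53000, 53, vlan_id=200),
              build_frame("192.168.1.1", "10.2.0.3", PROTO_TCP, 1234, 22)]   # matches no rule
    return dev, [dev.process(f) for f in frames]
```

`demo()` returns the device and the per-frame verdicts: the HTTP frame is forwarded to both "waf" and "ids", its second copy is discarded as a duplicate, the DNS frame from the 10.1.0.0/16 subnet goes to "ids" only, and the unmatched SSH frame is dropped by the default policy. On the OVS side, the mirror that step 3 refers to is created with the documented `ovs-vsctl` form, for example `ovs-vsctl -- --id=@p get port eth1 -- --id=@m create mirror name=m0 select-all=true output-port=@p -- set bridge br0 mirrors=@m`, which sends every frame on the bridge to the output port; the first thing the device then has to do with that feed is exactly what `process()` does before matching.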
CN201610285832.1A 2016-05-04 2016-05-04 Software definition safe flow guide device and its implementation under cloud computing environment Active CN105827629B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610285832.1A CN105827629B (en) 2016-05-04 2016-05-04 Software definition safe flow guide device and its implementation under cloud computing environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610285832.1A CN105827629B (en) 2016-05-04 2016-05-04 Software definition safe flow guide device and its implementation under cloud computing environment

Publications (2)

Publication Number Publication Date
CN105827629A CN105827629A (en) 2016-08-03
CN105827629B true CN105827629B (en) 2018-08-03

Family

ID=56528988

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610285832.1A Active CN105827629B (en) 2016-05-04 2016-05-04 Software definition safe flow guide device and its implementation under cloud computing environment

Country Status (1)

Country Link
CN (1) CN105827629B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106100999B (en) * 2016-08-28 2019-05-24 北京瑞和云图科技有限公司 Mirrored network traffic control method in a virtualized network environment
CN106375384B (en) * 2016-08-28 2019-06-18 北京瑞和云图科技有限公司 Management system and control method for mirrored network traffic in a virtual network environment
CN106533838B (en) * 2016-11-30 2019-12-10 国云科技股份有限公司 Service characteristic time-series packet acquisition method for cloud platforms
CN107342926A (en) * 2017-06-13 2017-11-10 国家计算机网络与信息安全管理中心 Method for fast matching and distribution of multi-service traffic
CN110912731B (en) * 2019-10-29 2022-07-26 广州丰石科技有限公司 NFV-based system and method for service identification and topology analysis using DPI
CN111026525B (en) * 2019-10-30 2024-02-13 安天科技集团股份有限公司 Scheduling method and device for virtual diversion technology on a cloud platform
CN111031091B (en) * 2019-10-30 2022-10-21 安天科技集团股份有限公司 Automatic adaptation method and device for virtual diversion technology on a cloud platform

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8613089B1 (en) * 2012-08-07 2013-12-17 Cloudflare, Inc. Identifying a denial-of-service attack in a cloud-based proxy service
CN104301321A (en) * 2014-10-22 2015-01-21 北京启明星辰信息技术股份有限公司 Method and system for achieving distributed network safety protection
CN104378298A (en) * 2013-08-16 2015-02-25 中兴通讯股份有限公司 Flow table entry generating method and corresponding device
CN104579810A (en) * 2013-10-23 2015-04-29 中兴通讯股份有限公司 Flow sampling method and system for software-defined network

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Software-defined security services in cloud environments (云环境中软件定义的安全服务); He Liwen et al.; Journal of Nanjing University of Posts and Telecommunications (南京邮电大学学报); 2014-08-30; full text *
Solving security deployment problems in cloud environments through virtual traffic diversion (通过虚拟导流突破云环境安全部署问题); Li Zhi, Li Xiaoshuang; Designing Techniques of Posts and Telecommunications (邮电设计技术); 2016-01-30; full text *

Also Published As

Publication number Publication date
CN105827629A (en) 2016-08-03

Similar Documents

Publication Publication Date Title
CN105827629B (en) Software definition safe flow guide device and its implementation under cloud computing environment
US10367736B2 (en) Extended tag networking
EP3151470B1 (en) Analytics for a distributed network
CN105493450B (en) Method and system for dynamically detecting service anomalies in a network
CN106375384B (en) Management system and control method for mirrored network traffic in a virtual network environment
US8804747B2 (en) Network interface controller for virtual and distributed services
US8837288B2 (en) Flow-based network switching system
CN103765839B (en) Variable-based forwarding path construction for packet processing within a network device
US10992536B2 (en) Method and apparatus to control anycast traffic using a software defined network controller
CN104954367B (en) Omnidirectional cross-domain DDoS attack defence method for the Internet
CN107690776A (en) Method and apparatus for grouping features into bins with selectable bin boundaries for anomaly detection
CN101442442A (en) Management apparatus, control apparatus, management control apparatus and router system
CN109714238A (en) Method and apparatus for implementing inter-virtual-machine communication
CN104125214B (en) Security architecture system and security controller for implementing software-defined security
EP3854033B1 (en) Packet capture via packet tagging
CN105515998B (en) Method and system for interworking between the layer-3 domain and layer-2 domain of an SPTN domain
US10868728B2 (en) Graph-based network management
CN108833305A (en) Virtual network architecture of a host
CN111049747A (en) Intelligent virtual network path planning method for large-scale container cluster
CN112769785A (en) Network integration depth detection device and method based on rack switch equipment
Tang et al. Elephant Flow Detection Mechanism in SDN‐Based Data Center Networks
Liatifis et al. Fault-tolerant SDN solution for cybersecurity applications
KR102207289B1 (en) Method, apparatus and computer program for avoiding DDoS attacks using a software-defined network
CN108696398A (en) Communication loopback fault detection method and device in a kind of communication network
CN110719259A (en) Data processing method and video networking system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant