CN106302466A - Firewall management method and system - Google Patents

Firewall management method and system

Info

Publication number: CN106302466A
Application number: CN201610679647.0A
Authority: CN (China)
Prior art keywords: request, firewall, virtual router, module, virtual
Legal status: Granted; active
Other languages: Chinese (zh)
Other versions: CN106302466B (en)
Inventor: 刘鑫
Current assignee: Neusoft Corp
Original assignee: Neusoft Corp
Events: application filed by Neusoft Corp; priority to CN201610679647.0A; publication of CN106302466A; application granted; publication of CN106302466B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention provides a firewall management method and system. The system includes a virtual router plugin module, an FWaaS plugin proxy module, a firewall driver module and a security management module. The security management module selects a configurable compute node from a secure resource pool according to the creation demand information sent by the virtual router plugin module, and creates a virtual router in the form of a virtual machine on the selected compute node. The security management module is further configured to receive the firewall security rule configuration information and the identification information of the selected virtual router sent by the firewall driver module, to look up the virtual router according to the identification information, and to write the firewall security rule configuration information into the virtual router found. The method and the system provided by the invention are based on the same technical idea; therefore both can dynamically create virtual routers with firewall functionality according to the actual demands of different users.

Description

Firewall management method and system
Technical field
Embodiments of the present invention relate to the field of firewall technology, and in particular to a firewall management method and system based on the OpenStack cloud platform.
Background art
OpenStack is an open-source cloud computing framework that provides simple-to-implement, massively scalable, rich and standardized unified cloud computing management services. OpenStack is being included in the product lines of an increasing number of cloud computing vendors, who have one after another launched OpenStack-based cloud computing products.
Because OpenStack is a cloud computing framework, its security solution is especially important. Although OpenStack provides a firewall component (Firewall as a Service, FWaaS), this security solution is immature: its functionality is very simple and it lacks the specialized security capabilities of a next-generation firewall.
At present, the firewall implementation in OpenStack realizes the virtual router on the basis of Linux namespace technology, and the virtual router carries firewall functionality based on iptables. In this scheme, a packet delivered from the physical network card of the host to the virtual router must pass through the virtual switch and the virtual port device on the namespace; the bandwidth of the virtual port device and of the virtual switch therefore becomes the limiting factor for the traffic bandwidth of the virtual router. Once the virtual port device and the virtual switch have been configured, their port bandwidth cannot be adjusted dynamically, so it is difficult to meet the dynamically changing north-south network traffic demands of multiple users.
Summary of the invention
Embodiments of the present invention provide a firewall management method based on the OpenStack cloud platform, which can dynamically create virtual routers with firewall functionality according to the actual demands of different users, and can dynamically manage the virtual routers of a user.
In addition, embodiments of the present invention provide a firewall management system, which ensures that the above method is applied and realized in practice.
A first aspect of the embodiments of the present invention provides a firewall management system, which includes:
a virtual router plugin module, an FWaaS plugin proxy module, a firewall driver module and a security management module;
wherein the virtual router plugin module is configured to receive a first request, the first request being a request to create a virtual router, to parse the first request to obtain creation demand information for the virtual router, and to send the creation demand information to the security management module;
the FWaaS plugin proxy module is configured to receive a second request, the second request being a request to create a firewall, and to send the second request to the firewall driver module;
the firewall driver module is configured to parse the second request to obtain firewall security rule configuration information and identification information of the selected virtual router, and to send the firewall security rule configuration information and the identification information to the security management module;
the security management module is configured to select a configurable compute node from a secure resource pool according to the creation demand information and to create a virtual router in the form of a virtual machine on the compute node; and to look up the virtual router according to the identification information and write the firewall security rule configuration information into the virtual router found.
Optionally, the virtual router is further configured to support advanced security defense functions of the firewall;
and the security management module is further configured to receive a third request and to uniformly control the advanced security defense functions of the user's virtual routers according to the third request, the third request being a management request for the advanced security defense functions of the firewall.
Optionally, the advanced security defense functions include one or more of the following:
anti-virus, distributed denial-of-service protection, unified threat management (UTM), and wire-speed anti-spam.
Optionally, the virtual router is implemented using single-root I/O virtualization (SR-IOV) technology supported by the network card.
Optionally, the virtual router plugin module is further configured to:
receive a fourth request and send the fourth request to the security management module, the fourth request being an operation request for a virtual router and carrying the identification information of the virtual router to be operated on and a first operation type, the first operation type being delete or update;
and the security management module is further configured to:
look up the corresponding virtual router according to the identification information carried in the fourth request, and perform the corresponding operation on the virtual router found according to the first operation type.
Optionally, the FWaaS plugin proxy module is further configured to:
receive a fifth request and send the fifth request to the firewall driver module, the fifth request being an operation request for a firewall and carrying the correspondence between the firewall to be operated on and its virtual router, and a second operation type, the second operation type being delete or update;
the firewall driver module is further configured to:
parse the fifth request to obtain the correspondence and the second operation type, and send the correspondence and the second operation type to the security management module;
and the security management module is further configured to:
find the corresponding virtual router according to the correspondence, and perform the corresponding operation on the firewall in the virtual router found according to the second operation type.
Optionally, the creation demand information includes one or more of the following in combination:
throughput, CPU, memory or bandwidth.
A second aspect of the embodiments of the present invention provides a firewall management method, which includes:
receiving a first request and parsing the first request to obtain creation demand information for a virtual router, the first request being a request to create a virtual router;
selecting a configurable compute node from a secure resource pool according to the creation demand information, and creating a virtual router in the form of a virtual machine on the compute node;
receiving a second request, the second request being a request to create a firewall;
parsing the second request to obtain firewall security rule configuration information and identification information of the selected virtual router;
looking up the virtual router according to the identification information, and writing the firewall security rule configuration information into the virtual router found.
Optionally, the virtual router is further configured to support advanced security defense functions of the firewall, and the method further includes:
receiving a third request and uniformly controlling the advanced security defense functions of the user's virtual routers according to the third request, the third request being a management request for the advanced security defense functions of the firewall.
Optionally, the advanced security defense functions include one or more of the following:
anti-virus, distributed denial-of-service protection, unified threat management (UTM), and wire-speed anti-spam.
Optionally, the virtual router is implemented using single-root I/O virtualization (SR-IOV) technology supported by the network card.
Optionally, the method further includes:
receiving a fourth request and sending the fourth request to the security management module, the fourth request being an operation request for a virtual router and carrying the identification information of the virtual router to be operated on and a first operation type, the first operation type being delete or update;
looking up the corresponding virtual router according to the identification information carried in the fourth request, and performing the corresponding operation on the virtual router found according to the first operation type.
Optionally, the method further includes:
receiving a fifth request, the fifth request being an operation request for a firewall and carrying the correspondence between the firewall to be operated on and its virtual router, and a second operation type, the second operation type being delete or update;
parsing the fifth request to obtain the correspondence and the second operation type;
finding the corresponding virtual router according to the correspondence, and performing the corresponding operation on the firewall in the virtual router found according to the second operation type.
Optionally, the creation demand information includes one or more of the following in combination:
throughput, CPU, memory or bandwidth.
Compared with the prior art, the technical solution provided by the present invention has the following advantages:
The technical solution provided by the embodiments of the present invention addresses the problem in the prior art that a firewall cannot be customized dynamically according to the actual demands of a user, so that user demands cannot be met. It proposes a firewall management system in which a security management module uniformly manages the compute nodes of a secure resource pool: according to the creation demand information proposed by the user, it selects a configurable compute node from the secure resource pool and creates a virtual router in the form of a virtual machine on that compute node; the security management module then configures a firewall on the virtual router selected by the user, so as to realize the packet filtering function of the firewall.
It can be seen that the technical solution provided by the embodiments of the present invention gives the user a channel for dynamically customizing a firewall: the user can determine the creation demand information of the virtual router according to actual needs, so that a virtual router meeting those demands is dynamically customized, and a firewall meeting the demands is then created on that virtual router.
Furthermore, the embodiments of the present application also propose, on the basis of SR-IOV technology, enabling the virtual machine to transmit and receive packets directly from the physical network card, bypassing the bandwidth restriction of the virtual switch and the virtual port and giving full play to the high-performance characteristics of the virtual machine.
Furthermore, the embodiments of the present application also propose deploying the virtual router in the form of a virtual machine, so that the virtual router can carry advanced security defense functions.
Brief description of the drawings
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a structural diagram of a firewall management system provided by an embodiment of the present invention;
Fig. 2 is a diagram of an example application scenario of a firewall management system provided by an embodiment of the present invention;
Fig. 3 is a hardware structure diagram of a firewall management system provided by an embodiment of the present invention;
Fig. 4 is a flow chart of a firewall management method provided by an embodiment of the present invention.
Detailed description of the invention
The idea of the present invention is explained first.
The prior art realizes the virtual router on a namespace, and the virtual router carries the packet filtering function of the firewall (the basic defense function of a firewall). This approach is not user-oriented: it cannot take the different demands of different users into account, and cannot support the dynamic, on-demand management of a user's firewall.
To address the problem in the prior art that a firewall cannot be customized dynamically according to the user's actual demands, so that user demands cannot be met, the present invention proposes a firewall management system. This system is user-oriented and gives the user a channel for determining creation demands: a security management module uniformly manages the compute nodes of a secure resource pool, selects a configurable compute node from the pool according to the creation demand information proposed by the user, and creates a virtual router in the form of a virtual machine on that compute node; the security management module then configures a firewall on the virtual router selected by the user, so as to realize the packet filtering function of the firewall. In this way the system can manage a user's virtual routers dynamically and on demand.
Through research, the inventor found that the namespace of the prior art is an operating-system-level container technology of Linux, whereas a high-performance firewall is specialized equipment with rich advanced security defense functions and specialized security capabilities. When firewall vendors develop these functions, the particularity and complexity of their hardware and software platforms mean that the advanced security defense functions can hardly be grafted directly onto a Linux system, and therefore cannot be grafted directly onto a Linux namespace. On this basis, the inventor proposes the technical solution of realizing the virtual router and the firewall by virtual machine technology.
The firewall management method provided by the present invention is also realized on the basis of the above technical idea, and can achieve the same technical effect.
To make those skilled in the art better understand the technical solutions of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
The firewall management system provided by the present invention is explained first with reference to Fig. 1.
Referring to Fig. 1, which is a structural diagram of a firewall management system provided by an embodiment of the present invention, the system may include a virtual router plugin module 101, an FWaaS plugin proxy module 102, a firewall driver module 103 and a security management module 104. The functions of these modules and the connections between them are explained below on the basis of the operating principle of the system.
The virtual router plugin module 101 is configured to receive a first request, parse the first request to obtain the creation demand information of a virtual router, and send the creation demand information to the security management module 104. The first request is a request to create a virtual router and carries at least the creation demand information of the virtual router.
When using the system, the user triggers an operation to create a virtual router in the user interface provided by the system and determines the creation demand information of the virtual router. The creation demand information here may be any one or more items of performance requirement information such as the throughput, CPU, memory and bandwidth of the virtual router. According to the user's operation on the user interface, the system generates the first request, which carries the creation demand information of the virtual router.
In the user interface provided by the system, the user determines on which virtual router the firewall is to be created and determines the firewall security rule configuration information, which may include: source IP, destination IP, source port, destination port and action (allow or deny). According to the user's operation on the user interface, the system generates a second request carrying the firewall security rule configuration information and the identification information of the selected virtual router. The second request is processed by the FWaaS plugin proxy module.
The FWaaS plugin proxy module 102 is configured to receive the second request and send it to the firewall driver module 103; the second request is a request to create a firewall. The firewall driver module 103 is configured to parse the second request to obtain the firewall security rule configuration information and the identification information of the selected virtual router, and to send the firewall security rule configuration information and the identification information to the security management module 104. It should be noted that the FWaaS plugin proxy module in this application is a plugin implemented according to the requirements that OpenStack places on a firewall component.
The security management module 104 is configured to select a configurable compute node from the secure resource pool according to the creation demand information and to create a virtual router in the form of a virtual machine on that compute node; the security management module is further configured to look up the virtual router according to the identification information and to write the firewall security rule configuration information into the virtual router found.
It should be noted here that the security management module of this system can, when implemented, realize the creation, deletion, update and other processing of virtual routers by calling the OpenStack Nova API.
Furthermore, the inventor also considered that OpenStack is still under development and its various mechanisms are not yet mature enough, so that its firewall settings remain at the packet filtering function only. In practical applications, however, user demands on a firewall are not limited to packet filtering; there are also more advanced firewall demands. Therefore, in order to further promote the development of OpenStack and meet user demands for advanced firewall defense functions, the inventor also proposes a preferred solution, explained below with reference to Fig. 2.
Referring to Fig. 2, which is a diagram of an example application scenario of a firewall management system provided by an embodiment of the present invention: in the scenario shown in Fig. 2, the security management module of the firewall management system provides a control channel for the advanced security defense functions, and through this control channel the user can control the advanced security defense functions of the virtual router.
In implementation, the advanced security defense functions of the firewall are added to the virtual router. Advanced security defense functions here refer to security defense functions other than packet filtering, such as the security functions of a next-generation firewall: anti-virus (AV), protection against distributed denial of service (DDoS), unified threat management (UTM) and wire-speed anti-spam.
On the basis of the above virtual router configuration, the security management module 104 is further configured to:
receive a third request and uniformly control the advanced security defense functions of the user's virtual routers according to the third request, the third request being a management request for the advanced security defense functions of the firewall.
If the security management module is deployed separately on a server, that server provides the user interface, on which the user can trigger the third request. For example, the user selects the relevant virtual router on the interface together with the advanced security defense functions that need to be enabled; the third request generated by the server then contains the information of the selected virtual router and of the advanced security defense functions to be enabled, and the security management module can uniformly control the advanced security defense functions of the user's virtual routers according to the third request.
The system thus provides the user with a channel for actively controlling the advanced security defense functions, can meet the different demands of different users, and offers the user a better user experience.
Furthermore, the inventor also considered that in the prior-art scheme of realizing the virtual router on the basis of a namespace, a packet is delivered from the physical network card of the host to the virtual router through the virtual switch and the virtual port device on the namespace; the bandwidth of the virtual switch and of the virtual port device on the namespace therefore directly limits the bandwidth of the virtual router, and once the virtual switch in the namespace has been installed and configured, the bandwidth of its ports can no longer be adjusted dynamically, so the scheme cannot adapt to the changing north-south network traffic of multiple high-throughput users. The inventor therefore proposes the following scheme:
In implementation, the virtual router is configured to support single-root I/O virtualization (SR-IOV) of the network card. This SR-IOV virtual network card technology enables the firewall virtual machine to read packets directly from the physical network card, bypassing the bandwidth limits of the virtual switch and the virtual port; this greatly improves the bandwidth of the firewall and makes it possible to adapt to the changing north-south network traffic of multiple high-throughput users.
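The bandwidth claim above rests on the physical function of the compute node's NIC actually exposing and enabling virtual functions. The following check, an added example that is not part of the patent, reads the standard Linux sysfs attributes sriov_totalvfs and sriov_numvfs for an interface; the sysfs root is a parameter and the constructed tree builder exists only so the check can run offline.

```python
"""Readiness check for placing an SR-IOV virtual router on a compute node (added
example, not Neusoft's code).  Reads the standard Linux sysfs PCI attributes
sriov_totalvfs / sriov_numvfs under /sys/class/net/<iface>/device."""
import os
import tempfile


def sriov_status(iface, sysfs_root="/sys/class/net"):
    """Return (total_vfs, enabled_vfs); (0, 0) when the NIC or driver lacks SR-IOV."""
    dev = os.path.join(sysfs_root, iface, "device")

    def read_int(name):
        try:
            with open(os.path.join(dev, name)) as f:
                return int(f.read().strip() or 0)
        except (FileNotFoundError, NotADirectoryError, ValueError):
            return 0

    return read_int("sriov_totalvfs"), read_int("sriov_numvfs")


def can_host_sriov_router(iface, sysfs_root="/sys/class/net"):
    """A node qualifies only if the PF exposes VFs and at least one is enabled.
    total > 0 with enabled == 0 means SR-IOV is supported but switched off, so the
    router VM would have to be attached through the virtual switch the text criticizes."""
    total, enabled = sriov_status(iface, sysfs_root)
    return total > 0 and enabled > 0


def build_fake_sysfs(entries):
    """Construct a sysfs-like tree for offline use (sample data, not a real host):
    {iface: (totalvfs, numvfs)} or {iface: None} for a NIC without SR-IOV."""
    root = tempfile.mkdtemp()
    for iface, vfs in entries.items():
        dev = os.path.join(root, iface, "device")
        os.makedirs(dev)
        if vfs is not None:
            for name, value in zip(("sriov_totalvfs", "sriov_numvfs"), vfs):
                with open(os.path.join(dev, name), "w") as f:
                    f.write(f"{value}\n")
    return root
```

On a real host call `can_host_sriov_router("eth0")` with the default sysfs root; the same attributes are what a scheduler would consult before choosing a compute node for the firewall VM.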
Furthermore, the inventor also considered that after a user has deployed a virtual router on OpenStack, the demands on the virtual router may change. To make it convenient for the user to modify a deployed virtual router, the present invention also provides the following scheme:
In implementation, the virtual router plugin module 101 is further configured to:
receive a fourth request, the fourth request being an operation request for a virtual router, and send the fourth request to the security management module; the fourth request carries the identification information of the virtual router to be operated on and a first operation type, the first operation type being delete or update;
and the security management module 104 is further configured to:
look up the corresponding virtual router according to the identification information carried in the fourth request, and perform the corresponding operation on the virtual router found according to the first operation type.
Furthermore, the inventor also considered that after a user has deployed a firewall on OpenStack, the demands on the firewall may change. To make it convenient for the user to modify a deployed firewall, the present invention also provides the following scheme:
In implementation, the FWaaS plugin proxy module 102 is further configured to:
receive a fifth request, the fifth request being an operation request for a firewall, and send the fifth request to the firewall driver module; the fifth request carries the correspondence between the firewall to be operated on and its virtual router, and a second operation type, the second operation type being delete or update;
the firewall driver module 103 is further configured to:
parse the fifth request to obtain the correspondence and the second operation type, and send the correspondence and the second operation type to the security management module;
and the security management module 104 is further configured to:
find the corresponding virtual router according to the correspondence, and perform the corresponding operation on the firewall in the virtual router found according to the second operation type.
In implementation, on the user interface provided by the server where the security management module is located, the user selects the correspondence between the firewall to be operated on and the identification information of its virtual router, together with the operation type, and triggers the relevant firewall operation; the server generates the fifth request, which carries the correspondence between the firewall to be operated on and its virtual router and the second operation type, the second operation type being delete or update.
When the operation type is delete, the security management module finds, according to the correspondence carried in the received fifth request, the virtual router carrying the firewall, and then deletes the firewall in that virtual router.
When the operation type is update, the security management module finds, according to the correspondence carried in the received fifth request, the virtual router carrying the firewall, and then updates the configuration of the firewall in that virtual router according to the new configuration information carried in the fifth request.
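The first three requests described above (router creation against the secure resource pool, writing a firewall rule set into the router found by its identifier, and control of the advanced defense functions), together with the packet filtering the firewall is meant to perform, are modelled below as an added example; it is not the patent's or Neusoft's code. The in-memory pool, its node fields, the "smallest node that fits" placement policy, the default-deny behaviour and the function names are all assumptions; a real security management module would create the VM through the OpenStack Nova API instead.

```python
"""In-memory model of the patent's management system (added example, not Neusoft's code).
A real security management module would call the OpenStack Nova API to create the router
VM; the pool, its node fields and the placement policy below are assumptions."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class ComputeNode:                  # one node of the secure resource pool
    name: str
    throughput: int                 # Gbit/s
    cpu: int                        # cores
    memory: int                     # GB
    bandwidth: int                  # Gbit/s
    supports_sriov: bool = False    # needed for the SR-IOV bypass of the vswitch

SAMPLE_POOL = [ComputeNode("small", 1, 2, 4, 1),         # constructed sample values
               ComputeNode("medium", 10, 4, 8, 10, supports_sriov=True),
               ComputeNode("large", 40, 16, 64, 40, supports_sriov=True)]

@dataclass
class FirewallRule:                 # the fields the text lists for request 2
    src: "ipaddress.IPv4Network | ipaddress.IPv6Network"
    dst: "ipaddress.IPv4Network | ipaddress.IPv6Network"
    src_port: "int | None"          # None matches any port
    dst_port: "int | None"
    action: str                     # "allow" or "deny"

@dataclass
class VirtualRouter:
    router_id: str
    node: ComputeNode
    rules: list = field(default_factory=list)      # written via the FWaaS path
    advanced: set = field(default_factory=set)     # enabled advanced functions

def parse_rule(cfg):
    """Validate one firewall security rule before it is written into a router."""
    def port(v):
        if v is not None and not 0 <= int(v) <= 65535:
            raise ValueError(f"port out of range: {v}")
        return None if v is None else int(v)
    action = str(cfg["action"]).lower()
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action: {cfg['action']}")
    return FirewallRule(ipaddress.ip_network(cfg["src_ip"], strict=False),
                        ipaddress.ip_network(cfg["dst_ip"], strict=False),
                        port(cfg.get("src_port")), port(cfg.get("dst_port")), action)

def filter_packet(rules, src, dst, sport, dport):
    """Packet filtering: first match wins; no match is denied (assumed default)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst
                and r.src_port in (None, sport) and r.dst_port in (None, dport)):
            return r.action
    return "deny"

class SecurityManagementModule:
    """Unified manager of the secure resource pool and the routers placed on it."""
    def __init__(self, pool):
        self.pool, self.routers, self._seq = list(pool), {}, 0

    def select_node(self, demand):
        """Request 1: a node meeting every requested resource.  Assumed policy: the
        smallest node that fits, so high-end nodes stay free for high-end demands."""
        fits = [n for n in self.pool
                if n.throughput >= demand.get("throughput", 0)
                and n.cpu >= demand.get("cpu", 0)
                and n.memory >= demand.get("memory", 0)
                and n.bandwidth >= demand.get("bandwidth", 0)
                and (n.supports_sriov or not demand.get("sriov", False))]
        if not fits:
            raise LookupError("no node in the secure resource pool meets the demand")
        return min(fits, key=lambda n: (n.throughput, n.bandwidth, n.cpu, n.memory))

    def create_router(self, demand):
        """Request 1, continued: create the router as a VM on the chosen node."""
        self._seq += 1
        rid = f"vr-{self._seq}"
        self.routers[rid] = VirtualRouter(rid, self.select_node(demand))
        return rid

    def write_firewall(self, router_id, rule_config):
        """Request 2 (via the FWaaS driver): write validated rules into the router."""
        self.routers[router_id].rules = [parse_rule(c) for c in rule_config]
        return len(self.routers[router_id].rules)

    def control_advanced(self, router_id, functions, enable=True):
        """Request 3: enable or disable advanced defence functions on one router."""
        unknown = set(functions) - {"anti-virus", "anti-ddos", "utm", "anti-spam"}
        if unknown:
            raise ValueError(f"unsupported advanced function(s): {sorted(unknown)}")
        enabled = self.routers[router_id].advanced
        (enabled.update if enable else enabled.difference_update)(functions)
        return set(enabled)
```

A rule set is rejected as a whole when any rule has a bad action or port, so a half-written configuration never reaches the router; an IPv6 packet checked against IPv4-only rules falls through to the default deny.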
From the above description it can be seen that the system provided by the present invention has the following advantages:
(1) The system provided by the present invention addresses the problem in the prior art that a firewall cannot be dynamically customized according to the user's actual needs and therefore cannot meet the user's requirements. It proposes a security management module that manages the compute nodes of a secure resource pool in a unified way: according to the creation demand information submitted by the user, it selects a configurable compute node from the secure resource pool and creates a virtual router on that compute node in the form of a virtual machine; the security management module then configures a firewall on the virtual router selected by the user, so that the packet-filtering function of the firewall is realized. The technical solution provided by the embodiments of the present invention thus gives the user a channel for dynamically customizing a firewall: the user determines the creation demand information of the virtual router according to actual requirements, a virtual router meeting that demand is dynamically customized, and a firewall meeting the demand is then created on that virtual router. In this way the secure resource pool managed by the security management module can be regarded as the defense system for the user's north-south traffic.
Because the user can determine the creation demand information of the virtual router according to actual demand, the technical solution of the embodiments dynamically customizes a virtual router that meets that demand. When deploying the virtual machine, the security management module can dynamically choose a compute node in the secure resource pool according to the user's network requirements for north-south traffic, such as throughput and bandwidth, and deploy the virtual router on a compute node that satisfies the user's requirements; for example, if the user has high performance requirements for the virtual router, the security management module can deploy the virtual router on a high-performance compute node.
(2) Further, the system provided by the present invention is also proposed to be based on SR-IOV technology, so that the virtual machine can send and receive packets directly through the physical network card, bypassing the bandwidth limits of the virtual switch and virtual ports and giving full play to the high-performance characteristics of the virtual machine. Because such traffic does not pass through the virtual switch, any filtering performed at the virtual switch does not apply to it, which is why the packet filtering is performed inside the virtual router itself.
(3) Further, the system provided by the present invention also proposes deploying the virtual router in the form of a virtual machine, so that the virtual router can carry advanced security defense functions. The security management module manages the various advanced security defense functions of the firewalls deployed on the virtual routers in a unified way, making up for the lack of enhanced security features in the original FWaaS.
To help those skilled in the art further understand how the firewall management system provided by the present invention is deployed, the hardware deployment of the firewall management system shown in Fig. 1 is next explained with reference to Fig. 3.
Fig. 3 is a hardware architecture diagram of a firewall management system provided by an embodiment of the present invention. In the system shown in Fig. 3, the virtual router plug-in module 101, the FWaaS plug-in agent module 102 and the firewall driver module 103 are integrated in server 1, and the security management module 104 is integrated in server 2. It should be noted that the connection between server 1 and server 2 shown in Fig. 3 indicates that server 1 and server 2 can communicate either by wire or wirelessly. In addition, the security management module 104 in server 2 is used to manage the secure resource pool, which includes multiple compute nodes, where N (the number of compute nodes shown in Fig. 3) is a positive integer greater than or equal to 2.
Here a compute node is a compute node in the OpenStack cloud platform; compute nodes typically exist in hardware form, for example as servers. In actual deployment the compute nodes and the security management module can also communicate either by wire or wirelessly. The security management module manages the compute nodes: it periodically or in real time obtains performance state information of the compute nodes in the secure resource pool, such as resource size, operating performance and network state, and records this performance state information for each compute node, so that compute nodes can be configured dynamically on the basis of it.
In implementation, the security management module can periodically send query requests to the compute nodes. It can send a query request one-to-one to a particular compute node, or it can broadcast the query request to all compute nodes in the secure resource pool; a compute node responds to the query request by feeding back its own performance state information to the security management module.
Alternatively, the compute nodes in the secure resource pool can also proactively and periodically report their own performance state information to the security management module, so that the security management module learns the actual operating performance state of the compute nodes in time.
Of course, Fig. 3 is only one example. In implementation, the virtual router plug-in module 101, the FWaaS plug-in agent module 102, the firewall driver module 103 and the security management module 104 of the system provided by the present invention may also be integrated in the same server; that server then needs to provide the user with a user interface, through which the user triggers the first request and the second request.
However, the inventor considers that the security management module 104 needs to manage the secure resource pool, communicate with all compute nodes in the pool and maintain the performance state of these compute nodes, and that the operating performance of the whole system depends mainly on the operating performance of the security management module. Therefore, in order to guarantee the running performance of the security management module, it is preferable to deploy it independently in one server in the manner shown in Fig. 3, so that the whole system realizes the functions of its modules through communication between servers. Of course, in implementation the four modules of the system, namely the virtual router plug-in module 101, the FWaaS plug-in agent module 102, the firewall driver module 103 and the security management module 104, may also each be deployed independently in four separate servers.
Based on the operating principle of the above system, the present invention also provides a firewall management method, which is explained next.
Fig. 4 is a flowchart of a firewall management method provided by an embodiment of the present invention. As shown in Fig. 4, the method includes steps 401 to 405.
Step 401: Receive a first request, and parse the first request to obtain the creation demand information of a virtual router; the first request is a creation request for a virtual router.
Step 402: According to the creation demand information, select a configurable compute node from the secure resource pool, and create a virtual router on that compute node in the form of a virtual machine.
Step 403: Receive a second request; the second request is a creation request for a firewall.
Step 404: Parse the second request to obtain the firewall security rule configuration information and the identification information of the selected virtual router.
Step 405: Look up the virtual router according to the identification information, and write the firewall security rule configuration information into the virtual router found.
In implementation, optionally, the virtual router is further configured to support the advanced security defense functions of the firewall, and the method further includes:
Receiving a third request, and uniformly controlling the advanced security defense functions of the user's virtual routers according to the third request; the third request is a management request for the advanced security defense functions of the firewall.
In implementation, optionally, the advanced security defense functions include one or more of the following:
Anti-virus, distributed denial-of-service protection, UTM (unified threat management) and anti-spam.
In implementation, optionally, the virtual router is realized using the single-root I/O virtualization (SR-IOV) technology supported by the network card.
In implementation, optionally, the method further includes:
Receiving a fourth request and sending the fourth request to the security management module; the fourth request is an operation request for a virtual router, and carries the identification information of the virtual router to be operated on and a first operation type; the first operation type includes delete or update;
Looking up the corresponding virtual router according to the identification information carried in the fourth request, and performing the corresponding operation on the virtual router found according to the first operation type.
In implementation, optionally, the method further includes:
Receiving a fifth request; the fifth request is an operation request for a firewall, and carries the correspondence between the firewall to be operated on and its virtual router, together with a second operation type; the second operation type includes delete or update;
Parsing the fifth request to obtain the correspondence and the second operation type;
Finding the corresponding virtual router according to the correspondence, and performing the corresponding operation on the firewall in the virtual router found according to the second operation type.
In implementation, optionally, the creation demand information includes one or a combination of several of the following:
Throughput, CPU, memory or bandwidth.
In implementation, the method shown in Fig. 4 can be realized by the system shown in Fig. 1, where different steps may be realized by different functional modules of the system; refer to the detailed description of each functional module in Fig. 1 above, which is not repeated here.
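To make steps 401 to 405, the delete/update handling of the fourth and fifth requests described above, and the per-node performance-state records of the Fig. 3 description concrete, the following is an added Python model of the security management module's bookkeeping. It is illustrative example code, not code from the patent or from Neusoft. The request layouts, the rule fields, the node attributes, the best-fit placement policy and the function names are all assumptions of this example; the patent specifies none of them. As a check the page does not spell out, every firewall security rule is validated before any rule is written into a router, so a malformed request cannot leave a router with a half-written rule set.

```python
import ipaddress
from dataclasses import dataclass, field

ACTIONS = {"allow", "deny"}
PROTOCOLS = {"tcp", "udp", "icmp", "any"}


@dataclass
class ComputeNode:  # performance state recorded per node in the secure resource pool (assumed fields)
    name: str
    throughput_gbps: float
    bandwidth_gbps: float
    cpu_free: int
    mem_free_gb: int


@dataclass
class VirtualRouter:
    router_id: str
    node: str
    firewalls: dict = field(default_factory=dict)  # firewall id -> list of normalised rules


def validate_rule(rule):
    """Normalise one firewall security rule and reject malformed input (field names are assumed)."""
    action, proto = rule["action"].lower(), rule.get("protocol", "any").lower()
    if action not in ACTIONS or proto not in PROTOCOLS:
        raise ValueError(f"bad action or protocol in {rule}")
    # strict=True refuses prefixes with host bits set, e.g. 10.0.0.1/24
    src = ipaddress.ip_network(rule.get("source", "0.0.0.0/0"), strict=True)
    dst = ipaddress.ip_network(rule.get("destination", "0.0.0.0/0"), strict=True)
    port = rule.get("port")
    if port is not None and not (proto in ("tcp", "udp") and 1 <= int(port) <= 65535):
        raise ValueError(f"bad port for protocol {proto} in {rule}")
    return (action, proto, str(src), str(dst), port)


class SecurityManagementModule:
    def __init__(self, pool):
        self.pool = {n.name: n for n in pool}   # constructed secure resource pool
        self.routers = {}                        # router id -> VirtualRouter
        self._seq = 0

    def report_state(self, name, **state):
        """A compute node reports, or is polled for, its performance state; the record is refreshed."""
        for key, value in state.items():
            setattr(self.pool[name], key, value)

    def select_node(self, demand):
        """Step 402: every stated demand must be met; best fit keeps stronger nodes free (our policy)."""
        ok = [n for n in self.pool.values()
              if n.throughput_gbps >= demand.get("throughput", 0)
              and n.bandwidth_gbps >= demand.get("bandwidth", 0)
              and n.cpu_free >= demand.get("cpu", 0)
              and n.mem_free_gb >= demand.get("memory", 0)]
        if not ok:
            raise LookupError("no compute node satisfies the creation demand")
        return min(ok, key=lambda n: (n.throughput_gbps, n.bandwidth_gbps))

    def create_router(self, first_request):
        """Steps 401-402: parse the demand, pick a node, create the router (as a VM) on it."""
        node = self.select_node(first_request["demand"])
        self._seq += 1
        rid = f"vr-{self._seq}"
        self.routers[rid] = VirtualRouter(rid, node.name)
        return rid

    def create_firewall(self, second_request):
        """Steps 403-405: validate all rules, look up the router by id, then write the rules."""
        rules = [validate_rule(r) for r in second_request["rules"]]
        router = self.routers[second_request["router_id"]]  # KeyError (a LookupError) if unknown
        router.firewalls[second_request["firewall_id"]] = rules
        return len(rules)

    def operate_router(self, fourth_request):
        """Fourth request: delete the router, or re-place it on a node meeting a new demand."""
        rid, op = fourth_request["router_id"], fourth_request["operation"]
        router = self.routers[rid]
        if op == "update":
            router.node = self.select_node(fourth_request["demand"]).name
        elif op == "delete":
            del self.routers[rid]
        else:
            raise ValueError(f"unknown operation type {op!r}")
        return router.node if rid in self.routers else None

    def operate_firewall(self, fifth_request):
        """Fifth request: locate the router via the carried correspondence, then delete or update."""
        fw_id, rid, op = fifth_request["firewall_id"], fifth_request["router_id"], fifth_request["operation"]
        router = self.routers[rid]
        if fw_id not in router.firewalls:
            raise LookupError(f"firewall {fw_id} is not on router {rid}")
        if op == "delete":
            del router.firewalls[fw_id]
        elif op == "update":
            router.firewalls[fw_id] = [validate_rule(r) for r in fifth_request["rules"]]
        else:
            raise ValueError(f"unknown operation type {op!r}")
        return len(router.firewalls.get(fw_id, []))
```

Unknown operation types are rejected rather than ignored, and an operation on a firewall or router that does not exist raises instead of silently succeeding; both matter when the requests arrive through a plug-in agent from untrusted tenants. Node free capacity is taken from the reported state rather than from the module's own reservations, which mirrors the polling/reporting described for Fig. 3 but means a stale report can let two routers be placed on one nearly full node between reports.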
Those skilled in the art will understand that the above is an exemplary illustration of a firewall management method and system embodiment and is not intended to limit the present invention; other implementations obtained by those skilled in the art without creative effort fall within the scope of protection of the present invention.
It should be noted that in this document relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or also includes elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes that element. The present invention may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The present invention may also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
The embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and for the same or similar parts the embodiments may be referred to one another. In particular, since the device embodiment is substantially similar to the method embodiment, it is described relatively briefly, and the relevant parts may be found in the description of the method embodiment. The device embodiment described above is only illustrative: the modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules, i.e. they may be located in one place or distributed over multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment, and those of ordinary skill in the art can understand and implement this without creative effort. The above is only a specific embodiment of the present invention; it should be pointed out that those skilled in the art can also make a number of improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the present invention.

Claims (10)

1. A firewall management system, characterized in that the system includes:
a virtual router plug-in module, an FWaaS plug-in agent module, a firewall driver module and a security management module;
wherein the virtual router plug-in module is configured to receive a first request, parse the first request to obtain the creation demand information of a virtual router, and send the creation demand information to the security management module; the first request is a creation request for a virtual router;
the FWaaS plug-in agent module is configured to receive a second request and send the second request to the firewall driver module; the second request is a creation request for a firewall;
the firewall driver module is configured to parse the second request to obtain firewall security rule configuration information and the identification information of the selected virtual router, and to send the firewall security rule configuration information and the identification information to the security management module;
the security management module is configured to select a configurable compute node from a secure resource pool according to the creation demand information and create a virtual router on that compute node in the form of a virtual machine, and to look up the virtual router according to the identification information and write the firewall security rule configuration information into the virtual router found.
2. The firewall management system according to claim 1, characterized in that
the virtual router is further configured to support the advanced security defense functions of the firewall;
and the security management module is further configured to receive a third request and uniformly control the advanced security defense functions of the user's virtual routers according to the third request; the third request is a management request for the advanced security defense functions of the firewall.
3. The firewall management system according to claim 2, characterized in that
the advanced security defense functions include one or more of the following:
advanced threat defense, anti-virus, distributed denial-of-service protection, UTM and anti-spam.
4. The firewall management system according to claim 1 or 2, characterized in that the virtual router is realized using the single-root I/O virtualization technology supported by the network card.
5. The firewall management system according to claim 1, characterized in that the virtual router plug-in module is further configured to:
receive a fourth request and send the fourth request to the security management module; the fourth request is an operation request for a virtual router, and carries the identification information of the virtual router to be operated on and a first operation type; the first operation type includes delete or update;
and the security management module is further configured to:
look up the corresponding virtual router according to the identification information carried in the fourth request, and perform the corresponding operation on the virtual router found according to the first operation type.
6. The firewall management system according to claim 1, characterized in that the FWaaS plug-in agent module is further configured to:
receive a fifth request and send the fifth request to the firewall driver module; the fifth request carries the correspondence between the firewall to be operated on and its virtual router, together with a second operation type; the second operation type includes delete or update; the fifth request is an operation request for a firewall;
and the firewall driver module is further configured to:
parse the fifth request to obtain the correspondence and the second operation type, and send the correspondence and the second operation type to the security management module;
and the security management module is further configured to:
find the corresponding virtual router according to the correspondence, and perform the corresponding operation on the firewall in the virtual router found according to the second operation type.
7. The firewall management system according to claim 1, characterized in that the creation demand information includes one or a combination of several of the following:
throughput, CPU, memory or bandwidth.
8. A firewall management method, characterized in that the method includes:
receiving a first request, and parsing the first request to obtain the creation demand information of a virtual router; the first request is a creation request for a virtual router;
according to the creation demand information, selecting a configurable compute node from a secure resource pool, and creating a virtual router on that compute node in the form of a virtual machine;
receiving a second request; the second request is a creation request for a firewall;
parsing the second request to obtain firewall security rule configuration information and the identification information of the selected virtual router;
looking up the virtual router according to the identification information, and writing the firewall security rule configuration information into the virtual router found.
9. The firewall management method according to claim 8, characterized in that the virtual router is further configured to support the advanced security defense functions of the firewall, and the method further includes:
receiving a third request, and uniformly controlling the advanced security defense functions of the user's virtual routers according to the third request; the third request is a management request for the advanced security defense functions of the firewall.
10. The firewall management method according to claim 8 or 9, characterized in that the virtual router is realized using the single-root I/O virtualization technology supported by the network card.
Application CN201610679647.0A, filed 2016-08-17 (priority date 2016-08-17): A kind of management method and system of firewall. Granted as CN106302466B (Active).

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201610679647.0A (granted as CN106302466B) | 2016-08-17 | 2016-08-17 | A kind of management method and system of firewall

Publications (2)

Publication Number | Publication Date
CN106302466A (this application, A publication) | 2017-01-04
CN106302466B (granted patent) | 2019-04-26

Family

ID=57679502

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN201610679647.0A (CN106302466B) | A kind of management method and system of firewall | 2016-08-17 | 2016-08-17 | Active

Country Status (1)

Country | Link
CN | CN106302466B (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN106911723A * | 2017-04-26 | 2017-06-30 | 北京启明星辰信息安全技术有限公司 | Traffic security processing method and security virtualization system
CN106911723B * | 2017-04-26 | 2020-03-03 | 北京启明星辰信息安全技术有限公司 | Traffic security processing method and security virtualization system
CN108173842A * | 2017-12-26 | 2018-06-15 | 国家电网公司 | Deployment optimization method for a software-defined firewall based on the OpenStack cloud platform
CN109120577A * | 2017-06-23 | 2019-01-01 | 华为技术有限公司 | Firewall deployment method and device
CN109120577B * | 2017-06-23 | 2020-10-27 | 华为技术有限公司 | Firewall deployment method and device
CN109889530A * | 2019-03-05 | 2019-06-14 | 北京长亭科技有限公司 | Web application firewall system and computer storage medium
CN109889530B * | 2019-03-05 | 2020-10-27 | 北京长亭未来科技有限公司 | Web application firewall system and computer storage medium
CN109918173A * | 2019-03-06 | 2019-06-21 | 苏州浪潮智能科技有限公司 | OpenStack-based virtual machine health check method and system
CN109962914A * | 2019-03-12 | 2019-07-02 | 杭州迪普科技股份有限公司 | Firewall configuration method and device
CN109962914B * | 2019-03-12 | 2021-07-23 | 杭州迪普科技股份有限公司 | Firewall configuration method and device
CN110365699A * | 2019-07-29 | 2019-10-22 | 北京奇艺世纪科技有限公司 | Traffic processing method, apparatus, system and gateway
CN111147467A * | 2019-12-19 | 2020-05-12 | 紫光云技术有限公司 | Security policy setting method and device for PaaS products on a cloud platform
CN113765885A * | 2021-07-30 | 2021-12-07 | 广东浪潮智慧计算技术有限公司 | Firewall rule synchronization method and device, electronic equipment and storage medium
CN113765885B * | 2021-07-30 | 2023-08-15 | 广东浪潮智慧计算技术有限公司 | Firewall rule synchronization method and device, electronic equipment and storage medium

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20030126268A1 * | 2001-12-21 | 2003-07-03 | International Business Machines Corporation | Method of preserving symmetrical routing in a communication system based upon a server farm
CN101656670A * | 2008-08-14 | 2010-02-24 | 丛林网络公司 | Routing device having integrated MPLS-aware firewall
CN101668022A * | 2009-09-14 | 2010-03-10 | 陈博东 | Virtual network isolation system established on virtual machine and implementation method thereof
CN102857416A * | 2012-09-18 | 2013-01-02 | 中兴通讯股份有限公司 | Method for implementing a virtual network, and virtual network
CN103746997A * | 2014-01-10 | 2014-04-23 | 浪潮电子信息产业股份有限公司 | Network security solution for cloud computing center
CN103986662A * | 2014-05-22 | 2014-08-13 | 浪潮电子信息产业股份有限公司 | Method for implementing a cross-virtualization-platform virtual router
CN204334621U * | 2014-11-25 | 2015-05-13 | 甘肃省科学技术情报研究所 | Network security management device



Also Published As

Publication number | Publication date
CN106302466B (en) | 2019-04-26


Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant