CN106411863A - Virtualization platform for processing network traffic of virtual switches in real time - Google Patents


Info

Publication number: CN106411863A
Authority: CN (China)
Prior art keywords: virtual, network, port, switch, virtual machine
Legal status: Pending
Application number: CN201610824785.3A
Other languages: Chinese (zh)
Inventors: 朱春杰, 柏传杰, 朱民航, 陈海军, 谭丹
Current assignee: Nanjing Nubosh Information Technology Co Ltd
Original assignee: Nanjing Nubosh Information Technology Co Ltd
Priority date: 2016-09-14
Filing date: 2016-09-14
Publication date: 2017-02-15


Classifications

All three CPC classes fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L63/00 (Network architectures or network communication protocols for network security):

    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones (under H04L63/02, separating internal from external traffic, e.g. firewalls)
    • H04L63/0227 Filtering policies (under H04L63/02, separating internal from external traffic, e.g. firewalls)
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic (under H04L63/14, detecting or protecting against malicious traffic)

Abstract

The invention discloses a virtualization platform for processing network traffic of virtual switches in real time. The virtualization platform comprises a host, virtual machines, virtual network ports, virtual devices, safety software, the virtual switches and physical network ports; the virtual machines are respectively connected with the corresponding virtual network ports; the virtual network ports are connected with the virtual devices; the safety software is connected with the virtual devices; the virtual devices are connected with the virtual switches; and the virtual switches are connected with the physical network ports. The virtualization platform disclosed by the invention has the beneficial effects that by adding one virtual device in a communication link between the virtual network port of each virtual machine and the corresponding virtual switch, network data packets entering and flowing out of the virtual machine are filtered/blocked in real time; each newly added virtual device is transparent for both the corresponding virtual machine and virtual switch so as to ensure compatibility of various functions of the virtual switch; and each newly added virtual device is loosely coupled with an existing module of a system, so that functions of the existing module cannot be influenced.

Description

Virtualization platform for processing the network traffic of virtual switches in real time
Technical field
The present invention relates to the technical field of computer networks, and in particular to a virtualization platform for processing the network traffic of virtual switches in real time.
Background technology
In the prior art, a virtualization platform loads network security software such as a firewall or an intrusion detection system onto the virtual bridge of the host in order to inspect the inbound and outbound network traffic of each virtual machine, thereby protecting the virtual machines against various forms of network attack. However, the virtual bridge function of such a platform is too limited to adapt to increasingly complex virtual network environments. To cope with complex real-world networks, existing virtualization platforms are gradually adopting virtual switches that conform to the software-defined networking (SDN) standard, such as OpenSwitch, but the security software cannot work cooperatively with the virtual switch, so it cannot effectively protect the virtual switch running on the host from network attack.
Content of the invention
The technical problem to be solved by the present invention is to provide a virtualization platform for processing the network traffic of virtual switches in real time that ensures compatibility with the various functions of the virtual switch and does not affect those functions.
To solve the above technical problem, the present invention provides a virtualization platform for processing the network traffic of virtual switches in real time, comprising a host, virtual machines, virtual network ports, virtual devices, security software, virtual switches and physical network ports. Each virtual machine is connected to its corresponding virtual network port; each virtual network port is connected to a virtual device; the security software is connected to the virtual devices; each virtual device is connected to a virtual switch; and the virtual switches are connected to the physical network ports. When a virtual machine starts normally, the virtual machine manager running on the host creates a virtual network port and other peripheral devices for it and activates the virtual network port. This activation causes the host operating system kernel to emit a device hot-plug event. A listener program monitors device hot-plug events in real time and determines whether the device described by the event is the virtual network port of a virtual machine it is responsible for; if so, the listener creates a brand-new virtual device and inserts it into the communication link between the virtual network port and the virtual switch. The security software works together with the new virtual device to perform security scanning, filtering and blocking of network traffic. The virtual machine is connected to the virtual network port through a port, and is connected to the network outside the host through the physical network port.
Preferably, network traffic sent by a virtual machine, or traffic received from the network outside the host, first passes through a port of the virtual switch. The ingress port hands the traffic to the traffic distribution module, which computes the port from which the traffic should leave and forwards it to the corresponding egress port.
Preferably, the virtual device comprises ports, a filtering module and a user-space interface. The virtual device has two ports: one connects to the virtual network port of the virtual machine and the other connects to a port of the virtual switch, and they receive and forward network packets. The filtering module maintains the state of network connections and records the endpoint information of each connection. After the filtering module receives a packet forwarded by a port, it counts the traffic, updates the connection information, and passes the packet to the security software for scanning until the security software reaches a conclusion on whether the connection is safe or malicious. Once the security software has reached a conclusion it notifies the filtering module, which updates the connection information. If the connection is safe, the filtering module redirects the packet to the other port of the virtual device and the packet is finally sent to its destination address. If the connection is malicious, the security software sends a reset signal to the hosts at both ends of the connection to terminate it, and if packets of that connection remain unprocessed the filtering module simply applies a drop policy. The listener program needs to create virtual devices dynamically, so the virtual device implements the necessary user-space interface for the listener to use.
Preferably, the number of virtual machines is 3 and the number of virtual switches is 2.
Preferably, the numbers of virtual network ports and virtual devices correspond to the number of virtual machines.
The beneficial effects of the present invention are as follows. By adding a virtual device to the communication link between the virtual network port of a virtual machine and the virtual switch, the network packets flowing into and out of the virtual machine are filtered and blocked in real time. The newly added virtual device is transparent to both the virtual machine and the virtual switch, which ensures compatibility with the various functions of the virtual switch. The newly added virtual device is loosely coupled with the existing modules of the system and does not affect their functions.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of the virtualization platform of the present invention.
Fig. 2 is a schematic diagram of the process by which the virtual device of the present invention is added to the communication link.
Fig. 3 is a schematic structural diagram of the virtual device of the present invention.
Specific embodiment
As shown in Fig. 1, a virtualization platform for processing the network traffic of virtual switches in real time comprises a host, virtual machines, virtual network ports, virtual devices, security software, virtual switches and physical network ports. Each virtual machine is connected to its corresponding virtual network port; each virtual network port is connected to a virtual device; the security software is connected to the virtual devices; each virtual device is connected to a virtual switch; and the virtual switches are connected to the physical network ports.
Fig. 2 shows the process by which the virtual device is added to the communication link. When a virtual machine starts normally, the virtual machine manager running on the host creates a virtual network port and other peripheral devices for it and activates the virtual network port. This activation causes the host operating system kernel to emit a device hot-plug event. The listener program monitors device hot-plug events in real time and determines whether the device described by the event is the virtual network port of a virtual machine it is responsible for; if so, the listener creates a brand-new virtual device and inserts it into the communication link between the virtual network port and the virtual switch. The security software works together with the new virtual device to perform security scanning, filtering and blocking of network traffic. The virtual machine is connected to the virtual network port through a port, and is connected to the network outside the host through the physical network port. The security software communicates with the filtering module, and the listener program communicates with the user-space interface.
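The hot-plug step described above, as an added example that is not the patent's own code: it parses kernel uevents in the NETLINK_KOBJECT_UEVENT wire format ("action@devpath" followed by NUL-separated KEY=VALUE pairs) and decides whether a newly added network device is the virtual network port of a virtual machine the listener is responsible for. The VM-to-port table, the sample datagrams and the function names are constructed for the example.

```python
# Added example (not the patent's code): the hot-plug listener step. Parses
# kernel kobject uevents in the NETLINK_KOBJECT_UEVENT wire format
# ("action@devpath\0KEY=VALUE\0...") and decides whether a newly added netdev
# is the virtual network port of a VM of interest. The VM-to-port table and
# the sample events are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed: which VM owns which virtual network port on this host.
PORT_OWNER: Dict[str, str] = {"vnet0": "vm-web", "vnet1": "vm-db"}


@dataclass(frozen=True)
class UEvent:
    action: str
    devpath: str
    env: Dict[str, str]


def parse_uevent(raw: bytes) -> Optional[UEvent]:
    """Parse one raw uevent datagram; returns None if the header is malformed."""
    fields = raw.split(b"\0")
    header = fields[0].decode("ascii", errors="replace")
    if "@" not in header:
        return None
    action, devpath = header.split("@", 1)
    env: Dict[str, str] = {}
    for f in fields[1:]:
        if b"=" in f:
            key, value = f.decode("ascii", errors="replace").split("=", 1)
            env[key] = value
    return UEvent(action, devpath, env)


def vm_for_port(ev: UEvent, port_owner: Dict[str, str]) -> Optional[str]:
    """Return the VM whose virtual port was just added, else None."""
    if ev.action != "add" or ev.env.get("SUBSYSTEM") != "net":
        return None                       # only netdev additions are of interest
    return port_owner.get(ev.env.get("INTERFACE", ""))


def run_listener(events: List[bytes], port_owner: Dict[str, str]) -> List[Tuple[str, str]]:
    """Process a batch of raw events; return (vm, iface) pairs that need a virtual device."""
    created = []
    for raw in events:
        ev = parse_uevent(raw)
        if ev is None:
            continue                      # malformed datagram, ignore
        vm = vm_for_port(ev, port_owner)
        if vm is not None:
            created.append((vm, ev.env["INTERFACE"]))   # insert the virtual device here
    return created


def open_uevent_socket():
    """Linux only: raw netlink socket subscribed to kernel uevents (multicast group 1)."""
    import socket
    NETLINK_KOBJECT_UEVENT = 15
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_KOBJECT_UEVENT)
    s.bind((0, 1))
    return s


SAMPLE_EVENTS = [  # constructed datagrams in the kernel's wire format
    b"add@/devices/virtual/net/vnet0\0ACTION=add\0SUBSYSTEM=net\0INTERFACE=vnet0\0IFINDEX=7\0",
    b"add@/devices/virtual/net/vnet9\0ACTION=add\0SUBSYSTEM=net\0INTERFACE=vnet9\0IFINDEX=8\0",
    b"remove@/devices/virtual/net/vnet1\0ACTION=remove\0SUBSYSTEM=net\0INTERFACE=vnet1\0",
    b"add@/devices/pci0000:00/0000:00:14.0/usb1\0ACTION=add\0SUBSYSTEM=usb\0",
    b"not a uevent",
]
```

In a live deployment the datagrams would come from `open_uevent_socket().recv(...)` instead of the constructed list; the decision logic is the same.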
Network traffic sent by a virtual machine, or traffic received from the network outside the host, first passes through a port of the virtual switch. The ingress port hands the traffic to the traffic distribution module, which computes the port from which the traffic should leave and forwards it to the corresponding egress port.
Fig. 3 shows the structure of the virtual device. The virtual device comprises ports, a filtering module and a user-space interface. The virtual device has two ports: one connects to the virtual network port of the virtual machine and the other connects to a port of the virtual switch, and they receive and forward network packets. The filtering module maintains the state of network connections and records the endpoint information of each connection. After the filtering module receives a packet forwarded by a port, it counts the traffic, updates the connection information, and passes the packet to the security software for scanning until the security software reaches a conclusion on whether the connection is safe or malicious. Once the security software has reached a conclusion it notifies the filtering module, which updates the connection information. If the connection is safe, the filtering module redirects the packet to the other port of the virtual device and the packet is finally sent to its destination address. If the connection is malicious, the security software sends a reset signal to the hosts at both ends of the connection to terminate it, and if packets of that connection remain unprocessed the filtering module simply applies a drop policy. The listener program needs to create virtual devices dynamically, so the virtual device implements the necessary user-space interface for the listener to use.
The number of virtual machines is 3 and the number of virtual switches is 2. The numbers of virtual network ports and virtual devices correspond to the number of virtual machines.
In the original network topology, the virtual network port connects directly to a port of the virtual switch. To keep the functions of the virtual switch 100% compatible, the port of the virtual device that connects to the virtual switch must present the same interface as the virtual network port. Some malware can measure network latency, for example how long start-up takes, or the round-trip time of ICMP packets to a public host; if the latency exceeds an empirical threshold, the malware deliberately stops working in order to avoid detection. Because of this behaviour pattern, the process of inserting the virtual device into the communication link must be as fast as possible.
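The filtering module of Fig. 3 and claim 3, as an added model that is not the patent's own code: a per-connection state table keyed by a direction-agnostic 5-tuple, traffic accounting, packets held while the security software has not yet concluded, release to the other port on a safe verdict, and a single reset to both endpoints followed by a drop policy on a malicious verdict. The scanner hook, its two-packet rule and the sample flows are hypothetical stand-ins for the security software.

```python
# Constructed model of the filtering module inside the patent's virtual device
# (added example, not the patent's code). The security-software hook is a
# hypothetical two-packet scanner; real scanning logic is out of scope.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

SAFE, MALICIOUS, PENDING = "safe", "malicious", "pending"
VM_PORT, SWITCH_PORT = "vm_port", "switch_port"   # the device's two ports


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    size: int


@dataclass
class Connection:
    """State the filtering module keeps per network connection."""
    endpoints: tuple                      # the two (ip, port) endpoints
    verdict: str = PENDING
    packets: int = 0
    bytes: int = 0
    reset_sent: bool = False
    held: List[Tuple[str, Packet]] = field(default_factory=list)


def flow_key(p: Packet) -> tuple:
    """Direction-agnostic key so both directions of a connection share one entry."""
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class FilterModule:
    def __init__(self, scanner: Callable[[Packet, Connection], Optional[str]]):
        self.scanner = scanner                          # "security software" hook
        self.table: Dict[tuple, Connection] = {}        # connection state table
        self.egress: List[Tuple[str, Packet]] = []      # (out_port, packet) sent on
        self.resets: List[tuple] = []                   # endpoints sent a reset

    def handle(self, pkt: Packet, in_port: str) -> str:
        key = flow_key(pkt)
        conn = self.table.setdefault(key, Connection(endpoints=key[1:]))
        conn.packets += 1                               # traffic accounting
        conn.bytes += pkt.size
        out_port = SWITCH_PORT if in_port == VM_PORT else VM_PORT
        if conn.verdict == PENDING:
            verdict = self.scanner(pkt, conn)           # None: no conclusion yet
            if verdict is None:
                conn.held.append((out_port, pkt))       # wait for the verdict
                return "hold"
            conn.verdict = verdict
            if verdict == SAFE:
                self.egress.extend(conn.held)           # release held packets
            conn.held.clear()                           # malicious: held packets dropped
        if conn.verdict == MALICIOUS:
            if not conn.reset_sent:                     # reset both ends once
                self.resets.append(conn.endpoints)
                conn.reset_sent = True
            return "drop"                               # drop policy for leftovers
        self.egress.append((out_port, pkt))             # redirect to the other port
        return "forward"


def demo_scanner(pkt: Packet, conn: Connection) -> Optional[str]:
    """Hypothetical verdict rule: decide after two packets; port 4444 counts as malicious."""
    if conn.packets < 2:
        return None
    return MALICIOUS if 4444 in (pkt.sport, pkt.dport) else SAFE


def run_demo() -> dict:
    """Two constructed connections from a VM: one benign HTTPS flow, one to port 4444."""
    fm = FilterModule(demo_scanner)
    good = Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443, 60)
    bad = Packet("tcp", "10.0.0.5", 51001, "198.51.100.7", 4444, 80)
    bad_reply = Packet("tcp", "198.51.100.7", 4444, "10.0.0.5", 51001, 40)
    results = [fm.handle(good, VM_PORT), fm.handle(good, VM_PORT),
               fm.handle(bad, VM_PORT), fm.handle(bad, VM_PORT),
               fm.handle(bad_reply, SWITCH_PORT)]      # reply direction, same entry
    return {"results": results, "forwarded": len(fm.egress),
            "resets": len(fm.resets), "bad_bytes": fm.table[flow_key(bad)].bytes}
```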
Although the present invention has been illustrated and described with respect to preferred embodiments, those skilled in the art will understand that various changes and modifications may be made to the present invention without departing from the scope defined by the claims.

Claims (5)

1. A virtualization platform for processing the network traffic of virtual switches in real time, characterized in that it comprises: a host, virtual machines, virtual network ports, virtual devices, security software, virtual switches and physical network ports; each virtual machine is connected to its corresponding virtual network port, each virtual network port is connected to a virtual device, the security software is connected to the virtual devices, each virtual device is connected to a virtual switch, and the virtual switches are connected to the physical network ports; when a virtual machine starts normally, the virtual machine manager running on the host creates a virtual network port and other peripheral devices for the virtual machine and activates the virtual network port, the activation causing the host operating system kernel to emit a device hot-plug event; a listener program monitors device hot-plug events in real time and determines whether the device described by the event is the virtual network port of a virtual machine it is responsible for, and if so creates a brand-new virtual device and inserts it into the communication link between the virtual network port and the virtual switch; the security software works together with the new virtual device to perform security scanning, filtering and blocking of network traffic; the virtual machine is connected to the virtual network port through a port, and is connected to the network outside the host through the physical network port.
2. The virtualization platform for processing the network traffic of virtual switches in real time of claim 1, characterized in that network traffic sent by a virtual machine, or traffic received from the network outside the host, first passes through a port of the virtual switch; the ingress port hands the traffic to the traffic distribution module, which computes the port from which the traffic should leave and forwards it to the corresponding egress port.
3. The virtualization platform for processing the network traffic of virtual switches in real time of claim 1, characterized in that the virtual device comprises ports, a filtering module and a user-space interface; the virtual device has two ports, one connected to the virtual network port of the virtual machine and the other connected to a port of the virtual switch, which receive and forward network packets; the filtering module maintains the state of network connections and records the endpoint information of each connection; after the filtering module receives a packet forwarded by a port, it counts the traffic, updates the connection information, and passes the packet to the security software for scanning until the security software reaches a conclusion on whether the connection is safe or malicious; once the security software has reached a conclusion it notifies the filtering module, which updates the connection information; if the connection is safe, the filtering module redirects the packet to the other port of the virtual device and the packet is finally sent to its destination address; if the connection is malicious, the security software sends a reset signal to the hosts at both ends of the connection to terminate it, and if packets of that connection remain unprocessed the filtering module simply applies a drop policy; the listener program needs to create virtual devices dynamically, so the virtual device implements the necessary user-space interface for the listener to use.
4. The virtualization platform for processing the network traffic of virtual switches in real time of claim 1, characterized in that the number of virtual machines is 3 and the number of virtual switches is 2.
5. The virtualization platform for processing the network traffic of virtual switches in real time of claim 1, characterized in that the numbers of virtual network ports and virtual devices correspond to the number of virtual machines.

Priority Applications (1)

Application number: CN201610824785.3A (publication CN106411863A, en); priority date 2016-09-14; filing date 2016-09-14; title: Virtualization platform for processing network traffic of virtual switches in real time

Publications (1)

Publication number: CN106411863A (en); publication date 2017-02-15

Family

Family ID: 57997096; one family application (CN201610824785.3A, Pending); country status: CN (1), CN106411863A (en)



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170215