CN106411863A - Virtualization platform for processing network traffic of virtual switches in real time - Google Patents
Publication number: CN106411863A (application CN201610824785.3A)
Authority: CN (China)
Prior art keywords: virtual, network, port, switch, virtual machine
Legal status: Pending
Classifications
- H04L63/0209: Network architectures or protocols for network security; separating internal from external traffic (firewalls); architectural arrangements, e.g. perimeter networks or demilitarized zones
- H04L63/0227: Network architectures or protocols for network security; separating internal from external traffic (firewalls); filtering policies
- H04L63/1408: Network architectures or protocols for network security; detecting or protecting against malicious traffic by monitoring network traffic
Abstract
The invention discloses a virtualization platform for processing the network traffic of virtual switches in real time. The platform comprises a host, virtual machines, virtual network interfaces, virtual devices, security software, virtual switches and physical network interfaces. Each virtual machine is connected to its corresponding virtual network interface; the virtual network interface is connected to a virtual device; the security software is connected to the virtual device; the virtual device is connected to a virtual switch; and the virtual switch is connected to a physical network interface. The benefit of the platform is that, by adding one virtual device to the communication link between each virtual machine's virtual network interface and the corresponding virtual switch, the network packets entering and leaving the virtual machine are filtered or blocked in real time; each added virtual device is transparent to both the virtual machine and the virtual switch, which preserves compatibility with all of the virtual switch's functions; and each added virtual device is loosely coupled to the existing modules of the system, so their functions are not affected.
Description
Technical field
The present invention relates to the technical field of computer networks, and in particular to a virtualization platform for processing virtual switch network traffic in real time.
Background technology
In the prior art, a virtualization platform loads network security software such as a firewall or intrusion detection system on the host's virtual bridge in order to inspect the inbound and outbound traffic of each virtual machine, thereby protecting the virtual machines against various forms of network attack. However, the virtual bridge of such a platform is too limited in function to keep up with increasingly complex virtual network environments. To cope with the complex networks found in practice, existing virtualization platforms have gradually adopted virtual switches that conform to the software-defined networking (SDN) standard, such as OpenSwitch; but the bridge-based security software cannot work together with such a virtual switch, so the virtual switch running on the host cannot be effectively protected from network attacks.
Content of the invention
The technical problem to be solved by the present invention is to provide a virtualization platform for processing virtual switch network traffic in real time that guarantees compatibility with the various functions of the virtual switch and does not affect those functions.
To solve the above technical problem, the present invention provides a virtualization platform for processing virtual switch network traffic in real time, comprising a host, virtual machines, virtual network interfaces (vNICs), virtual devices, security software, virtual switches and physical network interfaces. Each virtual machine is connected to its corresponding vNIC; the vNIC is connected to a virtual device; the security software is connected to the virtual device; the virtual device is connected to a virtual switch; and the virtual switch is connected to a physical network interface. When a virtual machine starts normally, the hypervisor (virtual machine manager) running on the host creates the vNIC and other peripheral devices for it and activates the vNIC. The activation triggers a device hot-plug event notification from the host kernel. A listener program monitors device hot-plug events in real time and judges whether the device described by each event is the vNIC of a virtual machine it is concerned with; if so, the listener creates a brand-new virtual device and implants it in the middle of the communication link between the vNIC and the virtual switch. The security software works together with the new virtual device to perform security scanning, filtering and blocking of network traffic. The virtual machine is connected to its vNIC through a port, and reaches the network outside the host through the physical network interface.
Preferably, network traffic sent by a virtual machine, or traffic received from the network outside the host, first passes through a port of the virtual switch: the ingress port hands the traffic to a traffic-distribution module, which computes from which port it should leave and forwards it to the corresponding egress port.
Preferably, the virtual device comprises ports, a filtering module and a user-space interface. The virtual device has two ports: one connects to the virtual machine's vNIC and the other connects to a port of the virtual switch; the ports receive and forward network packets. The filtering module maintains the state of each network connection and records its endpoints. When the filtering module receives a packet forwarded by a port, it counts the traffic, updates the connection information and passes the packet to the security software for scanning, until the security software reaches a conclusion about whether the connection is safe or malicious. Once the security software has concluded, it notifies the filtering module, which updates the connection information. If the connection is safe, the filtering module redirects the packet to the other port of the virtual device and the packet is eventually sent to its destination address. If the connection is malicious, the security software sends a reset signal to the hosts at both ends of the connection to terminate it, and if further packets of that connection remain unprocessed the filtering module simply applies a drop policy. Because the listener program needs to create virtual devices dynamically, the virtual device implements the necessary user-space interface for the listener to use.
Preferably, the number of virtual machines is 3 and the number of virtual switches is 2.
Preferably, the number of vNICs and the number of virtual devices each correspond to the number of virtual machines.
The beneficial effects of the present invention are: by adding one virtual device to the communication link between a virtual machine's vNIC and the virtual switch, the network packets flowing into and out of the virtual machine are filtered or blocked in real time; the newly added virtual device is transparent to both the virtual machine and the virtual switch, which guarantees compatibility with the various functions of the virtual switch; and the newly added virtual device is loosely coupled to the existing modules of the system, so it does not interfere with their functions.
Brief description
Fig. 1 is a schematic of the structure of the virtualization platform of the present invention.
Fig. 2 is a schematic of the process by which the virtual device of the present invention is added to the communication link.
Fig. 3 is a schematic of the structure of the virtual device of the present invention.
Specific embodiment
As shown in Fig. 1, a virtualization platform for processing virtual switch network traffic in real time comprises a host, virtual machines, vNICs, virtual devices, security software, virtual switches and physical network interfaces. Each virtual machine is connected to its corresponding vNIC; the vNIC is connected to a virtual device; the security software is connected to the virtual device; the virtual device is connected to a virtual switch; and the virtual switch is connected to a physical network interface.
Fig. 2 shows the process by which the virtual device is added to the communication link. When a virtual machine starts normally, the hypervisor running on the host creates the vNIC and other peripheral devices for it and activates the vNIC. The activation triggers a device hot-plug event notification from the host kernel. The listener program monitors device hot-plug events in real time and judges whether the device described by each event is the vNIC of a virtual machine it is concerned with; if so, the listener creates a brand-new virtual device and implants it in the middle of the communication link between the vNIC and the virtual switch. The security software works together with the new virtual device to perform security scanning, filtering and blocking of network traffic. The virtual machine is connected to its vNIC through a port, and reaches the network outside the host through the physical network interface. The security software communicates with the filtering module; the listener program communicates with the user-space interface.
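The listener step described above, as an added example that is not part of the patent: it parses kernel device hot-plug (uevent) datagrams, which on Linux arrive over a NETLINK_KOBJECT_UEVENT socket as an "ACTION@DEVPATH" header followed by NUL-separated KEY=VALUE pairs, and for each newly added vNIC of a watched virtual machine records a virtual device whose switch-facing port keeps the vNIC's original name, so that the virtual switch's own configuration never changes. The sample uevents are constructed; the "<vnic>-vm" port-naming scheme and the choice to model the device as a record rather than perform the kernel-side renaming are assumptions of the example.

```python
# Added example (not from the patent): a user-space hot-plug listener that
# parses kernel uevent datagrams and splices a virtual device in front of the
# vNICs of the virtual machines it is watching.
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample uevents in NETLINK_KOBJECT_UEVENT wire format:
# "ACTION@DEVPATH" followed by NUL-separated KEY=VALUE pairs.
SAMPLE_UEVENTS = [
    b"add@/devices/virtual/net/vnet0\x00ACTION=add\x00DEVPATH=/devices/virtual/net/vnet0"
    b"\x00SUBSYSTEM=net\x00INTERFACE=vnet0\x00IFINDEX=12\x00",
    b"add@/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/block/sda"
    b"\x00ACTION=add\x00SUBSYSTEM=block\x00DEVNAME=sda\x00",          # not a net device
    b"add@/devices/virtual/net/vnet1\x00ACTION=add\x00SUBSYSTEM=net\x00INTERFACE=vnet1\x00IFINDEX=13\x00",
    b"add@/devices/virtual/net/vnet7\x00ACTION=add\x00SUBSYSTEM=net\x00INTERFACE=vnet7\x00IFINDEX=14\x00",  # VM not watched
    b"remove@/devices/virtual/net/vnet0\x00ACTION=remove\x00SUBSYSTEM=net\x00INTERFACE=vnet0\x00IFINDEX=12\x00",
]


@dataclass
class VirtualDevice:
    vm_port: str      # port facing the VM's vNIC (assumed naming: "<vnic>-vm")
    switch_port: str  # port presented to the vSwitch; keeps the vNIC's original
                      # name so the switch configuration never has to change


def parse_uevent(raw: bytes) -> Dict[str, str]:
    """Split one uevent datagram into its environment dictionary."""
    fields = raw.split(b"\x00")
    action, _, devpath = fields[0].decode(errors="replace").partition("@")
    env = {"ACTION": action, "DEVPATH": devpath}
    for item in fields[1:]:
        key, sep, value = item.decode(errors="replace").partition("=")
        if sep:                      # skip the empty trailing field
            env[key] = value
    return env


class HotplugListener:
    """Watches add/remove events for the vNICs of the VMs it is concerned with."""

    def __init__(self, watched_vnics: Set[str]) -> None:
        self.watched = set(watched_vnics)
        self.devices: Dict[str, VirtualDevice] = {}   # vNIC name -> spliced device

    def is_watched_vnic(self, env: Dict[str, str]) -> bool:
        return env.get("SUBSYSTEM") == "net" and env.get("INTERFACE") in self.watched

    def handle(self, raw: bytes) -> Optional[str]:
        """Return what was done for this event: inserted, removed, ignored, or None."""
        env = parse_uevent(raw)
        if not self.is_watched_vnic(env):
            return None                               # other subsystem or other VM
        name = env["INTERFACE"]
        if env["ACTION"] == "add" and name not in self.devices:
            # Splice: the device takes over the vNIC's name on the switch side
            # and exposes a renamed port to the VM side.
            self.devices[name] = VirtualDevice(vm_port=f"{name}-vm", switch_port=name)
            return "inserted"
        if env["ACTION"] == "remove" and name in self.devices:
            del self.devices[name]
            return "removed"
        return "ignored"


def run_samples(listener: HotplugListener) -> List[Optional[str]]:
    return [listener.handle(ev) for ev in SAMPLE_UEVENTS]


def live_listen(listener: HotplugListener) -> None:
    """Linux only; reads real kernel uevents. Not exercised by the sample data."""
    netlink_kobject_uevent = 15          # kernel protocol number for uevents
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_DGRAM, netlink_kobject_uevent)
    sock.bind((0, 1))                    # (pid, groups): group 1 = kernel uevents
    while True:
        listener.handle(sock.recv(65536))


if __name__ == "__main__":
    lst = HotplugListener({"vnet0", "vnet1"})
    print(run_samples(lst), lst.devices)
```

The two-port record is the point: the port the virtual switch sees keeps the vNIC's name, which is what makes the insertion transparent to the switch. The speed requirement the patent raises later (malware that measures latency and goes quiet) argues for doing this work in the event handler itself rather than in a separate polling loop.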
Network traffic sent by a virtual machine, or traffic received from the network outside the host, first passes through a port of the virtual switch: the ingress port hands the traffic to the traffic-distribution module, which computes from which port it should leave and forwards it to the corresponding egress port.
Fig. 3 shows the structure of the virtual device. The virtual device comprises ports, a filtering module and a user-space interface. It has two ports: one connects to the virtual machine's vNIC and the other connects to a port of the virtual switch; the ports receive and forward network packets. The filtering module maintains the state of each network connection and records its endpoints. When the filtering module receives a packet forwarded by a port, it counts the traffic, updates the connection information and passes the packet to the security software for scanning, until the security software reaches a conclusion about whether the connection is safe or malicious. Once the security software has concluded, it notifies the filtering module, which updates the connection information. If the connection is safe, the filtering module redirects the packet to the other port of the virtual device and the packet is eventually sent to its destination address. If the connection is malicious, the security software sends a reset signal to the hosts at both ends of the connection to terminate it, and if further packets of that connection remain unprocessed the filtering module simply applies a drop policy. Because the listener program needs to create virtual devices dynamically, the virtual device implements the necessary user-space interface for the listener to use.
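The filtering module described above, as an added example that is not part of the patent: a two-port stateful filter that tracks each TCP connection by its endpoints, counts packets and bytes, holds a connection's packets until the scanner reaches a verdict, then forwards to the opposite port on "safe" or emits a TCP RST toward both ends and drops everything further on "malicious". The IPv4/TCP frames, the signature-based stand-in for the security software, and the hold-until-verdict policy are constructed for the example; the patent does not say whether packets are buffered while the scan is pending. The RSTs here carry zero sequence numbers, which a real endpoint would ignore; a production device must fill them from the tracked connection state.

```python
# Added example (not from the patent): a two-port filtering module that keeps
# per-connection state, defers to a scanner for a verdict, forwards safe
# connections to the opposite port and resets/drops malicious ones.
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x02, 0x04, 0x08, 0x10
PORT_VM, PORT_SWITCH = "vm", "switch"        # the virtual device's two ports


def build_frame(src: str, dst: str, sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Constructed minimal IPv4+TCP packet (no checksums, zero seq/ack)."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, ip(src), ip(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


@dataclass
class Packet:
    src: str; dst: str; sport: int; dport: int; flags: int; payload: bytes

    @property
    def conn_key(self) -> tuple:
        # Direction-independent key so both halves of a connection share state.
        return tuple(sorted([(self.src, self.sport), (self.dst, self.dport)]))


def parse_frame(raw: bytes) -> Optional[Packet]:
    """Parse IPv4/TCP only; anything else returns None and the filter drops it."""
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != 6:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if len(raw) < ihl + 20:
        return None
    src, dst = ".".join(map(str, raw[12:16])), ".".join(map(str, raw[16:20]))
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    doff = (raw[ihl + 12] >> 4) * 4
    return Packet(src, dst, sport, dport, raw[ihl + 13], raw[ihl + doff:])


@dataclass
class ConnState:
    verdict: Optional[str] = None             # None = scan still pending
    packets: int = 0
    octets: int = 0
    pending: List[Tuple[str, bytes]] = field(default_factory=list)


class FilterModule:
    def __init__(self, scanner: Callable[[Packet], Optional[str]]) -> None:
        self.scanner = scanner                          # the "security software"
        self.conns: Dict[tuple, ConnState] = {}         # connection state table
        self.forwarded: List[Tuple[str, bytes]] = []    # (egress port, frame)
        self.resets: List[bytes] = []                   # RSTs sent to both ends

    def receive(self, ingress: str, raw: bytes) -> str:
        pkt = parse_frame(raw)
        if pkt is None:
            return "drop"                               # fail closed on unparsable input
        egress = PORT_SWITCH if ingress == PORT_VM else PORT_VM
        st = self.conns.setdefault(pkt.conn_key, ConnState())
        st.packets, st.octets = st.packets + 1, st.octets + len(raw)
        if st.verdict == "malicious":
            return "drop"                               # connection already torn down
        if st.verdict == "safe":
            self.forwarded.append((egress, raw))
            return "forward"
        st.pending.append((egress, raw))                # hold until the scanner decides
        st.verdict = self.scanner(pkt)
        if st.verdict is None:
            return "hold"
        if st.verdict == "safe":
            self.forwarded.extend(st.pending)           # release everything held
            st.pending.clear()
            return "forward"
        self._reset_both_ends(pkt)
        st.pending.clear()
        return "reset"

    def _reset_both_ends(self, pkt: Packet) -> None:
        # One RST toward each endpoint. seq/ack are zero here; a real device must
        # use the tracked sequence numbers or the endpoints will ignore the RSTs.
        self.resets.append(build_frame(pkt.dst, pkt.src, pkt.dport, pkt.sport, TCP_RST | TCP_ACK))
        self.resets.append(build_frame(pkt.src, pkt.dst, pkt.sport, pkt.dport, TCP_RST | TCP_ACK))


def signature_scanner(pkt: Packet) -> Optional[str]:
    """Constructed stand-in for the security software: undecided until the first
    payload, then malicious if it carries the (made-up) signature string."""
    if not pkt.payload:
        return None
    return "malicious" if b"/etc/passwd" in pkt.payload else "safe"


def demo() -> Tuple[FilterModule, List[str]]:
    f = FilterModule(signature_scanner)
    vm, web, attacker = "10.0.0.5", "93.184.216.34", "198.51.100.7"   # constructed addresses
    actions = [
        f.receive(PORT_VM, build_frame(vm, web, 40000, 80, TCP_SYN)),
        f.receive(PORT_VM, build_frame(vm, web, 40000, 80, TCP_PSH | TCP_ACK, b"GET / HTTP/1.1\r\n")),
        f.receive(PORT_SWITCH, build_frame(web, vm, 80, 40000, TCP_PSH | TCP_ACK, b"HTTP/1.1 200 OK\r\n")),
        f.receive(PORT_SWITCH, build_frame(attacker, vm, 4444, 22, TCP_PSH | TCP_ACK, b"cat /etc/passwd\n")),
        f.receive(PORT_SWITCH, build_frame(attacker, vm, 4444, 22, TCP_PSH | TCP_ACK, b"id\n")),
    ]
    return f, actions
```

`demo()` walks the two cases the text distinguishes: the browser connection is held at the SYN, released in order once the first data packet scans clean, and thereafter forwarded without consulting the scanner; the attacker's connection is reset in both directions on the first malicious payload and every later packet of it is dropped by the state table alone.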
The number of virtual machines is 3 and the number of virtual switches is 2. The number of vNICs and the number of virtual devices each correspond to the number of virtual machines.
In the original network topology the vNIC connects directly to a port of the virtual switch. To guarantee 100% compatibility with the functions of the virtual switch, the port through which the virtual device connects to the virtual switch must present the same interface as the vNIC did. Some malware probes network latency, for example by measuring how long start-up takes or the round-trip time of an ICMP packet to a public-network host; if the latency exceeds an empirical threshold, the malware deliberately stops working so as to avoid detection. Given this behaviour pattern, the process of implanting the virtual device into the communication link must be as fast as possible.
Although the present invention has been illustrated and described with respect to preferred embodiments, those skilled in the art will understand that various changes and modifications can be made to the present invention without departing from the scope defined by the claims.
Claims (5)
1. A virtualization platform for processing virtual switch network traffic in real time, characterized in that it comprises a host, virtual machines, virtual network interfaces (vNICs), virtual devices, security software, virtual switches and physical network interfaces; each virtual machine is connected to its corresponding vNIC, the vNIC is connected to a virtual device, the security software is connected to the virtual device, the virtual device is connected to a virtual switch, and the virtual switch is connected to a physical network interface; when a virtual machine starts normally, the hypervisor running on the host creates the vNIC and other peripheral devices for the virtual machine and activates the vNIC, the activation triggering a device hot-plug event notification from the host kernel; a listener program monitors device hot-plug events in real time and judges whether the device described by the event is the vNIC of a virtual machine it is concerned with, and if so creates a brand-new virtual device and implants it in the middle of the communication link between the vNIC and the virtual switch; the security software works together with the new virtual device to perform security scanning, filtering and blocking of network traffic; the virtual machine is connected to the vNIC through a port, and is connected to the network outside the host through the physical network interface.
2. The virtualization platform for processing virtual switch network traffic in real time according to claim 1, characterized in that network traffic sent by a virtual machine, or traffic received from the network outside the host, first passes through a port of the virtual switch; the ingress port hands the traffic to a traffic-distribution module, which computes from which port it should leave and forwards it to the corresponding egress port.
3. The virtualization platform for processing virtual switch network traffic in real time according to claim 1, characterized in that the virtual device comprises ports, a filtering module and a user-space interface; the virtual device has two ports, one connected to the virtual machine's vNIC and the other connected to a port of the virtual switch, which receive and forward network packets; the filtering module maintains the state of each network connection and records its endpoints; when the filtering module receives a packet forwarded by a port, it counts the traffic, updates the connection information and passes the packet to the security software for scanning, until the security software reaches a conclusion about whether the connection is safe or malicious; once the security software has concluded, it notifies the filtering module, which updates the connection information; if the connection is safe, the filtering module redirects the packet to the other port of the virtual device and the packet is eventually sent to its destination address; if the connection is malicious, the security software sends a reset signal to the hosts at both ends of the connection to terminate it, and if further packets remain unprocessed the filtering module simply applies a drop policy; the listener program needs to create virtual devices dynamically, and the virtual device implements the necessary user-space interface for the listener to use.
4. The virtualization platform for processing virtual switch network traffic in real time according to claim 1, characterized in that the number of virtual machines is 3 and the number of virtual switches is 2.
5. The virtualization platform for processing virtual switch network traffic in real time according to claim 1, characterized in that the number of vNICs and the number of virtual devices each correspond to the number of virtual machines.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610824785.3A | 2016-09-14 | 2016-09-14 | Virtualization platform for processing network traffic of virtual switches in real time |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106411863A (en) | 2017-02-15 |
Family ID: 57997096
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106411863A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100269171A1 (en) * | 2009-04-20 | 2010-10-21 | Check Point Software Technologies, Ltd. | Methods for effective network-security inspection in virtualized environments |
CN102244622A (en) * | 2011-07-25 | 2011-11-16 | 北京网御星云信息技术有限公司 | Virtual gateway protection method, virtual security gateway and system for server virtualization |
CN104917653A (en) * | 2015-06-26 | 2015-09-16 | 北京奇虎科技有限公司 | Virtual flow monitoring method based on cloud platform and device thereof |
CN104994094A (en) * | 2015-07-01 | 2015-10-21 | 北京奇虎科技有限公司 | Virtualization platform safety protection method, device and system based on virtual switch |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108964959A (en) * | 2017-05-27 | 2018-12-07 | 阿里巴巴集团控股有限公司 | Network card direct connection system for a virtualization platform and data packet supervision method |
CN108964959B (en) * | 2017-05-27 | 2022-02-25 | 阿里巴巴集团控股有限公司 | Network card direct connection system for virtualization platform and data packet supervision method |
CN107360058A (en) * | 2017-07-12 | 2017-11-17 | 郑州云海信息技术有限公司 | A method and device for realizing traffic monitoring |
CN108306784A (en) * | 2017-12-26 | 2018-07-20 | 广东睿江云计算股份有限公司 | A method for counting the total flow of virtual machines in a XenServer pool |
CN108306784B (en) * | 2017-12-26 | 2020-12-01 | 广东睿江云计算股份有限公司 | Method for counting total flow of virtual machines in XenServer pool |
CN109088827A (en) * | 2018-07-11 | 2018-12-25 | 新华三云计算技术有限公司 | Virtual machine traffic processing method, device and host |
CN109088827B (en) * | 2018-07-11 | 2019-12-13 | 新华三云计算技术有限公司 | Virtual machine flow processing method and device and host |
CN110730133A (en) * | 2019-10-21 | 2020-01-24 | 北京百度网讯科技有限公司 | Route notification method and system |
CN110730133B (en) * | 2019-10-21 | 2021-11-12 | 北京百度网讯科技有限公司 | Route notification method and system |
CN115080191A (en) * | 2022-08-18 | 2022-09-20 | 苏州浪潮智能科技有限公司 | Method, device and equipment for managing I2C link and readable medium |
CN115080191B (en) * | 2022-08-18 | 2023-01-06 | 苏州浪潮智能科技有限公司 | Method, device, equipment and readable medium for managing I2C link |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20170215 |