CN106789542A - A kind of implementation method of cloud data center security service chain - Google Patents
Publication number: CN106789542A (application CN201710124814.XA)
Authority: CN (China)
Prior art keywords: security service, flow, service node, vlan, local
Legal status: Granted
Classifications (CPC):
- H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L45/38 Flow based routing
- H04L47/125 Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
- H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L67/10 Protocols in which an application is distributed across nodes in the network
Abstract
The present invention provides an implementation method of a cloud data center security service chain. The method includes: receiving a flow that carries the VLAN information corresponding to the local security service node; if an access control policy matching the packet header information of the flow is found in the local flow table, stripping the VLAN from the flow and sending it to the local security service node so that the local security service node performs safety detection; and, according to the policy action in the matched access control policy, modifying the VLAN of the flow that has passed safety detection to the VLAN information of the next-hop security service node and sending it through the exchange network. The implementation method of a cloud data center security service chain provided by the present invention realizes the security service chain on the basis of the VLAN protocol; its design is simple, its function is complete, and its operation and maintenance (O&M) cost is low.
Description
Technical field
The present invention relates to the field of network security, and more particularly to an implementation method of a cloud data center security service chain.
Background technology
A cloud data center is a new-generation data center that uses cloud computing technology to automatically provide all kinds of cloud computing services on demand. The traffic characteristics of a cloud data center differ greatly from those of a conventional data center, and with the rapid development and wide application of new technologies such as software defined networking, network virtualization and network function virtualization, the cloud data center network faces new security challenges compared with a conventional data center network. The cloud data center increasingly relies on the above virtualization technologies to provide more efficient and flexible service deployment, so that the security boundary is hard to define and the logical network topology may change at any time according to business demand; a conventional security architecture based on physical boundary protection cannot protect it effectively. Cloud data center business scenarios are increasingly complex and the individual demands for network and information security are stronger, whereas a conventional security hardware device binds software to hardware and provides a fixed security function externally; the administrator can only perform simple configuration through a manual interface and cannot flexibly adjust or customize its functions according to the service application scenario, so it cannot meet the demands of the business for elastic expansion and security.
To cope with these security challenges, current cloud data centers mainly realize security protection by using a security service chain. A security service chain is based on a centralized security capability resource pool built on an Overlay network: a centralized controller drains the service traffic that needs security protection to security service nodes for detection and protection, and arranges the order in which the security service nodes protect the traffic according to the security policy demands of the business. These security service nodes include FW (Firewall), IDS (Intrusion Detection System), IPS (Intrusion Prevention System), anti-virus devices and so on. Fig. 1 shows a security service chain model built on VXLAN (Virtual Extensible LAN). Each security service node of the security service chain may be located in the same or a different security capability resource pool. Through a tenant-oriented or application-oriented security service chain orchestration interface, the controller automatically issues a drainage policy to each service chain node, and the processing flow after a service chain node matches the drainage policy is as follows: the VTEP (VXLAN Tunnel End Point) corresponding to the source VM (Virtual Machine) performs VXLAN encapsulation on the flow sent by the source VM and forwards the encapsulated message to the VTEP corresponding to the first security service node; the VTEP corresponding to the first security service node decapsulates the message after receiving it and forwards the decapsulated message, i.e. the flow sent by the source VM, to the first security service node; the first security service node performs security service processing on the flow and then sends the flow to the VTEP; the VTEP looks up the next-hop security service node, re-encapsulates the message and forwards it to the VTEP corresponding to the next-hop security service node; the above operations are repeated until all security service processing has been performed, after which the VTEP corresponding to the last security service node encapsulates the message according to the IP address of the VTEP corresponding to the destination VM and forwards it; after the VTEP corresponding to the destination VM receives the message, it decapsulates the message and sends it to the destination VM. The flow sent by the source VM thus reaches the destination VM through these security service nodes, thereby realizing the required security services.
Besides the VXLAN-based technology mentioned above, current implementation methods of a security service chain also include technologies such as NVGRE (Network Virtualization using Generic Routing Encapsulation) and GENEVE (Generic Network Virtualization Encapsulation). These technologies are all tunnel encapsulation technologies; for a virtualized server, tunnel encapsulation and decapsulation consume a great deal of server CPU resources and cause very low server performance, which means that east-west traffic running at nearly full line rate may suffer packet loss when processed by the security service chain. Moreover, an additional tunnel endpoint interface must be configured on the virtualized server to check which messages need to enter the tunnel and to decide, according to the configuration, what processing to perform on the messages that pass the check, which makes O&M extremely complex.
Content of the invention
In order to solve the problem that existing implementation methods of a security service chain, being based on tunnel encapsulation technology, cause low virtualized server performance and complex O&M, the present invention provides an implementation method of a cloud data center security service chain.
According to one aspect of the present invention, an implementation method of a cloud data center security service chain is provided, including:
Step 1: receiving a flow, sent through the exchange network by the vSwitch corresponding to the previous-hop security service node, that carries the VLAN information corresponding to the local security service node;
Step 2: if an access control policy matching the packet header information of the flow is found in the local flow table, stripping the VLAN from the flow and sending the VLAN-stripped flow to the local security service node through a virtual network port, so that the local security service node performs safety detection;
Step 3: after receiving from the local security service node the flow that has passed safety detection, modifying, according to the policy action in the matched access control policy, the VLAN information of the flow that has passed safety detection to the VLAN information corresponding to the next-hop security service node, and sending the flow with the modified VLAN information through the exchange network.
Step 1 further includes: if the local security service node is the first-hop security service node, receiving the flow, sent through the exchange network by the vSwitch corresponding to the source VM, that carries the VLAN information corresponding to the local security service node.
Step 3 further includes: if the local security service node is the last-hop security service node, modifying, according to the policy action in the matched access control policy, the VLAN information of the flow that has passed safety detection to the VLAN information corresponding to the destination VM; and sending the flow with the modified VLAN information through the exchange network to the vSwitch corresponding to the destination VM, so that the vSwitch corresponding to the destination VM strips the VLAN from the received flow and forwards it to the destination VM through the local virtual network port.
The packet header information is determined according to the user-defined safety rule, and the type of the packet header information includes one or more of: source port number, destination port number, protocol type, source IP address and destination IP address.
In step 2, the local flow table contains at least one access control policy. The access control policy is determined according to the user-defined safety rule and includes a first matching field and a first policy action, where the first matching field corresponds to the packet header information.
Before, in step 1, the flow sent through the exchange network by the vSwitch corresponding to the source VM and carrying the VLAN information corresponding to the local security service node is received, the method further includes:
after the vSwitch corresponding to the source VM receives multiple flows sent by the source VM, performing hash processing on the multiple flows;
according to the result of the hash processing, the vSwitch corresponding to the source VM confirms that a matching load balancing policy exists in the local flow table and, according to the policy action of the load balancing policy, forwards the multiple flows sent by the source VM to the vSwitches corresponding to the matched security service nodes respectively.
Performing hash processing on the multiple flows includes: applying a mask to the last m bits of the value of a feature field in the packet header information of each flow, where m is the value of log2 N rounded up and N is the number of security service chains; the feature field includes a port number field, an IP address field or a protocol type field.
The load balancing policy includes a second matching field and a second policy action.
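The hash-based load balancing described above (mask the last m = ceil(log2 N) bits of a feature field, then match the masked value against a load balancing policy whose action is the first-hop VLAN of one of the N chains), as an added example that is not code from the patent. The chain VLAN IDs and sample flows are constructed; how surplus buckets are assigned when N is not a power of two is this example's assumption, since the page does not say.

```python
import ipaddress
import math
from collections import Counter
from typing import Dict, List

# Constructed: N = 3 security service chains, each identified by the VLAN ID of
# its first-hop security service node (values assumed, not from the page).
FIRST_HOP_VLANS = [100, 300, 500]


def mask_width(n_chains: int) -> int:
    """m = ceil(log2 N): how many low-order bits of the feature field are kept."""
    if n_chains < 1:
        raise ValueError("need at least one security service chain")
    return math.ceil(math.log2(n_chains))


def feature_value(pkt: Dict[str, object], field: str) -> int:
    """Numeric value of the feature field: port number, IP address or protocol type."""
    if field in ("src_ip", "dst_ip"):
        return int(ipaddress.ip_address(pkt[field]))
    if field in ("src_port", "dst_port", "proto"):
        return int(pkt[field])
    raise ValueError(f"unsupported feature field {field!r}")


def hash_bucket(pkt: Dict[str, object], field: str, n_chains: int) -> int:
    """Hash processing from the page: keep only the last m bits of the feature field."""
    return feature_value(pkt, field) & ((1 << mask_width(n_chains)) - 1)


def build_lb_policies(first_hop_vlans: List[int]) -> Dict[int, int]:
    """Load balancing policies on the source VM's vSwitch: second matching field =
    masked value, second policy action = VLAN of that chain's first-hop SSE.
    When N is not a power of two there are 2**m > N buckets; mapping the surplus
    buckets modulo N is an assumption of this example, not something the page states."""
    n = len(first_hop_vlans)
    return {b: first_hop_vlans[b % n] for b in range(1 << mask_width(n))}


def select_chain_vlan(pkt: Dict[str, object], field: str,
                      first_hop_vlans: List[int]) -> int:
    """Per-flow decision of the source VM's vSwitch: hash, match the policy, retag."""
    bucket = hash_bucket(pkt, field, len(first_hop_vlans))
    return build_lb_policies(first_hop_vlans)[bucket]


def distribution(flows: List[Dict[str, object]], field: str,
                 first_hop_vlans: List[int]) -> Dict[int, int]:
    """Flows per chain; with N = 3 the modulo fold gives one chain twice the share."""
    return dict(Counter(select_chain_vlan(f, field, first_hop_vlans) for f in flows))


# Constructed sample flows from one source VM (ephemeral source ports 40000-40007).
SAMPLE_FLOWS = [{"src_ip": "1.1.1.1", "dst_ip": "2.2.2.2", "proto": 6,
                 "src_port": 40000 + i, "dst_port": 80} for i in range(8)]

if __name__ == "__main__":
    print(distribution(SAMPLE_FLOWS, "src_port", FIRST_HOP_VLANS))
```

The skew visible for N = 3 is the practical caveat of masking rather than hashing modulo N: balanced distribution needs N to be a power of two or an explicit bucket-to-chain assignment.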
According to another aspect of the present invention, a virtual switch is provided, including:
a receiving unit, for receiving a flow, sent through the exchange network by the virtual switch corresponding to the previous-hop security service node, that carries the VLAN information corresponding to the local security service node;
a flow table matching unit, for stripping the VLAN from the flow if an access control policy matching the packet header information of the flow is found in the local flow table, and sending the VLAN-stripped flow to the local security service node through a virtual network port, so that the local security service node performs safety detection;
a forwarding unit, for modifying, after the flow that has passed safety detection is received from the local security service node, the VLAN information of that flow to the VLAN information corresponding to the next-hop security service node according to the policy action in the matched access control policy, and sending the flow with the modified VLAN information through the exchange network.
According to another aspect of the present invention, a cloud data center security service chain is provided, including one or more virtual switches, a controller and security service nodes, where the virtual switches correspond to the security service nodes, the source VM and the destination VM, and where:
the controller is for receiving the user-defined safety rule and configuring the access control policy of each virtual switch according to the safety rule;
the security service node is for performing safety detection on the received flow and sending the flow that has passed safety detection through a virtual network port;
the virtual switch corresponding to a security service node is for performing a VLAN strip operation on a flow that needs safety detection and forwarding it to the security service node, or for modifying, according to the matched access control policy, the VLAN information of the flow that has passed safety detection to the VLAN information corresponding to the next-hop security service node and sending the flow with the modified VLAN information through the exchange network;
the virtual switch corresponding to the source VM is for introducing the flow sent from the source VM that needs safety detection into the first-hop security service node;
the virtual switch corresponding to the destination VM is for directing the flow sent by the last-hop security service node to the destination VM.
The implementation method of a cloud data center security service chain proposed by the present invention realizes the security service chain on the basis of the VLAN (Virtual LAN) protocol; its design is simple, its function is complete and its O&M cost is low, and it avoids the performance and O&M costs caused by tunnel encapsulation.
Brief description of the drawings
Fig. 1 is a schematic diagram of a prior-art security service chain model built on VXLAN;
Fig. 2 is a flow chart of an implementation method of a cloud data center security service chain provided according to one embodiment of the present invention;
Fig. 3 is a schematic diagram of a security service chain under a cloud data center network traffic model provided according to one embodiment of the present invention;
Fig. 4 is a schematic diagram of a security service chain under another cloud data center network traffic model according to one embodiment of the present invention;
Fig. 5 is a flow chart of an implementation method of a cloud data center security service chain provided according to another embodiment of the present invention;
Fig. 6 is a flow chart of an implementation method of a cloud data center security service chain provided according to another embodiment of the present invention;
Fig. 7 is a flow chart of an implementation method of a cloud data center security service chain based on Fig. 5, according to another embodiment of the present invention;
Fig. 8 is a schematic diagram of security service chain load balancing provided according to another embodiment of the present invention;
Fig. 9 is a structural schematic diagram of a virtual switch provided according to a further embodiment of the present invention.
Specific embodiment
The specific embodiments of the present invention are described in further detail below with reference to the accompanying drawings and examples. The following examples are intended to illustrate the present invention and do not limit its scope.
Fig. 2 shows an implementation method of a cloud data center security service chain provided by one embodiment of the present invention, including:
S21: receiving a flow, sent through the exchange network by the vSwitch corresponding to the previous-hop security service node, that carries the VLAN information corresponding to the local security service node;
S22: if an access control policy matching the packet header information of the flow is found in the local flow table, stripping the VLAN from the flow and sending the VLAN-stripped flow to the local security service node through a virtual network port, so that the local security service node performs safety detection;
S23: after receiving from the local security service node the flow that has passed safety detection, modifying, according to the policy action in the matched access control policy, the VLAN information of the flow that has passed safety detection to the VLAN information corresponding to the next-hop security service node, and sending the flow with the modified VLAN information through the exchange network.
With the continuing development of software defined networking and network function virtualization technology, the network of a cloud data center is a virtualized Overlay network, i.e. a virtual network carried on the physical network. A physical server of the cloud data center can create multiple virtual machines (Virtual Machine, VM) and virtual switches (Virtual Switch, referred to as vSwitch below) by running a hypervisor on it. When the traffic of the cloud data center is transmitted in the network, it generally needs to pass the detection of various security service nodes (Security Service Equipment, SSE) before the network can provide users with secure, fast and stable network services according to the design requirements. These security service nodes include the well-known firewalls (FireWalls), intrusion detection (Intrusion Prevention System), anti-virus devices and so on. Traffic passes through these security service nodes in the order required by the user-defined safety rule and passes their safety detection, thereby realizing the security service chain in the cloud data center network.
Specifically, a flow refers to a set of net packets in the network; a series of net packets with the same source IP address, destination IP address, protocol type, source port number and destination port number can be called a flow satisfying the same rule. For clarity of statement, the present invention refers to the different terms message, packet and datagram collectively as net packet. A LAN is divided into multiple VLAN subnets on the basis of the VLAN protocol, each subnet has a VLAN ID, and the VLAN information of a security service node refers to the VLAN ID value of the VLAN subnet to which the security service node belongs. The flow described in step S21 as carrying the VLAN information corresponding to the local security service node means that the vSwitch corresponding to the previous-hop security service node performed VLAN format conversion on the flow with the VLAN information corresponding to the local security service node, converting all net packets in the flow from the common layer-2 Ethernet message format to VLAN format; only after VLAN conversion can the flow be received by the vSwitch of the local security service node. The exchange network uses the conventional layer-2 network deployment: it is a switching matrix built on the layer-2 VLAN protocol, which can be abstractly understood as being composed of multiple switches or routers. This switching matrix ensures that virtual machines in the same VLAN subnet can still communicate normally at layer 2 without a security service chain, and that virtual machines in different VLAN subnets communicate normally through the layer-3 switches or routers in the exchange network.
Specifically, in step S22, the flow table defines the forwarding path of a flow; the flow table of each vSwitch contains at least one flow table entry, and each flow table entry contains a matching field and the instruction set to be executed after a successful match. The packet header information of the flow refers to the layer-2 to layer-4 net packet header information. The access control policy is one kind of flow table entry, used to filter flows, i.e. only user-defined flows are allowed to enter the security service chain; the access control policy is issued automatically to the vSwitch by the controller according to the user-defined safety rule. Stripping the VLAN from the flow means converting the flow carrying the VLAN information of the local security service node from VLAN format back to the common layer-2 Ethernet message format, so that the local security service node can perform safety detection on the received flow; the purpose of this arrangement is that the embodiment of the present invention does not require additionally configuring the security service node to process VLAN-format net packets. The local security service node communicates with its corresponding vSwitch through a virtual network port, and sends the flow that has passed safety detection to that vSwitch.
Specifically, in step S23, as mentioned above the access control policy is implemented as a flow table entry, so the policy action refers to the instruction set executed after a successful match; the policy action includes modifying the VLAN information of the flow and specifying to which destination port the flow is to be forwarded, etc. The policy action contains the VLAN information of the next-hop security service node, i.e. after the vSwitch corresponding to the local security service node performs the policy action on the received flow, the exchange network recognizes the VLAN information of the next-hop security service node carried in the header information of the flow and forwards the flow to the vSwitch corresponding to the next-hop security service node.
The implementation method of the security service chain specifically includes: the vSwitch corresponding to the local security service node receives the flow, sent through the exchange network by the vSwitch corresponding to the previous-hop security service node, that carries the VLAN information corresponding to the local security service node; if the vSwitch corresponding to the local security service node finds in its local flow table an access control policy matching the packet header information of the flow, it strips the VLAN from the flow and sends the VLAN-stripped flow to the local security service node through a virtual network port so that the local security service node performs safety detection; after receiving from the local security service node the flow that has passed safety detection, the vSwitch corresponding to the local security service node modifies, according to the policy action in the matched access control policy, the VLAN information of that flow to the VLAN information of the next-hop security service node and sends the flow with the modified VLAN information through the exchange network to the vSwitch corresponding to the next-hop security service node.
The implementation method of a cloud data center security service chain provided by the embodiment of the present invention uses the VLAN protocol to realize the forwarding of flows in the security service chain; its design is simple, its function is complete and its O&M cost is low.
For example, Fig. 3 is a schematic diagram of a security service chain under a cloud data center network traffic model provided by an embodiment of the present invention. It should be noted that the figure is only schematic: the numbers of virtual machines (VM), virtual switches (vSwitch) and security service nodes (SSE) may be larger and are not limited to the numbers in the figure, and the deployment of the exchange network may be more complex.
The user defines that the flow from VM1-1 to VM2-4 shall undergo safety detection by security service nodes SSE1-1, SSE2-2, SSE3-1 and SSE4-1. After receiving the user-defined safety rule, the controller configures the access control policies on the vSwitches corresponding to VM1-1, SSE1-1, SSE2-2, SSE3-1, SSE4-1 and VM2-4 respectively. Taking the access control policy on the vSwitch corresponding to SSE2-2 as an example: on receiving the flow sent by the vSwitch corresponding to SSE1-1, if the source IP address of the flow is 1.1.1.1 and the destination IP address is 2.2.2.2, modify its VLAN to 1000 and send it to network port 2. The vSwitch corresponding to the local security service node SSE2-2 receives the flow, sent through the exchange network by the vSwitch corresponding to the previous-hop security service node SSE1-1, that carries the VLAN information corresponding to the local security service node; the vSwitch corresponding to the local security service node SSE2-2 finds in its local flow table the access control policy matching the packet header information of the flow (source IP address 1.1.1.1, destination IP address 2.2.2.2), strips the VLAN from the flow and sends the VLAN-stripped flow through a virtual network port to the local security service node SSE2-2 so that SSE2-2 performs safety detection; after receiving from SSE2-2 the flow that has passed safety detection, the vSwitch corresponding to SSE2-2 modifies, according to the policy action in the matched access control policy, the VLAN information of that flow to VLAN 1000 of the next-hop security service node SSE3-1, forwards it from output port 2, and thus sends the flow with the modified VLAN information through the exchange network to the vSwitch corresponding to the next-hop security service node SSE3-1.
Each hop security service node in the security service chain performs the above operations on the flow; finally, the flow from VM1-1 passes the detection of security service nodes SSE1-1, SSE2-2, SSE3-1 and SSE4-1 in turn and reaches VM2-4.
The processing of the acknowledgement return flow sent from the destination VM is identical to the above flow. As shown in Fig. 4, for the acknowledgement return flow sent from the destination VM, the VLAN is likewise modified in turn to the VLAN received by each hop security service node and finally to the VLAN received by the source VM. This will not be repeated here.
Fig. 5 shows an implementation method of a cloud data center security service chain provided by another embodiment of the present invention. If the local security service node is the first-hop security service node, the method includes:
S51: receiving a flow, sent through the exchange network by the vSwitch corresponding to the source VM, that carries the VLAN information corresponding to the local security service node;
S52: if an access control policy matching the packet header information of the flow is found in the local flow table, stripping the VLAN from the flow and sending the VLAN-stripped flow to the local security service node through a virtual network port, so that the local security service node performs safety detection;
S53: after receiving from the local security service node the flow that has passed safety detection, modifying, according to the policy action in the matched access control policy, the VLAN information of the flow that has passed safety detection to the VLAN information corresponding to the next-hop security service node, and sending the flow with the modified VLAN information through the exchange network.
Specifically, if the local security service node is the first-hop security service node, the flow it receives comes from the vSwitch corresponding to the source VM. After receiving the flow sent by the source VM, the vSwitch corresponding to the source VM likewise performs access control policy matching to introduce the flow that needs safety detection into the security service chain: it queries whether its flow table contains an access control policy matching the packet header information of the flow sent by the source VM; if a matching access control policy exists, it modifies, according to the policy action in the matched access control policy, the VLAN information of the flow sent by the source VM to the VLAN information of the first-hop security service node, and the exchange network can then forward the flow sent by the source VM to the vSwitch corresponding to the first-hop security service node. If no access control policy matching the packet header information of the flow sent by the source VM is found, i.e. the flow sent by the source VM need not pass through the security service chain, the flow of the source VM is sent directly to the destination VM according to the forwarding path of the original exchange network.
The vSwitch corresponding to the first-hop security service node receives, through the exchange network, the traffic sent by the vSwitch corresponding to the source VM that carries the VLAN information corresponding to the local security service node. If the vSwitch corresponding to the first-hop security service node finds in its local flow table an access control policy matching the header information of the traffic, it strips the VLAN tag from the traffic and sends the stripped traffic through the virtual network port to the first-hop security service node, so that the first-hop security service node performs security detection on the stripped traffic. After the vSwitch corresponding to the first-hop security service node receives the traffic that has passed security detection from the first-hop security service node, it modifies, according to the policy action in the matching access control policy, the VLAN information of that traffic to the VLAN information of the next-hop security service node, and sends the traffic with the modified VLAN information through the exchange network to the vSwitch corresponding to the next-hop security service node.
In the implementation method of a cloud data center security service chain proposed by this embodiment of the present invention, the traffic sent from the source VM is introduced into the security service chain by the vSwitch corresponding to the first-hop security service node, so no additional traffic-steering interface needs to be configured, which makes operation and maintenance of the security service chain very simple.
For example, as shown in Fig. 3, take the access control policy on the vSwitch corresponding to SSE1-1: on receiving traffic sent by the vSwitch corresponding to VM1-1, if the source IP address of the traffic is 1.1.1.1 and the destination IP address is 2.2.2.2, modify its VLAN to 999 and send it to network port 3. The vSwitch corresponding to the first-hop security service node SSE1-1 receives, through the exchange network, the traffic sent by the vSwitch corresponding to VM1-1 that carries the VLAN information corresponding to the first-hop security service node. The vSwitch corresponding to SSE1-1 finds in its local flow table the access control policy matching the header information of the traffic (source IP address 1.1.1.1, destination IP address 2.2.2.2), strips the VLAN tag from the traffic, and sends the stripped traffic through the virtual network port to the first-hop security service node SSE1-1, so that SSE1-1 performs security detection. The vSwitch corresponding to SSE1-1 then receives the traffic that has passed security detection from SSE1-1, modifies, according to the policy action in the matching access control policy, the VLAN information of that traffic to VLAN 999 corresponding to the next-hop security service node SSE2-2, and sends the processed traffic from output port 3 through the exchange network to the vSwitch corresponding to the next-hop security service node SSE2-2.
Another embodiment of the present invention provides an implementation method of a cloud data center security service chain in which, if the local security service node is the last-hop security service node, the method includes:
S61: receive, through the exchange network, the traffic sent by the vSwitch corresponding to the previous-hop security service node that carries the VLAN information corresponding to the local security service node;
S62: if an access control policy matching the header information of the traffic is found in the local flow table, strip the VLAN tag from the traffic and send the stripped traffic through the virtual network port to the local security service node, so that the local security service node performs security detection;
S63: modify, according to the policy action in the matching access control policy, the VLAN information of the traffic that has passed security detection to the VLAN information corresponding to the destination VM;
S64: send the traffic with the modified VLAN information through the exchange network to the vSwitch corresponding to the destination VM, so that the vSwitch corresponding to the destination VM strips the VLAN tag from the received traffic and forwards it to the destination VM through the local virtual network port.
Specifically, if the local security service node is the last-hop security service node, the next hop of the last-hop security service node is the destination VM. The vSwitch corresponding to the destination VM receives the security-checked traffic with the modified VLAN information; because this traffic is in VLAN-tagged frame format, it must strip the VLAN tag and convert it into an ordinary Ethernet frame before forwarding it to the destination VM.
The vSwitch corresponding to the last-hop security service node receives, through the exchange network, the traffic sent by the vSwitch corresponding to the previous-hop security service node that carries the VLAN information corresponding to the local security service node. If the vSwitch corresponding to the last-hop security service node finds in its local flow table an access control policy matching the header information of the traffic, it strips the VLAN tag from the traffic and sends the stripped traffic through the virtual network port to the local security service node, so that the local security service node performs security detection. The vSwitch corresponding to the last-hop security service node then, according to the policy action in the matching access control policy, modifies the VLAN information of the traffic that has passed security detection to the VLAN information corresponding to the destination VM, and sends the traffic with the modified VLAN information through the exchange network to the vSwitch corresponding to the destination VM, so that the vSwitch corresponding to the destination VM strips the VLAN tag from the received traffic and forwards it to the destination VM through the local virtual network port.
In the implementation method of a cloud data center security service chain proposed by this embodiment of the present invention, the vSwitch corresponding to the last-hop security service node sends the traffic that has passed security detection to the destination VM, so no additional output interface needs to be configured, which makes operation and maintenance of the security service chain very simple.
For example, as shown in Fig. 3, take the access control policy on the vSwitch corresponding to the last-hop security service node SSE4-1: on receiving traffic sent by the vSwitch corresponding to SSE3-1, if the source IP address of the traffic is 1.1.1.1 and the destination IP address is 2.2.2.2, modify its VLAN to 1002 and send it to network port 2. The vSwitch corresponding to SSE4-1 receives, through the exchange network, the traffic sent by the vSwitch corresponding to the previous-hop security service node SSE3-1 that carries the VLAN information corresponding to the local security service node; it finds in its local flow table the access control policy matching the header information of the traffic (source IP address 1.1.1.1, destination IP address 2.2.2.2), strips the VLAN tag from the traffic, and sends the stripped traffic through the virtual network port to the local security service node SSE4-1, so that SSE4-1 performs security detection. After receiving the traffic that has passed security detection from the local security service node SSE4-1, the vSwitch corresponding to SSE4-1 modifies, according to the policy action in the matching access control policy, the VLAN information of that traffic to VLAN 1002 corresponding to the destination VM, and sends the processed traffic from output port 2 through the exchange network to the vSwitch corresponding to the destination VM, so that the vSwitch corresponding to the destination VM strips the VLAN tag from the received traffic and forwards it to the destination VM.
In another embodiment of the present invention, on the basis of the embodiments above, the header information is determined by the safety rule formulated by the user, and the type of the header information includes one or more of: source port number, destination port number, protocol type, source IP address and destination IP address.
Specifically, in this embodiment the header information of the traffic refers to one or more fields of the IP five-tuple, i.e. source IP address, destination IP address, protocol number, source port and destination port. Which header fields are used for matching against the access control policy is specified by the safety rule entered by the user; the whole five-tuple need not be used. For example, source IP address, destination IP address, protocol type, source port number and destination port number may all be used together for matching against the access control policy, or only one of these types may be specified, or none at all, in which case all IP traffic is matched.
The vSwitch corresponding to the local security service node determines, according to the safety rule specified by the user, which kind of header information is matched against the access control policy in its flow table; the type of the header information includes one or more of: source port number, destination port number, protocol type, source IP address and destination IP address.
In the implementation method of a security service chain provided by this embodiment of the present invention, the header information is determined by the safety rule specified by the user, so orchestration is flexible and simple and the security service chain can be deployed flexibly according to the user's business needs.
In another embodiment of the present invention, on the basis of the embodiments above, the local flow table contains at least one access control policy; the access control policy is determined by the safety rule formulated by the user and includes a first matching field and a first policy action, where the first matching field corresponds to the header information.
Specifically, an access control policy is a kind of flow table entry; it is configured by the controller according to the safety rule formulated by the user and then automatically delivered to the vSwitch. The first matching field corresponds to the header information: whichever type of header information is used, the first matching field adopts the same type. Specifically, the first matching field includes one or more of: source port number, destination port number, protocol type, source IP address and destination IP address. The first policy action is the instruction set to be executed after a successful match, and specifically includes: modifying the VLAN information of the received traffic to the VLAN information corresponding to the next-hop security service node, and specifying the output port for the processed traffic. The vSwitch corresponding to the local security service node forwards the received traffic to the next-hop security service node according to the first policy action.
The embodiment of the present invention can implement the virtual switch on the basis of Open vSwitch. Open vSwitch is a virtual switch led by Nicira Networks that runs on virtualization platforms such as KVM and Xen. On a virtualization platform it provides layer-2 switching for dynamically changing endpoints and gives better control over access policies, network isolation and traffic monitoring within the virtual network.
Take the access control policy on the vSwitch corresponding to SSE2-2 as an example: on receiving traffic sent by the vSwitch corresponding to SSE1-1, if the source IP address of the traffic is 1.1.1.1 and the destination IP address is 2.2.2.2, modify its VLAN to 1000 and send it to network port 2. In Open vSwitch, the corresponding access control policy on the vSwitch corresponding to SSE2-2 is:
in_port=1,ip,nw_src=1.1.1.1,nw_dst=2.2.2.2,actions=mod_vlan_vid:1000,output:2
where in_port is the input port number, ip is the protocol type, nw_src is the source IP address and nw_dst is the destination IP address; these four make up the first matching field of the access control policy. actions is the policy action to be executed after a successful match: mod_vlan_vid:1000 modifies the VLAN of the traffic to 1000, which is the VLAN information corresponding to the next-hop security service node, and output:2 sends the traffic out on port 2.
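The following is an added example, not code from the patent, that shows the data-plane side of steps S51 to S53 together with the ovs-ofctl policy form just described: each vSwitch holds a small flow table in that syntax, and a packet is driven from the source VM through two security service nodes to the destination VM, with the VLAN tag rewritten at each hop and stripped before the frame reaches the node or the destination VM. The switch names, the port convention (port 1 to the local SSE or VM, port 2 to the exchange network) and the VLAN-to-switch map are constructed assumptions; only the VLAN ids 999, 1000 and 1002 and the 5-tuple 1.1.1.1 to 2.2.2.2 come from the page.

```python
"""Added example, not the patent's own code: simulate how per-vSwitch access
control policies (in ovs-ofctl match/action syntax, as on the page) steer one
flow through a VLAN-based security service chain and deliver it untagged at
the destination VM.

Switch names, the port convention and the VLAN-to-switch map are constructed
assumptions.  The VLAN ids 999, 1000 and 1002 and the 5-tuple 1.1.1.1 ->
2.2.2.2 are the page's own example values.
"""

# Port convention (assumption): port 1 is the virtual network port to the
# local SSE or VM, port 2 is the uplink into the exchange network.
SSE_PORT, UPLINK = 1, 2

FIVE_TUPLE = "ip,nw_src=1.1.1.1,nw_dst=2.2.2.2"

# One flow table per vSwitch, each entry in ovs-ofctl syntax.
FLOW_TABLES = {
    # entrance: the source VM's vSwitch tags inspected flows with the first hop's VLAN
    "vsw-VM1-1": [
        f"in_port={SSE_PORT},{FIVE_TUPLE},actions=mod_vlan_vid:999,output:{UPLINK}",
    ],
    "vsw-SSE1-1": [
        # tagged with our VLAN from the network: strip and hand to the SSE
        f"in_port={UPLINK},dl_vlan=999,{FIVE_TUPLE},actions=strip_vlan,output:{SSE_PORT}",
        # back from the SSE after detection: retag for the next hop
        f"in_port={SSE_PORT},{FIVE_TUPLE},actions=mod_vlan_vid:1000,output:{UPLINK}",
    ],
    "vsw-SSE2-2": [
        f"in_port={UPLINK},dl_vlan=1000,{FIVE_TUPLE},actions=strip_vlan,output:{SSE_PORT}",
        # last hop: retag with the destination VM's VLAN
        f"in_port={SSE_PORT},{FIVE_TUPLE},actions=mod_vlan_vid:1002,output:{UPLINK}",
    ],
    # exit: the destination VM's vSwitch strips the tag and delivers the frame
    "vsw-VM2-4": [
        f"in_port={UPLINK},dl_vlan=1002,{FIVE_TUPLE},actions=strip_vlan,output:{SSE_PORT}",
    ],
}

# The exchange network forwards by VLAN: which vSwitch uplink owns each VLAN id.
VLAN_OWNER = {999: "vsw-SSE1-1", 1000: "vsw-SSE2-2", 1002: "vsw-VM2-4"}


def parse_rule(text):
    """Split 'k=v,...,actions=a:x,b:y' into (match dict, action list).

    Bare keywords such as 'ip' or 'tcp' become key: True; numeric values
    become ints; 'strip_vlan' has no argument and gets None."""
    match_text, _, action_text = text.partition("actions=")
    match = {}
    for tok in match_text.strip(" ,").split(","):
        key, _, val = tok.partition("=")
        match[key] = int(val) if val.isdigit() else (val or True)
    actions = []
    for tok in action_text.strip().strip('"').split(","):
        name, _, arg = tok.partition(":")
        actions.append((name, int(arg) if arg else None))
    return match, actions


def lookup(table, pkt):
    """Actions of the first entry whose match fields all equal the packet's, else None."""
    for rule in table:
        match, actions = parse_rule(rule)
        if all(pkt.get(k) == v for k, v in match.items()):
            return actions
    return None


def walk_chain(pkt, source_switch="vsw-VM1-1", max_hops=16):
    """Drive one packet through the vSwitches; return (hop log, final packet).

    Log entries: '<switch>:inspected' when the local SSE received the stripped
    frame, '<switch>:delivered' at the destination VM, '<switch>:no-match' when
    no policy matched (at the entrance the page forwards such traffic normally)."""
    pkt = dict(pkt, in_port=SSE_PORT)  # the frame arrives untagged from the VM
    switch, log = source_switch, []
    for _ in range(max_hops):
        actions = lookup(FLOW_TABLES[switch], pkt)
        if actions is None:
            log.append(f"{switch}:no-match")
            return log, pkt
        out_port = None
        for name, arg in actions:
            if name == "mod_vlan_vid":
                pkt["dl_vlan"] = arg
            elif name == "strip_vlan":
                pkt.pop("dl_vlan", None)
            elif name == "output":
                out_port = arg
        if out_port == UPLINK:
            # exchange network: the tagged frame reaches the switch owning the VLAN
            switch, pkt["in_port"] = VLAN_OWNER[pkt["dl_vlan"]], UPLINK
        elif switch.startswith("vsw-SSE"):
            # the SSE inspects the untagged frame and returns it on the same port
            log.append(f"{switch}:inspected")
            pkt["in_port"] = SSE_PORT
        else:
            log.append(f"{switch}:delivered")
            return log, pkt
    raise RuntimeError("forwarding loop")


INSPECTED = {"ip": True, "nw_src": "1.1.1.1", "nw_dst": "2.2.2.2"}  # constructed
BYPASSED = {"ip": True, "nw_src": "1.1.1.1", "nw_dst": "3.3.3.3"}   # constructed

if __name__ == "__main__":
    print(walk_chain(INSPECTED))
    print(walk_chain(BYPASSED))
```

The point worth checking in the walk is that the frame the SSE sees and the frame the destination VM receives both lack a dl_vlan field: the tag exists only on the exchange-network legs, which is what allows the same access control policy to key on the VLAN for ingress and on the input port for the post-detection rewrite.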
In the implementation method of a cloud data center security service chain provided by this embodiment of the present invention, the access control policy is obtained from the safety rule formulated by the user, so the security service chain can be deployed flexibly according to the user's business needs.
In another embodiment of the present invention, on the basis of the embodiment above, as shown in Fig. 7, before step S51 of Fig. 5 (receiving the traffic, sent through the exchange network by the vSwitch corresponding to the source VM, that carries the VLAN information corresponding to the local security service node), the method further includes:
S71: after the vSwitch corresponding to the source VM receives multiple flows sent by the source VM, it performs hash processing on the multiple flows;
S72: according to the result of the hash processing, the vSwitch corresponding to the source VM confirms that a matching load balancing policy exists in the local flow table and, according to the policy action of the load balancing policy, forwards the multiple flows sent by the source VM to the vSwitches corresponding to the respectively matching security service nodes.
Specifically, for multiple security service chains, balanced processing of traffic among the chains is achieved by adding a load balancing policy at the entrance of the service chains. After the vSwitch corresponding to the source VM receives multiple flows sent by the source VM, it first performs hash processing on them. It then searches its local flow table, according to the hash result, for a matching load balancing policy. Different flows yield different hash values after hashing, and different hash values match different load balancing policies, so the policy action in the load balancing policy modifies the VLAN of each flow to the VLAN received by the first security service node of a different security service chain. Each flow is thus distributed to a different security service chain for processing, and the last-hop security service node of each chain modifies the VLAN of the flow to the VLAN received by the final VM, completing the parallel processing of different security service chains. For return traffic the same policy is applied, which ensures that traffic belonging to the same session is assigned to the same service chain for processing.
In the implementation method of a cloud data center security service chain provided by this embodiment of the present invention, adding a load balancing policy at the entrance of the security service chain further improves the security protection performance of the security service chain.
As shown in Fig. 8, traffic flowing out of VM-1-1 is, after processing by the default policy node, distributed to two different security service chains, namely VM-1-1 → SSE-1-1 → SSE-2-2 → SSE-1-3 → SSE-1-4 → VM-2-4 and VM-1-1 → SSE-2-1 → SSE-1-2 → SSE-2-3 → SSE-2-4 → VM-2-4. After the two service chains have finished processing, the VLAN of the traffic is modified to the same VLAN received by VM-2-4, so it is received by VM-2-4. The reverse traffic VM-2-4 → VM-1-1 is processed in the same way: if the web traffic of VM-1-1 → VM-2-4 is processed by the upper security service chain and the SSH traffic by the lower security service chain, then the reverse web traffic is likewise balanced by the policy to the upper security service chain, and the reverse SSH traffic is likewise balanced to the lower security service chain.
In another embodiment of the present invention, on the basis of the embodiment above, performing hash processing on the multiple flows includes: applying a mask to the last m bits of a feature field in the header information of each flow, where m is the value of log2 N rounded up, N is the number of security service chains, and the feature field includes a port number field, an IP address field or a protocol type field.
Specifically, the header information of the traffic includes one or more of: source port number, destination port number, protocol type, source IP address and destination IP address. The feature field includes a port number field, an IP address field or a protocol type field, where the port number field is the source port number and destination port number, the IP address field is the source IP address and destination IP address, and the protocol type field includes IP, TCP, UDP, SCTP, etc. The number of security service chains is obtained from the safety rule formulated by the user.
After the vSwitch corresponding to the source VM receives multiple flows sent by the source VM, it computes, from the number N of security service chains, the value M of log2 N rounded up, and applies a mask to the last M bits of the feature field in the header information of each flow.
In the implementation method of a cloud data center security service chain provided by this embodiment of the present invention, the hash processing method can be chosen according to the number of security service chains, which further improves the security protection performance of the security service chain.
For example, for the TCP protocol, if the controller creates 2 security service chains according to the safety rule formulated by the user, a mask is applied to the last bit of the port number field in the header information of each flow. If the controller creates 4 security service chains according to the user's safety rule, then since log2 4 = 2, a mask is applied to the last 2 bits of the port number field in the header information of each flow. If the controller creates 3 security service chains according to the user's safety rule, then since log2 3 rounded up is 2, a mask is applied to the last 2 bits of the port number field in the header information of each flow.
In another embodiment of the present invention, on the basis of the embodiment above, the load balancing policy includes a second matching field and a second policy action.
The load balancing policy is a kind of flow table entry and therefore includes a second matching field and a second policy action. The second matching field contains the different hash values obtained by hashing the feature field of the traffic, and the second policy action matches traffic to different security service chains according to the different hash values.
In the implementation method of a cloud data center security service chain provided by this embodiment of the present invention, distributing different traffic to different security service chains through a load balancing policy improves the security protection performance of the security service chain and achieves better performance.
For example, for the TCP protocol, if the controller creates 2 security service chains according to the safety rule formulated by the user, a mask is applied to the last bit of the port number field in the header information of each flow, and traffic is matched to different security service chains according to the different hash values. The load balancing policy is as follows:
traffic whose source port number and destination port number are both odd or both even is distributed to service chain A for processing;
traffic whose source port number and destination port number are one odd and one even is distributed to service chain B for processing.
In Open vSwitch, the above load balancing policy is implemented as follows (each flow specification is a single argument, so it contains no spaces):
ovs-ofctl add-flow ovsbr in_port=1,ip,tcp,tp_src=0/0x0001,tp_dst=0/0x0001,actions="mod_vlan_vid:1001,output:2"
ovs-ofctl add-flow ovsbr in_port=1,ip,tcp,tp_src=1/0x0001,tp_dst=1/0x0001,actions="mod_vlan_vid:1001,output:2"
ovs-ofctl add-flow ovsbr in_port=1,ip,tcp,tp_src=0/0x0001,tp_dst=1/0x0001,actions="mod_vlan_vid:1002,output:2"
ovs-ofctl add-flow ovsbr in_port=1,ip,tcp,tp_src=1/0x0001,tp_dst=0/0x0001,actions="mod_vlan_vid:1002,output:2"
If there are 4 service chains, log2 4 = 2 bits can be used for the hash processing, and the load balancing policy is as follows:
traffic whose last 2 bits of the source port number and of the destination port number are both 00, both 01, both 10 or both 11 is distributed to service chain A for processing;
traffic whose last 2 bits are 00 and 01 respectively, or 10 and 11 respectively, is distributed to service chain B for processing;
traffic whose last 2 bits are 00 and 10 respectively, or 01 and 11 respectively, is distributed to service chain C for processing;
traffic whose last 2 bits are 00 and 11 respectively, or 01 and 10 respectively, is distributed to service chain D for processing.
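The following is an added example, not code from the patent, covering the mask-width rule (m = log2 N rounded up) and the two load balancing tables above. Both of the page's tables are reproduced by one rule: XOR the masked low bits of the source and destination port (both-odd and both-even flows share a chain with one bit; with two bits the pairs 00/11 and 01/10 share a chain, and so on). That XOR rule is an inference drawn from the page's tables, and the modulo fold used when N is not a power of two, the chain letters and the VLAN assignment (1001 + chain index, which reproduces the page's 1001 and 1002 for two chains) are assumptions of this example. Because XOR is commutative, the reverse direction of a session lands on the same chain, which is the property the page relies on for return traffic.

```python
"""Added example, not the patent's own code: hash-based load balancing at the
entrance of N security service chains, keyed on the low bits of TCP ports."""
import math


def mask_bits(n_chains):
    """m = ceil(log2 N): the number of low-order port bits the hash uses."""
    if n_chains < 2:
        raise ValueError("load balancing needs at least two service chains")
    return math.ceil(math.log2(n_chains))


def hash_bucket(tp_src, tp_dst, n_chains):
    """XOR of the masked low bits of the source and destination port.

    Inferred from the page's tables: with one bit, both-odd and both-even
    flows share a chain; with two bits, the pairs 00/11 and 01/10 share one."""
    mask = (1 << mask_bits(n_chains)) - 1
    return (tp_src & mask) ^ (tp_dst & mask)


def chain_for(tp_src, tp_dst, n_chains):
    """Letter of the chain a flow is assigned to (A, B, C, ...)."""
    bucket = hash_bucket(tp_src, tp_dst, n_chains)
    # Assumption of this example: when N is not a power of two, the surplus
    # buckets are folded onto the existing chains modulo N.
    return chr(ord("A") + bucket % n_chains)


def session_is_sticky(tp_src, tp_dst, n_chains):
    """Both directions of one session reach the same chain (XOR commutes)."""
    return chain_for(tp_src, tp_dst, n_chains) == chain_for(tp_dst, tp_src, n_chains)


def ovs_rules(n_chains, bridge="ovsbr", in_port=1, out_port=2, vlan_base=1001):
    """ovs-ofctl add-flow lines in the page's style (tp_src=value/mask).

    Assumption: chain i (A=0, B=1, ...) is entered by tagging VLAN vlan_base+i,
    which reproduces the page's 1001/1002 for two chains."""
    m = mask_bits(n_chains)
    mask = (1 << m) - 1
    lines = []
    for src in range(1 << m):
        for dst in range(1 << m):
            vlan = vlan_base + hash_bucket(src, dst, n_chains) % n_chains
            lines.append(
                f"ovs-ofctl add-flow {bridge} in_port={in_port},ip,tcp,"
                f"tp_src={src}/{mask:#06x},tp_dst={dst}/{mask:#06x},"
                f'actions="mod_vlan_vid:{vlan},output:{out_port}"'
            )
    return lines


if __name__ == "__main__":
    # constructed sample ports: an SSH session and a web session
    for n in (2, 3, 4):
        print(n, "chains, mask", mask_bits(n), "bit(s):",
              chain_for(54321, 22, n), chain_for(54322, 80, n))
    print("\n".join(ovs_rules(2)))
```

A practical check when rolling such rules out is that the rule count grows as 4^m (4 entries for two chains, 16 for four), so the mask width, not the chain count, decides how many flow entries the entrance vSwitch carries.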
A further embodiment of the present invention provides a virtual switch which, as shown in Fig. 9, includes a receiving unit 901, a flow table matching unit 902 and a forwarding unit 903, where:
the receiving unit 901 is configured to receive, through the exchange network, the traffic sent by the virtual switch corresponding to the previous-hop security service node that carries the VLAN information corresponding to the local security service node;
the flow table matching unit 902 is configured to, if an access control policy matching the header information of the traffic is found in the local flow table, strip the VLAN tag from the traffic and send the stripped traffic through the virtual network port to the local security service node, so that the local security service node performs security detection;
the forwarding unit 903 is configured to, after receiving the traffic that has passed security detection from the local security service node, modify, according to the policy action in the matching access control policy, the VLAN information of that traffic to the VLAN information corresponding to the next-hop security service node, and send the traffic with the modified VLAN information through the exchange network.
Specifically, the receiving unit 901 receives, through the exchange network, the traffic sent by the virtual switch corresponding to the previous-hop security service node that carries the VLAN information corresponding to the local security service node. The flow table matching unit 902 looks up in the local flow table whether an access control policy matching the header information of the traffic exists; if a matching access control policy exists, it strips the VLAN tag from the traffic, converting the traffic carrying the VLAN information of the local security service node from VLAN format into an ordinary layer-2 Ethernet frame, and sends the stripped traffic through the virtual network port to the local security service node, so that the local security service node performs security detection on the traffic. The forwarding unit 903, after receiving the traffic that has passed security detection from the local security service node, modifies, according to the policy action in the matching access control policy, the VLAN information of that traffic to the VLAN information of the next-hop security service node, and forwards the traffic with the modified VLAN information through the exchange network to the virtual switch corresponding to the next-hop security service node.
The virtual switch provided by this embodiment of the present invention steers traffic to the security service node for security detection by matching access control policies, which simplifies the implementation of the security service chain; no additional interface needs to be configured for access control, and operation and maintenance are simple.
A further embodiment of the present invention provides a cloud data center security service chain, including one or more virtual switches, a controller and security service nodes, where each virtual switch corresponds to a security service node, a source VM or a destination VM, and where:
the controller is configured to receive the user-defined safety rule and to configure the access control policy of each virtual switch according to the safety rule;
the security service node is configured to perform security detection on the received traffic and to send the traffic that has passed security detection through the virtual network port;
the virtual switch corresponding to the security service node is configured to perform a VLAN strip operation on traffic that needs security detection and forward it to the security service node; or to modify, according to the matching access control policy, the VLAN information of the traffic that has passed security detection to the VLAN information corresponding to the next-hop security service node, and send the traffic with the modified VLAN information through the exchange network;
the virtual switch corresponding to the source VM is configured to introduce the traffic sent from the source VM that needs security detection into the first-hop security service node;
the virtual switch corresponding to the destination VM is configured to lead the traffic sent by the last-hop security service node to the destination VM.
Specifically, the user-defined safety rule specifies which security service nodes, in order, a particular flow is to be inspected by. The controller determines from the user-defined safety rule which types of header information are used and accordingly determines the matching field of the access control policy; it determines the forwarding path of the traffic from the sequence of security service nodes the traffic passes through, and sets the policy action in the access control policy on that basis. The controller then delivers the established access control policies to the individual virtual switches.
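The following is an added example, not code from the patent, of the controller step just described: one user-defined safety rule (the header fields to match and the ordered list of security service nodes) is compiled into the access control policies delivered to each vSwitch, in ovs-ofctl syntax. It assumes that port 1 of every vSwitch is the virtual network port to its local SSE or VM and port 2 its uplink into the exchange network, that vSwitches are named vsw-<node>, and that the VLAN table passed in is what the controller allocated; the page supplies only the form of the rules and the example VLANs 999, 1000 and 1002.

```python
"""Added example, not the patent's own code: compile one user-defined safety
rule into per-vSwitch access control policies in ovs-ofctl syntax.

Assumptions: port 1 = virtual network port to the local SSE or VM, port 2 =
uplink into the exchange network, vSwitches named 'vsw-<node>', and a VLAN
table allocated by the controller.
"""

SSE_PORT, UPLINK = 1, 2


def header_match(nw_src=None, nw_dst=None, proto=None, tp_src=None, tp_dst=None):
    """OVS match text for whichever header fields the user's rule selected.

    Any subset may be given; an empty selection yields plain 'ip', i.e. all IP
    traffic, as the page describes.  Port fields only make sense together with
    a transport protocol keyword (tcp/udp/sctp), so that is enforced."""
    if proto is None and (tp_src is not None or tp_dst is not None):
        raise ValueError("port number matching requires a protocol type")
    parts = ["ip"] + ([proto] if proto else [])
    for key, val in (("nw_src", nw_src), ("nw_dst", nw_dst),
                     ("tp_src", tp_src), ("tp_dst", tp_dst)):
        if val is not None:
            parts.append(f"{key}={val}")
    return ",".join(parts)


def compile_chain(match, chain, src_vm, dst_vm, vlan_of):
    """Return {vswitch name: [flow entries]} implementing one service chain.

    match   - output of header_match(): the first matching field
    chain   - list of SSE names, first hop first
    vlan_of - VLAN id allocated to every SSE in the chain and to dst_vm"""
    if not chain:
        raise ValueError("a security service chain needs at least one SSE")
    chain = list(chain)
    tables = {}
    # entrance: tag traffic that needs detection with the first hop's VLAN
    tables[f"vsw-{src_vm}"] = [
        f"in_port={SSE_PORT},{match},actions=mod_vlan_vid:{vlan_of[chain[0]]},output:{UPLINK}"
    ]
    next_hop = dict(zip(chain, chain[1:] + [dst_vm]))  # last SSE -> destination VM
    for sse in chain:
        tables[f"vsw-{sse}"] = [
            # from the exchange network with our VLAN: strip, hand to the SSE
            f"in_port={UPLINK},dl_vlan={vlan_of[sse]},{match},actions=strip_vlan,output:{SSE_PORT}",
            # back from the SSE after detection: retag for the next hop
            f"in_port={SSE_PORT},{match},actions=mod_vlan_vid:{vlan_of[next_hop[sse]]},output:{UPLINK}",
        ]
    # exit: the destination VM's vSwitch strips the tag and delivers the frame
    tables[f"vsw-{dst_vm}"] = [
        f"in_port={UPLINK},dl_vlan={vlan_of[dst_vm]},{match},actions=strip_vlan,output:{SSE_PORT}"
    ]
    return tables


# Constructed sample: 1.1.1.1 -> 2.2.2.2 through SSE1-1 and then SSE2-2.
SAMPLE_VLANS = {"SSE1-1": 999, "SSE2-2": 1000, "VM2-4": 1002}

if __name__ == "__main__":
    policies = compile_chain(header_match(nw_src="1.1.1.1", nw_dst="2.2.2.2"),
                             ["SSE1-1", "SSE2-2"], "VM1-1", "VM2-4", SAMPLE_VLANS)
    for switch, rules in policies.items():
        for rule in rules:
            print(f"ovs-ofctl add-flow {switch} {rule}")
```

The rewrite rule on each SSE's vSwitch keys on in_port rather than on a VLAN because the frame coming back from the node is untagged; the ingress rule keys on dl_vlan because that is the only field distinguishing traffic addressed to this hop from traffic of the same 5-tuple passing through another chain.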
The security service node performs security detection on the received traffic; as mentioned in the embodiments above there are many types of security service node, so that multi-faceted security protection can be applied to the traffic. After the detection processing of a security service node is complete, the traffic is forwarded out through the local virtual network port so that it can enter the next-hop security service node.
The virtual switch corresponding to the security service node is the virtual switch provided in the embodiment above and is not described again here.
The virtual switch corresponding to the source VM can be regarded as the entrance of the security service chain; it introduces the traffic that needs to enter the security service chain into the first-hop security service node. Specifically, it looks up in its local flow table whether an access control policy matching the header information of the traffic exists. If one exists, the traffic needs security detection, so according to the policy action in the matching access control policy it modifies the VLAN information of the traffic to the VLAN information corresponding to the first-hop security service node and forwards it. If none exists, the traffic does not need security detection and is sent to the destination VM along the ordinary forwarding path.
The virtual switch corresponding to the destination VM can be regarded as the exit of the security service chain; it leads the traffic sent by the last-hop security service node out of the security service chain and sends it to the destination VM, completing the communication between the source VM and the destination VM.
The cloud data center security service chain proposed by the present invention can be deployed flexibly according to the user's security requirements; its design is simple, its functions are complete, its operation and maintenance cost is low, and it achieves a good security protection effect.
Finally, the methods of the present application are only preferred embodiments and are not intended to limit the scope of the present invention. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (10)
1. a kind of implementation method of cloud data center security service chain, it is characterised in that including:
Step 1, receive upper hop security service node corresponding to vSwitch sent by exchange network, carry locally
The flow of the vlan information corresponding to security service node;
Step 2, if inquiring the access control policy matched with the header packet information of the flow in local flow table, to institute
Stating flow carries out VLAN strippings, and is sent to local security the flow after VLAN is peeled off by virtual network interface
Service node, so that the local security service node carries out safety detection;
Step 3, receive local security service node transmission by after the flow of safety detection, according to the access of the matching
The vlan information of the flow by safety detection is revised as next-hop security service section by the policy action in control strategy
The corresponding vlan information of point, and the amended flow by safety detection of vlan information is sent by exchange network.
2. the implementation method of security service chain according to claim 1, it is characterised in that step 1 also includes:If described
Security service node in ground is the first jump security service node,
It is that vSwitch corresponding to the VM of reception source is sent by exchange network, carry corresponding to local security service node
The flow of vlan information.
3. the implementation method of security service chain according to claim 1, it is characterised in that step 3 is further included:If institute
Local security service node is stated for final jump security service node,
The policy action in access control policy according to the matching will be changed by the vlan information of the flow of safety detection
Vlan information corresponding to purpose VM;
Sent corresponding to the amended flow by safety detection of vlan information to purpose VM by exchange network
VSwitch, peels off and by local virtual net so that the vSwitch corresponding to purpose VM carries out VLAN to received flow
Network port is transmitted to purpose VM.
4. The implementation method of a security service chain according to any one of claims 1 to 3, characterised in that the packet header information is determined according to a user-defined security rule, and the type of the packet header information includes one or more of: source port number, destination port number, protocol type, source IP address and destination IP address.
5. The implementation method of a security service chain according to any one of claims 1 to 3, characterised in that the local flow table in step 2 contains at least one access control policy, the access control policy is determined according to a user-defined security rule, and the access control policy includes a first matching field and a first policy action, wherein the first matching field corresponds to the packet header information.
6. The implementation method of a security service chain according to claim 2, characterised in that, before the flow carrying the VLAN information corresponding to the local security service node is received in step 1 from the vSwitch corresponding to the source VM through the switching network, the method further includes:
after the vSwitch corresponding to the source VM receives multiple flows sent by the source VM, performing hash processing on the multiple flows;
the vSwitch corresponding to the source VM confirming, according to the result of the hash processing, that a matching load-balancing policy exists in the local flow table, and forwarding, according to the policy action of the load-balancing policy, the multiple flows sent by the source VM respectively to the vSwitches corresponding to the matching security service nodes.
7. The implementation method of a security service chain according to claim 6, characterised in that performing hash processing on the multiple flows includes: applying a mask to the value of the last m bits of a feature field in the packet header information of each flow, where m is the value of log2 N rounded up, N is the number of security service chains, and the feature field includes a port number field, an IP address field or a protocol type field.
8. The implementation method of a security service chain according to claim 6, characterised in that the load-balancing policy includes a second matching field and a second policy action.
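As an added illustration, not code from the patent, the hash-based dispatch of claims 6 to 8 in Python: m is taken as log2 N rounded up, the key is the last m bits of a feature field, and a load-balancing table maps each key to the first-hop vSwitch of one chain. The vSwitch names, port values and the modulo folding of surplus keys (when N is not a power of two) are assumptions of this example.

```python
import math

def mask_bits(n_chains):
    # m = ceil(log2 N): how many low-order bits of the feature field survive the
    # mask (claim 7). With a single chain no bits are needed.
    return math.ceil(math.log2(n_chains)) if n_chains > 1 else 0

def hash_key(feature_value, n_chains):
    # "Hash processing" of claim 7: keep only the last m bits of the feature field.
    return feature_value & ((1 << mask_bits(n_chains)) - 1)

def build_lb_policies(n_chains, first_hop_vswitch):
    # Load-balancing policy (claim 8): second matching field = masked value,
    # second policy action = forward to the first-hop vSwitch of one chain.
    # When N is not a power of two there are 2^m keys for N chains; folding the
    # surplus keys with modulo is an assumption of this example, not the claims'.
    return {key: first_hop_vswitch[key % n_chains]
            for key in range(1 << mask_bits(n_chains))}

def dispatch(flows, n_chains, first_hop_vswitch, feature="src_port"):
    """Source-VM vSwitch behaviour of claim 6: hash each flow, match the
    load-balancing policy, forward to the matching chain's first-hop vSwitch."""
    policies = build_lb_policies(n_chains, first_hop_vswitch)
    per_vswitch = {}
    for flow in flows:
        # Every packet of one flow has the same feature value, so the whole
        # flow stays on one chain and its stateful detection is not split.
        target = policies[hash_key(flow[feature], n_chains)]
        per_vswitch.setdefault(target, []).append(flow)
    return per_vswitch

if __name__ == "__main__":
    # Constructed sample: three chains, five flows from the source VM that differ
    # only in source port (sample values, not from the patent).
    chains = ["vsw-chain0", "vsw-chain1", "vsw-chain2"]
    sample = [{"src_port": p, "dst_port": 80} for p in range(40000, 40005)]
    for target, fl in dispatch(sample, 3, chains).items():
        print(target, [f["src_port"] for f in fl])
```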
9. A virtual switch, characterised in that it includes:
a receiving unit, configured to receive the flow, carrying the VLAN information corresponding to the local security service node, that is sent through the switching network by the virtual switch corresponding to the previous-hop security service node;
a flow table matching unit, configured to, if an access control policy matching the packet header information of the flow is found in the local flow table, strip the VLAN tag from the flow and send the VLAN-stripped flow to the local security service node through a virtual network interface, so that the local security service node performs security detection;
a forwarding unit, configured to, after receiving from the local security service node the flow that has passed security detection, modify, according to the policy action in the matching access control policy, the VLAN information of the flow that has passed security detection to the VLAN information corresponding to the next-hop security service node, and send the flow with the modified VLAN information through the switching network.
10. A cloud data center security service chain, characterised in that it includes: one or more virtual switches according to claim 9, a controller and security service nodes, wherein the virtual switches correspond to the security service nodes, the source VM and the destination VM, and wherein:
the controller is configured to receive user-defined security rules and to configure the access control policy of each virtual switch according to the security rules;
the security service node is configured to perform security detection on the received flow and to send the flow that has passed security detection through a virtual network interface;
the virtual switch corresponding to the security service node is configured to perform a VLAN stripping operation on the flow that requires security detection and forward it to the security service node; or to modify, according to the matching access control policy, the VLAN information of the flow that has passed security detection to the VLAN information corresponding to the next-hop security service node, and to send the flow with the modified VLAN information through the switching network;
the virtual switch corresponding to the source VM is configured to steer the flow that is sent from the source VM and requires security detection into the first-hop security service node;
the virtual switch corresponding to the destination VM is configured to steer the flow sent by the last-hop security service node to the destination VM.
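As an added example, not code from the patent, the per-hop vSwitch logic of claims 1 to 3 (and the units of claims 9 and 10) simulated in Python: flow table match on the 5-tuple, VLAN strip, local detection, VLAN rewrite to the next hop, and final delivery by the destination vSwitch. The VLAN ids, the two-node IDS-then-firewall chain and the detection rule are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
# Constructed topology (an assumption of this example, not from the patent): VLAN ids
# for each security service node's vSwitch and the destination VM; chain is IDS -> FW.
VLAN_OF = {"ids": 100, "fw": 200, "dst_vm": 300}
NODE_OF_VLAN = {v: k for k, v in VLAN_OF.items()}

@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    vlan: Optional[int]                        # None while the VLAN tag is stripped
    path: list = field(default_factory=list)   # what each vSwitch did, hop by hop

    def header(self):
        # Packet header information of claim 4 (5-tuple) that the flow table matches on.
        return (self.src_ip, self.dst_ip, self.proto, self.src_port, self.dst_port)

def build_flow_tables(rule_header):
    # Controller (claim 10) installs one access control policy per node vSwitch:
    # first matching field = header, first policy action = next-hop VLAN (claim 5).
    return {"ids": {rule_header: {"next_vlan": VLAN_OF["fw"]}},
            "fw": {rule_header: {"next_vlan": VLAN_OF["dst_vm"]}}}

def detect(node, flow):
    # Security detection at the node; constructed rule standing in for a real IDS/FW.
    return not (node == "fw" and flow.dst_port == 23)   # constructed: fw blocks telnet
def service_node_vswitch(node, flow_table, flow):
    """Steps 2 and 3 of claim 1 at the vSwitch of one security service node."""
    policy = flow_table.get(flow.header())
    if policy is None:                       # no matching access control policy
        flow.path.append(f"{node}:no-policy-drop")
        return None
    flow.vlan = None                         # step 2: strip the tag, hand to the node
    if not detect(node, flow):
        flow.path.append(f"{node}:blocked")
        return None
    flow.vlan = policy["next_vlan"]          # step 3: rewrite to the next hop's VLAN
    flow.path.append(f"{node}:pass->vlan{flow.vlan}")
    return flow

def run_chain(flow, tables):
    """Source vSwitch tags for the first hop (claim 2); last hop delivers (claim 3)."""
    flow.vlan = VLAN_OF["ids"]
    while flow is not None and flow.vlan != VLAN_OF["dst_vm"]:
        node = NODE_OF_VLAN[flow.vlan]
        flow = service_node_vswitch(node, tables[node], flow)
    if flow is None:
        return None
    flow.vlan = None                         # destination vSwitch strips the tag
    flow.path.append("dst_vm:delivered")
    return flow
```

A flow with no matching policy is dropped at the first hop and a flow the firewall rejects never reaches the destination VLAN, which is the point of putting the rewrite after detection.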
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710124814.XA CN106789542B (en) | 2017-03-03 | 2017-03-03 | A kind of implementation method of cloud data center security service chain |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106789542A true CN106789542A (en) | 2017-05-31 |
CN106789542B CN106789542B (en) | 2019-08-09 |
Family
ID=58961233
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710124814.XA Active CN106789542B (en) | 2017-03-03 | 2017-03-03 | A kind of implementation method of cloud data center security service chain |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106789542B (en) |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105450522A (en) * | 2014-09-24 | 2016-03-30 | 英特尔公司 | Techniques for routing service chain flow packets between virtual machines |
US20160094440A1 (en) * | 2014-09-30 | 2016-03-31 | International Business Machines Corporation | Forwarding a packet by a nve in nvo3 network |
CN104618379A (en) * | 2015-02-04 | 2015-05-13 | 北京天地互连信息技术有限公司 | IDC service scene-oriented security service arranging method and network structure |
Non-Patent Citations (2)
Title |
---|
Li Jun: "Firewalls step up: the direction of multi-layer filtering technology in security gateways", Netinfo Security (信息网络安全) |
Chen Xingshu et al.: "Security service access method in virtual network environments", Journal of Huazhong University of Science and Technology (Natural Science Edition) |
Cited By (26)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107947965A (en) * | 2017-11-07 | 2018-04-20 | 清华大学 | Service chaining compiler |
CN107911258A (en) * | 2017-12-29 | 2018-04-13 | 深信服科技股份有限公司 | A kind of realization method and system in the secure resources pond based on SDN network |
CN107920023A (en) * | 2017-12-29 | 2018-04-17 | 深信服科技股份有限公司 | A kind of realization method and system in secure resources pond |
CN108199958A (en) * | 2017-12-29 | 2018-06-22 | 深信服科技股份有限公司 | A kind of general secure resources pond service chaining realization method and system |
CN108199958B (en) * | 2017-12-29 | 2021-04-09 | 深信服科技股份有限公司 | Universal secure resource pool service chain implementation method and system |
WO2019153127A1 (en) * | 2018-02-06 | 2019-08-15 | Nokia Shanghai Bell Co., Ltd. | Method, apparatus, and computer readable medium for providing security service for data center |
US11558353B2 (en) | 2018-02-06 | 2023-01-17 | Nokia Technologies Oy | Method, apparatus, and computer readable medium for providing security service for data center |
CN110324282A (en) * | 2018-03-29 | 2019-10-11 | 华耀(中国)科技有限公司 | The load-balancing method and its system of SSL/TLS visualization flow |
CN109889533A (en) * | 2019-03-11 | 2019-06-14 | 北京网御星云信息技术有限公司 | Security defend method and system, computer readable storage medium under cloud environment |
CN109889533B (en) * | 2019-03-11 | 2021-07-20 | 北京网御星云信息技术有限公司 | Security defense method and system under cloud environment and computer readable storage medium |
CN109981355A (en) * | 2019-03-11 | 2019-07-05 | 北京网御星云信息技术有限公司 | Security defend method and system, computer readable storage medium for cloud environment |
CN110213181A (en) * | 2019-04-28 | 2019-09-06 | 华为技术有限公司 | Data drainage device and data drainage method in virtual network |
WO2020220977A1 (en) * | 2019-04-28 | 2020-11-05 | 华为技术有限公司 | Data flow guiding apparatus and data flow guiding method in virtual network |
CN110311838A (en) * | 2019-07-24 | 2019-10-08 | 北京神州绿盟信息安全科技股份有限公司 | A kind of method and device of security service traffic statistics |
CN110311838B (en) * | 2019-07-24 | 2021-05-04 | 绿盟科技集团股份有限公司 | Method and device for counting safety service flow |
CN113098728A (en) * | 2019-12-23 | 2021-07-09 | 华为技术有限公司 | Health check method of load balancing system and related equipment |
CN113098728B (en) * | 2019-12-23 | 2023-12-19 | 华为云计算技术有限公司 | Health check method of load balancing system and related equipment |
CN111756632A (en) * | 2020-06-22 | 2020-10-09 | 中国电子科技集团公司第五十四研究所 | Security service chain dynamic arranging method based on MPLS encapsulation |
CN114070639A (en) * | 2021-11-19 | 2022-02-18 | 北京天融信网络安全技术有限公司 | Message secure forwarding method and device and network security equipment |
CN114070639B (en) * | 2021-11-19 | 2024-04-23 | 北京天融信网络安全技术有限公司 | Message security forwarding method and device and network security equipment |
CN114629853A (en) * | 2022-02-28 | 2022-06-14 | 天翼安全科技有限公司 | Traffic classification control method based on security service chain analysis in security resource pool |
CN114944952A (en) * | 2022-05-20 | 2022-08-26 | 深信服科技股份有限公司 | Data processing method, device, system, equipment and readable storage medium |
CN114944952B (en) * | 2022-05-20 | 2023-11-07 | 深信服科技股份有限公司 | Data processing method, device, system, equipment and readable storage medium |
CN115695086A (en) * | 2022-09-19 | 2023-02-03 | 中电信数智科技有限公司 | System and method for realizing service chain function based on VLAN network |
CN115695086B (en) * | 2022-09-19 | 2024-01-19 | 中电信数智科技有限公司 | System and method for realizing service chain function based on VLAN (virtual local area network) |
CN116055412A (en) * | 2023-01-16 | 2023-05-02 | 山石网科通信技术股份有限公司 | Flow control method, device and storage medium based on security service chain |
Also Published As
Publication number | Publication date |
---|---|
CN106789542B (en) | 2019-08-09 |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |