CN106789542B - Implementation method of a cloud data center security service chain - Google Patents

Implementation method of a cloud data center security service chain

Info

Publication number
CN106789542B
CN106789542B
Authority
CN
China
Prior art keywords
security service
flow
service node
vlan
local
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710124814.XA
Other languages
Chinese (zh)
Other versions
CN106789542A (en)
Inventor
王凯
李军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
Original Assignee
Tsinghua University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tsinghua University
Priority to CN201710124814.XA
Publication of CN106789542A
Application granted
Publication of CN106789542B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/38 Flow based routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; Congestion control
    • H04L 47/12 Avoiding congestion; Recovering from congestion
    • H04L 47/125 Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides an implementation method of a cloud data center security service chain. The method comprises: receiving a flow that carries the VLAN information corresponding to the local security service node; if an access control policy matching the header information of the flow is found in the local flow table, stripping the VLAN from the flow and sending it to the local security service node so that the node performs security detection; and, according to the policy action in the matched access control policy, changing the VLAN of the flow that has passed security detection to the VLAN information of the next-hop security service node and sending it through the switching network. The method realizes the security service chain on the VLAN protocol, giving a simple design, complete functionality and low operation and maintenance (O&M) cost.

Description

Implementation method of a cloud data center security service chain
Technical field
The present invention relates to the field of network security, and in particular to an implementation method of a cloud data center security service chain.
Background technique
A cloud data center is a new-generation data center that uses cloud computing technology to provide all kinds of cloud computing services automatically and on demand. Its business characteristics differ greatly from those of a conventional data center, and with the rapid development and large-scale application of new technologies such as software-defined networking, network virtualization and network function virtualization, the cloud data center network faces new security challenges compared with a traditional data center network. Cloud data centers rely increasingly on these virtualization technologies to provide more efficient and flexible service deployment, so the security boundary is hard to define and the logical network topology changes at any time according to business demand; a traditional security architecture based on protecting a physical boundary cannot protect it effectively. Business scenarios in cloud data centers are also more complex and have stronger individual demands for network and information security, whereas conventional security hardware binds software to hardware and offers a fixed set of security functions. An administrator can only perform simple configuration through the management interface and cannot flexibly adjust or customize functions for the service scenario, which fails to satisfy the elastic scaling and security demands of the business.
To cope with these security challenges, cloud data centers currently achieve security protection mainly through security service chains. A security service chain is built on a centralized pool of security capabilities constructed on an Overlay network: a central controller steers the business traffic that needs protection to security service nodes for detection and protection, and arranges the order in which the security service nodes are traversed according to the security policy demands of the business. These security service nodes include FW (Firewall), IDS (Intrusion Detection System), IPS (Intrusion Prevention System), anti-virus devices and so on. Figure 1 shows a security service chain model built on VXLAN (Virtual Extensible LAN). Each security service node of the chain may be located in the same or a different security capability pool. Through a tenant-oriented or application-oriented service chain orchestration interface, the controller automatically issues steering policies to each service chain node; after a node matches a steering policy, the processing flow is as follows: the VTEP (VXLAN Tunnel End Point) corresponding to the source VM (Virtual Machine) applies VXLAN encapsulation to the flow issued by the source VM and forwards the encapsulated packets to the VTEP corresponding to the first security service node; that VTEP decapsulates the packets on receipt and forwards the decapsulated flow, i.e. the flow issued by the source VM, to the first security service node; the first security service node performs security service processing on the flow and sends it back to the VTEP; the VTEP looks up the next-hop security service node, re-encapsulates the packets and forwards them to the VTEP corresponding to the next-hop node; these operations are repeated until all security service processing has been completed, whereupon the VTEP corresponding to the last security service node encapsulates the packets according to the IP address of the VTEP corresponding to the destination VM and forwards them; the VTEP corresponding to the destination VM decapsulates the packets and sends them to the destination VM. The flow issued by the source VM thus reaches the destination VM via these security service nodes, realizing the required security service.
Besides the VXLAN-based approach described above, security service chains are currently also implemented with technologies such as NVGRE (Network Virtualization using Generic Routing Encapsulation) and GENEVE (Generic Network Virtualization Encapsulation). All of these are tunnel encapsulation technologies. On a virtualized server, tunnel encapsulation and decapsulation consume a great deal of server CPU, leaving the server with very low performance; for east-west traffic, which runs at nearly full line rate, this means packet loss can occur during security service chain processing. Moreover, tunnel endpoint interfaces must additionally be configured on the virtualized server to check which packets need to enter the tunnel and to decide, according to the configuration, what processing to apply to the inspected packets, which makes O&M extremely complex.
Summary of the invention
To solve the problems that existing security service chain implementations, being based on tunnel encapsulation, cause low virtualized server performance and complex O&M, the present invention provides an implementation method of a cloud data center security service chain.
According to one aspect of the present invention, an implementation method of a cloud data center security service chain is provided, comprising:
Step 1: receiving, through the switching network, a flow sent by the vSwitch corresponding to the previous-hop security service node and carrying the VLAN information corresponding to the local security service node;
Step 2: if an access control policy matching the header information of the flow is found in the local flow table, stripping the VLAN from the flow and sending the VLAN-stripped flow to the local security service node through a virtual network port, so that the local security service node performs security detection;
Step 3: receiving the flow that has passed security detection from the local security service node, changing its VLAN information to the VLAN information corresponding to the next-hop security service node according to the policy action in the matched access control policy, and sending the flow with the modified VLAN information through the switching network.
Step 1 further includes: if the local security service node is the first-hop security service node, receiving, through the switching network, a flow sent by the vSwitch corresponding to the source VM and carrying the VLAN information corresponding to the local security service node.
Step 3 further includes: if the local security service node is the last-hop security service node,
changing the VLAN information of the flow that has passed security detection to the VLAN information corresponding to the destination VM according to the policy action in the matched access control policy; and
sending the flow with the modified VLAN information through the switching network to the vSwitch corresponding to the destination VM, so that that vSwitch strips the VLAN from the received flow and forwards it to the destination VM through a local virtual network port.
The header information is determined according to a user-defined security rule, and its type includes one or more of: source port number, destination port number, protocol type, source IP address and destination IP address.
In Step 2, the local flow table contains at least one access control policy. The access control policy is determined according to the user-defined security rule and includes a first matching field and a first policy action, where the first matching field corresponds to the header information.
Before receiving, in Step 1, the flow sent through the switching network by the vSwitch corresponding to the source VM and carrying the VLAN information corresponding to the local security service node, the method further includes:
after the vSwitch corresponding to the source VM receives multiple flows sent by the source VM, hashing the multiple flows;
the vSwitch corresponding to the source VM, according to the hash result, confirming that a matching load balancing policy exists in its local flow table and, according to the policy action of that load balancing policy, forwarding the multiple flows issued by the source VM to the vSwitches corresponding to the respective matching security service nodes.
Hashing the multiple flows includes masking the last m bits of a feature field in the header information of each flow, where m is the value of log2 N rounded up, N is the number of security service chains, and the feature field includes a port number field, an IP address field or a protocol type field.
The load balancing policy includes a second matching field and a second policy action.
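An added example, not the patent's own code, of the hash-based load balancing described above: the source VM's vSwitch keeps the last m bits of one feature field (m = log2 N rounded up, N chains), then matches that value against a load balancing policy whose second matching field is the masked value and whose second policy action is the VLAN of the chosen chain's first-hop SSE. The chain VLAN IDs, the modulo-N wrap for surplus buckets when N is not a power of two, and the sample flows are assumptions.

```python
import ipaddress
import math
from dataclasses import dataclass
from typing import Dict, List

# Added example (not the patent's code) of load balancing on the source VM's
# vSwitch: hash = last m bits of a feature field, m = ceil(log2 N), N = number of
# security service chains. Chain VLAN IDs, the modulo-N wrap for surplus buckets
# and the sample flows are constructed assumptions.

FEATURE_FIELDS = ("src_port", "dst_port", "src_ip", "dst_ip", "proto")


def mask_bits(n_chains: int) -> int:
    """m = log2 N rounded up (a single chain needs no hash bits)."""
    if n_chains < 1:
        raise ValueError("need at least one security service chain")
    return math.ceil(math.log2(n_chains)) if n_chains > 1 else 0


def feature_value(field: str, header: Dict[str, object]) -> int:
    """Integer form of the feature field: port number, IP address or protocol number."""
    if field not in FEATURE_FIELDS:
        raise ValueError(f"{field} is not a feature field")
    value = header[field]
    if field in ("src_ip", "dst_ip"):
        return int(ipaddress.ip_address(value))   # works for IPv4 and IPv6
    return int(value)


def hash_flow(header: Dict[str, object], field: str, n_chains: int) -> int:
    """Keep only the last m bits of the feature field: the flow's hash bucket."""
    m = mask_bits(n_chains)
    return feature_value(field, header) & ((1 << m) - 1)


@dataclass(frozen=True)
class LoadBalancingPolicy:
    hash_value: int       # second matching field: the masked feature value
    first_sse_vlan: int   # second policy action: VLAN of the chosen chain's first-hop SSE


def build_policies(chain_vlans: List[int]) -> List[LoadBalancingPolicy]:
    """One policy per hash bucket. When N is not a power of two there are 2**m > N
    buckets; the page does not say how those are assigned, so wrap modulo N (assumption)."""
    n = len(chain_vlans)
    return [LoadBalancingPolicy(h, chain_vlans[h % n]) for h in range(1 << mask_bits(n))]


def select_chain_vlan(header: Dict[str, object], field: str,
                      policies: List[LoadBalancingPolicy], n_chains: int) -> int:
    """Flow-table lookup: the policy whose hash_value equals the flow's bucket wins."""
    bucket = hash_flow(header, field, n_chains)
    for pol in policies:
        if pol.hash_value == bucket:
            return pol.first_sse_vlan
    raise LookupError(f"no load balancing policy for bucket {bucket}")


def distribute(headers: List[Dict[str, object]], field: str,
               chain_vlans: List[int]) -> Dict[int, int]:
    """Count how many of the given flows each chain's first-hop VLAN receives."""
    policies = build_policies(chain_vlans)
    counts: Dict[int, int] = {v: 0 for v in chain_vlans}
    for hd in headers:
        counts[select_chain_vlan(hd, field, policies, len(chain_vlans))] += 1
    return counts


if __name__ == "__main__":
    # constructed: eight flows from one VM with consecutive ephemeral source ports
    flows = [{"src_ip": "1.1.1.1", "dst_ip": "2.2.2.2", "proto": 6,
              "src_port": 40000 + i, "dst_port": 80} for i in range(8)]
    print(distribute(flows, "src_port", [1001, 1002, 1003]))   # -> {1001: 4, 1002: 2, 1003: 2}
```

With three chains the two hash bits give four buckets, so the fourth bucket wraps onto the first chain and the split is uneven; hashing on a field that does not vary between flows (here dst_ip) sends everything to one chain.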
According to another aspect of the present invention, a virtual switch is provided, comprising:
a receiving unit, for receiving, through the switching network, a flow sent by the virtual switch corresponding to the previous-hop security service node and carrying the VLAN information corresponding to the local security service node;
a flow table matching unit, for stripping the VLAN from the flow if an access control policy matching the header information of the flow is found in the local flow table, and sending the VLAN-stripped flow to the local security service node through a virtual network port, so that the local security service node performs security detection;
a forwarding unit, for receiving the flow that has passed security detection from the local security service node, changing its VLAN information to the VLAN information corresponding to the next-hop security service node according to the policy action in the matched access control policy, and sending the flow with the modified VLAN information through the switching network.
According to another aspect of the present invention, a cloud data center security service chain is provided, comprising one or more virtual switches, a controller and security service nodes, where the virtual switches correspond to the security service nodes, the source VM and the destination VM, and where:
the controller receives the user-defined security rule and configures the access control policy of each virtual switch according to that rule;
the security service node performs security detection on the received flow and sends the flow that has passed security detection through a virtual network port;
the virtual switch corresponding to a security service node performs the VLAN strip operation on the flow that needs security detection and forwards it to the security service node; or, according to the matched access control policy, changes the VLAN information of the flow that has passed security detection to the VLAN information corresponding to the next-hop security service node and sends the flow with the modified VLAN information through the switching network;
the virtual switch corresponding to the source VM steers the flow issued by the source VM that needs security detection to the first-hop security service node;
the virtual switch corresponding to the destination VM steers the flow issued by the last-hop security service node to the destination VM.
The implementation method of a cloud data center security service chain proposed by the present invention realizes the security service chain on the VLAN (Virtual LAN) protocol. Its design is simple, its functionality complete and its O&M cost low, and it avoids the performance and O&M costs caused by tunnel encapsulation.
Detailed description of the invention
Fig. 1 is a schematic diagram of a prior-art security service chain model built on VXLAN;
Fig. 2 is a flow chart of an implementation method of a cloud data center security service chain according to one embodiment of the present invention;
Fig. 3 is a schematic diagram of a security service chain under a cloud data center network traffic model according to one embodiment of the present invention;
Fig. 4 is a schematic diagram of a security service chain under another cloud data center network traffic model according to one embodiment of the present invention;
Fig. 5 is a flow chart of an implementation method of a cloud data center security service chain according to another embodiment of the present invention;
Fig. 6 is a flow chart of an implementation method of a cloud data center security service chain according to another embodiment of the present invention;
Fig. 7 is a flow chart of the implementation method of a cloud data center security service chain provided in Fig. 5, according to another embodiment of the present invention;
Fig. 8 is a schematic diagram of security service chain load balancing according to another embodiment of the present invention;
Fig. 9 is a structural schematic diagram of a virtual switch according to a further embodiment of the present invention.
Specific embodiment
Specific embodiments of the present invention are described in further detail below with reference to the accompanying drawings and examples. The following examples are intended to illustrate the present invention, not to limit its scope.
Fig. 2 shows an implementation method of a cloud data center security service chain according to one embodiment of the present invention, comprising:
S21: receiving, through the switching network, a flow sent by the vSwitch corresponding to the previous-hop security service node and carrying the VLAN information corresponding to the local security service node;
S22: if an access control policy matching the header information of the flow is found in the local flow table, stripping the VLAN from the flow and sending the VLAN-stripped flow to the local security service node through a virtual network port, so that the local security service node performs security detection;
S23: receiving the flow that has passed security detection from the local security service node, changing its VLAN information to the VLAN information corresponding to the next-hop security service node according to the policy action in the matched access control policy, and sending the flow with the modified VLAN information through the switching network.
With the continuous development of software-defined networking and network function virtualization, the network of a cloud data center is a virtualized Overlay network, i.e. a virtual network carried on the physical network. A physical server in a cloud data center runs a hypervisor on which it can create multiple virtual machines (Virtual Machine, VM) and virtual switches (Virtual Switch, hereafter vSwitch). When traffic is transmitted in the cloud data center network it usually has to be inspected by various security service nodes (Security Service Equipment, SSE) before the network can guarantee secure, fast and stable service to users as designed. These security service nodes include the well-known firewall, intrusion detection and prevention systems, anti-virus devices and so on. Traffic traverses these security service nodes in the order required by the user-defined security rule and passes their security detection, which realizes the security service chain in the cloud data center network.
Specifically, a flow is a set of packets in the network; a series of packets with identical source IP address, destination IP address, protocol type, source port number and destination port number can be called a flow matching the same rule. For clarity, the present invention refers to messages, data packets and frames collectively as packets. The VLAN protocol divides a local area network into multiple VLAN subnets, each with a VLAN ID; the VLAN information of a security service node is the VLAN ID of the VLAN subnet to which the node belongs. The flow "carrying the VLAN information corresponding to the local security service node" in step S21 means that the vSwitch corresponding to the previous-hop security service node converts the flow to VLAN format according to the VLAN information of the local security service node, i.e. converts every packet in the flow from the ordinary Layer 2 Ethernet frame format to VLAN format; after this conversion the flow can be received by the vSwitch of the local security service node. The switching network uses a traditional Layer 2 deployment: it is a switching fabric built on the Layer 2 VLAN protocol, which can be abstracted as a set of switches or routers. This fabric guarantees normal Layer 2 communication between virtual machines in the same VLAN subnet even without a security service chain, and guarantees normal communication between virtual machines in different VLAN subnets through the Layer 3 switches or routers in the switching network.
Specifically, in step S22 the flow table defines the forwarding path of flows. The flow table of each vSwitch contains at least one flow entry, and each flow entry consists of a matching field and the instruction set to execute after a successful match. The header information of the flow refers to the Layer 2 to Layer 4 packet header information. The access control policy is a kind of flow entry used to filter flows, so that only user-defined flows enter the security service chain; it is issued automatically to the vSwitch by the controller according to the user-defined security rule. Stripping the VLAN from the flow means converting the flow that carries the local security service node's VLAN information from VLAN format back to the ordinary Layer 2 Ethernet frame format, so that the local security service node can perform security detection on it; the purpose of this arrangement is that the embodiment does not require the security service node to be additionally configured to handle VLAN-format packets. The local security service node communicates with its corresponding vSwitch through a virtual network port, and sends the flow that has passed security detection back to that vSwitch.
Specifically, in step S23, since the access control policy is implemented as a flow entry, the policy action is the instruction set executed after a successful match; it includes modifying the VLAN information of the flow and specifying the destination port to which the flow is forwarded. The policy action contains the VLAN information of the next-hop security service node, so after the vSwitch corresponding to the local security service node executes the policy action on the received flow, the switching network recognizes the header information that now carries the next-hop node's VLAN information and forwards the flow to the vSwitch corresponding to the next-hop security service node.
In summary, the implementation method of the security service chain is: the vSwitch corresponding to the local security service node receives, through the switching network, the flow sent by the vSwitch corresponding to the previous-hop security service node and carrying the VLAN information corresponding to the local node; if it finds in its local flow table an access control policy matching the header information of the flow, it strips the VLAN from the flow and sends the stripped flow through a virtual network port to the local security service node for security detection; after receiving the flow that has passed security detection from the local node, it changes the flow's VLAN information to the VLAN information of the next-hop security service node according to the policy action in the matched access control policy, and sends the flow with the modified VLAN information through the switching network to the vSwitch corresponding to the next-hop security service node.
The implementation method of a cloud data center security service chain provided by this embodiment uses the VLAN protocol to forward flows along the security service chain; its design is simple, its functionality complete and its O&M cost low.
For example, Fig. 3 is a schematic diagram of a security service chain under a cloud data center network traffic model provided by an embodiment of the present invention. Note that the figure is only schematic: there may be any number of virtual machines (VM), virtual switches (vSwitch) and security service nodes (SSE), not only the number shown, and the deployment of the switching network may be more complex.
The user defines that the flow from VM1-1 to VM2-4 must be inspected by security service nodes SSE1-1, SSE2-2, SSE3-1 and SSE4-1. After receiving the user-defined security rule, the controller configures access control policies on the vSwitches corresponding to VM1-1, SSE1-1, SSE2-2, SSE3-1, SSE4-1 and VM2-4 respectively. Taking the access control policy on the vSwitch corresponding to SSE2-2 as an example: for a flow received from the vSwitch corresponding to SSE1-1, if its source IP address is 1.1.1.1 and its destination IP address is 2.2.2.2, change its VLAN to 1000 and send it to network interface 2. The vSwitch corresponding to the local security service node SSE2-2 receives, through the switching network, the flow sent by the vSwitch corresponding to the previous-hop security service node SSE1-1 and carrying the VLAN information corresponding to the local node; it finds in its local flow table the access control policy matching the flow's header information (source IP address 1.1.1.1, destination IP address 2.2.2.2), strips the VLAN from the flow and sends the stripped flow through a virtual network port to SSE2-2 for security detection; after receiving the flow that has passed security detection from SSE2-2, it changes the flow's VLAN information to VLAN 1000 of the next-hop security service node SSE3-1 according to the policy action in the matched access control policy and forwards it from output port 2, and the switching network delivers the flow with the modified VLAN information to the vSwitch corresponding to SSE3-1.
The security service node at each hop of the chain performs the above operations on the flow; finally, the flow from VM1-1 passes in turn through the detection of SSE1-1, SSE2-2, SSE3-1 and SSE4-1 and reaches VM2-4.
The acknowledgement (return) flow issued by the destination VM is processed in the same way. As shown in Fig. 4, for the return flow issued by the destination VM the VLAN is likewise modified hop by hop to the VLAN received by each security service node, and finally to the VLAN received by the source VM. Details are not repeated here.
Fig. 5 shows an implementation method of a cloud data center security service chain according to another embodiment of the present invention. If the local security service node is the first-hop security service node, the method comprises:
S51: receiving, through the switching network, a flow sent by the vSwitch corresponding to the source VM and carrying the VLAN information corresponding to the local security service node;
S52: if an access control policy matching the header information of the flow is found in the local flow table, stripping the VLAN from the flow and sending the VLAN-stripped flow to the local security service node through a virtual network port, so that the local security service node performs security detection;
S53: receiving the flow that has passed security detection from the local security service node, changing its VLAN information to the VLAN information corresponding to the next-hop security service node according to the policy action in the matched access control policy, and sending the flow with the modified VLAN information through the switching network.
Specifically, if the local security service node is the first-hop security service node, the flow it receives comes from the vSwitch corresponding to the source VM. After receiving the flow issued by the source VM, that vSwitch likewise steers the flow that needs security detection into the security service chain by matching an access control policy: it looks up in its flow table whether an access control policy matching the header information of the flow issued by the source VM exists; if one does, it changes the VLAN information of the flow to the VLAN information of the first-hop security service node according to the policy action in the matched policy, and the switching network forwards the flow to the vSwitch corresponding to the first-hop security service node. If no access control policy matching the header information of the flow is found, the flow issued by the source VM does not need to pass through the security service chain and is sent directly to the destination VM along the original forwarding path of the switching network.
VSwitch corresponding to first jump security service node receives vSwitch corresponding to the VM of source and passes through exchange network Flow sending, carrying vlan information corresponding to local security service node;If the first jump security service node institute is right The vSwitch answered inquires the access control policy to match with the header packet information of the flow in local flow table, then to institute It states flow and carries out VLAN removing, and the flow after VLAN is removed is sent to by the first jump peace by virtual network interface Full service node, so that the first jump security service node carries out safety detection to the flow after VLAN is removed; VSwitch corresponding to first jump security service node receive the transmission of the first jump security service node by safety detection After flow, the VLAN of the flow by safety detection is believed according to the policy action in the matched access control policy Breath is revised as the vlan information of next-hop security service node, and passes through exchange network for the modified process of vlan information The flow of safety detection is sent to vSwitch corresponding to the next-hop security service node.
A kind of implementation method for cloud data center security service chain that the embodiment of the present invention proposes jumps safety clothes by first VSwitch corresponding to node be engaged in for the flow issued from source VM introducing security service chain, does not need to configure additional drainage and connects Mouthful, so that very simple to the O&M of security service chain.
For example, as shown in figure 3, such as being received for access control policy on the vSwitch corresponding to the SSE1-1 The flow that vSwitch corresponding to VM1-1 is sent, if the source IP address of flow is 1.1.1.1, purpose IP address is 2.2.2.2, then modifying its VLAN is 999, and it is sent to network interface 3.First jumps corresponding to security service node SSE1-1 VSwitch receive VM1-1 corresponding to vSwitch sent by exchange network, carry the first jump security service node The flow of corresponding vlan information;First jumps vSwitch corresponding to security service node SSE1-1 local vSwitch's It inquires in flow table and matches with the header packet information of the flow (source IP address 1.1.1.1, purpose IP address 2.2.2.2) Access control policy, VLAN removing is carried out to the flow, and by virtual network interface by the institute after VLAN is removed It states flow and is sent to the first jump security service node SSE1-1, so that SSE1-1 carries out safety detection;First jumps security service section VSwitch corresponding to point SSE1-1 receives the flow by safety detection that SSE1-1 is sent, according to the matched access The vlan information of the flow by safety detection is revised as next-hop security service section by the policy action in control strategy VLAN 999 corresponding to point SSE2-2, and from output port 3 by exchange network will treated flow is sent to it is described under One jumps the corresponding vSwitch of security service node SSE2-2.
Fig. 6 illustrates an implementation method of a cloud data center security service chain provided by another embodiment of the present invention. If the local security service node is the final-hop security service node, the method comprises:
S61: receive, via the switching network, traffic sent by the vSwitch corresponding to the previous-hop security service node and carrying the VLAN information corresponding to the local security service node;
S62: if an access control policy matching the packet header information of the traffic is found in the local flow table, strip the VLAN from the traffic and send the VLAN-stripped traffic through a virtual network interface to the local security service node, so that the local security service node performs security detection;
S63: modify the VLAN information of the traffic that has passed security detection to the VLAN information corresponding to the destination VM according to the policy action in the matched access control policy;
S64: send the traffic with the modified VLAN information via the switching network to the vSwitch corresponding to the destination VM, so that the vSwitch corresponding to the destination VM strips the VLAN from the received traffic and forwards it to the destination VM through the local virtual network interface.
Specifically, if the local security service node is the final-hop security service node, the next-hop node of the final-hop security service node is the destination VM. The vSwitch corresponding to the destination VM receives the traffic that has passed security detection and carries the modified VLAN information; because this traffic is in VLAN-tagged frame format, the VLAN must be stripped and the traffic converted into ordinary Ethernet frames before it is forwarded to the destination VM.
The vSwitch corresponding to the final-hop security service node receives, via the switching network, the traffic sent by the vSwitch corresponding to the previous-hop security service node and carrying the VLAN information corresponding to the local security service node. If the vSwitch of the final-hop security service node finds in its local flow table an access control policy matching the packet header information of the traffic, it strips the VLAN from the traffic and sends the VLAN-stripped traffic through the virtual network interface to the local security service node, so that the local security service node performs security detection. The vSwitch of the final-hop security service node then modifies the VLAN information of the traffic that has passed security detection to the VLAN information corresponding to the destination VM according to the policy action in the matched access control policy, and sends the traffic with the modified VLAN information via the switching network to the vSwitch corresponding to the destination VM, so that the vSwitch of the destination VM strips the VLAN from the received traffic and forwards it to the destination VM through the local virtual network interface.
In the implementation method of a cloud data center security service chain proposed by this embodiment of the present invention, the traffic that has passed security detection is sent to the destination VM through the vSwitch corresponding to the final-hop security service node; no additional output interface needs to be configured, so operation and maintenance of the security service chain are very simple.
For example, as shown in Fig. 3, take the access control policy on the vSwitch corresponding to the final-hop security service node SSE4-1: for traffic received from the vSwitch corresponding to SSE3-1, if the source IP address of the traffic is 1.1.1.1 and the destination IP address is 2.2.2.2, its VLAN is modified to 1002 and it is sent to network port 2. The vSwitch of SSE4-1 receives, via the switching network, the traffic sent by the vSwitch of the previous-hop security service node SSE3-1 and carrying the VLAN information corresponding to the local security service node. The vSwitch of SSE4-1 finds in its local flow table an access control policy matching the packet header information of the traffic (source IP address 1.1.1.1, destination IP address 2.2.2.2), strips the VLAN from the traffic, and sends the VLAN-stripped traffic through the virtual network interface to the local security service node SSE4-1, so that SSE4-1 performs security detection. After receiving from the local security service node SSE4-1 the traffic that has passed security detection, the vSwitch of SSE4-1 modifies its VLAN information to VLAN 1002 corresponding to the destination VM according to the policy action in the matched access control policy, and sends the processed traffic from output port 2 via the switching network to the vSwitch corresponding to the destination VM, so that the vSwitch of the destination VM strips the VLAN from the traffic after receiving it and forwards it to the destination VM.
In another embodiment of the present invention, on the basis of the above embodiments, the packet header information is determined according to the security rule formulated by the user, and the type of the packet header information includes one or more of: source port number, destination port number, protocol type, source IP address and destination IP address.
Specifically, in this embodiment the packet header information of the traffic refers to the IP five-tuple, i.e. one or more of IP source address, IP destination address, protocol number, source port and destination port. Which header fields are used for matching against the access control policy is specified by the security rule entered by the user; not all five fields of the IP five-tuple have to be used. For example, source IP address, destination IP address, protocol type, source port number and destination port number may all be specified for matching against the access control policy, or only one of these types may be specified, or none at all, in which case all IP traffic is matched.
The vSwitch corresponding to the local security service node determines, according to the security rule specified by the user, which type of packet header information is matched against the access control policy in its flow table; the type of the packet header information includes one or more of: source port number, destination port number, protocol type, source IP address and destination IP address.
In the implementation method of a security service chain provided by this embodiment of the present invention, the packet header information is determined according to the security rule specified by the user; orchestration is flexible and simple, and the security service chain can be deployed flexibly according to the business requirements of the user.
In another embodiment of the present invention, on the basis of the above embodiments, the local flow table contains at least one access control policy, the access control policy is determined according to the security rule formulated by the user, and the access control policy includes a first matching field and a first policy action, wherein the first matching field corresponds to the packet header information.
Specifically, an access control policy is a kind of flow entry, which the controller derives from the security rule formulated by the user and then issues automatically to the vSwitch. The first matching field corresponds to the packet header information: whichever type the packet header information uses, the first matching field uses the same type. Specifically, the first matching field includes one or more of source port number, destination port number, protocol type, source IP address and destination IP address. The first policy action is the instruction set executed after a successful match and specifically includes: modifying the VLAN information of the received traffic to the VLAN information corresponding to the next-hop security service node, and specifying the output port for the processed traffic. The vSwitch corresponding to the local security service node forwards the received traffic to the next-hop security service node according to the first policy action.
The virtual switch of the embodiments of the present invention can be implemented on the basis of Open vSwitch. Open vSwitch is a virtual switch, led by Nicira Networks, that runs on virtualization platforms (such as KVM and Xen). On a virtualization platform it provides Layer 2 switching for dynamically changing endpoints and allows access policies, network isolation, traffic monitoring and so on to be better controlled within the virtual network.
Take the access control policy on the vSwitch corresponding to SSE2-2: for traffic received from the vSwitch corresponding to SSE1-1, if the source IP address of the traffic is 1.1.1.1 and the destination IP address is 2.2.2.2, its VLAN is modified to 1000 and it is sent to network interface 2. In Open vSwitch, the corresponding access control policy on the vSwitch of SSE2-2 is:
in_port=1,ip,nw_src=1.1.1.1,nw_dst=2.2.2.2,actions=mod_vlan_vid:1000,output:2
Here in_port is the input port number, ip is the protocol type, nw_src is the source IP address and nw_dst is the destination IP address; these four are the first matching fields of the access control policy. actions is the policy action executed after a successful match: mod_vlan_vid:1000 modifies the VLAN of the traffic to 1000, where 1000 is the VLAN information corresponding to the next-hop security service node, and output:2 sends the traffic to output port 2.
In the implementation method of a cloud data center security service chain provided by this embodiment of the present invention, the access control policy is obtained according to the security rule formulated by the user, which enables the security service chain to be deployed flexibly according to the business requirements of the user.
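The per-hop behaviour described above (steps S51 to S53, and S63 to S64 for the final hop) can be modelled in a few lines. The following Python is an added example and is not code from the patent: it parses flow entries written in the ovs-ofctl syntax quoted above, applies the strip / inspect / re-tag sequence, and runs a frame through the two hops for which the text gives concrete policy actions (SSE2-2 and SSE4-1; SSE3-1 is omitted because the text gives no entry for it). The Frame class, the inspect callback (a node may decline to return a frame) and the in_port value of the SSE4-1 entry are constructed for the example.

```python
# Added example, not code from the patent: a minimal model of the per-hop
# vSwitch behaviour (S51-S53, plus S63-S64 for the final hop) driven by
# Open vSwitch style flow entries like the SSE2-2 policy quoted in the text.
from dataclasses import dataclass, replace
from typing import Callable, Optional


@dataclass(frozen=True)
class Frame:                       # constructed frame model
    in_port: int
    nw_src: str
    nw_dst: str
    vlan: Optional[int] = None     # None models an untagged Ethernet frame


# The SSE2-2 entry exactly as the text gives it (ovs-ofctl syntax).
SSE2_2_POLICY = ("in_port=1,ip,nw_src=1.1.1.1,nw_dst=2.2.2.2,"
                 "actions=mod_vlan_vid:1000,output:2")
# Final hop: the text states VLAN 1002 towards the destination VM and
# output port 2; in_port=1 is a constructed value.
SSE4_1_POLICY = ("in_port=1,ip,nw_src=1.1.1.1,nw_dst=2.2.2.2,"
                 "actions=mod_vlan_vid:1002,output:2")


def parse_flow(spec: str):
    """Split one ovs-ofctl style entry into (match dict, action list)."""
    match_part, actions_part = spec.split("actions=")
    match = {}
    for tok in match_part.rstrip(",").split(","):
        tok = tok.strip()
        if not tok:
            continue
        if "=" in tok:
            key, val = tok.split("=", 1)
            match[key] = int(val) if key == "in_port" else val
        else:
            match[tok] = True               # bare keyword such as "ip"
    actions = []
    for act in actions_part.strip().strip('"').split(","):
        name, _, arg = act.strip().partition(":")
        actions.append((name, int(arg)))
    return match, actions


def lookup(table, frame: Frame):
    """First entry whose match fields all equal the frame's fields."""
    for match, actions in table:
        if all(k == "ip" or getattr(frame, k) == v for k, v in match.items()):
            return actions
    return None


def service_hop(table, frame: Frame, inspect: Callable[[Frame], bool]):
    """One security-service hop.
    S51: the frame arrives tagged with the local node's VLAN.
    S52: on a flow-table hit, strip the VLAN and hand the frame to the node.
    S53: re-tag with the next hop's VLAN and emit on the policy's port.
    Returns (disposition, out_port, frame); 'normal' means no policy
    matched, so the switch forwards along its ordinary path."""
    actions = lookup(table, frame)
    if actions is None:
        return "normal", None, frame
    stripped = replace(frame, vlan=None)            # S52
    if not inspect(stripped):                       # node declines the frame
        return "dropped", None, None
    out, port = stripped, None
    for name, arg in actions:                       # S53
        if name == "mod_vlan_vid":
            out = replace(out, vlan=arg)
        elif name == "output":
            port = arg
    return "steered", port, out


def destination_vswitch(frame: Frame) -> Frame:
    """S64: the destination VM's vSwitch strips the VLAN before delivery."""
    return replace(frame, vlan=None)


def run_tail_of_chain(frame: Frame, inspect: Callable[[Frame], bool]):
    """Drive a frame through the hops the text gives policies for."""
    for table in ([parse_flow(SSE2_2_POLICY)], [parse_flow(SSE4_1_POLICY)]):
        disp, port, frame = service_hop(table, frame, inspect)
        if disp != "steered":
            return disp, None
    return "delivered", destination_vswitch(frame)


if __name__ == "__main__":
    pkt = Frame(in_port=1, nw_src="1.1.1.1", nw_dst="2.2.2.2", vlan=999)
    print(run_tail_of_chain(pkt, lambda f: True))
```

A frame whose header does not match any entry is returned as "normal" and keeps its tag, which is the behaviour the text describes for traffic that does not need the chain; a frame the node declines is not re-tagged at all, so it never reaches the next hop.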
In another embodiment of the present invention, on the basis of the above embodiments, as shown in Fig. 7, before step S51 of Fig. 5 in which the traffic sent via the switching network by the vSwitch corresponding to the source VM and carrying the VLAN information corresponding to the local security service node is received, the method further includes:
S71: after the vSwitch corresponding to the source VM receives multiple flows sent by the source VM, perform hash processing on the multiple flows;
S72: the vSwitch corresponding to the source VM confirms, according to the result of the hash processing, that a matching load balancing policy exists in the local flow table, and according to the policy action of the load balancing policy forwards the multiple flows sent by the source VM respectively to the vSwitches corresponding to the matched security service nodes.
Specifically, when there are multiple security service chains, a load balancing policy is added at the entrance of the service chains so that traffic is balanced among them. After the vSwitch corresponding to the source VM receives multiple flows sent by the source VM, it first performs hash processing on them. According to the hash result, the vSwitch of the source VM looks up in its local flow table whether a matching load balancing policy exists. Hashing different flows yields different hash values, and different hash values match different load balancing policies, so according to the policy action in the load balancing policy the VLAN of each flow is modified to the VLAN received by the first security service node of a different security service chain. In this way each flow is distributed to a different security service chain for processing, and the final-hop security service node of each chain modifies the VLAN of the traffic to the VLAN received by the destination VM, completing parallel processing across the different security service chains. For round-trip traffic the executed policy is consistent, i.e. traffic belonging to the same session is guaranteed to be assigned to the same service chain for processing.
In the implementation method of a cloud data center security service chain provided by this embodiment of the present invention, adding a load balancing policy at the entrance of the security service chains can further improve the security protection performance of the security service chain.
As shown in Fig. 8, by default the traffic leaving VM-1-1 can, after processing by the policy node, be distributed to two different security service chains, namely VM-1-1 → SSE-1-1 → SSE-2-2 → SSE-1-3 → SSE-1-4 → VM-2-4 and VM-1-1 → SSE-2-1 → SSE-1-2 → SSE-2-3 → SSE-2-4 → VM-2-4. After both service chains complete their processing, the VLAN of the traffic is modified to the same VLAN received by VM-2-4, so that VM-2-4 receives it. Reverse traffic from VM-2-4 to VM-1-1 is handled in the same way: if the web traffic from VM-1-1 to VM-2-4 is processed by the upper security service chain and the SSH traffic by the lower one, then the reverse web traffic is likewise balanced by the policy to the upper security service chain and the SSH traffic to the lower one.
Another embodiment of the present invention, it is on the basis of the above embodiments, described that Hash processing is carried out to the multiple flow It include: that mask processing is carried out to last m bit values of the feature field in each flow header packet information, wherein m log2N to Value after upper rounding, N are the number of security service chain, and the feature field includes: port number field, IP address field or agreement Type field.
Specifically, the header packet information of flow includes: source port number, destination slogan, protocol type, source IP address and purpose One of IP address is a variety of.The feature field includes: port number field, IP address field or protocol type field.Its In, port number field, that is, source port number and destination slogan, IP address field, that is, source IP address and purpose IP address, protocol type Field includes: IP, TCP, UDP or Stream Control Transmission Protocol etc..The data of the security service chain are obtained according to the safety regulation that user formulates It arrives.
After vSwitch corresponding to the VM of source receives multiple flows of source VM transmission, according to the number N of security service chain, Calculate log2The value M that N rounds up carries out at mask last M bit values of the feature field in each flow header packet information Reason.
A kind of implementation method of cloud data center security service chain provided in an embodiment of the present invention, can be according to security service The method of the flexible number selection Hash processing of chain, can further increase the security protection performance of security service chain.
For example, for Transmission Control Protocol, if controller creates 2 security service chains according to the safety regulation that user formulates, that Mask processing is carried out to last bit value of the port number field in each flow header packet information.If controller is according to user The safety regulation of formulation creates 4 security service chains, due to log24=2, then to the port numbers word in each flow header packet information Last 2 carry out mask processing of section.If controller creates 3 security service chains according to the safety regulation that user formulates, by In log23 round up after for 2, then to last 2 carry out mask processing of the port number field in each flow header packet information.
Another embodiment of the present invention, on the basis of the above embodiments, the load balancing include: the second matching word Section and the second policy action.
The load balancing is a kind of flow entry, therefore includes: the second matching field and the second policy action, described Second matching field includes that the Hash different cryptographic Hash that treated obtains are carried out to the feature field of flow, second strategy Movement is according to different cryptographic Hash by flow matches to different security service chains.
A kind of implementation method of cloud data center security service chain provided in an embodiment of the present invention, passes through load balancing By different traffic distribution to different security service chains, the security protection performance of security service chain can be improved, obtain preferable Performance.
For example, for Transmission Control Protocol, if controller creates 2 security service chains according to the safety regulation that user formulates, that Mask processing is carried out to last bit value of the port number field in each flow header packet information, and according to different Hash It is worth flow matches to different security service chains.The load balancing is as follows:
Source port number and destination slogan be odd number or be even number flow, be distributed to service chaining A processing;
Source port number and destination slogan are respectively the even flow of a surprise one, are distributed to service chaining B processing.
In Open vSwitch, above-mentioned load balancing is implemented as follows:
ovs-ofctl add-flow ovsbr in_port=1,ip,tcp,tp_src=0/0x0001,tp_dst=0/0x0001,actions="mod_vlan_vid:1001,output:2"
ovs-ofctl add-flow ovsbr in_port=1,ip,tcp,tp_src=1/0x0001,tp_dst=1/0x0001,actions="mod_vlan_vid:1001,output:2"
ovs-ofctl add-flow ovsbr in_port=1,ip,tcp,tp_src=0/0x0001,tp_dst=1/0x0001,actions="mod_vlan_vid:1002,output:2"
ovs-ofctl add-flow ovsbr in_port=1,ip,tcp,tp_src=1/0x0001,tp_dst=0/0x0001,actions="mod_vlan_vid:1002,output:2"
If there are 4 service chains, log2 4 = 2 bits can be used for the hash processing, and the load balancing policy is as follows:
flows whose source port number and destination port number both end in the 2 bits 00, both in 01, both in 10, or both in 11 are distributed to service chain A for processing;
flows whose last 2 bits of the source port number and destination port number are 00 and 01 respectively, or 10 and 11 respectively, are distributed to service chain B for processing;
flows whose last 2 bits of the source port number and destination port number are 00 and 10 respectively, or 01 and 11 respectively, are distributed to service chain C for processing;
flows whose last 2 bits of the source port number and destination port number are 00 and 11 respectively, or 01 and 10 respectively, are distributed to service chain D for processing.
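The mask width m = log2 N rounded up, the pairing of low-bit patterns to chains for 2 and 4 chains, and the ovs-ofctl entries above can all be generated from one rule. The following Python is an added example and is not code from the patent: it computes m exactly, classifies a TCP flow by the low m bits of its source and destination ports, and emits one add-flow command per bit combination. The pairing used is the XOR of the two masked values, which is my observation that reproduces the tables in the text, not wording from the patent; folding the 2^m hash classes onto a chain count N that is not a power of two with a modulo is likewise an assumption. VLAN 1001 for chain A, 1002 for chain B and the bridge name ovsbr are taken from the commands in the text; the sample sessions at the bottom are constructed.

```python
# Added example, not code from the patent: mask-based hash dispatch of the
# load-balancing embodiment (m = ceil(log2 N) low bits of the TCP ports).
from itertools import product

FIRST_HOP_VLAN = 1001   # VLAN of chain A's first node in the text; chain B is 1002
BRIDGE = "ovsbr"        # bridge name used in the text's ovs-ofctl commands


def mask_bits(n_chains: int) -> int:
    """m = ceil(log2 N), computed exactly with integer arithmetic."""
    if n_chains < 1:
        raise ValueError("need at least one security service chain")
    return (n_chains - 1).bit_length()


def chain_index(tp_src: int, tp_dst: int, n_chains: int) -> int:
    """Index of the chain (0 = A, 1 = B, ...) a flow is steered to.
    XOR of the masked port bits reproduces the text's tables (observation);
    the modulo folds 2^m classes onto a non-power-of-two N (assumption)."""
    mask = (1 << mask_bits(n_chains)) - 1
    return ((tp_src & mask) ^ (tp_dst & mask)) % n_chains


def ovs_flows(n_chains: int, in_port: int = 1, out_port: int = 2):
    """One add-flow command per (src low bits, dst low bits) combination."""
    m = mask_bits(n_chains)
    mask = (1 << m) - 1
    cmds = []
    for s, d in product(range(1 << m), repeat=2):
        vlan = FIRST_HOP_VLAN + chain_index(s, d, n_chains)
        cmds.append(
            f"ovs-ofctl add-flow {BRIDGE} in_port={in_port},ip,tcp,"
            f"tp_src={s}/{mask:#06x},tp_dst={d}/{mask:#06x},"
            f'actions="mod_vlan_vid:{vlan},output:{out_port}"')
    return cmds


def dispatch(port_pairs, n_chains: int):
    """Map (source port, destination port) pairs to chain letters."""
    return {p: chr(ord("A") + chain_index(p[0], p[1], n_chains))
            for p in port_pairs}


if __name__ == "__main__":
    for cmd in ovs_flows(2):
        print(cmd)
    # constructed sample sessions: web (51234 -> 80) and SSH (51235 -> 22),
    # each listed with its reverse direction
    print(dispatch([(51234, 80), (80, 51234), (51235, 22), (22, 51235)], 2))
```

Because XOR is symmetric, swapping the source and destination ports gives the same chain, which is the round-trip consistency the text requires: the return direction of a session lands on the chain that handled the forward direction without any per-session state in the vSwitch.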
A further embodiment of the present invention provides a virtual switch, as shown in Fig. 9, comprising a receiving unit 901, a flow table matching unit 902 and a forwarding unit 903, wherein
the receiving unit 901 is configured to receive, via the switching network, traffic sent by the virtual switch corresponding to the previous-hop security service node and carrying the VLAN information corresponding to the local security service node;
the flow table matching unit 902 is configured to, if an access control policy matching the packet header information of the traffic is found in the local flow table, strip the VLAN from the traffic and send the VLAN-stripped traffic through a virtual network interface to the local security service node, so that the local security service node performs security detection;
the forwarding unit 903 is configured to, after receiving from the local security service node the traffic that has passed security detection, modify the VLAN information of that traffic to the VLAN information corresponding to the next-hop security service node according to the policy action in the matched access control policy, and send the traffic with the modified VLAN information via the switching network.
Specifically, the receiving unit 901 receives, via the switching network, the traffic sent by the virtual switch corresponding to the previous-hop security service node and carrying the VLAN information corresponding to the local security service node. The flow table matching unit 902 looks up in the local flow table whether there is an access control policy matching the packet header information of the traffic; if a matching access control policy exists, the flow table matching unit 902 strips the VLAN from the traffic, converting the traffic carrying the VLAN information of the local security service node from VLAN format into ordinary Layer 2 Ethernet frame format, and sends the VLAN-stripped traffic through the virtual network interface to the local security service node, so that the local security service node performs security detection on the traffic. The forwarding unit 903, after receiving from the local security service node the traffic that has passed security detection, modifies the VLAN information of that traffic to the VLAN information of the next-hop security service node according to the policy action in the matched access control policy, and forwards the traffic with the modified VLAN information via the switching network to the virtual switch corresponding to the next-hop security service node.
The virtual switch provided by this embodiment of the present invention steers traffic to a security service node for security detection by matching access control policies, which simplifies the implementation of the security service chain; no additional access interface needs to be configured, and operation and maintenance are simple.
A further embodiment of the present invention provides a cloud data center security service chain, comprising one or more virtual switches, a controller and security service nodes, wherein the virtual switches correspond to the security service nodes, the source VM and the destination VM, wherein
the controller is configured to receive a user-defined security rule and to configure the access control policy of each virtual switch according to the security rule;
the security service node is configured to perform security detection on received traffic and to send the traffic that has passed security detection through a virtual network interface;
the virtual switch corresponding to the security service node is configured to perform a VLAN strip operation on traffic that needs security detection and forward it to the security service node; or, according to the matched access control policy, to modify the VLAN information of the traffic that has passed security detection to the VLAN information corresponding to the next-hop security service node and to send the traffic with the modified VLAN information via the switching network;
the virtual switch corresponding to the source VM is configured to introduce the traffic sent by the source VM that needs security detection into the first-hop security service node;
the virtual switch corresponding to the destination VM is configured to lead the traffic sent by the final-hop security service node to the destination VM.
Specifically, the user-defined security rule specifies which security service nodes particular traffic passes through in sequence for detection. From the user-defined security rule the controller determines which type of packet header information is used and accordingly determines the matching field of the access control policy; from the sequence of security service nodes the traffic passes through it determines the forwarding path of the traffic and thereby sets the policy actions in the access control policies. The controller then issues the established access control policies to each virtual switch.
The security service node performs security detection on the received traffic. As mentioned in the above embodiments, there are many types of security service node, so multi-angle security protection can be applied to the traffic. After the detection process of a security service node is complete, the traffic is forwarded through its local virtual network port so that it can enter the next-hop security service node.
The virtual switch corresponding to the security service node is the virtual switch provided in the above embodiment and is not described again here.
The virtual switch corresponding to the source VM can be regarded as the entrance of the security service chain; it introduces the traffic that needs to enter the security service chain into the first-hop security service node. Specifically, it looks up in its local flow table whether there is an access control policy matching the packet header information of the traffic. If there is, the traffic needs security detection, so its VLAN information is modified to the VLAN information corresponding to the first-hop security service node according to the policy action in the matched access control policy and the traffic is forwarded; if there is not, the traffic does not need security detection and is sent to the destination VM along the ordinary forwarding path.
The virtual switch corresponding to the destination VM can be regarded as the exit of the security service chain: it leads the traffic sent by the final-hop security service node out of the security service chain and sends it to the destination VM, completing the communication between the source VM and the destination VM.
The cloud data center security service chain proposed by the present invention can be deployed flexibly according to the security requirements of the user; its design is simple, its functionality is strong, its operation and maintenance cost is low, and it can achieve a good security protection effect.
Finally, the methods of the present application are only preferred embodiments and are not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. a kind of implementation method of cloud data center security service chain characterized by comprising
Step 1, receive upper hop security service node corresponding to vSwitch sent by exchange network, carry local The flow of vlan information corresponding to security service node;
Step 2, if inquiring the access control policy to match with the header packet information of the flow in local flow table, to institute It states flow and carries out VLAN removing, and the flow after VLAN is removed is sent to by local security by virtual network interface Service node, so that the local security service node carries out safety detection;
Step 3, receive local security service node transmission after the flow of safety detection, according to the matched access The vlan information of the flow by safety detection is revised as next-hop security service section by the policy action in control strategy The corresponding vlan information of point, and the modified flow by safety detection of vlan information is sent by exchange network.
2. the implementation method of security service chain according to claim 1, which is characterized in that step 1 further include: if described Security service node in ground is the first jump security service node,
It is that vSwitch corresponding to the VM of reception source is sent by exchange network, carry corresponding to local security service node The flow of vlan information.
3. the implementation method of security service chain according to claim 1, which is characterized in that step 3 further comprises: if institute Stating local security service node is final jump security service node,
The vlan information of the flow Jing Guo safety detection is modified according to the policy action in the matched access control policy For vlan information corresponding to purpose VM;
It is sent corresponding to the modified flow by safety detection to purpose VM of vlan information by exchange network VSwitch, so that vSwitch corresponding to purpose VM carries out VLAN removing to received flow and passes through local virtual net Network port is transmitted to purpose VM.
4. the implementation method of security service chain according to any one of claims 1 to 3, which is characterized in that the header packet information Determine that the type of the header packet information includes: source port number, destination slogan, protocol class according to user-defined safety regulation One of type, source IP address and purpose IP address are a variety of.
5. the implementation method of security service chain according to any one of claims 1 to 3, which is characterized in that described in step 2 Comprising at least one access control policy in local flow table, the access control policy is true according to user-defined safety regulation Fixed, the access control policy includes: the first matching field and the first policy action;Wherein, first matching field and institute It is corresponding to state header packet information.
6. The implementation method of a security service chain according to claim 2, characterized in that, before the vSwitch corresponding to the source VM sends over the switching network, in step 1, the traffic carrying the VLAN information corresponding to the local security service node, the method further includes:
after the vSwitch corresponding to the source VM receives multiple flows sent by the source VM, hashing the multiple flows;
according to the hash result, the vSwitch corresponding to the source VM confirms that a matching load-balancing policy exists in the local flow table and, according to the policy action of that load-balancing policy, forwards the multiple flows issued by the source VM respectively to the vSwitches corresponding to the matched security service nodes.
7. The implementation method of a security service chain according to claim 6, characterized in that hashing the multiple flows includes: applying a mask to the last m bits of a feature field in the header information of each flow, where m is the value of log2 N rounded up, N is the number of security service chains, and the feature field is a port number field, an IP address field or a protocol type field.
8. The implementation method of a security service chain according to claim 6, characterized in that the load-balancing policy includes a second match field and a second policy action.
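The mask-based chain selection of claims 6 to 8, as an added example that is not the patent's code. It keeps the last m = ceil(log2 N) bits of a feature field (the TCP source port is assumed here) and uses the result as the second match field of a load-balancing policy whose action is the first-hop vSwitch of one of N chains. Two points the claims leave open are handled as labelled assumptions: when N is not a power of two the mask yields 2^m > N values and the surplus buckets must be folded onto some chain (modulo here, which makes the share uneven), and a mask over one direction's port sends the reply direction of the same connection to a different chain, which matters for any stateful security node; the symmetric variant at the end goes beyond the text to show the fix.

```python
"""Chain selection by masking the low m bits of a feature field (claims 6-8).
Added example; the source-port feature field, the modulo fold and the
sample flows are assumptions of this example, not the patent's."""
from collections import Counter
from typing import Dict, List, Tuple

Flow = Tuple[str, str, str, int, int]  # (src_ip, dst_ip, proto, src_port, dst_port)


def mask_bits(n_chains: int) -> int:
    """m = ceil(log2 N) computed without floating point: (N-1).bit_length()."""
    if n_chains < 1:
        raise ValueError("need at least one security service chain")
    return (n_chains - 1).bit_length()


def hash_flow(feature_value: int, n_chains: int) -> int:
    """Claim 7: keep only the last m bits of the feature field."""
    return feature_value & ((1 << mask_bits(n_chains)) - 1)


def select_chain(feature_value: int, n_chains: int) -> int:
    """Load-balancing policy (claim 8): masked value -> chain index.
    Assumption: surplus buckets (2^m > N) are folded with modulo."""
    return hash_flow(feature_value, n_chains) % n_chains


def build_lb_flow_table(n_chains: int) -> Dict[int, int]:
    """Second match field / second policy action pairs a controller would push:
    one entry per masked value, action = index of the chain's first-hop vSwitch."""
    return {bucket: select_chain(bucket, n_chains) for bucket in range(1 << mask_bits(n_chains))}


def distribute(flows: List[Flow], n_chains: int) -> Dict[int, int]:
    """Per-chain flow counts when the feature field is the source port."""
    counts: Counter = Counter()
    for _, _, _, sport, _ in flows:
        counts[select_chain(sport, n_chains)] += 1
    return dict(counts)


def reverse_direction_same_chain(flow: Flow, n_chains: int) -> bool:
    """Caveat: with the source port as feature field, the reply direction (ports
    swapped) is hashed on what was the destination port and may pick another chain."""
    _, _, _, sport, dport = flow
    return select_chain(sport, n_chains) == select_chain(dport, n_chains)


def select_chain_symmetric(sport: int, dport: int, n_chains: int) -> int:
    """Direction-independent variant (this example's extension, beyond the text):
    XOR both ports before masking so both directions land on the same chain."""
    return select_chain(sport ^ dport, n_chains)


# Constructed sample: eight HTTP flows from one VM using consecutive ephemeral ports.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "10.0.1.9", "tcp", 49152 + i, 80) for i in range(8)
]

if __name__ == "__main__":
    print(build_lb_flow_table(4), distribute(SAMPLE_FLOWS, 4))
    print(build_lb_flow_table(3))  # bucket 3 folds onto chain 0: uneven share
    print([reverse_direction_same_chain(f, 4) for f in SAMPLE_FLOWS])
```

With N = 4 the eight sample flows split 2/2/2/2 across the chains; with N = 3 the table has four buckets for three chains, so one chain receives twice the share of the others, and for seven of the eight flows the reply direction would be steered to a different chain than the request. Both effects come straight from the masking rule and are worth checking before relying on per-chain state.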
9. A virtual switch, characterized by comprising:
a receiving unit, for receiving traffic that is sent over the switching network by the virtual switch corresponding to the previous-hop security service node and that carries the VLAN information corresponding to the local security service node;
a flow table matching unit, for, if an access control policy matching the header information of the traffic is found in the local flow table, stripping the VLAN tag from the traffic and sending the VLAN-stripped traffic through the virtual network port to the local security service node, so that the local security service node performs security detection;
a forwarding unit, for receiving from the local security service node the traffic that has passed security detection, rewriting, according to the policy action in the matched access control policy, the VLAN information of that traffic to the VLAN information corresponding to the next-hop security service node, and sending the traffic with the rewritten VLAN information over the switching network.
10. A cloud data center security service chain system, characterized by comprising: one or more virtual switches according to claim 9, a controller and security service nodes, where the virtual switches correspond to the security service nodes, the source VM and the destination VM, and where:
the controller is for receiving user-defined security rules and configuring the access control policy of each virtual switch according to the security rules;
the security service node is for performing security detection on received traffic and sending the traffic that has passed security detection through the virtual network port;
the virtual switch corresponding to a security service node is for performing the VLAN stripping operation on traffic that needs security detection and forwarding it to the security service node, or for rewriting, according to the matched access control policy, the VLAN information of the traffic that has passed security detection to the VLAN information corresponding to the next-hop security service node and sending the traffic with the rewritten VLAN information over the switching network;
the virtual switch corresponding to the source VM is for steering the traffic issued by the source VM that needs security detection to the first-hop security service node;
the virtual switch corresponding to the destination VM is for steering the traffic issued by the last-hop security service node to the destination VM.
CN201710124814.XA 2017-03-03 2017-03-03 Implementation method for a cloud data center security service chain Active CN106789542B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710124814.XA CN106789542B (en) 2017-03-03 2017-03-03 Implementation method for a cloud data center security service chain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710124814.XA CN106789542B (en) 2017-03-03 2017-03-03 Implementation method for a cloud data center security service chain

Publications (2)

Publication Number Publication Date
CN106789542A CN106789542A (en) 2017-05-31
CN106789542B true CN106789542B (en) 2019-08-09

Family

ID=58961233

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710124814.XA Active CN106789542B (en) 2017-03-03 2017-03-03 Implementation method for a cloud data center security service chain

Country Status (1)

Country Link
CN (1) CN106789542B (en)

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107947965B (en) * 2017-11-07 2020-06-19 清华大学 Service chain compiler
CN107911258B (en) * 2017-12-29 2021-09-17 深信服科技股份有限公司 SDN network-based security resource pool implementation method and system
CN107920023B (en) * 2017-12-29 2021-01-19 深信服科技股份有限公司 Method and system for realizing security resource pool
CN108199958B (en) * 2017-12-29 2021-04-09 深信服科技股份有限公司 Universal secure resource pool service chain implementation method and system
CN111684775B (en) 2018-02-06 2022-10-14 上海诺基亚贝尔股份有限公司 Method, apparatus, and computer-readable medium for providing security services for a data center
CN110324282A (en) * 2018-03-29 2019-10-11 华耀(中国)科技有限公司 Load-balancing method and system for SSL/TLS visibility traffic
CN109981355A (en) * 2019-03-11 2019-07-05 北京网御星云信息技术有限公司 Security defense method and system for a cloud environment, and computer-readable storage medium
CN109889533B (en) * 2019-03-11 2021-07-20 北京网御星云信息技术有限公司 Security defense method and system under cloud environment and computer readable storage medium
CN110213181B (en) * 2019-04-28 2021-01-29 华为技术有限公司 Data stream guiding device and data stream guiding method in virtual network
CN110311838B (en) * 2019-07-24 2021-05-04 绿盟科技集团股份有限公司 Method and device for counting safety service flow
CN113098728B (en) * 2019-12-23 2023-12-19 华为云计算技术有限公司 Health check method of load balancing system and related equipment
CN111756632B (en) * 2020-06-22 2021-10-22 中国电子科技集团公司第五十四研究所 Security service chain dynamic arranging method based on MPLS encapsulation
CN114070639B (en) * 2021-11-19 2024-04-23 北京天融信网络安全技术有限公司 Message security forwarding method and device and network security equipment
CN114629853B (en) * 2022-02-28 2024-06-14 天翼安全科技有限公司 Flow classification control method based on security service chain analysis in security resource pool
CN114944952B (en) * 2022-05-20 2023-11-07 深信服科技股份有限公司 Data processing method, device, system, equipment and readable storage medium
CN115695086B (en) * 2022-09-19 2024-01-19 中电信数智科技有限公司 System and method for realizing service chain function based on VLAN (virtual local area network)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104618379A (en) * 2015-02-04 2015-05-13 北京天地互连信息技术有限公司 Security service orchestration method and network architecture for IDC service scenarios
CN105450522A (en) * 2014-09-24 2016-03-30 英特尔公司 Techniques for routing service chain flow packets between virtual machines

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105490995B (en) * 2014-09-30 2018-04-20 国际商业机器公司 Method and apparatus for an NVE to forward packets in an NVO3 network

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105450522A (en) * 2014-09-24 2016-03-30 英特尔公司 Techniques for routing service chain flow packets between virtual machines
CN104618379A (en) * 2015-02-04 2015-05-13 北京天地互连信息技术有限公司 Security service orchestration method and network architecture for IDC service scenarios

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Security service access method in a virtual network environment" (虚拟网络环境下安全服务接入方法); Chen Xingshu et al.; Journal of Huazhong University of Science and Technology (Natural Science Edition); 2016-03-31; full text *
"Firewalls step up: the direction of multi-layer filtering technology for security gateways" (防火墙上台阶:安全网关多层过滤技术的走向); Li Jun; Netinfo Security (信息网络安全); 2006-07-30; full text *

Also Published As

Publication number Publication date
CN106789542A (en) 2017-05-31

Similar Documents

Publication Publication Date Title
CN106789542B (en) Implementation method for a cloud data center security service chain
US9742575B2 (en) Explicit list encoding of sparse multicast group membership information with Bit Index Explicit Replication (BIER)
US11115328B2 (en) Efficient troubleshooting in openflow switches
US9654395B2 (en) SDN-based service chaining system
US20200344143A1 (en) Optimized datapath troubleshooting with trace policy engine
US10225169B2 (en) Method and apparatus for autonomously relaying statistics to a network controller in a software-defined networking network
CN105765946B (en) Method and system for supporting service chaining in a data network
US9755959B2 (en) Dynamic service path creation
KR101478475B1 (en) Computer system and communication method in computer system
EP3248339B1 (en) Devices, systems and methods for service chains
CN104243270B (en) Method and apparatus for establishing a tunnel
US20160301603A1 (en) Integrated routing method based on software-defined network and system thereof
US20160127142A1 (en) Explicit block encoding of multicast group membership information with bit index explicit replication (bier)
US20160315866A1 (en) Service based intelligent packet-in mechanism for openflow switches
JP2018519751A (en) Presenting the maximum segment identifier depth to external applications using the Border Gateway Protocol
CN110178342A (en) Scalable application-level monitoring of SDN networks
CN105471907B (en) Virtual firewall migration control method and system based on OpenFlow
CN107181691B (en) Method, equipment and system for realizing message routing in network
CN105516025B (en) End-to-end path control and data transmission method, OpenFlow controller and switch
CN106105114B (en) Better alternate paths for multi-homed IS-IS prefixes
CN108353068A (en) SDN-controller-assisted intrusion prevention system
EP3646533B1 (en) Inline stateful monitoring request generation for sdn
KR20160122226A (en) Communication system, control device, communication control method and program
CN106713026A (en) Service chain topological structure, service chain setting method and controller
CN110431827A (en) Implementing a distributed gateway architecture with the Locator/ID Separation Protocol for 3GPP mobility

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant