CN106789542B - Implementation method for a cloud data center security service chain - Google Patents
Implementation method for a cloud data center security service chain
- Publication number: CN106789542B (application CN201710124814.XA)
- Authority: CN (China)
- Prior art keywords: security service, flow, service node, vlan, local
- Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Classifications (CPC)
- H04L12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN] (under H04L12/00 Data switching networks; H04L12/28 networks characterised by path configuration; H04L12/46 Interconnection of networks)
- H04L45/38: Flow based routing (under H04L45/00 Routing or path finding of packets in data switching networks)
- H04L47/125: Avoiding or recovering from congestion by balancing the load, e.g. traffic engineering (under H04L47/00 Traffic control; H04L47/10 Flow control, congestion control; H04L47/12 Avoiding congestion, recovering from congestion)
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP address or URL (under H04L63/00 Network architectures or protocols for network security; H04L63/02 Separating internal from external traffic, e.g. firewalls; H04L63/0227 Filtering policies)
- H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic (under H04L63/14 Detecting or protecting against malicious traffic)
- H04L67/10: Protocols in which an application is distributed across nodes in the network (under H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols)
Abstract
The present invention provides an implementation method for a cloud data center security service chain. The method comprises: receiving a flow that carries the VLAN information corresponding to the local security service node; if an access control policy matching the packet header information of the flow is found in the local flow table, stripping the VLAN from the flow and sending it to the local security service node so that the node performs security detection; and, according to the policy action in the matched access control policy, modifying the VLAN of the flow that has passed security detection to the VLAN information of the next-hop security service node and sending it through the switching network. The method implements the security service chain on the VLAN protocol; the design is simple, the functionality complete and the O&M cost low.
Description
Technical field
The present invention relates to the field of network security, and in particular to an implementation method for a cloud data center security service chain.
Background technique
A cloud data center is a new-generation data center that uses cloud computing technology to provide all kinds of cloud computing services automatically and on demand. Its business characteristics differ greatly from those of a conventional data center, and with the rapid development and large-scale adoption of new technologies such as software-defined networking, network virtualization and network function virtualization, the cloud data center network faces new security challenges compared with a traditional data center network. First, the cloud data center relies increasingly on these virtualization technologies to deploy services more efficiently and flexibly, so the security boundary becomes hard to define and the logical network topology can change at any time with business demand; a traditional security architecture based on physical boundary protection cannot protect it effectively. Second, business scenarios in the cloud data center are increasingly complex and the individual demands on network and information security are stronger, whereas conventional security hardware binds software to hardware and exposes a fixed set of security functions: an administrator can only perform simple configuration through a management interface and cannot flexibly adjust or customize functions for the application scenario, which fails to satisfy the elastic scaling and security demands of the business.
To cope with these security challenges, cloud data centers currently implement security protection mainly by means of a security service chain. A security service chain is built on a centralized security capability resource pool constructed with an Overlay network: a centralized controller steers the service traffic that needs protection to security service nodes for detection and protection, and arranges the order in which the traffic passes through those nodes according to the security policy requirements of the business. The security service nodes include FW (Firewall), IDS (Intrusion Detection System), IPS (Intrusion Prevention System), anti-virus equipment and the like. Figure 1 shows a security service chain model built on VXLAN (Virtual Extensible LAN). Each security service node of the chain may be located in the same or a different security capability resource pool. Through a tenant-oriented or application-oriented service chain orchestration interface, the controller automatically issues steering policies to each service chain node, and once a node matches a steering policy the processing proceeds as follows. The VTEP (VXLAN Tunnel End Point) corresponding to the source VM (Virtual Machine) applies VXLAN encapsulation to the flow sent by the source VM and forwards the encapsulated packets to the VTEP corresponding to the first security service node. That VTEP decapsulates the packets on receipt and passes the resulting flow, i.e. the flow sent by the source VM, to the first security service node. The first security service node performs its security processing on the flow and sends it back to the VTEP; the VTEP looks up the next-hop security service node, re-encapsulates the packets and forwards them to the VTEP corresponding to that next hop. These operations are repeated until all security processing has been performed; the VTEP corresponding to the last security service node then encapsulates the packets according to the IP address of the VTEP corresponding to the destination VM and forwards them. After the VTEP corresponding to the destination VM receives the packets, it decapsulates them and sends them to the destination VM. The flow sent by the source VM thus passes through these security service nodes and reaches the destination VM, which provides the required security service.
Besides the VXLAN-based approach described above, existing implementations of security service chains also use NVGRE (Network Virtualization using Generic Routing Encapsulation) and GENEVE (Generic Network Virtualization Encapsulation). All of these are tunnel encapsulation technologies. For a virtualized server, tunnel encapsulation and decapsulation consume a great deal of server CPU and leave the server with very low performance; for east-west traffic, which runs at close to full line rate, this means that security service chain processing may cause packet loss. Moreover, tunnel endpoint interfaces must additionally be configured on the virtualized server in order to check which packets need to enter the tunnel and to decide, according to that configuration, what processing to apply to the checked packets, which makes operation and maintenance extremely complex.
Summary of the invention
To solve the problems of low virtualized server performance and complex O&M caused by basing existing security service chain implementations on tunnel encapsulation, the present invention provides an implementation method for a cloud data center security service chain.
According to one aspect of the present invention, an implementation method for a cloud data center security service chain is provided, comprising:
Step 1: receiving, via the switching network, a flow sent by the vSwitch corresponding to the previous-hop security service node and carrying the VLAN information corresponding to the local security service node;
Step 2: if an access control policy matching the packet header information of the flow is found in the local flow table, performing VLAN stripping on the flow and sending the stripped flow through a virtual network port to the local security service node, so that the local security service node performs security detection;
Step 3: receiving the flow that has passed security detection from the local security service node, modifying the VLAN information of that flow to the VLAN information corresponding to the next-hop security service node according to the policy action in the matched access control policy, and sending the flow with its modified VLAN information through the switching network.
Step 1 further includes: if the local security service node is the first-hop security service node, receiving via the switching network a flow sent by the vSwitch corresponding to the source VM and carrying the VLAN information corresponding to the local security service node.
Step 3 further includes: if the local security service node is the last-hop security service node, modifying the VLAN information of the flow that has passed security detection to the VLAN information corresponding to the destination VM according to the policy action in the matched access control policy; and sending the flow with its modified VLAN information through the switching network to the vSwitch corresponding to the destination VM, so that the vSwitch corresponding to the destination VM performs VLAN stripping on the received flow and forwards it to the destination VM through a local virtual network port.
The packet header information is determined according to a user-defined security rule; its type includes one or more of source port number, destination port number, protocol type, source IP address and destination IP address.
In Step 2, the local flow table contains at least one access control policy. The access control policy is determined according to a user-defined security rule and comprises a first matching field and a first policy action, where the first matching field corresponds to the packet header information.
Before the receiving, in Step 1, of the flow sent via the switching network by the vSwitch corresponding to the source VM and carrying the VLAN information corresponding to the local security service node, the method further includes: after the vSwitch corresponding to the source VM receives multiple flows sent by the source VM, it performs hash processing on those flows; according to the result of the hash processing, the vSwitch corresponding to the source VM confirms that a matching load balancing policy exists in its local flow table and, according to the policy action of that load balancing policy, forwards each of the multiple flows sent by the source VM to the vSwitch corresponding to the matching security service node.
The hash processing of the multiple flows includes applying a mask to the last m bits of a feature field in the packet header information of each flow, where m is the value of log2 N rounded up and N is the number of security service chains; the feature field is a port number field, an IP address field or a protocol type field.
The load balancing policy comprises a second matching field and a second policy action.
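The hash-based load balancing just described, as an added example that is not the patent's own code: the source VM's vSwitch keeps the last m bits of one header feature field (the source port here), m = ceil(log2 N) for N parallel chains, and the masked value is the second matching field of a load balancing policy whose action names the chain's first-hop VLAN. The description does not say how masked values above N-1 are handled when N is not a power of two; folding them with "% N" is an assumption made here, and the flows, ports and VLAN IDs are constructed.

```python
import math
from collections import Counter
from typing import Dict, List, Tuple

# Added example of the hash-based load balancing policy (not the patent's code).
# Assumption: masked values that exceed N-1 are folded onto a chain with "% N".
Flow = Tuple[str, str, int, int, int]   # (src_ip, dst_ip, proto, src_port, dst_port)


def mask_bits(n_chains: int) -> int:
    """m = ceil(log2 N) bits are enough to distinguish N chains; one chain needs none."""
    return 0 if n_chains <= 1 else math.ceil(math.log2(n_chains))


def masked_feature(value: int, n_chains: int) -> int:
    """Hash processing: keep only the last m bits of the chosen feature field."""
    return value & ((1 << mask_bits(n_chains)) - 1)


def build_lb_policies(first_hop_vids: List[int]) -> Dict[int, int]:
    """Load balancing policies: second matching field (masked value) -> second policy
    action (VLAN ID of that chain's first-hop security service node)."""
    n = len(first_hop_vids)
    # 2**m can exceed N; "% n" folds the surplus values (assumption, see lead-in)
    return {h: first_hop_vids[h % n] for h in range(1 << mask_bits(n))}


def select_chain(flow: Flow, first_hop_vids: List[int]) -> int:
    """Steering decision for one flow, using the source port as the feature field."""
    policies = build_lb_policies(first_hop_vids)
    return policies[masked_feature(flow[3], len(first_hop_vids))]


def distribution(flows: List[Flow], first_hop_vids: List[int]) -> Dict[int, int]:
    """How many of the given flows each chain (identified by first-hop VLAN) receives."""
    counts = Counter(select_chain(f, first_hop_vids) for f in flows)
    return {vid: counts.get(vid, 0) for vid in first_hop_vids}


def constructed_flows(count: int) -> List[Flow]:
    """Constructed sample: one client opening `count` TCP connections from successive ports."""
    return [("1.1.1.1", "2.2.2.2", 6, 1024 + i, 80) for i in range(count)]
```

Because only the masked bits decide, all packets of one flow always take the same chain, which is what a stateful node such as an IDS needs; with N = 3 the fold sends half of the flows to the first chain, so N that is not a power of two deserves a check of the resulting distribution.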
According to another aspect of the present invention, a virtual switch is provided, comprising:
a receiving unit, for receiving via the switching network a flow sent by the virtual switch corresponding to the previous-hop security service node and carrying the VLAN information corresponding to the local security service node;
a flow table matching unit, for performing VLAN stripping on the flow if an access control policy matching the packet header information of the flow is found in the local flow table, and sending the stripped flow through a virtual network port to the local security service node so that the local security service node performs security detection;
a forwarding unit, for receiving the flow that has passed security detection from the local security service node, modifying its VLAN information to the VLAN information corresponding to the next-hop security service node according to the policy action in the matched access control policy, and sending the flow with its modified VLAN information through the switching network.
According to another aspect of the present invention, a cloud data center security service chain is provided, comprising one or more virtual switches, a controller and security service nodes, where the virtual switches correspond to the security service nodes, the source VM and the destination VM, and where:
the controller receives a user-defined security rule and configures the access control policy of each virtual switch according to that rule;
each security service node performs security detection on received flows and sends the detected flow through a virtual network port;
the virtual switch corresponding to a security service node performs the VLAN stripping operation on flows that need security detection and forwards them to the security service node, or, according to the matched access control policy, modifies the VLAN information of the flow that has passed security detection to the VLAN information corresponding to the next-hop security service node and sends the flow through the switching network;
the virtual switch corresponding to the source VM introduces flows sent by the source VM that need security detection into the first-hop security service node;
the virtual switch corresponding to the destination VM steers flows sent by the last-hop security service node to the destination VM.
The implementation method for a cloud data center security service chain proposed by the present invention realizes the security service chain on the VLAN (Virtual LAN) protocol: the design is simple, the functionality complete and the O&M cost low, and the performance loss and O&M cost caused by tunnel encapsulation are avoided.
Detailed description of the invention
Fig. 1 is a schematic diagram of a prior-art security service chain model built on VXLAN;
Fig. 2 is a flow chart of an implementation method for a cloud data center security service chain according to one embodiment of the invention;
Fig. 3 is a schematic diagram of a security service chain under a cloud data center network traffic model according to one embodiment of the invention;
Fig. 4 is a schematic diagram of a security service chain under another cloud data center network traffic model according to one embodiment of the invention;
Fig. 5 is a flow chart of an implementation method for a cloud data center security service chain according to another embodiment of the invention;
Fig. 6 is a flow chart of an implementation method for a cloud data center security service chain according to a further embodiment of the invention;
Fig. 7 is a flow chart of an implementation method for a cloud data center security service chain according to a further embodiment of the invention, based on Fig. 5;
Fig. 8 is a schematic diagram of security service chain load balancing according to a further embodiment of the invention;
Fig. 9 is a structural schematic diagram of a virtual switch according to a further embodiment of the invention.
Specific embodiment
Specific embodiments of the present invention are described in further detail below with reference to the accompanying drawings and examples. The following examples illustrate the invention and are not intended to limit its scope.
Fig. 2 shows an implementation method for a cloud data center security service chain according to one embodiment of the invention, comprising:
S21: receiving, via the switching network, a flow sent by the vSwitch corresponding to the previous-hop security service node and carrying the VLAN information corresponding to the local security service node;
S22: if an access control policy matching the packet header information of the flow is found in the local flow table, performing VLAN stripping on the flow and sending the stripped flow through a virtual network port to the local security service node, so that the local security service node performs security detection;
S23: receiving the flow that has passed security detection from the local security service node, modifying its VLAN information to the VLAN information corresponding to the next-hop security service node according to the policy action in the matched access control policy, and sending the flow with its modified VLAN information through the switching network.
With the continuous development of software-defined networking and network function virtualization, the network of a cloud data center is a virtualized Overlay network, i.e. a virtual network carried on the physical network. By running a hypervisor on a physical server, a cloud data center can create multiple virtual machines (Virtual Machine, VM) and virtual switches (Virtual Switch, referred to below as vSwitch) on it. When flows of the cloud data center are transmitted over the network, they generally need to be inspected by various security service nodes (Security Service Equipment, SSE) before the network can provide users with secure, fast and stable network service as designed. These security service nodes include the well-known firewalls (FireWalls), intrusion detection (Intrusion Prevention System), anti-virus equipment and the like. Flows pass through these security service nodes in the order required by the user-defined security rule and undergo their security detection, which realizes the security service chain in the cloud data center network.
Specifically, a flow is a set of packets in the network; a series of packets with identical source IP address, destination IP address, protocol type, source port number and destination port number can be said to belong to the flow of the same rule. For clarity, this description refers to messages, data packets and groupings collectively as packets. Based on the VLAN protocol, the local area network is divided into multiple VLAN subnets, each with a VLAN ID, and the VLAN information of a security service node is the VLAN ID of the VLAN subnet that node belongs to. The flow carrying the VLAN information corresponding to the local security service node in step S21 means that the vSwitch corresponding to the previous-hop security service node has converted the flow to VLAN format according to the VLAN information of the local security service node, i.e. converted all packets of the flow from the ordinary layer-2 Ethernet frame format to VLAN format; through this VLAN conversion the flow can be received by the vSwitch of the local security service node. The switching network uses a traditional layer-2 deployment: it is a switching matrix built on the layer-2 VLAN protocol and can be understood abstractly as consisting of multiple switches or routers. This switching matrix guarantees that virtual machines in the same VLAN subnet can still communicate normally at layer 2 without the security service chain, and that virtual machines in different VLAN subnets communicate normally through the layer-3 switches or routers in the switching network.
Specifically, in step S22, the flow table defines the forwarding path of flows; the flow table of each vSwitch contains at least one flow entry, and each flow entry comprises a matching field and the instruction set to execute after a successful match. The packet header information of the flow means the layer-2 to layer-4 packet header information. The access control policy is a kind of flow entry used to filter flows, i.e. only user-defined flows are allowed to enter the security service chain; the controller automatically issues access control policies to the vSwitch according to the user-defined security rule. Performing VLAN stripping on the flow means converting the flow carrying the VLAN information of the local security service node from VLAN format back to the ordinary layer-2 Ethernet frame format, so that the local security service node can perform security detection on the received flow; the purpose of this arrangement is that the embodiment does not require the security service node to be additionally configured to handle VLAN-format packets. The local security service node communicates with its corresponding vSwitch through a virtual network port and sends the flow that has passed security detection to that vSwitch.
Specifically, in step S23, since the access control policy is implemented as a flow entry as mentioned above, the policy action is the instruction set executed after a successful match; the policy action includes modifying the VLAN information of the flow and specifying the destination port to which the flow is forwarded. The policy action contains the VLAN information of the next-hop security service node, i.e. after the vSwitch corresponding to the local security service node applies the policy action to the received flow, the switching network identifies the packet header information carrying the next-hop security service node's VLAN information and forwards the flow to the vSwitch corresponding to the next-hop security service node.
The implementation method of the security service chain specifically includes: the vSwitch corresponding to the local security service node receives, via the switching network, a flow sent by the vSwitch corresponding to the previous-hop security service node and carrying the VLAN information corresponding to the local security service node; if the vSwitch corresponding to the local security service node finds in its local flow table an access control policy matching the packet header information of the flow, it performs VLAN stripping on the flow and sends the stripped flow through a virtual network port to the local security service node for security detection; after receiving the flow that has passed security detection from the local security service node, the vSwitch corresponding to the local security service node modifies the VLAN information of that flow to the VLAN information of the next-hop security service node according to the policy action in the matched access control policy, and sends the flow with its modified VLAN information through the switching network to the vSwitch corresponding to the next-hop security service node.
The implementation method for a cloud data center security service chain provided by this embodiment uses the VLAN protocol to forward flows through the security service chain; the design is simple, the functionality complete and the O&M cost low.
For example, Fig. 3 is a schematic diagram of a security service chain under a cloud data center network traffic model provided by an embodiment of the invention. It should be noted that the figure is only schematic: there may be more virtual machines (VM), virtual switches (vSwitch) and security service nodes (SSE) than the number shown, and the deployment of the switching network may be more complex.
Suppose the user defines that the flow from VM1-1 to VM2-4 must undergo security detection by security service nodes SSE1-1, SSE2-2, SSE3-1 and SSE4-1. After receiving the user-defined security rule, the controller configures access control policies on the vSwitches corresponding to VM1-1, SSE1-1, SSE2-2, SSE3-1, SSE4-1 and VM2-4. Taking the access control policy on the vSwitch corresponding to SSE2-2 as an example: for a flow received from the vSwitch corresponding to SSE1-1, if the source IP address of the flow is 1.1.1.1 and the destination IP address is 2.2.2.2, modify its VLAN to 1000 and send it to network interface 2. The vSwitch corresponding to the local security service node SSE2-2 receives, via the switching network, the flow sent by the vSwitch corresponding to the previous-hop security service node SSE1-1 and carrying the VLAN information corresponding to the local security service node; it finds in its local flow table the access control policy matching the flow's packet header information (source IP address 1.1.1.1, destination IP address 2.2.2.2), performs VLAN stripping on the flow and sends the stripped flow through a virtual network port to the local security service node SSE2-2 for security detection; after receiving the flow that has passed security detection from SSE2-2, the vSwitch corresponding to SSE2-2 modifies the VLAN information of that flow to VLAN 1000 of the next-hop security service node SSE3-1 according to the policy action in the matched access control policy and forwards it from output port 2, and the flow with its modified VLAN information is sent through the switching network to the vSwitch corresponding to the next-hop security service node SSE3-1.
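The per-hop behaviour of steps S21 to S23 and the Fig. 3 walk-through above, as an added simulation that is not the patent's own code: each vSwitch looks up the layer 2-4 header in its flow table, strips the 802.1Q tag before handing the frame to its SSE, and re-tags the returned frame with the next hop's VLAN, while the source VM's vSwitch steers unmatched flows along the original path. VLAN 999 (SSE2-2), VLAN 1000 (SSE3-1) and output ports 3 and 2 come from the description; the other VLAN IDs, the MAC addresses and the firewall rule used as the SSE are constructed.

```python
import struct
from typing import Callable, Dict, List, Optional, Tuple

# Constructed simulation of the VLAN-based security service chain (example code,
# not the patent's implementation). VLANs 999/1000 and ports 3/2 are from the text;
# VLANs 998, 1001, 1002, the MACs and the SSE rule are constructed for the example.
ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
IPV4 = "!BBHHHBBH4s4s"        # minimal IPv4 header, no options
Match = Dict[str, object]      # header fields an access control policy compares
Action = Tuple[int, int]       # policy action: (next-hop VLAN ID, output port)

def ip_bytes(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))

def build_frame(src_ip: str, dst_ip: str, vid: Optional[int] = None,
                proto: int = 6, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed Ethernet/IPv4 frame with L4 ports; the 802.1Q tag is optional."""
    macs = bytes.fromhex("020000000002" "020000000001")
    tag = struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) if vid is not None else b""
    ipv4 = struct.pack(IPV4, 0x45, 0, 24, 0, 0, 64, proto, 0,
                       ip_bytes(src_ip), ip_bytes(dst_ip))
    return macs + tag + struct.pack("!H", ETH_P_IP) + ipv4 + struct.pack("!HH", sport, dport)

def vlan_id(frame: bytes) -> Optional[int]:
    """VLAN ID from the 802.1Q tag, or None for a plain Ethernet frame."""
    if frame[12:14] != b"\x81\x00":
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def strip_vlan(frame: bytes) -> bytes:
    """VLAN stripping: drop the 4-byte tag so the SSE sees an ordinary L2 frame."""
    return frame[:12] + frame[16:] if vlan_id(frame) is not None else frame

def set_vlan(frame: bytes, vid: int) -> bytes:
    """Rewrite (or insert) the tag so the switching network carries the frame to `vid`."""
    plain = strip_vlan(frame)
    return plain[:12] + struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) + plain[12:]

def header_info(frame: bytes) -> Match:
    """Layer 2-4 header fields that an access control policy can match on."""
    body = strip_vlan(frame)
    ip = struct.unpack(IPV4, body[14:34])
    sport, dport = struct.unpack("!HH", body[34:38])
    return {"src_ip": ".".join(map(str, ip[8])), "dst_ip": ".".join(map(str, ip[9])),
            "proto": ip[6], "sport": sport, "dport": dport}

class Fabric:
    """Layer-2 switching network: delivers a tagged frame to the vSwitch owning that VLAN."""
    def __init__(self) -> None:
        self.by_vid: Dict[int, "VSwitch"] = {}
        self.by_vm: Dict[str, "VSwitch"] = {}
        self.trace: List[Tuple[str, Optional[int]]] = []  # (vSwitch, VLAN ID on arrival)

    def send(self, frame: bytes) -> Optional[bytes]:
        sw = self.by_vid.get(vlan_id(frame))
        return sw.handle(frame, self) if sw else None   # unknown VLAN: frame is lost

    def direct(self, frame: bytes) -> Optional[bytes]:
        """Original forwarding path for flows that are not steered into the chain."""
        sw = self.by_vm.get(header_info(frame)["dst_ip"])
        return sw.deliver(frame) if sw else None

class VSwitch:
    def __init__(self, name: str, vid: int, acl: List[Tuple[Match, Action]],
                 sse: Optional[Callable[[bytes], Optional[bytes]]] = None,
                 vm_ip: Optional[str] = None) -> None:
        self.name, self.vid, self.acl, self.sse, self.vm_ip = name, vid, acl, sse, vm_ip
        self.delivered: List[bytes] = []

    def match(self, info: Match) -> Optional[Action]:
        """Flow-table lookup: first access control policy whose fields all equal the header's."""
        return next((a for m, a in self.acl if all(info.get(k) == v for k, v in m.items())), None)

    def deliver(self, frame: bytes) -> bytes:
        """Destination VM's vSwitch: strip the VLAN and hand the frame to the local VM."""
        self.delivered.append(strip_vlan(frame))
        return self.delivered[-1]

    def handle(self, frame: bytes, fabric: Fabric) -> Optional[bytes]:
        fabric.trace.append((self.name, vlan_id(frame)))
        info = header_info(frame)
        if self.vm_ip is not None and info["dst_ip"] == self.vm_ip:
            return self.deliver(frame)
        action = self.match(info)
        if action is None:                       # no policy: flow is not protected
            return fabric.direct(frame)
        if self.sse is not None:                 # SSE hop: strip, inspect, then re-tag
            inspected = self.sse(strip_vlan(frame))
            if inspected is None:
                return None                      # the SSE dropped the flow
            frame = inspected
        next_vid, _out_port = action             # policy action from the matched entry
        return fabric.send(set_vlan(frame, next_vid))

def firewall(frame: bytes) -> Optional[bytes]:
    """Constructed SSE: passes every frame unchanged except TCP/23 (telnet), which it drops."""
    return None if header_info(frame)["dport"] == 23 else frame

def build_figure3_chain() -> Tuple[Fabric, VSwitch]:
    """VM1-1 (1.1.1.1) -> SSE1-1 -> SSE2-2 -> SSE3-1 -> SSE4-1 -> VM2-4 (2.2.2.2)."""
    flow: Match = {"src_ip": "1.1.1.1", "dst_ip": "2.2.2.2"}
    fab = Fabric()
    for node, own, nxt, port in [("SSE1-1", 998, 999, 3), ("SSE2-2", 999, 1000, 2),
                                 ("SSE3-1", 1000, 1001, 2), ("SSE4-1", 1001, 1002, 2)]:
        fab.by_vid[own] = VSwitch("vSwitch-" + node, own, [(flow, (nxt, port))], sse=firewall)
    dst = VSwitch("vSwitch-VM2-4", 1002, [], vm_ip="2.2.2.2")
    fab.by_vid[1002], fab.by_vm["2.2.2.2"] = dst, dst
    src = VSwitch("vSwitch-VM1-1", 0, [(flow, (998, 1))], vm_ip="1.1.1.1")  # steers into first hop
    return fab, src

def run(frame: bytes) -> Tuple[Optional[bytes], List[Optional[int]]]:
    """Push one constructed frame from VM1-1's vSwitch; return delivered frame and VLANs seen."""
    fab, src = build_figure3_chain()
    out = src.handle(frame, fab)
    return out, [v for _, v in fab.trace]
```

Running `run(build_frame("1.1.1.1", "2.2.2.2"))` shows the frame arriving at each hop with the VLAN of that hop's node and reaching VM2-4 untagged, while a flow from another source IP bypasses the chain and a flow the firewall rejects stops at SSE1-1.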
Each hop security service node in the security service chain performs the above operations on the flow; finally, the flow from VM1-1 passes in turn through the detection of security service nodes SSE1-1, SSE2-2, SSE3-1 and SSE4-1 and reaches VM2-4.
The acknowledgement (return) flow sent from the destination VM is processed in the same way: as shown in Fig. 4, for the acknowledgement flow sent from the destination VM, the VLAN is likewise modified hop by hop to the VLAN received by each security service node and finally to the VLAN received by the source VM. Details are not repeated here.
As shown in Fig. 5, another embodiment of the invention provides an implementation method for a cloud data center security service chain in which, if the local security service node is the first-hop security service node, the method comprises:
S51: receiving, via the switching network, a flow sent by the vSwitch corresponding to the source VM and carrying the VLAN information corresponding to the local security service node;
S52: if an access control policy matching the packet header information of the flow is found in the local flow table, performing VLAN stripping on the flow and sending the stripped flow through a virtual network port to the local security service node, so that the local security service node performs security detection;
S53: receiving the flow that has passed security detection from the local security service node, modifying its VLAN information to the VLAN information corresponding to the next-hop security service node according to the policy action in the matched access control policy, and sending the flow with its modified VLAN information through the switching network.
Specifically, if the local security service node is the first-hop security service node, the flow received by the local security service node comes from the vSwitch corresponding to the source VM. After the vSwitch corresponding to the source VM receives the flow sent by the source VM, it likewise introduces the flow that needs security detection into the security service chain by matching access control policies: it looks up in its flow table whether an access control policy matching the packet header information of the flow sent by the source VM exists; if such a policy exists, it modifies the VLAN information of that flow to the VLAN information of the first-hop security service node according to the policy action in the matched access control policy, and the switching network forwards the flow sent by the source VM to the vSwitch corresponding to the first-hop security service node. If no access control policy matching the packet header information of the flow sent by the source VM is found, i.e. the flow sent by the source VM need not pass through the security service chain, the flow is sent directly to the destination VM along the original forwarding path of the switching network.
The vSwitch corresponding to the first-hop security service node receives, via the switching network, the flow sent by the vSwitch corresponding to the source VM and carrying the VLAN information corresponding to the local security service node. If the vSwitch corresponding to the first-hop security service node finds in its local flow table an access control policy matching the packet header information of the flow, it performs VLAN stripping on the flow and sends the stripped flow through a virtual network port to the first-hop security service node, so that the first-hop security service node performs security detection on the stripped flow. After receiving the flow that has passed security detection from the first-hop security service node, the vSwitch corresponding to the first-hop security service node modifies the VLAN information of that flow to the VLAN information of the next-hop security service node according to the policy action in the matched access control policy, and sends the flow with its modified VLAN information through the switching network to the vSwitch corresponding to the next-hop security service node.
In the implementation method of a cloud data center security service chain proposed by this embodiment, the vSwitch corresponding to the first-hop security service node steers the traffic issued by the source VM into the security service chain, so no additional traffic-steering interface needs to be configured, which makes operation and maintenance of the security service chain very simple.
For example, as shown in Figure 3, consider the access control policy on the vSwitch corresponding to SSE1-1: for traffic received from the vSwitch corresponding to VM1-1, if the source IP address of the traffic is 1.1.1.1 and the destination IP address is 2.2.2.2, modify its VLAN to 999 and send it out of network interface 3. The vSwitch corresponding to the first-hop security service node SSE1-1 receives, over the switching network, the traffic sent by the vSwitch of VM1-1 carrying the VLAN information corresponding to the first-hop security service node. It finds in its local flow table an access control policy matching the packet header information of the traffic (source IP address 1.1.1.1, destination IP address 2.2.2.2), strips the VLAN tag from the traffic, and sends the untagged traffic through the virtual network interface to the first-hop security service node SSE1-1, so that SSE1-1 performs security inspection. When the vSwitch of SSE1-1 receives the inspected traffic back from SSE1-1, it modifies the VLAN information of the inspected traffic to VLAN 999, the VLAN corresponding to the next-hop security service node SSE2-2, according to the policy action in the matched access control policy, and sends the processed traffic from output port 3 over the switching network to the vSwitch corresponding to the next-hop security service node SSE2-2.
Figure 6 illustrates an implementation method of a cloud data center security service chain provided by another embodiment of the invention. If the local security service node is the last-hop security service node, the method comprises:
S61, receiving, over the switching network, the traffic sent by the vSwitch corresponding to the previous-hop security service node and carrying the VLAN information corresponding to the local security service node;
S62, if an access control policy matching the packet header information of the traffic is found in the local flow table, stripping the VLAN tag from the traffic and sending the untagged traffic through the virtual network interface to the local security service node, so that the local security service node performs security inspection;
S63, modifying the VLAN information of the inspected traffic to the VLAN information corresponding to the destination VM according to the policy action in the matched access control policy;
S64, sending the inspected traffic with the modified VLAN information over the switching network to the vSwitch corresponding to the destination VM, so that the vSwitch of the destination VM strips the VLAN tag from the received traffic and forwards it to the destination VM through the local virtual network interface.
Specifically, if the local security service node is the last-hop security service node, the next hop of the last-hop security service node is the destination VM. The vSwitch corresponding to the destination VM receives the inspected traffic with the modified VLAN information; because this traffic arrives as VLAN-tagged frames, the vSwitch must strip the VLAN tag and convert the frames back into ordinary Ethernet frames before forwarding them to the destination VM.
The vSwitch corresponding to the last-hop security service node receives, over the switching network, the traffic sent by the vSwitch of the previous-hop security service node carrying the VLAN information corresponding to the local security service node. If the vSwitch of the last-hop security service node finds in its local flow table an access control policy matching the packet header information of the traffic, it strips the VLAN tag from the traffic and sends the untagged traffic through the virtual network interface to the local security service node, so that the local security service node performs security inspection. The vSwitch of the last-hop security service node then modifies the VLAN information of the inspected traffic to the VLAN information corresponding to the destination VM according to the policy action in the matched access control policy, and sends the inspected traffic with the modified VLAN information over the switching network to the vSwitch corresponding to the destination VM, so that the vSwitch of the destination VM strips the VLAN tag from the received traffic and forwards it to the destination VM through the local virtual network interface.
In the implementation method of a cloud data center security service chain proposed by this embodiment, the vSwitch corresponding to the last-hop security service node sends the inspected traffic to the destination VM, so no additional output interface needs to be configured, which makes operation and maintenance of the security service chain very simple.
For example, as shown in Figure 3, consider the access control policy on the vSwitch corresponding to the last-hop security service node SSE4-1: for traffic received from the vSwitch corresponding to SSE3-1, if the source IP address of the traffic is 1.1.1.1 and the destination IP address is 2.2.2.2, modify its VLAN to 1002 and send it out of network port 2. The vSwitch corresponding to SSE4-1 receives, over the switching network, the traffic sent by the vSwitch of the previous-hop security service node SSE3-1 carrying the VLAN information corresponding to the local security service node. The vSwitch of SSE4-1 finds in its local flow table an access control policy matching the packet header information of the traffic (source IP address 1.1.1.1, destination IP address 2.2.2.2), strips the VLAN tag from the traffic, and sends the untagged traffic through the virtual network interface to the local security service node SSE4-1, so that SSE4-1 performs security inspection. When the vSwitch of SSE4-1 receives the inspected traffic back from the local security service node SSE4-1, it modifies the VLAN information of the inspected traffic to VLAN 1002, the VLAN corresponding to the destination VM, according to the policy action in the matched access control policy, and sends the processed traffic from output port 2 over the switching network to the vSwitch corresponding to the destination VM, so that the vSwitch of the destination VM strips the VLAN tag from the traffic after receiving it and forwards it to the destination VM.
In another embodiment of the invention, on the basis of the above embodiments, the packet header information is determined according to the security rule formulated by the user, and the type of the packet header information comprises one or more of: source port number, destination port number, protocol type, source IP address and destination IP address.
Specifically, in this embodiment the packet header information of the traffic refers to the IP five-tuple, i.e., one or more of IP source address, IP destination address, protocol number, source port and destination port. Which header fields are actually used to match the access control policy is specified by the security rule entered by the user; it is not necessary to use all five fields. For example, the user may specify that source IP address, destination IP address, protocol type, source port number and destination port number are all used to match the access control policy, or may specify only a single type, or may specify none at all, in which case all IP traffic is matched.
The vSwitch corresponding to the local security service node determines, according to the security rule specified by the user, which kind of packet header information is used to match the access control policies in its flow table; the types of packet header information comprise one or more of: source port number, destination port number, protocol type, source IP address and destination IP address.
In the implementation method of a security service chain provided by this embodiment, the packet header information is determined according to the security rule specified by the user; orchestration is flexible and simple, and the security service chain can be deployed flexibly according to the user's business requirements.
In another embodiment of the invention, on the basis of the above embodiments, the local flow table contains at least one access control policy. The access control policy is determined according to the security rule formulated by the user and comprises a first matching field and a first policy action, where the first matching field corresponds to the packet header information.
Specifically, an access control policy is a kind of flow entry: the controller derives it from the security rule formulated by the user and automatically pushes it to the vSwitch. The first matching field corresponds to the packet header information, i.e., whatever field types the packet header information uses, the first matching field uses the same types; specifically, the first matching field comprises one or more of: source port number, destination port number, protocol type, source IP address and destination IP address. The first policy action is the instruction set executed after a successful match; specifically, it modifies the VLAN information of the received traffic to the VLAN information corresponding to the next-hop security service node and specifies the output port for the processed traffic. The vSwitch corresponding to the local security service node forwards the received traffic to the next-hop security service node according to the first policy action.
The embodiments of the invention may implement the virtual switch on the basis of Open vSwitch. Open vSwitch is a virtual switch, originally led by Nicira Networks, that runs on virtualization platforms such as KVM and Xen. On a virtualization platform it provides Layer 2 switching for dynamically changing endpoints and allows better control of access policy, network isolation, traffic monitoring and so on within the virtual network.
Take the access control policy on the vSwitch corresponding to SSE2-2 as an example: for traffic received from the vSwitch corresponding to SSE1-1, if the source IP address of the traffic is 1.1.1.1 and the destination IP address is 2.2.2.2, modify its VLAN to 1000 and send it out of network interface 2. In Open vSwitch, the corresponding access control policy on the vSwitch of SSE2-2 is:
in_port=1,ip,nw_src=1.1.1.1,nw_dst=2.2.2.2,actions=mod_vlan_vid:1000,output:2
Here in_port is the input port number, ip is the protocol type (shorthand for an IPv4 Ethernet-type match), nw_src is the source IP address and nw_dst is the destination IP address; these four are the first matching fields of the access control policy. actions is the policy action executed after a successful match: mod_vlan_vid:1000 modifies the VLAN of the traffic to 1000, where 1000 is the VLAN information corresponding to the next-hop security service node.
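The controller role described above (derive one access control policy per vSwitch from a user rule and push it) can be made concrete with a small generator. The following is an added example and not the patent's own code: the patent shows only single flow entries, so the split into an ingress entry (strip the tag, hand the frame to the node) and an egress entry (re-tag for the next hop) on each node's vSwitch, the dl_vlan match on the ingress entry, the port numbers, the bridge name ovsbr and the VLANs of SSE1-1 (998) and SSE4-1 (1001) are assumptions; VLANs 999, 1000 and 1002 and SSE1-1's output port 3 are taken from the Figure 3 example. The dl_vlan match is an added check: without it the entry would also steer untagged traffic with the same addresses that happened to arrive on the uplink.

```python
"""Controller-side derivation of per-vSwitch Open vSwitch flow entries for one
security service chain (added example, not the patent's code; see lead-in)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Hop:
    name: str       # security service node, e.g. "SSE2-2"
    vlan: int       # VLAN ID whose frames the switching network delivers to it
    sse_port: int   # vSwitch port of the virtual interface towards the node
    uplink: int     # vSwitch port towards the switching network


@dataclass(frozen=True)
class Rule:
    nw_src: str     # first matching field chosen by the user's security rule
    nw_dst: str
    dst_vlan: int   # VLAN received by the destination VM's vSwitch


def match(rule: Rule) -> str:
    """First matching field: here the user selected IPv4 source/destination."""
    return f"ip,nw_src={rule.nw_src},nw_dst={rule.nw_dst}"


def source_vswitch_flow(rule: Rule, vm_port: int, uplink: int, first: Hop) -> str:
    """Chain entrance: tag the source VM's traffic with the first hop's VLAN.
    mod_vlan_vid pushes an 802.1Q header when the frame is still untagged."""
    return (f"in_port={vm_port},{match(rule)},"
            f"actions=mod_vlan_vid:{first.vlan},output:{uplink}")


def hop_flows(rule: Rule, hop: Hop, next_vlan: int) -> List[str]:
    """Two entries per security service node (assumed split, see lead-in).
    Ingress: only frames tagged with this node's VLAN are stripped and handed
    to the node; dl_vlan is the added check. Egress: inspected traffic coming
    back from the node is re-tagged for the next hop or the destination VM."""
    ingress = (f"in_port={hop.uplink},dl_vlan={hop.vlan},{match(rule)},"
               f"actions=strip_vlan,output:{hop.sse_port}")
    egress = (f"in_port={hop.sse_port},{match(rule)},"
              f"actions=mod_vlan_vid:{next_vlan},output:{hop.uplink}")
    return [ingress, egress]


def dest_vswitch_flow(rule: Rule, uplink: int, vm_port: int) -> str:
    """Chain exit: strip the destination VLAN and deliver plain Ethernet."""
    return (f"in_port={uplink},dl_vlan={rule.dst_vlan},{match(rule)},"
            f"actions=strip_vlan,output:{vm_port}")


def build_chain(rule: Rule, chain: List[Hop], vm_port: int = 1,
                uplink: int = 2) -> Dict[str, List[str]]:
    """Flow entries keyed by vSwitch: 'source', each hop name, 'destination'."""
    flows = {"source": [source_vswitch_flow(rule, vm_port, uplink, chain[0])]}
    for i, hop in enumerate(chain):
        next_vlan = chain[i + 1].vlan if i + 1 < len(chain) else rule.dst_vlan
        flows[hop.name] = hop_flows(rule, hop, next_vlan)
    flows["destination"] = [dest_vswitch_flow(rule, uplink, vm_port)]
    return flows


def vlan_path(flows: Dict[str, List[str]], chain: List[Hop]) -> List[int]:
    """VLAN carried on the switching network after each re-tagging vSwitch,
    read back from the generated entries to check hop-to-hop continuity."""
    def vid(entry: str) -> int:
        return int(entry.split("mod_vlan_vid:")[1].split(",")[0])
    return [vid(flows["source"][0])] + [vid(flows[h.name][1]) for h in chain]


def ovs_commands(flows: Dict[str, List[str]], bridge: str = "ovsbr") -> List[str]:
    return [f'ovs-ofctl add-flow {bridge} "{entry}"'
            for entries in flows.values() for entry in entries]


# Figure 3 chain. VLAN 999 (SSE2-2), 1000 (hop after SSE2-2), 1002 (destination
# VM) and SSE1-1's output port 3 come from the patent text; VLANs 998 and 1001
# and the remaining port numbers are assumed for the example.
FIG3_RULE = Rule(nw_src="1.1.1.1", nw_dst="2.2.2.2", dst_vlan=1002)
FIG3_CHAIN = [Hop("SSE1-1", 998, sse_port=1, uplink=3),
              Hop("SSE2-2", 999, sse_port=1, uplink=2),
              Hop("SSE3-1", 1000, sse_port=1, uplink=2),
              Hop("SSE4-1", 1001, sse_port=1, uplink=2)]

if __name__ == "__main__":
    for cmd in ovs_commands(build_chain(FIG3_RULE, FIG3_CHAIN)):
        print(cmd)
```

Running the script prints ten ovs-ofctl commands, one per generated entry; the egress entry for SSE2-2 is exactly the policy quoted above, and vlan_path lets an operator confirm that every ingress dl_vlan is the VLAN written by the previous hop before anything is pushed to the switches.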
In the implementation method of a cloud data center security service chain provided by this embodiment, the access control policy is obtained from the security rule formulated by the user, so that the security service chain can be deployed flexibly according to the user's business requirements.
In another embodiment of the invention, on the basis of the above embodiments and as shown in Figure 7, before step S51 of Figure 5 in which the vSwitch receives the traffic sent by the vSwitch of the source VM over the switching network and carrying the VLAN information corresponding to the local security service node, the method further comprises:
S71, after the vSwitch corresponding to the source VM receives multiple flows sent by the source VM, hashing the multiple flows;
S72, the vSwitch corresponding to the source VM, according to the hash result, confirming that a matching load balancing policy exists in the local flow table, and forwarding the multiple flows sent by the source VM, according to the policy action of the load balancing policy, to the vSwitches corresponding to the respectively matched security service nodes.
Specifically, when there are multiple security service chains, a load balancing policy is added at the entrance of the service chains to balance the traffic across them. After the vSwitch of the source VM receives multiple flows from the source VM, it first hashes the flows. It then searches its local flow table for a matching load balancing policy according to the hash result: different flows yield different hash values, and different hash values match different load balancing policies, so that according to the policy action of the matched load balancing policy the VLAN of each flow is modified to the VLAN received by the first security service node of a different security service chain. Each flow is thus dispatched to a different security service chain for processing, and the last-hop security service node of each chain modifies the VLAN of the flow to the VLAN received by the destination VM, which completes the parallel processing across security service chains. For bidirectional traffic the policy applied is consistent, i.e., traffic belonging to the same session is guaranteed to be assigned to the same service chain for processing.
In the implementation method of a cloud data center security service chain provided by this embodiment, adding a load balancing policy at the entrance of the security service chains can further increase the security protection performance of the security service chain.
As shown in Figure 8, by default the traffic leaving VM-1-1 can, after processing by the policy node, be distributed to two different security service chains, namely VM-1-1 → SSE-1-1 → SSE-2-2 → SSE-1-3 → SSE-1-4 → VM-2-4 and VM-1-1 → SSE-2-1 → SSE-1-2 → SSE-2-3 → SSE-2-4 → VM-2-4. After the two service chains complete processing, the VLAN of the traffic is modified to the same VLAN received by VM-2-4, so that VM-2-4 receives it. Reverse traffic VM-2-4 → VM-1-1 is handled in the same way: if the web traffic of VM-1-1 → VM-2-4 is processed by the upper security service chain and the SSH traffic by the lower security service chain, then the reverse web traffic is likewise balanced by the policy to the upper security service chain, and the reverse SSH traffic is likewise balanced to the lower security service chain.
In another embodiment of the invention, on the basis of the above embodiments, hashing the multiple flows comprises: masking the last m bits of a feature field in the packet header information of each flow, where m is the value of log2 N rounded up, N is the number of security service chains, and the feature field comprises a port number field, an IP address field or a protocol type field.
Specifically, the packet header information of a flow comprises one or more of: source port number, destination port number, protocol type, source IP address and destination IP address. The feature field comprises a port number field, an IP address field or a protocol type field, where the port number field means the source port number and destination port number, the IP address field means the source IP address and destination IP address, and the protocol type field covers IP, TCP, UDP, SCTP and so on. The number of security service chains is obtained from the security rule formulated by the user.
After the vSwitch of the source VM receives multiple flows sent by the source VM, it computes from the number N of security service chains the value M = log2 N rounded up, and masks the last M bits of the feature field in the packet header information of each flow.
In the implementation method of a cloud data center security service chain provided by this embodiment, the hashing method can be selected flexibly according to the number of security service chains, which can further increase the security protection performance of the security service chain.
For example, for TCP, if the controller creates 2 security service chains according to the security rule formulated by the user, then the last bit of the port number field in the packet header information of each flow is masked. If the controller creates 4 security service chains, then since log2 4 = 2, the last 2 bits of the port number field are masked. If the controller creates 3 security service chains, then since log2 3 rounds up to 2, the last 2 bits of the port number field are likewise masked.
In another embodiment of the invention, on the basis of the above embodiments, the load balancing policy comprises a second matching field and a second policy action.
The load balancing policy is a kind of flow entry and therefore comprises a second matching field and a second policy action. The second matching field consists of the different hash values obtained by hashing the feature field of the flows, and the second policy action matches flows to different security service chains according to those hash values.
In the implementation method of a cloud data center security service chain provided by this embodiment, the load balancing policy distributes different flows to different security service chains, which can increase the security protection performance of the security service chain and yields better performance.
For example, for TCP, if the controller creates 2 security service chains according to the security rule formulated by the user, the last bit of the port number field in the packet header information of each flow is masked, and flows are matched to different security service chains according to the different hash values. The load balancing policy is as follows:
flows whose source port number and destination port number are both odd or both even are distributed to service chain A;
flows where one of the source port number and destination port number is odd and the other is even are distributed to service chain B.
In Open vSwitch, the above load balancing policy is implemented as follows (each command adds one flow entry to bridge ovsbr; tp_src=0/0x0001 matches a source port whose last bit is 0):
ovs-ofctl add-flow ovsbr "in_port=1,ip,tcp,tp_src=0/0x0001,tp_dst=0/0x0001,actions=mod_vlan_vid:1001,output:2"
ovs-ofctl add-flow ovsbr "in_port=1,ip,tcp,tp_src=1/0x0001,tp_dst=1/0x0001,actions=mod_vlan_vid:1001,output:2"
ovs-ofctl add-flow ovsbr "in_port=1,ip,tcp,tp_src=0/0x0001,tp_dst=1/0x0001,actions=mod_vlan_vid:1002,output:2"
ovs-ofctl add-flow ovsbr "in_port=1,ip,tcp,tp_src=1/0x0001,tp_dst=0/0x0001,actions=mod_vlan_vid:1002,output:2"
If there are 4 service chains, log2 4 = 2 bits can be used for hashing, and the load balancing policy is as follows:
flows in which the last 2 bits of the source port number and of the destination port number are both 00, both 01, both 10 or both 11 are distributed to service chain A;
flows in which the last 2 bits of the two port numbers are 00 and 01, or 10 and 11, are distributed to service chain B;
flows in which the last 2 bits of the two port numbers are 00 and 10, or 01 and 11, are distributed to service chain C;
flows in which the last 2 bits of the two port numbers are 00 and 11, or 01 and 10, are distributed to service chain D.
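The mask rule (m = log2 N rounded up) and the 2-chain and 4-chain tables above describe one hash without naming it: in both tables a flow's chain is fixed by the XOR of the masked low bits of its source and destination ports (equal bits give chain A, XOR 01 gives B, and so on). The following generator, an added example and not the patent's code, builds the load balancing flow entries for N chains from that reading; the XOR combination is inferred from the tables, and the treatment of N that is not a power of two (bucket taken modulo N, which leaves chain A with a double share when N = 3) is an assumption the patent does not address. Port numbers, bridge name and the VLANs 1001/1002 follow the example above.

```python
"""Hash-based load balancing entries for N security service chains, as applied
by the source VM's vSwitch in steps S71/S72 (added example; see lead-in)."""
from itertools import product
from typing import List


def mask_bits(n_chains: int) -> int:
    """m = ceil(log2 N), computed exactly on integers: 2 -> 1, 3 -> 2, 4 -> 2."""
    if n_chains < 1:
        raise ValueError("need at least one security service chain")
    return (n_chains - 1).bit_length()


def chain_index(src_port: int, dst_port: int, n_chains: int) -> int:
    """Hash of one flow: XOR of the masked low bits of both port numbers.
    XOR is symmetric in its arguments, so the reverse direction of a session
    (ports swapped) lands on the same chain, as the patent requires for
    round-trip traffic. Modulo N is an assumption for non-power-of-two N."""
    mask = (1 << mask_bits(n_chains)) - 1
    bucket = (src_port & mask) ^ (dst_port & mask)
    return bucket % n_chains


def load_balancing_flows(chain_vlans: List[int], in_port: int = 1,
                         uplink: int = 2) -> List[str]:
    """Second matching field / second policy action as OVS flow entries: one
    entry per (src bits, dst bits) pair, 4**m entries in total, re-tagging the
    flow with the VLAN of the first node of the selected chain."""
    m = mask_bits(len(chain_vlans))
    mask = (1 << m) - 1
    entries = []
    for s, d in product(range(1 << m), repeat=2):
        vlan = chain_vlans[chain_index(s, d, len(chain_vlans))]
        entries.append(f"in_port={in_port},ip,tcp,"
                       f"tp_src={s}/0x{mask:04x},tp_dst={d}/0x{mask:04x},"
                       f"actions=mod_vlan_vid:{vlan},output:{uplink}")
    return entries


def ovs_commands(chain_vlans: List[int], bridge: str = "ovsbr") -> List[str]:
    return [f'ovs-ofctl add-flow {bridge} "{e}"'
            for e in load_balancing_flows(chain_vlans)]


if __name__ == "__main__":
    # Two chains whose first nodes receive VLANs 1001 and 1002, as in the text.
    for cmd in ovs_commands([1001, 1002]):
        print(cmd)
```

For two chains the script reproduces the four ovs-ofctl commands listed above (in a different order); for four chains it emits the sixteen entries the A/B/C/D table enumerates. Because the hash only looks at the low bits of the ports, a client that reuses ephemeral ports unevenly will load the chains unevenly; the patent's claim is session consistency, not equal load.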
A further embodiment of the invention provides a virtual switch, as shown in Figure 9, comprising a receiving unit 901, a flow table matching unit 902 and a forwarding unit 903, where:
the receiving unit 901 is configured to receive, over the switching network, the traffic sent by the virtual switch corresponding to the previous-hop security service node and carrying the VLAN information corresponding to the local security service node;
the flow table matching unit 902 is configured to, if an access control policy matching the packet header information of the traffic is found in the local flow table, strip the VLAN tag from the traffic and send the untagged traffic through the virtual network interface to the local security service node, so that the local security service node performs security inspection;
the forwarding unit 903 is configured to, upon receiving the inspected traffic returned by the local security service node, modify the VLAN information of the inspected traffic to the VLAN information corresponding to the next-hop security service node according to the policy action in the matched access control policy, and send the inspected traffic with the modified VLAN information over the switching network.
Specifically, the receiving unit 901 receives, over the switching network, the traffic sent by the virtual switch corresponding to the previous-hop security service node and carrying the VLAN information corresponding to the local security service node. The flow table matching unit 902 looks up in the local flow table whether an access control policy exists that matches the packet header information of the traffic; if a matching access control policy exists, the flow table matching unit 902 strips the VLAN tag from the traffic, converting the traffic carrying the VLAN information of the local security service node from VLAN format into ordinary Layer 2 Ethernet frame format, and sends the untagged traffic through the virtual network interface to the local security service node, so that the local security service node performs security inspection on it. The forwarding unit 903, upon receiving the inspected traffic returned by the local security service node, modifies the VLAN information of the inspected traffic to the VLAN information of the next-hop security service node according to the policy action in the matched access control policy, and forwards the inspected traffic with the modified VLAN information over the switching network to the virtual switch corresponding to the next-hop security service node.
The virtual switch provided by this embodiment steers traffic to a security service node for security inspection by matching access control policies, which simplifies the realization of the security service chain; no additional interface needs to be configured for access control, and operation and maintenance are simple.
A further embodiment of the invention provides a cloud data center security service chain comprising one or more virtual switches, a controller and security service nodes, where the virtual switches correspond to the security service nodes, the source VM and the destination VM, and where:
the controller is configured to receive user-defined security rules and to configure the access control policies of each virtual switch according to those security rules;
the security service node is configured to perform security inspection on received traffic and to send the inspected traffic out through the virtual network interface;
the virtual switch corresponding to a security service node is configured to strip the VLAN tag from traffic that requires security inspection and forward it to the security service node, or, according to the matched access control policy, to modify the VLAN information of the inspected traffic to the VLAN information corresponding to the next-hop security service node and send the inspected traffic with the modified VLAN information over the switching network;
the virtual switch corresponding to the source VM is configured to steer the traffic issued by the source VM that requires security inspection into the first-hop security service node;
the virtual switch corresponding to the destination VM is configured to steer the traffic issued by the last-hop security service node to the destination VM.
Specifically, a user-defined security rule means that the user specifies which security service nodes a given traffic must pass through in sequence for inspection. From the user-defined security rule the controller determines which types of packet header information to use and, accordingly, the matching fields of the access control policies; from the sequence of security service nodes the traffic must traverse it determines the forwarding path of the traffic and thereby sets the policy actions of the access control policies. The controller then pushes the resulting access control policies to each virtual switch.
The security service node performs security inspection on the received traffic. As mentioned in the above embodiments, there are many types of security service node, so that security protection from multiple angles can be applied to the traffic. After the security service node completes its inspection, the traffic is forwarded out through the local virtual network interface, so that it can enter the next-hop security service node.
The virtual switch corresponding to a security service node is the virtual switch provided in the above embodiments and is not described again here.
The virtual switch corresponding to the source VM can be regarded as the entrance of the security service chain, steering the traffic that must enter the security service chain into the first-hop security service node. Specifically, it looks up in its local flow table whether an access control policy exists that matches the packet header information of the traffic. If one exists, the traffic requires security inspection, so the virtual switch modifies the VLAN information of the traffic to the VLAN information corresponding to the first-hop security service node according to the policy action in the matched access control policy and forwards it. If none exists, the traffic does not require security inspection and is sent to the destination VM along the ordinary forwarding path.
The virtual switch corresponding to the destination VM can be regarded as the exit of the security service chain: it takes the traffic issued by the last-hop security service node out of the security service chain and sends it to the destination VM, completing the communication between the source VM and the destination VM.
The cloud data center security service chain proposed by the invention can be deployed flexibly according to the user's security requirements; its design is simple, its functionality strong and its operation and maintenance cost low, and it can achieve a good security protection effect.
Finally, the above methods are only preferred embodiments and are not intended to limit the scope of the invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the invention.
Claims (10)
1. An implementation method of a cloud data center security service chain, characterized in that it comprises:
Step 1, receiving, over the switching network, traffic sent by the vSwitch corresponding to the previous-hop security service node and carrying the VLAN information corresponding to the local security service node;
Step 2, if an access control policy matching the packet header information of the traffic is found in the local flow table, stripping the VLAN tag from the traffic and sending the untagged traffic through the virtual network interface to the local security service node, so that the local security service node performs security inspection;
Step 3, upon receiving the inspected traffic returned by the local security service node, modifying the VLAN information of the inspected traffic to the VLAN information corresponding to the next-hop security service node according to the policy action in the matched access control policy, and sending the inspected traffic with the modified VLAN information over the switching network.
2. The implementation method of a security service chain according to claim 1, characterized in that step 1 further comprises: if the local security service node is the first-hop security service node, receiving, over the switching network, traffic sent by the vSwitch corresponding to the source VM and carrying the VLAN information corresponding to the local security service node.
3. The implementation method of a security service chain according to claim 1, characterized in that step 3 further comprises: if the local security service node is the last-hop security service node,
modifying the VLAN information of the inspected traffic to the VLAN information corresponding to the destination VM according to the policy action in the matched access control policy;
sending the inspected traffic with the modified VLAN information over the switching network to the vSwitch corresponding to the destination VM, so that the vSwitch of the destination VM strips the VLAN tag from the received traffic and forwards it to the destination VM through the local virtual network interface.
4. The implementation method of a security service chain according to any one of claims 1 to 3, characterized in that the packet header information is determined according to a user-defined security rule, and the type of the packet header information comprises one or more of: source port number, destination port number, protocol type, source IP address and destination IP address.
5. The implementation method of a security service chain according to any one of claims 1 to 3, characterized in that the local flow table in step 2 contains at least one access control policy, the access control policy is determined according to a user-defined security rule, and the access control policy comprises a first matching field and a first policy action, where the first matching field corresponds to the packet header information.
6. The implementation method of the security service chain according to claim 2, characterized in that, before receiving in step 1 the flow sent through the switching network by the vSwitch corresponding to the source VM and carrying the VLAN information corresponding to the local security service node, the method further includes:
after the vSwitch corresponding to the source VM receives multiple flows sent by the source VM, performing hash processing on the multiple flows;
the vSwitch corresponding to the source VM confirming, according to the result of the hash processing, that a matching load-balancing policy exists in the local flow table, and, according to the policy action of the load-balancing policy, forwarding the multiple flows issued by the source VM respectively to the vSwitches corresponding to the matched security service nodes.
7. The implementation method of the security service chain according to claim 6, characterized in that the hash processing of the multiple flows includes: applying a mask to the last m bits of a feature field in the header information of each flow, where m is the value of log2 N rounded up, N is the number of security service chains, and the feature field includes a port number field, an IP address field or a protocol type field.
8. The implementation method of the security service chain according to claim 6, characterized in that the load-balancing policy includes: a second matching field and a second policy action.
9. A virtual switch, characterized by comprising:
a receiving unit, for receiving, through the switching network, the flow sent by the virtual switch corresponding to the previous-hop security service node and carrying the VLAN information corresponding to the local security service node;
a flow-table matching unit, for, if an access control policy matching the header information of the flow is found in the local flow table, performing VLAN stripping on the flow and sending the VLAN-stripped flow through a virtual network port to the local security service node, so that the local security service node performs security detection;
a forwarding unit, for receiving the flow that has passed security detection sent by the local security service node, modifying, according to the policy action in the matched access control policy, the VLAN information of the flow that has passed security detection to the VLAN information corresponding to the next-hop security service node, and sending the flow that has passed security detection with the modified VLAN information through the switching network.
10. A cloud data center security service chain system, characterized by comprising: one or more virtual switches according to claim 9, a controller and security service nodes, wherein the virtual switches correspond to the security service nodes, the source VM and the destination VM; wherein
the controller is for receiving user-defined security rules and configuring the access control policies of each virtual switch according to the security rules;
the security service node is for performing security detection on the received flow and sending the flow that has passed security detection through a virtual network port;
the virtual switch corresponding to a security service node is for performing VLAN stripping on the flow that requires security detection and forwarding it to the security service node; or, for modifying, according to the matched access control policy, the VLAN information of the flow that has passed security detection to the VLAN information corresponding to the next-hop security service node, and sending the flow that has passed security detection with the modified VLAN information through the switching network;
the virtual switch corresponding to the source VM is for steering the flow issued by the source VM that requires security detection into the first-hop security service node;
the virtual switch corresponding to the destination VM is for steering the flow issued by the last-hop security service node to the destination VM.
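The claims above describe one forwarding procedure: the source vSwitch hashes flows onto N chains by masking the low m = ceil(log2 N) bits of a header feature field (claims 6 to 8), each security-service vSwitch matches its local flow table, strips the VLAN tag, hands the frame to its node and re-tags it with the next hop's VLAN (claims 1, 5 and 9), and the last hop re-tags for the destination VM, whose vSwitch strips the tag and delivers (claim 3). The following simulation is an added example, not code from the patent or its assignee. The VLAN IDs, header field names, the toy "firewall" and "IDS" detectors, the `% N` fold for a chain count that is not a power of two, and the trace strings are all assumptions made for the demonstration; the claims fix only the mask width, not how a masked value is mapped to a chain. One design choice worth noting: a frame with no matching access control policy is dropped here rather than forwarded, since the policy match is the only thing tying a tagged frame to its position in the chain.

```python
# Added simulation of the VLAN-tag security service chain in the claims above; not the patent's code.
from dataclasses import dataclass, field
from math import ceil, log2
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Header:
    src_ip: str   # header fields the claims allow as match / feature fields (claim 4)
    dst_ip: str
    proto: int
    sport: int
    dport: int

@dataclass
class Frame:
    vlan: Optional[int]  # None = untagged (after VLAN stripping)
    header: Header
    trace: List[str] = field(default_factory=list)

def chain_index(header: Header, n_chains: int, feature: str = "sport") -> int:
    """Claim 7: mask the low m bits of a feature field, m = ceil(log2 N). The
    '% n_chains' fold is an addition for N not a power of two (the claim only
    specifies the mask)."""
    if n_chains < 1:
        raise ValueError("need at least one chain")
    m = ceil(log2(n_chains)) if n_chains > 1 else 0
    return (getattr(header, feature) & ((1 << m) - 1)) % n_chains

@dataclass
class Policy:
    """Claim 5: matching fields plus an action (here: VLAN of the next hop)."""
    match: Dict[str, object]
    next_vlan: int

    def matches(self, h: Header) -> bool:
        return all(getattr(h, k) == v for k, v in self.match.items())

def send(net: Dict[int, "VSwitch"], fr: Frame) -> None:
    # The 'switching network': deliver to whichever vSwitch owns the frame's VLAN.
    if fr.vlan in net:
        net[fr.vlan].receive(fr)
    else:
        fr.trace.append(f"dropped: no switch owns VLAN {fr.vlan}")

class VSwitch:
    """Owns one VLAN and a flow table; fronts a security node (detector) or the destination VM (deliver)."""
    def __init__(self, name: str, vlan: int, net: Dict[int, "VSwitch"], flow_table: List[Policy],
                 detector: Optional[Callable[[Header], bool]] = None,
                 deliver: Optional[Callable[[Header], None]] = None) -> None:
        self.name, self.vlan, self.net = name, vlan, net
        self.flow_table, self.detector, self.deliver = flow_table, detector, deliver
        net[vlan] = self

    def receive(self, fr: Frame) -> None:
        fr.vlan = None  # VLAN stripping
        if self.deliver is not None:  # claim 3: last hop hands the flow to the destination VM
            fr.trace.append(f"{self.name}: stripped, delivered to VM")
            self.deliver(fr.header)
            return
        policy = next((p for p in self.flow_table if p.matches(fr.header)), None)
        if policy is None:  # no ACL entry: drop rather than forward blindly
            fr.trace.append(f"{self.name}: no matching policy, dropped")
            return
        if not self.detector(fr.header):  # the local security service node inspects the flow
            fr.trace.append(f"{self.name}: blocked by security node")
            return
        fr.vlan = policy.next_vlan  # policy action: re-tag for the next hop (claim 1)
        fr.trace.append(f"{self.name}: passed, re-tagged VLAN {fr.vlan}")
        send(self.net, fr)

N_CHAINS = 2  # assumed: two parallel chains, so m = 1 and the low bit of sport selects the chain

def run_demo(headers: List[Header]) -> Tuple[List[Header], List[Frame]]:
    """Each chain is fw -> ids -> destination VM; the fw blocks destination port 23
    and both nodes' ACLs admit only TCP (proto 6). Returns (delivered headers, all frames)."""
    net: Dict[int, VSwitch] = {}
    delivered: List[Header] = []
    DST_VLAN = 100  # assumed VLAN of the destination VM
    VSwitch("dst", DST_VLAN, net, [], deliver=delivered.append)
    for c in range(N_CHAINS):  # chain c: fw on VLAN 200+10c, ids on VLAN 201+10c (assumed IDs)
        fw_vlan, ids_vlan = 200 + 10 * c, 201 + 10 * c
        VSwitch(f"fw{c}", fw_vlan, net, [Policy({"proto": 6}, ids_vlan)], detector=lambda h: h.dport != 23)
        VSwitch(f"ids{c}", ids_vlan, net, [Policy({"proto": 6}, DST_VLAN)], detector=lambda h: True)
    frames: List[Frame] = []
    for h in headers:  # source vSwitch: hash (claims 6-7), then tag with the first hop's VLAN
        fr = Frame(200 + 10 * chain_index(h, N_CHAINS), h)
        fr.trace.append(f"src: hashed to chain VLAN {fr.vlan}")
        frames.append(fr)
        send(net, fr)
    return delivered, frames

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Header("10.0.0.1", "10.0.1.1", 6, 40000, 443),  # even sport -> chain 0, passes
    Header("10.0.0.1", "10.0.1.1", 6, 40001, 23),   # odd sport -> chain 1, fw blocks port 23
    Header("10.0.0.1", "10.0.1.1", 17, 40002, 53),  # UDP -> chain 0, no ACL match, dropped
    Header("10.0.0.1", "10.0.1.1", 6, 40003, 80),   # odd sport -> chain 1, passes
]
```

Running `run_demo(SAMPLE_FLOWS)` and printing each frame's `trace` shows the hop sequence: the two admitted TCP flows travel fw -> ids -> dst with a VLAN rewrite at each hop, the telnet flow stops at the firewall, and the UDP flow is dropped at the first hop because nothing in that vSwitch's flow table matches it.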
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710124814.XA CN106789542B (en) | 2017-03-03 | 2017-03-03 | A kind of implementation method of cloud data center security service chain |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710124814.XA CN106789542B (en) | 2017-03-03 | 2017-03-03 | A kind of implementation method of cloud data center security service chain |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106789542A CN106789542A (en) | 2017-05-31 |
CN106789542B true CN106789542B (en) | 2019-08-09 |
Family
ID=58961233
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710124814.XA Active CN106789542B (en) | 2017-03-03 | 2017-03-03 | A kind of implementation method of cloud data center security service chain |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106789542B (en) |
Families Citing this family (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107947965B (en) * | 2017-11-07 | 2020-06-19 | 清华大学 | Service chain compiler |
CN107911258B (en) * | 2017-12-29 | 2021-09-17 | 深信服科技股份有限公司 | SDN network-based security resource pool implementation method and system |
CN107920023B (en) * | 2017-12-29 | 2021-01-19 | 深信服科技股份有限公司 | Method and system for realizing security resource pool |
CN108199958B (en) * | 2017-12-29 | 2021-04-09 | 深信服科技股份有限公司 | Universal secure resource pool service chain implementation method and system |
CN111684775B (en) | 2018-02-06 | 2022-10-14 | 上海诺基亚贝尔股份有限公司 | Method, apparatus, and computer-readable medium for providing security services for a data center |
CN110324282A (en) * | 2018-03-29 | 2019-10-11 | 华耀(中国)科技有限公司 | Load balancing method and system for SSL/TLS visibility traffic |
CN109981355A (en) * | 2019-03-11 | 2019-07-05 | 北京网御星云信息技术有限公司 | Security defense method and system for cloud environments, and computer-readable storage medium |
CN109889533B (en) * | 2019-03-11 | 2021-07-20 | 北京网御星云信息技术有限公司 | Security defense method and system under cloud environment and computer readable storage medium |
CN110213181B (en) * | 2019-04-28 | 2021-01-29 | 华为技术有限公司 | Data stream guiding device and data stream guiding method in virtual network |
CN110311838B (en) * | 2019-07-24 | 2021-05-04 | 绿盟科技集团股份有限公司 | Method and device for counting safety service flow |
CN113098728B (en) * | 2019-12-23 | 2023-12-19 | 华为云计算技术有限公司 | Health check method of load balancing system and related equipment |
CN111756632B (en) * | 2020-06-22 | 2021-10-22 | 中国电子科技集团公司第五十四研究所 | Security service chain dynamic arranging method based on MPLS encapsulation |
CN114070639B (en) * | 2021-11-19 | 2024-04-23 | 北京天融信网络安全技术有限公司 | Message security forwarding method and device and network security equipment |
CN114629853B (en) * | 2022-02-28 | 2024-06-14 | 天翼安全科技有限公司 | Flow classification control method based on security service chain analysis in security resource pool |
CN114944952B (en) * | 2022-05-20 | 2023-11-07 | 深信服科技股份有限公司 | Data processing method, device, system, equipment and readable storage medium |
CN115695086B (en) * | 2022-09-19 | 2024-01-19 | 中电信数智科技有限公司 | System and method for realizing service chain function based on VLAN (virtual local area network) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104618379A (en) * | 2015-02-04 | 2015-05-13 | 北京天地互连信息技术有限公司 | IDC service scene-oriented security service arranging method and network structure |
CN105450522A (en) * | 2014-09-24 | 2016-03-30 | 英特尔公司 | Techniques for routing service chain flow packets between virtual machines |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105490995B (en) * | 2014-09-30 | 2018-04-20 | 国际商业机器公司 | Method and apparatus for packet forwarding by an NVE in an NVO3 network |
- 2017-03-03: CN CN201710124814.XA, patent CN106789542B, status Active
Non-Patent Citations (2)
Title |
---|
"Security service access method in virtual network environments"; Chen Xingshu et al.; Journal of Huazhong University of Science and Technology (Natural Science Edition); 2016-03-31; full text * |
"Firewalls step up: the direction of multi-layer filtering technology in security gateways"; Li Jun; Netinfo Security; 2006-07-30; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN106789542A (en) | 2017-05-31 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106789542B (en) | A kind of implementation method of cloud data center security service chain | |
US9742575B2 (en) | Explicit list encoding of sparse multicast group membership information with Bit Index Explicit Replication (BIER) | |
US11115328B2 (en) | Efficient troubleshooting in openflow switches | |
US9654395B2 (en) | SDN-based service chaining system | |
US20200344143A1 (en) | Optimized datapath troubleshooting with trace policy engine | |
US10225169B2 (en) | Method and apparatus for autonomously relaying statistics to a network controller in a software-defined networking network | |
CN105765946B (en) | Method and system for supporting service chaining in data networks |
US9755959B2 (en) | Dynamic service path creation | |
KR101478475B1 (en) | Computer system and communication method in computer system | |
EP3248339B1 (en) | Devices, systems and methods for service chains | |
CN104243270B (en) | A kind of method and apparatus for establishing tunnel | |
US20160301603A1 (en) | Integrated routing method based on software-defined network and system thereof | |
US20160127142A1 (en) | Explicit block encoding of multicast group membership information with bit index explicit replication (bier) | |
US20160315866A1 (en) | Service based intelligent packet-in mechanism for openflow switches | |
JP2018519751A (en) | Presenting the maximum segment identifier depth to external applications using the Border Gateway Protocol | |
CN110178342A (en) | Scalable application-level monitoring of SDN networks |
CN105471907B (en) | OpenFlow-based virtual firewall forwarding control method and system |
CN107181691B (en) | Method, equipment and system for realizing message routing in network | |
CN105516025B (en) | End-to-end path control and data transmission method, OpenFlow controller and switch |
CN106105114B (en) | Better alternate paths for multi-homed IS-IS prefixes |
CN108353068A (en) | SDN controller-assisted intrusion prevention system |
EP3646533B1 (en) | Inline stateful monitoring request generation for sdn | |
KR20160122226A (en) | Communication system, control device, communication control method and program | |
CN106713026A (en) | Service chain topological structure, service chain setting method and controller | |
CN110431827A (en) | Realizing a distributed gateway architecture for 3GPP mobility using the Locator/Identifier Separation Protocol |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||