CN107872443A - Virtual network security protection system, flow lead method and device - Google Patents

Info

Publication number: CN107872443A
Application number: CN201610861833.6A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 张结辉
Assignee (original and current): Shenzhen Shenxinfu Electronic Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0218 Distributed architectures, e.g. distributed firewalls
    • H04L63/0272 Virtual private networks
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Abstract

Embodiments of the invention disclose a virtual network security protection system and a traffic steering ("flow lead") method and device, for providing security protection to the virtual network on a virtualization platform. The system includes a next-generation virtual firewall management platform (CSSP), a traffic-steering plug-in (the "drainage plug-in unit" of the machine translation) and a next-generation virtual firewall (vNGAF). A vNGAF and a steering plug-in are deployed in every virtualized host; the CSSP issues security policies to the vNGAF and steering rules to the plug-in. The plug-in redirects virtual machine traffic to the vNGAF according to the steering rules; the vNGAF processes the traffic according to the security policies and returns it to the plug-in, which sends it to the target virtual machine or to the target port of the virtual switch. By deploying vNGAFs in a distributed fashion, the embodiments achieve Layer 7 (application-layer) security protection between virtualized hosts and between virtual machines, and thereby provide security protection for the virtual network on the virtualization platform.

Description

Virtual network security protection system, flow lead method and device
Technical field
The present invention relates to the field of computer technology, and in particular to a virtual network security protection system and a traffic steering ("flow lead") method and device.
Background technology
Virtualization, one of today's most prominent technologies, is widely used in cloud computing platforms, virtual storage, virtual operating systems, virtual desktops, virtual terminals and similar fields. The security of virtualized environments is therefore becoming increasingly important.
In the scenario shown in Fig. 1, several virtual machines (VMs), VM1, VM2 and VM3, run in the same virtual data center, and each VM is responsible for one kind of business: for example, VM1 is a web server, VM2 a mail server and VM3 a MySQL server. Suppose VM1, VM2 and VM3 are all to be protected, yet data is exchanged between them; for instance, the web server and the mail server need to access resources on the MySQL server.
Existing security protection techniques mainly include the following:
The first: access control list (ACL) policies configured through the network security components supplied by the virtualization vendor (such as the vShield components provided by VMware). This technique can only isolate VMs from one another and cannot provide Layer 7 (application-layer) protection. For example, when a gateway discovers that a virtual machine has been compromised, this technique cannot stop the compromise from spreading further inside the intranet: if VM1 in Fig. 1 is at risk it may infect VM2 and VM3, and the risk in VM1 cannot be effectively prevented from spreading to VM2 and VM3.
The second: purchasing a physical or virtual firewall from a well-known security vendor and, through network configuration such as VLAN division or routing, steering the traffic of the many VMs on many virtual hosts to that firewall, where protection is implemented through firewall policies. This technique requires changing the original network topology, deployment is complex, and network capacity expansion and upgrades become harder; when the number of VMs grows, the firewall cannot carry the huge traffic volume, and buying more firewalls is costly. Moreover, once this scheme is in place, a firewall failure directly interrupts VM service.
Summary of the invention
Embodiments of the invention provide a virtual network security protection system and a traffic steering method and device, to supply a security solution for the virtual network on a virtualization platform.
In a first aspect, embodiments of the invention provide a virtual network security protection system comprising a next-generation virtual firewall management platform, a traffic-steering plug-in (the "drainage plug-in unit" of the machine translation) and a next-generation virtual firewall, wherein the plug-in and the next-generation virtual firewall are deployed in a virtualized host on which at least one virtual machine is deployed. The next-generation virtual firewall management platform is used to issue security policies to the next-generation virtual firewall and to issue steering rules to the plug-in; the plug-in is used to redirect the traffic of the virtual machine to the next-generation virtual firewall according to the steering rules; the next-generation virtual firewall is used to process the virtual machine's traffic according to the security policies; and the plug-in is further used to receive the traffic that the next-generation virtual firewall has allowed after processing, and to send the allowed traffic to the target virtual machine or to the target port of the virtual switch.
Optionally, the next-generation virtual firewall is specifically used to process the virtual machine's traffic according to the security policies and to decide whether that traffic is allowed; if it determines that the traffic is allowed, it sends the traffic to the plug-in.
Optionally, the next-generation virtual firewall management platform is specifically used to obtain the security policies set by the user, issue the security policies to the next-generation virtual firewall, generate steering rules from the security policies, and issue the steering rules to the plug-in.
Optionally, the plug-in is specifically used, when it determines that the allowed traffic is traffic accessing a virtual machine, to determine the destination MAC address from the stored mapping table of virtual machine MAC addresses to virtual switch ports, and to send the traffic to the target virtual machine corresponding to that destination MAC address.
Optionally, the plug-in is specifically used, when it determines that the allowed traffic is traffic initiated by a virtual machine, to determine the target port of the virtual switch from the stored mapping table of virtual machine MAC addresses to virtual switch ports, and to send the traffic initiated by the virtual machine to that target port.
Optionally, the virtual network security protection system further includes a virtual authorization server, used to obtain authorization information and, according to it, provide authorization services to at least one next-generation virtual firewall.
Optionally, the virtual authorization server is specifically used to obtain the authorization information from a physical USB key and, according to it, provide authorization services to at least one next-generation virtual firewall; the authorization information includes the licence information for enabling security functions and the information on the next-generation virtual firewalls permitted to be deployed.
Optionally, the virtual authorization server is specifically used to obtain the authorization information from the public network over the network and, according to it, provide authorization services to at least one next-generation virtual firewall; the authorization information includes the licence information for enabling security functions and the information on the next-generation virtual firewalls permitted to be deployed.
In a second aspect, embodiments of the invention provide a traffic steering method for a virtualization platform. The method is applied to a virtual network security protection system that includes a next-generation virtual firewall, a traffic-steering plug-in and a next-generation virtual firewall management platform, where the plug-in and the next-generation virtual firewall are located on a virtualized host on which at least one virtual machine is deployed. The method includes: the plug-in receives the steering rules issued by the next-generation virtual firewall management platform; the plug-in redirects the virtual machine's traffic to the next-generation virtual firewall according to the steering rules, and the next-generation virtual firewall processes that traffic; the plug-in receives the traffic allowed by the next-generation virtual firewall after processing and sends the allowed traffic to the target port of the virtual switch or to the target virtual machine.
Optionally, the plug-in sending the allowed traffic to the target port of the virtual switch or to the target virtual machine includes: if the allowed traffic was initiated by a virtual machine, the plug-in determines the target port of the virtual switch from the stored mapping table of virtual machine MAC addresses to virtual switch ports, and sends the traffic initiated by the virtual machine to that target port.
Optionally, the plug-in sending the allowed traffic to the target port of the virtual switch or to the target virtual machine includes: if the allowed traffic is traffic accessing a virtual machine, the plug-in determines the destination MAC address from the stored mapping table of virtual machine MAC addresses to virtual switch ports, and sends the traffic accessing the virtual machine to the target virtual machine corresponding to that destination MAC address.
In a third aspect, embodiments of the invention provide a traffic steering device for a virtualization platform whose implementation corresponds to the functions of the traffic steering method of the second aspect. The functions may be realised in hardware, or by hardware executing corresponding software. The hardware and software include one or more unit modules corresponding to the functions above; these unit modules may be software and/or hardware.
In one possible implementation, the traffic steering device includes:
a receiving unit, for receiving the steering rules issued by the next-generation virtual firewall management platform;
a redirecting unit, for redirecting the virtual machine's traffic to the next-generation virtual firewall according to the steering rules, the next-generation virtual firewall being used to process the virtual machine's traffic;
the receiving unit being further used to receive the traffic allowed by the next-generation virtual firewall after processing;
a sending unit, for sending the allowed traffic to the target virtual machine or to the target port of the virtual switch.
As can be seen from the technical solutions above, embodiments of the invention have the following advantages:
In embodiments of the invention, a next-generation virtual firewall is deployed in every virtualized host together with a traffic-steering plug-in; the next-generation virtual firewall management platform issues security policies to the next-generation virtual firewall and steering rules to the plug-in. When virtual machine traffic passes through the plug-in, the plug-in redirects it to the next-generation virtual firewall according to the steering rules; the next-generation virtual firewall processes the traffic according to the security policies and sends the allowed traffic to the plug-in, which then sends it to the target virtual machine or to the target port of the virtual switch. By deploying next-generation virtual firewalls in a distributed fashion, the embodiments achieve Layer 7 security protection between virtualized hosts and between virtual machines. Because the deployment is distributed, the original network topology need not change, deployment is simple, and network capacity expansion and upgrades are easier; and since each virtualized host carries one next-generation virtual firewall, growth in the number of virtual machines does not overload the firewall, no additional firewalls need be purchased, and cost is saved.
Brief description of the drawings
Fig. 1 is a schematic diagram of virtualization in the prior art;
Fig. 2 is a deployment schematic of the virtual network security solution on a virtualization platform in an embodiment of the invention;
Fig. 3 is a schematic of the implementation principle of the virtual network protection system in an embodiment of the invention;
Fig. 4 is a schematic of the traffic handling flow of the virtual network protection system in an embodiment of the invention;
Fig. 5 is a flowchart of the traffic steering method in an embodiment of the invention;
Fig. 6 is a schematic of the mapping table of virtual machine MAC addresses to vSwitch ports stored in the steering plug-in in an embodiment of the invention;
Fig. 7 is a schematic of the functional structure of the traffic steering device in an embodiment of the invention.
Embodiments
To make the technical solutions and beneficial effects of the invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only illustrate the invention and do not limit it.
Embodiments of the invention are described in detail below with reference to the accompanying drawings.
Fig. 2 is a deployment schematic of the virtual network security solution on a virtualization platform in an embodiment of the invention. As shown in Fig. 2, the trusted zone comprises the virtualized hosts on which the virtual network security protection system is deployed, while the untrusted zone includes the Internet, non-virtualized servers, stand-alone office PCs and mobile devices. The physical network perimeter is still protected by a physical firewall; the virtualized hosts are protected by deploying the virtual network security protection system.
The virtual network security protection system in the embodiment may include the following components:
Next-generation virtual firewall (Next Generation Application Firewall, vNGAF): deployed in the virtual data center, providing Layer 7 security protection functions.
Next-generation virtual firewall management platform (Cloud Security Service Platform, CSSP): manages the vNGAFs and provides security policy configuration, status queries, log queries and similar functions.
Traffic-steering plug-in: present in each virtualized host and installed in the virtual machine host; it forwards traffic flowing into and out of the virtual machines to the next-generation virtual firewall for security processing.
Virtual License Server (VLS): provides security-function authorization services to the vNGAFs.
By configuring security policies through the CSSP, micro-segmentation between virtual machines inside the trusted zone and Layer 7 protections such as an intrusion prevention system (IPS) and a web application firewall (WAF) can be achieved; Layer 7 protection between the trusted zone and the untrusted zone can also be achieved.
The implementation principle of the virtual network protection system in the embodiment is introduced below. As shown in Fig. 3, several virtualized hosts are connected to a switch through network interface cards (NICs); each virtualized host runs several virtual machines (VMs), which communicate with the NIC through a virtual switch. A vNGAF and a steering plug-in are deployed in each virtualized host, and all traffic entering or leaving each VM is redirected by the plug-in in that host to the vNGAF for security processing. The CSSP can manage the vNGAFs in multiple virtualized hosts.
Specifically, the components of the virtual network protection system in the embodiment and their functions are implemented as follows:
vNGAF: the next-generation virtual firewall is deployed as a virtual machine, one per virtual machine host, and provides security capabilities including but not limited to ACL, application control, IPS, WAF, Advanced Persistent Threat (APT) protection and Unified Threat Management (UTM).
CSSP: the next-generation virtual firewall management platform is deployed separately as a virtual machine or physical host and provides unified management of the vNGAFs, policy configuration, policy distribution, status monitoring, log viewing and similar functions. The CSSP provides a user interface through which the user performs policy configuration, log viewing and other operations.
VLS: the virtual license server is deployed separately as a virtual machine or physical host and provides function authorization services to the vNGAFs. Optionally, the supported authorization methods include but are not limited to authorization by USB key and online authorization over the Internet.
Steering plug-in: installed in the virtual machine host; the supported platforms include but are not limited to VMware, KVM and Xen.
The workflow of the VLS, CSSP, vNGAF and steering plug-in is shown in Fig. 4:
Step 1: the VLS must either connect to the Internet or be bound to hardware. It obtains authorization information from a physical USB key, or connects over the Internet to the public authorization server to obtain its own authorization information. The authorization information includes but is not limited to: the enabling licence for each security function (WAF, IPS, APT, UTM, etc.), the number of vNGAFs permitted to be deployed, and the vNGAF model (number of CPUs, memory size, etc.);
Step 2: the CSSP needs neither hardware binding nor Internet connectivity; it obtains its own authorization information by interacting with the VLS;
Step 3: the user performs security policy and function configuration through the user interface provided by the CSSP;
Step 4: the CSSP analyses the user-configured security policy to determine the target vNGAFs it applies to and the specific security policy to be issued to each of them, and then issues the corresponding specific security policy to each target vNGAF;
Step 5: the CSSP analyses the user-configured security policy, generates steering rules and issues them to the steering plug-in. For example, a steering rule may be: redirect all traffic initiated by every virtual machine in virtualized host 1 to the vNGAF;
Step 6: the steering plug-in matches traffic against the steering rules and redirects traffic that satisfies a rule's conditions to the vNGAF;
Step 7: the vNGAF performs security detection on the traffic steered to it by the plug-in and executes the corresponding action according to the user-configured security policy; the optional actions include allowing the traffic, blocking the traffic, and recording information about the traffic in the logs;
Step 8: the user observes and monitors the security state of the virtualized environment and views the security logs through the UI provided by the CSSP.
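As an added illustration of Steps 1, 4 and 5 above (not the patent's code), the following Python model takes user-configured policies plus the VLS authorization and derives, per virtualized host, the policy set for that host's vNGAF and the steering rule for its plug-in; the data model, the rule format, the licence fields and all sample values are assumptions constructed for the example.

```python
"""Model of how a CSSP-style management platform turns user security policies
into per-host vNGAF policies and per-host steering rules (Steps 1-5).

The data model, rule format and licence fields are assumptions for this
example, not the patent's own formats.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    host: str        # virtualized host the VM runs on
    mac: str


@dataclass(frozen=True)
class Policy:
    name: str
    src: str         # VM name, or "ANY" for traffic from outside the trusted zone
    dst: str
    dport: int
    action: str      # "allow" or "block"
    features: tuple  # Layer-7 engines the policy relies on, e.g. ("IPS",)


@dataclass(frozen=True)
class License:
    """Authorization the VLS obtained in Step 1: enabled security functions
    and the number of vNGAF instances permitted to be deployed."""
    features: frozenset
    max_vngaf: int


class LicenseError(Exception):
    pass


def target_vngafs(policy, inventory):
    """Step 4: a policy is enforced by the vNGAF on every host that runs one
    of its endpoints, since inspection is local to the VM, not centralised."""
    hosts = {vm.host for vm in inventory.values()
             if vm.name in (policy.src, policy.dst)}
    return {f"vNGAF@{h}" for h in hosts}


def distribute(policies, inventory, lic):
    """Return (per-vNGAF policy names, per-host steering rules).

    Steering rules (Step 5) only name the VMs whose traffic must be
    redirected; the plug-in never receives the security policy itself.
    """
    hosts = {vm.host for vm in inventory.values()}
    if len(hosts) > lic.max_vngaf:
        raise LicenseError(f"{len(hosts)} hosts need a vNGAF, licence allows {lic.max_vngaf}")
    per_vngaf = {f"vNGAF@{h}": [] for h in hosts}
    steering = {h: set() for h in hosts}
    for p in policies:
        missing = set(p.features) - lic.features
        if missing:
            raise LicenseError(f"policy {p.name} needs unlicensed feature(s) {sorted(missing)}")
        for tgt in target_vngafs(p, inventory):
            per_vngaf[tgt].append(p.name)
        for vm in inventory.values():
            if vm.name in (p.src, p.dst):
                steering[vm.host].add(vm.mac)   # redirect this VM's traffic
    return per_vngaf, {h: sorted(macs) for h, macs in steering.items()}


# Constructed sample data: the Fig. 1 scenario spread over two hosts.
INVENTORY = {vm.name: vm for vm in (
    VM("VM1", "host1", "52:54:00:00:00:01"),   # web server
    VM("VM2", "host1", "52:54:00:00:00:02"),   # mail server
    VM("VM3", "host2", "52:54:00:00:00:03"),   # MySQL server
)}
POLICIES = [
    Policy("web-to-db", "VM1", "VM3", 3306, "allow", ("IPS",)),
    Policy("mail-to-db", "VM2", "VM3", 3306, "allow", ()),
    Policy("inet-to-web", "ANY", "VM1", 80, "allow", ("WAF",)),
    Policy("web-to-mail", "VM1", "VM2", 25, "block", ()),
]
LICENSE = License(frozenset({"IPS", "WAF", "APT", "UTM"}), max_vngaf=2)

if __name__ == "__main__":
    per_vngaf, rules = distribute(POLICIES, INVENTORY, LICENSE)
    for tgt, names in sorted(per_vngaf.items()):
        print(tgt, "policies:", names)
    for host, macs in sorted(rules.items()):
        print(host, "steer MACs:", macs)
```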
Specifically, the flow by which the steering plug-in steers traffic is shown in Fig. 5.
501. The steering plug-in receives the steering rules issued by the next-generation virtual firewall management platform;
As shown in steps 5 and 6 of Fig. 4, the steering plug-in receives the steering rules issued by the CSSP.
502. The steering plug-in redirects the virtual machine's traffic to the next-generation virtual firewall according to the steering rules;
Both traffic initiated by a virtual machine (i.e. the virtual machine accessing the Internet) and traffic initiated from the Internet to access the virtual machine must pass through the steering plug-in. When the plug-in receives such traffic and it matches a steering rule, the plug-in redirects the matching traffic to the vNGAF. The vNGAF performs security detection on the steered traffic and executes the corresponding action according to the user-configured security policy: if it decides the traffic is allowed, it sends the traffic back to the plug-in; if the traffic must be blocked, it drops the traffic and sends nothing to the plug-in. In both cases the allow or block action is logged.
503. The steering plug-in receives the traffic allowed by the next-generation virtual firewall after processing and sends the allowed traffic to the target virtual machine or to the target port of the virtual switch.
As shown in Fig. 6, for the virtual machines of the virtualization platform the steering plug-in maintains a mapping table between virtual machine Media Access Control (MAC) addresses and virtual switch (vSwitch) ports; its entries include but are not limited to the mapping between a virtual machine's MAC and the vSwitch port number PORT.
Traffic initiated by a virtual machine towards the Internet, or traffic initiated from the Internet towards a virtual machine, is redirected to the vNGAF as it passes through the steering plug-in; after the vNGAF has performed security processing, the plug-in looks up the mapping table of MAC addresses to vSwitch ports to determine the target virtual machine or the target virtual switch port to which the traffic must be sent.
Specifically:
if the allowed traffic was initiated by the virtual machine, the steering plug-in determines the target port of the virtual switch from the stored mapping table of virtual machine MAC addresses to virtual switch ports, and sends the traffic initiated by the virtual machine to that target port;
or,
if the allowed traffic is traffic accessing a virtual machine, the steering plug-in determines the MAC address of the target virtual machine from the stored mapping table of virtual machine MAC addresses to virtual switch ports, and sends the traffic accessing the virtual machine to that target MAC address.
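The plug-in data path of steps 501 to 503 together with the Fig. 6 mapping table, as an added Python simulation that is not the patent's own code: the frame model, the toy vNGAF policy, the sample MACs and the reading of the originating VM's own vSwitch port as the "target port" for VM-initiated traffic are all assumptions constructed for this example.

```python
"""Simulation of the steering plug-in's data path (Fig. 5, steps 501-503)
using the Fig. 6 table of VM MAC address -> vSwitch port.

All structures here are constructed for the example; how the real plug-in
hooks into the hypervisor's virtual switch is not modelled.
"""
from dataclasses import dataclass

# Fig. 6 mapping table for one virtualized host running two VMs (constructed).
MAC_PORT_TABLE = {
    "52:54:00:00:00:01": 1,   # VM1, web server, attached to vSwitch port 1
    "52:54:00:00:00:02": 2,   # VM2, mail server, attached to vSwitch port 2
}

# Steering rule received from the CSSP in step 501 (constructed):
# traffic to or from these VM MACs is redirected to the vNGAF.
STEERING_RULE = {"52:54:00:00:00:01", "52:54:00:00:00:02"}

# Toy vNGAF policy (assumption): allowed (src_mac, dst_mac, dport) triples,
# where "*" matches anything; everything not listed is blocked.
VNGAF_POLICY = [
    ("*", "52:54:00:00:00:01", 80),       # anyone may reach the web server
    ("52:54:00:00:00:01", "*", 3306),     # the web server may reach MySQL
]

AUDIT_LOG = []   # the vNGAF records every allow/block decision (step 7)


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    dport: int


def matches_steering_rule(frame):
    """Step 502: only frames to or from a VM named in the rule are redirected;
    everything else passes the plug-in untouched."""
    return frame.src_mac in STEERING_RULE or frame.dst_mac in STEERING_RULE


def vngaf_inspect(frame):
    """vNGAF side: apply the security policy and log the verdict."""
    for src, dst, port in VNGAF_POLICY:
        if src in ("*", frame.src_mac) and dst in ("*", frame.dst_mac) and port == frame.dport:
            verdict = "allow"
            break
    else:
        verdict = "block"
    AUDIT_LOG.append((frame.src_mac, frame.dst_mac, frame.dport, verdict))
    return verdict


def forward_allowed(frame):
    """Step 503: pick the egress for allowed traffic from the Fig. 6 table.

    Traffic addressed to a local VM is delivered to that VM (looked up by
    destination MAC). Traffic a local VM initiated towards the outside is
    handed back to the vSwitch at the originating VM's port (assumption about
    which port the text's "target port" denotes).
    """
    if frame.dst_mac in MAC_PORT_TABLE:
        return ("vm", frame.dst_mac)
    if frame.src_mac in MAC_PORT_TABLE:
        return ("vswitch_port", MAC_PORT_TABLE[frame.src_mac])
    return None   # neither end is a known VM: nothing to deliver to


def plugin_handle(frame):
    """Complete plug-in path for one frame; returns what happened to it."""
    if not matches_steering_rule(frame):
        return {"redirected": False, "verdict": None, "egress": ("passthrough", None)}
    verdict = vngaf_inspect(frame)
    if verdict != "allow":
        # Blocked traffic is dropped by the vNGAF; nothing returns to the plug-in.
        return {"redirected": True, "verdict": verdict, "egress": None}
    return {"redirected": True, "verdict": verdict, "egress": forward_allowed(frame)}


if __name__ == "__main__":
    GATEWAY = "52:54:00:ff:ff:fe"   # constructed MAC of the uplink gateway
    for f in (Frame("52:54:00:00:00:01", "52:54:00:00:00:03", 3306),   # VM1 -> MySQL elsewhere
              Frame(GATEWAY, "52:54:00:00:00:01", 80),                 # Internet -> web
              Frame("52:54:00:00:00:02", "52:54:00:00:00:01", 22)):    # mail -> web SSH
        print(f, "->", plugin_handle(f))
```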
The above introduced the virtual network security protection system and the traffic steering method of the embodiments of the invention; the traffic steering device of the embodiments is introduced below from the angle of its functional structure.
The traffic steering device in the embodiment of the invention may be a plug-in installed in a virtualized host, or a functional module combining software and hardware, and is specifically used to perform the steps carried out by the steering plug-in in the embodiments shown in Figs. 2 to 6. As shown in Fig. 7, in one possible implementation the traffic steering device includes:
a receiving unit 701, for receiving the steering rules issued by the next-generation virtual firewall management platform;
a redirecting unit 702, for redirecting the virtual machine's traffic to the next-generation virtual firewall according to the steering rules, the next-generation virtual firewall being used to process the virtual machine's traffic;
the receiving unit 701 being further used to receive the traffic allowed by the next-generation virtual firewall after processing;
a sending unit 703, for sending the allowed traffic to the target virtual machine or to the target port of the virtual switch.
In some implementations, the sending unit 703 is specifically used, when the allowed traffic was initiated by the virtual machine, to determine the target port of the virtual switch from the stored mapping table of virtual machine MAC addresses to virtual switch ports, and to send the traffic initiated by the virtual machine to that target port;
In some implementations, the sending unit 703 is specifically used, when the allowed traffic is traffic accessing a virtual machine, to determine the destination MAC address from the stored mapping table of virtual machine MAC addresses to virtual switch ports, and to send the traffic accessing the virtual machine to the target virtual machine corresponding to that destination MAC address.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the system, device and units described above may refer to the corresponding processes in the method embodiments above and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in practice, for instance several units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of other forms.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over several network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional units in the embodiments of the invention may be integrated in one processing unit, may each exist physically as a separate unit, or two or more units may be integrated in one unit. The integrated unit may be realised in hardware or as a software functional unit.
If the integrated unit is realised as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied as a software product stored in a storage medium and including a number of instructions that cause a computing device (a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the invention. The storage medium includes USB flash disks, removable hard disks, read-only memory (ROM), random access memory (RAM), magnetic disks, optical discs and other media capable of storing program code.
The embodiments above only serve to illustrate the technical solutions of the invention and do not limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements departing from the spirit and scope of the technical solutions of the embodiments.

Claims (10)

1. A virtual network security protection system, characterised in that it comprises a virtual next-generation firewall management platform, a drainage plug-in and a virtual next-generation firewall, wherein the drainage plug-in and the virtual next-generation firewall are located in a virtualised host, and at least one virtual machine is deployed in the virtualised host;
the virtual next-generation firewall management platform is configured to issue a security policy to the virtual next-generation firewall and to issue a drainage rule to the drainage plug-in;
the drainage plug-in is configured to redirect the traffic of the virtual machine to the virtual next-generation firewall according to the drainage rule;
the virtual next-generation firewall is configured to process the traffic of the virtual machine according to the security policy;
the drainage plug-in is further configured to receive the traffic passed after processing by the virtual next-generation firewall, and to send the passed traffic to a target virtual machine or to a target port of a virtual switch.
2. The system according to claim 1, characterised in that:
the virtual next-generation firewall is specifically configured to process the traffic of the virtual machine according to the security policy, to determine whether to pass the traffic of the virtual machine, and, if it determines that the traffic of the virtual machine is passed, to send the traffic of the virtual machine to the drainage plug-in.
3. The system according to claim 1, characterised in that:
the virtual next-generation firewall management platform is specifically configured to obtain a security policy set by a user, to issue the security policy to the virtual next-generation firewall, to generate the drainage rule according to the security policy, and to issue the drainage rule to the drainage plug-in.
4. The system according to claim 1, characterised in that:
the drainage plug-in is specifically configured, when it determines that the passed traffic is traffic accessing a virtual machine, to determine the destination MAC address according to the stored mapping table of virtual machine MAC addresses to virtual switch ports, and to send the traffic accessing the virtual machine to the target virtual machine corresponding to the destination MAC address.
5. The system according to any one of claims 1 to 4, characterised in that:
the drainage plug-in is specifically configured, when it determines that the passed traffic is traffic initiated by the virtual machine, to determine the target port of the virtual switch according to the stored mapping table of virtual machine MAC addresses to virtual switch ports, and to send the traffic initiated by the virtual machine to the target port of the virtual switch.
6. The system according to any one of claims 1 to 4, characterised in that the virtual network security protection system further comprises:
a virtual authorisation server, configured to obtain authorisation information and to provide an authorisation service to the at least one virtual next-generation firewall according to the authorisation information.
7. A traffic steering (flow lead) method for a virtualisation platform, characterised in that the method is applied to a virtual network security protection system, the virtual network security protection system comprising a virtual next-generation firewall, a drainage plug-in and a virtual next-generation firewall management platform, wherein the drainage plug-in and the virtual next-generation firewall are located in a virtualised host and at least one virtual machine is deployed in the virtualised host, the method comprising:
the drainage plug-in receives the drainage rule issued by the virtual next-generation firewall management platform;
the drainage plug-in redirects the traffic of the virtual machine to the virtual next-generation firewall according to the drainage rule, the virtual next-generation firewall being configured to process the traffic of the virtual machine;
the drainage plug-in receives the traffic passed after processing by the virtual next-generation firewall, and sends the passed traffic to a target port of a virtual switch or to a target virtual machine.
8. The method according to claim 7, characterised in that sending the passed traffic to a target port of a virtual switch or to a target virtual machine comprises:
if the passed traffic is traffic initiated by the virtual machine, the drainage plug-in determines the target port of the virtual switch according to the stored mapping table of virtual machine MAC addresses to virtual switch ports, and sends the traffic initiated by the virtual machine to the target port of the virtual switch;
or,
if the passed traffic is traffic accessing a virtual machine, the drainage plug-in determines the destination MAC address according to the stored mapping table of virtual machine MAC addresses to virtual switch ports, and sends the traffic accessing the virtual machine to the target virtual machine corresponding to the destination MAC address.
9. A traffic steering (flow lead) apparatus for a virtualisation platform, characterised in that it comprises:
a receiving unit, configured to receive the drainage rule issued by the virtual next-generation firewall management platform;
a redirecting unit, configured to redirect the traffic of the virtual machine to the virtual next-generation firewall according to the drainage rule, the virtual next-generation firewall being configured to process the traffic of the virtual machine;
the receiving unit being further configured to receive the traffic passed after processing by the virtual next-generation firewall;
a transmitting unit, configured to send the passed traffic to a target virtual machine or to a target port of a virtual switch.
10. The traffic steering apparatus according to claim 9, characterised in that:
the transmitting unit is specifically configured, when the passed traffic is traffic initiated by the virtual machine, to determine the target port of the virtual switch according to the stored mapping table of virtual machine MAC addresses to virtual switch ports, and to send the traffic initiated by the virtual machine to the target port of the virtual switch;
or,
when the passed traffic is traffic accessing a virtual machine, to determine the destination MAC address according to the stored mapping table of virtual machine MAC addresses to virtual switch ports, and to send the traffic accessing the virtual machine to the target virtual machine corresponding to the destination MAC address.
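As an added illustration (example code, not from the patent or its assignee), the following Python model walks through the traffic steering of claims 7 to 10 and of the transmitting element described above: the drainage plug-in receives a drainage rule, redirects covered frames to a toy virtual next-generation firewall, and delivers each passed frame either to the originating VM's virtual switch port or to the target VM selected by the destination MAC, using the MAC-to-port mapping table. The Frame layout, the rule format (a set of protected MACs), the policy format (allowed destination ports), the 'origin' flag and all MAC addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    dst_port: int  # transport-layer port; only the sample policy looks at it

class VirtualNGFW:
    """Toy virtual next-generation firewall: applies the security policy issued
    by the management platform, returning the frame if it passes, else None."""
    def __init__(self):
        self.allowed_ports = set()
    def issue_policy(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
    def process(self, frame):
        return frame if frame.dst_port in self.allowed_ports else None

class DrainagePlugin:
    """Toy drainage plug-in of claims 7 to 10. mac_to_port is the stored mapping
    table from VM MAC addresses to virtual switch ports; the drainage rule is
    modelled (an assumption) as the set of protected VM MAC addresses."""
    def __init__(self, mac_to_port, firewall):
        self.mac_to_port = dict(mac_to_port)
        self.firewall = firewall
        self.rule = set()
    def receive_rule(self, protected_macs):
        self.rule = set(protected_macs)
    def handle(self, frame, origin):
        """origin is 'vm' for a frame intercepted leaving a VM's vNIC and
        'switch' for a frame arriving from the virtual switch for a VM."""
        mac = frame.src_mac if origin == "vm" else frame.dst_mac
        if mac not in self.rule:
            return ("bypass",)  # not covered by the drainage rule
        passed = self.firewall.process(frame)  # redirect to the virtual NGFW
        if passed is None:
            return ("dropped",)  # policy rejected it: nothing to deliver
        return self.deliver(passed, origin)
    def deliver(self, frame, origin):
        """Claim 8: VM-initiated traffic goes to that VM's virtual switch port;
        traffic accessing a VM goes to the VM owning the destination MAC."""
        mac = frame.src_mac if origin == "vm" else frame.dst_mac
        if mac not in self.mac_to_port:
            raise LookupError(f"MAC {mac} missing from the mapping table")
        return ("port", self.mac_to_port[mac]) if origin == "vm" else ("vm", mac)

# Constructed sample: two VMs on one host, an external MAC, and the MAC -> port table.
MAC_WEB, MAC_DB, MAC_EXT = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:ff"
TABLE = {MAC_WEB: 11, MAC_DB: 12}

def build_host():
    # The management platform issues the policy to the firewall and the drainage
    # rule to the plug-in; only the web VM is protected in this sample.
    fw = VirtualNGFW()
    fw.issue_policy({80, 443})
    plugin = DrainagePlugin(TABLE, fw)
    plugin.receive_rule({MAC_WEB})
    return plugin

def run_samples():
    plugin = build_host()
    return [plugin.handle(Frame(MAC_WEB, MAC_EXT, 443), "vm"),     # web VM -> outside
            plugin.handle(Frame(MAC_EXT, MAC_WEB, 80), "switch"),  # outside -> web VM
            plugin.handle(Frame(MAC_EXT, MAC_WEB, 22), "switch"),  # blocked by policy
            plugin.handle(Frame(MAC_EXT, MAC_DB, 22), "switch")]   # DB VM not in rule
```

The four sample frames exercise both delivery branches of claim 8 plus the two cases the claims leave implicit: a frame the policy drops and a frame the drainage rule does not cover at all.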

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610861833.6A CN107872443A (en) 2016-09-28 2016-09-28 Virtual network security protection system, flow lead method and device


Publications (1)

Publication Number Publication Date
CN107872443A true CN107872443A (en) 2018-04-03

Family

ID=61762020

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610861833.6A Pending CN107872443A (en) 2016-09-28 2016-09-28 Virtual network security protection system, flow lead method and device

Country Status (1)

Country Link
CN (1) CN107872443A (en)


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120174184A1 (en) * 2004-09-30 2012-07-05 Arn Hyndman Method and Apparatus for Enabling Enhanced Control of Traffic Propagation Through a Network Firewall
CN104113522A (en) * 2014-02-20 2014-10-22 西安未来国际信息股份有限公司 Design of virtual firewall assembly acting on cloud computing data center security domain
CN104301321A (en) * 2014-10-22 2015-01-21 北京启明星辰信息技术股份有限公司 Method and system for achieving distributed network safety protection
CN104917653A (en) * 2015-06-26 2015-09-16 北京奇虎科技有限公司 Virtual flow monitoring method based on cloud platform and device thereof
CN105141571A (en) * 2014-06-09 2015-12-09 中兴通讯股份有限公司 Distributed virtual firewall device and method


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
大连航远网络建设: "How to make your cloud-hosted services more secure and controllable", Sina blog, HTTP://BLOG.SINA.COM.CN/S/BLOG_135B6FEF60102W01V.HTML *
深信服科技 (Sangfor Technologies): "Officially recommended by Alibaba Cloud: Sangfor virtualised next-generation firewall", HTTP://WWW.SANGFOR.COM.CN/ABOUT/SOURCE-NEWS-PRODUCT-NEWS/525.HTML *

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109450871B (en) * 2018-10-22 2021-02-23 龙岩学院 Distributed virtual firewall device and system deployment method thereof
CN109450871A (en) * 2018-10-22 2019-03-08 龙岩学院 A kind of distributed virtual firewall device and its system deployment method
CN110213181A (en) * 2019-04-28 2019-09-06 华为技术有限公司 Data drainage device and data drainage method in virtual network
CN110213181B (en) * 2019-04-28 2021-01-29 华为技术有限公司 Data stream guiding device and data stream guiding method in virtual network
CN110247928A (en) * 2019-06-29 2019-09-17 河南信大网御科技有限公司 A kind of mimicry interchanger safe traffic control device and method
CN110378103B (en) * 2019-07-22 2022-11-25 电子科技大学 Micro-isolation protection method and system based on OpenFlow protocol
CN110378103A (en) * 2019-07-22 2019-10-25 电子科技大学 A kind of micro- isolating and protecting method and system based on OpenFlow agreement
CN110855656A (en) * 2019-11-06 2020-02-28 云深互联(北京)科技有限公司 Plug-in flow proxy method, device and system capable of realizing application server protection
CN111756651A (en) * 2020-06-19 2020-10-09 浪潮电子信息产业股份有限公司 Traffic transmission method, device, equipment and medium
CN111752679A (en) * 2020-06-22 2020-10-09 中国电子科技集团公司第五十四研究所 Dynamic arranging device for safety service chain
CN112491789A (en) * 2020-10-20 2021-03-12 苏州浪潮智能科技有限公司 OpenStack framework-based virtual firewall construction method and storage medium
CN112491789B (en) * 2020-10-20 2022-12-27 苏州浪潮智能科技有限公司 OpenStack framework-based virtual firewall construction method and storage medium
CN113630315A (en) * 2021-09-03 2021-11-09 中国联合网络通信集团有限公司 Network drainage method and device, electronic equipment and storage medium
CN114039789A (en) * 2021-11-17 2022-02-11 北京天融信网络安全技术有限公司 Flow protection method, electronic device and storage medium
CN114039789B (en) * 2021-11-17 2023-11-14 北京天融信网络安全技术有限公司 Traffic protection method, electronic device and storage medium
CN114629726A (en) * 2022-04-26 2022-06-14 深信服科技股份有限公司 Cloud management method, device, equipment, system and readable storage medium
CN115695086A (en) * 2022-09-19 2023-02-03 中电信数智科技有限公司 System and method for realizing service chain function based on VLAN network
CN115695086B (en) * 2022-09-19 2024-01-19 中电信数智科技有限公司 System and method for realizing service chain function based on VLAN (virtual local area network)
CN117544422A (en) * 2024-01-09 2024-02-09 深圳市科服信息技术有限公司 Firewall virtualization deployment method and system
CN117544422B (en) * 2024-01-09 2024-03-29 深圳市科服信息技术有限公司 Firewall virtualization deployment method and system


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication; Application publication date: 20180403