CN107872443A - Virtual network security protection system, flow lead method and device - Google Patents
Virtual network security protection system, flow lead method and device
- Publication number: CN107872443A (application CN201610861833.6A)
- Authority: CN (China)
- Prior art keywords: virtual, flow, virtual machine, unit, future generation
- Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Classifications
- H04L63/00 Network architectures or network communication protocols for network security; H04L63/02 for separating internal from external traffic, e.g. firewalls; H04L63/0227 Filtering policies; H04L63/0263 Rule management
- H04L12/00 Data switching networks; H04L12/28 characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]; H04L12/46 Interconnection of networks; H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L63/02 Firewalls; H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones; H04L63/0218 Distributed architectures, e.g. distributed firewalls
- H04L63/02 Firewalls; H04L63/0272 Virtual private networks
Abstract
The embodiments of the invention disclose a virtual network security protection system, a traffic steering (drainage) method and a device, for providing security protection to the virtual network on a virtualization platform. The system comprises a virtual next-generation firewall management platform (CSSP), a drainage plug-in and a virtual next-generation firewall (vNGAF). A vNGAF and a drainage plug-in are deployed in every virtualized host; the CSSP issues security policies to the vNGAF and drainage rules to the drainage plug-in. The drainage plug-in redirects the traffic of the virtual machines to the vNGAF according to the drainage rules; the vNGAF processes the traffic according to the security policy and returns it to the drainage plug-in, which delivers it to the target virtual machine or to the target port of the virtual switch. By deploying vNGAF instances in a distributed manner, Layer-7 (application-layer) security protection is achieved between virtualized hosts and between virtual machines, thereby providing security protection for the virtual network on the virtualization platform.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a virtual network security protection system, a traffic steering method and a device.
Background technology
Virtualization, one of today's hot technologies, is widely used in cloud computing platforms, virtual storage, virtual operating systems, virtual desktops, virtual terminals and similar fields. The security of virtualization is correspondingly becoming more important.
In the scenario shown in Fig. 1, several virtual machines (VM) VM1, VM2 and VM3 exist on the same virtual data center, each responsible for one kind of service: for example, VM1 is a web server, VM2 a mail server and VM3 a MySQL server. Suppose VM1, VM2 and VM3 are to be protected, yet data is exchanged among them; for example, the web server and the mail server need to access resources on the MySQL server.
Existing security protection techniques mainly include the following.
The first: configuring access control list (ACL) policies through the network security component provided by the virtualization vendor (such as the vShield component provided by VMware). This technique can only isolate VMs from one another and cannot provide Layer-7 security protection; for example, when the gateway discovers that a virtual machine carries a security risk, this technique cannot prevent the risk from spreading further inside the intranet. In the figure above, a security risk present in VM1 may infect VM2 and VM3, and the spread of the risk from VM1 to VM2 and VM3 cannot be effectively prevented.
The second: purchasing a physical firewall or virtual firewall from a well-known security vendor, steering the traffic of multiple virtual machines on multiple virtual hosts into the physical or virtual firewall through network configuration such as VLAN division or routing, and then enforcing protection through firewall policy. This technique requires changes to the original network topology, is complex to deploy and hampers network capacity expansion and upgrading; as the number of virtual machines grows, the firewall cannot bear the huge traffic, and buying more firewalls is costly; moreover, once this scheme is adopted, a firewall failure directly interrupts the virtual machines' services.
Summary of the invention
The embodiments of the invention provide a virtual network security protection system, a traffic steering method and a device, to provide a security solution for the virtual network on a virtualization platform.
In a first aspect, the embodiments of the invention provide a virtual network security protection system, characterized in that the system comprises a virtual next-generation firewall management platform, a drainage plug-in and a virtual next-generation firewall, wherein the drainage plug-in and the virtual next-generation firewall are deployed in a virtualized host and at least one virtual machine is deployed in the virtualized host. The virtual next-generation firewall management platform is configured to issue a security policy to the virtual next-generation firewall and to issue drainage rules to the drainage plug-in; the drainage plug-in is configured to redirect the traffic of the virtual machine to the virtual next-generation firewall according to the drainage rules; the virtual next-generation firewall is configured to process the traffic of the virtual machine according to the security policy; and the drainage plug-in is further configured to receive the traffic passed by the virtual next-generation firewall after processing and to send the passed traffic to the target virtual machine or to the target port of the virtual switch.
Optionally, the virtual next-generation firewall is specifically configured to process the traffic of the virtual machine according to the security policy, determine whether the traffic of the virtual machine is to be passed and, if it determines that the traffic is to be passed, send the traffic of the virtual machine to the drainage plug-in.
Optionally, the virtual next-generation firewall management platform is specifically configured to obtain the security policy set by the user, issue the security policy to the virtual next-generation firewall, generate drainage rules according to the security policy, and issue the drainage rules to the drainage plug-in.
Optionally, the drainage plug-in is specifically configured, when it determines that the passed traffic is traffic accessing a virtual machine, to determine the destination MAC address from the stored mapping table of virtual machine MAC addresses to virtual switch ports, and to send the traffic accessing the virtual machine to the target virtual machine corresponding to that destination MAC address.
Optionally, the drainage plug-in is specifically configured, when it determines that the passed traffic is traffic initiated by the virtual machine, to determine the target port of the virtual switch from the stored mapping table of virtual machine MAC addresses to virtual switch ports, and to send the traffic initiated by the virtual machine to that target port of the virtual switch.
Optionally, the virtual network security protection system further includes a virtual license server, configured to obtain license information and, according to the license information, provide license service to at least one virtual next-generation firewall.
Optionally, the virtual license server is specifically configured to obtain the license information from a physical U-key and to provide license service to at least one virtual next-generation firewall according to the license information; the license information includes the security-function enablement license information and the information on the virtual next-generation firewalls permitted to be deployed.
Optionally, the virtual license server is specifically configured to obtain the license information from the public network over the network and to provide license service to at least one virtual next-generation firewall according to the license information; the license information includes the security-function enablement license information and the information on the virtual next-generation firewalls permitted to be deployed.
In a second aspect, the embodiments of the invention provide a traffic steering method for a virtualization platform, characterized in that the method is applied to a virtual network security protection system comprising a virtual next-generation firewall, a drainage plug-in and a virtual next-generation firewall management platform, wherein the drainage plug-in and the virtual next-generation firewall are located on a virtualized host and at least one virtual machine is deployed in the virtualized host. The method includes: the drainage plug-in receives the drainage rules issued by the virtual next-generation firewall management platform; the drainage plug-in redirects the traffic of the virtual machine to the virtual next-generation firewall according to the drainage rules, the virtual next-generation firewall being configured to process the traffic of the virtual machine; the drainage plug-in receives the traffic passed by the virtual next-generation firewall after processing and sends the passed traffic to the target port of the virtual switch or to the target virtual machine.
Optionally, the drainage plug-in sending the passed traffic to the target port of the virtual switch or to the target virtual machine includes: if the passed traffic is traffic initiated by the virtual machine, the drainage plug-in determines the target port of the virtual switch from the stored mapping table of virtual machine MAC addresses to virtual switch ports and sends the traffic initiated by the virtual machine to that target port of the virtual switch.
Optionally, the drainage plug-in sending the passed traffic to the target port of the virtual switch or to the target virtual machine includes: if the passed traffic is traffic accessing a virtual machine, the drainage plug-in determines the destination MAC address from the stored mapping table of virtual machine MAC addresses to virtual switch ports and sends the traffic accessing the virtual machine to the target virtual machine corresponding to that destination MAC address.
In a third aspect, the embodiments of the invention provide a traffic steering device for a virtualization platform; the specific implementation of the traffic steering device corresponds to the functions of the traffic steering method provided in the second aspect above. The functions may be implemented by hardware, or by hardware executing a corresponding software program. The hardware and software include one or more unit modules corresponding to the functions above, and the unit modules may be software and/or hardware.
In one possible implementation, the traffic steering device includes:
a receiving unit, configured to receive the drainage rules issued by the virtual next-generation firewall management platform;
a redirecting unit, configured to redirect the traffic of the virtual machine to the virtual next-generation firewall according to the drainage rules, the virtual next-generation firewall being configured to process the traffic of the virtual machine;
the receiving unit, further configured to receive the traffic passed by the virtual next-generation firewall after processing;
a sending unit, configured to send the passed traffic to the target virtual machine or to the target port of the virtual switch.
As can be seen from the above technical solutions, the embodiments of the invention have the following advantages:
In the embodiments of the invention, one virtual next-generation firewall is deployed in every virtualized host together with a drainage plug-in; the virtual next-generation firewall management platform issues the security policy to the virtual next-generation firewall and the drainage rules to the drainage plug-in. When the traffic of a virtual machine passes through the drainage plug-in, the plug-in redirects it to the virtual next-generation firewall according to the drainage rules; the virtual next-generation firewall processes the traffic according to the security policy and sends the passed traffic to the drainage plug-in, which then sends it to the target virtual machine or to the target port of the virtual switch. By deploying virtual next-generation firewalls in a distributed manner, the embodiments achieve Layer-7 security protection between virtualized hosts and between virtual machines. Because the deployment is distributed, the original network topology need not be changed, deployment is simple, and network capacity expansion and upgrading are easier; and because one virtual next-generation firewall is deployed on every virtualized host, the virtual next-generation firewall is not overloaded even as the number of virtual machines grows, so no additional firewalls need to be purchased and cost is saved.
Brief description of the drawings
Fig. 1 is a schematic diagram of virtualization in the prior art;
Fig. 2 is a schematic diagram of the deployment of the virtual network security solution on the virtualization platform in the embodiments of the invention;
Fig. 3 is a schematic diagram of the implementation principle of the virtual network protection system in the embodiments of the invention;
Fig. 4 is a schematic diagram of the traffic processing flow of the virtual network protection system in the embodiments of the invention;
Fig. 5 is a flow diagram of the traffic steering method in the embodiments of the invention;
Fig. 6 is a schematic diagram of the mapping table of virtual machine MAC addresses to vSwitch ports stored in the drainage plug-in in the embodiments of the invention;
Fig. 7 is a schematic diagram of the functional structure of the traffic steering device in the embodiments of the invention.
Embodiments
To make the technical solutions and beneficial effects of the invention clearer, the invention is further elaborated below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only intended to illustrate the invention and not to limit it.
The embodiments of the invention are described in detail below with reference to the accompanying drawings.
Fig. 2 is a schematic diagram of the deployment of the virtual network security solution on the virtualization platform in the embodiments of the invention. As shown in Fig. 2, the trusted zone is the set of virtualized hosts on which the virtual network security protection system is deployed, while the untrusted zone includes the Internet, non-virtualized servers, stand-alone office PCs and mobile devices. The physical network perimeter is still protected by a physical firewall, while the virtualized hosts are protected by deploying the virtual network security protection system.
The virtual network security protection system in the embodiments of the invention may include the following components:
Virtual next-generation firewall (Next Generation Application Firewall, vNGAF), deployed on the virtual data center and providing Layer-7 security protection functions.
Virtual next-generation firewall management platform (Cloud Security Service Platform, CSSP), which manages the vNGAF instances and provides security policy configuration, status query, log query and similar functions.
A drainage plug-in in every virtualized host: the drainage plug-in is installed on the virtual machine host and forwards both the traffic flowing into a virtual machine and the traffic flowing out of it to the virtual next-generation firewall for security protection.
Virtual License Server (VLS), which provides the license service for security functions to vNGAF.
By configuring security policies through CSSP, micro-isolation between virtual machines within the trusted zone and Layer-7 security protection such as an intrusion prevention system (IPS) and a web application firewall (WAF) can be achieved; Layer-7 security protection between the trusted zone and the untrusted zone can also be achieved.
The implementation principle of the virtual network protection system in the embodiments of the invention is introduced below. As shown in Fig. 3, multiple virtualized hosts are connected to the switch through network interface cards (NIC); each virtualized host contains multiple virtual machines (VM), and the virtual machines on a host communicate with the network interface card through a virtual switch. A virtual next-generation firewall (vNGAF) and a drainage plug-in are deployed in each virtualized host, and all inbound and outbound traffic of every virtual machine is redirected by the drainage plug-in in the virtualized host to the virtual next-generation firewall for security processing. The virtual next-generation firewall management platform (CSSP) can manage the virtual next-generation firewalls in multiple virtualized hosts.
Specifically, the components of the virtual network protection system in the embodiments of the invention and the functions implemented by each component are as follows:
vNGAF: the virtual next-generation firewall is deployed in the form of a virtual machine, one on each virtual machine host, and provides security protection capabilities including but not limited to ACL, application control, IPS, WAF, advanced persistent threat (APT) protection and unified threat management (UTM).
CSSP: the virtual next-generation firewall management platform is deployed separately in the form of a virtual machine or a physical host and provides unified management of vNGAF, policy configuration, policy distribution, status monitoring, log viewing and similar functions. CSSP provides a user operation interface through which the user performs policy configuration, log viewing and other operations.
VLS: the virtual license server is deployed separately in the form of a virtual machine or a physical host and provides the function license service to vNGAF. Optionally, the supported licensing methods include but are not limited to licensing through a USB key and online licensing through the Internet.
Drainage plug-in: the drainage plug-in is installed on the virtual machine host; the supported platforms include but are not limited to VMware, KVM and XEN.
The workflow of VLS, CSSP, vNGAF and the drainage plug-in is shown in Fig. 4:
Step 1: VLS must either connect to the Internet or be bound to hardware. VLS obtains the license information from a physical USB key, or connects over the Internet to a license server on the public network and retrieves its own license information. The license information includes, but is not limited to: the enablement license for each security function (WAF, IPS, APT, UTM, etc.), the number of vNGAF instances permitted to be deployed, and the vNGAF model (number of CPUs, amount of memory, etc.);
Step 2: CSSP needs neither hardware binding nor Internet connectivity; CSSP obtains its own license information by interacting with VLS;
Step 3: the user performs security policy and function configuration through the user interface provided by CSSP;
Step 4: CSSP analyzes the user-configured security policy, determines the target vNGAF instances to which the policy applies and the specific security policy to be issued to each of them, and then issues the corresponding specific security policy to every target vNGAF;
Step 5: CSSP analyzes the user-configured security policy, generates drainage rules and issues them to the drainage plug-in; for example, a drainage rule may be: redirect all traffic initiated by every virtual machine in virtualized host 1 to vNGAF.
Step 6: the drainage plug-in matches traffic against the drainage rules and redirects the traffic that satisfies a rule's conditions to vNGAF;
Step 7: vNGAF performs security detection on the traffic steered to it by the drainage plug-in and executes the corresponding action according to the user-configured security policy; the available actions include passing the traffic, blocking the traffic, and recording information about the traffic in the log;
Step 8: the user observes and monitors the security state of the virtualized environment and inspects the security logs through the UI provided by CSSP.
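As an added example of the CSSP side of steps 4 and 5 above (not code from the patent or any vendor product; the inventory and policy formats are assumptions), the following Python resolves a user-configured policy to the vNGAF on each protected VM's host and generates the per-host drainage rules from the same policy:

```python
from collections import defaultdict

# Constructed inventory: which VM (by MAC) runs on which virtualized host.
INVENTORY = {
    "VM1": {"host": "host1", "mac": "52:54:00:00:00:01", "role": "web"},
    "VM2": {"host": "host1", "mac": "52:54:00:00:00:02", "role": "mail"},
    "VM3": {"host": "host2", "mac": "52:54:00:00:00:03", "role": "mysql"},
}

# Constructed user policy as entered through the CSSP user interface (step 3).
USER_POLICY = [
    {"name": "web-waf", "targets": ["VM1"], "functions": ["WAF", "IPS"],
     "allow": [{"from": "any", "dport": 80}]},
    {"name": "db-access", "targets": ["VM3"], "functions": ["IPS"],
     "allow": [{"from": "VM1", "dport": 3306}, {"from": "VM2", "dport": 3306}]},
]


def compile_policy(user_policy, inventory):
    """Resolve a user policy to (per-host vNGAF policy, per-host drainage rules).

    Each protected VM lives on exactly one host, so that host's vNGAF is the
    target for every rule protecting the VM (step 4). The drainage rules for
    the host cover both directions of the protected VM's traffic (step 5).
    """
    vngaf_policy = defaultdict(lambda: {"functions": set(), "rules": []})
    drained_macs = defaultdict(set)
    for entry in user_policy:
        for vm in entry["targets"]:
            host, mac = inventory[vm]["host"], inventory[vm]["mac"]
            target = vngaf_policy[host]
            target["functions"].update(entry["functions"])
            for allow in entry["allow"]:
                src = None if allow["from"] == "any" else inventory[allow["from"]]["mac"]
                target["rules"].append({"src_mac": src, "dst_mac": mac,
                                        "dport": allow["dport"], "action": "pass"})
            drained_macs[host].add(mac)
    for pol in vngaf_policy.values():
        pol["rules"].append({"action": "block"})   # default deny closes every vNGAF policy
        pol["functions"] = sorted(pol["functions"])
    drainage_rules = {
        host: [{"direction": d, "vm_macs": sorted(macs)} for d in ("ingress", "egress")]
        for host, macs in drained_macs.items()
    }
    return dict(vngaf_policy), drainage_rules


if __name__ == "__main__":
    policies, rules = compile_policy(USER_POLICY, INVENTORY)
    for host in policies:
        print(host, policies[host], rules[host])
```

VM2's access to VM3 is inspected on host2, where the drainage rule covers traffic entering VM3, so a VM that is not itself a policy target still has its cross-host traffic checked.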
Specifically, the traffic steering procedure performed by the drainage plug-in is shown in Fig. 5.
501. The drainage plug-in receives the drainage rules issued by the virtual next-generation firewall management platform.
As shown in steps 5 and 6 of Fig. 4, the drainage plug-in receives the drainage rules issued by CSSP.
502. The drainage plug-in redirects the traffic of the virtual machine to the virtual next-generation firewall according to the drainage rules.
Both traffic initiated by the virtual machine (i.e. the virtual machine accessing the Internet) and traffic initiated from the Internet to access the virtual machine pass through the drainage plug-in. When the drainage plug-in receives such traffic and the traffic matches a drainage rule, the plug-in redirects the matching traffic to vNGAF. vNGAF performs security detection on the steered traffic and executes the corresponding action according to the user-configured security policy: if it determines that the steered traffic is to be passed, it sends the traffic back to the drainage plug-in; if the traffic is to be blocked, it discards the traffic and does not send it to the drainage plug-in. In both cases the pass or block action is recorded in the log.
503. The drainage plug-in receives the traffic passed by the virtual next-generation firewall after processing and sends the passed traffic to the target virtual machine or to the target port of the virtual switch.
As shown in Fig. 6, for the virtual machines on the virtualization platform the drainage plug-in maintains a mapping table of virtual machine media access control (MAC) addresses to virtual switch (vSwitch) ports; its entries include, but are not limited to, the mapping between a virtual machine's MAC and the vSwitch port number PORT.
Traffic initiated by a virtual machine to access the Internet, or traffic initiated from the Internet to access a virtual machine, is redirected to vNGAF when it passes through the drainage plug-in; after vNGAF has performed security processing on it, the plug-in looks up the mapping table of MAC addresses to vSwitch ports to determine the target virtual machine or the target port of the virtual switch to which the traffic must be sent. Specifically:
if the passed traffic is traffic initiated by the virtual machine, the drainage plug-in determines the target port of the virtual switch from the stored mapping table of virtual machine MAC addresses to virtual switch ports, and sends the traffic initiated by the virtual machine to that target port of the virtual switch;
or,
if the passed traffic is traffic accessing a virtual machine, the drainage plug-in determines the target virtual machine's MAC address from the stored mapping table of virtual machine MAC addresses to virtual switch ports, and sends the traffic accessing the virtual machine to that target virtual machine MAC address.
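As an added example of the data path in steps 501 to 503 and the Fig. 6 lookup above (not code from the patent or any vendor product), the following Python simulates the drainage plug-in with a stand-in vNGAF. The MAC addresses, port names, the `Frame` type, the rule dictionaries and the crude Layer-7 signature are all constructed; it also assumes that VM-initiated traffic is reinjected at the vSwitch port the VM is attached to.

```python
from dataclasses import dataclass

# Constructed Fig. 6 mapping table: VM MAC address -> vSwitch port (hypothetical values).
MAC_PORT_TABLE = {
    "52:54:00:00:00:01": "PORT1",   # VM1, web server
    "52:54:00:00:00:02": "PORT2",   # VM2, mail server
    "52:54:00:00:00:03": "PORT3",   # VM3, MySQL server
}
GATEWAY_MAC = "52:54:00:ff:ff:01"   # constructed MAC of the uplink gateway (Internet side)


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    dport: int
    payload: str = ""


class MockVNGAF:
    """Stand-in for vNGAF: enforces the policy issued by CSSP and logs every verdict."""

    def __init__(self, policy):
        self.policy = policy      # ordered rules; a field missing from a rule matches anything
        self.log = []

    def inspect(self, frame):
        action = "block"          # default deny when no rule matches
        for rule in self.policy:
            if (rule.get("src_mac") in (None, frame.src_mac)
                    and rule.get("dst_mac") in (None, frame.dst_mac)
                    and rule.get("dport") in (None, frame.dport)):
                action = rule["action"]
                break
        # Layer-7 check standing in for the WAF function: a crude SQL-injection signature on HTTP.
        if action == "pass" and frame.dport == 80 and "' or 1=1" in frame.payload.lower():
            action = "block"
        self.log.append((frame.src_mac, frame.dst_mac, frame.dport, action))  # pass and block both logged
        return action


class DrainagePlugin:
    """Steps 501-503: match drainage rules, steer to vNGAF, deliver passed traffic."""

    def __init__(self, vngaf, mac_port_table):
        self.vngaf = vngaf
        self.mac_port = mac_port_table
        self.rules = []

    def receive_rules(self, rules):           # 501: rules issued by CSSP
        self.rules = rules

    def _drained(self, frame):
        for r in self.rules:
            macs = r["vm_macs"]
            if (r["direction"] == "egress" and frame.src_mac in macs) or \
               (r["direction"] == "ingress" and frame.dst_mac in macs):
                return True
        return False

    def handle(self, frame):
        if self._drained(frame):              # 502: redirect matching traffic to vNGAF
            if self.vngaf.inspect(frame) != "pass":
                return ("dropped", None)      # vNGAF discards blocked traffic
        return self._deliver(frame)           # 503: deliver what vNGAF passed back

    def _deliver(self, frame):
        if frame.dst_mac in self.mac_port:    # traffic accessing a local VM -> that VM
            return ("vm", frame.dst_mac)
        if frame.src_mac in self.mac_port:    # traffic initiated by a local VM -> its vSwitch port
            return ("vswitch_port", self.mac_port[frame.src_mac])
        return ("unknown", None)


def run_scenario():
    """Constructed Fig. 1 scenario: web and mail may reach MySQL, nothing else between VMs."""
    vm1, vm2, vm3 = MAC_PORT_TABLE   # dict keys in insertion order
    policy = [
        {"src_mac": vm1, "dst_mac": vm3, "dport": 3306, "action": "pass"},
        {"src_mac": vm2, "dst_mac": vm3, "dport": 3306, "action": "pass"},
        {"dst_mac": vm1, "dport": 80, "action": "pass"},        # anyone may reach the web server
        {"src_mac": vm2, "dst_mac": GATEWAY_MAC, "dport": 443, "action": "pass"},
    ]
    plugin = DrainagePlugin(MockVNGAF(policy), MAC_PORT_TABLE)
    plugin.receive_rules([
        {"direction": "egress", "vm_macs": set(MAC_PORT_TABLE)},
        {"direction": "ingress", "vm_macs": set(MAC_PORT_TABLE)},
    ])
    return {
        "web_to_db": plugin.handle(Frame(vm1, vm3, 3306)),
        "web_to_mail": plugin.handle(Frame(vm1, vm2, 25)),            # micro-isolation: no rule
        "inet_to_web": plugin.handle(Frame(GATEWAY_MAC, vm1, 80, "GET /index.html")),
        "inet_sqli": plugin.handle(Frame(GATEWAY_MAC, vm1, 80, "GET /?id=1' OR 1=1--")),
        "mail_out": plugin.handle(Frame(vm2, GATEWAY_MAC, 443)),
        "log": list(plugin.vngaf.log),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```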
The above is the introduction to the virtual network security protection system and the traffic steering method in the embodiments of the invention; the traffic steering device in the embodiments of the invention is introduced below from the perspective of its functional structure.
The traffic steering device in the embodiments of the invention may be a plug-in installed in the virtualized host, or a functional module combining software and hardware, and is specifically configured to perform the steps executed by the drainage plug-in in the embodiments shown in Figs. 2 to 6. As shown in Fig. 7, in one possible implementation the traffic steering device includes:
a receiving unit 701, configured to receive the drainage rules issued by the virtual next-generation firewall management platform;
a redirecting unit 702, configured to redirect the traffic of the virtual machine to the virtual next-generation firewall according to the drainage rules, the virtual next-generation firewall being configured to process the traffic of the virtual machine;
the receiving unit 701, further configured to receive the traffic passed by the virtual next-generation firewall after processing;
a sending unit 703, configured to send the passed traffic to the target virtual machine or to the target port of the virtual switch.
In some specific implementations, the sending unit 703 is specifically configured, when the passed traffic is traffic initiated by the virtual machine, to determine the target port of the virtual switch from the stored mapping table of virtual machine MAC addresses to virtual switch ports, and to send the traffic initiated by the virtual machine to that target port of the virtual switch;
In some specific implementations, the sending unit 703 is specifically configured, when the passed traffic is traffic accessing a virtual machine, to determine the destination MAC address from the stored mapping table of virtual machine MAC addresses to virtual switch ports, and to send the traffic accessing the virtual machine to the target virtual machine corresponding to that destination MAC address.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed across multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the invention in essence, or the part of it contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the invention. The foregoing storage medium includes various media capable of storing program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above embodiments are merely intended to illustrate the technical solutions of the invention, not to limit them; although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the invention.
Claims (10)
1. A virtual network security protection system, characterized in that it comprises a virtual next-generation firewall management platform, a traffic-steering plug-in (the "drainage plug-in" of the original) and a virtual next-generation firewall, wherein the traffic-steering plug-in and the virtual next-generation firewall are located in a virtualized host on which at least one virtual machine is deployed;
the virtual next-generation firewall management platform is configured to issue a security policy to the virtual next-generation firewall and to issue steering rules to the traffic-steering plug-in;
the traffic-steering plug-in is configured to redirect the traffic of the virtual machine to the virtual next-generation firewall according to the steering rules;
the virtual next-generation firewall is configured to process the traffic of the virtual machine according to the security policy;
the traffic-steering plug-in is further configured to receive the traffic passed by the virtual next-generation firewall after processing, and to send the passed traffic to the target virtual machine or to the target port of the virtual switch.
2. The system according to claim 1, characterized in that:
the virtual next-generation firewall is specifically configured to process the traffic of the virtual machine according to the security policy, determine whether the traffic of the virtual machine is to be passed, and, if it determines that the traffic is passed, send the traffic of the virtual machine to the traffic-steering plug-in.
3. The system according to claim 1, characterized in that:
the virtual next-generation firewall management platform is specifically configured to obtain the security policy set by the user, issue the security policy to the virtual next-generation firewall, generate the steering rules according to the security policy, and issue the steering rules to the traffic-steering plug-in.
4. The system according to claim 1, characterized in that:
the traffic-steering plug-in is specifically configured, when it determines that the passed traffic is traffic accessing the virtual machine, to determine the destination MAC address according to a stored mapping table of virtual machine MAC addresses to virtual switch ports, and to send the traffic accessing the virtual machine to the target virtual machine corresponding to that destination MAC address.
5. The system according to any one of claims 1 to 4, characterized in that:
the traffic-steering plug-in is specifically configured, when it determines that the passed traffic is traffic initiated by the virtual machine, to determine the target port of the virtual switch according to the stored mapping table of virtual machine MAC addresses to virtual switch ports, and to send the traffic initiated by the virtual machine to that target port of the virtual switch.
6. The system according to any one of claims 1 to 4, characterized in that the virtual network security protection system further comprises:
a virtual authorization server, configured to obtain authorization information and, according to the authorization information, provide an authorization service to at least one of the virtual next-generation firewalls.
7. A traffic-steering method for a virtualization platform, characterized in that the method is applied to a virtual network security protection system comprising a virtual next-generation firewall, a traffic-steering plug-in and a virtual next-generation firewall management platform, wherein the traffic-steering plug-in and the virtual next-generation firewall are located in a virtualized host on which at least one virtual machine is deployed, the method comprising:
the traffic-steering plug-in receives the steering rules issued by the virtual next-generation firewall management platform;
the traffic-steering plug-in redirects the traffic of the virtual machine to the virtual next-generation firewall according to the steering rules, the virtual next-generation firewall being configured to process the traffic of the virtual machine;
the traffic-steering plug-in receives the traffic passed by the virtual next-generation firewall after processing, and sends the passed traffic to the target port of the virtual switch or to the target virtual machine.
8. The method according to claim 7, characterized in that sending the passed traffic to the target port of the virtual switch or to the target virtual machine comprises:
if the passed traffic is traffic initiated by the virtual machine, the traffic-steering plug-in determines the target port of the virtual switch according to a stored mapping table of virtual machine MAC addresses to virtual switch ports, and sends the traffic initiated by the virtual machine to that target port of the virtual switch;
or,
if the passed traffic is traffic accessing the virtual machine, the traffic-steering plug-in determines the destination MAC address according to the stored mapping table of virtual machine MAC addresses to virtual switch ports, and sends the traffic accessing the virtual machine to the target virtual machine corresponding to that destination MAC address.
9. A traffic-steering apparatus for a virtualization platform, characterized in that it comprises:
a receiving unit, configured to receive the steering rules issued by the virtual next-generation firewall management platform;
a redirecting unit, configured to redirect the traffic of the virtual machine to the virtual next-generation firewall according to the steering rules, the virtual next-generation firewall being configured to process the traffic of the virtual machine;
the receiving unit being further configured to receive the traffic passed by the virtual next-generation firewall after processing;
a sending unit, configured to send the passed traffic to the target virtual machine or to the target port of the virtual switch.
10. The traffic-steering apparatus according to claim 9, characterized in that:
the sending unit is specifically configured, when the passed traffic is traffic initiated by the virtual machine, to determine the target port of the virtual switch according to a stored mapping table of virtual machine MAC addresses to virtual switch ports, and to send the traffic initiated by the virtual machine to that target port of the virtual switch;
or,
when the passed traffic is traffic accessing the virtual machine, to determine the destination MAC address according to the stored mapping table of virtual machine MAC addresses to virtual switch ports, and to send the traffic accessing the virtual machine to the target virtual machine corresponding to that destination MAC address.
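The steering path of claims 1 to 10, as an added worked example in Python written for this page; it is not the applicant's code. It assumes a policy format of ordered (action, protocol, port) rules with default deny, a steering rule that is simply the set of protected VM MAC addresses, and a vSwitch hook that tells the plug-in whether a frame was captured leaving a VM's vNIC (egress, claims 5/8/10) or arriving for it (ingress, claims 4/8/10); none of these formats are specified on the page. The source-MAC check on egress is a hardening step added here and not stated in the claims: because every forwarding decision in claims 4, 5, 8 and 10 is keyed on the MAC-to-port table, a frame carrying another VM's MAC would otherwise be looked up under that VM's entry.

```python
"""Added example: model of the traffic-steering path in claims 1-10.
Policy format, steering-rule format and the egress/ingress hook are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    proto: str      # "tcp", "udp" or "icmp"
    dst_port: int   # 0 for icmp


# One policy rule: (action, proto, dst_port or None for any). First match wins.
Policy = List[Tuple[str, str, Optional[int]]]


class VirtualNGFW:
    """Claim 2: processes VM traffic against the security policy and returns the
    frame if it is passed, None if it is dropped."""

    def __init__(self) -> None:
        self.policy: Policy = []

    def load_policy(self, policy: Policy) -> None:
        self.policy = list(policy)

    def process(self, f: Frame) -> Optional[Frame]:
        for action, proto, port in self.policy:
            if proto == f.proto and (port is None or port == f.dst_port):
                return f if action == "allow" else None
        return None  # no matching rule: default deny (assumption, not stated on the page)


class SteeringPlugin:
    """Claims 1, 4, 5, 7, 8: redirects VM traffic to the vNGFW and returns passed
    traffic to the target VM or the vSwitch port via the MAC -> port table."""

    def __init__(self, fw: VirtualNGFW, mac_to_port: Dict[str, int]) -> None:
        self.fw = fw
        self.mac_to_port = dict(mac_to_port)   # VM MAC -> vSwitch port (claims 4/5)
        self.steered: Set[str] = set()         # steering rules: VM MACs to inspect
        self.log: List[str] = []

    def load_rules(self, macs: Set[str]) -> None:
        self.steered = set(macs)

    def handle(self, f: Frame, hook: str, vm_mac: str) -> str:
        """hook is 'egress' (frame leaving vm_mac's vNIC) or 'ingress' (frame
        arriving for it); both are supplied by the vSwitch hook point (assumption)."""
        if vm_mac not in self.steered:
            return self._log("bypass", f)  # no steering rule: left to normal vSwitch forwarding
        # Hardening check added here (not in the claims): a VM may only emit its own MAC,
        # otherwise the MAC-keyed port lookup below would use another VM's entry.
        if hook == "egress" and f.src_mac != vm_mac:
            return self._log("drop:spoofed-src-mac", f)
        passed = self.fw.process(f)            # claims 1/7: redirect to the vNGFW
        if passed is None:
            return self._log("drop:policy", f)
        if hook == "egress":                   # claims 5/8: VM-initiated -> vSwitch port
            port = self.mac_to_port.get(passed.src_mac)
            if port is None:
                return self._log("drop:no-port-mapping", f)   # fail closed
            return self._log(f"vswitch-port:{port}", f)
        if passed.dst_mac not in self.mac_to_port:   # claims 4/8: access to VM -> target VM
            return self._log("drop:unknown-target-vm", f)    # fail closed
        return self._log(f"vm:{passed.dst_mac}", f)

    def _log(self, verdict: str, f: Frame) -> str:
        self.log.append(f"{verdict} {f.src_mac}->{f.dst_mac} {f.proto}/{f.dst_port}")
        return verdict


class ManagementPlatform:
    """Claim 3: takes the user-set policy, issues it to the vNGFW, derives the
    steering rules from it and issues those to the plug-in."""

    def __init__(self, policy: Policy, protected_vms: Set[str]) -> None:
        self.policy = policy
        self.protected_vms = set(protected_vms)

    def issue(self, fw: VirtualNGFW, plugin: SteeringPlugin) -> None:
        fw.load_policy(self.policy)
        plugin.load_rules(self.protected_vms)  # derived rule: steer every VM the policy covers


def demo() -> Dict[str, str]:
    """Constructed topology: two VMs on one host, VM_A protected, VM_B not."""
    vm_a, vm_b, ext = "52:54:00:00:00:0a", "52:54:00:00:00:0b", "00:1c:73:ff:ff:01"
    fw = VirtualNGFW()
    plugin = SteeringPlugin(fw, {vm_a: 1, vm_b: 2})
    policy: Policy = [("allow", "tcp", 443), ("allow", "icmp", None), ("deny", "tcp", None)]
    ManagementPlatform(policy, {vm_a}).issue(fw, plugin)
    return {
        "a_https_out": plugin.handle(Frame(vm_a, ext, "tcp", 443), "egress", vm_a),
        "a_ssh_in":    plugin.handle(Frame(ext, vm_a, "tcp", 22), "ingress", vm_a),
        "a_ping_in":   plugin.handle(Frame(ext, vm_a, "icmp", 0), "ingress", vm_a),
        "a_spoof_out": plugin.handle(Frame(vm_b, ext, "tcp", 443), "egress", vm_a),
        "b_ssh_in":    plugin.handle(Frame(ext, vm_b, "tcp", 22), "ingress", vm_b),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

Running the block prints one verdict per constructed frame: the protected VM's outbound HTTPS is passed and handed to its vSwitch port, inbound SSH is dropped by policy, inbound ICMP is passed and delivered to the VM, the frame with a forged source MAC is dropped before it reaches the firewall, and the unprotected VM's traffic bypasses inspection entirely. The two fail-closed branches (no port mapping, unknown target VM) are design choices made here; the page does not say what the real plug-in does when the mapping table has no entry.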
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610861833.6A CN107872443A (en) | 2016-09-28 | 2016-09-28 | Virtual network security protection system, flow lead method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107872443A true CN107872443A (en) | 2018-04-03 |
Family ID: 61762020
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610861833.6A Pending CN107872443A (en) | 2016-09-28 | 2016-09-28 | Virtual network security protection system, flow lead method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107872443A (en) |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120174184A1 (en) * | 2004-09-30 | 2012-07-05 | Arn Hyndman | Method and Apparatus for Enabling Enhanced Control of Traffic Propagation Through a Network Firewall |
CN104113522A (en) * | 2014-02-20 | 2014-10-22 | 西安未来国际信息股份有限公司 | Design of virtual firewall assembly acting on cloud computing data center security domain |
CN105141571A (en) * | 2014-06-09 | 2015-12-09 | 中兴通讯股份有限公司 | Distributed virtual firewall device and method |
CN104301321A (en) * | 2014-10-22 | 2015-01-21 | 北京启明星辰信息技术股份有限公司 | Method and system for achieving distributed network safety protection |
CN104917653A (en) * | 2015-06-26 | 2015-09-16 | 北京奇虎科技有限公司 | Virtual flow monitoring method based on cloud platform and device thereof |
Non-Patent Citations (2)
Title |
---|
大连航远网络建设: "如何让你云上的业务更加安全可控", 《新浪博客,HTTP://BLOG.SINA.COM.CN/S/BLOG_135B6FEF60102W01V.HTML》 * |
深信服科技: "阿里云官方推荐:深信服虚拟化下一代防火墙", 《HTTP://WWW.SANGFOR.COM.CN/ABOUT/SOURCE-NEWS-PRODUCT-NEWS/525.HTML》 * |
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109450871B (en) * | 2018-10-22 | 2021-02-23 | 龙岩学院 | Distributed virtual firewall device and system deployment method thereof |
CN109450871A (en) * | 2018-10-22 | 2019-03-08 | 龙岩学院 | A kind of distributed virtual firewall device and its system deployment method |
CN110213181A (en) * | 2019-04-28 | 2019-09-06 | 华为技术有限公司 | Data drainage device and data drainage method in virtual network |
CN110213181B (en) * | 2019-04-28 | 2021-01-29 | 华为技术有限公司 | Data stream guiding device and data stream guiding method in virtual network |
CN110247928A (en) * | 2019-06-29 | 2019-09-17 | 河南信大网御科技有限公司 | A kind of mimicry interchanger safe traffic control device and method |
CN110378103B (en) * | 2019-07-22 | 2022-11-25 | 电子科技大学 | Micro-isolation protection method and system based on OpenFlow protocol |
CN110378103A (en) * | 2019-07-22 | 2019-10-25 | 电子科技大学 | A kind of micro- isolating and protecting method and system based on OpenFlow agreement |
CN110855656A (en) * | 2019-11-06 | 2020-02-28 | 云深互联(北京)科技有限公司 | Plug-in flow proxy method, device and system capable of realizing application server protection |
CN111756651A (en) * | 2020-06-19 | 2020-10-09 | 浪潮电子信息产业股份有限公司 | Traffic transmission method, device, equipment and medium |
CN111752679A (en) * | 2020-06-22 | 2020-10-09 | 中国电子科技集团公司第五十四研究所 | Dynamic arranging device for safety service chain |
CN112491789A (en) * | 2020-10-20 | 2021-03-12 | 苏州浪潮智能科技有限公司 | OpenStack framework-based virtual firewall construction method and storage medium |
CN112491789B (en) * | 2020-10-20 | 2022-12-27 | 苏州浪潮智能科技有限公司 | OpenStack framework-based virtual firewall construction method and storage medium |
CN113630315A (en) * | 2021-09-03 | 2021-11-09 | 中国联合网络通信集团有限公司 | Network drainage method and device, electronic equipment and storage medium |
CN114039789A (en) * | 2021-11-17 | 2022-02-11 | 北京天融信网络安全技术有限公司 | Flow protection method, electronic device and storage medium |
CN114039789B (en) * | 2021-11-17 | 2023-11-14 | 北京天融信网络安全技术有限公司 | Traffic protection method, electronic device and storage medium |
CN114629726A (en) * | 2022-04-26 | 2022-06-14 | 深信服科技股份有限公司 | Cloud management method, device, equipment, system and readable storage medium |
CN115695086A (en) * | 2022-09-19 | 2023-02-03 | 中电信数智科技有限公司 | System and method for realizing service chain function based on VLAN network |
CN115695086B (en) * | 2022-09-19 | 2024-01-19 | 中电信数智科技有限公司 | System and method for realizing service chain function based on VLAN (virtual local area network) |
CN117544422A (en) * | 2024-01-09 | 2024-02-09 | 深圳市科服信息技术有限公司 | Firewall virtualization deployment method and system |
CN117544422B (en) * | 2024-01-09 | 2024-03-29 | 深圳市科服信息技术有限公司 | Firewall virtualization deployment method and system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107872443A (en) | Virtual network security protection system, flow lead method and device | |
US11290346B2 (en) | Providing mobile device management functionalities | |
TWI526931B (en) | Inherited product activation for virtual machines | |
CN102420846B (en) | Remote access to hosted virtual machines by enterprise users | |
CN101257413B (en) | Method, apparatus and system for enabling a secure location-aware platform | |
US11755349B2 (en) | Secure digital workspace using machine learning and microsegmentation | |
CN101443746B (en) | Method for protecting client and server | |
US20090276774A1 (en) | Access control for virtual machines in an information system | |
US10972449B1 (en) | Communication with components of secure environment | |
WO2020005540A1 (en) | Managed forwarding element detecting invalid packet addresses | |
US8782782B1 (en) | Computer system with risk-based assessment and protection against harmful user activity | |
JP2009540408A (en) | System, method, and computer program for secure access control to storage device | |
US9977896B2 (en) | Systems and methods for generating policies for an application using a virtualized environment | |
US20170230251A1 (en) | System and Method for Providing Management Network Communication and Control in a Data Center | |
US20200314126A1 (en) | Persona-based contextual security | |
CN108885572A (en) | Safe driver platform | |
US11048770B2 (en) | Adaptive response generation on an endpoint | |
EP3516841B1 (en) | Remote computing system providing malicious file detection and mitigation features for virtual machines | |
US20190364047A1 (en) | Methods to restrict network file access in guest virtual machines using in-guest agents | |
US20120331522A1 (en) | System and method for logical separation of a server by using client virtualization | |
TW202121211A (en) | Method and system for detecting web shell using process information | |
CN111818081A (en) | Virtual encryption machine management method and device, computer equipment and storage medium | |
CN107454050A (en) | A kind of method and device for accessing Internet resources | |
CN108241801B (en) | Method and device for processing system call | |
Fu et al. | Curtain: keep your hosts away from USB attacks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20180403 |