CN107920022B - Virtual machine safety communication system and virtual machine safety communication method - Google Patents
- Publication number: CN107920022B (application CN201711434343.9A)
- Authority: CN (China)
- Prior art keywords: flow, firewall, traffic, ovs, module
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H: Electricity
  - H04: Electric communication technique
    - H04L: Transmission of digital information, e.g. telegraphic communication
      - H04L63/00: Network architectures or network communication protocols for network security
        - H04L63/02: Network architectures or protocols for separating internal from external traffic, e.g. firewalls
      - H04L45/00: Routing or path finding of packets in data switching networks
        - H04L45/38: Flow based routing
Abstract
The invention provides a virtual machine secure communication system comprising a traffic switching unit and a firewall unit. When any virtual machine sends traffic to other virtual machines, the traffic switching unit captures that traffic and, based on a preset traffic forwarding configuration table, sends it to the firewall unit. The firewall unit judges, based on a preset security policy configuration table, whether the traffic is legitimate; if it is, the traffic is returned to the traffic switching unit, otherwise the traffic is isolated. The traffic switching unit then forwards the traffic received back from the firewall unit to the other virtual machines, again based on the traffic forwarding configuration table. The invention also discloses a corresponding virtual machine secure communication method. Implementing the scheme improves the universality of the system (it is not tied to one virtualization platform) and reduces the load of traffic processing.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a virtual machine secure communication system and a virtual machine secure communication method.
Background
With the rapid development of cloud technology, the cloud has become an important way of building and deploying IT (information technology) systems. At the same time, the propagation of viruses between virtual machines in the cloud has become a key concern for cloud security developers.
At present, the methods for preventing virus propagation between virtual machines in the cloud are mainly the following two. The first is VMware's traffic redirection technology: a traffic redirection driver is added at the driver layer when the physical server is created; when traffic is transmitted between virtual machines at the application layer, it is redirected as soon as it reaches the driver layer, and only after the traffic passes a legitimacy check is it allowed to be sent to the target virtual machine, which secures traffic transmission between the virtual machines. The second is VEPA (Virtual Ethernet Port Aggregator) technology, which mainly uses an "out-of-body circulation" scheme: all virtual machine traffic inside the server is pulled out to a dedicated security device outside the server, which performs security processing such as filtering and protection on it. That is, network traffic generated by the virtual machines is handed over entirely to a physical switch connected to the server. Even traffic between virtual machines on the same server is sent to the external physical switch for forwarding; traffic that needs protection is then redirected to a physical firewall deployed alongside, the physical firewall applies protection to it, and the traffic returns to the server after processing.
However, the above methods of preventing Trojan and virus infection between virtual machines in the cloud have the following defects. For VMware traffic redirection: first, when the virtual boundary changes dynamically as a virtual machine is live-migrated between physical servers, the corresponding driver must be installed and the corresponding policy configured on the new server, so the approach is inflexible and costly; second, it applies only to VMware's own virtualization platform and not to others (such as KVM (Kernel-based Virtual Machine) or the open-source hypervisor Xen), so its scope of application is limited; third, it requires a traffic redirection driver in the hypervisor (driver) layer, and a third-party security vendor has to do secondary development against the external interface provided by VMware, which is difficult and expensive. For VEPA: first, when a virtual machine migrates between physical servers, the corresponding policies must be configured and dedicated physical equipment added for the new server, so cost is high and development efficiency low; second, VEPA directs all of the server's internal traffic to external processing, which increases the traffic processing load and affects the performance of both the server and the switch; third, traffic steering requires a cooperating external access switch, i.e. dedicated physical switching equipment, which is costly.
Disclosure of Invention
The invention provides a virtual machine secure communication system and a virtual machine secure communication method, which solve the problem in the prior art that secure data communication between virtual machines is too costly.
The invention provides a virtual machine secure communication system, comprising:
a traffic switching unit, configured to capture the traffic when any virtual machine sends traffic to other virtual machines and to send that traffic to a firewall unit based on a preset traffic forwarding configuration table;
the firewall unit, configured to judge whether the traffic is legitimate based on a preset security policy configuration table; if the traffic is judged legitimate, it is sent back to the traffic switching unit; otherwise the traffic is isolated;
and the traffic switching unit is further configured to send the traffic received back from the firewall unit to the other virtual machines based on the traffic forwarding configuration table.
Optionally, the traffic switching unit comprises a first traffic switching module and a second traffic switching module; the firewall unit comprises a first firewall module and a second firewall module; and the traffic forwarding configuration table comprises a first traffic forwarding configuration table corresponding to the any virtual machine and a second traffic forwarding configuration table corresponding to the other virtual machines;
the first traffic switching module, the first firewall module and the any virtual machine are deployed on a first server; the second traffic switching module, the second firewall module and the other virtual machines are deployed on a second server;
the first traffic switching module is configured to capture the traffic when the any virtual machine sends traffic to the other virtual machines, and to send it to the first firewall module based on the first traffic forwarding configuration table;
the first firewall module is configured to judge whether the traffic is legitimate based on the security policy configuration table; if legitimate, the traffic is sent back to the first traffic switching module; otherwise it is isolated;
the first traffic switching module is further configured to send the traffic received back from the first firewall module to the second traffic switching module based on the first traffic forwarding configuration table;
the second traffic switching module is configured to send that traffic to the second firewall module based on the second traffic forwarding configuration table;
the second firewall module is configured to judge whether the traffic is legitimate based on the security policy configuration table; if legitimate, the traffic is sent back to the second traffic switching module; otherwise it is isolated;
the second traffic switching module is further configured to send the traffic received back from the second firewall module to the other virtual machines based on the second traffic forwarding configuration table.
Optionally, the traffic switching unit further comprises a third traffic switching module, the firewall unit further comprises a third firewall module, and the third traffic switching module and the third firewall module are deployed on a third server;
the third traffic switching module is configured to acquire the first traffic forwarding configuration table from the first traffic switching module when the any virtual machine is migrated to the third server, and thereafter, when the any virtual machine sends traffic to the other virtual machines, to capture the traffic and send it to the third firewall module based on the first traffic forwarding configuration table;
the third firewall module is configured to judge whether the traffic is legitimate based on the security policy configuration table; if legitimate, the traffic is sent back to the third traffic switching module; otherwise it is isolated;
the third traffic switching module is further configured to send the traffic received back from the third firewall module to the second traffic switching module based on the first traffic forwarding configuration table.
Optionally, the traffic switching unit further comprises a fourth traffic switching module, the firewall unit further comprises a fourth firewall module, and the fourth traffic switching module and the fourth firewall module are deployed on a fourth server;
the fourth traffic switching module is configured to acquire the second traffic forwarding configuration table from the second traffic switching module when the other virtual machines are migrated to the fourth server, and thereafter, on receiving traffic sent by the first traffic switching module, to capture it and send it to the fourth firewall module based on the second traffic forwarding configuration table;
the fourth firewall module is configured to judge whether the traffic is legitimate based on the security policy configuration table; if legitimate, the traffic is sent back to the fourth traffic switching module; otherwise it is isolated;
the fourth traffic switching module is further configured to send the traffic received back from the fourth firewall module to the other virtual machines based on the second traffic forwarding configuration table.
Optionally, the traffic switching unit, the firewall unit, the any virtual machine and the other virtual machines are all deployed on a single (fifth) server.
The invention also provides a virtual machine secure communication method for the above virtual machine secure communication system, comprising the following steps:
when any virtual machine sends traffic to other virtual machines, capturing the traffic through the traffic switching unit and sending it to the firewall unit based on a preset traffic forwarding configuration table;
judging through the firewall unit, based on a preset security policy configuration table, whether the traffic is legitimate; if the traffic is judged legitimate, sending it back to the traffic switching unit; otherwise isolating the traffic;
and sending the traffic received back from the firewall unit to the other virtual machines through the traffic switching unit based on the traffic forwarding configuration table.
Optionally, the traffic switching unit comprises a first traffic switching module and a second traffic switching module; the firewall unit comprises a first firewall module and a second firewall module; the traffic forwarding configuration table comprises a first traffic forwarding configuration table corresponding to the any virtual machine and a second traffic forwarding configuration table corresponding to the other virtual machines; the first traffic switching module, the first firewall module and the any virtual machine are deployed on a first server; and the second traffic switching module, the second firewall module and the other virtual machines are deployed on a second server;
in which case the method specifically comprises:
when the any virtual machine sends traffic to the other virtual machines, capturing the traffic through the first traffic switching module and sending it to the first firewall module based on the first traffic forwarding configuration table;
judging through the first firewall module, based on the security policy configuration table, whether the traffic is legitimate; if legitimate, sending it back to the first traffic switching module; otherwise isolating it;
sending, through the first traffic switching module, the traffic received back from the first firewall module to the second traffic switching module based on the first traffic forwarding configuration table;
sending, through the second traffic switching module, that traffic to the second firewall module based on the second traffic forwarding configuration table;
judging through the second firewall module, based on the security policy configuration table, whether the traffic is legitimate; if legitimate, sending it back to the second traffic switching module; otherwise isolating it;
and sending, through the second traffic switching module, the traffic received back from the second firewall module to the other virtual machines based on the second traffic forwarding configuration table.
Optionally, the traffic switching unit further comprises a third traffic switching module, the firewall unit further comprises a third firewall module, and the third traffic switching module and the third firewall module are deployed on a third server;
in which case the method further comprises:
when the any virtual machine is migrated to the third server, acquiring the first traffic forwarding configuration table from the first traffic switching module through the third traffic switching module; thereafter, when the any virtual machine sends traffic to the other virtual machines, capturing the traffic through the third traffic switching module and sending it to the third firewall module based on the first traffic forwarding configuration table;
judging through the third firewall module, based on the security policy configuration table, whether the traffic is legitimate; if legitimate, sending it back to the third traffic switching module; otherwise isolating it;
and sending, through the third traffic switching module, the traffic received back from the third firewall module to the second traffic switching module based on the first traffic forwarding configuration table.
Optionally, the traffic switching unit further comprises a fourth traffic switching module, the firewall unit further comprises a fourth firewall module, and the fourth traffic switching module and the fourth firewall module are deployed on a fourth server;
in which case the method further comprises:
when the other virtual machines are migrated to the fourth server, acquiring the second traffic forwarding configuration table from the second traffic switching module through the fourth traffic switching module; thereafter, on receiving traffic sent by the first traffic switching module, capturing it through the fourth traffic switching module and sending it to the fourth firewall module based on the second traffic forwarding configuration table;
judging through the fourth firewall module, based on the security policy configuration table, whether the traffic is legitimate; if legitimate, sending it back to the fourth traffic switching module; otherwise isolating it;
and sending, through the fourth traffic switching module, the traffic received back from the fourth firewall module to the other virtual machines based on the second traffic forwarding configuration table.
Optionally, the traffic switching unit, the firewall unit, the any virtual machine and the other virtual machines are all deployed on a single server.
By adopting the above technical scheme, the invention has at least the following advantages:
because the traffic sent between virtual machines is redirected by a preset traffic forwarding configuration table, the virtual machine secure communication system can be used on multiple types of virtualization platform, which effectively improves its universality; the system avoids installing a driver in the hypervisor layer, which reduces cost; the system performs traffic protection inside the server, so traffic sent between virtual machines is not forwarded outside the server for security processing, which reduces the traffic processing load and avoids degrading the performance of the server and the switch; the system needs no dedicated external physical switching equipment, which saves cost; and when a virtual machine is migrated, its traffic forwarding configuration table is migrated automatically with it, which improves the communication security of the virtual machine.
Drawings
Fig. 1 is a schematic structural diagram of a virtual machine secure communication system according to a first embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a virtual machine secure communication system according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a virtual machine secure communication system according to the second embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a virtual machine secure communication system according to the second embodiment of the present invention;
Fig. 5 is a flowchart of a virtual machine secure communication method according to a third embodiment of the present invention;
Fig. 6 is a flowchart of a virtual machine secure communication method according to a fourth embodiment of the present invention;
Fig. 7 is a flowchart of a virtual machine secure communication method according to a fifth embodiment of the present invention;
Fig. 8 is a flowchart of a virtual machine secure communication method according to a sixth embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a virtual machine secure communication system according to a seventh embodiment of the present invention.
Detailed Description
To further explain the technical means and effects of the present invention adopted to achieve the intended purpose, the present invention will be described in detail with reference to the accompanying drawings and preferred embodiments.
A first embodiment of the present invention is a virtual machine secure communication system, as shown in Fig. 1, comprising the following components:
a traffic switching unit 100, configured to capture the traffic when any virtual machine 400 sends traffic to another virtual machine 500, and to send that traffic to the firewall unit 200 based on a preset traffic forwarding configuration table;
the firewall unit 200, configured to judge whether the traffic is legitimate based on a preset security policy configuration table; if the traffic is judged legitimate it is sent back to the traffic switching unit 100; otherwise the traffic is isolated;
the traffic switching unit 100 being further configured to send the traffic received back from the firewall unit 200 to the other virtual machine 500 based on the traffic forwarding configuration table.
Optionally, the traffic switching unit 100, the firewall unit 200, the any virtual machine 400 and the other virtual machines 500 are all deployed in a fifth server 405.
Optionally, the virtual machine secure communication system further includes:
a firewall management unit 300, configured to send the preset traffic forwarding configuration table to the traffic switching unit 100 and the preset security policy configuration table to the firewall unit 200 before any virtual machine 400 sends traffic to other virtual machines 500.
The traffic forwarding configuration table contains at least one of the following two flow configurations. Each is a sequence of ovs-ofctl commands applied to the Open vSwitch bridge $SWITCH; $INPORT and $OUTPORT are the bridge ports attached to the firewall's ingress and egress interfaces, and $VM1PORT/$VM1MAC and $VM2PORT/$VM2MAC are the bridge ports and MAC addresses of the protected virtual machines.
First mode, the "redirect everything" flow configuration:
# Disallow forwarding to the firewall egress port (the switch must never send packets into it)
ovs-ofctl mod-port $SWITCH $OUTPORT no-forward
# Disallow flooding to the firewall ingress port, so a NORMAL flood does not also enter the firewall
ovs-ofctl mod-port $SWITCH $INPORT no-flood
# Clear the existing policy on the bridge
ovs-ofctl del-flows $SWITCH
# Restore the default policy; this line can be re-executed (it is replaced by the priority-0 redirect rule added last)
ovs-ofctl add-flow $SWITCH priority=0,actions=normal
# Never accept packets arriving from the firewall ingress port: highest priority, prevents loopback, and must be added first
ovs-ofctl add-flow $SWITCH priority=65535,in_port=$INPORT,actions=drop
# Identify firewall egress traffic and send it to the port of the destination MAC; higher priority than the default policy for the firewall egress
ovs-ofctl add-flow $SWITCH priority=2,in_port=$OUTPORT,dl_dst=${VM1MAC},actions=output:$VM1PORT
ovs-ofctl add-flow $SWITCH priority=2,in_port=$OUTPORT,dl_dst=${VM2MAC},actions=output:$VM2PORT
# Default policy NORMAL for the firewall egress (needed at least for broadcast packets); higher priority than the redirect-into-firewall default so a packet is not redirected into the firewall again, and added before the redirect rule
ovs-ofctl add-flow $SWITCH priority=1,in_port=$OUTPORT,actions=normal
# Default policy: redirect everything else to the firewall ingress, lowest priority
ovs-ofctl add-flow $SWITCH priority=0,actions=output:$INPORT
Second mode, the "directional protection" flow configuration:
# Disallow forwarding to the firewall egress port
ovs-ofctl mod-port $SWITCH $OUTPORT no-forward
# Disallow flooding to the firewall ingress port
ovs-ofctl mod-port $SWITCH $INPORT no-flood
# Clear the existing policy on the bridge
ovs-ofctl del-flows $SWITCH
# Restore the default policy; this line can be re-executed
ovs-ofctl add-flow $SWITCH priority=0,actions=normal
# Never accept packets arriving from the firewall ingress port: highest priority, prevents loopback, and must be added first
ovs-ofctl add-flow $SWITCH priority=65535,in_port=$INPORT,actions=drop
# Identify firewall egress traffic and send it to the port of the destination MAC; higher priority than the other firewall-egress rules
ovs-ofctl add-flow $SWITCH priority=4,in_port=$OUTPORT,dl_dst=${VM1MAC},actions=output:$VM1PORT
ovs-ofctl add-flow $SWITCH priority=4,in_port=$OUTPORT,dl_dst=${VM2MAC},actions=output:$VM2PORT
# Special handling of broadcast packets at the firewall egress: only packets sourced from a protected virtual machine are handled normally, which prevents duplicate broadcasts, because a broadcast is also sent to the firewall ingress
ovs-ofctl add-flow $SWITCH priority=3,in_port=$OUTPORT,dl_src=${VM1MAC},actions=normal
ovs-ofctl add-flow $SWITCH priority=3,in_port=$OUTPORT,dl_src=${VM2MAC},actions=normal
# Default policy drop for the firewall egress; higher priority than the redirect-into-firewall rules so that a packet is not redirected into the firewall again, and added before the redirect rules
ovs-ofctl add-flow $SWITCH priority=2,in_port=$OUTPORT,actions=drop
# Packets sent by a protected virtual machine are redirected into the firewall
ovs-ofctl add-flow $SWITCH priority=1,in_port=$VM1PORT,actions=output:$INPORT
ovs-ofctl add-flow $SWITCH priority=1,in_port=$VM2PORT,actions=output:$INPORT
# Packets destined for a protected virtual machine are also redirected into the firewall (traffic that neither comes from nor goes to a protected machine never passes through it)
ovs-ofctl add-flow $SWITCH priority=1,dl_dst=${VM1MAC},actions=output:$INPORT
ovs-ofctl add-flow $SWITCH priority=1,dl_dst=${VM2MAC},actions=output:$INPORT
# Default policy: pass (NORMAL) without redirecting to the firewall ingress, lowest priority
ovs-ofctl add-flow $SWITCH priority=0,actions=normal
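As an added illustration (not code from the patent), the following Python model reproduces the second-mode flow table above with the same match fields and priorities and traces the path a packet takes on the bridge. It also stands in for the traffic switching unit and firewall unit of the first embodiment: the firewall is a predicate representing the security policy configuration table. Bridge port numbers, MAC addresses, the VM names and the policy are constructed for the example.

```python
# Added example: model of the "directional protection" OpenFlow table, used to
# trace which path a packet takes. Ports, MACs and the policy are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List

# Bridge port numbers (assumed): firewall ingress/egress and the VM tap ports.
INPORT, OUTPORT = 10, 11
PORT = {"vm1": 1, "vm2": 2, "vm3": 3, "vm4": 4}
MAC = {
    "vm1": "52:54:00:00:00:01", "vm2": "52:54:00:00:00:02",
    "vm3": "52:54:00:00:00:03", "vm4": "52:54:00:00:00:04",
}
BCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Rule:
    priority: int
    match: Dict[str, object]   # subset of in_port / dl_src / dl_dst
    action: str                # "output:<port>", "normal" or "drop"


@dataclass
class Packet:
    in_port: int
    dl_src: str
    dl_dst: str


def directional_rules(protected: List[str]) -> List[Rule]:
    """Same rules and priorities as the second-mode ovs-ofctl listing."""
    rules = [Rule(65535, {"in_port": INPORT}, "drop")]            # loopback guard
    for vm in protected:
        rules.append(Rule(4, {"in_port": OUTPORT, "dl_dst": MAC[vm]}, f"output:{PORT[vm]}"))
        rules.append(Rule(3, {"in_port": OUTPORT, "dl_src": MAC[vm]}, "normal"))
    rules.append(Rule(2, {"in_port": OUTPORT}, "drop"))            # egress catch-all
    for vm in protected:
        rules.append(Rule(1, {"in_port": PORT[vm]}, f"output:{INPORT}"))
        rules.append(Rule(1, {"dl_dst": MAC[vm]}, f"output:{INPORT}"))
    rules.append(Rule(0, {}, "normal"))                            # unprotected traffic
    return rules


def lookup(rules: List[Rule], pkt: Packet) -> Rule:
    """OpenFlow semantics: the highest-priority matching rule wins, whatever the
    order in which the rules were installed."""
    matching = [r for r in rules
                if all(getattr(pkt, k) == v for k, v in r.match.items())]
    return max(matching, key=lambda r: r.priority)


def trace(rules: List[Rule], pkt: Packet,
          allowed: Callable[[Packet], bool], fdb: Dict[str, int]) -> List[str]:
    """Follow one packet through the bridge. Output to INPORT hands it to the
    firewall; if the policy allows it, the firewall re-injects it on OUTPORT."""
    path: List[str] = []
    for _ in range(8):                          # bound the walk in case of a loop
        action = lookup(rules, pkt).action
        if action == "drop":
            path.append("drop")
            return path
        if action == "normal":                  # learning switch: known MAC or flood
            out = fdb.get(pkt.dl_dst)
            path.append(f"port{out}" if out is not None else "flood")
            return path
        port = int(action.split(":")[1])
        if port != INPORT:
            path.append(f"port{port}")
            return path
        path.append("firewall")
        if not allowed(pkt):
            path.append("isolated")
            return path
        pkt = Packet(OUTPORT, pkt.dl_src, pkt.dl_dst)
    path.append("loop")
    return path


def policy(pkt: Packet) -> bool:
    """Constructed security policy table: everything allowed except vm2 -> vm1."""
    return not (pkt.dl_src == MAC["vm2"] and pkt.dl_dst == MAC["vm1"])


RULES = directional_rules(["vm1", "vm2"])          # vm1 and vm2 are protected
FDB = {MAC[vm]: PORT[vm] for vm in PORT}            # MACs the NORMAL action has learned


def path_between(src: str, dst: str) -> List[str]:
    dst_mac = BCAST if dst == "broadcast" else MAC[dst]
    return trace(RULES, Packet(PORT[src], MAC[src], dst_mac), policy, FDB)


if __name__ == "__main__":
    for src, dst in [("vm1", "vm2"), ("vm2", "vm1"), ("vm3", "vm1"),
                     ("vm3", "vm4"), ("vm1", "broadcast")]:
        print(f"{src} -> {dst}: {' -> '.join(path_between(src, dst))}")
```

Traffic to or from a protected machine passes through the firewall (vm1 -> vm2 and vm3 -> vm1), traffic between unprotected machines goes straight through the priority-0 NORMAL rule (vm3 -> vm4), a packet arriving from the firewall ingress port is dropped by the priority-65535 guard, and the priority-2 catch-all drops anything the firewall emits that is neither from nor to a protected machine. Because OpenFlow selects by priority, the "must be added first" remarks in the listing matter only for the window while rules are still being installed on a live bridge (the listing starts with del-flows); recent Open vSwitch releases can apply the whole set atomically with ovs-ofctl --bundle.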
In the virtual machine secure communication system of the first embodiment, the preset traffic forwarding configuration table is used to redirect the traffic sent between virtual machines, so the system can be used on multiple types of virtualization platform and its universality is effectively improved; the system avoids installing a driver in the hypervisor layer, which reduces cost; the system performs traffic protection inside the server, so traffic sent between virtual machines is not forwarded outside the server for security processing, which reduces the traffic processing load and avoids degrading the performance of the server and the switch; and because the system needs no dedicated external physical switching equipment, cost is effectively saved.
A second embodiment of the present invention is a virtual machine secure communication system, as shown in Figs. 2 to 4, comprising the following components:
a traffic switching unit 100, configured to capture the traffic when any virtual machine 400 sends traffic to another virtual machine 500, and to send that traffic to the firewall unit 200 based on a preset traffic forwarding configuration table;
the firewall unit 200, configured to judge whether the traffic is legitimate based on a preset security policy configuration table; if the traffic is judged legitimate it is sent back to the traffic switching unit 100; otherwise the traffic is isolated;
the traffic switching unit 100 being further configured to send the traffic received back from the firewall unit 200 to the other virtual machine 500 based on the traffic forwarding configuration table.
Optionally, as shown in Fig. 2, the traffic switching unit 100 comprises a first traffic switching module 101 and a second traffic switching module 102; the firewall unit 200 comprises a first firewall module 201 and a second firewall module 202; and the traffic forwarding configuration table comprises a first traffic forwarding configuration table corresponding to the any virtual machine 400 and a second traffic forwarding configuration table corresponding to the other virtual machines 500;
the first traffic switching module 101, the first firewall module 201 and the any virtual machine 400 are deployed on the first server 401; the second traffic switching module 102, the second firewall module 202 and the other virtual machines 500 are deployed on the second server 402;
the first traffic switching module 101 is configured to capture the traffic when the any virtual machine 400 sends traffic to another virtual machine 500, and to send it to the first firewall module 201 based on the first traffic forwarding configuration table;
the first firewall module 201 is configured to judge whether the traffic is legitimate based on the security policy configuration table; if legitimate, the traffic is sent back to the first traffic switching module 101; otherwise it is isolated;
the first traffic switching module 101 is further configured to send the traffic received back from the first firewall module 201 to the second traffic switching module 102 based on the first traffic forwarding configuration table;
the second traffic switching module 102 is configured to send that traffic to the second firewall module 202 based on the second traffic forwarding configuration table;
the second firewall module 202 is configured to judge whether the traffic is legitimate based on the security policy configuration table; if legitimate, the traffic is sent back to the second traffic switching module 102; otherwise it is isolated;
the second traffic switching module 102 is further configured to send the traffic received back from the second firewall module 202 to the other virtual machine 500 based on the second traffic forwarding configuration table.
Optionally, the virtual machine secure communication system further includes:
a firewall management unit 300, configured, before any virtual machine 400 sends traffic to other virtual machines 500, to send the preset first traffic forwarding configuration table to the first traffic switching module 101, the preset second traffic forwarding configuration table to the second traffic switching module 102, and the preset security policy configuration table to the first firewall module 201 and the second firewall module 202 respectively.
Optionally, as shown in Fig. 3, the traffic switching unit 100 further comprises a third traffic switching module 103, the firewall unit 200 further comprises a third firewall module 203, and the third traffic switching module 103 and the third firewall module 203 are deployed on the third server 403;
the third traffic switching module 103 is configured to acquire the first traffic forwarding configuration table from the first traffic switching module 101 when the any virtual machine 400 is migrated to the third server 403, and thereafter, when the any virtual machine 400 sends traffic to other virtual machines 500, to capture the traffic and send it to the third firewall module 203 based on the first traffic forwarding configuration table;
the third firewall module 203 is configured to judge whether the traffic is legitimate based on the security policy configuration table; if legitimate, the traffic is sent back to the third traffic switching module 103; otherwise it is isolated;
the third traffic switching module 103 is further configured to send the traffic received back from the third firewall module 203 to the second traffic switching module 102 based on the first traffic forwarding configuration table.
Optionally, as shown in Fig. 4, the traffic switching unit 100 further comprises a fourth traffic switching module 104, the firewall unit 200 further comprises a fourth firewall module 204, and the fourth traffic switching module 104 and the fourth firewall module 204 are deployed on the fourth server 404;
the fourth traffic switching module 104 is configured to acquire the second traffic forwarding configuration table from the second traffic switching module 102 when the other virtual machine 500 is migrated to the fourth server 404, and thereafter, on receiving traffic sent by the first traffic switching module 101, to capture it and send it to the fourth firewall module 204 based on the second traffic forwarding configuration table;
the fourth firewall module 204 is configured to determine whether the traffic information is legal based on the security policy configuration table; if the traffic information is judged to be legal, the traffic information is sent to the fourth traffic exchange module 104; otherwise, isolating the flow information;
the fourth traffic switching module 104 is further configured to send the received traffic information sent by the fourth firewall module 204 to the other virtual machines 500 based on the second traffic forwarding configuration table.
The traffic forwarding configuration table comprises at least one of the following traffic forwarding configuration modes:
First mode, the all-redirection traffic forwarding configuration mode:
# Disable packet reception on the firewall egress port (no-forward: the bridge never transmits to it);
ovs-ofctl mod-port $SWITCH $OUTPORT no-forward
# Disable flooding to the firewall ingress port;
ovs-ofctl mod-port $SWITCH $INPORT no-flood
# Clear all flow entries on the bridge;
ovs-ofctl del-flows $SWITCH
# Restore the default policy (may be executed again at any time);
ovs-ofctl add-flow $SWITCH priority=0,actions=normal
# Never accept packets arriving from the firewall ingress port; highest priority, prevents loopback, and must be added first;
ovs-ofctl add-flow $SWITCH priority=65535,in_port=$INPORT,actions=drop
# Identify firewall egress data and send it to different ports according to the destination MAC; priority higher than the default policy of the firewall egress;
ovs-ofctl add-flow $SWITCH priority=2,in_port=$OUTPORT,dl_dst=${VM1MAC},actions=output:$VM1PORT
ovs-ofctl add-flow $SWITCH priority=2,in_port=$OUTPORT,dl_dst=${VM2MAC},actions=output:$VM2PORT
# Add the default policy normal to the firewall egress (needed at least for broadcast packets); priority higher than the default redirect-into-firewall policy, so that packets are not redirected into the firewall again; must be added before the redirect policy;
ovs-ofctl add-flow $SWITCH priority=1,in_port=$OUTPORT,actions=normal
# Default policy: redirect to the firewall ingress, with the lowest priority;
ovs-ofctl add-flow $SWITCH priority=0,actions=output:$INPORT
Second mode, the directional protection traffic forwarding configuration mode:
# Disable packet reception on the firewall egress port (no-forward: the bridge never transmits to it);
ovs-ofctl mod-port $SWITCH $OUTPORT no-forward
# Disable flooding to the firewall ingress port;
ovs-ofctl mod-port $SWITCH $INPORT no-flood
# Clear all flow entries on the bridge;
ovs-ofctl del-flows $SWITCH
# Restore the default policy (may be executed again at any time);
ovs-ofctl add-flow $SWITCH priority=0,actions=normal
# Never accept packets arriving from the firewall ingress port; highest priority, prevents loopback, and must be added first;
ovs-ofctl add-flow $SWITCH priority=65535,in_port=$INPORT,actions=drop
# Identify firewall egress data and send it to different ports according to the destination MAC; priority higher than the other policies of the firewall egress;
ovs-ofctl add-flow $SWITCH priority=4,in_port=$OUTPORT,dl_dst=${VM1MAC},actions=output:$VM1PORT
ovs-ofctl add-flow $SWITCH priority=4,in_port=$OUTPORT,dl_dst=${VM2MAC},actions=output:$VM2PORT
# Special handling of broadcast packets at the egress: only broadcast packets from the protected virtual machines are allowed, preventing duplicate broadcasts, because broadcast packets are also sent to the ingress;
ovs-ofctl add-flow $SWITCH priority=3,in_port=$OUTPORT,dl_src=${VM1MAC},actions=normal
ovs-ofctl add-flow $SWITCH priority=3,in_port=$OUTPORT,dl_src=${VM2MAC},actions=normal
# Add the default policy drop to the firewall egress; priority higher than the default redirect-into-firewall policy, so that packets are not redirected into the firewall again; must be added before the redirect policy;
ovs-ofctl add-flow $SWITCH priority=2,in_port=$OUTPORT,actions=drop
# Packets sent by the protected virtual machines are redirected into the firewall;
ovs-ofctl add-flow $SWITCH priority=1,in_port=$VM1PORT,actions=output:$INPORT
ovs-ofctl add-flow $SWITCH priority=1,in_port=$VM2PORT,actions=output:$INPORT
# Packets destined for the protected virtual machines are likewise redirected into the firewall;
ovs-ofctl add-flow $SWITCH priority=1,dl_dst=${VM1MAC},actions=output:$INPORT
ovs-ofctl add-flow $SWITCH priority=1,dl_dst=${VM2MAC},actions=output:$INPORT
# Default policy: pass (normal) without redirecting to the firewall ingress, with the lowest priority;
ovs-ofctl add-flow $SWITCH priority=0,actions=normal
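As an added illustration (not code from the patent), the following Python model re-implements the OpenFlow match semantics that both rule sets rely on (the highest-priority matching flow decides the action; a table miss drops the frame) for the in_port, dl_src and dl_dst fields, renders each flow as the add-flow command form of the listing, and traces a frame through the bridge and a pass-through firewall. The port numbers, MAC addresses and the $SWITCH name are constructed placeholders standing in for the listing's $INPORT, $OUTPORT, $VM1PORT, $VM2PORT, ${VM1MAC} and ${VM2MAC}; OTHERPORT and OTHERMAC model an unprotected virtual machine on the same bridge.

```python
"""Flow-table model of the two ovs-ofctl rule sets (added illustration, not the patent's code)."""
from dataclasses import dataclass

# Constructed sample port numbers standing in for $INPORT, $OUTPORT, $VM1PORT, $VM2PORT;
# OTHERPORT/OTHERMAC model an unprotected VM attached to the same bridge.
INPORT, OUTPORT, VM1PORT, VM2PORT, OTHERPORT = 1, 2, 3, 4, 5
VM1MAC = "0a:00:00:00:00:01"    # stands in for ${VM1MAC}
VM2MAC = "0a:00:00:00:00:02"    # stands in for ${VM2MAC}
OTHERMAC = "0a:00:00:00:00:99"  # constructed, unprotected VM
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Flow:
    priority: int
    match: dict   # subset of {"in_port", "dl_src", "dl_dst"}; an empty dict matches everything
    action: str   # "normal", "drop" or "output:<port>"

    def matches(self, frame):
        return all(frame.get(k) == v for k, v in self.match.items())


def to_ovs_ofctl(flow):
    """Render a flow in the add-flow command form used in the listing ($SWITCH kept literal)."""
    fields = [f"priority={flow.priority}"]
    for key in ("in_port", "dl_src", "dl_dst"):
        if key in flow.match:
            fields.append(f"{key}={flow.match[key]}")
    fields.append(f"actions={flow.action}")
    return "ovs-ofctl add-flow $SWITCH " + ",".join(fields)


def lookup(table, frame):
    """Action of the highest-priority matching flow; Open vSwitch drops on a table miss."""
    hits = [f for f in table if f.matches(frame)]
    return max(hits, key=lambda f: f.priority).action if hits else "drop"


def all_redirection_table():
    """First mode: every frame not already leaving the firewall is sent into it."""
    return [
        Flow(65535, {"in_port": INPORT}, "drop"),        # never accept frames from the ingress
        Flow(2, {"in_port": OUTPORT, "dl_dst": VM1MAC}, f"output:{VM1PORT}"),
        Flow(2, {"in_port": OUTPORT, "dl_dst": VM2MAC}, f"output:{VM2PORT}"),
        Flow(1, {"in_port": OUTPORT}, "normal"),         # egress default: needed for broadcasts
        Flow(0, {}, f"output:{INPORT}"),                 # table default: into the firewall
    ]


def directional_table():
    """Second mode: only frames from or to the protected VMs traverse the firewall."""
    return [
        Flow(65535, {"in_port": INPORT}, "drop"),
        Flow(4, {"in_port": OUTPORT, "dl_dst": VM1MAC}, f"output:{VM1PORT}"),
        Flow(4, {"in_port": OUTPORT, "dl_dst": VM2MAC}, f"output:{VM2PORT}"),
        Flow(3, {"in_port": OUTPORT, "dl_src": VM1MAC}, "normal"),  # protected VMs' broadcasts
        Flow(3, {"in_port": OUTPORT, "dl_src": VM2MAC}, "normal"),
        Flow(2, {"in_port": OUTPORT}, "drop"),           # anything else leaving the firewall
        Flow(1, {"in_port": VM1PORT}, f"output:{INPORT}"),
        Flow(1, {"in_port": VM2PORT}, f"output:{INPORT}"),
        Flow(1, {"dl_dst": VM1MAC}, f"output:{INPORT}"),
        Flow(1, {"dl_dst": VM2MAC}, f"output:{INPORT}"),
        Flow(0, {}, "normal"),                           # unprotected traffic bypasses the firewall
    ]


def trace(table, frame, max_hops=4):
    """List of actions a frame takes through the bridge and a pass-through firewall.

    A frame output to INPORT is modelled as reappearing unchanged on OUTPORT, i.e. the
    firewall judged it legal; a firewall that isolates the frame would simply end the trace.
    """
    path = []
    for _ in range(max_hops):
        action = lookup(table, frame)
        path.append(action)
        if action != f"output:{INPORT}":
            return path
        frame = dict(frame, in_port=OUTPORT)   # re-injected by the firewall on its egress port
    return path + ["loop"]   # unreachable with these tables: the priority-65535 rule prevents it


if __name__ == "__main__":
    vm1_to_vm2 = {"in_port": VM1PORT, "dl_src": VM1MAC, "dl_dst": VM2MAC}
    for name, table in (("all-redirection", all_redirection_table()),
                        ("directional", directional_table())):
        print(name, "VM1->VM2:", trace(table, vm1_to_vm2))
        for flow in table:
            print("  " + to_ovs_ofctl(flow))
```

The trace of a frame arriving on INPORT ends in "drop" for both modes, which is the loopback guard the listing says must be installed first; in the directional mode a frame between two unprotected VMs never touches the firewall.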
In the virtual machine secure communication system according to the second embodiment of the present invention, the preset traffic forwarding configuration table redirects the traffic information sent between the virtual machines, so that the system can be used on multiple types of virtual machine platforms and its universality is effectively improved; the system avoids installing a driver outside the Hypervisor layer, thereby effectively reducing cost; the system performs traffic protection inside the server, so that traffic information sent between the virtual machines does not have to be forwarded outside the server for security processing, which effectively reduces the traffic-processing load and avoids loss of server and switch performance; the system does not require access to dedicated external physical switching equipment, which effectively saves cost; and when a virtual machine is migrated, its traffic forwarding configuration table is migrated automatically, which effectively improves the communication security of the virtual machine.
A third embodiment of the present invention provides a virtual machine secure communication method for the virtual machine secure communication system of the first embodiment; as shown in fig. 5, it includes the following specific steps:
Step S302, when any virtual machine sends traffic information to other virtual machines, the traffic information is obtained through the traffic exchange unit and sent to the firewall unit based on the preset traffic forwarding configuration table.
Step S303, the firewall unit judges whether the traffic information is legal based on the preset security policy configuration table; if the traffic information is judged to be legal, it is sent to the traffic exchange unit; otherwise the traffic information is isolated.
Step S304, the received traffic information sent by the firewall unit is sent to the other virtual machines through the traffic exchange unit based on the traffic forwarding configuration table.
Optionally, the traffic exchange unit, the firewall unit, any virtual machine, and the other virtual machines are disposed on the fifth server.
Optionally, before step S302, the method further includes:
Step S301, the preset traffic forwarding configuration table is sent to the traffic exchange unit through the firewall management unit, and the preset security policy configuration table is sent to the firewall unit.
The traffic forwarding configuration table comprises at least one of the two traffic forwarding configuration modes listed above for the second embodiment (the all-redirection mode and the directional protection mode).
In the method of the virtual machine secure communication system according to the third embodiment of the present invention, the preset traffic forwarding configuration table redirects the traffic information sent between the virtual machines, so that the system can be used on multiple types of virtual machine platforms and its universality is effectively improved; the system avoids installing a driver outside the Hypervisor layer, thereby effectively reducing cost; the system performs traffic protection inside the server, so that traffic information sent between the virtual machines does not have to be forwarded outside the server for security processing, which effectively reduces the traffic-processing load and avoids loss of server and switch performance; and because the system does not require access to dedicated external physical switching equipment, cost is effectively saved.
A fourth embodiment of the present invention provides a virtual machine secure communication method for the virtual machine secure communication system of the second embodiment; as shown in fig. 6, it includes the following specific steps:
Step S401, when any virtual machine sends traffic information to other virtual machines, the traffic information is obtained through the first traffic exchange module and sent to the first firewall module based on the first traffic forwarding configuration table.
Step S402, the first firewall module judges whether the traffic information is legal based on the security policy configuration table; if the traffic information is judged to be legal, it is sent to the first traffic exchange module; otherwise the traffic information is isolated.
Step S403, the first traffic exchange module sends the received traffic information sent by the first firewall module to the second traffic exchange module based on the first traffic forwarding configuration table.
Step S404, the second traffic exchange module sends the traffic information to the second firewall module based on the second traffic forwarding configuration table.
Step S405, the second firewall module judges whether the traffic information is legal based on the security policy configuration table; if the traffic information is judged to be legal, it is sent to the second traffic exchange module; otherwise the traffic information is isolated.
Step S406, the second traffic exchange module sends the received traffic information sent by the second firewall module to the other virtual machines based on the second traffic forwarding configuration table.
The first traffic exchange module, the first firewall module and any virtual machine are disposed on the first server; the second traffic exchange module, the second firewall module and the other virtual machines are disposed on the second server.
The traffic forwarding configuration table comprises at least one of the two traffic forwarding configuration modes listed above for the second embodiment (the all-redirection mode and the directional protection mode).
In the virtual machine secure communication method according to the fourth embodiment of the present invention, the preset traffic forwarding configuration table redirects the traffic information sent between the virtual machines, so that the system can be used on multiple types of virtual machine platforms and its universality is effectively improved; the system avoids installing a driver outside the Hypervisor layer, thereby effectively reducing cost; the system performs traffic protection inside the server, so that traffic information sent between the virtual machines does not have to be forwarded outside the server for security processing, which effectively reduces the traffic-processing load and avoids loss of server and switch performance; the system does not require access to dedicated external physical switching equipment, which effectively saves cost; and when a virtual machine is migrated, its traffic forwarding configuration table is migrated automatically, which effectively improves the communication security of the virtual machine.
A fifth embodiment of the present invention is a virtual machine secure communication method that is substantially the same as the method of the fourth embodiment, except that when any virtual machine is migrated from the first server to the third server, the first traffic forwarding configuration table in the first traffic exchange module is migrated automatically; as shown in fig. 7, the method in this embodiment includes the following specific steps:
Step S501, when any virtual machine has been migrated from the first server to the third server, the first traffic forwarding configuration table in the first traffic exchange module is obtained through the third traffic exchange module; when any virtual machine sends traffic information to other virtual machines, the traffic information is obtained through the third traffic exchange module and sent to the third firewall module based on the first traffic forwarding configuration table.
Step S502, the third firewall module judges whether the traffic information is legal based on the security policy configuration table; if the traffic information is judged to be legal, it is sent to the third traffic exchange module; otherwise the traffic information is isolated.
Step S503, the third traffic exchange module sends the received traffic information sent by the first firewall module to the second traffic exchange module based on the first traffic forwarding configuration table.
Step S504, the second traffic exchange module sends the traffic information to the second firewall module based on the second traffic forwarding configuration table.
Step S505, the second firewall module judges whether the traffic information is legal based on the security policy configuration table; if the traffic information is judged to be legal, it is sent to the second traffic exchange module; otherwise the traffic information is isolated.
Step S506, the received traffic information sent by the second firewall module is sent to the other virtual machines through the second traffic exchange module based on the second traffic forwarding configuration table.
The first traffic exchange module is disposed on the first server; the second traffic exchange module, the second firewall module and the other virtual machines are disposed on the second server; and the third traffic exchange module and the third firewall module are disposed on the third server.
The traffic forwarding configuration table comprises at least one of the two traffic forwarding configuration modes listed above for the second embodiment (the all-redirection mode and the directional protection mode).
In the virtual machine secure communication method according to the fifth embodiment of the present invention, the preset traffic forwarding configuration table redirects the traffic information sent between the virtual machines, so that the system can be used on multiple types of virtual machine platforms and its universality is effectively improved; the system avoids installing a driver outside the Hypervisor layer, thereby effectively reducing cost; the system performs traffic protection inside the server, so that traffic information sent between the virtual machines does not have to be forwarded outside the server for security processing, which effectively reduces the traffic-processing load and avoids loss of server and switch performance; the system does not require access to dedicated external physical switching equipment, which effectively saves cost; and when a virtual machine is migrated, its traffic forwarding configuration table is migrated automatically, which effectively improves the communication security of the virtual machine.
A sixth embodiment of the present invention is a secure communication method for virtual machines, and the method in this embodiment is substantially the same as that in the fourth embodiment, except that when other virtual machines are migrated from a second server to a fourth server, a second traffic forwarding configuration table in a second traffic exchange module is automatically migrated, and as shown in fig. 8, the method in this embodiment includes the following specific steps:
step S601, when any virtual machine sends traffic information to other virtual machines, the first traffic exchange module obtains the traffic information, and sends the traffic information to the first firewall module based on the first traffic forwarding configuration table.
Step S602, judging whether the flow information is legal or not through a first firewall module based on a security policy configuration table; if the flow information is judged to be legal, the flow information is sent to a first flow exchange module; otherwise, the flow information is isolated.
Step S603, sending the received traffic information sent by the first firewall module to the second traffic exchange module through the first traffic exchange module based on the first traffic forwarding configuration table.
Step S604, when the other virtual machines are migrated from the second server to the fourth server, the fourth traffic switching module obtains the second traffic forwarding configuration table from the second traffic switching module; when the traffic information sent by the first traffic exchange module is received, the fourth traffic switching module obtains the traffic information and sends it to the fourth firewall module based on the second traffic forwarding configuration table.
Step S605, judging whether the traffic information is legal or not through the fourth firewall module based on the security policy configuration table; if the traffic information is judged to be legal, the traffic information is sent to the fourth traffic exchange module; otherwise, the traffic information is isolated.
Step S606, the received traffic information sent by the fourth firewall module is sent to other virtual machines through the fourth traffic exchange module based on the second traffic forwarding configuration table.
The first traffic exchange module, the first firewall module and any virtual machine are arranged on the first server; the second traffic exchange module is arranged on the second server; the fourth traffic exchange module and the fourth firewall module are arranged on the fourth server.
The flow forwarding configuration table comprises at least one of the following flow forwarding configuration modes:
the first mode, the all-redirection flow forwarding configuration mode:
# disable forwarding to the firewall outlet port;
ovs-ofctl mod-port $SWITCH $OUTPORT no-forward;
# disable flooding on the firewall inlet port;
ovs-ofctl mod-port $SWITCH $INPORT no-flood;
# clear the existing policy on the bridge;
ovs-ofctl del-flows $SWITCH;
# restore the default policy (may be executed again);
ovs-ofctl add-flow $SWITCH priority=0,actions=normal;
# never accept packets from the firewall inlet port: highest priority, prevents loopback, and must be added first;
ovs-ofctl add-flow $SWITCH priority=65535,in_port=$INPORT,actions=drop;
# identify data leaving the firewall outlet and send it to the matching port by destination MAC; the priority is higher than the default policy of the firewall outlet;
ovs-ofctl add-flow $SWITCH priority=2,in_port=$OUTPORT,dl_dst=${VM1MAC},actions=output:$VM1PORT;
ovs-ofctl add-flow $SWITCH priority=2,in_port=$OUTPORT,dl_dst=${VM2MAC},actions=output:$VM2PORT;
# add a default policy normal on the firewall outlet (needed at least for broadcast packets); its priority is higher than the default redirect-into-firewall policy so that packets are not redirected into the firewall again, and it is added before the redirect policy;
ovs-ofctl add-flow $SWITCH priority=1,in_port=$OUTPORT,actions=normal;
# the default policy redirects to the firewall inlet, with the lowest priority;
ovs-ofctl add-flow $SWITCH priority=0,actions=output:$INPORT;
and the second mode, the directional protection flow forwarding configuration mode:
# disable forwarding to the firewall outlet port;
ovs-ofctl mod-port $SWITCH $OUTPORT no-forward;
# disable flooding on the firewall inlet port;
ovs-ofctl mod-port $SWITCH $INPORT no-flood;
# clear the existing policy on the bridge;
ovs-ofctl del-flows $SWITCH;
# restore the default policy (may be executed again);
ovs-ofctl add-flow $SWITCH priority=0,actions=normal;
# never accept packets from the firewall inlet port: highest priority, prevents loopback, and must be added first;
ovs-ofctl add-flow $SWITCH priority=65535,in_port=$INPORT,actions=drop;
# identify data leaving the firewall outlet and send it to the matching port by destination MAC; the priority is higher than the other policies of the firewall outlet;
ovs-ofctl add-flow $SWITCH priority=4,in_port=$OUTPORT,dl_dst=${VM1MAC},actions=output:$VM1PORT;
ovs-ofctl add-flow $SWITCH priority=4,in_port=$OUTPORT,dl_dst=${VM2MAC},actions=output:$VM2PORT;
# special handling of broadcast packets at the outlet: only broadcasts sent by a protected virtual machine are allowed, which prevents duplicate broadcasts, because broadcast packets are also sent to the inlet;
ovs-ofctl add-flow $SWITCH priority=3,in_port=$OUTPORT,dl_src=${VM1MAC},actions=normal;
ovs-ofctl add-flow $SWITCH priority=3,in_port=$OUTPORT,dl_src=${VM2MAC},actions=normal;
# add a default policy drop on the firewall outlet; its priority is higher than the default redirect-into-firewall policy so that packets are not redirected into the firewall again, and it is added before the redirect policy;
ovs-ofctl add-flow $SWITCH priority=2,in_port=$OUTPORT,actions=drop;
# packets sent by a protected virtual machine are redirected into the firewall;
ovs-ofctl add-flow $SWITCH priority=1,in_port=$VM1PORT,actions=output:$INPORT;
ovs-ofctl add-flow $SWITCH priority=1,in_port=$VM2PORT,actions=output:$INPORT;
# packets destined for a protected virtual machine (those not coming from the firewall outlet) are sent into the firewall;
ovs-ofctl add-flow $SWITCH priority=1,dl_dst=${VM1MAC},actions=output:$INPORT;
ovs-ofctl add-flow $SWITCH priority=1,dl_dst=${VM2MAC},actions=output:$INPORT;
# the default policy is to pass normally without redirecting to the firewall inlet, with the lowest priority;
ovs-ofctl add-flow $SWITCH priority=0,actions=normal;
In the virtual machine secure communication method according to the sixth embodiment of the present invention, the preset traffic forwarding configuration table is used to redirect the traffic information sent between the virtual machines, so that the virtual machine secure communication system can be used on multiple types of virtual machine platforms and its universality is effectively improved; the system avoids installing a driver outside the Hypervisor layer, which effectively reduces cost; the system performs traffic protection inside the server, which prevents traffic sent between the virtual machines from being forwarded outside the server for security processing, effectively reduces the traffic-processing load, and avoids performance loss on the server and the switch; the system does not need to be connected to dedicated external physical switching equipment, which effectively saves cost; and when a virtual machine is migrated, its traffic forwarding configuration table is migrated automatically, which effectively improves the communication security of the virtual machine.
A seventh embodiment of the present invention is described, on the basis of the above embodiments, with reference to fig. 9, taking a virtual machine secure communication system as an example.
The virtual machine secure communication system includes:
the firewall management vSecCenter unit 30 is configured to send a preset traffic forwarding configuration table to the traffic switching openvswitch unit 10 and send a preset security policy configuration table to the firewall VFW unit 20 before the first virtual machine 40 sends traffic information to the second virtual machine 50.
The traffic switching openvswitch unit 10 is configured to obtain traffic information when the first virtual machine 40 sends the traffic information to the second virtual machine 50, and send the traffic information to the firewall VFW unit 20 based on the traffic forwarding configuration table;
the firewall VFW unit 20 is used for judging whether the flow information is legal or not based on a preset security policy configuration table; if the traffic information is judged to be legal, the traffic information is sent to a traffic exchange vSecCenter unit 10; otherwise, isolating the flow information;
and the traffic exchange vSecCenter unit 10 is further configured to send the received traffic information sent by the firewall VFW unit 20 to the second virtual machine 50 based on the traffic forwarding configuration table.
The traffic switching openvswitch unit 10, the firewall VFW unit 20, the first virtual machine 40, and the second virtual machine 50 are all disposed in the server 60.
The flow forwarding configuration table comprises at least one of the following flow forwarding configuration modes:
the first mode, the all-redirection flow forwarding configuration mode:
# disable forwarding to the firewall outlet port;
ovs-ofctl mod-port $SWITCH $OUTPORT no-forward;
# disable flooding on the firewall inlet port;
ovs-ofctl mod-port $SWITCH $INPORT no-flood;
# clear the existing policy on the bridge;
ovs-ofctl del-flows $SWITCH;
# restore the default policy (may be executed again);
ovs-ofctl add-flow $SWITCH priority=0,actions=normal;
# never accept packets from the firewall inlet port: highest priority, prevents loopback, and must be added first;
ovs-ofctl add-flow $SWITCH priority=65535,in_port=$INPORT,actions=drop;
# identify data leaving the firewall outlet and send it to the matching port by destination MAC; the priority is higher than the default policy of the firewall outlet;
ovs-ofctl add-flow $SWITCH priority=2,in_port=$OUTPORT,dl_dst=${VM1MAC},actions=output:$VM1PORT;
ovs-ofctl add-flow $SWITCH priority=2,in_port=$OUTPORT,dl_dst=${VM2MAC},actions=output:$VM2PORT;
# add a default policy normal on the firewall outlet (needed at least for broadcast packets); its priority is higher than the default redirect-into-firewall policy so that packets are not redirected into the firewall again, and it is added before the redirect policy;
ovs-ofctl add-flow $SWITCH priority=1,in_port=$OUTPORT,actions=normal;
# the default policy redirects to the firewall inlet, with the lowest priority;
ovs-ofctl add-flow $SWITCH priority=0,actions=output:$INPORT;
and the second mode, the directional protection flow forwarding configuration mode:
# disable forwarding to the firewall outlet port;
ovs-ofctl mod-port $SWITCH $OUTPORT no-forward;
# disable flooding on the firewall inlet port;
ovs-ofctl mod-port $SWITCH $INPORT no-flood;
# clear the existing policy on the bridge;
ovs-ofctl del-flows $SWITCH;
# restore the default policy (may be executed again);
ovs-ofctl add-flow $SWITCH priority=0,actions=normal;
# never accept packets from the firewall inlet port: highest priority, prevents loopback, and must be added first;
ovs-ofctl add-flow $SWITCH priority=65535,in_port=$INPORT,actions=drop;
# identify data leaving the firewall outlet and send it to the matching port by destination MAC; the priority is higher than the other policies of the firewall outlet;
ovs-ofctl add-flow $SWITCH priority=4,in_port=$OUTPORT,dl_dst=${VM1MAC},actions=output:$VM1PORT;
ovs-ofctl add-flow $SWITCH priority=4,in_port=$OUTPORT,dl_dst=${VM2MAC},actions=output:$VM2PORT;
# special handling of broadcast packets at the outlet: only broadcasts sent by a protected virtual machine are allowed, which prevents duplicate broadcasts, because broadcast packets are also sent to the inlet;
ovs-ofctl add-flow $SWITCH priority=3,in_port=$OUTPORT,dl_src=${VM1MAC},actions=normal;
ovs-ofctl add-flow $SWITCH priority=3,in_port=$OUTPORT,dl_src=${VM2MAC},actions=normal;
# add a default policy drop on the firewall outlet; its priority is higher than the default redirect-into-firewall policy so that packets are not redirected into the firewall again, and it is added before the redirect policy;
ovs-ofctl add-flow $SWITCH priority=2,in_port=$OUTPORT,actions=drop;
# packets sent by a protected virtual machine are redirected into the firewall;
ovs-ofctl add-flow $SWITCH priority=1,in_port=$VM1PORT,actions=output:$INPORT;
ovs-ofctl add-flow $SWITCH priority=1,in_port=$VM2PORT,actions=output:$INPORT;
# packets destined for a protected virtual machine (those not coming from the firewall outlet) are sent into the firewall;
ovs-ofctl add-flow $SWITCH priority=1,dl_dst=${VM1MAC},actions=output:$INPORT;
ovs-ofctl add-flow $SWITCH priority=1,dl_dst=${VM2MAC},actions=output:$INPORT;
# the default policy is to pass normally without redirecting to the firewall inlet, with the lowest priority;
ovs-ofctl add-flow $SWITCH priority=0,actions=normal;
In the virtual machine secure communication method according to the seventh embodiment of the present invention, the preset traffic forwarding configuration table is used to redirect the traffic information sent between the virtual machines, so that the virtual machine secure communication system can be used on multiple types of virtual machine platforms and its universality is effectively improved; the system avoids installing a driver outside the Hypervisor layer, which effectively reduces cost; the system performs traffic protection inside the server, which prevents traffic sent between the virtual machines from being forwarded outside the server for security processing, effectively reduces the traffic-processing load, and avoids performance loss on the server and the switch; and because the system does not need to be connected to dedicated external physical switching equipment, cost is effectively saved.
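To show how an Open vSwitch bridge actually evaluates the two forwarding modes listed in the sixth and seventh embodiments, the following is an added example in Python; it is not part of the patent and is not code from the applicant. It models priority-based OpenFlow matching on the in_port, dl_src and dl_dst fields, builds both tables from the same parameters the ovs-ofctl commands take, renders each rule back to its ovs-ofctl form, and traces a frame through the bridge on the assumption that the firewall permits the frame and re-injects it unchanged on its outlet port. The INPORT/OUTPORT numbers, the VM MAC addresses and the VM port numbers are constructed; the mod-port no-forward/no-flood settings are not modelled and the NORMAL action is treated as an opaque result.

```python
# Added example (not part of the patent): a model of how an OVS bridge evaluates
# the two flow forwarding configuration modes. All port numbers and MACs are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Rule:
    """One OpenFlow rule as installed by 'ovs-ofctl add-flow'."""
    priority: int
    action: str                       # "drop", "normal" or "output:<port>"
    in_port: Optional[int] = None
    dl_src: Optional[str] = None
    dl_dst: Optional[str] = None

    def matches(self, in_port: int, dl_src: str, dl_dst: str) -> bool:
        return ((self.in_port is None or self.in_port == in_port)
                and (self.dl_src is None or self.dl_src == dl_src)
                and (self.dl_dst is None or self.dl_dst == dl_dst))

    def as_ovs_ofctl(self, switch: str) -> str:
        """Render the rule as the ovs-ofctl command line the patent lists."""
        fields = [f"priority={self.priority}"]
        if self.in_port is not None:
            fields.append(f"in_port={self.in_port}")
        if self.dl_src is not None:
            fields.append(f"dl_src={self.dl_src}")
        if self.dl_dst is not None:
            fields.append(f"dl_dst={self.dl_dst}")
        return f"ovs-ofctl add-flow {switch} {','.join(fields)},actions={self.action}"


def all_redirect_table(inport: int, outport: int, vms: Dict[str, int]) -> List[Rule]:
    """Mode 1: every frame is redirected into the firewall. vms maps MAC -> bridge port."""
    table = [Rule(65535, "drop", in_port=inport)]              # never accept from the inlet
    for mac, port in vms.items():                               # firewall output -> destination VM
        table.append(Rule(2, f"output:{port}", in_port=outport, dl_dst=mac))
    table.append(Rule(1, "normal", in_port=outport))            # e.g. broadcast leaving the firewall
    table.append(Rule(0, f"output:{inport}"))                   # default: into the firewall
    return table


def directional_table(inport: int, outport: int, protected: Dict[str, int]) -> List[Rule]:
    """Mode 2: only frames sent by or to a protected VM pass the firewall; the rest are switched normally."""
    table = [Rule(65535, "drop", in_port=inport)]
    for mac, port in protected.items():
        table.append(Rule(4, f"output:{port}", in_port=outport, dl_dst=mac))
    for mac in protected:                                       # broadcasts of a protected VM only
        table.append(Rule(3, "normal", in_port=outport, dl_src=mac))
    table.append(Rule(2, "drop", in_port=outport))              # anything else leaving the firewall
    for port in protected.values():                             # frames sent by a protected VM
        table.append(Rule(1, f"output:{inport}", in_port=port))
    for mac in protected:                                       # frames destined for a protected VM
        table.append(Rule(1, f"output:{inport}", dl_dst=mac))
    table.append(Rule(0, "normal"))                             # default: bypass the firewall
    return table


def lookup(table: List[Rule], in_port: int, dl_src: str, dl_dst: str) -> str:
    """OpenFlow semantics: the highest-priority matching rule decides the action."""
    best = None
    for rule in table:
        if rule.matches(in_port, dl_src, dl_dst) and (best is None or rule.priority > best.priority):
            best = rule
    return best.action if best else "drop"   # table miss; unreachable here, both tables end in priority=0


def trace(table: List[Rule], inport: int, outport: int,
          in_port: int, dl_src: str, dl_dst: str, max_hops: int = 4) -> List[str]:
    """Follow one frame through the bridge. When a rule sends it to the firewall inlet, the
    firewall is assumed to permit it and re-inject it unchanged on the firewall outlet."""
    path: List[str] = []
    port = in_port
    for _ in range(max_hops):
        action = lookup(table, port, dl_src, dl_dst)
        path.append(action)
        if action != f"output:{inport}":
            return path
        port = outport                 # firewall passed it; second lookup from OUTPORT
    path.append("loop")                # only reachable if the anti-loopback rules were missing
    return path


if __name__ == "__main__":
    inport, outport = 10, 11                                    # constructed firewall ports
    vm1, vm2, vm3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    t1 = all_redirect_table(inport, outport, {vm1: 1, vm2: 2})
    t2 = directional_table(inport, outport, {vm1: 1})           # vm2/vm3 unprotected
    for rule in t1:
        print(rule.as_ovs_ofctl("br0"))
    print("mode 1, vm1 -> vm2:", trace(t1, inport, outport, 1, vm1, vm2))
    print("mode 2, vm3 -> vm2:", trace(t2, inport, outport, 3, vm3, vm2))
    print("mode 2, vm3 -> vm1:", trace(t2, inport, outport, 3, vm3, vm1))
```

Tracing confirms the two properties the comments in the listing depend on: in the all-redirection mode a frame that has already left the firewall is switched by destination MAC rather than being redirected a second time, and a frame arriving on the inlet port is always dropped; in the directional mode, traffic between two unprotected virtual machines never touches the firewall, while anything leaving the firewall outlet that is neither addressed to nor sent by a protected virtual machine is dropped.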
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.
Claims (8)
1. A virtual machine secure communication system, comprising:
the flow switching unit is used for acquiring the flow information when any virtual machine sends the flow information to other virtual machines and sending the flow information to the firewall unit based on a preset flow forwarding configuration table;
the flow forwarding configuration table comprises at least one of the following flow forwarding configuration modes:
the first mode, the all-redirection flow forwarding configuration mode:
# disable forwarding to the firewall outlet port;
ovs-ofctl mod-port $SWITCH $OUTPORT no-forward;
# disable flooding on the firewall inlet port;
ovs-ofctl mod-port $SWITCH $INPORT no-flood;
# clear the existing policy on the bridge;
ovs-ofctl del-flows $SWITCH;
# restore the default policy (executed again);
ovs-ofctl add-flow $SWITCH priority=0,actions=normal;
# never accept packets from the firewall inlet port: highest priority, prevents loopback, and must be added first;
ovs-ofctl add-flow $SWITCH priority=65535,in_port=$INPORT,actions=drop;
# identify data leaving the firewall outlet and send it to the matching port by destination MAC; the priority is higher than the default policy of the firewall outlet;
ovs-ofctl add-flow $SWITCH priority=2,in_port=$OUTPORT,dl_dst=${VM1MAC},actions=output:$VM1PORT;
ovs-ofctl add-flow $SWITCH priority=2,in_port=$OUTPORT,dl_dst=${VM2MAC},actions=output:$VM2PORT;
# add a default policy normal on the firewall outlet, needed at least for broadcast packets; its priority is higher than the default redirect-into-firewall policy so that packets are not redirected into the firewall again, and it is added before the redirect policy;
ovs-ofctl add-flow $SWITCH priority=1,in_port=$OUTPORT,actions=normal;
# the default policy redirects to the firewall inlet, with the lowest priority;
ovs-ofctl add-flow $SWITCH priority=0,actions=output:$INPORT;
and the second mode, the directional protection flow forwarding configuration mode:
# disable forwarding to the firewall outlet port;
ovs-ofctl mod-port $SWITCH $OUTPORT no-forward;
# disable flooding on the firewall inlet port;
ovs-ofctl mod-port $SWITCH $INPORT no-flood;
# clear the existing policy on the bridge;
ovs-ofctl del-flows $SWITCH;
# restore the default policy (executed again);
ovs-ofctl add-flow $SWITCH priority=0,actions=normal;
# never accept packets from the firewall inlet port: highest priority, prevents loopback, and must be added first;
ovs-ofctl add-flow $SWITCH priority=65535,in_port=$INPORT,actions=drop;
# identify data leaving the firewall outlet and send it to the matching port by destination MAC; the priority is higher than the other policies of the firewall outlet;
ovs-ofctl add-flow $SWITCH priority=4,in_port=$OUTPORT,dl_dst=${VM1MAC},actions=output:$VM1PORT;
ovs-ofctl add-flow $SWITCH priority=4,in_port=$OUTPORT,dl_dst=${VM2MAC},actions=output:$VM2PORT;
# special handling of broadcast packets at the outlet: only broadcasts sent by a protected virtual machine are allowed, which prevents duplicate broadcasts, because broadcast packets are also sent to the inlet;
ovs-ofctl add-flow $SWITCH priority=3,in_port=$OUTPORT,dl_src=${VM1MAC},actions=normal;
ovs-ofctl add-flow $SWITCH priority=3,in_port=$OUTPORT,dl_src=${VM2MAC},actions=normal;
# add a default policy drop on the firewall outlet; its priority is higher than the default redirect-into-firewall policy so that packets are not redirected into the firewall again, and it is added before the redirect policy;
ovs-ofctl add-flow $SWITCH priority=2,in_port=$OUTPORT,actions=drop;
# packets sent by a protected virtual machine are redirected into the firewall;
ovs-ofctl add-flow $SWITCH priority=1,in_port=$VM1PORT,actions=output:$INPORT;
ovs-ofctl add-flow $SWITCH priority=1,in_port=$VM2PORT,actions=output:$INPORT;
# packets destined for a protected virtual machine (those not coming from the firewall outlet) are sent into the firewall;
ovs-ofctl add-flow $SWITCH priority=1,dl_dst=${VM1MAC},actions=output:$INPORT;
ovs-ofctl add-flow $SWITCH priority=1,dl_dst=${VM2MAC},actions=output:$INPORT;
# the default policy is to pass normally without redirecting to the firewall inlet, with the lowest priority;
ovs-ofctl add-flow $SWITCH priority=0,actions=normal;
the firewall unit is used for judging whether the flow information is legal or not based on a preset security policy configuration table; if the flow information is judged to be legal, the flow information is sent to the flow exchange unit; otherwise, isolating the flow information;
the flow switching unit is further configured to send the received flow information sent by the firewall unit to the other virtual machines based on the flow forwarding configuration table;
the traffic switching unit includes a first traffic exchange module and a second traffic exchange module; the firewall unit includes a first firewall module and a second firewall module; the flow forwarding configuration table comprises a first flow forwarding configuration table corresponding to any virtual machine and a second flow forwarding configuration table corresponding to other virtual machines;
the first traffic exchange module, the first firewall module and any virtual machine are arranged on a first server; the second traffic exchange module, the second firewall module and the other virtual machines are arranged on a second server;
the first traffic exchange module is configured to, when the any virtual machine sends traffic information to the other virtual machines, obtain the traffic information, and send the traffic information to a first firewall module based on the first traffic forwarding configuration table;
the first firewall module is used for judging whether the flow information is legal or not based on the security policy configuration table; if the flow information is judged to be legal, the flow information is sent to the first flow exchange module; otherwise, isolating the flow information;
the first traffic exchange module is further configured to send the received traffic information sent by the first firewall module to the second traffic exchange module based on the first traffic forwarding configuration table;
the second traffic exchange module is configured to send the traffic information to the second firewall module based on the second traffic forwarding configuration table;
the second firewall module is used for judging whether the flow information is legal or not based on the security policy configuration table; if the traffic information is judged to be legal, the traffic information is sent to the second traffic exchange module; otherwise, isolating the flow information;
the second traffic exchange module is further configured to send the received traffic information sent by the second firewall module to the other virtual machines based on the second traffic forwarding configuration table.
2. The system of claim 1, wherein the traffic exchange unit further comprises a third traffic exchange module; the firewall unit also comprises a third firewall module; the third flow exchange module and the third firewall module are arranged on a third server;
the third traffic exchange module is configured to acquire a first traffic forwarding configuration table in the first traffic exchange module when the any virtual machine is migrated to the third server; when any virtual machine sends flow information to other virtual machines, obtaining the flow information, and sending the flow information to a third firewall module based on the first flow forwarding configuration table;
the third firewall module is used for judging whether the flow information is legal or not based on the security policy configuration table; if the traffic information is judged to be legal, the traffic information is sent to the third traffic exchange module; otherwise, isolating the flow information;
the third traffic exchange module is further configured to send the received traffic information sent by the third firewall module to the second traffic exchange module based on the first traffic forwarding configuration table.
3. The system of claim 1, wherein the traffic switching unit further comprises a fourth traffic switching module; the firewall unit further comprises a fourth firewall module; the fourth traffic exchange module and the fourth firewall module are arranged on a fourth server;
the fourth traffic switching module is configured to acquire a second traffic forwarding configuration table in the second traffic switching module when the other virtual machines are migrated to the fourth server; when receiving the traffic information sent by the first traffic exchange module, acquiring the traffic information, and sending the traffic information to a fourth firewall module based on the second traffic forwarding configuration table;
the fourth firewall module is configured to determine whether the traffic information is legal based on the security policy configuration table; if the flow information is judged to be legal, the flow information is sent to the fourth flow exchange module; otherwise, isolating the flow information;
the fourth traffic switching module is further configured to send the received traffic information sent by the fourth firewall module to the other virtual machines based on the second traffic forwarding configuration table.
4. A virtual machine secure communication system, comprising:
the flow switching unit is used for acquiring the flow information when any virtual machine sends the flow information to other virtual machines and sending the flow information to the firewall unit based on a preset flow forwarding configuration table;
the flow forwarding configuration table comprises at least one of the following flow forwarding configuration modes:
the first mode, the all-redirection flow forwarding configuration mode:
# disable forwarding to the firewall outlet port;
ovs-ofctl mod-port $SWITCH $OUTPORT no-forward;
# disable flooding on the firewall inlet port;
ovs-ofctl mod-port $SWITCH $INPORT no-flood;
# clear the existing policy on the bridge;
ovs-ofctl del-flows $SWITCH;
# restore the default policy (executed again);
ovs-ofctl add-flow $SWITCH priority=0,actions=normal;
# never accept packets from the firewall inlet port: highest priority, prevents loopback, and must be added first;
ovs-ofctl add-flow $SWITCH priority=65535,in_port=$INPORT,actions=drop;
# identify data leaving the firewall outlet and send it to the matching port by destination MAC; the priority is higher than the default policy of the firewall outlet;
ovs-ofctl add-flow $SWITCH priority=2,in_port=$OUTPORT,dl_dst=${VM1MAC},actions=output:$VM1PORT;
ovs-ofctl add-flow $SWITCH priority=2,in_port=$OUTPORT,dl_dst=${VM2MAC},actions=output:$VM2PORT;
# add a default policy normal on the firewall outlet, needed at least for broadcast packets; its priority is higher than the default redirect-into-firewall policy so that packets are not redirected into the firewall again, and it is added before the redirect policy;
ovs-ofctl add-flow $SWITCH priority=1,in_port=$OUTPORT,actions=normal;
# the default policy redirects to the firewall inlet, with the lowest priority;
ovs-ofctl add-flow $SWITCH priority=0,actions=output:$INPORT;
and the second mode, the directional protection flow forwarding configuration mode:
# disable forwarding to the firewall outlet port;
ovs-ofctl mod-port $SWITCH $OUTPORT no-forward;
# disable flooding on the firewall inlet port;
ovs-ofctl mod-port $SWITCH $INPORT no-flood;
# clear the existing policy on the bridge;
ovs-ofctl del-flows $SWITCH;
# restore the default policy (executed again);
ovs-ofctl add-flow $SWITCH priority=0,actions=normal;
# never accept packets from the firewall inlet port: highest priority, prevents loopback, and must be added first;
ovs-ofctl add-flow $SWITCH priority=65535,in_port=$INPORT,actions=drop;
# identify data leaving the firewall outlet and send it to the matching port by destination MAC; the priority is higher than the other policies of the firewall outlet;
ovs-ofctl add-flow $SWITCH priority=4,in_port=$OUTPORT,dl_dst=${VM1MAC},actions=output:$VM1PORT;
ovs-ofctl add-flow $SWITCH priority=4,in_port=$OUTPORT,dl_dst=${VM2MAC},actions=output:$VM2PORT;
# special handling of broadcast packets at the outlet: only broadcasts sent by a protected virtual machine are allowed, which prevents duplicate broadcasts, because broadcast packets are also sent to the inlet;
ovs-ofctl add-flow $SWITCH priority=3,in_port=$OUTPORT,dl_src=${VM1MAC},actions=normal;
ovs-ofctl add-flow $SWITCH priority=3,in_port=$OUTPORT,dl_src=${VM2MAC},actions=normal;
# add a default policy drop on the firewall outlet; its priority is higher than the default redirect-into-firewall policy so that packets are not redirected into the firewall again, and it is added before the redirect policy;
ovs-ofctl add-flow $SWITCH priority=2,in_port=$OUTPORT,actions=drop;
# packets sent by a protected virtual machine are redirected into the firewall;
ovs-ofctl add-flow $SWITCH priority=1,in_port=$VM1PORT,actions=output:$INPORT;
ovs-ofctl add-flow $SWITCH priority=1,in_port=$VM2PORT,actions=output:$INPORT;
# packets destined for a protected virtual machine (those not coming from the firewall outlet) are sent into the firewall;
ovs-ofctl add-flow $SWITCH priority=1,dl_dst=${VM1MAC},actions=output:$INPORT;
ovs-ofctl add-flow $SWITCH priority=1,dl_dst=${VM2MAC},actions=output:$INPORT;
# the default policy is to pass normally without redirecting to the firewall inlet, with the lowest priority;
ovs-ofctl add-flow $SWITCH priority=0,actions=normal;
the firewall unit is used for judging whether the flow information is legal or not based on a preset security policy configuration table; if the flow information is judged to be legal, the flow information is sent to the flow exchange unit; otherwise, isolating the flow information;
the flow switching unit is further configured to send the received flow information sent by the firewall unit to the other virtual machines based on the flow forwarding configuration table;
the flow switching unit, the firewall unit, the any virtual machine and the other virtual machines are arranged on a fifth server.
5. The virtual machine secure communication method of the virtual machine secure communication system according to claim 1, characterized by comprising:
when any virtual machine sends flow information to other virtual machines, the flow information is obtained through a flow exchange unit, and the flow information is sent to a firewall unit based on a preset flow forwarding configuration table;
judging whether the flow information is legal or not through the firewall unit based on a preset security policy configuration table; if the flow information is judged to be legal, the flow information is sent to the flow exchange unit; otherwise, isolating the flow information;
sending the received flow information sent by the firewall unit to the other virtual machines through the flow switching unit based on the flow forwarding configuration table;
the traffic switching unit includes a first traffic exchange module and a second traffic exchange module; the firewall unit includes a first firewall module and a second firewall module; the flow forwarding configuration table comprises a first flow forwarding configuration table corresponding to any virtual machine and a second flow forwarding configuration table corresponding to other virtual machines; the first traffic exchange module, the first firewall module and any virtual machine are arranged on a first server; the second traffic exchange module, the second firewall module and the other virtual machines are arranged on a second server;
the method specifically comprises the following steps:
when any virtual machine sends flow information to other virtual machines, the first flow exchange module obtains the flow information, and the flow information is sent to a first firewall module based on the first flow forwarding configuration table;
judging whether the flow information is legal or not through the first firewall module based on the security policy configuration table; if the flow information is judged to be legal, the flow information is sent to the first flow exchange module; otherwise, isolating the flow information;
sending, by the first traffic exchange module, the received traffic information sent by the first firewall module to the second traffic exchange module based on the first traffic forwarding configuration table;
sending, by the second traffic exchange module, the traffic information to the second firewall module based on the second traffic forwarding configuration table;
judging whether the flow information is legal or not through the second firewall module based on the security policy configuration table; if the traffic information is judged to be legal, the traffic information is sent to the second traffic exchange module; otherwise, isolating the flow information;
and sending the received flow information sent by the second firewall module to the other virtual machines through the second flow exchange module based on the second flow forwarding configuration table.
6. The method of claim 5, wherein the traffic exchange unit further comprises a third traffic exchange module; the firewall unit also comprises a third firewall module; the third flow exchange module and the third firewall module are arranged on a third server;
the method further comprises the following steps:
under the condition that any virtual machine is migrated to the third server, acquiring a first traffic forwarding configuration table in the first traffic exchange module through the third traffic exchange module; when any virtual machine sends flow information to other virtual machines, the flow information is obtained through the third flow exchange module, and the flow information is sent to a third firewall module based on the first flow forwarding configuration table;
judging whether the flow information is legal or not through the third firewall module based on the safety strategy configuration table; if the traffic information is judged to be legal, the traffic information is sent to the third traffic exchange module; otherwise, isolating the flow information;
and sending the received flow information sent by the third firewall module to the second flow exchange module through the third flow exchange module based on the first flow forwarding configuration table.
7. The method of claim 5, wherein the traffic switching unit further comprises a fourth traffic switching module; the firewall unit further comprises a fourth firewall module; the fourth traffic exchange module and the fourth firewall module are arranged on a fourth server;
the method further comprises the following steps:
under the condition that the other virtual machines are migrated to the fourth server, acquiring a second traffic forwarding configuration table in the second traffic switching module through the fourth traffic switching module; when receiving the traffic information sent by the first traffic exchange module, obtaining the traffic information through the fourth traffic exchange module, and sending the traffic information to a fourth firewall module based on the second traffic forwarding configuration table;
judging whether the flow information is legal or not through a fourth fire wall module based on the security policy configuration table; if the flow information is judged to be legal, the flow information is sent to the fourth flow exchange module; otherwise, isolating the flow information;
and sending the received traffic information sent by the fourth firewall module to the other virtual machines through the fourth traffic switching module based on the second traffic forwarding configuration table.
8. The virtual machine secure communication method of the virtual machine secure communication system according to claim 4, characterized by comprising:
when any virtual machine sends flow information to other virtual machines, the flow information is obtained through a flow exchange unit, and the flow information is sent to a firewall unit based on a preset flow forwarding configuration table;
judging whether the flow information is legal or not through the firewall unit based on a preset security policy configuration table; if the flow information is judged to be legal, the flow information is sent to the flow exchange unit; otherwise, isolating the flow information;
sending the received flow information sent by the firewall unit to the other virtual machines through the flow switching unit based on the flow forwarding configuration table;
the flow exchange unit, the firewall unit, the any virtual machine and the other virtual machines are arranged on a first server.
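The following Python model is an added illustration of the data path the claims describe; it is not code from the patent or its applicant. It walks a packet through the steps of claims 5 to 8: the sending server's switch hands the traffic to its own firewall, legal traffic comes back to the switch and is forwarded by the forwarding table to the switch hosting the destination, which inspects it again with its own firewall before delivery; a migrated VM's new switch takes over the old switch's forwarding table (claims 6 and 7), and two VMs on one server are inspected once (claim 8). The module names (ovs1/fw1 and so on), the policy rules and the packets are constructed. Keeping one forwarding table per switch rather than per VM, and letting peers learn a migrated VM's new location directly, are simplifying assumptions; the claims do not specify how the table is distributed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Packet:
    """'Traffic information' reduced to the fields the policy table matches on (constructed)."""
    src_vm: str
    dst_vm: str
    proto: str
    dst_port: int


class FirewallModule:
    """Judges traffic against the security policy table; anything not allowed is isolated.
    A rule is (src_vm, dst_vm, proto, dst_port, action); "*" is a wildcard."""

    def __init__(self, name: str, policy: List[tuple]) -> None:
        self.name, self.policy = name, policy
        self.isolated: List[Packet] = []          # quarantined traffic, kept for review

    def inspect(self, pkt: Packet) -> bool:
        for src, dst, proto, port, action in self.policy:
            if (src in ("*", pkt.src_vm) and dst in ("*", pkt.dst_vm)
                    and proto in ("*", pkt.proto) and port in ("*", pkt.dst_port)):
                if action == "allow":
                    return True
                break                             # first match wins; explicit deny isolates
        self.isolated.append(pkt)                 # default deny
        return False


class TrafficSwitchModule:
    """Per-server switch (an OVS in the patent's vocabulary) that steers every packet
    through the firewall module on the same server before forwarding it."""

    def __init__(self, name: str, firewall: FirewallModule) -> None:
        self.name, self.firewall = name, firewall
        self.forwarding_table: Dict[str, str] = {}   # dst_vm -> switch hosting it (assumption)
        self.local_vms: Set[str] = set()
        self.peers: Dict[str, "TrafficSwitchModule"] = {}
        self.delivered: List[Packet] = []

    def attach_vm(self, vm: str) -> None:
        self.local_vms.add(vm)
        self.forwarding_table[vm] = self.name

    def connect(self, other: "TrafficSwitchModule") -> None:
        # Assumption: linked switches learn which VMs the other side hosts.
        self.peers[other.name], other.peers[self.name] = other, self
        for vm in other.local_vms:
            self.forwarding_table[vm] = other.name
        for vm in self.local_vms:
            other.forwarding_table[vm] = self.name

    def _pass_firewall(self, pkt: Packet, path: List[str]) -> bool:
        path += [self.name, self.firewall.name]
        if not self.firewall.inspect(pkt):
            path.append("isolated")
            return False
        path.append(self.name)                    # legal traffic returns to the switch
        return True

    def send_from_vm(self, pkt: Packet, path: List[str]) -> bool:
        """Sending server (claim 5): VM -> switch -> firewall -> switch -> next hop."""
        if not self._pass_firewall(pkt, path):
            return False
        hop = self.forwarding_table.get(pkt.dst_vm)
        if hop is None:
            path.append("dropped:unknown-destination")
            return False
        if hop == self.name:                      # claim 8: same server, single inspection
            return self._deliver(pkt, path)
        return self.peers[hop].receive_from_peer(pkt, path)

    def receive_from_peer(self, pkt: Packet, path: List[str]) -> bool:
        """Receiving server (claim 5): re-inspect with the local firewall, then deliver."""
        return self._pass_firewall(pkt, path) and self._deliver(pkt, path)

    def _deliver(self, pkt: Packet, path: List[str]) -> bool:
        if pkt.dst_vm not in self.local_vms:
            path.append("dropped:not-local")
            return False
        path.append(pkt.dst_vm)
        self.delivered.append(pkt)
        return True

    def migrate_vm_from(self, vm: str, old: "TrafficSwitchModule") -> None:
        """Claims 6/7: a VM moves here and this switch acquires the old switch's table.
        Assumption: peers are told the new location; the claims leave that mechanism open."""
        old.local_vms.discard(vm)
        self.local_vms.add(vm)
        self.forwarding_table = dict(old.forwarding_table)
        self.forwarding_table[vm] = self.name
        for peer in self.peers.values():
            peer.forwarding_table[vm] = self.name


def run_scenario() -> dict:
    """Constructed topology: vmA on server 1, vmB on server 2, an empty server 3."""
    policy = [("vmA", "vmB", "tcp", 443, "allow"), ("*", "*", "*", "*", "deny")]
    ovs1, ovs2, ovs3 = (TrafficSwitchModule(f"ovs{i}", FirewallModule(f"fw{i}", policy))
                        for i in (1, 2, 3))
    ovs1.attach_vm("vmA"); ovs2.attach_vm("vmB")
    ovs1.connect(ovs2); ovs1.connect(ovs3); ovs2.connect(ovs3)
    out, path = {}, []
    out["allowed"] = (ovs1.send_from_vm(Packet("vmA", "vmB", "tcp", 443), path), path)
    path = []
    out["blocked"] = (ovs1.send_from_vm(Packet("vmA", "vmB", "tcp", 22), path), path)
    ovs3.migrate_vm_from("vmA", ovs1)             # claim 6: source VM moves to server 3
    path = []
    out["after_migration"] = (ovs3.send_from_vm(Packet("vmA", "vmB", "tcp", 443), path), path)
    out["isolated_at_fw1"] = len(ovs1.firewall.isolated)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The recorded path makes the two-stage inspection visible: allowed traffic is judged by fw1 on the sending server and again by fw2 on the receiving server, traffic denied by the first firewall never leaves its server, and after the migration the third server's firewall takes over the first inspection without any change on the receiving side.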
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711434343.9A CN107920022B (en) | 2017-12-26 | 2017-12-26 | Virtual machine safety communication system and virtual machine safety communication method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711434343.9A CN107920022B (en) | 2017-12-26 | 2017-12-26 | Virtual machine safety communication system and virtual machine safety communication method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107920022A (en) | 2018-04-17 |
CN107920022B (en) | 2021-08-24 |
Family
ID=61894387
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711434343.9A Active CN107920022B (en) | 2017-12-26 | 2017-12-26 | Virtual machine safety communication system and virtual machine safety communication method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107920022B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103763310A (en) * | 2013-12-31 | 2014-04-30 | 曙光云计算技术有限公司 | Firewall service system and method based on virtual network |
CN105530259A (en) * | 2015-12-22 | 2016-04-27 | 华为技术有限公司 | Message filtering method and equipment |
CN106911572A (en) * | 2017-02-24 | 2017-06-30 | 郑州云海信息技术有限公司 | A kind of message processing method and device of the virtual machine realized based on SDN frameworks |
CN103812823B (en) * | 2012-11-07 | 2017-10-10 | 华为技术有限公司 | Method, device and system for migrating configuration information during virtual machine live migration |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10009381B2 (en) * | 2015-03-30 | 2018-06-26 | Varmour Networks, Inc. | System and method for threat-driven security policy controls |
Events:
- 2017-12-26: CN application CN201711434343.9A, patent CN107920022B, status Active
Non-Patent Citations (1)
Title |
---|
"[Knowledge Share] Introduction to NSX (2): Distributed Firewall"; VMware China; http://www.virtualclient.cn/InfoDetail.aspx?id=10523; 2017-12-03; see pages 1 to 2 * |
Also Published As
Publication number | Publication date |
---|---|
CN107920022A (en) | 2018-04-17 |
Similar Documents
Publication | Title |
---|---|
US11893409B2 (en) | Securing a managed forwarding element that operates within a data compute node |
US11533340B2 (en) | On-demand security policy provisioning |
US8743894B2 (en) | Bridge port between hardware LAN and virtual switch |
US10476845B2 (en) | Traffic handling for containers in a virtualized computing environment |
EP2909780B1 (en) | Providing a virtual security appliance architecture to a virtual cloud infrastructure |
US9148360B2 (en) | Managing MAC moves with secure port groups |
EP2685676B1 (en) | Multicast data forwarding method and device supporting virtual terminal |
US9391803B2 (en) | Methods systems and apparatuses for dynamically tagging VLANs |
WO2017100365A1 (en) | Directing data traffic between intra-server virtual machines |
US8732817B2 (en) | Switching hub, a system, a method of the switching hub and a program thereof |
US20130301425A1 (en) | Preventing Leaks Among Private Virtual Local Area Network Ports Due to Configuration Changes in a Headless Mode |
CN101635731B (en) | Method and equipment for defending MAC address deception attack |
EP3479532B1 (en) | A data packet forwarding unit in software defined networks |
US9509630B2 (en) | Method of selectively and seamlessly segregating SAN traffic in I/O consolidated networks |
CN108156079B (en) | Data packet forwarding system and method based on cloud service platform |
KR101290963B1 (en) | System and method for separating network based virtual environment |
US20090164630A1 (en) | Network adapter based zoning enforcement |
CN107920022B (en) | Virtual machine safety communication system and virtual machine safety communication method |
RU2714383C2 (en) | Method and device for processing switch routing conflict |
CN111884863A (en) | VPC service chain implementation method and system for cloud computing environment |
CN109639551B (en) | Virtualization drainage device and method |
KR20160036182A (en) | Hybrid OpenFlow switch, system, and method for combining legacy switch protocol function and SDN function |
US8402084B2 (en) | Host embedded controller interface bridge |
KR101854996B1 (en) | SDN for preventing malicious application and Determination apparatus comprising the same |
CN108989206B (en) | Message forwarding method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |