CN107959689B - Cloud platform tenant network isolation test method - Google Patents


Info

Publication number
CN107959689B
Authority
CN
China
Prior art keywords
tenant
network
name
cloud platform
isolation
Prior art date
Legal status
Active
Application number
CN201810024453.6A
Other languages
Chinese (zh)
Other versions
CN107959689A (en)
Inventor
詹静
高雅琪
赵勇
樊旭东
王霞
韩瑾
Current Assignee
Beijing University of Technology
Original Assignee
Beijing University of Technology
Priority date
Filing date
Publication date
Application filed by Beijing University of Technology
Priority to CN201810024453.6A
Publication of CN107959689A
Application granted
Publication of CN107959689B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The invention discloses a cloud platform tenant network isolation testing method and belongs to the technical field of computer cloud security testing. The method establishes an expected cloud platform tenant network isolation matrix; acquires basic information on all tenant networks from the tenant control node and all compute nodes; acquires layer-3-and-above isolation information on all tenant networks from the network node; acquires layer-2 isolation information on the tenant subnets from the network node and the compute nodes; acquires network access information on tenants and tenant subnets from the compute nodes and generates the actual cloud platform tenant network isolation matrix Ma; and compares the generated actual matrix Ma with the expected matrix Me. By acquiring the tenant network isolation state of the running environment from the bottom layer of the cloud platform network, the method detects in real time whether the current cloud platform network isolation is abnormal, provides cloud auditors with a visual network isolation report, and provides a way to trace responsibility for security problems that the cloud tenant network service may produce.

Description

Cloud platform tenant network isolation test method
Technical Field
The invention relates to cloud security testing, in particular to a cloud-platform-oriented tenant network isolation testing method, and belongs to the technical field of computers.
Background
As cloud computing technology matures, more and more enterprises and individuals choose to deploy their systems on a cloud platform, but to the cloud tenant the platform is a black box. The cloud provider cannot answer tenants' enquiries about security problems and cannot give them an isolation report for the platform's multi-tenant network. Tenants cannot fully know the cloud platform environment and cannot find out in time whether the data in their networks is safe, so they cannot fully trust the environment.
Existing cloud platform management software mainly includes OpenStack, CloudStack and Eucalyptus, all of which contain basic management components for compute, storage and networking. Among them, OpenStack supports the most technologies, has the widest audience and is the most popular. On the one hand, the virtual machine network inside a cloud platform is in effect one large local area network, so LAN isolation technologies such as VLAN, GRE and VXLAN are used; VXLAN and GRE improve on VLAN by carrying virtual machine traffic through tunnels. On the other hand, the management software uses multi-level network virtualization to provide network services to tenants: a virtual bridge attaches virtual machines to the network, a virtual switch forwards traffic between virtual machines, and a virtual router and firewall isolate network devices and services.
The industry has done much research on tenant network isolation technology and its testing on cloud platforms. One line of work proposes distributing the virtual routers/firewalls that OpenStack originally concentrates on the network nodes to every compute node in order to isolate tenant virtual machines, but if the virtual router/firewall policy changes, the isolation states of one tenant's virtual machines on different nodes easily become inconsistent. The Ceilometer metering component provided by OpenStack analyses traffic by collecting cloud platform network data and can detect abnormal traffic according to known traffic rules, but cannot quickly locate where the abnormal traffic originates. Yang Xu proposes a boundary-based method, in an SDN setting, for checking the consistency of the network state at each layer between the control node and the host, but it does not cover all network devices in the cloud platform and therefore cannot fully test whether isolation has been broken; for example, the state of the tenant network access devices is not tested.
These schemes study the isolation and testing of tenant networks to some extent, but problems remain: isolation failure points cannot be located effectively and the tests are not comprehensive enough, so neither a cloud auditor nor a third-party auditor can directly learn whether the isolation policies and mechanisms of the multi-tenant network on the cloud platform have been broken, which hinders the secure operation of the cloud platform and the tracing of responsibility. To address these problems, the invention provides a method for testing the isolation of cloud platform tenant networks.
Disclosure of Invention
To meet the current requirement for testing cloud platform tenant network isolation, the invention provides a cloud-platform-oriented tenant network isolation testing method. By acquiring the tenant network isolation state of the running environment from the bottom layer of the cloud platform network, the method detects in real time whether the current cloud platform network isolation is abnormal, provides cloud auditors with a visual network isolation report, and provides a way to trace responsibility for security problems that the cloud tenant network service may produce.
The technical scheme adopted by the invention is a method for testing the isolation of a cloud platform tenant network, comprising the following steps:
Step one, establishing an expected cloud platform tenant network isolation matrix. The matrix covers the virtual machines VM in the tenant subnets of all tenants of the cloud platform, the application ports in those virtual machines and the connection relations between the application ports of different virtual machines; 1 denotes that the application ports of two different virtual machines communicate and 0 that they do not.
All tenants of the cloud platform are denoted by Tenant-name, a tenant subnet by subnet-name and an application port in a virtual machine by port-id.
According to the cloud platform's default network isolation policy (networks of different tenants do not communicate) and the user-defined network isolation policy (for example, that certain tenant subnets communicate with each other), an expected matrix Me containing the network isolation state of every VM on the cloud platform is generated automatically.
Step two, acquiring basic information on all tenant networks from the tenant control node and all compute nodes. First, collect from the control node database the cloud platform tenant name Tenant-name, the tenant's subnet-name and the MAC and IP addresses of all VMs, and determine the association <Tenant-name, subnet-name, MAC, IP>. Then acquire the related information on all compute nodes: the VM-name, the name of the traditional virtual bridge the VM is attached to (denoted qbr-id), the MAC address and the internal tag (denoted in-tag; VMs with the same in-tag are in the same subnet), and determine <VM-name, qbr-id, MAC, in-tag>. Joining the two tuples gives the association <Tenant-name, subnet-name, VM-name, MAC, IP, qbr-id, in-tag>.
Step three, acquiring layer-3-and-above isolation information on all tenant networks from the network node. First collect the cloud platform virtual routing information, including the virtual router names and routing rules. Since only networks attached to the same virtual router can communicate with each other, associating the IP addresses in the virtual router rules with the <subnet-name, IP> relation of step two determines whether the tenant subnets are isolated from each other.
Step four, acquiring layer-2 isolation information on the tenant subnets from the network node and the compute nodes; the compute node is used as the example, and the acquisition is the same on the network node. First obtain the virtual bridge names of the compute node, then the tags in the bridge rules. If the rules of the two bridges are the inverse of each other, the inside of the subnet is connected; associating the tags in the bridge rules with the <in-tag, VM-name> relation of step two determines the isolation between VMs of the same tenant and the same subnet.
Step five, acquiring network access information on tenants and tenant subnets from the compute nodes. First obtain the traditional bridge rules on all compute nodes, which contain the traditional bridge name qbr-id, the IP addresses appearing in the rules and the application port-id of the virtual machine; associating qbr-id with VM-name from step two determines which VM-name the current rule applies to, and associating the IP address and port-id appearing in the rule with <VM-name, IP> from step two determines the port-id isolation state between VMs.
Step six, determining the connectivity of <Tenant-name, subnet-name, VM-name, port-id> from the information acquired in steps two to five, and generating the actual cloud platform tenant network isolation matrix Ma.
Step seven, comparing the generated actual matrix Ma with the expected matrix Me. Traverse each row of the two matrices and observe whether the actual matrix differs from the expected one; any difference indicates that the cloud platform's tenant network isolation has been broken.
By comparing the actual cloud platform tenant network isolation matrix with the expected one and producing the corresponding results, the method determines the connectivity of the cloud platform's multi-tenant network, finds communication paths that do not agree with the expected network, provides cloud auditors with a real-time tenant network isolation report, and provides a way to trace responsibility for security problems that may occur in cloud tenant network services.
Drawings
Fig. 1 is a diagram of a tenant network isolation scenario on an OpenStack-based cloud platform.
Fig. 2 is a flowchart of the expected cloud platform network isolation matrix generation algorithm.
Fig. 3 is a flowchart of the actual cloud platform network isolation matrix generation algorithm.
Detailed Description
The invention is further described below with reference to the figures and the detailed description.
The method applies to cloud platforms that use network virtualization, such as those managed by CloudStack, Eucalyptus or OpenStack, whose internal network may isolate tenant traffic in VLAN (virtual local area network), GRE (generic routing encapsulation) or VXLAN (virtual extensible local area network) mode. The invention describes the cloud platform tenant network isolation test method using OpenStack, the management software with the highest market share, as the example, and applies to all of these isolation modes.
The tenant network isolation scenario of an OpenStack cloud platform is shown in Fig. 1. OpenStack manages tenant networks with the Neutron network component. Tenant denotes a tenant name, VM a virtual machine, Linux Bridge a traditional bridge, OVS Bridge a virtual switch bridge, Namespace a network namespace (network namespaces are commonly used to isolate network devices and services; only devices in the same namespace can see each other), and Br-ex the bridge connecting to the external network. In this scenario, multi-tenant network isolation is mainly realised by the Linux Bridge, the OVS Bridge and the Namespace. The Linux Bridge, the OVS Bridge and the virtual machines are deployed on every compute node; isolation between tenants, between tenant subnets and inside a tenant network is realised by the Linux Bridge, and isolation inside a tenant network by the OVS Bridge. The Namespace deployed on the network node realises isolation between tenants and between tenant subnets. Under this architecture, a security risk at any point can break the network isolation between cloud tenants and inside a tenant network.
To illustrate the practical effect of the method, a specific cloud platform environment is designed as the tested object. The tested object is as follows: assume the cloud platform has two tenants, TenantA and TenantB. TenantA creates two subnets, A1 and A2; subnet A1 creates VM1 on compute node 1 and VM2 on compute node 2, and subnet A2 creates VM3 on compute node 1 and VM4 on compute node 2. TenantB creates one subnet, B, which creates VM5 on compute node 1. Each VM has two ports, port1 and port2.
Step one: according to the cloud platform's default network isolation policy and the user-defined network isolation policy. The cloud platform's default network isolation policy is total denial, namely: different tenant networks are isolated, the different tenant subnets within each tenant network are isolated, the VMs within each tenant subnet are isolated, and the ports of each VM are isolated from one another. The cloud tenant supplies a user-defined network isolation policy; the examples of user-defined policy given by the invention are: certain subnets inside a tenant are connected, certain VMs in those connected subnets are disconnected, and certain ports of certain VMs in the connected subnets are connected.
According to the cloud platform's default network isolation policy and the user-defined network isolation policy, the expected cloud platform network isolation matrix generation algorithm getMatrixE(PlatformStra, UserStra-Subnets, UserStra-VMs, UserStra-Ports, Me) is used to obtain the expected matrix Me. Its flowchart is shown in Fig. 2. PlatformStra is the cloud platform default policy, UserStra-Subnets the user's expected subnet policy, UserStra-VMs the user's expected virtual machine policy, UserStra-Ports the user's expected application port policy, and Me the expected cloud platform network isolation matrix.
As shown in Table 1, the expected cloud platform network isolation matrix represents the isolation or connectivity status between all tenant networks, tenant subnets, tenant virtual machines and the network application ports of those virtual machines on the expected cloud platform. The first row and first column of the matrix hold the network labels of the tenants on the cloud platform; if there are n tenants, they are written $\mathrm{Tenant}_1, \ldots, \mathrm{Tenant}_n$. The second row and second column hold the tenant subnet labels; assume tenant 1 has $m_1$ subnets, written $\mathrm{subnet}_1, \ldots, \mathrm{subnet}_{m_1}$, and by analogy tenant n has $m_n$ subnets, written $\mathrm{subnet}_1, \ldots, \mathrm{subnet}_{m_n}$. The third row and third column hold the virtual machine labels; taking tenant subnet $\mathrm{subnet}_{m_n}$ as the example, assume it contains p virtual machines, written $\mathrm{VM}_1, \ldots, \mathrm{VM}_p$. The fourth row and fourth column hold the network port labels of the virtual machines; for virtual machine $\mathrm{VM}_p$ in tenant subnet $\mathrm{subnet}_{m_n}$, assume it has q application ports, written $\mathrm{port}_1, \ldots, \mathrm{port}_q$. All ports in the fourth row and fourth column are then renumbered from 1; suppose there are Q ports in total. A Q × Q matrix is then formed from the fifth row and fifth column onward. If the element $I_a$ in row i, column j of the matrix is 1, then port $\mathrm{port}_z$ of virtual machine $\mathrm{VM}_y$ in tenant subnet $\mathrm{subnet}_x$ of tenant $\mathrm{Tenant}_w$ and port $\mathrm{port}_{z'}$ of virtual machine $\mathrm{VM}_{y'}$ in tenant subnet $\mathrm{subnet}_{x'}$ of tenant $\mathrm{Tenant}_{w'}$, to which $I_a$ corresponds, are connected; if it is 0, the application ports of the two tenant subnet virtual machines are not connected.
Table 1: Expected cloud platform network isolation matrix (rendered as an image in the original; not reproduced here)
Based on the tested object, the expected cloud platform network isolation matrix Me is generated by running the algorithm according to the flow of Fig. 2; the resulting matrix Me is shown in Table 2.
Table 2: Example of the expected cloud platform network isolation matrix (rendered as an image in the original; not reproduced here)
Step two: query the database on the control node with the command mysql -u root -p; querying the ports table of the neutron database determines <Tenant-id, subnet-name, MAC, IP>, and querying the user table <Tenant-id, Tenant-name> of the keystone database then determines the association <Tenant-name, subnet-name, MAC, IP>. Run virsh list --all on every compute node to list each VM-name, and run virsh dumpxml VM-name to obtain the qbr-id of the traditional bridge (Linux Bridge) the VM is attached to and the VM's MAC address, which determines the association <VM-name, qbr-id, MAC>. The command ovs-vsctl show shows the association <qbr-id, in-tag> between the bridge id and the internal tag in-tag. Thus the association <Tenant-name, subnet-name, VM-name, MAC, IP, qbr-id, in-tag> is determined.
Copy the expected cloud platform network isolation matrix Me into the actual matrix Ma, update the Tenant-name, subnet-name and VM-name information into the actual matrix, and set all elements of the actual matrix to 0; the actual matrix at this point is denoted Ma'.
Step three: run ip netns list on the network node to obtain all Namespaces of the cloud platform; those whose names begin with qrouter usually provide the layer-3 routing service. Run ip netns exec namespace-name ip route to view the routing rules of a given Namespace, and convert each routing rule under the Namespace into the form $R = (R_s, R_d, R_a)$, where $R_s$ and $R_d$ are both 32-bit IP address fields and $R_a$ is the action of the route, 1 for allow and 0 for deny.
Traverse all Namespace rules on the network node to obtain the IP address information in the rules, associate it with the <subnet-name, IP> relation of step two, and apply the above form conversion to each routing rule to obtain the set of connectivity states between subnets. Traversing the inter-subnet connectivity state set forms the inter-subnet isolation matrix shown in Table 3:
Table 3: Subnet isolation matrix (rendered as an image in the original; not reproduced here)
In the table above, if some $R_a$ in the matrix is 1, the two tenant subnets of the tenant to which that $R_a$ corresponds are connected; if it is 0, the two tenant subnets are not connected. $R_a$ is used to update the actual cloud platform network isolation matrix, and the actual matrix at this point is denoted $R_M$.
Step four: on the nodes of the cloud platform, two bridges usually cooperate to convert the internal and external tags (in-tag, out-tag) of network packets: inside the cloud platform a packet carries the in-tag, and when it communicates with a VM on another node the in-tag must be converted into the out-tag. The internal network of the cloud platform may isolate tenant network traffic in VLAN, GRE or VXLAN mode.
First, taking VLAN mode as the example: on the compute node, list the OVS bridges (ovs-vsctl list-br) to see the current compute node's OVS Bridge names, br-int and br-eth. Running ovs-ofctl dump-flows with the bridge name shows the OVS flow table of the corresponding bridge. Each subnet corresponds to one tag number. If the br-int flow table shows the out-tag being converted into the in-tag, those rules form a chain O, and if the br-eth flow table shows the in-tag being converted into the out-tag, those rules form a chain O'. The two chains process the tags in opposite directions, which indicates that the inside of the subnet can communicate. Using the <subnet-name, VM-name, in-tag> relation of step two, each rule of the OVS flow table is converted into the form $V(\mathrm{vlan}) = (O, O', V_a)$, where $V_a$ records whether chain O' is the inverse of chain O: if it is, $V_a$ is set to 1, otherwise 0. This yields the set of V(vlan) on the compute node; the network nodes are processed in the same way to obtain their V(vlan) set. Traversing the V(vlan) sets of the compute nodes and the network nodes gives the isolation matrix between any two virtual machines in a subnet, shown in Table 4:
Table 4: Isolation matrix between any two VMs in a subnet (rendered as an image in the original; not reproduced here)
The meaning of Table 4 is: for any tenant $\mathrm{Tenant}_x$ and any of its tenant subnets $\mathrm{subnet}_y$, assume the subnet contains n virtual machines $\mathrm{VM}_1, \ldots, \mathrm{VM}_n$. If some $V_a$ in the matrix is 1, then the virtual machines $\mathrm{VM}_a$ and $\mathrm{VM}_b$ of tenant subnet $\mathrm{subnet}_y$ of tenant $\mathrm{Tenant}_x$, to which that $V_a$ corresponds, are connected; if it is 0, they are not connected. Table 4 lists only the virtual machine connectivity state within one tenant subnet; completing the virtual machine isolation state $V_a$ for all tenant subnets updates the actual cloud platform network isolation matrix, and the actual matrix at this point is denoted $V_M$.
Second, if the network mode is GRE, list the OVS bridges on the compute node (ovs-vsctl list-br) to obtain the OVS Bridge names in GRE mode, which are br-int and br-tun: br-int forwards all traffic normally and br-tun converts between the internal tag and the external tunnel tag. Run ovs-ofctl dump-flows br-tun and take the rules of its table 2 and table 20 from the output: the former holds the rules converting the internal tag into the external tunnel tag, the latter the rules converting the external tunnel tag into the internal tag. Traversing each rule of table 2 and table 20 forms the set of $V(\mathrm{vlan}) = (O, O', V_a)$ in GRE mode. Traversing the V(vlan) sets of the compute nodes and the network nodes gives the virtual machine isolation matrix within the subnet and updates the actual cloud platform network isolation matrix $V_M$.
Third, VXLAN mode is handled like GRE mode, except that the rules of table 4 and table 20 are obtained instead of those of table 2 and table 20; traversing these two tables forms the set of $V(\mathrm{vlan}) = (O, O', V_a)$ in VXLAN mode. Traversing the V(vlan) sets of the compute nodes and the network nodes gives the virtual machine isolation matrix within the subnet and updates the actual cloud platform network isolation matrix $V_M$.
Step five: run iptables --line-numbers -vnL neutron-openvswi-iXXX on the compute node, where XXX is the first nine characters of the qbr-id obtained in step two. Each policy carries source and destination IP address information, and the iptables rules are defined as $F(\mathrm{VM\text{-}name}) = (F_s, F_d, F_p, F_a)$, where $F(\mathrm{VM\text{-}name})$ denotes the iptables rule of the VM, $F_s$ and $F_d$ are the 32-bit source and destination IP addresses, $F_p$ is the application port number, and $F_a$ is the action of the iptables rule: it is set to 1 if the action is ACCEPT, meaning the port-id of the current VM and the destination VM can communicate, and 0 otherwise. Traversing all iptables rules and combining them with the <VM-name, IP, port-id> relation of step two creates the iptables rule table of the VM, giving the matrix shown in Table 5:
Table 5: Isolation matrix between the application ports of arbitrary virtual machines (rendered as an image in the original; not reproduced here)
The meaning of Table 5 is: for any tenant $\mathrm{Tenant}_x$, any of its tenant subnets $\mathrm{subnet}_y$ and any virtual machine $\mathrm{VM}_z$ in it, assume the virtual machine has n network application ports $\mathrm{port}_1, \ldots, \mathrm{port}_n$. If some $F_a$ in the matrix is 1, then ports $\mathrm{port}_a$ to $\mathrm{port}_b$ of virtual machine $\mathrm{VM}_z$ in tenant subnet $\mathrm{subnet}_y$ of tenant $\mathrm{Tenant}_x$, to which that $F_a$ corresponds, are connected; if it is 0, the two application ports are not connected. Table 5 lists only the application port connectivity state within one tenant virtual machine; completing the application port isolation state $F_a$ for all tenants, subnets and virtual machines updates the port connectivity state of the virtual machines in all tenants' subnets into the actual cloud platform network isolation matrix, and the actual matrix at this point is denoted $F_M$.
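Step five's rule conversion as an added example (not the patent's own code): it parses a constructed listing of one VM's neutron-openvswi-i chain into F(VM-name) = (Fs, Fd, Fp, Fa) tuples and derives that VM's Table 5 entries. The VM names, IP addresses, qbr-id prefixes and chain contents are constructed, and entries are keyed by destination application port because that is what the iptables rules match on.

```python
"""Step five of the description: convert a VM's iptables ingress chain into F(VM-name) =
(Fs, Fd, Fp, Fa) tuples and derive that VM's Table 5 port-isolation entries."""
import ipaddress
import re

# Constructed step-two associations: <VM-name, IP> and the first nine characters of each
# VM's qbr-id (placeholder values, not from the page), plus the VMs' application port-ids.
VM_IP = {"VM1": "10.0.1.11", "VM2": "10.0.1.12", "VM3": "10.0.2.13",
         "VM4": "10.0.2.14", "VM5": "10.0.9.15"}
QBR_PREFIX = {"7f3a1c2e9": "VM1", "c41d8e0b2": "VM2"}
PORT_ID = {22: "port1", 80: "port2"}

# Constructed output of `iptables --line-numbers -vnL neutron-openvswi-i7f3a1c2e9` on compute
# node 1, i.e. the chain in front of VM1's Linux bridge port.
SAMPLE_CHAIN = """\
Chain neutron-openvswi-i7f3a1c2e9 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2       12   720 RETURN     tcp  --  *      *       10.0.1.12            0.0.0.0/0            tcp dpt:22
3        0     0 RETURN     tcp  --  *      *       10.0.9.0/24          0.0.0.0/0            multiport dports 80,443
4        3   180 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
5        0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Columns: num pkts bytes target prot opt in out source destination [match extras]
RULE_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")
# ACCEPT as the description states; Neutron's generated chains hand accepted packets back with RETURN.
ALLOW_TARGETS = {"ACCEPT", "RETURN"}


def parse_chain(text):
    """Return (chain name, [(Fs, Fd, Fp, Fa), ...]) in chain order. Fs and Fd are ip_network
    objects (a bare address becomes a /32), Fp is a frozenset of destination ports or None for
    any port, and Fa is 1 for an allowing target and 0 otherwise (the fallback chain drops).
    Rules that match only a connection state other than NEW are skipped: they never open a
    new flow, so they say nothing about which ports are reachable."""
    chain, rules = None, []
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target, src, dst, extra = m.groups()
        state = re.search(r"(?:ct)?state\s+(\S+)", extra)
        if state and "NEW" not in state.group(1).split(","):
            continue
        ports = re.search(r"dpt:(\d+)|dports\s+([\d,]+)", extra)
        fp = frozenset(int(p) for p in (ports.group(1) or ports.group(2)).split(",")) if ports else None
        rules.append((ipaddress.ip_network(src), ipaddress.ip_network(dst), fp,
                      int(target in ALLOW_TARGETS)))
    return chain, rules


def vm_of_chain(chain, qbr_prefix=QBR_PREFIX):
    """Step two association in reverse: the chain suffix is the first nine characters of the qbr-id."""
    return qbr_prefix[chain[len("neutron-openvswi-i"):]]


def table5_entries(rules, dst_vm, vm_ip=VM_IP, port_id=PORT_ID):
    """Table 5 entries for dst_vm: {(src VM-name, dst VM-name, port-id): Fa}. The chain is walked
    in order as the kernel does: the first rule whose Fs covers the source VM's IP and whose Fp
    covers the port decides, so an earlier DROP beats a later allow; no match is the default deny.
    Fd is not consulted because an ingress chain's destination is the VM itself (0.0.0.0/0)."""
    entries = {}
    for src_vm, ip in vm_ip.items():
        if src_vm == dst_vm:
            continue
        src = ipaddress.ip_address(ip)
        for port, pid in port_id.items():
            verdict = 0
            for fs, _fd, fp, fa in rules:
                if src in fs and (fp is None or port in fp):
                    verdict = fa
                    break
            entries[(src_vm, dst_vm, pid)] = verdict
    return entries


if __name__ == "__main__":
    chain, rules = parse_chain(SAMPLE_CHAIN)
    for key, fa in sorted(table5_entries(rules, vm_of_chain(chain)).items()):
        print(key, "connected" if fa else "isolated")
```

In this constructed chain the entry (VM5, VM1, port2) comes out as 1, which is the kind of cross-tenant connection the worked case of step seven detects.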
Step six: the actual cloud platform network isolation matrix generation algorithm getMatrix(Ma', $R_M$, $V_M$, $F_M$, Ma) performs an AND operation over the matrices Ma', $R_M$, $V_M$ and $F_M$ of steps two to five to obtain the actual cloud platform network isolation matrix Ma. The algorithm flow is shown in Fig. 3, where Ma', $R_M$, $V_M$ and $F_M$ are the matrices updated in steps two, three, four and five respectively, and Ma is the actual cloud platform network isolation matrix.
Assuming the tenant network isolation state of the tested object has been broken, the actual cloud platform network isolation matrix Ma generated from the tested object according to the flow of Fig. 3 is shown in Table 6. The italicised entries differ from the expected matrix, which means the tenant network isolation state is detected as broken.
Table 6: Example of the actual cloud platform network isolation matrix (rendered as an image in the original; not reproduced here)
Step seven: by comparing the expected matrix with the actual matrix, the tenant network isolation problem can be located from the tenant, subnet, virtual machine and application port that correspond to the changed matrix elements. Broken isolation between different tenant networks results from tampering with some or all of the configuration of steps three, four and five; broken isolation between different subnets of the same tenant from tampering with some or all of the configuration of steps three and five; broken isolation between different virtual machines of the same subnet from tampering with the configuration of step four; and broken isolation between different network applications from tampering with the configuration of step five.
As shown in Table 6, assuming the tenant network isolation state of the tested object has been broken, the italicised part of the Ma matrix for the tested object is the difference between the actual matrix and the expected matrix and indicates that the tenant network isolation state is detected as broken. From it the following can be found: an unknown VM has joined subnet A1 of tenant A, which shows that the tenant network isolation is broken and locates the problem to step two, i.e. the access device has been attacked; VM1 of subnet A1 of tenant A and VM5 of subnet B of tenant B should be isolated but are now connected, which shows that the tenant network isolation is broken and locates the problem to steps two, three, four and five, i.e. some or all of the access device, virtual routing device, virtual switching device and virtual firewall device have been attacked; VM1 of subnet A1 and VM4 of subnet A2 of tenant A should be isolated but are now connected, which shows that the tenant subnet isolation is broken and locates the problem to steps three and five, i.e. some or all of the virtual switching device and virtual firewall device have been attacked; VM3 and VM4 of subnet A2 of tenant A should be connected but are now isolated, which shows that the tenant virtual machine connectivity is broken and locates the problem to step four, i.e. the virtual switching device has been attacked; port1 of VM1 and port1 of VM2 of subnet A1 of tenant A should be connected but are now isolated, which shows that the network port connectivity of the tenant virtual machines is broken and locates the problem to step five, i.e. the virtual firewall device has been attacked.
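The seven-step comparison on the tested object, as an added example that is not part of the patent: it builds Me from the total-deny default plus a user policy, builds Ma as the AND of the step-three, step-four and step-five layers, and reports each mismatch at tenant, subnet, VM or port level with the steps that step seven holds responsible. The policy layout, the observed per-layer sets and the rule that separates VM-level from port-level findings are assumptions of this example.

```python
"""Expected (Me) and actual (Ma) tenant network isolation matrices and their comparison."""
from collections import defaultdict

PORTS = ("port1", "port2")
# Constructed tested object from the description: TenantA owns subnets A1 (VM1, VM2) and
# A2 (VM3, VM4); TenantB owns subnet B (VM5); every VM exposes port1 and port2.
TOPOLOGY = {"TenantA": {"A1": ["VM1", "VM2"], "A2": ["VM3", "VM4"]},
            "TenantB": {"B": ["VM5"]}}
A1, A2, B = ("TenantA", "A1"), ("TenantA", "A2"), ("TenantB", "B")


def pk(subnet, vm, port):
    """Port key (tenant, subnet, vm, port): one row/column label of Me and Ma."""
    return (*subnet, vm, port)


def vk(subnet, vm):
    """VM key (tenant, subnet, vm)."""
    return (*subnet, vm)


def pairs(topology):
    """Unordered port-key pairs (a before b); the matrices are symmetric, so one triangle suffices."""
    keys = [(t, s, v, p) for t, subs in topology.items()
            for s, vms in subs.items() for v in vms for p in PORTS]
    return [(a, b) for i, a in enumerate(keys) for b in keys[i + 1:]]


def expected_matrix(topology, policy):
    """Step one: the platform's total-deny default, opened only where the user policy allows.
    Policy layout (an assumption of this example, not the patent's getMatrixE arguments):
      'subnets': connected subnet pairs as frozenset({(tenant, subnet), ...}); a one-element
                 set declares that the VMs inside that subnet may talk to each other
      'vms_off': VM-key pairs inside connected subnets that must stay isolated
      'ports':   port-key pairs that are connected"""
    me = {}
    for a, b in pairs(topology):
        subnets_ok = frozenset({a[:2], b[:2]}) in policy["subnets"]
        vms_ok = frozenset({a[:3], b[:3]}) not in policy["vms_off"]
        ports_ok = frozenset({a, b}) in policy["ports"]
        me[(a, b)] = int(subnets_ok and vms_ok and ports_ok)
    return me


def actual_matrix(topology, r_set, v_set, f_set):
    """Steps two to six: Ma' starts at 0 over the observed topology and becomes 1 only where the
    route layer R (step three), the intra-subnet bridge/flow layer V (step four) and the
    iptables port layer F (step five) all allow the pair, i.e. the AND of the per-layer results.
    Each *_set holds frozenset pairs observed as connected; a same-subnet pair needs no R entry,
    V only applies inside one subnet, and two ports of one VM need no V entry."""
    ma = {}
    for a, b in pairs(topology):
        same_subnet, same_vm = a[:2] == b[:2], a[:3] == b[:3]
        r = same_subnet or frozenset({a[:2], b[:2]}) in r_set
        v = not same_subnet or same_vm or frozenset({a[:3], b[:3]}) in v_set
        f = frozenset({a, b}) in f_set
        ma[(a, b)] = int(r and v and f)
    return ma


# Step seven: the steps whose configuration the description holds responsible at each level.
RESPONSIBLE = {"tenant": "steps three, four and five", "subnet": "steps three and five",
               "vm": "step four", "port": "step five", "unknown VM": "step two"}


def compare(me, ma):
    """Traverse Ma against Me; return (a, b, expected, actual, level, responsible steps) per
    differing element. A port of a VM absent from Me is an unknown VM on the subnet (step two).
    Assumption: a same-subnet deviation covering every port pair of two VMs is VM-level
    (step four); one covering only some port pairs is port-level (step five)."""
    diffs = {k: (me.get(k), ma[k]) for k in ma if me.get(k) != ma[k]}
    by_vm = defaultdict(int)
    for a, b in diffs:
        by_vm[(a[:3], b[:3])] += 1
    findings = []
    for (a, b), (exp, act) in sorted(diffs.items()):
        if exp is None:
            level = "unknown VM"
        elif a[0] != b[0]:
            level = "tenant"
        elif a[1] != b[1]:
            level = "subnet"
        elif by_vm[(a[:3], b[:3])] == len(PORTS) ** 2:
            level = "vm"
        else:
            level = "port"
        findings.append((a, b, exp, act, level, RESPONSIBLE[level]))
    return findings


# Constructed user policy for the tested object: VM1 port1 and VM2 port1 in A1 are connected,
# VM3 and VM4 in A2 are fully connected, everything else keeps the default deny.
USER_POLICY = {
    "subnets": {frozenset({A1}), frozenset({A2})},
    "vms_off": set(),
    "ports": {frozenset({pk(A1, "VM1", "port1"), pk(A1, "VM2", "port1")})}
             | {frozenset({pk(A2, "VM3", p), pk(A2, "VM4", q)}) for p in PORTS for q in PORTS},
}
# Constructed observation of the damaged tested object (the worked case of step seven): a route
# now links A1 with B and with A2, the VM3/VM4 flow rules are gone, VM1<->VM2 port1 is dropped.
OBSERVED_R = {frozenset({A1, B}), frozenset({A1, A2})}
OBSERVED_V = {frozenset({vk(A1, "VM1"), vk(A1, "VM2")})}
OBSERVED_F = ({frozenset({pk(A1, "VM1", "port1"), pk(B, "VM5", "port1")}),
               frozenset({pk(A1, "VM1", "port1"), pk(A2, "VM4", "port1")})}
              | {frozenset({pk(A2, "VM3", p), pk(A2, "VM4", q)}) for p in PORTS for q in PORTS})

if __name__ == "__main__":
    me = expected_matrix(TOPOLOGY, USER_POLICY)
    ma = actual_matrix(TOPOLOGY, OBSERVED_R, OBSERVED_V, OBSERVED_F)
    for a, b, exp, act, level, steps in compare(me, ma):
        print(f"{'/'.join(a)} <-> {'/'.join(b)}: expected {exp}, actual {act} ({level}; {steps})")
```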
Therefore, after adopting this method and system, a cloud or third-party auditor can accurately detect whether any condition violates the current cloud platform tenant network isolation policy, quickly locate the source of the problem, and thereby support tracing responsibility and resolving the problem in a timely manner.

Claims (1)

1. A cloud platform tenant network isolation test method, characterized in that it comprises the following steps:
step one, establishing an expected cloud platform tenant network isolation matrix; the matrix comprises the virtual machines VM in the tenant subnets of all tenants of the cloud platform, the application ports in the virtual machines, and the connection relations between the application ports of different virtual machines; 1 represents that the application ports of two different VMs can communicate, and 0 represents that they cannot;
all tenants of the cloud platform are represented by Tenant-name, a tenant subnet is represented by subnet-name, and an application port in a virtual machine is represented by port-id;
an expected matrix Me containing the network isolation states of all VMs on the cloud platform is generated automatically according to the default network isolation policy of the cloud platform and the user-defined network isolation policy;
step two, acquiring basic information about all tenant networks on the control node and all computing nodes; firstly, collecting from the control node database the cloud platform tenant name Tenant-name, the tenant subnet name subnet-name, and the MAC addresses and IP addresses of all VMs, and determining the association among Tenant-name, subnet-name, MAC and IP; then acquiring related information on all computing nodes, comprising the VM-name, the name of the traditional virtual bridge to which the VM is attached, represented by qbr-id, the MAC address, and the internal tag, represented by in-tag, where VMs with the same in-tag are in the same subnet, and determining < VM-name, qbr-id, MAC, in-tag >; finally determining the relation < Tenant-name, subnet-name, VM-name, MAC, IP, qbr-id, in-tag > by joining the two tuples;
step three, acquiring the layer-three-and-above network isolation information of all tenant networks on the network node; firstly, collecting the virtual routing information of the cloud platform, comprising the virtual router names and the routing rules; since only networks connected to the same virtual router can reach each other, associating the IP addresses in the virtual router rules with the relation between subnet-name and IP from step two determines whether the tenant subnets are isolated;
step four, acquiring the layer-two isolation information of the tenant subnets on the network node and the computing nodes, where the acquisition method is the same on the network node and on the computing nodes; firstly acquiring the virtual bridge name of the computing node, then acquiring the tags in the bridge rules; if two bridge rules are mutually reversible, the interior of the subnet is interconnected, and the isolation between VMs of the same tenant and the same subnet is determined by associating the tags of the bridge rules with the relation between in-tag and VM-name from step two;
step five, acquiring the network access information of tenants and tenant subnets on the computing nodes; firstly acquiring the traditional bridge rules on all computing nodes, comprising the traditional bridge name qbr-id, the IP addresses appearing in the rules and the application port-id of the virtual machine; associating qbr-id with VM-name from step two determines the VM-name to which the current rule applies; associating the IP address and port-id appearing in the rule with < VM-name, IP > from step two determines the port-id isolation condition between VMs;
step six, determining the connectivity of < Tenant-name, subnet-name, VM-name, port-id > according to the information acquired in steps two to five, and generating the actual cloud platform tenant network isolation matrix Ma;
step seven, comparing the generated actual cloud platform tenant network isolation matrix Ma with the expected matrix Me; traversing each row of the two matrices and observing whether the actual matrix has changed relative to the expected matrix; any change indicates that the tenant network isolation of the cloud platform has been broken;
by comparing the actual cloud platform tenant network isolation matrix with the expected matrix and generating the corresponding results, the communication state of the cloud platform's multi-tenant network can be determined, so that communication paths inconsistent with the expected network are found, a real-time cloud platform tenant network isolation report is provided to the cloud auditor, and a way of tracing responsibility is provided for security problems that may occur in cloud tenant network services.
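As an added example (not the patent's own code), the following Python models the Me and Ma matrices of steps one and six as port-level 0/1 matrices and applies the step-seven comparison and localization rules from the description and the claims, with the Table 6 scenario rebuilt as constructed sample data. The step labels, the tenant and VM names, and the rule that a VM-level break means every port pair between two VMs changed (otherwise it is a port-level break) are assumptions.

```python
from itertools import combinations
# Endpoint = (Tenant-name, subnet-name, VM-name, port-id), the tuple step six
# resolves before filling the matrix (added example, not the patent's code).
def build_matrix(endpoints, connected):
    """Symmetric 0/1 matrix over ports of different VMs: {frozenset({a, b}): 0|1}."""
    return {frozenset(p): int(frozenset(p) in connected)
            for p in combinations(endpoints, 2) if p[0][:3] != p[1][:3]}

def compare(me, ma):
    """Traverse Ma against Me and localize each changed entry (step seven)."""
    known = {e for key in me for e in key}
    # An endpoint in Ma but not in Me is an unknown VM attached to a subnet; the
    # patent's Table 6 example blames the access device (step two).
    findings = [(e, None, "unknown VM attached", ("step2",))
                for e in sorted({e for key in ma for e in key} - known)]
    changed = {k for k, v in me.items() if ma.get(k, 0) != v}
    # Port pairs per VM pair: every pair changed means a VM-level break (step
    # four); only a subset changed means an application-port break (step five).
    total, broken = {}, {}
    for k in me:
        vm = frozenset(e[:3] for e in k)
        total[vm] = total.get(vm, 0) + 1
        broken[vm] = broken.get(vm, 0) + (k in changed)
    for k in sorted(changed, key=sorted):
        a, b = sorted(k)
        kind = "isolation broken" if ma.get(k) == 1 else "connectivity broken"
        vm = frozenset((a[:3], b[:3]))
        if a[0] != b[0]:
            level, steps = "tenant isolation", ("step3", "step4", "step5")
        elif a[1] != b[1]:
            level, steps = "subnet isolation", ("step3", "step5")
        elif broken[vm] == total[vm]:
            level, steps = "VM isolation", ("step4",)
        else:
            level, steps = "port isolation", ("step5",)
        findings.append((a, b, f"{level}: {kind}", steps))
    return findings
# Constructed sample modelled on the patent's Table 6 narrative (assumed names).
A1_VM1_P1, A1_VM1_P2 = ("A", "A1", "VM1", "port1"), ("A", "A1", "VM1", "port2")
A1_VM2_P1, A1_VM2_P2 = ("A", "A1", "VM2", "port1"), ("A", "A1", "VM2", "port2")
A2_VM3, A2_VM4 = ("A", "A2", "VM3", "port1"), ("A", "A2", "VM4", "port1")
B_VM5 = ("B", "B", "VM5", "port1")
KNOWN = [A1_VM1_P1, A1_VM1_P2, A1_VM2_P1, A1_VM2_P2, A2_VM3, A2_VM4, B_VM5]
# Isolation policy (step one): ports may only talk within their own subnet.
POLICY = {frozenset(p) for p in combinations(KNOWN, 2) if p[0][:2] == p[1][:2]}
ME = build_matrix(KNOWN, POLICY)
UNKNOWN = ("A", "A1", "unknownVM", "port1")
# Observed state: two expected links lost, two forbidden links present, one rogue VM.
ACTUAL = (POLICY - {frozenset((A1_VM1_P1, A1_VM2_P1)), frozenset((A2_VM3, A2_VM4))}
          | {frozenset((A1_VM1_P1, B_VM5)), frozenset((A1_VM1_P1, A2_VM4)), frozenset((UNKNOWN, A1_VM2_P1))})
MA = build_matrix(KNOWN + [UNKNOWN], ACTUAL)
FINDINGS = compare(ME, MA)
```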
CN201810024453.6A 2018-01-10 2018-01-10 Cloud platform tenant network isolation test method Active CN107959689B (en)

Publications (2)

Publication Number Publication Date
CN107959689A CN107959689A (en) 2018-04-24
CN107959689B true CN107959689B (en) 2020-09-25


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant