CN109040101A - Method for implementing multi-tenant use of different security services based on the OpenFlow protocol - Google Patents


Info

Publication number: CN109040101A
Application number: CN201810978545.8A
Authority: CN (China)
Prior art keywords: tenant, service, virtual switch, openflow, secure
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 张太成, 张仝营
Current assignee: Beijing An Information Technology Co Ltd
Original assignee: Beijing An Information Technology Co Ltd
Priority date: 2018-08-27
Filing date: 2018-08-27
Publication date: 2018-12-18

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/20  Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205  Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a method, based on the OpenFlow protocol, by which multiple tenants use different security services. It comprises the following steps: (1) use one server as the hardware of a security resource pool; (2) create a virtual switch and configure it so that its packet forwarding is controlled by OpenFlow flow tables; (3) attach the server's physical NICs to the virtual switch and create several security virtual machines, each of which has two service virtual NICs attached to the virtual switch; (4) configure the service virtual NICs inside each security virtual machine in bridge mode; (5) treat each security virtual machine as one security service and compose one or more security services into a service chain. Using SDN technology, several security services can be provided to the same tenant at once, and the differing security-service requirements of different tenants can be met simultaneously.

Description

Method for implementing multi-tenant use of different security services based on the OpenFlow protocol
Technical field
The present invention relates to the field of network information security, and in particular to a method for implementing, in a cloud environment, the use of different security services by multiple tenants.
Background technique
With the development of cloud computing and cloud security, cloud customers' requirements for cloud security keep rising. They no longer only require security vendors to satisfy functional security needs; they increasingly require solutions to the problems of today's multi-tenant environments: security devices are scattered, each security service is a single function, and security services cannot be combined flexibly. The virtual security service chain is a new concept in cloud security. In existing service-chain technology the security service is a single function, the protection mode is not flexible, and in multi-tenant scenarios the chain depends heavily on the network technology used by the protected objects, for example by requiring VXLAN. How to build a virtualized network-security-service resource pool on the OpenFlow protocol, using virtualization and SDN to bring together all kinds of security products so as to provide rich security service chains and flexibly satisfy the different security-service requirements of multiple tenants, is therefore a technical problem that this field needs to solve.
Summary of the invention
The present invention provides a method, based on the OpenFlow protocol, for letting multiple tenants use different security services. It uses virtualization and OpenFlow to bring together all kinds of security products, provides rich security service chains, and flexibly satisfies the different security-service requirements of multiple tenants. The specific technical solution of the invention is as follows:
A method for implementing multi-tenant use of different security services based on the OpenFlow protocol, characterized in that it comprises the following steps:
(1) use one server as the hardware of the security resource pool; install on the server a Linux system that supports virtualization and OpenFlow; the server has at least two physical NICs;
(2) create a virtual switch and configure it so that its packet forwarding is controlled by OpenFlow flow tables;
(3) attach the server's physical NICs to the virtual switch and create several security virtual machines, each of which has two service virtual NICs attached to the virtual switch;
(4) configure the service virtual NICs inside each security virtual machine in bridge mode; using the command provided by the virtual switch, query the port number that the virtual switch associates with each service virtual NIC of each security virtual machine, and record it;
(5) treat each security virtual machine as one security service and compose one or more security services into a service chain; distinguish tenants by a network identifier carried in the packet. When all tenants use the same security service chain, use the OpenFlow protocol to issue flow entries keyed on the recorded port numbers, which uniquely identify the NICs on the virtual switch, specifying that a packet entering from one physical NIC traverses the service chain and leaves from the other physical NIC. When different tenants use different service chains, use the OpenFlow protocol to place the flow entries of each service chain in a different flow table, and set up a default flow table that jumps all packets carrying the same tenant identifier to the same flow table.
Further, the server has two physical NICs: one physical NIC connects to the external network and the other connects to the user network that requires protection.
Further, there are 2 to 10 security virtual machines.
Further, the network identifier is the tenant's IP address, subnet, VLAN, port number, or a combination of these.
The beneficial effect of the present invention is that, using virtualization and SDN technology, one security-service resource pool can integrate arbitrary security devices, provide several security services to the same tenant at once, and simultaneously satisfy the different security-service requirements of different tenants.
Detailed description of the drawings
Fig. 1 is a schematic diagram of the principle of the method of the invention for implementing multi-tenant use of different security services based on the OpenFlow protocol;
Fig. 2 is a schematic diagram of the packet path structure of the method of the invention for implementing multi-tenant use of different security services based on the OpenFlow protocol.
Specific embodiment
The present invention is further explained below with reference to the drawings.
Fig. 1 is a schematic diagram of the principle of the method of the invention for implementing multi-tenant use of different security services based on the OpenFlow protocol. The method comprises the following steps:
(1) use one server as the hardware of the security resource pool; install on the server a Linux system that supports virtualization and OpenFlow; the server has two physical NICs, one connected to the external network and one connected to the protected service network. Depending on the deployment scenario, the external network and the protected service network can be attached through conventional network equipment such as a router or a physical switch.
(2) create a virtual switch and configure it so that its packet forwarding is controlled by OpenFlow flow tables;
(3) attach the two physical NICs of the server to the virtual switch and create several security virtual machines; this embodiment uses three security virtual machines, A, B and C, as an example, and more security virtual machines can be created as needed when implementing the invention. Each security virtual machine has two service virtual NICs attached to the virtual switch, and each security virtual machine is treated as one security service;
(4) configure the service virtual NICs inside each security virtual machine in bridge mode, that is, the two service virtual NICs of the virtual machine are connected directly inside the virtual machine: a packet entering through service virtual NIC 1 leaves through service virtual NIC 2, and likewise a packet entering through service virtual NIC 2 leaves through service virtual NIC 1. Using the command provided by the virtual switch, query the port number that the virtual switch associates with each service virtual NIC of each security virtual machine, and record it;
(5) compose one or more security services into a service chain; in this embodiment the chains A+B, A+C, B+C and A+B+C are available. Tenants are distinguished by the IP address, VLAN, subnet, port number or a combination of these carried in the packet. When all tenants use the same security service chain, use the OpenFlow protocol to issue flow entries keyed on the recorded port numbers, which uniquely identify the service virtual NICs on the virtual switch, specifying that a packet entering from one physical NIC traverses the service chain and leaves from the other physical NIC. When different tenants use different service chains, use the OpenFlow protocol to place the flow entries of each service chain in a different flow table, and set up a default flow table that jumps all packets carrying the same tenant identifier to the same flow table.
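Step (4) above says to query the virtual switch for the port number of each service virtual NIC and record it. The following is an added example, not code from the patent: it builds that record from the output of `ovs-ofctl show`, assuming Open vSwitch is the virtual switch. The bridge name br-sec, the interface names vnet-X-1/vnet-X-2 and the sample output are constructed for the example. It also refuses to produce a record when a security VM is missing one of its two NICs, which is the failure worth catching before any flow entry is written.

```python
"""Added example (not the applicant's code): the port-number record of step (4).
Open vSwitch is assumed as the virtual switch; the `ovs-ofctl show` output below
is constructed for the example."""
import re

# Constructed sample of `ovs-ofctl show br-sec` output (per-port detail abridged).
SAMPLE_SHOW = """\
OFPT_FEATURES_REPLY (xid=0x2): dpid:0000aabbccddeeff
n_tables:254, n_buffers:0
capabilities: FLOW_STATS TABLE_STATS PORT_STATS QUEUE_STATS ARP_MATCH_IP
actions: output enqueue set_vlan_vid set_vlan_pcp strip_vlan mod_dl_src mod_dl_dst
 1(eth1): addr:52:54:00:10:00:01
     config:     0
     state:      0
 2(eth2): addr:52:54:00:10:00:02
     config:     0
     state:      0
 3(vnet-A-1): addr:fe:54:00:aa:00:01
     config:     0
     state:      0
 4(vnet-A-2): addr:fe:54:00:aa:00:02
     config:     0
     state:      0
 5(vnet-B-1): addr:fe:54:00:bb:00:01
     config:     0
     state:      0
 6(vnet-B-2): addr:fe:54:00:bb:00:02
     config:     0
     state:      0
 LOCAL(br-sec): addr:52:54:00:10:00:00
     config:     PORT_DOWN
     state:      LINK_DOWN
OFPT_GET_CONFIG_REPLY (xid=0x4): frags=normal miss_send_len=0
"""

# " 3(vnet-A-1): addr:..." -> ofport 3, interface vnet-A-1.  The LOCAL port
# carries no number and is never part of a chain, so the regex skips it.
PORT_LINE = re.compile(r"^\s*(\d+)\((\S+)\): addr:", re.M)


def parse_ofports(show_output):
    """Map interface name -> OpenFlow port number from `ovs-ofctl show` output."""
    return {name: int(num) for num, name in PORT_LINE.findall(show_output)}


def missing_nics(ofports, physical, vms, nic_fmt="vnet-{vm}-{side}"):
    """NICs the chain needs (both physical NICs, NIC 1 and 2 of every security
    VM) that are not attached to the bridge."""
    wanted = list(physical) + [nic_fmt.format(vm=vm, side=s)
                               for vm in vms for s in ("1", "2")]
    return [nic for nic in wanted if nic not in ofports]


def chain_port_record(ofports, physical, vms, nic_fmt="vnet-{vm}-{side}"):
    """The record of step (4), keyed the way the chain logic names the NICs
    (eth1, eth2, A-1, A-2, ...).  Fails loudly if a NIC is missing: a flow entry
    that outputs to an absent port would silently blackhole the whole chain."""
    missing = missing_nics(ofports, physical, vms, nic_fmt)
    if missing:
        raise ValueError("not attached to the bridge: " + ", ".join(missing))
    record = {nic: ofports[nic] for nic in physical}
    for vm in vms:
        for side in ("1", "2"):
            record[f"{vm}-{side}"] = ofports[nic_fmt.format(vm=vm, side=side)]
    return record


if __name__ == "__main__":
    ports = parse_ofports(SAMPLE_SHOW)
    print(chain_port_record(ports, ["eth1", "eth2"], ["A", "B"]))
```

On a live host the same numbers can be read one interface at a time with `ovs-vsctl get Interface vnet-A-1 ofport`; the record should be regenerated whenever a security VM is recreated, because libvirt-style vnet interfaces get a fresh name and ofport each time the VM starts.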
Fig. 2 is a schematic diagram of the packet path structure of the method of the invention for implementing multi-tenant use of different security services based on the OpenFlow protocol. Specifically, the method comprises the following steps:
(1) prepare one server as the hardware of the security resource pool; install on the server a Linux system that supports virtualization and OpenFlow; the server has two physical NICs available, one linking the external network and one linking the protected tenant network.
(2) create a virtual switch and configure it so that its packet forwarding is controlled by OpenFlow flow tables.
(3) attach the two physical ports reserved on the server for the security virtual machines to the virtual switch, and create security virtual machines A, B and C; each of A, B and C needs two service virtual NICs attached to the same virtual switch. This embodiment uses three security virtual machines as an example; more security virtual machines can be created as needed when implementing the invention.
(4) configure the service virtual NICs inside each security virtual machine in bridge mode, so that a packet entering the security virtual machine through service virtual NIC 1 can leave through service virtual NIC 2.
(5) using the command provided by the virtual switch, query the port number that the virtual switch associates with each service virtual NIC of each virtual machine, and record it.
(6) treat each security virtual machine as one security service providing its protection function; one or more security services form a service chain. Tenants can be distinguished by IP address, subnet, VLAN and so on. Specifically:
A. All tenants use the same security service chain. For example, in this embodiment all tenants use the A+B security service chain. Using the OpenFlow protocol, flow entries are issued keyed on the port numbers recorded above, which uniquely identify the NICs on the virtual switch:
a. a packet arriving from physical NIC eth1 is sent into service virtual NIC A-1 of security service A; a packet leaving service virtual NIC A-2 of security service A is sent into service virtual NIC B-1 of security service B; a packet leaving service virtual NIC B-2 of security service B is sent out of physical NIC eth2.
b. in the reverse direction: a packet arriving from physical NIC eth2 is sent into service virtual NIC B-2 of security service B; a packet leaving service virtual NIC B-1 of security service B is sent into service virtual NIC A-2 of security service A; a packet leaving service virtual NIC A-1 of security service A is sent out of physical NIC eth1.
This completes the construction of a service chain in which all tenants receive security services A and B. The services in the chain are fully customizable: A and B, A and C, any combination of A, B and C, or a single one of them.
B. Different tenants use different service chains; tenants distinguished by IP address are taken as the example.
Tenant 1 uses the A+B security service chain: a packet arriving from physical NIC eth1 is sent into service virtual NIC A-1 of security service A; a packet leaving service virtual NIC A-2 of security service A is sent into service virtual NIC B-1 of security service B; a packet leaving service virtual NIC B-2 of security service B is sent out of physical NIC eth2.
Tenant 2 uses the A+C service chain: a packet arriving from physical NIC eth1 is sent into service virtual NIC A-1 of security service A; a packet leaving service virtual NIC A-2 of security service A is sent into service virtual NIC C-1 of security service C; a packet leaving service virtual NIC C-2 of security service C is sent out of physical NIC eth2.
Flow entries are issued using the OpenFlow protocol as follows:
a. as in step A, the flow entries of the A+B service chain are placed in table1 and the flow entries of the A+C service chain are placed in table2.
b. configuration in table0 (the default table): all packets carrying an IP address belonging to tenant 1 jump to table1 and are processed by table1; all packets carrying an IP address belonging to tenant 2 jump to table2 and are processed by table2.
In this way, the function of multiple tenants using different security services is realized.
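The flow-table design of step (6) above, and of step (5) of the Fig. 1 embodiment, as an added example that is not the applicant's code: a small model of the pipeline that generates the entries for both cases (one chain for everyone in table 0; per-tenant dispatch from table 0 into table1/table2), renders them as `ovs-ofctl` commands assuming Open vSwitch, and traces a packet through the chain in both directions. The bridge name br-sec, the port numbers, and the tenant prefixes 10.1.0.0/24 and 10.2.0.0/24 are assumptions; the patent only says tenants are told apart by IP.

```python
"""Model of the two-level OpenFlow pipeline in step (6): table 0 dispatches on
tenant IP prefix, tables 1..n steer traffic through a service chain.
Added example, not the applicant's code; port numbers and prefixes are assumed."""
import ipaddress

# Assumed OpenFlow port numbers (the record of step (5)); eth1 = external
# network, eth2 = protected tenant network, X-1/X-2 = service NICs of VM X.
PORTS = {"eth1": 1, "eth2": 2,
         "A-1": 3, "A-2": 4, "B-1": 5, "B-2": 6, "C-1": 7, "C-2": 8}
NAMES = {num: name for name, num in PORTS.items()}
PHYSICAL = {"eth1", "eth2"}


def chain_flows(table, chain, outer="eth1", inner="eth2"):
    """Entries carrying a packet from `outer` through every VM in `chain` to
    `inner`, plus the mirrored entries for the return direction."""
    hops = [outer] + [f"{vm}-{side}" for vm in chain for side in ("1", "2")] + [inner]
    pairs = list(zip(hops[0::2], hops[1::2]))              # (eth1,A-1) (A-2,B-1) (B-2,eth2)
    pairs += [(dst, src) for src, dst in reversed(pairs)]  # (eth2,B-2) (B-1,A-2) (A-1,eth1)
    return [{"table": table, "priority": 10, "match": {"in_port": PORTS[src]},
             "actions": [f"output:{PORTS[dst]}"]} for src, dst in pairs]


def dispatch_flows(tenants):
    """Default-table entries: a packet whose source or destination address lies
    in a tenant prefix jumps to that tenant's chain table.  Matching nw_dst as
    well is what lets the return direction reach the same chain."""
    flows = []
    for table, prefix in tenants.items():
        net = ipaddress.ip_network(prefix)
        for key in ("nw_src", "nw_dst"):
            flows.append({"table": 0, "priority": 100, "match": {key: net},
                          "actions": [f"goto_table:{table}"]})
    return flows


def to_ovs(flow, bridge="br-sec"):
    """Render one entry as an ovs-ofctl command (OpenFlow 1.3 for goto_table)."""
    m = flow["match"]
    parts = [f"table={flow['table']}", f"priority={flow['priority']}"]
    if "in_port" in m:
        parts.append(f"in_port={m['in_port']}")
    if "nw_src" in m or "nw_dst" in m:
        parts.append("ip")
        parts += [f"{k}={m[k]}" for k in ("nw_src", "nw_dst") if k in m]
    spec = ",".join(parts + ["actions=" + ",".join(flow["actions"])])
    return f'ovs-ofctl -O OpenFlow13 add-flow {bridge} "{spec}"'


def _lookup(flows, table, pkt):
    """Highest-priority entry in `table` matching the packet, or None (table miss)."""
    best = None
    for f in flows:
        m = f["match"]
        if f["table"] != table:
            continue
        if "in_port" in m and m["in_port"] != pkt["in_port"]:
            continue
        if "nw_src" in m and pkt["nw_src"] not in m["nw_src"]:
            continue
        if "nw_dst" in m and pkt["nw_dst"] not in m["nw_dst"]:
            continue
        if best is None or f["priority"] > best["priority"]:
            best = f
    return best


def walk(flows, in_port, nw_src, nw_dst):
    """Trace one packet through the switch and the bridged VMs.  Returns the port
    names visited, ending at a physical NIC, or None if the packet is dropped."""
    pkt = {"in_port": PORTS[in_port], "nw_src": ipaddress.ip_address(nw_src),
           "nw_dst": ipaddress.ip_address(nw_dst)}
    path, table = [in_port], 0
    while True:
        entry = _lookup(flows, table, pkt)
        if entry is None:
            return None          # no tenant/port match: dropped, never forwarded around the chain
        kind, target = entry["actions"][0].split(":")
        if kind == "goto_table":
            table = int(target)
            continue
        out = NAMES[int(target)]
        path.append(out)
        if out in PHYSICAL:
            return path
        # The VM bridges its two service NICs, so the packet re-enters on the peer
        # NIC and is dispatched from table 0 again; addresses are unchanged, so it
        # lands in the same chain table.
        peer = out[:-1] + ("2" if out.endswith("1") else "1")
        path.append(peer)
        pkt["in_port"], table = PORTS[peer], 0


def shared_chain():
    """Case A: every tenant gets the A+B chain, installed directly in table 0."""
    return chain_flows(0, ["A", "B"])


def per_tenant_chains():
    """Case B: tenant 1 (10.1.0.0/24) gets A+B in table 1, tenant 2 (10.2.0.0/24) gets A+C in table 2."""
    return (dispatch_flows({1: "10.1.0.0/24", 2: "10.2.0.0/24"})
            + chain_flows(1, ["A", "B"]) + chain_flows(2, ["A", "C"]))


if __name__ == "__main__":
    for flow in per_tenant_chains():
        print(to_ovs(flow))
    print(walk(per_tenant_chains(), "eth1", "203.0.113.9", "10.2.0.5"))
```

Three points the trace makes visible. The dispatch in table 0 is re-evaluated every time a packet comes back out of a VM, so the scheme only works because the security VMs are transparent bridges that leave addresses untouched; a VM that NATs or proxies would be re-dispatched into the wrong chain or dropped. A packet matching no tenant prefix hits a table miss and is dropped (OpenFlow 1.3 default), which is the safe direction; a permissive table-miss entry such as `actions=NORMAL` would let unclassified traffic bypass every security service. Non-IP frames, ARP in particular, do not match the `ip` entries and need their own dispatch entries, and traffic between two tenants matches both a `nw_src` and a `nw_dst` entry at equal priority, so one of the two directions should be given a higher priority or keyed on `in_port` as well.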

Claims (4)

1. A method for implementing multi-tenant use of different security services based on the OpenFlow protocol, characterized in that it comprises the following steps:
(1) use one server as the hardware of the security resource pool; install on the server a Linux system that supports virtualization and OpenFlow; the server has at least two physical NICs;
(2) create a virtual switch and configure it so that its packet forwarding is controlled by OpenFlow flow tables;
(3) attach the server's physical NICs to the virtual switch and create several security virtual machines, each of which has two service virtual NICs attached to the virtual switch;
(4) configure the service virtual NICs inside each security virtual machine in bridge mode; using the command provided by the virtual switch, query the port number that the virtual switch associates with each service virtual NIC of each security virtual machine, and record it;
(5) treat each security virtual machine as one security service and compose one or more security services into a service chain; distinguish tenants by a network identifier carried in the packet. When all tenants use the same security service chain, use the OpenFlow protocol to issue flow entries keyed on the recorded port numbers, which uniquely identify the NICs on the virtual switch, specifying that a packet entering from one physical NIC traverses the service chain and leaves from the other physical NIC. When different tenants use different service chains, use the OpenFlow protocol to place the flow entries of each service chain in a different flow table, and set up a default flow table that jumps all packets carrying the same tenant identifier to the same flow table.
2. The method for implementing multi-tenant use of different security services based on the OpenFlow protocol of claim 1, characterized in that the server has two physical NICs, one physical NIC linking the external network and the other linking the tenant network that requires protection.
3. The method for implementing multi-tenant use of different security services based on the OpenFlow protocol of claim 2, characterized in that there are 2 to 10 security virtual machines.
4. The method for implementing multi-tenant use of different security services based on the OpenFlow protocol of any one of claims 1 to 3, characterized in that the network identifier is the tenant's IP address, subnet, VLAN, port number, or a combination of these.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810978545.8A 2018-08-27 2018-08-27 Method for implementing multi-tenant use of different security services based on the OpenFlow protocol

Publications (1)

Publication Number Publication Date
CN109040101A 2018-12-18

Family ID: 64624564

Country Status (1)

Country Link
CN (1) CN109040101A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102710432A (en) * 2012-04-27 2012-10-03 北京云杉世纪网络科技有限公司 System and method for managing virtual network in cloud computation data center
US20160344611A1 (en) * 2013-12-18 2016-11-24 Telefonaktiebolaget Lm Ericsson (Publ) Method and control node for handling data packets
CN107819663A (en) * 2017-11-27 2018-03-20 锐捷网络股份有限公司 A kind of method and apparatus for realizing virtual network function service chaining
CN107911258A (en) * 2017-12-29 2018-04-13 深信服科技股份有限公司 A kind of realization method and system in the secure resources pond based on SDN network
CN107920023A (en) * 2017-12-29 2018-04-17 深信服科技股份有限公司 A kind of realization method and system in secure resources pond
CN107959614A (en) * 2017-10-30 2018-04-24 广东睿江云计算股份有限公司 A kind of self-defined network-building method of multi-tenant based on network namespace, system

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110995680A (en) * 2019-11-22 2020-04-10 北京浪潮数据技术有限公司 Virtual machine message receiving method, system, device and computer readable storage medium
CN111683308A (en) * 2020-05-29 2020-09-18 烽火通信科技股份有限公司 Method and device for realizing flexible bridging service on home gateway
CN111683308B (en) * 2020-05-29 2022-04-29 烽火通信科技股份有限公司 Method and device for realizing flexible bridging service on home gateway
CN115914135A (en) * 2021-08-03 2023-04-04 中移动信息技术有限公司 Data transmission method, virtual switch and storage medium
CN114944952A (en) * 2022-05-20 2022-08-26 深信服科技股份有限公司 Data processing method, device, system, equipment and readable storage medium
CN114944952B (en) * 2022-05-20 2023-11-07 深信服科技股份有限公司 Data processing method, device, system, equipment and readable storage medium

Similar Documents

Publication Publication Date Title
CN109040101A (en) A method of different security services are used based on openflow protocol realization multi-tenant
US9178828B2 (en) Architecture for agentless service insertion
CN111614605B (en) Method for configuring firewall, security management system and computer readable medium
US10452422B2 (en) Method and apparatus for deploying virtual machine instance, and device
CN107278362B (en) The method of Message processing, host and system in cloud computing system
US10177936B2 (en) Quality of service (QoS) for multi-tenant-aware overlay virtual networks
EP3072263B1 (en) Multi-tenant isolation in a cloud environment using software defined networking
CN110301104B (en) Optical line terminal OLT equipment virtualization method and related equipment
EP3273640A1 (en) Link selection for communication with a service function cluster
US20180013841A1 (en) Automatic service function validation in a virtual network environment
CN105100026B (en) A kind of safe retransmission method of message and device
US10050739B2 (en) Optical communication system with hardware root of trust (HRoT) and network function virtualization (NFV)
CN105933248B (en) Service insertion within a basic virtual network environment
US20110035494A1 (en) Network virtualization for a virtualized server data center environment
CN112130957B (en) Method and system for using intelligent network card for breaking through virtualization isolation of container
CN106936715A (en) virtual machine message control method and device
Masutani et al. Requirements and design of flexible NFV network infrastructure node leveraging SDN/OpenFlow
CN114584511A (en) Extending software-defined networks between public cloud computing infrastructures and data centers
Chandramouli et al. Secure virtual network configuration for virtual machine (vm) protection
CN104144130B (en) Method, system and the access switch of virtual machine system interconnection
CN104168200A (en) Open vSwitch-based method and system for realizing ACL function
US11962499B2 (en) Multitenancy for service machines
CN104579778A (en) Simple implementation method for enterprise internal network virtualization
Liu et al. To achieve a security service chain by integration of NFV and SDN
Jeuk et al. Tenant-id: Tagging tenant assets in cloud environments

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 2018-12-18