CN109150860A - A method and system for realizing network micro-isolation in an OpenStack environment - Google Patents
A method and system for realizing network micro-isolation in an OpenStack environment
- Publication number: CN109150860A (application CN201810874200.8A)
- Authority: CN (China)
- Prior art keywords: network, management end, isolation, access control, log
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0281: Network security; separating internal from external traffic, e.g. firewalls; proxies
- H04L63/10: Network security; controlling access to devices or network resources
- H04L63/1416: Network security; detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
Abstract
The present invention provides a method and system for realizing network micro-isolation in an OpenStack environment, comprising the following steps: S1, an agent is installed on each compute node in the OpenStack environment, and all agents are managed centrally by a management end; S2, the management end distributes an intrusion detection signature library and access control policies; S3, the agent side processes network packets, enforces network isolation, and records logs that are sent to the management end; S4, the management end converts the network interfaces/IP addresses in the uploaded logs into tenant/virtual machine names and presents them to the administrator. The present invention solves the problem that, in the prior art, network attacks between hosts inside a network cannot be effectively blocked; it realizes access control of east-west traffic between virtual machines in an OpenStack environment and performs deeper intrusion detection on the traffic using the open-source snort, so that the network in a cloud computing environment can be effectively protected.
Description
Technical field
The present invention relates to the field of cloud computing security, in particular to a method and system for realizing network micro-isolation in an OpenStack environment.
Background technique
Among network attacks, attacks originating from inside the network and from business partners keep rising, and a traditional network perimeter firewall cannot defend against attacks between hosts inside the network. A common example is the exploitation of an internal permission-management weakness: the attacker bypasses the perimeter firewall, obtains privileges on an internal host, and then attacks directly from inside. Once an attacker holds privileges on one internal host, the entire internal network faces the following threats:
1. Internal reconnaissance: exploring the internal network and scanning hosts, virtual machines and application systems for exploitable vulnerabilities;
2. Spoofing and privilege escalation: using network spoofing, malware and similar means to obtain access to critical application systems;
3. Malware propagation: spreading viruses, trojans, worms and other malicious programs;
4. DDoS attack source: the host is taken over and turned into a zombie host (bot) used to launch DDoS attacks against internal or external targets;
5. Data theft: critical user data is disguised as a common application protocol and transmitted outward.
Therefore, mutual access between hosts inside the same network needs to be controlled, and this is where network micro-isolation (micro-segmentation) technology is needed.
Summary of the invention
The object of the present invention is to provide a method and system for realizing network micro-isolation in an OpenStack environment, aiming to solve the problem that, in the prior art, network attacks between hosts inside a network cannot be effectively blocked, to realize access control of east-west traffic between virtual machines in an OpenStack environment, and to effectively protect the network in a cloud computing environment.
To achieve the above technical purpose, the present invention provides a method for realizing network micro-isolation in an OpenStack environment, comprising the following steps:
S1, an agent is installed on each compute node in the OpenStack environment, and all agents are managed centrally by a management end;
S2, the management end distributes an intrusion detection signature library and access control policies;
S3, the agent side processes network packets, enforces network isolation, and records logs that are sent to the management end;
S4, the management end presents the uploaded logs to the administrator.
Preferably, step S2 specifically comprises:
S201, the agent side synchronizes the signature library required by snort;
S202, the server access control policy is distributed to the agent side;
S203, tenant/virtual machine names are converted into the corresponding network interfaces/IP addresses.
Preferably, step S3 specifically comprises:
S301, the agent side registers a netfilter hook function used to intercept packets;
S302, five-tuple access control is performed according to the server access control policy distributed by the management end;
S303, packets are passed through netfilter's NFQUEUE to snort in the application layer;
S304, snort performs intrusion prevention detection according to the intrusion detection signature library distributed by the management end.
Preferably, step S4 specifically comprises:
the management end converts the network interfaces/IP addresses in the uploaded logs into tenant/virtual machine names and presents them to the administrator.
The present invention also provides a system for realizing network micro-isolation in an OpenStack environment, the system comprising:
an agent deployment module, for installing an agent on each compute node in the OpenStack environment, with all agents managed centrally by a management end;
a policy distribution module, for the management end to distribute an intrusion detection signature library and access control policies;
a network data processing module, for the agent side to process network packets, enforce network isolation, and record logs that are sent to the management end;
a log processing module, for the management end to present the uploaded logs to the administrator.
Preferably, the policy distribution module comprises:
a signature library synchronization unit, for the agent side to synchronize the signature library required by snort;
a policy synchronization unit, for distributing the server access control policy to the agent side;
a policy conversion unit, for converting tenant/virtual machine names into the corresponding network interfaces/IP addresses.
Preferably, the network data processing module comprises:
a packet capture unit, for the agent side to register a netfilter hook function used to intercept packets;
an access control unit, for performing five-tuple access control according to the server access control policy distributed by the management end;
a data transfer unit, for passing packets through netfilter's NFQUEUE to snort in the application layer;
an intrusion detection unit, for snort to perform intrusion prevention detection according to the intrusion detection signature library distributed by the management end.
Preferably, the log processing module comprises:
a log conversion unit, for the management end to convert the network interfaces/IP addresses in the uploaded logs into tenant/virtual machine names and present them to the administrator.
The effects described in this summary are only those of the embodiments, not all of the effects of the invention. One of the above technical solutions has the following advantages or beneficial effects:
Compared with the prior art, the present invention installs an agent on each compute node in the OpenStack environment and manages all agents centrally through a management end, realizing an architecture of unified management and distributed deployment. Traffic on a compute node is first subjected to five-tuple access control and then to intrusion detection, achieving access control at network layers 2 to 7. The present invention solves the problem that, in the prior art, network attacks between hosts inside a network cannot be effectively blocked; it realizes access control of east-west traffic between virtual machines in an OpenStack environment and performs deeper intrusion detection on the traffic using the open-source snort, so that the network in a cloud computing environment can be effectively protected.
Detailed description of the invention
Fig. 1 is a flow chart of a method for realizing network micro-isolation in an OpenStack environment provided in an embodiment of the present invention;
Fig. 2 is a structural block diagram of a system for realizing network micro-isolation in an OpenStack environment provided in an embodiment of the present invention.
Specific embodiment
In order to clearly illustrate the technical features of this solution, the present invention is described in detail below through specific embodiments in combination with the accompanying drawings. The following disclosure provides many different embodiments or examples for realizing different structures of the invention. To simplify the disclosure, the components and arrangements of specific examples are described below. In addition, reference numerals and/or letters may be repeated across different examples; this repetition is for simplicity and clarity and does not by itself indicate a relationship between the various embodiments and/or arrangements discussed. It should be noted that the components illustrated in the drawings are not necessarily drawn to scale. Descriptions of known components, processing techniques and processes are omitted to avoid unnecessarily limiting the invention.
The method and system for realizing network micro-isolation in an OpenStack environment provided by an embodiment of the present invention are described in detail below with reference to the accompanying drawings.
As shown in Fig. 1, an embodiment of the present invention discloses a method for realizing network micro-isolation in an OpenStack environment, comprising the following steps:
S1, an agent is installed on each compute node in the OpenStack environment, and all agents are managed centrally by a management end;
S2, the management end distributes an intrusion detection signature library and access control policies;
S3, the agent side processes network packets, enforces network isolation, and records logs that are sent to the management end;
S4, the management end presents the uploaded logs to the administrator.
In the embodiment of the present invention, an agent is installed on each OpenStack compute node, and all agents are managed centrally by the management end, forming an architecture of centralized management and distributed deployment.
The agent comprises a firewall module and an intrusion detection module. The firewall module works in the kernel and performs five-tuple filtering on packets; the intrusion detection module works in the application layer, and packets that have passed the firewall module enter the intrusion detection module, which checks whether they contain a malicious attack.
The management end manages all agents and synchronizes policy whenever a virtual machine is created or deleted or a virtual machine migration occurs. At the same time, for traffic visualization, it integrates deeply with OpenStack and converts source and destination IP addresses into tenant/virtual machine names, which makes policy configuration and log analysis more intuitive.
First, the management end distributes the intrusion detection signature library and the access control policy.
The management end distributes the intrusion detection signature library, and the agent side synchronizes the signature library required by snort. In addition, the server access control policy configured by the administrator is distributed to the agent side; in this policy, tenant/virtual machine names are converted into the corresponding network interfaces/IP addresses through deep integration with the OpenStack environment, so that traffic is visualized. When a virtual machine is created or deleted or a virtual machine migration occurs, the access control policy is synchronized dynamically.
Then, the agent side processes network packets, enforces network isolation, and records logs that are sent to the management end.
The agent side registers a netfilter hook function to intercept packets and performs five-tuple access control according to the server access control policy distributed by the management end; packets whose access is denied are dropped and logged. Packets that pass the server access control policy check are passed through netfilter's NFQUEUE to snort in the application layer, and snort performs intrusion prevention detection according to the intrusion detection signature library distributed by the management end. For packets that pass intrusion detection, a verdict is fed back to the kernel layer, which continues processing the packet; packets rejected by intrusion detection are dropped and logged.
The agent side uploads the recorded logs to the management end.
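The agent-side pipeline described above, modelled as an added example that is not code from the patent: the kernel hook, the NFQUEUE hand-off and snort are stood in for by plain Python functions, the three-tier policy, the one-entry signature library and the packets are constructed here, and the verdict names follow the NF_ACCEPT/NF_DROP convention of netfilter queue handlers.

```python
"""Model of the agent pipeline: netfilter hook -> five-tuple ACL -> NFQUEUE -> signature check.
Constructed stand-in: kernel hook and snort are simulated in Python; nothing touches a real kernel."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

NF_ACCEPT, NF_DROP = "NF_ACCEPT", "NF_DROP"   # verdict names as used by netfilter queue handlers


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str              # "tcp" | "udp" | "icmp"
    src_port: int
    dst_port: int
    payload: bytes = b""


@dataclass(frozen=True)
class AclRule:
    """Five-tuple rule as distributed by the management end, already in IP form."""
    src: str                # CIDR or "any"
    dst: str                # CIDR or "any"
    proto: str              # "any" | "tcp" | "udp" | "icmp"
    dports: tuple           # (low, high), inclusive
    action: str             # "allow" | "deny"

    def matches(self, pkt: Packet) -> bool:
        def in_net(addr: str, cidr: str) -> bool:
            return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)
        return (in_net(pkt.src_ip, self.src) and in_net(pkt.dst_ip, self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dports[0] <= pkt.dst_port <= self.dports[1])


@dataclass
class Agent:
    acl: list               # ordered rules, first match wins
    signatures: dict        # sid -> (byte pattern, message); stands in for snort's rule set
    logs: list = field(default_factory=list)

    def _log(self, stage: str, pkt: Packet, verdict: str, reason: str) -> None:
        # Logs carry raw IPs; the management end maps them to tenant/VM names later (S4).
        self.logs.append({"stage": stage, "src": pkt.src_ip, "dst": pkt.dst_ip,
                          "proto": pkt.proto, "dport": pkt.dst_port,
                          "verdict": verdict, "reason": reason})

    def five_tuple_check(self, pkt: Packet) -> str:
        """Kernel-side step (S302): first matching rule decides; no match means deny."""
        for rule in self.acl:
            if rule.matches(pkt):
                if rule.action == "allow":
                    return NF_ACCEPT
                self._log("acl", pkt, NF_DROP, "denied by policy")
                return NF_DROP
        self._log("acl", pkt, NF_DROP, "no matching rule (default deny)")
        return NF_DROP

    def signature_check(self, pkt: Packet) -> str:
        """User-space step (S303/S304): packet handed over the queue, signatures applied."""
        for sid, (pattern, msg) in self.signatures.items():
            if pattern in pkt.payload:
                self._log("ids", pkt, NF_DROP, f"sid {sid}: {msg}")
                return NF_DROP
        return NF_ACCEPT

    def handle(self, pkt: Packet) -> str:
        """One packet through the hook: ACL first, then IDS; the verdict goes back to the kernel."""
        verdict = self.five_tuple_check(pkt)
        return verdict if verdict == NF_DROP else self.signature_check(pkt)


# Constructed sample policy, signature library and traffic (not from the patent).
SAMPLE_ACL = [
    AclRule("10.0.1.0/24", "10.0.2.10/32", "tcp", (443, 443), "allow"),     # web tier -> app1, HTTPS
    AclRule("10.0.2.0/24", "10.0.3.20/32", "tcp", (3306, 3306), "allow"),   # app tier -> db1, MySQL
    AclRule("any", "any", "any", (0, 65535), "deny"),                      # explicit default deny
]
SAMPLE_SIGS = {1000001: (b"UNION SELECT", "constructed sample signature: SQL keywords in payload")}


def run_sample():
    agent = Agent(SAMPLE_ACL, SAMPLE_SIGS)
    verdicts = [
        agent.handle(Packet("10.0.1.5", "10.0.2.10", "tcp", 50000, 443, b"GET / HTTP/1.1")),
        agent.handle(Packet("10.0.1.5", "10.0.3.20", "tcp", 50001, 3306)),   # web -> db: not permitted
        agent.handle(Packet("10.0.2.10", "10.0.3.20", "tcp", 50002, 3306, b"x' UNION SELECT 1")),
    ]
    return verdicts, agent.logs


if __name__ == "__main__":
    for v in run_sample()[0]:
        print(v)
```

Note that a denied packet never reaches the signature stage, so the IDS log for the third packet exists only because the ACL allowed the app-to-db flow first.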
Finally, the management end presents the uploaded logs to the administrator.
The management end receives the logs sent by the agent side, converts the network interfaces/IP addresses in the logs into tenant/virtual machine names, and presents them to the administrator.
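The two management-end conversions, tenant/VM name to interface/IP when the policy is compiled (S203) and IP back to tenant/VM name when logs are presented (S4), as an added example that is not the patent's code: the inventory is constructed inline where a real deployment would read it from OpenStack, and placing each rule on both the source VM's and the destination VM's compute node, as well as the re-sync after a migration, are assumptions of this example.

```python
"""Management-end conversions: name-based policy -> per-node interface/IP rules (S203),
and log IPs -> tenant/VM names (S4). Inventory and samples are constructed; a real
deployment would populate the inventory from OpenStack (assumption)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Vm:
    tenant: str
    name: str
    node: str       # compute node currently hosting the VM
    iface: str      # tap interface of the VM on that node
    ip: str


class Inventory:
    """Tenant/VM view of the cloud, refreshed on create/delete/migrate."""

    def __init__(self, vms):
        self.vms = {(v.tenant, v.name): v for v in vms}

    def get(self, tenant: str, name: str) -> Vm:
        return self.vms[(tenant, name)]

    def by_ip(self, ip: str):
        return next((v for v in self.vms.values() if v.ip == ip), None)

    def migrate(self, tenant: str, name: str, new_node: str, new_iface: str) -> None:
        """Live migration: same tenant/VM/IP, different node and tap interface."""
        self.vms[(tenant, name)] = replace(self.get(tenant, name), node=new_node, iface=new_iface)


def compile_policy(policy: list, inv: Inventory) -> dict:
    """S203: name-based rules -> five-tuple rules in interface/IP form, grouped by compute node.
    Assumption of this example: a rule is installed on the node of the source VM and on the
    node of the destination VM, so the agent on either end can enforce it."""
    per_node: dict = {}
    for p in policy:
        s, d = inv.get(*p["src"]), inv.get(*p["dst"])
        base = {"src_ip": s.ip, "dst_ip": d.ip, "proto": p["proto"],
                "dport": p["dport"], "action": p["action"]}
        for vm in (s, d):
            entry = dict(base, iface=vm.iface)
            rules = per_node.setdefault(vm.node, [])
            if entry not in rules:          # avoid duplicates when src and dst share node and interface
                rules.append(entry)
    return per_node


def enrich_log(entry: dict, inv: Inventory) -> dict:
    """S4: replace IP fields with tenant/VM names for the administrator view.
    Addresses with no VM behind them (e.g. external hosts) are left as they are."""
    out = dict(entry)
    for f in ("src", "dst"):
        vm = inv.by_ip(entry[f])
        if vm is not None:
            out[f] = f"{vm.tenant}/{vm.name}"
    return out


def make_inventory() -> Inventory:
    # Constructed sample: one tenant, three VMs on two compute nodes.
    return Inventory([
        Vm("acme", "web1", "compute1", "tap1a", "10.0.1.5"),
        Vm("acme", "app1", "compute2", "tap2b", "10.0.2.10"),
        Vm("acme", "db1", "compute2", "tap2c", "10.0.3.20"),
    ])


SAMPLE_POLICY = [   # constructed administrator policy, written in tenant/VM names
    {"src": ("acme", "web1"), "dst": ("acme", "app1"), "proto": "tcp", "dport": 443, "action": "allow"},
    {"src": ("acme", "app1"), "dst": ("acme", "db1"), "proto": "tcp", "dport": 3306, "action": "allow"},
]
SAMPLE_LOG = {"src": "10.0.1.5", "dst": "203.0.113.7", "proto": "tcp", "dport": 22, "verdict": "NF_DROP"}


def demo():
    inv = make_inventory()
    before = compile_policy(SAMPLE_POLICY, inv)
    inv.migrate("acme", "app1", "compute3", "tap3a")      # app1 moves: policy must be re-synced
    after = compile_policy(SAMPLE_POLICY, inv)
    return before, after, enrich_log(SAMPLE_LOG, inv)


if __name__ == "__main__":
    for node, rules in demo()[1].items():
        print(node, rules)
```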
The embodiment of the present invention installs an agent on each compute node in the OpenStack environment and manages all agents centrally through a management end, realizing an architecture of unified management and distributed deployment. Traffic on a compute node is first subjected to five-tuple access control and then to intrusion detection, achieving access control at network layers 2 to 7. The present invention solves the problem that, in the prior art, network attacks between hosts inside a network cannot be effectively blocked; it realizes access control of east-west traffic between virtual machines in an OpenStack environment and performs deeper intrusion detection on the traffic using the open-source snort, so that the network in a cloud computing environment can be effectively protected.
As shown in Fig. 2, an embodiment of the present invention also discloses a system for realizing network micro-isolation in an OpenStack environment, the system comprising:
an agent deployment module, for installing an agent on each compute node in the OpenStack environment, with all agents managed centrally by a management end;
a policy distribution module, for the management end to distribute an intrusion detection signature library and access control policies;
a network data processing module, for the agent side to process network packets, enforce network isolation, and record logs that are sent to the management end;
a log processing module, for the management end to present the uploaded logs to the administrator.
The policy distribution module comprises:
a signature library synchronization unit, for the agent side to synchronize the signature library required by snort;
a policy synchronization unit, for distributing the server access control policy to the agent side;
a policy conversion unit, for converting tenant/virtual machine names into the corresponding network interfaces/IP addresses.
The network data processing module comprises:
a packet capture unit, for the agent side to register a netfilter hook function used to intercept packets;
an access control unit, for performing five-tuple access control according to the server access control policy distributed by the management end;
a data transfer unit, for passing packets through netfilter's NFQUEUE to snort in the application layer;
an intrusion detection unit, for snort to perform intrusion prevention detection according to the intrusion detection signature library distributed by the management end.
The log processing module comprises:
a log conversion unit, for the management end to convert the network interfaces/IP addresses in the uploaded logs into tenant/virtual machine names and present them to the administrator.
The foregoing is merely a description of the preferred embodiments of the present invention and is not intended to limit the invention; any modifications, equivalent replacements and improvements made within the spirit and principles of the invention shall be included in the protection scope of the invention.
Claims (8)
1. A method for realizing network micro-isolation in an OpenStack environment, characterized by comprising the following steps:
S1, an agent is installed on each compute node in the OpenStack environment, and all agents are managed centrally by a management end;
S2, the management end distributes an intrusion detection signature library and access control policies;
S3, the agent side processes network packets, enforces network isolation, and records logs that are sent to the management end;
S4, the management end presents the uploaded logs to the administrator.
2. The method for realizing network micro-isolation in an OpenStack environment according to claim 1, characterized in that step S2 specifically comprises:
S201, the agent side synchronizes the signature library required by snort;
S202, the server access control policy is distributed to the agent side;
S203, tenant/virtual machine names are converted into the corresponding network interfaces/IP addresses.
3. The method for realizing network micro-isolation in an OpenStack environment according to claim 1, characterized in that step S3 specifically comprises:
S301, the agent side registers a netfilter hook function used to intercept packets;
S302, five-tuple access control is performed according to the server access control policy distributed by the management end;
S303, packets are passed through netfilter's NFQUEUE to snort in the application layer;
S304, snort performs intrusion prevention detection according to the intrusion detection signature library distributed by the management end.
4. The method for realizing network micro-isolation in an OpenStack environment according to any one of claims 1 to 3, characterized in that step S4 specifically comprises:
the management end converts the network interfaces/IP addresses in the uploaded logs into tenant/virtual machine names and presents them to the administrator.
5. A system for realizing network micro-isolation in an OpenStack environment, characterized in that the system comprises:
an agent deployment module, for installing an agent on each compute node in the OpenStack environment, with all agents managed centrally by a management end;
a policy distribution module, for the management end to distribute an intrusion detection signature library and access control policies;
a network data processing module, for the agent side to process network packets, enforce network isolation, and record logs that are sent to the management end;
a log processing module, for the management end to present the uploaded logs to the administrator.
6. The system for realizing network micro-isolation in an OpenStack environment according to claim 5, characterized in that the policy distribution module comprises:
a signature library synchronization unit, for the agent side to synchronize the signature library required by snort;
a policy synchronization unit, for distributing the server access control policy to the agent side;
a policy conversion unit, for converting tenant/virtual machine names into the corresponding network interfaces/IP addresses.
7. The system for realizing network micro-isolation in an OpenStack environment according to claim 5, characterized in that the network data processing module comprises:
a packet capture unit, for the agent side to register a netfilter hook function used to intercept packets;
an access control unit, for performing five-tuple access control according to the server access control policy distributed by the management end;
a data transfer unit, for passing packets through netfilter's NFQUEUE to snort in the application layer;
an intrusion detection unit, for snort to perform intrusion prevention detection according to the intrusion detection signature library distributed by the management end.
8. The system for realizing network micro-isolation in an OpenStack environment according to any one of claims 5 to 7, characterized in that the log processing module comprises:
a log conversion unit, for the management end to convert the network interfaces/IP addresses in the uploaded logs into tenant/virtual machine names and present them to the administrator.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810874200.8A | 2018-08-02 | 2018-08-02 | A method and system for realizing network micro-isolation in an OpenStack environment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109150860A | 2019-01-04 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105141571A | 2014-06-09 | 2015-12-09 | 中兴通讯股份有限公司 | Distributed virtual firewall device and method |
CN107332851A | 2017-07-07 | 2017-11-07 | 深信服科技股份有限公司 | A configuration method and system for traffic control in a virtual environment |
CN108156153A | 2017-12-22 | 2018-06-12 | 国家电网公司 | A micro-segmentation protection method based on distributed security domains |
US20180176252A1 | 2016-12-16 | 2018-06-21 | Nicira, Inc. | Application template generation and deep packet inspection approach for creation of micro-segmentation policy for network applications |
Non-Patent Citations (1)
Title |
---|
耿晓菊 et al.: "A design for implementing linkage between security modules based on Netlink and Libipq", 计算机应用与软件 (Computer Applications and Software) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190104 |