CN109150860A - A method and system for realizing network micro-isolation in an OpenStack environment - Google Patents

Info

Publication number: CN109150860A
Application number: CN201810874200.8A
Authority: CN (China)
Prior art keywords: network, management end, isolation, access control, log
Legal status: Pending (as listed)
Other languages: Chinese (zh)
Inventor: 崔士伟
Current assignee: Zhengzhou Yunhai Information Technology Co Ltd
Original assignee: Zhengzhou Yunhai Information Technology Co Ltd
Priority date: 2018-08-02
Filing date: 2018-08-02
Publication date: 2019-01-04

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
Abstract

The present invention provides a method and system for realizing network micro-isolation in an OpenStack environment, comprising the following steps: S1, an agent is installed on each compute node in the OpenStack environment, and the agents are managed centrally by a management end; S2, the management end distributes an intrusion detection signature library and an access control policy; S3, the agent side intercepts network packets, enforces network isolation, and records logs that are sent to the management end; S4, the management end converts the network interface/IP address in the uploaded logs into the tenant/virtual machine name and presents the logs to the administrator. The invention solves the prior-art problem that network attacks between hosts inside a network cannot be effectively blocked, realizes access control of east-west traffic between virtual machines in an OpenStack environment, performs deeper intrusion detection on the traffic using the open-source snort, and can effectively protect the network in a cloud computing environment.

Description

A method and system for realizing network micro-isolation in an OpenStack environment
Technical field
The present invention relates to the field of cloud computing security, and in particular to a method and system for realizing network micro-isolation in an OpenStack environment.
Background technique
Among network attacks, attacks originating from inside the network and from business partners continue to rise, and a traditional network perimeter firewall cannot defend against attacks between internal hosts. A common example: by exploiting an internal permission management vulnerability, an attacker bypasses the perimeter firewall, obtains privileges on an internal host, and then attacks directly from the inside. Once an attacker holds privileges on any internal host, the whole internal network faces the following threats:
1. Internal reconnaissance: exploring the internal network and scanning hosts, virtual machines and application systems for usable vulnerabilities;
2. Spoofing and privilege escalation: using network spoofing, malware and similar means to obtain access to critical application systems;
3. Malware propagation: spreading viruses, trojans, worms and other malicious programs;
4. DDoS attack source: the compromised host is used by the attacker as a bot (zombie host) to launch DDoS attacks against internal or external targets;
5. Data theft: critical user data is disguised as a common application protocol and transmitted outward.
Mutual access between hosts inside the same network therefore needs to be controlled, and this is where network micro-isolation technology is required.
Summary of the invention
The object of the present invention is to provide a method and system for realizing network micro-isolation in an OpenStack environment, intended to solve the prior-art problem that network attacks between hosts inside a network cannot be effectively blocked, to realize access control of east-west traffic between virtual machines in an OpenStack environment, and to effectively protect the network in a cloud computing environment.
To achieve the above technical purpose, the present invention provides a method for realizing network micro-isolation in an OpenStack environment, comprising the following steps:
S1, an agent is installed on each compute node in the OpenStack environment, and the agents are managed centrally by a management end;
S2, the management end distributes an intrusion detection signature library and an access control policy;
S3, the agent side intercepts network packets, enforces network isolation, and records logs that are sent to the management end;
S4, the management end presents the uploaded logs to the administrator.
Preferably, step S2 specifically comprises:
S201, the agent side synchronizes the signature library required by snort;
S202, the server access control policy is distributed to the agent side;
S203, tenant/virtual machine names are converted into the corresponding network interfaces/IP addresses.
Preferably, step S3 specifically comprises:
S301, the agent side registers a netfilter hook function to intercept packets;
S302, five-tuple access control is performed according to the server access control policy distributed by the management end;
S303, packets are passed through netfilter's NFQUEUE to snort in the application layer;
S304, snort performs intrusion prevention detection according to the intrusion detection signature library distributed by the management end.
Preferably, step S4 specifically comprises:
the management end converts the network interface/IP address in the uploaded log into the tenant/virtual machine name and presents it to the administrator.
The present invention also provides a system for realizing network micro-isolation in an OpenStack environment, the system comprising:
an agent deployment module, for installing an agent on each compute node in the OpenStack environment, the agents being managed centrally by a management end;
a policy distribution module, for the management end to distribute an intrusion detection signature library and an access control policy;
a network data processing module, for the agent side to intercept network packets, enforce network isolation, and record logs that are sent to the management end;
a log processing module, for the management end to present the uploaded logs to the administrator.
Preferably, the policy distribution module comprises:
a signature library synchronization unit, for the agent side to synchronize the signature library required by snort;
a policy synchronization unit, for distributing the server access control policy to the agent side;
a policy conversion unit, for converting tenant/virtual machine names into the corresponding network interfaces/IP addresses.
Preferably, the network data processing module comprises:
a packet capture unit, for the agent side to register a netfilter hook function to intercept packets;
an access control unit, for performing five-tuple access control according to the server access control policy distributed by the management end;
a data transfer unit, for passing packets through netfilter's NFQUEUE to snort in the application layer;
an intrusion detection unit, for snort to perform intrusion prevention detection according to the intrusion detection signature library distributed by the management end.
Preferably, the log processing module comprises:
a log conversion unit, for the management end to convert the network interface/IP address in the uploaded log into the tenant/virtual machine name and present it to the administrator.
The effects given in this summary are only those of embodiments, not all effects of the invention; the technical solutions above have the following advantages or beneficial effects:
Compared with the prior art, the present invention installs an agent on each compute node in the OpenStack environment and manages the agents centrally from a management end, realizing an architecture of unified management and distributed deployment. Traffic on a compute node is first subjected to five-tuple access control and then to intrusion detection, achieving access control across network layers 2 to 7. The invention solves the prior-art problem that network attacks between hosts inside a network cannot be effectively blocked, realizes access control of east-west traffic between virtual machines in an OpenStack environment, performs deeper intrusion detection on the traffic using the open-source snort, and can effectively protect the network in a cloud computing environment.
Brief description of the drawings
Fig. 1 is a flow chart of a method for realizing network micro-isolation in an OpenStack environment provided in an embodiment of the present invention;
Fig. 2 is a structural block diagram of a system for realizing network micro-isolation in an OpenStack environment provided in an embodiment of the present invention.
Specific embodiments
In order to clearly illustrate the technical features of this solution, the invention is described in detail below through specific embodiments with reference to the accompanying drawings. The following disclosure provides many different embodiments or examples for realizing different structures of the invention. To simplify the disclosure, the components and arrangements of specific examples are described below. In addition, reference numerals and/or letters may be repeated in different examples; this repetition is for simplicity and clarity and does not in itself indicate a relationship between the various embodiments and/or arrangements discussed. It should be noted that the components illustrated in the drawings are not necessarily drawn to scale. Descriptions of known components, processing techniques and processes are omitted to avoid unnecessarily limiting the invention.
The method and system for realizing network micro-isolation in an OpenStack environment provided by embodiments of the invention are described in detail below with reference to the accompanying drawings.
As shown in Fig. 1, an embodiment of the invention discloses a method for realizing network micro-isolation in an OpenStack environment, comprising the following steps:
S1, an agent is installed on each compute node in the OpenStack environment, and the agents are managed centrally by a management end;
S2, the management end distributes an intrusion detection signature library and an access control policy;
S3, the agent side intercepts network packets, enforces network isolation, and records logs that are sent to the management end;
S4, the management end presents the uploaded logs to the administrator.
In the embodiment of the invention, an agent is installed on each OpenStack compute node, and all agents are managed by the management end, forming an architecture of centralized management and distributed deployment.
The agent comprises a firewall module and an intrusion detection module. The firewall module works in the kernel and performs five-tuple filtering of packets; the intrusion detection module works in the application layer, and packets that have passed the firewall module enter the intrusion detection module, which detects whether they contain a malicious attack.
The management end manages all agents and synchronizes policy when a virtual machine is created or deleted or a virtual machine migration occurs. For traffic visualization it integrates deeply with OpenStack and converts source and destination IP addresses into tenant/virtual machine names, which makes policy configuration and log analysis more intuitive.
First, the management end distributes the intrusion detection signature library and the access control policy.
The management end distributes the intrusion detection signature library, and the agent side synchronizes the signature library required by snort. The server access control policy configured by the administrator is also distributed to the agent side; in the server access control policy, tenant/virtual machine names are converted into the corresponding network interfaces/IP addresses through deep integration with the OpenStack environment, so that traffic is visualized. When a virtual machine is created or deleted or a virtual machine migration occurs, the access control policy is synchronized dynamically.
Then, the agent side intercepts network packets, enforces network isolation, and records logs that are sent to the management end.
The agent side registers a netfilter hook function to intercept packets and performs five-tuple access control according to the server access control policy distributed by the management end; packets whose access is denied are dropped and logged. Packets that pass the server access control policy check are passed through netfilter's NFQUEUE to snort in the application layer, and snort performs intrusion prevention detection according to the intrusion detection signature library distributed by the management end. For packets that pass intrusion detection, the verdict is fed back to the kernel layer, which continues processing the packet; packets rejected by intrusion detection are dropped and logged.
The agent side uploads the recorded logs to the management end.
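The agent-side pipeline of steps S301 to S304 (five-tuple access control in the kernel hook, then signature inspection of whatever the access control let through, with a log record for every drop) can be modelled as decision logic, which the following added example does. It is not code from the patent or its applicant: the packet builder, the `Rule` format, the default-deny behaviour, the content-pattern signatures (a simplified stand-in for snort's own signature library) and all addresses and policies are constructed assumptions. The verdict constants are the values netfilter itself uses; in a real agent the hook lives in a kernel module and the application-layer verdict is returned through NFQUEUE.

```python
"""Agent-side packet pipeline for steps S301-S304 (constructed example)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Verdict values as defined in linux/netfilter.h; the hook and NFQUEUE both use them.
NF_DROP, NF_ACCEPT = 0, 1
PROTO_TCP, PROTO_UDP = 6, 17


def build_packet(proto: int, src: str, sport: int, dst: str, dport: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 + TCP/UDP packet as constructed test input (checksums left zero)."""
    l4_len = (20 if proto == PROTO_TCP else 8) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    if proto == PROTO_TCP:   # data offset 5 words, PSH|ACK flags
        l4_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4_hdr = struct.pack("!HHHH", sport, dport, l4_len, 0)
    return ip_hdr + l4_hdr + payload


def five_tuple(pkt: bytes) -> Tuple[int, str, int, str, int]:
    """Extract (proto, src, sport, dst, dport) as the netfilter hook would.
    Protocols without ports (e.g. ICMP) get port 0 so the same rule format applies."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport = dport = 0
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return proto, src, sport, dst, dport


def payload_of(pkt: bytes) -> bytes:
    """Return the L4 payload that the intrusion detection stage inspects."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == PROTO_TCP:
        return pkt[ihl + (pkt[ihl + 12] >> 4) * 4:]
    if pkt[9] == PROTO_UDP:
        return pkt[ihl + 8:]
    return pkt[ihl:]


@dataclass
class Rule:
    """One five-tuple ACL entry (assumed format); None means 'any', src/dst take an address or CIDR."""
    action: str
    proto: Optional[int] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, t) -> bool:
        proto, src, sport, dst, dport = t

        def in_net(addr, spec):
            return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

        return (self.proto in (None, proto) and in_net(src, self.src) and in_net(dst, self.dst)
                and self.sport in (None, sport) and self.dport in (None, dport))


# Simplified stand-in for a snort content rule: (proto, dport, byte pattern, message).
Signature = Tuple[int, int, bytes, str]


def acl_verdict(t, rules: List[Rule]) -> Tuple[int, Optional[Rule]]:
    """First matching rule wins; no match means deny, which is what micro-isolation requires."""
    for r in rules:
        if r.matches(t):
            return (NF_ACCEPT if r.action == "allow" else NF_DROP), r
    return NF_DROP, None


def process_packet(pkt: bytes, rules: List[Rule], sigs: List[Signature], log: list) -> int:
    """Kernel-side ACL first (S301/S302), then IDS on what the ACL let through (S303/S304).
    Every drop produces a log record for upload to the management end."""
    t = five_tuple(pkt)
    verdict, rule = acl_verdict(t, rules)
    if verdict == NF_DROP:
        log.append({"stage": "acl", "verdict": "drop", "tuple": t,
                    "reason": "no allow rule" if rule is None else "deny rule"})
        return NF_DROP
    data = payload_of(pkt)
    for proto, dport, pattern, msg in sigs:
        if proto == t[0] and dport == t[4] and pattern in data:
            log.append({"stage": "ids", "verdict": "drop", "tuple": t, "reason": msg})
            return NF_DROP
    return NF_ACCEPT   # IDS accepted; the kernel continues processing the packet


# Constructed policy: tenant A's web tier may reach its DB on 3306, the subnet may reach
# the web tier on 80; everything else is denied by default.
RULES = [Rule("allow", PROTO_TCP, "10.0.0.11", None, "10.0.0.21", 3306),
         Rule("allow", PROTO_TCP, "10.0.0.0/24", None, "10.0.0.11", 80)]
SIGNATURES = [(PROTO_TCP, 80, b"../../", "WEB-MISC directory traversal attempt")]


def run_demo() -> Tuple[List[int], list]:
    """Run three constructed packets through the pipeline; returns verdicts and the log."""
    log: list = []
    pkts = [
        build_packet(PROTO_TCP, "10.0.0.11", 40001, "10.0.0.21", 3306, b"\x00\x01"),          # allowed
        build_packet(PROTO_TCP, "10.0.1.5", 40002, "10.0.0.21", 22),                           # no rule: ACL drop
        build_packet(PROTO_TCP, "10.0.0.12", 40003, "10.0.0.11", 80, b"GET /../../x HTTP/1.1"),  # ACL ok, IDS drop
    ]
    return [process_packet(p, RULES, SIGNATURES, log) for p in pkts], log
```

The ordering is the point of the design: the cheap five-tuple check runs first and only packets that survive it are queued to the slower application-layer inspection, and both stages produce a log record carrying the five-tuple so the management end can later map the addresses back to tenant and virtual machine names.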
Finally, the management end presents the uploaded logs to the administrator.
The management end receives the logs sent by the agent side, converts the network interface/IP address in the logs into the tenant/virtual machine name, and presents them to the administrator.
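The two management-end conversions described above, name-to-address when the policy is distributed (step S203, with re-synchronization on virtual machine creation, deletion or migration) and address-to-name when logs are presented (step S4), share one inventory, so the following added example covers both. It is not the patent's or the applicant's code: the inventory record layout (a stand-in for what would be read from Nova and Neutron), the `tenant/vm` and `tenant/*` selector syntax, the rule fields and all names and addresses are constructed assumptions.

```python
"""Management-end policy translation, per-node distribution and log enrichment (constructed example)."""
import copy
from typing import Dict, List

# Constructed stand-in for what the management end reads from OpenStack: one record per VM port.
INVENTORY = [
    {"tenant": "tenant-a", "vm": "web-01", "host": "compute-1", "iface": "tap1a2b3c4d-01", "ip": "10.0.0.11"},
    {"tenant": "tenant-a", "vm": "db-01",  "host": "compute-2", "iface": "tap5e6f7a8b-02", "ip": "10.0.0.21"},
    {"tenant": "tenant-b", "vm": "app-01", "host": "compute-1", "iface": "tap9c0d1e2f-03", "ip": "10.0.1.5"},
]

# Administrator policy written in tenant/VM terms; "tenant/*" selects every VM of that tenant.
ADMIN_POLICY = [
    {"action": "allow", "src": "tenant-a/web-01", "dst": "tenant-a/db-01", "proto": "tcp", "dport": 3306},
    {"action": "deny",  "src": "tenant-b/*",      "dst": "tenant-a/*",     "proto": "any", "dport": None},
]


def select(selector: str, inventory: List[Dict]) -> List[Dict]:
    """Resolve 'tenant/vm' or 'tenant/*' to the matching inventory records."""
    tenant, vm = selector.split("/", 1)
    return [r for r in inventory if r["tenant"] == tenant and vm in ("*", r["vm"])]


def translate_policy(policy: List[Dict], inventory: List[Dict]) -> List[Dict]:
    """S203: expand each name-based rule into interface/IP rules the agent can enforce."""
    out = []
    for p in policy:
        for s in select(p["src"], inventory):
            for d in select(p["dst"], inventory):
                out.append({"action": p["action"], "proto": p["proto"], "dport": p["dport"],
                            "src_ip": s["ip"], "src_iface": s["iface"],
                            "dst_ip": d["ip"], "dst_iface": d["iface"],
                            "hosts": sorted({s["host"], d["host"]})})
    return out


def per_node_policy(rules: List[Dict]) -> Dict[str, List[Dict]]:
    """Group translated rules by the compute nodes whose agents must enforce them: a rule goes
    to every node hosting either endpoint, so it is enforced on both egress and ingress."""
    nodes: Dict[str, List[Dict]] = {}
    for r in rules:
        for h in r["hosts"]:
            nodes.setdefault(h, []).append(r)
    return nodes


def migrate(inventory: List[Dict], tenant: str, vm: str, new_host: str) -> List[Dict]:
    """Return the inventory after a VM migration; re-running translation and distribution on
    it is the dynamic policy synchronization the description calls for."""
    updated = copy.deepcopy(inventory)
    for r in updated:
        if r["tenant"] == tenant and r["vm"] == vm:
            r["host"] = new_host
    return updated


def enrich_log(record: Dict, inventory: List[Dict]) -> Dict:
    """S4: replace IPs in an agent log record with tenant/VM names; unknown IPs are labelled
    'external' so the administrator can tell north-south from east-west traffic."""
    by_ip = {r["ip"]: f'{r["tenant"]}/{r["vm"]}' for r in inventory}
    out = dict(record)
    for key in ("src_ip", "dst_ip"):
        out[key.replace("_ip", "")] = by_ip.get(record[key], f"external({record[key]})")
    return out


def demo() -> Dict:
    """Translate the policy, distribute it, migrate web-01 and redistribute, then enrich a log."""
    rules = translate_policy(ADMIN_POLICY, INVENTORY)
    before = per_node_policy(rules)
    moved = migrate(INVENTORY, "tenant-a", "web-01", "compute-3")
    after = per_node_policy(translate_policy(ADMIN_POLICY, moved))
    # Constructed agent log record, as uploaded after an ACL drop.
    raw = {"stage": "acl", "verdict": "drop", "src_ip": "10.0.1.5", "dst_ip": "10.0.0.21", "dport": 22}
    return {"rules": rules, "before": before, "after": after, "log": enrich_log(raw, INVENTORY)}
```

The deny rule with a `tenant/*` selector expands to one concrete rule per source/destination pair, and after the migration the rules that mention web-01 are recomputed for compute-3 and no longer reach compute-1, which is the property a management end must guarantee so that a moved virtual machine neither loses its protection nor leaves stale rules behind.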
The embodiment of the invention installs an agent on each compute node in the OpenStack environment and manages the agents centrally from a management end, realizing an architecture of unified management and distributed deployment. Traffic on a compute node is first subjected to five-tuple access control and then to intrusion detection, achieving access control across network layers 2 to 7. The invention solves the prior-art problem that network attacks between hosts inside a network cannot be effectively blocked, realizes access control of east-west traffic between virtual machines in an OpenStack environment, performs deeper intrusion detection on the traffic using the open-source snort, and can effectively protect the network in a cloud computing environment.
As shown in Fig. 2, an embodiment of the invention also discloses a system for realizing network micro-isolation in an OpenStack environment, the system comprising:
an agent deployment module, for installing an agent on each compute node in the OpenStack environment, the agents being managed centrally by a management end;
a policy distribution module, for the management end to distribute an intrusion detection signature library and an access control policy;
a network data processing module, for the agent side to intercept network packets, enforce network isolation, and record logs that are sent to the management end;
a log processing module, for the management end to present the uploaded logs to the administrator.
The policy distribution module comprises:
a signature library synchronization unit, for the agent side to synchronize the signature library required by snort;
a policy synchronization unit, for distributing the server access control policy to the agent side;
a policy conversion unit, for converting tenant/virtual machine names into the corresponding network interfaces/IP addresses.
The network data processing module comprises:
a packet capture unit, for the agent side to register a netfilter hook function to intercept packets;
an access control unit, for performing five-tuple access control according to the server access control policy distributed by the management end;
a data transfer unit, for passing packets through netfilter's NFQUEUE to snort in the application layer;
an intrusion detection unit, for snort to perform intrusion prevention detection according to the intrusion detection signature library distributed by the management end.
The log processing module comprises:
a log conversion unit, for the management end to convert the network interface/IP address in the uploaded log into the tenant/virtual machine name and present it to the administrator.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the invention; any modifications, equivalent replacements and improvements made within the spirit and principles of the invention shall be included in its scope of protection.

Claims (8)

1. A method for realizing network micro-isolation in an OpenStack environment, characterized in that it comprises the following steps:
S1, an agent is installed on each compute node in the OpenStack environment, and the agents are managed centrally by a management end;
S2, the management end distributes an intrusion detection signature library and an access control policy;
S3, the agent side intercepts network packets, enforces network isolation, and records logs that are sent to the management end;
S4, the management end presents the uploaded logs to the administrator.
2. The method for realizing network micro-isolation in an OpenStack environment according to claim 1, characterized in that step S2 specifically comprises:
S201, the agent side synchronizes the signature library required by snort;
S202, the server access control policy is distributed to the agent side;
S203, tenant/virtual machine names are converted into the corresponding network interfaces/IP addresses.
3. The method for realizing network micro-isolation in an OpenStack environment according to claim 1, characterized in that step S3 specifically comprises:
S301, the agent side registers a netfilter hook function to intercept packets;
S302, five-tuple access control is performed according to the server access control policy distributed by the management end;
S303, packets are passed through netfilter's NFQUEUE to snort in the application layer;
S304, snort performs intrusion prevention detection according to the intrusion detection signature library distributed by the management end.
4. The method for realizing network micro-isolation in an OpenStack environment according to any one of claims 1 to 3, characterized in that step S4 specifically comprises:
the management end converts the network interface/IP address in the uploaded log into the tenant/virtual machine name and presents it to the administrator.
5. A system for realizing network micro-isolation in an OpenStack environment, characterized in that the system comprises:
an agent deployment module, for installing an agent on each compute node in the OpenStack environment, the agents being managed centrally by a management end;
a policy distribution module, for the management end to distribute an intrusion detection signature library and an access control policy;
a network data processing module, for the agent side to intercept network packets, enforce network isolation, and record logs that are sent to the management end;
a log processing module, for the management end to present the uploaded logs to the administrator.
6. The system for realizing network micro-isolation in an OpenStack environment according to claim 5, characterized in that the policy distribution module comprises:
a signature library synchronization unit, for the agent side to synchronize the signature library required by snort;
a policy synchronization unit, for distributing the server access control policy to the agent side;
a policy conversion unit, for converting tenant/virtual machine names into the corresponding network interfaces/IP addresses.
7. The system for realizing network micro-isolation in an OpenStack environment according to claim 5, characterized in that the network data processing module comprises:
a packet capture unit, for the agent side to register a netfilter hook function to intercept packets;
an access control unit, for performing five-tuple access control according to the server access control policy distributed by the management end;
a data transfer unit, for passing packets through netfilter's NFQUEUE to snort in the application layer;
an intrusion detection unit, for snort to perform intrusion prevention detection according to the intrusion detection signature library distributed by the management end.
8. The system for realizing network micro-isolation in an OpenStack environment according to any one of claims 5 to 7, characterized in that the log processing module comprises:
a log conversion unit, for the management end to convert the network interface/IP address in the uploaded log into the tenant/virtual machine name and present it to the administrator.
Priority and family

Application Number Priority Date Filing Date Title
CN201810874200.8A 2018-08-02 2018-08-02 A method and system for realizing network micro-isolation in an OpenStack environment (Pending)

Publication Number Publication Date
CN109150860A 2019-01-04

Family ID: 64798819

Country Status
CN (1) CN109150860A (en)
Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110378103A (en) * 2019-07-22 2019-10-25 电子科技大学 Micro-isolation protection method and system based on OpenFlow protocol
CN110378103B (en) * 2019-07-22 2022-11-25 电子科技大学 Micro-isolation protection method and system based on OpenFlow protocol
CN111800490A (en) * 2020-06-23 2020-10-20 深信服科技股份有限公司 Method and device for acquiring network behavior data and terminal equipment
CN112003877A (en) * 2020-09-03 2020-11-27 上海优扬新媒信息技术有限公司 Network isolation method and device, electronic equipment and storage medium
CN112003877B (en) * 2020-09-03 2023-04-18 度小满科技(北京)有限公司 Network isolation method and device, electronic equipment and storage medium
CN114070622A (en) * 2021-11-16 2022-02-18 北京宏达隆和科技有限公司 Micro-isolation system based on network port security
CN114070622B (en) * 2021-11-16 2024-02-09 北京宏达隆和科技有限公司 Micro-isolation system based on network port security

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105141571A (en) * 2014-06-09 2015-12-09 中兴通讯股份有限公司 Distributed virtual firewall device and method
US20180176252A1 (en) * 2016-12-16 2018-06-21 Nicira, Inc. Application template generation and deep packet inspection approach for creation of micro-segmentation policy for network applications
CN107332851A (en) * 2017-07-07 2017-11-07 深信服科技股份有限公司 Method and system for configuring traffic control in a virtual environment
CN108156153A (en) * 2017-12-22 2018-06-12 国家电网公司 Micro-segmentation protection method based on distributed security domains

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
耿晓菊 et al.: "A design for linking security modules based on Netlink and Libipq" (一种基于Netlink和Libipq实现安全模块联动的设计), 《计算机应用与软件》 (Computer Applications and Software) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20190104)