Distributed virtual firewall device and system deployment method thereof
Technical Field
The present invention relates to the field of computer network technologies, and in particular, to a distributed virtual firewall apparatus and a system deployment method thereof.
Background
Virtualization is one of the hot technologies at present and has been widely applied to cloud computing platforms, virtual storage, virtual operating systems, virtual desktops, virtual terminals and the like, so the security of virtualized environments is becoming more and more important. The firewall (also rendered "guard wall") as it is used on the Internet dates from 1993, when Check Point founder Gil Shwed filed the patent US5606668(A) (filed 1993-12-15). A firewall is a network security system located between an internal network and an external network; it allows or restricts the passage of transmitted data according to a set of rules.
At present, most existing virtual firewall devices for computers are centralized: all traffic is inspected at a single point, so processing is slow and the filtering effect is poor.
Therefore, it is necessary to provide a distributed virtual firewall device and a system deployment method thereof to solve the above problems.
Disclosure of Invention
Technical problem to be solved
Aiming at the defects of the prior art, the invention provides a distributed virtual firewall device and a system deployment method thereof, which solve the problems of low processing speed and poor processing effect of the traditional centralized virtual firewall device.
(II) technical scheme
In order to achieve the purpose, the invention is realized by the following technical scheme:
a distributed virtual firewall device comprises a network virtual firewall, a host virtual firewall, a virtual switch, a host, a cloud computer and an external interface;
the output end of the host virtual firewall is electrically connected with the input end of the host, the output end of the virtual switch is electrically connected with the input end of the network virtual firewall, the output end of the host is electrically connected with the input end of the network virtual firewall, the external interface is electrically connected with the input end of the host virtual firewall, and the output end of the network virtual firewall is electrically connected with the input end of the cloud computer;
the network virtual firewall comprises a network virtual firewall access rule platform and a network information processing and sending module, wherein the network virtual firewall access rule platform comprises a network virtual firewall information verification filtering module;
the output end of the network virtual firewall access rule platform is electrically connected with the input end of a network virtual firewall information verification filtering module, and the output end of the network virtual firewall information verification filtering module is electrically connected with the input end of a network information processing and sending module;
the host virtual firewall comprises a host virtual firewall access rule platform and a host information processing and sending module, wherein the host virtual firewall access rule platform comprises a host virtual firewall information verification and filtering module;
the output end of the host virtual firewall access rule platform is electrically connected with the input end of the host virtual firewall information verification filtering module, and the output end of the host virtual firewall information verification filtering module is electrically connected with the input end of the host information processing and sending module;
the cloud computer comprises a cloud computer intranet node, a user information setting platform and a virtual firewall management platform; the output end of the network virtual firewall is electrically connected with the input end of the cloud computer intranet node, the output end of the user information setting platform is electrically connected with the input end of the virtual firewall management platform, and the output end of the virtual firewall management platform is electrically connected with the input end of the user information setting platform.
Optionally, the output end of the network information processing and sending module is electrically connected with the input end of the cloud computer;
the output end of the host information processing and sending module is electrically connected with the input end of the host.
Optionally, the user information setting platform includes an information setting module, a feedback information receiving module and a sending module;
the output end of the information setting module is electrically connected with the input end of the sending module;
the output end of the feedback information receiving module is electrically connected with the input end of the information setting module.
Optionally, the virtual firewall management platform includes an information receiving module, an information confirming module, an information sending module, and a feedback module;
and the output end of the information receiving module is electrically connected with the input end of the information confirming module.
Optionally, the network virtual firewall access rule platform and the host virtual firewall access rule platform are both internally provided with an information updating module;
the input end of the information updating module is electrically connected with the output end of the information sending module.
Optionally, the output end of the sending module is electrically connected with the input end of the information receiving module;
the input end of the feedback information receiving module is electrically connected with the output end of the feedback module.
Optionally, the intranet nodes of the cloud computer are arranged inside the cloud computer;
the user information setting platform and the virtual firewall management platform are both arranged inside the cloud computer.
A system deployment method of a distributed virtual firewall device comprises a network virtual firewall, a host virtual firewall, a network virtual firewall access rule platform, a host virtual firewall access rule platform and a user information setting platform; the network virtual firewall is arranged inside the cloud computer, the network virtual firewall access rule platform receives the information obtained from the virtual switch and compares and filters it through a network virtual firewall information verification filtering module, and the network virtual firewall information verification filtering module transmits the information that passes the comparison and filtering and matches the network virtual firewall access rules to an intranet node of the cloud computer through a network information processing and sending module;
the host virtual firewall is arranged inside the host, the host virtual firewall access rule platform receives the information acquired from the external interface and compares and filters it through a host virtual firewall information verification filtering module, and the host virtual firewall information verification filtering module transmits the information that passes the comparison and filtering and matches the host virtual firewall access rules to the host through a host information processing and sending module;
the information received by the host is forwarded to the network virtual firewall, which compares and filters the information forwarded by the host a second time before transmitting it to the intranet node of the cloud computer;
the user information setting platform sets, through an information setting module, the target information that a user wants to intercept; the information setting module transmits the target information set by the user to an information receiving module of the virtual firewall management platform through a sending module, the information receiving module passes the target information to an information confirming module, and the information confirming module confirms whether the received target information can be implemented as an access rule and used normally;
the information confirming module passes the confirmed target information that meets the requirements to the information sending module, and passes the confirmed target information that does not meet the requirements to the feedback module.
Optionally, the information sending module respectively sends the target information meeting the requirements to the information updating module;
and the information updating module respectively updates the network virtual firewall access rule of the network virtual firewall access rule platform and the host virtual firewall access rule of the host virtual firewall access rule platform according to the target information.
Optionally, the feedback module feeds back the target information which does not meet the requirement to the feedback information receiving module;
the feedback information receiving module feeds the target information which does not meet the requirement back to the information setting module, so that the user can input the target information again.
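The two-stage data path of the deployment method above, as an added worked example (this is not code from the patent; the rule fields, the first-match and default-deny semantics, and the sample traffic are assumptions made for the illustration): information arriving on the external interface must satisfy the host virtual firewall's rules and then the network virtual firewall's rules before it reaches the intranet node, while information from the virtual switch is checked by the network virtual firewall alone.

```python
"""Two-stage data path of the distributed virtual firewall: host stage, then
network stage. Added illustration of the deployment method; not code from the
patent. Rule fields, first-match/default-deny semantics and sample traffic
are assumptions made for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port
    origin: str  # "external_interface" or "virtual_switch"


@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    src: ipaddress.IPv4Network                # source prefix the rule covers
    proto: Optional[str] = None               # None matches any protocol
    dports: Optional[Tuple[int, int]] = None  # inclusive port range, None = any

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dports is not None and not self.dports[0] <= pkt.dport <= self.dports[1]:
            return False
        return True


class VirtualFirewall:
    """An access rule platform with its verification/filtering module: the first
    matching rule wins, and a packet matching no rule is dropped (default deny)."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = list(rules)
        self.log: List[str] = []  # what the processing/sending module would record

    def filter(self, pkt: Packet) -> bool:
        flow = f"{pkt.src}->{pkt.dst}:{pkt.dport}/{pkt.proto}"
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                self.log.append(f"{self.name}: rule#{i} {rule.action} {flow}")
                return rule.action == "allow"
        self.log.append(f"{self.name}: default deny {flow}")
        return False


def deliver(pkt: Packet, host_fw: VirtualFirewall, net_fw: VirtualFirewall) -> str:
    """External-interface traffic is filtered by the host firewall and, if it
    passes, again by the network firewall; virtual-switch traffic is filtered
    only by the network firewall. Returns where the packet ends up."""
    if pkt.origin == "external_interface" and not host_fw.filter(pkt):
        return "dropped_by_host_fw"
    if not net_fw.filter(pkt):
        return "dropped_by_network_fw"
    return "intranet_node"


def net(prefix: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(prefix)


def build_firewalls() -> Tuple[VirtualFirewall, VirtualFirewall]:
    """Assumed rule sets. The network stage denies 198.51.100.0/24, which the
    host stage does not, so the second stage catches what the first let through."""
    host_fw = VirtualFirewall("host_vfw", [
        Rule("allow", net("0.0.0.0/0"), "tcp", (80, 80)),
        Rule("allow", net("0.0.0.0/0"), "tcp", (443, 443)),
    ])
    net_fw = VirtualFirewall("network_vfw", [
        Rule("deny", net("198.51.100.0/24")),              # blocked prefix, any proto/port
        Rule("allow", net("0.0.0.0/0"), "tcp", (80, 80)),
        Rule("allow", net("0.0.0.0/0"), "tcp", (443, 443)),
        Rule("allow", net("10.0.0.0/8"), "tcp", (22, 22)),  # SSH only from the private range
    ])
    return host_fw, net_fw


def run_demo() -> Dict[str, str]:
    """Constructed sample traffic; returns the outcome for each labelled packet."""
    host_fw, net_fw = build_firewalls()
    samples = {
        "ext_https": Packet("203.0.113.7", "10.0.1.10", "tcp", 443, "external_interface"),
        "ext_smb": Packet("203.0.113.7", "10.0.1.10", "tcp", 445, "external_interface"),
        "ext_blocked_https": Packet("198.51.100.5", "10.0.1.10", "tcp", 443, "external_interface"),
        "vswitch_ssh": Packet("10.0.0.5", "10.0.1.10", "tcp", 22, "virtual_switch"),
        "vswitch_dns": Packet("10.0.0.5", "10.0.1.10", "udp", 53, "virtual_switch"),
    }
    return {label: deliver(pkt, host_fw, net_fw) for label, pkt in samples.items()}
```

Calling run_demo() gives the outcome for each sample packet. The ext_blocked_https case is the one that carries the second-stage argument: the host stage passes it because TCP 443 is allowed, and the network stage drops it because its source prefix is denied there. Keeping default deny in both stages means a rule that is missing from one platform does not by itself open a path to the intranet node.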
(III) advantageous effects
The invention provides a distributed virtual firewall device and a system deployment method thereof, which have the following beneficial effects:
(1) When the host is connected to external hardware, the host virtual firewall prevents virus information carried on that hardware from invading the cloud computer and damaging its internal files, and the network virtual firewall prevents virus information or junk information from the virtual switch from entering the cloud computer directly, which could crash the cloud computer's system or leave an excess of internal junk files that is inconvenient to clean.
(2) The information processed and filtered by the host virtual firewall is forwarded to the network virtual firewall, where it is verified and filtered a second time, which improves the security of the cloud computer. The user information setting platform lets a user set the information to be intercepted, which improves operability for the user; once the user has set correct target information, the information updating module updates the access rules of the network virtual firewall and of the host virtual firewall, so that both firewalls intercept the target information set by the user in good time.
Drawings
Fig. 1 is a schematic diagram of a distributed virtual firewall according to the present invention.
FIG. 2 is a schematic diagram of a network virtual firewall according to the present invention.
FIG. 3 is a diagram illustrating a virtual firewall architecture of a host according to the present invention.
Fig. 4 is a schematic structural diagram of a user information setting platform according to the present invention.
Fig. 5 is a schematic diagram of the working process of the user information setting platform according to the present invention.
FIG. 6 is a flowchart illustrating the operation of the host virtual firewall according to the present invention.
FIG. 7 is a schematic diagram illustrating a working process of the network virtual firewall according to the present invention.
In the figure: 1-network virtual firewall, 2-host virtual firewall, 3-virtual switch, 4-host, 5-cloud computer, 6-external interface, 7-network virtual firewall access rule platform, 8-network information processing sending module, 9-network virtual firewall information verification filtering module, 10-host virtual firewall access rule platform, 11-host information processing sending module, 12-host virtual firewall information verification filtering module, 13-cloud computer intranet node, 14-user information setting platform, 141-information setting module, 142-feedback information receiving module, 143-sending module, 15-virtual firewall management platform, 151-information receiving module, 152-information confirmation module, 153-information sending module, 154-feedback module, 16-information updating module.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it is to be understood that the terms "central," "longitudinal," "lateral," "length," "width," "thickness," "upper," "lower," "front," "rear," "left," "right," "vertical," "horizontal," "top," "bottom," "inner," "outer," "clockwise," "counterclockwise," "axial," "radial," "circumferential," and the like are used in the orientations and positional relationships indicated in the drawings for convenience in describing the invention and to simplify the description, and are not intended to indicate or imply that the referenced devices or elements must have a particular orientation, be constructed and operated in a particular orientation, and are therefore not to be considered limiting of the invention.
In the present invention, unless otherwise expressly specified or limited, the terms "disposed," "mounted," "connected," and "fixed" are to be construed broadly and may, for example, be fixedly connected or detachably connected; may be a mechanical connection; may be directly connected or indirectly connected through an intermediate. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
According to the present invention, as shown in fig. 1-7, there is provided a technical solution:
a distributed virtual firewall device comprises a network virtual firewall 1, a host virtual firewall 2, a virtual switch 3, a host 4, a cloud computer 5 and an external interface 6;
the output end of the host virtual firewall 2 is electrically connected with the input end of the host 4, the output end of the virtual switch 3 is electrically connected with the input end of the network virtual firewall 1, the output end of the host 4 is electrically connected with the input end of the network virtual firewall 1, the external interface 6 is electrically connected with the input end of the host virtual firewall 2, and the output end of the network virtual firewall 1 is electrically connected with the input end of the cloud computer 5;
the network virtual firewall 1 comprises a network virtual firewall access rule platform 7 and a network information processing and sending module 8, wherein the network virtual firewall access rule platform 7 comprises a network virtual firewall information verification and filtering module 9;
the output end of the network virtual firewall access rule platform 7 is electrically connected with the input end of a network virtual firewall information verification filtering module 9, and the output end of the network virtual firewall information verification filtering module 9 is electrically connected with the input end of a network information processing and sending module 8;
the host virtual firewall 2 comprises a host virtual firewall access rule platform 10 and a host information processing and sending module 11, wherein the host virtual firewall access rule platform 10 comprises a host virtual firewall information verification and filtering module 12;
the output end of the host virtual firewall access rule platform 10 is electrically connected with the input end of the host virtual firewall information verification filtering module 12, and the output end of the host virtual firewall information verification filtering module 12 is electrically connected with the input end of the host information processing and sending module 11;
the cloud computer 5 comprises a cloud computer intranet node 13, a user information setting platform 14 and a virtual firewall management platform 15, wherein the output end of the network virtual firewall 1 is electrically connected with the input end of the cloud computer intranet node 13, the output end of the user information setting platform 14 is electrically connected with the input end of the virtual firewall management platform 15, and the output end of the virtual firewall management platform 15 is electrically connected with the input end of the user information setting platform 14.
As an optional technical scheme of the invention: the output end of the network information processing and sending module 8 is electrically connected with the input end of the cloud computer 5;
the output end of the host information processing and sending module 11 is electrically connected with the input end of the host 4.
As an optional technical scheme of the invention: the user information setting platform 14 comprises an information setting module 141, a feedback information receiving module 142 and a sending module 143;
the output end of the information setting module 141 is electrically connected with the input end of the sending module 143;
an output terminal of the feedback information receiving module 142 is electrically connected to an input terminal of the information setting module 141.
As an optional technical scheme of the invention: the virtual firewall management platform 15 comprises an information receiving module 151, an information confirming module 152, an information sending module 153 and a feedback module 154;
an output terminal of the information receiving module 151 is electrically connected to an input terminal of the information confirmation module 152.
As an optional technical scheme of the invention: the network virtual firewall access rule platform 7 and the host virtual firewall access rule platform 10 are internally provided with information updating modules 16;
the input end of the information updating module 16 is electrically connected with the output end of the information sending module 153.
As an optional technical scheme of the invention: the output end of the sending module 143 is electrically connected with the input end of the information receiving module 151;
an input of the feedback information receiving module 142 is electrically connected to an output of the feedback module 154.
As an optional technical scheme of the invention: the cloud computer intranet node 13 is arranged inside the cloud computer 5;
the user information setting platform 14 and the virtual firewall management platform 15 are both provided inside the cloud computer 5.
A system deployment method of a distributed virtual firewall device comprises a network virtual firewall 1, a host virtual firewall 2, a network virtual firewall access rule platform 7, a host virtual firewall access rule platform 10 and a user information setting platform 14; the network virtual firewall 1 is arranged inside the cloud computer 5, the network virtual firewall access rule platform 7 receives the information obtained from the virtual switch 3 and compares and filters it through a network virtual firewall information verification filtering module 9, and the network virtual firewall information verification filtering module 9 transmits the information that passes the comparison and filtering and matches the network virtual firewall access rules to a cloud computer intranet node 13 through a network information processing and sending module 8;
the host virtual firewall 2 is arranged inside the host 4, the host virtual firewall access rule platform 10 receives the information acquired from the external interface 6 and compares and filters it through the host virtual firewall information verification filtering module 12, and the host virtual firewall information verification filtering module 12 transmits the information that passes the comparison and filtering and matches the host virtual firewall access rules to the host 4 through the host information processing and sending module 11;
the information received by the host 4 is forwarded to the network virtual firewall 1, which compares and filters the information forwarded by the host 4 a second time before transmitting it to the cloud computer intranet node 13;
the user information setting platform 14 sets, through the information setting module 141, the target information that a user wants to intercept; the information setting module 141 transmits the target information set by the user to the information receiving module 151 of the virtual firewall management platform 15 through the sending module 143, the information receiving module 151 passes the target information to the information confirming module 152, and the information confirming module 152 confirms whether the received target information can be implemented as an access rule and used normally;
the information confirming module 152 sends the confirmed target information that meets the requirements to the information sending module 153, and sends the confirmed target information that does not meet the requirements to the feedback module 154.
As an optional technical scheme of the invention: the information sending module 153 sends the target information meeting the requirements to the information updating module 16;
the information updating module 16 respectively updates the network virtual firewall access rule of the network virtual firewall access rule platform 7 and the host virtual firewall access rule of the host virtual firewall access rule platform 10 according to the target information.
As an optional technical scheme of the invention: the feedback module 154 feeds the unsatisfactory target information back to the feedback information receiving module 142;
the feedback information receiving module 142 feeds the unsatisfactory target information back to the information setting module 141, so that the user can input the target information again.
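The control path between the user information setting platform 14 and the virtual firewall management platform 15, as an added example (this is not the patent's own code): target information submitted by the user is confirmed by module 152, the usable rules are sent by module 153 to the information updating module 16 of both access rule platforms 7 and 10, and the rest are returned through modules 154 and 142 so the user can enter them again. The text form of a target ("deny 198.51.100.0/24 tcp 445"), the specific checks the confirmation step applies, and the rejection of an allow-all rule are assumptions made for the illustration.

```python
"""Rule-update control path: confirm user-submitted target information, push
the acceptable rules to both access rule platforms, feed the rest back to the
user. Added illustration of the exchange between platform 14 and platform 15;
not code from the patent. The text form of a target and the checks applied
are assumptions made for the example."""
import ipaddress
from typing import Dict, List, Tuple

ACTIONS = {"allow", "deny"}
PROTOS = {"tcp", "udp", "any"}


def confirm(target: str) -> Tuple[bool, str]:
    """Information confirmation module (152): can this target be realised as an
    access rule and used normally? Returns (True, normalised rule) or
    (False, reason for the feedback module)."""
    parts = target.split()
    if len(parts) != 4:
        return False, "expected 'ACTION PREFIX PROTO PORT'"
    action, prefix, proto, port = parts
    if action not in ACTIONS:
        return False, f"unknown action {action!r}"
    try:
        network = ipaddress.ip_network(prefix, strict=False)  # strict=False masks host bits
    except ValueError:
        return False, f"{prefix!r} is not an IP prefix"
    if proto not in PROTOS:
        return False, f"unknown protocol {proto!r}"
    if port != "any":
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            return False, f"port {port!r} out of range"
        if proto == "any":
            return False, "a port requires tcp or udp"
    # A well-formed rule can still be unusable: an allow-all would silently
    # defeat the default deny of both firewalls, so it is bounced as well.
    if action == "allow" and network.prefixlen == 0 and proto == "any" and port == "any":
        return False, "allow-all rule would bypass the firewall; narrow it"
    return True, f"{action} {network} {proto} {port}"


class RulePlatform:
    """An access rule platform (7 or 10) with its information updating module (16)."""

    def __init__(self, name: str):
        self.name = name
        self.rules: List[str] = []

    def update(self, rule: str) -> None:
        if rule not in self.rules:
            self.rules.append(rule)


class ManagementPlatform:
    """Virtual firewall management platform (15): receive (151), confirm (152),
    send accepted rules to every updating module (153), feed back rejects (154)."""

    def __init__(self, platforms: List[RulePlatform]):
        self.platforms = platforms

    def submit(self, targets: List[str]) -> Dict[str, List[str]]:
        accepted: List[str] = []
        feedback: List[str] = []
        for target in targets:
            ok, message = confirm(target)
            if ok:
                for platform in self.platforms:  # network and host rules updated together
                    platform.update(message)
                accepted.append(message)
            else:
                feedback.append(f"{target!r}: {message}")  # returned to module 142 for re-entry
        return {"accepted": accepted, "feedback": feedback}


def run_demo() -> Tuple[Dict[str, List[str]], List[str], List[str]]:
    """Constructed user input: two usable targets and three the confirmation
    module must bounce. Returns the submit result and both platforms' rule lists."""
    net_platform = RulePlatform("network_vfw_rules")
    host_platform = RulePlatform("host_vfw_rules")
    mgmt = ManagementPlatform([net_platform, host_platform])
    targets = [
        "deny 198.51.100.0/24 any any",
        "allow 10.0.0.7/32 tcp 22",
        "block 203.0.113.0/24 tcp 80",  # unknown action
        "deny 300.1.1.1/24 tcp 445",    # not a valid address
        "allow 0.0.0.0/0 any any",      # well formed but would defeat default deny
    ]
    result = mgmt.submit(targets)
    return result, net_platform.rules, host_platform.rules
```

run_demo() returns the accepted rules, the feedback strings for the three rejected targets, and the rule lists of both platforms, which end up identical because the updating step writes each confirmed rule to every platform in the same pass. The allow-all check is the part worth keeping in a real deployment: a target can be syntactically valid and still be one the confirmation step should refuse, because pushing it to the rule platforms would remove the protection the two-stage filtering provides.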
It is noted that in the present disclosure, unless otherwise explicitly specified or limited, a first feature being "on" or "under" a second feature may mean that the first and second features are in direct contact, or that they are in indirect contact through intervening media. Also, a first feature "on," "over," or "above" a second feature may be directly or obliquely above the second feature, or may simply indicate that the first feature is at a higher level than the second feature. A first feature "under," "below," or "beneath" a second feature may be directly or obliquely under the second feature, or may simply mean that the first feature is at a lower level than the second feature.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that modifications may be made to the embodiments or portions thereof without departing from the spirit and scope of the invention.