CN113285983A - Virtual experiment system supporting multiple virtualized security devices to share single encryption card - Google Patents


Publication number
CN113285983A
Authority
CN
China
Prior art keywords
virtual
openstack
service
card
security device
Legal status
Pending
Application number
CN202110453134.9A
Other languages
Chinese (zh)
Inventor
王丹
高明慧
马力
张志军
计士禹
刘锦利
李勃
马骁
卢楷
宁志言
何纪成
马添鑫
于洪臣
高航
赵航
王洋
郭乃豪
高英健
Current Assignee
Beijing Kedong Electric Power Control System Co Ltd
State Grid Fujian Electric Power Co Ltd
State Grid Electric Power Research Institute
State Grid of China Technology College
Original Assignee
Beijing Kedong Electric Power Control System Co Ltd

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L12/00 Data switching networks
            • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
              • H04L12/46 Interconnection of networks
                • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
          • H04L61/00 Network arrangements, protocols or services for addressing or naming
            • H04L61/50 Address allocation
              • H04L61/5007 Internet protocol [IP] addresses
                • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
          • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols
              • H04L67/10 Protocols in which an application is distributed across nodes in the network
                • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
            • H04L67/14 Session management
              • H04L67/141 Setup of application sessions
            • H04L67/50 Network services
              • H04L67/56 Provisioning of proxy services
                • H04L67/568 Storing data temporarily at an intermediate stage, e.g. caching
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F9/00 Arrangements for program control, e.g. control units
            • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
              • G06F9/44 Arrangements for executing specific programs
                • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
                  • G06F9/45533 Hypervisors; Virtual machine monitors
                    • G06F9/45558 Hypervisor-specific management and integration aspects
                      • G06F2009/45587 Isolation or security of virtual machine instances
                      • G06F2009/45595 Network integration; Enabling network access in virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a virtual experiment system that lets multiple virtualized security devices share a single encryption card. A cloud platform is built on OpenStack from several hardware servers and switches; one server is configured as the control node and the others as OpenStack compute nodes. Virtual security devices and virtualized encryption tokens are created on the compute nodes, and a hardware encryption card service program is deployed on the control node for the virtual security devices to call. Only one encryption card needs to be installed in the system to provide the cryptographic service: by sharing that single card's service, all virtual security devices complete data encryption and decryption with one hardware encryption card, which lowers the cost of building the security device service topology and raises the utilization of the hardware encryption card.

Description

Virtual experiment system supporting multiple virtualized security devices to share single encryption card
Technical Field
The invention belongs to the technical field of communication security and in particular relates to a virtual experiment system that supports multiple virtualized security devices sharing a single encryption card.
Background
The platform management technology of a cloud computing system lets a large number of servers work cooperatively: services are deployed and activated conveniently, system faults are found and recovered from quickly, and reliable operation of a large-scale system is achieved through automated and intelligent means. One core idea of cloud computing is to provide centralized physical computing resources on the server side and decompose them into smaller units that independently serve different users; that is, while the physical resources are shared, each user is given an isolated, secure and trusted virtual working environment, which inevitably depends on virtualization technology.
Virtualization is one of the indispensable key technologies for building a cloud infrastructure. A cloud computing system is essentially a large distributed system: several virtual platforms are virtualized on one physical platform, and each virtual platform can join the distributed system as an independent terminal. Compared with using a physical platform directly, virtualization has great advantages in effective resource utilization, dynamic allocation and high reliability. With virtualization, an enterprise can construct a new information infrastructure without discarding its existing one, making fuller use of its original IT investment.
Virtualization reduces server over-provisioning, improves equipment utilization, reduces total IT investment, makes the IT environment more flexible to provide and allows resources to be shared; its weak point is security, and virtualized equipment is a preferred target for malicious code and attackers.
A virtual laboratory built on cloud computing and virtualization supports the creation of various network devices, including virtual switches, virtual routers, virtual firewalls, virtual security devices, virtual power isolation devices and virtual hosts (Windows and Linux); it provides networking and configuration of these devices in a power-system environment and simulates real network scenarios.
A hardware security device needs its own hardware encryption card installed, and data encryption and decryption are completed by calling that card. The prior art therefore has the following defects: each hardware security device needs an independent hardware encryption card, the cards are expensive, and the cost of use rises; a separate card per device wastes resources and leaves each hardware encryption card poorly utilized.
Disclosure of Invention
The invention aims to overcome the defects of the prior art. It provides a virtual experiment system supporting multiple virtual security devices sharing a single encryption card, and solves the technical problem of resource waste caused by each hardware security device needing a separate hardware encryption card, by letting the virtual security devices use the same hardware encryption card.
To achieve this purpose, the technical scheme adopted by the invention is as follows:
the invention provides a virtual experiment system supporting multiple virtualized security devices sharing a single encryption card, built as follows:
building a cloud platform based on OpenStack; the cloud platform adopts a plurality of hardware servers and switches with the same configuration to build a network; a hardware server is configured as an OpenStack control node and used for controlling, managing and scheduling cloud platform resources; the other hardware servers are configured as OpenStack computing nodes and used for scheduling and processing computing resources;
the OpenStack computing node is used for creating a security device virtual machine and virtualizing an encryption token;
and the OpenStack control node deploys a hardware encryption card service program for the virtual security device to call.
Further, the hardware server is provided with a processor, a memory, a magnetic disk and a network card, the number of the network cards is more than or equal to 3, and the CentOS 7 operating system is installed on the hardware server.
Further, the OpenStack compute node deploys the compute service and network agents; the network agents comprise a DHCP agent, a virtual switch agent and a virtual router agent;
the OpenStack control node deploys the network service, authentication service, graphical service and image service; the image service manages the image files required by the virtual experiment system.
Further, the OpenStack control node configures one network card as the management network card for control communication between the OpenStack control node and the OpenStack compute nodes, and a second network card for establishing a communication tunnel with the second network card of each OpenStack compute node;
the OpenStack compute node likewise configures one network card as the management network card for control communication with the OpenStack control node, and a second network card for communication among virtual devices on different OpenStack compute nodes.
Further, the OpenStack compute node is specifically configured to:
copy the image file of the security device from the OpenStack control node to create a security device virtual machine, and configure for it two virtual service network cards, one virtual management network card and one virtual encryption/decryption communication network card;
create a device working directory in the created security device virtual machine;
store the device program of the security device in the created device working directory, and configure the device program to start automatically at boot;
bridge the virtual management network card of the security device virtual machine to the management network card of the OpenStack compute node; bridge one virtual service network card of the security device virtual machine with the virtual service network cards of the other security device virtual machines; and bridge the other virtual service network card of the security device virtual machine to a non-security-device virtual machine.
Further, the OpenStack compute node is specifically configured to
transmit the encryption token information, including user name, password and connection state, to the security device virtual machine in a layer-2 message, thereby virtualizing the encryption token.
Further, the security device virtual machine is configured to
initiate a TCP connection, through its virtual encryption/decryption communication network card, to the hardware encryption card service program deployed on the OpenStack control node, and apply for data encryption or data decryption;
and receive the encrypted or decrypted data returned by the hardware encryption card service program.
Further, the data encryption or decryption request format is as follows:
| host ID | virtual machine ID | IP address | key | function code | data length | data to be encrypted or decrypted |
and the reply format after the data has been encrypted or decrypted is as follows:
| host ID | virtual machine ID | data length | encrypted or decrypted data |
Further, the OpenStack control node runs a virtual experiment system manager in a Web service form;
the virtual experiment system manager is used for providing a virtualized component under an electric power security scene, providing a graphical management tool and providing an API;
the graphical management tool is used for building and configuring a power security topology experiment scene, a virtual-real intercommunication scene, an experiment case and attack and defense drilling;
the API is used for embedding the virtual experiment system into a third-party platform.
Further, the back end of the virtual experiment system manager uses Django for the Web service, uWSGI + Nginx as the Web container and access scheduling, and MySQL + Redis as the data storage/cache service; the front end uses HTML5 + CSS3 + React.
Compared with the prior art, the invention has the following beneficial effects:
the invention provides a virtual experiment system supporting multiple virtualized security devices sharing a single encryption card, which needs only one embedded encryption card to provide the cryptographic service; by sharing the single card's service, all virtual security devices complete data encryption and decryption with one hardware encryption card, reducing the cost of building the security device service topology and improving the utilization of the hardware encryption card.
Drawings
FIG. 1 is a diagram of a virtual laboratory architecture of the present invention.
Fig. 2 shows the encryption and decryption processes of the virtual device and the encryption card program according to the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.
The virtual laboratory for dynamically constructing the security protection model of a power monitoring system aims to design and configure a cloud computing system that provides experiment, teaching and attack-and-defence drill services for the power system in an economical and cost-effective way. With reference to the system architecture in Fig. 1, the virtual experiment system supporting multiple virtualized security devices sharing a single encryption card is constructed as follows:
Step 1: build a private cloud platform service on OpenStack (Queens release) with the hardware servers; the network topology is rebuilt on top of the native OpenStack network service (Neutron) to realize a virtual-real intercommunication network scenario (interconnection between virtual devices inside the cloud and physical devices outside it). This platform provides the basic cloud environment for the virtual laboratory.
OpenStack is an open-source cloud computing management platform in which several components work together to complete specific tasks; its aim is a cloud computing platform that is simple to implement, scales massively and is rich in features and unified in standards, and it provides an infrastructure-as-a-service (IaaS) solution through a set of complementary services.
The virtual laboratory builds its cloud platform on OpenStack (Queens release); the main services used are the compute service (Nova), network service (Neutron), authentication service (Keystone), graphical service (Horizon) and image service (Glance).
The main deployment mode is as follows:
Required hardware: several hardware servers with the same configuration (each with at least a processor, memory, a disk and three or more network cards, running the CentOS 7 operating system), plus switches that connect the hardware servers into a network.
One hardware server serves as the OpenStack control node (Controller), which controls, manages and schedules the cloud platform's resources and other component services; the services deployed on the control node are the network service, authentication service, graphical service and image service. The image service manages the image files needed by the virtual laboratory, mainly virtual machine images. An image file is a special file that packages a set of files into a single file in a defined format, so that users can download and use it and a specific program can recognize and load it; in the virtual laboratory, device virtual machines are created from the virtual device image files managed by the image service. The first network card (eth0) of the control node serves the management network, used for communication between the control node and the compute nodes; the second network card (eth1) serves the overlay (cross-node) network, over which virtual devices in the cloud-internal network communicate and reach the control node's management network through a floating IP. A VXLAN tunnel is formed between port eth1 of the control node and port eth1 of each compute node, and virtual machine traffic passes through this tunnel.
The remaining hardware servers all serve as OpenStack compute nodes (Compute), which schedule and process computing resources (CPU, memory, disk, network and so on). The services deployed on each compute node are the compute service and the network agents: a DHCP agent, a virtual switch agent and a virtual router agent, each managed by the network service on the control node to realize its specific function. The DHCP agent provides DHCP server and client functions, the virtual switch agent provides a layer-2 switch, and the virtual router agent provides a layer-3 router. The first network card (eth0) of a compute node is on the management network, the same network as the control node's, and is used for direct communication between the control node and each compute node; the second network card (eth1) serves the tunnel network for devices communicating across compute nodes, i.e. between virtual machines on different compute nodes.
Step 2: based on OpenStack, develop a virtualized version of the security device (the encryption authentication and network management device), providing virtual component support for power-specific equipment in the virtual laboratory.
Virtualization of the security device:
The security device is an existing physical hardware device: a wide-area-network boundary protection device developed specifically for the power dispatching data network, and a cryptographic device with an authentication function. To use it in the virtual laboratory, the original physical device must be converted into a virtual device, i.e. one that runs normally inside a virtual machine.
The transformation process is as follows:
First, a virtual machine is created on any compute node. The API of the image service and the image files are on the control node; when the virtual machine is created on a compute node, the image file is copied to that node to launch the instance.
The operating system is CentOS 7 and four virtual network cards are assigned: virtual network cards eth0 and eth1 are service network cards with the same functions as on the original physical device; virtual network card eth2 is the management network card, used to manage and configure the device; virtual network card eth3 is the virtual encryption/decryption communication network card, which is assigned a floating IP and communicates with the management network card eth0 of the control node.
Second, a device working directory is created in the new virtual machine to store and run the device program.
Third, the existing device program (essentially the same as the original physical device's program, only ported to the new running platform, i.e. from ARM to x86) is uploaded to the new device working directory and configured to start automatically at boot, so that it runs as a daemon process once the virtual machine starts.
Finally, the virtual management network card eth2 of the virtual machine is bridged to the management network card eth0 of the compute node so that the virtual machine can be managed and configured; the virtual service network card eth1 of the virtual machine is bridged with the virtual service network card eth1 of other virtual machines (created in the same way, on the same compute node or on different compute nodes) to simulate their connection; and the virtual service network card eth0 of the master-station and plant-station longitudinal (security device) virtual machines is bridged to other ordinary virtual machines (ordinary Windows or Linux hosts in the virtual laboratory) to simulate the connection between an ordinary virtual host and the security device virtual machine.
Virtualization of the encryption token (UKEY):
The encryption token is a digital certificate device (physical encryption token), unique to each user, used to authenticate the user logging in to the virtual device; it stores the user's personal information (user name, password, connection state and so on). To use the encryption token in the virtual laboratory, the original physical token must be transformed into a virtualized version (virtualized encryption token).
The transformation process is as follows:
When a virtual UKEY is used to connect to the security device virtual machine, the token information (user name, password and connection state) is sent to the security device virtual machine in a layer-2 message, simulating the basic function of the UKEY.
Taking the virtualized UKEY components as an example, each UKEY component corresponds to a file that records the virtual machine ID, user name, user password, connection state and similar information, which is verified and matched against the virtualized device.
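As an added example (not the patent's own code) of how such a per-UKEY file can be verified and matched against the virtualized device, the Python below represents one UKEY component as a JSON record with the fields the text names. It departs from storing the password in clear: the record holds a salted PBKDF2 hash and the comparison is constant-time, so a copied token file does not hand over the password. The field names, the work factor, the `connection_state` values and all function names are assumptions.

```python
import hashlib
import hmac
import json
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor; the page does not specify one


def make_token_record(vm_id, username, password, connection_state="disconnected"):
    """Build the record for one virtualized UKEY component.

    The page says the file records VM id, user name, user password and
    connection state; here the password is kept only as a salted PBKDF2 hash
    (a hardening choice, not what the page describes).
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {
        "vm_id": vm_id,                      # security device VM this token is bound to
        "username": username,
        "salt": salt.hex(),
        "password_hash": digest.hex(),
        "connection_state": connection_state,
    }


def write_token_file(path, record):
    """One UKEY component corresponds to one file."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(record, f)


def load_token_file(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def verify_token(record, vm_id, username, password):
    """Match a presented token against the virtual security device it is
    connecting to. Returns (ok, reason)."""
    if record["vm_id"] != vm_id:
        return False, "token is bound to a different virtual machine"
    # Constant-time comparisons so the check does not leak how close a guess was.
    if not hmac.compare_digest(record["username"].encode(), username.encode()):
        return False, "unknown user"
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), PBKDF2_ROUNDS)
    if not hmac.compare_digest(digest, bytes.fromhex(record["password_hash"])):
        return False, "wrong password"
    return True, "ok"


def connect(record, vm_id, username, password):
    """Simulate the UKEY login: the connection state in the record follows the
    outcome, so a failed attempt never leaves a token marked connected."""
    ok, reason = verify_token(record, vm_id, username, password)
    record["connection_state"] = "connected" if ok else "disconnected"
    return ok, reason


if __name__ == "__main__":
    rec = make_token_record("vm-07", "operator", "s3cret")   # constructed sample
    print(connect(rec, "vm-07", "operator", "s3cret"))
    print(connect(rec, "vm-08", "operator", "s3cret"))       # wrong device
```

Binding the record to a VM id is what makes "matched with the virtualized device" enforceable: a token copied from one security device VM is rejected by another even when the user name and password are right.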
Step 3: build the virtual laboratory manager with Web technologies and expose a calling interface to the outside. This gives users a convenient and flexible operating experience while providing an interface that external third-party applications can call.
An important role of the virtual laboratory manager is to provide the user with virtualized components for the power security scenario, including but not limited to virtual devices, virtual power isolation devices, virtual UKEYs, virtual hosts (Windows 7, CentOS 7), virtual routers, virtual switches and virtual network links. Its second role is to provide a set of graphical laboratory management tools: through a browser, users can build and configure classic power security topology scenarios and virtual-real intercommunication scenarios, invoke experiment cases, run attack-and-defence drills and so on, giving them a platform on which to learn and practise building and configuring power-specific service security scenarios. Its third role is to let the laboratory be embedded flexibly in other third-party platforms through a complete API (Application Programming Interface).
The virtual laboratory manager runs on the control node as a Web service; the back end uses Django (a Python Web framework) for the Web service, uWSGI + Nginx as the Web container and access scheduling, and MySQL (database) + Redis (NoSQL) as data storage/cache; the front end uses HTML5 + CSS3 + React.
Step 4: deploy the hardware encryption card service program on the OpenStack control node; the virtualized security devices call this service program to encrypt and decrypt data.
Because the number of virtual devices on the OpenStack compute nodes is not fixed (a virtual laboratory can create many virtual security devices), a hardware encryption card cannot be dedicated to one virtual security device; the same encryption service must be provided to all virtual devices. Therefore the hardware encryption card and the encryption card service program are deployed on the OpenStack control node. The encryption/decryption service program runs on the control node as the server side, starts together with the control node, listens on TCP port 60000, handles concurrent encryption and decryption requests with a multi-threaded network service model, and calls the encryption card to provide data encryption for all virtual security devices.
Referring to Fig. 2, when a virtual security device needs the encryption card to encrypt or decrypt data, it acts as a TCP client and initiates a TCP connection to the hardware encryption card service program to request data encryption or decryption. The request message carries a host ID and a virtual device ID. The service program encrypts (or decrypts) the data and replies to the virtual security device; the reply also carries the host ID of the OpenStack compute node and the virtual device ID, so the reply can be matched to the virtual security device it belongs to by checking these two IDs. Multiple virtual security devices can connect to the TCP service and request encryption and decryption at the same time, which is how multiple virtual devices share the single encryption card's cryptographic service.
The TCP request format for encryption or decryption is as follows:
| host ID | virtual machine ID | IP address | key | function code | data length | data to be encrypted (decrypted) |
The TCP reply format after data encryption or decryption is as follows:
| host ID | virtual machine ID | data length | encrypted (decrypted) data |
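As an added illustration of the request/reply exchange described in this step and in the "Further" paragraphs above (not code from the patent), the following Python sketch implements the two pipe-delimited formats with a data-length check, a threaded TCP service that echoes the host ID and virtual machine ID back so each reply can be matched to the virtual security device that asked, and the client call a virtual security device would make. Port 60000 comes from the text; the function code values, the `FUNC_*` names, all function names and the HMAC keystream that stands in for the hardware card are assumptions, since the page does not describe the card's API.

```python
import hashlib
import hmac
import socket
import socketserver
import threading

# Function code values are not given on the page; these two are assumed here.
FUNC_ENCRYPT = b"1"
FUNC_DECRYPT = b"2"
SERVICE_PORT = 60000  # port on which the control-node service listens (from the text)


class FormatError(ValueError):
    """Request or reply does not match the pipe-delimited format."""


def _take_payload(length, rest):
    """Return exactly `length` bytes of rest; only an optional trailing '|' may follow."""
    if not length.isdigit():
        raise FormatError("bad data length")
    n = int(length)
    if len(rest) < n or rest[n:] not in (b"", b"|"):
        raise FormatError("data length does not match payload")
    return rest[:n]


def encode_request(host_id, vm_id, ip, key, func, data):
    """host ID | VM ID | ip | key | function code | data length | data |
    All fields except data are assumed not to contain the '|' delimiter."""
    return b"|".join([host_id, vm_id, ip, key, func, str(len(data)).encode(), data]) + b"|"


def parse_request(msg):
    # Split on the first six delimiters only: the payload may itself contain '|',
    # so the declared length, not the delimiter, decides where it ends.
    parts = msg.split(b"|", 6)
    if len(parts) != 7:
        raise FormatError("request needs 7 fields")
    host_id, vm_id, ip, key, func, length, rest = parts
    if func not in (FUNC_ENCRYPT, FUNC_DECRYPT):
        raise FormatError("unknown function code")
    return host_id, vm_id, ip, key, func, _take_payload(length, rest)


def encode_reply(host_id, vm_id, data):
    """host ID | VM ID | data length | data |"""
    return b"|".join([host_id, vm_id, str(len(data)).encode(), data]) + b"|"


def parse_reply(msg):
    parts = msg.split(b"|", 3)
    if len(parts) != 4:
        raise FormatError("reply needs 4 fields")
    host_id, vm_id, length, rest = parts
    return host_id, vm_id, _take_payload(length, rest)


def request_error(msg):
    """The format error a request would raise, or None if it parses cleanly."""
    try:
        parse_request(msg)
        return None
    except FormatError as e:
        return str(e)


def card_transform(key, data):
    """Stand-in for the hardware encryption card (assumption, not a real cipher):
    XOR with an HMAC-SHA256 keystream, so the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        stream = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], stream))
    return bytes(out)


def handle_request(msg):
    """Service side: transform the payload and echo host ID and VM ID so the
    reply can be matched to the virtual security device that asked."""
    host_id, vm_id, _ip, key, _func, data = parse_request(msg)
    return encode_reply(host_id, vm_id, card_transform(key, data))


class CardHandler(socketserver.StreamRequestHandler):
    def handle(self):
        request = self.rfile.read()  # the client half-closes after sending
        try:
            self.wfile.write(handle_request(request))
        except FormatError as e:
            self.wfile.write(b"ERR|" + str(e).encode() + b"|")


def start_service(host="0.0.0.0", port=SERVICE_PORT):
    """Threaded TCP server: one thread per virtual security device connection."""
    server = socketserver.ThreadingTCPServer((host, port), CardHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def request_crypto(addr, host_id, vm_id, ip, key, func, data):
    """Client side: what a virtual security device does over its eth3 card."""
    with socket.create_connection(addr) as s:
        s.sendall(encode_request(host_id, vm_id, ip, key, func, data))
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return parse_reply(b"".join(chunks))
```

Because the payload is binary and may itself contain the delimiter, the parser splits on the first six `|` only and then trusts the declared data length, rejecting any request whose declared length does not match what arrived; that is the check a service reachable from every virtual device on the platform should make before handing anything to the card.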
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

Claims (10)

1. A virtual experiment system supporting multiple virtualized security devices to share a single encryption card is characterized by comprising:
building a cloud platform based on OpenStack; the cloud platform uses a plurality of identically configured hardware servers and switches to build its network; one hardware server is configured as the OpenStack control node, which controls, manages and schedules cloud platform resources; the remaining hardware servers are configured as OpenStack computing nodes, which schedule and process computing resources;
the OpenStack computing node is used for creating a security device virtual machine and virtualizing an encryption token;
and the OpenStack control node deploys a hardware encryption card service program for the virtual security device to call.
2. The virtual experiment system supporting multiple virtualized security devices to share a single encryption card according to claim 1, wherein the hardware server is configured with a processor, a memory, a disk and a network card, the number of the network cards is greater than or equal to 3, and the hardware server is provided with a CentOS 7 operating system.
3. The virtual experiment system supporting multiple virtualized security devices to share a single encryption card according to claim 1, wherein the OpenStack computing node deploys computing services and network agents; the network agents comprise a DHCP agent, a virtual switch agent and a virtual router agent;
the OpenStack control node deploys network service, authentication service, graphical service and image service; the image service is used for managing the image files required by the virtual experiment system.
4. The virtual experiment system supporting the sharing of the single encryption card by the multiple virtualized security devices according to claim 1,
the OpenStack control node is provided with a network card as a management network card and is used for controlling communication between the OpenStack control node and the OpenStack computing node; the OpenStack control node is configured with a second network card for establishing a communication tunnel with the second network card of the OpenStack computing node;
the OpenStack computing node is provided with a network card as a management network card and is used for controlling communication between the OpenStack control node and the OpenStack computing node; and the OpenStack computing node is configured with a second network card for communication among virtual devices on different OpenStack computing nodes.
5. The virtual experiment system supporting multiple virtualized security devices to share a single encryption card according to claim 4, wherein the OpenStack compute node is specifically configured to,
copying an image file of the security device from the OpenStack control node to create the security device virtual machine, and configuring two virtual service network cards, one virtual management network card and one virtual encryption and decryption communication network card for the security device virtual machine;
creating a device working directory in the created security device virtual machine;
storing the device program of the security device in the created device working directory, and setting the device program to start automatically at boot;
bridging the virtual management network card of the security device virtual machine to the management network card of the OpenStack computing node; bridging one virtual service network card of the security device virtual machine to the virtual service network cards of the other security device virtual machines; and bridging the other virtual service network card of the security device virtual machine to the non-security-device virtual machines.
6. The virtual experiment system supporting multiple virtualized security devices to share a single encryption card according to claim 5, wherein the OpenStack compute node is specifically configured to,
transmitting the encryption token information, including the user name, the password and the connection state, to the security device virtual machine by sending a layer-2 message, thereby virtualizing the encryption token.
7. The virtual experiment system supporting multiple virtualized security devices to share a single encryption card according to claim 5, wherein the security device virtual machine is used for,
initiating TCP connection to a hardware encryption card service program deployed in an OpenStack control node through a virtual encryption and decryption communication network card, and applying for data encryption or data decryption;
and receiving the encrypted or decrypted data returned by the hardware encryption card service program.
8. The virtual experiment system supporting the sharing of the single encryption card by the multiple virtualized security devices according to claim 7,
the data encryption or data decryption application format is as follows:
| host machine ID | virtual machine ID | ip address | key | function code | data length | data to be encrypted or decrypted |;
the reply format after the data is encrypted or decrypted is as follows:
| host ID | virtual machine ID | data length | encrypted or decrypted data |.
9. The virtual experiment system supporting multiple virtualized security devices to share a single encryption card according to claim 1, wherein the OpenStack control node runs a virtual experiment system manager in a Web service manner;
the virtual experiment system manager is used for providing a virtualized component under an electric power security scene, providing a graphical management tool and providing an API;
the graphical management tool is used for building and configuring a power security topology experiment scene, a virtual-real intercommunication scene, an experiment case and attack and defense drilling;
the API is used for embedding the virtual experiment system into a third-party platform.
10. The virtual experiment system supporting multiple virtualized security devices to share a single encryption card according to claim 9, wherein the back end of the virtual experiment system manager implements the Web services with Django, uses uWSGI + Nginx as the Web container and for access scheduling, and uses a MySQL database + Redis as the data storage/cache service; the front end uses HTML5 + CSS3 + React.
CN202110453134.9A 2021-04-26 2021-04-26 Virtual experiment system supporting multiple virtualized security devices to share single encryption card Pending CN113285983A (en)

Publications (1)

Publication Number Publication Date
CN113285983A true CN113285983A (en) 2021-08-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20211217

Address after: No. 19, Chengxin Avenue, Jiangning District, Nanjing, Jiangsu 210006

Applicant after: STATE GRID ELECTRIC POWER RESEARCH INSTITUTE Co.,Ltd.

Applicant after: BEIJING KEDONG POWER CONTROL SYSTEM Co.,Ltd.

Applicant after: STATE GRID FUJIAN ELECTRIC POWER Co.,Ltd.

Applicant after: STATE GRID CORPORATION TECHNICAL College BRANCH

Address before: 5 / F, main building, No.15, Xiaoying East Road, Qinghe, Haidian District, Beijing 100192

Applicant before: BEIJING KEDONG POWER CONTROL SYSTEM Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20210820