Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a virtual experiment system in which multiple virtual security devices share a single encryption card. It solves the technical problem of wasted resources that arises because each physical security device needs its own hardware encryption card, whereas the virtual security devices can all use one and the same card.
In order to achieve the purpose, the technical scheme adopted by the invention is as follows:
the invention provides a virtual experiment system supporting multiple virtualized security devices sharing a single encryption card, built as follows:
building a cloud platform based on OpenStack; the cloud platform uses several identically configured hardware servers and switches to build the network; one hardware server is configured as the OpenStack control node, which controls, manages and schedules the cloud platform's resources; the other hardware servers are configured as OpenStack compute nodes, which schedule and process computing resources;
the OpenStack compute nodes create the security device virtual machines and virtualize the encryption token;
and the OpenStack control node runs the hardware encryption card service program that the virtual security devices call.
Further, each hardware server has a processor, memory, a disk and at least three network cards, and runs the CentOS 7 operating system.
Further, each OpenStack compute node runs the compute service and the network agents; the network agents comprise a DHCP agent, a virtual switch agent and a virtual router agent;
the OpenStack control node runs the network service, the authentication service, the dashboard service and the image service; the image service manages the image files required by the virtual experiment system.
Further, the OpenStack control node uses one network card as its management network card, for control communication between the control node and the compute nodes, and a second network card to establish a communication tunnel with the second network card of each compute node;
each OpenStack compute node likewise uses one network card as its management network card, for control communication with the control node, and a second network card for communication between virtual devices on different compute nodes.
Further, each OpenStack compute node is specifically configured to,
copy the security device image file from the OpenStack control node to create the security device virtual machine, and configure that virtual machine with two virtual service network cards, one virtual management network card and one virtual encryption/decryption communication network card;
create a device working directory in the created security device virtual machine;
store the security device's device program in that working directory and set it to start automatically at boot;
bridge the virtual management network card of the security device virtual machine to the management network card of the compute node; bridge one virtual service network card of the security device virtual machine to the virtual service network cards of the other security device virtual machines; and bridge the other virtual service network card of the security device virtual machine to the non-security-device virtual machines.
Further, each OpenStack compute node is specifically configured to,
virtualize the encryption token by sending the encryption token information, comprising the user name, the password and the connection state, to the security device virtual machine in a layer-2 message.
Further, the security device virtual machine is configured to,
initiate a TCP connection through its virtual encryption/decryption communication network card to the hardware encryption card service program deployed on the OpenStack control node, and request data encryption or data decryption;
and receive the encrypted or decrypted data returned by the hardware encryption card service program.
Further, the format of a data encryption or data decryption request is as follows:
| host ID | virtual machine ID | IP address | key | function code | data length | data to be encrypted or decrypted |;
and the format of the reply after the data has been encrypted or decrypted is as follows:
| host ID | virtual machine ID | data length | encrypted or decrypted data |.
Further, the OpenStack control node runs the virtual experiment system manager as a Web service;
the virtual experiment system manager provides the virtualized components of an electric power security scenario, a graphical management tool and an API;
the graphical management tool is used to build and configure power security topology experiment scenarios, virtual-real intercommunication scenarios, experiment cases and attack-and-defense drills;
the API is used to embed the virtual experiment system into third-party platforms.
Further, the back end of the virtual experiment system manager uses Django for the Web service, uWSGI + Nginx as the Web container and access scheduling, and a MySQL database + Redis as the data storage/cache service; the front end uses HTML5 + CSS3 + React.
Compared with the prior art, the invention has the following beneficial effects:
the invention provides a virtual experiment system supporting multiple virtualized security devices sharing a single encryption card; only one encryption card needs to be installed to provide cryptographic services, and through the shared single-card cryptographic service all virtual security devices complete data encryption and decryption with that one hardware encryption card, which reduces the cost of building a security device service topology and improves the utilisation of the hardware encryption card.
Detailed Description
The invention is further described below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.
The virtual laboratory for dynamically building the security protection model of a power monitoring system aims to design and configure a cloud computing system that provides experiment, teaching and attack-and-defense drill services for the power system economically and cost-effectively. With reference to the system architecture in fig. 1, the virtual experiment system in which multiple virtualized security devices share a single encryption card is built as follows:
Step 1: build a private cloud platform service based on OpenStack (Queens release) on the hardware servers; the network topology is rebuilt on top of the native OpenStack network service (Neutron) to realise a virtual-real intercommunication network scenario, i.e. interconnection between virtual devices inside the cloud and physical devices outside it. This platform provides the basic cloud environment for the virtual laboratory.
OpenStack is an open-source cloud computing management platform in which several components work together to complete specific tasks; it aims to provide a cloud computing platform that is simple to deploy, massively scalable, feature-rich and standardised, offering an Infrastructure as a Service (IaaS) solution through a set of complementary services.
The virtual laboratory builds its cloud platform on OpenStack (Queens release); the main services used are the compute service (Nova), the network service (Neutron), the authentication service (Keystone), the dashboard service (Horizon) and the image service (Glance).
The main deployment mode is as follows:
Required hardware: several identically configured hardware servers (each with at least a processor, memory, a disk and at least three network cards, running the CentOS 7 operating system) and the switches used with the servers to build the network.
One of the hardware servers serves as the OpenStack control node (Controller) and controls, manages and schedules the cloud platform's resources and the other component services. The services deployed on the control node are the network service, the authentication service, the dashboard service and the image service. The image service manages the image files needed by the virtual laboratory, chiefly the virtual device images. An image file is a special file that packs a set of specific files into a single file in a defined format so that users can download and use it and a specific program can recognise and load it; in the virtual laboratory a device virtual machine is created from a virtual device image managed by the image service. The control node's first network card (eth0) carries the management network, used for communication between the control node and the compute nodes; the second network card (eth1) carries the overlay network, i.e. the network that spans nodes: virtual devices communicate over it inside the cloud, and a virtual device reaches the control node's management network through a floating IP. A VXLAN tunnel is formed between eth1 of the control node and eth1 of each compute node, and virtual machine traffic passes through this tunnel.
The remaining hardware servers all serve as OpenStack compute nodes (Compute) and schedule and process computing resources (CPU, memory, disk, network and so on). The services deployed on each compute node are the compute service and the network agents: a DHCP agent, a virtual switch agent and a virtual router agent. Each agent is managed by the control node's network service and realises its own function: the DHCP agent provides the DHCP server and client functions, the virtual switch agent provides a layer-2 switch, and the virtual router agent provides a layer-3 router. The compute node's first network card (eth0) carries the management network, the same management network as the control node's, for direct communication between the control node and each compute node; the second network card (eth1) carries the tunnel network for devices that communicate across compute nodes, i.e. between virtual machines on different compute nodes.
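As an added example that is not part of the page, the Neutron ML2/Open vSwitch settings that produce the layout just described on a Queens deployment: VXLAN as the tenant network type, with each node's tunnel endpoint bound to the address of its eth1. The file paths are the Queens defaults; the addresses and the VNI range are assumptions.

```ini
# Control node: /etc/neutron/plugins/ml2/ml2_conf.ini (read by neutron-server)
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = openvswitch,l2population

[ml2_type_vxlan]
# assumed VNI range
vni_ranges = 1:1000

# Every node that terminates a tunnel, i.e. the control node and each compute node:
# /etc/neutron/plugins/ml2/openvswitch_agent.ini
[ovs]
# assumed: this node's own eth1 (tunnel network) address; differs on every node
local_ip = 10.0.1.11

[agent]
tunnel_types = vxlan
l2_population = true
```

Because the page forms the tunnel between the control node's eth1 and each compute node's eth1, the agent section is needed on the control node too, each node with its own eth1 address in local_ip. oslo.config does not reliably strip trailing comments from values, so comments are kept on their own lines.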
Step 2: based on OpenStack, develop a virtualized version of the security device (encryption, authentication and network management), providing the virtual laboratory with virtual components for electric-power-specific equipment.
Virtualization of a security device:
The security device is an existing physical hardware device (physical device): a wide-area-network boundary protection device developed specifically for the power dispatching data network, i.e. a cryptographic device with an authentication function. To use the device in the virtual laboratory, the original physical device must be turned into a virtual device (a virtual device being one that runs normally in a virtual machine).
The transformation process is as follows:
First, a virtual machine is created on any compute node. The image service's API and image files reside on the control node; when the virtual machine is created on the compute node, the image file is copied to that compute node and the instance is spawned from it.
The operating system is CentOS 7 and four virtual network cards are allocated: virtual network cards eth0 and eth1 are service network cards whose functions match those of the original physical device; virtual network card eth2 is the management network card, used to manage and configure the device; virtual network card eth3 is the virtual encryption/decryption communication network card, which is assigned a floating IP and communicates through it with the control node's management network card eth0.
Second, a device working directory is created in the virtual machine to hold and run the device program.
Third, the existing device program is uploaded to the new working directory (the program is essentially the same as that of the original physical device, only ported from the ARM platform to the x86 platform) and set to start automatically at boot, i.e. it runs as a daemon as soon as the virtual machine starts.
Finally, the virtual management network card eth2 of the virtual machine is bridged to the management network card eth0 of the compute node so that the virtual machine can be managed and configured; the virtual service network card eth1 of the virtual machine is bridged to the virtual service network card eth1 of the other security device virtual machines (created in the same way, on the same compute node or on different compute nodes) to simulate their interconnection; and the virtual service network card eth0 of the master-station longitudinal device virtual machine and of the plant-station longitudinal device virtual machine is bridged to ordinary virtual machines (virtual machines in the virtual laboratory running a normal Windows or Linux system) to simulate the connection between an ordinary virtual host and the security device virtual machine.
Virtualization of encrypted token (UKEY):
The encryption token is a digital certificate device (physical encryption token), unique to each user, used for the unique authentication of the user logging in to the virtual device; it stores the user's personal information (user name, password, connection state information and so on). To use the encryption token in the virtual laboratory, the original physical token must be reworked into a virtualized version (virtualized encryption token).
The transformation is as follows:
when the virtual UKEY is used to connect to a security device virtual machine, the token information (user name, password and connection state) is sent to the security device virtual machine in a layer-2 message, which simulates the basic function of the UKEY.
Taking the virtualized device's UKEY components as an example, each UKEY component corresponds to a file that records the virtual machine id, the user name, the user password, the connection state and so on, and that is verified and matched against the virtualized device.
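The token file and the layer-2 message just described, as an added example rather than the page's code: one side packs the token record into an Ethernet frame, the other parses it and matches it against the device's own copy of the record. Everything about the encoding is an assumption, since the page gives none: a JSON token file, the IEEE local experimental EtherType 0x88B5, a two-byte payload length after the EtherType so that the zero padding added to short frames on the wire is stripped, and a "|"-separated payload of VM id, user, password and connection state. The page describes no protection of the token fields in transit, and the example adds none.

```python
"""Virtual UKEY token file and the layer-2 message that carries it.
Added example, not the page's code.  Assumed: JSON token file, EtherType
0x88B5, a 2-byte payload length, payload = vm_id | user | password | state."""
import hmac
import json
import struct

ETHERTYPE_UKEY = 0x88B5          # assumed; IEEE local experimental EtherType
_HDR = struct.Struct("!6s6sHH")  # dst MAC, src MAC, EtherType, payload length


def make_token_file(vm_id: str, user: str, password: str, state: str = "connected") -> str:
    # One UKEY component = one file recording VM id, user, password and state.
    return json.dumps({"vm_id": vm_id, "user": user, "password": password, "state": state})


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_ukey_frame(dst_mac: str, src_mac: str, token_json: str) -> bytes:
    # Virtual UKEY side: pack the token record into a layer-2 frame.
    t = json.loads(token_json)
    fields = [t["vm_id"], t["user"], t["password"], t["state"]]
    if any("|" in f for f in fields):
        raise ValueError("token fields may not contain the separator")
    payload = "|".join(fields).encode()
    frame = _HDR.pack(_mac(dst_mac), _mac(src_mac), ETHERTYPE_UKEY, len(payload)) + payload
    return frame.ljust(60, b"\0")   # pad to the minimum Ethernet frame size (without FCS)


def parse_ukey_frame(frame: bytes):
    # Device side: return the token record, or None if this is not a well-formed UKEY frame.
    if len(frame) < _HDR.size:
        return None
    dst, src, ethertype, n = _HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_UKEY or len(frame) < _HDR.size + n:
        return None
    parts = frame[_HDR.size:_HDR.size + n].decode(errors="replace").split("|")
    if len(parts) != 4:
        return None
    vm_id, user, password, state = parts
    return {"src_mac": src.hex(":"), "vm_id": vm_id, "user": user,
            "password": password, "state": state}


def device_accepts(device_token_json: str, frame: bytes) -> bool:
    # Match the received record against the device's own copy of the token file:
    # the VM id must be this device's and user and password must agree.  The
    # password compare is constant-time; the page does not say how it compares.
    rec = parse_ukey_frame(frame)
    if rec is None:
        return False
    own = json.loads(device_token_json)
    return (rec["vm_id"] == own["vm_id"] and rec["user"] == own["user"]
            and hmac.compare_digest(rec["password"].encode(), own["password"].encode()))
```

A frame for one VM id is rejected by a device holding a different id, so a token bridged onto the wrong security device does nothing; the length field is what makes the trailing padding harmless, because splitting the raw payload on "|" would otherwise leave the zero bytes inside the last field.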
Step 3: build the virtual laboratory manager with Web technologies and publish a calling interface externally, giving users a convenient and flexible operating experience while providing an interface that external third-party applications can call.
An important role of the virtual laboratory manager is to provide users with the virtualized components of a power security scenario, including but not limited to virtual security devices, virtual power isolation devices, virtual UKEYs, virtual hosts (Windows 7, CentOS 7), virtual routers, virtual switches and virtual network links. Its second important function is a set of graphical laboratory management tools: through a browser, users can build and configure classic power security topology experiment scenarios, virtual-real intercommunication scenarios, experiment cases and attack-and-defense drills with flexible, convenient operations, giving them a platform on which to learn and practise building and configuring security scenarios for power-specific services. Its third role is to let the laboratory be embedded flexibly into other third-party platforms, for which it provides a complete API (Application Programming Interface).
The virtual laboratory manager runs on the control node as a Web service. Its back end uses Django (a Python Web framework) for the Web service, uWSGI + Nginx as the Web container and access scheduling, and MySQL (database) + Redis (NoSQL) for data storage and caching; the front end is built with HTML5 + CSS3 + React.
Step 4: deploy the hardware encryption card service program on the OpenStack control node; the virtualized security devices call the control node's hardware encryption card service program to encrypt and decrypt data.
Because the number of virtual devices on the OpenStack compute nodes is not fixed (a virtual laboratory can create many virtual security devices), the hardware encryption card cannot be dedicated to any one virtual security device and must provide the same encryption service to all of them. Therefore the hardware encryption card and the encryption card service program are deployed on the OpenStack control node: the encryption/decryption service program runs on the control node as the server side, starts together with the control node, listens on TCP port 60000, handles concurrent encryption and decryption with a multi-threaded network service model, and calls the encryption card's interface to provide data encryption services to all the virtual security devices.
Referring to fig. 2, when a virtual security device needs the encryption card to encrypt or decrypt data, it acts as a TCP client and opens a TCP connection to the hardware encryption card service program to request the operation. The request message must carry the host ID and the virtual device ID. The service program encrypts (or decrypts) the data and replies to the virtual security device; the reply also carries the host ID of the OpenStack compute node and the virtual device ID, so the virtual security device to which a reply belongs can be confirmed by checking those two IDs. Several virtual security devices can connect to the TCP service and request encryption or decryption at the same time, which is how multiple virtual devices share the single encryption card's cryptographic service.
The TCP data format of an encryption or decryption request is:
| host ID | virtual machine ID | IP address | key | function code | data length | data to be encrypted (decrypted) |
The TCP data format of the reply after data encryption or decryption is:
| host ID | virtual machine ID | data length | encrypted (decrypted) data |
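The request/reply exchange described here and in the summary above, as an added example that is not the page's service program: a "|"-separated framing of both messages, a multi-threaded TCP service standing in for the control node's program, and a client that sends one request and checks that the reply's host ID and VM ID are its own. Assumptions the page does not make: "|" as a literal byte separator with the length written in decimal ASCII, the function codes "E" and "D", a SHA-256 keystream XOR as a stand-in for the hardware card (not a real cipher), and a lock around card calls because the page does not say whether the card's interface is thread-safe. Port 60000 is the page's; the demo binds an ephemeral loopback port. The page specifies no client authentication beyond the ID fields, and the example adds none.

```python
"""Shared encryption card service (added example, not the patent's program).
Request: host ID | VM ID | IP | key | function code | data length | data.
Reply:   host ID | VM ID | data length | data.
Assumed: '|' separator, decimal ASCII length, function codes "E"/"D",
and a SHA-256 keystream XOR standing in for the hardware card."""
import hashlib
import socket
import threading
from dataclasses import dataclass

SEP = b"|"
FUNC_ENCRYPT, FUNC_DECRYPT = b"E", b"D"   # assumed function codes
CARD_PORT = 60000                          # the page's port
_card_lock = threading.Lock()              # card SDK thread-safety not stated: serialise


@dataclass
class Request:
    host_id: bytes   # compute node hosting the requesting VM
    vm_id: bytes     # the virtual security device
    ip: bytes        # its encryption/decryption NIC address
    key: bytes       # key handed to the card
    func: bytes      # function code
    data: bytes      # payload to encrypt or decrypt


def encode_request(r: Request) -> bytes:
    # The length field lets the receiver take the payload by count, so a '|'
    # inside binary data cannot split it; header fields must not contain '|'.
    return SEP.join([r.host_id, r.vm_id, r.ip, r.key, r.func,
                     str(len(r.data)).encode(), r.data])


def _recv_exact(sock, length: bytes) -> bytes:
    if not length.isdigit():
        raise ValueError("bad length field %r" % length)
    buf, n = bytearray(), int(length)
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return bytes(buf)


def _recv_fields(sock, count: int):
    # Read the header byte by byte until `count` separators have passed.
    buf, seen = bytearray(), 0
    while seen < count:
        b = sock.recv(1)
        if not b:
            if buf:
                raise ConnectionError("peer closed mid-header")
            return None          # clean close between messages
        buf += b
        seen += b == SEP
    return bytes(buf[:-1]).split(SEP)


def read_request(sock):
    f = _recv_fields(sock, 6)
    return None if f is None else Request(*f[:5], _recv_exact(sock, f[5]))


def read_reply(sock):
    # Returns (host_id, vm_id, data).
    f = _recv_fields(sock, 3)
    if f is None:
        raise ConnectionError("service closed without replying")
    return f[0], f[1], _recv_exact(sock, f[2])


def card_transform(key: bytes, data: bytes) -> bytes:
    # Stand-in for the card: XOR with a SHA-256 keystream.  Symmetric, so one
    # routine serves both function codes.  Not a real cipher.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def _serve_client(conn, card):
    with conn:
        while True:
            req = read_request(conn)
            if req is None or req.func not in (FUNC_ENCRYPT, FUNC_DECRYPT):
                return           # EOF, or unknown function code: drop the connection
            with _card_lock:
                out = card(req.key, req.data)
            # Echo host ID and VM ID so a client among many can claim its reply.
            conn.sendall(SEP.join([req.host_id, req.vm_id, str(len(out)).encode(), out]))


def start_card_service(host="127.0.0.1", port=CARD_PORT, card=card_transform):
    # One thread per connection: the page's multi-threaded service model.
    srv = socket.create_server((host, port))

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listening socket closed
                return
            threading.Thread(target=_serve_client, args=(conn, card), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv                   # srv.getsockname()[1] is the bound port


def request_crypto(addr, req: Request) -> bytes:
    # Client side: one request per connection; the reply must carry our own IDs.
    with socket.create_connection(addr) as s:
        s.sendall(encode_request(req))
        host_id, vm_id, data = read_reply(s)
    if (host_id, vm_id) != (req.host_id, req.vm_id):
        raise ValueError("reply addressed to another host/VM")
    return data
```

Splitting the whole message on "|" would break as soon as ciphertext contains that byte, which is why both readers consume the header fields first and then take exactly the declared number of data bytes. The ID check on the client side is the page's mechanism for telling replies apart when many devices use the service; a real deployment would still need to decide who may reach port 60000 on the control node, since the format itself carries no credential.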
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.