CN113872922A - Firewall virtualization deployment method, system, server and storage medium


Info

Publication number: CN113872922A
Authority: CN (China)
Prior art keywords: firewall, virtual, model, function, creating
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Application number: CN202010620770.1A
Other languages: Chinese (zh)
Inventors: 叶成, 杨凯, 王澈
Current and original assignee: ZTE Corp
Application filed by ZTE Corp; priority to CN202010620770.1A; published as CN113872922A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45533 Hypervisors; Virtual machine monitors
    • G06F 9/45558 Hypervisor-specific management and integration aspects
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0803 Configuration setting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45533 Hypervisors; Virtual machine monitors
    • G06F 9/45558 Hypervisor-specific management and integration aspects
    • G06F 2009/45595 Network integration; Enabling network access in virtual machine instances


Abstract

Embodiments of the invention relate to the field of communication and disclose a firewall virtualization deployment method, system, server and storage medium. The firewall virtualization deployment method comprises the following steps: accessing different firewall network devices into a virtualized resource pool; creating a function model of the virtual firewall according to the function requirements of the virtual firewall; and configuring the firewall network equipment on which the function model of the virtual firewall depends according to the virtualized resources in the virtualized resource pool. By these technical means, the method and device determine the function requirements of the firewall from the communication requirements of the user, establish a virtual firewall model corresponding to those function requirements, separate the forwarding plane of the data flow from the control plane, standardize and simplify the forwarding plane, and enable the virtual firewall to be rapidly deployed on different dedicated hardware firewall devices.

Description

Firewall virtualization deployment method, system, server and storage medium
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to a firewall virtualization deployment method, a firewall virtualization deployment system, a firewall virtualization deployment server and a storage medium.
Background
With the development of information technology, virtualization has become one of the hot spots in the field of computer networks. Data center virtualization is a method of achieving automatic deployment of a data center by abstracting and integrating physical resources and allocating them dynamically through virtualization technology; it covers the virtualization of the computing, storage and network parts, and in the network part the virtualization of the firewall is one of the key links.
At present, virtual switches based on the OpenFlow technology are deployed in data centers on a large scale, managed through an OpenStack cloud platform and controlled by a corresponding Software Defined Network (SDN) controller, so the related switch and router technologies are quite mature. For virtual firewalls, however, the prior art is implemented on Linux namespace and iptables technologies, and high-performance dedicated hardware firewall devices cannot be ported to general-purpose Linux servers from the perspective of the operating system or of hardware such as the CPU, which makes the deployment of virtual firewalls difficult.
Disclosure of Invention
The embodiment of the invention aims to provide a method, a system, a server and a storage medium for the virtual deployment of a firewall, which can flexibly and quickly deploy virtual firewalls meeting various functional requirements on different firewall network devices.
To solve the foregoing technical problem, an embodiment of the present invention provides a firewall virtualization deployment method, including: different firewall network devices are accessed into a virtualized resource pool; creating a function model of the virtual firewall according to the function requirement of the virtual firewall; and configuring firewall network equipment depended on by the function model of the virtual firewall according to the virtualized resources in the virtualized resource pool.
The embodiment of the invention also provides a firewall virtualization deployment system, which comprises: a device access module, used for accessing different firewall network devices into the virtualized resource pool; a model creating module, used for creating the virtual firewall according to the creation requirement of the virtual firewall; and a resource management module, used for configuring the firewall network equipment on which the virtual firewall depends according to the virtualized resources in the virtualized resource pool.
Compared with the prior art, the embodiment of the invention has the advantage that different firewall network devices are accessed into the virtual resource pool, the virtual firewall model is established according to the functional requirements of the virtual firewall, and the firewall network devices on which the virtual firewall functions depend are configured through the resources in the virtual resource pool. That is, in this embodiment of the present application, virtual resources may be used to configure a firewall network device based on the functional requirements of a virtual firewall, so as to separate the forwarding plane of data traffic (the hardware device that implements traffic forwarding) from the control plane; the forwarding plane may thus be standardized and simplified, and virtual firewalls that meet various functional requirements may be rapidly deployed on different firewall network devices.
Drawings
One or more embodiments are illustrated by the corresponding figures in the drawings, which are not meant to be limiting.
Fig. 1 is a flowchart of a firewall virtualization deployment method according to a first embodiment of the invention;
Fig. 2 is a schematic structural diagram of a system to which the firewall virtualization method according to the first embodiment of the present invention is applied;
Fig. 3 is a schematic structural diagram of a north-south functional model according to the first embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an east-west functional model according to the first embodiment of the present invention;
Fig. 5 is a flowchart of a firewall virtualization deployment method according to a second embodiment of the invention;
Fig. 6 is a schematic structural diagram of a firewall virtualization system according to a third embodiment of the present invention;
Fig. 7 is a schematic configuration diagram of a server according to a fourth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the embodiments of the present invention will be described in detail with reference to the accompanying drawings. However, it will be appreciated by those of ordinary skill in the art that in various embodiments of the invention, numerous technical details are set forth in order to provide a better understanding of the present application. However, the technical solution claimed in the present application can be implemented without these technical details and various changes and modifications based on the following embodiments. The following embodiments are divided for convenience of description, and should not constitute any limitation to the specific implementation manner of the present invention, and the embodiments may be mutually incorporated and referred to without contradiction.
A first embodiment of the invention relates to a firewall virtualization deployment method. The following describes implementation details of the firewall virtualization deployment method of this embodiment; this description is provided only for ease of understanding and is not necessary to implement the embodiment.
The firewall virtualization deployment method in the embodiment includes: different firewall network devices are accessed into a virtualized resource pool; creating a function model of the virtual firewall according to the function requirement of the virtual firewall; and configuring firewall network equipment depended on by the function model of the virtual firewall according to the virtualized resources in the virtualized resource pool.
In this embodiment, the deployment of the virtual firewall may be implemented by a cloud resource management platform, and the executing entity may be an SDN controller. SDN is a novel network architecture and one way of implementing network virtualization. Its core technology, OpenFlow, separates the control plane and the data plane of the network device; with the development of SDN technology and the smooth evolution of network devices, any technology that achieves the separation of forwarding and control, or even the separation of management and control, can be regarded as SDN technology in the broad sense. For traditional data center virtual firewall deployment, operation and maintenance generally have to be performed on the equipment of each network equipment provider; by virtualizing the related network equipment with SDN technology, the advantages of the SDN architecture can save network deployment, operation and maintenance costs to the greatest extent. Taking an OpenStack platform as the cloud resource management platform as an example, a firewall virtualization deployment method based on SDN technology is realized through the FWaaS 1.0 interface provided by OpenStack FWaaS, so that the firewall function can be configured according to the communication requirements of the user.
The specific flow of this embodiment is shown in fig. 1, and specifically includes the following steps:
Step 101: different firewall network devices are accessed into a virtualized resource pool.
Specifically, the hardware resources of the physical dedicated firewall network devices to be used are virtualized to obtain firewall virtual resources, and the virtualized resource pool formed by these firewall virtual resources is controlled and managed by the SDN controller. Each firewall network device is controlled through a different device driver resource in the virtual resource pool. Each dedicated firewall network device is accessed into the virtualized resource pool through the standard NETCONF protocol interface provided by its network equipment provider; in this arrangement the dedicated firewall network device acts as the server under the NETCONF protocol and the SDN controller acts as the client.
Further, the firewall virtualization deployment method in this embodiment may be applied in a system architecture as shown in fig. 2, where the SDN controller includes a northbound data center management (NDCM) module, an access management (AM) module and a public resource management (CRM) module.
Step 102: creating a function model of the virtual firewall according to the function requirements of the virtual firewall.
Specifically, the NDCM module of the SDN controller creates the functional model of the virtual firewall in advance according to the various requirements placed on it, such as the functional requirements of the private network that accesses the virtual firewall and the requirements placed on the firewall by the firewall designer. The functional requirements of the virtual firewall may include firewall communication functions, firewall policy functions and network address translation functions, among others. If the function requirements include a firewall communication function, a firewall communication model for realizing that function is created; if they include a firewall policy function, a firewall policy model for realizing that function is created; and if they include a network address translation function, a network address translation model for implementing that function is created.
In one example, the network address translation model includes two levels: the first level is a virtual network address translation instance, and the second level is a port mapping rule, a source address translation rule or a destination address translation rule.
In one example, the firewall policy model may be a unified five-tuple model.
In one example, a firewall communication model for implementing firewall communication functionality has a three-layer abstraction structure, comprising: the system comprises a virtual port layer, a virtual security zone layer and a virtual firewall layer. The firewall communication model realizes the control of a data traffic forwarding path in the model through the three-layer structure.
In another example, the virtual security zone layer includes a trusted domain, and the virtual port layer comprises an internal port located in the trusted domain, through which data of the intranet enters the trusted domain; the virtual security zone layer further comprises an untrusted domain and/or an internal domain, and the virtual port layer further comprises a north-south port located in the untrusted domain and/or an east-west port located in the internal domain. The virtual firewall layer is used to determine a routing entry for the data according to its destination address, and also to forward the data from the trusted domain to the untrusted domain and out through the north-south port according to the routing entry, or from the trusted domain to the internal domain and out through the east-west port according to the routing entry. The north-south port of the untrusted domain is connected to an external network; the east-west port of an internal domain is connected to another internal domain.
In addition, the virtual firewall layer comprises at least one virtual routing instance, and the virtual routing instance is used for realizing the routing entry matching of data traffic, completing the path selection of the data traffic and determining the port address through which the data reaches the destination address.
Further, the structure of the north-south communication model of the virtual firewall is shown in fig. 3, and the virtual security domain layer in the north-south communication model includes an untrusted domain 301 and a trusted domain 302. The virtual firewall layer 303 contains therein a virtual routing instance located in the trusted domain 302. The traffic of the user server is forwarded to the virtual routing instance 303 of the trusted domain 302 inside the virtual firewall through the internal port 305, and is forwarded to the untrusted domain 301 according to the specific routing entry in the virtual routing instance. At this time, if the user uses the address translation function, the traffic is forwarded to the north-south port 304 of the untrusted domain through the corresponding address translation rule; if the address translation function is not used, the traffic is directly forwarded to the north-south port 304, so that the process of forwarding the traffic to the external network is realized.
The structure of the east-west communication model is shown in fig. 4, and the virtual security domain layer in the east-west communication model includes an internal domain 401 and a trusted domain 402. The virtual firewall layer 403 contains a virtual routing instance located in the trusted domain 402. The traffic of the user server is forwarded through the internal port to the virtual routing instance A2 of the trusted domain 402 inside the virtual firewall A1, then forwarded to the internal domain 401 according to the specific routing entry in the virtual routing instance A2, forwarded through the east-west port 405 to the internal domain of another virtual firewall B1, and finally forwarded to the internal port of that firewall's trusted domain through the backhaul route inside its own virtual routing instance B2, thereby forwarding the traffic to the target server.
In the present embodiment, the north-south communication model and the east-west communication model may have independent network structures as shown in fig. 3 and fig. 4, or may be combined with each other. That is, the virtual security domain layer includes both an untrusted domain and an internal domain, and user traffic forwarded from the internal port can, according to different routing entries, either be forwarded to the untrusted domain and out of a north-south port to an external network to implement north-south communication, or be forwarded to the internal domain and out of an east-west port to the internal domain of another virtual firewall, which forwards it to another user server, to implement east-west communication.
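The following is an added example, not code from the patent: a small executable sketch of the three-layer communication model (virtual port layer, virtual security zone layer, virtual firewall layer), the unified five-tuple policy model and the two-level network address translation model, used to trace the north-south path of fig. 3 and the east-west path of fig. 4. Port names, addresses, routing entries, the policy rule and the NAT rule are all constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Added example, not the patent's own code: an executable sketch of the three-layer
# communication model, five-tuple policy model and two-level NAT model. All constructed.

@dataclass
class VirtualPort:  # virtual port layer
    zone: str  # security zone the port sits in: "trusted", "untrusted" or "internal"
    kind: str  # "internal", "north-south" or "east-west"

def policy_matches(rule: tuple, pkt: dict) -> bool:
    """Unified five-tuple policy model: rule = (src, dst, proto, sport, dport, action)."""
    in_net = lambda spec, ip: spec == "*" or ip_address(ip) in ip_network(spec)
    same = lambda spec, val: spec == "*" or str(spec) == str(val)
    src, dst, proto, sport, dport, _ = rule
    return (in_net(src, pkt["src"]) and in_net(dst, pkt["dst"]) and same(proto, pkt["proto"])
            and same(sport, pkt["sport"]) and same(dport, pkt["dport"]))

@dataclass
class NatInstance:  # level 1: the virtual NAT instance; level 2: its rules
    rules: list = field(default_factory=list)  # ("snat", inside_prefix, public_ip)

    def apply_egress(self, pkt: dict) -> dict:
        """Source address translation for traffic leaving through the north-south port."""
        for kind, inside, public_ip in self.rules:
            if kind == "snat" and ip_address(pkt["src"]) in ip_network(inside):
                return {**pkt, "src": public_ip}
        return pkt

@dataclass
class VirtualRoutingInstance:  # virtual firewall layer: routing entry matching
    routes: list = field(default_factory=list)  # (destination prefix, egress port name)

    def lookup(self, dst: str):
        best = None  # longest matching prefix wins
        for prefix, port in self.routes:
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, port)
        return best[1] if best else None

@dataclass
class VirtualFirewall:
    name: str
    ports: dict                  # port name -> VirtualPort
    vri: VirtualRoutingInstance  # the routing instance located in the trusted domain
    policy: list = field(default_factory=list)  # first matching rule wins; no match = allow
    nat: "NatInstance | None" = None
    peers: dict = field(default_factory=dict)   # east-west port name -> peer VirtualFirewall

    def forward(self, pkt: dict, ingress: str) -> dict:
        """Trace a packet from a user server entering at an internal port."""
        path = [f"{self.name}:{ingress}"]
        if self.ports[ingress].zone != "trusted":
            return {"verdict": "drop", "reason": "ingress port not in trusted domain", "path": path}
        hit = next((r for r in self.policy if policy_matches(r, pkt)), None)
        if hit is not None and hit[5] == "deny":
            return {"verdict": "drop", "reason": "policy deny", "path": path}
        egress = self.vri.lookup(pkt["dst"])
        if egress is None:
            return {"verdict": "drop", "reason": "no routing entry", "path": path}
        path.append(f"{self.name}:{egress}")
        zone = self.ports[egress].zone
        if zone == "untrusted":  # north-south: optional NAT, then out to the external network
            if self.nat is not None:
                pkt = self.nat.apply_egress(pkt)
            return {"verdict": "external", "src": pkt["src"], "path": path}
        if zone == "internal":   # east-west: hand over to the peer firewall's east-west port
            return self.peers[egress].backhaul(pkt, path)
        return {"verdict": "drop", "reason": "egress port in trusted domain", "path": path}

    def backhaul(self, pkt: dict, path: list) -> dict:
        """Peer side of east-west traffic: backhaul route to the trusted-domain internal port."""
        ew = next(n for n, p in self.ports.items() if p.kind == "east-west")
        path.append(f"{self.name}:{ew}")
        egress = self.vri.lookup(pkt["dst"])
        if egress is None or self.ports[egress].kind != "internal":
            return {"verdict": "drop", "reason": "no backhaul route", "path": path}
        path.append(f"{self.name}:{egress}")
        return {"verdict": "internal", "src": pkt["src"], "path": path}

def build_demo() -> VirtualFirewall:
    # Constructed topology: A1 has north-south and east-west ports; B1 is its east-west peer.
    fw_b = VirtualFirewall("B1",
        ports={"int-b": VirtualPort("trusted", "internal"), "ew-b": VirtualPort("internal", "east-west")},
        vri=VirtualRoutingInstance([("10.2.0.0/16", "int-b")]))  # backhaul route to B1's servers
    return VirtualFirewall("A1",
        ports={"int-a": VirtualPort("trusted", "internal"), "ns-a": VirtualPort("untrusted", "north-south"),
               "ew-a": VirtualPort("internal", "east-west")},
        vri=VirtualRoutingInstance([("0.0.0.0/0", "ns-a"), ("10.2.0.0/16", "ew-a")]),
        policy=[("10.1.0.0/16", "*", "tcp", "*", "23", "deny")],  # block telnet leaving 10.1/16
        nat=NatInstance([("snat", "10.1.0.0/16", "203.0.113.10")]),
        peers={"ew-a": fw_b})

def trace(dst: str, dport: int) -> dict:
    # One constructed TCP packet from server 10.1.0.5 entering A1's internal port.
    pkt = {"src": "10.1.0.5", "dst": dst, "proto": "tcp", "sport": 40000, "dport": dport}
    return build_demo().forward(pkt, "int-a")
```

`trace("198.51.100.7", 443)` follows the north-south path with the source translated by the NAT instance, `trace("10.2.3.4", 443)` crosses the east-west port into B1 and its backhaul route, and `trace("198.51.100.7", 23)` is dropped by the five-tuple policy before any routing entry is consulted.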
Step 103: configuring the firewall network equipment on which the function model of the virtual firewall depends according to the virtualized resources in the virtualized resource pool.
Specifically, the virtualized resources are managed uniformly by the CRM module of the SDN controller in the virtualized resource pool, the scheduled virtualized resources required by the different functional models are created, and when the functional models are created, the AM module of the SDN controller uses the different device drivers to realize automatic configuration from the models to the specific firewall network devices. In step 101 the SDN controller has already established a NETCONF session with the firewall network device; during operation the SDN controller interacts with the firewall network device according to the capabilities the firewall requires, and may also configure the firewall network device in a customized manner if the capability model of the device is inconsistent with the requirements of the function model.
Therefore, the embodiment provides a firewall virtualization deployment method, which is characterized in that a virtual firewall model corresponding to functional requirements is pre-established according to the functional requirements of a firewall, a forwarding plane of data flow is separated from a control plane, so that the forwarding plane is standardized and simplified, when a communication request of a user is received, the firewall can be rapidly configured according to the request of the user, so that the virtual firewall can be rapidly deployed on different firewall network devices, and different communication requirements of the user can be flexibly met.
A second embodiment of the present invention relates to a firewall virtualization deployment method which is substantially the same as the first embodiment; in this embodiment, after the function model of the virtual firewall is created according to the function requirements of the virtual firewall, if a creation request for the virtual firewall is received, the function model of the virtual firewall is configured according to the network parameters included in the creation request.
A specific flowchart of the firewall virtualization deployment method in this embodiment is shown in fig. 5, and specifically includes the following steps:
Step 501: different firewall network devices are accessed into a virtualized resource pool.
Step 502: according to the function requirements of the virtual firewall, a function model of the virtual firewall is created.
Step 503: the firewall network devices on which the function model of the virtual firewall depends are configured according to the virtualized resources in the virtualized resource pool.
Steps 501 to 503 in this embodiment are the same as steps 101 to 103 in the first embodiment of the present invention, and specific implementation details have been described in the first embodiment of the present application, and are not described herein again.
Step 504: if a creation request for the virtual firewall is received, the function model of the virtual firewall is configured according to the network parameters included in the creation request.
Specifically, once the function model of the virtual firewall and the connected firewall network devices have been initialized and a creation request for the virtual firewall is received, the internal network, external network or other private networks associated with each private network differ, so the function model of the virtual firewall created in advance has to be configured according to the network parameters for the virtual firewall to meet the requirements of the user. The network parameters include the virtual router information of the target network and the virtual router information of the networks associated with the target network. The network parameters may also include the name of the firewall, that is, the name of the virtual firewall created for the current private network. The virtual router information includes the router name associated with the network, and a router with that name is set in the virtual firewall; the virtual router information of a network associated with the target network includes the router name of that network and the subnets associated with that router, and the subnet information is attached to the virtual router in the virtual firewall. The information of each associated virtual router is parsed and processed, which completes the related configuration of the virtual firewall layer in the firewall communication model and the configuration of the virtual routing instance, so that the firewall can control the traffic forwarding path according to the requirements of the user.
In one example, the information carried in the request for creating the target network firewall further includes: firewall policy information. And when the firewall policy information is different from the default policy of the firewall policy model, obtaining the firewall policy which accords with the rule preset by the network designer according to the firewall policy model.
Further, after the virtual firewall configures the function model according to the creation request to obtain the virtual firewall, if an adjustment request of the firewall policy is received, the firewall policy is adjusted by using the firewall policy model in the function model of the virtual firewall. In addition, for two different virtual firewalls, the two virtual firewalls can be implemented on the same physical firewall network device or based on different physical firewall network devices. Specifically, in the forwarding behavior of the user traffic, that is, in terms of the east-west communication behavior of the virtual firewall, the user traffic may be forwarded between different virtual firewalls within the same entity firewall network device, or may be forwarded across entity firewall network devices through the east-west ports in the virtual port layer, that is, forwarded from one firewall network device to another firewall network device.
Therefore, after the function model of the virtual firewall and the initialization of the connected firewall network devices are completed, the function model of the firewall is configured in a targeted manner in response to the received firewall creation request of the private network, so that the virtualized firewall can be configured flexibly for different private networks and the deployment efficiency of the firewall on the firewall devices of different private networks is further improved.
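The following is an added example, not code from the patent, covering step 504 and the later policy adjustment: a pre-created function model is bound to the network parameters of a creation request (firewall name, the virtual firewall's own router, and the routers and subnets of the associated networks), and the policy is replaced only when it differs from the default of the policy model. The request layout and the sample request are assumptions constructed for illustration; the validation step is the check a controller should run before deriving any device configuration from user-supplied network parameters.

```python
import copy
from ipaddress import ip_network

# Added example, not the patent's own code: binding a pre-created function model to the
# network parameters carried in a virtual firewall creation request (step 504), with the
# input checks a controller should run before pushing the result to a device. The request
# layout is an assumption; the request below is constructed.

DEFAULT_POLICY = [("*", "*", "*", "*", "*", "allow")]  # five-tuple plus action
ACTIONS = {"allow", "deny"}

def function_model_template() -> dict:
    """The model created in advance (step 502): layers exist, nothing is bound to a network yet."""
    return {
        "name": None,
        "communication": {
            "ports": {"internal": "trusted", "north-south": "untrusted", "east-west": "internal"},
            "firewall_layer": {"routing_instances": {}},  # router name -> attached subnets
        },
        "policy": {"rules": copy.deepcopy(DEFAULT_POLICY)},
        "nat": {"rules": []},
    }

def validate_request(req: dict) -> list:
    """Reject malformed network parameters before any device configuration is derived."""
    errors = [f"missing {k}" for k in ("name", "router", "associated_networks") if k not in req]
    if errors:
        return errors
    seen = []  # (prefix, router name) already attached
    for net in req["associated_networks"]:
        for subnet in net.get("subnets", []):
            try:
                prefix = ip_network(subnet, strict=True)  # host bits set -> ValueError
            except ValueError:
                errors.append(f"bad subnet {subnet!r} on router {net['router_name']}")
                continue
            for other, owner in seen:
                if prefix.overlaps(other):
                    errors.append(f"subnet {subnet} overlaps {other} on router {owner}")
            seen.append((prefix, net["router_name"]))
    return errors

def normalise_rules(rules: list) -> list:
    """Policy model: every rule is a complete five-tuple plus an allow/deny action."""
    out = []
    for rule in rules:
        if len(rule) != 6 or rule[5] not in ACTIONS:
            raise ValueError(f"invalid policy rule {rule!r}")
        out.append(tuple(str(f) for f in rule))
    return out

def configure_model(template: dict, req: dict) -> dict:
    """Step 504: configure the function model from the creation request's network parameters."""
    errors = validate_request(req)
    if errors:
        raise ValueError("; ".join(errors))
    model = copy.deepcopy(template)
    model["name"] = req["name"]
    vris = model["communication"]["firewall_layer"]["routing_instances"]
    vris[req["router"]["name"]] = []  # the router set in the virtual firewall under its own name
    for net in req["associated_networks"]:  # routers of networks associated with the target network
        vris.setdefault(net["router_name"], []).extend(net.get("subnets", []))
    if req.get("policy"):
        rules = normalise_rules(req["policy"])
        if rules != DEFAULT_POLICY:  # only a policy differing from the default replaces it
            model["policy"]["rules"] = rules
    return model

def adjust_policy(model: dict, rules: list) -> dict:
    """A later policy adjustment request goes through the same policy model."""
    model["policy"]["rules"] = normalise_rules(rules)
    return model

REQUEST = {  # constructed creation request for one private network
    "name": "tenant-a-fw",
    "router": {"name": "r-tenant-a"},
    "associated_networks": [
        {"router_name": "r-app", "subnets": ["10.1.1.0/24", "10.1.2.0/24"]},
        {"router_name": "r-db", "subnets": ["10.1.10.0/24"]},
    ],
    "policy": [("10.1.1.0/24", "10.1.10.0/24", "tcp", "*", "5432", "allow"),
               ("*", "10.1.10.0/24", "*", "*", "*", "deny")],
}
```

`configure_model(function_model_template(), REQUEST)` yields a model whose virtual firewall layer holds routing instances for `r-tenant-a`, `r-app` and `r-db` with the listed subnets attached; a request whose subnets overlap or carry host bits is rejected by `validate_request` before any model is produced.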
In addition, those skilled in the art can understand that the steps of the above methods are divided for clarity, and the implementation can be combined into one step or split into some steps, and the steps are divided into multiple steps, so long as the same logical relationship is included, and the method is within the protection scope of the present patent; it is within the scope of the patent to add insignificant modifications to the algorithms or processes or to introduce insignificant design changes to the core design without changing the algorithms or processes.
A third embodiment of the present invention relates to a firewall virtualization deployment system, as shown in fig. 6, including:
and the device access module 601 is configured to access different firewall network devices to the virtualized resource pool.
And a model creating module 602, configured to create a virtual firewall according to a creation requirement of the virtual firewall.
Specifically, the SDN controller sends the user communication requirements of the OpenStack cloud platform to the model creation module 602 through a standard rest interface, and the NDCM module creates a virtual firewall according to the user communication requirements.
In one example, the model creation module 602 further includes a first sub-module 6021, a second sub-module 6022, and a third sub-module 6023; the first sub-module 6021 is configured to create a firewall communication model for implementing the firewall communication function according to the firewall communication function included in the creation requirement; a second sub-module 6022, configured to create a firewall policy model for implementing the firewall policy function according to the firewall policy function included in the creation requirement; a third sub-module 6023, configured to create a network address translation model for implementing the network address translation function according to the network address translation function included in the creation requirement.
In another example, the model creation module 602 is further configured to create a virtual port layer, a virtual security zone layer, and a virtual firewall layer in the firewall communication model.
In another example, the model creating module 602 is further configured to, when a request for creating the virtual firewall is received, configure the functional model of the virtual firewall according to the network parameters included in the request for creating, so as to obtain the virtual firewall.
In another example, the model creation module 602 is further configured to, upon receiving a request for an adjustment of a firewall policy, adjust the firewall policy using a firewall policy model in the functional model of the virtual firewall.
The resource management module 603 is configured to configure, according to the virtualized resource in the virtualized resource pool, a firewall device on which the virtual firewall depends.
This embodiment is a device embodiment corresponding to the first or second embodiment, and can be implemented in cooperation with the first or second embodiment. The related technical details mentioned in the first or second embodiment are still valid in this embodiment, and are not described herein again to reduce repetition. Accordingly, the related-art details mentioned in the present embodiment can also be applied to the first or second embodiment.
It should be noted that, all the modules involved in this embodiment are logic modules, and in practical application, one logic unit may be one physical unit, may also be a part of one physical unit, and may also be implemented by a combination of multiple physical units. In addition, in order to highlight the innovative part of the present invention, a unit which is not so closely related to solve the technical problem proposed by the present invention is not introduced in the present embodiment, but this does not indicate that there is no other unit in the present embodiment.
A fourth embodiment of the present invention relates to a server, as shown in fig. 7, including: at least one processor 701; and, a memory 702 communicatively coupled to the at least one processor 701; the memory 702 stores instructions executable by the at least one processor 701, and the instructions are executed by the at least one processor 701 to enable the at least one processor 701 to execute the firewall virtualization deployment method.
Where the memory and processor are connected by a bus, the bus may comprise any number of interconnected buses and bridges, the buses connecting together one or more of the various circuits of the processor and the memory. The bus may also connect various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. A bus interface provides an interface between the bus and the transceiver. The transceiver may be one element or a plurality of elements, such as a plurality of receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. The data processed by the processor is transmitted over a wireless medium via an antenna, which further receives the data and transmits the data to the processor.
The processor is responsible for managing the bus and general processing and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions. The memory may be used to store data used by the processor in performing operations.
A fifth embodiment of the present invention relates to a computer-readable storage medium storing a computer program. The computer program realizes the above-described method embodiments when executed by a processor.
That is, as can be understood by those skilled in the art, all or part of the steps of the method for implementing the embodiments described above may be implemented by a program instructing related hardware, where the program is stored in a storage medium and includes several instructions to enable a device (which may be a single chip, a chip, or the like) or a processor to execute all or part of the steps of the method described in the embodiments of the present application. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific embodiments for practicing the invention, and that various changes in form and details may be made therein without departing from the spirit and scope of the invention in practice.

Claims (12)

1. A firewall virtualization deployment method is characterized by comprising the following steps:
accessing different firewall network devices into a virtualized resource pool;
creating a function model of the virtual firewall according to the function requirement of the virtual firewall;
and configuring the firewall network equipment on which the function model of the virtual firewall depends according to the virtualized resources in the virtualized resource pool.
2. The firewall virtualization deployment method according to claim 1, wherein the creating a functional model of the virtual firewall according to a functional requirement of the virtual firewall comprises:
if the function requirement comprises a firewall communication function, creating a firewall communication model for realizing the firewall communication function;
if the function requirement comprises a firewall policy function, creating a firewall policy model for realizing the firewall policy function;
and if the function requirement comprises a network address translation function, creating a network address translation model for realizing the network address translation function.
3. The firewall virtualization deployment method according to claim 2, wherein the creating a firewall communication model for implementing the firewall communication function comprises:
creating a virtual port layer, a virtual security zone layer and a virtual firewall layer in the firewall communication model;
the virtual security zone layer comprises a trusted domain, the virtual port layer comprises an internal port located in the trusted domain, and data of the intranet enters the trusted domain through the internal port; the virtual security zone layer further comprises an untrusted domain and/or an internal domain, and the virtual port layer further comprises a north-south port located in the untrusted domain and/or an east-west port located in the internal domain; the virtual firewall layer is configured to determine a routing entry of the data according to a destination address of the data, and further configured to forward the data from the trusted domain to the untrusted domain and out through the north-south port according to the routing entry, or to forward the data from the trusted domain to the internal domain and out through the east-west port according to the routing entry.
4. The firewall virtualization deployment method of claim 3, wherein the virtual firewall layer comprises at least one virtual routing instance.
5. The firewall virtualization deployment method according to any one of claims 1 to 4, wherein after the creating of the functional model of the virtual firewall according to the functional requirements of the virtual firewall, the method further comprises:
and if a creating request of the virtual firewall is received, configuring a functional model of the virtual firewall according to the network parameters included in the creating request to obtain the virtual firewall.
6. The firewall virtualization deployment method of claim 5, wherein the network parameters comprise subnet information and virtual router information associated with the target network.
7. The firewall virtualization deployment method of claim 5, wherein the create request further comprises: the firewall policy information.
8. The firewall virtualization deployment method according to claim 5, wherein after the virtual firewall is obtained by configuring a functional model of the virtual firewall according to the network parameters included in the creation request, the method further comprises:
and if a firewall policy adjustment request is received, adjusting the firewall policy by using the firewall policy model in the function model of the virtual firewall.
9. A firewall virtualization deployment system, comprising:
the device access module is used for accessing different firewall network devices into the virtualized resource pool;
the model creating module is used for creating the virtual firewall according to the creating requirement of the virtual firewall;
and the resource management module is used for configuring the firewall network equipment on which the virtual firewall depends according to the virtualized resources in the virtualized resource pool.
10. The firewall virtualization deployment system of claim 9 wherein the model creation module comprises:
the first sub-module is used for creating a firewall communication model for realizing the firewall communication function according to the firewall communication function contained in the creation requirement;
the second sub-module is used for creating a firewall policy model for realizing the firewall policy function according to the firewall policy function contained in the creation requirement;
and the third sub-module is used for creating a network address translation model for realizing the network address translation function according to the network address translation function contained in the creation requirement.
11. A server, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the firewall virtualization deployment method of any of claims 1-8.
12. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the firewall virtualization deployment method of any of claims 1-8.
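As an added illustration that is not part of the patent, the following hypothetical Python model sketches the communication model of claims 3 and 4 (virtual port layer, virtual security zone layer with trusted, untrusted and internal domains, and a virtual firewall layer with a routing instance) gated by the policy model of claim 2. Names such as RoutingInstance and VirtualFirewall, the sample routes and the zone-pair policy table are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical model (not the patent's code) of the three layers in claim 3: security
# zones, ports located in those zones, and a firewall layer routing on destination.
TRUSTED, UNTRUSTED, INTERNAL = "trusted", "untrusted", "internal"
INTERNAL_PORT, NS_PORT, EW_PORT = "internal-port", "north-south-port", "east-west-port"
# Virtual port layer: every port sits in exactly one security zone.
PORT_ZONE = {INTERNAL_PORT: TRUSTED, NS_PORT: UNTRUSTED, EW_PORT: INTERNAL}

@dataclass
class RoutingInstance:
    """Virtual routing instance (claim 4): longest-prefix match on destination."""
    routes: list = field(default_factory=list)  # (network, egress port)

    def add_route(self, prefix, port):
        self.routes.append((ipaddress.ip_network(prefix), port))

    def lookup(self, dst):
        dst_ip = ipaddress.ip_address(dst)
        matches = [(net, port) for net, port in self.routes if dst_ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

@dataclass
class VirtualFirewall:
    """Virtual firewall layer gated by a zone-pair policy model (claim 2)."""
    vrf: RoutingInstance
    policy: dict = field(default_factory=dict)  # (src zone, dst zone) -> allowed

    def forward(self, ingress_port, dst):
        src_zone = PORT_ZONE[ingress_port]
        egress = self.vrf.lookup(dst)
        if egress is None:
            return ("drop", "no-route")
        dst_zone = PORT_ZONE[egress]
        # Same-zone traffic is not subject to the inter-zone policy table.
        if src_zone != dst_zone and not self.policy.get((src_zone, dst_zone), False):
            return ("drop", f"policy {src_zone}->{dst_zone}")
        return ("forward", egress)

def build_sample_firewall():
    """Constructed sample: intranet behind the internal port, peer tenant east-west."""
    vrf = RoutingInstance()
    vrf.add_route("10.0.0.0/8", INTERNAL_PORT)  # intranet (trusted domain)
    vrf.add_route("10.20.0.0/16", EW_PORT)      # peer tenant (internal domain)
    vrf.add_route("0.0.0.0/0", NS_PORT)         # default route (untrusted domain)
    policy = {(TRUSTED, UNTRUSTED): True, (TRUSTED, INTERNAL): True}  # else deny
    return VirtualFirewall(vrf, policy)
```

Traffic entering through the internal port is routed north-south or east-west by destination prefix, while anything arriving from the untrusted or internal domain toward the trusted domain is dropped because the constructed policy table only allows the trusted-to-other direction.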
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010620770.1A CN113872922A (en) 2020-06-30 2020-06-30 Firewall virtualization deployment method, system, server and storage medium

Publications (1)

Publication Number Publication Date
CN113872922A true CN113872922A (en) 2021-12-31

Family

ID=78981868

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114553492A (en) * 2022-01-25 2022-05-27 杭州迪普科技股份有限公司 Operation request processing method and device based on cloud platform
CN114553492B (en) * 2022-01-25 2023-07-07 杭州迪普科技股份有限公司 Cloud platform-based operation request processing method and device
CN115314262A (en) * 2022-07-20 2022-11-08 杭州熠芯科技有限公司 Design method of trusted network card and networking method thereof
CN115314262B (en) * 2022-07-20 2024-04-23 杭州熠芯科技有限公司 Design method of trusted network card and networking method thereof
CN117544422A (en) * 2024-01-09 2024-02-09 深圳市科服信息技术有限公司 Firewall virtualization deployment method and system
CN117544422B (en) * 2024-01-09 2024-03-29 深圳市科服信息技术有限公司 Firewall virtualization deployment method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination