CN114301656A - Virtual-real combination system and method for network attack and defense platform - Google Patents

Publication number: CN114301656A
Authority: CN (China)
Prior art keywords: vlan, virtual, entity, port, access switch
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Application number: CN202111590315.2A
Other languages: Chinese (zh)
Other versions: CN114301656B (en)
Inventors: 王文杰, 李杰瑶, 朱先锋, 孙凯, 郑毅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Beijing Saining Wang'an Technology Co ltd
Original Assignee: Beijing Saining Wang'an Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2021-12-23
Filing date: 2021-12-23
Publication date: 2022-04-08
Application filed by Beijing Saining Wang'an Technology Co ltd
Priority to CN202111590315.2A
Publication of CN114301656A
Application granted
Publication of CN114301656B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
Abstract

The invention discloses a virtual-real combination system and method for a network attack and defense platform. An access switch management unit manages the port numbers of the access switch that can be used for connecting entity devices and the vlan number pre-configured for each port; an entity device management unit manages the access switch port to which each entity device is connected; when a simulation scene is created, a scene management unit determines the vlan number of the virtual network connected to an entity device in the scene, obtains the vlan number of the access switch port connected to that entity device, and, when the two vlan numbers differ, adds a vlan-translation flow table to the virtual bridge of the platform computing node. By pre-configuring the access switch vlans and combining them with flow-table vlan translation, the invention avoids the drawbacks of configuring the access switch on the fly through scripts and of entering the MAC of each connected entity device, so that virtual-real combination is more convenient to use, more extensible, and cheaper to use and maintain.

Description

Virtual-real combination system and method for network attack and defense platform
Technical Field
The invention relates to a virtual-real combination system and method for a network attack and defense platform, and belongs to the technical field of networks.
Background
The network attack and defense platform provides a highly realistic information security attack and defense drill environment in the form of virtual scenes, and can meet the needs of customers in various industries for information security confrontation drills and competitions. Sometimes, to improve the realism of a virtualized scene, real physical devices (a server, a printer, a layer-3 physical switch, and the like) need to be connected in order to build a virtual-real combined simulation scene. Because drills and competitions are usually carried out by several people or teams, many virtual simulation scenes exist on the platform at the same time, each person or team has its own scene, and the scenes are isolated from each other at the network level by vlan.
At present there are roughly three schemes for virtual-real combination:
1. The access switch is an ordinary switch, and virtual-real combination is achieved by remotely configuring the port vlan of the switch over ssh. For example, if the vlan number of the virtual device to be connected to the entity device is 10, the management port of the switch is connected over ssh, a script interacts with the switch, and the vlan of the switch port connected to the entity device is set to 10. This approach requires an interaction script to be written for each brand or model of switch.
2. The access switch is an ordinary switch, and virtual-real combination is achieved with a flow table on the virtual bridge keyed on the MAC of the entity device: traffic entering from the entity device is tagged with the vlan, and the vlan is removed from traffic sent to the entity device. In this approach the access switch provides no isolation, and the MAC of each entity device must be entered when the device is added, which increases the cost of use.
3. The access switch is an SDN switch, so a vlan can be set directly on a switch port; the implementation is similar to scheme 1. However, SDN switches are relatively expensive.
Disclosure of Invention
The purpose of the invention is as follows: in view of the problems in the prior art, the present invention aims to provide a virtual-real combination system and method for a network defense and attack platform, which improve the expansibility and usability of virtual-real combination.
The technical scheme is as follows: in order to achieve the purpose, the invention adopts the following technical scheme: a network defense platform virtual-real combination system comprises:
the access switch management unit is used for managing information about the access switch to which entity devices are connected, including the port numbers of the switch that can be used for connecting entity devices and the vlan number corresponding to each port; the vlan number is a preset, fixed vlan number;
the entity device management unit is used for managing information about the connected entity devices, including the access switch port to which each entity device is connected;
the scene management unit is used for managing simulation scenes; a simulation scene comprises a plurality of virtual machines and at least one entity device, and different simulation scenes are isolated from each other at the network level by vlan; when the scene management unit creates a simulation scene, it determines the vlan number of the virtual network connected to the entity device in the scene, obtains from the entity device management unit the vlan number of the access switch port connected to that entity device, and, when the vlan number of the access switch port differs from the vlan number of the virtual network, adds a vlan-translation flow table to the virtual bridge of the platform computing node.
Further, the entity device information managed by the entity device management unit includes the name of the entity device, the access switch port to which it is connected, and its brand and model; it does not include the MAC of the physical device.
Further, the vlan number of the access switch port for an entity device is a fixed vlan number, configured within a preset range when the physical environment is deployed.
Further, the vlan-translation flow table added for an entity device connected in a simulation scene is:
for in_port = the virtual bridge port connected to the physical network card of the computing node and dl_vlan = the vlan number of the access switch port connected to the entity device, the action is set to mod_vlan_vid with the vlan number of the virtual network connected to the entity device in the simulation scene;
and for dl_vlan = the vlan number of the virtual network connected to the entity device in the simulation scene, the action is set to mod_vlan_vid with the vlan number of the access switch port connected to the entity device.
A virtual-real combination method for a network attack and defense platform comprises the following steps:
when the physical environment is deployed, a fixed vlan is configured for each port of the access switch that can be used for connecting entity devices, and the port numbers of the access switch that can be used for connecting entity devices and the vlan number corresponding to each port are recorded;
when an entity device needs to be connected to a virtual simulation scene, the entity device is plugged into one port of the access switch, and the number of the switch port connected to the entity device is recorded;
when a virtual simulation scene is created, the vlan number of the virtual network connected to the entity device is determined, the vlan number of the access switch port connected to the entity device is obtained, and when the vlan number of the access switch port differs from the vlan number of the virtual network connected to the entity device, a vlan-translation flow table is added to the virtual bridge of the platform computing node.
Beneficial effects: the invention meets the virtual-real combination requirement of the network attack and defense platform by configuring the access switch port vlans in advance and combining them with flow-table technology, avoids the drawbacks of the existing approaches, in which the access switch is configured on the fly through scripts and the MAC of each connected entity device must be entered, and makes virtual-real combination simpler and more convenient to use. Compared with the prior art, the method and the system remove the dependence on the brand and model of the switch, improve the extensibility of virtual-real combination, avoid manual entry of MACs, and improve usability.
Drawings
Fig. 1 is a schematic diagram of a system configuration according to an embodiment of the present invention.
FIG. 2 is a flow chart of a method according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments that can be obtained by a person skilled in the art based on the embodiments of the present invention without any inventive step are within the scope of the present invention.
As shown in fig. 1, the virtual-real combination system of a network attack and defense platform disclosed in the embodiment of the present invention mainly comprises an access switch management unit, an entity device management unit and a scene management unit on the platform control node. The physical machine cluster of the platform comprises a control node and a plurality of computing nodes; entity devices are connected to the computing nodes through an ordinary access switch. In this embodiment, the access switch management unit mainly manages information about the access switch, including the switch port numbers and the vlan corresponding to each port; ports can be added or deleted and vlans updated through its interface. The entity device management unit mainly manages information about the connected entity devices, including the access switch port to which each device is connected, its name, and its brand and model. The scene management unit mainly manages simulation scenes, including operations such as scene creation and destruction; scene creation covers the creation of virtual machines and the addition of the virtual-real combination flow table. A simulation scene comprises a plurality of virtual machines and at least one entity device; creation and destruction of simulation scenes are existing functions and are not repeated here.
As shown in fig. 2, the specific process of the virtual-real combination method for a network attack and defense platform disclosed in the embodiment of the present invention is as follows:
1. When the physical environment is deployed, a fixed vlan is configured for each port of the access switch that is available for connecting a physical device. For example, for a 48-port switch the vlans can be configured from 2 to 49, one vlan per port. The switch information, including the port number and the vlan corresponding to each port, is then added on the access switch management page.
2. When a virtual scene needs to connect a physical device, the device is first plugged into a port of the access switch, and the number of the switch port connected to the device is then added on the physical device management page.
3. When the virtual scene is created, the vlan number of the virtual network connected to the physical device is determined and, at the same time, the vlan number of the access switch port connected to the device is obtained; the two vlan numbers are compared, and if they differ, a vlan-translation flow table is added to the virtual bridge. The flow table configuration can be sent to the computing node where the virtual network is located according to the scene topology information.
The two flow entries are as follows:
ovs-ofctl add-flow br-int "table=0,priority=10000,in_port=1,dl_vlan=10,actions=mod_vlan_vid:100,normal"
(br-int is the virtual bridge name; in_port=1 is the bridge port to which eth0 is connected; dl_vlan=10 is the vlan number of the access switch port to which the physical device is connected; 100 is the vlan number of the virtual network.)
ovs-ofctl add-flow br-int "table=0,priority=10000,dl_vlan=100,actions=mod_vlan_vid:10,normal"
(dl_vlan=100 is the vlan number of the virtual network; 10 is the vlan number of the access switch port to which the physical device is connected.)
The two flow tables realize the conversion between the entity device vlan and the virtual network vlan, and realize the communication between the entity device and the virtual network.
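The three steps above and the two ovs-ofctl entries, together with the system described in the Disclosure section, as an added worked example in Python. This is not code from the patent or from the platform: it models the three management units with plain data structures, derives the two add-flow commands from the port vlan and the scene vlan, and applies them to sample tagged frames so the translation in both directions can be checked. Every value in it (the 48-port switch with vlans 2 to 49, a printer on port 9, scene vlan 100, bridge port 1 for eth0, the device names) is a constructed assumption, and the check that a scene vlan does not collide with another reserved access-port vlan is an addition of this example, not a step of the patented method.

```python
"""Model of the three management units and the vlan-translation flows.

Added example, not code from the patent or the platform; every value here
(48-port switch, vlan range 2-49, device on port 9, scene vlan 100, bridge
port 1 for eth0) is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


def build_access_switch(port_count: int = 48, first_vlan: int = 2) -> Dict[int, int]:
    """Step 1 (access switch management unit): at deployment time every port
    that may receive an entity device gets a fixed vlan; port 1 -> vlan 2,
    port 2 -> vlan 3, ... port 48 -> vlan 49, as in the description."""
    return {port: first_vlan + port - 1 for port in range(1, port_count + 1)}


@dataclass(frozen=True)
class EntityDevice:
    """Step 2 (entity device management unit): name, brand/model and the access
    switch port the device is plugged into. No MAC address is recorded."""
    name: str
    brand_model: str
    switch_port: int


@dataclass(frozen=True)
class Flow:
    """One OpenFlow rule of the kind the scene management unit pushes to br-int."""
    dl_vlan: int                    # vlan tag a frame must carry to match
    new_vlan: int                   # value written by mod_vlan_vid
    in_port: Optional[int] = None   # only the entity-to-scene rule is bound to a port
    priority: int = 10000

    def to_ovs_ofctl(self, bridge: str = "br-int") -> str:
        """Render the rule as the ovs-ofctl command shown in the description."""
        match = f"table=0,priority={self.priority}"
        if self.in_port is not None:
            match += f",in_port={self.in_port}"
        match += f",dl_vlan={self.dl_vlan}"
        return f'ovs-ofctl add-flow {bridge} "{match},actions=mod_vlan_vid:{self.new_vlan},normal"'


def vlan_translation_flows(device: EntityDevice, switch_vlans: Dict[int, int],
                           scene_vlan: int, phys_nic_port: int = 1) -> List[Flow]:
    """Step 3 (scene management unit): compare the scene's virtual network vlan
    with the fixed vlan of the device's switch port and return the two
    translation rules only when they differ. phys_nic_port is the br-int port
    to which the computing node's physical NIC (eth0) is attached."""
    if device.switch_port not in switch_vlans:
        raise ValueError(f"{device.name}: port {device.switch_port} is not an entity access port")
    port_vlan = switch_vlans[device.switch_port]
    # Added consistency check (not part of the patent): the access ports occupy a
    # reserved vlan range, so a scene vlan equal to some *other* port's vlan
    # would be delivered to that port's device by the access switch itself.
    if scene_vlan != port_vlan and scene_vlan in switch_vlans.values():
        raise ValueError(f"scene vlan {scene_vlan} collides with a reserved access-port vlan")
    if scene_vlan == port_vlan:
        return []                   # same vlan on both sides: nothing to translate
    return [
        # entity device -> scene: frames arriving on the NIC port tagged with the
        # switch port vlan are retagged with the virtual network vlan
        Flow(dl_vlan=port_vlan, new_vlan=scene_vlan, in_port=phys_nic_port),
        # scene -> entity device: frames tagged with the virtual network vlan are
        # retagged with the switch port vlan before the normal L2 pipeline
        Flow(dl_vlan=scene_vlan, new_vlan=port_vlan),
    ]


def apply_flows(flows: List[Flow], in_port: int, vlan: int) -> int:
    """Minimal model of how br-int applies the rules to one tagged frame:
    highest priority first, a rule matches when its in_port (if set) and
    dl_vlan equal the frame's, and mod_vlan_vid rewrites the tag. A frame
    matching no rule keeps its tag (the table-miss case is simplified)."""
    for flow in sorted(flows, key=lambda f: f.priority, reverse=True):
        if flow.in_port is not None and flow.in_port != in_port:
            continue
        if flow.dl_vlan == vlan:
            return flow.new_vlan
    return vlan


if __name__ == "__main__":
    switch = build_access_switch()                                       # 48 ports, vlans 2..49
    printer = EntityDevice("printer-1", "example-model", switch_port=9)  # port 9 -> vlan 10
    flows = vlan_translation_flows(printer, switch, scene_vlan=100)
    for flow in flows:
        print(flow.to_ovs_ofctl())
    print(apply_flows(flows, in_port=1, vlan=10))   # frame from the printer now carries vlan 100
```

Running the module prints exactly the two add-flow commands from the description for a device on port 9 (vlan 10) joining a scene whose virtual network is vlan 100; the commands are only rendered as strings, not executed, so the script runs without Open vSwitch present.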
By pre-configuring the access switch vlan and combining the flow table vlan conversion, the defects that the access switch is temporarily configured through scripts and the MAC of the access entity equipment is input are avoided, so that the virtual and real combined use is more convenient, the expansibility is better, and the use and maintenance cost is lower.

Claims (7)

1. A virtual-real combination system of a network attack and defense platform is characterized by comprising:
the access switch management unit is used for managing information of the entity equipment access switch, and comprises the port number of the switch which can be used for accessing the entity equipment and a vlan number corresponding to each port; the vlan number is a preset fixed vlan number;
the entity equipment management unit is used for managing the information of the accessed entity equipment and comprises a port of an access switch connected with the entity equipment;
the scene management unit is used for managing a simulation scene, and the simulation scene comprises a plurality of virtual machines and at least one entity device; network isolation is carried out between different simulation scenes through a vlan; when the scene management unit creates a simulation scene, the vlan number of the virtual network connected with the entity device in the scene is judged, the vlan number of the access switch port connected with the entity device is acquired from the entity device management unit, and when the vlan number of the access switch port connected with the entity device is different from the vlan number of the virtual network connected with the entity device, a vlan-converted flow table is added to a virtual bridge of the platform computing node.
2. The network defense platform virtual-real combination system of claim 1, wherein the entity device information managed by the entity device management unit includes a name of the entity device, a port of an access switch to which the entity device is connected, and a brand model; not including the MAC of the physical device.
3. The virtual-real combination system of the network defense platform according to claim 1, wherein the vlan number of the physical device access switch is a fixed vlan number configured within a preset range when deployed in a physical environment.
4. The virtual-real combined system of the network defense platform according to claim 1, wherein the flow table of vlan translation added to one entity device accessed in one simulation scenario is:
for in_port = the virtual bridge port connected to the physical network card of the computing node and dl_vlan = the vlan number of the access switch port connected to the entity device, the action is set to mod_vlan_vid with the vlan number of the virtual network connected to the entity device in the simulation scene;
and for dl_vlan = the vlan number of the virtual network connected to the entity device in the simulation scene, the action is set to mod_vlan_vid with the vlan number of the access switch port connected to the entity device.
5. A network attack and defense platform virtual-real combination method is characterized by comprising the following steps:
when the physical environment is deployed, configuring a fixed vlan for each port of an access switch, which can be used for accessing the entity equipment, and recording the number of the ports of the access switch, which can be used for accessing the entity equipment, and a vlan number corresponding to each port;
when the virtual simulation scene needs to be accessed into the entity equipment, the entity equipment is inserted into one port of an access switch, and the port number of the switch connected with the entity equipment is recorded;
when a virtual simulation scene is created, determining the vlan number of the virtual network connected to the entity device, at the same time obtaining the vlan number of the access switch port connected to the entity device, and adding a vlan-translation flow table to the virtual bridge of the platform computing node when the two vlan numbers differ; the simulation scene comprises a plurality of virtual machines and at least one entity device; and different simulation scenes are isolated from each other by vlan.
6. The virtual-real combination method of the network defense platform according to claim 5, wherein when recording the physical device information, the recording content includes a name of the physical device, a port of an access switch to which the physical device is connected, and a brand model; not including the MAC of the physical device.
7. The virtual-real combination method of the network defense platform according to claim 5, wherein the flow table of vlan transformation added to one entity device accessed in one simulation scenario is:
for in_port = the virtual bridge port connected to the physical network card of the computing node and dl_vlan = the vlan number of the access switch port connected to the entity device, the action is set to mod_vlan_vid with the vlan number of the virtual network connected to the entity device in the simulation scene;
and for dl_vlan = the vlan number of the virtual network connected to the entity device in the simulation scene, the action is set to mod_vlan_vid with the vlan number of the access switch port connected to the entity device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111590315.2A CN114301656B (en) 2021-12-23 2021-12-23 Virtual-real combination system and method for network attack and defense platform

Publications (2)

Publication Number Publication Date
CN114301656A true CN114301656A (en) 2022-04-08
CN114301656B CN114301656B (en) 2023-10-27

Family

ID=80970426

Country Status (1)

Country Link
CN (1) CN114301656B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115348126A (en) * 2022-07-26 2022-11-15 北京永信至诚科技股份有限公司 Network target range entity equipment access method, device and implementation system

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011043416A1 (en) * 2009-10-07 2011-04-14 日本電気株式会社 Information system, control server, virtual network management method, and program
WO2014094218A1 (en) * 2012-12-18 2014-06-26 华为技术有限公司 Switch configuration method and cluster management device base on virtual networking
WO2017173952A1 (en) * 2016-04-08 2017-10-12 中兴通讯股份有限公司 Method, device, and system for centralizing management of virtual machines and implementing communications between virtual machines
CN107580077A (en) * 2016-07-04 2018-01-12 南京中兴新软件有限责任公司 Public network IP distribution method, device and Visualized data centre system
CN108123819A (en) * 2016-11-30 2018-06-05 江南大学 A kind of emulation mode of actual situation network seamless fusion
CN108123818A (en) * 2016-11-30 2018-06-05 江南大学 A kind of emulation mode of the expansible fusion of actual situation network agile
CN109660443A (en) * 2018-12-26 2019-04-19 江苏省未来网络创新研究院 Physical equipment and virtual network communication method and system based on SDN
CN110838964A (en) * 2018-08-16 2020-02-25 上海仪电(集团)有限公司中央研究院 Network docking system for virtual network and physical network
CN111651241A (en) * 2020-08-04 2020-09-11 北京赛宁网安科技有限公司 Flow acquisition system and method for network target range
CN112202624A (en) * 2020-12-07 2021-01-08 南京赛宁信息技术有限公司 Real equipment fast access system and method for network target range scene arrangement

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant