CN114301656B - Virtual-real combination system and method for network attack and defense platform - Google Patents

Info

Publication number: CN114301656B
Authority: CN (China)
Prior art keywords: vlan, entity, access switch, virtual, port
Legal status: Active
Application number: CN202111590315.2A
Other languages: Chinese (zh)
Other versions: CN114301656A (en)
Inventors: 王文杰, 李杰瑶, 朱先锋, 孙凯, 郑毅
Current assignee: Beijing Saining Wang'an Technology Co ltd
Original assignee: Beijing Saining Wang'an Technology Co ltd
Priority date: 2021-12-23
Filing date: 2021-12-23
Publication date: 2023-10-27

Abstract

The invention discloses a virtual-real combination system and method for a network attack and defense platform. An access switch management unit manages the number of switch ports available for connecting entity (physical) devices and the vlan number pre-configured on each port; an entity device management unit manages the access switch port to which each entity device is connected. When a simulation scene is created, a scene management unit determines the vlan number of the virtual network connected to the entity device in the scene, obtains the vlan number of the access switch port to which the entity device is connected, and, when the two vlan numbers differ, adds a vlan translation flow table to the virtual bridge of the platform computing node. By pre-configuring the access switch vlans and combining this with flow-table vlan translation, the invention avoids temporarily configuring the access switch through a script and entering the MAC of the connected entity device, so that virtual-real combination is more convenient to use, more extensible, and cheaper to use and maintain.

Description

Virtual-real combination system and method for network attack and defense platform
Technical Field
The invention relates to a virtual-real combination system and method for a network attack and defense platform, and belongs to the technical field of networks.
Background
The network attack and defense platform provides a highly realistic information-security attack and defense exercise environment in the form of virtualized scenes, meeting the needs of information-security adversarial exercises and competitions for clients across industries. To raise the realism of a virtualized scene, real physical equipment (a server, a printer, a layer-3 physical switch and the like) sometimes needs to be connected, forming a virtual-real combined simulation scene. Because exercises and competitions on the platform are generally carried out by multiple persons or teams, many virtual simulation scenes exist on the platform at the same time, one scene per person or team, and vlans are used for network isolation between scenes.
At present, virtual-real combination is mainly realized by the following three schemes:
1. The access switch is an ordinary switch, and virtual-real combination is achieved by remotely configuring the port vlan of the switch over ssh. For example, if the vlan number of the virtual device that is to communicate with the entity device is 10, the management port of the switch is connected over ssh, the configuration is driven by a script, and the switch port connected to the entity device is set to vlan 10. With this scheme an interaction script must be written for every switch brand or model.
2. The access switch is an ordinary switch, and virtual-real combination is achieved with a flow table on the virtual bridge that, keyed on the MAC of the entity device, pushes a vlan tag onto traffic entering from the entity device and strips the vlan tag from traffic sent to the entity device. With this scheme the access switch ports are not isolated, and the MAC of the entity device must be entered whenever a device is added, which raises the cost of use.
3. The access switch is an SDN switch, which can push the vlan tag directly at the switch port; the implementation is similar to scheme 1, but SDN switches are relatively costly.
Disclosure of Invention
The invention aims to: in view of the problems of the prior art, the invention provides a virtual-real combination system and method for a network attack and defense platform that improve the extensibility and usability of virtual-real combination.
Technical scheme: to achieve this aim, the invention adopts the following technical scheme. A network attack and defense platform virtual-real combination system comprises:
an access switch management unit for managing the information of the access switch to which entity devices connect, including the number of access switch ports available for connecting entity devices and the vlan number corresponding to each port; each vlan number is a fixed, pre-configured vlan number;
an entity device management unit for managing the information of connected entity devices, including the access switch port to which each entity device is connected;
a scene management unit for managing simulation scenes, where a simulation scene comprises several virtual machines and at least one entity device, and different simulation scenes are network-isolated from each other through vlans; when a simulation scene is created, the scene management unit determines the vlan number of the virtual network connected to the entity device in the scene, obtains the vlan number of the access switch port to which the entity device is connected from the entity device management unit, and, when the two vlan numbers differ, adds a vlan translation flow table to the virtual bridge of the platform computing node.
Further, the entity device information managed by the entity device management unit includes the entity device name, the access switch port to which the entity device is connected, and the brand and model; the MAC of the entity device is not included.
Further, the vlan number of the access switch port of the entity device is a fixed vlan number configured within a preset range when the physical environment is deployed.
Further, the vlan translation flow table added for an entity device connected in a simulation scene consists of two flows:
a flow matching in_port = the port of the virtual network card connected to the virtual bridge of the computing node and dl_vlan = the vlan number of the access switch port to which the entity device is connected, whose action is mod_vlan_vid set to the vlan number of the virtual network connected to the entity device in the simulation scene;
and a flow matching dl_vlan = the vlan number of the virtual network connected to the entity device in the simulation scene, whose action is mod_vlan_vid set to the vlan number of the access switch port to which the entity device is connected.
A network attack and defense platform virtual-real combination method comprises the following steps:
when the physical environment is deployed, configuring a fixed vlan on each access switch port available for connecting entity devices, and recording the number of such ports and the vlan number corresponding to each port;
when a virtual simulation scene needs an entity device, plugging the entity device into one port of the access switch and recording the number of the switch port to which it is connected;
when a virtual simulation scene is created, determining the vlan number of the virtual network connected to the entity device, obtaining at the same time the vlan number of the access switch port to which the entity device is connected, and, when the two vlan numbers differ, adding a vlan translation flow table to the virtual bridge of the platform computing node.
Beneficial effects: the invention meets the virtual-real combination requirement of the network attack and defense platform by configuring the access switch port vlans in advance and combining this with flow table technology, avoiding the drawbacks of the earlier approaches, in which the access switch was temporarily configured through a script and the MAC of the connected entity device had to be entered, so that virtual-real combination becomes more convenient and simpler to use. Compared with the prior art, the invention removes the dependence on the brand and model of the switch, improves the extensibility of virtual-real combination, avoids manual entry of the MAC and improves usability.
Drawings
Fig. 1 is a schematic diagram of a system structure according to an embodiment of the present invention.
FIG. 2 is a flow chart of a method according to an embodiment of the invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, are intended to fall within the scope of the present invention.
As shown in fig. 1, the virtual-real combination system for a network attack and defense platform disclosed in this embodiment mainly comprises an access switch management unit, an entity device management unit and a scene management unit on the platform control node. The physical machine cluster of the platform comprises a control node and several computing nodes; entity devices connect to the computing nodes through an ordinary access switch. In this embodiment the access switch management unit manages the information of the access switch, including the number of switch ports and the vlan corresponding to each port, and supports port addition, port deletion, vlan update and so on from the management interface. The entity device management unit manages the information of connected entity devices, including the access switch port to which each device is connected, its name, and its brand and model. The scene management unit manages simulation scenes, including scene creation and destruction, where creation covers creating the virtual machines and adding the virtual-real combination flow tables. A simulation scene comprises several virtual machines and at least one entity device; scene creation and destruction are existing functions and are not repeated here.
As shown in fig. 2, the specific process of the virtual-real combination method disclosed in this embodiment is as follows:
1. When the physical environment is deployed, each access switch port available for connecting a physical device is configured with a fixed vlan. For example, the 48 ports of the switch may be configured with one vlan per port, numbered 2 to 49. The switch information, including the number of ports and the vlan corresponding to each port, is then added on the access switch management page.
2. When a virtual scene needs an entity device, the device is first plugged into one port of the access switch, and the number of the switch port it is connected to is then added on the entity device management page.
3. When a virtual scene is created, the vlan number of the virtual network connected to the entity device is determined and the vlan number of the access switch port connected to the entity device is obtained at the same time; the two are compared, and if they differ, a vlan translation flow table is added to the virtual bridge. The flow table configuration may be sent to the computing node hosting the virtual network according to the scene topology information.
The flow table consists of the following two ovs-ofctl commands, where br-int is the virtual bridge name, in_port=1 is the port of eth0 connected to the virtual bridge, vlan 10 is the vlan number of the access switch port to which the physical device is connected, and vlan 100 is the vlan number of the virtual network:
ovs-ofctl add-flow br-int "table=0,priority=10000,in_port=1,dl_vlan=10,actions=mod_vlan_vid:100,normal"
ovs-ofctl add-flow br-int "table=0,priority=10000,dl_vlan=100,actions=mod_vlan_vid:10,normal"
The first flow retags frames arriving from the entity device on the uplink port from vlan 10 to vlan 100; the second retags frames of the virtual network vlan 100 to vlan 10 before normal forwarding sends them towards the access switch. Together the two flows translate between the entity device vlan and the virtual network vlan and so enable communication between the entity device and the virtual network.
By pre-configuring the access switch vlans and combining this with flow-table vlan translation, the drawbacks of temporarily configuring the access switch through a script and entering the MAC of the connected entity device are avoided, so that virtual-real combination is more convenient to use, more extensible, and cheaper to use and maintain.
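The method steps of the disclosure and the worked example of the detailed description (48 switch ports with one vlan each from 2 to 49, device on the port carrying vlan 10, virtual network vlan 100) can be modelled as a small scene-management routine that emits exactly the two ovs-ofctl commands above. The following is an added example written for this page; it is not the patent holder's code. The class and field names (AccessSwitch, EntityDevice, SceneManager, uplink_ofport), the switch name and the device name are constructed for the illustration, and the one-scene-per-port-vlan check is an assumption added here: because the second flow is keyed on dl_vlan alone, letting two scenes map to the same port vlan would join two scenes that the vlans are meant to keep apart.

```python
"""Scene-management logic for the vlan-translation step of the method.

Added illustration, not the patent holder's code. Models the three units of
the system (access switch, entity device, scene management) and emits the
ovs-ofctl commands the scene management unit would send to a computing node.
"""
from dataclasses import dataclass, field
from typing import Dict, List

VLAN_MIN, VLAN_MAX = 1, 4094   # usable 802.1Q vlan ids


@dataclass
class AccessSwitch:
    """Access switch management unit: port number -> fixed, pre-configured vlan."""
    name: str
    port_vlan: Dict[int, int]

    @classmethod
    def with_sequential_vlans(cls, name: str, ports: int, first_vlan: int) -> "AccessSwitch":
        # Page example: 48 ports, one vlan per port, numbered 2..49.
        return cls(name, {p: first_vlan + p - 1 for p in range(1, ports + 1)})


@dataclass
class EntityDevice:
    """Entity device management unit record; note that no MAC is stored."""
    name: str
    switch_port: int
    brand_model: str = ""


@dataclass
class SceneManager:
    """Scene management unit for one computing node's virtual bridge."""
    switch: AccessSwitch
    bridge: str = "br-int"          # virtual bridge name from the page example
    uplink_ofport: int = 1          # ofport of eth0, the NIC facing the access switch (assumed)
    # access-switch port vlan -> scene vlan currently mapped through it
    active: Dict[int, int] = field(default_factory=dict)

    def flow_rules(self, dev: EntityDevice, scene_vlan: int) -> List[str]:
        """Return the ovs-ofctl commands for one entity device in one scene.

        Returns an empty list when the vlan numbers are already equal, since
        the method adds the translation flows only when they differ.
        """
        if not VLAN_MIN <= scene_vlan <= VLAN_MAX:
            raise ValueError(f"scene vlan {scene_vlan} outside 802.1Q range")
        if dev.switch_port not in self.switch.port_vlan:
            raise ValueError(f"port {dev.switch_port} is not on switch {self.switch.name}")
        port_vlan = self.switch.port_vlan[dev.switch_port]
        # Added isolation check (assumption, not in the page text): a port vlan
        # may serve one scene at a time. The second flow below is keyed on
        # dl_vlan alone, so mapping two scenes onto one port vlan would join
        # scenes that the vlans are supposed to keep apart.
        owner = self.active.get(port_vlan, scene_vlan)
        if owner != scene_vlan:
            raise ValueError(f"port vlan {port_vlan} already mapped to scene vlan {owner}")
        self.active[port_vlan] = scene_vlan
        if port_vlan == scene_vlan:
            return []
        prefix = f'ovs-ofctl add-flow {self.bridge} "table=0,priority=10000,'
        return [
            # frames arriving from the entity device on the uplink: retag to the scene vlan
            f'{prefix}in_port={self.uplink_ofport},dl_vlan={port_vlan},'
            f'actions=mod_vlan_vid:{scene_vlan},normal"',
            # frames of the scene vlan heading for the device: retag to the port vlan
            f'{prefix}dl_vlan={scene_vlan},actions=mod_vlan_vid:{port_vlan},normal"',
        ]

    def destroy_scene(self, scene_vlan: int) -> List[str]:
        """Release every port vlan the scene used and return the commands that
        delete its translation flows (del-flows matches on the same fields)."""
        cmds: List[str] = []
        for port_vlan, owner in list(self.active.items()):
            if owner != scene_vlan:
                continue
            del self.active[port_vlan]
            if port_vlan != scene_vlan:
                cmds.append(f'ovs-ofctl del-flows {self.bridge} '
                            f'"in_port={self.uplink_ofport},dl_vlan={port_vlan}"')
                cmds.append(f'ovs-ofctl del-flows {self.bridge} "dl_vlan={scene_vlan}"')
        return cmds


if __name__ == "__main__":
    # Constructed sample: 48-port switch with vlans 2..49, a printer on port 9
    # (vlan 10) and a scene virtual network on vlan 100, as in the page example.
    switch = AccessSwitch.with_sequential_vlans("access-sw-1", ports=48, first_vlan=2)
    printer = EntityDevice("printer-1", switch_port=9, brand_model="example-model")
    mgr = SceneManager(switch)
    for cmd in mgr.flow_rules(printer, scene_vlan=100):
        print(cmd)
```

Running the block prints the two add-flow commands from the description. The destroy_scene method covers the scene-destruction operation the description mentions: it frees the port vlan so another scene can use the device and removes only the two translation flows, leaving the rest of table 0 untouched.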

Claims (5)

1. A network attack and defense platform virtual-real combination system, characterized in that it comprises:
an access switch management unit for managing the information of the access switch to which entity devices connect, including the number of access switch ports available for connecting entity devices and the vlan number corresponding to each port; each vlan number is a fixed, pre-configured vlan number;
an entity device management unit for managing the information of connected entity devices, including the access switch port to which each entity device is connected;
a scene management unit for managing simulation scenes, where a simulation scene comprises several virtual machines on a platform computing node and at least one entity device connected to an access switch; the entity device is connected to the computing node through the access switch; different simulation scenes are network-isolated from each other through vlans; when the scene management unit creates a simulation scene it determines the vlan number of the virtual network connected to the entity device in the scene, obtains at the same time the vlan number of the access switch port to which the entity device is connected from the entity device management unit, and, when the two vlan numbers differ, adds a vlan translation flow table to the virtual bridge of the platform computing node, where the vlan translation flow table added for one entity device connected in one simulation scene consists of: a flow matching in_port = the port of the virtual network card connected to the virtual bridge of the computing node and dl_vlan = the vlan number of the access switch port to which the entity device is connected, whose action is mod_vlan_vid set to the vlan number of the virtual network connected to the entity device in the simulation scene; and a flow matching dl_vlan = the vlan number of the virtual network connected to the entity device in the simulation scene, whose action is mod_vlan_vid set to the vlan number of the access switch port to which the entity device is connected.
2. The system according to claim 1, wherein the entity device information managed by the entity device management unit includes an entity device name, a port of an access switch to which the entity device is connected, and a brand model; the MAC of the entity device is not included.
3. The system of claim 1, wherein the vlan number of the physical device access switch is a fixed vlan number configured in a predetermined range during deployment in the physical environment.
4. A network attack and defense platform virtual-real combination method, characterized in that it comprises the following steps:
when the physical environment is deployed, configuring a fixed vlan on each access switch port available for connecting entity devices, and recording the number of such ports and the vlan number corresponding to each port;
when a virtual simulation scene needs an entity device, plugging the entity device into one port of the access switch and recording the number of the switch port to which it is connected;
when a virtual simulation scene is created, determining the vlan number of the virtual network connected to the entity device, obtaining at the same time the vlan number of the access switch port to which the entity device is connected, and, when the two vlan numbers differ, adding a vlan translation flow table to the virtual bridge of the platform computing node; the simulation scene comprises several virtual machines on a platform computing node and at least one entity device connected to an access switch; the entity device is connected to the computing node through the access switch; different simulation scenes are network-isolated from each other through vlans; the vlan translation flow table added for an entity device connected in a simulation scene consists of: a flow matching in_port = the port of the virtual network card connected to the virtual bridge of the computing node and dl_vlan = the vlan number of the access switch port to which the entity device is connected, whose action is mod_vlan_vid set to the vlan number of the virtual network connected to the entity device in the simulation scene; and a flow matching dl_vlan = the vlan number of the virtual network connected to the entity device in the simulation scene, whose action is mod_vlan_vid set to the vlan number of the access switch port to which the entity device is connected.
5. The network attack and defense platform virtual-real combination method according to claim 4, wherein when recording the entity equipment information, the recording content includes entity equipment name, port of access switch to which the entity equipment is connected, and brand model; the MAC of the entity device is not included.

Priority Applications (1)

Application Number   Priority Date   Filing Date   Title
CN202111590315.2A    2021-12-23      2021-12-23    Virtual-real combination system and method for network attack and defense platform

Publications (2)

Publication Number   Publication Date
CN114301656A (en)    2022-04-08
CN114301656B (en)    2023-10-27

Family ID: 80970426

Country Status (1)

Country   Link
CN (1)    CN114301656B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115348126A (en) * 2022-07-26 2022-11-15 北京永信至诚科技股份有限公司 Network target range entity equipment access method, device and implementation system

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011043416A1 (en) * 2009-10-07 2011-04-14 日本電気株式会社 Information system, control server, virtual network management method, and program
WO2014094218A1 (en) * 2012-12-18 2014-06-26 华为技术有限公司 Switch configuration method and cluster management device base on virtual networking
WO2017173952A1 (en) * 2016-04-08 2017-10-12 中兴通讯股份有限公司 Method, device, and system for centralizing management of virtual machines and implementing communications between virtual machines
CN107580077A (en) * 2016-07-04 2018-01-12 南京中兴新软件有限责任公司 Public network IP distribution method, device and Visualized data centre system
CN108123818A (en) * 2016-11-30 2018-06-05 江南大学 A kind of emulation mode of the expansible fusion of actual situation network agile
CN108123819A (en) * 2016-11-30 2018-06-05 江南大学 A kind of emulation mode of actual situation network seamless fusion
CN109660443A (en) * 2018-12-26 2019-04-19 江苏省未来网络创新研究院 Physical equipment and virtual network communication method and system based on SDN
CN110838964A (en) * 2018-08-16 2020-02-25 上海仪电(集团)有限公司中央研究院 Network docking system for virtual network and physical network
CN111651241A (en) * 2020-08-04 2020-09-11 北京赛宁网安科技有限公司 Flow acquisition system and method for network target range
CN112202624A (en) * 2020-12-07 2021-01-08 南京赛宁信息技术有限公司 Real equipment fast access system and method for network target range scene arrangement

Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination
GR01   Patent grant