WO2015188579A1 - Distributed virtual firewall apparatus and method, and firewall controller - Google Patents


Info

Publication number
WO2015188579A1
Authority
WO
WIPO (PCT)
Prior art keywords
firewall
module
policy information
information
controller
Prior art date
Application number
PCT/CN2014/090473
Other languages
French (fr)
Chinese (zh)
Inventor
耿兴元
王良家
丁杰
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2015188579A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Abstract

A distributed virtual firewall apparatus and method, and a firewall controller. The apparatus comprises a firewall controller and a firewall module. The firewall controller is deployed on a cloud computing management node and is configured to deliver configuration information and firewall policy information to the firewall module. The firewall module is deployed on a host node and is configured to inspect and filter network traffic in a virtual switch (vSwitch) according to the received configuration information and firewall policy information. With this scheme the firewall module can rapidly inspect and filter the traffic in the vSwitch according to the received configuration information and firewall policy, the performance bottleneck in the network is avoided, and the configuration policies are rich and flexible.

Description

Distributed virtual firewall device, method and firewall controller
Technical field
The present invention relates to the field of computer network technology, and in particular to a distributed virtual firewall device, method and firewall controller.
Background
In cloud network security solutions of the related art, control of east-west traffic in a virtual network falls into two kinds of solution: access control list (ACL) policies configured on the virtual switch, and virtual firewall software running inside a virtual machine. The vSwitch ACL approach offers a limited and inflexible set of configurable policies, and its control policies cannot recognize application-layer data. The VM-based firewall software approach has demanding networking requirements, complex policy configuration and a performance bottleneck.
Summary of the invention
The technical problem addressed by the embodiments of the present invention is to provide a distributed virtual firewall device, method and firewall controller that resolve the problems of the related art, namely that the configurable policies are limited and inflexible and that the control policies cannot recognize application-layer data.
To solve the above technical problem, an embodiment of the present invention provides a firewall controller arranged on a cloud computing management node, comprising an information collection module and an information sending module, wherein
the information collection module is configured to collect configuration information and firewall policy information;
the information sending module is configured to deliver the configuration information and the firewall policy information to a firewall module.
Optionally,
the information collection module is further configured to receive firewall policy information set by a user;
the information sending module is further configured to send to the firewall module the firewall policy information that satisfies a preset condition.
Optionally, the information sending module is configured to send the firewall policy information that satisfies the preset condition to the firewall module in the following manner:
the firewall policy information is compared with a preset implementability criterion, and when the firewall policy information meets the implementability criterion it is sent to the firewall module.
Optionally, the information sending module is configured to compare the firewall policy information with the preset implementability criterion in the following manner:
the firewall policy information is compared with the preset implementability criterion by means of a recursive tree (trie).
Optionally, the information sending module is configured to deliver the configuration information and the firewall policy information to the firewall module in the following manner:
the configuration information and the firewall policy information are delivered to the firewall module through a REST API or through a command line interface executed by an agent.
To solve the above technical problem, an embodiment of the present invention provides a distributed virtual firewall device comprising a firewall controller and a firewall module;
the firewall controller is deployed on a cloud computing management node and configured to deliver configuration information and firewall policy information to the firewall module;
the firewall module is deployed on a host node and configured to filter or forward network traffic in a virtual switch (vSwitch) according to the received configuration information and firewall policy information.
Optionally,
the firewall controller is further configured to receive firewall policy information set by a user and to send to the firewall module the firewall policy information that satisfies a preset condition.
Optionally, the firewall controller is configured to send the firewall policy information that satisfies the preset condition to the firewall module in the following manner:
the firewall policy information is compared with a preset implementability criterion, and when the firewall policy information meets the implementability criterion it is sent to the firewall module.
Optionally, the firewall controller is configured to compare the firewall policy information with the preset implementability criterion in the following manner:
the firewall policy information is compared with the preset implementability criterion by means of a recursive tree (trie).
Optionally,
the firewall controller is configured to deliver the configuration information and the firewall policy information to the firewall module in the following manner:
the configuration information and the firewall policy information are delivered to the firewall module through a REST API or through a command line interface executed by an agent;
the firewall module is configured to filter or forward the network traffic in the virtual switch vSwitch in the following manner:
the network traffic in the vSwitch is captured by means of a hook function.
To solve the above technical problem, an embodiment of the present invention provides a firewall control method, comprising:
collecting configuration information and firewall policy information;
delivering the configuration information and the firewall policy information to a firewall module.
Optionally, the method further comprises:
receiving firewall policy information set by a user;
sending to the firewall module the firewall policy information that satisfies a preset condition.
Optionally, sending the firewall policy information that satisfies the preset condition to the firewall module comprises:
comparing the firewall policy information with a preset implementability criterion and, when the firewall policy information meets the implementability criterion, sending the firewall policy information to the firewall module.
Optionally, comparing the firewall policy information with the preset implementability criterion comprises:
comparing the firewall policy information with the preset implementability criterion by means of a recursive tree (trie).
Optionally, delivering the configuration information and the firewall policy information to the firewall module comprises:
delivering the configuration information and the firewall policy information to the firewall module through a REST API or through a command line interface executed by an agent.
To solve the above technical problem, an embodiment of the present invention further provides a distributed virtual firewall method, comprising:
a firewall controller delivering configuration information and firewall policy information to a firewall module;
the firewall module inspecting and filtering network traffic in a virtual switch (vSwitch) according to the received configuration information and firewall policy information.
Optionally, the method further comprises:
the firewall controller receiving firewall policy information set by a user and sending to the firewall module the firewall policy information that satisfies a preset condition.
Optionally, the firewall controller sending the firewall policy information that satisfies the preset condition to the firewall module comprises:
the firewall controller comparing the firewall policy information with a preset implementability criterion and, when the firewall policy information meets the implementability criterion, sending the firewall policy information to the firewall module.
Optionally, the firewall controller comparing the firewall policy information with the preset implementability criterion comprises:
the firewall controller comparing the firewall policy information with the preset implementability criterion by means of a recursive tree (trie).
Optionally,
the firewall controller delivering configuration information and firewall policy information to the firewall module comprises:
the firewall controller delivering the configuration information and the firewall policy information to the firewall module through a REST API or through a command line interface executed by an agent;
the firewall module inspecting and filtering the network traffic in the virtual switch vSwitch comprises:
the firewall module capturing the network traffic in the vSwitch by means of a hook function.
With the above technical solution, the embodiments of the present invention have at least the following advantages:
in the distributed virtual firewall device, method and firewall controller provided by the embodiments of the present invention, the firewall module can rapidly inspect and filter the network traffic on the virtual switch vSwitch according to the received configuration information and firewall policy, which avoids the performance bottleneck in the network, and the configurable policies are rich and flexible.
Brief description of the drawings
FIG. 1 is a schematic diagram of the distributed virtual firewall device of the first embodiment of the present invention;
FIG. 2 is a schematic structural diagram of the firewall controller of the second embodiment of the present invention;
FIG. 3 is a flowchart of the distributed virtual firewall method of the third embodiment of the present invention;
FIG. 4 is a flowchart of the firewall control method of the fourth embodiment of the present invention;
FIG. 5 is a schematic diagram of the application of the system deployment architecture of the fifth embodiment of the present invention.
Preferred embodiments of the invention
To solve the problems of the related art, namely that the configurable policies are limited and inflexible and that the control policies cannot recognize application-layer data, the present invention provides a distributed virtual firewall device, method and firewall controller. The invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and do not limit it.
First embodiment of the present invention: a distributed virtual firewall device.
FIG. 1 is a schematic diagram of the distributed virtual firewall device of the first embodiment of the present invention.
As shown in FIG. 1, the distributed virtual firewall device provided by this embodiment comprises a firewall module 10 and a firewall controller 20.
Preferably, the distributed virtual firewall device of this embodiment is used in a cloud computing environment. For a host cluster in a cloud computing environment, one firewall module 10 is deployed on each host, and a firewall controller 20 is deployed on the control node of the host cluster to provide unified management and policy configuration for all firewall modules in the cluster. In particular:
The firewall module 10 is configured to receive the configuration information and firewall policy information sent by the firewall controller 20 and, according to that configuration information and firewall policy information, to inspect and filter the network traffic in the virtual switch (vSwitch) running in the kernel of the host's virtualization layer.
Optionally, in a cloud computing environment the firewall module 10 of this embodiment is placed in the virtualization core layer of the host's hypervisor (virtual machine monitor). The firewall module 10 plants a hook function at the unified data-receive entry of the vSwitch; through this hook it captures all virtual network traffic of the vSwitch running in the kernel of the host virtualization layer and applies unified layer 2 to layer 7 inspection and filtering to it, which gives flexible control of east-west traffic in the cloud computing network. Once the hook has finished processing the captured traffic, any traffic that still requires normal forwarding by the vSwitch is handed back from the hook to the vSwitch for normal forwarding.
Optionally, the firewall module 10 of this embodiment not only supports processing based on network protocol headers but also supports processing based on user-configured keywords, so that the content of the network traffic can be processed and the processing steps and results recorded.
The firewall controller 20 is deployed on the cloud computing management node and configured to deliver configuration information and firewall policy information to the firewall module 10.
Optionally, in this embodiment the firewall controller 20 delivers configuration information and firewall policy to the firewall module 10 through a representational state transfer (REST) API or through a command interface executed by an agent. The firewall controller 20 is further configured to receive firewall policy information from a user or from the cloud computing management node and to send to the firewall module 10 the firewall policy information that satisfies a preset condition: the firewall controller 20 compares the firewall policy information with a preset implementability criterion and sends it to the firewall module 10 only when it meets that criterion. In this embodiment the firewall controller 20 preferably performs the comparison by means of a recursive tree (trie), checking the user's firewall policy requests for consistency; after the pre-analysis has produced an implementability result, the policy information is sent only to the firewall modules 10 that the policy concerns, rather than sending every user-configured policy to every firewall module 10. This ensures that the firewall policy information sent to a firewall module 10 is correct and implementable, so that the module can inspect and filter network traffic effectively according to the policy information it receives. If a user's firewall policy request does not pass the implementability criterion preset by the firewall controller 20, the controller sends feedback to the user, who can modify the request according to the feedback so that it satisfies the controller's preset criterion.
Optionally, the firewall controller 20 and the firewall module 10 are fully decoupled in function and deployment, so that each can run independently. A heartbeat between the firewall module 10 and the firewall controller 20 can also be configured: when the firewall module 10 detects that the firewall controller 20 is present and working normally, it establishes a connection with the controller and inspects network traffic according to the configuration information and firewall policy it receives from the controller; when the firewall module 10 does not detect the firewall controller 20, or detects that it is not working normally, it inspects and filters network traffic according to its own configuration information or a user-configured firewall policy.
The firewall controller 20 provided by this embodiment supports operation as an active/standby pair, which gives the system high availability.
Second embodiment of the present invention: structure of a firewall controller.
As shown in FIG. 2, the firewall controller comprises an information collection module and an information sending module, wherein
the information collection module is configured to collect configuration information and firewall policy information;
the information sending module is configured to deliver the configuration information and the firewall policy information to the firewall module;
Optionally, the information sending module is configured to deliver the configuration information and the firewall policy information to the firewall module through a REST API or through a command line interface executed by an agent.
In the above embodiment,
the information collection module is further configured to receive firewall policy information set by a user;
the information sending module is further configured to send to the firewall module the firewall policy information that satisfies a preset condition.
Optionally, the information sending module sending the firewall policy information that satisfies the preset condition to the firewall module comprises: comparing the firewall policy information with a preset implementability criterion and, when the firewall policy information meets the implementability criterion, sending the firewall policy information to the firewall module;
Optionally, the information sending module comparing the firewall policy information with the preset implementability criterion comprises: comparing the firewall policy information with the preset implementability criterion by means of a recursive tree (trie).
Third embodiment of the present invention: a distributed virtual firewall method in cloud computing.
FIG. 3 is a flowchart of the distributed virtual firewall method in cloud computing of the third embodiment of the present invention.
As shown in FIG. 3, in step 301 the firewall controller delivers configuration information and firewall policy to the firewall module.
Preferably, the distributed virtual firewall in cloud computing of this embodiment is used in a cloud computing environment. For a host cluster in a cloud computing environment, one firewall module is deployed on each host, and a firewall controller is deployed on the control node of the host cluster to provide unified management and policy configuration for all firewall modules in the cluster.
In this implementation the firewall controller preferably delivers configuration information and firewall policy to the firewall module through a representational state transfer (REST) API or through a command interface executed by an agent. The firewall controller also receives firewall policy information from a user or from the cloud computing management node and sends to the firewall module the firewall policy information that satisfies a preset condition: it compares the firewall policy information with a preset implementability criterion and sends it to the firewall module only when it meets that criterion. In this embodiment the firewall controller preferably performs the comparison by means of a recursive tree (trie), checking the user's firewall policy requests for consistency; after the pre-analysis has produced an implementability result, the policy information is sent only to the firewall modules that the policy concerns, rather than sending every user-configured policy to every firewall module. This ensures that the firewall policy information sent to a firewall module is correct and implementable, so that the module can inspect and filter network traffic effectively according to the policy information it receives. If a user's firewall policy request does not pass the implementability criterion preset by the firewall controller, the controller sends feedback to the user, who can modify the request according to the feedback so that it satisfies the controller's preset criterion.
Step 302: the firewall module inspects and filters the network traffic in the virtual switch (vSwitch) according to the received configuration information and firewall policy.
Optionally, in a cloud computing environment the firewall module of this embodiment is based on the virtualization core layer of the host's hypervisor (virtual machine monitor). The firewall module plants a hook function at the unified data-receive entry of the vSwitch; through this hook it captures all virtual network traffic of the vSwitch running in the kernel of the host virtualization layer and applies unified layer 2 to layer 7 inspection and filtering to it, achieving flexible control of east-west traffic in the cloud computing network. Once the hook has finished processing the captured traffic, any traffic that still requires normal forwarding by the vSwitch is handed back from the hook to the vSwitch for normal forwarding.
Optionally, the firewall module of this embodiment not only supports processing based on network protocol headers but also supports processing based on user-configured keywords, so that the content of the network traffic can be processed and the processing results recorded.
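The hook, the layer 2 to 7 filtering and the keyword processing described for step 302 (and, identically, for the firewall module 10 of the first embodiment) can be made concrete with the following added example. It is not code from the patent or from ZTE: it is a user-space Python simulation of a receive hook with a constructed rule format (first matching rule wins, default deny), constructed Ethernet/IPv4/TCP frames built inline, and checksums neither computed nor verified. Two further assumptions: non-IPv4 frames pass through untouched, and the L7 keyword is searched only within the payload of a single frame.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    """Hypothetical policy entry: L3/L4 header match plus an optional L7 payload keyword."""
    name: str
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int] = None      # IP protocol number; None matches any
    dport: Optional[int] = None      # TCP/UDP destination port; None matches any
    keyword: Optional[bytes] = None  # substring searched in the L4 payload; None = header-only rule


@dataclass
class Packet:
    src_ip: ipaddress.IPv4Address
    dst_ip: ipaddress.IPv4Address
    proto: int
    dport: Optional[int]
    payload: bytes


def parse_frame(frame: bytes) -> Optional[Packet]:
    """Decode Ethernet II + IPv4 (+ TCP/UDP port and payload). Returns None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src_ip, dst_ip = ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])
    l4 = ip[ihl:total_len]
    dport, payload = None, l4
    if proto in (6, 17) and len(l4) >= (20 if proto == 6 else 8):
        dport = struct.unpack("!H", l4[2:4])[0]
        l4_hdr = (l4[12] >> 4) * 4 if proto == 6 else 8   # TCP data offset, fixed 8 for UDP
        payload = l4[l4_hdr:]
    return Packet(src_ip, dst_ip, proto, dport, payload)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.src_ip in rule.src and pkt.dst_ip in rule.dst
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.keyword is None or rule.keyword in pkt.payload))


class VSwitchHook:
    """Stand-in for the hook at the vSwitch receive entry: first matching rule wins, default deny."""

    def __init__(self, rules: List[Rule], default_action: str = "deny"):
        self.rules = list(rules)
        self.default_action = default_action
        self.log = []  # (rule name, action, src, dst) recorded for every decision

    def rx_hook(self, frame: bytes) -> Optional[bytes]:
        """Return the frame to hand back to the vSwitch for normal forwarding, or None to drop it."""
        pkt = parse_frame(frame)
        if pkt is None:
            # Simplification: non-IPv4 frames (e.g. ARP) are outside this rule language and pass through.
            self.log.append(("non-ipv4", "allow", None, None))
            return frame
        for rule in self.rules:
            if matches(rule, pkt):
                self.log.append((rule.name, rule.action, str(pkt.src_ip), str(pkt.dst_ip)))
                return frame if rule.action == "allow" else None
        self.log.append(("default", self.default_action, str(pkt.src_ip), str(pkt.dst_ip)))
        return frame if self.default_action == "allow" else None


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test frame: Ethernet II + IPv4 + TCP. Checksums are left zero; the hook does not verify them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth + ip + tcp


# Constructed east-west policy for a web tier (10.0.1.0/24) and a database tier (10.0.2.0/24).
RULES = [
    Rule("web-to-db", "allow", ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.2.0/24"), 6, 3306),
    Rule("block-sqli", "deny", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("10.0.1.0/24"), 6, 80,
         keyword=b"UNION SELECT"),
    Rule("any-to-web", "allow", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("10.0.1.0/24"), 6, 80),
]

if __name__ == "__main__":
    hook = VSwitchHook(RULES)
    hook.rx_hook(build_tcp_frame("10.0.1.5", "10.0.2.7", 40000, 3306, b""))
    hook.rx_hook(build_tcp_frame("10.0.2.7", "10.0.1.5", 40001, 80, b"GET /?id=1 UNION SELECT 1 HTTP/1.1\r\n"))
    for entry in hook.log:
        print(entry)
```

The per-frame keyword search is the caveat to keep in mind: a keyword split across two TCP segments is invisible to a hook that sees one frame at a time, so a module that promises layer 7 filtering needs stream reassembly before any content rule can be trusted. Recording the matched rule name with every decision is what makes the hook's log usable as an audit trail.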
Optionally, the firewall controller and the firewall module are fully decoupled in function and deployment, so that each can run independently. A heartbeat between the firewall module and the firewall controller can also be configured: when the firewall module detects that the firewall controller is present and working normally, it establishes a connection with the controller and inspects network traffic according to the configuration information and firewall policy it receives from the controller; when the firewall module does not detect the firewall controller, or detects that it is not working normally, it inspects and filters network traffic according to its own configuration information or a user-configured firewall policy.
The firewall controller provided by this embodiment supports operation as an active/standby pair, which gives the system high availability.
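The heartbeat behaviour just described, as an added example that is not the patent's or ZTE's code: a Python model of the host-side module's state with the clock passed in explicitly so the timeout can be exercised. The heartbeat timeout, the representation of a policy as a list of rule names, and the choice to keep the last controller policy across a reconnection are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FirewallModule:
    """Host-side module: follows the controller while its heartbeat is fresh, otherwise enforces local policy."""
    local_policy: List[str]                 # user-configured fallback rules on the host (constructed names)
    heartbeat_timeout: float = 3.0          # seconds without a heartbeat before the controller counts as down
    controller_policy: List[str] = field(default_factory=list)
    last_heartbeat: Optional[float] = None
    connected: bool = False
    events: List[str] = field(default_factory=list)

    def controller_alive(self, now: float) -> bool:
        return self.last_heartbeat is not None and now - self.last_heartbeat <= self.heartbeat_timeout

    def on_heartbeat(self, now: float) -> None:
        """Controller detected (or back): record the beat and establish the connection if needed."""
        self.last_heartbeat = now
        if not self.connected:
            self.connected = True
            self.events.append(f"{now:.1f}s controller reachable, connection established")

    def on_policy_push(self, rules: List[str], now: float) -> bool:
        """Accept a policy push only while the controller is alive; anything else is refused, not applied."""
        if not self.controller_alive(now):
            self.events.append(f"{now:.1f}s push refused, no live controller")
            return False
        self.controller_policy = list(rules)
        self.events.append(f"{now:.1f}s controller policy applied ({len(rules)} rules)")
        return True

    def active_policy(self, now: float) -> List[str]:
        """Rules the hook enforces right now: controller policy if alive, else the host's own fallback."""
        if self.controller_alive(now):
            return self.controller_policy
        if self.connected:
            self.connected = False
            self.events.append(f"{now:.1f}s heartbeat lost, falling back to local policy")
        return self.local_policy
```

The property worth preserving in a real implementation is that the fallback is the host's own restrictive baseline, so losing the controller never silently opens the east-west path, and that a policy push arriving without a live heartbeat is refused rather than applied.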
本发明第四实施例,防火墙控制方法的流程图。A fourth embodiment of the present invention is a flow chart of a firewall control method.
图4为本发明第四实施例中防火墙控制方法的流程图。4 is a flow chart of a firewall control method in a fourth embodiment of the present invention.
步骤401收集配置信息和防火墙策略信息;Step 401 collects configuration information and firewall policy information.
步骤402将配置信息和防火墙策略信息下发给防火墙模块;Step 402 sends the configuration information and firewall policy information to the firewall module.
可选地,步骤402通过Rest API接口或代理程序执行命令行接口,将所述配置信息和所述防火墙策略信息下发给所述防火墙模块。Optionally, the step 402 sends the configuration information and the firewall policy information to the firewall module by executing a command line interface by using a Rest API interface or an agent.
可选地,步骤401除收集配置信息和防火墙策略信息外,还接收用户设置的防火墙策略信息,并将满足预设条件的所述防火墙策略信息发送给所述防火墙模块。Optionally, in addition to collecting the configuration information and the firewall policy information, the step 401 further receives the firewall policy information set by the user, and sends the firewall policy information that meets the preset condition to the firewall module.
可选地,所述将满足预设条件的所述防火墙策略信息发送给所述防火墙模块,包括:Optionally, the sending the firewall policy information that meets the preset condition to the firewall module includes:
将所述防火墙策略信息与预设的实施性标准进行比较,当所述防火墙策略信息符合所述实施性标准时,将所述防火墙策略信息发送给所述防火墙模块。Comparing the firewall policy information with a preset implementation standard, and sending the firewall policy information to the firewall module when the firewall policy information meets the implementation standard.
可选地,所述将所述防火墙策略信息与预设的实施性标准进行比较,包括:Optionally, comparing the firewall policy information with a preset implementation standard, including:
采用递归树Trie的方式将所述防火墙策略信息与所述预设的实施性标准进行比较。The firewall policy information is compared with the preset implementation criteria by means of a recursive tree Trie.
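The following is an added example, not code from the patent, of the controller-side pre-analysis in steps 401 and 402: user-submitted policy rules are tokenised field by field and checked against a preset implementability standard stored in a Trie, conforming rules are queued for delivery to the firewall module, and rejected rules are returned as feedback. The PolicyRule fields, the space-separated pattern syntax with '*' wildcards and the sample standard are constructed assumptions.

```python
"""Controller-side policy pre-analysis with a Trie (added example, not the
patent's own code; rule fields, pattern syntax and the standard are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyRule:
    action: str   # "allow" or "drop"
    proto: str    # "tcp", "udp", ...
    dst: str      # dotted IPv4 address
    dport: int

    def tokens(self):
        """Field-by-field path used as the Trie key: action, proto, 4 octets, port."""
        return [self.action, self.proto, *self.dst.split("."), str(self.dport)]


class PolicyTrie:
    """Recursive tree over rule fields; '*' in the standard matches any one token."""
    END = "$"  # terminal marker; cannot collide with a field value

    def __init__(self):
        self.root = {}

    def insert(self, pattern: str) -> None:
        """Pattern such as 'allow tcp 10.0.1.* *' (fields separated by spaces)."""
        node = self.root
        for tok in pattern.replace(".", " ").split():
            node = node.setdefault(tok, {})
        node[self.END] = {}

    def covers(self, rule: PolicyRule) -> bool:
        """True when some standard entry matches every field of the rule."""
        return self._walk(self.root, rule.tokens(), 0)

    def _walk(self, node, toks, i) -> bool:
        if i == len(toks):
            return self.END in node
        for key in (toks[i], "*"):  # exact child first, then the wildcard child
            child = node.get(key)
            if child is not None and self._walk(child, toks, i + 1):
                return True
        return False


class FirewallController:
    """Holds the preset standard and delivers only conforming rules (constructed)."""

    def __init__(self, standard_patterns):
        self.standard = PolicyTrie()
        for pat in standard_patterns:
            self.standard.insert(pat)
        self.delivered = []  # rules queued for delivery to the firewall module
        self.feedback = []   # (rule, reason) pairs returned to the user

    def submit(self, rules):
        """Pre-analyse user rules; returns (delivered count, rejected count)."""
        for r in rules:
            if self.standard.covers(r):
                self.delivered.append(r)
            else:
                self.feedback.append((r, "does not meet the implementability standard"))
        return len(self.delivered), len(self.feedback)
```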
Fifth embodiment of the present invention: application in a system deployment architecture and a specific implementation.
FIG. 5 is a schematic diagram of the application of the system deployment architecture in the fifth embodiment of the present invention.
As shown in FIG. 5, the upper layer in this embodiment represents the cloud computing management node, on which the firewall controller is deployed. The embodiment uses an active/standby arrangement, that is, a firewall controller primary machine Control1 and a firewall controller standby machine Control2, so that if a problem occurs on the primary firewall controller, the standby controller can take over, ensuring normal operation of the whole system.
The lower layer in FIG. 5 consists of host nodes, on each of which a firewall module is deployed and connected to the corresponding virtual switch vSwitch. The figure preferably shows three host nodes; other embodiments may have any number of host nodes, and the number of host nodes in the present invention is not limited to this.
As shown for the first host node in FIG. 5, the firewall module FW1 monitors and filters the network traffic of virtual switch vSwitch1 according to the configuration information and firewall policy delivered by the firewall controller Control1, and FW1 can also detect and filter the network traffic of vSwitch1 according to user-configured firewall policy request information. User-configured firewall policy information must pass the firewall controller's implementability pre-analysis before it is sent to firewall module FW1; if the user-configured firewall policy information does not satisfy the implementability standard preset in the firewall controller, the firewall controller sends feedback information to the user, who can modify the firewall policy request information according to the feedback so that it meets the implementability standard preset by the firewall controller. In this embodiment, the corresponding detection and filtering control processes of the firewall modules on the other host nodes for their virtual switches vSwitch are not enumerated one by one here.
With the distributed virtual firewall apparatus, method and firewall controller provided by the present invention, the firewall module can rapidly detect and filter the network traffic on the virtual switch vSwitch according to the received configuration information and firewall policy, avoiding a performance bottleneck in the networking, and offers rich and flexible configuration policies.
The description of the specific embodiments should give a deeper and more concrete understanding of the technical means and effects adopted by the present invention to achieve its intended purpose; however, the accompanying drawings are provided for reference and illustration only and are not intended to limit the present invention.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments may be implemented by a computer program flow. The computer program may be stored in a computer-readable storage medium and executed on a corresponding hardware platform (such as a system, equipment, apparatus or device), and when executed includes one of the steps of the method embodiments or a combination thereof.
Optionally, all or part of the steps of the above embodiments may also be implemented using integrated circuits; these steps may be fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module. Thus, the present invention is not limited to any particular combination of hardware and software.
The devices/functional modules/functional units in the above embodiments may be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network formed by multiple computing devices.
When the devices/functional modules/functional units in the above embodiments are implemented in the form of software functional modules and sold or used as independent products, they may be stored in a computer-readable storage medium. The above-mentioned computer-readable storage medium may be a read-only memory, a magnetic disk, an optical disk, or the like.
Any variation or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be determined by the protection scope of the claims.
Industrial applicability
With the distributed virtual firewall apparatus, method and firewall controller provided by the above technical solution, the firewall module can rapidly detect and filter the network traffic on the virtual switch vSwitch according to the received configuration information and firewall policy, avoiding a performance bottleneck in the networking, and offers rich and flexible configuration policies.

Claims (20)

  1. A firewall controller configured on a cloud computing management node, comprising an information collection module and an information sending module, wherein
    the information collection module is configured to collect configuration information and firewall policy information;
    the information sending module is configured to deliver the configuration information and firewall policy information to a firewall module.
  2. The firewall controller according to claim 1, wherein
    the information collection module is further configured to receive firewall policy information set by a user;
    the information sending module is further configured to send the firewall policy information that meets a preset condition to the firewall module.
  3. The firewall controller according to claim 2, wherein the information sending module is configured to send the firewall policy information that meets the preset condition to the firewall module in the following manner:
    comparing the firewall policy information with a preset implementability standard, and sending the firewall policy information to the firewall module when the firewall policy information conforms to the implementability standard.
  4. The firewall controller according to claim 3, wherein the information sending module is configured to compare the firewall policy information with the preset implementability standard in the following manner:
    comparing the firewall policy information with the preset implementability standard by means of a recursive tree (Trie).
  5. The firewall controller according to claim 1, wherein the information sending module is configured to deliver the configuration information and firewall policy information to the firewall module in the following manner:
    delivering the configuration information and the firewall policy information to the firewall module through a REST API interface or through a command line interface executed by an agent program.
  6. A distributed virtual firewall apparatus, comprising a firewall controller and a firewall module, wherein
    the firewall controller is deployed on a cloud computing management node and is configured to deliver configuration information and firewall policy information to the firewall module;
    the firewall module is deployed on a host node and is configured to filter or forward network traffic in a virtual switch vSwitch according to the received configuration information and firewall policy information.
  7. The distributed virtual firewall apparatus according to claim 6, wherein
    the firewall controller is further configured to receive firewall policy information set by a user and to send the firewall policy information that meets a preset condition to the firewall module.
  8. The distributed virtual firewall apparatus according to claim 7, wherein the firewall controller is configured to send the firewall policy information that meets the preset condition to the firewall module in the following manner:
    comparing the firewall policy information with a preset implementability standard, and sending the firewall policy information to the firewall module when the firewall policy information conforms to the implementability standard.
  9. The distributed virtual firewall apparatus according to claim 8, wherein the firewall controller is configured to compare the firewall policy information with the preset implementability standard in the following manner:
    comparing the firewall policy information with the preset implementability standard by means of a recursive tree (Trie).
  10. The distributed virtual firewall apparatus according to claim 6, wherein
    the firewall controller is configured to deliver the configuration information and firewall policy information to the firewall module in the following manner:
    delivering the configuration information and the firewall policy information to the firewall module through a REST API interface or through a command line interface executed by an agent program;
    the firewall module is configured to filter or forward network traffic in the virtual switch vSwitch in the following manner:
    capturing the network traffic in the vSwitch through a hook function.
  11. A firewall control method, comprising:
    collecting configuration information and firewall policy information;
    delivering the configuration information and firewall policy information to a firewall module.
  12. The method according to claim 11, further comprising:
    receiving firewall policy information set by a user;
    sending the firewall policy information that meets a preset condition to the firewall module.
  13. The method according to claim 12, wherein sending the firewall policy information that meets the preset condition to the firewall module comprises:
    comparing the firewall policy information with a preset implementability standard, and sending the firewall policy information to the firewall module when the firewall policy information conforms to the implementability standard.
  14. The method according to claim 13, wherein comparing the firewall policy information with the preset implementability standard comprises:
    comparing the firewall policy information with the preset implementability standard by means of a recursive tree (Trie).
  15. The method according to claim 11, wherein delivering the configuration information and firewall policy information to the firewall module comprises:
    delivering the configuration information and the firewall policy information to the firewall module through a REST API interface or through a command line interface executed by an agent program.
  16. A distributed virtual firewall method, comprising:
    a firewall controller delivering configuration information and firewall policy information to a firewall module;
    the firewall module detecting and filtering network traffic in a virtual switch vSwitch according to the received configuration information and firewall policy information.
  17. The distributed virtual firewall method according to claim 16, further comprising:
    the firewall controller receiving firewall policy information set by a user and sending the firewall policy information that meets a preset condition to the firewall module.
  18. The distributed virtual firewall method according to claim 17, wherein the firewall controller sending the firewall policy information that meets the preset condition to the firewall module comprises:
    the firewall controller comparing the firewall policy information with a preset implementability standard, and sending the firewall policy information to the firewall module when the firewall policy information conforms to the implementability standard.
  19. The distributed virtual firewall method according to claim 18, wherein the firewall controller comparing the firewall policy information with the preset implementability standard comprises:
    the firewall controller comparing the firewall policy information with the preset implementability standard by means of a recursive tree (Trie).
  20. The distributed virtual firewall method according to claim 16, wherein
    the firewall controller delivering configuration information and firewall policy information to the firewall module comprises:
    the firewall controller delivering the configuration information and the firewall policy information to the firewall module through a REST API interface or through a command line interface executed by an agent program;
    the firewall module detecting and filtering network traffic in the virtual switch vSwitch comprises:
    the firewall module capturing the network traffic in the vSwitch through a hook function.
PCT/CN2014/090473 2014-06-09 2014-11-06 Distributed virtual firewall apparatus and method, and firewall controller WO2015188579A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410252561.0 2014-06-09
CN201410252561.0A CN105141571A (en) 2014-06-09 2014-06-09 Distributed virtual firewall device and method

Publications (1)

Publication Number Publication Date
WO2015188579A1 true WO2015188579A1 (en) 2015-12-17

Family

ID=54726780

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/090473 WO2015188579A1 (en) 2014-06-09 2014-11-06 Distributed virtual firewall apparatus and method, and firewall controller

Country Status (2)

Country Link
CN (1) CN105141571A (en)
WO (1) WO2015188579A1 (en)

Also Published As

Publication number Publication date
CN105141571A (en) 2015-12-09

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14894431

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14894431

Country of ref document: EP

Kind code of ref document: A1