CN103763310B - Firewall service system and method based on virtual network - Google Patents

Firewall service system and method based on virtual network

Info

Publication number: CN103763310B
Authority: CN (China)
Prior art keywords: firewall, user, network, fire wall, security policy
Legal status: Active
Application number: CN201310751713.7A
Other languages: Chinese (zh)
Other versions: CN103763310A (en)
Inventors: 张翔, 王军林, 唐明, 徐博, 成书晟
Current Assignee: Shuguang Cloud Computing Group Co ltd
Original Assignee: SHUGUANG CLOUD COMPUTING TECHNOLOGY Co Ltd
Priority date: 2013-12-31
Filing date: 2013-12-31
Publication date: 2017-04-12

Events:
Application filed by SHUGUANG CLOUD COMPUTING TECHNOLOGY Co Ltd
Priority to CN201310751713.7A
Publication of CN103763310A
Application granted
Publication of CN103763310B
Legal status: Active (current)
Anticipated expiration

Abstract

The invention provides a firewall service system based on a virtual network. The system comprises a distributed firewall manager and firewall service nodes. The distributed firewall manager obtains the information of all virtual machine network interfaces in a user's network according to the user's network identity, determines the corresponding firewall service nodes according to that interface information, and distributes the user's firewall configuration information and/or firewall security policy to the corresponding firewall service nodes. The firewall service nodes are configured on OVS switches based on OVS and manage the data flows passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user. The invention further provides a method for realizing a virtual network firewall. Through the deployment and distributed management of the firewall service nodes, the system and method build a distributed virtual network firewall.

Description

Firewall service system and method based on virtual network
Technical field
The present invention relates to the field of computer technology, and more particularly to a firewall service system based on a virtual network and a method for realizing a virtual network firewall.
Background technology
A firewall in a legacy network is normally deployed at the network border, on a link through which all of the network's traffic can be monitored. Packets sent to the internal network are filtered and, according to the configured firewall security policy, either forwarded or discarded.
In a virtualized network environment the physical network resources are shared by all virtual network users, but from each user's point of view the network is exclusively theirs and isolated from the networks of other users. Each user or business network may have different network security requirements depending on the service characteristics of its own network, and hence different requirements for firewall deployment and security policy. Because a virtual network is elastically scalable, a user's network boundary is indeterminate from the perspective of the physical network, so firewalls cannot be deployed in the conventional way to provide firewall services to each user. Traditional firewall technology therefore has difficulty meeting the security needs of virtual network users.
No effective solution to this problem in the related art has yet been proposed.
The content of the invention
In view of the problems in the related art, the present invention proposes a firewall service system based on a virtual network and a method for realizing a virtual network firewall, which build a distributed virtual firewall through the deployment and distributed management of firewall service nodes.
To achieve the above object, in one aspect the invention provides a firewall service system based on a virtual network, comprising: a distributed firewall manager for obtaining the information of all virtual machine network interfaces in a user's network according to the user's network identity, determining the corresponding firewall service nodes according to the virtual machine network interface information, and distributing the user's firewall configuration information and/or firewall security policy to the corresponding firewall service nodes; and firewall service nodes, configured on OVS switches based on the open virtual switch standard OVS, for managing the data flows passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user.
According to the present invention, the firewall service system further includes a virtual firewall module for setting the user's network identity and the corresponding firewall configuration information and/or firewall security policy through a firewall operation interface, and for sending the user's network identity together with the corresponding firewall configuration information and/or firewall security policy to the distributed firewall manager.
According to the present invention, the virtual firewall module is further used, when the user's firewall configuration information and/or firewall security policy changes, to send the changed firewall configuration information and/or firewall security policy together with the user's network identity to the distributed firewall manager.
According to the present invention, the virtual machine network interface information includes the position in the management network of the OVS switch to which the virtual machine network interface is connected, and the port number of the virtual machine network interface on that OVS switch.
According to the present invention, the firewall service node includes a policy module for converting the firewall security policy issued by the distributed firewall manager into a data flow control policy.
According to the present invention, the firewall service node further includes a control module for listening for control information sent by the distributed firewall manager, so as to perform control operations on the service node or configuration operations on the policy module.
In another aspect, the invention also provides a method for realizing a virtual network firewall, comprising: the distributed firewall manager obtains the information of all virtual machine network interfaces in the user's network according to the user's network identity; the distributed firewall manager determines the corresponding firewall service nodes according to the virtual machine network interface information; the distributed firewall manager distributes the user's firewall configuration information and/or firewall security policy to the corresponding firewall service nodes, where the firewall service nodes are configured on OVS switches based on the open virtual switch standard OVS; and the firewall service nodes manage the data flows passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user.
According to the present invention, the method further includes: a virtual firewall module sets the user's network identity and the corresponding firewall configuration information and/or firewall security policy through a firewall operation interface, and sends the user's network identity together with the corresponding firewall configuration information and/or firewall security policy to the distributed firewall manager.
According to the present invention, managing the data flows passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user includes: converting the user's firewall security policy into a data flow control policy; and managing the data flows passing through the OVS switch according to that data flow control policy.
Compared with the prior art, the beneficial effects of the present invention are:
By deploying firewall service nodes on physical machines and managing the service nodes in a distributed way, the present invention builds a distributed virtual firewall and provides each user with a logically independent virtual firewall device.
In addition, the present invention achieves independence of security policy and user information, so that one user's security policy does not interfere with other users' networks. The present invention therefore solves the problem that traditional firewall devices cannot meet the security needs of different users in a virtual network.
Description of the drawings
Fig. 1 is a structural block diagram of the firewall service system based on a virtual network according to an embodiment of the invention;
Fig. 2 is a schematic diagram of the method for realizing a virtual network firewall according to an embodiment of the invention;
Fig. 3 is a schematic diagram of the method for realizing a virtual network firewall according to a further embodiment of the invention;
Fig. 4 is a schematic diagram of the method for realizing a virtual network firewall according to another embodiment of the invention.
Detailed description
The present invention is further illustrated below with reference to the accompanying drawings.
As shown in Fig. 1, the firewall service system based on a virtual network of the present invention includes a distributed firewall manager 10 and firewall service nodes 20.
Specifically, the distributed firewall manager 10 obtains the information of all virtual machine network interfaces in the user's network according to the user's network identity; it can also determine the corresponding firewall service nodes 20 according to the virtual machine network interface information; and it distributes the user's firewall configuration information and/or firewall security policy to the corresponding firewall service nodes 20.
Further, the firewall service nodes 20 can be configured on OVS switches based on the open virtual switch standard OVS and manage the data flows passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user.
In an alternative embodiment of the present invention, the firewall service system may further include a virtual firewall module. The virtual firewall module can be used to set the user's network identity and the corresponding firewall configuration information and/or firewall security policy through a firewall operation interface; it can also send the user's network identity and the corresponding firewall configuration information and/or firewall security policy to the distributed firewall manager 10.
Further, in a preferred embodiment of the invention, the virtual firewall module can also be used, when the user's firewall configuration information and/or firewall security policy changes, to send the changed firewall configuration information and/or firewall security policy together with the user's network identity to the distributed firewall manager 10.
In another preferred embodiment of the invention, the virtual machine network interface information can include the position in the management network of the OVS switch to which the virtual machine network interface is connected, and the port number of the virtual machine network interface on that OVS switch.
Further, in an alternative embodiment of the invention, the firewall service node 20 can include a policy module and a control module.
Specifically, the policy module can be used to convert the firewall security policy issued by the distributed firewall manager 10 into a data flow control policy, and the control module can be used to listen for control information sent by the distributed firewall manager 10 so as to perform control operations on the service node or configuration operations on the policy module.
In another aspect, as shown in Fig. 2, the present invention also provides a method for realizing a virtual network firewall, the method including:
S101, the distributed firewall manager 10 obtains the information of all virtual machine network interfaces in the user's network according to the user's network identity;
S102, the distributed firewall manager 10 determines the corresponding firewall service nodes 20 according to the virtual machine network interface information;
S103, the distributed firewall manager 10 distributes the user's firewall configuration information and/or firewall security policy to the corresponding firewall service nodes 20, where the firewall service nodes 20 are configured on OVS switches based on the open virtual switch standard OVS;
S104, the firewall service nodes 20 manage the data flows passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user.
Preferably, as shown in Fig. 3, in one embodiment of the method for realizing a virtual network firewall of the present invention, the method may further include:
S201, a virtual firewall module sets the user's network identity and the corresponding firewall configuration information and/or firewall security policy through a firewall operation interface; and
S202, the user's network identity and the corresponding firewall configuration information and/or firewall security policy are sent to the distributed firewall manager 10.
In addition, as shown in Fig. 4, in another preferred embodiment of the method of the present invention, the step of managing the data flows passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user may include:
S301, converting the user's firewall security policy into a data flow control policy; and
S302, managing the data flows passing through the OVS switch according to the data flow control policy.
Specifically, in the present invention the firewall service node is a service module built on top of OVS. First, the original Linux bridge module on the host is replaced with OVS, and OVS provides layer-2 network access for the virtual machines running on the host. OVS forwards packets destined for the virtual machines at high speed, and the basis for forwarding is the flow table. The flow table is a high-level abstraction of the forwarding rules of an OpenFlow switch; a flow table entry consists of header fields, counters and actions. The header fields describe the matching policy for packets and include the port on which the packet arrived, source MAC address, destination MAC address, source IP address, destination IP address, IP protocol, TCP/UDP source port and TCP/UDP destination port.
Specifically, the flow table contents can be set freely according to demand, and in this way the switch is given its packet forwarding policy. The firewall service node 20 consists mainly of two parts. The first is the policy module, which stores the firewall security policy issued by the distributed manager, converts the security policy into an OVS data flow control policy, and stores that policy in the OVS flow table. The other is the node control module, which runs a web service that exposes the service node's control interface using the REST (Representational State Transfer) standard, listens for commands sent by the distributed manager, and performs control operations on the service node and configuration operations on the firewall policy.
The firewall distributed manager abstracts a logically independent firewall service for each virtual network. When a user configures their own firewall service, the configuration information is sent to the distributed manager together with the user's network identity. According to the user's network identity, the distributed manager obtains from network management the information of all virtual machine network interfaces in the user's network, including the position in the management network of the OVS switch to which each virtual machine network interface is connected and the port number of the interface on that OVS switch. The distributed manager then distributes the user's firewall configuration information to the corresponding firewall service nodes 20, and the corresponding firewall service nodes 20 process the firewall policy.
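As an added illustration (not code from the patent or its assignee) of how the manager's grouping of interfaces into service nodes (S102) and the policy module's conversion of a user policy into OVS flow entries (S301/S302) fit together, the following Python assumes a simple allow/deny rule shape, constructed switch names and port numbers, and that a user's rules govern traffic entering the switch from the VM's port:

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class VmInterface:
    """One VM network interface as the manager records it (constructed fields)."""
    switch: str  # identity of the OVS switch in the management net, e.g. "ovs-host1"
    port: int    # OpenFlow port number of the VM interface on that switch


@dataclass(frozen=True)
class Rule:
    """One entry of a user's firewall security policy (assumed shape)."""
    action: str          # "allow" or "deny"
    proto: str = "any"   # "tcp", "udp", "icmp" or "any" (IPv4 only here)
    src: str = "any"     # IPv4 address or CIDR, "any" = unrestricted
    dst: str = "any"
    dport: int = 0       # TCP/UDP destination port, 0 = any


def group_by_node(ifaces: List[VmInterface]) -> Dict[str, List[VmInterface]]:
    """Step S102: the service node for an interface is the one on the switch the
    interface is attached to, so interfaces are grouped by switch identity."""
    nodes: Dict[str, List[VmInterface]] = {}
    for iface in ifaces:
        nodes.setdefault(iface.switch, []).append(iface)
    return nodes


def rule_to_flow(rule: Rule, iface: VmInterface, priority: int) -> str:
    """Step S301: turn one policy rule into one ovs-ofctl flow specification.
    Assumption: rules govern traffic the VM sends, so they match on in_port."""
    if rule.action not in ("allow", "deny"):
        raise ValueError(f"unknown action {rule.action!r}")
    match = [f"in_port={iface.port}"]
    if rule.proto == "any":
        match.append("ip")           # any IPv4 packet
    elif rule.proto in ("tcp", "udp", "icmp"):
        match.append(rule.proto)     # ovs-ofctl shorthand, implies ip + nw_proto
    else:
        raise ValueError(f"unsupported protocol {rule.proto!r}")
    if rule.src != "any":
        match.append(f"nw_src={rule.src}")
    if rule.dst != "any":
        match.append(f"nw_dst={rule.dst}")
    if rule.dport:
        if rule.proto not in ("tcp", "udp"):
            raise ValueError("a destination port needs proto tcp or udp")
        match.append(f"tp_dst={rule.dport}")
    actions = "normal" if rule.action == "allow" else "drop"
    return f"priority={priority},{','.join(match)},actions={actions}"


def policy_to_flows(policy: List[Rule],
                    ifaces: List[VmInterface]) -> Dict[str, List[str]]:
    """Steps S103/S302: per service node, the ordered flow entries to install.
    First matching rule wins, so earlier rules get higher priority; ARP is let
    through so the VM can resolve neighbours; anything else from the port drops."""
    result: Dict[str, List[str]] = {}
    for switch, node_ifaces in group_by_node(ifaces).items():
        flows: List[str] = []
        for iface in node_ifaces:
            for i, rule in enumerate(policy):
                flows.append(rule_to_flow(rule, iface, 1000 - i))
            flows.append(f"priority=10,in_port={iface.port},arp,actions=normal")
            flows.append(f"priority=1,in_port={iface.port},actions=drop")
        result[switch] = flows
    return result


# Constructed sample: one user's network with two VMs on host1 and one on host2.
USER_IFACES = [VmInterface("ovs-host1", 3), VmInterface("ovs-host1", 4),
               VmInterface("ovs-host2", 7)]
USER_POLICY = [
    Rule("allow", "tcp", dst="10.0.1.0/24", dport=443),
    Rule("deny", "tcp", dport=22),
    Rule("allow", "icmp"),
]

if __name__ == "__main__":
    for switch, flows in policy_to_flows(USER_POLICY, USER_IFACES).items():
        print(f"# flows for the service node on {switch}")
        for flow in flows:
            print(f'ovs-ofctl add-flow {switch} "{flow}"')
```

The match keywords used (in_port, tcp, nw_dst, tp_dst, actions=normal/drop) are standard ovs-ofctl syntax; the trailing per-port drop entry is the default-deny a practitioner would want so that a policy gap does not silently become an allow.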
In summary, by deploying firewall service nodes 20 on physical machines and managing the service nodes in a distributed way, the present invention builds a distributed virtual firewall and provides each user with a logically independent virtual firewall device.
In addition, the present invention achieves independence of security policy and user information, so that one user's security policy does not interfere with other users' networks. The present invention therefore solves the problem that traditional firewall devices cannot meet the security needs of different users in a virtual network.
The foregoing is only the preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent substitution, improvement and so on made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (7)


Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201310751713.7A | 2013-12-31 | 2013-12-31 | Firewall service system and method based on virtual network

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201310751713.7A | 2013-12-31 | 2013-12-31 | Firewall service system and method based on virtual network

Publications (2)

Publication Number | Publication Date
CN103763310A (en) | 2014-04-30
CN103763310B (en) | 2017-04-12

Family

ID: 50530470

Family Applications (1)

Application Number | Status | Publication | Priority Date | Filing Date | Title
CN201310751713.7A | Active | CN103763310B (en) | 2013-12-31 | 2013-12-31 | Firewall service system and method based on virtual network

Country Status (1)

Country | Link
CN (1) | CN103763310B (en)


Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101212453A (en)* | 2006-12-29 | 2008-07-02 | 凹凸科技(中国)有限公司 | Network access control method and firewall device
CN101409714A (en)* | 2008-11-18 | 2009-04-15 | 华南理工大学 | Firewall system based on virtual machine
CN101958903A (en)* | 2010-10-09 | 2011-01-26 | 南京博同科技有限公司 | Method for realizing high-performance firewall based on SOC and parallel virtual firewall


Also Published As

Publication number | Publication date
CN103763310A (en) | 2014-04-30


Legal Events

Code | Title | Description
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
CP01 | Change in the name or title of a patent holder
    Address after: 100193 Beijing, Haidian District, northeast Wang West Road, building 8, building 36, floor 5
    Patentee after: Shuguang Cloud Computing Group Co.,Ltd.
    Address before: 100193 Beijing, Haidian District, northeast Wang West Road, building 8, building 36, floor 5
    Patentee before: DAWNING CLOUD COMPUTING TECHNOLOGY Co.,Ltd.
CP03 | Change of name, title or address
    Address after: 100193 5 floor, 36 building, No. 8 Northeast Road, Haidian District, Beijing.
    Patentee after: Shuguang Cloud Computing Group Co.,Ltd.
    Country or region after: China
    Address before: 100193 5 floor, 36 building, No. 8 Northeast Road, Haidian District, Beijing.
    Patentee before: Shuguang Cloud Computing Group Co.,Ltd.
    Country or region before: China
