Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that, the related information (including, but not limited to, user equipment information, user personal information, etc.) and data (including, but not limited to, data for presentation, analyzed data, etc.) related to the present invention are information and data authorized by the user or sufficiently authorized by each party. For example, an interface is provided between the system and the relevant user or institution, before acquiring the relevant information, the system needs to send an acquisition request to the user or institution through the interface, and acquire the relevant information after receiving the consent information fed back by the user or institution.
Example 1
In accordance with an embodiment of the present invention, there is provided an embodiment of a secure service chain based flow control method, it being noted that the steps illustrated in the flow diagrams of the figures may be performed in a computer system, such as a set of computer executable instructions, and that although a logical sequence is illustrated in the flow diagrams, in some cases the steps illustrated or described may be performed in a different order than that illustrated herein.
Fig. 1 is a schematic diagram of an alternative flow control method based on a security service chain according to an embodiment of the present invention. As shown in fig. 1, the method includes the following steps:
Step S102, at least one drainage security switch is created based on a security service chain configured by a target user, wherein the security service chain comprises at least one security virtual machine, each drainage security switch is connected with a security virtual machine corresponding to the drainage security switch, the security virtual machine is used for performing security monitoring on service traffic generated when a first service virtual machine and a second service virtual machine perform service interaction, the first service virtual machine is used for processing service data corresponding to the target user, the second service virtual machine is used for processing service data corresponding to other users, the other users are users except the target user, and the drainage security switch is used for controlling the service traffic to flow through the security virtual machine.
Step S104, when the first service virtual machine and the second service virtual machine perform service interaction, the first service virtual machine, at least one drainage security switch and the security virtual machines corresponding to each drainage security switch are connected in series to obtain a flow path of service traffic, wherein each security virtual machine is connected under the trunk network of the drainage security switch corresponding to the security virtual machine, and the trunk network range is the trunk network of all VLANs.
Step S106, based on the flow path, controlling the flow of the service traffic to the second service virtual machine.
Based on the scheme defined in the steps S102 to S106, it can be known that in the embodiment of the present invention, by adopting a manner of serially connecting a first service virtual machine, at least one drainage security switch and a security virtual machine corresponding to each drainage security switch, at least one drainage security switch is first created through a security service chain configured based on a target user, where the security service chain includes at least one security virtual machine, each drainage security switch is connected with the security virtual machine corresponding to the drainage security switch, the security virtual machine is used for performing security monitoring on service traffic generated when the first service virtual machine and the second service virtual machine perform service interaction, the first service virtual machine is used for processing service data corresponding to the target user, the second service virtual machine is used for processing service data corresponding to other users, the other users are users other than the target user, and the drainage security switch is used for controlling the service traffic to flow through the security virtual machine; when a first service virtual machine and a second service virtual machine perform service interaction, the first service virtual machine, at least one drainage security switch and security virtual machines corresponding to each drainage security switch are connected in series to obtain a flow path of service traffic, wherein each security virtual machine is connected under a trunk network of the drainage security switch corresponding to the security virtual machine, and the trunk network range is the trunk network of all VLANs; and finally, controlling the flow of the service traffic to the second service virtual machine based on the flow path.
It is easy to note that in the above process, at least one security virtual machine and a drainage security switch corresponding to each security virtual machine are connected in series with a first service virtual machine corresponding to a target user to obtain a flow path, so that the security service virtual machine does not need to support an additional network protocol, and the service traffic can flow to a second service virtual machine directly through the flow path in series without modifying a message contained in the service traffic, thereby solving the problem that in the prior art, the flow is controlled by a flow classification controller, throughput bottleneck exists because all the drainage traffic needs to modify the message through the flow classification controller, and the transmission efficiency of the service traffic is low in the transmission process.
Therefore, the technical scheme of the invention achieves the aim of controlling the flow of the service flow to the second service virtual machine based on the flow path, thereby realizing the technical effect of improving the transmission efficiency of the service flow generated by the service virtual machine in the service interaction in the transmission process, and further solving the technical problem of low transmission efficiency of the service flow generated by the service virtual machine in the service interaction in the prior art in the transmission process.
In step S102, the security service chain configured by the target user is a service chain formed by a plurality of security virtual machines, and is used for performing security monitoring on service traffic generated when the first service virtual machine, which processes the service data of the target user, and the second service virtual machine, which processes the service data of users other than the target user, perform service interaction. For example, an enterprise deploys a security service chain formed by the security virtual machines of a plurality of security vendors on its private cloud platform, and performs all-round protection on the service traffic of its service virtual machines.
Optionally, in this embodiment, the system creates at least one drainage security switch based on the security service chain configured by the target user, where each security virtual machine is connected to the drainage security switch corresponding to the security virtual machine.
Alternatively, a trunk network whose range is all VLANs, e.g., a trunk type network fw_vswitch1_net_trunk_4095, is created on each drainage security switch. Optionally, a drainage network net_3xxx (a network with VLAN ID 3xxx, e.g., net_3000) is created on the first drainage security switch in the security service chain. For each network card of a service virtual machine that is drained, a separate net_3xxx network is created, and these networks have different VLAN IDs.
Further, the system acquires at least one piece of target information, wherein the target information at least comprises the name of the secure virtual machine and the network card information of the secure virtual machine; acquiring at least one security virtual machine based on at least one target information, and accessing the at least one security virtual machine into a security service chain, wherein each security virtual machine corresponds to one target information; at least one drainage security switch is created based on the at least one security virtual machine.
Optionally, the system acquires at least one piece of target information, such as the name of the secure virtual machine and the information of the network card of the exit/entry interface, then acquires the secure virtual machine corresponding to the target information based on each piece of target information, accesses the secure virtual machine corresponding to each piece of target information into a secure service chain, and creates a drainage secure switch corresponding to the secure virtual machine based on each secure virtual machine.
Optionally, when the target user wants to add a new secure virtual machine to the secure service chain, the user only needs to enter, on the management platform, the name of the secure virtual machine and the network card information of its egress/ingress interface; based on this information, the system accesses the corresponding secure virtual machine into the service chain and creates a drainage secure switch corresponding to the secure virtual machine.
It should be noted that, by accessing the corresponding secure virtual machine into the service chain and creating the drainage secure switch corresponding to the secure virtual machine based on the name of the secure virtual machine and its network card information, the management platform can issue a configuration task through the cloud platform API and connect the network card of the egress/ingress interface of the secure virtual machine to the corresponding drainage network, so as to prepare for the subsequent generation of the flow path of the service traffic, thereby improving the accuracy of the flow path of the service traffic.
In step S104, as shown in fig. 2, in the prior art, when the first service virtual machine GVM1 and the second service virtual machine GVM2 perform service interaction, GVM1 and GVM2 are in the same VLAN network of the same G-vSwitch service switch, their VLAN ID is 10, and they are mutually reachable at Layer 2. GVM1 traffic is transmitted via the uplink of HOST1 (i.e., the physical network card) through the physical switch in between to the uplink of HOST2, and is then forwarded by HOST2 to GVM2, where each HOST deploys a secure virtual machine SVM of each security vendor, e.g., SVM1, SVM2, SVMn.
In this embodiment, when the first service virtual machine and the second service virtual machine perform service interaction, the system obtains a flow path of the service traffic by serially connecting the first service virtual machine, at least one drainage security switch, the security virtual machine corresponding to each drainage security switch, and the service switch. Optionally, the first service virtual machine and the second service virtual machine are connected under the same VLAN network of the service switch, and the VLAN ID is 10. For example, as shown in fig. 3, when the first service virtual machine GVM1 and the second service virtual machine GVM2 perform service interaction, GVM1 is connected to the first drainage security switch FW-vSwitch1, on which a network fw_vSwitch_net_trunk_4095 (i.e. a trunk network in the range of all VLANs) exists; the ingress interface of the first security virtual machine SVM1 is connected to FW-vSwitch1 and to the fw_vSwitch_net_trunk_4095 network, and the egress interface of SVM1 is connected to the drainage security switch FW-vSwitch2 corresponding to the second security virtual machine SVM2; the ingress interface of SVM2 is connected in the same way to the trunk network of FW-vSwitch2, and the chain continues in this manner up to the last security virtual machine SVMn, whose egress interface is connected to the trunk network of the service switch, so that the service traffic flows through SVM1 to SVMn in turn.
It should be noted that, by serially connecting at least one secure virtual machine and the drainage secure switch corresponding to each secure virtual machine with the first service virtual machine corresponding to the target user, a flow path is obtained, the secure virtual machine does not need to support an additional network protocol, and the service flow can flow to the second service virtual machine directly through the serial flow path without modifying the message contained in the service flow, so that the problem that in the prior art, the flow is controlled by the flow classification controller, and throughput bottleneck exists because all the drainage flows need to modify the message by the flow classification controller, and the transmission efficiency of the service flow is low in the transmission process is solved.
Further, the system determines initial network information of a network card corresponding to the first service virtual machine based on the first service virtual machine, wherein the initial network information is a virtual local area network identity corresponding to the first service virtual machine; modifying the initial network information into target network information, wherein the target network information is a virtual local area network identity corresponding to a first drainage security switch, and the first drainage security switch is a drainage security switch corresponding to a first security virtual machine through which the service flow flows; and serially connecting the first service virtual machine, at least one drainage security switch and the security virtual machine corresponding to each drainage security switch based on the target network information to obtain a flow path of the service traffic.
Optionally, in this embodiment, the system determines, from the first service virtual machine, the initial network information of the network card corresponding to the first service virtual machine, and modifies the initial network information into the target network information of the drainage security switch corresponding to the first security virtual machine through which the service flow flows. For example, the VLAN ID in the initial network information of the network card of the first service virtual machine GVM1 is 10, and the VLAN ID in the target network information of the first drainage security switch FW-vSwitch1 is 3700 (VLAN ID 3700 corresponds to the network net_3700); connecting GVM1 to net_3700 of FW-vSwitch1 switches the initial network information to the target network information. Then, based on the target network information, the first service virtual machine, at least one drainage security switch and the security virtual machine corresponding to each drainage security switch are serially connected to obtain the flow path of the service flow.
It should be noted that, by modifying the initial network information of the network card to the target network information, the GVM1 and the FW-vSwitch1 can be connected and located in the same network, and a flow path of the service traffic can be generated without supporting an additional network protocol by the secure virtual machine, so that the traffic transmission path is simplified, and the transmission efficiency of the service traffic generated during service interaction of the service virtual machine in the transmission process is improved.
Further, the system acquires a service switch, wherein at least one secure virtual machine is connected under a trunk network of the service switch, the trunk network range is the trunk network of all VLANs, the service switch is connected with a second service virtual machine, and initial network information of a network card corresponding to the second service virtual machine is the same as initial network information of a network card corresponding to the first service virtual machine; and serially connecting the first service virtual machine, at least one drainage security switch, the security virtual machine corresponding to each drainage security switch and the service switch based on the target network information to obtain a flow path of the service flow.
Optionally, the first service virtual machine GVM1 and the second service virtual machine GVM2 are located under the same VLAN network of the same G-vSwitch service switch, the VLAN ID is 10, and the system creates a trunk network with a range of all VLANs under the service switch. The system obtains a flow path of the service flow by determining the service switch, and serially connecting the first service virtual machine, the drainage security switch, the security virtual machine corresponding to each drainage security switch and the service switch based on the target network information.
In step S106, the system controls the service traffic to sequentially pass through each secure virtual machine according to the sequence of the secure virtual machines in the secure service chain through the flow path of the service traffic, and finally flows to the second service virtual machine.
Alternatively, if GVM2 is also added to the security protection, GVM2 is connected to the drainage network net_3701. After the traffic of GVM1 is forwarded to G-vSwitch, the traffic passes through SVM_end, SVMn, SVMn-1, … and SVM1 on the host where GVM2 is located in turn, and is finally forwarded to GVM2.
Further, when the system controls the service flow to flow through the first safety virtual machine based on the flow path, determining target network information corresponding to the communication message contained in the service flow, wherein the first safety virtual machine is the last safety virtual machine through which the service flow flows; restoring the target network information corresponding to the communication message into initial network information; and controlling the flow of the service traffic to the second service virtual machine based on the initial network information.
Optionally, when the service flow controlled by the flow path flows through the first secure virtual machine, the system restores the target network information corresponding to the communication packet included in the service flow to the initial network information; for example, the target network information corresponding to the communication packet is VLAN ID=3700 and the initial network information is VLAN ID=10, so VLAN ID 3700 is modified to 10 and thereby restored to the initial network information. Because the network information corresponding to the communication message contained in the service flow is then the same as the initial network information of the second service virtual machine, the service flow can be controlled to flow to the second service virtual machine. The first secure virtual machine is a secure virtual machine created by the system, which has the function of maintaining the correspondence between initial network information and target network information, and the target network information corresponding to the communication message can be restored to the initial network information by this first secure virtual machine, for example, the VLAN ID carried by the message is changed from 3700 to 10.
It should be noted that, by controlling the flow of the service traffic to the second service virtual machine based on the initial network information, the target network information corresponding to the communication packet included in the service traffic can be the same as the initial network information of the second service virtual machine, so that the flow of the service traffic to the second service virtual machine can be controlled, the security virtual machine does not need to support an additional network protocol, and the flow path of the service traffic can be generated, thereby simplifying the flow transmission path, and further improving the transmission efficiency of the service traffic generated by the service virtual machine in the service interaction in the transmission process.
In an alternative embodiment, the system monitors the health status of each secure virtual machine; when the second security virtual machine is abnormal, connecting a drainage security switch corresponding to the second security virtual machine with the second drainage security switch based on a preset virtual equipment interface to obtain a first flow path, wherein the second drainage security switch is a drainage security switch corresponding to a third security virtual machine, and the third security virtual machine is a security virtual machine in which service traffic flows after flowing through the second security virtual machine; traffic flow to the second traffic virtual machine is controlled based on the first flow path.
Optionally, the system monitors the health status of each secure virtual machine, for example, by monitoring SVM power-down behaviour in the cloud platform. When a secure virtual machine is abnormal, the system connects the drainage secure switch corresponding to that secure virtual machine with the drainage secure switch corresponding to the next secure virtual machine through which the service traffic would flow, based on a preset virtual device interface (for example, a veth-pair interface), so as to obtain a first flow path, and controls the service traffic to flow to the second service virtual machine based on the first flow path. For example, when SVM2 fails, traffic is bypassed around SVM2 by connecting the two drainage security switches FW-vSwitch2 and FW-vSwitch3 with a veth-pair.
It should be noted that, by monitoring the health status of each secure virtual machine, when the secure virtual machine is abnormal, the drainage secure switch is connected based on the preset virtual device interface, so that the traffic can continue to perform traffic transmission, thereby improving the transmission efficiency of the traffic in the transmission process.
In another optional embodiment, when the secure virtual machine is a fourth secure virtual machine, the system connects the fourth secure virtual machine with the service switch, where the fourth secure virtual machine is a secure virtual machine accessed in a bypass mode, and the bypass mode is used for performing secure identification on service traffic; and carrying out security detection on the service traffic based on the fourth security virtual machine.
In this embodiment, the system connects the security virtual machine accessed in the bypass mode with the service switch and connects the security virtual machine under a trunk network with a range of all VLANs, so that the security virtual machine can perform security detection on the traffic flowing to the service switch, for example, the fourth security virtual machine tapping_svm1 and tapping_svm2 as shown in fig. 3. Optionally, the bypass mode only carries out safety identification on the message, only receives the message, and does not forward the message.
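The following model, added here as an illustration and not part of the patent or of any product implementing it, walks a frame from GVM1 to GVM2 through the flow path of steps S102 to S106: the VLAN re-tag from 10 to 3700 at GVM1's network card, in-line inspection by each SVM, the restore to VLAN 10 at the last SVM, the veth-pair bypass wired around an unhealthy SVM, and the bypass-mode tapping SVMs on the service switch. Switch and SVM names follow the description; the dataclasses, the `inspected_by`/`path` records and the handling of a failed last SVM (frame dropped) are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

INITIAL_VLAN = 10     # VLAN of GVM1/GVM2 on the G-vSwitch service switch
TARGET_VLAN = 3700    # drainage VLAN (network net_3700 on FW-vSwitch1)


@dataclass
class Frame:
    """A service-traffic message; only its VLAN tag is ever rewritten."""
    src: str
    dst: str
    vlan_id: int
    inspected_by: List[str] = field(default_factory=list)  # SVMs that saw it
    path: List[str] = field(default_factory=list)          # switches traversed


@dataclass
class SecurityVM:
    name: str
    healthy: bool = True
    tapping: bool = False  # bypass-mode SVM: receives a copy, never forwards

    def inspect(self, frame: Frame) -> None:
        frame.inspected_by.append(self.name)


@dataclass
class DrainageSwitch:
    """FW-vSwitchN with its all-VLAN trunk network and one in-line SVM."""
    name: str
    svm: SecurityVM
    bypass_to: Optional["DrainageSwitch"] = None  # veth-pair when svm is down


@dataclass
class ServiceChain:
    switches: List[DrainageSwitch]
    taps: List[SecurityVM] = field(default_factory=list)  # tapping_svm1, ...

    @classmethod
    def create(cls, svm_names, tap_names=()) -> "ServiceChain":
        """Step S102: one drainage switch per SVM, in the user-configured order."""
        switches = [DrainageSwitch(f"FW-vSwitch{i}", SecurityVM(n))
                    for i, n in enumerate(svm_names, start=1)]
        return cls(switches, [SecurityVM(t, tapping=True) for t in tap_names])

    def monitor_health(self) -> None:
        """Wire a veth-pair from each unhealthy SVM's switch to the next switch."""
        for i, sw in enumerate(self.switches):
            nxt = self.switches[i + 1] if i + 1 < len(self.switches) else None
            sw.bypass_to = nxt if (not sw.svm.healthy and nxt) else None

    def send(self, frame: Frame) -> Optional[Frame]:
        """Steps S104/S106: GVM1 -> drainage switches -> G-vSwitch -> GVM2."""
        if frame.vlan_id != INITIAL_VLAN:
            raise ValueError("GVM1 frames start on VLAN 10")
        self.monitor_health()
        frame.vlan_id = TARGET_VLAN  # GVM1's NIC now sits on net_3700
        last_svm = None
        i = 0
        while i < len(self.switches):
            sw = self.switches[i]
            frame.path.append(sw.name)
            if sw.svm.healthy:
                sw.svm.inspect(frame)
                last_svm = sw.svm
                i += 1
            elif sw.bypass_to is not None:
                frame.path.append(f"veth-pair:{sw.name}->{sw.bypass_to.name}")
                i = self.switches.index(sw.bypass_to)
            else:
                return None  # assumption: last SVM down, nothing to bypass to
        if last_svm is None:
            return None
        frame.vlan_id = INITIAL_VLAN  # last SVM restores 3700 -> 10 (S106)
        return self.service_switch(frame)

    def service_switch(self, frame: Frame) -> Optional[Frame]:
        """G-vSwitch: copies to tapping SVMs, delivers only on GVM2's VLAN."""
        frame.path.append("G-vSwitch")
        for tap in self.taps:
            tap.inspect(frame)  # copy only; the frame itself is not modified
        if frame.vlan_id != INITIAL_VLAN:
            return None  # still tagged 3700: cannot reach GVM2 on VLAN 10
        frame.path.append(frame.dst)
        return frame


if __name__ == "__main__":
    chain = ServiceChain.create(["SVM1", "SVM2", "SVM3"], ["tapping_svm1"])
    chain.switches[1].svm.healthy = False  # SVM2 powered down
    out = chain.send(Frame("GVM1", "GVM2", INITIAL_VLAN))
    print(out.path, out.inspected_by)
```

The `inspected_by` record makes the cost of the veth-pair bypass visible: traffic keeps flowing, but the bypassed SVM's inspection is skipped for every frame until it is healthy again.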
From the above, it can be seen that, with the flow control method of the security service chain provided by the invention, a user can customize the sequence in which the service flow passes through the security service virtual machines without requiring additional support from each security vendor, so that the flow passes through each security service virtual machine in turn and is checked and monitored in all respects, making the security functions of the cloud platform richer. In addition, no traffic classification controller needs to be deployed to modify the messages contained in all the drainage traffic, so the transmission efficiency of the traffic in the transmission process is improved, and the prior-art problem of low transmission efficiency of the traffic of service virtual machine interaction in the transmission process is solved.
Example 2
Based on embodiment 1 of the present invention, there is also provided an embodiment of a flow control device based on a security service chain, which, when running, performs the flow control method based on the security service chain of embodiment 1 above. Fig. 4 is a schematic diagram of an optional network security detecting device of a server according to an embodiment of the present invention; as shown in fig. 4, the device includes a creation module 401, a connection module 403 and a control module 405.
The creating module 401 is configured to create at least one drainage security switch based on a security service chain configured by a target user, where the security service chain includes at least one security virtual machine, each drainage security switch is connected to a security virtual machine corresponding to the drainage security switch, the security virtual machine is configured to perform security monitoring on a service flow generated when a first service virtual machine and a second service virtual machine perform service interaction, the first service virtual machine is configured to process service data corresponding to the target user, the second service virtual machine is configured to process service data corresponding to other users, the other users are users other than the target user, and the drainage security switch is configured to control the service flow to flow through the security virtual machine.
Optionally, the security service chain configured by the target user is a service chain formed by a plurality of security virtual machines, and is used for performing security monitoring on service traffic generated when the first service virtual machine processing service data of the target user and the second service virtual machine processing service data of the user except the target user perform service interaction, for example, an enterprise deploys a security service chain formed by security virtual machines of a plurality of security manufacturers on a private cloud platform of the enterprise, and performs omnibearing protection on service traffic of the service virtual machines.
Optionally, in this embodiment, the system creates at least one secure virtual machine and a drainage secure switch corresponding to each secure virtual machine based on a secure service chain configured by the target user, where each secure virtual machine is connected to the drainage secure switch corresponding to the secure virtual machine.
Alternatively, a trunk network whose range is all VLANs, e.g., a trunk type network fw_vswitch1_net_trunk_4095, is created on each drainage security switch. Optionally, a drainage network net_3xxx (a network with VLAN ID 3xxx, e.g., net_3000) is created on the first drainage security switch in the security service chain. For each network card of a service virtual machine that is drained, a separate net_3xxx network is created, and these networks have different VLAN IDs.
Optionally, the creating module further includes an information acquisition unit, a virtual machine acquisition unit and a creation unit. The information acquisition unit is used for acquiring at least one piece of target information, wherein the target information at least comprises the name of the secure virtual machine and the network card information of the secure virtual machine; the virtual machine acquisition unit is used for acquiring at least one secure virtual machine based on the at least one piece of target information and accessing the at least one secure virtual machine into a secure service chain, wherein each secure virtual machine corresponds to one piece of target information; the creation unit is used for creating at least one drainage security switch based on the at least one secure virtual machine.
Optionally, the system acquires at least one piece of target information, such as the name of the secure virtual machine and the information of the network card of the exit/entry interface, then acquires the secure virtual machine corresponding to the target information based on each piece of target information, accesses the secure virtual machine corresponding to each piece of target information into a secure service chain, and creates a drainage secure switch corresponding to the secure virtual machine based on each secure virtual machine.
Optionally, when the target user wants to add a new secure virtual machine to the secure service chain, the user only needs to enter, on the management platform, the name of the secure virtual machine and the network card information of its egress/ingress interface; based on this information, the system accesses the corresponding secure virtual machine into the service chain and creates a drainage secure switch corresponding to the secure virtual machine.
It should be noted that, by accessing the corresponding secure virtual machine into the service chain and creating the drainage secure switch corresponding to the secure virtual machine based on the name of the secure virtual machine and its network card information, the management platform can issue a configuration task through the cloud platform API and connect the network card of the egress/ingress interface of the secure virtual machine to the corresponding drainage network, so as to prepare for the subsequent generation of the flow path of the service traffic, thereby improving the accuracy of the flow path of the service traffic.
The connection module 403 is configured to connect the first service virtual machine, at least one drainage security switch, and the security virtual machine corresponding to each drainage security switch in series to obtain a flow path of the service traffic when the first service virtual machine and the second service virtual machine perform service interaction, where each security virtual machine is connected under a trunk network of the drainage security switch corresponding to the security virtual machine, and the range of the trunk network is all VLANs.
Optionally, as shown in fig. 2, in the prior art, when the first service virtual machine GVM1 and the second service virtual machine GVM2 perform service interaction, GVM1 and GVM2 are located under the same VLAN network of the same G-vSwitch service switch, their VLAN ID is 10, and they are mutually reachable at Layer 2. GVM1 traffic is transmitted via the uplink of HOST1 (i.e., the physical network card) through the physical switch in between to the uplink of HOST2, and is then forwarded by HOST2 to GVM2, where each HOST deploys a secure virtual machine SVM of each security vendor, e.g., SVM1, SVM2, SVMn.
In this embodiment, when the system performs service interaction between the first service virtual machine and the second service virtual machine, the system obtains a flow path of the service traffic by serially connecting the first service virtual machine, at least one security virtual machine, a drainage security switch corresponding to each security virtual machine, and the service switch. Optionally, the first service virtual machine and the second service virtual machine are connected under the same VLAN network of the service switch, and the VLAN ID is 10. For example, as shown in fig. 3, when the first service virtual machine GVM1 and the second service virtual machine GVM2 perform service interaction, the GVM1 is connected to the first drainage security switch FW-vSwitch1, a network fw_ vSwitch _net_trunk_4095 (i.e. trunk network in the range of all VLANs) exists on the FW-vSwitch1, then the ingress interface of the first security virtual machine SVM1 is connected to the FW-vSwitch1 and is connected to the fw_ vSwitch _net_trunk_4095 network, the egress interface of the SVM1 is connected to the drainage security switch FW-vSwitch2 corresponding to the second security virtual machine SVM2, then the ingress interface of the second security virtual machine SVM2 is connected to the FW-vswitch_4095 network, and the ingress interface of the second security virtual machine SVM2 is connected to the fw_40, so that the ingress interface of the 57-1 and the ingress interface of the SVMn can flow through the network fw_24_trunk_trunk_4095 of the last security switch SVM2 and the last security switch svm_95.
It should be noted that, through serial connection of at least one security virtual machine and a drainage security switch corresponding to each security virtual machine with a first service virtual machine corresponding to a target user, a flow path is obtained, no additional network protocol is required to be supported by the security virtual machine, and no modification is required to be performed on a message contained in the service flow, so that the service flow can flow to a second service virtual machine directly through the flow path in series connection, the problem that in the prior art, flow control is performed through a flow classification controller, throughput bottlenecks exist due to the fact that all drainage flows need to modify the message through the flow classification controller is solved, and the transmission efficiency of the service flow is low in the transmission process.
Optionally, the connection module further includes: a first determination unit, a modification unit, and a connection unit; the first determining unit is used for determining initial network information of a network card corresponding to the first service virtual machine based on the first service virtual machine, wherein the initial network information is a virtual local area network identity corresponding to the first service virtual machine; the modification unit is used for modifying the initial network information into target network information, wherein the target network information is a virtual local area network identity corresponding to a first drainage security switch, and the first drainage security switch is a drainage security switch corresponding to a first security virtual machine through which the service flow flows; the connection unit is used for serially connecting the first service virtual machine, at least one drainage security switch and the security virtual machine corresponding to each drainage security switch based on the target network information to obtain a flow path of the service traffic.
Optionally, in this embodiment, the system determines, from the first service virtual machine, the initial network information of the network card corresponding to the first service virtual machine, and modifies the initial network information into the target network information of the drainage security switch corresponding to the first security virtual machine through which the service traffic flows. For example, the VLAN ID in the initial network information of the network card connection of the first service virtual machine GVM1 is 10, and the VLAN ID in the target network information of the first drainage security switch FW-vSwitch1 is 3700 (VLAN ID 3700 corresponds to the network net_3700); GVM1 can then be connected to net_3700 of FW-vSwitch1 to switch from the initial network information to the target network information. Then, based on the target network information, the first service virtual machine, at least one drainage security switch and the security virtual machine corresponding to each drainage security switch are serially connected to obtain the flow path of the service traffic.
It should be noted that, by modifying the initial network information of the network card to the target network information, the GVM1 and the FW-vSwitch1 can be connected and located in the same network, and a flow path of the service traffic can be generated without supporting an additional network protocol by the secure virtual machine, so that the traffic transmission path is simplified, and the transmission efficiency of the service traffic generated during service interaction of the service virtual machine in the transmission process is improved.
Optionally, the connection unit further includes an acquisition sub-module and a connection sub-module; the acquisition sub-module is used for acquiring a service switch, where at least one security virtual machine is connected under a trunk network of the service switch, the range of the trunk network is the trunk network of all VLANs, the service switch is connected with the second service virtual machine, and the initial network information of the network card corresponding to the second service virtual machine is the same as the initial network information of the network card corresponding to the first service virtual machine; the connection sub-module is used for serially connecting the first service virtual machine, at least one drainage security switch, the security virtual machine corresponding to each drainage security switch and the service switch based on the target network information to obtain the flow path of the service traffic.
Optionally, the first service virtual machine GVM1 and the second service virtual machine GVM2 are located under the same VLAN network of the same G-vSwitch service switch, the VLAN ID is 10, and the system creates a trunk network with a range of all VLANs under the service switch. The system obtains a flow path of the service flow by determining the service switch, and serially connecting the first service virtual machine, the drainage security switch, the security virtual machine corresponding to each drainage security switch and the service switch based on the target network information.
And the control module 405 is configured to control the traffic flow to the second service virtual machine based on the flow path.
Optionally, the system controls the service flow to sequentially pass through each security virtual machine according to the sequence of the security virtual machines in the security service chain through the flow path of the service flow, and finally flows to the second service virtual machine.
Optionally, if GVM2 is also added to the security protection, GVM2 is connected to the drainage network net_3701. After the traffic of GVM1 is forwarded to G-vSwitch, it passes in turn through SVM_end, SVMn, SVMn-1, … and SVM1 on the host where GVM2 is located, and is finally forwarded to GVM2.
Optionally, the control module preferably includes a second determining unit, a restoring unit and a control unit; the second determining unit is used for determining the target network information corresponding to a communication message contained in the service traffic when the service traffic is controlled, based on the flow path, to flow through the first security virtual machine, where the first security virtual machine is the last security virtual machine through which the service traffic flows; the restoring unit is used for restoring the target network information corresponding to the communication message to the initial network information; the control unit is used for controlling the service traffic to flow to the second service virtual machine based on the initial network information.
Optionally, when the service traffic is controlled by the flow path to flow through the first security virtual machine, the system restores the target network information corresponding to the communication packet contained in the service traffic to the initial network information; for example, the target network information corresponding to the communication packet is VLAN ID 3700 and the initial network information is VLAN ID 10, so VLAN ID 3700 is modified to 10, restoring the initial network information. Because the network information corresponding to the communication message contained in the service traffic is then the same as the initial network information of the second service virtual machine, the service traffic can be controlled to flow to the second service virtual machine. The first security virtual machine is a security virtual machine created by the system, which maintains the correspondence between the initial network information and the target network information; through this first security virtual machine the system restores the target network information corresponding to the communication message to the initial network information, for example, changing the VLAN ID carried by the message from 3700 to 10.
It should be noted that, by controlling the service traffic to flow to the second service virtual machine based on the initial network information, the network information corresponding to the communication packet contained in the service traffic is made the same as the initial network information of the second service virtual machine, so that the service traffic can be controlled to flow to the second service virtual machine and the flow path can be generated without the security virtual machine supporting an additional network protocol, thereby simplifying the traffic transmission path and further improving the transmission efficiency of the service traffic generated by the service virtual machines during service interaction.
Optionally, the flow control device based on the security service chain further includes a monitoring module, a first connection module and a first control module; the monitoring module is used for monitoring the health status of each security virtual machine; the first connection module is used for connecting the drainage security switch corresponding to the second security virtual machine with a second drainage security switch based on a preset virtual device interface when the second security virtual machine is abnormal, so as to obtain a first flow path, where the second drainage security switch is the drainage security switch corresponding to a third security virtual machine, and the third security virtual machine is the security virtual machine to which the service traffic flows after flowing through the second security virtual machine; the first control module is used for controlling the service traffic to flow to the second service virtual machine based on the first flow path.
Optionally, the system monitors the health status of each security virtual machine, for example by monitoring SVM power-down events in the cloud platform. When the second security virtual machine is abnormal, the system connects the drainage security switch corresponding to the second security virtual machine with the drainage security switch corresponding to the security virtual machine to which the service traffic flows after the second security virtual machine, based on a preset virtual device interface (for example, a veth-pair interface), so as to obtain a first flow path, and controls the service traffic to flow to the second service virtual machine based on the first flow path. For example, when SVM2 fails, traffic is bypassed around SVM2 by connecting the two security switches FW-vSwitch2 and FW-vSwitch3 with a veth-pair.
It should be noted that, by monitoring the health status of each secure virtual machine, when the secure virtual machine is abnormal, the drainage secure switch is connected based on the preset virtual device interface, so that the traffic can continue to perform traffic transmission, thereby improving the transmission efficiency of the traffic in the transmission process.
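The following is an added example, not code from the patent, that models in Python the serial flow path of figs. 2 and 3 together with the health-check bypass just described: GVM1's network card is moved from VLAN 10 to net_3700, the packet rides the all-VLAN trunk of each drainage security switch unmodified, the last security virtual machine it traverses restores VLAN 3700 to 10, and an unhealthy SVM is skipped by patching its drainage switch to the next hop (the veth-pair case). The SecurityVM class, the packet dictionary and the hop names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

INITIAL_VLAN = 10    # VLAN shared by GVM1 and GVM2 under G-vSwitch
TARGET_VLAN = 3700   # drainage network net_3700 on FW-vSwitch1
TRUNK_ALL = 4095     # fw_vSwitch_net_trunk_4095: trunk covering all VLANs


@dataclass
class SecurityVM:
    """Illustrative security VM hanging off its own drainage switch FW-vSwitch<i>."""
    name: str
    healthy: bool = True
    seen: list = field(default_factory=list)   # copies of packets it inspected

    def inspect(self, pkt: dict) -> dict:
        # An SVM only inspects: it needs no extra protocol and rewrites nothing.
        self.seen.append(dict(pkt))
        return pkt


def build_flow_path(svms: list[SecurityVM]) -> list[str]:
    """Serial path GVM1 -> (FW-vSwitch_i -> SVM_i)... -> G-vSwitch -> GVM2.

    An unhealthy SVM is bypassed by joining its drainage switch to the next
    hop with a veth-pair, so the chain keeps carrying traffic."""
    path = ["GVM1"]
    for i, svm in enumerate(svms, start=1):
        path.append(f"FW-vSwitch{i}")
        if svm.healthy:
            path.append(svm.name)
        else:
            path.append("veth-pair")   # FW-vSwitch{i} patched straight to the next hop
    path += ["G-vSwitch", "GVM2"]
    return path


def forward(pkt: dict, svms: list[SecurityVM]) -> dict:
    """Drive one constructed packet from GVM1 to GVM2 along the chain.

    GVM1's NIC has been moved from VLAN 10 to net_3700, so the packet enters
    FW-vSwitch1 tagged 3700 and rides the all-VLAN trunks untouched; the last
    SVM it traverses restores 3700 -> 10 so that G-vSwitch delivers it to GVM2."""
    pkt = dict(pkt, vlan=TARGET_VLAN)
    traversed = [s for s in svms if s.healthy]
    for svm in traversed:
        pkt = svm.inspect(pkt)
    if traversed:
        # Restoration is the job of the last SVM in the chain (the "first
        # security virtual machine" in the claims); with every SVM bypassed
        # nobody restores the tag and GVM2 cannot receive the packet.
        pkt["vlan"] = INITIAL_VLAN
    delivered = pkt["vlan"] == INITIAL_VLAN
    return {"hops": build_flow_path(svms), "packet": pkt, "delivered": delivered}


if __name__ == "__main__":
    chain = [SecurityVM("SVM1"), SecurityVM("SVM2", healthy=False), SecurityVM("SVM3")]
    result = forward({"src": "GVM1", "dst": "GVM2", "vlan": INITIAL_VLAN}, chain)
    print(" -> ".join(result["hops"]), result["delivered"])
```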
Optionally, the flow control device based on the security service chain further includes a second connection module and a detection module; the second connection module is used for connecting the fourth security virtual machine with the service switch when the security virtual machine is a fourth security virtual machine, where the fourth security virtual machine is a security virtual machine accessed in bypass mode, and the bypass mode is used for performing security identification on the service traffic; the detection module is used for performing security detection on the service traffic based on the fourth security virtual machine.
In this embodiment, the system connects the security virtual machine accessed in bypass mode with the service switch and places it under a trunk network with a range of all VLANs, so that the security virtual machine can perform security detection on the traffic flowing to the service switch, for example the fourth security virtual machines tapping_svm1 and tapping_svm2 shown in fig. 3. Optionally, the bypass mode only performs security identification on the message: it only receives the message and does not forward it.
Example 3
According to another aspect of the embodiments of the present invention, there is also provided a computer readable storage medium having a computer program stored therein, wherein the computer program is configured to perform the above-described security service chain based flow control method when run.
Example 4
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, wherein fig. 5 is a schematic diagram of an alternative electronic device according to an embodiment of the present invention, as shown in fig. 5, the electronic device including one or more processors; and a memory for storing one or more programs that, when executed by the one or more processors, cause the one or more processors to implement a method for running the program, wherein the program is configured to perform the secure service chain based flow control method described above when run.
In the foregoing embodiments of the present invention, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of units may be a logic function division, and there may be another division manner in actual implementation, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server or a network device, etc.) to perform all or part of the steps of the method of the various embodiments of the present invention. The aforementioned storage medium includes: a USB disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media capable of storing program code.
The foregoing is merely a preferred embodiment of the present invention and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present invention, which are intended to be comprehended within the scope of the present invention.