Virtualization network boundary data flow gathering method and apparatus

A technology for virtualized networks and network boundaries, applied to network data flow monitoring. It addresses problems such as the infeasibility and high computing load of deploying many security virtual machines, and improves flexibility, platform adaptability and detection efficiency.

Active Publication Date: 2013-10-16
BEIJING VENUS INFORMATION TECH +1

AI Technical Summary

Problems solved by technology

Since security virtual machines usually have high computing loads, it is not feasible to simply deploy multiple security virtual machines in an actual production environment



Examples


Embodiment 1

[0035] In a virtualized network, physical network boundaries disappear: a physical server that was connected by a single link is virtualized into a group of virtual machine servers distributed across different physical hosts. Communication between two virtual machines on the same physical machine may never reach the physical switch, because the virtual switch forwards the data internally, so an IDS attached to the physical server cannot monitor traffic forwarded inside the virtual switch. To solve this problem, a virtual IDS must be deployed on each virtual switch and monitor the traffic on that switch through its virtual network card, so that all traffic of the monitored virtual machines can be observed. However, if a physical machine hosts multiple monitoring objects belonging to different tenants and different security levels, multiple virtual IDSs need to be d...

Embodiment 2

[0046] This embodiment provides a virtualized network boundary data flow aggregation method, including the following operations:

[0047] The virtualized network boundary data flow convergence device listens to the network data flow on the virtual switch according to the network boundary security policies of the different tenants, captures the data packets of the network interfaces specified by each policy, passes the captured packets through the pre-established filter of the corresponding tenant, encapsulates the filtered network data flow that belongs to the security domain boundary of that tenant, and sends it to the network security product corresponding to that tenant for detection and analysis.

[0048] In the above method, the network border security policy includes at least a virtual network security domain border network data flow aggregation policy and a virtual machine network data flow ...
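As an added illustration of the capture, per-tenant filter, encapsulate and dispatch steps described in this embodiment (example code written for this page, not the patent's or the applicant's implementation): the packet layout, the policy fields, the rule that a boundary flow has exactly one endpoint inside the tenant's security domain, and the tenant-tag header are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from collections import defaultdict

@dataclass
class Packet:            # constructed minimal packet seen on a virtual switch port
    iface: str           # virtual NIC the packet was captured on
    src: str
    dst: str
    payload: bytes

@dataclass
class TenantPolicy:      # assumed shape of one tenant's boundary security policy
    tenant: str
    interfaces: set      # virtual switch interfaces the policy says to capture on
    domains: list        # the tenant's security-domain prefixes (CIDR strings)
    ids_endpoint: str    # where this tenant's IDS / security product receives flows

def build_filter(policy):
    """Pre-establish the tenant filter: policy interfaces only, boundary-crossing only."""
    nets = [ip_network(d) for d in policy.domains]
    def inside(addr):
        return any(ip_address(addr) in n for n in nets)
    def matches(pkt):
        if pkt.iface not in policy.interfaces:
            return False
        return inside(pkt.src) != inside(pkt.dst)   # exactly one endpoint in-domain
    return matches

def encapsulate(tenant, pkt):
    """Prefix the packet with an (assumed) tenant tag so the receiving IDS can attribute it."""
    header = f"TENANT={tenant};IF={pkt.iface};{pkt.src}>{pkt.dst}\n".encode()
    return header + pkt.payload

def aggregate(packets, policies):
    """Run every captured packet through each tenant's filter and group the
    encapsulated boundary flows by the IDS endpoint they are sent to."""
    filters = {p.tenant: (build_filter(p), p.ids_endpoint) for p in policies}
    out = defaultdict(list)
    for pkt in packets:
        for tenant, (keep, endpoint) in filters.items():
            if keep(pkt):
                out[endpoint].append(encapsulate(tenant, pkt))
    return dict(out)

# Constructed sample: two tenants on one virtual switch, three captured packets.
SAMPLE_POLICIES = [TenantPolicy("A", {"vnic1"}, ["10.1.0.0/16"], "ids-a:9000"),
                   TenantPolicy("B", {"vnic2"}, ["10.2.0.0/16"], "ids-b:9000")]
SAMPLE_PACKETS = [Packet("vnic1", "10.1.0.5", "203.0.113.9", b"x"),   # A: crosses boundary
                  Packet("vnic1", "10.1.0.5", "10.1.0.6", b"y"),      # A: intra-domain, dropped
                  Packet("vnic2", "198.51.100.4", "10.2.7.7", b"w")]  # B: crosses boundary
```

Running `aggregate(SAMPLE_PACKETS, SAMPLE_POLICIES)` yields one tagged frame per tenant IDS; the intra-domain packet never leaves the device, which is the load reduction the embodiment is after.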

Embodiment 3

[0055] In this embodiment, the system architecture shown in figure 2 is taken as an example to introduce the working principle of a virtualized network border data flow aggregation device.

[0056] First, the working process of the whole system is introduced.

[0057] First, the physical IDS engine registers with the tenant security policy management portal.

[0058] Then, through the tenant security policy management portal, the administrator configures, according to the tenant's actual virtual network security domain information, the security domain information managed by the IDS and the detection and audit policies of that security domain.

[0059] Next, a network border security policy (here, a global policy) is issued to the virtualized network border data flow convergence device on all virtualized servers, and each device updates the network border security policy it holds.

[0060] The working process of the device for converging data...


Abstract

The invention discloses a virtualization network boundary data flow gathering method and apparatus and relates to the technical field of information security. The apparatus comprises: a security policy module that maintains and manages the network boundary security policies of different tenants; a virtualization network data flow capturing module that monitors the network data flow on a virtual switch and captures the data packets of the network interfaces specified by the policies; and a network boundary data flow filter module that establishes, according to the network boundary security policies of the different tenants, a network data flow filter for each tenant, filters the captured network data packets through the filter of the corresponding tenant, encapsulates the filtered network data flows that belong to the security domain boundaries of the tenants, and sends them to the network security products corresponding to the tenants. The invention also discloses the virtualization network boundary data flow gathering method. The technical scheme effectively solves the problem of gathering the network data flows at virtualization network security domain boundaries in a multi-tenant environment.

Description

Technical field

[0001] The invention relates to the technical field of information security, in particular to a solution for network data flow monitoring in a virtualized network.

Background technique

[0002] Cloud computing is another new revolution in computers and the Internet. It transfers computing and storage to the cloud, so that users can perform complex calculations and large-capacity storage from lightweight portable terminals. From a technical point of view, cloud computing is not just a new concept: parallel computing and virtualization are the main technical means of realizing cloud computing applications. Owing to the rapid development of hardware technology, the performance of an ordinary physical server far exceeds the hardware requirements of an ordinary single user. Therefore, virtualizing a physical server into multiple virtual machines and providing services through virtualization has become the technical basis for building public c...


Application Information

Patent Type & Authority Applications(China)
IPC(8): H04L12/891, H04L12/46, H04L29/06, H04L47/41
Inventor 李陟刘新刚叶润国汪宏
Owner BEIJING VENUS INFORMATION TECH