A method and apparatus realizing virtual machine network access control

Abstract

The application relates to the field of computers, and especially relates to a method and apparatus realizing virtual machine network access control in order to realize network access control of any application in a virtual machine. The method comprises the steps of intercepting data packets sent by a local virtual machine through a local virtual Ethernet adapter and analyzing the data packets; determining an application program, which needs to initiate network access, of the virtual machine according to the analysis result of the data packets; according to a network access strategy collection, determining whether to allow the application program to access the network; if the application program is allowed to access the network, continuing to send data packets; otherwise, discarding the data packets. As a result, the method and apparatus have characteristics of fine grains and bypassing preventing, thereby enabling the network access control of the virtual machine to be more flexible and more reliable.

Description

technical field [0001] The present application relates to the field of computers, in particular to a method and device for realizing virtual machine network access control. Background technique [0002] With the advent of the big data era, how to protect data has become more and more important. At the same time, with the development of cloud computing technology, in more and more application scenarios, it is necessary to use a virtual machine to access an application. [0003] Therefore, how to implement flexible and reliable network access control for virtual machines is becoming more and more important for data protection. [0004] In the prior art, there are mainly three methods for network access control of virtual machines: [0005] First, network access control is performed by adding some network access control software to the virtual machine. [0006] Although this method can achieve very fine-grained network access control for virtual machines, for example, for app...

AI Technical Summary

Problems solved by technology

[0009] 1) If the virtual machine accesses the network through Network Address Translation (NAT) on the host machine, the ip of the virtual machine cannot be obtained, and the network access control can only be completed by restricting the ip of the host machine. the granularity will become larger

[0010] 2) If restrictions are made on the gateway and the ip of the virtual machine can be obtained, in this case, network access control can only be performed on the entire virtual machine, and network access control cannot be implemented for one of the applications

[0011] 3) Access control is performed according to the source ip at the application entrance, and the application needs to be modified, which is very inflexible

[0013] This method divides the network for the virtual machine and performs network access control through network isolation. Since this method is aimed at the network where the virtual machine is located, the granularity is too large and inflexible

[0014] Therefore, in the prior art, it is impossible to accurately implement the network access control of an application in the virtual machine, and avoid users from bypassing the

Images