Testing method for network isolation of cloud platform tenants

A network isolation testing method for cloud platforms, in the field of cloud security testing and tenant network isolation testing on a cloud platform. It addresses problems of prior work such as isolation being broken without the failure point being effectively located, and the state of tenant network access devices not being tested at all.

Active Publication Date: 2018-04-24
BEIJING UNIV OF TECH
Cites: 7. Cited by: 25.

AI Technical Summary

Problems solved by technology

Yan Liyu et al. proposed moving the virtual routers and firewalls, which OpenStack concentrates on the network nodes, onto each compute node in order to isolate tenant virtual machines; however, whenever a virtual router or firewall policy changes, the virtual machines of one tenant that sit on different nodes easily end up with inconsistent isolation. The OpenStack metering component Ceilometer collects the cloud platform's network data for traffic analysis and can detect abnormal traffic against a set of known traffic rules, but it cannot quickly locate the source of the anomaly. Yang Xu proposed a method for checking that the network state at each layer is consistent between the control node and the host, but it does not cover all of the network devices in the cloud platform, so it cannot fully test whether isolation has been broken, and it does not consider testing the state of the tenant network access devices.

[0005] The above work has studied tenant network isolation and its testing to a certain extent, but problems remain: isolation failure points cannot be located effectively and the testing is incomplete. As a result, cloud-internal auditors or third-party auditors cannot readily see whether the isolation policies and mechanisms of the multi-tenant network have been broken, which is unfavourable to the secure operation of the cloud platform and to accountability.




Embodiment Construction

[0021] The invention is further described below with reference to the drawings and specific embodiments.

[0022] The invention applies to cloud platforms that use network virtualization, such as platforms managed by CloudStack, Eucalyptus or OpenStack. The internal network of the cloud platform may use VLAN, GRE or VXLAN to isolate tenant traffic. The tenant network isolation testing method is illustrated using OpenStack, currently the cloud management software with the largest market share, as the example; it applies to all of the above isolation modes.

[0023] The tenant network isolation scenario on an OpenStack cloud platform is shown in figure 1. OpenStack manages tenant networks with the Neutron networking component. Tenant stands for the tenant name, VM for a virtual machine, Linux Bridge for the traditional network...



Abstract

The invention discloses a testing method for the network isolation of cloud platform tenants and belongs to the technical field of computer cloud security testing. The method comprises the following steps: establishing an expected cloud platform tenant network isolation matrix; acquiring basic information about all tenant networks on the tenant control nodes and all compute nodes; acquiring layer-three-and-above isolation information for all tenant networks on the network nodes; acquiring layer-two isolation information for the tenant subnets on the network nodes and compute nodes; acquiring network access information for the tenants and tenant subnets on the compute nodes, and from it generating the actual cloud platform tenant network isolation matrix Ma; and comparing the generated matrix Ma with the expected cloud platform tenant network isolation matrix. The isolation state of the tenant networks in the running environment is obtained from the bottom layer of the cloud platform network, so whether the isolation of the current cloud platform network is abnormal can be detected in real time, a visual network isolation report can be provided to the cloud auditor, and an accountability path is provided for possible security problems in the network services of cloud tenants.
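The comparison step of the abstract, as an added illustration that is not the patent's own code or data: an expected matrix is derived from the tenant and router definitions, an actual matrix is derived from constructed per-node observations, and the diff between the two names the node and layer at which isolation is broken. All tenant, subnet, node, router and segment names are made up, and the two ways the example derives actual reachability (a shared L2 segment on a compute node, or a router namespace attaching both subnets) are a simplification chosen for the example rather than the patent's full collection procedure.

```python
"""Expected-vs-actual tenant network isolation matrix (added illustration)."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Port:
    """One VM port as observed on a compute node (constructed data)."""
    vm: str
    tenant: str
    subnet: str
    node: str      # compute node hosting the VM
    segment: str   # L2 segment seen on that node's bridge (VLAN tag or VXLAN VNI)


# --- Constructed sample data: every name, node and segment below is hypothetical ---
SUBNETS = ["a-net1", "a-net2", "b-net1"]
TENANT_OF = {"a-net1": "tenantA", "a-net2": "tenantA", "b-net1": "tenantB"}
# Intended topology: tenant A's router joins its two subnets; tenant B stands alone.
TENANT_ROUTERS = {"tenantA": [{"a-net1", "a-net2"}]}

PORTS = [
    Port("vm-a1", "tenantA", "a-net1", "compute1", "vlan101"),
    Port("vm-a2", "tenantA", "a-net2", "compute2", "vlan102"),
    # Injected fault: tenant B's port on compute1 carries tenant A's segment tag.
    Port("vm-b1", "tenantB", "b-net1", "compute1", "vlan101"),
]
# Router namespaces observed on the network node -> subnets they attach.
OBSERVED_ROUTERS = {"qrouter-rA": {"a-net1", "a-net2"}}


def expected_matrix(subnets, tenant_of, tenant_routers):
    """Expected matrix: two subnets may reach each other only when they belong to
    the same tenant and one of that tenant's routers attaches both; else isolated."""
    matrix = {}
    for a, b in combinations(sorted(subnets), 2):
        same_tenant = tenant_of[a] == tenant_of[b]
        routed = any({a, b} <= attached
                     for attached in tenant_routers.get(tenant_of[a], []))
        matrix[(a, b)] = same_tenant and routed
    return matrix


def actual_matrix(ports, observed_routers):
    """Actual matrix built from node-level observations, keeping evidence per pair:
    L2: the two subnets share a segment on some compute node;
    L3: a router namespace on the network node attaches both subnets."""
    subnets = sorted({p.subnet for p in ports})
    nodes = sorted({p.node for p in ports})
    matrix, evidence = {}, {}
    for a, b in combinations(subnets, 2):
        reasons = []
        for node in nodes:
            seg_a = {p.segment for p in ports if p.node == node and p.subnet == a}
            seg_b = {p.segment for p in ports if p.node == node and p.subnet == b}
            for seg in sorted(seg_a & seg_b):
                reasons.append(f"L2: segment {seg} shared on {node}")
        for router, attached in sorted(observed_routers.items()):
            if a in attached and b in attached:
                reasons.append(f"L3: router {router} attaches both subnets")
        matrix[(a, b)] = bool(reasons)
        evidence[(a, b)] = reasons
    return matrix, evidence


def compare(expected, actual, evidence):
    """Cells where the matrices differ, with the evidence that locates the failure."""
    findings = []
    for pair, exp in expected.items():
        act = actual.get(pair, False)
        if exp != act:
            verdict = "isolation broken" if act else "expected path missing"
            findings.append((pair, verdict, evidence.get(pair, [])))
    return findings


def run_example():
    exp = expected_matrix(SUBNETS, TENANT_OF, TENANT_ROUTERS)
    act, evidence = actual_matrix(PORTS, OBSERVED_ROUTERS)
    return compare(exp, act, evidence)


if __name__ == "__main__":
    for pair, verdict, reasons in run_example():
        print(pair, verdict, "; ".join(reasons))
```

The single finding the sample data produces points at the pair (a-net1, b-net1), says the isolation is broken, and cites the compute node and segment tag that cause it; a consistent pair such as (a-net1, a-net2) produces no finding even though it is reachable, because the expected matrix allows it.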

Description

Technical field

[0001] The method relates to cloud security testing, in particular to a tenant network isolation testing method for cloud platforms, and belongs to the field of computer technology.

Background technique

[0002] As cloud computing technology matures, more and more enterprises and individuals choose to deploy their systems on cloud platforms. For cloud tenants, however, a cloud platform is a "black box": cloud providers cannot answer tenants' inquiries about security issues, nor can they give tenants an isolation report on the platform's multi-tenant network. Tenants therefore cannot fully understand the cloud platform environment, cannot find out in time whether the data in their tenant network is safe, and so cannot fully trust the cloud platform environment.

[0003] The existing cloud platform management software mainly includes OpenStack, CloudStack, Eucalyptus, etc., all of which include basic manageme...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L29/08
CPC: H04L63/02, H04L67/10
Inventors: 詹静, 高雅琪, 赵勇, 樊旭东, 王霞, 韩瑾
Owner: BEIJING UNIV OF TECH