Mirror network traffic control protocol in virtual network environment

A network traffic control and mirroring technology, applied in the field of information security, that addresses problems such as unacceptable solution overhead, deduplication of mirrored traffic, and occupation of computing resources in the user's business environment.

Inactive Publication Date: 2018-06-29
QINGDAO XIANGZHI ELECTRONICS TECH CO LTD

AI Technical Summary

Problems solved by technology

[0005] The mirror diversion scheme in which a security virtual machine captures data packets on the virtual switch and exports them to a specified network device has the following problems:

1) Computing resources: the security virtual machine must be deployed in the user's business environment in order to capture mirrored packets from the virtual switch. Everything from packet capture to export consumes a certain amount of computing resources (IO and interrupts). If complex deep packet inspection has to be performed on every packet, it heavily occupies the computing resources of the user's business environment, making the solution unacceptable.

2) Network resources: in a real business environment, virtual machines are usually deployed on blade servers, so the traffic exported by the security virtual machine usually travels over the physical links of the business network. Exporting without optimization doubles the network bandwidth usage, and optimization in turn means more computing resources are needed to analyze the data packets.

3) Deduplication of mirrored traffic: communication traffic between virtual machines on two different physical devices is captured by two different security virtual machines, that is, one flow is captured twice, and since the security virtual machines do not communicate with each other, it is difficult to judge whether traffic is duplicated. Exporting everything puts additional load on network resources and security devices and wastes resources.

4) Multi-purpose diversion: security detection and auditing are not the work of a single intrusion detection system but usually require several specialised detection and audit devices to cooperate, such as network auditing, database auditing, intrusion detection, application performance management, and increasingly situational awareness and big-data analysis systems. However, when the mirrored traffic of a virtual machine is guided from one physical machine to multiple physical devices at the same time, copying the data packets and exporting the network flows seriously occupies the computing and network resources of the business physical machine, which makes this almost impossible to realize in the current virtualized network environment. Moreover, different types of detection and audit equipment have different requirements for network traffic: database auditing only needs database access traffic, intrusion detection systems focus on in-depth packet information, and situational awareness needs more basic information about network flows.

5) Scalability: the introduction of concepts such as agility and linkage means network security needs to support more complex policies, implement security monitoring policies on demand, and modify security policies in real time through software definition.

However, this architecture alone cannot constitute a complete and implementable solution. A mirror flow control protocol that can support this architecture is also required. Through this protocol, the software-defined, decoupled control/forwarding separation structures can be connected in series to constitute a complete and usable mirrored traffic monitoring and management solution.



Embodiment Construction

[0029] The present invention will be described in further detail below.

[0030] Assume that the network load of physical host A is high, and that the communication traffic between virtual machine A and virtual machine B is not in the diversion flow tables of mirrored traffic collector 1 and mirrored traffic collector 2. The communication traffic between virtual machine A and virtual machine B includes a video service flow and internal calls of general business systems. The internal call traffic of the business system needs to be monitored and audited by the intrusion detection system and the application performance management system, but the corresponding flow entry also does not exist in the mirrored traffic center controller. The reason is that the mirrored traffic center controller only stores policies issued by users through software definition, not specific flow entries; a policy reads, for example, "protocol X of virtual machine A needs to be monitored by security device Y". When the mirrored network...



Abstract

The invention discloses a mirror network traffic control protocol based on software definition in a virtual network environment. The protocol is applicable to a functionally decoupled and distributedly deployed mirror traffic collection, mirror traffic distribution and mirror traffic control system structure. A mirror traffic collector node/virtual machine is deployed in the business network environment of a user; its main function is to capture mirror traffic in the virtual environment and forward it according to the purposes appointed by the protocol. A mirror traffic distributor is deployed in a non-business network environment, so the influence of its network load on normal network communication in the user's business network environment does not need to be taken into consideration. The mirror traffic distributor's main function is to copy and distribute traffic to the multi-purpose traffic analysis devices appointed by the protocol. A mirror traffic central controller uniformly controls the forwarding logic of the whole mirror network traffic and provides a software-defined interface.
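As an added illustration (not code from the patent or its owner), the following Python simulation models the three roles the abstract describes: a central controller that stores only software-defined policies and derives a flow entry on demand when a collector reports a table miss, collectors inside the business network that forward only matched flows, and a distributor outside it that drops the duplicate capture of a cross-host flow (problem 3 above) and fans copies out only to the devices each policy names (problem 4). All names, protocols, the (vm, protocol) policy format and the scenario in `run_demo` are constructed assumptions.

```python
from collections import defaultdict
class CentralController:
    """Holds software-defined policies, (vm, protocol) -> devices, not flow entries."""
    def __init__(self):
        self.policies = defaultdict(set)
    def add_policy(self, vm, protocol, device):
        self.policies[(vm, protocol)].add(device)
    def resolve(self, flow):
        """Build a flow entry on demand; an empty set means 'do not mirror this flow'."""
        src, dst, proto = flow
        return frozenset(self.policies[(src, proto)] | self.policies[(dst, proto)])

class Distributor:
    """Runs outside the business network: drops duplicate captures, fans out copies."""
    def __init__(self):
        self.owner = {}                      # canonical flow -> collector that reported it first
        self.delivered = defaultdict(list)   # device -> flows it received
    @staticmethod
    def canonical(flow):
        src, dst, proto = flow
        return (min(src, dst), max(src, dst), proto)   # direction-independent key
    def receive(self, collector, flow, devices):
        if self.owner.setdefault(self.canonical(flow), collector) != collector:
            return False                     # a second collector saw the same flow: duplicate
        for dev in devices:
            self.delivered[dev].append(flow)
        return True

class Collector:
    def __init__(self, name, controller, distributor):
        self.name, self.controller, self.distributor = name, controller, distributor
        self.flow_table = {}                 # flow -> devices, filled on a table miss
    def capture(self, flow):
        if flow not in self.flow_table:      # miss: ask the controller once, then cache
            self.flow_table[flow] = self.controller.resolve(flow)
        devices = self.flow_table[flow]
        if devices:                          # unmonitored flows never leave the host
            self.distributor.receive(self.name, flow, devices)
        return devices

def run_demo():
    """Constructed scenario: vmA on host A, vmB on host B, one collector per host."""
    ctrl, dist = CentralController(), Distributor()
    ctrl.add_policy("vmA", "http", "IDS"); ctrl.add_policy("vmA", "http", "APM")
    ctrl.add_policy("vmB", "mysql", "DBAudit")
    c1, c2 = Collector("collector1", ctrl, dist), Collector("collector2", ctrl, dist)
    c1.capture(("vmA", "vmB", "http")); c2.capture(("vmB", "vmA", "http"))  # same flow, both hosts
    c1.capture(("vmA", "vmB", "rtp"))                                       # video: no policy
    c2.capture(("vmC", "vmB", "mysql"))                                     # database access
    return dict(dist.delivered)
```

The returned map shows each analysis device receiving exactly one copy of only the flows its policy covers, and the unmonitored video flow never leaving the business host.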

Description

Technical field

[0001] The invention relates to the technical field of information security, in particular to a control scheme and a control protocol for mirrored network traffic in a virtualized network environment.

Background technique

[0002] In a virtualized network environment, the virtual network boundary is composed of virtual machines and isolation solutions such as VLAN or VXLAN, while the physical network boundary is still composed of traditional physical network switches and network links. This makes the virtual network boundary of a network composed of virtual machines inconsistent with the physical network boundary. When a traditional physical security device mirrors network traffic from the physical network boundary (the uplink port of a physical switch), it cannot obtain the network traffic corresponding to a complete virtual network boundary. Virtual machines can communicate directly through virtual switches without forwarding traffic to physical network links,...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L12/721, H04L12/46
CPC: H04L45/38, H04L12/4641
Inventor: not disclosed
Owner: QINGDAO XIANGZHI ELECTRONICS TECH CO LTD