115 results about "Virtual firewall" patented technology

A firewall apparatus including plural virtual firewalls, each virtual firewall including a dependent firewall policy, is disclosed. The firewall apparatus includes: a distribution management table for managing a user name and a virtual firewall ID; a part configured to receive authentication information for network connection from a user terminal, and hold a user name included in the authentication information; a part configured to report the authentication information to the authentication server; and a part configured to receive an authentication response from the authentication server, and hold a user ID, included in the authentication response, to be provided to the user terminal. The firewall apparatus registers the user ID in the distribution management table associating the user ID with the user name.

The present invention discloses a virtual flow monitoring method based on a cloud platform and a device thereof, relates to the field of network safety and aims to solve the problem that virtual machine flow safety can not be effectively monitored. The method comprises a step of deploying a virtual firewall at the middle of a host machine, a step of monitoring the data flow generated by a source virtual machine through virtual switching equipment and drawing the data flow monitored into the virtual firewall according to the draw strategy issued by the cloud platform, a step of cleaning the data flow through the virtual firewall and obtain safety data flow, and a step of forwarding the safety data flow to the corresponding target virtual machine. The method and the device are mainly applied to the virtual flow monitoring process in a web application environment.

A virtual firewall (VFW) notifies a virtual switch (vSwitch) to establish a flow directing policy according to a security policy configured for the VFW. The vSwitch directs a received packet matching the flow directing policy to the VFW according to the flow directing policy. When receiving the packet forwarded from the vSwitch, the VFW performs security processing for the packet according to the security policy, and forwards the processed packet satisfying the security policy to a target virtual machine (VM). The VFW and the vSwitch are established in a same physical machine based on a virtual platform.

The invention discloses a method for transmitting data by spanning a virtual fireproof wall. The virtual fireproof wall has a corresponding security tunnel which has a protected field. When the data is transmitted, in a first virtual fireproof wall a security policy between the protected fields of a safety zone where data entrance port is and the security tunnel of the first virtual fireproof wall filters the data safety, transmits the safely filtered data to the security tunnel of the first virtual fireproof wall for encryption, and transmits the encrypted data through a second virtual fireproof wall. The method for transmitting data by spanning the virtual fireproof wall of the invention simplifies field relation management between the safe fields in the multiple different virtual fireproof walls, effectively implements repeated use of the virtual fireproof port and saves resource.

The invention discloses a method for realizing network access control and a firewall device thereof. The firewall device is arranged between a first network and a second network and the device comprises a plurality of virtual firewalls divided in logic. Each virtual firewall is provided with a safety strategy. The control method comprises the following steps: the first network send a network packet which accesses the second network; the firewall device, according to the contained information in the network packet, respectively sends the network packet to the corresponding virtual firewalls; the virtual firewall carries out a safety detection to the network packet; if the network conforms to the safety strategy of the virtual firewall, the network packet is allowed to pass through the firewall device; if the network fails to conform to the safety strategy of the virtual firewall, the network packet is prohibited from passing through the firewall device. As the network flow enters the firewall device, the network is divided and then is sent to the corresponding virtual firewall. Therefore, only the safety strategy in the corresponding virtual firewall is needed to look for, thus increasing working efficiency.

The invention provides a firewall service system based on a virtual network. The firewall service system based on the virtual network comprises a distributed type firewall manager and firewall service nodes, wherein the distributed type firewall manager is used for obtaining information of all virtual machine network interfaces in a user network according to the network identity of a user, determining the corresponding firewall service nodes according to the information of the virtual machine network interfaces, and distributing firewall configuration information and/or firewall security strategies of the user to the corresponding firework service nodes; the firewall service nodes are configured on an OVS switch based on OVS and are used for managing data flow passing through the OVS switch according to the received firewall configuration information and/or the received firewall security strategies of the user. The invention further provides a method for obtaining a virtual network firewall. By the adoption of the firewall service system based on the virtual network and the method for obtaining the virtual network firewall, through the deployment and the distributed management of the firewall service nodes, establishment of the distributed virtual network firewall is achieved.

The present invention provides a firewall device that is divided into several virtual firewalls. The users in the Intranet are divided into several user groups based on different security policy demands. Each virtual firewall is equipped with the security policy of the corresponding user group. Each firewall manages one user group in the Intranet. Thus, the present invention reduces the complex of the firewall management, reduces the extra cost of adding more firewalls and makes the management easier.

Embodiments of the invention provide a method and a device for realizing a virtual firewall in an SDN (Software Defined Network). The method is suitable for a first virtual switch, and a first virtual firewall is suspended under the first virtual switch. The method comprises the following steps of sending a port of the first virtual firewall to an SDN controller; and receiving a first flow table sent by the SDN controller, wherein the first flow table is used for indicating to send data to the port of the first virtual firewall to execute security auditing through the first virtual firewall, and the traffic is not received by the port of the first virtual firewall, and the target address or the source address of the data is an appointed virtual machine.

Provided is a design of a virtual firewall assembly acting on a cloud computing data center security domain. The invention relates to Web direction network security production, and particular relates to a network security technology under a cloud computing environment. The technical scheme is that the firewall assembly is operated via a distributed deployment security gateway so that customized and distributed security protection of the overall data center is completed. A new firewall system structure comprises the following parts: the unified security gateway, the network firewall assembly and central management. The firewall assembly based on a data packet filtering technology is realized. The assembly operates in the unified security gateway. Network traffic is controlled by using the data packet filtering technology, distributed deployment is used and customized security protection of the overall data center is completed.

The embodiment of the invention relates to the field of network security, and particularly relates to a method and apparatus for realizing high availability. The method and apparatus is used for realizing the high availability of a plurality of network security devices. The method comprises the following steps: a first monitoring unit acquires state change information of a first monitored object and receives the state change information of a second monitored object sent by a second monitoring unit, wherein the second monitored object is a master device or a slave device of the first monitored object; the first monitoring unit updates an active/standby state of the first monitored object when the state change information of the first monitored object and the state change information of the second monitored object satisfy a preset active/standby switching condition; a next generation firewall/ intrusion prevention system and an ATCA distributed firewall and virtual firewall under the ''parallel forwarding engine'' architecture are compatible at the same time; and when the network security device needs to be changed, the device or the system of the device does not need to be changed or replaced, thereby reducing the operation cost and improving the working efficiency.

The invention discloses an Openflow based virtual firewall transmission control method and system. The Openflow based virtual firewall transmission control method comprises the steps of after a data packet is sent from a host, extracting key information of the data packet by a firewall core module through a virtual network card configured on a virtual firewall, and performing basic mapping for the key information of the data packet by the virtual firewall through a firewall definition rule; and after a rule document is filtered by the firewall and the data packet reaches to a port, intercepting the data packet and performing grammatical analysis for the packet header, and extracting a packaging protocol, an IP source address, an IP destination address, an Mac address, and information of a packet input port and a packet output port; and forwarding and matching. According to the Openflow based virtual firewall transmission control method and system, flexibility and controllability of a network are improved, the bottleneck problems of high implementation cost and low processing efficiency of massive data are solved, safety of an internal network and a terminal is guaranteed, scanning and monitoring for transmission data of multiple networks, monitoring management of a specific service port and access control of a special website are realized, and the whole network can be protected.

An agentless intrusion detection and prevention digital processing system and environment, or virtual firewall is disclosed. The agentless, virtual firewall monitors and controls digital data communications between a digital communications network and one or more virtual digital processing machines. The virtual digital processing machines, or virtual machines (VMs), are operative on a host digital processor under the supervision of a hypervisor software module. The agentless, virtual firewall is implemented as part of a virtual switch filtering extension to an extensible virtual switch running in a kernel mode as part of the hypervisor software module.

An embodiment of the invention discloses a resource management optimization processing method and a resource management optimization processing device for virtual firewalls. The resource management optimization processing method includes acquiring resource information of integral physical firewall equipment; respectively acquiring a performance state of each virtual firewall on the physical firewall equipment; dynamically distributing CPU (central processing unit) and memory resources between the various virtual firewalls on the physical firewall equipment according to the performance state of each virtual firewall. The resource information includes information of the CPU and memory resources. The resource management optimization processing method and the resource management optimization processing device in the embodiment of the invention have the advantages that the resources can be reasonably distributed for the various virtual firewalls in a single physical firewall, and accordingly the safety and the stability of the integral physical firewall can be effectively guaranteed.

The invention relates to a vulnerability detection method and device, computer equipment and a memory medium. The method comprises the steps of receiving application data access requests sent by terminals, wherein the application data access requests carry application identities; carrying out basic detection on the application data access requests through utilization of a first virtual firewall located in an infrastructure layer and marking the application data access requests with vulnerabilities; selecting third virtual firewalls corresponding to the application identities from second virtual firewalls located in a software operation layer; carrying out advanced detection on the application data access requests detected by the first virtual firewall through utilization of the selected third virtual firewalls; and intercepting the marked application data access requests in which the vulnerabilities exist when the third virtual firewalls detect that the vulnerabilities exist in the marked application data access requests, wherein the application data access requests are the requests detected by the third virtual firewalls. According to the method, the security of application servers can be improved.

The invention relates to a message forwarding method and device, a memory medium and an electronic device. A default identity of a virtual firewall is preset. A true identity of the virtual firewall corresponding to a message sent from local is stored to a session table, and shared memory design is employed for the session table. The method comprises the steps of extracting a quintuple in the message sent from the local if the message sent from the local does not carry the true identity of the virtual firewall, and searching the session table corresponding to the message sent from the local ina hash table through utilization of the quintuple and the default identity of the virtual firewall; accessing the session table to obtain the true identity of the virtual firewall corresponding to the message sent from the local if the session table is searched in the hash table; and sending the message sent from the local to a user mode, thereby sending the message sent from the local through adoption of a network card corresponding to the virtual firewall with the true identity according to a forwarding policy in the session table. The improvement of the performance of the message forwarding realized based on the virtual firewall can be facilitated.

The invention discloses a virtual firewall configuration method based a OVS. The method comprises the following steps: enabling all virtual machines under each physical host to be isolated or connected in pairs, and writing a MAC address of a virtual machine into an openflow table; establishing a white list flow table rule or a blacklist flow table rule according to the MAC address, issuing the white list flow table rule or the blacklist flow table rule to the OVS of the homed physical host; judging whether the attribute of a data packet flowing through the OVS is matched with the white list flow table rule with the highest priority; if the attribute of the data packet flowing through the OVS is matched with the white list flow table rule with the highest priority, enabling the data packetto pass through a bridge on the physical host OVS; or abandoning the data packet. The function of the virtual firewall can be realized by configuring a network traffic filtering rule based on the openflow table of the OVS, the situation that the traditional virtual firewall configuration needs a firewall controller or firewall software is avoided, thereby achieving the aim of evading the defectsof the traditional virtual firewall, and the configuration policy is abundant and flexible.

The invention discloses a virtual firewall partitioning method and equipment. The virtual firewall partitioning method includes steps of adding many virtual firewalls into a cloud network and setting identifiable message types and identifiable network identifiers ID of the virtual firewalls; judging whether types of messages are identifiable message types or not when detecting that the equipment of the cloud network receives the messages, if yes, judging whether the network identifiers ID carried by the messages are the identifiable network identifiers ID or not; removing the network identifiers ID if the network identifiers ID carried in the messages are the identifiable network identifiers ID, and transmitting inner messages of the messages to the corresponding virtual firewalls; subjecting the inner messages to service processing by the virtual firewalls, adding the corresponding original network identifiers into the inner messages after processing to be packaged into processed messages and transmitting the processed messages. By the virtual firewalls, safety services are isolated, hardware configuration cost is reduced and the requirements of the large cloud network are met.