CN107995144B - Access control method and device based on security group - Google Patents


Info

Publication number: CN107995144B
Application number: CN201610944504.8A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN107995144A
Inventors: 李阳, 刘涛
Current assignee: Beijing Kingsoft Cloud Network Technology Co Ltd; Beijing Kingsoft Cloud Technology Co Ltd
Original assignee: Beijing Kingsoft Cloud Network Technology Co Ltd; Beijing Kingsoft Cloud Technology Co Ltd
Prior art keywords: security group, target, virtual machine, access control, security
Events: application filed by Beijing Kingsoft Cloud Network Technology Co Ltd and Beijing Kingsoft Cloud Technology Co Ltd; priority to CN201610944504.8A; publication of CN107995144A; application granted; publication of CN107995144B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0263 Rule management
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The embodiment of the invention discloses an access control method and device based on a security group. The method comprises the following steps: receiving configuration requests for at least two target security groups; determining a target virtual machine; and establishing an access control relation between the target virtual machine and each target security group. By applying the scheme provided by the embodiment of the invention to carry out access control, the communication efficiency between the virtual machines can be improved.

Description

Access control method and device based on security group
Technical Field
The present invention relates to the field of information security, and in particular, to an access control method and apparatus based on a security group.
Background
A security group is a virtual firewall used to set the network access control of one or more virtual machines. It is an important means of network security isolation, is configured on the host machine, and is used to divide security domains in the cloud. By setting access rules between security groups, a complex multi-layer access control system can be built and the overall security of the system achieved. Existing security groups can perform access control according to conditions such as the security group, IP (Internet Protocol) address, port, communication protocol, and internal or external network. Different virtual machines can be placed in the same security group or in different security groups as required, and virtual machines in the same security group can communicate with each other by default. One security group can correspond to one or more virtual machines, but one virtual machine can correspond to only one security group; that is, a virtual machine can establish an access control relationship with only one security group, and can therefore communicate with other virtual machines only according to that one security group.
Based on the above, since virtual machines in the same security group can communicate with each other, two virtual machines in the same security group can communicate directly, while virtual machines in different security groups cannot communicate directly in this manner.
In the prior art, communication between virtual machines in different security groups is generally achieved by setting security group access control rules. Specifically, rules for virtual machine access control and IP authorization control between security groups are set for each security group. When a first virtual machine in a first security group needs to communicate with a second virtual machine in a second security group, the access control rule corresponding to the first security group is first matched against the access control rule corresponding to the second security group, and only when matching succeeds are the first virtual machine and the second virtual machine allowed to communicate.
In the above manner, communication between virtual machines in the same security group and between virtual machines in different security groups can be achieved; however, one VPC (Virtual Private network) often includes a plurality of hosts, and a plurality of virtual machines can be deployed on one host.
Disclosure of Invention
Embodiments of the present invention provide an access control method and apparatus based on a security group, so as to improve communication efficiency between virtual machines. The specific technical scheme is as follows:
In a first aspect, an embodiment of the present invention provides an access control method based on a security group, which is applied to a host and includes:
receiving configuration requests for at least two target security groups;
determining a target virtual machine;
and establishing an access control relationship between the target virtual machine and each target security group.
Optionally, after receiving the configuration requests for at least two target security groups, the method further includes:
obtaining an access control rule for each target security group;
and merging the obtained rules according to the logical relationship among the access control rules of the target security groups to generate the target access control rules.
Optionally, the access control method based on the security group provided in the embodiment of the present invention further includes:
receiving a target packet;
judging whether a first-type security group and a second-type security group have a security group in common, where the first-type security group has an access control relationship with the source virtual machine of the target packet and the second-type security group has an access control relationship with the destination virtual machine of the target packet;
and if so, sending the target packet to the destination virtual machine.
Optionally, the method further includes:
if the first-type security group and the second-type security group have no security group in common, performing session matching for the source virtual machine and the destination virtual machine;
and if the session matching succeeds, executing the step of sending the target packet to the destination virtual machine.
Optionally, the method further includes:
if the session matching fails, performing security group access control rule matching for the source virtual machine and the destination virtual machine according to the first-type security group and the second-type security group;
if the security group access control rule matching fails, discarding the target packet;
and if the security group access control rule matching succeeds, executing the step of sending the target packet to the destination virtual machine.
Optionally, after the step of sending the target packet to the destination virtual machine is executed, the method further includes:
establishing a session between the source virtual machine and the destination virtual machine.
Optionally, the step of judging whether the first-type security group and the second-type security group have a security group in common includes:
judging whether the sending path of the target packet is a first target path, where the first target path is from a host other than the local host to a local virtual machine;
and if so, parsing the target packet, obtaining matching result identification information from the parsing result, and judging whether the matching result identification information equals a first preset value; if it does, judging that the first-type security group and the second-type security group have a security group in common, and if not, judging that they do not.
Optionally, before the step of sending the target packet to the destination virtual machine, the method further includes:
judging whether the sending path of the target packet is a second target path, where the second target path is from a local virtual machine to a host other than the local host;
and if so, writing a second preset value into the target packet, where the second preset value indicates that the first-type security group and the second-type security group have a security group in common.
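The ordered checks above (shared group, then session, then rule matching, then drop) and the marker written on the path to another host, as an added model that is not the patent's or Kingsoft Cloud's code; the rule format, the preset marker values, the session key and a VPC-wide reference table shared by both hosts are assumptions:

```python
"""Toy model of the decision path in the optional packet-handling steps:
shared-group check, then session match, then rule match, then drop, plus the
marker written on the path to another host.  Constructed example, not the
patent's or Kingsoft Cloud's code; the rule format, the preset marker values
and the VPC-wide reference table are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# The patent fixes neither preset value; both are assumed to be 1 here.
FIRST_PRESET = 1   # value the receiving host compares the marker against
SECOND_PRESET = 1  # value the sending host writes when a group is shared


@dataclass
class Packet:
    src_vm: str
    dst_vm: str
    dst_port: int
    from_other_host: bool = False  # first target path: arrived from a peer host
    to_other_host: bool = False    # second target path: leaves for a peer host
    match_flag: Optional[int] = None  # matching result identification field


@dataclass
class Host:
    refs: dict   # VM -> referenced group IDs, assumed distributed VPC-wide (S101-S103)
    rules: dict  # {"out": {sg: {(peer_vm, port)}}, "in": {sg: {(peer_vm, port)}}}
    sessions: set = field(default_factory=set)

    def same_group(self, pkt: Packet) -> bool:
        if pkt.from_other_host:
            # First target path: the sending host already decided, so read the
            # marker instead of recomputing.  The marker is only trustworthy if
            # the inter-host path (e.g. the VXLAN overlay) is closed to
            # untrusted senders; this note is added here, not stated by the patent.
            return pkt.match_flag == FIRST_PRESET
        first = self.refs.get(pkt.src_vm, set())   # first-type groups
        second = self.refs.get(pkt.dst_vm, set())  # second-type groups
        return bool(first & second)

    def rules_match(self, pkt: Packet) -> bool:
        """Both directions must allow the packet, as in the prior-art description."""
        out_ok = any((pkt.dst_vm, pkt.dst_port) in self.rules["out"].get(g, set())
                     for g in self.refs.get(pkt.src_vm, set()))
        in_ok = any((pkt.src_vm, pkt.dst_port) in self.rules["in"].get(g, set())
                    for g in self.refs.get(pkt.dst_vm, set()))
        return out_ok and in_ok

    def handle(self, pkt: Packet) -> str:
        """Apply the checks in the patent's order; returns the verdict and its reason."""
        key = (pkt.src_vm, pkt.dst_vm, pkt.dst_port)
        if self.same_group(pkt):
            verdict = "forward:same-group"
        elif key in self.sessions:
            verdict = "forward:session"
        elif self.rules_match(pkt):
            verdict = "forward:rules"
        else:
            return "drop"
        if pkt.to_other_host and verdict == "forward:same-group":
            pkt.match_flag = SECOND_PRESET  # lets the peer host skip rule matching
        self.sessions.add(key)  # session established after the packet is sent
        return verdict


def demo() -> dict:
    """Constructed scenario: VPC d1 from the description (A references groups
    1, 3, 6; B references 2, 6) plus a VM C that references only group 4."""
    refs = {"A": {1, 3, 6}, "B": {2, 6}, "C": {4}}
    rules = {"out": {1: {("C", 80)}}, "in": {4: {("A", 80)}}}
    host1, host2 = Host(refs, rules), Host(refs, rules)
    r = {}
    r["A->C:80 first"] = host1.handle(Packet("A", "C", 80, to_other_host=True))
    r["A->C:80 again"] = host1.handle(Packet("A", "C", 80, to_other_host=True))
    r["A->C:22"] = host1.handle(Packet("A", "C", 22, to_other_host=True))
    ab = Packet("A", "B", 22, to_other_host=True)
    r["A->B on host1"] = host1.handle(ab)
    r["A->B marker"] = ab.match_flag
    r["A->B on host2"] = host2.handle(
        Packet("A", "B", 22, from_other_host=True, match_flag=ab.match_flag))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```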
In a second aspect, an embodiment of the present invention provides an access control apparatus based on a security group, which is applied to a host and includes:
a configuration request receiving module, configured to receive configuration requests for at least two target security groups;
a virtual machine determining module, configured to determine a target virtual machine;
and an access control relationship establishing module, configured to establish an access control relationship between the target virtual machine and each target security group.
Optionally, the access control apparatus based on a security group provided in the embodiment of the present invention further includes:
a rule obtaining module, configured to obtain the access control rule of each target security group after the configuration request receiving module receives the configuration requests for at least two target security groups;
and a rule generating module, configured to merge the obtained rules according to the logical relationship among the access control rules of the target security groups to generate the target access control rules.
Optionally, the apparatus further includes:
a packet receiving module, configured to receive a target packet;
a security group judging module, configured to judge whether a first-type security group and a second-type security group have a security group in common, where the first-type security group has an access control relationship with the source virtual machine of the target packet and the second-type security group has an access control relationship with the destination virtual machine of the target packet;
and a packet sending module, configured to send the target packet to the destination virtual machine when the result of the security group judging module is yes.
Optionally, the apparatus further includes:
a session matching module, configured to perform session matching for the source virtual machine and the destination virtual machine when the result of the security group judging module is no, and to trigger the packet sending module if the session matching succeeds.
Optionally, the apparatus further includes:
a rule matching module, configured to perform security group access control rule matching for the source virtual machine and the destination virtual machine according to the first-type security group and the second-type security group when the session matching fails, to trigger the packet sending module if the rule matching succeeds, and to trigger a packet discarding module if the rule matching fails;
and the packet discarding module, configured to discard the target packet.
Optionally, the apparatus further includes:
a session establishing module, configured to establish a session between the source virtual machine and the destination virtual machine after the packet sending module sends the target packet to the destination virtual machine.
Optionally, the security group judging module is specifically configured to:
judge whether the sending path of the target packet is a first target path, where the first target path is from a host other than the local host to a local virtual machine;
and if so, parse the target packet, obtain matching result identification information from the parsing result, and judge whether the matching result identification information equals a first preset value; if it does, judge that the first-type security group and the second-type security group have a security group in common, and if not, judge that they do not.
Optionally, the apparatus further includes:
an information writing module, configured to judge, before the packet sending module sends the target packet, whether the sending path of the target packet is a second target path, where the second target path is from a local virtual machine to a host other than the local host, and if so, to write a second preset value into the target packet, where the second preset value indicates that the first-type security group and the second-type security group have a security group in common.
In the security group-based access control method provided in the embodiment of the present invention, configuration requests for at least two target security groups are received, a target virtual machine is determined, and an access control relationship between the target virtual machine and each target security group is established. By applying this technical scheme, one virtual machine can reference a plurality of security groups, so two virtual machines need only reference one common security group; when they access each other they can communicate by default, without security group rule configuration or matching, which quickly realizes communication between different virtual machines and improves the communication efficiency between them.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a first flowchart of a security group-based access control method according to an embodiment of the present invention;
fig. 2 is a second flowchart of a security group-based access control method according to an embodiment of the present invention;
fig. 3 is a third flowchart illustrating a security group-based access control method according to an embodiment of the present invention;
fig. 4 is a fourth flowchart illustrating a security group-based access control method according to an embodiment of the present invention;
fig. 5 is a fifth flowchart illustrating a security group-based access control method according to an embodiment of the present invention;
fig. 6 is a sixth flowchart of an access control method based on security groups according to an embodiment of the present invention;
fig. 7 is a seventh flowchart illustrating a security group-based access control method according to an embodiment of the present invention;
fig. 8 is a first structural diagram of an access control device based on a security group according to an embodiment of the present invention;
fig. 9 is a schematic diagram of a second structure of an access control device based on a security group according to an embodiment of the present invention;
fig. 10 is a schematic diagram illustrating a third structure of an access control device based on a security group according to an embodiment of the present invention;
fig. 11 is a diagram illustrating a fourth structure of an access control device based on a security group according to an embodiment of the present invention;
fig. 12 is a schematic diagram illustrating a fifth configuration of an access control device based on a security group according to an embodiment of the present invention;
fig. 13 is a diagram illustrating a sixth configuration of an access control device based on a security group according to an embodiment of the present invention;
fig. 14 is a schematic diagram of a seventh configuration of an access control device based on a security group according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to improve communication efficiency between virtual machines, embodiments of the present invention provide an access control method and an access control device based on a security group.
First, an access control method based on a security group provided in an embodiment of the present invention is described below.
As shown in fig. 1, an access control method based on a security group provided in an embodiment of the present invention is applied to a host, and includes the following steps:
S101, receiving configuration requests for at least two target security groups.
In practice, in addition to the information of the target security groups, the configuration request may carry information of the target virtual machine that is to be configured with a plurality of security groups; the target security group may be created in real time or may already exist on the VPC, which is not limited here.
S102, determining a target virtual machine.
It should be noted that the target virtual machine may be determined according to the target virtual machine information carried in the configuration request received in S101, or any virtual machine on the host that needs to reference multiple security groups may be directly determined as the target virtual machine. For example, if virtual machine 1 on the host needs to reference multiple security groups, virtual machine 1 can be determined as the target virtual machine, so that the security group-based access control method provided by the embodiment of the invention is applied when it communicates with other virtual machines.
S103, establishing an access control relationship between the target virtual machine and each target security group.
It should be noted that, after the configuration requests for at least two target security groups are received and the target virtual machine is determined, an access control relationship between the target virtual machine and each target security group must be established, that is, the references of the target virtual machine to the at least two target security groups are implemented. In practice, the target security groups may also be combined to generate a new security group, and an access control relationship between the target virtual machine and the new security group is then established.
In the security group-based access control method of the example shown in fig. 1, configuration requests for at least two target security groups are received, a target virtual machine is determined, and an access control relationship between the target virtual machine and each target security group is established. By applying this technical scheme, one virtual machine can reference a plurality of security groups, so two virtual machines need only reference one common security group; when they access each other they can communicate by default, without security group rule configuration or matching, which quickly realizes communication between different virtual machines and improves the communication efficiency between them.
For example, in VPC d1, security group 1, security group 2, security group 3, security group 4 and security group 5 have been created, with IDs (identifiers) of 1, 2, 3, 4 and 5 respectively.
In the prior art, a virtual machine can reference only one security group. For virtual machine A on host 1 and virtual machine B on host 2 in VPC d1, assume that virtual machine A references security group 1 and virtual machine B references security group 2, that security group 1 contains 5 access control rules in the out (outbound) direction and security group 2 contains 6 access control rules in the in (inbound) direction, and that security group 1 does not allow virtual machine A to send a packet to virtual machine B while security group 2 does not allow virtual machine B to receive a packet from virtual machine A. If a packet P is to be sent from virtual machine A to virtual machine B, an access control rule in the out direction must first be added to security group 1 and an access control rule in the in direction added to security group 2, so that virtual machine A is allowed to send the packet to virtual machine B and virtual machine B is allowed to receive it. During communication, after receiving packet P from virtual machine A, host 1 matches each rule of security group 1 in the out (outbound) direction to check whether virtual machine A is allowed to send packet P to virtual machine B, and sends packet P only after matching succeeds; after receiving packet P, host 2 matches each rule of security group 2 in the in (inbound) direction and, after matching succeeds, delivers the packet to virtual machine B.
By applying the technical scheme provided by the embodiment of the present invention, security group 6 with ID 6 can be created in advance, for example as follows:
vgwadm sg add 6 domain d1
Then configuration requests for security group 1, security group 3 and security group 6 are sent to host 1 and virtual machine A is determined as the target virtual machine; after receiving the configuration requests, host 1 establishes access control relationships between virtual machine A and security groups 1, 3 and 6 respectively, that is, it implements the references of virtual machine A to security groups 1, 3 and 6. Configuration requests for security group 2 and security group 6 are sent to host 2 and virtual machine B is determined as the target virtual machine; after receiving the configuration requests, host 2 establishes access control relationships between virtual machine B and security groups 2 and 6 respectively, that is, it implements the references of virtual machine B to security groups 2 and 6. In practice, the security group references of virtual machine A and virtual machine B may be implemented as follows, where the identifier of a virtual machine may be its MAC (Media Access Control) address; assuming that the MAC address of virtual machine A is fe:17:3e:27:03:22 and the MAC address of virtual machine B is fe:16:3e:27:9c:22:
vgwadm sg set 1,3,6 domain d1 dev fe:17:3e:27:03:22
vgwadm sg set 2,6 domain d1 dev fe:16:3e:27:9c:22
In this way, security group 6 is among both the security groups referenced by virtual machine A and those referenced by virtual machine B. Therefore, when virtual machine A and virtual machine B communicate with each other, the communication is allowed by default without adding or matching access control rules, and the communication efficiency between virtual machine A and virtual machine B is effectively improved.
It should be emphasized that, in practice, virtual machine A may also be configured to reference security groups 1 and 2, or security groups 1, 2 and 3, and so on, which is not limited here; similarly, the security groups referenced by virtual machine B are not limited to security groups 2 and 6. It is only required that the security groups referenced by virtual machine A and virtual machine B have one security group in common.
Further, on the basis of the embodiment shown in fig. 1, as shown in fig. 2, the access control method based on the security group provided in the embodiment of the present invention is applied to a host, and may further include:
s104, obtaining the access control rule of each target security group.
When the target security group is configured with the access control rule, the access control rule of each security group can be obtained to perform merging processing.
It will be appreciated that the access control rules for security groups generally include rules for the in (inbound) direction and/or the out (outbound) direction of the virtual machine, while different security groups may have different access control rules, which may be created with or added to the security groups that have been created.
S105, merging the obtained rules according to the logical relationship among the access control rules of the target security groups to generate the target access control rules.
It should be noted that after the access control rules of each target security group are obtained, the obtained rules may be merged according to the logical relationship between the access control rules to generate the target access control rules, instead of directly superimposing the access control rules of the target security groups, where a specific merging method belongs to the prior art and is not described herein again, and it can be understood that the logical relationship between the rules is related to the policy of the target security group. In this way, the number of access control rules corresponding to the target virtual machine can be reduced with a high probability, so that when the security group access control rules are matched, the matching times are reduced, and the matching speed is increased.
For example, assume that an in-direction access control rule is configured for the security group 1, and all IP addresses are released by default; configuring an access control rule in the in direction for the security group 2, and allowing the IP address 192.168.2.1 to be accessed through an 80 port; an in-direction access control rule is configured for the security group 3, and the IP address 192.168.2.102 is allowed to access through the 80 port, and in practical application, specific implementation may be as follows:
vgwadm sg set 1domain d1rule in 0.0.0.0/0ip;
vgwadm sg set 2domain d1rule in 192.168.2.1/80ip;
vgwadm sg set 3domain d1rule in 192.168.2.102/80ip;
upon receiving the configuration requests for security group 1, security group 2, and security group 3, the merging may be performed according to the logical relationship between the access control rules of security group 1, security group 2, and security group 3, wherein security group 1 is allowed to pass all IP addresses by default and has no port requirement, while security group 2 is allowed to access only IP address 192.168.2.1 through port 80, security group 3 is allowed to access only IP address 192.168.2.102 through port 80, the allowed range of security group 1 includes the allowed range of security group 2 and security group 3, then, in practical application, the union of the three can be taken to merge and generate the target access control rule, which is the same as that of security group 1, that is, the access control rule of the new security group generated by merging the security group 1, the security group 2, and the security group 3 is passed through all IP addresses by default, and the specific configuration method may be as follows:
vgwadm sg set 1,2,3domain d1rule in 0.0.0.0/0ip;
since the rule of the security group 1 in the in direction is to pass all IP addresses by default, and the binding force is low, according to actual requirements, the union of the intersections of the security group 2 and the security group 3 with the security group 1 may also be taken to generate the access control rule of the new security group generated by combining the security group 1, the security group 2, and the security group 3, that is, to allow the IP addresses 192.168.2.1 and 192.168.2.102 to access through the 80 port, and the specific configuration method may be as follows:
vgwadm sg set 1,2,3 domain d1 rule in 192.168.2.1/80 ip;
vgwadm sg set 1,2,3 domain d1 rule in 192.168.2.102/80 ip;
it should be emphasized that the above-described examples are merely two specific examples of the present invention, which should not be taken as limiting the scope of the invention. In practical applications, the policies of the security groups and other factors may be comprehensively considered to perform the merging of the access control rules, and the specific merging method is not limited herein.
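As an added illustration, not code from the patent or from the vgwadm tool, the two merge strategies described above can be modelled directly. The example below interprets each in-direction rule as an allowed source range plus an optional port, reading `0.0.0.0/0` with no port as "any address, any port"; that reading of the vgwadm syntax is an assumption. `merge_union` reproduces the first merge (a single rule identical to that of security group 1), `merge_union_of_intersections` reproduces the second (the two port-80 rules), and `permits` shows what each merged rule set lets through, so the difference in binding force between the two results is visible on concrete addresses.

```python
"""Constructed model of merging in-direction allow rules of several security groups."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY_PORT = None  # a rule with no port requirement ("ip" rule in the vgwadm lines above)


@dataclass(frozen=True)
class Rule:
    network: ipaddress.IPv4Network   # source range allowed to access in the in direction
    port: Optional[int]              # destination port, or ANY_PORT

    def covers(self, other: "Rule") -> bool:
        """True when everything `other` permits is also permitted by this rule."""
        net_ok = other.network.subnet_of(self.network)
        port_ok = self.port is ANY_PORT or self.port == other.port
        return net_ok and port_ok

    def intersect(self, other: "Rule") -> Optional["Rule"]:
        """Rule permitting exactly what both permit, or None when the two are disjoint."""
        if other.network.subnet_of(self.network):
            net = other.network
        elif self.network.subnet_of(other.network):
            net = self.network
        else:
            return None
        if self.port is ANY_PORT:
            port = other.port
        elif other.port is ANY_PORT or other.port == self.port:
            port = self.port
        else:
            return None
        return Rule(net, port)


def minimise(rules: List[Rule]) -> List[Rule]:
    """Drop duplicates and any rule already covered by another rule in the list."""
    kept: List[Rule] = []
    for r in rules:
        if any(o != r and o.covers(r) for o in rules):
            continue                      # r adds nothing beyond a broader rule
        if r not in kept:
            kept.append(r)
    return kept


def merge_union(groups: List[List[Rule]]) -> List[Rule]:
    """First merge in the text: permit anything that any of the groups permits."""
    return minimise([r for g in groups for r in g])


def merge_union_of_intersections(base: List[Rule], others: List[List[Rule]]) -> List[Rule]:
    """Second merge in the text: union over the other groups of (group ∩ base)."""
    out: List[Rule] = []
    for g in others:
        for r in g:
            for b in base:
                x = r.intersect(b)
                if x is not None:
                    out.append(x)
    return minimise(out)


def permits(rules: List[Rule], ip: str, port: int) -> bool:
    """Would a packet from `ip` to destination `port` pass this merged rule set?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in r.network and (r.port is ANY_PORT or r.port == port) for r in rules)


# Constructed encoding of the three security groups from the text.
SG1 = [Rule(ipaddress.ip_network("0.0.0.0/0"), ANY_PORT)]
SG2 = [Rule(ipaddress.ip_network("192.168.2.1/32"), 80)]
SG3 = [Rule(ipaddress.ip_network("192.168.2.102/32"), 80)]

if __name__ == "__main__":
    print("union:", merge_union([SG1, SG2, SG3]))
    print("union of intersections:", merge_union_of_intersections(SG1, [SG2, SG3]))
```

Running it shows that the plain union collapses to the single default-allow rule of security group 1, while the union of intersections keeps only the two host-specific port-80 rules, which is what the text means by the first result having "low binding force".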
On the basis of the embodiment shown in fig. 1, in the access control method based on security groups provided in the embodiment shown in fig. 2, the access control rule of each target security group may also be obtained, and then the obtained rules are merged according to the logical relationship between the access control rules of the target security groups to generate the target access control rule; by applying the technical scheme, the number of the access control rules corresponding to the target virtual machine can be reduced, so that when the access control rules of the security group are matched, the matching times are reduced, the matching speed is increased, and the communication efficiency between the virtual machines is further improved.
Further, on the basis of the embodiment shown in fig. 2, as shown in fig. 3, the access control method based on the security group provided by the embodiment of the present invention is applied to a host, and may further include:
S106, receiving the target message.
The target message is generally a message sent by the local virtual machine or a message sent by a virtual machine on another external host machine, and the message sent by the local virtual machine includes a message sent to the other local virtual machine and a message sent to a virtual machine on another external host machine.
In an implementation manner of the present invention, the messages sent from the other external hosts and the messages sent to the other external hosts may be VXLAN (Virtual eXtensible Local Area Network) messages.
S107, whether the same security group exists in the first-class security group and the second-class security group is judged, and if yes, S108 is executed.
The first-class security group has an access control relationship with a source virtual machine of the target message, and the second-class security group has an access control relationship with a destination virtual machine of the target message.
It should be noted that, by applying the technical solution provided in the embodiment shown in fig. 1, a virtual machine may be configured to refer to multiple security groups, and the virtual machines in the same security group are intercommunicated. Therefore, after the host receives the target packet, it may first determine whether the same security group exists in the first security group referred to by the source virtual machine of the target packet and the second security group referred to by the destination virtual machine; specifically, it may determine whether there is an equal ID among the IDs of the first security group and the second security group. If so, the source virtual machine and the destination virtual machine may be regarded as intercommunicated by default, and the target packet is sent directly to the destination virtual machine. Of course, other unique identification information of the security groups may also be compared, which is not limited herein.
For example, it is assumed that the security group IDs corresponding to the first-type security group are 1, 3, and 4, respectively, and the security group IDs corresponding to the second-type security group are 2, 3, and 5, respectively, where the security group having the ID of 3 exists in both the first-type security group and the second-type security group, and therefore, it may be determined that the same security group exists in the first-type security group and the second-type security group.
The first type of security group can be read from a local security group configuration file; in practical applications, the security group information of the source virtual machine and the security group information of the destination virtual machine may be configured symmetrically in advance and stored in the security group configuration files of the source host and the destination host, respectively, that is, the security group configuration file of the source host also stores the security group information of the destination virtual machine, and the security group configuration file of the destination host also stores the security group information of the source virtual machine, so the second type of security group may also be read from the local security group configuration file, which is not limited herein.
It should be noted that, when the target packet is a packet sent by a virtual machine on another external host, the local host is the destination, and in practical application, in order to reduce the matching times, matching of security groups may be performed only at the source end, that is, it is determined whether the same security group exists in the first security group and the second security group, and a matching result is written in the packet and sent to the destination, which will be described in detail in the following embodiments; after receiving the target packet, the destination, that is, the local host, may directly determine whether the first type of security group and the second type of security group have the same security group according to information carried in the packet, and specifically, the step of determining whether the first type of security group and the second type of security group have the same security group may include:
judging whether a sending path of the target message is a first target path or not;
if so, analyzing the target message, obtaining matching result identification information according to the analysis result, and judging whether the matching result identification information is a first preset value; if so, judging that the same security group exists in the first-type security group and the second-type security group, and if not, judging that the same security group does not exist in the first-type security group and the second-type security group.
The first target path is the path by which a host other than the local host sends to a local virtual machine.
It can be understood that the target message may be a VXLAN message sent by a virtual machine on another external host; when the target message is received, the target message can be analyzed, matching result identification information is obtained according to an analysis result, and whether the matching result identification information is a first preset value or not is further judged, so that whether the same security group exists in the first security group and the second security group or not is judged; the first preset value is a value indicating that the same security group exists in the first security group and the second security group, and may be agreed in advance, and it should be emphasized that the first preset value is a value that does not cause a conflict with other values.
In practical application, the packet mark skb->mark can be used to carry the security group matching result: when skb->mark is VGW_SEC_GROUP_NULL, namely 0, the security group matching at the source end succeeded; when skb->mark is VGW_SEC_GROUP_NOT_MATCH, namely 240, the security group matching at the source end failed. When the source end sends the VXLAN message, skb->mark is written into the header of the VXLAN message, so that the destination host can directly obtain the security group matching result when receiving the message. Of course, how to carry the security group matching result in the message is not limited herein.
For example, the local host receives a VXLAN packet A sent by a virtual machine on another host, analyzes the packet, and obtains skb->mark; the value of skb->mark is 0, which indicates that the first-type security group and the second-type security group have the same security group.
And S108, sending the target message to the target virtual machine.
If the execution result of S107 is yes, that is, if the same security group exists in the first-type security group and the second-type security group, it may indicate that the source virtual machine and the destination virtual machine are intercommunicated, and then, the target packet may be directly sent to the destination virtual machine.
In addition, it should be emphasized that if the source virtual machine or the destination virtual machine does not refer to any security group, that is, the first-type security group or the second-type security group is empty, the message is released by default, and the target message is sent directly to the destination virtual machine.
On the basis of the embodiment shown in fig. 2, by applying the technical solution provided in the embodiment shown in fig. 3, after receiving a target packet, determining whether a first-class security group and a second-class security group have the same security group, and if so, sending the target packet to a destination virtual machine, where the first-class security group has an access control relationship with a source virtual machine of the target packet, and the second-class security group has an access control relationship with the destination virtual machine of the target packet; compared with the prior art, when a large number of virtual machines exist in the VPC network, a large number of access control rules do not need to be configured for the source virtual machine and the destination virtual machine, and when the security groups quoted by the source virtual machine and the destination virtual machine have the same security group, rule matching is not needed in the communication process between the virtual machines, default intercommunication is achieved, and the communication efficiency between the virtual machines is improved.
Further, on the basis of the embodiment shown in fig. 3, as shown in fig. 4, the access control method based on the security group provided by the embodiment of the present invention is applied to a host, and may further include:
and S109, carrying out session matching on the source virtual machine and the destination virtual machine, and executing S108 if matching is successful.
It should be noted that, when the execution result of S107 is negative, that is, when the same security group does not exist in the first-type security group and the second-type security group, session matching may be performed for the source virtual machine and the destination virtual machine, and if the session matching is successful, S108 is executed, that is, the target packet is sent to the destination virtual machine.
The session matching is successful when the session connection exists, which indicates that the source virtual machine and the destination virtual machine are intercommunicated, and the target packet can be sent to the destination virtual machine.
If the session matching fails, on the basis shown in fig. 4 and as shown in fig. 5, the access control method based on the security group provided in the embodiment of the present invention is applied to a host, and may further include:
S110, according to the first-class security group and the second-class security group, aiming at a source virtual machine and a target virtual machine, carrying out security group access control rule matching; if the matching is successful, S108 is performed, and if the matching is failed, S111 is performed.
It should be noted that, when the execution result of S109 is that matching fails, security group access control rule matching may be performed on the source virtual machine and the destination virtual machine according to the first security group and the second security group, and if matching succeeds, the target packet is sent to the destination virtual machine, otherwise, S111 is executed to discard the target packet. The matching of the access control rules of the security groups is performed for the source virtual machine and the destination virtual machine, specifically, the matching is performed for the access control rules generated by merging the security groups respectively corresponding to the source virtual machine and the destination virtual machine, and the specific matching method belongs to the prior art and is not described herein again.
And S111, discarding the target message.
When the execution result of S110 is that matching fails, it indicates that the source virtual machine and the destination virtual machine are not intercommunicated, and the packet cannot be sent, so the target packet can be discarded.
For example, when the local host receives the message B, the IDs of the security groups referenced by the corresponding source virtual machines are 1, 2, and 3, respectively, and the IDs of the security groups referenced by the destination virtual machine are 4, 5, and 6, respectively, it can be seen that there is no identical security group in the security groups referenced by the source virtual machine and the destination virtual machine, so that session matching is performed, matching is searched for in a related entry of the local host, if session matching fails, access control rule matching is performed, and if rule matching also fails, the message B is discarded.
On the basis of the embodiment shown in fig. 3, in the access control method based on security groups provided in the embodiment of fig. 4, if the first-type security group and the second-type security group do not have the same security group, session matching may also be performed, and if the session matching is successful, the target packet is sent to the destination virtual machine.
Further, on the basis of the embodiment shown in fig. 5, as shown in fig. 6, the access control method based on a security group provided in the embodiment of the present invention is applied to a host, and after S108, the method may further include:
and S112, establishing a session between the source virtual machine and the destination virtual machine.
It should be noted that, after the security group access control rule is successfully matched and a target packet is sent to the destination virtual machine, it indicates that communication is performed between the source virtual machine and the destination virtual machine, that is, the source virtual machine and the destination virtual machine are intercommunicated, and then the communication can be recorded, a session between the source virtual machine and the destination virtual machine is established, the state of the security group is updated and stored locally, and in the next communication, only session matching is required, and no access control rule matching is required.
In practical application, a session between a source virtual machine and a destination virtual machine may be created according to a five-tuple, where the five-tuple includes a source IP address, a source port, a destination IP address, a destination port, and a transport layer protocol, and it may distinguish different sessions, and the corresponding session is unique, and details about how to establish a session according to the five-tuple belong to the prior art, and are not described here again.
On the basis of the embodiment shown in fig. 5, in the access control method based on the security group provided in the embodiment of fig. 6, if the security group access control rule matching is performed on the source virtual machine and the destination virtual machine according to the first security group and the second security group, and the matching is successful, after the target packet is sent to the destination virtual machine, the session between the source virtual machine and the destination virtual machine is established and stored locally, and during subsequent communication, only session matching is performed, and access control rule matching is not required, so that the communication efficiency between the virtual machines is improved.
Further, on the basis of the embodiment shown in fig. 3, as shown in fig. 7, the access control method based on a security group provided in the embodiment of the present invention is applied to a host, and before S108, the method may further include:
and S113, judging whether the sending path of the target message is a second target path or not, and if so, executing S114.
The second target path is the path by which a local virtual machine sends to a host other than the local host.
It should be noted that, if the sending path of the received target packet is from the local virtual machine to other host machines other than the host machine, it may be indicated that the target packet is a cross-host-machine packet that is reported by the local virtual machine and is to be sent to the virtual machines on other external host machines, and at this time, the local host machine is used as the source host machine; the specific method for determining the message transmission path belongs to the prior art, and is not described herein again.
And S114, writing the second preset value into the target message.
Wherein the second preset value is a value indicating that the same security group exists in the first-type security group and the second-type security group.
It should be noted that, for a message sent by a local virtual machine and sent to other hosts outside, such as a VXLAN message, after determining that the first-type security group and the second-type security group have the same security group, that is, after the security group matching is successful, a second preset value, which is agreed to indicate that the first-type security group and the second-type security group have the same security group, is written in the target message and then sent to the destination virtual machine, so that after receiving the target message, the destination host does not need to perform security group matching, but directly obtains a security group matching result according to the parsed message.
In practical application, the packet mark skb->mark can be used to carry the security group matching result; when skb->mark is VGW_SEC_GROUP_NULL, that is, 0, it indicates that the security group matching succeeded, and skb->mark is written into the header of the VXLAN packet, which is then sent to the destination virtual machine. Of course, how to carry the security group matching result in the message is not limited herein.
It can be understood that, if the execution result of S113 is no, and the local host is the source host, it indicates that the target packet is a packet that is sent by the local virtual machine and sent to other local virtual machines, that is, the source virtual machine and the destination virtual machine belong to the same host, and at this time, the local host is also the destination host, and then, after it is determined that the same security group exists in the security groups respectively referenced by the source virtual machine and the destination virtual machine for the source virtual machine and the destination virtual machine, the target packet is directly sent to the destination virtual machine.
On the basis of the embodiment shown in fig. 3, by applying the technical scheme provided in the embodiment shown in fig. 7, before sending a target message to a destination virtual machine, it may be determined whether the destination virtual machine belongs to the host, and if not, a second preset value for indicating that the same security group exists in the first-type security group and the second-type security group is written in the target message, so that after receiving the message, the destination host directly obtains a result of security group matching according to an analysis result of the message, and thus, security group matching does not need to be performed again, matching times are reduced, and communication efficiency between virtual machines is further improved.
It should be emphasized that, in the access control method based on the security group provided in the embodiments shown in fig. 4 and fig. 5, in order to deliver the relevant matching result of the source end more accurately, the result of session matching or access control rule matching may also be written into the target packet before it is sent to the destination virtual machine. Specifically, when skb->mark is used to carry the matching result information, skb->mark is set to VGW_SEC_GROUP_NOT_MATCH, that is, 240, after the session matching or access control rule matching succeeds; when the destination end reads 240, it indicates that the security group matching failed at the source end, but the session matching or access control rule matching succeeded.
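The forwarding decision described in steps S106 to S114 (security group matching, then session matching keyed by the five-tuple, then access control rule matching, with the result carried in the packet mark on the cross-host path) is modelled end to end below. This is an added illustration and not code from the patent or the vgwadm tool: only the mark values 0 (VGW_SEC_GROUP_NULL) and 240 (VGW_SEC_GROUP_NOT_MATCH) come from the text, while the hosts, virtual machines, security group IDs, the simplified `(dst_ip, dst_port)` allow rules and the `Packet`/`Host` names are constructed for the example. The destination host trusts the mark only for packets arriving on the first target path; a packet marked 240 falls through to its own session and rule matching, since the text leaves that case open.

```python
"""Constructed model of the host-side datapath decision in steps S106 to S114."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple

VGW_SEC_GROUP_NULL = 0         # source end found a common security group (from the text)
VGW_SEC_GROUP_NOT_MATCH = 240  # source end passed on session or rule matching instead

# (src_ip, src_port, dst_ip, dst_port, protocol): the five-tuple that keys a session
FiveTuple = Tuple[str, int, str, int, str]


@dataclass
class Packet:
    src_vm: str
    dst_vm: str
    flow: FiveTuple
    cross_host: bool            # True for the VXLAN path between two hosts
    mark: Optional[int] = None  # models skb->mark carried in the VXLAN header


@dataclass
class Host:
    name: str
    local_vms: Set[str]
    sg_of_vm: Dict[str, FrozenSet[int]]  # SG IDs referenced by each VM (symmetric config file)
    allow: Set[Tuple[str, int]]          # constructed merged allow rules; port 0 = any port
    sessions: Set[FiveTuple] = field(default_factory=set)

    def is_source_end(self, pkt: Packet) -> bool:
        return pkt.src_vm in self.local_vms

    def same_security_group(self, pkt: Packet) -> bool:
        """S107: common SG between source and destination VM, or the mark on the first target path."""
        if pkt.cross_host and not self.is_source_end(pkt):
            return pkt.mark == VGW_SEC_GROUP_NULL   # reuse the source end's result
        first = self.sg_of_vm.get(pkt.src_vm, frozenset())
        second = self.sg_of_vm.get(pkt.dst_vm, frozenset())
        if not first or not second:                # a VM referencing no SG is released by default
            return True
        return bool(first & second)

    def rule_match(self, pkt: Packet) -> bool:
        """S110: match the merged access control rules (simplified to destination ip/port)."""
        _, _, dst_ip, dst_port, _ = pkt.flow
        return (dst_ip, dst_port) in self.allow or (dst_ip, 0) in self.allow

    def handle(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop'; writes pkt.mark when this host is the source end (S113/S114)."""
        writes_mark = pkt.cross_host and self.is_source_end(pkt)
        if self.same_security_group(pkt):
            if writes_mark:
                pkt.mark = VGW_SEC_GROUP_NULL
            return "forward"                        # S108
        if pkt.flow in self.sessions:               # S109
            if writes_mark:
                pkt.mark = VGW_SEC_GROUP_NOT_MATCH
            return "forward"
        if self.rule_match(pkt):                    # S110
            self.sessions.add(pkt.flow)             # S112: record the session for next time
            if writes_mark:
                pkt.mark = VGW_SEC_GROUP_NOT_MATCH
            return "forward"
        return "drop"                               # S111


def build_demo():
    """Two hosts sharing one symmetric SG configuration (constructed sample data)."""
    sg = {"vm1": frozenset({1, 3, 4}), "vm2": frozenset({7}),
          "vm3": frozenset({2, 3, 5}), "vm4": frozenset({4, 5, 6})}
    allow = {("10.0.0.4", 80)}
    return Host("hostA", {"vm1", "vm2"}, sg, set(allow)), Host("hostB", {"vm3", "vm4"}, sg, set(allow))


def run_demo():
    host_a, host_b = build_demo()
    out = {}
    # vm1 and vm3 share SG 3: forwarded at the source, mark 0 trusted at the destination
    p = Packet("vm1", "vm3", ("10.0.0.1", 40000, "10.0.0.3", 22, "tcp"), cross_host=True)
    out["sg_hit"] = (host_a.handle(p), p.mark, host_b.handle(p))
    # vm2 and vm4 share nothing: rule match on port 80 succeeds and a session is recorded
    p = Packet("vm2", "vm4", ("10.0.0.2", 40001, "10.0.0.4", 80, "tcp"), cross_host=True)
    out["rule_hit"] = (host_a.handle(p), p.mark, host_b.handle(p), p.flow in host_a.sessions)
    # the same flow again: session match, no rule matching needed
    out["session_hit"] = host_a.handle(p)
    # no common SG, no session, no rule for port 22: dropped
    p = Packet("vm2", "vm4", ("10.0.0.2", 40002, "10.0.0.4", 22, "tcp"), cross_host=True)
    out["drop"] = (host_a.handle(p), p.mark)
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The four scenarios in `run_demo` correspond to the branches of figs. 3 to 7: a shared security group ID short-circuits all matching, a rule hit installs a five-tuple session so the next packet of the flow skips rule matching, and a packet that matches nothing is dropped without any mark being written.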
Corresponding to the above method embodiment, an embodiment of the present invention provides an access control apparatus based on a security group, as shown in fig. 8, where the apparatus includes:
a configuration request receiving module 801, configured to receive configuration requests for at least two target security groups;
a virtual machine determination module 802, configured to determine a target virtual machine;
an access control relationship establishing module 803, configured to establish an access control relationship between the target virtual machine and each of the target security groups.
In the security group-based access control method provided by the example shown in fig. 8, configuration requests for at least two target security groups are received, then, target virtual machines are determined, and access control relationships between the target virtual machines and each target security group are established. Therefore, by applying the technical scheme, one virtual machine can refer to a plurality of security groups, so that two virtual machines only need to refer to one same security group, and when the two virtual machines access each other, the two virtual machines can default and communicate with each other without the need of security group rule configuration and matching, thereby rapidly realizing communication between different virtual machines and improving the communication efficiency between the virtual machines.
Further, on the basis of the configuration request receiving module 801, the virtual machine determining module 802, and the access control relationship establishing module 803, as shown in fig. 9, an access control apparatus based on a security group according to an embodiment of the present invention may further include:
a rule obtaining module 804, configured to obtain the access control rule of each target security group after the configuration request receiving module 801 receives the configuration request for at least two target security groups;
the rule generating module 805 is configured to perform merging processing on the obtained rules according to the logical relationship between the access control rules of the target security group, so as to generate a target access control rule.
On the basis of the embodiment shown in fig. 8, in the access control method based on security groups provided in the embodiment shown in fig. 9, the access control rule of each target security group may also be obtained, and then the obtained rules are merged according to the logical relationship between the access control rules of the target security groups to generate the target access control rule; by applying the technical scheme, the number of the access control rules corresponding to the target virtual machine can be reduced, so that when the access control rules of the security group are matched, the matching times are reduced, the matching speed is increased, and the communication efficiency between the virtual machines is further improved.
Further, on the basis of the configuration request receiving module 801, the virtual machine determining module 802, the access control relationship establishing module 803, the rule obtaining module 804, and the rule generating module 805, as shown in fig. 10, an access control apparatus based on a security group according to an embodiment of the present invention may further include:
a message receiving module 806, configured to receive a target message;
a security group determining module 807, configured to determine whether a first security group and a second security group have a same security group, where the first security group and a source virtual machine of the target packet have an access control relationship therebetween, and the second security group and a destination virtual machine of the target packet have an access control relationship therebetween;
a message sending module 808, configured to send the target message to the destination virtual machine if the result of the security group determining module 807 is yes.
On the basis of the embodiment shown in fig. 9, by applying the technical solution provided in the embodiment shown in fig. 10, after receiving a target packet, determining whether a first-class security group and a second-class security group have the same security group, and if so, sending the target packet to a destination virtual machine, where the first-class security group has an access control relationship with a source virtual machine of the target packet, and the second-class security group has an access control relationship with the destination virtual machine of the target packet; compared with the prior art, when a large number of virtual machines exist in the VPC network, by applying the technical scheme provided by the embodiment shown in fig. 3, it is not necessary to configure a large number of access control rules for the source virtual machine and the destination virtual machine, and when the security groups quoted by the source virtual machine and the destination virtual machine have the same security group, rule matching is not necessary in the communication process between the virtual machines, and intercommunication is performed by default, thereby improving the communication efficiency between the virtual machines.
The security group determination module 807 may be specifically configured to:
judging whether a sending path of the target message is a first target path, wherein the first target path is sent to a local virtual machine by other host machines except the host machine;
if so, analyzing the target message, obtaining matching result identification information according to an analysis result, judging whether the matching result identification information is a first preset value, if so, judging that the same security group exists in the first security group and the second security group, and if not, judging that the same security group does not exist in the first security group and the second security group.
Further, on the basis of the configuration request receiving module 801, the virtual machine determining module 802, the access control relationship establishing module 803, the rule obtaining module 804, the rule generating module 805, the message receiving module 806, the security group determining module 807 and the message sending module 808, as shown in fig. 11, an access control apparatus based on a security group according to an embodiment of the present invention may further include:
a session matching module 809, configured to perform session matching on the source virtual machine and the destination virtual machine if the determination result of the security group determining module 807 is negative; and if the session matching is successful, triggering the message sending module 808.
On the basis of the embodiment shown in fig. 10, in the access control method based on security groups provided in the embodiment of fig. 11, if the first-type security group and the second-type security group do not have the same security group, session matching may also be performed, and if the session matching is successful, the target packet is sent to the destination virtual machine.
Further, on the basis of the configuration request receiving module 801, the virtual machine determining module 802, the access control relationship establishing module 803, the rule obtaining module 804, the rule generating module 805, the message receiving module 806, the security group determining module 807, the message sending module 808, and the session matching module 809, as shown in fig. 12, the access control apparatus based on a security group according to the embodiment of the present invention may further include:
a rule matching module 810, configured to, when matching fails in the session matching module 809, perform security group access control rule matching for the source virtual machine and the destination virtual machine according to the first security group and the second security group; if the security group access control rule is successfully matched, triggering the message sending module 808; if the security group access control rule fails to match, a message discarding module 811 is triggered;
the message discarding module 811 is configured to discard the target message.
Further, on the basis of the configuration request receiving module 801, the virtual machine determining module 802, the access control relationship establishing module 803, the rule obtaining module 804, the rule generating module 805, the packet receiving module 806, the security group determining module 807, the packet sending module 808, the session matching module 809, the rule matching module 810 and the packet discarding module 811, as shown in Fig. 13, the security-group-based access control apparatus according to the embodiment of the present invention may further include:
a session establishing module 812, configured to establish a session between the source virtual machine and the destination virtual machine after the packet sending module 808 has sent the target packet to the destination virtual machine.
On the basis of the embodiment shown in Fig. 12, the solution of the embodiment of Fig. 13 works as follows: if security group access control rule matching is performed for the source virtual machine and the destination virtual machine according to the first-type security group and the second-type security group and the matching succeeds, then, once the target packet has been sent to the destination virtual machine, a session between the source virtual machine and the destination virtual machine is established and stored locally. Subsequent packets of that communication need only session matching, not access control rule matching, which improves communication efficiency between the virtual machines.
Further, on the basis of the configuration request receiving module 801, the virtual machine determining module 802, the access control relationship establishing module 803, the rule obtaining module 804, the rule generating module 805, the packet receiving module 806, the security group determining module 807 and the packet sending module 808, as shown in Fig. 14, the security-group-based access control apparatus according to the embodiment of the present invention may further include:
an information writing module 813, configured to determine, before the packet sending module 808 sends the target packet, whether the sending path of the target packet is a second target path, the second target path being the path from a local virtual machine to a host other than the local host; and, if so, to write a second preset value into the target packet, the second preset value indicating that the first-type security group and the second-type security group have a security group in common.
On the basis of the embodiment shown in Fig. 10, the solution of the embodiment of Fig. 14 additionally determines, before the target packet is sent to the destination virtual machine, whether the destination virtual machine belongs to the local host. If it does not, a second preset value indicating that the first-type security group and the second-type security group have a security group in common is written into the target packet, so that the destination host, after receiving the packet, obtains the security group matching result directly from the parsed packet and need not perform security group matching again. This reduces the number of matching operations and further improves communication efficiency between virtual machines.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
Those skilled in the art will appreciate that all or part of the steps in the above method embodiments may be implemented by a program to instruct relevant hardware to perform the steps, and the program may be stored in a computer-readable storage medium, which is referred to herein as a storage medium, such as: ROM/RAM, magnetic disk, optical disk, etc.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (16)

1. A security-group-based access control method, applied to a host, comprising:
receiving configuration requests for at least two target security groups;
determining a target virtual machine;
establishing an access control relationship between the target virtual machine and each of the target security groups;
wherein establishing the access control relationship between the target virtual machine and each of the target security groups comprises:
combining the target security groups to generate a new security group, and establishing an access control relationship between the target virtual machine and the new security group.
2. The method of claim 1, further comprising, after receiving the configuration requests for the at least two target security groups:
obtaining the access control rules of each of the target security groups;
merging the obtained rules according to the logical relationship among the access control rules of the target security groups to generate target access control rules.
3. The method of claim 2, further comprising:
receiving a target packet;
determining whether a first-type security group and a second-type security group have a security group in common, wherein the first-type security group has an access control relationship with the source virtual machine of the target packet and the second-type security group has an access control relationship with the destination virtual machine of the target packet;
if so, sending the target packet to the destination virtual machine.
4. The method of claim 3, further comprising:
if the first-type security group and the second-type security group have no security group in common, performing session matching for the source virtual machine and the destination virtual machine;
if the session matching succeeds, performing the step of sending the target packet to the destination virtual machine.
5. The method of claim 4, further comprising:
if the session matching fails, performing security group access control rule matching for the source virtual machine and the destination virtual machine according to the first-type security group and the second-type security group;
if the security group access control rule matching fails, discarding the target packet;
if the security group access control rule matching succeeds, performing the step of sending the target packet to the destination virtual machine.
6. The method of claim 5, further comprising, after the step of sending the target packet to the destination virtual machine:
establishing a session between the source virtual machine and the destination virtual machine.
7. The method of claim 3, wherein the step of determining whether the first-type security group and the second-type security group have a security group in common comprises:
determining whether the sending path of the target packet is a first target path, the first target path being the path from a host other than the local host to a local virtual machine;
if so, parsing the target packet, obtaining matching result identification information from the parsing result, and determining whether the matching result identification information equals a first preset value; if it does, determining that the first-type security group and the second-type security group have a security group in common, and if it does not, determining that the first-type security group and the second-type security group have no security group in common.
8. The method of claim 3, further comprising, before the step of sending the target packet to the destination virtual machine:
determining whether the sending path of the target packet is a second target path, the second target path being the path from a local virtual machine to a host other than the local host;
if so, writing a second preset value into the target packet, the second preset value indicating that the first-type security group and the second-type security group have a security group in common.
9. A security-group-based access control apparatus, applied to a host, the apparatus comprising:
a configuration request receiving module, configured to receive configuration requests for at least two target security groups;
a virtual machine determining module, configured to determine a target virtual machine;
an access control relationship establishing module, configured to establish an access control relationship between the target virtual machine and each of the target security groups;
wherein the access control relationship establishing module is specifically configured to:
combine the target security groups to generate a new security group, and establish an access control relationship between the target virtual machine and the new security group.
10. The apparatus of claim 9, further comprising:
a rule obtaining module, configured to obtain the access control rules of each of the target security groups after the configuration request receiving module has received the configuration requests for the at least two target security groups;
a rule generating module, configured to merge the obtained rules according to the logical relationship among the access control rules of the target security groups to generate target access control rules.
11. The apparatus of claim 10, further comprising:
a packet receiving module, configured to receive a target packet;
a security group determining module, configured to determine whether a first-type security group and a second-type security group have a security group in common, wherein the first-type security group has an access control relationship with the source virtual machine of the target packet and the second-type security group has an access control relationship with the destination virtual machine of the target packet;
a packet sending module, configured to send the target packet to the destination virtual machine when the determination of the security group determining module is yes.
12. The apparatus of claim 11, further comprising:
a session matching module, configured to perform session matching for the source virtual machine and the destination virtual machine when the determination of the security group determining module is no, and to trigger the packet sending module if the session matching succeeds.
13. The apparatus of claim 12, further comprising:
a rule matching module, configured to perform, when the session matching of the session matching module fails, security group access control rule matching for the source virtual machine and the destination virtual machine according to the first-type security group and the second-type security group; to trigger the packet sending module if the security group access control rule matching succeeds; and to trigger a packet discarding module if the security group access control rule matching fails;
the packet discarding module, configured to discard the target packet.
14. The apparatus of claim 13, further comprising:
a session establishing module, configured to establish a session between the source virtual machine and the destination virtual machine after the packet sending module has sent the target packet to the destination virtual machine.
15. The apparatus of claim 10, wherein the security group determining module is specifically configured to:
determine whether the sending path of the target packet is a first target path, the first target path being the path from a host other than the local host to a local virtual machine;
if so, parse the target packet, obtain matching result identification information from the parsing result, and determine whether the matching result identification information equals a first preset value; if it does, determine that the first-type security group and the second-type security group have a security group in common, and if it does not, determine that the first-type security group and the second-type security group have no security group in common.
16. The apparatus of claim 10, further comprising:
an information writing module, configured to determine, before the packet sending module sends the target packet, whether the sending path of the target packet is a second target path, the second target path being the path from a local virtual machine to a host other than the local host; and, if so, to write a second preset value into the target packet, the second preset value indicating that the first-type security group and the second-type security group have a security group in common.
CN201610944504.8A 2016-10-26 2016-10-26 Access control method and device based on security group Active CN107995144B (en)


Publications (2)

Publication Number Publication Date
CN107995144A CN107995144A (en) 2018-05-04
CN107995144B true CN107995144B (en) 2020-11-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant