
Design And Implementation Of Security Protection Strategy For Virtual Machines

Posted on: 2018-09-10
Degree: Master
Type: Thesis
Country: China
Candidate: H H Zhao
GTID: 2348330521951514
Subject: Engineering

Abstract/Summary:
As cloud computing technology matures, the security of virtual machine traffic has become a focus for cloud providers and users. At present, the major cloud solution providers either implement virtual machine traffic security within their own cloud platforms or cooperate with third-party security vendors to solve the problem. H3C's CAS cloud platform does not implement traffic security protection for virtual machines. Therefore, to provide users with a safe and reliable environment and to improve the competitiveness of the CAS cloud platform in the industry, this thesis implements a virtual machine traffic security protection function on the CAS cloud platform.

The thesis addresses this missing function of the CAS cloud platform and, combined with the needs of users, designs and implements the virtual machine traffic security protection function. Based on the basic principles and the logical implementation framework of the CAS cloud platform, it introduces the technologies related to the design and implementation of the function, analyzes the development process and application requirements, and designs the implementation principles and methods for each module. Traffic protection for virtual machines on the cloud platform is achieved at two levels of depth: an ACL function integrated into CAS provides simple protection of virtual machine traffic, and a third-party virtual firewall provides deep protection. The ACL function relies mainly on Open vSwitch's multiple tables, which are generated from the user's configuration, to control the forwarding of virtual machine traffic and thereby implement the traffic control policy. Redirection uses control rules to redirect virtual machine traffic into a third-party virtual firewall, which then protects that traffic.

The core of the design is the design and implementation of multiple tables based on OpenFlow. The flow control policy configured for a virtual machine is ultimately resolved into multiple tables that are sent to the bridge to which the virtual machine's port belongs, and the virtual machine's traffic is ultimately controlled through those tables. Based on the logical structure of the CAS cloud platform, the function is decomposed into the following modules: designing the user configuration based on Libvirt, parsing the user configuration with Libvirt, maintaining the flow tables for the user configuration with OVS-Agentd, and controlling the traffic forwarding logic with Open vSwitch. The emphasis of each module differs between the ACL and redirection functions. In designing the multiple tables, the core work is the redirection flow table, because its logic is complex. In parsing the user configuration, the core work is the ACL, because the ACL is complex. A new process, OVS-Agentd, is created as a middle layer between Libvirt and OVS to maintain the multiple tables, including additions, deletions, changes and checks. Finally, when a virtual machine sends packets, Open vSwitch matches them against the multiple tables to control the virtual machine's forwarding process.

After the design was completed, the function was deployed to the CAS cloud platform and the environment was configured. After users configure a virtual machine through the interface, they can view the multiple tables that were configured. When users send traffic, the CAS platform controls the traffic forwarding process of the virtual machine according to the configuration. Analysis of the test results shows that the implementation achieves the purpose of controlling virtual machine traffic forwarding.
Keywords/Search Tags: Cloud compute, OpenFlow, Open vSwitch, Multiple-Table, Safety Protection