Research on password-based cloud computing virtualization network security

How to let every type of cloud user use the network as safely as possible, how to let users access and use cloud computing services seamlessly, and how to improve the flexibility and scalability of data center network construction through virtualized network technology while keeping network security good: these have become problems that must be solved when a cloud computing data center is built with virtualization technology. Mainstream vendors currently protect the virtualized networks of cloud computing data centers with network security technologies such as VLAN security zoning and firewall virtualization, but these still do not solve the trustworthiness of user access, the confidentiality of data interaction, controllability, and related issues.

Starting from the typical architecture and access/application mode of a cloud computing data center built on a virtualized network, this paper analyzes the security requirements of the data center virtualization network from the aspects of secure user access, communication isolation and confidentiality protection, and proposes a virtualization network security technology framework. The framework focuses on securing virtualized networks with cryptography; security mechanisms such as communication protection, information isolation and secure exchange between virtual machines are analyzed and designed, and a reference solution is proposed.

1. Cloud computing virtualization network technology and security needs analysis

1.1 Cloud computing virtualized network typical structure and access application mode

Cloud computing infrastructure consists primarily of computing (servers), networking and storage. Viewed across the whole cloud computing ecosystem, the network can be divided into three levels: the data center network, the cross-data-center network and the ubiquitous cloud access network.

The data center network includes the data center LAN that connects computing hosts, storage and Layer 4 to 7 servers (firewalls, load balancers, application servers, IDS/IPS, etc.), and the edge virtual network, that is, the virtual switching network among the virtual machines that exists once hosts are virtualized, which includes distributed virtual switches, virtual bridging and I/O virtualization. The cross-data-center network mainly provides the network connections between data centers, enabling data backup, data migration and resource optimization between data centers and the provision of mixed services across multiple data centers. The ubiquitous cloud access network interconnects data centers with end users so that cloud services can be delivered to public or enterprise users.

Here we mainly discuss the data center network technology architecture and access application methods implemented with virtualized network technology, because secure and controllable access by the data center's large number of virtual machines to computing resources through the virtualized network is the key to solving the cloud computing virtual network security problem. The data center network includes core layer switches, access layer switches and virtual switches. After cloud computing is adopted, the data center network must handle large data flows, large backup traffic and large-scale virtual machine migration inside the data center. The core layer therefore requires very large-scale data exchange capability and sufficient 10 Gigabit (10,000 Mbps) access capability, while access layer switches must support a variety of flexible deployment methods and new Ethernet technologies, including lossless Ethernet.

The virtual switch virtualizes the corresponding switch and network card functions in the virtual machine manager (hypervisor) layer and manages them there. It interconnects the virtual network cards (vNICs) of multiple virtual hosts within a server and can set different VLAN tags on the traffic of different vNICs, so that the server effectively contains an internal switch that can attach different network cards to different ports. The hypervisor creates one or more vNICs for each VM (virtual host) and connects them to the virtual switches inside the hypervisor to support communication between VMs. The hypervisor also allows communication between virtual switches and physical network interfaces, and thus efficient communication with external networks; the open source Open vSwitch is one example.

Taking the relatively mature Citrix Xen-based virtualization system as the research object (the same idea can be applied to VMware ESX, KVM, Hyper-V and others), we analyze how a user connects to a virtualized user terminal and from there accesses data center computing resources. A typical framework is shown in Figure 2.

First, the remote user accesses a user virtual terminal on a data center server from a thin client over a remote desktop protocol such as ICA (VMware uses PCoIP). ICA is the proprietary protocol of the Citrix Xen-based virtualization system. It exchanges display, keyboard and mouse information with the server-side management domain, which can create and suspend the corresponding virtualized terminal system on the hypervisor, giving the user the same experience as operating a local computer terminal. At the same time, the actual drivers for all peripherals also run in the management domain OS, where the back-end driver module interacts with the front-end driver module running in the virtual machine OS of each client terminal, thereby providing device driver support to every client terminal's virtual machine.

Secondly, the virtual network cards and the virtualized switches (including distributed virtualized switches spanning physical servers) between user virtual terminals provide high-speed network data interaction between virtual terminals, and between a user virtual terminal and the virtual application servers, for virtualized data-based applications, access to various application servers, or migration of user virtual machines. The distributed virtual switch makes the underlying server architecture more transparent: it supports cross-server bridging of virtual switches on different physical servers, so that a virtual switch in one server can connect transparently with the virtual switches in other servers, which makes migrating VMs together with their virtual interfaces between servers simpler.

1.2 Virtualization Network Security Requirements

The virtualized terminal application mode centralizes data and applications, provides data isolation between users, and at the same time uses virtual switches to realize data interaction between users. Like a physical switch, a virtual switch provides VLAN, ACL, traffic policy management and QoS mechanisms for virtual machine ports. Based on the typical mode described above, in which cloud computing users work on virtualized terminals in the data center and access applications through the virtualized network, the security requirements of the cloud computing virtualized network are analyzed and summarized as follows:

1) Network security requirements for user access. Virtualized users must be guaranteed access to their corresponding terminal virtual machine system in a trusted, controllable and secure manner. Authentication and access control for users entering the data center should be strengthened, and confidentiality protection should be provided for remote desktop protocols such as ICA.

2) Network security requirements between virtual machines. Unlike traditional security protection, in a virtual machine environment the traffic between the multiple VMs carved out of one physical server is exchanged through the virtual switch, which the administrator can neither control nor see. In practice, however, different VMs must be divided into different security domains for isolation and access control. A confidentiality protection mechanism for data exchange between virtual machines should be provided, so that the promiscuous-mode port mapping mechanism of the virtual switch cannot be used to listen to the communication data between virtual machines of different user groups.

In addition, a secure data transmission channel should be provided for virtual machine migration, avoiding user data leakage during the migration process (which often crosses physical servers and even data centers).

3) Network security requirements between data centers. Computing or storage resources are migrated or scheduled between data centers. For large-scale cluster computing, a large-scale Layer 2 interconnect (including distributed virtual switches spanning data centers) is generally used, while multiple virtual data centers that provide cloud computing services are connected by a routed (Layer 3) network. Regular network security protection such as firewalls and intrusion detection must be applied at the data center network boundary, and at the same time the data exchanged across data centers must be protected for confidentiality.
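For requirement 1) above (trusted, controllable user access to the terminal VM, with strengthened authentication and access control), the following Go program is an added example written for this page, not code from the paper or from any product it mentions. It models a hypothetical access gateway at the data center entry point: the remote thin-client user is authenticated with an HMAC-SHA256 challenge-response, so the shared secret never crosses the network, and only then is the user checked against an allow-list of the terminal VMs that user may open. The user name, the secret and the VM identifiers are constructed sample values; confidentiality of the remote desktop protocol itself is outside what this block shows.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// AccessGateway models the data-center entry point that first authenticates a remote user
// and then decides which terminal VM that user may reach. Assumptions (not in the paper):
// one shared secret per user and a static user -> terminal VM allow-list.
type AccessGateway struct {
	secrets map[string][]byte          // user -> shared secret
	allowed map[string]map[string]bool // user -> set of permitted terminal VM ids
	pending map[string][]byte          // user -> outstanding challenge nonce
}

func NewAccessGateway() *AccessGateway {
	return &AccessGateway{
		secrets: map[string][]byte{},
		allowed: map[string]map[string]bool{},
		pending: map[string][]byte{},
	}
}

// Enroll registers a user's secret and the terminal VMs the user is permitted to open.
func (g *AccessGateway) Enroll(user string, secret []byte, vms ...string) {
	g.secrets[user] = secret
	g.allowed[user] = map[string]bool{}
	for _, vm := range vms {
		g.allowed[user][vm] = true
	}
}

// Challenge issues a fresh random nonce; the client proves knowledge of the secret by
// returning HMAC-SHA256(secret, nonce), so the secret itself is never transmitted.
func (g *AccessGateway) Challenge(user string) ([]byte, error) {
	if _, ok := g.secrets[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	g.pending[user] = nonce
	return nonce, nil
}

// ClientResponse is what the thin client computes from its secret and the nonce.
func ClientResponse(secret, nonce []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(nonce)
	return hex.EncodeToString(mac.Sum(nil))
}

// Connect verifies the response in constant time, consumes the challenge so it cannot
// be replayed, and only then enforces the user -> terminal VM allow-list.
func (g *AccessGateway) Connect(user, response, vmID string) error {
	nonce, ok := g.pending[user]
	if !ok {
		return errors.New("no outstanding challenge for user")
	}
	delete(g.pending, user)
	expected := ClientResponse(g.secrets[user], nonce)
	if !hmac.Equal([]byte(expected), []byte(response)) {
		return errors.New("authentication failed")
	}
	if !g.allowed[user][vmID] {
		return fmt.Errorf("user %q is not authorised for terminal VM %q", user, vmID)
	}
	return nil
}

func main() {
	gw := NewAccessGateway()
	secret := []byte("constructed-demo-secret-for-alice") // constructed sample secret
	gw.Enroll("alice", secret, "vt-alice-01")
	nonce, _ := gw.Challenge("alice")
	fmt.Println("alice -> vt-alice-01:", gw.Connect("alice", ClientResponse(secret, nonce), "vt-alice-01"))
	fmt.Println("replayed response:", gw.Connect("alice", ClientResponse(secret, nonce), "vt-alice-01"))
}
```

The challenge is deleted before the response is checked, so a failed or successful attempt always costs a fresh round trip and a captured response cannot be replayed; authorization is evaluated only after authentication succeeds, which keeps the allow-list from leaking which VM identifiers exist to an unauthenticated caller.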
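The virtual switch mechanism of section 1.1 (VLAN tags set per vNIC port) and requirement 2) above (traffic the administrator cannot see, promiscuous-mode port mapping, confidentiality between virtual machines of different security domains) can be shown together in one small simulation. The following Go program is an added example written for this page, not code from the paper, from Xen or from Open vSwitch: a toy VLAN-aware virtual switch with an optional promiscuous mirror port, an audit function that lists such ports, and AES-256-GCM sealing of a VM-to-VM payload under a per-security-domain key so that a mirror port receives only ciphertext. The port names, VLAN numbers and the 32-byte key are constructed sample values, and the flood-within-VLAN forwarding model (no MAC learning) is a simplifying assumption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"sort"
)

// Frame is a simplified Ethernet frame: the VLAN tag the switch applied plus an opaque payload.
type Frame struct {
	SrcPort string
	VLAN    int
	Payload []byte
}

// Port models one vNIC port; a promiscuous (mirror) port receives a copy of every frame, whatever its VLAN.
type Port struct {
	Name        string
	VLAN        int
	Promiscuous bool
	Inbox       []Frame
}

// VSwitch is a toy VLAN-aware virtual switch. Assumption (not from the paper): it floods within
// a VLAN and does no MAC learning, which is enough to show isolation and mirror-port exposure.
type VSwitch struct{ Ports map[string]*Port }

func NewVSwitch() *VSwitch { return &VSwitch{Ports: map[string]*Port{}} }

func (s *VSwitch) AddPort(name string, vlan int, promiscuous bool) {
	s.Ports[name] = &Port{Name: name, VLAN: vlan, Promiscuous: promiscuous}
}

// Send tags the payload with the source port's VLAN and delivers it to every other port in
// that VLAN, plus every promiscuous port.
func (s *VSwitch) Send(from string, payload []byte) error {
	src, ok := s.Ports[from]
	if !ok {
		return fmt.Errorf("unknown port %q", from)
	}
	f := Frame{SrcPort: from, VLAN: src.VLAN, Payload: payload}
	for name, p := range s.Ports {
		if name != from && (p.VLAN == src.VLAN || p.Promiscuous) {
			p.Inbox = append(p.Inbox, f)
		}
	}
	return nil
}

// PromiscuousPorts is the audit check: which ports can observe traffic outside their own VLAN.
func (s *VSwitch) PromiscuousPorts() []string {
	var out []string
	for name, p := range s.Ports {
		if p.Promiscuous {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte security-domain key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPayload encrypts a VM-to-VM payload under the sender's domain key with a fresh random
// nonce prepended; a mirror port then sees only ciphertext and the authentication tag.
func SealPayload(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenPayload reverses SealPayload; a wrong key or a modified frame fails the GCM tag check.
func OpenPayload(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("sealed payload too short")
}

func main() {
	sw := NewVSwitch()
	sw.AddPort("vmA", 10, false)
	sw.AddPort("vmB", 10, false)
	sw.AddPort("vmC", 20, false)
	sw.AddPort("mirror", 0, true) // the promiscuous-mode mapping the paper warns about
	sealed, _ := SealPayload([]byte("constructed-32-byte-domain-key!!"), []byte("vmA->vmB")) // constructed key
	_ = sw.Send("vmA", sealed)
	fmt.Println("vmC frames:", len(sw.Ports["vmC"].Inbox), "mirror frames:", len(sw.Ports["mirror"].Inbox), "audit:", sw.PromiscuousPorts())
}
```

Running it shows the two halves of the requirement: VLAN tagging keeps vmC (VLAN 20) from receiving vmA's frame, but the mirror port receives it regardless of VLAN, which is exactly why the audit listing matters and why the payload is sealed before it reaches the switch. OpenPayload with a key from another security domain fails on the GCM tag instead of yielding plaintext. Per-domain key distribution and the protected migration channel of the paragraph on migration are not modelled here.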
