2025-01-21 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
A firewall is a barrier between the intranet and the extranet that controls the entry and exit of data packets according to rules pre-defined by the system administrator. It is the system's first line of defense, and its function is to keep out illegal users. A virtual firewall logically divides one firewall into multiple virtual firewalls, and each virtual firewall system can be regarded as a completely independent firewall device: it can have its own system resources, administrator, security policy, user authentication database and so on.
The firewall described above is generally used between the internal network and the external network of the data center, while the virtual firewall described by Yun Hongjun is different. It is used for network communication between virtual machines, and between virtual machines and physical machines, inside the data center's internal network, and is a network flow control firewall solution for virtual networks.
The traditional virtual firewall solution is generally modeled on the physical-machine firewall.
The traditional virtual firewall solution is generally based on the firewall implementation of the physical machine: firewall software runs inside a virtual machine, which can be regarded as a more complete implementation of the virtual policy.
To make the virtual firewall's policy and configuration manageable, each physical machine needs to deploy a firewall module that receives the configuration information and firewall policies sent by the firewall controller and uses them to inspect network traffic. The firewall controller is deployed on the control node of the host cluster and is used for unified management and policy configuration of all firewall modules in the whole cluster environment. Firewall policy information from the user or from the cloud computing management node is sent to the firewall controller, which is how the virtual firewall is regulated.
In other words, the firewall controller needs to establish a connection, and the firewall policy information configured by the user must pass the firewall controller's enforceability pre-analysis before it can be sent to the firewall module. Once the connection is disconnected, the user needs to modify the policy according to the feedback from the controller. In addition, installing a firewall with virtual firewall software usually means installing other, unrelated modules, even if in fact only the firewall module is used. Some firewall software also applies its filtering rules to network traffic one by one, so performance is poor.
Yunhong CNware virtual firewall uses OpenFlow flow tables based on Open vSwitch (OVS).
To address the disadvantages of the traditional scheme, the Yunhong CNware virtual firewall uses OpenFlow flow tables on Open vSwitch (OVS for short) and configures network traffic filtering rules in them to implement the virtual firewall function. CNware virtualized hosts use OVS as the network management stack by default. Virtual machine network traffic on a physical host passes through a bridge under OVS, and that bridge is the virtual switch. By setting OpenFlow flow table rules on the bridge, we can control which network traffic passes and so implement the virtual firewall.
The Yunhong CNware virtual firewall sends user-defined rules to OpenFlow through a program, so that network traffic is filtered by OpenFlow. The rule information sent includes the physical host, source type, source object value, protocol, port number, target object value, and whether the firewall rule is one-way or two-way. Packets that comply with the rules can go through the virtual switch (whitelist), and vice versa (blacklist).
Compared with the traditional scheme, the Yunhong CNware virtual firewall does not need a firewall controller module and avoids the connection problem of controller-managed firewalls; its layering is simpler and its performance is better. In addition, the solution supports several kinds of configuration rule, such as IP, IP segment and MAC, which makes policy configuration richer and more flexible.
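The rule-to-flow translation described above, sketched for whitelist mode as an added example; this is not CNware's own code. The field names, the ARP allow flow, the priorities and the sample rules are assumptions made for illustration; the flow strings use standard `ovs-ofctl add-flow` match syntax.

```python
import ipaddress
import re

MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)
BRIDGE_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")

def _match(value, side):
    """Validate one source/target object; return (kind, OVS match field)."""
    if MAC_RE.fullmatch(value):
        return "mac", f"dl_{side}={value.lower()}"
    net = ipaddress.IPv4Network(value)  # ValueError on junk or host bits set
    if net.prefixlen == 32:
        return "ip", f"nw_{side}={net.network_address}"
    return "ip_segment", f"nw_{side}={net}"

def rule_to_flows(rule, priority=100):
    """Turn one firewall rule into one (one-way) or two (two-way) allow flows."""
    proto, port = rule["protocol"].lower(), rule.get("port")
    if proto not in ("tcp", "udp", "icmp", "ip"):
        raise ValueError(f"unsupported protocol {proto!r}")
    if port is not None and (proto not in ("tcp", "udp") or not 0 < int(port) < 65536):
        raise ValueError(f"bad port {port!r} for {proto}")
    sides = [("src", "dst")] + ([("dst", "src")] if rule["direction"] == "two-way" else [])
    flows = []
    for s_side, t_side in sides:  # the reply direction swaps every src/dst field
        kind, src = _match(rule["source"], s_side)
        if kind != rule["source_type"]:
            raise ValueError(f"source {rule['source']!r} is not a {rule['source_type']}")
        fields = [f"priority={priority}", proto, src, _match(rule["target"], t_side)[1]]
        if port is not None:
            fields.append(f"tp_{t_side}={int(port)}")
        flows.append(",".join(fields + ["actions=NORMAL"]))
    return flows

def whitelist_commands(host, bridge, rules):
    """ovs-ofctl argv lists for one host: ARP, the allow flows, then default drop."""
    if not BRIDGE_RE.fullmatch(bridge):
        raise ValueError(f"bad bridge name {bridge!r}")
    flows = ["priority=10,arp,actions=NORMAL"]  # assumption: keep ARP working
    for rule in rules:
        if rule["host"] == host:
            flows += rule_to_flows(rule)
    flows.append("priority=0,actions=drop")  # whitelist: unmatched traffic is dropped
    return [["ovs-ofctl", "add-flow", bridge, flow] for flow in flows]

SAMPLE_RULES = [  # constructed sample input, hypothetical hosts and addresses
    {"host": "host-a", "source_type": "ip", "source": "10.0.0.5", "protocol": "tcp",
     "port": 22, "target": "10.0.1.0/24", "direction": "two-way"},
    {"host": "host-a", "source_type": "mac", "source": "52:54:00:AA:BB:01",
     "protocol": "icmp", "port": None, "target": "10.0.0.5", "direction": "one-way"},
]
```

Returning argv lists rather than shell strings, and validating the bridge name and every address before a flow string is built, keeps user-supplied rule values from being interpreted by a shell or by the flow parser as extra fields.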