Cloud grand forum | flexible lightweight YunHong CNware virtual firewall

Time:09-17

A firewall is a barrier between the internal network (intranet) and the external network (extranet). It controls which packets may enter and leave according to rules predefined by the system administrator, and it is the system's first line of defense: its role is to keep unauthorized users out. A virtual firewall is a firewall that can be logically divided into several virtual firewalls, each of which behaves as a completely independent firewall device with its own system resources, administrators, security policies, user authentication database, and so on.



The firewall described above, sitting between the internal and external network, is the kind generally used at the boundary of a data center. The virtual firewall that YunHongJun describes next is different: it works inside the data center's internal network, on the communication between virtual machines and between virtual machines and physical machines, and is a virtual network firewall solution for controlling that network traffic.



Traditional virtual firewall solutions generally follow the physical-machine firewall implementation



Traditional virtual firewall solutions generally take the firewall implementation of a physical machine as their reference and run the virtual firewall software inside a virtual machine.



To make the virtual firewall's policies easier to control and configure, a firewall module has to be deployed on every physical machine; it receives the configuration information sent by the firewall controller and applies the firewall policy to inspect network traffic. A firewall controller is deployed on the main control node of the cluster, where it manages all the firewall modules in the cluster and configures their policies centrally. The user, or the cloud-computing management node, sends firewall policy information to the controller, and the firewall modules enforce it, which is how the virtual firewall is controlled.



In other words, a connection to the firewall controller must be established: the firewall policy configured by the user has to be parsed by the firewall controller before the resulting policy information is sent to the firewall modules. Once that connection is broken, the user has to adjust the policy according to feedback from the controller. In addition, installing a firewall with virtual firewall software often means installing other unrelated modules even though only the firewall module is actually used, and some firewall software filters network traffic by evaluating its rules one by one, so its performance is rather poor.



The YunHong CNware virtual firewall adopts OpenFlow flow tables based on Open vSwitch (OVS)



To overcome the drawbacks of the traditional scheme, the YunHong CNware virtual firewall adopts OpenFlow flow tables based on Open vSwitch (OVS): network traffic filtering rules are configured as flow entries, and these realize the virtual firewall functions. The CNware virtualization host uses OVS for network management by default, so all network communication of the virtual machines on a physical host passes through the OVS bridge, which plays the role of a virtual switch. By setting OpenFlow flow table rules on that bridge, the traffic passing through it can be controlled, and that is what realizes the virtual firewall function.



The YunHong CNware virtual firewall delivers user-defined rules to OpenFlow through its program, so that network traffic is filtered by OpenFlow. The information delivered with each rule includes the physical host the firewall rule belongs to, the source type, the source object value, the protocol, the port number, the target type, the target value and the direction. Packets (unidirectional or bidirectional) that match a rule are allowed through the virtual switch (whitelist); the opposite kind of rule blocks them (blacklist).



Compared with the traditional scheme, the YunHong CNware virtual firewall needs no firewall controller module, which avoids the controller-connection problem; its layered structure is more compact and its performance more efficient. In addition, the solution supports several kinds of rule configuration, such as IP-based and combined IP-and-MAC rules, so policy configuration is richer and more flexible.
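To make the rule-to-flow-table mapping described above concrete, here is an added example (my own code, not CNware's): it takes rules with the fields the article lists (source/target type and value, protocol, port, allow or deny) and renders them as OpenFlow entries in ovs-ofctl syntax, together with the bridge-wide default that makes the set behave as a whitelist or a blacklist. The rule schema, priorities and bridge name are assumptions for illustration; the match-field names are standard OVS ones.

```python
# Added example, not CNware's code. Rule dict schema is constructed here:
#   src_type/dst_type: "ip" or "mac"; src/dst: address or CIDR;
#   proto: tcp|udp|icmp|any; port: optional destination port;
#   action: "allow" (forward normally) or "deny" (drop).
import ipaddress

PROTO_MATCH = {"tcp": "tcp", "udp": "udp", "icmp": "icmp", "any": "ip"}

def endpoint_match(kind, value, side):
    """OVS match field for one endpoint; side is 'src' or 'dst'."""
    if kind == "ip":
        ipaddress.ip_network(value, strict=False)  # reject malformed input
        return f"nw_{side}={value}"
    if kind == "mac":
        return f"dl_{side}={value.lower()}"
    raise ValueError(f"unsupported endpoint type {kind!r}")

def rule_to_flow(rule, priority=100):
    """Render one rule as a single ovs-ofctl flow string."""
    proto = PROTO_MATCH[rule.get("proto", "any")]
    parts = [f"priority={priority}", proto,
             endpoint_match(rule["src_type"], rule["src"], "src"),
             endpoint_match(rule["dst_type"], rule["dst"], "dst")]
    if "port" in rule:
        if proto not in ("tcp", "udp"):
            raise ValueError("a port only applies to tcp or udp rules")
        parts.append(f"tp_dst={int(rule['port'])}")
    action = "normal" if rule["action"] == "allow" else "drop"
    return ",".join(parts) + f",actions={action}"

def build_flow_table(rules, mode="whitelist"):
    """Explicit rules first (descending priority), then the policy default.
    Whitelist: drop everything unmatched, but keep ARP so VMs can resolve
    neighbours at all; blacklist: forward everything unmatched."""
    flows = [rule_to_flow(r, priority=200 - i) for i, r in enumerate(rules)]
    if mode == "whitelist":
        flows += ["priority=1,arp,actions=normal", "priority=0,actions=drop"]
    else:
        flows.append("priority=0,actions=normal")
    return flows

def ovs_commands(bridge, rules, mode="whitelist"):
    """The ovs-ofctl invocations that would install the table on the bridge."""
    return [f"ovs-ofctl add-flow {bridge} '{f}'" for f in build_flow_table(rules, mode)]

if __name__ == "__main__":
    demo = [{"src_type": "ip", "src": "10.0.0.5", "dst_type": "ip", "dst": "10.0.0.8",
             "proto": "tcp", "port": 22, "action": "allow"}]
    print("\n".join(ovs_commands("br-int", demo)))  # bridge name is assumed
```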