
Computer Engineering (计算机工程)

• Security Technology •

Design and Implementation of a Virtual Machine Firewall Based on SR-IOV (基于SR-IOV的虚拟机防火墙设计与实现)

XUN Zhong-kai 1a,1b, HUANG Hao 1a,1b, JIN Yin-cheng 2

  (1. Nanjing University: a. State Key Laboratory for Novel Software Technology; b. Department of Computer Science and Technology, Nanjing 210046, China; 2. The 32nd Research Institute of China Electronics Technology Group Corporation, Shanghai 200233, China)
  • Received: 2013-04-10  Online: 2014-05-15  Published: 2014-05-14
  • About the authors: XUN Zhong-kai (born 1987), male, M.Sc.; main research interests: operating system security, virtualization technology. HUANG Hao, professor and doctoral supervisor. JIN Yin-cheng, M.Sc.
  • Funding:
    National High-Tech R&D Program of China ("863" Program) (2011AA01A202); Jiangsu Province "Six Talent Peaks" High-Level Talent Project (2011-DZXX-035); Natural Science Research Project of Jiangsu Higher Education Institutions (12KJB520001).

Design and Implementation of Virtual Machine Firewall Based on SR-IOV

XUN Zhong-kai 1a,1b, HUANG Hao 1a,1b, JIN Yin-cheng 2

  1. (1a. State Key Laboratory for Novel Software Technology; 1b. Department of Computer Science and Technology, Nanjing University, Nanjing 210046, China; 2. The 32nd Research Institute of China Electronics Technology Group Corporation, Shanghai 200233, China)
  • Received: 2013-04-10  Online: 2014-05-15  Published: 2014-05-14

Abstract (translated from the Chinese): During virtual network data transmission, frequent switches between user mode and kernel mode, and the resulting multiple data copies between virtual domains, severely degrade network I/O performance. To address this, a high-performance virtual machine firewall design is proposed. It uses the high-performance data transfer of the SR-IOV specification and its filtering of received packets so that a virtual domain interacts directly with the physical network card. Because a firewall in a low-privilege virtual domain is easily attacked, a monitoring module is deployed in the higher-privilege Xen hypervisor to monitor the firewall in the virtual domain in real time. Experimental results show that with an SR-IOV network card the virtual machine's network I/O performance improves by more than 100% on average (more than double) compared with Xen's traditional network access mode, and that Xen with the monitoring module prevents the firewall from being illegally accessed or maliciously tampered with, guaranteeing the firewall's security.

Keywords (translated): virtualization, Xen virtual machine manager, SR-IOV specification, firewall, high performance, monitoring

Abstract: Virtual network data transmission in Xen involves frequent switching between user mode and kernel mode and multiple copies of each packet between virtual domains, which lowers network I/O performance. This paper proposes a high-performance virtual machine firewall that uses the high-performance data path and receive-side packet filtering of SR-IOV so that a virtual domain interacts directly with the physical network card. Because a firewall running in a lower-privilege virtual domain is vulnerable to attack, the higher-privilege Xen hypervisor hosts a module that monitors the virtual machine firewall in real time and protects it from illegal access. Experimental results show that deploying an SR-IOV network card in the virtual machine firewall more than doubles network I/O performance (an average improvement of over 100%) compared with Xen's conventional network I/O access mode, and that the monitoring module in Xen prevents unauthorized access to and malicious tampering with the firewall, ensuring its security.
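The abstract describes two components: a packet-filtering firewall inside the guest domain, which reaches the NIC directly through an SR-IOV virtual function, and a monitor in Xen that watches that firewall for tampering. The C program below is an added example written for this page, not code from the paper. It models the firewall as a first-match rule table with default deny, and models the monitor as a digest of the rule table taken at enrollment and re-checked later, so that an alteration of a rule in guest memory is detected. The rule table, the addresses, the FNV-1a digest (a stand-in for a cryptographic hash such as SHA-256) and the `demo` scenario are all constructed here; how the paper's monitor reads guest memory from Xen is not given on this page and is not modelled.

```c
/* Added example (not the paper's code): guest-side rule-table firewall plus a
 * hypervisor-side integrity monitor over the rule table. All data constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { FW_DROP = 0, FW_ACCEPT = 1 };

struct pkt { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };

struct rule {
    uint32_t src, src_mask;   /* source address / netmask, host byte order */
    uint32_t dst, dst_mask;   /* destination address / netmask */
    uint16_t dport;           /* 0 = any destination port */
    uint8_t  proto;           /* 0 = any IP protocol (6 = TCP, 17 = UDP) */
    uint8_t  action;          /* FW_DROP or FW_ACCEPT */
};

#define NRULES 4
/* Constructed rule table: the firewall configuration living in guest memory.
 * Order matters: first match wins, so the /16 drop precedes the port-80 allow. */
struct rule g_rules[NRULES] = {
    { 0x0A420000u, 0xFFFF0000u, 0, 0, 0, 0, FW_DROP },                      /* 10.66.0.0/16: drop */
    { 0x0A000000u, 0xFF000000u, 0xC0A8010Au, 0xFFFFFFFFu, 22, 6, FW_ACCEPT }, /* 10/8 -> VM tcp/22 */
    { 0, 0, 0xC0A8010Au, 0xFFFFFFFFu, 80, 6, FW_ACCEPT },                   /* any -> VM tcp/80 */
    { 0, 0, 0, 0, 0, 0, FW_DROP },                                          /* default drop */
};

/* First-match evaluation; packets matching no rule are dropped. */
int fw_filter(const struct rule *rules, size_t n, const struct pkt *p)
{
    for (size_t i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if ((p->src & r->src_mask) != (r->src & r->src_mask)) continue;
        if ((p->dst & r->dst_mask) != (r->dst & r->dst_mask)) continue;
        if (r->proto && r->proto != p->proto) continue;
        if (r->dport && r->dport != p->dport) continue;
        return r->action;
    }
    return FW_DROP;
}

/* Monitor side: 64-bit FNV-1a over the bytes of the protected region.
 * A stand-in for a real digest; the technique is the same with SHA-256. */
uint64_t fnv1a64(const void *buf, size_t len)
{
    const unsigned char *p = buf;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

struct monitor { const void *region; size_t len; uint64_t baseline; };

/* Enroll: record the digest of the firewall's rule table as the trusted baseline. */
void monitor_init(struct monitor *m, const void *region, size_t len)
{
    m->region = region; m->len = len; m->baseline = fnv1a64(region, len);
}

/* Returns 1 if the protected region still matches the baseline, 0 if tampered. */
int monitor_check(const struct monitor *m)
{
    return fnv1a64(m->region, m->len) == m->baseline;
}

/* Scenario: enroll, filter two packets, then simulate an attacker in the guest
 * flipping the default-drop rule to accept; the next check must flag it.
 * Returns 1 on the expected outcome, a negative code on the first deviation. */
int demo(void)
{
    struct monitor m;
    monitor_init(&m, g_rules, sizeof g_rules);

    struct pkt ssh    = { 0x0A010203u, 0xC0A8010Au, 40000, 22, 6 }; /* 10.1.2.3 -> tcp/22 */
    struct pkt telnet = { 0x0A010203u, 0xC0A8010Au, 40000, 23, 6 }; /* 10.1.2.3 -> tcp/23 */
    if (fw_filter(g_rules, NRULES, &ssh) != FW_ACCEPT) return -1;
    if (fw_filter(g_rules, NRULES, &telnet) != FW_DROP) return -2;
    if (!monitor_check(&m)) return -3;

    g_rules[NRULES - 1].action = FW_ACCEPT;   /* simulated tampering */
    int detected = !monitor_check(&m);
    g_rules[NRULES - 1].action = FW_DROP;     /* restore for later callers */
    return detected ? 1 : -4;
}

int main(void)
{
    int r = demo();
    printf("%s\n", r == 1 ? "filter behaved as expected; tampering detected" : "unexpected result");
    return r == 1 ? 0 : 1;
}
```

Compile with `cc -std=c99 fw_monitor.c`. A digest-compare monitor of this kind reports every change, including a legitimate rule update by the administrator, so a deployment needs a trusted way to re-baseline after authorised changes; the page does not say how the paper's monitor handles that case.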

Key words: virtualization, Xen Virtual Machine Manager (VMM), SR-IOV specification, firewall, high performance, monitoring
