Design and Implementation of a Virtual Machine Firewall System
Published: 2018-09-05 10:14
【Abstract】: Virtualization is the key technology of cloud computing. It allows several virtual computer systems to run on one physical host without interfering with one another, sharing physical resources such as the CPU, memory and I/O devices. Xen is a mainstream virtual machine monitor. As a software layer between the operating system and the hardware, Xen virtualizes the whole physical platform in software. It provides virtual hardware resources to each virtual machine, so that every operating system running on Xen has its own independent execution environment, which isolates the virtual machines from each other. As cloud computing spreads through science and industry, the network I/O performance and network security problems of Xen virtualization have become increasingly prominent, and the need for a virtual machine firewall with high network I/O performance is increasingly clear. Providing virtual machines with a sound and efficient firewall while improving the network I/O performance of virtual domains is therefore of real importance. This thesis analyzes the causes of poor network I/O performance in Xen virtualization and, exploiting the high performance of network cards that follow the SR-IOV specification, proposes a protected virtual machine firewall scheme with high network I/O performance. The main contributions and innovations of this thesis are as follows. (1) The related work on virtual machine firewall systems is analyzed and the strengths and weaknesses of the existing solutions are summarized. On the performance side, the Xen network I/O model is analyzed and the main causes of its network I/O overhead are summarized. On the firewall side, the existing solutions are surveyed, and the significance and goals of a virtual machine firewall system are set out. (2) A high-performance virtual machine firewall scheme is proposed. For received packets, the PF (physical function) of the SR-IOV network card filters the virtual machine's incoming packets on their five-tuple, while the virtual machine keeps the high data-transfer performance of SR-IOV. For transmitted packets, a firewall is deployed in DomainU and outgoing packets leave through the SR-IOV network card, giving high transmission performance. (3) A scheme to strengthen the protection of the virtual machine firewall is proposed. Because the firewall is deployed in the DomainU operating system, which runs in non-Root mode, it is exposed to attack by kernel-level malware. A monitoring module deployed in Xen, which runs in Root mode, monitors the firewall module in DomainU in real time and so strengthens the firewall's protection.
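The receive-side five-tuple filter that contribution (2) places in the SR-IOV PF, written out as an added example (not the thesis's code): a per-VF rule table is matched against the parsed IPv4 five-tuple before a frame is handed to the VF. The rule layout, the sample policy for a VF owning 10.0.0.5, and the frame builder are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>
/* One five-tuple rule; zero proto/port means "any". Rule layout is constructed here, not the thesis's. */
struct rule { uint32_t src, src_mask, dst, dst_mask; uint8_t proto; uint16_t sport, dport; int allow; };
struct vf_table { const struct rule *r; int n; int default_allow; };
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Receive-side decision the PF makes before handing a frame to a VF: 1 = deliver, 0 = drop.
 * Non-IPv4 and truncated frames are dropped rather than passed through unfiltered. */
int pf_rx_filter(const struct vf_table *t, const uint8_t *frame, size_t len) {
    if (len < 14 + 20 || be16(frame + 12) != 0x0800) return 0;
    const uint8_t *ip = frame + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 4) return 0;
    uint8_t proto = ip[9];
    uint32_t src = be32(ip + 12), dst = be32(ip + 16);
    uint16_t sport = 0, dport = 0;
    if (proto == 6 || proto == 17) { sport = be16(ip + ihl); dport = be16(ip + ihl + 2); }
    for (int i = 0; i < t->n; i++) {                 /* first matching rule wins */
        const struct rule *r = &t->r[i];
        if ((src & r->src_mask) != (r->src & r->src_mask)) continue;
        if ((dst & r->dst_mask) != (r->dst & r->dst_mask)) continue;
        if (r->proto && r->proto != proto) continue;
        if (r->sport && r->sport != sport) continue;
        if (r->dport && r->dport != dport) continue;
        return r->allow;
    }
    return t->default_allow;
}

/* Builds a minimal Ethernet/IPv4 frame plus a 4-byte L4 port stub (constructed test input). */
size_t build_frame(uint8_t *buf, uint32_t src, uint32_t dst, uint8_t proto, uint16_t sport, uint16_t dport) {
    memset(buf, 0, 38);
    buf[12] = 0x08; buf[13] = 0x00;                    /* EtherType IPv4 */
    uint8_t *ip = buf + 14; ip[0] = 0x45; ip[9] = proto;   /* version 4, IHL 5 */
    for (int i = 0; i < 4; i++) { ip[12 + i] = (uint8_t)(src >> (24 - 8 * i)); ip[16 + i] = (uint8_t)(dst >> (24 - 8 * i)); }
    ip[20] = (uint8_t)(sport >> 8); ip[21] = (uint8_t)sport; ip[22] = (uint8_t)(dport >> 8); ip[23] = (uint8_t)dport;
    return 38;
}

/* Policy for one VF owning 10.0.0.5: TCP/22 only from 10.0.0.0/24, ICMP from anywhere, drop the rest. */
static const struct rule vf1_rules[] = {
    { 0x0A000000, 0xFFFFFF00, 0x0A000005, 0xFFFFFFFF, 6, 0, 22, 1 },
    { 0, 0, 0x0A000005, 0xFFFFFFFF, 1, 0, 0, 1 },
};
static const struct vf_table vf1 = { vf1_rules, 2, 0 };
/* Builds a frame for the given five-tuple and runs it through vf1's table. */
int vf1_accepts(uint32_t src, uint32_t dst, uint8_t proto, uint16_t sport, uint16_t dport) {
    uint8_t buf[64];
    return pf_rx_filter(&vf1, buf, build_frame(buf, src, dst, proto, sport, dport));
}
```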
【Degree-granting institution】: Nanjing University
【Degree level】: Master's
【Year degree granted】: 2013
【Classification number】: TP393.08;TP302
Article number: 2223970
Link: https://www.wllwen.com/kejilunwen/jisuanjikexuelunwen/2223970.html