Virtualization is one of the most widely adopted technologies today. It is used in cloud computing platforms, virtual storage, virtual operating systems, virtual desktops, and virtual terminals. Current virtual security isolation is achieved mainly by partitioning virtual switch (vSwitch) networks and by configuring access control lists (ACLs) on the network isolation components supplied by virtualization software vendors, such as the vShield components provided by VMware.
Because virtual machines have different security levels, and virtual machines of different security levels may access each other, there is a risk that one virtual machine may attack another. To eliminate this risk, traditional virtual security isolation techniques divide a vSwitch network into multiple virtual local area networks (VLANs). Virtual machines with the same security level are placed in the same VLAN, and security isolation among VLANs is thus achieved.
However, security isolation among the virtual machines within a single VLAN cannot be achieved this way. If a virtual machine in a VLAN is compromised, the spread of that compromise inside the VLAN cannot be prevented. For example, in a VLAN with three virtual machines VM1, VM2 and VM3, if VM1 is hacked, the attacker may use VM1 to scan VM2 and VM3. A traditional virtual security isolation method cannot prevent this scanning behavior, because VLAN membership alone treats every intra-VLAN flow as permitted.
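To make the gap concrete, the following Python model is added here as an example; it is not part of the disclosure. It evaluates a vSwitch traffic policy two ways: the traditional VLAN-only check described above, and a per-VM ACL layered on top of VLAN membership. The VM names, VLAN ids, ports and ACL rules are constructed for illustration, and `reachable_flows` is a defender's exposure view of what a given VM could reach under each policy.

```python
"""Added example: VLAN-only isolation vs. a per-VM ACL inside one vSwitch.

The virtual machines, VLAN ids, ports and ACL rules below are constructed
for illustration; they are not from the disclosure.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    vlan: int


@dataclass(frozen=True)
class AclRule:
    src: str             # VM name, or "*" for any source
    dst: str             # VM name, or "*" for any destination
    port: Optional[int]  # None matches any destination port
    action: str          # "allow" or "deny"


def vlan_only_permits(src: VM, dst: VM) -> bool:
    """Traditional isolation: a flow is allowed iff both VMs share a VLAN.
    Nothing distinguishes VM1->VM2 from any other intra-VLAN flow."""
    return src.vlan == dst.vlan


def acl_permits(src: VM, dst: VM, port: int, rules: List[AclRule]) -> bool:
    """Per-VM ACL evaluated on top of VLAN membership: first match wins,
    implicit deny at the end. This is the control the VLAN-only model lacks."""
    if not vlan_only_permits(src, dst):
        return False
    for rule in rules:
        if (rule.src in ("*", src.name)
                and rule.dst in ("*", dst.name)
                and rule.port in (None, port)):
            return rule.action == "allow"
    return False


Policy = Callable[[VM, VM, int], bool]


def reachable_flows(src: VM, targets: List[VM], ports: List[int],
                    policy: Policy) -> List[Tuple[str, int]]:
    """Exposure view for a defender: which (target, port) pairs a policy
    would let a given VM reach. Used here to compare the two models."""
    return [(dst.name, p) for dst in targets for p in ports if policy(src, dst, p)]


# Constructed scenario: three VMs in VLAN 10, one VM in VLAN 20.
VM1 = VM("VM1", 10)
VM2 = VM("VM2", 10)
VM3 = VM("VM3", 10)
VM4 = VM("VM4", 20)

# Constructed ACL: VM1 may reach VM2 on port 443 only; everything else denied.
RULES = [
    AclRule("VM1", "VM2", 443, "allow"),
]

# Constructed set of destination ports to evaluate.
PORTS = [22, 443, 3389]


def vlan_only_policy(src: VM, dst: VM, port: int) -> bool:
    """Policy adapter: VLAN membership only, port ignored."""
    return vlan_only_permits(src, dst)


def acl_policy(src: VM, dst: VM, port: int) -> bool:
    """Policy adapter: VLAN membership plus the per-VM ACL above."""
    return acl_permits(src, dst, port, RULES)


if __name__ == "__main__":
    targets = [VM2, VM3, VM4]
    print("VLAN-only:", reachable_flows(VM1, targets, PORTS, vlan_only_policy))
    print("Per-VM ACL:", reachable_flows(VM1, targets, PORTS, acl_policy))
```

Under the VLAN-only policy a compromised VM1 can reach every port on VM2 and VM3 (six flows) while VM4 in VLAN 20 stays unreachable; under the per-VM ACL the same VM1 can reach only VM2 on port 443, which is the intra-VLAN isolation the background section says traditional methods cannot provide.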
The disclosed methods and apparatuses are directed to solve one or more problems set forth above and other problems in the art.