Excerpt from the paper
To address the problem that security tools running inside the guest operating system are easy to attack and bypass, this paper proposes a network access control mechanism that combines components outside and inside the VM, and implements it on a cooperative VMM. The mechanism intercepts the virtual machine's network access from outside the VM, while an internal tool obtains information about the process that initiated the access, so that application-level network access control can be enforced. To improve performance, network access is divided into two stages, connection initiation and the access process, which are controlled separately. This combination of inside and outside makes internal information easy to obtain while retaining the high privilege and stealth of security monitoring from outside the VM, and it allows the network to be cut off completely when the system is compromised, reducing the possible damage. Tests show that the mechanism implements network access control for virtual machines with only a small impact on network performance.
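The following simulation is an added illustration of the design described in the abstract; it is not the paper's code and the paper's VMM implementation is not available here. It models the VMM-side interceptor as a Python class that sees each guest packet, asks a stand-in for the in-guest agent which process owns the socket, evaluates an application-level policy once at connection initiation, caches that verdict so the access stage is a plain table lookup, and provides a quarantine switch that drops all traffic when the guest is considered compromised. All process names, policy rules, addresses and packets are constructed assumptions.

```python
"""Simulated two-stage, VM-external, application-level network access control.

Added illustration, not the paper's code. Every name, rule and packet below is
constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (proto, src_ip, src_port, dst_ip, dst_port)
FiveTuple = Tuple[str, str, int, str, int]


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True marks connection initiation (TCP SYN)

    def key(self) -> FiveTuple:
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)


class GuestAgent:
    """Stands in for the in-guest tool that reports which process owns a socket."""

    def __init__(self, socket_table: Dict[Tuple[str, int], str]):
        # (proto, local_port) -> process name; constructed sample data
        self._table = socket_table

    def owner(self, pkt: Packet) -> Optional[str]:
        return self._table.get((pkt.proto, pkt.src_port))


@dataclass
class Policy:
    # process name -> allowed (dst_ip or "*", dst_port or 0 for any); default deny
    rules: Dict[str, set]

    def permits(self, proc: Optional[str], pkt: Packet) -> bool:
        if proc is None:
            return False  # owner unknown (agent silent or socket missing): deny
        for ip, port in self.rules.get(proc, ()):
            if ip in ("*", pkt.dst_ip) and port in (0, pkt.dst_port):
                return True
        return False


@dataclass
class ExternalController:
    """VMM-side interceptor: sees every guest packet, never runs inside the guest."""
    agent: GuestAgent
    policy: Policy
    quarantined: bool = False
    flows: Dict[FiveTuple, bool] = field(default_factory=dict)
    agent_queries: int = 0  # counts the expensive stage-1 round trips

    def handle(self, pkt: Packet) -> str:
        if self.quarantined:
            return "DROP"  # guest considered compromised: total cut-off
        k = pkt.key()
        if pkt.syn or k not in self.flows:
            # Stage 1, connection initiation: ask the agent for the owning
            # process, evaluate the application-level policy, cache the verdict.
            self.agent_queries += 1
            self.flows[k] = self.policy.permits(self.agent.owner(pkt), pkt)
        # Stage 2, access process: cached verdict only, no agent involvement.
        return "ALLOW" if self.flows[k] else "DROP"

    def quarantine(self) -> None:
        self.quarantined = True
        self.flows.clear()


def demo() -> Dict[str, object]:
    """Run constructed traffic through the controller and return the verdicts."""
    agent = GuestAgent({("tcp", 40000): "curl", ("tcp", 40001): "dropper.exe"})
    policy = Policy({"curl": {("*", 443)}})  # only curl may talk to port 443
    ctl = ExternalController(agent, policy)

    curl_flow: List[Packet] = [Packet("tcp", "10.0.0.5", 40000, "93.184.216.34", 443, syn=True)]
    curl_flow += [Packet("tcp", "10.0.0.5", 40000, "93.184.216.34", 443)] * 3
    curl_verdicts = [ctl.handle(p) for p in curl_flow]
    queries_after_curl = ctl.agent_queries  # one agent query for four packets

    # Same destination and port, different (unauthorised) process.
    dropper = ctl.handle(Packet("tcp", "10.0.0.5", 40001, "198.51.100.9", 443, syn=True))
    # Socket the agent does not know about at all.
    unknown = ctl.handle(Packet("udp", "10.0.0.5", 50000, "203.0.113.7", 53))

    ctl.quarantine()
    after_quarantine = ctl.handle(curl_flow[1])

    return {
        "curl": curl_verdicts,
        "queries_after_curl": queries_after_curl,
        "dropper": dropper,
        "unknown": unknown,
        "after_quarantine": after_quarantine,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The split mirrors the abstract's performance argument: the agent round trip and policy evaluation happen once per connection, and every later packet of that flow is decided from the cache, so the per-packet cost in the access stage stays close to that of a plain stateful filter.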