Technology of Security Service Chain Construction Based on SDN/NFV (基于SDN/NFV的安全服务链构建技术)
  • English title: Technology of Security Service Chain Construction Based on SDN/NFV
  • Authors: 张林杰 (ZHANG Linjie); 李倩 (LI Qian); 贾哲 (JIA Zhe); 曹丽惠 (CAO Lihui)
  • Affiliations: Science and Technology on Information Transmission and Dissemination in Communication Networks Laboratory (通信网信息传输与分发技术重点实验室); PLA Air Force Command College (空军指挥学院)
  • Keywords: software-defined network; network function virtualization; security service chain; traffic steering; firewall; intrusion detection; deep packet inspection
  • Journal: Radio Engineering (无线电工程), CNKI journal code WXDG
  • Publication date: 2018-10-19
  • Year: 2018
  • Issue: v.48; No.354
  • Funding: National Key Research and Development Program of China (2016YFB0800301)
  • Language: Chinese
  • Record ID: WXDG201811007
  • Number of pages: 6
  • CN:11
  • CN: 13-1097/TN
  • Pages: 30-35
Abstract
Traditional security service devices are tightly coupled with the network topology: their deployment positions are fixed, management and configuration are complex, security services are difficult to upgrade and extend, and the devices cannot adapt as the security requirements of network applications change. A security service chain (SSC) based on software-defined networking (SDN) enables dynamic deployment and on-demand orchestration of security services. This paper introduces the concept and classification of the SSC, describes its architecture, presents a method for constructing an SSC, and verifies the constructed chain experimentally. The test results show that the proposed SSC construction method can implement functions such as firewall, intrusion detection and deep packet inspection, and can orchestrate security services on demand by means of a traffic steering module to form a security service chain.