基于OpenDaylight防火墙的研究与实现
|
摘要
随着网络规模的持续发展,传统的分布式网络已经不能满足网络配置和管理的要求,软件定义网络作为一种全新的网络架构给网络安全研究提供了新的方向。该架构将数据转发层和控制层相分离,并且在控制层之上开放了应用程序编程接口。在深入分析软件定义网络的系统原理和架构设计的基础上,提出了基于OpenDaylight平台的软件定义网络防火墙的实现方案FireClient,并借助软件项目管理和依赖分析工具Maven和数据建模语言Yang,开发了上层应用调用模块。FireClient允许用户灵活修改策略,其在不同场景中的实际测试结果表明,使用基于软件定义网络的防火墙可以更为灵活的布置策略和快速实施。相比传统网络的配置和部署,软件定义网络使得第三方的快速应用开发成为可能,从而极大地推动了网络新业务的部署和拓展。
With the continuous growth of network scale,the traditional distributed network can no longer meet the requirements of network configuration and management. As an evolutionary network framework,software defined networking(SDN) provides a new direction for network security research. This new framework separates the data forwarding plane from the control plane and also provides application programming interfaces on top of the control plane. Based on the in-depth analysis of the system principle and architecture design of SDN,we propose the implementation scheme FireClient of SDN firewall based on OpenDaylight platform,and with the help of Maven,a software project management and dependency analysis tool,and Yang,a data modeling language,we develop the upper application call module. The users can modify policies flexibly with FireClient,and its test in different scenarios shows that the use of firewalls based on SDN can arrange policies flexibly and implement quickly. Compared with the traditional network configuration and deployment,SDN makes it possible for the rapid application development of the third party,thus greatly promoting the deployment and expansion of new network services.
With the continuous growth of network scale,the traditional distributed network can no longer meet the requirements of network configuration and management. As an evolutionary network framework,software defined networking(SDN) provides a new direction for network security research. This new framework separates the data forwarding plane from the control plane and also provides application programming interfaces on top of the control plane. Based on the in-depth analysis of the system principle and architecture design of SDN,we propose the implementation scheme FireClient of SDN firewall based on OpenDaylight platform,and with the help of Maven,a software project management and dependency analysis tool,and Yang,a data modeling language,we develop the upper application call module. The users can modify policies flexibly with FireClient,and its test in different scenarios shows that the use of firewalls based on SDN can arrange policies flexibly and implement quickly. Compared with the traditional network configuration and deployment,SDN makes it possible for the rapid application development of the third party,thus greatly promoting the deployment and expansion of new network services.
引文
[1] 戴彬,王航远,徐冠,等.SDN安全探讨:机遇与威胁并存[J].计算机应用研究,2014,31(8):2254-2262.
[2] 刘文懋,裘晓峰,陈鹏程,等.面向SDN环境的软件定义安全架构[J].计算机科学与探索,2015,9(1):63-70.
[3] MCKEOWN N,ANDERSON T,BALAKRISHNAN H,et al.OpenFlow:enabling innovation in campus networks[J].ACM SIGCOMM Computer Communication Review,2008,38(2):69-74.
[4] 王淑玲,李济汉,张云勇,等.SDN架构及安全性研究[J].电信科学,2013,29(3):117-122.
[5] GREENE K.TR10:software-defined networking[N].MIT Technology Review,2011-10-07.
[6] 王雪梅.基于OpenDavlight架构的路由组件的研究与实现[D].北京:北京邮电大学,2016.
[7] RADDA P.Brocade leads OpenFlow adoption to accelerate network virtualization and cloud application development[N].Reuters,2011-11-29.
[8] 文旭韬.SDN安全控制器的优化设计与实现[D].北京:北京邮电大学,2015.
[9] 费宁,陈春玲,毛燕琴.ASIC芯片OpenFlow交换机设计与实现[J].北京邮电大学学报,2016,39(6):93-98.
[10] 许晓斌.Maven实战[M].北京:机械工业出版社,2010:67-78.
[11] 钱言佳.基于Maven的CWAP框架基础单元层和基础服务层的设计与实现[D].南京:南京大学,2016.
[12] 常亚楠.基于YANG语言的NETCONF网络管理数据建模的研究与实现[D].武汉:华中师范大学,2009.
[13] 文俊浩,杨小义,谢军.扩展UML活动图在工作流建模中的应用[J].计算机应用研究,2007,24(12):244-245.
[14] MANNING J,BUTTFIELD-ADDISON P,NUGENT T.Swift development with Cocoa developing for the Mac and iOS App stores[M].北京:人民邮电出版社,2015.
[15] DOVEY J,FURROW A.Objective-C开发经典教程[M].北京:清华大学出版社,2014.
[2] 刘文懋,裘晓峰,陈鹏程,等.面向SDN环境的软件定义安全架构[J].计算机科学与探索,2015,9(1):63-70.
[3] MCKEOWN N,ANDERSON T,BALAKRISHNAN H,et al.OpenFlow:enabling innovation in campus networks[J].ACM SIGCOMM Computer Communication Review,2008,38(2):69-74.
[4] 王淑玲,李济汉,张云勇,等.SDN架构及安全性研究[J].电信科学,2013,29(3):117-122.
[5] GREENE K.TR10:software-defined networking[N].MIT Technology Review,2011-10-07.
[6] 王雪梅.基于OpenDavlight架构的路由组件的研究与实现[D].北京:北京邮电大学,2016.
[7] RADDA P.Brocade leads OpenFlow adoption to accelerate network virtualization and cloud application development[N].Reuters,2011-11-29.
[8] 文旭韬.SDN安全控制器的优化设计与实现[D].北京:北京邮电大学,2015.
[9] 费宁,陈春玲,毛燕琴.ASIC芯片OpenFlow交换机设计与实现[J].北京邮电大学学报,2016,39(6):93-98.
[10] 许晓斌.Maven实战[M].北京:机械工业出版社,2010:67-78.
[11] 钱言佳.基于Maven的CWAP框架基础单元层和基础服务层的设计与实现[D].南京:南京大学,2016.
[12] 常亚楠.基于YANG语言的NETCONF网络管理数据建模的研究与实现[D].武汉:华中师范大学,2009.
[13] 文俊浩,杨小义,谢军.扩展UML活动图在工作流建模中的应用[J].计算机应用研究,2007,24(12):244-245.
[14] MANNING J,BUTTFIELD-ADDISON P,NUGENT T.Swift development with Cocoa developing for the Mac and iOS App stores[M].北京:人民邮电出版社,2015.
[15] DOVEY J,FURROW A.Objective-C开发经典教程[M].北京:清华大学出版社,2014.