An Improved Method for Constructing a Docker-Based Network Security Experimental Platform
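  • English title: Modified Construction Method of Docker-based Network Security Experimental Platform
  • Authors: 李春林; 刘正军; 王冶; 徐锐
  • Authors (English): LI Chun-lin; LIU Zheng-jun; WANG Ye; XU Rui; Sichuan Provincial Key Laboratory of Cyberspace Security
  • Keywords: container; network security; service deployment; security isolation
  • Keywords (English): Docker; network security; service deployment; security isolation
  • Journal name (Chinese): TXJS
  • Journal name (English): Communications Technology
  • Institution: Sichuan Provincial Key Laboratory of Cyberspace Security
  • Publication date: 2019-04-10
  • Publisher: Communications Technology
  • Year: 2019
  • Issue: v.52; No.328
  • Funding: National Key R&D Program of China (No.2017YFB0803200); Sichuan Province Major Science and Technology Project (No.2017GZDZX0002)
  • Language: Chinese
  • Pages: TXJS201904027
  • Page count: 6
  • CN: 04
  • ISSN: 51-1167/TN
  • Classification number: 161-166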
Abstract
Existing Docker-based network security experimental platforms have poor isolation and no secure channel for data collection, which leaves the platforms with low security. To address this, an improved method for constructing a Docker-based network security experimental platform is proposed. The method adopts a multiple-security-domain approach and divides the platform into four domains: the basic resource domain, the experimental data domain, the service management domain, and the experimental scenario domain. Basic resources such as the basic experimental facilities and service images are isolated and protected by means of network virtualization. A secure data collection channel based on a two-level firewall is established to protect the data domain. The security risks in the service management domain and the experimental scenario domain are eliminated through dynamic creation and deletion. Analysis shows that the proposed construction method greatly improves the security of the network security experimental platform.
