Research of Network Defense in Depth of Cloud Data Center
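  • English title: Research of Network Defense in Depth of Cloud Data Center
  • Authors: 耿延军; 王俊; 周红亮
  • Authors (English): Geng Yan-jun; Wang Jun; Zhou Hong-liang; CMC Logistic Support Department Information Center
  • Keywords: cloud data center; network defense in depth; active defense
  • Keywords (English): Cloud Data Center; Defense in Depth; Active Defense
  • Chinese journal code: TXBM
  • English journal title: Information Security and Communications Privacy
  • Institution: CMC Logistic Support Department Information Center
  • Publication date: 2019-07-10
  • Publisher: Information Security and Communications Privacy
  • Year: 2019
  • Issue: No.307
  • Language: Chinese
  • Page: TXBM201907007
  • Number of pages: 8
  • CN: 07
  • ISSN: 51-1608/TN
  • Classification number: 24-31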
Abstract
Defense in depth is a classic idea in network security, but applying it to cloud data centers raises challenges. On the one hand, attackers and user virtual machines share the same cloud platform, so attacks can be launched from inside the data center. On the other hand, attack traffic between virtual machines never leaves the physical server or crosses the physical network boundary, so traditional protection measures cannot detect it. This paper therefore first analyzes the shortcomings of the traditional defense-in-depth model, then proposes an active defense-in-depth model that supports virtual networks, then designs a defense-in-depth architecture for cloud data centers based on that model, and finally evaluates it in terms of rationality, practicality, and advancement.
