Design and Implementation of a Campus Network Traffic Monitoring System
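Abstract
As campus network applications grow more complex and the network keeps expanding, network management faces higher demands. On one hand, campus network users' requirements for network performance keep rising; on the other hand, security threats in the campus network (such as DDoS, worms, and malicious code) are increasing. Campus network administrators need a comprehensive view of the network so that they can allocate bandwidth sensibly and keep critical services running normally, while promptly locating the source of events that cause network anomalies and effectively containing the spread of anomalous traffic. Existing network management software is designed for general networks; it can meet some limited requirements but lacks further network management support. Traffic monitoring is the foundation of network management. The implementation of the five functional areas of network management defined by the International Organization for Standardization all depends, to a greater or lesser degree, on network traffic monitoring. It is therefore necessary to implement network-wide traffic monitoring and control on top of the existing campus network management, so as to better manage and optimize the network.
     Based on the management requirements of our university's campus network and a study of the relevant current theory and technology, this paper proposes a detailed design for a distributed traffic monitoring system and implements a Web-based traffic monitoring management system. The specific work is as follows: using NetFlow configured on switches (or routers), a multi-tier, multi-collection-point distributed traffic collection architecture is designed; the functions of each site are encapsulated as Web services to implement interaction between sites; for controlling anomalous traffic, a policy-based anomalous-traffic linkage control framework is designed; and a traffic monitoring management system is implemented on the VS.Net platform with a SQL Server database at its core, providing traffic collection, analysis, alert display and other functions.
     First, to collect the required traffic information comprehensively and efficiently, this paper designs a NetFlow-based distributed traffic collection architecture. The distributed architecture spreads the task of collecting network-wide traffic across the areas of the campus network; collection points are placed at the core layer and the aggregation layer, to monitor egress traffic and the traffic of each area within the network, respectively. In this way, comprehensive traffic information is obtained for the campus network egress and for each area within the network.
     Second, the overall system architecture is designed as a two-level monitoring model, divided into a monitoring center and sub-sites, with Web services used for interaction between sites. Functions such as traffic information queries at the sub-sites and registration at the monitoring center are encapsulated as Web services and published on the network, which increases the flexibility and scalability of the system. In the database design, traffic information is stored at each sub-site, reducing the storage burden on the monitoring center.
     Third, for controlling anomalous traffic, a policy-based anomalous-traffic linkage control framework is designed, comprising sub-modules for policy description, storage, translation and delivery. The framework is characterized by centralized management and distributed execution. An anomalous-traffic detection engine is deployed at each collection point; when an anomaly occurs, it notifies the central policy server, which decides on and delivers the policy. The paper uses the linkage between the system's anomalous-traffic monitoring module and a firewall as an example to illustrate the whole policy linkage control flow.
     Fourth, the paper describes the implementation of the system's main modules on the VS.Net platform. The system was installed and tested on the backbone switches of the campus network, with good results.
     This paper completes the development of a traffic monitoring management system set against our university's campus network. Combining traffic monitoring with policy-based linkage in the system design is innovative to a degree. The system also effectively solves the problem of monitoring traffic across the whole campus network: on the basis of collected and analyzed traffic, it presents network traffic as charts and other views, and when anomalous traffic occurs it raises timely alerts and applies policy-based control, reducing the administrator's workload; it therefore has practical value.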
With the increasing complexity of network applications and the growing size of the campus network, network management is becoming more and more difficult. On one hand, campus users' requirements for network performance are increasing. On the other hand, security threats (e.g. DDoS, worms, malicious code) emerge from time to time. Network administrators need a global view of the network in order to allocate bandwidth properly and to locate the source of a traffic anomaly in time to prevent the anomalous traffic from spreading. Current network management software is aimed at ordinary networks and meets only limited requirements, without further management support. Traffic monitoring is the basis of network management. The International Organization for Standardization (ISO) specifies five basic functions of network management, and their implementation is mostly based on traffic monitoring. Therefore, it is necessary to develop a traffic monitoring system that provides network-wide monitoring and control on top of the current campus network management, for better management and optimization of the network.
     In this paper, based on the management requirements of our campus network and a study of current related techniques, a detailed design of a distributed traffic monitoring system is proposed, and a Web-based traffic monitoring system is implemented. The work is as follows: based on NetFlow collection on the switch (or router), we propose a multi-tier distributed traffic collection infrastructure with multiple collecting points; we encapsulate the site functions as Web Services to implement interaction between the sites; for the control of anomalous traffic, we design a policy-based cooperative control structure; and we implement a Web-based Traffic Monitoring Management System developed on the VS.Net platform with a SQL Server database.
     Firstly, to collect traffic information comprehensively and effectively, we design a distributed traffic-collecting infrastructure based on NetFlow. We distribute the collecting tasks to every area of our campus network. The collecting points are located in the core and aggregation layers to capture the in/out traffic and the internal traffic of the network. In this way, we obtain the complete traffic information of the network.
     Secondly, the system is designed as a two-level monitoring pattern, i.e. a monitoring center and sub-sites, using Web Services to implement the interaction between these sites. Functions of the system, such as queries to a sub-site and registration with the monitoring center, are encapsulated as Web Services and published on the Web, which increases the flexibility and scalability of the system. In the database design, the traffic information is distributed across the sub-sites, which alleviates the storage burden of the system.
     Thirdly, for the control of anomalies, we design a policy-based cooperative control structure, which covers the description, storage, exchange and delivery of policies. The structure features central management and distributed execution. An anomalous-traffic detection engine is set up at each collecting point. Once an anomaly occurs, the engine informs the central policy server, which determines and delivers the policy. In this paper, we use the cooperation between the traffic monitoring system and a firewall as an example to illustrate the control procedure.
     Fourthly, we describe the implementation of the system on the VS.Net platform. The system was installed and tested on the backbone switch of our campus network. The results show the feasibility and good effect of our system.
     In brief, this paper has developed a traffic monitoring management system based on our campus network. In the design of the system, we combine traffic monitoring with policy-based cooperation, which is a new idea in this field. The implemented system effectively solves the monitoring problem across the entire campus network. It presents the traffic information as graphs and tables based on the collected information. Once anomalous traffic occurs, it shows an alert on the web page and controls the traffic based on predefined policies. In all, it alleviates the burden on the network administrator and has practical value.
