Author:
吴泉峰;陈鸣;邢长友;张国敏;许博;文艾
Keywords:
software-defined networking;access control;security audit;OpenFlow;Hadoop
Abstract:
To create a network security environment that integrates attack prevention and flow monitoring, this work builds on the natural separation of the data plane and the control plane in software-defined networking (SDN) and uses the OpenFlow protocol's flow-level centralized control of the network to combine two network security technologies, access control and network auditing, proposing an SDN-based flow access security system (SDN-FASS). The SDN-FASS architecture is designed, its working process for providing the access control and audit functions is discussed, and several key techniques are studied: the security policy for access control, and flow-log extraction and analysis for network auditing. To test the access control and network security auditing characteristics of SDN-FASS, a prototype system was built and experiments on multi-dimensional control and flow-log trace-back analysis were conducted. The results show that the system can flexibly define network access control security policies, efficiently obtain flow records online, and search massive flow logs at millisecond speed; it can be used not only to prevent attacks from outside the network but also to monitor illegal operations inside the network.
English title:
Design and implementation of a flow access security system based on SDN
Author:
WU Quanfeng;CHEN Ming;XING Changyou;ZHANG Guomin;XU Bo;WEN Ai;College of Command Information Systems,PLA University of Science and Technology
Keywords:
software defined networking;access control;security audit;OpenFlow;Hadoop
Abstract:
To create a network security environment that prevents attacks and monitors flows, the natural separation of the network data plane and control plane in software defined networking (SDN) was exploited, and the OpenFlow protocol's flow-level centralized control was used to integrate two network security technologies, access control and network audit. An SDN based flow access security system (SDN-FASS) was proposed. The architecture of SDN-FASS was designed, the working process of its access control and audit functions was discussed, and the security policy of access control and the flow log extraction and analysis were studied. To test the access control and network security audit characteristics of SDN-FASS, a prototype system was built to conduct tests of multi-dimensional control and flow-log trace-back analysis. The results show that the system provides flexible definition of network access control security policy, efficient online access to flow records and fast searching of mass flow logs. The proposed system can prevent network attacks and monitor illegal operations within the network.