
Research and Practice of Dynamic Network Security Architecture for IaaS Platforms (cited by: 6)

Abstract: Network security requirements based on virtual network technologies in IaaS platforms and the corresponding solutions were reviewed. A dynamic network security architecture was proposed, built on software defined networking, Virtual Machine (VM) traffic redirection, unified management of network policies, software defined isolation networks, vulnerability scanning, and software updates. The proposed architecture obtained detection and access control capabilities for VM traffic by redirecting it to configurable security appliances, and ensured the effectiveness of network policies over the whole life cycle of a VM by configuring the policies in the right place at the appropriate time, according to the effects of VM state transitions. Virtual isolation domains for tenants' VMs could be built flexibly from VLAN policies or Netfilter/iptables firewall appliances, and vulnerability scanning as a service and software update as a service were both provided as security supports. Through cooperation with IDS appliances and automatic alarm mechanisms, the proposed architecture could dynamically mitigate a wide range of network-based attacks. The experimental results demonstrate the effectiveness of the proposed architecture.
Source: Tsinghua Science and Technology (indexed in SCIE, EI, CAS), 2014, Issue 5, pp. 496-507 (12 pages); Chinese title 清华大学学报(自然科学版)(英文版)
Funding: supported by the National Natural Science Foundation of China (No. 61272447), the National Key Technology Research and Development Program of China (No. 2012BAH18B05), and the National New Generation Broadband Wireless Mobile Communication Network Major Project (03 Project) of China (No. 12H1510)
Keywords: cloud computing; network security; IaaS; life cycle; network policy