Journal article

A Method of OpenFlow-Based Real-Time Conflict Detection and Resolution for SDN Access Control Policies
(Original title: 一种基于OpenFlow的SDN访问控制策略实时冲突检测与解决方法)
Times cited: 31
Abstract: Software-Defined Networking (SDN) is a network architecture proposed by the Clean Slate research group at Stanford University. It defines and controls the network through software, separates the control plane from the forwarding plane, and exposes open, programmable interfaces; these properties give research on new Internet architectures an experimental platform and have strongly driven the development of the next-generation Internet. OpenFlow is the principal SDN protocol and defines the communication standard between SDN controllers and switches, and many OpenFlow-based SDN devices are already deployed in practice. OpenFlow-based SDN nevertheless faces many security challenges, one of the most important being how to build a secure and reliable SDN firewall application. Because the OpenFlow protocol is stateless, an existing SDN firewall can be bypassed simply by rewriting the flow entries in the switches. Against this threat the authors propose a real-time, dynamic policy conflict detection and resolution method based on Flowpath. By acquiring the SDN network state in real time, the method accurately detects both direct and indirect violations of the firewall policy, and once a conflict is found it resolves it automatically and at fine granularity on the basis of the Flowpath. Finally, the authors implement a security-enhanced firewall application, FlowVerifier, on the open-source Floodlight controller and evaluate its performance and effectiveness in Mininet. The results show that FlowVerifier can detect and automatically resolve the policy conflicts, and the security threats they bring, that flow-entry rewriting introduces into an SDN network.
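The Python sketch below is an added example and is not FlowVerifier's code or the authors' algorithm; the Entry/Network model, the helper names (find_violations, resolve, demo) and the constructed three-host topology, flow entries and deny rule are all assumptions made for illustration. It shows the distinction the abstract draws: a per-entry check of the firewall policy sees nothing wrong with a rewrite entry whose match is an allowed address pair, whereas tracing the flow path from the packet's origin to the host that finally receives it exposes the bypass, and the fix blocks only the offending subflow at its ingress switch instead of deleting the whole entry.

```python
"""Flowpath-style firewall check over a toy OpenFlow network (added illustration, not FlowVerifier's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Header = Dict[str, str]       # e.g. {"src": "10.0.0.1", "dst": "10.0.0.3", "in_port": "1"}
Pair = Tuple[str, str]


@dataclass(frozen=True)
class Entry:
    match: Tuple[Pair, ...]        # exact-match fields; a field not listed is a wildcard
    set_fields: Tuple[Pair, ...]   # header rewrites applied before output (OpenFlow set-field)
    output: str                    # "port:<n>" or "drop"
    priority: int = 0

    def matches(self, hdr: Header) -> bool:
        return all(hdr.get(f) == v for f, v in self.match)


class Network:
    def __init__(self) -> None:
        self.tables: Dict[str, List[Entry]] = {}
        self.links: Dict[Pair, Pair] = {}   # (switch, port) -> (peer, port); peer "host:<ip>" ends a path
        self.hosts: Dict[str, Pair] = {}    # host ip -> (attached switch, port)

    def attach_host(self, ip: str, sw: str, port: str) -> None:
        self.hosts[ip] = (sw, port)
        self.links[(sw, port)] = ("host:" + ip, "")

    def install(self, sw: str, entry: Entry) -> None:
        self.tables.setdefault(sw, []).append(entry)

    def lookup(self, sw: str, hdr: Header) -> Optional[Entry]:
        hits = [e for e in self.tables.get(sw, []) if e.matches(hdr)]
        return max(hits, key=lambda e: e.priority) if hits else None

    def flowpath(self, src_ip: str, hdr: Header):
        """Follow a packet sent by host src_ip hop by hop, applying each matching entry's
        rewrites; returns (hops, ip of the host that finally received it or None)."""
        sw, port = self.hosts[src_ip]
        hdr, hops = dict(hdr, in_port=port), []
        for _ in range(32):                                   # loop guard
            e = self.lookup(sw, hdr)
            if e is None or e.output == "drop":
                return hops, None
            out = dict(hdr, **dict(e.set_fields))             # apply the entry's rewrites
            hops.append((sw, e, out))
            peer, peer_port = self.links.get((sw, e.output.split(":")[1]), (None, None))
            if peer is None:
                return hops, None
            if peer.startswith("host:"):
                return hops, peer[len("host:"):]
            sw, hdr = peer, dict(out, in_port=peer_port)
        return hops, None


def find_violations(net: Network, deny: List[Pair]) -> List[dict]:
    """Probe every (source host, destination) pair on the live tables and report packets that
    reach a denied host; 'indirect' means a rewrite on the path made every entry look allowed."""
    found = []
    for src in net.hosts:
        for dst in net.hosts:
            if src == dst:
                continue
            hops, delivered = net.flowpath(src, {"src": src, "dst": dst})
            if delivered is not None and (src, delivered) in deny:
                rewritten = any(h[2]["src"] != src or h[2]["dst"] != dst for h in hops)
                found.append({"probe": (src, dst), "delivered": delivered,
                              "kind": "indirect" if rewritten else "direct",
                              "path": [h[0] for h in hops]})
    return found


def resolve(net: Network, violation: dict) -> None:
    """Fine-grained fix: drop only the offending subflow at its ingress switch."""
    src, dst = violation["probe"]
    sw, port = net.hosts[src]
    net.install(sw, Entry((("in_port", port), ("src", src), ("dst", dst)), (), "drop", 1000))


def demo(with_firewall_drop: bool = True):
    """Constructed scenario: policy denies 10.0.0.1 -> 10.0.0.2; a rogue entry at s1 rewrites
    10.0.0.1 -> 10.0.0.3 packets so they reach 10.0.0.2 looking as if sent by 10.0.0.3."""
    net = Network()
    net.attach_host("10.0.0.1", "s1", "1")
    net.attach_host("10.0.0.3", "s1", "2")
    net.attach_host("10.0.0.2", "s2", "1")
    net.links[("s1", "3")] = ("s2", "2")
    deny = [("10.0.0.1", "10.0.0.2")]
    net.install("s1", Entry((("dst", "10.0.0.2"),), (), "port:3", 10))      # ordinary forwarding
    net.install("s2", Entry((("dst", "10.0.0.2"),), (), "port:1", 10))
    if with_firewall_drop:                                                    # the firewall app's own entry
        net.install("s1", Entry((("src", "10.0.0.1"), ("dst", "10.0.0.2")), (), "drop", 100))
    net.install("s1", Entry((("src", "10.0.0.1"), ("dst", "10.0.0.3")),      # rogue rewrite entry
                            (("src", "10.0.0.3"), ("dst", "10.0.0.2")), "port:3", 50))
    before = find_violations(net, deny)
    for v in before:
        resolve(net, v)
    return net, before, find_violations(net, deny)
```

demo() returns the network, the violations found before resolution (one indirect violation: the packet 10.0.0.1 sends to 10.0.0.3 is delivered to 10.0.0.2 via s1 and s2) and the violations left afterwards (none), while 10.0.0.3's own traffic to 10.0.0.2 still gets through. demo(with_firewall_drop=False) additionally reports a direct violation, where the denied pair is forwarded with no rewrite at all.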
Source: Chinese Journal of Computers (《计算机学报》), 2015, No. 4, pp. 872-883 (12 pages). Indexed in EI, CSCD and the Peking University core journal list.
Funding: National Key Basic Research Program of China ("973" Program, 2014CB340600); National Natural Science Foundation of China (61173138, 61402342, 61003628).
Keywords: software-defined networking; OpenFlow; policy; conflict detection and resolution; access control

Co-cited references: 164. Citing works: 31. Second-level citing works: 213.
