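Abstract
An OpenFlow-based state inspection firewall system is proposed. The scheme adds state tables and shifted flow tables to the SDN controller and switch and defines state transition rules for each packet type, so that the state of the SDN network can be monitored. Finally, a state inspection firewall system is implemented on the open-source controller Floodlight and Open vSwitch, and its performance is evaluated. The results show that the OpenFlow-based SDN state inspection firewall can identify different types of packets and provides state-based fine-grained access control that existing SDN firewalls cannot.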
A new SDN state inspection firewall system based on the OpenFlow protocol is proposed. In this scheme, state tables and shifted flow tables are added to the SDN controller and switch, and corresponding state transition rules are formulated on the basis of packet type, so that the firewall is able to inspect SDN network state. The SDN state inspection firewall is implemented on the open-source controller Floodlight and Open vSwitch. The performance evaluation shows that the SDN state inspection firewall can recognize the type of packets; moreover, it achieves fine-grained access control that present SDN firewalls cannot offer.
Authors
Wang Juan (王鹃)
Liu Shihui (刘世辉)
Wen Ru (文茹)
Hong Zhi (洪智)
Wang Jiang (王江)
Fan Chengyang (樊成阳)
Zhang Haozhe (张浩喆)
WANG Juan; LIU Shihui; WEN Ru; HONG Zhi; WANG Jiang; FAN Chengyang; ZHANG Haozhe (State Key Laboratory of Software Engineering, Wuhan 430072, China; Key Laboratory of Aerospace Information Security and Trust Computing, Ministry of Education, Wuhan 430072, China; Computer School of Wuhan University, Wuhan 430072, China; Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China)
Source
Computer Engineering and Applications (《计算机工程与应用》)
CSCD
Peking University Core Journal
2018, Issue 15, pp. 84-90 (7 pages)
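Funding
Key Program of the National Natural Science Foundation of China (No. 61402342, No. 61173138, No. 61103628)
National Key Basic Research Program of China (973 Program) (No. 2014CB340600)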