信息网络安全 ›› 2020, Vol. 20 ›› Issue (8): 37-46. doi: 10.3969/j.issn.1671-1122.2020.08.005

• Technical Research •

A Zero-Trust-Based Access Control Method for SDN Networks

WU Yunkun1, JIANG Bo2, PAN Ruixuan3, LIU Yuling4

  1. University of Chinese Academy of Sciences, Beijing 100049, China
    2. China Academy of Information and Communications Technology, Beijing 100191, China
    3. Information Engineering University, Zhengzhou 450004, China
    4. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100190, China
  • Received: 2020-06-08 Online: 2020-08-10 Published: 2020-10-20
  • Corresponding author: WU Yunkun, E-mail: wuyunkun@qianxin.com
  • About the authors: WU Yunkun (born 1975), male, from Jiangsu, senior engineer, master's degree; main research interests: big data security, situational awareness, identity security and industrial internet security. JIANG Bo (born 1987), male, from Beijing, engineer, master's degree; main research interests: software-defined networking, data analysis and radio management informatization. PAN Ruixuan (born 1995), female, from Shaanxi, master's student; main research interest: network access control. LIU Yuling (born 1982), male, from Shandong, associate professor, Ph.D.; main research interests: network security evaluation and classified protection of cybersecurity.
  • Funding:
    National Natural Science Foundation of China (61902427)

A SDN Access Control Mechanism Based on Zero Trust

WU Yunkun1, JIANG Bo2, PAN Ruixuan3, LIU Yuling4

  1. University of Chinese Academy of Sciences, Beijing 100049, China
    2. China Academy of Information and Communications Technology, Beijing 100191, China
    3. Information Engineering University, Zhengzhou 450004, China
    4. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100190, China
  • Received: 2020-06-08 Online: 2020-08-10 Published: 2020-10-20
  • Contact: WU Yunkun, E-mail: wuyunkun@qianxin.com

Abstract (Chinese version, translated):

Software-defined networking (SDN) is a new network architecture that separates logical control from data forwarding. It gives the Internet the ability to evolve smoothly to meet current and future needs, has become the direction in which the future Internet is developing, and offers a new way of thinking about network security problems. SDN networks currently lack an effective dynamic network access control mechanism, so this paper proposes a zero-trust-based access control method for SDN networks. First, the security concept of "zero trust" is introduced to build a network access control framework for SDN networks; the framework monitors users' behavior in real time after they join the network, measures their trust, and dynamically adjusts their resource access privileges according to the measurement results. Next, a graded set of user behavior trust metrics for SDN networks is designed, selecting behavior metrics that the SDN southbound protocol OpenFlow can meter so that the metric values are easy to measure. Then a cloud-theory-based user behavior trust measurement algorithm is designed, and a behavior-based dynamic user trust measurement mechanism together with a flow-table-based SDN network resource access control method are proposed: taking the stance of "never trust, always verify", users' behavior in the network is continuously monitored at periodic intervals, their trust values are measured from the behavior data, and when a user's trust level drops to untrusted, the SDN controller quickly issues flow entries to stop the user from accessing the network further. Finally, simulation experiments verify the effectiveness of the model and method; the results show that the method achieves finer-grained and more dynamic access control.

Key words (Chinese version, translated): SDN network, access control, zero trust, cloud theory, trust measurement

Abstract:

Software-defined networking (SDN) is a new network architecture that separates logic control from data forwarding. It can give the Internet the ability to evolve smoothly to meet current and future needs. SDN has not only become a new development direction for the future Internet but also offers a new way to solve network security problems. At present, SDN networks lack an effective dynamic network access control mechanism. Therefore, this paper proposes a zero-trust-based access control method for SDN networks. Firstly, the security concept of "zero trust" is introduced to construct a network access control framework for SDN networks. The proposed framework achieves real-time monitoring and trust measurement of insider user behavior. Moreover, it can dynamically adjust users' resource access privileges according to the measurement results. Then, a set of user behavior trust metrics for SDN networks is designed, and behavior metrics that OpenFlow can meter are selected so that the metric values are easy to measure. A dynamic mechanism for measuring user trust from behavior, together with flow-table-based access control of SDN network resources, is proposed. From the viewpoint of "never trust and always verify", the behavior of users in the network is monitored periodically, and each user's trust value is measured from their behavior data. When a user's trust degree drops to untrusted, flow table entries are quickly issued to prevent the user from continuing to access the network. Finally, the effectiveness of the proposed model and method is verified by simulation. The experiments show that our method achieves more fine-grained and dynamic access control.
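As an added example that is not code from the paper, the following Python sketch simulates the cycle the abstract describes: OpenFlow counters are sampled per period and scored, a backward cloud generator turns the scores into a trust cloud (Ex, En, He), the cloud is graded, and for an untrusted user the drop rule the controller would push is produced in ovs-ofctl syntax. The baselines, thresholds, score normalisation and the use of Ex minus En as the trust value are assumptions; the paper's own measurement algorithm and metric set are not reproduced.

```python
"""Added example (not from the paper): a simplified trust-measurement and
flow-table enforcement loop. Baselines, thresholds and score mapping are assumed."""
import math
from statistics import mean, pvariance

BASE_PKTS, BASE_FLOWS = 2000, 50   # assumed per-period baselines for one user

def behavior_score(pkts, nbytes, flows):
    """Map OpenFlow counters (packet_count, byte_count, new flows) to a 0..1
    score: 1.0 at or under baseline, decaying as traffic or flow creation grows.
    byte_count is carried for completeness but unused by this simplified score."""
    over = max(pkts / BASE_PKTS, flows / BASE_FLOWS, 1.0)
    return 1.0 / over

def backward_cloud(xs):
    """Backward cloud generator: estimate the cloud characteristics (Ex, En, He)
    of a sample set using the standard cloud-theory formulas."""
    ex = mean(xs)
    en = math.sqrt(math.pi / 2) * mean(abs(x - ex) for x in xs)
    he = math.sqrt(abs(pvariance(xs) - en * en))
    return ex, en, he

def trust_level(ex, en):
    """Grade trust: Ex is the expected behaviour score, En (entropy) penalises
    unstable behaviour. Thresholds are assumed."""
    t = ex - en
    if t >= 0.8:
        return "trusted"
    if t >= 0.5:
        return "suspicious"
    return "untrusted"

def enforce(user_ip, level, bridge="br0"):
    """Rule the controller pushes for an untrusted user: a high-priority drop
    on the user's source address, in ovs-ofctl add-flow syntax."""
    if level == "untrusted":
        return f'ovs-ofctl add-flow {bridge} "priority=1000,ip,nw_src={user_ip},actions=drop"'
    return None

def evaluate(user_ip, samples):
    """One measurement cycle: counters -> scores -> cloud -> grade -> rule."""
    scores = [behavior_score(*s) for s in samples]
    ex, en, _he = backward_cloud(scores)
    level = trust_level(ex, en)
    return level, enforce(user_ip, level)

# Constructed samples: (packet_count, byte_count, new_flows) per period.
NORMAL = [(1500, 900_000, 20), (1800, 1_000_000, 25), (1600, 950_000, 22)]
SUSPECT = [(1500, 900_000, 20), (1800, 1_000_000, 25), (1600, 950_000, 22), (1900, 1_100_000, 100)]
SCANNER = [(1500, 900_000, 20), (4000, 400_000, 400), (8000, 800_000, 1200)]
```

`evaluate("10.0.0.5", SCANNER)` yields the untrusted grade and the drop rule, while the NORMAL user stays trusted with no rule issued.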

Key words: SDN network, access control, zero trust, cloud theory, credible measurement

CLC number: