信息网络安全 ›› 2019, Vol. 19 ›› Issue (10): 1-9.doi: 10.3969/j.issn.1671-1122.2019.10.001

• 等级保护 •    下一篇

面向虚拟化环境的网络访问控制系统

时向泉, 陶静(), 赵宝康   

  1. 国防科技大学计算机学院,湖南长沙 410073
  • 收稿日期:2019-05-10 出版日期:2019-10-10 发布日期:2020-05-11
  • 通讯作者: 陶静 E-mail:ellen5702@aliyun.com
  • 作者简介:

    作者简介:时向泉(1972—),男,天津,副研究员,博士,主要研究方向为云计算数据中心网络、软件定义网络、网络空间安全;陶静(1971—),女,吉林,副研究员,硕士,主要研究方向为软件定义网络、网络空间安全;赵宝康(1981—),男,湖北,副教授,博士,主要研究方向为软件定义网络、天地一体化网络、网络空间安全。

  • 基金资助:
    国家自然科学基金[61601483];国家重点研发计划[2017YFB0802300]

A Network Access Control System in Virtualized Environments

Xiangquan SHI, Jing TAO(), Baokang ZHAO   

  1. College of Computer, National University of Defense Technology, Changsha Hunan 410073, China
  • Received:2019-05-10 Online:2019-10-10 Published:2020-05-11
  • Contact: Jing TAO E-mail:ellen5702@aliyun.com

摘要:

网络访问控制技术是保障网络通信系统安全的主要技术之一,在传统数据中心、园区网和企业网得到普遍应用。虚拟化环境下,传统的基于交换机物理端口的网络访问控制技术很难对虚拟机网络访问进行有效控制。文章全面分析了虚拟化环境下导致传统网络访问控制技术失效的原因,并据此提出了面向虚拟化环境的网络访问控制系统框架VE-NAC,设计了适用于虚拟化环境的网络访问控制流程。该框架与802.1x协议兼容,不需要对认证客户端进行修改。文章在openstack虚拟化环境下对VE-NAC予以实现,并对VE-NAC原型系统进行了功能测试和延迟测试,验证了VE-NAC在虚拟化环境中实施网络访问控制的有效性和可行性。

关键词: 虚拟化环境, SDN, OpenFlow, 网络访问控制

Abstract:

Network access control technology is one of the main technologies to ensure the security of network communication systems. It is widely used in traditional data centers, campus networks and enterprise networks. However, in virtualized environment, traditional port-based network access control (PNAC) is difficult to effectively control virtual machine network access. This paper comprehensively analyzes the reasons of the failure of traditional network access control technology in virtualized environment, develops a network access control framework VE-NAC for virtualized environment, and designs the network access control process suitable for virtualized environment. VE-NAC is compatible with 802.1x protocol and does not need to modify the authentication client. This paper implements VE-NAC in openstack virtualization environment, and tests the functions and delay of VE-NAC prototype system, which verifies the validity and feasibility of VE-NAC implementing network access control in virtualization environment.

Key words: virtualized environment, SDN, OpenFlow, network access control

中图分类号: