面向虚拟化环境的网络访问控制系统

doi:10.3969/j.issn.1671-1122.2019.10.001

信息网络安全 ›› 2019, Vol. 19 ›› Issue (10): 1-9.doi: 10.3969/j.issn.1671-1122.2019.10.001

• 等级保护 • 下一篇

面向虚拟化环境的网络访问控制系统

时向泉, 陶静(), 赵宝康

国防科技大学计算机学院,湖南长沙 410073

收稿日期:2019-05-10 出版日期:2019-10-10 发布日期:2020-05-11
通讯作者: 陶静 E-mail:ellen5702@aliyun.com
作者简介:
作者简介：时向泉（1972—）,男,天津,副研究员,博士,主要研究方向为云计算数据中心网络、软件定义网络、网络空间安全;陶静（1971—）,女,吉林,副研究员,硕士,主要研究方向为软件定义网络、网络空间安全;赵宝康（1981—）,男,湖北,副教授,博士,主要研究方向为软件定义网络、天地一体化网络、网络空间安全。
基金资助:
国家自然科学基金[61601483];国家重点研发计划[2017YFB0802300]

A Network Access Control System in Virtualized Environments

Xiangquan SHI, Jing TAO(), Baokang ZHAO

College of Computer, National University of Defense Technology, Changsha Hunan 410073, China

Received:2019-05-10 Online:2019-10-10 Published:2020-05-11
Contact: Jing TAO E-mail:ellen5702@aliyun.com

摘要/Abstract

摘要：

网络访问控制技术是保障网络通信系统安全的主要技术之一,在传统数据中心、园区网和企业网得到普遍应用。虚拟化环境下,传统的基于交换机物理端口的网络访问控制技术很难对虚拟机网络访问进行有效控制。文章全面分析了虚拟化环境下导致传统网络访问控制技术失效的原因,并据此提出了面向虚拟化环境的网络访问控制系统框架VE-NAC,设计了适用于虚拟化环境的网络访问控制流程。该框架与802.1x协议兼容,不需要对认证客户端进行修改。文章在openstack虚拟化环境下对VE-NAC予以实现,并对VE-NAC原型系统进行了功能测试和延迟测试,验证了VE-NAC在虚拟化环境中实施网络访问控制的有效性和可行性。

关键词: 虚拟化环境, SDN, OpenFlow, 网络访问控制

Abstract:

Network access control technology is one of the main technologies to ensure the security of network communication systems. It is widely used in traditional data centers, campus networks and enterprise networks. However, in virtualized environment, traditional port-based network access control (PNAC) is difficult to effectively control virtual machine network access. This paper comprehensively analyzes the reasons of the failure of traditional network access control technology in virtualized environment, develops a network access control framework VE-NAC for virtualized environment, and designs the network access control process suitable for virtualized environment. VE-NAC is compatible with 802.1x protocol and does not need to modify the authentication client. This paper implements VE-NAC in openstack virtualization environment, and tests the functions and delay of VE-NAC prototype system, which verifies the validity and feasibility of VE-NAC implementing network access control in virtualization environment.

Key words: virtualized environment, SDN, OpenFlow, network access control

中图分类号:

TP309

时向泉, 陶静, 赵宝康. 面向虚拟化环境的网络访问控制系统[J]. 信息网络安全, 2019, 19(10): 1-9.

Xiangquan SHI, Jing TAO, Baokang ZHAO. A Network Access Control System in Virtualized Environments[J]. Netinfo Security, 2019, 19(10): 1-9.

图/表 8

图1

图2

图3

图4

图5

表1

表2

表3

参考文献 13

[1]	FENG Dengguo, ZHANG Min, ZHANG Yan, et al.Study on Cloud Computing Security[J]. Journal of Software, 2011, 22(1): 71-83.
	冯登国,张敏,张妍,等.云计算安全研究[J].软件学报,2011,22(1):71-83.
[2]	LIN Chuang, SU Wenbo, MENG Kun, et al.Cloud Computing Security: Architecture,Mechanism and Modeling[J]. Chinese Journal of Computers, 2013,36(9):1765-1784.
	林闯,苏文博,孟坤,等.云计算安全:架构、机制与模型评价[J].计算机学报,2013,36(9):1765-1784.
[3]	INDU I, RUBESH ANAND P M, BHASKAR V. Identity and Access Management in Cloud Environment: Mechanisms and Challenges[J].Engineering Science and Technology, 2018,21(4):574-588.
[4]	BENTON K, CAMP L J, SMALL C.OpenFlow Vulnerability Assessment[C]//ACM.2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, August 16, 2013,HongKong, China. New York: ACM, 2013: 151-152.
[5]	DANGOVAS V, KULIESIUS F. SDN-DrivenAuthentication and Access Control System[EB/OL]. , 2017-12-23.
[6]	DARGAHI T, CAPONI A, AMBROSIN M, et al.A Survey on the Security of Stateful SDN Data Planes[J]. IEEE Communications Surveys & Tutorials, 2017, 19(3): 1701-1725.
[7]	NAYAK A K, REIMERS A, FEAMSTER N, et al.Resonance: Dynamic Access Control for Enterprise Networks[C]//ACM. The 1st ACM Workshop on Research on Enterprise Networking, August 21, 2009, Barcelona, Spain. New York: ACM, 2009: 11-18.
[8]	MATTOS D M F, DUARTE O C M B. AuthFlow: Authentication and Access Control Mechanism for Software Defined Networking[J].Annals of Telecommunications, 2016, 71(11-12): 607-615.
[9]	MATIAS J, GARAY J, MENDIOLA A, et al.FlowNAC: Flow-based Network Access Control[C]//IEEE. 2014 Third European Workshop on Software Defined Networks, September 1-3, 2014, London, UK.NJ: IEEE, 2014: 79-84.
[10]	YAKASAI S T, GUY C G.FlowIdentity: Software-Defined Network Access Control[C]//IEEE. 2015 IEEE Conference on Network Function Virtualization and Software Defined Network, November 18-21, 2015, San Francisco, CA, USA.NJ: IEEE, 2015: 115-120.
[11]	HAUSER F, SCHMIDT M, MENTH M.Establishing A Session Database for SDN Using 802.1X and Multiple Authentication Resources[C]//IEEE. 2017 IEEE International Conference on Communications, May 21-25, 2017, Paris, France.NJ:IEEE,2017: 1-7.
[12]	SHIN J W, LEE H Y, LEE W J, et al.Access Control with ONOS Controller in the SDN based WLAN Testbed[C]//IEEE. 2016 Eighth International Conference on Ubiquitous and Future Networks, July 5-8, 2016, Vienna, Austria.NJ:IEEE, 2016::656-660.
[13]	NIFE F, KOTULSKI Z.New SDN-Oriented Authentication and Access Control Mechanism[M]//Springer. International Conference on Computer Networks. Cham: Springer, Cham, 2018: 74-88.

虚拟机个数/个	虚拟机认证和授权延迟/ms
1	719.62
5	741.81
10	782.73
20	814.83

迁移虚拟机个数/个	虚拟机迁移认证和授权延迟/ms
1	189.32
5	190.57
10	191.23
20	194.43

重启虚拟机个数/个	重启虚拟机认证和授权延迟/ms
1	45.89
5	47.15
10	47.86
20	48.59

面向虚拟化环境的网络访问控制系统

A Network Access Control System in Virtualized Environments

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 8

参考文献 13

相关文章 12

编辑推荐

Metrics

本文评价

[1]	董庆贺, 何倩, 江炳城, 刘鹏. 面向云数据库的多租户属性基安全隔离与数据保护方案[J]. 信息网络安全, 2018, 18(7): 60-68.
[2]	朱维军, 樊永文, 班绍桓. 动态虚拟MSISDN的拟态自动机模型与安全性验证方法[J]. 信息网络安全, 2018, 18(4): 15-22.
[3]	魏占祯, 王守融, 李兆斌, 李伟隆. 基于OpenFlow的SDN终端接入控制研究[J]. 信息网络安全, 2018, 18(4): 23-31.
[4]	门红, 姚顺利. 安全监控虚拟云安全网络架构研究[J]. 信息网络安全, 2017, 17(3): 14-20.
[5]	梁昊鸣, 陈春林, 刘锡, 刘志鹏. 基于OpenFlow的恶意网站防范模型设计与研究[J]. 信息网络安全, 2017, 17(1): 77-83.
[6]	左青云, 张海粟. 基于OpenFlow的SDN网络安全分析与研究[J]. 信息网络安全, 2015, 15(2): 26-32.
[7]	王鑫，高能，马存庆，薛聪. 分布式SDN控制器的规则冲突解决方案[J]. 信息网络安全, 2014, 14(9): 6-6.
[8]	薛聪，马存庆，刘宗斌，章庆隆. 一种安全SDN控制器架构设计[J]. 信息网络安全, 2014, 14(9): 34-38.
[9]	王一飞. 陌生网络边界防火墙规则配置方法研究[J]. 信息网络安全, 2014, 14(9): 161-164.
[10]	胡章丰;郭春梅;毕学尧. 云计算及SDN与安全技术研究[J]. , 2013, 13(10): 0-0.
[11]	郭春梅;张如辉;毕学尧. SDN网络技术及其安全性研究[J]. , 2012, 12(8): 0-0.
[12]	陈震;邓法超;黄石海;彭雪海;李国栋;姜欣;罗安安;彭冬生;张英;张闰华. TCG-TNC可信网络连接系统设计与实现[J]. , 2009, 9(7): 0-0.