A Network Access Control System in Virtualized Environments

doi:10.3969/j.issn.1671-1122.2019.10.001

Abstract

Abstract:

Network access control technology is one of the main technologies to ensure the security of network communication systems. It is widely used in traditional data centers, campus networks and enterprise networks. However, in virtualized environment, traditional port-based network access control (PNAC) is difficult to effectively control virtual machine network access. This paper comprehensively analyzes the reasons of the failure of traditional network access control technology in virtualized environment, develops a network access control framework VE-NAC for virtualized environment, and designs the network access control process suitable for virtualized environment. VE-NAC is compatible with 802.1x protocol and does not need to modify the authentication client. This paper implements VE-NAC in openstack virtualization environment, and tests the functions and delay of VE-NAC prototype system, which verifies the validity and feasibility of VE-NAC implementing network access control in virtualization environment.

Key words: virtualized environment, SDN, OpenFlow, network access control

CLC Number:

TP309

Xiangquan SHI, Jing TAO, Baokang ZHAO. A Network Access Control System in Virtualized Environments[J]. Netinfo Security, 2019, 19(10): 1-9.

Figures/Tables 8

References 13

[1]	FENG Dengguo, ZHANG Min, ZHANG Yan, et al.Study on Cloud Computing Security[J]. Journal of Software, 2011, 22(1): 71-83.
	冯登国,张敏,张妍,等.云计算安全研究[J].软件学报,2011,22(1):71-83.
[2]	LIN Chuang, SU Wenbo, MENG Kun, et al.Cloud Computing Security: Architecture,Mechanism and Modeling[J]. Chinese Journal of Computers, 2013,36(9):1765-1784.
	林闯,苏文博,孟坤,等.云计算安全:架构、机制与模型评价[J].计算机学报,2013,36(9):1765-1784.
[3]	INDU I, RUBESH ANAND P M, BHASKAR V. Identity and Access Management in Cloud Environment: Mechanisms and Challenges[J].Engineering Science and Technology, 2018,21(4):574-588.
[4]	BENTON K, CAMP L J, SMALL C.OpenFlow Vulnerability Assessment[C]//ACM.2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, August 16, 2013,HongKong, China. New York: ACM, 2013: 151-152.
[5]	DANGOVAS V, KULIESIUS F. SDN-DrivenAuthentication and Access Control System[EB/OL]. , 2017-12-23.
[6]	DARGAHI T, CAPONI A, AMBROSIN M, et al.A Survey on the Security of Stateful SDN Data Planes[J]. IEEE Communications Surveys & Tutorials, 2017, 19(3): 1701-1725.
[7]	NAYAK A K, REIMERS A, FEAMSTER N, et al.Resonance: Dynamic Access Control for Enterprise Networks[C]//ACM. The 1st ACM Workshop on Research on Enterprise Networking, August 21, 2009, Barcelona, Spain. New York: ACM, 2009: 11-18.
[8]	MATTOS D M F, DUARTE O C M B. AuthFlow: Authentication and Access Control Mechanism for Software Defined Networking[J].Annals of Telecommunications, 2016, 71(11-12): 607-615.
[9]	MATIAS J, GARAY J, MENDIOLA A, et al.FlowNAC: Flow-based Network Access Control[C]//IEEE. 2014 Third European Workshop on Software Defined Networks, September 1-3, 2014, London, UK.NJ: IEEE, 2014: 79-84.
[10]	YAKASAI S T, GUY C G.FlowIdentity: Software-Defined Network Access Control[C]//IEEE. 2015 IEEE Conference on Network Function Virtualization and Software Defined Network, November 18-21, 2015, San Francisco, CA, USA.NJ: IEEE, 2015: 115-120.
[11]	HAUSER F, SCHMIDT M, MENTH M.Establishing A Session Database for SDN Using 802.1X and Multiple Authentication Resources[C]//IEEE. 2017 IEEE International Conference on Communications, May 21-25, 2017, Paris, France.NJ:IEEE,2017: 1-7.
[12]	SHIN J W, LEE H Y, LEE W J, et al.Access Control with ONOS Controller in the SDN based WLAN Testbed[C]//IEEE. 2016 Eighth International Conference on Ubiquitous and Future Networks, July 5-8, 2016, Vienna, Austria.NJ:IEEE, 2016::656-660.
[13]	NIFE F, KOTULSKI Z.New SDN-Oriented Authentication and Access Control Mechanism[M]//Springer. International Conference on Computer Networks. Cham: Springer, Cham, 2018: 74-88.

虚拟机个数/个	虚拟机认证和授权延迟/ms
1	719.62
5	741.81
10	782.73
20	814.83

迁移虚拟机个数/个	虚拟机迁移认证和授权延迟/ms
1	189.32
5	190.57
10	191.23
20	194.43

重启虚拟机个数/个	重启虚拟机认证和授权延迟/ms
1	45.89
5	47.15
10	47.86
20	48.59

[1]	LAI Chengzhe, WANG Wenjuan. Secure Mobility Management Framework with Privacy Preservation for Vehicle Platoon [J]. 信息网络安全, 2018, 18(7): 36-46.
[2]	DONG Qinghe, HE Qian, JIANG Bingcheng, LIU Peng. Scheme of Cloud Database Oriented Multi-tenant Attribute-based Security Isolation and Data Protection [J]. 信息网络安全, 2018, 18(7): 60-68.
[3]	ZHU Weijun, FAN Yongwen, BAN Shaohuan. A Mimic-automaton-based Model for the MSISDN Virtualization and Its Method for Verifying the Security [J]. 信息网络安全, 2018, 18(4): 15-22.
[4]	WEI Zhanzhen, WANG Shourong, LI Zhaobin, LI Weilong. Research on SDN Terminal Access Control Based on OpenFlow [J]. 信息网络安全, 2018, 18(4): 23-31.
[5]	LI Jianfeng, LIU Yuan, ZHANG Hao, WANG Xiaofeng. Research and Implementation of Routing Performance Optimization for IaaS Cloud Platform [J]. 信息网络安全, 2017, 17(9): 10-15.
[6]	MEN Hong, YAO Shunli. Research on a Framework Based on Virtual Cloud Network for Monitoring Safe Production [J]. 信息网络安全, 2017, 17(3): 14-20.
[7]	XU Yang, CHEN Yi, HE Rui, XIE Xiaoyao. Research of DDoS Detection and Multi-layer Defense in SDN [J]. 信息网络安全, 2017, 17(12): 22-28.
[8]	LIANG Haoming, CHEN Chunlin, LIU Xi, LIU Zhipeng. Design and Research on Malicious Web Sites Prevention Model Based on OpenFlow [J]. 信息网络安全, 2017, 17(1): 77-83.
[9]	QI Yu. Research on the Security of SDN [J]. 信息网络安全, 2016, 16(9): 69-72.
[10]	CHEN Yingcong, CHEN Guangqing, CHEN Zhiming, WAN Neng. A Binary Code Analysis of Vulnerability Scanning Method for SDN Smart Power Grid [J]. 信息网络安全, 2016, 16(7): 35-39.
[11]	WU Zehui, WEI Qiang. A Secure Fault Recovery Approach Using OwnShip-Proof Model for Controller Cluster of Software Defined Networks [J]. 信息网络安全, 2016, 16(12): 13-18.
[12]	WANG Gang. Research on Multi-zone Secure Cloud Computing Fabrics Based on SDN Technology [J]. 信息网络安全, 2015, 15(9): 20-24.
[13]	ZUO Qing-yun, ZHANG Hai-su. Analysis and Research on Network Security for OpenFlow-based SDN [J]. 信息网络安全, 2015, 15(2): 26-32.
[14]	WANG Xin, GAO Neng, MA Cun-qing, XUE Cong. Solution for Rule Conflict under Distributed SDN Controller System [J]. 信息网络安全, 2014, 14(9): 6-6.
[15]	XUE Cong, MA Cun-qing, LIU Zong-bin, ZHANG Qing-long. Design of Secure SDN Controller Architecture [J]. 信息网络安全, 2014, 14(9): 34-38.