
Efficient Rule Deployment for a Distributed Firewall in SDN (SDN分散式防火牆高效規則部署)

Efficient Algorithm for Distributed Firewall Architecture in SDN Environment

Advisor: 林宗男
This thesis will be available for download from 2024/10/09.

Abstract (translated from Chinese)

To protect internal services and hosts from network attacks, a firewall is an essential means of filtering attack packets. A typical firewall is deployed at the entry point of the internal network. However, with the growth of the cloud, the Internet of Things and similar environments, networks have become far more flexible and dynamic than before, so a distributed firewall must be deployed to protect the internal network adequately. We propose a distributed firewall in a software-defined network environment and formulate the placement of firewall rules as an integer linear programming problem. Nonetheless, integer linear programming is in general NP-complete: with a large number of rules or a complex network topology, solving it takes a great deal of time, which is infeasible for managing a distributed firewall. We therefore introduce the Resource Constraint Splitting algorithm to reduce the time complexity. Its key step is to separate the decision variables into independent subproblems, which are then solved in parallel. This distributed firewall is a substantial improvement in many respects, including lower network latency and reduced internal traffic. Experimental results from an OpenFlow controller in Mininet show that, compared with previous studies, the approach provides the same protection with better network performance in terms of throughput and latency.

Abstract (English)

To protect internal services and hosts from network attacks, a firewall is an essential component for enforcing security policies on Internet connections. A typical firewall is deployed at the entry point of an autonomous system. However, network environments such as the Cloud and the IoT have become much more flexible and dynamic than ever. As a result, it is necessary to deploy a distributed firewall. We present a distributed firewall in a software-defined network environment and formulate the placement of firewall rules as an integer linear programming problem. Nonetheless, integer linear programming is in general NP-complete. With a large number of rules and a complex network topology, solving it takes a huge amount of time, which is infeasible for managing a distributed firewall. As a result, we introduce a resource constraint splitting algorithm to reduce the time complexity. The key idea is to separate the decision variables into disjoint subproblems and to solve them in parallel. This distributed firewall is a substantial improvement in many aspects, including higher levels of security, lower latency, and reduced traffic. Experimental results from an OpenFlow controller in Mininet demonstrate that this approach achieves better network performance than that reported in previous studies in terms of network throughput and latency.
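The splitting step both abstracts describe, partitioning the decision variables into subproblems that share no constraint and solving them in parallel, as an added illustration that is not the thesis's own code. It assumes a simplified placement model (each rule is installed on one of its candidate switches at a cost, subject to per-switch flow-table capacity) with a brute-force enumerator standing in for an ILP solver; the rule and capacity data are constructed.

```python
import math
from itertools import product
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

# Constructed toy instance (not from the thesis): a rule goes on one of its candidate
# switches at the given cost (e.g. hops from the protected host); each switch has a small flow table.
RULES = {"r1": {"s1": 1, "s2": 2}, "r2": {"s1": 1, "s2": 2}, "r3": {"s2": 1, "s3": 2},
         "r4": {"s4": 1, "s5": 2}, "r5": {"s5": 1}}
CAPACITY = {"s1": 1, "s2": 2, "s3": 1, "s4": 1, "s5": 1}

def search_space(rules):
    """Assignments an exhaustive solver must examine: product of the candidate counts."""
    return math.prod(len(c) for c in rules.values())

def solve_exhaustive(rules, capacity):
    """Exact solver by enumeration: (total_cost, {rule: switch}), or None if infeasible."""
    names, best = list(rules), None
    for choice in product(*(rules[r].items() for r in names)):
        load, cost = defaultdict(int), 0
        for switch, c in choice:
            load[switch] += 1
            cost += c
        if any(load[s] > capacity[s] for s in load):
            continue  # a flow table would overflow
        if best is None or cost < best[0]:
            best = (cost, {r: sw for r, (sw, _) in zip(names, choice)})
    return best

def split_components(rules):
    """Group rules that (transitively) share a candidate switch. Groups sharing no switch
    share no capacity constraint, so they are independent subproblems."""
    groups = []  # [(switch set, {rule: candidates})]
    for r, cands in rules.items():
        switches, merged = set(cands), {r: cands}
        for g in [g for g in groups if g[0] & switches]:
            groups.remove(g)
            switches |= g[0]
            merged.update(g[1])
        groups.append((switches, merged))
    return [merged for _, merged in groups]

def solve_split(rules, capacity):
    """Solve the independent subproblems concurrently and merge their placements."""
    with ThreadPoolExecutor() as pool:
        results = list(pool.map(lambda p: solve_exhaustive(p, capacity), split_components(rules)))
    if None in results:
        return None  # one subproblem infeasible means the whole instance is
    placement = {r: sw for _, part in results for r, sw in part.items()}
    return sum(cost for cost, _ in results), placement
```

On this instance the whole-problem enumeration examines 16 assignments while the two independent subproblems together examine 10, and both reach the same optimal cost; the gap grows multiplicatively with the number of independent components.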
