- 學位論文
以OpenFlow交換器建構網路安全防禦系統 之研究與實現
Research and Simulation of Defense DoS Subsystem on OpenFlow Switch Platform
摘要
隨著電腦普及化的運用與網際網路的蓬勃發展,網路已經成為日常生活的一部分,同時,網路也成為惡意攻擊下手的新目標,導致網路安全問題也越來越複雜多樣性。網路攻擊手法演變迅速,一旦攻擊成功就容易造成大量個資外洩與龐大的金錢損失,進而影響使用者使用服務的意願,因此網路安全和攻擊事件的分析與處理對於一般使用者與提供服務的網路平台來說已經變成不可忽視的一部分。 在本論文中運用OpenFlow平台進行安全管理與防護,並提供一個整合型安全防護機制以提高網路安全。系統使用入侵偵測系統來監測網路情況,並建立安全政策決策系統以對攻擊事件進行分析與決策。而OpenFlow 交換器、控制器負責依決策結果進行防禦動作。以防禦DoS攻擊進行實例說明,並且透過OpenFlow模擬進行測試,透過OpenFlow Controller 和OpenFlow Switch快速檢查出封包是否符合防禦規則,進而達到有效控制封包的流動,安全政策決策系統會進行決策分析以訂定出防禦規則,阻擋DoS SYN Flood攻擊,達到自動防禦的目的。
並列摘要
As the development of the network technology, the network has become a part of everyday life. At the same time,Internet has become the new target for malicious attacks which raise network security problems more complexly and diversity. Once the attacks are successful, it will cause a lot of information leakage and the big amount of money lost that thereby affecting the users' will to use the service. Therefore, network security and attack analysis can not be ignored. This paper provides an integrated security mechanisms to improve network security by OpenFlow platform for security management and protection. On the other hand, we also use intrusion detection systems to monitor network conditions and establish Security Policy Decision Server. The OpenFlow switches and controllers are responsible for making the defense action according to our research results. In this study, we used the defend against DoS attacks for real cases described,and tested through simulation of OpenFlow. The OpenFlow Controller and OpenFlow Switch can quickly check a packet defense rules, and thus achieve effective control of the flow of packets. Security Policy Decision Server will do the policy analysis and set the defense rules to block DoS SYN Flood attacks in order to achieve the automatic defense purpose.