Title: 軟體定義網路之調適性防火牆規則自動產生機制 (SDN Adaptive Firewall Automatic Rules Generation)
Author: 張宏慶
Contributor: Department of Computer Science (資科系)
Keywords: Software Defined Networking; Adaptive firewall; Automatic rule generation; Load Balance; Multi-WAN Load Balancer
Date: 2016
Uploaded: 17-May-2017 15:25:49 (UTC+8)

Abstract (translated from the Chinese): The results of this research project consist of two parts: (1) an automatic rule generation mechanism for an adaptive firewall in software defined networking, and (2) an SDN-based multi-WAN load balancer. In the first part, we propose a solution to the heavy workload that comes from traditionally configuring firewall rules one by one by hand. We use Software Defined Networking (SDN) technology combined with an Intrusion Detection System (IDS) to analyze network traffic logs and aggregate the analysis results to generate firewall rules automatically, which substantially reduces manual configuration, improves network management efficiency and strengthens network security. We also give particular attention to a common practical situation in which certain services need the firewall opened for a short time to let a specific data flow through. For these special service needs we adopt an on-demand concept: when a service needs to pass through the firewall, it first registers the service and its requirements in real time with a trusted node in the network (the SDN cloud server). The system then dynamically adjusts the firewall rules to allow that particular data flow, and blocks the service again once it is finished. We expect the proposed mechanism to achieve close to fully automated firewall rule generation, improving network management efficiency and strengthening network security. Finally, we verify the effectiveness of the proposed method experimentally by building a realistic environment consisting of a server farm, SDN switches, an SDN controller, an SDN cloud server and an IDS server. In the second part, we consider enterprises that use multiple links for their external connectivity, both for redundancy and, through a multi-WAN load balancer, to raise bandwidth utilization. However, the number of links is still limited by the vendor's specification and cannot be adjusted flexibly. The load balancing algorithm, likewise, can only be designed around network attributes (such as IP address), weights or round robin, and cannot make the best decision based on current network conditions. To improve on this, this study proposes, in an SDN environment, exploiting the fact that a switch has multiple physical ports so that the number of external and internal links can be adjusted freely on demand, no longer bound by vendor specifications, replacing the traditional multi-WAN load balancer and building a more flexible network architecture. By collecting information from the physical ports and flow tables on the switch, network conditions are assessed in real time to optimize the benefit of load balancing. We build an actual SDN environment on a Linux server using KVM, Open vSwitch and the POX controller to verify the effectiveness of the proposed method. Experimental results show that, compared with a Round Robin load balancing algorithm, the proposed multi-WAN load balancing algorithm improves average bandwidth utilization by about 25% and reduces packet loss by about 17.5% in the best case.
Abstract (English, as provided): The results of the research project consist of two parts: (a) "SDN Adaptive Firewall Automatic Rules Generation" and (b) "SDN based Multi-WAN Load Balancer". As to the "SDN Adaptive Firewall Automatic Rules Generation", we proposed an SDN Adaptive Firewall Automatic Rules Generation Mechanism to deal with the inefficiency of the traditional manual approach to setting firewall rules. We employed SDN together with an Intrusion Detection System (IDS) to analyze packet flow logs and then generate firewall rules automatically. This approach is able to replace the manual setting approach and enhance network management efficiency and network security. In the real world, sometimes we need to admit a specific traffic flow by turning on the firewall for that service for a set time. We use the concept of on-demand: if a specific service needs to pass through a firewall, it sends its request to a trusted node on the Internet (e.g. the SDN cloud server) for registration. If the request is accepted, the system then opens the firewall for this service to allow the specific traffic to pass through for a set time. The service is blocked again once the time expires. The aim of this mechanism is to achieve close to 100% automatic firewall rule setting to enhance network management efficiency. The proposed method is verified by experiments in an environment of a server farm, SDN switches, an SDN controller, an SDN cloud server and an IDS server. As to the "SDN based Multi-WAN Load Balancer", many enterprises use multiple links to access external networks to assure fault tolerance and use a multi-WAN load balancer to manage those links to enhance bandwidth utilization. However, the number of links is fixed and the load balancing algorithm is hard coded by the manufacturer. The algorithm is usually not able to adapt to network traffic conditions to optimize load balance among physical links. With the advance of network function virtualization, we proposed a virtualized multi-WAN load balancer, named SDAW (Software Defined Adaptive WAN), based on SDN. Since each SDN switch is equipped with multiple physical ports, SDAW is able to dynamically configure the number of virtualized multi-WAN and multi-LAN links to adapt to traffic demands. SDAW is no longer limited to a hard coded specification and is able to optimize the effectiveness of load balancing.

Relation: MOST 104-2221-E-004-003
Type: report
URI: http://nccur.lib.nccu.edu.tw/handle/140.119/109685
Format: 4593371 bytes, application/pdf