Cite this article
  • 涂碧波, 孙瑞娜, 游瑞邦, 程杰, 陶小结, 张坤. 云虚拟网络安全研究 [J]. 信息安全学报 (Journal of Cyber Security), accepted.
  • TU Bibo, SUN Ruina, YOU Ruibang, CHENG Jie, TAO Xiaojie, ZHANG Kun. Research on Cloud Virtual Network Security [J]. Journal of Cyber Security, accepted.


DOI:
Received: 2020-09-29; Revised: 2020-12-22
Funding: key project funding from the Chinese Academy of Sciences
Research on Cloud Virtual Network Security
TU Bibo1, SUN Ruina1, YOU Ruibang1, CHENG Jie1, TAO Xiaojie1, ZHANG Kun2
(1. Institute of Information Engineering, Chinese Academy of Sciences; 2. Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
Cloud computing, built on virtualization technology, provides a network computing model that allocates resources flexibly and on demand. Driven by network virtualization, the user's network becomes a set of logically isolated virtual networks that the cloud service provider allocates on top of the physical network according to the user's needs. Virtual networks make the network architecture dynamic and present new characteristics: the network boundary is dynamic and blurred, the underlying resources are shared, and traffic is dominated by internal "east-west" interaction between workloads. This not only aggravates attack threats inherent to traditional networks, such as ARP attacks and DoS attacks, but also introduces new security threats: failure of virtual network perimeter protection, information leakage and tampering, and blind spots in traffic monitoring. The security of virtual networks has therefore become a focus of attention in both industry and academia. This paper summarizes the security problems in virtual network environments, analyzes their causes, and gives a threat model for cloud virtual networks. In response to these problems, it analyzes and compares recent defense mechanisms proposed in China and abroad in the following categories: virtual firewalls, dynamic deployment of security services, virtual network embedding, strengthened virtual network isolation, deep traffic monitoring, and dynamic traffic control, and points out the problems that remain. Finally, it discusses future research directions for virtual network security and proposes a dynamic defense framework based on Software Defined Perimeter (SDP).
Key words: network security; cloud virtual network; software defined networking (SDN); software defined perimeter (SDP)
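The abstract's two central threats, failure of perimeter protection and blind spots in traffic monitoring for east-west traffic, and the first defense category it surveys, the virtual firewall, can be made concrete with a small model. The following Python is an added example written for this page; it is not code from the paper or its authors. The tenant topology, addresses, hypervisor placement and rule sets are all constructed for illustration, and the rule evaluator uses first-match semantics as a stand-in for a generic security-group or vFW policy rather than any particular vendor's implementation.

```python
"""Added example (not from the paper): a toy tenant virtual network showing
why a perimeter-only firewall never sees intra-tenant (east-west) flows, why
a physical tap misses flows between VMs on the same hypervisor, and how a
per-VM virtual firewall enforced at the vSwitch port closes both gaps.
Every address, VM placement and rule below is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # source CIDR
    dst: str                # destination CIDR
    proto: str              # "tcp", "udp", "icmp" or "any"
    dports: Optional[range]  # None matches any destination port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in ("any", f.proto)
                and (self.dports is None or f.dport in self.dports))


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First-match evaluation, the usual semantics of security-group rule sets."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return default


# Constructed topology: one tenant subnet, a web VM and a database VM that the
# scheduler happened to place on the same hypervisor, and a third VM elsewhere.
TENANT_NET = "10.0.1.0/24"
VM_LOCATION: Dict[str, str] = {
    "10.0.1.10": "host-A",   # web VM (exposed on 443)
    "10.0.1.11": "host-A",   # database VM
    "10.0.1.20": "host-B",   # batch VM
}

# The perimeter appliance only sees traffic crossing the tenant boundary.
PERIMETER_RULES = [
    Rule("allow", "0.0.0.0/0", "10.0.1.10/32", "tcp", range(443, 444)),
    Rule("deny", "0.0.0.0/0", TENANT_NET, "any", None),
]

# Per-VM policy enforced at each VM's virtual switch port (micro-segmentation).
VFW_RULES: Dict[str, List[Rule]] = {
    "10.0.1.10": [
        Rule("allow", "0.0.0.0/0", "10.0.1.10/32", "tcp", range(443, 444)),
        Rule("deny", "0.0.0.0/0", "10.0.1.10/32", "any", None),
    ],
    "10.0.1.11": [  # only the web VM may reach the database, and only on 5432
        Rule("allow", "10.0.1.10/32", "10.0.1.11/32", "tcp", range(5432, 5433)),
        Rule("deny", "0.0.0.0/0", "10.0.1.11/32", "any", None),
    ],
}


def is_east_west(flow: Flow) -> bool:
    """Both endpoints inside the tenant network: the flow never crosses the perimeter."""
    return (ip_address(flow.src) in ip_network(TENANT_NET)
            and ip_address(flow.dst) in ip_network(TENANT_NET))


def traverses_physical_network(flow: Flow) -> bool:
    """False when both VMs sit on the same hypervisor: the packets stay inside the
    vSwitch, so a tap or IDS on the physical fabric never observes them."""
    return VM_LOCATION.get(flow.src) != VM_LOCATION.get(flow.dst)


def perimeter_only(flow: Flow) -> str:
    """Legacy design: the perimeter appliance is the only enforcement point.
    East-west flows are forwarded by the vSwitch without any policy check."""
    if is_east_west(flow):
        return "allow"   # the blind spot the abstract describes
    return evaluate(PERIMETER_RULES, flow)


def with_vfw(flow: Flow) -> str:
    """Virtual firewall: north-south traffic still passes the perimeter, but every
    flow is additionally checked against the destination VM's own rule set."""
    if not is_east_west(flow) and evaluate(PERIMETER_RULES, flow) == "deny":
        return "deny"
    return evaluate(VFW_RULES.get(flow.dst, []), flow, default="deny")


if __name__ == "__main__":
    # A compromised web VM probing SSH on the database VM next to it on host-A.
    lateral = Flow("10.0.1.10", "10.0.1.11", "tcp", 22)
    print("perimeter only:", perimeter_only(lateral), "| with vFW:", with_vfw(lateral),
          "| seen on physical network:", traverses_physical_network(lateral))
```

Run as a script, the lateral SSH probe from the compromised web VM is allowed under the perimeter-only design and is invisible to any monitor on the physical fabric because both VMs share host-A, while the per-port virtual firewall denies it and still permits the legitimate web-to-database flow on 5432. The same evaluator can be reused to test rule sets for other tenants by changing `TENANT_NET`, `VM_LOCATION` and the rule tables.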