Abstract (translated from the Chinese):
Cloud computing, built on virtualization technology, provides a network computing model in which resources are allocated flexibly and on demand. Driven by network virtualization, a user's network becomes a set of logically isolated virtual networks that the cloud service provider allocates on top of the physical network according to the user's requirements. Virtual networks make the network architecture dynamic and exhibit new characteristics: dynamic, blurred network boundaries; shared underlying resources; and traffic dominated by internal east-west interaction. These characteristics not only aggravate the attack threats inherent in traditional networks (e.g., ARP attacks and DoS attacks) but also introduce new security threats: failure of virtual network perimeter protection, information leakage and tampering, and blind spots in traffic monitoring. Virtual network security has therefore become a focus of attention in both industry and academia. This paper summarizes the security problems present in virtual network environments, analyzes their causes, and gives a threat model for cloud virtual networks. Against these problems, it analyzes and compares recent defense mechanisms from China and abroad in the following categories: virtual firewalls, dynamic deployment of security services, virtual network embedding, strengthened virtual network isolation, deep traffic inspection, and dynamic traffic control, and points out the problems that remain. Finally, it discusses future research directions in virtual network security and proposes a dynamic defense framework based on the software-defined perimeter.
Keywords: network security; cloud virtual network; software-defined networking; software-defined perimeter
DOI: 10.19363/J.cnki.cn10-1380/tn.2025.03.13
Received: 2020-09-29; Revised: 2020-12-22
Funding: This work was supported by the National Key R&D Program of China (No. 2016YFB0801002) and the Strategic Priority Research Program of the Chinese Academy of Sciences, Category C (No. XDC02010900).
|
Research on Cloud Virtual Network Security |
TU Bibo,SUN Ruina,YOU Ruibang,CHENG Jie,TAO Xiaojie,ZHANG Kun |
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; School of Information Management, Xinjiang University of Finance and Economics, Urumqi 830012, China
Abstract: |
Cloud computing, built on virtualization technology, provides a network computing model that allocates resources flexibly and on demand. Driven by network virtualization, the traditional user network is transformed into logically isolated virtual networks, which cloud vendors allocate on top of the physical network according to users' needs. Virtual networks make the network architecture dynamic and flexible, and present new characteristics: dynamic, blurred boundaries; shared underlying resources; and traffic dominated by internal "east-west" interaction. This not only aggravates the attack threats inherent in traditional networks, such as ARP attacks and DoS attacks, but also introduces new security threats: failure of virtual network perimeter protection, information leakage and tampering, blind spots in traffic monitoring, and so on. The security of virtual networks has therefore become a focus of attention in industry and academia. This paper summarizes the security problems in virtual network environments, analyzes their causes, and gives a threat model for the cloud virtual network. In response to these security issues, it analyzes and compares defense mechanisms proposed in China and abroad, grouped into categories based on virtual firewalls, dynamic deployment of security services, virtual network embedding, virtual network isolation enhancement, deep traffic monitoring, dynamic traffic control, and others, and points out the problems that remain in these schemes. Finally, it discusses future research directions for virtual network security and proposes a dynamic defense framework based on the Software Defined Perimeter.
Key words: network security; cloud virtual network; software defined networking (SDN); software defined perimeter (SDP)