A Dynamic Security Perimeter Protection Mechanism for 5G Networks
张莹,张勖,王东滨,蔡昌俊,陆月明
(School of Network Education, Beijing University of Posts and Telecommunications, Beijing 100876, China; School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China; National Engineering Research Center for Mobile Internet Security, Beijing 100876, China; School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China; Engineering Research Center of Blockchain and Network Convergence Technology, Ministry of Education, Beijing 100876, China; Guangzhou Metro Group Co., Ltd., Guangzhou 510030, China; School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China; Key Laboratory of Trustworthy Distributed Computing and Service, Ministry of Education, Beijing 100876, China)
Abstract:
The fifth-generation mobile communication network (5G) targets a converged network: its standards cover not only public communication networks but also next-generation vertical industry networks. Traditional vertical industry networks are Operational Technology (OT) networks centred on industrial automation and control systems. OT networks apply security domain partitioning, dividing a large, complex system into separate security sub-domains and deploying dedicated security devices or systems at the boundaries for protection. Current practice mostly relies on devices such as security isolation gateways (network gaps) that block malicious traffic by hard isolation, which severely impedes the passage of legitimate business traffic. Building on 5G's Network Function Virtualization (NFV) and Software Defined Networking (SDN), this paper proposes a dynamic security perimeter protection mechanism for 5G networks. The mechanism constructs a virtualized pool of perimeter network security functions and a perimeter security service rule base, analyses the protection level of business traffic arriving at the boundary, and dynamically generates a perimeter security service function chain from the rules in the rule base. It can also optimize the deployment of the perimeter service function chain: through modelling and a heuristic algorithm it realizes a multi-objective deployment strategy that satisfies the protection level requirements of the business traffic while minimizing processing latency. Based on this mechanism, we design and present an instance of dynamic security perimeter protection for a 5G private network in the rail transit industry, intended to serve engineering practice. Finally, we build a simulation platform based on Mininet and Ryu, model the security domain composition and perimeter security capabilities of a 5G demonstration network for rail transit, and verify the mechanism experimentally. The results show that the mechanism can effectively and dynamically generate perimeter service function chains and achieve the goal of controlling the passage of traffic of different protection levels.
Keywords: 5G; dynamic security perimeter protection mechanism; software defined networking; network function virtualization; service function chain; latency
DOI:10.19363/J.cnki.cn10-1380/tn.2025.09.03
Received: 2023-10-12; Revised: 2024-02-28
Funding: This work was supported by the National Key R&D Program of China (No. 2020YFB1808100) and the China University Industry-University-Research Innovation Fund, Future Network Innovation Research and Application Project (No. 2021FNA02004).
A Dynamic Security Perimeter Protection Mechanism for 5G Network
ZHANG Ying,ZHANG Xu,WANG Dongbin,CAI Changjun,LU Yueming
School of Network Education, Beijing University of Posts and Telecommunications, Beijing 100876, China;School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China;National Engineering Research Center for Mobile Internet Security, Beijing 100876, China;School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China;Engineering Research Center of Blockchain and Network Convergence Technology, Ministry of Education, Beijing 100876, China;Guangzhou Metro, Guangzhou 510030, China;School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China;Key Laboratory of Trustworthy Distributed Computing and Service (BUPT), Ministry of Education, Beijing 100876, China
Abstract:
The fifth-generation mobile communication network (5G) aims at network convergence: its standards not only cover public communication networks but are also applied to next-generation vertical industry networks. Traditional vertical industry networks are Operational Technology (OT) networks that focus on industrial automation and control systems. OT networks adopt security domain partitioning to divide large-scale complex systems into separate security sub-domains and deploy dedicated security equipment or systems at the boundaries for protection. In current practice, security isolation gateways (network gaps) and similar equipment are often used to block malicious traffic by hard isolation, which seriously impedes the passage of legitimate traffic. Relying on 5G's Network Function Virtualization (NFV) technology and Software Defined Networking (SDN), this paper proposes a dynamic security perimeter protection mechanism for 5G networks. The mechanism builds a virtualized perimeter network security function resource pool and a perimeter security service rule base, analyzes the protection level of traffic arriving at the boundary, and dynamically generates a perimeter security service function chain based on the rules. The mechanism also optimizes the deployment of perimeter service function chains, using modeling and heuristic algorithms to achieve a multi-objective optimal deployment strategy that meets the protection level requirements of the services while minimizing processing delay. Based on this mechanism, we design an example case of dynamic security perimeter protection for 5G private networks in the subway industry, aiming to serve engineering practice. Finally, we built a simulation platform based on Mininet and Ryu to simulate the security domain composition and boundary security capabilities of the 5G demonstration network in the subway industry, and verified the mechanism experimentally. The results show that the mechanism can effectively and dynamically generate perimeter service function chains and achieve the goal of controlling the passage of traffic of different protection levels.
Key words: 5G; dynamic security perimeter protection mechanism; software defined networking; network function virtualization; service function chain; latency
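The abstract describes two steps: a rule base maps the protection level of a flow arriving at the boundary to an ordered chain of security functions, and a heuristic then places that chain onto the virtualized function pool so that protection requirements are met and processing delay is kept low. The following toy model is an added illustration of that two-step idea, not code from the paper or its authors: the protection levels, the rule base contents, the function names, the node delay figures and the greedy placement heuristic are all constructed assumptions, and the paper's actual optimization model is not reproduced here.

```python
"""Toy model of a rule-driven perimeter service function chain (SFC).

Constructed illustration of the idea in the abstract. Everything below
(rule base, classifier, node parameters, greedy heuristic) is an assumption
made for this example and is not the paper's design.
"""
from dataclasses import dataclass, field

# Rule base (constructed): protection level -> ordered list of perimeter
# security functions the flow must traverse before crossing the boundary.
RULE_BASE = {
    "low":    ["acl"],
    "medium": ["acl", "stateful_fw"],
    "high":   ["acl", "stateful_fw", "ids", "protocol_whitelist"],
}


@dataclass
class Flow:
    src_domain: str
    dst_domain: str
    proto: str
    dport: int


def protection_level(flow):
    """Constructed classifier: derive the protection level from the
    destination security domain and the application protocol."""
    if flow.dst_domain == "signalling":
        return "high"
    if flow.dst_domain == "ops" or flow.proto == "modbus":
        return "medium"
    return "low"


def build_chain(flow):
    """Look up the ordered SFC for the flow's protection level."""
    return list(RULE_BASE[protection_level(flow)])


@dataclass
class Node:
    name: str
    capacity: int            # function instances the node can host
    delay_ms: dict           # per-function processing delay (constructed)
    hosted: list = field(default_factory=list)


def place_chain(chain, nodes, link_delay_ms=0.5):
    """Greedy placement heuristic (assumption, not the paper's algorithm).

    For each function in chain order, pick the node with the lowest
    incremental delay: its processing delay plus one link hop if the
    function moves to a different node than the previous one. Returns
    (placement, total_delay_ms) or None when no node has capacity left
    for some function, i.e. the protection requirement cannot be met.
    """
    placement, total, prev = [], 0.0, None
    for fn in chain:
        best = None
        for node in nodes:
            if len(node.hosted) >= node.capacity or fn not in node.delay_ms:
                continue
            hop = link_delay_ms if prev is not None and node is not prev else 0.0
            cost = node.delay_ms[fn] + hop
            if best is None or cost < best[0]:
                best = (cost, node)
        if best is None:
            return None          # infeasible: do not silently weaken the chain
        cost, node = best
        node.hosted.append(fn)
        placement.append((fn, node.name))
        total += cost
        prev = node
    return placement, round(total, 3)


def demo():
    """Place the chain for a constructed high-protection flow on two nodes."""
    nodes = [
        Node("edge-1", 2, {"acl": 0.2, "stateful_fw": 0.8,
                           "ids": 2.5, "protocol_whitelist": 0.6}),
        Node("edge-2", 4, {"acl": 0.3, "stateful_fw": 0.7,
                           "ids": 1.9, "protocol_whitelist": 0.5}),
    ]
    flow = Flow("office", "signalling", "tcp", 102)
    chain = build_chain(flow)
    return chain, place_chain(chain, nodes)


if __name__ == "__main__":
    chain, result = demo()
    print("chain:", chain)
    print("placement:", result)
```

Running `demo()` places `acl` and `stateful_fw` on `edge-1` (cheapest and no hop), then fills `edge-1`'s capacity, so `ids` and `protocol_whitelist` move to `edge-2` with a single link hop; the design point worth noting is that an infeasible placement returns `None` rather than dropping functions from the chain, so a capacity shortfall can never quietly lower the protection applied to a flow.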