CN114024747A - Security service chain arranging and deploying method and system based on software defined network virtualization (NFV) - Google Patents

Security service chain arranging and deploying method and system based on software defined network virtualization (NFV)

Info

Publication number
CN114024747A
CN114024747A (application CN202111301566.4A)
Authority
CN
China
Prior art keywords
security service
service chain
security
network flow
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111301566.4A
Other languages
Chinese (zh)
Inventor
朱胜
李伟伟
杨文�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
Global Energy Interconnection Research Institute
Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Global Energy Interconnection Research Institute
Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, Global Energy Interconnection Research Institute, Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Priority to CN202111301566.4A
Publication of CN114024747A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention provides a method and system for orchestrating and deploying a security service chain based on software-defined NFV. The method comprises the following steps: acquiring a user's security service requirement; constructing a security service chain policy from that requirement; dynamically orchestrating the virtual security devices according to priority; scheduling the network flow according to the load of the virtual security device instances and the real-time link transmission delay, and evaluating the optimal network flow scheduling route; and parsing the scheduling route, generating flow instructions and issuing them to the switches, redirecting the network flow so that it is steered in sequence through the corresponding virtual security devices for security processing, and thereby deploying the security service chain framework. By implementing the invention, in-depth security protection can be provided flexibly and rapidly according to the security requirements of user applications, while the efficiency of the virtual security devices and the underlying infrastructure is improved.

Description

Security service chain arranging and deploying method and system based on software defined network virtualization (NFV)
Technical Field
The invention relates to the field of information security, in particular to a security service chain arranging and deploying method and system based on software defined network virtualization (NFV).
Background
A Service Chain (SC) in a conventional network steers a network data flow that satisfies specific attributes through a service sequence composed of several service-function nodes, and provides the conventional network with a means of preventing and controlling malicious attacks. A Software Defined Security (SDS) architecture decouples the control plane and the data plane of network security devices: the lower layer abstracts the resources of a security resource pool, and the upper layer orchestrates security services flexibly in a software-defined manner to achieve flexible security protection.
However, with the rapid development of cloud computing and Software Defined Networking (SDN), how to rapidly reconstruct the security solution of a conventional network, and thereby improve the flexibility and efficiency of network security protection, has become a problem that urgently needs to be solved.
Disclosure of Invention
Therefore, the technical problem to be solved by the present invention is to overcome the defect in the prior art that the flexibility and efficiency of network security protection are difficult to improve, by providing a method and a system for orchestrating and deploying a security service chain based on software-defined NFV.
In a first aspect, an embodiment of the present invention provides a security service chain orchestration and deployment method based on software-defined NFV, including: acquiring a user's security service requirement; constructing a security service chain policy according to that requirement; dynamically orchestrating the virtual security devices according to priority; scheduling the network flow according to the load of the virtual security device instances and the real-time link transmission delay, and evaluating the optimal network flow scheduling route; and parsing the scheduling route, generating flow instructions and issuing them to the switches, redirecting the network flow so that it is steered in sequence through the corresponding virtual security devices for security processing, and thereby deploying the security service chain framework.
Optionally, dynamically orchestrating the virtual security devices according to priority includes: retrieving, on all switches in the network, the currently installed flow rules that cover the network flows corresponding to the 12-tuples in the newly constructed security service chain policy; deleting those flow rules so as to trigger Packet-in messages; listening for all Packet-in messages; and reconstructing the corresponding security service chain policy, in turn, for every network flow described by a Packet-in message.
Optionally, reconstructing the corresponding security service chain policy in turn for every network flow described by a Packet-in message includes: when the flow described by the Packet-in message is contained in exactly one security service chain policy, directly reconstructing the corresponding policy for that flow; when it is contained in several security service chain policies at the same time, adding those policies to a policy set and reconstructing the security service chain policy for the flow on the basis of all policies in the set.
Optionally, the virtual security devices are deployed flexibly using virtualization technology, and the virtual security device instance is selected dynamically, according to the security device requirement, the load of the virtual security devices and the real-time link state, to optimize the network flow scheduling route of the security service chain.
Optionally, the security service chain steers the network flow through a particular sequence of security service nodes within a preset delay time.
Optionally, the preset delay time comprises the link transmission delay and the service node processing delay.
In a second aspect, an embodiment of the present invention provides a security service chain orchestration and deployment system based on software-defined NFV, including: an acquisition module for acquiring the user's security service requirement; a construction module for constructing a security service chain policy from that requirement; an orchestration module for dynamically orchestrating the virtual security devices according to priority; an analysis module for scheduling the network flow according to the load of the virtual security device instances and the real-time link transmission delay and evaluating the optimal network flow scheduling route; and a processing module for parsing the scheduling route, generating flow instructions and issuing them to the switches, redirecting the network flow so that it is steered in sequence through the corresponding virtual security devices for security processing, and deploying the security service chain framework.
In a third aspect, an embodiment of the present invention provides a computer-readable storage medium storing computer instructions, the instructions being configured to cause a computer to execute the software-defined NFV-based security service chain orchestration and deployment method of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer device including a memory and a processor communicatively connected to each other; the memory stores computer instructions, and the processor executes those instructions to carry out the software-defined NFV-based security service chain orchestration and deployment method of the first aspect.
The technical scheme of the invention has the following advantages:
The invention provides a security service chain orchestration and deployment method based on software-defined network function virtualization (NFV), comprising: acquiring a user's security service requirement; constructing a security service chain policy from that requirement; dynamically orchestrating the virtual security devices according to priority; scheduling the network flow according to the load of the virtual security device instances and the real-time link transmission delay, and evaluating the optimal network flow scheduling route; and parsing the scheduling route, generating flow instructions and issuing them to the switches, redirecting the network flow so that it is steered in sequence through the corresponding virtual security devices for security processing, and thereby deploying the security service chain framework. The framework for automatic orchestration and deployment of the security service chain is based on the technical idea of NFV. Under this framework a security service chain is built according to a policy: which classes of virtual security devices from the security resource pool are needed is determined from the priorities, the order of the virtual security appliance sequence (VSA sequence) is fixed so as to orchestrate it, then the virtual security appliance instances (VSA instances) with the best load and real-time link transmission delay are selected and added to the chain, forming a security service chain for that security requirement policy, and the network service flows are steered in sequence through the required VSA instances by means of the SDN flow table mechanism for detection and protection.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a specific example of a security service chain orchestration and deployment method based on software-defined NFV in an embodiment of the present invention;
Fig. 2 is the security service chain orchestration and deployment framework in an embodiment of the invention;
Fig. 3 is a policy syntax tree in an embodiment of the present invention;
Fig. 4 is a flowchart of security service chain policy reconstruction in an embodiment of the present invention;
Fig. 5 is a schematic block diagram of a security service chain orchestration and deployment system based on NFV in an embodiment of the present invention;
Fig. 6 is a composition diagram of a specific example of a computer device according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it should be understood that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; the two elements may be directly connected or indirectly connected through an intermediate medium, or may be communicated with each other inside the two elements, or may be wirelessly connected or wired connected. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
In addition, the technical features involved in the different embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
The embodiment of the invention provides a security service chain orchestration and deployment method based on software-defined NFV (network function virtualization), which comprises the following steps, as shown in Fig. 1:
Step S1: acquire the user's security service requirement.
Step S2: construct a security service chain policy according to the user's security service requirement.
Step S3: dynamically orchestrate the virtual security devices according to priority.
Step S4: schedule the network flow according to the load of the virtual security device instances and the real-time link transmission delay, and evaluate the optimal network flow scheduling route.
Step S5: parse the network flow scheduling route, generate flow instructions and issue them to the switches, redirect the network flow so that it is steered in sequence through the corresponding virtual security devices for security processing, and deploy the security service chain framework.
In a specific embodiment, the framework for automatic deployment of the security service chain comprises a policy conflict decision node, a network flow scheduling node and an SDN controller, as shown in Fig. 2.
The policy conflict decision node receives a user's security service requirement through an open northbound interface. For example, to provide security protection for a web server, a security service chain policy composed of an intrusion-detection WAF and a traffic-cleaning ADS device is constructed for that server, and the access data flows are steered in turn through the VSA (virtual security appliance) sequence of the policy for filtering. Because fine-grained access control and network flow attributes are complex, policies describing different security service requirements may concern the same network flow, so that action conflicts can exist between successively issued policies. The policy conflict decision node uses priorities to arrange the VSA sequence for a network flow of given attributes correctly, ensures that no conflict exists in the network, and sends the policy decision result to the network flow scheduling node.
The network flow scheduling node is mainly responsible for managing the VSA instances of the security resource pool, monitoring the load information (CPU utilization and memory utilization) of the VSA instances, configuring the protection policies of the VSA instances, parsing the types of security device in the VSA sequence from the policy decision result, evaluating the optimal network flow scheduling route in combination with real-time link state information, selecting suitable VSA instances, adding this information to the policy and sending it to the SDN controller, which completes the flow redirection.
The SDN controller centrally controls and manages the network resources and has the capabilities of global topology monitoring and flow instruction issuing. On receiving a routing result from the network flow scheduling node, the SDN controller parses it, generates flow instructions and issues them to the switches, redirecting the network flow so that it is steered in sequence through the corresponding VSA instances for security processing, which completes the automatic deployment of the whole security service chain framework. Conversely, the SDN controller can also delete previously issued switch flow instructions according to information such as the network flow scheduling route.
In one embodiment, dynamically orchestrating the virtual security devices according to priority comprises the following steps:
Step S31: retrieve, on all switches in the network, the currently installed flow rules that cover the network flows corresponding to the 12-tuples in the newly constructed security service chain policy.
Step S32: delete those flow rules to trigger Packet-in messages.
Step S33: listen for all Packet-in messages.
Step S34: reconstruct the corresponding security service chain policy, in turn, for every network flow described by a Packet-in message.
In one embodiment, the description of the security requirements is the basis and premise for automatically orchestrating and deploying a security service chain. The attribute-based access control (ABAC) model provides dynamic privilege assignment and finer-grained access control in complex information systems. This patent describes the security requirements of an upper-layer application in an SDN network by extending the ABAC policy model and constructs security service chain policies from them. Each policy can be parsed into a Subject, an Object, a Permission and a VSA (virtual security appliance) Priority of the security service chain policy, expressed as Policy(Object, Permission, Priority); the policy syntax tree is shown in Fig. 3.
(1) Subject: the executor of the policy, namely the policy conflict decision node, the network flow scheduling node or the SDN controller.
(2) Object: the network flow satisfying a specific attribute, expressed as a 12-tuple attribute field conforming to the packet header fields of the OpenFlow protocol.
(3) Permission: the network flow redirection operation, i.e. steering the network flow, according to VSA_type, through the ordered VSA sequence corresponding to the policy; security devices of the same type appear only once in a VSA sequence. VSA_type is the type of security device used from the security resource pool, and several types of security device make up a VSA sequence. Instance_Info is the information about the VSA instance of that type, such as the access switch and port of the instance.
(4) Priority: used to resolve conflicts between policy action permissions. A user can set a priority for each type of VSA; the VSA sequence is arranged according to these priorities, and the network flow is steered through the VSAs in order of priority from largest to smallest, which guarantees that the policy is executed correctly. Priority_type is the priority corresponding to this type of VSA; a larger value means a higher priority.
To ensure that all security service chain policies are implemented correctly, so that each network flow is protected by the VSA sequence of its policy, a complete policy conflict decision mechanism is needed. To that end, the VSA sequence of a security service chain policy is arranged dynamically by priority to resolve policy conflicts. After the policy conflict decision node has constructed a security service chain policy for a user's security service requirement, the SDN controller retrieves, on all switches in the network, the currently installed flow rules that cover the network flows corresponding to the 12-tuple of the new policy, and deletes them to trigger Packet-in messages. The policy conflict decision node then listens for all Packet-in messages and reconstructs, in turn, the corresponding security service chain policy for every network flow they describe (the reconstructed policies are derived from the policies issued by the user; once the network flow scheduling node and the SDN controller have processed them in turn and converted them into flow rules, they are deleted). This resolves the policy conflicts; the specific process is described below.
(1) Packet-in message triggering
In an SDN network a network flow generally consists of many packets. When a switch has no forwarding rule for a flow, it encapsulates the first packet of the flow in a Packet-in message and sends it to the SDN controller to request a flow rule, and then forwards the subsequent packets according to that rule. Therefore, to ensure that a security service chain policy is implemented correctly, when the framework constructs a new policy for a user's security service requirement it retrieves the flow rules of all switches in the network and, following the 12-tuple match structure of the OpenFlow protocol, judges whether the 12-tuple match domain of each rule's packet header is contained in the object attribute domain of the policy. If it is, a flow rule for that 12-tuple network flow is already being executed in the network, and the rule is deleted to trigger a Packet-in message.
(2) Security service chain policy reconstruction
The policy conflict decision node extends the SDN controller to listen for and parse the Packet-in messages uploaded by the switches; it checks the packet information encapsulated in each Packet-in message against every security service chain policy issued by the user, one by one, and judges whether the 12-tuple match domain of the packet is contained in the object attribute domain of the policy. If the packet is contained in no security service chain policy, it is handed directly to the Forwarding module of the SDN controller, which builds a forwarding route for the packet so that the flow it belongs to reaches its destination host; otherwise a security service chain policy is reconstructed for the packet, as follows:
1) If the packet is contained in exactly one security service chain policy, the corresponding policy is reconstructed for the packet directly: its object attribute field is the 12-tuple match information of the packet, and its action permission and VSA priority are the VSA sequence and VSA priority information of the matched policy. In the security service chain framework, to keep the ordering of the virtual security devices well defined, equal priority values are not allowed within one policy; and to make policy reconstruction possible, whenever a user issues a security service chain policy it is checked whether it conflicts with an existing policy. If so, it is checked whether the new policy has a priority value equal to one in the existing policy; if it does, the policy is not executed and this is fed back to the user. During policy reconstruction, if the same type of VSA appears in the VSA sequences of several security service chain policies with different priority values, the VSA priority of the most recently issued policy overrides the VSA priorities of the other policies, so as to meet the user's need to update VSA priorities.
2) If the packet is contained in several security service chain policies at the same time, those policies are added to the policy set policylist, and a corresponding security service chain policy policyn is reconstructed for the packet from all policies in policylist, as shown in Fig. 4.
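The policy model and the conflict-resolution rules above (12-tuple object domains, retrieval of installed flow rules before deleting them, rejection of a newly issued policy whose priority value collides with an existing one, and the merging of several matching policies with the most recent policy's priority winning) are shown in the following added Python example. This code is not part of the patent: the Policy dataclass, its seq issue counter, the packet() helper and the sample policies, packets and flow rules are constructed here, and the reading of the equal-priority check as "the same value on two different VSA types in overlapping policies" is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# OpenFlow 12-tuple match fields (the page's "12-tuple"); a None value means wildcard.
OF_FIELDS = ("in_port", "dl_src", "dl_dst", "dl_vlan", "dl_vlan_pcp", "dl_type",
             "nw_tos", "nw_proto", "nw_src", "nw_dst", "tp_src", "tp_dst")

Domain = Dict[str, Optional[str]]   # object attribute domain or a flow-rule match


@dataclass
class Policy:
    """Policy(Object, Permission, Priority) of the page; name and seq are additions."""
    name: str
    obj: Domain               # Object: 12-tuple attribute domain, None = any value
    vsa_types: List[str]      # Permission: ordered VSA sequence, each type at most once
    priority: Dict[str, int]  # Priority_type per VSA type; larger = steered through earlier
    seq: int                  # issue order, larger = issued more recently (assumed)


def packet(**fields) -> Domain:
    """Constructed sample packet header: a fully specified 12-tuple (no wildcards)."""
    base = dict(in_port="1", dl_src="00:00:00:00:00:01", dl_dst="00:00:00:00:00:02",
                dl_vlan="0", dl_vlan_pcp="0", dl_type="0x0800", nw_tos="0",
                nw_proto="6", nw_src="10.0.0.1", nw_dst="10.0.0.10",
                tp_src="40000", tp_dst="80")
    base.update(fields)
    return base


def contained(inner: Domain, outer: Domain) -> bool:
    """True when every flow matched by `inner` is also matched by `outer`."""
    return all(outer.get(f) is None
               or (inner.get(f) is not None and inner[f] == outer[f])
               for f in OF_FIELDS)


def overlaps(a: Domain, b: Domain) -> bool:
    """Two domains can describe the same flow unless a field is fixed differently in both."""
    return all(a.get(f) is None or b.get(f) is None or a[f] == b[f] for f in OF_FIELDS)


def rules_to_delete(flow_rules: List[Domain], new_policy: Policy) -> List[Domain]:
    """Steps S31/S32: installed rules whose match lies inside the new policy's object
    domain; deleting them makes the switch raise Packet-in for those flows again."""
    return [r for r in flow_rules if contained(r, new_policy.obj)]


def validate_policy(new: Policy, existing: List[Policy]) -> Optional[str]:
    """Checks applied when a user issues a policy: returns the reason that is fed back
    to the user, or None when the policy is accepted."""
    if len(set(new.priority.values())) != len(new.priority):
        return "equal priority values inside one policy"
    for old in existing:
        if not overlaps(old.obj, new.obj):
            continue                      # cannot concern the same flow: no conflict
        for t_new, p_new in new.priority.items():
            for t_old, p_old in old.priority.items():
                # Assumed reading of the page's rule: an equal value on two different
                # VSA types would leave the merged VSA order undefined.
                if t_new != t_old and p_new == p_old:
                    return f"{t_new} priority {p_new} equals {t_old} in policy {old.name}"
    return None


def reconstruct(pkt: Domain, policies: List[Policy]) -> Optional[Policy]:
    """Step S34 for one Packet-in; None means 'hand the packet to the Forwarding module'."""
    matched = sorted((p for p in policies if contained(pkt, p.obj)), key=lambda p: p.seq)
    if not matched:
        return None
    prio: Dict[str, int] = {}
    for p in matched:                     # a later policy overrides a same-type priority
        prio.update(p.priority)
    order = sorted(prio, key=lambda t: prio[t], reverse=True)   # largest priority first
    return Policy(name="reconstructed", obj=dict(pkt), vsa_types=order,
                  priority=prio, seq=matched[-1].seq)


# Constructed sample policies: web-server protection issued first, DDoS defence second.
WEB_POLICY = Policy("web", {"nw_proto": "6", "nw_dst": "10.0.0.10", "tp_dst": "80"},
                    ["WAF", "ADS"], {"WAF": 2, "ADS": 1}, seq=1)
DDOS_POLICY = Policy("ddos", {"nw_dst": "10.0.0.10"},
                     ["FW", "ADS"], {"FW": 5, "ADS": 3}, seq=2)
POLICIES = [WEB_POLICY, DDOS_POLICY]
# Rejected: overlaps DDOS_POLICY and gives IDS the same value FW has there.
BAD_POLICY = Policy("bad", {"nw_dst": "10.0.0.10", "tp_dst": "443"}, ["IDS"], {"IDS": 5}, seq=3)
# Constructed installed flow rules (only fixed fields listed; the rest are wildcards).
FLOW_RULES = [{"nw_dst": "10.0.0.10", "tp_dst": "80"}, {"nw_dst": "10.0.0.20"}, {}]

if __name__ == "__main__":
    print(validate_policy(DDOS_POLICY, [WEB_POLICY]))     # None: accepted
    print(validate_policy(BAD_POLICY, POLICIES))           # rejection reason
    print(rules_to_delete(FLOW_RULES, DDOS_POLICY))        # only the first rule
    print(reconstruct(packet(), POLICIES).vsa_types)       # ['FW', 'ADS', 'WAF']
```

The all-wildcard rule in FLOW_RULES is deliberately left installed: its match is wider than the policy's object domain, so it is not "contained" in the policy and deleting it would not be justified by the page's criterion. The web-server packet matches both sample policies, so ADS keeps the value 3 from the newer DDoS policy and the merged sequence is steered FW, ADS, WAF in descending priority.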
In one embodiment, virtualization technology is used to deploy the virtual security devices flexibly, and the virtual security device instance is selected dynamically, according to the security device requirement, the load of the virtual security devices and the real-time link state, to optimize the network flow scheduling route of the security service chain.
In a specific embodiment, to raise the utilization of the VSAs and the efficiency of network flow scheduling, and thereby the utilization of the physical servers that host them, the virtual security devices are deployed flexibly with virtualization technologies such as QEMU or KVM, and the VSA instance is selected dynamically according to the security device requirement, the VSA instance load and the real-time link state to optimize the network flow scheduling route of the security service chain.
The SDN network topology can be represented as G(V, E), where E is the set of edges (links) attached to the switches and V = S ∪ H ∪ D, with S the set of switches, H the set of hosts and D the set of virtual security devices (the security resource pool). The security resource pool is then as follows:
(1) The security resource pool contains several types of security device and can provide several different security capabilities, such as intrusion detection ADS, web protection WAF, firewall FW and so on. A security resource pool with p types of security device is denoted D = {D1, D2, D3, …, Dp}, where p is a positive integer.
(2) Several VSA instances may exist for the same type of security device, Dp = {dp1, dp2, dp3, …, dpq}, where q is a positive integer giving the number of instances. The idle degrees of the memory utilization and of the CPU utilization of any instance are respectively:
Figure BDA0003338596840000121
Figure BDA0003338596840000122
uti, thr respectively represent the current utilization and the utilization threshold, which is determined by the VS instance task requirements.
(3) If the idle degree of the CPU or memory utilization of a certain VSA instance is less than zero, the instance is considered to be overloaded, and a new instance needs to be initialized and accessed into the network.
In one embodiment, the security service chain steers the network flow through a specific sequence of security service nodes within a predetermined delay time.
In one embodiment, the predetermined delay time includes the link transmission delay and the service node processing delay.
In the embodiment of the present invention, the security service chain steers the network flow through the security service nodes in a specific sequence, and the influence of the link transmission delay on data transmission performance must be considered. Delay in a security service chain is of two kinds: link transmission delay and service node processing delay. The service node processing delay is the sum of the delays at the security service nodes, where each packet entering a virtual security device is detected and analyzed accordingly; because the sequence and the type of the virtual security devices inside one service chain are fixed, this delay varies little and is ignored. Taking the average of t randomly measured delays, the link delay can be expressed as:
[equation image BDA0003338596840000131 not reproduced in the text]
A security service chain is described by policies, each of which can be resolved into a security service chain. If, to defend against a DDoS attack, a user needs to construct a policy that schedules a network flow to pass in turn through a web protection device (WAF) and a traffic cleaning device (ADS) for fine-grained security protection, the security service chain corresponding to the policy can be expressed as:
ServiceChain = {(Src, D1, D2, Dst)}, D1 ∈ D, D2 ∈ D   (4)
which can be decomposed into
[equation image BDA0003338596840000132 not reproduced in the text]
three Path subunits:
[equation image BDA0003338596840000133 not reproduced in the text]
Here Path is the scheduling route for one security device type in the current security service chain; the routes are generated in ascending order of VSA priority, and the scheduling route between adjacent virtual security devices is:
[equation image BDA0003338596840000134 not reproduced in the text]
The network flow scheduling node resolves policy_n into the corresponding security service chain.
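The following is an added example of the scheduling step described above (resource pool, idle degree, overload rule, averaged link delay, and decomposition of the chain into Path subunits); it is illustration code and not the patent's or the framework's own implementation. Because the page's idle-degree and link-delay formulas survive only as image references, the example assumes idle degree = (thr - uti) / thr for CPU and memory and link delay = mean of the t measured samples, and it assumes an instance cost of link delay divided by the instance's smaller idle degree so that both busy instances and long links cost more. Instances with a negative idle degree are skipped and reported as needing a new instance. The pool, thresholds and delay samples are constructed.

```python
"""Network flow scheduling for one security service chain (added example).

Assumptions not supplied by the patent text: idle degree = (thr - uti) / thr;
link delay = mean of t samples; instance cost = link delay / min(idle degrees);
instances with a negative idle degree are overloaded and skipped.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass
class VsaInstance:
    name: str        # d_pq in the page's notation, e.g. "WAF-1"
    vsa_type: str    # D_p, e.g. "WAF" or "ADS"
    cpu_uti: float   # current CPU utilization (%)
    cpu_thr: float   # CPU utilization threshold set by the task requirement
    mem_uti: float
    mem_thr: float


def idle_degree(uti: float, thr: float) -> float:
    """Assumed form of the page's idle degree: negative once uti exceeds thr."""
    return (thr - uti) / thr


def is_overloaded(inst: VsaInstance) -> bool:
    """Rule (3) of the page: any negative idle degree means overload."""
    return (idle_degree(inst.cpu_uti, inst.cpu_thr) < 0
            or idle_degree(inst.mem_uti, inst.mem_thr) < 0)


def overloaded_instances(pool: list) -> list:
    """Instances for which a new instance must be initialized and attached."""
    return [d.name for d in pool if is_overloaded(d)]


def link_delay(samples: list) -> float:
    """Average of t randomly measured delays between two adjacent nodes."""
    return mean(samples)


def instance_cost(inst: VsaInstance, delay: float) -> float:
    idle = min(idle_degree(inst.cpu_uti, inst.cpu_thr),
               idle_degree(inst.mem_uti, inst.mem_thr))
    return delay / max(idle, 1e-6)     # guard against idle == 0


def select_instance(pool: list, vsa_type: str, prev_node: str, delays: dict) -> VsaInstance:
    """Pick the cheapest non-overloaded instance of vsa_type reachable from prev_node."""
    best, best_cost = None, None
    for d in pool:
        if d.vsa_type != vsa_type or is_overloaded(d):
            continue
        samples = delays.get((prev_node, d.name))
        if not samples:
            continue                   # no measured link: treat as unreachable
        cost = instance_cost(d, link_delay(samples))
        if best is None or cost < best_cost:
            best, best_cost = d, cost
    if best is None:
        raise LookupError(f"no usable {vsa_type} instance; initialize a new one")
    return best


def schedule_route(vsa_sequence: list, pool: list, delays: dict, src="Src", dst="Dst"):
    """Resolve a VSA sequence into Path subunits (hop pairs) plus the total
    link delay, choosing one instance per security device type in order."""
    route, total, current = [], 0.0, src
    for vsa_type in vsa_sequence:
        chosen = select_instance(pool, vsa_type, current, delays)
        route.append((current, chosen.name))
        total += link_delay(delays[(current, chosen.name)])
        current = chosen.name
    route.append((current, dst))
    total += link_delay(delays[(current, dst)])
    return route, total


# Constructed sample resource pool and delay measurements (ms, t = 3 samples per link).
POOL = [
    VsaInstance("WAF-1", "WAF", cpu_uti=40, cpu_thr=80, mem_uti=50, mem_thr=80),
    VsaInstance("WAF-2", "WAF", cpu_uti=85, cpu_thr=80, mem_uti=30, mem_thr=80),  # overloaded
    VsaInstance("ADS-1", "ADS", cpu_uti=60, cpu_thr=80, mem_uti=70, mem_thr=80),
    VsaInstance("ADS-2", "ADS", cpu_uti=20, cpu_thr=80, mem_uti=30, mem_thr=80),
]
DELAYS = {
    ("Src", "ADS-1"): [1.0, 1.5, 1.25],    ("Src", "ADS-2"): [2.0, 2.5, 2.25],
    ("ADS-1", "WAF-1"): [1.0, 1.0, 1.0],   ("ADS-1", "WAF-2"): [0.5, 0.5, 0.5],
    ("ADS-2", "WAF-1"): [0.5, 0.75, 0.25], ("ADS-2", "WAF-2"): [0.25, 0.25, 0.25],
    ("WAF-1", "Dst"): [0.25, 0.25, 0.25],  ("WAF-2", "Dst"): [0.25, 0.25, 0.25],
}


def run_experiment():
    """Chain from the page's experiment: ADS first, then WAF."""
    return schedule_route(["ADS", "WAF"], POOL, DELAYS)


if __name__ == "__main__":
    print(run_experiment())
    print(overloaded_instances(POOL))
```

On this sample ADS-1 is the nearer instance but is heavily loaded, so ADS-2 wins on cost; WAF-2 is the nearest WAF but its CPU utilization exceeds its threshold, so it is skipped and flagged, and the route becomes Src → ADS-2 → WAF-1 → Dst.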
In one embodiment, the experimental environment is built on a 64-bit Ubuntu server. The policy conflict decision and network flow scheduling mechanisms are implemented by extending the FloodLight switch controller; two virtual switches (Open vSwitch, OVS) are started and connected to the controller, and a web application firewall WAF (serial deployment mode), a traffic cleaning device ADS (bypass deployment mode) and a traffic generator Tester are deployed in the network. The traffic generator simulates a visitor (normal data flow and attack data flow, IP address 3.3.3.1) and a visited host (Web server, IP address 6.6.6.5).
Based on this environment, a distributed denial of service (DDoS) experiment is implemented and tested through the northbound interface exposed by the security service chain framework; the application-layer security requirement is to protect the Web server deployed at 6.6.6.5. The user constructs two security service chains. Policy 1 redirects the access data flow to the WAF to detect abnormal data flows, with VSA priority 10; policy 2 redirects the access data flow to the ADS to clean abnormal data flows, with VSA priority 20. They can be expressed as policy 1 = (policy conflict decision node, access data flow, WAF, 10) and policy 2 = (policy conflict decision node, access data flow, ADS, 20). After policy 1 is automatically orchestrated and deployed, the access data flow is steered to the WAF for anomaly detection. When a DDoS attack data flow (SYN_FLOOD) is mixed into the data flow accessing the Web server, the user inspects the WAF log, finds an abnormal traffic attack, and triggers the issuing of policy 2. Because the VSA priority of policy 2 is greater than that of policy 1, the policy conflict decision algorithm is executed and generates the sub-policy (policy conflict decision node, access data flow, ADS → WAF, 20 → 10) in place of the already issued policy 1 and the newly added policy 2. The network flow scheduling algorithm parses the orchestration result, selects suitable VSA instances, configures their protection policies, updates the policy executor with the ADS and WAF information, and sends the result to the SDN controller, which generates flow instructions and issues them to the switches. The data flow is first steered to the ADS, which cleans the attack traffic; the normal data flow is injected back into the network and forwarded on to the WAF for detection, and at this point no abnormal attack traffic is found.
To measure the time performance of the framework, the time difference between the controller FloodLight receiving each security service chain policy and completing the issuing of the OpenFlow flow table is further counted; each policy is repeated several times and the average value is taken.
The experimental results show that the automatic orchestration and deployment framework for security service chains can accurately detect policy correlation, handle policy conflicts, select VSA instances, configure protection policies, and generate and issue switch flow tables, thereby automating the orchestration and deployment of security service chains in a virtualized environment. The framework also responds at millisecond level: although policy 2 conflicts with the existing policy 1 when it is issued, conflict detection and handling add only a small amount of time; the user's security service chain policies in a real network should nevertheless avoid overly complex associations. Compared with manually deploying security devices and configuring protection policies in a traditional network, the framework has good time performance, greatly reduces manual deployment and operation and maintenance costs, and improves the efficiency of security protection in virtual networks.
The method designs a policy conflict decision algorithm and a network flow scheduling algorithm, resolves policy conflicts by priority to guarantee the correct arrangement of VSA sequences, uses the VSA instance load and the real-time link transmission delay as the basis for network flow scheduling, and provides an elastic and dynamic framework for the automatic orchestration and deployment of security service chains based on SDN/NFV. In a virtualized network such as cloud computing, the security service chain framework can be deployed at the network boundary as a border gateway to protect north-south network flows, or between the VMs of a tenant to protect east-west network flows; it can flexibly and quickly provide deep security protection according to the security requirements of user applications while improving the efficiency of the virtual security devices and the underlying infrastructure.
An embodiment of the present invention provides a security service chain orchestration and deployment system based on software defined NFV, as shown in fig. 5, including:
The acquisition module 1, used to acquire the user's security service requirements. For details, refer to the description of step S1 in the method embodiment above; they are not repeated here.
The construction module 2, used to construct a security service chain policy according to the user's security service requirements. For details, refer to the description of step S2 in the method embodiment above; they are not repeated here.
The orchestration module 3, used to dynamically orchestrate the virtual security devices according to priority. For details, refer to the description of step S3 in the method embodiment above; they are not repeated here.
The analysis module 4, used to schedule the network flow according to the virtual security device instance load and the real-time link transmission delay, and to evaluate an optimal network flow scheduling route. For details, refer to the description of step S4 in the method embodiment above; they are not repeated here.
The processing module 5, used to parse the network flow scheduling route, generate flow instructions and issue them to the switch, redirect the network flow so that it is steered in turn through the corresponding virtual security devices for security protection processing, and deploy the security service chain framework. For details, refer to the description of step S5 in the method embodiment above; they are not repeated here.
An embodiment of the present invention provides a computer device, as shown in fig. 6. The device may include a processor 81 and a memory 82, which may be connected by a bus or by other means; fig. 6 takes a bus connection as the example.
The processor 81 may be a central processing unit (CPU). It may also be another general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination of these.
The memory 82, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs and modules, such as the program instructions/modules corresponding to the embodiments of the present invention. By running the non-transitory software programs, instructions and modules stored in the memory 82, the processor 81 executes the functional applications and data processing of the device, that is, implements the software defined NFV based security service chain orchestration and deployment method of the method embodiment above.
The memory 82 may include a program storage area and a data storage area; the program storage area may store an operating system and an application program required for at least one function, and the data storage area may store data created by the processor 81 and the like. Further, the memory 82 may include high speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device or other non-transitory solid state storage device. In some embodiments, the memory 82 may optionally include memory located remotely from the processor 81 and connected to it via a network. Examples of such networks include, but are not limited to, the internet, intranets, mobile communication networks and combinations thereof.
One or more modules are stored in the memory 82 and, when executed by the processor 81, perform the software defined NFV based security service chain orchestration and deployment method of the embodiments shown in figs. 1-4.
Details of the computer device can be understood by referring to the corresponding descriptions and effects of the embodiments shown in figs. 1-4 and are not repeated here.
Those skilled in the art will understand that all or part of the processes of the method embodiments above can be implemented by a computer program stored in a computer-readable storage medium; when executed, the program can include the processes of the method embodiments above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk drive (HDD) or a solid state drive (SSD), etc.; the storage medium may also comprise a combination of memories of these kinds.
It should be understood that the examples above are given only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description; they need not be, and cannot be, exhaustively listed here, and obvious variations or modifications of the invention may be made without departing from its spirit or scope.

Claims (9)

1. A security service chain orchestration and deployment method based on software defined NFV, characterized by comprising the following steps:
acquiring the security service requirement of a user;
constructing a security service chain policy according to the user's security service requirement;
dynamically orchestrating the virtual security devices according to priority;
performing network flow scheduling according to the virtual security device instance load and the real-time link transmission delay, and evaluating an optimal network flow scheduling route;
parsing the network flow scheduling route, generating flow instructions and issuing them to the switch, redirecting the network flow so that it is steered in turn through the corresponding virtual security devices for security protection processing, and deploying the security service chain framework.
2. The method according to claim 1, wherein dynamically orchestrating the virtual security devices according to priority comprises:
retrieving, on all switches in the network, the currently executed flow rules that cover the network flows corresponding to the 12-tuple in the newly constructed security service chain policy;
deleting those flow rules to trigger Packet-in messages;
monitoring all Packet-in messages;
and reconstructing the corresponding security service chain policies in turn for all network flows described by the Packet-in messages.
3. The security service chain orchestration and deployment method based on software defined NFV according to claim 2, wherein reconstructing the corresponding security service chain policies in turn for all network flows described by the Packet-in messages comprises:
when a Packet-in message is covered by exactly one security service chain policy, directly reconstructing the corresponding security service chain policy for all network flows described by the Packet-in message;
when a Packet-in message is covered by several security service chain policies at the same time, adding those policies to a policy set, and reconstructing the security service chain policy for all network flows described by the Packet-in message based on all policies in the policy set.
4. The security service chain orchestration and deployment method based on software defined NFV according to claim 1, wherein a virtualization technology is used to implement flexible deployment of the virtual security devices, and a virtual security device is selected dynamically according to the security device requirement, the virtual security device load and the real-time link state to complete network flow scheduling route optimization of the security service chain.
5. The security service chain orchestration and deployment method based on software defined NFV according to claim 2, wherein the security service chain steers the network flow through a specific sequence of security service nodes within a preset delay time.
6. The security service chain orchestration and deployment method based on software defined NFV according to claim 5, wherein the preset delay time comprises a link transmission delay and a service node processing delay.
7. A security service chain orchestration and deployment system based on software defined NFV, comprising:
an acquisition module, used to acquire the user's security service requirements;
a construction module, used to construct a security service chain policy according to the user's security service requirements;
an orchestration module, used to dynamically orchestrate the virtual security devices according to priority;
an analysis module, used to schedule the network flow according to the virtual security device instance load and the real-time link transmission delay and to evaluate an optimal network flow scheduling route;
and a processing module, used to parse the network flow scheduling route, generate flow instructions and issue them to the switch, redirect the network flow so that it is steered in turn through the corresponding virtual security devices for security protection processing, and deploy the security service chain framework.
8. A computer-readable storage medium, characterized in that it stores computer instructions for causing a computer to execute the software defined NFV based security service chain orchestration and deployment method according to any of claims 1-6.
9. A computer device, comprising a memory and a processor communicatively connected to each other, the memory storing computer instructions and the processor executing the computer instructions to perform the software defined NFV based security service chain orchestration and deployment method according to any of claims 1-6.
CN202111301566.4A 2021-11-04 2021-11-04 Security service chain arranging and deploying method and system based on software defined network virtualization (NFV) Pending CN114024747A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111301566.4A CN114024747A (en) 2021-11-04 2021-11-04 Security service chain arranging and deploying method and system based on software defined network virtualization (NFV)

Publications (1)

Publication Number Publication Date
CN114024747A true CN114024747A (en) 2022-02-08

Family

ID=80060895

Country Status (1)

Country Link
CN (1) CN114024747A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114785548A (en) * 2022-03-23 2022-07-22 中国人民解放军战略支援部队信息工程大学 Virtual flow anomaly detection method and system based on weighted adaptive ensemble learning and intelligent flow monitoring platform
CN114785548B (en) * 2022-03-23 2024-04-30 中国人民解放军战略支援部队信息工程大学 Intelligent flow monitoring platform
CN116015936A (en) * 2022-12-30 2023-04-25 中国联合网络通信集团有限公司 Security capability arrangement method and device and computer readable storage medium
CN116015936B (en) * 2022-12-30 2024-05-03 中国联合网络通信集团有限公司 Security capability arrangement method and device and computer readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140115578A1 (en) * 2012-10-21 2014-04-24 Geoffrey Howard Cooper Providing a virtual security appliance architecture to a virtual cloud infrastructure
CN108881207A (en) * 2018-06-11 2018-11-23 中国人民解放军战略支援部队信息工程大学 Network safety service framework and its implementation based on security service chain
CN111026525A (en) * 2019-10-30 2020-04-17 哈尔滨安天科技集团股份有限公司 Scheduling method and device of cloud platform virtual diversion technology
CN111683074A (en) * 2020-05-29 2020-09-18 国网江苏省电力有限公司信息通信分公司 NFV-based secure network architecture and network security management method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张奇 (Zhang Qi): "Automatic orchestration and deployment framework for security service chains based on SDN/NFV", 《计算机系统应用》 (Computer Systems & Applications), pages 2-3 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination