Research on SDN-Based Access Network Security Technology
Published: 2019-01-11 07:45
[Abstract]: In recent years, communication network technologies have been developing rapidly, and services built on them keep emerging, raising the demands people place on network bandwidth and speed. The access network sits at the edge of the telecommunications network, and its data transmission rate directly constrains the transmission rate of the whole network; the development of the access network has therefore become an important part of meeting these demands. At present, the most commonly used broadband access technologies include copper access (xDSL) over ordinary local telephone cable, hybrid fiber-coaxial (HFC) access, optical fiber access based on PON, and wireless access based on WLAN. Access methods keep multiplying, giving people more options for connecting to the network for study, work and entertainment. However, while enjoying this great convenience, people also face the new security challenges it brings. The security problems currently found in access networks fall into the following categories: access by unauthorized users; transmission of illegitimate and malicious packets; and eavesdropping, masquerading, denial-of-service attacks and the like. To address them, identity authentication, data encryption, deployment of network security devices, and VPNs are used. Judging from current solutions, however, problems remain, such as the high cost and difficulty of network management and maintenance and unbalanced network load.
To address these problems, this thesis first summarizes the security solutions used in traditional access networks, analyzing in detail their networking methods, the security technologies they use and their application scenarios, and identifies which problems each solution solves and which remain. Then, targeting the unsolved problems and drawing on the characteristics of the new SDN network architecture and its related technologies, it proposes a new solution from the perspective of secure networking, using existing security mechanisms, and describes the solution in detail in terms of its design ideas and data-flow processing strategy. Finally, for the enterprise network / campus network scenario, the new solution is instantiated as an SDN-based IPS deployment scheme. After the data-flow processing strategy and workflow of this instance are introduced, an experimental environment is built from an OpenFlow controller, switches and an intrusion prevention system, verifying the feasibility of the scheme.
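[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TN915.6
Article ID: 2406861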
Article link: https://www.wllwen.com/kejilunwen/wltx/2406861.html