Authors: 吴云坤 姜博 潘瑞萱 刘玉岭 (WU Yunkun; JIANG Bo; PAN Ruixuan; LIU Yuling) (University of Chinese Academy of Sciences, Beijing 100049, China; China Academy of Information and Communications Technology, Beijing 100191, China; Information Engineering University, Zhengzhou 450004, China; Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100190, China)
Affiliations: [1] University of Chinese Academy of Sciences, Beijing 100049 [2] China Academy of Information and Communications Technology, Beijing 100191 [3] Information Engineering University, Zhengzhou 450004 [4] Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100190
Source: Netinfo Security (《信息网络安全》), 2020, No. 8, pp. 37-46 (10 pages)
Funding: National Natural Science Foundation of China [61902427].
Abstract: Software-defined networking (SDN) is a new network architecture that separates logical control from data forwarding. It gives the Internet the ability to evolve smoothly to meet current and future needs, has become a development direction for the future Internet, and offers a new way to approach network security problems. At present, SDN networks lack an effective mechanism for dynamic network access control. This paper therefore proposes a zero-trust based access control method for SDN networks. First, the security concept of "zero trust" is introduced to build a network access control framework for SDN: the framework monitors users' behavior in real time after they join the network, measures their trust, and dynamically adjusts their resource access privileges according to the measurement results. Second, a set of graded user behavior trust metrics for SDN networks is designed; the metrics are chosen from the behavior measures that the southbound protocol OpenFlow can count, so that the metric values are easy to obtain. Third, a user behavior trust measurement algorithm based on cloud theory is designed, together with a behavior-based mechanism for dynamically measuring user trust and a flow-table-based method for controlling access to SDN network resources. Taking the stance of "never trust, always verify", the method periodically and continuously monitors users' behavior in the network and measures their trust value from the behavior data; when a user's trust level drops to untrusted, the SDN controller quickly issues flow table entries that stop the user from continuing to access the network. Finally, simulation experiments verify the effectiveness of the proposed model and method; the results show that the method achieves finer-grained and more dynamic access control.
CLC number: TP309 (Automation and Computer Technology / Computer System Architecture)