SDN分散式防火牆高效規則部署

Abstract

為了保護內部服務和主機不受網絡攻擊，防火牆是過濾網路攻擊封包的重要手段。典型的防火牆部署在內網的入口點。但是，隨著越來越多的雲端和物聯網等，網絡環境變得比以往更加靈活和動態。因此，有必要部署分散式防火牆才可以防護內網足夠的安全性。我們提出在軟件定義的網絡環境中分散式防火牆，並將防火牆規則的佈局表示為整數線性編程問題。儘管如此，整數線性規劃的複雜性通常是NP-Complete的。若是有大量規則或復雜的網絡拓撲，解決線性整數規劃將花費大量時間，這對於管理分散式防火牆是不可行的。因此，我們引入了Resource Constraint Splitting演算法以減少時間複雜度。關鍵步驟是將decision variable分離為不相關的子問題後並行解決。這種分散式防火牆在許多方面都是一項重大改進，包括更低的網路延遲和節省內網流量。 Mininet中的OpenFlow控制器的實驗結果表明，該方法在網絡吞吐量和延遲方面表現出比先前研究中的結果，能提供相同的保護與有更好的網絡性能。

To protect internal services and hosts from network attacks, a firewall is an essential component to enforce security policies on Internet connections. A typical firewall is deployed at the entry point of an autonomous system. However, network environments, such as the Cloud and the IoT, have become much more flexible and dynamic than ever. As a result, it is necessary to deploy a distributed firewall. We present a distributed firewall in a software-defined network environment and formulate the placement of firewall rules as an integer linear programming problem. Nonetheless, the complexity of the integer linear programming is usually NP-complete. With a large number of rules and a complex network topology, solving it will take a huge amount of time, which is infeasible for managing a distributed firewall. As a result, we introduce a resource constraint splitting algorithm to reduce the time complexity. The key idea is to separate the decision variables into disjoint subproblems and to solve them in parallel. This distributed firewall is a substantial improvement in many aspects, including higher levels of security, lower latency, and reduced traffic. Experimental results from an OpenFlow controller in Mininet demonstrate that this approach shows better network performance than that shown in previous studies in terms of network throughput and latency.