Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/74053

Full metadata record (DC field: value [language]; Chinese-language values are given in English translation, personal names excepted)

dc.contributor.advisor: 林宗男
dc.contributor.author: Yu-Wei Chang [en]
dc.contributor.author: 張育維 [zh_TW]
dc.date.accessioned: 2021-06-17T08:18:10Z
dc.date.available: 2024-10-09
dc.date.copyright: 2019-10-09
dc.date.issued: 2019
dc.date.submitted: 2019-08-14
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/74053
dc.description.abstract: To protect internal services and hosts from network attacks, a firewall is an essential means of filtering attack packets. A typical firewall is deployed at the entry point of the internal network. However, with the growth of the Cloud, the IoT and similar environments, networks have become far more flexible and dynamic than before. It is therefore necessary to deploy a distributed firewall to protect the internal network adequately. We propose a distributed firewall in a software-defined network environment and express the placement of firewall rules as an integer linear programming problem. Nevertheless, the complexity of integer linear programming is usually NP-complete. With a large number of rules or a complex network topology, solving the integer linear program takes a great deal of time, which is infeasible for managing a distributed firewall. We therefore introduce the Resource Constraint Splitting algorithm to reduce the time complexity. The key step is to separate the decision variables into disjoint subproblems that are then solved in parallel. This distributed firewall is a substantial improvement in many respects, including lower network latency and savings in internal traffic. Experimental results from an OpenFlow controller in Mininet show that the method outperforms the results of previous studies in network throughput and latency, providing the same protection with better network performance. [zh_TW]
dc.description.abstract: To protect internal services and hosts from network attacks, a firewall is an essential component to enforce security policies on Internet connections. A typical firewall is deployed at the entry point of an autonomous system. However, network environments, such as the Cloud and the IoT, have become much more flexible and dynamic than ever. As a result, it is necessary to deploy a distributed firewall. We present a distributed firewall in a software-defined network environment and formulate the placement of firewall rules as an integer linear programming problem. Nonetheless, the complexity of integer linear programming is usually NP-complete. With a large number of rules and a complex network topology, solving it takes a huge amount of time, which is infeasible for managing a distributed firewall. As a result, we introduce a resource constraint splitting algorithm to reduce the time complexity. The key idea is to separate the decision variables into disjoint subproblems and to solve them in parallel. This distributed firewall is a substantial improvement in many aspects, including higher levels of security, lower latency, and reduced traffic. Experimental results from an OpenFlow controller in Mininet demonstrate that this approach shows better network performance than that shown in previous studies in terms of network throughput and latency. [en]
dc.description.provenance: Made available in DSpace on 2021-06-17T08:18:10Z (GMT). No. of bitstreams: 1; ntu-108-R06942066-1.pdf: 1161354 bytes, checksum: 2842470c83ae2e20944c813edd07f78f (MD5). Previous issue date: 2019 [en]
dc.description.tableofcontents:
Chinese Abstract i
Abstract iii
1 Introduction 1
2 Related Work 3
3 Method 5
3.1 Problem Formulation 5
3.2 Effectiveness of Firewall Rule Placement 6
3.3 Efficiency of Firewall Rule Placement 8
3.4 ILP Formulation 10
3.4.1 Rule Protection Constraint 11
3.4.2 TCAM Limit Constraint 11
3.4.3 Objective Function 12
3.4.4 Changing a Polynomial Constraint to a Linear One 13
3.4.5 Modified Objective Function 14
3.5 Canonical Form of ILP for Firewall Rule Placement 15
3.5.1 Complexity 16
3.6 Resource Constraint Splitting 16
3.6.1 Firewall Rule Splitting 17
3.6.2 TCAM Assignment 17
3.6.3 Formulation of Multiple ILPs 22
3.6.4 Complexity 23
4 Result and Discussion 25
4.1 Network Performance 26
4.2 Computation Time 30
5 Conclusion 33
Bibliography 35
Appendices 39
.1 Proof of the Properties of the Conversion of a Quadratic Function to a Linear One with Additional Constraints 41
.2 Proof of the Properties of the Conversion of a Polynomial Function to a Linear One with Additional Constraints 41
.3 Proof of the Equivalence of the Number of Rule Placements of the Complete ILP with That of RCS 41
dc.language.iso: en
dc.subject: Integer Linear Programming [zh_TW]
dc.subject: Network [zh_TW]
dc.subject: Network Protocol [zh_TW]
dc.subject: Firewall [zh_TW]
dc.subject: Software-Defined Network [zh_TW]
dc.subject: Software-Defined Network [en]
dc.subject: Firewall [en]
dc.subject: Internet [en]
dc.subject: OpenFlow [en]
dc.subject: Integer Linear Programming [en]
dc.title: Efficient Rule Deployment for Distributed Firewalls in SDN [zh_TW]
dc.title: Efficient Algorithm for Distributed Firewall Architecture in SDN Environment [en]
dc.type: Thesis
dc.date.schoolyear: 107-2
dc.description.degree: Master's
dc.contributor.oralexamcommittee: 陳俊良, 鄧惟中, 蔡子傑
dc.subject.keyword: Software-Defined Network, Firewall, Network, Network Protocol, Integer Linear Programming [zh_TW]
dc.subject.keyword: Software-Defined Network, Firewall, Internet, OpenFlow, Integer Linear Programming [en]
dc.relation.page: 42
dc.identifier.doi: 10.6342/NTU201902946
dc.rights.note: Paid authorization (not open access)
dc.date.accepted: 2019-08-14
dc.contributor.author-college: College of Electrical Engineering and Computer Science [zh_TW]
dc.contributor.author-dept: Graduate Institute of Communication Engineering [zh_TW]
Files in this item:
ntu-108-1.pdf, 1.13 MB, Adobe PDF (not authorized for public access)