    Please use this identifier to cite or link to this item: http://nccur.lib.nccu.edu.tw/handle/140.119/109685


    Title: An Adaptive Firewall Rule Automatic Generation Mechanism for Software Defined Networks
    Authors: 張宏慶
    Contributors: Department of Computer Science
    Keywords: Software Defined Networking; Adaptive firewall; Automatic rule generation mechanism; Load balancing; Multi-WAN load balancer
    Date: 2016
    Issue Date: 2017-05-17 15:25:49 (UTC+8)
    Abstract: The results of this research project consist of two parts: (1) an adaptive firewall rule automatic generation mechanism for software defined networks, and (2) an SDN-based multi-WAN load balancer. In the first part, we propose a solution to the heavy workload of the traditional approach, in which firewall rules are configured manually one by one. Using Software Defined Networking (SDN) together with an Intrusion Detection System (IDS), we analyze network traffic log files and aggregate the analysis results to generate firewall rules automatically, which substantially reduces manual configuration, improves network management efficiency and strengthens network security. We also give particular consideration to a common practical situation in which some services need the firewall opened for a short time so that a specific data flow can pass. For such special service requirements we adopt an on-demand concept: when the service needs to pass through the firewall, it first registers the service and its requirements in real time with a trusted node in the network (the SDN cloud server). The system then dynamically adjusts the firewall rules to allow that specific data flow through, and blocks the service again once it has finished. We expect the proposed mechanism to achieve close to 100% automatic generation of firewall rules, improving network management efficiency and strengthening network security. Finally, we validate the effectiveness of the proposed method experimentally in a realistic setting consisting of a server farm, SDN switches, an SDN controller, an SDN cloud server and an IDS server. In the second part, we discuss how enterprises commonly use multiple links for redundancy in their external connectivity and rely on a multi-WAN load balancer to increase bandwidth utilization. However, the number of links remains limited by the vendor's specification and cannot be adjusted flexibly, and the load balancing algorithm can only be designed around network characteristics (such as IP address), weight ratios or round robin, so it cannot make the best decision based on current network conditions. To address this, we propose using, in an SDN environment, the multiple physical ports of a switch to freely adjust the number of external and internal links on demand, no longer limited by vendor specifications, replacing the traditional multi-WAN load balancer with a more flexible network architecture. By collecting information from the switch's physical ports and flow tables, the network condition is evaluated in real time to optimize the benefit of load balancing. We build an actual SDN environment with KVM, OpenvSwitch and a POX controller on Linux servers to validate the effectiveness of the proposed method. Experimental results show that, compared with the Round Robin load balancing algorithm, the proposed load balancing algorithm for the multi-WAN load balancer improves average bandwidth utilization by about 25% and reduces packet loss by about 17.5% in the best case.
    The results of the research project consist of two parts: (a) "SDN Adaptive Firewall Automatic Rules Generation" and (b) "SDN based Multi-WAN Load Balancer". As to the "SDN Adaptive Firewall Automatic Rules Generation", we proposed an SDN Adaptive Firewall Automatic Rules Generation Mechanism to deal with the inefficiency of the traditional manual approach to setting firewall rules. We employed SDN together with an Intrusion Detection System (IDS) to analyze packet flow logs and then generate firewall rules automatically. This approach is able to replace the manual setting approach and enhance network management efficiency and network security. In the real world, we sometimes need to admit a specific traffic flow by opening the firewall for that service for a set time. We use the concept of on-demand: if a specific service needs to pass through a firewall, it sends a registration request to a trusted node on the network (e.g. the SDN cloud server). If the request is accepted, the system opens the firewall for this service to allow the specific traffic to pass through for a set time. The service is then blocked once the time expires. The aim of this mechanism is to achieve close to 100% automatic firewall rule setting to enhance network management efficiency. The proposed method is verified by experiments in an environment of a server farm, SDN switches, an SDN controller, an SDN cloud server and an IDS server. As to the "SDN based Multi-WAN Load Balancer", many enterprises use multiple links to access the external network to assure fault tolerance, and use a multi-WAN load balancer to manage those links to enhance bandwidth utilization. However, the number of links is fixed and the load balancing algorithm is hard coded by the manufacturer. The algorithm is usually not able to adapt to network traffic conditions to optimize the load balance among physical links. With the advance of network function virtualization, we proposed a virtualized multi-WAN load balancer, named SDAW (Software Defined Adaptive WAN), based on SDN. Since each SDN switch is equipped with multiple physical ports, SDAW is able to dynamically configure the number of virtualized multi-WAN and multi-LAN links to adapt to traffic demands. SDAW is no longer limited to a hard coded specification and is able to optimize the effectiveness of load balancing.
    Relation: MOST 104-2221-E-004-003
    Data Type: report
    Appears in Collections: [Department of Computer Science] National Science Council Research Projects

    Files in This Item:

    File                        Description    Size      Format       View/Open
    104-2221-E-004-003.pdf                     4485 Kb   Adobe PDF    409 View/Open

