
Research And Implementation Of Security Enhancement Scheme Based On SDN

Posted on: 2019-01-07 | Degree: Master | Type: Thesis
Country: China | Candidate: Y G Wang | Full Text: PDF
GTID: 2428330572950222 | Subject: Computer application technology

Abstract/Summary:
With the rapid development of the Internet, the quantity and scale of enterprise networks have expanded. Traditional campus networks have encountered difficulties in network management, capacity expansion, and security. Software-defined networking (SDN) is currently recognized as the next generation of intelligent, programmable networking architecture. The separation of its control plane and data plane makes network management easy, so more and more campus networks are built on SDN. However, SDN-based networks still have many security issues that need to be solved urgently.

First, based on an analysis of the traditional campus network architecture and its security solution, the SDN-based campus network security model (SDN-CNSM) is designed around the unique advantages of SDN. SDN-CNSM improves the traditional network security architecture: campus network security is divided into two parts, control plane security and data plane security, which are studied in detail. This addresses the lack of a security architecture for SDN-based campus networks.

Secondly, this paper makes an in-depth study of the most commonly used component of the SDN-CNSM security model, the virtual local area network (VLAN). We mainly study dynamic VLAN assignment based on the user's identity. The scheme ensures that a user is dynamically assigned a VLAN based on their identity after they log in successfully. For this purpose, this paper designs and implements user identity management and authentication software. In order to integrate the VLAN module well with other modules, the flow table in the switch is managed in a block-chain fashion: each function occupies one flow table block, and all flow table blocks constitute a one-way linked list. With this block-chain structure it is easy to implement the traditional Port-VLAN, MAC-VLAN, and inter-VLAN communication functions, allowing more options for VLAN configuration. Compared with traditional VLAN configuration, it solves the problems of user mobility and automatic VLAN configuration.

Then, this paper studies and implements a distributed packet-filtering firewall. By adding firewall rules to the firewall block of the block-chain structure, each switch becomes a firewall. For unified management of the firewalls, the paper also combines the three-layer topology structure and proposes an approach for managing distributed firewalls in groups. The firewalls are divided into 3 groups: the access group, aggregation group, and core group. From a system perspective, VLANs isolate users into groups, and the inter-VLAN communication function makes it possible for completely isolated user groups to communicate with each other. Furthermore, the distributed firewall filters packets of users in the same or different VLANs, isolating users in a more refined way.

Finally, this paper designs and implements a graphical interface for network management. Administrators can view the current VLAN and firewall status and manage user identities on the web page. We can set the rules for VLAN communication, firewalls and firewall groups, and deliver firewall rules. All configuration data is stored in the database synchronously and is automatically delivered by the controller to the switches after the switches restart. This paper also sets up a typical campus network by combining the open-source SDN controller (Ryu) and the topology simulation software (Mininet). All functions designed in this paper have been tested. The tests reached the expected results, verifying the correctness of the design.
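The block-chained flow-table pipeline, identity-based dynamic VLAN assignment, inter-VLAN communication policy and group-managed distributed firewall described above, modelled as an added example in plain Python. This is not the thesis's code and it does not use Ryu or OpenFlow; it only mirrors the structure: each function owns one flow-table block, the blocks form a one-way linked list (the role OpenFlow's goto_table instruction plays on a real switch), and a firewall rule delivered to a group lands on every switch in that group. The switch ids, group names, MAC addresses, VLAN numbers and the identity-to-VLAN policy are all constructed for the demo.

```python
# Added illustration, not the thesis's code: switch ids, group names, MACs and VLAN numbers are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

@dataclass
class Packet:
    dpid: str                        # switch the packet entered
    in_port: int
    src_mac: str
    dst_mac: str
    dst_port: int = 0
    src_vlan: Optional[int] = None   # filled in by the VLAN block
    dst_vlan: Optional[int] = None
Rule = Callable[[Packet], Optional[str]]   # "drop" ends the pipeline, None falls through to the next rule

class FlowTableBlock:
    """One function's block of the flow table; next_block links the blocks into a one-way list."""
    def __init__(self, name: str):
        self.name, self.rules, self.next_block = name, [], None

    def process(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule(pkt) == "drop":
                return f"drop:{self.name}"
        return self.next_block.process(pkt) if self.next_block else "forward"

class Switch:
    def __init__(self, dpid: str, group: str):
        self.dpid, self.group = dpid, group        # group: access, aggregation or core
        names = ("vlan", "inter-vlan", "firewall", "forwarding")
        self.blocks = {n: FlowTableBlock(n) for n in names}
        chain = [self.blocks[n] for n in names]
        for block, nxt in zip(chain, chain[1:]):   # chain the blocks in pipeline order (goto_table)
            block.next_block = nxt
        self.head = chain[0]

class Controller:
    IDENTITY_VLAN = {"student": 10, "staff": 20, "server": 30}   # constructed identity-to-VLAN policy

    def __init__(self):
        self.switches: Dict[str, Switch] = {}
        self.port_vlan: Dict[Tuple[str, int], int] = {}   # static Port-VLAN entries
        self.mac_vlan: Dict[str, int] = {}                 # MAC-VLAN entries, written at login
        self.allowed_pairs: Set[frozenset] = set()         # permitted inter-VLAN communication

    def add_switch(self, dpid: str, group: str) -> None:
        sw = Switch(dpid, group)
        sw.blocks["vlan"].rules.append(self._vlan_rule)
        sw.blocks["inter-vlan"].rules.append(self._inter_vlan_rule)
        self.switches[dpid] = sw
    def login(self, mac: str, identity: str) -> None:      # VLAN follows the identity, not the port
        self.mac_vlan[mac] = self.IDENTITY_VLAN[identity]
    def logout(self, mac: str) -> None: self.mac_vlan.pop(mac, None)
    def allow_inter_vlan(self, a: int, b: int) -> None: self.allowed_pairs.add(frozenset((a, b)))

    def add_firewall_rule(self, group: str, rule: Rule) -> None:
        for sw in self.switches.values():   # distributed firewall: the rule goes to every switch in the group
            if sw.group == group:
                sw.blocks["firewall"].rules.append(rule)

    def _vlan_rule(self, pkt: Packet) -> Optional[str]:
        pkt.src_vlan = self.mac_vlan.get(pkt.src_mac) or self.port_vlan.get((pkt.dpid, pkt.in_port))
        pkt.dst_vlan = self.mac_vlan.get(pkt.dst_mac)   # MAC-VLAN lookup only; an unknown dst stays None
        return None if pkt.src_vlan else "drop"          # neither logged in nor on a static-VLAN port

    def _inter_vlan_rule(self, pkt: Packet) -> Optional[str]:
        if pkt.dst_vlan is None or pkt.src_vlan == pkt.dst_vlan:
            return None
        return None if frozenset((pkt.src_vlan, pkt.dst_vlan)) in self.allowed_pairs else "drop"
    def send(self, dpid: str, **fields) -> str:
        return self.switches[dpid].head.process(Packet(dpid=dpid, **fields))

def deny_port(dst_port: int) -> Rule:
    """Packet-filter rule for the firewall block: drop traffic to one destination port."""
    return lambda pkt: "drop" if pkt.dst_port == dst_port else None
ALICE, BOB, SRV, GUEST = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03", "00:00:00:00:00:99"

def run_demo() -> Dict[str, str]:
    c = Controller()
    for dpid, group in (("s1", "access"), ("s2", "aggregation"), ("s3", "core")):
        c.add_switch(dpid, group)
    c.port_vlan[("s1", 4)] = 10                                # lab port hard-wired to the student VLAN
    c.login(ALICE, "student"); c.login(BOB, "staff"); c.login(SRV, "server")
    c.allow_inter_vlan(10, 30); c.allow_inter_vlan(20, 30)     # users reach servers, not each other
    c.add_firewall_rule("access", deny_port(23))               # telnet blocked on the access group only
    out = {
        "student_to_staff": c.send("s1", in_port=1, src_mac=ALICE, dst_mac=BOB, dst_port=445),
        "student_to_server_http": c.send("s1", in_port=1, src_mac=ALICE, dst_mac=SRV, dst_port=80),
        "student_telnet_via_access": c.send("s1", in_port=1, src_mac=ALICE, dst_mac=SRV, dst_port=23),
        "student_telnet_via_core": c.send("s3", in_port=1, src_mac=ALICE, dst_mac=SRV, dst_port=23),
        "port_vlan_host_to_staff": c.send("s1", in_port=4, src_mac=GUEST, dst_mac=BOB, dst_port=80),
        "unauthenticated_host": c.send("s1", in_port=5, src_mac=GUEST, dst_mac=SRV, dst_port=80),
    }
    c.logout(ALICE)                                            # identity gone, so the VLAN is gone too
    out["student_after_logout"] = c.send("s1", in_port=1, src_mac=ALICE, dst_mac=SRV, dst_port=80)
    return out
```

Calling `run_demo()` returns a verdict per constructed packet and shows the ordering the block chain imposes: an unauthenticated host is dropped in the VLAN block before any firewall rule is consulted, a student reaching a staff host is stopped by the inter-VLAN block even though no firewall rule mentions it, and the same telnet packet is dropped on the access-group switch but forwarded on the core switch, because the rule was delivered only to the access group. The logout case is the mobility point from the abstract: once the identity mapping is removed, the host's port alone no longer grants it a VLAN.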
Keywords/Search Tags:SDN, Campus Network Security, VLAN, Distributed Firewall