
The Optimization Design And Implementation Of An SDN Security Controller

Posted on: 2016-10-18 | Degree: Master | Type: Thesis
Country: China | Candidate: X T Wen | Full Text: PDF
GTID: 2298330467991830 | Subject: Electronics and Communications Engineering
Abstract/Summary:
Software-defined networking (SDN) has reshaped the form of existing networks. Its features of centralized control, decoupling of the control and data planes, and programmability will have a far-reaching impact on the future development of network technology. From the security point of view, key features of SDN such as centralized control and the openness of its APIs bring significant challenges, while also providing highly flexible mechanisms, including centralized monitoring, analysis and response, that bring new ideas to traditional security applications.

Applying the idea of data-control decoupling to security, the project team of "Research of SDN Network Security" designed and implemented a software-defined security infrastructure. The core of the infrastructure is the Security Controller, which orchestrates the various components of the SDN network to provide coordinated protection. Although the original system implements a variety of functions for SDN security scenarios, its architecture, functions and performance cannot fully meet the needs of software-defined security.

By investigating the demands of SDN security, this paper concludes the following: adopting a distributed design is efficient in easing the performance bottleneck caused by centralized control; intrusion detection and traffic monitoring mechanisms based on OpenFlow can take advantage of SDN to achieve improvements in algorithms and performance; and application interfaces should be provided in flexible and open ways in order to meet the various needs of SDN security, thus proposing "Security as a Service".

Building on these research results, this paper presents an optimization design for the original Security Controller system in terms of architecture, performance and functions: it implements a distributed transformation based on message-oriented middleware to achieve scalability and decoupling; solves the performance bottleneck in processing large-scale data in real-time scenarios by introducing Storm, a stream computing framework; improves the mechanism of detecting rules for security applications, making the interfaces for security applications more flexible; and implements an optimized DDoS detection algorithm based on the adaption and a port scan detection mechanism based on statistical characteristics of OpenFlow. Finally, through a variety of comparison experiments, we proved that the distributed modification and the functional optimizations bring considerable performance improvement to the original system, and that the intrusion detection mechanism based on OpenFlow flow statistics has advantages over a traditional IDS.
Keywords/Search Tags: software-defined, networking security, optimization, distributed system, intrusion detection