Research Of Malicious Data Flow Control Technology Based On SDN Controller

Posted on: 2017-01-01 | Degree: Master | Type: Thesis
Country: China | Candidate: B S Chen | Full Text: PDF
GTID: 2308330485984722 | Subject: Software engineering
Abstract/Summary:
Software-defined networking (SDN) originated in network research at Stanford University and, as the technology has developed, has gradually been put into use in industry. SDN is a new kind of network architecture that divides the traditional network architecture into a control layer, a data layer and an application layer. The layers communicate through interfaces, which gives the architecture strong flexibility. The technology has been researched and applied in routing decisions, network virtualization, wireless access, cloud computing data center networks and other areas, and SDN is becoming a hot spot of current technology. However, SDN faces security threats, including threats to the controller, threats to the southbound interface, threats to the northbound interface, and so on. Strengthening the security of SDN is therefore the starting point of our research. Given the potential security threats to the SDN controller, we hope to explore controller security in depth and eventually produce a more robust controller product suitable for commercial use. The goal of this paper is to realize effective defense against malicious data flows, with further research aimed mainly at malicious network data flow control technology for SDN.

The main research contents of the thesis are as follows:

(1) Combining theory and practice, the work uses Mininet, which can integrate switches and the controller, as the experimental environment, and the source code of Floodlight, a controller that has been widely accepted by the industry, as the code base. We analyse existing problems in the SDN controller by studying the source code and each Floodlight module, and then customize our own security module. The security module enforces access control lists on switching equipment, which can effectively block malicious data and greatly improve the security of the controller, yielding an enterprise OpenFlow controller. The design of the security module involves two aspects: one is the firewall handling of data flows, the other is the matching between access rules and data flows. The security module also provides a REST API for upper-layer applications and other security application modules to invoke.

(2) Finally, this paper tests the functions, the REST API and the performance of the malicious data flow control system. The function test verifies the correctness of basic functions such as adding and deleting firewall rules. The REST API test verifies whether the REST API provided by the security module can be called correctly. The performance test verifies whether adding the malicious data flow control system affects the operating efficiency of the original Floodlight controller.
Keywords/Search Tags:Controller, malicious data flow control technology, SDN, OpenFlow, Floodlight