Automatic Scheduling Deployment Framework For Security Service Chain Based On SDN/NFV

Posted on: 2018-09-08
Degree: Master
Type: Thesis
Country: China
Candidate: Q Zhang
GTID: 2348330563452657
Subject: Computer technology

Abstract/Summary:
Cloud computing, as a new technology trend, is flexible and scalable, and undertakes data storage, computing, applications and many other important tasks. With the rapid development of cloud computing, network attacks have become more advanced and faster, and traditional security solutions cannot adapt to the new attacks, which poses great challenges for cloud computing and other virtualized network environments. With the rapid development of software-defined networking (SDN) and network function virtualization (NFV), how to combine the two and reconcile them with traditional network security solutions, so as to achieve better protection and improve the flexibility and efficiency of security protection, has become an urgent problem.

Based on the service chain concept of traditional networks and on the software-defined security network architecture, this paper studies the strategy of dynamically arranging virtual security service nodes in a virtualized network environment. It extends the attribute-based access control strategy to describe the data flows and virtual security appliances in the network, and dynamically constructs the mapping between network flows and virtual security devices according to the security requirements of users, forming a personalized security service chain. To this end, this paper proposes an automatic scheduling and deployment framework for the security service chain based on SDN/NFV. The framework constructs the security service chain according to the strategy, arranges virtualized security appliances (VSAs) according to VSA priority to resolve policy conflicts, and, when dispatching security resources, chooses the instance with the minimal CPU usage and memory usage among virtual security appliances of the same type, so that the load of same-type virtual security devices in the security resource pool is balanced. Finally, the network traffic flow is redirected to traverse the required virtual security appliance instances, so that a security service chain is built dynamically and automatically according to security requirements.

To verify the feasibility and validity of the framework, it is designed and implemented on the open source controller FloodLight, and the Mininet simulation tool is used to create a virtualized network environment based on the FloodLight controller and the virtual security devices. The experimental results show that, compared with the existing security service chain mechanism, the mechanism proposed in this paper can effectively resolve policy conflicts and so ensure the correct arrangement of the security service nodes. At the same time, it balances the load of same-type virtual security devices and improves the efficiency of security resource scheduling. Finally, the practical value and significance of this research are presented through a Web protection solution based on the security service chain framework.
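The chain-construction steps summarized in the abstract (attribute-based matching of a flow to VSA types, ordering by VSA priority, then picking the least-loaded instance of each type) can be sketched as follows. This is an added example, not code from the thesis: the priority values, the load score (CPU% + memory%), and all names and sample data are assumptions.

```python
from dataclasses import dataclass

# Assumed priority table (lower runs earlier); the abstract gives no values.
VSA_PRIORITY = {"firewall": 1, "ids": 2, "waf": 3}

@dataclass
class Instance:          # one VSA instance in the security resource pool
    name: str
    vsa_type: str
    cpu: float           # CPU usage, percent
    mem: float           # memory usage, percent

@dataclass
class Policy:            # attribute-based rule: flow attributes -> VSA types
    match: dict
    services: list

def matches(policy, flow):
    """A policy applies when every attribute it names equals the flow's value."""
    return all(flow.get(k) == v for k, v in policy.match.items())

def build_chain(flow, policies, pool):
    """Return the ordered instance names the flow must traverse."""
    wanted = {s for p in policies if matches(p, flow) for s in p.services}
    unknown = wanted - VSA_PRIORITY.keys()
    if unknown:
        raise ValueError(f"no priority defined for {sorted(unknown)}")
    chain = []
    # Conflicting orderings across policies are settled by VSA priority.
    for vsa_type in sorted(wanted, key=VSA_PRIORITY.__getitem__):
        candidates = [i for i in pool if i.vsa_type == vsa_type]
        if not candidates:
            # Fail closed: never steer a flow past a required but missing VSA.
            raise LookupError(f"no {vsa_type} instance in the pool")
        # Assumed load score: CPU% + memory%; name breaks ties deterministically.
        chain.append(min(candidates, key=lambda i: (i.cpu + i.mem, i.name)).name)
    return chain

# Constructed sample data, not taken from the thesis.
POOL = [Instance("fw-1", "firewall", 70, 40), Instance("fw-2", "firewall", 20, 30),
        Instance("ids-1", "ids", 35, 50),
        Instance("waf-1", "waf", 60, 60), Instance("waf-2", "waf", 55, 20)]
POLICIES = [Policy({"tenant": "A", "dst_port": 80}, ["waf", "firewall"]),
            Policy({"tenant": "A"}, ["ids", "firewall"]),
            Policy({"tenant": "B"}, ["firewall"])]
WEB_FLOW = {"tenant": "A", "dst_port": 80, "src_ip": "10.0.0.5"}
```

For `WEB_FLOW`, two policies match and list the firewall in different positions; the priority table yields one order, and the lighter instance of each type is chosen.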
Keywords/Search Tags:Cloud Computing, virtualization, security service chain, policy conflicts, virtualized security appliance