
Research On Micro-Segmentation Technology For Virtualized Environment

Posted on: 2020-04-17
Degree: Master
Type: Thesis
Country: China
Candidate: Y F You
Full Text: PDF
GTID: 2428330596475086
Subject: Computer Science and Technology

Abstract/Summary:
With the development of virtualization technology, more and more enterprises have moved away from the original hardware-server deployment strategy and adopted data center virtualization. Virtualization improves resource utilization and reduces cost, but it also brings new security issues, for example isolation problems between virtual machines and the difficulty of inspecting east-west traffic. A traditional security device at the network boundary controls the only channel between the internal and external network, and the internal network is treated as trusted. Once the boundary firewall is compromised, the internal hosts are completely exposed to the attacker and the entire internal network is effectively lost. How to strengthen the security protection of east-west traffic is therefore an urgent problem in the field of network virtualization security.

In response to these problems, researchers abroad have proposed the concept of Micro-segmentation, which aims at fine-grained security protection of the traffic inside and across the virtual network. Building on existing Micro-segmentation solutions, this thesis studies Micro-segmentation protection technology based on the virtual switch. The main research contents and results are as follows:

1. Analysis of the deficiencies of existing solutions. The traffic redirection ("drainage") method consumes bandwidth resources and easily becomes a single point of failure and a bottleneck that limits network performance; the host agent method competes with the guest's own programs for system resources and depends strongly on the guest operating system.

2. A Micro-segmentation scheme based on the OpenFlow protocol is proposed, built on a large layer-2 virtual network (which supports virtual machine hot migration). First, the connection relationships among virtual hosts are obtained by analyzing the persistent flow tables. Second, the Micro-segmentation partition is computed with an improved MCL algorithm, and virtual machines in the same group are moved to the same compute node through hot migration, which improves performance. Finally, the intra-domain host connectivity relationships are combined with the predefined service information of the virtual machines to derive the Micro-segmentation policy, which is then deployed to protect east-west traffic while keeping output performance high.

3. A virtualized management system is built and Micro-segmentation protection is implemented using the Open vSwitch switch, the Ryu framework and other technologies. To make functional and performance testing easier, a three-tier application scenario similar to a data center business environment is deployed.

4. Extensive experimental verification shows that the prototype system built on this technical solution solves the problem of overly coarse and inflexible isolation granularity in traditional networks, greatly limits the attack surface, blocks the lateral spread of attacks, and delivers better overall performance than existing solutions.

The Micro-segmentation method and the prototype system proposed in this thesis provide strong support for security protection among virtual machines in existing virtualized network environments.
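The pipeline described in point 2 (persistent flow tables, a host connectivity graph, MCL clustering, and a policy that combines connectivity with predefined service information) is shown end to end below as an added example written for this page; it is not the thesis's prototype or the Ryu/Open vSwitch code it describes. It uses the standard Markov Cluster (MCL) procedure rather than the thesis's improved variant, a simplified flow-entry representation instead of a real Open vSwitch flow dump, and constructed sample addresses, ports and packet counts. The rendered rule strings follow ovs-ofctl add-flow match syntax.

```python
"""Added example (not from the thesis): flow tables -> VM connectivity graph ->
MCL clustering -> per-segment allow-list, with a default-drop rule."""
from collections import defaultdict

# Constructed sample: simplified persistent flow entries as a controller might
# have learned them. Addresses, ports and packet counts are made up.
SAMPLE_FLOWS = [
    {"nw_src": "10.0.0.1",  "nw_dst": "10.0.0.2",  "nw_proto": 6, "tp_dst": 8080, "n_packets": 500},
    {"nw_src": "10.0.0.2",  "nw_dst": "10.0.0.3",  "nw_proto": 6, "tp_dst": 3306, "n_packets": 300},
    {"nw_src": "10.0.0.10", "nw_dst": "10.0.0.11", "nw_proto": 6, "tp_dst": 443,  "n_packets": 900},
    {"nw_src": "10.0.0.10", "nw_dst": "10.0.0.11", "nw_proto": 6, "tp_dst": 22,   "n_packets": 7},
    {"nw_src": "10.0.0.11", "nw_dst": "10.0.0.12", "nw_proto": 6, "tp_dst": 5432, "n_packets": 200},
]

# Constructed "predefined service information": (proto, port) pairs each VM is
# declared to serve. 10.0.0.11 does not declare port 22, so that observed flow
# must not become an allow rule.
SAMPLE_SERVICES = {
    "10.0.0.2":  {(6, 8080)},
    "10.0.0.3":  {(6, 3306)},
    "10.0.0.11": {(6, 443)},
    "10.0.0.12": {(6, 5432)},
}

PROTO_NAMES = {6: "tcp", 17: "udp"}


def build_graph(flows):
    """Undirected host-connectivity graph: hosts that exchanged packets are adjacent."""
    adj = defaultdict(set)
    for f in flows:
        if f["n_packets"] <= 0:  # idle entry: no evidence of a relationship
            continue
        adj[f["nw_src"]].add(f["nw_dst"])
        adj[f["nw_dst"]].add(f["nw_src"])
    return adj


def _normalise_columns(m):
    n = len(m)
    for j in range(n):
        s = sum(m[i][j] for i in range(n))
        if s:
            for i in range(n):
                m[i][j] /= s


def mcl(adj, inflation=2.0, max_iter=100, eps=1e-6, member_threshold=1e-3):
    """Standard MCL: expand (matrix square), inflate (elementwise power, then
    column-normalise), repeat until the matrix stops changing. Returns a list of
    frozensets, one per segment."""
    nodes = sorted(adj)
    idx = {h: i for i, h in enumerate(nodes)}
    n = len(nodes)
    m = [[0.0] * n for _ in range(n)]
    for u in nodes:
        m[idx[u]][idx[u]] = 1.0  # self-loops keep the random walk from oscillating
        for v in adj[u]:
            m[idx[v]][idx[u]] = 1.0
    _normalise_columns(m)
    for _ in range(max_iter):
        sq = [[sum(m[i][k] * m[k][j] for k in range(n)) for j in range(n)] for i in range(n)]
        for i in range(n):
            for j in range(n):
                sq[i][j] **= inflation
        _normalise_columns(sq)
        delta = max(abs(sq[i][j] - m[i][j]) for i in range(n) for j in range(n))
        m = sq
        if delta < eps:
            break
    # Attractors are rows with a positive diagonal; the support of such a row is a cluster.
    clusters, seen = [], set()
    for i in range(n):
        if m[i][i] > member_threshold:
            members = frozenset(nodes[j] for j in range(n)
                                if m[i][j] > member_threshold and nodes[j] not in seen)
            if members:
                clusters.append(members)
                seen |= members
    return clusters


def derive_policy(flows, clusters, services):
    """Allow an observed flow only if both hosts share a segment and the destination
    declares that service; everything else falls through to the drop rule.
    (Stateless: a production deployment also needs reverse rules or OVS conntrack
    for reply traffic, which is omitted here.)"""
    segment_of = {h: i for i, c in enumerate(clusters) for h in c}
    rules = []
    for f in flows:
        src, dst = f["nw_src"], f["nw_dst"]
        same_segment = src in segment_of and segment_of[src] == segment_of.get(dst)
        declared = (f["nw_proto"], f["tp_dst"]) in services.get(dst, set())
        if same_segment and declared:
            rules.append({"priority": 100, "nw_src": src, "nw_dst": dst,
                          "nw_proto": f["nw_proto"], "tp_dst": f["tp_dst"], "action": "allow"})
    rules.append({"priority": 0, "action": "drop"})
    return rules


def is_allowed(rules, src, dst, proto, port):
    """Highest-priority matching rule decides, as in an OpenFlow table."""
    for r in sorted(rules, key=lambda r: -r["priority"]):
        if r["priority"] == 0:
            return r["action"] == "allow"
        if (r["nw_src"], r["nw_dst"], r["nw_proto"], r["tp_dst"]) == (src, dst, proto, port):
            return r["action"] == "allow"
    return False


def render_ovs(rules):
    """Render rules as ovs-ofctl add-flow match strings (table 0 assumed)."""
    out = []
    for r in sorted(rules, key=lambda r: -r["priority"]):
        if r["priority"] == 0:
            out.append("priority=0,ip,actions=drop")
        else:
            out.append("priority=%d,%s,nw_src=%s,nw_dst=%s,tp_dst=%d,actions=normal" % (
                r["priority"], PROTO_NAMES[r["nw_proto"]], r["nw_src"], r["nw_dst"], r["tp_dst"]))
    return out


if __name__ == "__main__":
    segments = mcl(build_graph(SAMPLE_FLOWS))
    for line in render_ovs(derive_policy(SAMPLE_FLOWS, segments, SAMPLE_SERVICES)):
        print(line)
```

With the sample data MCL separates the two application stacks into two segments, and the policy contains four allow rules plus the default drop: the observed but undeclared port 22 flow inside the second segment is left out, and any cross-segment east-west traffic hits the drop rule. Deriving rules only from observed flows means a legitimate service that happened to be idle during the learning window will be blocked, so the learning period and the predefined service list should be checked together before deployment.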
Keywords/Search Tags: Micro-segmentation, OpenFlow, Open vSwitch, Ryu