基于软件定义网络的IaaS虚拟机通信访问控制方法

doi:10.11772/j.issn.1001-9081.2015.05.1262

计算机应用 ›› 2015, Vol. 35 ›› Issue (5): 1262-1266.DOI: 10.11772/j.issn.1001-9081.2015.05.1262

基于软件定义网络的IaaS虚拟机通信访问控制方法

韩贞阳, 陈兴蜀, 胡亮, 陈林

四川大学计算机学院, 成都 610065

收稿日期:2014-11-24 修回日期:2015-01-08 出版日期:2015-05-10 发布日期:2015-05-14
通讯作者: 陈兴蜀
作者简介:韩贞阳(1988-),男,河南商丘人,硕士研究生,主要研究方向:云计算网络; 陈兴蜀(1968-),女,四川成都人,教授,博士生导师,博士,主要研究方向:信息安全、计算机网络、云计算; 胡亮(1990-),男,四川成都人,硕士研究生,主要研究方向:云计算安全; 陈林(1983-),男,四川宜宾人,博士研究生,主要研究方向:云计算安全.
基金资助:
国家科技支撑计划项目(2012BAH18B05).

Communication access control method based on software defined networking for virtual machines in IaaS platforms

HAN Zhenyang, CHEN Xingshu, HU Liang, CHEN Lin

College of Computer Science, Sichuan University, Chengdu Sichuan 610065, China

Received:2014-11-24 Revised:2015-01-08 Online:2015-05-10 Published:2015-05-14

摘要/Abstract

摘要：

针对云计算基础设施即服务(IaaS)平台所面临的虚拟机网络通信访问控制问题,提出了一种可适于IaaS平台的虚拟机通信访问控制方法.该通信访问控制方法基于软件定义网络(SDN),实现针对虚拟机通信的L2~L4层访问控制.实验结果表明:该通信访问控制方法能够有效实现对租户虚拟机通信的灵活访问控制,保障IaaS平台中租户网络的安全.

关键词: 软件定义网络, 访问控制, 云计算, 基础设施即服务, 防火墙

Abstract:

Concerning the problem that the network access control of Virtual Machines (VM) in the cloud computing Infrastructure as a Service (IaaS) platforms, a method of communication access control for VM in IaaS platforms was proposed. The method based on Software Defined Networking (SDN) was realized to customize the communication access control rules from Layer 2 to Layer 4. The experimental results show that the method can manage communication access permissions of tenants' VM flexibly, and ensure the security of tenants' network.

Key words: Software Defined Networking (SDN), access control, cloud computing, Infrastructure as a Service (IaaS), firewall

中图分类号:

TP393.02

韩贞阳, 陈兴蜀, 胡亮, 陈林. 基于软件定义网络的IaaS虚拟机通信访问控制方法[J]. 计算机应用, 2015, 35(5): 1262-1266.

HAN Zhenyang, CHEN Xingshu, HU Liang, CHEN Lin. Communication access control method based on software defined networking for virtual machines in IaaS platforms[J]. Journal of Computer Applications, 2015, 35(5): 1262-1266.

参考文献

[1] MELL P, GRANCE T. The NIST definition of cloud computing, NIST SP 800-145[R]. Gaithersburg: National Institute of Standards and Technology, 2011: 1-7.
[2] ONF Market Education Committee. Software-defined networking: the new norm for networks[M]. Palo Alto, California: Open Networking Foundation, 2012:1-12.
[3] ETSI. Network function virtualization introductory white paper [EB/OL]. [2014-08-10]. http://portal.etsi.org/nfv/nfv_white_paper.pdf.
[4] JANSEN W, GRANCE T. Guidelines on security and privacy in public cloud computing, NIST SP 800-144[J]. Gaithersburg: National Institute of Standards and Technology, 2011:23-24.
[5] ARCHER J, BOEHM A. Security guidance for critical areas of focus in cloud computing v3.0[R/OL].[2014-06-20].https://cloudsecurityalliance.org/csaguide.pdf.
[6] CATTEDDU D, HOGBEN G. Cloud computing: information assurance framework[C/OL] .[2014-06-20].http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework.
[7] VMware, Inc. Next generation security with VMware NSX and Palo Alto networks VM-series [EB/OL]. [2014-09-20]. http://www.vmware.com/files/pdf/products/nsx/NSX-Palo-Alto-Networks-WP.pdf.
[8] Internetworking task groups of IEEE 802.1. 802.1Qbg-edge virtual bridging [EB/OL]. [2014-12-31].http://www.ieee802.org/1/pages/ 802.1bg.html.
[9] Internetworking task groups of IEEE 802.1. 802. 1BR-bridge port extension [EB/OL]. [2014-12-31].http://www.ieee802.org/1/ pages/802.1br.html.
[10] TANG H, WANG J. Access control method: China, 103701822A[P] . 2014-04-02.(唐焕焕, 王军林. 访问控制方法: 中国, 103701822A[P] . 2014-04-02) .
[11] Open Netwroking Foundation. OpenFlow switch specification 1.3.1[EB/OL]. [2014-08-01].https://www.opennetworking.org/images/stories/downloads/specification/openflow-spec-v1.3.1.pdf.
[12] MAHALINGAM M, DUTT D, DUDA K, et al. VxLAN: a framework for overlaying virtualized layer 2 networks over layer 3 networks[EB/OL]. [2014-08-01]. http://tools.ietf.org/html/draft-mahalingam-dutt-dcops-vxlan-04.
[13] SRIDHARAN M, WANG Y, GRAG P, et al. NVGRE: network virtualization using generic routing encapsulation [EB/OL]. [2014-08-01]. http://tools.ietf.org/html/draft-sridharan-virtualization-nvgre-03.
[14] DAVIE B. STT: a stateless transport tunneling protocol for network virtualization[EB/OL]. [2014-08-15]. http://tools.ietf.org/html/draft-davie-stt-03.
[15] CHEN L, CHEN X, JIANG J, et al. The research and practice of dynamic network security architecture for IaaS platform[J]. Tsinghua Science and Technology, 2014, 19(5):496-507.
[16] THAMES J L, ABLER R, KEELING D. A distributed firewall and active response architecture providing preemptive protection[C]// Proceedings of the 46th Annual Southeast Regional Conference on XX. New York: ACM, 2008: 220-225.

基于软件定义网络的IaaS虚拟机通信访问控制方法

Communication access control method based on software defined networking for virtual machines in IaaS platforms

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	葛纪红, 沈韬. 基于区块链的能源数据访问控制方法[J]. 计算机应用, 2021, 41(9): 2615-2622.
[2]	杜心雨, 王化群. LTE-A网络中基于动态组的有效的身份认证和密钥协商方案[J]. 计算机应用, 2021, 41(6): 1715-1722.
[3]	陈家豪, 殷新春. 基于云雾计算的可追踪可撤销密文策略属性基加密方案[J]. 计算机应用, 2021, 41(6): 1611-1620.
[4]	葛丽娜, 胡雨谷, 张桂芬, 陈园园. 云计算环境基于客体属性匹配的逆向混合访问控制方案[J]. 计算机应用, 2021, 41(6): 1604-1610.
[5]	许红亮, 杨桂芹, 蒋占军. 基于软件定义网络的数据中心自适应多路径负载均衡算法[J]. 计算机应用, 2021, 41(4): 1160-1164.
[6]	杨翎, 姜春茂. 基于三支决策的虚拟机节能迁移策略[J]. 计算机应用, 2021, 41(4): 990-998.
[7]	包玉龙, 朱雪阳, 张文辉, 孙鹏飞, 赵颖琪. 物联网应用中访问控制智能合约的形式化验证[J]. 计算机应用, 2021, 41(4): 930-938.
[8]	孙晓玲, 杨光, 沈焱萍, 杨秋格, 陈涛. 基于可拆分倒排索引的可搜索加密方案[J]. 《计算机应用》唯一官方网站, 2021, 41(11): 3288-3294.
[9]	陈港, 孟相如, 康巧燕, 阳勇. 基于拓扑分割与聚类分析的虚拟软件定义网络映射算法[J]. 《计算机应用》唯一官方网站, 2021, 41(11): 3309-3318.
[10]	李莉, 杨鸿飞, 董秀则. 基于身份多条件代理重加密的文件分级访问控制方案[J]. 《计算机应用》唯一官方网站, 2021, 41(11): 3251-3256.
[11]	吕佳玉, 竺智荣, 姚志强. 云计算环境下的双通道数据动态加密策略[J]. 计算机应用, 2020, 40(8): 2268-2273.
[12]	王海勇, 潘启青, 郭凯璇. 基于区块链和用户信用度的访问控制模型[J]. 计算机应用, 2020, 40(6): 1674-1679.
[13]	朱梦迪, 束永安. 软件定义网络中控制数据平面一致性的验证[J]. 计算机应用, 2020, 40(6): 1751-1754.
[14]	陈程军, 毛莺池, 王绎超. 基于激活-熵的分层迭代剪枝策略的CNN模型压缩[J]. 计算机应用, 2020, 40(5): 1260-1265.
[15]	郭曙杰, 李志华, 蔺凯青. 云环境下基于模糊隶属度的虚拟机放置算法[J]. 计算机应用, 2020, 40(5): 1374-1381.