Taiwan National Digital Library of Theses and Dissertations
Student: 鍾銘煌
Student (English): Ming-Huang Chung
Title (Chinese): 以SDN為基礎之網路邊界存取控制系統實作
Title (English): Implementation of Network Boundary Access Control System based on SDN
Advisor: 高勝助
Committee members: 廖宜恩, 張阜民
Defense date: 2017-06-28
Degree: Master
Institution: National Chung Hsing University
Department: Department of Computer Science and Engineering
Discipline: Engineering
Field: Electrical and Information Engineering
Thesis type: Academic thesis
Year of publication: 2017
Graduation academic year: 105
Language: Chinese
Pages: 46
Keywords (Chinese): 軟體定義網路, OpenFlow, 網路邊界存取控制
Keywords (English): SDN, OpenFlow, Network Boundary Access Control
Statistics:
  • Cited by: 0
  • Views: 639
  • Rating:
  • Downloads: 0
  • Bookmarked: 0
In recent years the Internet of Things and wireless access technologies such as WiFi, 3G and 4G have developed rapidly, and wired and wireless devices of every kind now fill local area networks, so enterprise LANs face the problem of managing a complex population of terminal devices. Security management of internal-to-internal and internal-to-external traffic in particular is technically hard to handle, and the security challenges facing traditional networks will only grow more severe. To improve LAN security effectively, this thesis proposes a Network Boundary Access Control System (NBACS) based on the SDN OpenFlow protocol. The system comprises the development and implementation of a device authentication module, an access control list management module and a time management module. Using SDN, it adopts a strategy of centralized control and distributed enforcement, managing the access rights of legitimate and illegitimate devices on the internal network starting at the network boundary.
Functionally, the device authentication component uses IP and MAC addresses as the basis for identifying legitimate devices; when an illegitimate device intrudes into the internal network, this module can block it and record information such as the intruding device's location and time. The access control list management component defines in advance the internal-to-internal and internal-to-external access control policies for legitimate devices, stores them in the NBACS database, and deploys the corresponding Access Control List (ACL) rules into each boundary switch, achieving network security control for legitimate devices. The main purpose of the time management module is to control the connection time of devices on the internal network: we use the OpenFlow Hard Timeout field to implement a time-control mechanism for networked devices, which can restrict a terminal device's network access to a given period. In this system the control plane is the NBACS controller, which manages the SDN switches and terminal devices in a centralized way, while on the data plane the access control of packet forwarding between terminal devices is enforced by the boundary switches in a distributed manner, thereby strengthening the LAN's security management measures and making access management on the internal network more rigorous.
More and more next-generation network technologies and devices, such as IoT, WiFi, 3G and 4G, have been developed and deployed in enterprise LANs. The enterprise network environment is accompanied by the problem of managing a complex population of terminal devices. In particular, we now face many new security challenges with traditional network management systems. In this study, based on Software-Defined Networking (SDN) and the OpenFlow protocol, we develop a Network Boundary Access Control System (NBACS). NBACS consists of a Device Authentication module, a Network Access Control List Management module and a Time Management module. By adopting SDN technology and applying central control together with distributed policy filters, we are able to manage network device access effectively from the network boundary.
Among the core NBACS modules, the Device Authentication module uses IP and MAC addresses to identify legal devices. When an illegal device enters the internal network, the system can detect and stop it and record its position and timestamp. The Access Control List Management module predefines both internal-to-internal and internal-to-external access control rules and installs them in all SDN switches for the purpose of security control. The Time Management module is responsible for managing the connection duration of internal devices; using the Hard Timeout field in OpenFlow, for instance, we can easily restrict the connection time interval of a terminal device. The control plane of NBACS has a controller, and on the data forwarding plane NBACS applies distributed policies to boundary switches to control network packets among network devices. NBACS enhances LAN security management control measures and strengthens network access management.
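As an added illustration (not the thesis's own code, which is not on this page), the following Python models the decision the three NBACS modules make for one packet-in: device authentication on the (IP, MAC) pair, the internal/external ACL lookup, and a hard_timeout derived from the device's permitted time window. The device list, policies, windows, the `at()` clock helper and the flow-entry dictionary shape are constructed assumptions; a real deployment would emit the entries as OpenFlow flow-mod messages from the controller.

```python
from datetime import datetime, time

# Constructed sample data (not from the thesis): legal devices are identified
# by their (IP, MAC) pair, as in the Device Authentication module.
LEGAL_DEVICES = {("10.0.0.1", "00:00:00:00:00:01"),
                 ("10.0.0.2", "00:00:00:00:00:02")}
INTERNAL_PREFIX = "10.0.0."
# ACL Management: per-device internal/external policy, as stored in the NBACS DB.
ACL = {("10.0.0.1", "internal"): "allow", ("10.0.0.1", "external"): "deny",
       ("10.0.0.2", "internal"): "allow", ("10.0.0.2", "external"): "allow"}
# Time Management: permitted daily window (start, end) per device.
TIME_WINDOWS = {"10.0.0.1": (time(8, 0), time(18, 0)),
                "10.0.0.2": (time(0, 0), time(23, 59, 59))}
intrusion_log = []  # (ip, mac, switch port, timestamp) of blocked unknown devices

def at(hour, minute=0):
    """Constructed clock value (the thesis's defense date) for the examples."""
    return datetime(2017, 6, 28, hour, minute)

def seconds_until_window_end(ip, now):
    """Seconds left in the device's permitted window, 0 when outside it."""
    start, end = TIME_WINDOWS[ip]
    if not start <= now.time() <= end:
        return 0
    remaining = int((datetime.combine(now.date(), end) - now).total_seconds())
    # OpenFlow's hard_timeout is a uint16; a longer window is renewed on the
    # next packet-in, which re-runs decide() and checks the window again.
    return min(remaining, 65535)

def drop_entry(match, hard_timeout=0):
    # hard_timeout=0 means "never expires" in OpenFlow, so a block stays until
    # the controller removes it; a nonzero value makes the switch re-ask later.
    return {"match": match, "actions": [], "hard_timeout": hard_timeout}

def decide(src_ip, src_mac, dst_ip, in_port, now):
    """Flow entry the boundary switch should install for this packet-in."""
    # Device Authentication: unknown (IP, MAC) -> block it and log where/when it appeared.
    if (src_ip, src_mac) not in LEGAL_DEVICES:
        intrusion_log.append((src_ip, src_mac, in_port, now.isoformat()))
        return drop_entry({"eth_src": src_mac, "ipv4_src": src_ip})
    # ACL Management: internal-to-internal vs. internal-to-external policy.
    scope = "internal" if dst_ip.startswith(INTERNAL_PREFIX) else "external"
    match = {"ipv4_src": src_ip, "ipv4_dst": dst_ip}
    if ACL.get((src_ip, scope), "deny") != "allow":
        return drop_entry(match)
    # Time Management: the switch itself expires the entry when the window closes.
    remaining = seconds_until_window_end(src_ip, now)
    if remaining == 0:
        return drop_entry(match, 60)  # re-evaluated once the window may have opened
    return {"match": match, "actions": ["OUTPUT:NORMAL"], "hard_timeout": remaining}
```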
Table of Contents
Abstract (Chinese) i
Abstract ii
Table of Contents iv
List of Figures vi
List of Tables vii
Chapter 1 Introduction 1
1.1 Research Background and Motivation 1
1.2 Contributions 3
1.3 Thesis Organization 3
Chapter 2 Related Work 5
2.1 Software-Defined Networking (SDN) 7
2.2 OpenFlow Protocol 8
2.2.1 Introduction to the Flow Table 10
2.2.2 Multiple Flow Table Applications 11
2.3 Controller 12
2.4 Open vSwitch 13
Chapter 3 System Architecture and Design 14
3.1 NBACS System Architecture and Functional Flow 15
3.1 ACL Management Function 18
3.2 Time Management Function 18
3.3 Device Authentication Function 19
Chapter 4 System Implementation and Analysis 21
4.1 Experimental Environment Setup 22
4.1.1 Installing Mininet and Open vSwitch 23
4.1.2 Installing the Ryu Controller 25
4.2 Experimental Topology 25
4.3 ACL Management Function Verification 26
4.4 Time Management Function Verification 29
4.5 Device Authentication Function Verification 32
4.6 NBACS System Performance Tests 36
4.6.1 Latency Tests 37
4.6.2 Throughput Tests 39
Chapter 5 Conclusions and Future Work 43
References 45