Research on network security service chain technology of data center in coal mine enterprise
-
摘要: 目前,煤矿企业生产网络和数据中心之间的网络安全设备大多采用串行部署方式,存在单点故障、链路瓶颈、运维耦合等问题。针对上述问题,研究了基于软件定义网络(SDN)的煤矿企业数据中心网络安全服务链技术。设计了煤矿企业数据中心安全设备并行部署方式,在物理拓扑上串入1台服务功能链(SFC)交换机,将各安全设备接入SFC交换机,通过SDN控制器控制安全设备及经过SFC交换机的流量,通过SFC交换机定期向安全设备发送检测报文来实现安全设备健康状况检测,并根据配置实现安全设备故障、升级、增加情况下的SDN安全服务链,保障安全设备无感知上下线。测试结果表明,该技术支持安全服务资源的可视化灵活调度,可按需启用/停用服务链上安全服务或配置不同优先级的服务链,在安全设备故障情况下可自动更新安全服务路径,且丢包率低,实现了无感知切换。Abstract: At present, most of the network security equipment between the production network and data center of coal mine enterprises are deployed in serial mode. This mode has the problems of single point of failure, link bottleneck, and operation and maintenance coupling. In order to solve the above problems, the network security service chain technology of data center in coal mine enterprise based on software defined network (SDN) is studied. The parallel deployment mode of the security equipment of the data center in coal mine enterprise is designed as follows. A service function chain (SFC) switch is connected in series on the physical topology. All security equipment is connected to the SFC switch. The SDN controller is used to control security equipment and flow through the SFC switch. The SFC switch regularly sends detection messages to the security equipment to detect the health status of the security equipment. According to the configuration, the SDN security service chain in the case of security equipment failure, upgrade or increase is realized. This chain ensures that the security equipment is not aware of online and offline. The test results show that the technology supports the visual and flexible scheduling of security service resources. The technology can enable/disable security services on service chains or configure service chains with different priorities according to needs. The technology can automatically update security service paths in the case of security equipment failure. The technology has low packet loss rate and realizes unaware switching.
-
图 1 煤矿企业数据中心网络安全设备串行部署方式
Figure 1. Serial deployment mode of network security equipment of data center in coal mine enterprise
图 2 煤矿企业数据中心网络安全设备并行部署方式
Figure 2. Parallel deployment mode of network security equipment of data center in coal mine enterprise
图 3 SDN安全服务链测试环境
Figure 3. Test environment for software defined network(SDN) security service chain
图 4 SFC交换机定义及设备连线
Figure 4. Definition of service function chaining(SFC) switch and equipment connection
图 9 FW[1]异常时左安全服务链流量处理过程
Figure 9. Traffic processing process of left security service chain when FW[1] is abnormal
图 10 WAF[2]异常时右安全服务链流量处理过程
Figure 10. Traffic processing process of right security service chain when WAF[2] is abnormal
-
[1] 王国法,任怀伟,赵国瑞,等. 煤矿智能化十大“痛点”解析及对策[J]. 工矿自动化,2021,47(6):1-11.WANG Guofa,REN Huaiwei,ZHAO Guorui,et al. Analysis and countermeasures of ten 'pain points' of intelligent coal mine[J]. Industry and Mine Automation,2021,47(6):1-11. [2] 张林杰,李倩,贾哲,等. 基于SDN/NFV的安全服务链构建技术[J]. 无线电工程,2018,48(11):938-943. doi: 10.3969/j.issn.1003-3106.2018.11.06ZHANG Linjie,LI Qian,JIA Zhe,et al. Technology of security service chain construction based on SDN/NFV[J]. Radio Engineering,2018,48(11):938-943. doi: 10.3969/j.issn.1003-3106.2018.11.06 [3] 张奇. 基于SDN/NFV的安全服务链自动编排部署框架[J]. 计算机系统应用,2018,27(3):198-204. doi: 10.15888/j.cnki.csa.006090ZHANG Qi. Automatic scheduling deployment framework for security service chain based on SDN/NFV[J]. Computer Systems & Applications,2018,27(3):198-204. doi: 10.15888/j.cnki.csa.006090 [4] 周凯. 基于SDN安全服务链的研究与设计[J]. 网络安全技术与应用,2020(7):13-14. doi: 10.3969/j.issn.1009-6833.2020.07.010ZHOU Kai. Research and design of security service chain based on SDN[J]. Network Security Technology & Application,2020(7):13-14. doi: 10.3969/j.issn.1009-6833.2020.07.010 [5] 裘国星. 基于SDN服务链的云技术数据中心安全防护[J]. 科学技术创新,2020(16):76-77. doi: 10.3969/j.issn.1673-1328.2020.16.041QIU Guoxing. Security protection of cloud technology data center based on SDN service chain[J]. Scientific and Technological Innovation,2020(16):76-77. doi: 10.3969/j.issn.1673-1328.2020.16.041 [6] 陈子建. 软件定义光网络及OpenFlow扩展研究[D]. 南京: 南京邮电大学, 2019.CHEN Zijian. Research on software defined optical network and OpenFlow extension[D]. Nanjing: Nanjing University of Posts and Telecommunications, 2019. [7] 刘艺. 面向SDN网络的安全服务链映射与调整方法研究[D]. 郑州: 中国人民解放军战略支援部队信息工程大学, 2019.LIU Yi. Research on security service chain embedding and adjusting methods oriented to SDN network[D]. Zhengzhou: Information Engineering University, 2019. [8] 团哲恒. 基于FPGA的SDN交换机设计实现[D]. 南京: 东南大学, 2019.TUAN Zheheng. Design and implementation of SDN switch based on FPGA[D]. Nanjing: Southeast University, 2019. [9] 孟庆月. SDN网络南向安全防护系统研究与实现[D]. 北京: 北京邮电大学, 2019.MENG Qingyue. Research and implementation of SDN southbound security protection system[D]. Beijing: Beijing University of Posts and Telecommunications, 2019. [10] 常甫. OpenFlow交换机的远程配置与管理系统设计与实现[D]. 北京: 北京邮电大学, 2019.CHANG Fu. The design and implementation of a remote configuration and management system for OpenFlow switches[D]. Beijing: Beijing University of Posts and Telecommunications, 2019. [11] 徐俭. 基于SDN服务链的云平台数据中心安全技术探究[C]//第17届全国互联网与音视频广播发展研讨会暨第26届中国数字广播电视与网络发展年会论文集, 济南, 2018: 153-159.XU Jian. Research on security technology of cloud platform data center based on SDN service chain[C]//The 17th National Symposium on the Development of Internet and Audio and Video Broadcasting and the 26th China Digital Radio, Television and Network Development Annual Conference, Jinan, 2018: 153-159. [12] 蒋华,闫一凡,鞠磊. 可信服务链安全架构研究[J]. 计算机应用研究,2018,35(4):1159-1164. doi: 10.3969/j.issn.1001-3695.2018.04.042JIANG Hua,YAN Yifan,JU Lei. Research on secure framework for trusted service chain[J]. Application Research of Computers,2018,35(4):1159-1164. doi: 10.3969/j.issn.1001-3695.2018.04.042 -
下载:
点击查看大图
计量
- 文章访问数: 157
- HTML全文浏览量: 26
- PDF下载量: 19
- 被引次数: 0
