Chapter 5 Conclusion
National Chengchi University
5.1 Summary
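This thesis introduced software-defined networking (SDN) and firewall technologies and their current state, and on that basis implemented an automated firewall. Using the characteristics of SDN, the switch is given a learning capability: during an observation period it automatically learns the characteristics of the traffic passing through it and adds them to the switch rules, and once the observation period ends it blocks all other traffic. In addition, to extend the automated firewall, we proposed an intrusion detection system and an on-demand registration mechanism. The intrusion detection system gives the internal network tighter protection and can block a threat as soon as it is detected. The on-demand registration mechanism provides a designated host on which users register, which effectively reduces manual work. Finally, we introduced a load-balancing mechanism that collects data on the switches' physical ports and flow entries and balances load according to actual usage, effectively improving network utilization.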
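For the experiments, this thesis also described in detail the overall hardware architecture and the software used, along with the installation and operating steps. Finally, the implementation verified the feasibility of each function proposed in this thesis, including the automated firewall, the intrusion detection system, and the on-demand registration mechanism. Actual measurements show that the proposed load-balancing architecture effectively improves overall network utilization: in the best case it raises average bandwidth utilization by 25% and reduces the packet loss rate by 17.5%.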
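The learn-then-block behaviour summarized above can be modelled in a few lines. This is an added example, not the thesis's controller code: the flow key fields, the rule priorities, the 60-second window and the sample packets are all assumptions constructed for illustration.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    # Assumed match fields; the thesis only says "traffic characteristics".
    src: str
    dst: str
    proto: str
    dport: int

class LearningFirewall:
    """Allowlist every flow seen during the observation window, then default-deny."""

    def __init__(self, start, window):
        self.deadline = start + window
        self.allowed = {}  # flow -> packets seen while learning

    def handle(self, ts, flow):
        """Return 'learn', 'allow' or 'drop' for a packet seen at time ts."""
        if ts < self.deadline:
            # Anything seen now is trusted later, so the window must cover
            # only known-good traffic or the allowlist inherits the bad flow.
            self.allowed[flow] = self.allowed.get(flow, 0) + 1
            return "learn"
        return "allow" if flow in self.allowed else "drop"

    def rules(self):
        """Switch-style table: one forward rule per learned flow, then a catch-all drop."""
        table = [(100, f, "forward") for f in sorted(self.allowed)]
        table.append((0, None, "drop"))  # lowest priority (hypothetical values)
        return table

# Constructed sample traffic: (timestamp in seconds, flow)
WEB = Flow("10.0.0.5", "10.0.0.80", "tcp", 80)
DNS = Flow("10.0.0.5", "10.0.0.53", "udp", 53)
SSH = Flow("10.0.0.9", "10.0.0.80", "tcp", 22)
PACKETS = [(1.0, WEB), (2.0, DNS), (3.5, WEB), (60.0, WEB), (61.0, SSH), (62.0, DNS)]

def replay(packets=PACKETS, start=0.0, window=60.0):
    fw = LearningFirewall(start, window)
    return fw, [fw.handle(ts, flow) for ts, flow in packets]

if __name__ == "__main__":
    fw, verdicts = replay()
    for (ts, flow), verdict in zip(PACKETS, verdicts):
        print(f"{ts:5.1f}s {tuple(flow)} -> {verdict}")
    for prio, match, action in fw.rules():
        print(prio, tuple(match) if match else "*", action)
```

The table returned by `rules()` grows by one entry per distinct learned flow, which is the rule-count growth that the future-work section identifies as a lookup-time concern.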
5.2 Future Research Directions
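This thesis proposed an architecture for an automated firewall but gave little consideration to performance. As network environments grow more complex and firewall rules multiply, how to manage automatically learned rules effectively, so that the ever-growing number of rules does not lengthen flow-table lookup time, is a direction for further study. For the intrusion detection system, misjudgment has always been difficult to overcome completely; how to combine the network information that SDN can collect with the intrusion detection system to make more accurate judgments and avoid the problems that misjudgment causes is another area for further study. As for the load-balancing mechanism, the method adopted in this thesis collects the relevant information, but the links that can back each other up are all configured manually; how to discover routes effectively and find backup paths automatically is a further topic for future research.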