
Journal of Shandong University (Natural Science) ›› 2016, Vol. 51 ›› Issue (3): 98-103. doi: 10.6040/j.issn.1671-9352.2.2015.325


An efficient virtualization-based multilevel network security interconnection mechanism

WU Huan1, ZHAN Jing1,2,3*, ZHAO Yong1,2,3, TAO Zheng1, YANG Jing1

  1. College of Computer Science, Beijing University of Technology, Beijing 100124, China; 2. Beijing Key Laboratory of Trusted Computing, Beijing 100124, China; 3. National Engineering Laboratory for Critical Technologies of Information Security Classified Protection, Beijing 100124, China
  • Received: 2015-08-17 Online: 2016-03-20 Published: 2016-04-07
  • Corresponding author: ZHAN Jing (1982— ), female, Ph.D., lecturer; research interest: network security. E-mail: zhanjing@bjut.edu.cn E-mail: 851471784@qq.com
  • About the first author: WU Huan (1990— ), male, master's student; research interests: network security, industrial control security. E-mail: 851471784@qq.com
  • Funding:
    Specialized Research Fund for the Doctoral Program of Higher Education (20131103120001)

An efficient multilevel interconnection network security mechanism based on virtualization

WU Huan1, ZHAN Jing1,2,3*, ZHAO Yong1,2,3, TAO Zheng1, YANG Jing1   

  1. College of Computer Science, Beijing University of Technology, Beijing 100124, China;
    2. Beijing Key Laboratory of Trusted Computing, Beijing 100124, China;
    3. National Engineering Laboratory for Critical Technologies of Information Security Classified Protection, Beijing 100124, China
  • Received: 2015-08-17 Online: 2016-03-20 Published: 2016-04-07

Abstract (Chinese): For high-security-level information system networks in industrial control environments, this paper combines the ideas of the physical GAP (network isolation gatekeeper) and the virtual firewall and proposes an efficient virtualization-based multilevel network security interconnection mechanism built on Xen shared memory. According to the security requirements of the information system and the needs of different application services, an enterprise can deploy virtual machine templates with different security policies; the inter-VM shared memory mechanism is used to simulate the dedicated transmission medium of a physical GAP, which improves the performance of security isolation while still guaranteeing a high level of security. This provides a new direction for the development of GAP devices.

Key words (Chinese): multilevel network security interconnection, Xen shared memory, industrial control network, GAP, traffic filtering

Abstract: For high-security-level information system networks such as industrial control environments, a new multilevel interconnection network security mechanism based on Xen shared memory is proposed, drawing on the ideas of the GAP (physical network isolation gatekeeper) and the virtual firewall. According to the security requirements of the information system and the needs of different business applications, enterprises can apply virtual machine templates that each carry their own security policies, and inter-VM shared memory is used to simulate the dedicated transmission medium of a GAP. This improves the performance of security isolation while maintaining high security, and provides a new idea for the development of GAP devices.

Key words: multistage interconnection network security, GAP, traffic filtering, industrial control network, Xen shared memory

CLC number: TP393.1