Configuring security policies rationally is crucial: maintaining appropriate reachability not only ensures normal operation but also blocks unnecessary communication. As the number and variety of network security devices grow, quantifying network reachability under the constraints of various security policies has become a research hotspot. Researchers have made great efforts on this difficult problem, but several challenging issues remain. First, existing research covers only security policies in the form of ACLs, which are widely implemented in firewalls and routers; in practice, other security policies that are not in ACL form, such as those of NAT, PAT and IPS systems, are also widely deployed. Without comprehensive consideration of all forms of policy, current network reachability models cannot reveal all the factors that affect reachability in a real network. Second, for lack of a unified query language, it is hard to translate a user's query request into a formal search over the network reachability model, and the query process is still not efficient. Third, existing optimization of network reachability does not yield a globally optimal solution. In this project we address these issues on the foundation of our preliminary study. First, we propose a network reachability model based on multi-source, multi-form security policies to describe network reachability comprehensively and accurately. Second, we define a structured reachability query language and design an efficient query processing algorithm and a reachability fault location algorithm to provide a practical and efficient reachability query mechanism. Third, we study the mutual constraints between security policies and systematically analyze the chain effect on reachability when a security policy changes. We then design network reachability global optimization algorithms and a security policy deployment algorithm that reduce redundant traffic while ensuring moderate reachability. The project will provide efficient, practical technical solutions for security policy deployment and network device configuration.
Configuring security policies rationally gives the network an appropriate degree of reachability, which both guarantees normal business operation and avoids unnecessary communication. As the number and variety of deployed network security devices grow, studying network reachability under the constraints of security policies has become a research hotspot and a difficult problem. Existing research, however, mainly targets security policies in ACL form in devices such as firewalls and routers: the modeled policy form is single, user query requests are hard to describe uniformly, efficient query methods are lacking, and global optimization of network reachability is not considered. Building on the project team's earlier results, this project plans to incorporate non-ACL security policies from systems such as NAT, PAT and IPS and propose a reachability model based on multi-source, multi-form security policies that describes network reachability more comprehensively and accurately; to study a structured reachability query language and propose an efficient query processing algorithm and a reachability fault location algorithm, providing an efficient and practical reachability query mechanism; and to study the mutual constraints between security policies, analyze their cross-effects when a security policy changes, and propose a network reachability global optimization algorithm and a security policy deployment algorithm that keep the network moderately reachable while reducing redundant traffic, providing efficient and feasible technical solutions for security policy deployment and network device configuration.
As network devices keep increasing and network scale keeps growing, modeling and quantifying the reachability of an entire network has become a research hotspot and a difficult problem. Verifying network reachability through efficient reachability queries, using the query results to intelligently locate defects in security policy configuration, and then optimizing security policy configuration and network performance has significant theoretical value and application prospects.

Building on the project team's earlier results, the project incorporated non-ACL security policies such as those of NAT, PAT, intrusion protection and traffic monitoring services and proposed a network reachability model based on multi-form security policies, which describes network reachability more comprehensively and accurately; studied a structured reachability query language and proposed an efficient query processing algorithm, a fault location algorithm and a reachability query mechanism; and studied the mutual constraints between security policies, analyzed their cross-effects when a security policy changes, and proposed a network reachability global optimization algorithm and a security policy deployment algorithm that keep the network moderately reachable while reducing redundant traffic.

The research content and technical targets required by the project proposal have been completed, several key technologies have been mastered, and the expected results have been achieved. In network reachability modeling and quantification, a new data structure and an efficient redundant-policy cutting algorithm, SPRR, were proposed; in network reachability querying, a fast and scalable IP lookup engine and efficient query algorithms were proposed; in network reachability optimization, a method for bidirectional removal of redundant ACL rules in high-throughput cooperative firewalls, a new security policy compression method, Diplomat, and a new security policy placement strategy were proposed.

With the support of this project, team members published or had accepted 45 papers, of which 23 are SCI-indexed and 36 are EI-indexed (source); 8 invention patents were applied for, 2 were granted, and 4 software copyrights were registered. Four team members went abroad for cooperative exchanges, and 9 scholars from countries including the United States, Australia and Japan were invited to Hunan University for academic exchange. Four team members passed their doctoral dissertation defenses and 10 students passed their master's defenses.

Based on the multiple forms of network security policy present in networks, this project modeled, quantified, queried and optimized network reachability while screening out the effects of network delay, packet loss and similar factors, so that the results reflect the actual state of the network. The results provide a complete solution for quantifying, querying and optimizing network reachability, and offer new ideas and methods for network management and optimization.
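The abstract and the results summary above both make two points that are easiest to see in code: an ACL-only reachability model gives a wrong answer once a NAT device sits on the path, and redundant ACL rules can be found by checking whether an earlier rule already covers a later one under first-match semantics. The following is an added illustration written for this page, not the project's own model, SPRR, or Diplomat. The toy network (an edge ACL, a static destination NAT, an inner ACL) and all addresses in it are constructed for the example; a flow is reduced to (source, destination, destination port) and each device either rewrites or filters it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """A packet header as it appears at some point on the path."""
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class AclRule:
    action: str           # "permit" or "deny"
    src: str              # CIDR prefix
    dst: str              # CIDR prefix
    dport: Optional[int]  # None means any destination port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == f.dport))

    def covers(self, other: "AclRule") -> bool:
        """True if every header matched by `other` is also matched by self."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and (self.dport is None or self.dport == other.dport))


class Acl:
    """First-match ACL with an implicit deny, as on a firewall or router."""
    def __init__(self, rules):
        self.rules = list(rules)

    def apply(self, f: Flow) -> Optional[Flow]:
        for r in self.rules:
            if r.matches(f):
                return f if r.action == "permit" else None
        return None


class DestinationNat:
    """Static destination NAT: rewrites the destination, never drops."""
    def __init__(self, mapping):
        self.mapping = dict(mapping)

    def apply(self, f: Flow) -> Flow:
        return Flow(f.src, self.mapping.get(f.dst, f.dst), f.dport)


def reachable(path, flow: Flow) -> Optional[Flow]:
    """Push a flow through the devices in order; return the header that
    arrives at the far end, or None if some device drops it."""
    for device in path:
        flow = device.apply(flow)
        if flow is None:
            return None
    return flow


def never_matched(acl: Acl):
    """Rules that can never be the first match because an earlier rule covers
    them. Same action: redundant (safe to remove). Different action: shadowed
    (the later rule's intent is silently ignored, a likely misconfiguration)."""
    findings = []
    for j, later in enumerate(acl.rules):
        for i in range(j):
            if acl.rules[i].covers(later):
                kind = "redundant" if acl.rules[i].action == later.action else "shadowed"
                findings.append((j, i, kind))
                break
    return findings


# Constructed topology: Internet -> EDGE (ACL) -> NAT -> INNER (ACL) -> server.
EDGE = Acl([
    AclRule("permit", "0.0.0.0/0", "198.51.100.5/32", 443),   # public HTTPS only
    AclRule("deny", "0.0.0.0/0", "0.0.0.0/0", None),
])
NAT = DestinationNat({"198.51.100.5": "10.0.0.5"})          # public -> internal
INNER = Acl([
    AclRule("permit", "0.0.0.0/0", "10.0.0.0/24", 443),      # rule 0
    AclRule("permit", "0.0.0.0/0", "10.0.0.5/32", 443),      # rule 1: redundant
    AclRule("deny", "0.0.0.0/0", "10.0.0.7/32", 443),        # rule 2: shadowed
    AclRule("deny", "0.0.0.0/0", "0.0.0.0/0", None),         # rule 3
])


def compare_models(flow: Flow):
    """Answer the same reachability query with and without the NAT device."""
    return reachable([EDGE, NAT, INNER], flow), reachable([EDGE, INNER], flow)


if __name__ == "__main__":
    q = Flow("203.0.113.10", "198.51.100.5", 443)
    print("with NAT:", compare_models(q)[0])     # arrives as dst 10.0.0.5
    print("ACL only:", compare_models(q)[1])     # None: the model says unreachable
    print("inner ACL findings:", never_matched(INNER))
```

The ACL-only model drops the HTTPS flow at the inner firewall because it still carries the public address, so it reports the server as unreachable while the real path delivers the packet. That is the kind of factor the abstract says an ACL-only model cannot reveal. `never_matched` is the simplest correct form of the redundancy check: a rule fully covered by an earlier one is never the first match, so removing it cannot change any decision; when the actions differ, the finding is a shadowing anomaly rather than a clean-up candidate.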
Data updated: 2023-05-31
A survey of cross-social-network user alignment techniques
Evaluation of passenger evacuation capacity of urban rail transit stations under fire conditions
Failure probability analysis of shale gas wellhead equipment based on an FTA-BN model
A new inductive Weibo rumor detection method based on graph convolutional networks
An improved multi-objective sine cosine optimization algorithm
Formal design of RBAC security policies in a multi-domain interaction environment
Reachability query processing techniques for large-scale graph data
Research on a multi-domain security policy optimization model based on multi-objective decision making
Research on data-centric query processing and query optimization techniques in wireless sensor networks