Cite this article:
- TU Bibo, MA Zixuan, ZHANG Yuqi, ZHANG Kun, YOU Ruibang. Research Progress on Intent-based Networking Security [J]. Journal of Cyber Security, accepted.
DOI: 10.19363/J.cnki.cn10-1380/tn.2023.09.15
Received: 2021-09-17; Revised: 2021-11-03
Funding: Key-Area Research and Development Program of Guangdong Province (No. 2019B010137002); National Key Research and Development Program of China (No. 2016YFB0801002)
Research Progress on Intent-based Networking Security
TU Bibo, MA Zixuan, ZHANG Yuqi, ZHANG Kun, YOU Ruibang
(Institute of Information Engineering, Chinese Academy of Sciences)
Abstract: |
Modern networks face a series of security-related problems brought about by virtualization, large scale and convergence: network security boundaries and security policies are shifting from static to dynamic, the difficulty and cost of network security operation and maintenance are rising sharply, and a large number of emerging network security technologies and security devices must be applied and deployed. Software-Defined Security (SDS) has been proposed to address these problems; however, the current SDS architecture and its implementations suffer from low abstraction, poor efficiency and poor convenience. Intent-Based Networking (IBN) provides a highly abstract network programming interface and an automated closed-loop processing flow, which bring automation and convenience to network deployment and management. Turning intent into security intent and applying IBN to network security in order to realize SDS is considered the future direction of network security management and of security service deployment and operation. First, the architecture and closed-loop processing flow of IBN are presented on the basis of the definitions, projects and academic research on IBN from industry and academia. Second, research progress on the key technologies that support security intent within the IBN architecture and closed-loop flow is summarized, including the semantic representation of security intent, the verification and processing of security-intent decisions, and the verification and processing of security-intent implementation.
In line with the main requirements of network security management and of security service deployment and operation, research progress on IBN in practical security applications is summarized, covering micro-segmentation, service function chaining, packet encryption, data-leakage awareness, network security policy configuration and security device deployment. Third, the current challenges for IBN security research are analyzed, including the shortcomings of existing research on the key technologies of IBN security intent, the demand for intelligence and automation in IBN security applications, and the security problems of IBN itself; future research directions are then proposed as a reference for subsequent work on IBN security. Finally, the relationship between IBN and SDS is discussed from the perspective of network security, the characteristics of IBN in security applications are summarized, and, to address the current challenges of IBN security research, an IBN security technical solution is proposed for reference.
Key words: intent-based networking; security intent; software-defined security; software-defined networking
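The abstract names three stages in which a security intent passes through the IBN closed loop: semantic representation of the intent, verification of the decision made from it, and verification of its implementation. The following Python sketch is an added toy example (not code from the paper or from any IBN controller) that models one micro-segmentation intent through those stages: the intent is expanded into concrete deny rules, checked for conflicts against already-accepted policy before deployment (decision verification), and then compared with what the data plane reports as deployed (implementation verification). Segment names, address prefixes and the rule format are constructed assumptions.

```python
"""Toy model of the IBN closed loop for a single security intent.

Added illustration only; the segment inventory, prefixes and rule format
below are constructed and do not come from the paper or any IBN product.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from itertools import product

# Constructed inventory: the address prefixes that make up each segment.
SEGMENTS = {
    "guest":   [ip_network("10.10.0.0/24")],
    "finance": [ip_network("10.20.0.0/24"), ip_network("10.20.1.0/24")],
    "mgmt":    [ip_network("10.30.0.0/24")],
}


@dataclass(frozen=True)
class Rule:
    """A concrete data-plane rule: prefix pair plus allow/deny action."""
    src: IPv4Network
    dst: IPv4Network
    action: str


def make_rule(src: str, dst: str, action: str) -> Rule:
    """Helper for building rules from prefix strings."""
    return Rule(ip_network(src), ip_network(dst), action)


@dataclass
class Intent:
    """Semantic representation of a security intent: isolate one segment
    from another. Segment names, not addresses, are the abstraction."""
    src_segment: str
    dst_segment: str
    action: str = "deny"


def translate(intent: Intent) -> list[Rule]:
    """Intent-to-policy translation: expand segment names into every
    concrete (src prefix, dst prefix) pair."""
    return [
        Rule(s, d, intent.action)
        for s, d in product(SEGMENTS[intent.src_segment], SEGMENTS[intent.dst_segment])
    ]


def find_conflicts(new_rules: list[Rule], existing_rules: list[Rule]) -> list[tuple[Rule, Rule]]:
    """Decision verification: a new rule conflicts with an accepted one when
    both prefixes overlap but the actions differ."""
    return [
        (n, e)
        for n in new_rules
        for e in existing_rules
        if n.action != e.action and n.src.overlaps(e.src) and n.dst.overlaps(e.dst)
    ]


def verify_deployment(expected: list[Rule], deployed: list[Rule]) -> tuple[list[Rule], list[Rule]]:
    """Implementation verification: compare the rule set that should be in
    effect with what the data plane reports. Returns (missing, unexpected)."""
    exp, dep = set(expected), set(deployed)
    return sorted(exp - dep, key=str), sorted(dep - exp, key=str)


def closed_loop(intent: Intent, existing_rules: list[Rule], deployed_rules: list[Rule]) -> dict:
    """Run one pass of the loop. The decision stage rejects the intent on
    conflict; otherwise the implementation stage reports deployment drift."""
    rules = translate(intent)
    conflicts = find_conflicts(rules, existing_rules)
    if conflicts:
        return {"stage": "decision", "ok": False, "conflicts": conflicts}
    missing, unexpected = verify_deployment(rules + existing_rules, deployed_rules)
    return {"stage": "implementation", "ok": not missing and not unexpected,
            "missing": missing, "unexpected": unexpected}


if __name__ == "__main__":
    intent = Intent("guest", "finance")
    # Constructed scenario 1: an earlier allow policy contradicts the intent.
    stale_allow = [make_rule("10.10.0.0/24", "10.20.0.0/24", "allow")]
    print(closed_loop(intent, stale_allow, []))
    # Constructed scenario 2: no conflict, but one rule never reached the data plane.
    existing = [make_rule("10.30.0.0/24", "10.20.0.0/24", "allow")]
    deployed = translate(intent)[:1] + existing
    print(closed_loop(intent, existing, deployed))
```

The same structure generalizes to the other application areas the abstract lists: the translation step would emit service-function-chain hops or encryption requirements instead of prefix rules, while the conflict check and the expected-versus-deployed comparison stay the same.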