Hiroya IKARASHI
Tokyo University of Agriculture and Technology
Yong JIN
Tokyo Institute of Technology
Nariyoshi YAMAI
Tokyo University of Agriculture and Technology
Naoya KITAGAWA
Tokyo University of Agriculture and Technology
Kiyohiko OKAYAMA
Okayama University
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Hiroya IKARASHI, Yong JIN, Nariyoshi YAMAI, Naoya KITAGAWA, Kiyohiko OKAYAMA, "Design and Implementation of SDN-Based Proactive Firewall System in Collaboration with Domain Name Resolution" in IEICE TRANSACTIONS on Information,
vol. E101-D, no. 11, pp. 2633-2643, November 2018, doi: 10.1587/transinf.2017ICP0014.
Abstract: Security facilities such as firewall systems and IDS/IPS (Intrusion Detection System/Intrusion Prevention System) have become fundamental solutions against cyber threats. With the rapid change of cyber attack tactics, detailed investigations of incoming traffic such as DPI (Deep Packet Inspection) and SPI (Stateful Packet Inspection) become necessary, but they also decrease network throughput. In this paper, we propose an SDN (Software Defined Network)-based proactive firewall system that collaborates with domain name resolution to solve this problem. The system consists of two firewall units (lightweight and normal); the SDN controller and the internal authoritative DNS server collaborate to assign the proper unit for checking the incoming traffic from each client. During the name resolution stage, the internal authoritative DNS server obtains the client IP address from the external DNS full resolver via the EDNS (Extension Mechanisms for DNS) Client Subnet option and notifies the SDN controller of that address. By checking the client IP address against the whitelist and blacklist, the SDN controller assigns a proper firewall unit for investigating the incoming traffic from that client. Consequently, incoming traffic from a trusted client is directed to the lightweight firewall unit, while traffic from other clients goes to the normal firewall unit. As a result, incoming traffic can be distributed properly across the firewall units and congestion can be mitigated. We implemented a prototype system and evaluated its performance in a local experimental network. Based on the results, we confirmed that the prototype system presented the expected features and acceptable performance when there was no flooding attack. We also confirmed that the prototype system showed better performance than a conventional firewall system under ICMP flooding attack.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2017ICP0014/_p
@ARTICLE{e101-d_11_2633,
author={Hiroya IKARASHI and Yong JIN and Nariyoshi YAMAI and Naoya KITAGAWA and Kiyohiko OKAYAMA},
journal={IEICE TRANSACTIONS on Information},
title={Design and Implementation of SDN-Based Proactive Firewall System in Collaboration with Domain Name Resolution},
year={2018},
volume={E101-D},
number={11},
pages={2633-2643},
abstract={Security facilities such as firewall system and IDS/IPS (Intrusion Detection System/Intrusion Prevention System) have become fundamental solutions against cyber threats. With the rapid change of cyber attack tactics, detail investigations like DPI (Deep Packet Inspection) and SPI (Stateful Packet Inspection) for incoming traffic become necessary while they also cause the decrease of network throughput. In this paper, we propose an SDN (Software Defined Network) - based proactive firewall system in collaboration with domain name resolution to solve the problem. The system consists of two firewall units (lightweight and normal) and a proper one will be assigned for checking the client of incoming traffic by the collaboration of SDN controller and internal authoritative DNS server. The internal authoritative DNS server obtains the client IP address using EDNS (Extension Mechanisms for DNS) Client Subnet Option from the external DNS full resolver during the name resolution stage and notifies the client IP address to the SDN controller. By checking the client IP address on the whitelist and blacklist, the SDN controller assigns a proper firewall unit for investigating the incoming traffic from the client. Consequently, the incoming traffic from a trusted client will be directed to the lightweight firewall unit while from others to the normal firewall unit. As a result, the incoming traffic can be distributed properly to the firewall units and the congestion can be mitigated. We implemented a prototype system and evaluated its performance in a local experimental network. Based on the results, we confirmed that the prototype system presented expected features and acceptable performance when there was no flooding attack. We also confirmed that the prototype system showed better performance than conventional firewall system under ICMP flooding attack.},
keywords={},
doi={10.1587/transinf.2017ICP0014},
ISSN={1745-1361},
month={November},}
TY - JOUR
TI - Design and Implementation of SDN-Based Proactive Firewall System in Collaboration with Domain Name Resolution
T2 - IEICE TRANSACTIONS on Information
SP - 2633
EP - 2643
AU - Hiroya IKARASHI
AU - Yong JIN
AU - Nariyoshi YAMAI
AU - Naoya KITAGAWA
AU - Kiyohiko OKAYAMA
PY - 2018
DO - 10.1587/transinf.2017ICP0014
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E101-D
IS - 11
JA - IEICE TRANSACTIONS on Information
Y1 - November 2018
AB - Security facilities such as firewall system and IDS/IPS (Intrusion Detection System/Intrusion Prevention System) have become fundamental solutions against cyber threats. With the rapid change of cyber attack tactics, detail investigations like DPI (Deep Packet Inspection) and SPI (Stateful Packet Inspection) for incoming traffic become necessary while they also cause the decrease of network throughput. In this paper, we propose an SDN (Software Defined Network) - based proactive firewall system in collaboration with domain name resolution to solve the problem. The system consists of two firewall units (lightweight and normal) and a proper one will be assigned for checking the client of incoming traffic by the collaboration of SDN controller and internal authoritative DNS server. The internal authoritative DNS server obtains the client IP address using EDNS (Extension Mechanisms for DNS) Client Subnet Option from the external DNS full resolver during the name resolution stage and notifies the client IP address to the SDN controller. By checking the client IP address on the whitelist and blacklist, the SDN controller assigns a proper firewall unit for investigating the incoming traffic from the client. Consequently, the incoming traffic from a trusted client will be directed to the lightweight firewall unit while from others to the normal firewall unit. As a result, the incoming traffic can be distributed properly to the firewall units and the congestion can be mitigated. We implemented a prototype system and evaluated its performance in a local experimental network. Based on the results, we confirmed that the prototype system presented expected features and acceptable performance when there was no flooding attack. We also confirmed that the prototype system showed better performance than conventional firewall system under ICMP flooding attack.
ER -