
CN108462633B - Network security routing scheduling method and system based on SDN - Google Patents


Info

Publication number: CN108462633B
Authority: CN (China)
Prior art keywords: network, network security, path, searching, node
Legal status: Active
Application number: CN201611128527.8A
Other languages: Chinese (zh)
Other versions: CN108462633A (en)
Inventors: 何利文, 黄�俊, 牛小兵
Current assignee: ZTE Corp
Original assignee: ZTE Corp

Classifications

    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/12 Shortest path evaluation
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Abstract

The invention discloses an SDN-based network security routing scheduling method and system. The method comprises the following steps: an entry node sends a data traffic security detection request; a security service scheduling center identifies the security type of the data traffic to be detected, determines the required network security devices according to that security type, searches the network topology for a transmission detection path for the data traffic according to the required network security devices and a preset algorithm, generates a corresponding data flow direction table from the transmission detection path, and issues the table to the entry node; after receiving the data traffic and the data flow direction table, each node on the transmission detection path forwards the traffic, or performs security detection and then forwards it, until the traffic is blocked or reaches the target node. This solves the problem that network security devices confined to a fixed path cannot perform security detection on all data traffic, and improves the applicability of the network security devices.

Description

Network security routing scheduling method and system based on SDN
Technical Field
The invention relates to the technical field of mobile communication, in particular to a network security routing scheduling method and system based on an SDN.
Background
Whether a traditional network or a new type of network is used, it faces various security threats, such as worms, hacking attacks, invasion of personal privacy, and damage to the legitimate rights and interests of the public. To improve the robustness and security of the network, security middleware boxes or security devices may be added to it to provide security services such as a firewall (FW), an Intrusion Detection System (IDS), an Intrusion Prevention System (IPS), and access control. A security middleware box is a middleware box that provides a network security function; a middleware box is a network device that provides an application service, such as a firewall, a routing device, a load balancing device, or a cache device, and middleware boxes have a very wide application space because network function virtualization lets such devices offer brand-new network functions in many application scenarios.
Currently, there are generally two deployment modes for these security devices or middleware boxes: one is embedded (or online) deployment, that is, the security device is connected in series between two nodes, receives and forwards an original data packet, and performs flow audit, application identification and application blocking on the forwarded data packet; the other is bypass (or passive) deployment, that is, the security device is deployed on the interface of the switch or router node, the data packet is forwarded or mirrored to the security device, and the security device can detect and identify the received data packet.
However, the above-mentioned security device or middleware box is generally disposed on a fixed path, only the data packets transmitted through the fixed path can be security-checked by the security device or middleware box, and other data packets cannot be security-checked by the security device or middleware box, which results in poor applicability of the security device or middleware box.
Disclosure of Invention
The invention aims to provide a network security routing scheduling method and system based on an SDN (software defined network), which are used for solving the technical problems that in the prior art, network security equipment is fixed in position and only certain data traffic can be subjected to security detection, and improving the applicability of the network security equipment.
In order to achieve the above object, the present invention provides a network security routing scheduling method based on SDN, which is applied to a network security routing scheduling system based on SDN, and is used for performing security detection on data traffic sent by a data sending node to a target node, where the network security routing scheduling system based on SDN includes: the network security service dispatching center, a plurality of Open Flow type routers and a plurality of network security devices, wherein the routers and the network security devices form a network topology structure, and one router in the network topology structure is used as an entry node, and the method comprises the following steps:
when the data traffic entering the network topology structure needs to be subjected to security detection, the entry node sends a data traffic security detection request to the network security service scheduling center;
the security service scheduling center identifies the security type of the data traffic to be detected;
determining the required network security equipment according to the security type;
searching a transmission detection path of the data traffic from the network topology structure according to the required network security equipment and a preset algorithm;
generating a corresponding data flow direction table according to the transmission detection path, wherein the data flow direction table comprises a plurality of routers with a sequence and the required network security equipment, and each router and each network security equipment are a node on the transmission detection path;
and issuing the data flow direction table to the entry node, wherein after receiving the data traffic and the data flow direction table, each node on the transmission detection path forwards the data traffic or performs security detection and forwarding until the data traffic is blocked or reaches the target node.
Further, when the required network security device is a bypass network security device, the step of searching the transmission detection path of the data traffic from the network topology according to the required network security device and a preset algorithm specifically includes:
searching the network topology for the shortest path between the data sending node and the target node, searching for the shortest path between the data sending node and the required network security device, and taking the combination of the two shortest paths as the transmission detection path; or
searching the network topology for the shortest path between the data sending node and the first required network security device, the shortest path between each pair of consecutive required network security devices, and the shortest path between the last required network security device and the target node, and sequentially connecting the three shortest paths end to end as the transmission detection path; or
searching the network topology for the shortest path between the data sending node and the target node, searching for the shortest path between that path and the required network security device, and taking the combination of the two shortest paths as the transmission detection path.
Further, when the required network security device is an embedded network security device, the searching for the transmission detection path of the data traffic from the network topology structure according to the required network security device and a preset algorithm specifically includes:
searching the shortest path between the data sending node and the required first network safety equipment from the network topological structure;
sequentially searching the shortest path between the required network safety devices;
searching the shortest path between the required last network security device and the target node;
and sequentially connecting the searched shortest paths end to serve as the transmission detection path.
Further, when the required network security device includes an embedded network security device and a bypass network security device, the searching for the transmission detection path of the data traffic from the network topology according to the required network security device and a preset algorithm specifically includes:
searching the shortest path between the data sending node and the required embedded network security equipment from the network topological structure;
searching for the shortest path between that shortest path and the required bypass network security device;
searching a shortest path between the bypass type network safety equipment and the target node;
and sequentially connecting the searched shortest paths end to serve as the transmission detection path.
Further, before the step of searching the transmission detection path of the data traffic from the network topology according to the required network security device and the preset algorithm, the method further includes:
and judging whether the required network security equipment is in an idle state or not, and executing the calculation of the transmission detection path on the network security equipment in the idle state.
The invention also discloses an SDN-based network security routing scheduling system for performing security detection on data traffic sent by a data sending node to a target node. The SDN-based network security routing scheduling system comprises a network security service scheduling center, a plurality of Open Flow type routers and a plurality of network security devices, wherein the routers and the network security devices form a network topology and one router in the network topology serves as an entry node;
the entry node is configured to receive the data traffic sent by the data sending node, send a data traffic security detection request to the network security service scheduling center, receive a data flow direction table issued by the security service scheduling center, and forward the received data traffic and the received data flow direction table to a next node on a transmission detection path according to the data flow direction table;
the network security service dispatch center comprises:
the receiving module is used for receiving the data flow safety detection request;
the identification module is used for identifying the security type of the data traffic to be detected and determining the required network security equipment according to the security type;
the path calculation module is used for searching a transmission detection path of the data traffic from the network topology structure according to the required network security equipment and a preset algorithm;
a data flow direction table generating module, configured to generate a corresponding data flow direction table according to the transmission detection path, where the data flow direction table includes a plurality of routers in sequence and the required network security devices, and each router and each network security device are a node on the transmission detection path; and
and the control issuing module is used for issuing the data flow direction table to the entrance node, and after receiving the data traffic and the data flow direction table, each node on the transmission detection path forwards the data traffic or performs safety detection and forwarding until the data traffic is blocked or reaches the target node.
Further, when the required network security device is a bypass network security device, the path calculation module is specifically configured to:
searching the network topology for the shortest path between the data sending node and the target node, searching for the shortest path between the data sending node and the required network security device, and taking the combination of the two shortest paths as the transmission detection path; or
searching the network topology for the shortest path between the data sending node and the first required network security device, the shortest path between each pair of consecutive required network security devices, and the shortest path between the last required network security device and the target node, and sequentially connecting the three shortest paths end to end as the transmission detection path; or
searching the network topology for the shortest path between the data sending node and the target node, searching for the shortest path between that path and the required network security device, and taking the combination of the two shortest paths as the transmission detection path.
Further, when the required network security device is an embedded network security device, the path calculation module is specifically configured to:
searching the shortest path between the data sending node and the required first network safety equipment from the network topological structure;
sequentially searching the shortest path between the required network safety devices;
searching the shortest path between the required last network security device and the target node;
and sequentially connecting the searched shortest paths end to serve as the transmission detection path.
Further, when the required network security device includes an embedded network security device and a bypass network security device, the path computation module is specifically configured to:
searching the shortest path between the data sending node and the required embedded network security equipment from the network topological structure;
searching for the shortest path between that shortest path and the required bypass network security device;
searching a shortest path between the bypass type network safety equipment and the target node;
and sequentially connecting the searched shortest paths end to serve as the transmission detection path.
Further, the security service dispatch center further includes:
and the judging module is used for judging whether the required network security equipment is in an idle state or not and executing the calculation of the transmission detection path on the network security equipment in the idle state.
Compared with the prior art, in the SDN-based network security routing scheduling method of the invention, when data traffic entering the network topology needs security detection, the entry node sends a data traffic security detection request to the network security service scheduling center. The security service scheduling center then identifies the security type of the data traffic to be detected, determines the required network security devices according to the security type, searches the network topology for a transmission detection path for the data traffic according to the required network security devices and a preset algorithm, generates a corresponding data flow direction table from the transmission detection path, and issues the table to the entry node. After receiving the data traffic and the data flow direction table, each node on the transmission detection path forwards the data traffic, or performs security detection and then forwards it, until the data traffic is blocked or reaches the target node. Because the security service scheduling center searches a transmission detection path for the traffic to be detected, the traffic is security-checked by the network security devices on its way to the target node; this solves the problem that network security devices confined to a fixed path cannot perform security detection on all data traffic, and improves the applicability of the network security devices.
Drawings
Fig. 1 is a schematic flowchart of an embodiment of a network security routing scheduling method based on an SDN according to the present invention;
Fig. 2 is a schematic diagram of an embodiment of a transmission detection path search performed by a first predetermined algorithm when the required network security device is the bypass network security device C1;
Fig. 3 is a schematic diagram of another embodiment of the transmission detection path search performed by the first predetermined algorithm when the required network security device is the bypass network security device C1;
Fig. 4 is a schematic diagram of another embodiment of the transmission detection path search performed by the first predetermined algorithm when the required network security device is the bypass network security device C1;
Fig. 5 is a schematic diagram of an embodiment of a transmission detection path search performed by a second predetermined algorithm when the required network security device is an embedded network security device D1;
Fig. 6 is a schematic diagram of an embodiment of a transmission detection path search performed by a third predetermined algorithm when the required network security devices are the bypass network security device C1 or C2 and the embedded network security device D1 or D2 in sequence;
Fig. 7 is a schematic diagram of an embodiment of a transmission detection path search performed by the third predetermined algorithm when the required network security devices are IDS, IPS and security audit in this order;
Fig. 8 is a flowchart illustrating another embodiment of a network security routing scheduling method based on SDN according to the present invention;
Fig. 9 is a schematic structural diagram of an embodiment of the SDN-based network security routing scheduling system according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In the following description, suffixes such as "module", "component", or "unit" used to denote elements are used only for facilitating the explanation of the present invention, and have no specific meaning in themselves. Thus, "module" and "component" may be used in a mixture.
Referring to fig. 1, fig. 1 is a schematic flowchart of an embodiment of a network security routing scheduling method based on an SDN according to the present invention. The network security service scheduling method is applied to an SDN-based network security routing scheduling system and is used for performing security detection, through the network security service scheduling system, on data traffic that a data sending node sends to a target node. The SDN-based network security routing scheduling system comprises a network security service scheduling center, a plurality of Open Flow type routers (switches) and a plurality of network security devices, wherein the routers and the network security devices form a network topology, one of the routers serves as the ingress node of the network security service scheduling system and another serves as its egress node; data traffic sent by the data sending node enters the network topology through the ingress node, and the egress node lets data traffic leaving the network topology reach the target node. In the invention, the types of network security device include embedded network security devices (such as a firewall) and bypass network security devices (such as an IDS); an SDN-based network security routing scheduling system may include only one or more embedded network security devices, only one or more bypass network security devices, or both embedded and bypass network security devices at the same time.
As shown in fig. 1, the SDN-based network security routing scheduling method of the present invention includes the following steps:
Step S101, when the data traffic entering the network topology needs security detection, the entry node sends a data traffic security detection request to the network security service scheduling center. Specifically, the data sending node sends the data traffic into the network topology through the ingress node; when the data traffic of a certain service sent into the network topology by the data sending node needs security detection, the ingress node sends a data traffic security detection request to the network security service scheduling center, and the network security service scheduling center starts its network security detection mechanism after receiving the request. For example, if the data sending node S sends data traffic to be detected to the target node E through the network, the ingress node R1 sends a data traffic security detection request to the network security service scheduling center. The security service scheduling center is the module that provides the basic communication and management functions for the whole system; its core component is an SDN controller such as Floodlight, POX or NOX, and its component interfaces mainly include: 1) a northbound interface for communicating customization parameters; 2) a data packet interface for transmitting packet-in or packet-out messages; 3) a flow table interface for issuing or forwarding flow tables; and 4) a topology interface for obtaining the network topology. The main functional modules of the security service scheduling center include a network topology identification module, a traffic security type sensing module, a transmission detection path calculation module, and the like.
Step S102, the security service scheduling center identifies the security type of the data traffic to be detected and determines the required network security devices according to the security type. Specifically, after the network security service scheduling center starts the network security detection mechanism, the entry node mirrors the data traffic to be detected to the security service scheduling center, which then identifies the security type of the traffic and determines the required network security devices according to that type. Mirroring the data traffic to the security service scheduling center works as follows: to let a tool such as an IDS product or a network analyzer analyze the traffic of one or more network interfaces, network monitoring can be implemented by configuring a switch or router to forward the data of one or more ports (or VLANs) to a given port, i.e., a port mirror; the invention configures the Open Flow switch so that it mirrors the data flow from the data sending node to the security service scheduling center. The security service scheduling center identifies the security type of the data traffic through its traffic security type sensing module, which is built from an existing DPI detection method or a big data analysis system; it pre-judges the type of the data traffic and the security type it may involve, and decides according to that pre-judgment which network security devices are used to process the traffic.
The type of the required network security device is determined according to the security type of the data traffic, and the type of the required network security device has three situations that only a bypass network security device is required, only an embedded network security device is required, or the embedded network security device and the bypass network security device are required to perform security detection on the data traffic at the same time.
Step S103, the security service dispatching center searches a transmission detection path of the data traffic from the network topology structure according to the required network security equipment and a preset algorithm, and generates a corresponding data flow direction table according to the transmission detection path, wherein the data flow direction table comprises a plurality of routers and network security equipment with a sequence, each router or each network security equipment is a node on the transmission detection path, the transmission detection path is composed of a plurality of nodes with directions, and the data traffic is transmitted from a first node on the transmission detection path to a next node in sequence. It should be noted that, before step S103 is executed, the security service dispatching center first needs to acquire a network topology, and this process is implemented by a network topology identification module in the security service dispatching center. When different types of network security devices are required, the preset algorithms for calculating the transmission detection path are also different, such as: when the data traffic is only required to be safely detected by the bypass network security equipment, the transmission detection path can be calculated through a first preset algorithm; when only embedded network security equipment is needed to perform security detection on data traffic, a transmission detection path can be calculated through a second preset algorithm; when the embedded network security device and the bypass network security device are required to simultaneously perform security detection on data traffic, a transmission detection path can be calculated through a third preset algorithm.
Step S104, the security service dispatching center issues the data flow direction table to the ingress node, the ingress node forwards the received data traffic and the data flow direction table to a next node on the transmission detection path according to the data flow direction table, and each node on the transmission detection path forwards the data traffic or performs security detection and forwards the data traffic after receiving the data traffic and the data flow direction table until the data traffic is blocked or the data traffic reaches the target node. And the network security equipment through which the data traffic passes is used for carrying out security detection on the data traffic.
The specific implementation manners of the first preset algorithm, the second preset algorithm and the third preset algorithm are described in detail below with reference to fig. 2 to 7.
Specifically, when the transmission detection path is searched according to the preset algorithm, the shortest path is calculated through the SPF algorithm. In practical applications, there are multiple implementation manners of the first preset algorithm, and in a first embodiment, the first preset algorithm includes the steps of: (1) searching the shortest path between the data sending node and the target node from the network topological structure; (2) simultaneously searching the shortest path between the data sending node and the required network safety equipment; (3) and taking the combination of the two shortest paths as the transmission detection path. It should be noted that the present embodiment is a calculation method that only considers the bypass network security device, and does not consider the location of the network security device.
Fig. 2 is a schematic diagram of an embodiment of the SDN-based network security routing scheduling system according to the present invention. As shown in fig. 2, the system in this embodiment includes a network security service scheduling center (not shown in the figure), a plurality of OpenFlow routers R1, R2, R3, R4, R5, R6, …, Rn, and a bypass network security device C1, and is used for performing security detection on the data traffic sent by a data sending node S to a target node E. The routers R1 … Rn and the bypass network security device C1 form a network topology, in which router R1 is the ingress node and router R6 is the egress node. It should be noted that fig. 2 only shows schematically the part of the network topology that matters once the required network security device has been determined, from the data traffic, to be the bypass network security device C1; in practice the topology may contain more routers, more bypass network security devices and several embedded network security devices, which are omitted from the figure so as to describe the implementation of the first preset algorithm.

Based on the network security service scheduling system shown in fig. 2, when a transmission detection path is searched from the network topology according to the first preset algorithm, the shortest path between the data sending node S and the target node E is searched first, giving S → R1 → R5 → R6 → E. Then the shortest path between the data sending node S and the bypass network security device C1 is searched; since C1 is mounted on router R4, this is the shortest path between S and R4, giving S → R1 → R2 → R3 → R4. The combination of the two shortest paths is taken as the transmission detection path: (S → R1 → R5 → R6 → E, S → R1 → R2 → R3 → R4), where every router or network security device on the transmission detection path is a node of that path. Under the control of the network security service scheduling center the data sending node S then sends the data traffic onto both shortest paths at the same time, so the traffic has two transmission paths. The data flow direction table generated for this transmission detection path includes the information of both shortest paths: it lists the routers and network security devices in order, and the order of the routers or network security devices indicates the transmission direction of the data traffic.
In a second embodiment, the first preset algorithm includes the steps of: (1) searching the network topology for the shortest path between the data sending node and the required network security device; (2) searching for the shortest paths between the required network security devices; (3) searching for the shortest path between the last required network security device and the target node; (4) connecting the three shortest paths end to end in order as the transmission detection path. Step (2) covers the case where several bypass network security devices are required to detect the data traffic, in which the shortest path between each consecutive pair of devices must be searched; when only one bypass network security device is required, step (2) is skipped and its result is empty. It should be noted that this embodiment considers only bypass network security devices and keeps the overall path as short as possible by routing the traffic through the router on which the device is mounted.
The implementation of the second embodiment of the first preset algorithm is described below with reference to fig. 3, based on the network security service scheduling system shown in fig. 2. When a transmission detection path is searched from the network topology according to the first preset algorithm, the shortest path between the data sending node S and the required bypass network security device C1 is searched first, giving S → R1 → R2 → R3 → R4. Then the shortest paths between the required network security devices are searched; since in this embodiment only one bypass network security device C1 is needed to detect the data traffic, C1 is both the first and the last network security device and the result of this step is empty. Then the shortest path between the last required network security device and the target node E is searched, giving R4 → R6 → E. Finally the shortest paths found are connected end to end as the transmission detection path: S → R1 → R2 → R3 → R4 → R6 → E. If several bypass network security devices are required, for example three, C1, C2 and C3, the shortest paths between the network security devices are searched starting from the router on which C1 is mounted: first to the router on which C2 is mounted, then from there to the router on which C3 is mounted. The resulting transmission detection path has the form S → R1 → R2 → R3 → R4 → … → Rm → … → Rn → … → E, where C2 is mounted on router Rm and C3 on router Rn, the omitted part between R4 and Rm is the shortest path from R4 to Rm, the omitted part between Rm and Rn is the shortest path from Rm to Rn, and the omitted part between Rn and E is the shortest path from Rn to the target node E; the search itself is not described in detail here.
In a third embodiment, the first preset algorithm includes the steps of: (1) searching the network topology for the shortest path between the data sending node and the target node; (2) searching for the shortest path from the required network security device to the path found in step (1); (3) taking the combination of the two shortest paths as the transmission detection path.
The implementation of the third embodiment of the first preset algorithm is described below with reference to fig. 4, based on the network security service scheduling system shown in fig. 4. When a transmission detection path is searched from the network topology according to the first preset algorithm, the shortest path between the data sending node S and the target node E is searched first, giving S → R1 → R5 → R6 → E. Then the shortest path from the required bypass network security device C1 to that shortest path (S → R1 → R5 → R6 → E) is searched, giving R6 → R4 → C1; that is, the node of the already found shortest path (S, E) that is closest to the bypass network security device C1 is searched for, together with the shortest path between them. Finally the combination of the two shortest paths is taken as the transmission detection path: (S → R1 → R5 → R6 → E, R6 → R4 → C1).
Three implementations of the first preset algorithm for obtaining the transmission detection path when only the bypass network security device C1 is required to detect the data traffic have been described above with reference to fig. 2 to fig. 4. Of course, the first preset algorithm may take other forms, and these other forms also fall within the scope of protection of the present invention.
Specifically, the second preset algorithm includes the steps of: (1) searching the network topology for the shortest path between the data sending node and the first required network security device; (2) searching in order for the shortest paths between the required network security devices; (3) searching for the shortest path between the last required network security device and the target node; (4) connecting the shortest paths found end to end in order as the transmission detection path.
Fig. 5 is a schematic diagram of an embodiment of the SDN-based network security routing scheduling system according to the present invention. As shown in fig. 5, the system in this embodiment includes a network security service scheduling center (not shown in the figure), a plurality of OpenFlow routers R1, R2, R3, R4, R5, R6, …, Rn, and an embedded network security device D1, and is used for performing security detection on the data traffic sent by a data sending node S to a target node E. The routers R1 … Rn and the embedded network security device D1 form a network topology, in which router R1 is the ingress node and router R6 is the egress node. It should be noted that fig. 5 only shows schematically the part of the network topology that matters once the required network security device has been determined, from the data traffic, to be the embedded network security device D1; in practice the topology may contain more routers, more bypass network security devices and several embedded network security devices, which are omitted from the figure so as to describe the implementation of the second preset algorithm.

Based on the network security service scheduling system shown in fig. 5, when a transmission detection path is searched from the network topology according to the second preset algorithm, the shortest path between the data sending node S and the first required network security device D1 is searched first, giving S → R1 → R2 → R3 → D1. Then the shortest paths between the required network security devices are searched in order; since in this embodiment only one embedded network security device D1 is needed to detect the data traffic, D1 is both the first and the last required network security device and the result of this step is empty. Then the shortest path between the last required network security device and the target node E is searched, giving D1 → R4 → R6 → E. Finally the shortest paths found are connected end to end in order as the transmission detection path: S → R1 → R2 → R3 → D1 → R4 → R6 → E. If several embedded network security devices are required, for example three, D1, D2 and D3, the shortest paths between the network security devices are searched starting from D1: first to D2, then from D2 to D3. The resulting transmission detection path has the form S → R1 → R2 → R3 → D1 → … → D2 → … → D3 → … → E, where the omitted part between D1 and D2 is the shortest path from D1 to D2, that between D2 and D3 the shortest path from D2 to D3, and that between D3 and E the shortest path from D3 to the target node E; the search itself is not described in detail here.
At present, security threats against networks take many forms, for example: (1) DoS/DDoS attacks against important servers (www, DNS and so on); (2) theft or tampering of sensitive information on important servers (such as user account information); (3) access to illegal or harmful websites; (4) distribution of junk or unhealthy information. As network use deepens, the security problems that must be handled multiply and the kinds of network security device involved become more varied, such as firewalls, IDS and IPS; that is, the same data traffic may need to be detected by both an embedded network security device and a bypass network security device. When an embedded and a bypass network security device are both required to detect the data traffic, the transmission detection path is calculated by a third preset algorithm. In a first embodiment, the third preset algorithm includes the steps of: (1) searching the network topology for the shortest path between the data sending node and the required embedded network security device; (2) searching for the shortest path between that path and the required bypass network security device; (3) searching for the shortest path between the bypass network security device and the target node; (4) connecting the shortest paths found end to end in order as the transmission detection path.
It should be noted that in the third preset algorithm either the shortest path between the data sending node and the embedded network security device or the shortest path between the data sending node and the bypass network security device may be searched first; the order of the shortest paths is determined by the detection requirements of the data traffic. For example, in a second embodiment the third preset algorithm may instead include the steps of: (1) searching the network topology for the shortest path between the data sending node and the required bypass network security device; (2) searching for the shortest path between that path and the required embedded network security device; (3) searching for the shortest path between the embedded network security device and the target node; (4) connecting the shortest paths found end to end in order as the transmission detection path.
The implementation of the third preset algorithm is described below with reference to fig. 6, which is a schematic diagram of an embodiment of the SDN-based network security routing scheduling system of the present invention. As shown in fig. 6, the network security service scheduling system in this embodiment includes a network security service scheduling center (not shown in the figure), a plurality of OpenFlow routers R1, R2, R3, R4, R5, R6, R7, …, Rn, embedded network security devices D1 and D2, and bypass network security devices C1 and C2, and is used for performing security detection on the data traffic sent by a data sending node S to a target node E. The routers R1 … Rn, the embedded network security devices D1 and D2 and the bypass network security devices C1 and C2 form a network topology, in which router R1 is the ingress node and router Rn is the egress node. It should be noted that fig. 6 only shows schematically the part of the network topology that matters once the required network security devices have been determined, from the data traffic, to be the embedded device D1 or D2 and the bypass device C1 or C2; in practice the topology may contain more routers, more bypass network security devices and more embedded network security devices, which are omitted from the figure so as to describe the implementation of the third preset algorithm.

Based on the network security service scheduling system shown in fig. 6, assume that the data traffic sent from the data sending node S into the network must, in processing order, first be detected by one of the bypass devices C1 or C2 and then by one of the embedded devices D1 or D2 (the order of the second embodiment described above). When a transmission detection path is searched from the network topology according to the third preset algorithm, the steps are as follows. (1) The shortest path between the data sending node S and the required bypass network security device C1 or C2 is searched from the network topology; since only one of the two bypass devices is needed, the bypass device closest to S (C1 in this embodiment) is determined first, and then the shortest path from S to it is calculated, giving S → R1 → R2. (2) The shortest path between that path and the required embedded network security device is searched; since only one of the two embedded devices is needed, the embedded device closest to router R2 in the S → E direction (from the sending node S towards the target node E) is determined first (D2 in this embodiment, as can be seen from fig. 6), and then the shortest path from R2 to it is calculated, giving R2 → R5 → R6 → D2. (3) The shortest path between the embedded network security device and the target node is searched, giving D2 → R7 → Rn → E. (4) The shortest paths found are connected end to end in order as the transmission detection path: S → R1 → R2 → R5 → R6 → D2 → R7 → Rn → E.
Fig. 7 is a schematic diagram of an embodiment of the SDN-based network security routing scheduling system according to the present invention. Specifically, when a transmission detection path is calculated with the first embodiment of the third preset algorithm, a shortest path that traverses all required embedded security devices is first computed for the embedded devices with an embedded shortest path algorithm; this path may be called the Shortest Safe Path Inline (SSPI). Then, for each bypass security device, a multipath shortest path algorithm computes the shortest path from that bypass security node to the SSPI node nearest to it. The flow entry installed on that SSPI node must output the packet to two ports: the port towards the next node on the SSPI and the port towards the bypass security node (an OpenFlow flow entry may carry several output actions, so a single entry suffices). The shortest path that invokes all required security devices in the network therefore consists of the SSPI plus the shortest paths from all bypass security nodes to the SSPI, and may be called the shortest security path.

As shown in fig. 7, assume that the transmission detection path from the attack node a to the victim host is to be calculated and that the user requires three kinds of network security device: an IDS, an IPS and security audit. First the shortest path is chosen for the embedded network security device, here the IDS, using the improved embedded shortest path algorithm, which yields the SSPI (a2 → a4 → c2 → c1 → c6 → d7 → d6 → d3 → d10). Next, for the bypass network security devices (security audit and the IPS), the nearest SSPI nodes are found, namely d7 and d3 respectively, so the shortest paths from the bypass devices to the SSPI are (d7 → d8, d3 → d2). Finally, the combination of all the shortest paths is the transmission detection path sought: (a2 → a4 → c2 → c1 → c6 → d7 → d6 → d3 → d10, d7 → d8, d3 → d2). Note that this example places the IDS in-line and the IPS out of band; in common deployment practice the roles are reversed (an IPS must sit in-line to block, while an IDS is usually fed from a mirror port), but the path construction is the same whichever device is the embedded one.
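All of the constructions above (the three embodiments of the first preset algorithm, the second and third preset algorithms, and the SSPI-plus-branches construction of fig. 7) reduce to two operations on a weighted topology graph: concatenating SPF shortest paths through an ordered list of waypoints, and attaching a bypass device to the trunk node nearest to it. The following Python is an added example written for this page, not code from the patent or from ZTE. The topologies, link costs, node names and function names are all constructed here; the patent gives no link costs, so the costs below are chosen so that the results reproduce the paths quoted for fig. 2 and fig. 5.

```python
"""Added example: shortest-path construction of transmission detection paths.
Topologies and link costs are constructed to match the paths quoted for
fig. 2 (bypass device C1 on R4) and fig. 5 (embedded device D1); they are
assumptions, not data from the patent."""
import heapq
from typing import Dict, List, Tuple

Graph = Dict[str, Dict[str, int]]        # node -> {neighbour: link cost}


def undirected(edges: List[Tuple[str, str, int]]) -> Graph:
    """Build a symmetric adjacency map from (a, b, cost) triples."""
    g: Graph = {}
    for a, b, w in edges:
        g.setdefault(a, {})[b] = w
        g.setdefault(b, {})[a] = w
    return g


def dijkstra(graph: Graph, src: str, dst: str) -> List[str]:
    """Plain SPF (Dijkstra): node list from src to dst inclusive."""
    dist = {src: 0}
    prev: Dict[str, str] = {}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:                  # stale heap entry
            continue
        for v, w in graph[u].items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        raise ValueError(f"no path {src}->{dst}")
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def path_cost(graph: Graph, path: List[str]) -> int:
    return sum(graph[a][b] for a, b in zip(path, path[1:]))


def chain_through(graph: Graph, waypoints: List[str]) -> List[str]:
    """Shortest paths S -> dev1 -> dev2 -> ... -> E joined end to end
    (second preset algorithm; second embodiment of the first; SSPI trunk)."""
    out = [waypoints[0]]
    for a, b in zip(waypoints, waypoints[1:]):
        out += dijkstra(graph, a, b)[1:]  # drop the shared endpoint
    return out


def nearest_branch(graph: Graph, trunk: List[str], device: str) -> List[str]:
    """Cheapest branch from any trunk node to a bypass device (third
    embodiment of the first preset algorithm; bypass step of fig. 7).
    Returns trunk_node -> ... -> device."""
    return min((dijkstra(graph, n, device) for n in trunk),
               key=lambda p: path_cost(graph, p))


def first_algorithm_parallel(graph: Graph, src: str, dst: str,
                             device_router: str) -> Tuple[List[str], List[str]]:
    """First embodiment of the first preset algorithm: two independent
    shortest paths, both fed from src (the traffic is replicated onto both)."""
    return dijkstra(graph, src, dst), dijkstra(graph, src, device_router)


def shortest_safe_path(graph: Graph, src: str, dst: str, inline: List[str],
                       bypass: List[str]) -> Tuple[List[str], List[List[str]]]:
    """Fig. 7 construction: SSPI through every inline device in order, then
    one branch per bypass device from the SSPI node nearest to it."""
    sspi = chain_through(graph, [src, *inline, dst])
    return sspi, [nearest_branch(graph, sspi, c) for c in bypass]


# Constructed topologies (costs assumed). R4-R6 costs 2 in FIG2 so that the
# S->R4 shortest path runs via R2,R3 as in the text rather than via R5,R6.
FIG2 = undirected([("S", "R1", 1), ("R1", "R5", 1), ("R5", "R6", 1), ("R6", "E", 1),
                   ("R1", "R2", 1), ("R2", "R3", 1), ("R3", "R4", 1), ("R4", "R6", 2),
                   ("R4", "C1", 1)])                      # bypass C1 hangs off R4
FIG5 = undirected([("S", "R1", 1), ("R1", "R5", 1), ("R5", "R6", 1), ("R6", "E", 1),
                   ("R1", "R2", 1), ("R2", "R3", 1), ("R3", "D1", 1), ("D1", "R4", 1),
                   ("R4", "R6", 1)])                      # embedded D1 sits in-line

if __name__ == "__main__":
    print("1st alg, parallel :", first_algorithm_parallel(FIG2, "S", "E", "R4"))
    print("1st alg, chained  :", chain_through(FIG2, ["S", "R4", "E"]))
    print("1st alg, branch   :", shortest_safe_path(FIG2, "S", "E", [], ["C1"]))
    print("2nd alg, inline   :", chain_through(FIG5, ["S", "D1", "E"]))
```

The bypass device is addressed through the router it is mounted on (`R4` for `C1`) when it is a waypoint, which is why the chained variant does not hairpin through `C1`; `nearest_branch` is the only place where the device itself is the destination. A controller would translate each consecutive pair in the returned lists into a flow entry, with the branch node of `shortest_safe_path` receiving two output actions.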
It should be noted that the network security devices required on the transmission detection paths in the embodiments of fig. 2 to 7 are assumed to be idle. When a transmission detection path is searched according to a preset algorithm, the working state of the network security devices is queried first and only devices in the idle state are entered into the calculation of the transmission detection path; a network security device in the busy state is not selected, and idle network security devices are queried again.
Referring to fig. 8, fig. 8 is a flowchart illustrating a network security routing scheduling method based on SDN according to a second embodiment of the present invention. As shown in fig. 8, the method comprises the steps of:
step S201, when the data traffic entering the network topology needs to be detected, the ingress node sends a data traffic safety detection request to the network safety service scheduling center.
Step S202, the security service dispatching center identifies the security type of the data traffic to be detected and determines the required network security equipment according to the security type;
step S203, the security service scheduling center searches a transmission detection path of the data traffic from the network topology according to the required network security device and a preset algorithm, and generates a corresponding data flow direction table according to the transmission detection path.
Step S204, the security service dispatching center issues the data flow direction table to the ingress node, and the ingress node forwards the received data traffic and data flow direction table to the next node on the transmission detection path according to the data flow direction table.
Step S205 determines whether the current node is an egress node, if so, step S206 is executed, otherwise, step S207, step S208, or step S209 is executed.
Step S206, forwarding the data traffic to the target node.
Step S207, if the current node is a router on which no bypass network security device is mounted, the current node forwards the data flow direction table and the data traffic to the next node.
Step S208, if the current node is a router on which a required bypass network security device is mounted, the current node hands the data traffic to the bypass network security device for security detection and, after the detection, either forwards the data flow direction table and the data traffic to the next node or blocks the data traffic.
Step S209, if the current node is an embedded network security device, it performs security detection on the data traffic and, according to the detection result, either forwards the data flow direction table and the data traffic to the next node or blocks the data traffic.
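The per-hop behaviour of steps S204 to S209, together with the idle-state check on the required devices described above, can be exercised without a switch by walking a data flow direction table node by node. The following Python is an added example written for this page, not code from the patent or from ZTE; the node roles, the two detectors, the sample traffic and the names `busy_device`, `build_flow_table` and `forward` are all constructed for illustration, and the bypass device `C1` on `R4` is added to the fig. 5 path as an assumption.

```python
"""Added example: hop-by-hop handling of a data flow direction table
(steps S204-S209) plus the idle-state check made before scheduling.
All nodes, devices, detectors and traffic are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Inspect = Callable[[bytes], bool]      # True: traffic passes, False: traffic is blocked


@dataclass
class Node:
    name: str
    kind: str = "router"               # "router" or "inline" (embedded security device)
    bypass: Optional[str] = None       # bypass device mounted on this router, if any
    egress: bool = False


@dataclass
class Device:
    name: str
    inspect: Inspect
    busy: bool = False                 # working state queried before path calculation


@dataclass
class FlowDirectionTable:
    hops: List[str]                    # routers and inline devices, in forwarding order
    target: str                        # destination reached from the egress node


def busy_device(path: List[str], nodes: Dict[str, Node],
                devices: Dict[str, Device]) -> Optional[str]:
    """Name of the first required device on the path that is not idle, else None.
    Inline hops need themselves; routers need the bypass device mounted on them."""
    for name in path:
        node = nodes[name]
        needed = name if node.kind == "inline" else node.bypass
        if needed is not None and devices[needed].busy:
            return needed
    return None


def build_flow_table(path: List[str], target: str, nodes: Dict[str, Node],
                     devices: Dict[str, Device]) -> FlowDirectionTable:
    """Scheduling-centre side of S203: a path relying on a busy device is
    rejected and the caller must re-query for idle devices."""
    busy = busy_device(path, nodes, devices)
    if busy is not None:
        raise RuntimeError(f"{busy} is busy; re-query idle devices before scheduling")
    return FlowDirectionTable(hops=list(path), target=target)


def forward(table: FlowDirectionTable, nodes: Dict[str, Node],
            devices: Dict[str, Device], payload: bytes) -> Tuple[str, str, List[str]]:
    """Walk the table as the nodes would. Returns (status, where, log) with
    status 'delivered' (where = target) or 'blocked' (where = dropping node)."""
    log: List[str] = []
    for name in table.hops:
        node = nodes[name]
        if node.kind == "inline":                         # S209: in-line detection
            if not devices[name].inspect(payload):
                return "blocked", name, log
            log.append(f"{name}: inline detection passed")
        elif node.bypass is not None:                     # S208: hand to mounted bypass device
            if not devices[node.bypass].inspect(payload):
                return "blocked", name, log
            log.append(f"{name}: bypass {node.bypass} passed")
        else:                                             # S207: plain forwarding
            log.append(f"{name}: forwarded")
        if node.egress:                                   # S205 -> S206
            log.append(f"{name}: egress, delivered to {table.target}")
            return "delivered", table.target, log
    raise RuntimeError("flow direction table ends without an egress node")


# Constructed detectors: an inline IPS rule that drops path-traversal requests
# and a bypass audit device that only records traffic and never blocks.
def ips_rule(payload: bytes) -> bool:
    return b"../" not in payload and b"/etc/passwd" not in payload


def audit_only(payload: bytes) -> bool:
    return True


NODES = {n.name: n for n in [
    Node("R1"), Node("R2"), Node("R3"), Node("D1", kind="inline"),
    Node("R4", bypass="C1"), Node("R6", egress=True)]}
DEVICES = {"D1": Device("D1", ips_rule), "C1": Device("C1", audit_only)}
PATH = ["R1", "R2", "R3", "D1", "R4", "R6"]   # fig. 5 path, bypass C1 on R4 assumed

# Constructed sample traffic.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
HOSTILE = b"GET /cgi-bin/../../../etc/passwd HTTP/1.1\r\nHost: www.example.test\r\n\r\n"


def run(payload: bytes) -> Tuple[str, str, List[str]]:
    table = build_flow_table(PATH, "E", NODES, DEVICES)
    return forward(table, NODES, DEVICES, payload)


if __name__ == "__main__":
    for p in (BENIGN, HOSTILE):
        status, where, log = run(p)
        print(status, where, "|", "; ".join(log))
```

Only the embedded device can drop traffic before it leaves the node; a router with a bypass device still waits for that device's verdict before forwarding, which is the behaviour S208 describes, so a slow bypass device adds latency on the trunk path rather than running alongside it.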
In addition, the present invention provides an SDN-based network security routing scheduling system configured to perform security detection on data traffic sent by a data sending node to a target node. As shown in fig. 9, the SDN-based network security routing scheduling system 100 of the present invention includes a network security service scheduling center 11, a plurality of OpenFlow routers 12 and a plurality of network security devices 13, where the routers 12 and the network security devices 13 form a network topology, one router in the network topology serves as the ingress node and another router serves as the egress node.
Specifically, the ingress node is configured to receive the data traffic sent by the data sending node, send a data traffic security detection request to the network security service scheduling center, receive the data flow direction table issued by the scheduling center, and forward the received data traffic and data flow direction table to the next node on the transmission detection path according to the data flow direction table.
As shown in fig. 9, the network security service scheduling center 11 includes a receiving module 111, an identifying module 112, a path calculating module 113, a data flow direction table generating module 114 and a control issuing module 115. The receiving module 111 is configured to receive the data traffic security detection request; the identifying module 112 is configured to identify the security type of the data traffic to be detected and determine the required network security devices according to that type; the path calculating module 113 is configured to search the network topology for a transmission detection path of the data traffic according to the required network security devices and a preset algorithm; the data flow direction table generating module 114 is configured to generate the corresponding data flow direction table from the transmission detection path, where the table lists the routers and the required network security devices in order and each router and each network security device is a node on the transmission detection path; and the control issuing module 115 is configured to issue the data flow direction table to the ingress node, after which each node on the transmission detection path, on receiving the data traffic and the data flow direction table, forwards the data traffic or performs security detection and forwards it, until the data traffic is blocked or reaches the target node.
Compared with the prior art, the SDN-based network security routing scheduling system of the present invention works in the same way as the method described above: the ingress node requests detection from the network security service scheduling center, the scheduling center identifies the security type, determines the required network security devices, searches the network topology for a transmission detection path according to those devices and a preset algorithm, generates the data flow direction table and issues it to the ingress node, and each node on the path forwards the traffic or detects and forwards it until the traffic is blocked or reaches the target node. The traffic is therefore inspected by the network security devices on its way to the target node, which removes the limitation that a network security device on a fixed path cannot inspect all the data traffic and improves the applicability of the network security devices.
Specifically, the network security devices of the present invention are of two types, bypass network security devices and embedded network security devices. When the required network security device is a bypass network security device, the path calculating module is configured to: search the network topology for the shortest path between the data sending node and the target node, search for the shortest path between the data sending node and the required network security device, and take the combination of the two shortest paths as the transmission detection path; or search for the shortest path between the data sending node and the first required network security device, the shortest paths between the required network security devices, and the shortest path between the last required network security device and the target node, and connect the three shortest paths end to end in order as the transmission detection path; or search the network topology for the shortest path between the data sending node and the target node, search for the shortest path between that path and the required network security device, and take the combination of the two shortest paths as the transmission detection path. When the required network security device is an embedded network security device, the path calculating module is configured to: search the network topology for the shortest path between the data sending node and the first required network security device; search in order for the shortest paths between the required network security devices; search for the shortest path between the last required network security device and the target node; and connect the shortest paths found end to end in order as the transmission detection path.
When the required network security devices include both an embedded and a bypass network security device, the path calculating module is configured to: search the network topology for the shortest path between the data sending node and the required embedded network security device; search for the shortest path between that path and the required bypass network security device; search for the shortest path between the bypass network security device and the target node; and connect the shortest paths found end to end in order as the transmission detection path.
In addition, in a preferred embodiment the network security service scheduling center further includes a determining module configured to determine whether each required network security device is in the idle state, so that only network security devices in the idle state enter the calculation of the transmission detection path.
It should be noted that, when the network security routing scheduling system based on the SDN performs security detection on data traffic to be detected, the network security service scheduling method adopted by the network security routing scheduling system based on the SDN of the present invention may refer to the embodiments shown in fig. 1 to 8, and is not described in detail here.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (8)

1. A network security routing scheduling method based on SDN, suitable for a network security routing scheduling system based on SDN and used for carrying out security detection on data traffic sent by a data sending node to a target node, the network security routing scheduling system based on SDN comprising: a network security service dispatching center, a plurality of Open Flow type routers and a plurality of network security devices, wherein the routers and the network security devices form a network topology structure and one router in the network topology structure is used as an entry node, the method comprising the following steps:
when the data traffic entering the network topology structure needs to be subjected to security detection, the entry node sends a data traffic security detection request to the network security service scheduling center;
the security service scheduling center identifies the security type of the data traffic to be detected;
determining the required network security equipment according to the security type;
searching a transmission detection path of the data traffic from the network topology structure according to the required network security equipment and a preset algorithm;
generating a corresponding data flow direction table according to the transmission detection path, wherein the data flow direction table comprises a plurality of routers with a sequence and the required network security equipment, and each router and each network security equipment are a node on the transmission detection path;
the data flow direction table is sent to the entrance node, wherein after receiving the data traffic and the data flow direction table, each node on the transmission detection path forwards the data traffic or performs security detection and forwarding until the data traffic is blocked or reaches the target node;
when the required network security device is a bypass network security device, the step of searching the transmission detection path of the data traffic from the network topology structure according to the required network security device and a preset algorithm specifically includes:
searching the shortest path between the data sending node and the target node from the network topology structure, searching the shortest path between the data sending node and the required network safety equipment, and taking the combination of the two shortest paths as the transmission detection path; or
Searching a shortest path between the data sending node and a required first network safety device from the network topology structure, searching a required shortest path between each network safety device, searching a required shortest path between a final network safety device and the target node, and sequentially connecting the three shortest paths end to serve as the transmission detection path; or
And searching the shortest path between the data sending node and the target node from the network topological structure, searching the shortest path and the required shortest path between the network safety equipment, and taking the combination of the two shortest paths as the transmission detection path.
2. The SDN-based network security routing scheduling method of claim 1, wherein, when the required network security device is an embedded network security device, the step of searching the transmission detection path of the data traffic from the network topology structure according to the required network security device and a preset algorithm specifically comprises:
searching the shortest path between the data sending node and the first required network security device from the network topology structure;
sequentially searching the shortest paths between successive required network security devices;
searching the shortest path between the last required network security device and the target node;
and connecting the searched shortest paths end to end in sequence to serve as the transmission detection path.
3. The SDN-based network security routing scheduling method of claim 1, wherein, when the required network security devices include an embedded network security device and a bypass network security device, the step of searching the transmission detection path of the data traffic from the network topology structure according to the required network security devices and a preset algorithm specifically comprises:
searching the shortest path between the data sending node and the required embedded network security device from the network topology structure;
searching the shortest path between that shortest path and the required bypass network security device;
searching the shortest path between the bypass network security device and the target node;
and connecting the searched shortest paths end to end in sequence to serve as the transmission detection path.
4. The SDN-based network security routing scheduling method of any one of claims 1 to 3, wherein the step of searching the transmission detection path of the data traffic from the network topology structure according to the required network security device and a preset algorithm is preceded by the step of:
judging whether the required network security device is in an idle state, and performing the calculation of the transmission detection path only with network security devices that are in the idle state.
5. An SDN-based network security routing scheduling system, configured to perform security detection on data traffic sent by a data sending node to a target node, the SDN-based network security routing scheduling system comprising: a network security service scheduling center, a plurality of OpenFlow routers and a plurality of network security devices, wherein the routers and the network security devices form a network topology structure, and one router in the network topology structure serves as an entry node;
the entry node is configured to receive the data traffic sent by the data sending node, send a data traffic security detection request to the network security service scheduling center, receive a data flow direction table issued by the network security service scheduling center, and forward the received data traffic and the received data flow direction table to the next node on a transmission detection path according to the data flow direction table;
the network security service scheduling center comprises:
a receiving module, configured to receive the data traffic security detection request;
an identification module, configured to identify the security type of the data traffic to be detected and determine the required network security device according to the security type;
a path calculation module, configured to search a transmission detection path for the data traffic from the network topology structure according to the required network security device and a preset algorithm;
a data flow direction table generating module, configured to generate a corresponding data flow direction table according to the transmission detection path, where the data flow direction table includes a plurality of routers in sequence and the required network security device, and each router and each network security device is a node on the transmission detection path; and
a control issuing module, configured to issue the data flow direction table to the entry node, wherein after receiving the data traffic and the data flow direction table, each node on the transmission detection path forwards the data traffic, or performs security detection and then forwards it, until the data traffic is blocked or reaches the target node;
wherein, when the required network security device is a bypass network security device, the path calculation module is specifically configured to:
search the shortest path between the data sending node and the target node from the network topology structure, search the shortest path between the data sending node and the required network security device, and take the combination of the two shortest paths as the transmission detection path; or
search the shortest path between the data sending node and the first required network security device from the network topology structure, search the shortest paths between successive required network security devices, search the shortest path between the last required network security device and the target node, and connect the three shortest paths end to end in sequence to serve as the transmission detection path; or
search the shortest path between the data sending node and the target node from the network topology structure, search the shortest path between that shortest path and the required network security device, and take the combination of the two shortest paths as the transmission detection path.
6. The SDN-based network security routing scheduling system of claim 5, wherein, when the required network security device is an embedded network security device, the path calculation module is specifically configured to:
search the shortest path between the data sending node and the first required network security device from the network topology structure;
sequentially search the shortest paths between successive required network security devices;
search the shortest path between the last required network security device and the target node;
and connect the searched shortest paths end to end in sequence to serve as the transmission detection path.
7. The SDN-based network security routing scheduling system of claim 5, wherein, when the required network security devices include an embedded network security device and a bypass network security device, the path calculation module is specifically configured to:
search the shortest path between the data sending node and the required embedded network security device from the network topology structure;
search the shortest path between that shortest path and the required bypass network security device;
search the shortest path between the bypass network security device and the target node;
and connect the searched shortest paths end to end in sequence to serve as the transmission detection path.
8. The SDN-based network security routing scheduling system of any one of claims 5 to 7, wherein the network security service scheduling center further comprises:
a judging module, configured to judge whether the required network security device is in an idle state, and to perform the calculation of the transmission detection path only with network security devices that are in the idle state.
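The path calculation described in claims 1 to 4 (and performed by the path calculation module of claims 5 to 8), as an added worked example that is not part of the patent: Dijkstra shortest paths over a small constructed topology, the embedded (inline) device chain of claim 2, the bypass branch of the third variant of claim 1, and the idle-state check of claims 4 and 8. The topology, the device names FW and IDS, the link costs and the idle table are all assumptions; the patent does not fix a particular shortest-path algorithm.

```python
import heapq
# Constructed topology (not from the patent): routers R1..R5, an inline firewall
# FW (embedded device) and a tap-fed IDS (bypass device); values are link costs.
TOPOLOGY = {
    "R1": {"R2": 1, "R3": 4}, "R2": {"R1": 1, "R3": 1, "FW": 1},
    "R3": {"R1": 4, "R2": 1, "R4": 1, "IDS": 2}, "R4": {"R3": 1, "R5": 1, "FW": 2},
    "R5": {"R4": 1}, "FW": {"R2": 1, "R4": 2}, "IDS": {"R3": 2}}
IDLE = {"FW": True, "IDS": True}  # constructed idle-state table (claims 4 and 8)

def shortest_path(graph, src, dst):
    """Dijkstra; returns (cost, [src, ..., dst]) or raises if dst is unreachable."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        for v, w in graph[u].items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        raise ValueError(f"no path {src}->{dst}")
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]

def chain(paths):
    """Connect shortest paths end to end, dropping each duplicated junction node."""
    out = list(paths[0])
    for p in paths[1:]:
        out.extend(p[1:])
    return out

def require_idle(devices):
    """Claims 4 and 8: a required device that is not idle is not scheduled."""
    if any(not IDLE.get(d) for d in devices):
        raise RuntimeError(f"required device busy: {devices}")

def embedded_path(graph, src, dst, devices):
    """Claim 2: src -> first device -> ... -> last device -> dst, chained."""
    require_idle(devices)
    hops = [src, *devices, dst]
    return chain([shortest_path(graph, a, b)[1] for a, b in zip(hops, hops[1:])])

def bypass_path(graph, src, dst, device):
    """Claim 1, third variant: shortest src->dst path plus cheapest branch to the mirror device."""
    require_idle([device])
    _, main = shortest_path(graph, src, dst)
    _, branch = min(shortest_path(graph, n, device) for n in main)
    return {"path": main, "mirror": branch}
```

The returned node lists are the data flow direction table of claim 1: the entry node R1 forwards along "path", and the router at the head of "mirror" copies the traffic to the bypass device.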
CN201611128527.8A 2016-12-09 2016-12-09 Network security routing scheduling method and system based on SDN Active CN108462633B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611128527.8A CN108462633B (en) 2016-12-09 2016-12-09 Network security routing scheduling method and system based on SDN

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611128527.8A CN108462633B (en) 2016-12-09 2016-12-09 Network security routing scheduling method and system based on SDN

Publications (2)

Publication Number Publication Date
CN108462633A CN108462633A (en) 2018-08-28
CN108462633B true CN108462633B (en) 2021-05-28

Family

ID=63221473

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611128527.8A Active CN108462633B (en) 2016-12-09 2016-12-09 Network security routing scheduling method and system based on SDN

Country Status (1)

Country Link
CN (1) CN108462633B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110099004A (en) * 2019-03-29 2019-08-06 贵阳忆联网络有限公司 A kind of network security path method and system
CN112217770B (en) * 2019-07-11 2023-10-13 奇安信科技集团股份有限公司 Security detection method, security detection device, computer equipment and storage medium
CN112491574B (en) * 2020-07-23 2024-12-10 中兴通讯股份有限公司 A data processing method and device
CN117998345A (en) * 2022-11-03 2024-05-07 中国移动通信有限公司研究院 Information transmission method, device, node and storage medium
CN116760624B (en) * 2023-07-17 2024-02-27 江南信安(北京)科技有限公司 Network worm detection method, system, storage medium and electronic equipment

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7330464B2 (en) * 2002-09-25 2008-02-12 Lucent Technologies Inc. Location identification for IP telephony to support emergency services
CN101901221B (en) * 2009-05-27 2012-08-29 北京启明星辰信息技术股份有限公司 Method and device for detecting cross site scripting
CN104702577B (en) * 2013-12-09 2018-03-16 华为技术有限公司 Data flow security processing and device
CN105100013B (en) * 2014-05-15 2018-10-12 华为技术有限公司 A kind of method, Network Security Device and the controller of sensing network safety equipment
CN104158755B (en) * 2014-07-30 2017-12-05 华为技术有限公司 The methods, devices and systems of transmitting message

Also Published As

Publication number Publication date
CN108462633A (en) 2018-08-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant