Leveraging Network Functions Virtualization Orchestrators to Achieve Software-Defined Access Control in the Clouds
IEEE Transactions on Dependable and Secure Computing (IF 7.0). Pub Date: 2021-01-01, DOI: 10.1109/tdsc.2018.2889709
Montida Pattaranantakul, Ruan He, Zonghua Zhang, Ahmed Meddahi, Ping Wang

Network Functions Virtualization (NFV) has been widely recognized as an effective way to implement and consolidate hardware-based network functions using software-based approaches, with the potential to significantly reduce CAPEX and OPEX. In particular, NFV orchestrators (e.g., Tacker, Cloudify, and ONAP) play a vital role in managing and orchestrating virtualized network resources (e.g., VMs, Virtualized Network Functions), and TOSCA is one of the standard data models used to fulfil that role. However, it remains unclear how security mechanisms can be seamlessly integrated into the entire lifecycle of those virtualized network assets. Starting with a comparative analysis of the available NFV orchestrators, we extend the TOSCA model to incorporate security attributes of interest, and leverage the extended model to create access control policies at cloud scale. Specifically, we develop a security orchestrator that contains a TOSCA-parser and a novel tenant-specific access control paradigm. One of its salient features is that access control models and policies can be generated dynamically for different tenant domains, resulting in flexible and scalable protection coverage that spans different NFV layers and multiple data centers. To validate its feasibility and effectiveness, we develop a security orchestrator prototype and test its performance with respect to throughput, scalability, and adaptability. The experimental results demonstrate that all the desirable properties can be achieved, and that the throughput of our security orchestrator can be maintained at a satisfactory level regardless of the number of tenants, users, or objects deployed in the cloud.
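As an added illustration (not the paper's code, and not its actual TOSCA extension) of the idea of deriving tenant-specific access control policies from a TOSCA-style template: the `security` property block, the node names and the tenant and role values below are constructed assumptions, and the template is assumed to be already loaded into a dict as `yaml.safe_load` would produce.

```python
"""Tenant-scoped access rules from a TOSCA-style template (added example, not the
paper's code; the ``security`` block is a hypothetical stand-in for its extension)."""
from typing import Dict, List, Tuple

# Constructed template, as it would look after yaml.safe_load().
TEMPLATE = {
    "topology_template": {
        "node_templates": {
            "vFW": {
                "type": "tosca.nodes.nfv.VNF",
                "properties": {"security": {
                    "tenant": "tenant-a",
                    "roles": {"netops": ["read", "configure"], "auditor": ["read"]},
                }},
            },
            "vLB": {
                "type": "tosca.nodes.nfv.VNF",
                "properties": {"security": {"tenant": "tenant-b",
                                            "roles": {"netops": ["read"]}}},
            },
            # No security block: this node yields no rules at all.
            "mgmt_net": {"type": "tosca.nodes.nfv.VL", "properties": {}},
        }
    }
}

Rule = Tuple[str, str, str]  # (role, action, object)

def generate_policies(template: dict) -> Dict[str, List[Rule]]:
    """Return one allow-list per tenant, built only from the template.
    Anything not listed is denied, so the result is deny-by-default, and a
    new tenant or VNF needs a template change rather than a code change."""
    policies: Dict[str, List[Rule]] = {}
    nodes = template.get("topology_template", {}).get("node_templates", {})
    for name, node in nodes.items():
        sec = node.get("properties", {}).get("security")
        if not sec:
            continue
        for role, actions in sec.get("roles", {}).items():
            for action in actions:
                policies.setdefault(sec["tenant"], []).append((role, action, name))
    return policies

def is_allowed(policies: Dict[str, List[Rule]], tenant: str,
               role: str, action: str, obj: str) -> bool:
    """Enforcement check: a rule matches only within the caller's own tenant."""
    return (role, action, obj) in policies.get(tenant, [])
```

The cross-tenant case is the one worth checking: a role that may read `vFW` in tenant-a gets nothing in tenant-b, because rules are keyed by the tenant that declared them.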

Updated: 2021-01-01