Project title: Research on Network Reachability Modeling, Querying and Optimization Techniques Based on Multi-form Security Policies
Project number: No.61272546
Project type: General Program (面上项目)
Approval year: 2013
Project discipline: Automation technology, computer technology
Principal investigator: 秦拯
Affiliation: 湖南大学 (Hunan University)
Project funding: RMB 820,000 (82万元)
Chinese abstract: Configuring security policies appropriately gives a network the right amount of reachability: it keeps normal business running while avoiding unnecessary communication. As the number and variety of deployed network security devices grow, studying network reachability under the constraints of security policies has become both a hot topic and a difficult one. Existing research, however, mainly targets ACL-style security policies in devices such as firewalls and routers; the resulting models cover only a single form of security policy, cannot describe user query requests in a uniform way, lack efficient query methods, and do not consider global optimization of network reachability. Building on the project group's earlier results, this project will incorporate the non-ACL security policies found in systems such as NAT, PAT and IPS and propose a reachability model based on multi-source, multi-form security policies that describes network reachability more completely and accurately; study a structured reachability query language and propose efficient query-processing and reachability fault localization algorithms, providing an efficient and practical reachability query mechanism; and study the mutual constraints among security policies, analyze the cross-effects that arise when security policies change, and propose algorithms for global network reachability optimization and security policy deployment, ensuring appropriate network reachability while reducing redundant traffic and providing efficient, feasible technical solutions for security policy deployment and network device configuration.
Chinese keywords: network reachability; security policy compression; security policy placement; firewall;
English abstract: Rational configuration of security policies in a network is crucial, since maintaining proper reachability not only ensures normal operation but also blocks unnecessary communication. With the growing quantity and variety of network security devices, quantifying network reachability under the constraints of various security policies has become a hotspot. Researchers have made great efforts on this difficult problem, but several challenging issues remain. Firstly, existing research covers only security policies in the form of ACLs, as widely implemented in firewalls and routers; in fact there are other security policies that are not in ACL form, and these are also widely implemented in network systems such as NAT, PAT and IPS. Without comprehensive consideration of all forms of policies, current network reachability models cannot reveal all the factors affecting network reachability in an actual network. Secondly, for lack of a unified query language, it is hard to translate a user's query request into a formal search in the network reachability model; besides, the query process is not yet efficient. Thirdly, existing optimization of network reachability does not yield a globally optimal solution. In this project, we address these issues on the foundation of our preliminary study. Firstly, we propose a network
English keywords: network reachability; security policy compression; security policy placement; firewall;