
Design and Implementation of a Parapass-through Driver for Virtualization-based Fine-grained Network Access Control

Parapass-through Network Driver Based on Virtualization for Fine-grained Access Control

Abstract/Summary

Recently, threats to security-sensitive data have become an increasingly serious problem in every company. Most companies deploy a network security solution and enforce a standard security policy on enterprise PCs and laptops to address the problem. One typical solution is perimeter security, which sets up a thick wall, e.g. a network firewall, between the outside and the inside of an enterprise network. It treats the external network as untrusted, so it monitors all traffic coming from the outside network to protect the internal network from malicious access. A Virtual Private Network (VPN) is one of the popular solutions used together with a firewall in traditional perimeter security. IPSec VPN and SSL VPN are the most popular VPN solutions, and they support safe remote access from outside to inside the network. But with the advent of mobile devices and cloud-based services, the perimeter is becoming unclear, and VPN solutions are also neutralized. The perimeter is no longer the physical location of the network; it expands to the user's personal identity. So all access control must be based on the device state and the user's identity, regardless of the user's network location. For this reason, fine-grained network access control can be applied to solve the problem. Fine-grained network access control identifies the device state and the user's identity, and it applies the network security policy instead of traditional perimeter security, e.g. VPN. In this thesis, we propose a solution for fine-grained network access control in a virtualization environment. We designed an architecture that mediates network I/O events and enforces security policies using the user identity and the application information. We implemented a prototype of our architecture on a desktop environment, and evaluated network I/O throughput to measure the overhead of intercepting the events and enforcing the security policies. The experimental results showed that the overhead for interception and enforcement of security policies is reasonable. The overall network I/O performance is degraded, but the overhead can be reduced by using other techniques.


Table of Contents

I. Introduction 1
1.1. Problem Definition 2
1.2. Objectives and Threat Model 3
II. Background 5
2.1. Virtualization Technology 5
2.2. BitVisor 5
2.3. Data Firewall 6
III. System Design 7
3.1. Security Monitor 8
3.1.1. Memory-Mapped I/O 9
3.1.2. I/O Event Handler 10
3.1.3. I/O Information Requester 11
3.2. Security Kernel 12
3.3. Fine-grained Network Access Control 12
IV. Implementation 14
4.1. Security Monitor 14
4.1.1. Ethernet Host Controller 14
4.1.2. Descriptors 17
4.1.3. Security Policy Enforcement 17
4.1.4. Shadowing 18
4.2. Security Kernel 19
V. Performance Evaluation and Verification 21
5.1. Experimental Environment 21
5.2. Security Threats and Countermeasures 22
5.3. I/O Performance Measurement 22
5.4. I/O Performance Analysis and Improvements 25
VI. Comparison with Related Work 27
6.1. VPN 27
6.1.1. IPSec VPN 27
6.1.2. SSL VPN 27
VII. Conclusion and Future Work 29
REFERENCES 30
