基于混合式体系结构的高速边缘路由器安全数据库的研究与实现

随着计算机网络技术的发展,对网络系统的高可靠性和高可用性提出了较高的要求,并使得网络核心设备的安全研究成为网络技术发展的热点。路由器作为网络传输的重要设备,是网络安全设计和实施的重点。高速边缘路由器作为骨干网和互联网/内部网之间的高速接入设备,在网络安全的研究中具有重要的意义。高速边缘路由器中的安全数据库管理包含了对安全策略的管理和对安全关联的管理,它的体系结构的合理性和高效性是制约高速边缘路由器系统性能的重要因素。目前,安全数据库系统普遍采用集中式体系结构完成对安全策略和安全关联数据的管理,在系统的并行性、灵活性和访问效率方面都存在着较大的缺陷;分布式管理则由于各分布子系统间的一致性维护问题在高速边缘路由器中被充分放大而无法满足高速边缘路由器的设计要求。论文基于ForCES协议框架提出了一种高速边缘路由器的体系结构CeDita,并详细分析了基于该体系结构的安全数据库混合式管理模型SDM。该模型综合了集中式管理的视图统一、操作简单等特点以及分布式管理的本地访问特点,具有较强的并行性、可扩展性和高效性,是一种适于路由器实现的高效的数据库管理模型。

Study and Implementation on the Security Database of High Speed Boundary Router Based on Hybrid Architecture

With the ever increasing of the network security systems applied in wide range of critical domains,the requirement of high reliability and high availability of these systems tends to be more and more urgent ,which leads to the emergence of the routers executing security protocols(i.e,IPSec)and the tendency of these routers used as the boundary equipments between the backbone and Intranet/Internet.The security database management of these routers includes the management of the security policies and security associations of the routers.The complexity of this management requires a flexible,scalable and efficient architecture.Centralized architecture can't meet this challenge due to the long access time and the poor parallelism.Neither can distributed architecture do because that the management of the security database is complex enough to maintain the consistencies between the multiple executors.This paper prompts an architecture called CeDita in the framework of the ForCES,and analyzs the hybrid architecture of the security database management which maintains a short access time and keeps the system flexible and scalable.Furthermore,detailed studies on the key implementation technologies of this architecture are presented in the paper as well.