
A Convergence Implementation of Realtime Traffic Shaping and IPS on Small Integrated Security Router for IDC

Convergence Implementation of Real-Time Traffic Shaping and IPS on a Small Integrated Security Router for IDC

  • Received : 2019.04.30
  • Accepted : 2019.05.22
  • Published : 2019.07.31

Abstract

Various server-based services such as big data, IoT and artificial intelligence are now delivered online. As a result, demand for IDCs (Internet Data Centers) that support stable server operation is growing. An IDC is a server hosting facility with stable network lines and power supply that manages servers in groups of 20 to 30 on efficiently separated rack-level subnetworks. Here, a way is needed to manage server security, firewalling and traffic efficiently on a rack-by-rack basis. That is, each rack must be supported by a router, a firewall, an IPS, traffic shaping that controls line speed, and VPN technology, a recent area of interest. If three to five kinds of commercial equipment are adopted to provide this, the burden on management cost as well as on introduction cost can be great. Therefore, in this paper, we propose a method to implement all five functions in one small rack-unit integrated security router. In particular, we integrate traffic shaping and IPS, which are essential technologies in an IDC, and present the resulting utility.

Recently, various server-based services such as big data, the Internet of Things and artificial intelligence are being provided online. Accordingly, demand for IDCs (Internet Data Centers) that support stable server operation is also growing. An IDC is a server hosting facility equipped with stable network lines and power supply facilities, which manages servers in groups of 20 to 30 on efficiently separated rack-level subnetworks. Here, a method is needed to efficiently manage the security, firewalling and traffic of the servers on a rack-by-rack basis. That is, it must support a router, a firewall, an IPS, a traffic shaping function that controls line speed, and VPN technology, a recent area of interest. Adopting three to five kinds of commercial equipment to support this can be a great burden on operation and management as well as on introduction cost. Therefore, this paper presents a method to implement the five functions in one small rack-unit integrated security router; in particular, it implements a convergence of traffic shaping and IPS, which are essential technologies in an IDC, and presents the resulting utility.

Keywords

Fig. 1 Integrated VPN router configuration diagram

Fig. 2 Multiple-Queuing Traffic Shaping

Fig. 3 Routing protocol

Fig. 4 Execution structure of 'zebra'

Table 1 Hardware / Software Specifications

Table 2 Intrusion technique

Table 3 False-rate performance analysis


Cited by

  1. Web-Monitoring-Based Encrypted Web Traffic Attack Detection System, vol.25, pp.3, 2019, https://doi.org/10.6109/jkiice.2021.25.3.449