{"title":"Empowering Network Security With Programmable Switches: A Comprehensive Survey","authors":"Xiang Chen;Chunming Wu;Xuan Liu;Qun Huang;Dong Zhang;Haifeng Zhou;Qiang Yang;Muhammad Khurram Khan","doi":"10.1109/COMST.2023.3265984","DOIUrl":null,"url":null,"abstract":"With the growth of network applications such as 5G and artificial intelligence, network security techniques, i.e., the techniques that detect various attacks (e.g., well-known denial-of-service (DDoS) attacks) and prevent production networks (e.g., data center networks) from being attacked, become increasingly essential for network management and have gained great popularity in the networking community. Generally, these techniques are built on proprietary hardware appliances, i.e., middleboxes, or the paradigm that combines both software-defined networking (SDN) and network function virtualization (NFV) to implement security functions. However, the techniques built on middleboxes are proven to be hard-to-manage, costly, and inflexible, thereby making them an out-of-date choice in network security. For the techniques built on SDN and NFV, they virtualize and softwarize security functions on commodity servers, leading to non-trivial performance degradation. Fortunately, the recent emergence of programmable switches brings new opportunities of empowering network security techniques with the characteristics of easy-to-manage, low cost, high flexibility, and Tbps-level performance. In this survey, we focus on this promising trend in network security. More precisely, this survey first presents the preliminaries of programmable switches, which are the primary driver of next-generation network security techniques. Next, we comprehensively review existing techniques built on programmable switches, classify these techniques, and discuss their background, motivation, design, implementation, and limitations case-by-case. Finally, we summarize open issues and future research directions in this promising research topic of network security.","PeriodicalId":55029,"journal":{"name":"IEEE Communications Surveys and Tutorials","volume":"25 3","pages":"1653-1704"},"PeriodicalIF":34.4000,"publicationDate":"2023-04-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Communications Surveys and Tutorials","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10098550/","RegionNum":1,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
Empowering Network Security With Programmable Switches: A Comprehensive Survey
With the growth of network applications such as 5G and artificial intelligence, network security techniques, i.e., the techniques that detect various attacks (e.g., the well-known distributed denial-of-service (DDoS) attacks) and prevent production networks (e.g., data center networks) from being attacked, have become increasingly essential for network management and have gained great popularity in the networking community. Generally, these techniques are built on proprietary hardware appliances, i.e., middleboxes, or on the paradigm that combines software-defined networking (SDN) and network function virtualization (NFV) to implement security functions. However, techniques built on middleboxes have proven to be hard to manage, costly, and inflexible, making them an out-of-date choice in network security. Techniques built on SDN and NFV virtualize and softwarize security functions on commodity servers, leading to non-trivial performance degradation. Fortunately, the recent emergence of programmable switches brings new opportunities for empowering network security techniques with the characteristics of easy management, low cost, high flexibility, and Tbps-level performance. In this survey, we focus on this promising trend in network security. More precisely, this survey first presents the preliminaries of programmable switches, which are the primary driver of next-generation network security techniques. Next, we comprehensively review existing techniques built on programmable switches, classify these techniques, and discuss their background, motivation, design, implementation, and limitations case by case. Finally, we summarize open issues and future research directions in this promising research topic of network security.
Journal description:
IEEE Communications Surveys & Tutorials is an online journal published by the IEEE Communications Society for tutorials and surveys covering all aspects of the communications field. Telecommunications technology is progressing at a rapid pace, and the IEEE Communications Society is committed to providing researchers and other professionals with the information and tools to stay abreast. IEEE Communications Surveys and Tutorials focuses on integrating and adding understanding to the existing literature on communications, putting results in context. Whether searching for in-depth information about a familiar area or an introduction to a new area, IEEE Communications Surveys & Tutorials aims to be the premier source of peer-reviewed, comprehensive tutorials and surveys, and pointers to further sources. IEEE Communications Surveys & Tutorials publishes only articles written exclusively for IEEE Communications Surveys & Tutorials, which go through a rigorous review process before their publication in the quarterly issues.
A tutorial article in the IEEE Communications Surveys & Tutorials should be designed to help the reader to become familiar with and learn something specific about a chosen topic. In contrast, the term survey, as applied here, is defined to mean a survey of the literature. A survey article in IEEE Communications Surveys & Tutorials should provide a comprehensive review of developments in a selected area, covering its development from its inception to its current state and beyond, and illustrating its development through liberal citations from the literature. Both tutorials and surveys should be tutorial in nature and should be written in a style comprehensible to readers outside the specialty of the article.