Open Access System for Information Sharing


Design and Implementation of a Parapass-through Driver for Virtualization-Based Fine-Grained Network Access Control

Title
Design and Implementation of a Parapass-through Driver for Virtualization-Based Fine-Grained Network Access Control
Authors
박준영
Date Issued
2015
Publisher
포항공과대학교
Abstract
Recently, threats to security-sensitive data have become an increasingly serious problem for every company. Most companies address the problem by deploying network security solutions and enforcing a standard security policy on enterprise PCs and laptops. One typical solution is perimeter security, which sets up a thick wall, e.g. a network firewall, between the outside and the inside of an enterprise network. It considers the external network untrusted, so it monitors all traffic coming from the outside network to protect the internal network from malicious access. A Virtual Private Network (VPN) is one of the popular solutions used together with a firewall in traditional perimeter security. IPSec VPN and SSL VPN are the most popular VPN solutions, and they support safe remote access from outside the network to the inside. However, with the advent of mobile devices and cloud-based services, the perimeter is becoming unclear, and VPN solutions are also neutralized. The perimeter is no longer the physical location of the network; it expands to the user’s personal identity. All access control must therefore be based on the device state and the user’s identity, regardless of the user’s network location. For this reason, fine-grained network access control can be applied to solve the problem. Fine-grained network access control identifies the device state and the user’s identity, and applies the network security policy in place of traditional perimeter security, e.g. VPN. In this thesis, we propose a solution for fine-grained network access control in a virtualization environment. We designed an architecture that mediates network I/O events and enforces security policies using the user identity and the application information. We implemented a prototype of our architecture in a desktop environment and evaluated network I/O throughput to measure the overhead of intercepting events and enforcing the security policies.
The experimental results showed that the overhead of interception and enforcement of security policies is reasonable. The overall network I/O performance is degraded, but the overhead can be reduced by using other techniques.
URI
http://postech.dcollection.net/jsp/common/DcLoOrgPer.jsp?sItemId=000001914677
https://oasis.postech.ac.kr/handle/2014.oak/93408
Article Type
Thesis
Files in This Item:
There are no files associated with this item.


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.
