
Policy-Based Access Control Framework for Large Networks (in English)  Cited by: 4

Policy-Based Access Control Framework for Large Networks
Abstract: This paper focuses on the management and throughput problems of firewalls (or screening routers) deployed in transit networks. On the one hand, manual configuration of the large number of firewalls distributed across many access points cannot meet the security-management requirements of an open, dynamic network environment. On the other hand, sequential lookup of large filtering-rule sets lowers firewall throughput. Aimed at a typical transit network and its security policy requirements, a policy-based access control framework (PACF) is proposed. The framework is built on three levels of access control policy abstraction: organizational access control policy (OACP), global access control policy (GACP) and local access control policy (LACP). The GACP, derived from the results of intrusion detection systems and search engines according to the OACP, is automatically and dynamically distributed to the firewalls as LACPs, and each LACP is enforced by an individual firewall. Algorithms for distributing the GACP and enforcing the LACP are described, and a hash-table-based algorithm is proposed for looking up filtering rules in an LACP. PACF greatly reduces the security administrator's management workload for large transit networks. Under the security policy requirements described, the hash-based lookup algorithm reduces the time complexity of rule lookup from the O(N) of the traditional sequential algorithm to O(1), thereby increasing firewall throughput.
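As an added illustration (not code from the paper), the lookup trade-off the abstract describes: a constructed LACP of exact-match rules, a first-match sequential scan, and a hash-table index built once from the same rules. The exact-match key tuple (src, dst, proto, dst_port) and the default-deny are assumptions, since the abstract does not give the hash key.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed key: the paper does not specify which header fields it hashes.
Key = Tuple[str, str, str, int]  # (src_ip, dst_ip, proto, dst_port)


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    dport: int
    action: str  # "permit" or "deny"

    def key(self) -> Key:
        return (self.src, self.dst, self.proto, self.dport)


# Constructed sample LACP as a firewall would receive it from the GACP.
LACP: List[Rule] = [
    Rule("10.0.0.5", "192.0.2.10", "tcp", 80, "permit"),
    Rule("10.0.0.5", "192.0.2.10", "tcp", 22, "deny"),
    Rule("10.0.0.7", "192.0.2.11", "udp", 53, "permit"),
    Rule("10.0.0.5", "192.0.2.10", "tcp", 80, "deny"),  # shadowed by rule 1
]
DEFAULT_ACTION = "deny"  # anything not explicitly listed is dropped


def sequential_lookup(rules: List[Rule], pkt: Key) -> Tuple[str, int]:
    """Traditional first-match scan: O(N) comparisons per packet.
    Returns (action, number of rules examined)."""
    for examined, r in enumerate(rules, 1):
        if r.key() == pkt:
            return r.action, examined
    return DEFAULT_ACTION, len(rules)


def build_index(rules: List[Rule]) -> Dict[Key, str]:
    """Hash the LACP once. setdefault keeps the first rule for a key, so
    shadowed duplicates resolve exactly as the sequential scan does."""
    index: Dict[Key, str] = {}
    for r in rules:
        index.setdefault(r.key(), r.action)
    return index


def hash_lookup(index: Dict[Key, str], pkt: Key) -> str:
    """Single hash probe per packet: O(1) expected, independent of N."""
    return index.get(pkt, DEFAULT_ACTION)
```

Rebuild the index whenever a new LACP arrives; the shadowed fourth rule is the check that the hash form preserves first-match semantics rather than silently letting a later rule override an earlier one.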
Source: Journal of Software (软件学报), 2001, Issue 12, pp. 1739-1747 (9 pages). Indexed in EI, CSCD and the PKU Core Journals list.
Funding: National Key Basic Research and Development Program (973 Program) project.
Keywords: computer networks; network security; access control; firewall; security policy; hash table; algorithms; control; Internet; large scale systems; security of data


