Abstract
[Objective] In recent years the traditional enterprise network structure has been overturned, and the concept of Secure Access Service Edge (SASE), which combines wide-area network (WAN) connectivity with network security functions, has been proposed. This paper studies the access control and dynamic routing requirements of SASE. [Methods] By defining "attributes" that describe entity identity and real-time context in the SASE environment, an attribute-based approach to dynamic secure network access is proposed. First, an attribute-based access control (ABAC) technique is designed to support the dynamic, fine-grained access control function of SASE. Second, an attribute-based dynamic routing architecture is designed, which makes routing decisions by combining the attributes carried by the data packet, the network environment, and the sending and receiving entities, providing a basis for the traffic scheduling and service orchestration functions of SASE. [Results] Feasibility experiments show that the virtual-network bandwidth loss rate of the approach is about 4.04%, the peak virtual-network jitter is 1.534 ms, and the peak virtual-network packet loss rate is 0.825%, all within a reasonable range. [Conclusions] While improving network security and dynamism, the approach does not significantly degrade network performance and has practical value.
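The abstract describes two decisions driven by the same attribute sets (subject, resource, packet and environment): a fine-grained permit/deny decision, and a routing decision that picks a path once access is permitted. The following is an illustrative example added here by the editor; it is not the authors' implementation and does not reproduce their architecture. Every attribute name, policy rule, path and metric in it is an assumption chosen for illustration. It shows a deny-overrides ABAC evaluator combined with an attribute-driven path selector, so that the access decision and the route decision are taken from one shared view of the request context.

```python
"""Illustrative ABAC evaluation plus attribute-driven path selection.

Editor-added example, NOT the paper's implementation. All attribute names,
rules, candidate paths and metrics below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, object]


@dataclass
class Request:
    subject: Attrs   # sender identity attributes (user, dept, device posture)
    resource: Attrs  # receiver / service attributes (app, data sensitivity)
    packet: Attrs    # attributes carried with the traffic (protocol, size)
    env: Attrs       # real-time context (network type, MFA state, link health)


@dataclass
class Rule:
    name: str
    effect: str                      # "permit" or "deny"
    cond: Callable[[Request], bool]  # predicate over all four attribute sets


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """Deny-overrides combining: any matching deny rule wins, otherwise the
    first matching permit rule, otherwise default deny.
    Returns (decision, name of the rule that decided)."""
    permit_by: Optional[str] = None
    for r in rules:
        if r.cond(req):
            if r.effect == "deny":
                return "deny", r.name
            if permit_by is None:
                permit_by = r.name
    if permit_by is None:
        return "deny", "default-deny"
    return "permit", permit_by


# Assumed policy set (illustrative only).
POLICY: List[Rule] = [
    Rule("block-revoked-device", "deny",
         lambda q: q.subject.get("device_posture") == "revoked"),
    Rule("no-confidential-on-public-network", "deny",
         lambda q: q.resource.get("sensitivity") == "confidential"
         and q.env.get("network") == "public"),
    Rule("finance-ledger-with-mfa", "permit",
         lambda q: q.subject.get("dept") == "finance"
         and q.resource.get("app") == "ledger"
         and q.env.get("mfa") is True),
]

# Assumed candidate paths, each carrying its own attributes (illustrative).
PATHS: Dict[str, Attrs] = {
    "mpls":        {"encrypted": True,  "latency_ms": 25, "healthy": True},
    "internet":    {"encrypted": False, "latency_ms": 10, "healthy": True},
    "sdwan-ipsec": {"encrypted": True,  "latency_ms": 15, "healthy": True},
}


def select_path(req: Request, paths: Dict[str, Attrs]) -> Optional[str]:
    """Attribute-driven route choice: drop unhealthy links, require an
    encrypted path unless the resource is public, then take lowest latency."""
    need_enc = req.resource.get("sensitivity") != "public"
    cands = [(name, a) for name, a in paths.items()
             if a["healthy"] and (a["encrypted"] or not need_enc)]
    if not cands:
        return None
    return min(cands, key=lambda na: na[1]["latency_ms"])[0]


def route(rules: List[Rule], req: Request, paths: Dict[str, Attrs]) -> Dict[str, object]:
    """Access decision first; a path is only chosen for permitted requests."""
    decision, rule = evaluate(rules, req)
    if decision != "permit":
        return {"decision": decision, "rule": rule, "path": None}
    return {"decision": "permit", "rule": rule, "path": select_path(req, paths)}


if __name__ == "__main__":
    # Constructed sample request (not measured data).
    r = Request(subject={"dept": "finance", "device_posture": "compliant"},
                resource={"app": "ledger", "sensitivity": "confidential"},
                packet={"proto": "tcp", "dport": 443},
                env={"network": "corporate", "mfa": True})
    print(route(POLICY, r, PATHS))
```

Two properties worth noting: the policy is deny-by-default, so a request matched by no rule is refused rather than routed, and the route selector filters on link health and encryption before it optimises on latency, so a change in the environment attributes (a link going unhealthy, a user moving to a public network) changes the outcome without any rule being rewritten.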
Authors
JIN Shenghao (金盛豪)
ZHENG Yu (郑宇)
TU Yu (涂昱)
ZHANG Hui (张辉)
State Key Laboratory of Complex & Critical Software Environment, Beihang University, Beijing 100191, China
Funding
Supported by the State Key Laboratory of Complex & Critical Software Environment (No. SKLSDE-2023ZX-07).