面向大规模网络的基于政策的访问控制框架
DOI:
作者:
作者单位:

作者简介:

通讯作者:

中图分类号:

基金项目:

Supported by the National Grand Fundamental Research 973 Program of China under Grant No. G1999035810(国家重点基础研究发展规划973资助项目)


Policy-Based Access Control Framework for Large Networks
Author:
Affiliation:

Fund Project:

  • 摘要
  • |
  • 图/表
  • |
  • 访问统计
  • |
  • 参考文献
  • |
  • 相似文献
  • |
  • 引证文献
  • |
  • 资源附件
  • |
  • 文章评论
    摘要:

    研究防火墙(或过滤路由器)应用于传输网络中的管理问题与吞吐量问题.一方面,手工配置分布在各个接入点的大量防火墙,无法满足开放的、动态的网络环境的安全管理需求;另一方面,大量过滤规则的顺序查找导致了防火墙吞吐量下降.针对一个典型的传输网络和它的安全政策需求,提出了一种基于政策的访问控制框架(PACF),该框架基于3个层次的访问控制政策的抽象:组织访问控制政策(OACP)、全局访问控制政策(GACP)和本地访问控制政策(LACP).根据OACP,GACP从入侵监测系统和搜索引擎产生,作为LACP自动地、动态地分配到各防火墙中,由防火墙实施LACP.描述了GACP的分配算法和LACP的实施算法,提出了一种基于散列表的过滤规则查找算法.PACF能够大量减轻管理员的安全管理工作,在描述的安全政策需求下,基于散列表的规则查找算法能够将传统顺序查找算法的时间复杂度从O(N)降低到O(1),从而提高了防火墙的吞吐量.

    Abstract:

    Efforts of this paper focus on the issues about the management and throughput of firewalls (or screening routers) applied in transit networks. On the one hand, manual configuration of large amount of firewalls distributed in many access points cannot meet the requirements of security management in the open and dynamic environment. On the other hand, the ordinal lookup of filtering rules in firewall results in decrease of throughput. Aimed at a typical transit network and its security policy requirements, a policy-based access control framework (PACF) is proposed in this paper. This framework is based on three levels of abstract access control policy: organizational access control policy (OACP), global access control policy (GACP) and local access control policy (LACP). The GACP, which comes from the results of IDS and search engines according to OACP, is automatically and dynamically distributed to firewalls as LACPs. Each LACP is then enforced by an individual firewall. Some algorithms for distribution of GACP and enforcement of LACP are described. A hashbased algorithm is proposed for lookup of filtering rules in LACP. PACF largely reduces the management labor of the security administrator for large transit networks. Under the environment with policy requirements described in this paper, the new algorithm reduces the time complexity of lookup from O(N) of traditional sequential algorithm to O(1), which increases largely the throughput of firewalls.

    参考文献
    相似文献
    引证文献
引用本文

段海新,吴建平,李星.面向大规模网络的基于政策的访问控制框架.软件学报,2001,12(12):1739-1747

复制
分享
文章指标
  • 点击次数:
  • 下载次数:
  • HTML阅读次数:
  • 引用次数:
历史
  • 收稿日期:2000-04-28
  • 最后修改日期:2001-06-13
  • 录用日期:
  • 在线发布日期:
  • 出版日期:
您是第位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号