Policy-Based Access Control Framework for Large Networks
Abstract:

This paper addresses two problems with firewalls (or screening routers) deployed in transit networks: their management and their throughput. On the one hand, manually configuring the large number of firewalls distributed across many access points cannot meet the security management requirements of an open and dynamic environment. On the other hand, sequential lookup of filtering rules in a firewall reduces its throughput. For a typical transit network and its security policy requirements, a policy-based access control framework (PACF) is proposed. The framework is built on three levels of abstract access control policy: organizational access control policy (OACP), global access control policy (GACP) and local access control policy (LACP). The GACP, derived from the results of IDS and search engines according to the OACP, is automatically and dynamically distributed to the firewalls as LACPs, and each LACP is then enforced by an individual firewall. Algorithms for distributing the GACP and enforcing the LACPs are described, and a hash-based algorithm is proposed for looking up filtering rules in an LACP. PACF greatly reduces the security administrator's management effort for large transit networks. Under the policy requirements described in the paper, the new algorithm reduces the lookup time complexity from the O(N) of the traditional sequential algorithm to O(1), which substantially increases firewall throughput.
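As an added illustration (not code from the paper), the following toy models the two mechanisms the abstract names: distributing a GACP into one LACP per firewall, and enforcing an LACP with a hash-keyed rule table instead of a sequential scan. The rule shape (a source site prefix plus an exact destination host, protocol and port), the sample rules and the firewall layout are assumptions, not taken from the paper.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    """Assumed rule shape (not from the paper): a source site prefix plus an
    exact destination host, protocol and port."""
    src_site: str   # CIDR of the site whose access point the rule applies at
    dst: str        # exact destination host address
    proto: str      # "tcp" or "udp"
    dport: int
    action: str     # "permit" or "deny"

# Constructed GACP: three rules covering two sites.
GACP = [
    Rule("10.1.0.0/16", "192.0.2.10", "tcp", 80, "permit"),
    Rule("10.1.0.0/16", "192.0.2.10", "tcp", 23, "deny"),
    Rule("10.2.0.0/16", "192.0.2.20", "udp", 53, "permit"),
]
# Constructed access points: the site prefixes each firewall guards.
FIREWALLS = {"fw-a": ["10.1.0.0/16"], "fw-b": ["10.2.0.0/16"]}

def distribute(gacp, firewalls):
    """Split the GACP into one LACP per firewall: a rule goes to every
    firewall guarding an access point that covers the rule's source site."""
    lacps = {name: [] for name in firewalls}
    for rule in gacp:
        site = ip_network(rule.src_site)
        for name, prefixes in firewalls.items():
            if any(site.subnet_of(ip_network(p)) for p in prefixes):
                lacps[name].append(rule)
    return lacps

class HashLACP:
    """LACP enforced by one firewall. Rules are indexed by their exact
    (dst, proto, dport) key, so a packet is classified with a single dict
    probe (O(1)) instead of a walk over the whole rule list (O(N))."""

    def __init__(self, rules, default="deny"):
        self.default = default  # packets matching no rule are denied
        self.table = {(r.dst, r.proto, r.dport): r.action for r in rules}

    def lookup(self, dst, proto, dport):
        return self.table.get((dst, proto, dport), self.default)

def enforce(gacp, firewalls):
    """Build each firewall's hash-indexed LACP from the distributed GACP."""
    return {n: HashLACP(rs) for n, rs in distribute(gacp, firewalls).items()}
```

Note that the O(1) probe relies on the assumed exact-match key; rules over address or port ranges would need a different index.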

Citation: 段海新, 吴建平, 李星. Policy-Based Access Control Framework for Large Networks. Journal of Software (软件学报), 2001, 12(12): 1739-1747.

History
  • Received: April 28, 2000
  • Revised: June 13, 2001
Copyright: Institute of Software, Chinese Academy of Sciences