基于属性的SASE访问控制及动态路由技术研究

doi:10.11871/jfdc.issn.2096-742X.2024.06.010

数据与计算发展前沿 ›› 2024, Vol. 6 ›› Issue (6): 97-108.

CSTR: 32002.14.jfdc.CN10-1649/TP.2024.06.010

doi: 10.11871/jfdc.issn.2096-742X.2024.06.010

基于属性的SASE访问控制及动态路由技术研究

金盛豪(),郑宇,涂昱,张辉^*()

北京航空航天大学复杂关键软件环境全国重点实验室，北京 100191

收稿日期:2024-03-28 出版日期:2024-12-20 发布日期:2024-12-20
通讯作者: 张辉
作者简介:金盛豪，北京航空航天大学计算机学院，博士研究生，CCF学生会员（T7826G），主要研究方向为计算机网络与人工智能。
本文中负责基于属性的SASE访问控制及动态路由关键技术研究。
JIN Shenghao, is a Ph.D. candidate at the School of Computer Science and Engineering, Beihang University. He is a student member of CCF(No.T7826G). His main research interests include computer networks and artificial intelligence.
In this paper, he is responsible for the research on key technologies of attribute-based SASE access control and dynamic routing.
E-mail: sh@buaa.edu.cn|张辉，博士，北京航空航天大学计算机学院，教授，博士生导师，现兼任国家科技资源共享服务工程技术研究中心副主任，主要研究领域包括计算机网络、网络与信息安全、人工智能、大数据管理与挖掘等。
本文中负责确定研究内容，制定论文框架，以及论文的修改、审定。
ZHANG Hui, Ph.D., professor and doctoral supervisor at the School of Computer Science and Engineering, Beihang University. He concurrently serves as the deputy director of the National Science and Technology Resource Sharing Service Engineering Technology Research Center. His main research interests include computer networks, network and information security, artificial intelligence, big data management and mining, etc.
In this paper, he is responsible for determining the research content, developing the framework of the paper, as well as revising and finalizing the paper.
E-mail: hzhang@buaa.edu.cn
基金资助:
复杂关键软件环境全国重点实验室资助项目(SKLSDE-2023ZX-07)

Attribute-Based SASE Access Control and Dynamic Routing Technology

JIN Shenghao(),ZHENG Yu,TU Yu,ZHANG Hui^*()

State Key Laboratory of Complex & Critical Software Environment, Beihang University, Beijing 100191, China

Received:2024-03-28 Online:2024-12-20 Published:2024-12-20
Contact: ZHANG Hui

摘要/Abstract

摘要：

【目的】近年来，传统企业网络结构被颠覆，融合了广域网组网能力与网络安全功能的安全访问服务边缘（SASE）概念被提出。本文面向SASE的访问控制、动态路由等需求进行研究。【方法】通过定义“属性”来描述SASE环境中的实体身份和实时上下文，提出基于属性的动态安全网络访问技术方法。首先，设计基于属性的访问控制技术，以支撑SASE的动态细粒度访问控制功能。然后，设计基于属性的动态路由架构，结合数据包、网络环境、发送方与接收方等实体所携带的属性做出路由决策，为SASE的流量调度和服务编排功能提供了基础。【结果】可行性验证实验结果表明，该技术方法的虚拟网络带宽损失率约为4.04%，虚拟网络抖动峰值为1.534 ms，虚拟网络丢包率峰值为0.825%，均处于合理范畴。【结论】本方法在提高网络安全性和动态性的前提下，并未对网络性能产生较大影响,已具备实用价值。

关键词: 安全访问服务边缘, 基于属性的访问控制, 基于属性的路由

Abstract:

[Objective] In recent years, the traditional enterprise network structure has been completely subverted, and the concept of Secure Access Service Edge (SASE), which integrates the dynamic networking capability of wide area network and comprehensive network security services, has been proposed. In this paper, we focus on the access control and dynamic routing requirements of SASE. [Methods] This paper proposes an attribute-based approach for dynamic secure network access technology by defining “attributes” to describe the entity identity and real-time context in the SASE environment. Firstly, attribute-based access control technology is designed to support the dynamic fine-grained access control function of SASE. Then, an attribute-based dynamic routing architecture is designed, which can make dynamic routing decisions by combining the attributes carried by entities such as data packets, network environment, senders and receivers, providing basic support for the traffic scheduling and service orchestration functions of SASE. [Results] Finally, the feasibility validation results demonstrate that the total bandwidth loss rate of the proposed technical approach is about 4.04%, the peak network jitter is 1.534 ms, and the peak packet loss rate is 0.825%, all of which are in the reasonable range. [Conclusions] This technical approach has no significant impact on the network performance while significantly improving the network security and dynamics, and is of practical value.

Key words: secure access service edge, attribute-based access control, attribute-based routing

金盛豪,郑宇,涂昱,张辉. 基于属性的SASE访问控制及动态路由技术研究[J]. 数据与计算发展前沿, 2024, 6(6): 97-108.

JIN Shenghao,ZHENG Yu,TU Yu,ZHANG Hui. Attribute-Based SASE Access Control and Dynamic Routing Technology[J]. Frontiers of Data and Computing, 2024, 6(6): 97-108, https://cstr.cn/32002.14.jfdc.CN10-1649/TP.2024.06.010.

图/表 9

图1

图2

图3

图4

图5

图6

图7

图8

图9

参考文献 36

[1]	WEIL T, MURUGESAN S. IT risk and resilience—Cybersecurity response to COVID-19[J]. IT Professional, 2020, 22(3): 4-10.
[2]	MACDONALD N, ORANS L, SKORUPA J. The Future of Network Security Is in the Cloud[R]. Gartner. Viitattu, 2019: 1-26.
[3]	MILLER L, WEBBER-ZVIK E. Secure access service edge (sase) for dummies[R]. Cato Networks, Tech. Rep., 2020: 47-51.
[4]	WOOD M. How SASE is defining the future of network security[J]. Network Security, 2020, 2020(12): 6-8.
[5]	KINDERVAG J. Build security into your network’s dna: The zero trust network architecture[R]. Forrester Research Inc, 2010: 1-25.
[6]	STAFFORD V A. Zero trust architecture[J]. NIST Special Publication, 2020, 800: 207.
[7]	ISLAM M N, COLOMO-PALACIOS R, CHOCKALINGAM S. Secure access service edge: A multivocal literature review[C]// 2021 21st International Conference on Computational Science and Its Applications (ICCSA). IEEE, 2021: 188-194.
[8]	VAN DER WALT S, VENTER H. Research gaps and opportunities for secure access service edge[C]// International Conference on Cyber Warfare and Security. 2022, 17(1): 609-619.
[9]	CHEN R, YUE S, ZHAO W, et al. Overview of the Development of Secure Access Service Edge[C]// International Conference On Signal And Information Processing, Networking And Computers. Singapore: Springer Nature Singapore, 2022: 138-145.
[10]	党小东, 柴瑶琳, 穆琙博, 等. 安全访问服务边缘产业发展现状及未来发展趋势[J]. 信息安全与通信保密, 2023 (9):19-26.
[11]	MEF FORUM. MEF White Paper: MEF SASE Services Framework[R]. MEF Forum, 2020: 2-16.
[12]	YILIYAER S, KIM Y. Secure Access Service Edge: A Zero Trust Based Framework For Accessing Data Securely[C]// 2022 IEEE 12th Annual Computing and Communication Workshop and Conference (CCWC). IEEE, 2022: 586-591.
[13]	王茜, 陈晨, 井俊丰, 等. 大型企业SASE解决方案及应用实践[J]. 中兴通讯技术, 2023, 29(1): 45-50.
[14]	DOWNS D D, RUB J R, KUNG K C, et al. Issues in discretionary access control[C]// 1985 IEEE Symposium on Security and Privacy. IEEE, 1985: 208-208.
[15]	BELL D E, LA PADULA L J. Secure Computer System: Unified Exposition and Multics interpretation[R]. MITRE Corporation, 1976.
[16]	FERRAIOLO D, CUGINI J, KUHN D R. Role-based access control (RBAC): Features and motivations[C]// Proceedings of the 11th Annual Computer Security Application Conference. 1995: 241-248.
[17]	SANDHU R S. Role-based access control[M]// Advances in Computers. Elsevier, 1998, 46: 237-286.
[18]	SAUNDERS G, HITCHENS M, VARADHARAJAN V. Role-based access control and the access control matrix[J]. ACM SIGOPS Operating Systems Review, 2001, 35(4): 6-20.
[19]	WANG L, WIJESEKERA D, JAJODIA S. A logic-based framework for attribute based access control[C]// Proceedings of the 2004 ACM Workshop on Formal Methods in Security Engineering. 2004: 45-55.
[20]	ELLIOTT A, KNIGHT S. Towards managed role explosion[C]// Proceedings of the 2015 New Security Paradigms Workshop. 2015: 100-111.
[21]	YUAN E, TONG J. Attributed based access control (ABAC) for web services[C]// IEEE International Conference on Web Services (ICWS'05). IEEE, 2005: 569-576.
[22]	AMEER S, BENSON J, SANDHU R. Hybrid Approaches (ABAC and RBAC) Toward Secure Access Control in Smart Home IoT[J]. IEEE Transactions on Dependable and Secure Computing, 2023, 20(5): 4032-4051.
[23]	楚兵. 基于属性的访问控制技术在大型PLC控制器中的应用研究[J]. 工业信息安全, 2023(6): 23-28.
[24]	DJAMA A, DJAMAA B, SENOUCI M R. Information-Centric Networking Solutions for the Internet of Things: A Systematic Mapping Review[J]. Computer Communications, 2020, 159: 37-59.
[25]	AHLGREN B, DANNEWITZ C, IMBRENDA C, et al. A survey of information-centric networking[J]. IEEE Communications Magazine, 2012, 50(7): 26-36.
[26]	CARZANIGA A, WOLF A L. Forwarding in a content-based network[C]// Proceedings of the 2003 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications. 2003: 163-174.
[27]	CARZANIGA A, RUTHERFORD M J, WOLF A L. A routing scheme for content-based networking[C]// IEEE INFOCOM 2004. IEEE, 2004, 2: 918-928.
[28]	ION M, ZHANG J, SCHOOLER E M. Toward content-centric privacy in ICN: Attribute-based encryption and routing[C]// Proceedings of the 3rd ACM SIGCOMM Workshop on Information-Centric Networking. 2013: 39-40.
[29]	LI B, HUANG D, WANG Z, et al. Attribute-based access control for ICN naming scheme[J]. IEEE Transactions on Dependable and Secure Computing, 2016, 15(2): 194-206.
[30]	EUM S, JIBIKI M, MURATA M, et al. A design of an ICN architecture within the framework of SDN[C]// 2015 Seventh International Conference on Ubiquitous and Future Networks. IEEE, 2015: 141-146.
[31]	VAHLENKAMP M, SCHNEIDER F, KUTSCHER D, et al. Enabling ICN in IP networks using SDN[C]// 2013 21st IEEE International Conference on Network Protocols (ICNP). IEEE, 2013: 1-2.
[32]	LV J, WANG X, HUANG M, et al. RISC: ICN routing mechanism incorporating SDN and community division[J]. Computer Networks, 2017, 123: 88-103.
[33]	YANG Z, CUI Y, LI B, et al. Software-defined wide area network (SD-WAN): Architecture, advances and opportunities[C]// 2019 28th International Conference on Computer Communication and Networks (ICCCN). IEEE, 2019: 1-9.
[34]	SAHAI A, WATERS B. Fuzzy identity-based encryption[C]// Advances in Cryptology-EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings. Springer Berlin Heidelberg, 2005: 457-473.
[35]	GOYAL V, PANDEY O, SAHAI A, et al. Attribute-based encryption for fine-grained access control of encrypted data[C]// Proceedings of the 13th ACM Conference on Computer and Communications Security. 2006: 89-98.
[36]	BETHENCOURT J, SAHAI A, WATERS B. Ciphertext-policy attribute-based encryption[C]// 2007 IEEE Symposium on Security and Privacy (SP'07). IEEE, 2007: 321-334.

基于属性的SASE访问控制及动态路由技术研究

Attribute-Based SASE Access Control and Dynamic Routing Technology

RichHTML

PDF

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 36

相关文章 0

编辑推荐

Metrics

本文评价