Attribute-Based SASE Access Control and Dynamic Routing Technology

doi:10.11871/jfdc.issn.2096-742X.2024.06.010

Abstract

Abstract:

[Objective] In recent years, the traditional enterprise network structure has been completely subverted, and the concept of Secure Access Service Edge (SASE), which integrates the dynamic networking capability of wide area network and comprehensive network security services, has been proposed. In this paper, we focus on the access control and dynamic routing requirements of SASE. [Methods] This paper proposes an attribute-based approach for dynamic secure network access technology by defining “attributes” to describe the entity identity and real-time context in the SASE environment. Firstly, attribute-based access control technology is designed to support the dynamic fine-grained access control function of SASE. Then, an attribute-based dynamic routing architecture is designed, which can make dynamic routing decisions by combining the attributes carried by entities such as data packets, network environment, senders and receivers, providing basic support for the traffic scheduling and service orchestration functions of SASE. [Results] Finally, the feasibility validation results demonstrate that the total bandwidth loss rate of the proposed technical approach is about 4.04%, the peak network jitter is 1.534 ms, and the peak packet loss rate is 0.825%, all of which are in the reasonable range. [Conclusions] This technical approach has no significant impact on the network performance while significantly improving the network security and dynamics, and is of practical value.

Key words: secure access service edge, attribute-based access control, attribute-based routing

JIN Shenghao,ZHENG Yu,TU Yu,ZHANG Hui. Attribute-Based SASE Access Control and Dynamic Routing Technology[J]. Frontiers of Data and Computing, 2024, 6(6): 97-108, https://cstr.cn/32002.14.jfdc.CN10-1649/TP.2024.06.010.

Figures/Tables 9

Fig.1

Fig.2

Fig.3

Fig.4

Fig.5

Fig.6

Fig.7

Fig.8

Fig.9

References 36

[1]	WEIL T, MURUGESAN S. IT risk and resilience—Cybersecurity response to COVID-19[J]. IT Professional, 2020, 22(3): 4-10.
[2]	MACDONALD N, ORANS L, SKORUPA J. The Future of Network Security Is in the Cloud[R]. Gartner. Viitattu, 2019: 1-26.
[3]	MILLER L, WEBBER-ZVIK E. Secure access service edge (sase) for dummies[R]. Cato Networks, Tech. Rep., 2020: 47-51.
[4]	WOOD M. How SASE is defining the future of network security[J]. Network Security, 2020, 2020(12): 6-8.
[5]	KINDERVAG J. Build security into your network’s dna: The zero trust network architecture[R]. Forrester Research Inc, 2010: 1-25.
[6]	STAFFORD V A. Zero trust architecture[J]. NIST Special Publication, 2020, 800: 207.
[7]	ISLAM M N, COLOMO-PALACIOS R, CHOCKALINGAM S. Secure access service edge: A multivocal literature review[C]// 2021 21st International Conference on Computational Science and Its Applications (ICCSA). IEEE, 2021: 188-194.
[8]	VAN DER WALT S, VENTER H. Research gaps and opportunities for secure access service edge[C]// International Conference on Cyber Warfare and Security. 2022, 17(1): 609-619.
[9]	CHEN R, YUE S, ZHAO W, et al. Overview of the Development of Secure Access Service Edge[C]// International Conference On Signal And Information Processing, Networking And Computers. Singapore: Springer Nature Singapore, 2022: 138-145.
[10]	党小东, 柴瑶琳, 穆琙博, 等. 安全访问服务边缘产业发展现状及未来发展趋势[J]. 信息安全与通信保密, 2023 (9):19-26.
[11]	MEF FORUM. MEF White Paper: MEF SASE Services Framework[R]. MEF Forum, 2020: 2-16.
[12]	YILIYAER S, KIM Y. Secure Access Service Edge: A Zero Trust Based Framework For Accessing Data Securely[C]// 2022 IEEE 12th Annual Computing and Communication Workshop and Conference (CCWC). IEEE, 2022: 586-591.
[13]	王茜, 陈晨, 井俊丰, 等. 大型企业SASE解决方案及应用实践[J]. 中兴通讯技术, 2023, 29(1): 45-50.
[14]	DOWNS D D, RUB J R, KUNG K C, et al. Issues in discretionary access control[C]// 1985 IEEE Symposium on Security and Privacy. IEEE, 1985: 208-208.
[15]	BELL D E, LA PADULA L J. Secure Computer System: Unified Exposition and Multics interpretation[R]. MITRE Corporation, 1976.
[16]	FERRAIOLO D, CUGINI J, KUHN D R. Role-based access control (RBAC): Features and motivations[C]// Proceedings of the 11th Annual Computer Security Application Conference. 1995: 241-248.
[17]	SANDHU R S. Role-based access control[M]// Advances in Computers. Elsevier, 1998, 46: 237-286.
[18]	SAUNDERS G, HITCHENS M, VARADHARAJAN V. Role-based access control and the access control matrix[J]. ACM SIGOPS Operating Systems Review, 2001, 35(4): 6-20.
[19]	WANG L, WIJESEKERA D, JAJODIA S. A logic-based framework for attribute based access control[C]// Proceedings of the 2004 ACM Workshop on Formal Methods in Security Engineering. 2004: 45-55.
[20]	ELLIOTT A, KNIGHT S. Towards managed role explosion[C]// Proceedings of the 2015 New Security Paradigms Workshop. 2015: 100-111.
[21]	YUAN E, TONG J. Attributed based access control (ABAC) for web services[C]// IEEE International Conference on Web Services (ICWS'05). IEEE, 2005: 569-576.
[22]	AMEER S, BENSON J, SANDHU R. Hybrid Approaches (ABAC and RBAC) Toward Secure Access Control in Smart Home IoT[J]. IEEE Transactions on Dependable and Secure Computing, 2023, 20(5): 4032-4051.
[23]	楚兵. 基于属性的访问控制技术在大型PLC控制器中的应用研究[J]. 工业信息安全, 2023(6): 23-28.
[24]	DJAMA A, DJAMAA B, SENOUCI M R. Information-Centric Networking Solutions for the Internet of Things: A Systematic Mapping Review[J]. Computer Communications, 2020, 159: 37-59.
[25]	AHLGREN B, DANNEWITZ C, IMBRENDA C, et al. A survey of information-centric networking[J]. IEEE Communications Magazine, 2012, 50(7): 26-36.
[26]	CARZANIGA A, WOLF A L. Forwarding in a content-based network[C]// Proceedings of the 2003 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications. 2003: 163-174.
[27]	CARZANIGA A, RUTHERFORD M J, WOLF A L. A routing scheme for content-based networking[C]// IEEE INFOCOM 2004. IEEE, 2004, 2: 918-928.
[28]	ION M, ZHANG J, SCHOOLER E M. Toward content-centric privacy in ICN: Attribute-based encryption and routing[C]// Proceedings of the 3rd ACM SIGCOMM Workshop on Information-Centric Networking. 2013: 39-40.
[29]	LI B, HUANG D, WANG Z, et al. Attribute-based access control for ICN naming scheme[J]. IEEE Transactions on Dependable and Secure Computing, 2016, 15(2): 194-206.
[30]	EUM S, JIBIKI M, MURATA M, et al. A design of an ICN architecture within the framework of SDN[C]// 2015 Seventh International Conference on Ubiquitous and Future Networks. IEEE, 2015: 141-146.
[31]	VAHLENKAMP M, SCHNEIDER F, KUTSCHER D, et al. Enabling ICN in IP networks using SDN[C]// 2013 21st IEEE International Conference on Network Protocols (ICNP). IEEE, 2013: 1-2.
[32]	LV J, WANG X, HUANG M, et al. RISC: ICN routing mechanism incorporating SDN and community division[J]. Computer Networks, 2017, 123: 88-103.
[33]	YANG Z, CUI Y, LI B, et al. Software-defined wide area network (SD-WAN): Architecture, advances and opportunities[C]// 2019 28th International Conference on Computer Communication and Networks (ICCCN). IEEE, 2019: 1-9.
[34]	SAHAI A, WATERS B. Fuzzy identity-based encryption[C]// Advances in Cryptology-EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings. Springer Berlin Heidelberg, 2005: 457-473.
[35]	GOYAL V, PANDEY O, SAHAI A, et al. Attribute-based encryption for fine-grained access control of encrypted data[C]// Proceedings of the 13th ACM Conference on Computer and Communications Security. 2006: 89-98.
[36]	BETHENCOURT J, SAHAI A, WATERS B. Ciphertext-policy attribute-based encryption[C]// 2007 IEEE Symposium on Security and Privacy (SP'07). IEEE, 2007: 321-334.