
Security Architecture And Practical Model Research In Application Area Boundary

Posted on: 2005-07-24
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X S Chen
Full Text: PDF
GTID: 1118360152955440
Subject: Applied Mathematics
Abstract/Summary:
As information systems spread and deepen, information security is receiving more and more attention. But the security solutions adopted are often passive: only once a security risk or problem has been found do people apply the corresponding security technology to address it. Such a solution scheme lacks an overall consideration of the information system. Domestic and foreign information security experts have therefore put forward new concepts, such as information assurance and information security architecture, in order to provide a whole-system security solution.

This thesis analyzes the information system according to the technical framework of information assurance put forward by domestic experts, viz. "three horizontal, three longitudinal and two centers". Based on this analysis and framework, the concepts of application environment, application area boundary and network transition platform are explained clearly. The research emphasis of the thesis is the application area boundary, for which a security architecture is proposed. Under the guidance of this security architecture, a practical model is then set up, so that a whole security frame for the information system is offered at the application layer upon the boundary. Finally, an application solution of the architecture is described, viz. the virtual application network (VAN), which can offer overall, intact information assurance to the integrated information system.

The security architecture of the application area boundary is constructed at the application layer of the TCP/IP stack. It is divided into four layers: the application data layer, the application protocol layer, the security plug-in layer and the session connection control layer. According to the session data stream information of the application protocol, the security architecture matches the appropriate security plug-in packages, controls the data flow into and out of the application area boundary, and ensures that information leaving the area is protected by an appropriate security mechanism. Thus the security architecture offers an overall, application-layer security solution for the information system. In describing the architecture, the information-processing relations between the layers are explained, and the relations between security services, security plug-in packages and access control at different granularities are described in a three-dimensional model.

The security architecture of the application area boundary is a theoretical frame whose purpose is to offer method and guidance for boundary protection of the application environment. The thesis therefore builds a practical model on the basis of the security architecture. This model has real practical value: it is used to protect the application area boundary, offers coarse-grained and fine-grained control of access to the information system, combines many kinds of security techniques through its interface, and offers a customized, uniform and intact security solution for the application area boundary. Because the model works at the application layer, it meets the different security demands of the application environment, adapts to various communication patterns, and offers advantages such as a unified policy management interface.

After analyzing the typical session-level proxy protocol SOCKSv5, the thesis explains its disadvantages: the redundancy of its authentication and its coarse access control granularity. By removing this redundancy of SOCKSv5, a new session-level proxy protocol, StrSocks, is put forward. The characteristic of the StrSocks protocol is to verify the first session connection of each process, grant a Token to the process once it is authenticated, and let the follow-up connection requests of the process skip the redundant authenticati...
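The authentication contrast between SOCKSv5 and StrSocks described above, as an added example that is not part of the dissertation: a simplified Python model in which one proxy checks credentials on every connection while the other checks them once per process and issues a token. The token layout (process id, expiry, HMAC), its binding to the process and its expiry are assumptions for this example, not the thesis's protocol design.

```python
import hashlib
import hmac
import secrets
# Added model of the contrast the abstract draws: SOCKSv5 authenticates every
# connection; the StrSocks idea authenticates a process's first connection, hands
# it a token, and accepts later connections on the token. Token layout, process
# binding and expiry here are assumptions for this example, not the thesis's design.
USERS = {"alice": "s3cret"}  # constructed sample credential store

class Socks5Proxy:
    """Per-connection authentication: every connect() repeats the check."""
    def __init__(self):
        self.auth_checks = 0
    def connect(self, user, password):
        self.auth_checks += 1
        return USERS.get(user) == password

class StrSocksProxy:
    """Per-process authentication: one check, then a bound, expiring token."""
    def __init__(self, ttl=300.0):
        self.key = secrets.token_bytes(32)  # proxy-side MAC key, never sent out
        self.ttl = ttl
        self.auth_checks = 0
    def _mac(self, pid, expiry):
        return hmac.new(self.key, f"{pid}:{expiry:.3f}".encode(), hashlib.sha256).hexdigest()
    def first_connect(self, user, password, pid, now):
        """Authenticate the process's first session and issue its token."""
        self.auth_checks += 1
        if USERS.get(user) != password:
            return None
        expiry = now + self.ttl
        return f"{pid}:{expiry:.3f}:{self._mac(pid, expiry)}"
    def connect(self, token, pid, now):
        """Follow-up session: accepted on a valid token, no credential check."""
        try:
            tpid, expiry, mac = token.split(":")
            expiry = float(expiry)
        except (AttributeError, ValueError):
            return False
        # Reject forged tokens, another process's token, and expired tokens.
        if not hmac.compare_digest(mac, self._mac(tpid, expiry)):
            return False
        return tpid == str(pid) and now < expiry

def compare(n, pid=4242):
    """(SOCKSv5 checks, StrSocks checks, all follow-ups accepted) for n sessions."""
    s5, ss = Socks5Proxy(), StrSocksProxy()
    for _ in range(n):
        s5.connect("alice", "s3cret")
    token = ss.first_connect("alice", "s3cret", pid, now=1000.0)
    ok = all(ss.connect(token, pid, now=1001.0) for _ in range(n - 1))
    return s5.auth_checks, ss.auth_checks, ok
```

The process-binding and expiry checks in `connect` are what keep a leaked token from being reused by another process or indefinitely; without them, skipping re-authentication would widen the exposure of a single credential check.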
Keywords/Search Tags:information assurance, application environment, application area boundary, session, session-level proxy, concurrent connection, dying links, finely granular control, roughly granular control, lexical analysis, syntax, semantic abstract