
Research On The Access Control Model And The Related Key Technology For VPN

Posted on: 2007-03-13
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y K Ou
Full Text: PDF
GTID: 1118360242461912
Subject: Computer system architecture

Abstract/Summary:
A VPN achieves data confidentiality, information integrity and end-point authentication by means of security protocols and tunneling technology, and lets users reach the VPN's internal service groups from anywhere on the Internet. However, tunneling also exposes those internal service groups to the Internet through the VPN gateway: a malicious user may attack them from the remote client terminal in use. Providing a network security framework for the VPN therefore becomes the key to building a highly secure VPN network, and that framework must rest on a well-designed access control model that is integrated with the VPN's communication features and with network security technology.

Because its network application environment is varied and widespread, a VPN must adopt access control models built on diverse control requirements and on policy independence. The most widely applied access control model at present is RBAC. To combine RBAC's control mechanism with the VPN's network communication features into a complete network security framework, the RBAC model must be extended; to this end a stream-based model, SCIAC, is proposed.

To improve the management flexibility of the access control model, the notion of a latent role is proposed and given complete semantic and functional criteria in the form of a mathematical description. To control the content of VPN communications, the definitions of unit stream, data interval, control interval and stream dialogue are introduced, together with a set of stream-based control mechanisms. To give control rules timeliness, the notion of a conditional cycle, built on cycle theory and temporal RBAC, is proposed, and role restrictions, operation requests and triggers are defined in the form of conditional cycle expressions.
Following the principle of policy neutrality, the access policies of service resources and roles are managed in the form of policy rules, and their formulation is given.

On the other hand, a study of network security topology shows that a highly secure VPN environment must be built through the cooperation of client terminals, firewall, IDS, VPN gateway and internal application services, forming multi-layer protection. The SCIAC model integrates the diverse security control mechanisms present in the network topology and its components into a self-contained functioning entity through three correlated means: terminal extension, IDS extension and an application engine.

The implementation of the SCIAC model and that of the VPN are closely related, since the SCIAC model covers the management and control of all VPN communication. A prototype SCIAC system is implemented on an independently developed SSL VPN framework, and a virtual-service-based SSL VPN (VSB-SSL VPN) is introduced. Its core idea is that when a user accesses the VPN, a virtual service (VS) is set up dynamically through the browser so that conventional client software can safely access the internal service groups. Finally, a multi-tunnel reuse technique for the secure tunnel is introduced to reduce the overhead and delay of SSL link establishment and to improve performance.
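The abstract describes role-based access control whose role activation is conditioned on recurring time rules (the conditional cycle) and applied to a stream of requests. The following Python is an added illustration written for this page, not code from the dissertation or its SCIAC prototype: it models a recurring activation window as a simplified stand-in for a conditional cycle expression, assigns roles to users, and evaluates a constructed stream of requests with a deny-by-default decision. The role names, permissions, window format and sample requests are all assumptions made here; the dissertation's own expressions and stream mechanisms are richer than this.

```python
"""Illustrative RBAC evaluator with recurring role-activation windows.

Constructed example: role/permission data, the window format and the
request samples are assumptions made here to show time-conditioned role
activation; none of it is taken from the SCIAC model's definitions.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class Window:
    """A recurring activation window: allowed weekdays plus a daily time span.

    Simplified stand-in for a periodic 'conditional cycle' rule (assumption).
    """
    weekdays: frozenset     # 0 = Monday ... 6 = Sunday
    start: time             # inclusive
    end: time               # exclusive

    def contains(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() < self.end


@dataclass
class Role:
    name: str
    permissions: set                 # set of (operation, resource) pairs
    window: Optional[Window] = None  # None means the role is always active


@dataclass
class Policy:
    roles: dict = field(default_factory=dict)        # role name -> Role
    assignments: dict = field(default_factory=dict)  # user -> set of role names

    def active_roles(self, user: str, at: datetime) -> set:
        """Roles the user holds whose window (if any) contains the request time."""
        names = self.assignments.get(user, set())
        return {n for n in names
                if (r := self.roles.get(n)) is not None
                and (r.window is None or r.window.contains(at))}

    def decide(self, user: str, operation: str, resource: str, at: datetime):
        """Deny by default; permit only via an active role granting the pair."""
        for name in sorted(self.active_roles(user, at)):
            if (operation, resource) in self.roles[name].permissions:
                return True, f"permit via role {name}"
        return False, "deny: no active role grants this operation"


def build_sample_policy() -> Policy:
    """Constructed policy: ERP access only on weekdays 09:00-18:00, mail always."""
    business_hours = Window(frozenset(range(0, 5)), time(9, 0), time(18, 0))
    p = Policy()
    p.roles["erp_user"] = Role("erp_user", {("read", "erp"), ("write", "erp")}, business_hours)
    p.roles["mail_user"] = Role("mail_user", {("read", "mail")})
    p.assignments["alice"] = {"erp_user", "mail_user"}
    p.assignments["bob"] = {"mail_user"}
    return p


# Constructed request stream: (user, operation, resource, timestamp)
SAMPLE_REQUESTS = [
    ("alice", "write", "erp", datetime(2007, 3, 13, 10, 30)),  # Tuesday, inside window
    ("alice", "write", "erp", datetime(2007, 3, 13, 22, 15)),  # Tuesday, after hours
    ("alice", "read", "mail", datetime(2007, 3, 17, 3, 0)),    # Saturday, unconstrained role
    ("bob", "read", "erp", datetime(2007, 3, 13, 10, 30)),     # bob holds no ERP role
]


def evaluate_stream(policy: Policy, requests) -> list:
    """Decision per request, in stream order."""
    return [policy.decide(u, op, res, at)[0] for (u, op, res, at) in requests]


if __name__ == "__main__":
    policy = build_sample_policy()
    for req, allowed in zip(SAMPLE_REQUESTS, evaluate_stream(policy, SAMPLE_REQUESTS)):
        print(req, "->", "PERMIT" if allowed else "DENY")
```

The second request is refused even though alice holds the ERP role, because the role's activation window has lapsed; the fourth is refused because no assigned role grants the operation at all. Keeping the decision deny-by-default and evaluating the time condition at each request, rather than once at login, is what gives the rules the timeliness the abstract refers to.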
Keywords/Search Tags: access control model, timeliness, latent role, conditional cycle, stream, correlation