
Study On Model Of Large Scale Network Unified Access Control

Posted on:2008-04-16Degree:MasterType:Thesis
Country:ChinaCandidate:Y ZhangFull Text:PDF
GTID:2178360212999294Subject:Computer application technology
Abstract/Summary:

In modern society the network has entered many aspects of people's lives. Many enterprises depend on the network, so network security draws more and more attention, and network management must satisfy that security need. In daily network management we need to configure access control frequently: access control is the only defensive remedy we can deploy as soon as an attack is found. However, because of a large-scale network's complicated topology and variety of devices, the network manager cannot respond correctly and immediately when abnormal phenomena are found. It is difficult to keep Access Control Lists (ACLs) coherent across different interfaces of one device or across different devices in the network, and the manager cannot be sure that there are no conflicting or duplicate entries.

Policy Based Network Management (PBNM) is a hot topic in network management; PBNM has been used to implement QoS and IPSec. Because different fields of network management share common ground, we apply the philosophy of PBNM to access control. In our policy model, policy is written by a policy expert and stored in LDAP. The policy improves the coherence of access control: once an attack is found, the network manager can retrieve the policy directly and translate it to an ACL. Following the ACL, the device denies packets in the inbound or outbound direction on the given transport-layer port, so the probability of an access control error goes down.

Modeling the policy information and mapping it to the LDAP directory is the main task of PBNM. The modeling and mapping are based on the standards made by DMTF/IETF. The coherence of the policy benefits from the policy expert's knowledge and experience, so the actions taken by the policy do not introduce conflicts or duplicates. PBNM is based on Directory Enabled Networks (DEN), so we have to map the model into LDAP so that it can be stored as an available data structure, which enables network management applications to share the policy model information.

Regarding the implementation of policy based management: because popular devices do not support the Common Open Policy Service (COPS) and cannot act as a Policy Enforcement Point (PEP), we present a new architecture for access control policy enforcement. First, we generate an available ACL from the policy. Next, we log on to the destination device automatically through SSH. Finally, we deploy the ACL on it. This process implements PBNM in the area of access control and improves the coherence of access control.
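As an added illustration (not code from the thesis), the following Python sketch shows the policy-to-ACL translation step the abstract describes: PCIM-style policy rules are first checked for duplicate and conflicting conditions, then rendered as Cisco IOS-style named extended ACL lines bound to an interface in the "in" or "out" direction. The rule fields, function names, sample addresses and the assumption of IOS ACL syntax are mine; the SSH deployment step is not shown.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class PolicyRule:
    """Simplified PCIM-style PolicyRule: one packet condition, one action (assumed fields)."""
    name: str
    proto: str            # "tcp", "udp" or "ip"
    src: str              # "any" or a single host address
    dst: str
    dport: Optional[int]  # transport-layer destination port; None means all ports
    action: str           # "permit" or "deny"

    def condition(self) -> Tuple[str, str, str, Optional[int]]:
        return (self.proto, self.src, self.dst, self.dport)

def check_coherence(rules: List[PolicyRule]) -> List[str]:
    """Report rules whose condition repeats an earlier rule: same action is a
    duplicate, opposite action is a conflict (first-match ACL semantics would hide it)."""
    problems: List[str] = []
    seen: Dict[tuple, PolicyRule] = {}
    for rule in rules:
        cond = rule.condition()
        if cond in seen:
            kind = "duplicate" if seen[cond].action == rule.action else "conflict"
            problems.append(f"{kind}: {rule.name} repeats condition of {seen[cond].name}")
        else:
            seen[cond] = rule
    return problems

def _endpoint(addr: str) -> str:
    return "any" if addr == "any" else f"host {addr}"

def to_acl(rules: List[PolicyRule], acl_name: str, iface: str, direction: str) -> List[str]:
    """Render a coherent policy as IOS-style ACL configuration lines; refuse incoherent policy."""
    problems = check_coherence(rules)
    if problems:
        raise ValueError("incoherent policy: " + "; ".join(problems))
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    lines = [f"ip access-list extended {acl_name}"]
    for r in rules:
        entry = f" {r.action} {r.proto} {_endpoint(r.src)} {_endpoint(r.dst)}"
        lines.append(entry + (f" eq {r.dport}" if r.dport is not None else ""))
    lines += [f"interface {iface}", f" ip access-group {acl_name} {direction}"]
    return lines

# Constructed sample policy: block telnet to a server, allow its web port, permit the rest.
SAMPLE_RULES = [
    PolicyRule("block-telnet", "tcp", "any", "10.0.0.5", 23, "deny"),
    PolicyRule("allow-web", "tcp", "any", "10.0.0.5", 80, "permit"),
    PolicyRule("default-permit", "ip", "any", "any", None, "permit"),
]
```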
Keywords/Search Tags:PBNM, CIM, PCIM, Access Control, LDAP, DEN