
Research On Trusted Policy Storage In The Trusted Network Based On Trusted Level Decision

Posted on: 2010-07-17
Degree: Master
Type: Thesis
Country: China
Candidate: C Gao
Full Text: PDF
GTID: 2178360272996888
Subject: Software engineering
Abstract/Summary:
With the rapid expansion of the Internet and the fast development of network technology, global informationization has become a main trend of human development, and the computer has become increasingly crucial to people's lives and work. However, because of the open and interconnected nature of the Internet, while lifestyles have changed and productivity has been raised, hidden dangers to information security have also been left behind, such as junk email, computer viruses and denial of service attacks. Network insecurity makes people lose faith in the network, which limits the further development of network functions. In recent years, security protocols such as SSL/TLS and SSH have given servers and networks rather good protection, but the protection of terminals has been neglected, offering hackers openings to attack and exploit. The terminal is the source where data is created and preserved; malicious code may live parasitically in the client terminal, so that in all likelihood data has been tampered with, or a fake client has communicated with the server side, well before any request for a network connection is made. Ensuring the credibility of the terminal is therefore becoming increasingly important.
So, on the basis of the original security measures, it is imperative to pay more attention to measuring the terminal itself. The Trusted Computing Group's TNC group has proposed the theory of "measuring the integrity of the access terminal", together with the corresponding Trusted Network Connect specification: with a series of initial security policies and platforms, the credibility of a terminal attempting to connect to the network is assessed, and clients that cannot satisfy the required patch level, anti-virus software or operating system security policy configuration are refused access or isolated for repair, thereby preventing untrustworthy terminal devices from connecting to the network and causing further damage. Without doubt, this greatly improves the security and credibility of the whole network system. The trusted network solution requires that, before a terminal is admitted to the network, its identity is first authenticated, then its integrity state is measured, and the results are compared with the local security policy provided by the network operator. Integrity measurement covers the hardware, firmware, OS and application software of the terminal, that is, the integrity of its configuration and normal operation. The local security policy refers to the restrictions the network operator sets on the security and defense capability of end-users seeking access, for example a complete virus library on the terminal and the versions of the firewall and system patches. Terminals in line with the security policy are given network access; terminals that do not meet the security policy are isolated or refused access, and are then repaired when conditions permit.
Network access will be granted to end-users once the integrity and other attributes of the repaired terminal satisfy the operator's security policy requirements. The information used to verify the integrity of the end-user platform and determine the credibility of the end-user is called a trusted attribute. Each entity (application program, operating system, firmware, etc.) of the terminal platform is associated with numerous attributes. The credibility of each entity's attributes can be roughly divided into two kinds. The first kind verifies the integrity of the entity, including its configuration files, executable files and so on; the credibility value of such an attribute is a hash, authenticated by comparison with the original hash value to determine whether the entity is intact. The second kind concerns the entity's own information, such as the space taken by the application, its version, upgrade dates and so on; this kind of attribute value is not a calculated hash but a specific value. Such attributes not only help verify integrity as supporting information, but can also be used to grade the terminals. After studying the network access solution published by the Trusted Computing Group, this thesis puts forward the idea of using an OpenLDAP directory server to store the classified trusted policy in a trusted network based on trusted level decision, so as to exploit the data retrieval strength of the LDAP database and ensure that the system makes a fast policy decision on each request. Finally, this thesis builds an experimental platform on the basis of the theory described above, using existing tools to develop the corresponding function modules, and realizes a prototype system called the "strategy classification management system".
The system provides a flexible policy management environment in which the system administrator can adjust the relevant credibility values to meet the purpose of the policy. Once the policy is applied, the system classifies clients according to their different software and hardware without administrator involvement, so as to guarantee different qualities of service in the trusted network scenario. The successful operation of the "Classification strategy management system" verifies the feasibility and applicability of trusted policy storage in a trusted network based on trusted level decision.
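As an added illustration of the trusted level decision described above (this is not code from the thesis or its prototype), the following Python sketch holds a constructed policy keyed by directory-style DNs, checks hash-type integrity attributes against their reference hashes, compares value-type grading attributes against minimum versions, and returns an access / isolate / refuse decision with a trusted level. The DNs, hashes, version numbers and the exact decision rules are assumptions made for the example.

```python
import hashlib
from typing import Dict, Tuple

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed reference policy, keyed by directory-style DNs so that its shape
# resembles what an LDAP-backed policy store would return (not real data).
# Integrity entries hold a reference hash; grading entries hold a minimum version.
POLICY = {
    "cn=sshd,ou=integrity,dc=example":   {"referenceHash": sha256_hex(b"constructed sshd image v1")},
    "cn=kernel,ou=integrity,dc=example": {"referenceHash": sha256_hex(b"constructed kernel image v1")},
    "cn=firewall,ou=grading,dc=example": {"minVersion": (4, 2), "required": True},
    "cn=patches,ou=grading,dc=example":  {"minVersion": (2009, 12), "required": True},
    "cn=virusLib,ou=grading,dc=example": {"minVersion": (2010, 1), "required": False},
}

def decide(reported: Dict[str, object]) -> Tuple[str, int]:
    """Return (decision, trusted_level) for one terminal's reported attributes.

    `reported` maps the same DNs to a measured hash (integrity entries) or a
    version tuple (grading entries). Decision rules assumed for this example:
      - a missing or mismatching integrity hash     -> "refuse" (possibly tampered)
      - a required grading attribute below minimum  -> "isolate" (send for repair)
      - otherwise "access"; trusted_level counts grading attributes meeting policy.
    """
    level, isolate = 0, False
    for dn, rule in POLICY.items():
        value = reported.get(dn)
        if "referenceHash" in rule:
            if value != rule["referenceHash"]:
                return "refuse", 0
        elif value is not None and tuple(value) >= rule["minVersion"]:
            level += 1
        elif rule["required"]:
            isolate = True
    return ("isolate" if isolate else "access"), level

# Constructed terminal reports used as sample input.
HEALTHY = {
    "cn=sshd,ou=integrity,dc=example":   sha256_hex(b"constructed sshd image v1"),
    "cn=kernel,ou=integrity,dc=example": sha256_hex(b"constructed kernel image v1"),
    "cn=firewall,ou=grading,dc=example": (4, 3),
    "cn=patches,ou=grading,dc=example":  (2010, 1),
    "cn=virusLib,ou=grading,dc=example": (2009, 6),   # stale, but not required
}
STALE = dict(HEALTHY, **{"cn=firewall,ou=grading,dc=example": (3, 9)})
TAMPERED = dict(HEALTHY, **{"cn=sshd,ou=integrity,dc=example": sha256_hex(b"modified sshd image")})
```

Calling `decide()` on the three constructed reports yields access with level 2, isolate with level 1, and refuse respectively, mirroring the grant / isolate-for-repair / refuse outcomes of the specification.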
Keywords/Search Tags: Trusted Network, Policy, Trusted Attribute, Policy Storage, Directory Server