Multi-domain Network Access Control Model And Its Security Policy Management

With the development of network technology and society,collaboration between multiple fields and departments have increased dramatically. Security problems brought about by resource sharing and security interoperability between domains have captured people's attention. Access control technology can effectively prevent unauthorized users to use the system and the legitimate users to go beyond his permissions, guaranteeing maximum resource sharing and information exchange between domains while ensuring system security. Compared with Discretionary Access Control(DAC) and Mandatory Access Control(MAC),Role-based access control (RBAC) with Role Hierarchy, Least Privilege, Separation of Duty and other important characteristics,is more suitable for access control applications in multi-domain environment. Therefore, establishment of a multi-domain network access control model based on RBAC and its security policy management mechanism meets multi-level security access needs and security guarantees among multi-domains, in order that it can improve security collaboration between multi-domain systems to provide strong support for system security and efficiency.In this paper,we propose a multi-domain RBAC access control model . The model combines advantages of static Policies Integration and dynamic Permission Query , takes Secure Interoperation between domains and formulation of Security Policy into fully consideration, adopts specific Access Control Policy in allusion to different network backgrounds. Comparing to relevant models, this model expands system application scope and improves system's safety and flexibility of execution.Then,We propose an authorization search algorithm for multi-domain environment based on hierarchical RBAC policy,which employs permissions-driven authorization between domains. The algorithm establishes security interoperation dynamically and overcomes the limitations caused by using static role mapping policies to enforcing access control.We analyze security policy management model of the multi-domain system and discuss its policy composition, policy description and policy storage. Then, we present an algorithm for policy conflict detection which is based on Directed-graph.We abstract the Role System into Directed-graph and take advantage of mature theory of graph to design policy conflict algorithm.We classify policy conflicts and assign specific algorithm to dispose them automatically.Finally, we implement a network access control system for multi-domain and its policy configuration & management platform based on Security Label and hierarchical RBAC policy.Security Labels carry security attributes of host and guest,which act as criterion for system Decision Making. We mainly analyse design methodology,Transmission strategy and Access Control logic of Security Label.Then we present the design and implementation of Policy Configuration and Management platform.The system extends host-based access control policy to multi-domain environment and implements policies of Address Filtering,Multi-Level Security and Multi-Domain access control.Compared to traditional access control system.It possesses characteristics of fine grit access control and high security, satisfying needs of multilevel access control.The prototype system of this access control model has been implemented in our lab platform.Experiment results show the feasibility and effectiveness of this access control system.