基于软件定义边界的服务保护方案

doi:10.3969/j.issn.1671-1122.2023.06.001

摘要/Abstract

摘要：

针对在零信任环境下，基于物理边界防护的传统网络安全架构逐渐被瓦解而导致的服务暴露问题，文章提出一种基于软件定义边界的服务保护方案。通过收集请求终端的用户属性和设备属性以对终端进行授权判定；使用单包授权认证机制进行先认证后连接，实现服务隐藏、身份认证及访问控制等功能；基于零信任持续认证的思想，在操作系统启动前基于固件层对访问终端进行初始度量，在操作系统启动后基于服务进行持续度量；最后，基于AHP设计信任评估算法对终端进行安全评估。从性能与安全性两方面进行分析，结果证明该方案能有效提高通信效率并抵御多种网络安全攻击。

关键词: 零信任, 软件定义边界, 单包授权认证, 设备安全, 层次分析法

Abstract:

Aiming at the issue of service exposure resulting from the gradual collapse of the traditional network security architecture based on physical perimeter protection under a zero-trust environment, this paper proposed a service protection scheme based on software defined perimeter. The terminal was authorized by gathering user and device attributes of the request terminal. The single packet authorization mechanism performed authentication before connection, enabling features such as service hiding, identity authentication, and access control. Based on the concept of zero-trust continuous authentication, this scheme measured the access terminal at the firmware layer before initializing the operating system, and then constantly measured it depending on the service after the operating system was initialized. Finally, a trust evaluation algorithm based on analytic hierarchy process(AHP) was designed to assess terminal security. Results from the analysis of performance and security show that this scheme can effectively improve communication efficiency and withstand a variety of network security attacks.

Key words: zero trust, software defined perimeter, single packet authorization, device security, analytic hierarchy process

中图分类号:

TP309

黄杰, 何城鋆. 基于软件定义边界的服务保护方案[J]. 信息网络安全, 2023, 23(6): 1-10.

HUANG Jie, HE Chengjun. Service Protection Scheme Based on Software Defined Perimeter[J]. Netinfo Security, 2023, 23(6): 1-10.

图/表 12

图1

图2

图3

表1

图4

图5

图6

表2

表3

表4

图7

图8

参考文献 16

[1]	SAMANIEGO M, DETERS R. Zero-Trust Hierarchical Management in IoT[C]// IEEE. 2018 IEEE International Congress on Internet of Things (ICIOT). IEEE, 2018: 88-95.
[2]	ROSE S, BORCHERT O, MITCHELL S, et al. Zero Trust Architecture[EB/OL]. (2020-08-16)[2023-01-30]. https://csrc.nist.gov/publications/detail/sp/800-207/final?ref=hackernoon.com.
[3]	BARTH D, GILMAN E. Zero Trust Networks: Building Trusted Systems in Untrusted Networks[M]. Sebastopol: O’Reilly Media, 2017.
[4]	MOUBAYED A, REFAEY A, SHAMI A. Software-Defined Perimeter (Sdp): State of the Art Secure Solution for Modern Networks[J]. IEEE Network, 2019, 33(5): 226-233. doi: 10.1109/MNET.65 URL
[5]	INDU I, ANAND P, BHASKAR V. Identity and Access Management in Cloud Environment: Mechanisms and Challenges[J]. Engineering Science and Technology, 2018, 21(4): 574-588.
[6]	SHARMA D H, DHOTE C A, POTEY M M. Identity and Access Management As Security-as-a-Service From Clouds[J]. Procedia Computer Science, 2016, 79: 170-174. doi: 10.1016/j.procs.2016.03.117 URL
[7]	SHEIKH N, PAWAR M, LAWRENCE V. Zero Trust Using Network Micro Segmentation[C]// IEEE. IEEE INFOCOM 2021-IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). New York: IEEE 2021: 1-6.
[8]	SALLAM A, REFAEY A, SHAMI A. On the Security of SDN: A Completed Secure and Scalable Framework Using the Software-Defined Perimeter[J]. IEEE access, 2019, 7: 146577-146587. doi: 10.1109/Access.6287639 URL
[9]	ZAHEER Z, CHANG H, MUKHERJEE S, et al. Eztrust: Network-Independent Zero-Trust Perimeterization for Microservices[C]// ACM. Proceedings of the 2019 ACM Symposium on SDN Research. New York: ACM, 2019: 49-61.
[10]	WARD R, BEYER B. Beyondcorp: A New Approach to Enterprise Security[EB/OL]. (2014-04-08)[2023-01-30]. https://research.google/pubs/pub43231/.
[11]	DECUSATIS C, LIENGTIRAPHAN P, SAGER A, et al. Implementing Zero Trust Cloud Networks with Transport Access Control and First Packet Authentication[C]// IEEE. 2016 IEEE International Conference on Smart Cloud. New York: IEEE, 2016: 5-10.
[12]	Cloud Security Alliance (CSA). Software-Defined Perimeter (SDP) Specification v2.0[EB/OL]. (2022-10-03)[2023-01-30]. https://cloudsecurityalliance.org/artifacts/software-defined-perimeter-zero-trust-specification-v2/.
[13]	BRICKER G. Unified Extensible Firmware interface (UEFI) and Secure Boot: Promise and Pitfalls[J]. Journal of Computing Sciences in Colleges, 2013, 29(1): 60-63.
[14]	YAO Q, WANG Q, ZHANG X, et al. Dynamic Access Control and Authorization System Based on Zero-Trust Architecture[C]// RIS. Proceedings of the 2020 1st International Conference on Control, Robotics and Intelligent System. New York: RIS, 2020: 123-127.
[15]	SAATY R W. The Analytic Hierarchy Process—What it is and How it is Used[J]. Mathematical Modelling, 1987, 9(3): 161-176. doi: 10.1016/0270-0255(87)90473-8 URL
[16]	WU Kehe, CHENG Rui, JIANG Xiaochen, et al. Security Protection Scheme of Power IoT Based on SDP[J]. Netinfo Security, 2022, 22(2): 32-38.
	吴克河, 程瑞, 姜啸晨, 等. 基于SDP的电力物联网安全防护方案[J]. 信息网络安全, 2022, 22(2): 32-38.

符号	说明
${{H}_{x}}$	哈希数据
$T{{s}_{x}}$	时间戳数据
$Pu{{b}_{c}}$	SDP控制器公钥
$Pr{{i}_{c}}$	SDP控制器私钥
${{P}_{k}}$	会话密钥
$P{{W}_{x}}$	用户口令
$C\_I{{N}_{x}}$	冷插拔设备信息
$H\_I{{N}_{x}}$	热插拔设备信息
$An{{s}_{x}}$	授权判定结果
$St{{d}_{x}}$	冷插拔设备指纹值
$D{{N}_{x}}$	设备标识名
$Toke{{n}_{x}}$	令牌信息
$Verif{{y}_{x}}$	验证码
$Type$	数据类型
$Cer{{t}_{x}}$	设备证书
$SM2$	国密椭圆曲线公钥密码算法
$SM3$	国密密码杂凑算法
$SM4$	国密分组密码算法

条目	值
主要编程语言	Java和C
终端数量	7
判定次数k	50
信任评分范围	0~1
基于历史的信任评分参数	$V\left( {{P}_{his}} \right)$
基于成功率的信任评分参数	$V{{P}_{rs}}$
基于密级的信任评分参数	$V\left( {{P}_{se}} \right)$
基于访问时间的信任评分参数	$V\left( {{P}_{at}} \right)$
基于冷插拔设备的信任评分参数	$V\left( {{P}_{ch}} \right)$
基于热插拔设备的信任评分参数	$V\left( {{P}_{wh}} \right)$

用户	用户密级/总密级	${{T}_{init}}$	$\mu $/h	${{\delta }_{+}}$	${{\delta }_{-}}$	信任阈值
用户1	4/5	0.8	5	0.05	0.1	0.8
用户2	2/5	0.8	5	0.05	0.1	0.8