Service Protection Scheme Based on Software Defined Perimeter

doi:10.3969/j.issn.1671-1122.2023.06.001

Abstract

Abstract:

Aiming at the issue of service exposure resulting from the gradual collapse of the traditional network security architecture based on physical perimeter protection under a zero-trust environment, this paper proposed a service protection scheme based on software defined perimeter. The terminal was authorized by gathering user and device attributes of the request terminal. The single packet authorization mechanism performed authentication before connection, enabling features such as service hiding, identity authentication, and access control. Based on the concept of zero-trust continuous authentication, this scheme measured the access terminal at the firmware layer before initializing the operating system, and then constantly measured it depending on the service after the operating system was initialized. Finally, a trust evaluation algorithm based on analytic hierarchy process(AHP) was designed to assess terminal security. Results from the analysis of performance and security show that this scheme can effectively improve communication efficiency and withstand a variety of network security attacks.

Key words: zero trust, software defined perimeter, single packet authorization, device security, analytic hierarchy process

CLC Number:

TP309

HUANG Jie, HE Chengjun. Service Protection Scheme Based on Software Defined Perimeter[J]. Netinfo Security, 2023, 23(6): 1-10.

Figures/Tables 12

References 16

[1]	SAMANIEGO M, DETERS R. Zero-Trust Hierarchical Management in IoT[C]// IEEE. 2018 IEEE International Congress on Internet of Things (ICIOT). IEEE, 2018: 88-95.
[2]	ROSE S, BORCHERT O, MITCHELL S, et al. Zero Trust Architecture[EB/OL]. (2020-08-16)[2023-01-30]. https://csrc.nist.gov/publications/detail/sp/800-207/final?ref=hackernoon.com.
[3]	BARTH D, GILMAN E. Zero Trust Networks: Building Trusted Systems in Untrusted Networks[M]. Sebastopol: O’Reilly Media, 2017.
[4]	MOUBAYED A, REFAEY A, SHAMI A. Software-Defined Perimeter (Sdp): State of the Art Secure Solution for Modern Networks[J]. IEEE Network, 2019, 33(5): 226-233. doi: 10.1109/MNET.65 URL
[5]	INDU I, ANAND P, BHASKAR V. Identity and Access Management in Cloud Environment: Mechanisms and Challenges[J]. Engineering Science and Technology, 2018, 21(4): 574-588.
[6]	SHARMA D H, DHOTE C A, POTEY M M. Identity and Access Management As Security-as-a-Service From Clouds[J]. Procedia Computer Science, 2016, 79: 170-174. doi: 10.1016/j.procs.2016.03.117 URL
[7]	SHEIKH N, PAWAR M, LAWRENCE V. Zero Trust Using Network Micro Segmentation[C]// IEEE. IEEE INFOCOM 2021-IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). New York: IEEE 2021: 1-6.
[8]	SALLAM A, REFAEY A, SHAMI A. On the Security of SDN: A Completed Secure and Scalable Framework Using the Software-Defined Perimeter[J]. IEEE access, 2019, 7: 146577-146587. doi: 10.1109/Access.6287639 URL
[9]	ZAHEER Z, CHANG H, MUKHERJEE S, et al. Eztrust: Network-Independent Zero-Trust Perimeterization for Microservices[C]// ACM. Proceedings of the 2019 ACM Symposium on SDN Research. New York: ACM, 2019: 49-61.
[10]	WARD R, BEYER B. Beyondcorp: A New Approach to Enterprise Security[EB/OL]. (2014-04-08)[2023-01-30]. https://research.google/pubs/pub43231/.
[11]	DECUSATIS C, LIENGTIRAPHAN P, SAGER A, et al. Implementing Zero Trust Cloud Networks with Transport Access Control and First Packet Authentication[C]// IEEE. 2016 IEEE International Conference on Smart Cloud. New York: IEEE, 2016: 5-10.
[12]	Cloud Security Alliance (CSA). Software-Defined Perimeter (SDP) Specification v2.0[EB/OL]. (2022-10-03)[2023-01-30]. https://cloudsecurityalliance.org/artifacts/software-defined-perimeter-zero-trust-specification-v2/.
[13]	BRICKER G. Unified Extensible Firmware interface (UEFI) and Secure Boot: Promise and Pitfalls[J]. Journal of Computing Sciences in Colleges, 2013, 29(1): 60-63.
[14]	YAO Q, WANG Q, ZHANG X, et al. Dynamic Access Control and Authorization System Based on Zero-Trust Architecture[C]// RIS. Proceedings of the 2020 1st International Conference on Control, Robotics and Intelligent System. New York: RIS, 2020: 123-127.
[15]	SAATY R W. The Analytic Hierarchy Process—What it is and How it is Used[J]. Mathematical Modelling, 1987, 9(3): 161-176. doi: 10.1016/0270-0255(87)90473-8 URL
[16]	WU Kehe, CHENG Rui, JIANG Xiaochen, et al. Security Protection Scheme of Power IoT Based on SDP[J]. Netinfo Security, 2022, 22(2): 32-38.
	吴克河, 程瑞, 姜啸晨, 等. 基于SDP的电力物联网安全防护方案[J]. 信息网络安全, 2022, 22(2): 32-38.

符号	说明
${{H}_{x}}$	哈希数据
$T{{s}_{x}}$	时间戳数据
$Pu{{b}_{c}}$	SDP控制器公钥
$Pr{{i}_{c}}$	SDP控制器私钥
${{P}_{k}}$	会话密钥
$P{{W}_{x}}$	用户口令
$C\_I{{N}_{x}}$	冷插拔设备信息
$H\_I{{N}_{x}}$	热插拔设备信息
$An{{s}_{x}}$	授权判定结果
$St{{d}_{x}}$	冷插拔设备指纹值
$D{{N}_{x}}$	设备标识名
$Toke{{n}_{x}}$	令牌信息
$Verif{{y}_{x}}$	验证码
$Type$	数据类型
$Cer{{t}_{x}}$	设备证书
$SM2$	国密椭圆曲线公钥密码算法
$SM3$	国密密码杂凑算法
$SM4$	国密分组密码算法

条目	值
主要编程语言	Java和C
终端数量	7
判定次数k	50
信任评分范围	0~1
基于历史的信任评分参数	$V\left( {{P}_{his}} \right)$
基于成功率的信任评分参数	$V{{P}_{rs}}$
基于密级的信任评分参数	$V\left( {{P}_{se}} \right)$
基于访问时间的信任评分参数	$V\left( {{P}_{at}} \right)$
基于冷插拔设备的信任评分参数	$V\left( {{P}_{ch}} \right)$
基于热插拔设备的信任评分参数	$V\left( {{P}_{wh}} \right)$

用户	用户密级/总密级	${{T}_{init}}$	$\mu $/h	${{\delta }_{+}}$	${{\delta }_{-}}$	信任阈值
用户1	4/5	0.8	5	0.05	0.1	0.8
用户2	2/5	0.8	5	0.05	0.1	0.8