
An application-layer based centralized information access control for VPN. (English) Zbl 1102.68363

Summary: With the rapid spread of Virtual Private Networks (VPNs), many companies and organizations use a VPN to carry their private communication. Traditionally, a VPN relies on security protocols to protect data confidentiality, message integrity and endpoint authentication. One core VPN technique is tunneling, through which clients can reach internal servers across the VPN. However, tunneling also introduces a hidden security hole: once a malicious user has established a tunnel to the VPN server, he can attack the internal servers behind it. This paper therefore presents a novel Application-layer based Centralized Information Access Control (ACIAC) for VPN to address this problem. To implement an efficient, flexible, multi-decision access control model, ACIAC relies on two key techniques: a centralized management mechanism and stream-based access control. First, we implement the information center and the constraints/events center of ACIAC. Through these two centers we provide an abstract access control mechanism, and the concrete access control decision is made dynamically by ACIAC's constraint/event mechanism. Second, we logically classify VPN traffic into an access stream and a data stream, so that the features of VPN communication can be tightly coupled with the access control model. We also describe the design of our ACIAC prototype.
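The summary above describes the architecture only in the abstract. The following is an added illustration, written for this page and not the ACIAC prototype from the paper, of the security point it makes: a tunnel gives a client network-level reach into the internal segment, so the gateway evaluates every request at the application layer against a central policy (the "information center"), refines the decision with runtime constraints and events (the "constraints/events center"), and forwards tunnelled packets (the "data stream") only when they match a session that the access stream has granted. The roles, services, hosts, the business-hours constraint and the revoke event are all constructed assumptions for the example.

```python
"""Application-layer access control model for a VPN gateway.

Added illustration, not the ACIAC prototype from the paper.  Every role,
service, host address and event below is constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# --- Information center: abstract policy, role -> {service: operations} ---
ROLE_POLICY = {
    "developer": {"git": {"read", "write"}, "wiki": {"read"}},
    "contractor": {"wiki": {"read"}},
}
USER_ROLES = {"alice": "developer", "bob": "contractor"}
# Internal hosts behind the gateway, keyed by service name (constructed).
SERVICE_HOST = {
    "git": ("10.0.1.10", 22),
    "wiki": ("10.0.1.20", 443),
    "hr-db": ("10.0.1.30", 5432),   # reachable through the tunnel, never granted
}


@dataclass
class AccessRequest:
    """One message on the access stream: who wants what, and when."""
    user: str
    service: str
    operation: str
    hour: int  # local hour (0-23) at which the request arrives


Constraint = Callable[[AccessRequest], bool]


def business_hours(req: AccessRequest) -> bool:
    """Example constraint: access is only granted between 08:00 and 18:00."""
    return 8 <= req.hour < 18


@dataclass
class Gateway:
    constraints: list = field(default_factory=list)
    revoked: set = field(default_factory=set)          # users revoked by an event
    sessions: dict = field(default_factory=dict)       # session id -> (user, host, port)
    _next_id: int = 1

    def handle_event(self, event: dict) -> None:
        """Events change the concrete decision without editing the policy."""
        if event.get("type") == "revoke_user":
            user = event["user"]
            self.revoked.add(user)
            # Tear down every data-stream session that user still holds.
            self.sessions = {sid: s for sid, s in self.sessions.items() if s[0] != user}

    def access_stream(self, req: AccessRequest) -> Optional[int]:
        """Decide an access request; return a session id, or None if denied."""
        role = USER_ROLES.get(req.user)
        if role is None or req.user in self.revoked:
            return None
        allowed_ops = ROLE_POLICY.get(role, {}).get(req.service, set())
        if req.operation not in allowed_ops:
            return None                      # service or operation not in policy
        if not all(check(req) for check in self.constraints):
            return None                      # a runtime constraint failed
        host, port = SERVICE_HOST[req.service]
        sid = self._next_id
        self._next_id += 1
        self.sessions[sid] = (req.user, host, port)
        return sid

    def data_stream(self, sid: int, user: str, dst_host: str, dst_port: int) -> bool:
        """Forward a tunnelled packet only if it matches a granted session."""
        sess = self.sessions.get(sid)
        return sess is not None and sess == (user, dst_host, dst_port)


def demo() -> dict:
    """Run the scenario from the summary: a tunnelled user tries to pivot."""
    gw = Gateway(constraints=[business_hours])
    sid = gw.access_stream(AccessRequest("alice", "git", "write", hour=10))
    results = {
        "alice_git_session": sid,
        "alice_git_packet": gw.data_stream(sid, "alice", "10.0.1.10", 22),
        # Same tunnel, but a packet aimed at a host the policy never granted.
        "alice_pivot_to_hr_db": gw.data_stream(sid, "alice", "10.0.1.30", 5432),
        "bob_git_denied": gw.access_stream(AccessRequest("bob", "git", "read", hour=10)),
        "alice_after_hours": gw.access_stream(AccessRequest("alice", "git", "read", hour=22)),
    }
    gw.handle_event({"type": "revoke_user", "user": "alice"})
    results["alice_packet_after_revoke"] = gw.data_stream(sid, "alice", "10.0.1.10", 22)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the split is visible in `demo()`: the tunnel lets alice's packets reach 10.0.1.30, but because the gateway forwards data-stream packets only for sessions the access stream granted, the pivot to the HR database is dropped, and a single revoke event on the constraints/events side tears down her existing sessions without any change to the abstract policy.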

MSC:

68M10 Network design and communication in computer systems
90B18 Communication networks in operations research
