《電子技術(shù)應(yīng)用》
您所在的位置:首頁(yè) > 通信與網(wǎng)絡(luò) > 設(shè)計(jì)應(yīng)用 > 基于雙模單包授權(quán)的公路零信任安全應(yīng)用研究*
基于雙模單包授權(quán)的公路零信任安全應(yīng)用研究*
網(wǎng)絡(luò)安全與數(shù)據(jù)治理 10期
陳 瑜,殷 浩,姚 蕾,馮 鼎,管浩杰,嚴(yán) 浩
(1.南通市公路事業(yè)發(fā)展中心, 江蘇南通226006;2.東南大學(xué)網(wǎng)絡(luò)空間安全學(xué)院, 江蘇南京211100; 3.深信服科技股份有限公司, 廣東深圳518055)
摘要: 針對(duì)交通信息系統(tǒng)工程具有接入范圍復(fù)雜、網(wǎng)絡(luò)安全風(fēng)險(xiǎn)大的特點(diǎn),提出了公路全面零信任系統(tǒng)架構(gòu)。該架構(gòu)主要由網(wǎng)關(guān)管理平臺(tái)、可信身份管控平臺(tái)等6個(gè)平臺(tái)組成。重點(diǎn)研究了基于網(wǎng)關(guān)管理平臺(tái)的安全交互過程,一是實(shí)現(xiàn)多物理環(huán)境下自動(dòng)路由策略;二是研究雙模SPA敲門機(jī)制,重點(diǎn)分析UDP認(rèn)證和TCP敲門數(shù)據(jù)訪問。依托智慧農(nóng)路系統(tǒng)工程,評(píng)估了應(yīng)用前后安全訪問的效果和效率。研究結(jié)果表明,公路零信任系統(tǒng)可在國(guó)產(chǎn)芯片Loongson3A4000上運(yùn)行;雙模單包授權(quán)SPA技術(shù)在UDP SPA基礎(chǔ)上拓展了TCP SPA能力,比單模SPA訪問速率快50%;在滿足三級(jí)等??刂泣c(diǎn)的基礎(chǔ)上可實(shí)現(xiàn)網(wǎng)絡(luò)隱身。
中圖分類號(hào):U495;TP393.08
文獻(xiàn)標(biāo)識(shí)碼:A
DOI:10.19358/j.issn.2097-1788.2023.10.014
引用格式:陳瑜,殷浩,姚蕾,等.基于雙模單包授權(quán)的公路零信任安全應(yīng)用研究 [J].網(wǎng)絡(luò)安全與數(shù)據(jù)治理,2023,42(10):87-93.
Research on the application of road zero trust security based on dual mode single packet authorization
Chen Yu1,Yin Hao2,Yao Lei1,F(xiàn)eng Ding3,Guan Haojie1,Yan Hao3
(1.Nantong Road Development Authority, Nantong 226006, China;2.School of Cyberspace Security, Southeast University, Nanjing 211100, China;3.Sangfor Technologies Inc., Shenzhen 518055, China)
Abstract: According to the characteristics of complex access range and high risks of network security in traffic information system engineering, this research proposes a comprehensive zerotrust system architecture for highways. This architecture mainly consists of six platforms, including a gateway management platform and a trusted identity control platform and other platforms. The research mainly focuses on security interaction based on the gateway management platform. Firstly, it can implement automatic routing strategies under multiple physical environments. Secondly, this research studies the dual mode Single Packet Authorization (SPA) knocking mechanism, with a particular analysis of UDP authentication and TCP knocking data access. Relied on the Smart Agricultural Road System Engineering, this research evaluates effectiveness and efficiency of secure access before and after application implementation. The results indicate that the system can run on domestic Loongson3A4000 chips. The access rate of dual mode SPA technology, combining UDP SPA with TCP SPA capabilities, has a 50% increase when compared to singlemode SPA. Based on meeting the requirements of threelevel Equal Protection, network invisibility can be achieved.
Key words : traffic network security; information system engineering; zero trust architecture; dual mode single packet authorization; software defined perimeter

0    引言

進(jìn)入“十四五”以來(lái),國(guó)家加快推動(dòng)普通公路新型基礎(chǔ)設(shè)施建設(shè),數(shù)字化、網(wǎng)絡(luò)化、智能化外場(chǎng)設(shè)施快速增長(zhǎng),在提升行業(yè)高質(zhì)量發(fā)展水平的同時(shí),大量與行業(yè)專網(wǎng)互聯(lián)互通的外場(chǎng)智能設(shè)施、多物理隔離下的交通信息系統(tǒng)工程也逐步成為網(wǎng)絡(luò)安全防護(hù)的薄弱環(huán)節(jié)和監(jiān)管難點(diǎn),網(wǎng)絡(luò)安全風(fēng)險(xiǎn)及威脅也日益復(fù)雜,身份假冒、APT攻擊、內(nèi)部威脅等新型網(wǎng)絡(luò)攻擊手段層出不窮,給數(shù)字交通時(shí)代網(wǎng)絡(luò)安全帶來(lái)了嚴(yán)峻的挑戰(zhàn)。2010年,F(xiàn)orrest咨詢公司首次提出“零信任網(wǎng)絡(luò)”(Zero Trust Networks, ZTN)的概念,力求通過去中心化安全架構(gòu)來(lái)打破傳統(tǒng)的安全模式,實(shí)現(xiàn)對(duì)用戶、終端設(shè)備、操作系統(tǒng)和應(yīng)用程序的全面、智能管控,建立一個(gè)全生命周期的安全防護(hù)體系。近年來(lái),零信任在國(guó)內(nèi)逐步引起了重視,在2019年9月發(fā)布的《關(guān)于促進(jìn)網(wǎng)絡(luò)安全產(chǎn)業(yè)發(fā)展的指導(dǎo)意見》中,“零信任安全”被列為當(dāng)前網(wǎng)絡(luò)安全領(lǐng)域亟需攻克的一項(xiàng)重要技術(shù)。



本文詳細(xì)內(nèi)容請(qǐng)下載:http://ihrv.cn/resource/share/2000005744




作者信息:

陳瑜1,殷浩2,姚蕾1,馮鼎3,管浩杰1,嚴(yán)浩3

(1.南通市公路事業(yè)發(fā)展中心, 江蘇南通226006;2.東南大學(xué)網(wǎng)絡(luò)空間安全學(xué)院, 江蘇南京211100;3.深信服科技股份有限公司, 廣東深圳518055) 


微信圖片_20210517164139.jpg

此內(nèi)容為AET網(wǎng)站原創(chuàng),未經(jīng)授權(quán)禁止轉(zhuǎn)載。