《電子技術(shù)應(yīng)用》
您所在的位置:首頁 > 通信與網(wǎng)絡(luò) > 設(shè)計應(yīng)用 > 基于雙模單包授權(quán)的公路零信任安全應(yīng)用研究*
基于雙模單包授權(quán)的公路零信任安全應(yīng)用研究*
網(wǎng)絡(luò)安全與數(shù)據(jù)治理 10期
陳 瑜,殷 浩,姚 蕾,馮 鼎,管浩杰,嚴 浩
(1.南通市公路事業(yè)發(fā)展中心, 江蘇南通226006;2.東南大學(xué)網(wǎng)絡(luò)空間安全學(xué)院, 江蘇南京211100; 3.深信服科技股份有限公司, 廣東深圳518055)
摘要: 針對交通信息系統(tǒng)工程具有接入范圍復(fù)雜、網(wǎng)絡(luò)安全風(fēng)險大的特點,提出了公路全面零信任系統(tǒng)架構(gòu)。該架構(gòu)主要由網(wǎng)關(guān)管理平臺、可信身份管控平臺等6個平臺組成。重點研究了基于網(wǎng)關(guān)管理平臺的安全交互過程,一是實現(xiàn)多物理環(huán)境下自動路由策略;二是研究雙模SPA敲門機制,重點分析UDP認證和TCP敲門數(shù)據(jù)訪問。依托智慧農(nóng)路系統(tǒng)工程,評估了應(yīng)用前后安全訪問的效果和效率。研究結(jié)果表明,公路零信任系統(tǒng)可在國產(chǎn)芯片Loongson3A4000上運行;雙模單包授權(quán)SPA技術(shù)在UDP SPA基礎(chǔ)上拓展了TCP SPA能力,比單模SPA訪問速率快50%;在滿足三級等保控制點的基礎(chǔ)上可實現(xiàn)網(wǎng)絡(luò)隱身。
中圖分類號:U495;TP393.08
文獻標(biāo)識碼:A
DOI:10.19358/j.issn.2097-1788.2023.10.014
引用格式:陳瑜,殷浩,姚蕾,等.基于雙模單包授權(quán)的公路零信任安全應(yīng)用研究 [J].網(wǎng)絡(luò)安全與數(shù)據(jù)治理,2023,42(10):87-93.
Research on the application of road zero trust security based on dual mode single packet authorization
Chen Yu1,Yin Hao2,Yao Lei1,F(xiàn)eng Ding3,Guan Haojie1,Yan Hao3
(1.Nantong Road Development Authority, Nantong 226006, China;2.School of Cyberspace Security, Southeast University, Nanjing 211100, China;3.Sangfor Technologies Inc., Shenzhen 518055, China)
Abstract: According to the characteristics of complex access range and high risks of network security in traffic information system engineering, this research proposes a comprehensive zerotrust system architecture for highways. This architecture mainly consists of six platforms, including a gateway management platform and a trusted identity control platform and other platforms. The research mainly focuses on security interaction based on the gateway management platform. Firstly, it can implement automatic routing strategies under multiple physical environments. Secondly, this research studies the dual mode Single Packet Authorization (SPA) knocking mechanism, with a particular analysis of UDP authentication and TCP knocking data access. Relied on the Smart Agricultural Road System Engineering, this research evaluates effectiveness and efficiency of secure access before and after application implementation. The results indicate that the system can run on domestic Loongson3A4000 chips. The access rate of dual mode SPA technology, combining UDP SPA with TCP SPA capabilities, has a 50% increase when compared to singlemode SPA. Based on meeting the requirements of threelevel Equal Protection, network invisibility can be achieved.
Key words : traffic network security; information system engineering; zero trust architecture; dual mode single packet authorization; software defined perimeter

0    引言

進入“十四五”以來,國家加快推動普通公路新型基礎(chǔ)設(shè)施建設(shè),數(shù)字化、網(wǎng)絡(luò)化、智能化外場設(shè)施快速增長,在提升行業(yè)高質(zhì)量發(fā)展水平的同時,大量與行業(yè)專網(wǎng)互聯(lián)互通的外場智能設(shè)施、多物理隔離下的交通信息系統(tǒng)工程也逐步成為網(wǎng)絡(luò)安全防護的薄弱環(huán)節(jié)和監(jiān)管難點,網(wǎng)絡(luò)安全風(fēng)險及威脅也日益復(fù)雜,身份假冒、APT攻擊、內(nèi)部威脅等新型網(wǎng)絡(luò)攻擊手段層出不窮,給數(shù)字交通時代網(wǎng)絡(luò)安全帶來了嚴峻的挑戰(zhàn)。2010年,F(xiàn)orrest咨詢公司首次提出“零信任網(wǎng)絡(luò)”(Zero Trust Networks, ZTN)的概念,力求通過去中心化安全架構(gòu)來打破傳統(tǒng)的安全模式,實現(xiàn)對用戶、終端設(shè)備、操作系統(tǒng)和應(yīng)用程序的全面、智能管控,建立一個全生命周期的安全防護體系。近年來,零信任在國內(nèi)逐步引起了重視,在2019年9月發(fā)布的《關(guān)于促進網(wǎng)絡(luò)安全產(chǎn)業(yè)發(fā)展的指導(dǎo)意見》中,“零信任安全”被列為當(dāng)前網(wǎng)絡(luò)安全領(lǐng)域亟需攻克的一項重要技術(shù)。



本文詳細內(nèi)容請下載:http://ihrv.cn/resource/share/2000005744




作者信息:

陳瑜1,殷浩2,姚蕾1,馮鼎3,管浩杰1,嚴浩3

(1.南通市公路事業(yè)發(fā)展中心, 江蘇南通226006;2.東南大學(xué)網(wǎng)絡(luò)空間安全學(xué)院, 江蘇南京211100;3.深信服科技股份有限公司, 廣東深圳518055) 


微信圖片_20210517164139.jpg

此內(nèi)容為AET網(wǎng)站原創(chuàng),未經(jīng)授權(quán)禁止轉(zhuǎn)載。