《電子技術(shù)應(yīng)用》
您所在的位置:首頁 > 通信与网络 > 设计应用 > 基于双模单包授权的公路零信任安全应用研究*
基于双模单包授权的公路零信任安全应用研究*
网络安全与数据治理 10期
陈 瑜,殷 浩,姚 蕾,冯 鼎,管浩杰,严 浩
(1.南通市公路事业发展中心, 江苏南通226006;2.东南大学网络空间安全学院, 江苏南京211100; 3.深信服科技股份有限公司, 广东深圳518055)
摘要: 针对交通信息系统工程具有接入范围复杂、网络安全风险大的特点,提出了公路全面零信任系统架构。该架构主要由网关管理平台、可信身份管控平台等6个平台组成。重点研究了基于网关管理平台的安全交互过程,一是实现多物理环境下自动路由策略;二是研究双模SPA敲门机制,重点分析UDP认证和TCP敲门数据访问。依托智慧农路系统工程,评估了应用前后安全访问的效果和效率。研究结果表明,公路零信任系统可在国产芯片Loongson3A4000上运行;双模单包授权SPA技术在UDP SPA基础上拓展了TCP SPA能力,比单模SPA访问速率快50%;在满足三级等保控制点的基础上可实现网络隐身。
中圖分類號:U495;TP393.08
文獻(xiàn)標(biāo)識碼:A
DOI:10.19358/j.issn.2097-1788.2023.10.014
引用格式:陳瑜,殷浩,姚蕾,等.基于雙模單包授權(quán)的公路零信任安全應(yīng)用研究 [J].網(wǎng)絡(luò)安全與數(shù)據(jù)治理,2023,42(10):87-93.
Research on the application of road zero trust security based on dual mode single packet authorization
Chen Yu1,Yin Hao2,Yao Lei1,Feng Ding3,Guan Haojie1,Yan Hao3
(1.Nantong Road Development Authority, Nantong 226006, China;2.School of Cyberspace Security, Southeast University, Nanjing 211100, China;3.Sangfor Technologies Inc., Shenzhen 518055, China)
Abstract: According to the characteristics of complex access range and high risks of network security in traffic information system engineering, this research proposes a comprehensive zerotrust system architecture for highways. This architecture mainly consists of six platforms, including a gateway management platform and a trusted identity control platform and other platforms. The research mainly focuses on security interaction based on the gateway management platform. Firstly, it can implement automatic routing strategies under multiple physical environments. Secondly, this research studies the dual mode Single Packet Authorization (SPA) knocking mechanism, with a particular analysis of UDP authentication and TCP knocking data access. Relied on the Smart Agricultural Road System Engineering, this research evaluates effectiveness and efficiency of secure access before and after application implementation. The results indicate that the system can run on domestic Loongson3A4000 chips. The access rate of dual mode SPA technology, combining UDP SPA with TCP SPA capabilities, has a 50% increase when compared to singlemode SPA. Based on meeting the requirements of threelevel Equal Protection, network invisibility can be achieved.
Key words : traffic network security; information system engineering; zero trust architecture; dual mode single packet authorization; software defined perimeter

0    引言

進(jìn)入“十四五”以來,國家加快推動普通公路新型基礎(chǔ)設(shè)施建設(shè),數(shù)字化、網(wǎng)絡(luò)化、智能化外場設(shè)施快速增長,在提升行業(yè)高質(zhì)量發(fā)展水平的同時(shí),大量與行業(yè)專網(wǎng)互聯(lián)互通的外場智能設(shè)施、多物理隔離下的交通信息系統(tǒng)工程也逐步成為網(wǎng)絡(luò)安全防護(hù)的薄弱環(huán)節(jié)和監(jiān)管難點(diǎn),網(wǎng)絡(luò)安全風(fēng)險(xiǎn)及威脅也日益復(fù)雜,身份假冒、APT攻擊、內(nèi)部威脅等新型網(wǎng)絡(luò)攻擊手段層出不窮,給數(shù)字交通時(shí)代網(wǎng)絡(luò)安全帶來了嚴(yán)峻的挑戰(zhàn)。2010年,F(xiàn)orrest咨詢公司首次提出“零信任網(wǎng)絡(luò)”(Zero Trust Networks, ZTN)的概念,力求通過去中心化安全架構(gòu)來打破傳統(tǒng)的安全模式,實(shí)現(xiàn)對用戶、終端設(shè)備、操作系統(tǒng)和應(yīng)用程序的全面、智能管控,建立一個(gè)全生命周期的安全防護(hù)體系。近年來,零信任在國內(nèi)逐步引起了重視,在2019年9月發(fā)布的《關(guān)于促進(jìn)網(wǎng)絡(luò)安全產(chǎn)業(yè)發(fā)展的指導(dǎo)意見》中,“零信任安全”被列為當(dāng)前網(wǎng)絡(luò)安全領(lǐng)域亟需攻克的一項(xiàng)重要技術(shù)。



本文詳細(xì)內(nèi)容請下載:http://ihrv.cn/resource/share/2000005744




作者信息:

陳瑜1,殷浩2,姚蕾1,馮鼎3,管浩杰1,嚴(yán)浩3

(1.南通市公路事業(yè)發(fā)展中心, 江蘇南通226006;2.東南大學(xué)網(wǎng)絡(luò)空間安全學(xué)院, 江蘇南京211100;3.深信服科技股份有限公司, 廣東深圳518055) 


微信圖片_20210517164139.jpg

此內(nèi)容為AET網(wǎng)站原創(chuàng),未經(jīng)授權(quán)禁止轉(zhuǎn)載。

相關(guān)內(nèi)容