CLC number: TP393.02
Received: 2004-12-23
Revision Accepted: 2005-04-04
Ouyang Kai, Zhou Jing-li, Xia Tao, Yu Sheng-sheng. An application-layer based centralized information access control for VPN[J]. Journal of Zhejiang University Science A, 2006, 7(2): 240-249.
@article{ouyang2006aciac,
title="An application-layer based centralized information access control for VPN",
author="Ouyang Kai and Zhou Jing-li and Xia Tao and Yu Sheng-sheng",
journal="Journal of Zhejiang University Science A",
volume="7",
number="2",
pages="240-249",
year="2006",
issn="1673-565X",
publisher="Zhejiang University Press \& Springer",
doi="10.1631/jzus.2006.A0240"
}
Abstract: With the rapid spread of virtual private networks (VPNs), many companies and organizations use a VPN to carry their private communication. Traditionally, a VPN relies on security protocols to protect the confidentiality of data, the integrity of messages and the authentication of the endpoints. One core VPN technique is tunneling, through which clients can reach the internal servers behind the VPN server. The tunnel, however, also opens a concealed security hole: endpoint authentication says nothing about which internal resources the authenticated client should be allowed to use, so once a malicious user succeeds in establishing a tunnel with the VPN server, he has network reachability to the internal servers and can attack and compromise them. To address this problem, this paper presents a novel Application-layer based Centralized Information Access Control (ACIAC) for VPN. To implement an efficient, flexible, multi-decision access control model, we introduce two key techniques of ACIAC: a centralized management mechanism and stream-based access control. First, we implement the information center and the constraint/event center of ACIAC. Together, the two centers provide an abstract access control mechanism in which the concrete (material) access decision is made dynamically by ACIAC's constraint/event mechanism. Second, we logically classify the VPN traffic into an access stream and a data stream, so that the features of VPN communication are tightly coupled with the access control model. We also present the design of our ACIAC prototype.
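The following is an added illustration of the two mechanisms the abstract describes, written for this page; it is not the authors' ACIAC prototype and its class names, the `lockdown` event and the sample users, roles and resources are all assumptions made here. It models an information center holding the abstract policy (users, roles, permissions), a constraint/event center that refines each decision at request time, and a gateway that classifies tunnel frames into an access stream (authorization requests sent to the decision point) and a data stream (payload forwarded only against a previously granted session). The point it makes concrete is that an authenticated tunnel by itself confers no access: data frames from a tunneled client with no granted session are dropped, and a raised event can cut off an already granted session.

```python
"""Toy model of application-layer, centrally decided access control at a VPN
gateway (added illustration, not the paper's code; all names are assumptions)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    op: str


# A constraint sees the request and the currently active events and votes yes/no.
Constraint = Callable[[AccessRequest, Set[str]], bool]


class InformationCenter:
    """Central store of the abstract policy: user -> roles, role -> (resource, op)."""

    def __init__(self) -> None:
        self.user_roles: Dict[str, Set[str]] = {}
        self.role_perms: Dict[str, Set[Tuple[str, str]]] = {}

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def grant(self, role: str, resource: str, op: str) -> None:
        self.role_perms.setdefault(role, set()).add((resource, op))

    def abstract_decision(self, req: AccessRequest) -> bool:
        return any((req.resource, req.op) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(req.user, set()))


class ConstraintCenter:
    """Dynamic constraints and events that refine the abstract decision at request time."""

    def __init__(self) -> None:
        self.constraints: List[Constraint] = []
        self.events: Set[str] = set()

    def add_constraint(self, c: Constraint) -> None:
        self.constraints.append(c)

    def raise_event(self, name: str) -> None:
        self.events.add(name)

    def clear_event(self, name: str) -> None:
        self.events.discard(name)

    def permitted(self, req: AccessRequest) -> bool:
        return all(c(req, self.events) for c in self.constraints)


class Gateway:
    """Enforcement point at the VPN server. Having a tunnel grants nothing by itself."""

    def __init__(self, info: InformationCenter, cc: ConstraintCenter) -> None:
        self.info, self.cc = info, cc
        self.sessions: Set[AccessRequest] = set()  # granted (user, resource, op) triples

    def handle(self, frame: Dict[str, str]) -> str:
        req = AccessRequest(frame["user"], frame["resource"], frame["op"])
        if frame["stream"] == "access":
            # Access stream: abstract policy first, then the dynamic constraints.
            if self.info.abstract_decision(req) and self.cc.permitted(req):
                self.sessions.add(req)
                return "granted"
            return "denied"
        # Data stream: needs a granted session AND constraints that still hold,
        # so an event raised after the grant revokes the session immediately.
        if req in self.sessions and self.cc.permitted(req):
            return "forwarded"
        return "dropped"


def no_write_during_lockdown(req: AccessRequest, events: Set[str]) -> bool:
    """Assumed constraint: a 'lockdown' event blocks every write operation."""
    return not (req.op == "write" and "lockdown" in events)


def demo() -> List[str]:
    """Constructed frame sequence; returns the gateway's decision for each frame."""
    info = InformationCenter()
    info.assign("alice", "engineer")
    info.assign("bob", "guest")
    info.grant("engineer", "git", "read")
    info.grant("engineer", "git", "write")
    info.grant("guest", "wiki", "read")
    cc = ConstraintCenter()
    cc.add_constraint(no_write_during_lockdown)
    gw = Gateway(info, cc)
    out = []
    out.append(gw.handle({"stream": "data", "user": "bob", "resource": "git", "op": "read"}))
    out.append(gw.handle({"stream": "access", "user": "bob", "resource": "git", "op": "read"}))
    out.append(gw.handle({"stream": "access", "user": "alice", "resource": "git", "op": "write"}))
    out.append(gw.handle({"stream": "data", "user": "alice", "resource": "git", "op": "write"}))
    cc.raise_event("lockdown")
    out.append(gw.handle({"stream": "data", "user": "alice", "resource": "git", "op": "write"}))
    cc.clear_event("lockdown")
    out.append(gw.handle({"stream": "data", "user": "alice", "resource": "git", "op": "write"}))
    return out


if __name__ == "__main__":
    print(demo())
```

The first two frames show the hole the abstract describes and its closure: bob is inside the tunnel, yet his data frame to `git` is dropped because no access-stream grant exists, and his explicit request is denied by the central policy. The last three frames show why the data stream re-consults the constraint center rather than trusting the session table alone: the `lockdown` event cuts off alice's already granted write session without any change to the abstract policy.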