基于雙模單包授權的公路零信任安全應用研究*
網絡安全與數據治理 10期
陳 瑜,殷 浩,姚 蕾,馮 鼎,管浩杰,嚴 浩
(1.南通市公路事業發展中心, 江蘇南通226006;2.東南大學網絡空間安全學院, 江蘇南京211100; 3.深信服科技股份有限公司, 廣東深圳518055)
摘要: 針對交通信息系統工程具有接入范圍復雜、網絡安全風險大的特點,提出了公路全面零信任系統架構。該架構主要由網關管理平臺、可信身份管控平臺等6個平臺組成。重點研究了基于網關管理平臺的安全交互過程,一是實現多物理環境下自動路由策略;二是研究雙模SPA敲門機制,重點分析UDP認證和TCP敲門數據訪問。依托智慧農路系統工程,評估了應用前后安全訪問的效果和效率。研究結果表明,公路零信任系統可在國產芯片Loongson3A4000上運行;雙模單包授權SPA技術在UDP SPA基礎上拓展了TCP SPA能力,比單模SPA訪問速率快50%;在滿足三級等保控制點的基礎上可實現網絡隱身。
中圖分類號:U495;TP393.08
文獻標識碼:A
DOI:10.19358/j.issn.2097-1788.2023.10.014
引用格式:陳瑜,殷浩,姚蕾,等.基于雙模單包授權的公路零信任安全應用研究 [J].網絡安全與數據治理,2023,42(10):87-93.
文獻標識碼:A
DOI:10.19358/j.issn.2097-1788.2023.10.014
引用格式:陳瑜,殷浩,姚蕾,等.基于雙模單包授權的公路零信任安全應用研究 [J].網絡安全與數據治理,2023,42(10):87-93.
Research on the application of road zero trust security based on dual mode single packet authorization
Chen Yu1,Yin Hao2,Yao Lei1,Feng Ding3,Guan Haojie1,Yan Hao3
(1.Nantong Road Development Authority, Nantong 226006, China;2.School of Cyberspace Security, Southeast University, Nanjing 211100, China;3.Sangfor Technologies Inc., Shenzhen 518055, China)
Abstract: According to the characteristics of complex access range and high risks of network security in traffic information system engineering, this research proposes a comprehensive zerotrust system architecture for highways. This architecture mainly consists of six platforms, including a gateway management platform and a trusted identity control platform and other platforms. The research mainly focuses on security interaction based on the gateway management platform. Firstly, it can implement automatic routing strategies under multiple physical environments. Secondly, this research studies the dual mode Single Packet Authorization (SPA) knocking mechanism, with a particular analysis of UDP authentication and TCP knocking data access. Relied on the Smart Agricultural Road System Engineering, this research evaluates effectiveness and efficiency of secure access before and after application implementation. The results indicate that the system can run on domestic Loongson3A4000 chips. The access rate of dual mode SPA technology, combining UDP SPA with TCP SPA capabilities, has a 50% increase when compared to singlemode SPA. Based on meeting the requirements of threelevel Equal Protection, network invisibility can be achieved.
Key words : traffic network security; information system engineering; zero trust architecture; dual mode single packet authorization; software defined perimeter
0 引言
進入“十四五”以來,國家加快推動普通公路新型基礎設施建設,數字化、網絡化、智能化外場設施快速增長,在提升行業高質量發展水平的同時,大量與行業專網互聯互通的外場智能設施、多物理隔離下的交通信息系統工程也逐步成為網絡安全防護的薄弱環節和監管難點,網絡安全風險及威脅也日益復雜,身份假冒、APT攻擊、內部威脅等新型網絡攻擊手段層出不窮,給數字交通時代網絡安全帶來了嚴峻的挑戰。2010年,Forrest咨詢公司首次提出“零信任網絡”(Zero Trust Networks, ZTN)的概念,力求通過去中心化安全架構來打破傳統的安全模式,實現對用戶、終端設備、操作系統和應用程序的全面、智能管控,建立一個全生命周期的安全防護體系。近年來,零信任在國內逐步引起了重視,在2019年9月發布的《關于促進網絡安全產業發展的指導意見》中,“零信任安全”被列為當前網絡安全領域亟需攻克的一項重要技術。
本文詳細內容請下載:http://www.jysgc.com/resource/share/2000005744
作者信息:
陳瑜1,殷浩2,姚蕾1,馮鼎3,管浩杰1,嚴浩3
(1.南通市公路事業發展中心, 江蘇南通226006;2.東南大學網絡空間安全學院, 江蘇南京211100;3.深信服科技股份有限公司, 廣東深圳518055)
此內容為AET網站原創,未經授權禁止轉載。