Research and Implementation of the 3GVSA System
Abstract
This work is part of the National Science and Technology Major Project "TD-SCDMA Industry Informatization Application Solution Development and Industrialization".
     As 3G technology matures, 3G video applications are becoming increasingly widespread. However, the openness of wireless networks introduces potential risks to information security and to the security of internal networks. At the same time, the high real-time and bandwidth demands of 3G video place higher requirements on system processing efficiency. In addition, given the diversity of 3G video services, how to manage video access in a unified way is a key research focus for developers.
     To address these problems, this thesis proposes a new 3G Video Access Security system (3GVSA). Based on user identity information, the system adopts a business-specific, localized, role-managed "white list" mechanism and, by means of a proxy mode together with alarming and blocking, provides an application access interface that cannot be bypassed. Authenticated users may only perform operations within their authorized scope; unauthorized access to resources and system operations is prohibited; video content is identified; and unified access control for mobile 3G video application modes is achieved.
     The thesis first studies the main technologies used to implement the system. It analyses and introduces in detail the main functions, implementation principles and application scenarios of VPN technology, the Netfilter/iptables framework and iproute2, and studies the combined use of Netfilter/iptables and netlink.
     Secondly, from the perspective of the security architecture, it studies and analyses the security requirements of 3GVSA. On the basis of multi-level security requirements at the network layer, application layer and other layers, combined with practical application requirements, it specifies the functional requirements, overall architecture, business processes and network architecture of 3GVSA in order to meet the needs of user authentication and unified resource access control.
     Finally, it focuses on the design and implementation of the secure access gateway and the video access gateway. For the secure access gateway, it analyses the user authentication, memory pool management, multi-process and QoS control mechanisms; for the video access gateway, it introduces and studies the user policy cache, video filtering and the implementation principles of the video transmission channel.
This work is part of the National Science and Technology Major Project "TD-SCDMA industry informatization application development and industrialization".
     As 3G technology continues to mature, 3G video applications are becoming more and more widespread. However, the openness of wireless networks introduces potential risks to information security and internal network security. The real-time and high-bandwidth requirements of 3G video also place higher demands on system processing efficiency. In addition, because of the diversity of 3G video services, how to manage video access in a unified way is a focus for developers.
     To address the above issues, this paper proposes a new 3G video security access system (3GVSA, 3G Video Access Security). The system is based on user identity information and uses a business-specific, localized, role-managed "white list" mechanism. Through a proxy mode and alarm-and-block measures it provides an application access interface that cannot be bypassed: users who pass authentication can only perform operations within their mandate, unauthorized access to resources and system operations is prohibited, video content is identified, and a unified access control model is applied to mobile 3G video applications.
     This paper first studies the main technologies used to implement the system. It analyses in detail the main functions, implementation principles and application scenarios of VPN technology, the Netfilter/iptables framework and iproute2, and carries out applied research on the combination of Netfilter/iptables and netlink.
     Secondly, from the perspective of the security system, it researches and analyses the security needs of 3GVSA: on the basis of multi-level security requirements at the network layer and application layer, combined with actual application requirements, it designs the functional requirements, overall architecture, business processes and network architecture of 3GVSA to meet the needs of user authentication and unified access control of resources.
     Finally, the focus is on the design and implementation of the secure access gateway and video access gateway. For the Secure Access Gateway, the analysis covers user authentication, memory pool management, multi-process and UDP multicast mechanisms; for the Video Access Gateway, it highlights the user policy cache, video filtering and the principle of the video transmission channel.