Research and Development of a Policy Server Based on Trusted Access Technology
Abstract
In recent years, with the rapid development of network technology and its applications, the Internet has grown to an enormous scale with a complex structure. Faced with a constant stream of new network attacks, the traditional Internet architecture increasingly shows performance defects and shortcomings, so that the availability and security of the network are hard to guarantee; the Internet faces serious challenges in security and in quality-of-service assurance. These increasingly prominent network security problems place higher demands on network system security and call urgently for further development of current security technology: new ideas and techniques are needed to solve the security and performance problems already faced or about to be faced, so that the confidentiality and integrity of network information are protected while the security and controllability of the network system are raised as far as possible.
     This thesis introduces the architecture and operating principles of the Trusted Network Connect (TNC) specification, drawn up by the Trusted Computing Group (TCG) to improve network security. Building on existing research into trusted network frameworks, it proposes a set of security policies and a policy server that enforces them, so that a network operator can perform a trust evaluation of each access terminal and grant terminals that meet the trust requirements a corresponding trust level and access rights, allowing them to join the trusted network. An experimental platform was then built on this theoretical basis, the functional modules were developed with existing tools, and a prototype system was implemented; finally, tests on worked cases demonstrate the security and flexibility of the policy server.
With the rapid expansion of the Internet and the rapid development of network technology, global informatization has become a major trend, and the computer is becoming ever more important in people's lives and work. However, because of its openness and interconnectivity, the Internet is not only changing the way people live and raising the productivity of enterprises, but also creating information-security risks. Insecurity of the network leaves people without confidence in it and so limits the further development of network functions.
     In recent years many security protocols have protected networks well but have neglected protection of the access terminal. In today's information age the terminal is often where important data is created and stored; malicious code parasitic on the client terminal may tamper with that data before the client requests a network connection, or may impersonate the user in communication with the server side once the connection is established. Under such circumstances, ensuring the trustworthiness of the terminal becomes all the more important, so the original security protocols must be supplemented by more detailed security checks of the terminal.
     TCG's TNC group put forward the idea of "integrity measurement of access terminals" and the corresponding Trusted Network Connect specification: the trustworthiness of a terminal requesting network access is assessed against a pre-established security policy and the platform's configuration. Terminals that do not meet the security policy are refused access or isolated for remediation, which prevents untrustworthy terminals from connecting to the network and carrying out destructive actions, and so greatly improves the security and credibility of the network.
     This thesis describes the Trusted Network Connect architecture and its underlying authentication protocols as issued by the TCG, and, building on research into existing trusted-network frameworks, puts forward the concept of a policy server and its communication mechanism based on trusted network connection technology. The policy server is an important component of the TNC framework; its logical counterpart in the TNC architecture is the Policy Decision Point (PDP). The policy server evaluates each access terminal, grants those that meet the trust requirements a corresponding trust level and access permission to connect to the trusted network, and rejects or isolates those that do not meet the requirements or present a potential danger. Finally, the feasibility and practicality of the policy server are tested and verified experimentally.
     Diameter is the next-generation standard AAA protocol proposed by the IETF. Its greatest advantage is extensibility: a new Diameter application can be defined on top of the base protocol for each kind of network. To handle a terminal's access request, a Diameter client communicates with a Diameter server using the Diameter base protocol together with a Diameter application; the whole series of exchanges from initiation to termination is called a user session in Diameter.
     PANA runs between the PaC (PANA Client) and the PAA (PANA Authentication Agent) to carry out network access authentication. Although PANA runs over UDP, it has a well-defined retransmission mechanism that ensures reliable delivery. PANA consists of a series of request and answer messages used in the end-to-end authentication process, each carrying zero or more AVPs as payload. The EAP-Payload AVP is PANA's main payload and carries the EAP session between the PaC and the PAA.
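The request/answer, sequence-number and retransmission handling that gives PANA reliability over UDP, as an added example that is not the thesis's code. The header and AVP layout follow RFC 5191, the published form of PANA; the session identifier, sequence numbers and EAP bytes are constructed, and timeouts are driven by explicit calls rather than a real timer or socket. In the thesis's deployment the PEP plays the PAA role and the AR the PaC role.

```python
import struct

# Added example (not the thesis's code): PANA message framing and the
# per-session sequence-number / retransmission rules that give PANA
# reliability over UDP.  Layout follows RFC 5191; the session id, sequence
# numbers and EAP bytes used with it are constructed, and timeouts are
# driven by explicit calls rather than a real timer or socket.

PANA_AUTH = 2            # PANA-Auth-Request / PANA-Auth-Answer message type
FLAG_R = 0x8000          # Request flag; cleared in the answer
AVP_EAP_PAYLOAD = 2      # PANA EAP-Payload AVP code


def encode_avp(code, value):
    """PANA AVP = code(16) flags(16) length(16) reserved(16) value, padded to 4.
    Unlike Diameter, AVP Length counts only the value."""
    return struct.pack("!HHHH", code, 0, len(value), 0) + value + b"\x00" * ((-len(value)) % 4)


def encode(msg_type, flags, session_id, seq, avps=b""):
    """Header = reserved(16) length(16) | flags(16) type(16) | session(32) | seq(32)."""
    return struct.pack("!HHHHII", 0, 16 + len(avps), flags, msg_type, session_id, seq) + avps


def decode(buf):
    if len(buf) < 16:
        raise ValueError("truncated PANA header")
    _, length, flags, msg_type, session_id, seq = struct.unpack_from("!HHHHII", buf)
    if length != len(buf):
        raise ValueError("Message Length does not match datagram")
    return {"type": msg_type, "flags": flags, "session": session_id,
            "seq": seq, "avps": buf[16:]}


class PanaEndpoint:
    """Sequence-number state of one side (PaC or PAA) of a PANA session."""
    MAX_RETRIES = 4

    def __init__(self, session_id, first_out_seq, first_in_seq):
        self.session = session_id
        self.out_seq = first_out_seq    # sequence number of our next request
        self.in_seq = first_in_seq      # sequence number expected in the peer's next request
        self.pending = None             # [seq, bytes, retries] of our unanswered request
        self.last_answer = None         # kept so a duplicated request gets the same answer

    def send_request(self, msg_type, avps=b""):
        if self.pending is not None:
            raise RuntimeError("PANA allows one outstanding request per session")
        buf = encode(msg_type, FLAG_R, self.session, self.out_seq, avps)
        self.pending = [self.out_seq, buf, 0]
        return buf

    def on_timeout(self):
        """Retransmit the identical request (same seq), or give up after MAX_RETRIES."""
        if self.pending is None:
            return None
        self.pending[2] += 1
        if self.pending[2] > self.MAX_RETRIES:
            self.pending = None
            return None
        return self.pending[1]

    def receive(self, buf):
        """Returns (kind, data): ('request', answer_bytes), ('duplicate', answer_bytes),
        ('answer', avps) or ('discard', None) for anything that fails the checks."""
        try:
            m = decode(buf)
        except ValueError:
            return "discard", None
        if m["session"] != self.session:
            return "discard", None
        if m["flags"] & FLAG_R:
            if m["seq"] == self.in_seq - 1 and self.last_answer is not None:
                return "duplicate", self.last_answer    # peer missed our answer: resend it
            if m["seq"] != self.in_seq:
                return "discard", None                 # out of order, replayed or injected
            self.in_seq += 1
            self.last_answer = encode(m["type"], m["flags"] & ~FLAG_R, self.session, m["seq"])
            return "request", self.last_answer
        if self.pending is None or m["seq"] != self.pending[0]:
            return "discard", None                     # answer to nothing we sent
        self.pending = None
        self.out_seq += 1
        return "answer", m["avps"]
```

The security-relevant checks are in receive: an answer is only accepted for the one request still outstanding, a request is only processed when its sequence number is the expected one, and a duplicated request (the peer's retransmission after a lost answer) is answered with the stored answer rather than re-processed, so a replayed or injected datagram cannot advance or confuse the session.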
     This thesis combines PANA and Diameter to implement the underlying communication of the TNC architecture: PANA is used between the PEP and the AR (access requestor), and Diameter between the PEP and the PDP. Using the security and re-authentication mechanisms of both protocols not only secures the network effectively but also allows re-authentication to be requested in particular situations, such as when the terminal initiates it, when the network environment changes, or when a service request arrives. Having chosen PANA and Diameter as the lower-layer transport protocols, a suitable protocol was also needed for the upper layer. Since mature implementations of IF-T and IF-TNCCS already exist, and no standard had yet been proposed for IF-M, the original IF-T and IF-TNCCS and a self-defined IF-M were chosen as the upper-layer payload protocols.
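The Diameter exchange between the PEP and the PDP described in the two paragraphs above, as an added example that is not part of the thesis or its OpenDiameter-based implementation. It encodes and decodes the Diameter base-protocol header and AVPs (RFC 3588) and a Diameter-EAP-Request/Answer pair (command code 268, application id 5, AVP codes from RFC 3588 and RFC 4072), then shows the matching a Diameter client must do before trusting an answer within a user session. The Session-Id string, hop-by-hop and end-to-end identifiers and EAP packets are constructed sample data.

```python
import struct

# Added example (not the thesis's OpenDiameter-based code): minimal Diameter
# base-protocol encoder/decoder showing the header, the AVP layout and the
# request/answer matching a Diameter client does per user session.  Command
# and AVP codes are those of RFC 3588 / RFC 4072; every message below is
# constructed sample data.

DIAMETER_VERSION = 1
FLAG_REQUEST, FLAG_PROXIABLE, FLAG_ERROR = 0x80, 0x40, 0x20   # command flags
AVP_VENDOR, AVP_MANDATORY = 0x80, 0x40                        # AVP flags

CMD_DER_DEA = 268                  # Diameter-EAP-Request / Diameter-EAP-Answer
APP_EAP = 5                        # Diameter EAP application id
AVP_SESSION_ID, AVP_AUTH_APPLICATION_ID = 263, 258
AVP_RESULT_CODE, AVP_EAP_PAYLOAD = 268, 402
RESULT_MULTI_ROUND_AUTH, RESULT_SUCCESS = 1001, 2001


def encode_avp(code, data, mandatory=True, vendor_id=None):
    """AVP = code(32) | flags(8) length(24) | [vendor-id(32)] | data, padded to 4."""
    flags, vendor = (AVP_MANDATORY if mandatory else 0), b""
    if vendor_id is not None:
        flags |= AVP_VENDOR
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)          # AVP Length excludes the padding
    head = struct.pack("!II", code, (flags << 24) | length)
    return head + vendor + data + b"\x00" * ((-len(data)) % 4)


def encode_message(command, flags, app_id, hop_by_hop, end_to_end, avps):
    """Header = version(8) length(24) | flags(8) command(24) | app-id | hbh | e2e."""
    body = b"".join(avps)
    return struct.pack("!IIIII", (DIAMETER_VERSION << 24) | (20 + len(body)),
                       (flags << 24) | command, app_id, hop_by_hop, end_to_end) + body


def decode_avps(buf):
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, fl_len = struct.unpack_from("!II", buf, off)
        flags, length = fl_len >> 24, fl_len & 0xFFFFFF
        head = 12 if flags & AVP_VENDOR else 8
        if length < head or off + length > len(buf):
            raise ValueError("AVP length %d out of bounds" % length)
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if head == 12 else None
        avps.append((code, flags, vendor, buf[off + head:off + length]))
        off += length + ((-length) % 4)           # step over the padding
    return avps


def decode_message(buf):
    if len(buf) < 20:
        raise ValueError("truncated Diameter header")
    v_len, fl_cmd, app_id, hbh, e2e = struct.unpack_from("!IIIII", buf)
    if v_len >> 24 != DIAMETER_VERSION:
        raise ValueError("unsupported Diameter version")
    if (v_len & 0xFFFFFF) != len(buf):
        raise ValueError("Message Length does not match datagram")
    return {"command": fl_cmd & 0xFFFFFF, "flags": fl_cmd >> 24, "app_id": app_id,
            "hop_by_hop": hbh, "end_to_end": e2e, "avps": decode_avps(buf[20:])}


def find_avp(msg, code):
    for c, _, _, data in msg["avps"]:
        if c == code:
            return data
    raise KeyError(code)


def build_der(session_id, eap_payload, hop_by_hop, end_to_end):
    """PEP -> PDP: Diameter-EAP-Request carrying one EAP packet from the AR."""
    avps = [encode_avp(AVP_SESSION_ID, session_id.encode()),
            encode_avp(AVP_AUTH_APPLICATION_ID, struct.pack("!I", APP_EAP)),
            encode_avp(AVP_EAP_PAYLOAD, eap_payload)]
    return encode_message(CMD_DER_DEA, FLAG_REQUEST | FLAG_PROXIABLE, APP_EAP,
                          hop_by_hop, end_to_end, avps)


def build_dea(request, result_code, eap_payload=None):
    """PDP -> PEP: answer echoing the request's identifiers and Session-Id."""
    req = decode_message(request)
    avps = [encode_avp(AVP_SESSION_ID, find_avp(req, AVP_SESSION_ID)),
            encode_avp(AVP_AUTH_APPLICATION_ID, struct.pack("!I", APP_EAP)),
            encode_avp(AVP_RESULT_CODE, struct.pack("!I", result_code))]
    if eap_payload is not None:
        avps.append(encode_avp(AVP_EAP_PAYLOAD, eap_payload))
    return encode_message(req["command"], req["flags"] & FLAG_PROXIABLE, req["app_id"],
                          req["hop_by_hop"], req["end_to_end"], avps)


def result_for(request, answer):
    """Accept an answer only if it is bound to this request and this session.
    Returns the Result-Code, or None when the answer must be discarded."""
    try:
        req, ans = decode_message(request), decode_message(answer)
        if ans["flags"] & FLAG_REQUEST:
            return None
        if any(req[k] != ans[k] for k in ("command", "app_id", "hop_by_hop", "end_to_end")):
            return None
        if find_avp(req, AVP_SESSION_ID) != find_avp(ans, AVP_SESSION_ID):
            return None
        return struct.unpack("!I", find_avp(ans, AVP_RESULT_CODE))[0]
    except (ValueError, KeyError):
        return None


# Constructed sample data: EAP-Response/Identity "user1" from the AR, and the
# EAP-Request/Identity the PDP sends back while the session continues.
EAP_IDENTITY = b"\x02\x01\x00\x0a\x01user1"
EAP_REQUEST_IDENTITY = b"\x01\x02\x00\x05\x01"
SESSION = "pdp.example.net;1210000000;7"          # hypothetical Session-Id
```

A session in the sense of the paragraph above is the chain of such request/answer pairs under one Session-Id; result_for is the client-side check that a PEP (or a PDP relaying to another server) should apply before acting on a Result-Code, so that a forged or stale answer with the wrong identifiers, or a datagram whose length fields do not add up, is dropped rather than granting access.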
     The policy server implementation follows the three-layer structure of the TNC architecture. Functionally it is divided into four modules: the NAA module, the TNCS module, the IMV module and the TLD module. The NAA (Network Access Authority) module handles communication between the policy server and the PEP, authenticates the identity of the AR, receives the AR's integrity information and passes it to the upper layer for trust evaluation, and finally returns the evaluation result to the AR. The TNCS (TNC Server) module is the core: on one hand it links the NAA module and the IMV module and relays authentication information between the AR and the IMV module; on the other hand it is the policy server's decision maker, granting the AR a trust level and access permission once all evaluation results have arrived from the IMV module. The IMV (Integrity Measurement Verifier) module verifies the integrity measurements collected by the IMC (Integrity Measurement Collector) module on the AR and sends the verification result to the TNCS module for the access decision. The TLD module is small but important: it queries the LDAP directory to determine the trust level of ARs that have passed verification.
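The IMV, TNCS and TLD decision path of the paragraph above, as an added model that is not the thesis's C++ implementation. The recommendation values are the TNC IF-IMV action recommendations; the policy attributes (antivirus signature date, patch level, boot-loader hash), the reference measurement and the directory contents standing in for the LDAP lookup are constructed, and the three IMVs are hypothetical. It shows the two decisions the text distinguishes (isolate for repair versus refuse access) and why missing measurements must fail closed.

```python
import hashlib

# Added example (not the thesis's code): a model of the IMV -> TNCS -> TLD
# decision path.  ALLOW/NO_ACCESS/ISOLATE/NO_RECOMMENDATION are the TNC IF-IMV
# action recommendations; every policy attribute, the reference measurement
# and the directory contents below are constructed sample data.

ALLOW, NO_ACCESS, ISOLATE, NO_RECOMMENDATION = 0, 1, 2, 3

# Reference ("golden") measurement of a constructed boot-loader image
REFERENCE_BOOTLOADER = hashlib.sha256(b"constructed boot loader image v1").hexdigest()

POLICY = {
    "av_signature_min": 20080101,       # hypothetical antivirus signature date
    "patch_level_min": 12,              # hypothetical OS patch level
    "bootloader_sha256": REFERENCE_BOOTLOADER,
}


def imv_antivirus(attrs):
    """Out-of-date AV signatures are repairable: isolate the AR for remediation."""
    version = attrs.get("av_signature")
    if version is None:
        return NO_RECOMMENDATION, "antivirus status not reported"
    if version < POLICY["av_signature_min"]:
        return ISOLATE, "antivirus signatures older than %d" % POLICY["av_signature_min"]
    return ALLOW, "antivirus up to date"


def imv_patch_level(attrs):
    level = attrs.get("patch_level")
    if level is None:
        return NO_RECOMMENDATION, "patch level not reported"
    if level < POLICY["patch_level_min"]:
        return ISOLATE, "patch level %d below %d" % (level, POLICY["patch_level_min"])
    return ALLOW, "patch level ok"


def imv_boot_integrity(attrs):
    """A boot loader that differs from the reference cannot be repaired from a
    remediation network, and its absence is not distinguishable from tampering:
    refuse access in both cases."""
    measured = attrs.get("bootloader_sha256")
    if measured is None:
        return NO_ACCESS, "no boot-loader measurement"
    if measured != POLICY["bootloader_sha256"]:
        return NO_ACCESS, "boot-loader measurement mismatch"
    return ALLOW, "boot loader matches reference"


IMVS = (imv_antivirus, imv_patch_level, imv_boot_integrity)

# Stand-in for the TLD module's LDAP query: AR identity -> (trust level, network)
DIRECTORY = {
    "host-a.example": (3, "vlan-staff"),
    "host-b.example": (1, "vlan-guest"),
}
REMEDIATION = (0, "vlan-remediation")


def tncs_decide(ar_identity, attrs):
    """Collect every IMV result, then apply the most restrictive recommendation.
    NO_RECOMMENDATION is treated as ISOLATE, so an AR gains nothing by omitting
    a measurement; the directory is consulted only for ARs that passed."""
    results = [imv(attrs) for imv in IMVS]
    reasons = [why for rec, why in results if rec != ALLOW]
    recs = {rec for rec, _ in results}
    if NO_ACCESS in recs:
        return {"decision": "deny", "trust_level": None, "network": None, "reasons": reasons}
    if ISOLATE in recs or NO_RECOMMENDATION in recs:
        return {"decision": "isolate", "trust_level": REMEDIATION[0],
                "network": REMEDIATION[1], "reasons": reasons}
    if ar_identity not in DIRECTORY:            # TLD lookup failed: no entitlement known
        return {"decision": "isolate", "trust_level": REMEDIATION[0],
                "network": REMEDIATION[1], "reasons": ["identity not found in directory"]}
    level, network = DIRECTORY[ar_identity]
    return {"decision": "allow", "trust_level": level, "network": network, "reasons": []}
```

The ordering in tncs_decide is the point: one NO_ACCESS result overrides any number of ALLOW results, an ISOLATE or missing result still keeps the AR off the production network, and the trust level from the directory is only ever attached to an AR whose integrity checks all passed.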
     For the development environment, since Linux is widely used as a network server platform and offers a good visual interface, Red Hat Enterprise Linux Advanced Server 4 was chosen as the platform for the main programming and testing work on the policy server. Because the underlying communication reuses the OpenDiameter API class library, C++ was chosen as the programming language so that the other modules match the communication layer.
     Owing to the constraints of the experimental environment, and because the policy server implemented here is a pre-research prototype, the test cases used are relatively simple, but they still cover every outcome of trusted signature certificate verification and of integrity attribute verification; the simplification of the test cases therefore does not affect the validity of the test results.