Abstract
With the rapid development of Virtual Private Networks (VPN), many companies and organizations use a VPN for their private communication. Traditionally, a VPN relies on security protocols to protect data confidentiality, message integrity and endpoint authentication. One core technique of a VPN is tunneling, by which clients traverse the VPN to reach internal servers. However, tunneling also introduces a concealed security hole: the VPN server authenticates the tunnel endpoint but does not decide which internal services that endpoint may reach, so once a malicious user can establish a tunnel through the VPN server, he can attack the internal servers behind it. This paper therefore presents a novel Application-layer based Centralized Information Access Control (ACIAC) for VPN to solve this problem. To implement an efficient, flexible and multi-decision access control model, we present two key techniques of ACIAC: the centralized management mechanism and stream-based access control. First, we implement an information center and a constraints/events center for ACIAC. Through these two centers we provide an abstract access control mechanism, and the concrete access control decision is made dynamically by ACIAC's constraint/event mechanism. Then we logically classify the VPN communication traffic into an access stream and a data stream, so that the features of VPN communication are tightly coupled with the access control model. We also present the design of our ACIAC prototype.
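The abstract describes the architecture only at a high level. The following Python model, added here as an illustration and not code from the paper or its prototype, shows the two ideas in working form: a central information center (users, roles, reachable internal services) plus a constraints/events center whose predicates and event-driven state make the concrete decision at request time, and a gateway that treats connection set-up as the access stream (policy is evaluated and a session is bound to user and service) and subsequent payload as the data stream (checked against that binding and against current constraint state). The user names, host names, port numbers, the `intrusion_alert` event and the business-hours constraint are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Request:
    user: str
    dst_host: str
    dst_port: int
    kind: str                  # "access": connection set-up; "data": payload on an existing flow
    now: time                  # wall-clock time at which the request is evaluated
    session_id: Optional[str] = None


class InformationCenter:
    """Central store of users, roles and the internal services each role may reach."""

    def __init__(self) -> None:
        self.user_roles: Dict[str, Set[str]] = {}
        self.role_services: Dict[str, Set[Tuple[str, int]]] = {}

    def add_user(self, user: str, *roles: str) -> None:
        self.user_roles.setdefault(user, set()).update(roles)

    def allow(self, role: str, host: str, port: int) -> None:
        self.role_services.setdefault(role, set()).add((host, port))

    def permitted(self, user: str, host: str, port: int) -> bool:
        return any((host, port) in self.role_services.get(r, set())
                   for r in self.user_roles.get(user, set()))


class ConstraintEventCenter:
    """Constraints are predicates evaluated per decision; events change state that
    later decisions observe, so the concrete decision is made dynamically."""

    def __init__(self) -> None:
        self.constraints: List[Callable[[Request], Optional[str]]] = []
        self.revoked: Set[str] = set()

    def add_constraint(self, fn: Callable[[Request], Optional[str]]) -> None:
        self.constraints.append(fn)

    def on_event(self, name: str, user: str) -> None:
        if name == "intrusion_alert":       # constructed event name for this example
            self.revoked.add(user)

    def check(self, req: Request) -> Optional[str]:
        """Return a denial reason, or None if every constraint is satisfied."""
        if req.user in self.revoked:
            return "user revoked by event"
        for fn in self.constraints:
            reason = fn(req)
            if reason:
                return reason
        return None


class Gateway:
    """Applies the access-stream / data-stream split at the VPN server."""

    def __init__(self, info: InformationCenter, cec: ConstraintEventCenter) -> None:
        self.info, self.cec = info, cec
        self.sessions: Dict[str, Tuple[str, str, int]] = {}   # session id -> (user, host, port)

    def handle(self, req: Request) -> Tuple[bool, str]:
        if req.kind == "access":
            if not self.info.permitted(req.user, req.dst_host, req.dst_port):
                return False, "no role grants this service"
            reason = self.cec.check(req)
            if reason:
                return False, reason
            sid = "s%d" % (len(self.sessions) + 1)
            self.sessions[sid] = (req.user, req.dst_host, req.dst_port)
            return True, sid
        if req.kind == "data":
            sess = self.sessions.get(req.session_id or "")
            if sess is None:
                return False, "no access-stream decision for this flow"
            if sess != (req.user, req.dst_host, req.dst_port):
                return False, "data stream does not match its access-stream decision"
            reason = self.cec.check(req)       # re-evaluated so events can cut live flows
            return (False, reason) if reason else (True, "forward")
        return False, "unknown stream kind"


def business_hours(req: Request) -> Optional[str]:
    """Constructed constraint: the internal database is reachable only 08:00-18:00."""
    if req.dst_port == 5432 and not time(8, 0) <= req.now <= time(18, 0):
        return "outside business hours"
    return None


def run_demo() -> List[Tuple[bool, str]]:
    info = InformationCenter()
    info.add_user("alice", "dev")
    info.add_user("mallory", "contractor")
    info.allow("dev", "db.internal", 5432)          # constructed host names
    info.allow("contractor", "wiki.internal", 443)
    cec = ConstraintEventCenter()
    cec.add_constraint(business_hours)
    gw = Gateway(info, cec)
    out = []
    # mallory is tunneled in but holds no role for the DB: stopped at the access stream
    out.append(gw.handle(Request("mallory", "db.internal", 5432, "access", time(10, 0))))
    ok, sid = gw.handle(Request("alice", "db.internal", 5432, "access", time(10, 0)))
    out.append((ok, sid))                                                   # granted, session s1
    out.append(gw.handle(Request("alice", "db.internal", 5432, "data", time(10, 5), sid)))
    # mallory cannot ride alice's session: the data stream is bound to the access decision
    out.append(gw.handle(Request("mallory", "db.internal", 5432, "data", time(10, 6), sid)))
    out.append(gw.handle(Request("alice", "db.internal", 5432, "access", time(23, 0))))
    cec.on_event("intrusion_alert", user="alice")   # event revokes alice without tearing down the tunnel
    out.append(gw.handle(Request("alice", "db.internal", 5432, "data", time(10, 7), sid)))
    return out
```

The point a practitioner should take from the demo is that the tunnel itself never decides anything: every internal connection is authorized per user and per service at set-up, the resulting session is bound to that decision so data from another tunneled user cannot reuse it, and constraint state can change (here by a revocation event) while a flow is open, which a purely network-layer VPN could not express.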
Additional information
Project (No. 60373088) supported by the National Natural Science Foundation of China
Cite this article
Ouyang, K., Zhou, Jl., Xia, T. et al. An application-layer based centralized information access control for VPN. J. Zhejiang Univ. - Sci. A 7, 240–249 (2006). https://doi.org/10.1631/jzus.2006.A0240