Cyber Security and Data Governance (网络安全与数据治理), Issue 10
Chen Yu1, Yin Hao2, Yao Lei1, Feng Ding3, Guan Haojie1, Yan Hao3
(1. Nantong Road Development Authority, Nantong 226006, Jiangsu, China; 2. School of Cyberspace Security, Southeast University, Nanjing 211100, Jiangsu, China; 3. Sangfor Technologies Inc., Shenzhen 518055, Guangdong, China)
Abstract (Chinese version): Addressing the complex access scope and high network security risk that characterize traffic information system projects, this paper proposes a comprehensive zero-trust system architecture for highways. The architecture consists mainly of six platforms, including a gateway management platform and a trusted identity control platform. The secure interaction process based on the gateway management platform is studied in depth: first, automatic routing policies across multiple physical environments are implemented; second, a dual-mode SPA knocking mechanism is studied, with emphasis on UDP authentication and TCP knocking data access. Using the smart rural road system project as the test bed, the effect and efficiency of secure access before and after deployment are evaluated. The results show that the highway zero-trust system can run on the domestic Loongson3A4000 chip; that dual-mode single packet authorization (SPA) extends UDP SPA with TCP SPA capability and achieves a 50% faster access rate than single-mode SPA; and that network stealth can be achieved while satisfying the control points of Level 3 Classified Protection of Cybersecurity (等保三级).
Citation: Chen Yu, Yin Hao, Yao Lei, et al. Research on the application of road zero trust security based on dual mode single packet authorization [J]. Cyber Security and Data Governance (网络安全与数据治理), 2023, 42(10): 87-93.
Research on the application of road zero trust security based on dual mode single packet authorization
Chen Yu1,Yin Hao2,Yao Lei1,Feng Ding3,Guan Haojie1,Yan Hao3
(1.Nantong Road Development Authority, Nantong 226006, China;2.School of Cyberspace Security, Southeast University, Nanjing 211100, China;3.Sangfor Technologies Inc., Shenzhen 518055, China)
Abstract: Given the complex access range and high network security risk characteristic of traffic information system engineering, this research proposes a comprehensive zero-trust system architecture for highways. The architecture consists mainly of six platforms, including a gateway management platform and a trusted identity control platform. The research focuses on secure interaction based on the gateway management platform. First, it implements automatic routing strategies across multiple physical environments. Second, it studies the dual-mode Single Packet Authorization (SPA) knocking mechanism, with particular analysis of UDP authentication and TCP knocking data access. Relying on the Smart Agricultural Road System Engineering project, the research evaluates the effectiveness and efficiency of secure access before and after deployment. The results indicate that the system can run on domestic Loongson3A4000 chips; that dual-mode SPA, which combines UDP SPA with TCP SPA capability, achieves a 50% higher access rate than single-mode SPA; and that network invisibility can be achieved while meeting the requirements of Level 3 Classified Protection.
Key words : traffic network security; information system engineering; zero trust architecture; dual mode single packet authorization; software defined perimeter
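Both abstracts describe the dual-mode SPA knock (a UDP datagram or the opening bytes of a TCP stream) that the gateway must authenticate before it reveals any service, but the page gives no packet format. The following is an added illustrative example, not the paper's protocol or Sangfor's code: a minimal gateway-side SPA verifier that drops everything by default and admits a client only on a fresh, HMAC-authenticated, never-before-seen knock, with the same knock carried either as a bare UDP payload or length-prefixed at the start of a TCP stream. The packet layout, the length-prefix framing, the 30-second freshness window, the demo key and the client identifier are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

# Constructed demo credentials; a real gateway provisions one key per enrolled device.
DEMO_KEYS = {b"field-camera-0001": b"demo-preshared-key-replace-me"}

TS_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32
WINDOW_SECONDS = 30  # how long a knock stays acceptable after it was built (assumed)


def build_knock(client_id: bytes, key: bytes, now: Optional[int] = None,
                nonce: Optional[bytes] = None) -> bytes:
    """Client side: timestamp || nonce || client_id || HMAC-SHA256 over the preceding bytes."""
    ts = int(time.time()) if now is None else now
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    body = struct.pack("!Q", ts) + nonce + client_id
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaVerifier:
    """Gateway side: default deny; accept only fresh, authentic, never-seen knocks."""

    def __init__(self, keys: dict, window: int = WINDOW_SECONDS):
        self.keys = keys                 # client_id -> pre-shared key
        self.window = window
        self.seen: dict = {}             # nonce -> knock timestamp, kept for replay rejection

    def verify(self, packet: bytes, now: Optional[int] = None) -> Optional[bytes]:
        """Return the authenticated client id, or None if the knock must be silently dropped."""
        now = int(time.time()) if now is None else now
        if len(packet) < TS_LEN + NONCE_LEN + TAG_LEN + 1:
            return None                  # too short to be a knock at all
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        ts = struct.unpack("!Q", body[:TS_LEN])[0]
        nonce = body[TS_LEN:TS_LEN + NONCE_LEN]
        client_id = body[TS_LEN + NONCE_LEN:]
        key = self.keys.get(client_id)
        if key is None:
            return None                  # unknown device: no response, service stays hidden
        # Check the MAC first, in constant time, before trusting any field of the body.
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            return None
        if abs(now - ts) > self.window:
            return None                  # stale knock or excessive clock skew
        self._expire(now)
        if nonce in self.seen:
            return None                  # replay of a valid knock inside the window
        self.seen[nonce] = ts
        return client_id

    def _expire(self, now: int) -> None:
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}


# Transport framing (assumed, not the paper's format): in UDP mode the knock is one datagram;
# in TCP mode the same knock is sent as a 2-byte big-endian length prefix plus the knock
# at the very start of the stream, followed by the application data.
def frame_tcp(knock: bytes) -> bytes:
    return struct.pack("!H", len(knock)) + knock


def parse_tcp(stream: bytes) -> Tuple[Optional[bytes], bytes]:
    """Split the leading knock off a TCP stream; returns (knock or None, remaining bytes)."""
    if len(stream) < 2:
        return None, stream
    n = struct.unpack("!H", stream[:2])[0]
    if len(stream) < 2 + n:
        return None, stream
    return stream[2:2 + n], stream[2 + n:]


def demo() -> dict:
    """Exercise both transports plus the three failure modes a verifier must reject."""
    v = SpaVerifier(DEMO_KEYS)
    cid = b"field-camera-0001"
    key = DEMO_KEYS[cid]
    t0 = 1_700_000_000                   # constructed fixed clock for reproducibility
    knock = build_knock(cid, key, now=t0)
    res = {"udp_ok": v.verify(knock, now=t0 + 5)}          # fresh UDP knock: admitted
    res["replay"] = v.verify(knock, now=t0 + 6)             # same datagram again: dropped
    tampered = bytearray(knock)
    tampered[-1] ^= 0x01                                    # one bit of the tag flipped
    res["tampered"] = v.verify(bytes(tampered), now=t0 + 5)
    res["stale"] = v.verify(build_knock(cid, key, now=t0 - 120), now=t0)
    stream = frame_tcp(build_knock(cid, key, now=t0)) + b"GET / HTTP/1.1\r\n"
    tcp_knock, rest = parse_tcp(stream)
    res["tcp_ok"] = v.verify(tcp_knock, now=t0 + 1)         # TCP-mode knock: admitted
    res["tcp_rest"] = rest                                  # application bytes that follow it
    return res


if __name__ == "__main__":
    print(demo())
```

The design point worth noting for a gateway that claims "network stealth" is that every rejection path returns nothing on the wire: an unknown client id, a bad tag, a stale timestamp and a replayed nonce all look identical to an unauthenticated sender, so the service's existence is not confirmed by the failure. The nonce cache only needs to hold entries for the freshness window, which bounds its memory.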

0 Introduction

Since the start of the 14th Five-Year Plan, the state has accelerated the construction of new infrastructure for ordinary highways, and digital, networked and intelligent field facilities have grown rapidly. While this raises the quality of the industry's development, the many field smart devices interconnected with the industry's private network, and the traffic information system projects deployed across multiple physically isolated networks, have gradually become weak points in network security protection and difficult to supervise. Network security risks and threats are increasingly complex: new attack techniques such as identity impersonation, APT attacks and insider threats keep emerging, posing severe challenges to network security in the era of digital transportation. In 2010, Forrester Research first proposed the concept of "Zero Trust Networks" (ZTN), seeking to break the traditional security model with a decentralized security architecture, to achieve comprehensive and intelligent control over users, terminal devices, operating systems and applications, and to build a full-lifecycle security protection system. In recent years zero trust has gradually attracted attention in China; the "Guiding Opinions on Promoting the Development of the Cybersecurity Industry" released in September 2019 listed "zero trust security" as an important technology that the cybersecurity field urgently needs to master.
