
Design and Implementation of a Terminal Secure Access System for Private Networks

Published: 2018-11-19 20:44
[Abstract]: With the rapid development of network and computer technology, new security challenges keep emerging. Traditional security mechanisms concentrate protection on the network and servers and neglect the security of the accessing terminal itself, so they struggle to achieve the desired protective effect. To address network security problems at the source of the threat, the Trusted Computing Group (TCG) proposed the Trusted Network Connect (TNC) architecture, which achieves trusted network access by verifying the integrity state of terminals joining the network; it has become a research focus in network security and trust. Building on a study of existing mature access authentication architectures, protocols, and trusted network theory, and with the aim of quantitatively evaluating a terminal's trusted state, this thesis draws on the Extensible Authentication Protocol (EAP) and the 802.1X architecture to design a trust-degree-based network access remediation mechanism. The main work is as follows: first, an enhanced and improved trusted network access scheme is proposed, namely the trust-degree-based network access remediation mechanism, covering the design of its framework, protocol, process, and policies; next, the concepts related to trust degree are introduced and its algorithm is described in detail; then the robustness and correctness of the trusted access mechanism are formally analyzed; finally, an access remediation system is designed, and application analysis and application experiments are carried out to demonstrate the practicality of the mechanism. The innovations of the thesis are: the concept of trust degree, used to analyze how trustworthy a terminal is, is proposed and its detailed algorithm designed; an implementation mechanism for trusted access and remediation is designed, including the framework architecture, protocol encapsulation, implementation process, and policy formulation; and the entity function modules of a trusted access remediation application system are designed, which helps further verify the practicality of the mechanism. In a private network, a terminal secure access system is an important means of ensuring the secure operation of the internal network and reducing security incidents. Among security incidents of all kinds, those arising after an unauthorized terminal connects to the network account for a large proportion, so access authentication and authorization of host terminals within the LAN is essential. The trust-degree-based network access remediation mechanism quantitatively evaluates the trustworthiness of terminals joining the network and, combined with terminal identity information, applies different access remediation policies: it blocks terminals that do not meet the access policy, and allows terminals with legitimate identity and privileges to strengthen their own trustworthiness through remediation operations so as to meet the access requirements. This ensures network security while also improving the network's practicality.
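[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year degree conferred]: 2014
[Classification number]: TP393.08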




Article ID: 2343377
