Software Defined Perimeter: Improvements in the Security of Single Packet Authorization and user Authentication
Authors: Everson L. Rosa Lucion, Raul Ceretta Nunes
Venue: 2018 XLIV Latin American Computer Conference (CLEI)
Published: 2018-10-01
DOI: 10.1109/CLEI.2018.00090 (https://doi.org/10.1109/CLEI.2018.00090)
Citation count (Semantic Scholar): 8
Traditional perimeter defense is typically performed by dedicated firewall-based devices. It has become necessary, however, to reduce the attack surface and exposure to cyber attacks by hiding the infrastructure, applications and access controls, and by raising security levels. Software Defined Perimeter (SDP) brings new perimeter functionality, and Single Packet Authorization (SPA) is its first step. Analysis of the SDP protocol revealed security issues that need to be improved or addressed. This work proposes adaptations to the SDP architecture and defines a new pattern for creating and sending the SPA. It was designed in modular terms, and the modules are incorporated into the model. A secure way to establish mutual TLS for initial user authentication has also been developed. The results show that building security solutions in modules greatly increases the difficulty of detecting, replicating or reading the data. The experiments showed that the increased processing time of the SPA does not compromise the proposed solution and is justified by the gains in protection level. The definition of a new SPA submission architecture and the establishment of mutual TLS provided the desired concealment, scalability and redundancy. The proposed solutions thus contribute to increasing the resilience and protection of the SDP reference standard.
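The single-packet authorization step the abstract refers to is easiest to see in code. The following is an added example, not code from the paper and not the CSA SDP reference implementation: a hypothetical Initiating Host builds one authenticated datagram, and a hypothetical Accepting Host stays silent unless that datagram verifies, which is what "hiding the infrastructure" means in practice. The packet layout (agent ID, per-agent monotonic counter, timestamp, random nonce, HMAC-SHA256 under a pre-shared key), the 30-second freshness window, the constructed key and the names `SpaClient` and `SpaGateway` are all assumptions for illustration, not the SDP specification's SPA format or the paper's modified one.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional

# Constructed packet layout (an assumption for this example, not the CSA SDP
# format or the paper's):
#   magic(4) | agent_id(4) | counter(8) | unix_time(8) | nonce(16) | hmac-sha256(32)
SPA_MAGIC = b"SPA1"
SPA_HEADER = struct.Struct("!IQQ")        # agent_id, counter, unix time (big-endian)
NONCE_LEN = 16
TAG_LEN = 32
SPA_LEN = len(SPA_MAGIC) + SPA_HEADER.size + NONCE_LEN + TAG_LEN   # 72 bytes


class SpaClient:
    """Hypothetical SDP Initiating Host: emits one authenticated datagram."""

    def __init__(self, agent_id: int, key: bytes) -> None:
        self.agent_id = agent_id
        self.key = key
        self.counter = 0                  # a real client must persist this across restarts

    def build(self, now: Optional[int] = None) -> bytes:
        self.counter += 1                 # strictly increasing: the gateway's replay check relies on it
        ts = int(time.time()) if now is None else now
        body = SPA_MAGIC + SPA_HEADER.pack(self.agent_id, self.counter, ts) + os.urandom(NONCE_LEN)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + tag


class SpaGateway:
    """Hypothetical SDP Accepting Host: answers nothing until a valid SPA arrives."""

    def __init__(self, keys: Dict[int, bytes], window: int = 30) -> None:
        self.keys = keys                  # agent_id -> pre-shared key
        self.window = window              # tolerated clock skew, seconds
        self.last_counter: Dict[int, int] = {}
        self.allowed: Dict[str, int] = {}  # src_ip -> agent_id, stand-in for a firewall rule

    def receive(self, packet: bytes, src_ip: str, now: Optional[int] = None) -> bool:
        """Return True (and open the firewall for src_ip) only if every check passes.

        Every failure returns False and sends nothing back, so a scanner cannot
        tell whether any service is listening here.
        """
        ts_now = int(time.time()) if now is None else now
        if len(packet) != SPA_LEN or not packet.startswith(SPA_MAGIC):
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        agent_id, counter, ts = SPA_HEADER.unpack_from(body, len(SPA_MAGIC))
        key = self.keys.get(agent_id)
        if key is None:
            return False                  # unknown agent: drop silently
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                  # forged or tampered packet
        if abs(ts_now - ts) > self.window:
            return False                  # stale packet (or a bad clock)
        if counter <= self.last_counter.get(agent_id, 0):
            return False                  # replay: counter did not advance
        self.last_counter[agent_id] = counter
        self.allowed[src_ip] = agent_id
        return True


def demo() -> Dict[str, bool]:
    """Run the exchange with a constructed key and a fixed clock; maps check -> opened?"""
    key = bytes(range(32))                # constructed shared secret for the example
    client = SpaClient(agent_id=7, key=key)
    gateway = SpaGateway({7: key})
    t = 1_000_000
    fresh = client.build(now=t)
    tampered = fresh[:-1] + bytes([fresh[-1] ^ 0x01])
    return {
        "valid": gateway.receive(fresh, "10.0.0.5", now=t),
        "replay": gateway.receive(fresh, "10.0.0.5", now=t),
        "tampered": gateway.receive(tampered, "10.0.0.5", now=t),
        "stale": gateway.receive(client.build(now=t), "10.0.0.5", now=t + 100),
        "wrong_key": gateway.receive(SpaClient(7, b"x" * 32).build(now=t), "10.0.0.5", now=t),
        "unknown_agent": gateway.receive(SpaClient(9, key).build(now=t), "10.0.0.5", now=t),
    }


if __name__ == "__main__":
    for check, opened in demo().items():
        print(f"{check:14s} -> {'open' if opened else 'drop'}")
```

Only the first packet opens the gateway; the replayed, tampered, stale, wrongly keyed and unknown-agent packets are all dropped without a reply. The order of checks matters: the HMAC is verified before the counter is consumed, so an attacker cannot burn a legitimate client's counter by injecting garbage, and the stale check sits before the counter update so a delayed but genuine packet does not lock the client out. The mutual TLS handshake the abstract describes would begin only after `receive` returns True, which this example deliberately stops short of.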