零信任架构和其他端到端范式解决网络防御冲突

W. Simpson, K. Foltz
{"title":"零信任架构和其他端到端范式解决网络防御冲突","authors":"W. Simpson, K. Foltz","doi":"10.5121/IJNSA.2021.13101","DOIUrl":null,"url":null,"abstract":"Network defense implies a comprehensive set of software tools to preclude malicious entities from conducting activities such as exfiltration of data, theft of credentials, blocking of services and other nefarious activities. For most enterprises at this time, that defense builds upon a clear concept of the fortress approach. Many of the requirements are based on inspection and reporting prior to delivery of the communication to the intended target. These inspections require decryption of packets and this implies that the defensive suite either impersonates the requestor, or has access to the private cryptographic keysof the servers that are the target of communication. This is in contrast to an end-to-end paradigm where known good entities can communicate directly and no other entity has access to the content unless that content is provided to them. There are many new processes that require end-to-end encrypted communication, including distributed computing, endpoint architectures, and zero trust architectures and enterprise level security. In an end-to-end paradigm, the keys used for authentication, confidentiality, and integrity reside only with the endpoints. This paper examines a formulation that allows unbroken communication, while meeting the inspection and reporting requirements of a network defense. This work is part of a broader security architecture termed Enterprise Level Security (ELS)framework.","PeriodicalId":93303,"journal":{"name":"International journal of network security & its applications","volume":"50 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2021-01-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":"{\"title\":\"Resolving Network Defense Conflicts with Zero Trust Architectures and Other End-to-End Paradigms\",\"authors\":\"W. Simpson, K. Foltz\",\"doi\":\"10.5121/IJNSA.2021.13101\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Network defense implies a comprehensive set of software tools to preclude malicious entities from conducting activities such as exfiltration of data, theft of credentials, blocking of services and other nefarious activities. For most enterprises at this time, that defense builds upon a clear concept of the fortress approach. Many of the requirements are based on inspection and reporting prior to delivery of the communication to the intended target. These inspections require decryption of packets and this implies that the defensive suite either impersonates the requestor, or has access to the private cryptographic keysof the servers that are the target of communication. This is in contrast to an end-to-end paradigm where known good entities can communicate directly and no other entity has access to the content unless that content is provided to them. There are many new processes that require end-to-end encrypted communication, including distributed computing, endpoint architectures, and zero trust architectures and enterprise level security. In an end-to-end paradigm, the keys used for authentication, confidentiality, and integrity reside only with the endpoints. This paper examines a formulation that allows unbroken communication, while meeting the inspection and reporting requirements of a network defense. This work is part of a broader security architecture termed Enterprise Level Security (ELS)framework.\",\"PeriodicalId\":93303,\"journal\":{\"name\":\"International journal of network security & its applications\",\"volume\":\"50 1\",\"pages\":\"\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2021-01-31\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"3\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"International journal of network security & its applications\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.5121/IJNSA.2021.13101\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"International journal of network security & its applications","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.5121/IJNSA.2021.13101","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 3

摘要

网络防御意味着一套全面的软件工具,以防止恶意实体进行诸如泄露数据、窃取凭证、阻止服务和其他恶意活动等活动。对于此时的大多数企业来说,这种防御建立在堡垒方法的明确概念之上。在将信息传递给预定目标之前,许多需求都是基于检查和报告的。这些检查需要对数据包进行解密,这意味着防御套件要么冒充请求者,要么访问作为通信目标的服务器的私有加密密钥。这与端到端范式相反,在端到端范式中,已知的良好实体可以直接通信,除非向它们提供内容,否则其他实体无法访问内容。有许多新流程需要端到端加密通信,包括分布式计算、端点体系结构、零信任体系结构和企业级安全性。在端到端范例中,用于身份验证、机密性和完整性的密钥仅存在于端点中。本文研究了一种允许不间断通信的公式,同时满足网络防御的检查和报告要求。这项工作是称为企业级安全(ELS)框架的更广泛的安全体系结构的一部分。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
Resolving Network Defense Conflicts with Zero Trust Architectures and Other End-to-End Paradigms
Network defense implies a comprehensive set of software tools to preclude malicious entities from conducting activities such as exfiltration of data, theft of credentials, blocking of services and other nefarious activities. For most enterprises at this time, that defense builds upon a clear concept of the fortress approach. Many of the requirements are based on inspection and reporting prior to delivery of the communication to the intended target. These inspections require decryption of packets and this implies that the defensive suite either impersonates the requestor, or has access to the private cryptographic keysof the servers that are the target of communication. This is in contrast to an end-to-end paradigm where known good entities can communicate directly and no other entity has access to the content unless that content is provided to them. There are many new processes that require end-to-end encrypted communication, including distributed computing, endpoint architectures, and zero trust architectures and enterprise level security. In an end-to-end paradigm, the keys used for authentication, confidentiality, and integrity reside only with the endpoints. This paper examines a formulation that allows unbroken communication, while meeting the inspection and reporting requirements of a network defense. This work is part of a broader security architecture termed Enterprise Level Security (ELS)framework.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信