Policy-Driven Network Access Control Configuration Management using XACML

Abstract. Every security vendor claims that its access control scheme can integrate the configuration files of other products, but in fact each network access control (NAC) scheme defines its access control policy in its own policy syntax. In this paper we use the Trust Management (TM) model and XACML to define the policies for an authorization scenario, specifically the policies for delegating authority in network access control. We present the XACML documents that represent these policies and the implementation issues encountered while developing a prototype system.

Key words: Security, Network Access Control, Trust Management, XML, Policy

1 Introduction

A Network Access Control (NAC) policy constrains which services may be accessed and which actions are permitted on those services. Managing NAC configuration policies has become a significant issue. The classical NAC model [1] manages NAC policy through a centralized authorization center. This mechanism is of limited use in today's distributed environments, where policies exist in different domains and are issued by independent authorization centers. A mechanism is therefore needed to describe dynamic authorization relationships and context information in a distributed network. The Trust Management (TM) model [2] expresses NAC policy with identity-based or credential-based network tokens, so such policies can readily represent trust relationships among principals and context information in a network environment. Several policy languages have been designed to describe the TM model, such as KeyNote [3] and SPKI/SDSI [4]. Compared with other TM systems, XACML (eXtensible Access Control Markup Language) [5] is built on the Extensible Markup Language (XML) and uses the extensibility of XML to define policies for different NAC requirements. Since Lorch [6] presented early experience using XACML in distributed systems, more and more research has focused on using XACML to solve distributed network problems. In [7], a data integration system provides authorization services that use XACML policies to define access controls. In [8], XACML is extended into an ontology-based language that, together with a P3P-based data schema, builds a semantic relationship diagram of the attributes in an XACML policy. [9] describes how RM policies can be implemented in terms of XACML policies. The latest work on delegation mechanisms is reported in [10-13]. However, little work has been done on using XACML to manage NAC policies in a distributed network. Our work uses XACML-based policies and the TM model to support NAC policy management. We also discuss how to define XACML-based policies that express delegated authority in network access control.

The paper is organized as follows. Section 2 introduces the XACML policy language and the workflow of the XACML specification. Section 3 outlines the XACML-based TM model for NAC configuration management. The definition of each XACML-format management policy is given in Section 4. Finally, Section 5 discusses some details of the prototype agent implementation and evaluates the agent's performance.

2 XACML: Policy-based Access Control

XACML is a general-purpose policy system developed by OASIS for use with most authorization systems. It is XML-based and comprises two specifications: an access control policy language, which defines the set of subjects that may perform particular actions on a subset of resources, and a request/response format, which encodes a query about whether a particular access should be allowed together with the corresponding answer. XACML defines two standard components at the core of request and response processing: the Policy Decision Point (PDP), which evaluates policies, and the Policy Enforcement Point (PEP), which issues requests and handles responses. An XACML policy comprises one or more Rules, each restricted by the Resource, Subject and Action elements of its Target and by an optional Condition. Each Rule carries an Effect of Permit or Deny; the Decision returned by a policy evaluation may be Permit, Deny, NotApplicable or Indeterminate. The XACML policy format can also specify actions that must be taken on positive or negative PDP decisions, in the form of an optional Obligation element. This functionality is important for expressing potential delegation or inheritance relationships in network access control. A decision request, sent in a Request message, provides the context for the policy-based decision. The policy applicable to a particular decision request may be composed of a number of individual rules or policies; several policies may be combined into a single policy that is applicable to the request, and XACML specifies a number of policy- and rule-combining algorithms for this purpose. The Response message may contain multiple Result elements, each related to an individual Resource.

3 A Trust Management Architecture for NAC Configuration

This section describes the main policies involved in the general scenarios, namely the TCP-Wrapper Access Policy, the Delegation Access Policy and the Management Policy, together with their requirements and the relationships among them.

The TCP-Wrapper Access Policy is the policy that protects the target network services. When a user wants to modify the tcp-wrapper rule of a network service, he has to present his credentials to the entity evaluating the modification request: the Policy Decision Point (PDP) that controls rule modification in the tcp-wrapper file. The TCP-Wrapper Access Policy decides not only whether the user's IP address falls within the domain permitted to access the requested service, but also whether the user, from his home domain, has permission to execute the requested action on that service. These two conditions are specified by two different policy files: the original tcp-wrapper file, which defines the access domain of each rule, and the TCP-Wrapper Access Policy, which further defines who is authorized to modify each attribute of a tcp-wrapper rule. Figure 1a) shows how this policy interacts with the other components.

The Delegation Access Policy is used in dynamic authorization scenarios in which a user's access privilege is based on an authorization scheme different from the proposed tcp-wrapper rule, so the authorization credentials have to be translated. This policy, generated by the Rule Engine, contains the delegatee's name, the delegator's name, the authorized service and the granted action. For example, if a user Clare does not hold the add privilege on the imapd service, a user Bob who holds that privilege can grant her the right by issuing a delegation certificate. A Delegation Access Policy generated from the delegation certificate then contains the access privilege that Bob grants to Clare. Figure 1b) shows a high-level view of this policy. The PDP therefore has to evaluate both the TCP-Wrapper Access Policy and the users' Delegation Access Policies.

The Management Policy assigns root privilege over the system to certain users. It is defined by the system administrator, is managed by the PAP component, and is used at system start or reset.

4 XACML-based TCP-Wrapper Policies

This section defines how XACML policies are used to satisfy the requirements of the scenarios in the TM system. It covers the XACML-format definition of a TCP-Wrapper Access Policy and of a Delegation Access Policy; because of limited space, we do not reproduce the policy fragment of a Delegation Access Policy.

The TCP-Wrapper Access Policy, as noted above, is managed by the PAP and decides which actions or attributes a user may change on a given service. The tcp-wrapper rule "telnetd: 143.239.212.071: allow" specifies that only the host with IP address 143.239.212.071 is permitted to connect to the telnetd service. To further restrict who may change this rule, the TCP-Wrapper Access Policy comprises a set of target access elements. Each of them grants a specified set of users permission to carry out specified actions on a specified list of services, but only if the specified conditions hold. Every element of this policy is composed of the following objects:

Subject: one or more identifiers specifying valid home domains, represented as user names.

Resources: the set of services (tcp-wrapper rules) that the specified users are allowed to modify. If null, the user may modify any service on this rule.

Actions: the set of actions allowed on the service. If null, the user may perform any action on the service, including adding a new IP address, deleting an existing one or modifying an IP value.

Conditions: the users hold the permission to execute the actions on the specified service only if the conditions are fulfilled; otherwise the permission is denied. In this policy the conditions are constraints on IP ranges.

Figure 3 shows an example of this policy. The subjects, identified by the users' home domain, are able to modify the rule of the telnetd service with the permitted action add, but are only allowed to set the rule's IP address to their own IP.

5 Implementation and Evaluation

The prototype agent was developed on the J2SE platform. It uses Sun's XACML 2.0 implementation for the XACML framework and the DOM interface to parse XACML policies. Some issues had to be resolved to complete the implementation.

5.1 Request Access Control

The context attributes of a request have to be taken into account during evaluation of the TCP-Wrapper Access Policy, when the PDP grants or denies access to the desired services. Push and pull models are available to support this requirement. The pull model, however, requires adding to the PDP component a specific algorithm that describes how to retrieve the context attributes of a tcp-wrapper rule, and that algorithm has to change whenever the NAC configuration file managed by the agent changes from the tcp-wrapper policy format to another. We therefore chose the push model for collecting context attributes, that is, we extended the PEP component of Sun's XACML implementation to fulfil the function of the Context Handler element. After receiving the user's original request, the agent's PEP component collects the context attributes and integrates them into an XACML-format Request. For a user's access control request, the PEP embeds the tcp-wrapper context attributes into an element of the XACML-format Request; for a delegated access request, the PEP embeds the newly generated Delegation Access Policy into the same element of the XACML Request, and the PDP component has to separate the Delegation Access Policy from the request before evaluation.

For a user's access control request, the Policy Decision Point (PDP) has to decide whether to grant or deny access based on both the TCP-Wrapper Access Policy and the tcp-wrapper configuration file. The access control decision of tcp-wrapper, however, depends on the order of the rules in its configuration file, because tcp-wrapper acts on the first matching rule. For example, the user with IP 143.239.212.071 is rejected by the rule set "telnetd: 143.239.212.071: deny; telnetd: 143.239.212.071,143.239.212.072: allow", but accepted by the rule set "telnetd: 143.239.212.071,143.239.212.072: allow; telnetd: 143.239.212.071: deny". To preserve the same logic in the request evaluation process, we added extra decision logic to the PDP component that follows the rule-matching order of the tcp-wrapper tool.

5.2 Experiment result

All experiments were conducted on a PC with a Core 2 Duo T7100 at 1.8 GHz and 1024 MB of RAM. Requests were generated randomly by different PCs in the lab domain. The results are shown in Table 1. They show that evaluation time grows linearly with the number of requests and with the delegation depth. Because of request concurrency, the rate of correct evaluations decreases when the system receives many requests at the same time.

6 Discussions and Conclusion

This paper identifies the set of policies required for network access control configuration management. We use the tcp-wrapper configuration file as an example, describing the policies that control the user access control configuration scenario and the user delegation access configuration scenario. The policies presented have been described in XACML, which has been designed to be a standard way to express network
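The following Python program is an added example; it is not code from the paper and not Sun's XACML implementation. It models in plain code what Sections 3, 4 and 5.1 describe in XACML terms: the Subject/Resources/Actions/Conditions elements of the TCP-Wrapper Access Policy (with the "only your own IP" condition of the telnetd example), Delegation Access Policy entries such as Bob granting Clare the add action on imapd, and the first-match ordering of tcp-wrapper rules that the paper's PDP has to reproduce. The rule syntax, the Request attributes, the user names (bob, clare, dave) and the depth-bounded delegation chain are assumptions made for illustration; the two sample rule sets reuse the paper's telnetd orderings, with the addresses reproduced as written and compared as literal strings.

```python
"""Toy PDP for tcp-wrapper rule-modification requests.
Added example (not the paper's code, not Sun's XACML implementation): it models in plain
Python the TCP-Wrapper Access Policy elements of Section 4, the Delegation Access Policy
entries of Section 3 and the tcp-wrapper first-match ordering of Section 5.1.
Rule syntax, attribute names and the sample users are assumptions made for illustration."""
from dataclasses import dataclass, replace
from typing import Callable, FrozenSet, List, Optional, Set

# -- tcp-wrapper side: "daemon: client_list: allow|deny"; the first matching rule wins --
@dataclass
class WrapperRule:
    daemon: str
    clients: List[str]  # dotted quads, compared as literal strings (no masks or wildcards)
    effect: str         # "allow" or "deny"

def parse_rules(text: str) -> List[WrapperRule]:
    """One rule per line, '#' starts a comment, all three fields required."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemon, clients, effect = (p.strip() for p in line.split(":", 2))
            rules.append(WrapperRule(daemon, [c.strip() for c in clients.split(",")], effect.lower()))
    return rules

def wrapper_decision(rules: List[WrapperRule], daemon: str, client_ip: str) -> Optional[str]:
    """Effect of the FIRST rule matching (daemon, client_ip); None when nothing matches."""
    for r in rules:
        if r.daemon == daemon and client_ip in r.clients:
            return r.effect
    return None

# -- request context as the PEP assembles it in the push model --
@dataclass
class Request:
    subject: str     # user name / home-domain identifier
    service: str     # Resource: the daemon whose rule is being changed
    action: str      # "add", "delete" or "modify"
    new_ip: str      # IP value the request wants to put into the rule
    subject_ip: str  # requester's own IP, a context attribute pushed by the PEP

def own_ip_only(req: Request) -> bool:
    """Condition from the paper's telnetd example: only one's own IP may be added."""
    return req.new_ip == req.subject_ip

@dataclass
class AccessRule:
    """One target element of the TCP-Wrapper Access Policy; None means 'any'."""
    subject: str
    resources: Optional[Set[str]] = None
    actions: Optional[Set[str]] = None
    condition: Optional[Callable[[Request], bool]] = None

    def permits(self, req: Request) -> bool:
        target_ok = (self.subject == req.subject
                     and (self.resources is None or req.service in self.resources)
                     and (self.actions is None or req.action in self.actions))
        return target_ok and (self.condition is None or self.condition(req))

@dataclass
class Delegation:
    """One Delegation Access Policy entry derived from a delegation certificate."""
    delegator: str
    delegatee: str
    service: str
    action: str

class PDP:
    """Deny-biased decision point: whatever is not explicitly permitted is Deny."""
    def __init__(self, access_policy: List[AccessRule], delegations: List[Delegation], max_depth: int = 3):
        self.access_policy, self.delegations, self.max_depth = access_policy, delegations, max_depth

    def evaluate(self, req: Request) -> str:
        if any(r.permits(req) for r in self.access_policy):
            return "Permit"
        return "Permit" if self._delegated(req, req.subject, self.max_depth, frozenset()) else "Deny"

    def _delegated(self, req: Request, delegatee: str, depth: int, seen: FrozenSet[str]) -> bool:
        """Follow delegation chains up to max_depth; 'seen' breaks cycles. The delegator's own
        rule, Condition included, is checked against the delegatee's request, so a delegation
        never confers more than the delegator holds (Clare may still only add her own IP)."""
        if depth == 0 or delegatee in seen:
            return False
        seen = seen | {delegatee}
        for d in self.delegations:
            if d.delegatee == delegatee and d.service == req.service and d.action == req.action:
                if any(r.permits(replace(req, subject=d.delegator)) for r in self.access_policy):
                    return True
                if self._delegated(req, d.delegator, depth - 1, seen):
                    return True
        return False

# -- constructed sample data (assumed; not the paper's Table 1) --
RULESET_DENY_FIRST = "telnetd: 143.239.212.071: deny\ntelnetd: 143.239.212.071,143.239.212.072: allow\n"
RULESET_ALLOW_FIRST = "telnetd: 143.239.212.071,143.239.212.072: allow\ntelnetd: 143.239.212.071: deny\n"

def build_demo_pdp(max_depth: int = 3) -> PDP:
    """Bob may 'add' his own IP to telnetd/imapd; Bob delegates imapd 'add' to Clare, Clare to Dave."""
    policy = [AccessRule("bob", {"telnetd", "imapd"}, {"add"}, own_ip_only)]
    delegations = [Delegation("bob", "clare", "imapd", "add"),
                   Delegation("clare", "dave", "imapd", "add")]
    return PDP(policy, delegations, max_depth)
```

Two design choices are worth noting. First, `wrapper_decision` stops at the first rule whose daemon and client list match, which is exactly why the paper's two rule sets give opposite answers for 143.239.212.071 and why the PDP cannot simply look for any allow rule in the file. Second, a delegation is honoured only if the delegator's own access rule, including its Condition, permits the delegatee's request, and chains are bounded by `max_depth` and a `seen` set; this keeps delegated rights no broader than the delegator's and makes the delegation-depth cost mentioned in Section 5.2 explicit rather than unbounded.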