Journal of Computer Applications ›› 2023, Vol. 43 ›› Issue (4): 1142-1150.DOI: 10.11772/j.issn.1001-9081.2022030453
Cyber security
Qun WANG, Quan YUAN, Fujuan LI (corresponding author), Lingling XIA
Received: 2022-04-08
Revised: 2022-06-13
Accepted: 2022-06-15
Online: 2023-04-11
Published: 2023-04-10
Contact: Fujuan LI
About author: WANG Qun, born in 1971 in Tianshui, Gansu, Ph.D., professor, CCF member. His research interests include cyberspace security, network architecture and protocols.
Qun WANG, Quan YUAN, Fujuan LI, Lingling XIA. Review of zero trust network and its key technologies[J]. Journal of Computer Applications, 2023, 43(4): 1142-1150.
URL: https://www.joca.cn/EN/10.11772/j.issn.1001-9081.2022030453
Tab. 1 Comparison between perimeter-based security model and zero trust model

Model | Design idea | Implementation | Trust relationship | Resource identification | Object of authentication and authorization | Authentication mode | Basis of the model | Drawbacks |
---|---|---|---|---|---|---|---|---|
Perimeter security model | Build a security wall between trusted and untrusted resources | Manual configuration by administrators | Hosts on the internal network trust each other; internal and external networks do not trust each other | Network address or physical location | User name or device name | Connect first, then authenticate | Rule base of the perimeter security devices | Lacks comprehensive protection and enforcement of security policies |
Zero trust security model | Give every resource the ability to protect itself | Intelligent, automated processing | Trust is established independently of location; no trust relationship exists between hosts | Identification of traffic (with strong encryption) | A composite of users, devices, systems, applications, traffic, etc. | Authenticate first, then connect | The control plane notifies the data plane to accept or reject a request | Not a product but a set of architectural concepts and principles based on network security requirements and constraints |
Tab. 2 Comparison of RBAC, ABAC and TBAC applications in zero trust network

Access control technology | Main advantages | Main disadvantages |
---|---|---|
RBAC | Simplifies user privilege management, reduces system overhead and is easy to implement | Role design is a major challenge in complex environments; fine-grained dynamic authorization is hard to achieve |
ABAC | Removes the tight coupling between roles and identities; can achieve least-privilege management | Entity attributes are hard to specify in detail; policy configuration is complex |
TBAC | Binds access rights to tasks, so rights expire when the task ends; the access process has a time window, enabling fine-grained management | Random decomposition of tasks is difficult; controlling access subjects is hard |
Tab. 3 Comparison of main implementation methods of micro segmentation technology

Implementation method | Security control method | Basis for policy enforcement | Environment dependency |
---|---|---|---|
Physical security device | Establishes a physical boundary | Packet headers, content and behaviour | None |
Host agent | Installs agent software | Inbound and outbound traffic, host applications, host configuration information, etc. | Depends on the host operating system |
Soft switch | Based on switching technologies (e.g. VLAN, ACL) | Packet identification and control at the NIC (including virtual NICs) | Depends on the soft-switch implementation |
Hypervisor | Security software on the virtual machine | The virtual NIC identifies host identity, packets and content | Depends on the virtual machine's API |