Found 19 similar articles; search time 187 ms
1.
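Research on the IPsec Architecture and Its Policy Management Mechanism (Total citations: 2, self-citations: 0, citations by others: 2)
As requirements for network security grow ever higher, IPsec has become the cornerstone of the Internet security architecture; if implemented correctly, IPsec has no adverse effect on hosts and networks that do not support it. This paper first describes and analyzes the IPsec architecture, then studies the policy management component in light of shortcomings in current communications, and discusses an SPS-based IPsec policy management mechanism using Windows 2000 as the environment.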
2.
3.
4.
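The way policies are configured in current IPsec policy systems is likely to cause policy conflicts. Based on an analysis and comparison of existing policy generation algorithms, a right-aligned policy generation algorithm is proposed which, while effectively resolving policy conflicts and obtaining the minimum number of generated policies, further reduces the number of policies needed for a communication process that satisfies all protection requirements.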
5.
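This paper discusses the architecture of policy-based management and analyzes policy communication, transport protocols, interoperability, and extensibility in implementing policy-based management.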
6.
7.
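Policy translation is currently one of the difficult problems in policy management research. For policies represented as data structures, the concept of a policy-structure five-tuple is proposed, an extensible lexicon is added, XML is used to describe policy structures uniformly, and a general-purpose script analysis module is designed to support the policy structures of different device types, achieving transparent policy translation and improving the scalability, uniformity, and transparency of policy management.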
8.
9.
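This paper discusses the architecture of policy-based management and analyzes policy communication, transport protocols, interoperability, and extensibility in implementing policy-based management.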
10.
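The next-generation Internet will be based on IPv6, and IPv6 implementations must support IPsec. IPsec provides two security mechanisms: encryption and authentication. This paper focuses on an in-depth analysis of the IPsec security architecture, the functions of its components, and the relationships among them, and offers new views on how IPsec works in IPv6 and on issues in its deployment and application. Finally, it summarizes the security properties IPsec brings to the IPv6-based next-generation Internet and the challenges it will face.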
11.
We discuss the strengths and weaknesses of existing tools with respect to the Internet Protocol security (IPsec) name mapping problem: how to ensure a correct mapping between application-layer target names and network-layer target names. We show that DNSSEC is neither necessary nor sufficient for solving the IPsec name mapping problem. We describe design and implementation results for new techniques that are applicable to legacy applications to partially or completely solve the IPsec name mapping problem. As a corollary, we obtain programming recommendations that make it easier to apply these techniques. We show how the set of current IPsec policy parameters can usefully be expanded. We give a prototype of a modified lookup API and argue that the modified API is the preferred long-term solution to the IPsec name mapping problem. We also cover the implications for IPsec key management. Finally, we summarize the environments where IPsec is being used today and discuss which IPsec name mapping techniques are most appropriate for these environments.
12.
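Research and Implementation of a Policy-Based Network Management Model (Total citations: 7, self-citations: 0, citations by others: 7)
Policy-based network management supports dynamic extension of the management system and is being increasingly studied and applied. The paper first presents a policy-based network management model, then defines the architecture of the policy server and a policy-based network management framework that supports cooperation. The framework lets administrators decompose a task, describe the subtasks as policies, and distribute the policies to policy servers, which interpret and execute them. Policy servers in multiple domains can send and receive messages to run in coordination and complete global management tasks, and administrators can modify policies dynamically to adapt to changes in the system.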
13.
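An Entity Security Architecture for Computer Networks (Total citations: 12, self-citations: 0, citations by others: 12)
An entity security architecture (ESA) for computer networks is proposed. The paper describes the constituent entities of a computer network and discusses the allocation of security functions among them. Based on ESA, the concept of policy-based security management (PBSM) is proposed, including the definition of three layers of security policy: organizational abstract security policy, global automated security policy, and local executable security policy. Three management stages of PBSM are also proposed: formulation, enforcement, and verification, so that the network is managed as a whole and security management becomes systematic and automated. Applying the entity security architecture, the paper analyzes the shortcomings of existing network security services and the problems in security management, and points out the further research needed to realize ESA.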
14.
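Wang Feng 《Computer Engineering and Applications》2007,43(1):6-8,23
Resolving policy conflicts is one of the prerequisites for the normal operation of a policy-based network management system. This paper proposes a network-element-based policy conflict resolution method that constructs a policy priority relation matrix per network element to resolve the policy conflicts related to that element. The method avoids computation on large matrices and thereby reduces the computational cost of the policy-based network management system. Experiments verify that the method effectively resolves the policy conflicts present in policy-based network management systems.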
15.
Policy driven management for distributed systems (Total citations: 22, self-citations: 0, citations by others: 22)
Morris Sloman 《Journal of Network and Systems Management》1994,2(4):333-360
Separating management policy from the automated managers which interpret the policy facilitates the dynamic change of behavior of a distributed management system. This permits it to adapt to evolutionary changes in the system being managed and to new application requirements. Changing the behavior of automated managers can be achieved by changing the policy without having to reimplement them—this permits the reuse of the managers in different environments. It is also useful to have a clear specification of the policy applying to human managers in an enterprise. This paper describes the work on policy which has come out of two related ESPRIT funded projects, SysMan and IDSM. Two classes of policy are elaborated—authorization policies define what a manager is permitted to do and obligation policies define what a manager must do. Policies are specified as objects which define a relationship between subjects (managers) and targets (managed objects). Domains are used to group the objects to which a policy applies. Policy objects also have attributes specifying the action to be performed and constraints limiting the applicability of the policy. We show how a number of example policies can be modeled using these objects and briefly mention issues relating to policy hierarchy and conflicts between overlapping policies.
16.
Leonidas Lymberopoulos Emil Lupu Morris Sloman 《Journal of Network and Systems Management》2003,11(3):277-303
This paper presents a framework for specifying policies for the management of network services. Although policy-based management has been the subject of considerable research, proposed solutions are often restricted to condition-action rules, where conditions are matched against incoming traffic flows. This results in static policy configurations where manual intervention is required to cater for configuration changes and to enable policy deployment. The framework presented in this paper supports automated policy deployment and flexible event triggers to permit dynamic policy configuration. While current research focuses mostly on rules for low-level device configuration, significant challenges remain to be addressed in order to: a) provide policy specification and adaptation across different abstraction layers; and, b) provide tools and services for the engineering of policy-driven systems. In particular, this paper focuses on solutions for dynamic adaptation of policies in response to changes within the managed environment. Policy adaptation includes both dynamically changing policy parameters and reconfiguring the policy objects. Access control for network services is also discussed.
17.
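An IPsec Security Policy-Oriented VPN Performance Evaluation Model (Total citations: 4, self-citations: 0, citations by others: 4)
The complex semantics of IPsec security policies make IPsec VPN performance analysis more difficult. To address the problem that IPsec VPN performance analysis lacks a framework and therefore cannot guarantee a valid evaluation, a VPN performance evaluation model based on IPsec security policy is proposed. The model builds an extensible virtual VPN environment, improves the controllability of VPN performance by maintaining IPsec security policies, and uses multithreaded concurrency control to collect statistics in parallel. Finally, experiments verify the model's reliability and usability in VPN performance evaluation.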
18.