The Dynamic Endpoint-Based Access Control Model on VPN

摘要

Today more and more organizations use Virtual Private Network (VPN) to implement their private communication. By tunneling, a dynamic virtual topology is constituted. Users can access various resources far and near through VPN. Sophisticated environments and behaviors bring the new challenge to access control for VPN. Traditionally access control models for VPN focus on the content of workflow, ignoring the outside environment factors. When locating different environments, client could have dissimilar security status, but it is hard for common VPN to sense these varieties. Thereby, some hidden troubles may exist. To address this problem, this paper presents a novel Dynamic Endpoint-Based Access Control (DEBAC) approach based on Role Based Access Control (RBAC). Because of the endpoint model introduced, DEBAC extends traditional RBAC to include the notion of both environments and behaviors and tries to implement a more flexible and comprehensive protection mechanism. The framework and prototype of DEBAC is interpreted and detailed in this paper. Finally, we give the analysis about an instance of our prototype and discuss an experiment about the DEBAC model.