Design and Implementation of Secure Subnet Inside of Data Sensitive Network ()
Abstract
Sensitive data leak can cause significant loss for some organizations, especially for technology intensive companies and country security departments. Traditional mandatory access control (MAC) can only control whether the user can access the sensitive data or not, and cannot prevent the user to leak or spread the data. So even designed impeccable access control policies, we still cannot prevent inside leak. A nature solution is using physical isolation to prevent sensitive data from being leaked outside network; however inside the physical isolated network, data still can be spread from one subnet to another. We present Secure Subnet System, a BLP model base security system that can provide more strong access control, which is called mandatory action control. In our system after a user read sensitive data, system will dynamically change security policies to prevent the user to leak these data or spread the data outside to another subnet. We use a state machine model to describe our system, and use secure transfer equations to dynamically calculate the system policies for each new state. Our model can be proved to be secure by formal methods. We implemented a demon of our system. In this paper we also show the design details of the demon and evaluate the demon both from security and performance. The evaluation results show that the output of the security tests case are under expected; and the performance test case show that, for the 64KB IO chunk size, IO read loss can be improved to 6.6%, IO write loss can be improved to 1.2% after optimization.
Share and Cite:
H. Xue, Y. Zhang, Z. Guo and Y. Dai, "Design and Implementation of Secure Subnet Inside of Data Sensitive Network,"
Journal of Software Engineering and Applications, Vol. 6 No. 3B, 2013, pp. 51-57. doi:
10.4236/jsea.2013.63B012.
Conflicts of Interest
The authors declare no conflicts of interest.
References
|
[1]
|
Jack Brassil, “Physical Layer Network Isolation in Mul-ti-tenant Clouds”, IEEE 30th International Conference on Distributed Computing Systems Workshops 2010.
|
|
[2]
|
Charles J. Trantanella, “A novel power di-vider with enhanced physical and electrical port isola-tion”, Microwave Symposium Digest (MTT), 2010 IEEE MTT-S International;
|
|
[3]
|
Wan Guoping, “Network isolation and NetGap”, China machine press.
|
|
[4]
|
RS Sandhu, EJ Coyne, HL Feinstein, CE Youman; Role-based access control models; IEEE Comput., Vo-lume (29), Page(s): 38 - 47, Feb 1996.
|
|
[5]
|
Haiwei Xue, Yiqi Dai; A privacy protection model for transparent computing system; International Journal of Cloud Com-puting, Volume 1, Pages 367-384.
|
|
[6]
|
Haiwei Xue, Xiong Liu, Yiqi Dai, “A privacy protection model on internal networks”, 13th IEEE Joint International Com-puter Science and Information Technology Conference 2011.
|
|
[7]
|
Intel Corporation, “Preboot Execution Envi-ronment (PXE) Specification”, technical document of Intel Corporation 1999.
|
|
[8]
|
Bell D E, LaPadula L J., “Secure Computer System: Unified Exposition and MULTICS Interpretation[R]”, Bedford, MA: The MI-TRE Corporation, 1976.
|
|
[9]
|
Sitian Ge, Raoxue Zhang, YiqiDai, “L-BLP Security Model in Local Area Network”, Chinese of Journal Electrics, vol. 35. Pp. 1005-1008.
|
|
[10]
|
http://en.wikipedia.org/wiki/Software-defined_networking
|
|
[11]
|
http://en.wikipedia.org/wiki/Command-line_interface
|