Networked information systems enable staff to search, use and maintain information across the network, improving daily office efficiency. At the same time, they pose an increasingly serious challenge to information security. Because of business needs, people on the one hand want the network to be fully connected so that their terminals can reach every resource they care about; on the other hand, they require the network to control access from networks of different origins and roles so that their resources are protected from unauthorized access and tampering. As networks have developed further, the conflict between network connectivity and security has increasingly become the focus of network users and network technicians.
To ensure network connectivity and information security at the same time, network technology has produced many security measures and techniques at different levels. Based on a brief analysis of the advantages and disadvantages of these technologies, this paper proposes a PACS-based solution.
1. Status Quo of Network Access Control Technology
1) MAC address filtering technology
A MAC address (physical address) directly identifies a network device and is the basis of current network data exchange. Most Layer 2 switches now support configuring MAC address filtering tables per physical port. Such a table restricts a port so that only packets from the network devices listed for that port are forwarded through it. MAC address filtering therefore ensures that only authorized MAC addresses can access network resources.
Because MAC address filtering is based on the unique identifier of the network device, it restricts the users of network resources at the most fundamental level. On the one hand, MAC address filtering places no high demands on switching equipment and has little impact on the performance of network devices; its configuration is relatively simple and suits small networks. On the other hand, it requires the administrator to record the MAC address of every network device in the network and to configure the filter table of every port as needed, and whenever a device's network adapter or physical location changes, the switch must be reconfigured. The maintenance burden on network administrators is therefore heavy, and it grows as the number of network devices increases.
MAC address filtering also carries a security risk: MAC address spoofing. Many NICs now allow their MAC address to be reconfigured, so an illegitimate user can set the MAC address of their own device to that of a valid user, pass the switch's check, and access network resources illegally.
2) VLAN Isolation Technology
VLAN (Virtual LAN) isolation is one way to prevent large numbers of broadcast packets from consuming network bandwidth and impeding the transmission of valid data once the number of devices in a network grows to a certain scale. It also ensures that security-sensitive departments cannot be accessed and browsed at will. Access control based on VLAN isolation is currently widely used in small and medium-sized enterprises and campus networks.
With VLAN isolation, the many network devices in a system can be divided into several virtual working groups. Devices in different groups are isolated at Layer 2, forming separate broadcast domains that confine broadcast traffic to their own domain. Because VLAN technology isolates between Layer 2 and Layer 3, different network users and resources can be grouped, and switches supporting VLANs isolate the data exchange between devices in different groups, achieving network security. Users on the same VLAN can communicate with each other; users on different VLANs are disconnected at the data link layer and can only reach each other through a Layer 3 router.
VLAN isolation also has an obvious drawback: the network administrator must specify the MAC address or IP address of the device connected to each physical switch port, divide the working groups as needed, and configure the switches accordingly. When the NIC, IP address or physical location of a terminal changes, several related network devices must be reconfigured. This increases the administrator's maintenance workload, so the approach is only applicable to small networks.
In terms of security, VLAN isolation can ensure isolation between physical devices. However, a given server can only be opened fully to several VLAN groups at once or to a single VLAN group, not to individual users. In practice a server often plays several roles and provides different services to users in multiple VLAN groups, which introduces security risks. For example, an e-commerce server of the marketing department stores customer data and at the same time acts as the finance department's database server storing financial data. The server must then be opened to marketing staff and finance staff simultaneously, and VLAN technology alone cannot prevent marketing staff from viewing the financial data (this risk can, of course, be addressed by other auxiliary means).
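The two limitations described in the MAC filtering and VLAN sections above can be seen in a small model. The following is an added example, not code from the paper: a toy Layer 2 switch with per-port MAC filter tables and VLAN membership. It shows that a MAC filter sees only the source address a frame claims, so it cannot tell the owner of an address from a device presenting a copy of it, and that VLAN isolation is granted per port rather than per user, so a server attached to both the marketing and finance VLANs exposes every service to every host in either VLAN. Host names, port names, MAC addresses, VLAN ids and the service table are constructed.

```python
"""Added example, not code from the paper: a toy model of a Layer 2 switch
with per-port MAC filter tables and VLAN membership. Names, MAC addresses,
VLAN ids and services are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Port:
    vlans: Set[int]                     # VLAN ids carried on this port
    allowed_macs: Optional[Set[str]]    # None = no MAC filtering on this port


class Switch:
    def __init__(self) -> None:
        self.ports: Dict[str, Port] = {}
        self.hosts: Dict[str, Tuple[str, str]] = {}   # host -> (port, its real MAC)

    def attach(self, host: str, port: str, mac: str, vlans, filter_mac: bool = True) -> None:
        self.ports[port] = Port(set(vlans), {mac} if filter_mac else None)
        self.hosts[host] = (port, mac)

    def admit(self, port: str, src_mac: str) -> bool:
        """Per-port MAC filter. Its only input is the address the frame carries,
        so a device presenting a copied address is indistinguishable from the owner."""
        allowed = self.ports[port].allowed_macs
        return allowed is None or src_mac in allowed

    def forward(self, ingress: str, src_mac: str, vlan: int) -> List[str]:
        """Egress ports for a frame; [] means the frame is dropped.
        Frames stay inside their VLAN: only ports carrying the same VLAN receive them."""
        if not self.admit(ingress, src_mac) or vlan not in self.ports[ingress].vlans:
            return []
        return sorted(p for p, cfg in self.ports.items()
                      if p != ingress and vlan in cfg.vlans)

    def reachable_hosts(self, src_host: str) -> List[str]:
        """Hosts that src_host can reach at Layer 2, i.e. without a router."""
        port, mac = self.hosts[src_host]
        egress: Set[str] = set()
        for vlan in self.ports[port].vlans:
            egress.update(self.forward(port, mac, vlan))
        return sorted(h for h, (p, _) in self.hosts.items() if p in egress)


# Intended audience of each service on the shared server (constructed): the
# e-commerce service is for marketing (VLAN 10), the finance database for finance (VLAN 20).
SERVICES: Dict[str, Dict[str, int]] = {"shared-srv": {"ecommerce": 10, "finance_db": 20}}


def unintended_exposure(sw: Switch, src_host: str, server: str) -> List[str]:
    """Services on `server` that src_host can reach although they were meant for
    another VLAN. VLAN membership is the only control, so once the server is
    reachable every service on it is reachable too."""
    if server not in sw.reachable_hosts(src_host):
        return []
    src_vlans = sw.ports[sw.hosts[src_host][0]].vlans
    return sorted(s for s, vlan in SERVICES[server].items() if vlan not in src_vlans)


def build_demo() -> Switch:
    sw = Switch()
    sw.attach("mkt-pc", "port1", "00:11:22:33:44:01", {10})          # marketing VLAN
    sw.attach("fin-pc", "port2", "00:11:22:33:44:02", {20})          # finance VLAN
    sw.attach("shared-srv", "port3", "00:11:22:33:44:03", {10, 20})  # server open to both VLANs
    return sw


if __name__ == "__main__":
    sw = build_demo()
    print(sw.forward("port1", "00:11:22:33:44:99", 10))    # unlisted MAC: dropped -> []
    print(sw.forward("port1", "00:11:22:33:44:01", 10))    # listed MAC: ['port3']
    print(sw.reachable_hosts("mkt-pc"))                    # ['shared-srv']; fin-pc is isolated
    print(unintended_exposure(sw, "mkt-pc", "shared-srv")) # ['finance_db']
```

The second `forward` call is the same whether the frame comes from the registered PC or from any device that has been given the same address, which is exactly the spoofing gap the text describes; and `unintended_exposure` shows that the moment the shared server is placed in the marketing VLAN, the finance database on it is reachable from marketing hosts even though no marketing user was ever granted it.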
3) Access Control List (ACL) Technology
ACLs are widely used on routers; they are a packet-filter-based traffic control technology. A standard access control list uses the source address, destination address and port number as the basic elements of packet inspection and specifies whether packets meeting the conditions are allowed to pass. ACLs are usually applied at the egress of an enterprise network, where they effectively enforce the enterprise's outbound network policy. As the network resources inside the LAN have grown, some enterprises have begun to use ACLs to control access to LAN resources and so secure them.
ACL technology effectively controls network users' access to network resources at Layer 3. It can be applied to network applications between two network devices or to broad access control by network segment, providing an effective security means for network applications.
On the one hand, using ACL technology the network administrator must identify the IP subnet of every host and workstation and confirm the access relationships between them, which suits networks with a limited number of terminals. For large networks, a great deal of IP address space is wasted to accomplish some of the access control, and the huge number of terminals also increases the complexity and difficulty of management. On the other hand, maintaining ACLs is not only time-consuming but also adds considerably to router overhead. Access control lists are highly strategic and involve the overall planning of the network; their use demands a high level of technical competence from the staff who develop the policies and plan the network. Whether ACL technology is used, and to what extent, is therefore a trade-off between management benefit and network security.
4) Firewall Control Technology
Firewall technology first divides the network into an intranet and an external network. By analysing the protocol composition of each communication between the intranet and the outside, it obtains the host IP addresses and upper-layer port numbers with which to plan and control business flows.
On the one hand, firewall technology constrains access as far as possible by source IP address, destination IP address, source port number and destination port number, thereby restricting each business flow. It requires the network administrator to specify the source and destination addresses of each service, along with its protocol and even its upper-layer ports. Building an effective firewall system therefore demands considerable technical skill and workload from the management personnel; on the other hand, a firewall device that must achieve high data throughput is also expensive. In practice, firewalls are usually used for egress security of the whole system and rarely for protecting the internal network.
By setting packet filtering rules, a firewall can grant local or remote users authorized access to network resources. A packet-filtering firewall rule set consists of several rules covering how every packet entering or leaving the firewall is handled, with a default action for packets that no rule clearly defines. Filter rules are easy to understand, edit and modify, and a consistency check mechanism prevents conflicts between them.
IP packet filtering is based on the source and destination addresses in the IP header. For example, when the protocol field of the IP header indicates ICMP, TCP or UDP, the data is filtered on the ICMP header information (type and code values), the TCP header information (source and destination ports) or the UDP header information (source and destination ports). Application-layer protocol filtering mainly includes FTP filtering, filtering of RPC-based application services, filtering of UDP-based application services, and dynamic packet filtering technology.
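The ACL and packet-filtering firewall sections above describe the same mechanism: an ordered list of rules keyed on protocol, addresses and ports, a default action for anything no rule covers, and a consistency check. The following added example (not code from the paper or from any vendor's ACL syntax) implements that mechanism: first match wins, unmatched packets fall through to the default, and `shadowed_rules` reports rules that can never fire because an earlier rule already covers everything they would match. The networks, ports and rules are constructed sample data.

```python
"""Added example, not code from the paper or any vendor: an ordered packet
filter of the kind ACLs and packet-filtering firewalls implement. Rules,
networks and ports are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str = "any"               # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"           # source network (CIDR)
    dst: str = "0.0.0.0/0"           # destination network (CIDR)
    dport: Optional[int] = None      # TCP/UDP destination port, None = any
    icmp_type: Optional[int] = None  # ICMP type, None = any

    def matches(self, pkt: dict) -> bool:
        if self.proto != "any" and pkt["proto"] != self.proto:
            return False
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        return True


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matching b also matches a (checked field by field)."""
    return ((a.proto == "any" or a.proto == b.proto)
            and ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and (a.dport is None or a.dport == b.dport)
            and (a.icmp_type is None or a.icmp_type == b.icmp_type))


class PacketFilter:
    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        self.rules = list(rules)
        self.default = default   # action for packets that no rule clearly defines

    def decide(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """First matching rule wins; returns (action, rule index), index None = default."""
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, i
        return self.default, None

    def shadowed_rules(self) -> List[int]:
        """Consistency check: indices of rules that can never fire because an
        earlier rule already covers every packet they would match."""
        return [j for j, later in enumerate(self.rules)
                if any(covers(earlier, later) for earlier in self.rules[:j])]


# Constructed LAN policy: clients in 10.1.0.0/16, servers in 10.2.0.0/24.
EXAMPLE_FILTER = PacketFilter([
    Rule("permit", "tcp", "10.1.0.0/16", "10.2.0.10/32", dport=443),  # HTTPS to the web server
    Rule("deny", "any", "10.1.0.0/16", "10.2.0.0/24"),                # nothing else into the server segment
    Rule("permit", "icmp", icmp_type=8),                              # echo request everywhere else
    Rule("permit", "tcp", "10.1.5.0/24", "10.2.0.10/32", dport=443),  # redundant: already covered by rule 0
])


if __name__ == "__main__":
    f = EXAMPLE_FILTER
    print(f.decide({"proto": "tcp", "src": "10.1.5.7", "dst": "10.2.0.10", "dport": 443}))  # ('permit', 0)
    print(f.decide({"proto": "tcp", "src": "10.1.5.7", "dst": "10.2.0.10", "dport": 22}))   # ('deny', 1)
    print(f.decide({"proto": "udp", "src": "192.168.1.1", "dst": "10.2.0.10", "dport": 53}))  # ('deny', None)
    print(f.shadowed_rules())                                                               # [3]
```

Note that an ICMP echo request from a 10.1.0.0/16 client to the server segment is denied by rule 1 before rule 2 is ever consulted: ordering is part of the policy, which is why the text stresses that ACL design requires careful planning, and why a shadowing check like the one above is worth running whenever a rule set is edited.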
2. PACS Solution
The preceding analysis shows that management methods such as MAC address filtering all need to fix the network attributes of the managed object, such as its MAC address or VLAN tag. This requires network administrators to register and configure a series of network devices (switches, servers and PCs), and it deprives the network of flexibility and mobility.
To address this problem, we urgently need a method that makes full use of IEEE 802 LAN technology, is simple and cost-effective, can verify the legitimacy of network users or network devices seeking access, can distinguish their permissions to use network services and network resources, and can monitor their network activity throughout.
PACS (Policy-based Access Control System) solutions form a user-oriented policy management system from the user's perspective. PACS can be used independently or in concert with existing network security technologies to form an organic whole, and it effectively protects network services and network resources. PACS no longer relies on the physical characteristics of networks or devices; it controls permissions based on the identity and password of the network visitor, achieving dynamic network control and providing an effective technical guarantee for the strategic management of network systems.
1) PACS Structure Level
A policy-based access control system (PACS) organically integrates network user authentication, dynamic access control and dynamic network bandwidth allocation, breaking the deadlock between management efficiency and network security in LAN construction and maintenance and ensuring that network resources are both effectively protected and efficiently used. PACS abandons the static dependence of earlier access control techniques on one or more network attributes; instead it dynamically establishes an association between a user name and password and the user's terminal, and controls the user's network behaviour on that basis. It breaks with the original device-centred management mode and adopts the concepts of pre-designed policies, real-time automatic configuration and dynamic access control, eliminating the security-management overhead caused by network users moving around.
Hierarchically, PACS can be divided into four layers: the network user layer, the access layer, the core layer and the resource provision layer, forming a "pyramid" from the bottom up. The network user layer consists of the many terminals and workstations in the network; the access layer is the collection of network devices that connect to and interconnect those terminals and workstations (such as secondary switches and hubs); the core layer is the collection of network devices that aggregate the access layer into the network as a whole (such as servers, routers and firewalls).
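The PACS idea described above, a pre-designed policy keyed to the authenticated user rather than to a device attribute, with the user-terminal association created dynamically at login, can be made concrete in a few dozen lines. The following is an added example in that spirit; it is not PACS's own code, and the accounts, passwords, roles, terminal identifiers, resources and bandwidth figures are constructed. Passwords are stored as salted PBKDF2 hashes and compared in constant time; the decision for a terminal depends only on who is currently logged in there, so a user who moves to another terminal keeps their permissions without any switch, VLAN or ACL being reconfigured.

```python
"""Added example in the spirit of the PACS description; not PACS's own code.
Accounts, roles, policy, terminals and bandwidth figures are constructed."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "role": role}


# User directory (constructed sample accounts).
USERS: Dict[str, dict] = {
    "alice": make_user("alice-pass-1", "finance"),
    "bob": make_user("bob-pass-2", "marketing"),
}

# Pre-designed policy: the (resource, service) pairs each role may use, and the
# bandwidth each role is granted while its session is active.
POLICY: Dict[str, set] = {
    "finance": {("shared-srv", "finance_db"), ("shared-srv", "ecommerce")},
    "marketing": {("shared-srv", "ecommerce")},
}
BANDWIDTH_KBPS: Dict[str, int] = {"finance": 10_000, "marketing": 4_000}


class PolicyController:
    def __init__(self) -> None:
        # Dynamic association: terminal identifier -> (user, session token).
        self.sessions: Dict[str, Tuple[str, str]] = {}

    def login(self, username: str, password: str, terminal: str) -> Optional[str]:
        """Authenticate the user and bind them to the terminal they are using."""
        rec = USERS.get(username)
        if rec is None:
            return None
        if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
            return None
        token = secrets.token_hex(16)
        self.sessions[terminal] = (username, token)   # one active user per terminal
        return token

    def logout(self, terminal: str) -> None:
        self.sessions.pop(terminal, None)             # the binding ends with the session

    def authorize(self, terminal: str, resource: str, service: str) -> bool:
        """The decision depends on who is logged in at the terminal, not on the terminal."""
        sess = self.sessions.get(terminal)
        if sess is None:
            return False                              # unauthenticated terminal gets nothing
        role = USERS[sess[0]]["role"]
        return (resource, service) in POLICY[role]

    def bandwidth(self, terminal: str) -> int:
        """Bandwidth allocated to the terminal for the duration of the session (kbit/s)."""
        sess = self.sessions.get(terminal)
        return BANDWIDTH_KBPS[USERS[sess[0]]["role"]] if sess else 0


if __name__ == "__main__":
    pc = PolicyController()
    pc.login("alice", "alice-pass-1", "term-A")
    print(pc.authorize("term-A", "shared-srv", "finance_db"))  # True: finance user
    pc.login("bob", "bob-pass-2", "term-B")
    print(pc.authorize("term-B", "shared-srv", "finance_db"))  # False: marketing user
    pc.logout("term-A")
    pc.login("alice", "alice-pass-1", "term-B")                 # alice moves to another terminal
    print(pc.authorize("term-B", "shared-srv", "finance_db"))  # True: permission follows the user
    print(pc.authorize("term-A", "shared-srv", "ecommerce"))   # False: nobody is logged in there
```

Compare this with the VLAN case earlier in the paper: there the finance database was exposed to every marketing host because the server had to be placed in the marketing VLAN; here a marketing login at any terminal is refused the finance database and a finance login at any terminal is granted it, with the network's physical configuration untouched.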
2) Functional Structure of PACS
The focus of LAN information security is to effectively protect the resource provision layer and to ensure that these limited resources are provided to LAN users reasonably and efficiently. On the one hand, the closer the core means of network security sit to the resource provision layer, the stronger their protective capability; on the other hand, the fewer devices there are at the core layer, the lower the equipment and management cost of deploying protection for network resources on those few devices. Providing information security protection at the core layer is therefore the most cost-effective solution.