PhD Theses at KOM

Eine policybasierte Zugriffskontrollarchitektur für das Multi Service Internet (A policy-based access control architecture for the multi-service Internet)

Christoph Rensing

Tuesday July 15, 2003

English abstract:

Commercial providers of Internet services must be able to adapt their business plans in order to react immediately to market changes and to introduce new services quickly. They therefore require a flexibly configurable generic system that can be used for controlling access to, and for billing/charging of, a variety of services. The access control architecture developed in this dissertation, called the AX architecture, provides the basis for such a generic system. In this study, the requirements relating to authentication and authorization as sub-functions of access control have been investigated. These requirements result from the design of a business plan as a provider's top-level policy. A policy model has been developed which describes the relationships between the various aspects of the business plan and the functions of access control and billing/charging from both a systematic and an operative perspective. A dedicated policy language serves to specify the policies used to configure both the access control and the billing/charging systems within the AX architecture. Three existing concepts were combined to produce the architectural design:

- Access control and billing/charging are treated as distinct support services and are separated from the end-user services. The generic mode of operation of the AX server is independent of the services to be controlled, so a single AX server can control access to Internet logins as well as access to content and Internet-based applications.
- By defining a policy, the service provider decides how access control and billing/charging are to be executed for a given end-user service. The paradigm of policy-based management is thus applied to the access control system.
- The functions of access control and billing/charging are modularised and executed within the architecture by independent policy enforcement points. This strict modularisation makes it possible, among other things, to exchange the security mechanisms in use.

The three concepts employed define the abstract representation of the AX architecture and its overall functionality. The research reported here provides a more concrete representation: the individual components of the architecture and their respective functions were defined, and the realisation of the most important components was studied in detail. The system's interfaces, as well as the data objects and the categories of messages exchanged between the systems and/or their components, were defined, and message sequence diagrams give an exact description of the mode of operation of an AX system. Various organisational models that can be realised in the AX architecture describe access control for mobile service users. To evaluate the architecture, several typical application cases were analysed and, for each case, the deployment of an AX system was compared with the use of existing systems. At present, service providers who want to realise access control and billing/charging have to combine several of the systems presented in the application scenarios at the start of this thesis. All of them can be replaced by uniform AX systems with only minimal loss of performance. AX systems also support access control and billing/charging for new services and take into account the different business plans of their providers.
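The three design concepts above (a generic server that is independent of the end-user service, a provider policy that selects how access control and charging are carried out per service, and independent, exchangeable policy enforcement points) can be illustrated with a small model. The following is an added example written for this page, not code, policy language or interfaces from the thesis; the policy format, the PEP names, the users, tokens and tariffs are all assumptions made for the illustration.

```python
"""Added illustration of a policy-based access control architecture: a generic
AX-style server evaluates a provider policy and runs independent policy
enforcement points (PEPs) for authentication, authorization and charging.
Policy format, PEP names and sample data are hypothetical (constructed for
this example), not the thesis's own policy language or interfaces."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    service: str      # end-user service, e.g. "login" or "content"
    resource: str     # what is requested within that service
    credential: str   # password or token, depending on the policy
    units: int = 1    # units to charge (minutes, downloads, ...)


@dataclass
class Decision:
    allowed: bool
    reason: str
    charged: float = 0.0


# --- Constructed sample data (hypothetical users, key and tariffs) ---
def _pw_hash(salt: str, password: str) -> str:
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


USERS = {  # user -> salted password hash, subscription plan, prepaid balance
    "alice": {"salt": "s1", "hash": _pw_hash("s1", "correct horse"), "plan": "premium", "balance": 5.0},
    "bob":   {"salt": "s2", "hash": _pw_hash("s2", "hunter2"),       "plan": "basic",   "balance": 0.5},
}
TOKEN_KEY = b"hypothetical-shared-key"


def make_token(user: str) -> str:
    """Token = user:HMAC(user); stands in for any token-based authentication."""
    return f"{user}:{hmac.new(TOKEN_KEY, user.encode(), 'sha256').hexdigest()}"


# --- Policy enforcement points: independent and exchangeable via the policy ---
class PasswordAuthPEP:
    def enforce(self, req, policy):
        acct = USERS.get(req.user)
        if acct is None or not hmac.compare_digest(acct["hash"], _pw_hash(acct["salt"], req.credential)):
            return False, "authentication failed", 0.0
        return True, "password ok", 0.0


class TokenAuthPEP:
    def enforce(self, req, policy):
        if req.user not in USERS or not hmac.compare_digest(make_token(req.user).encode(), req.credential.encode()):
            return False, "invalid token", 0.0
        return True, "token ok", 0.0


class AuthzPEP:
    def enforce(self, req, policy):
        plan = USERS.get(req.user, {}).get("plan")
        allowed = policy["access"].get(plan, ())
        if req.resource not in allowed and "*" not in allowed:
            return False, f"plan {plan} may not access {req.resource}", 0.0
        return True, "authorized", 0.0


class ChargingPEP:
    def enforce(self, req, policy):
        cost = policy["tariff"] * req.units
        acct = USERS[req.user]
        if acct["balance"] < cost:
            return False, "insufficient balance", 0.0
        acct["balance"] -= cost   # debit only after every earlier PEP has passed
        return True, f"charged {cost:.2f}", cost


PEPS = {"password": PasswordAuthPEP(), "token": TokenAuthPEP(),
        "authz": AuthzPEP(), "charging": ChargingPEP()}


class AXServer:
    """Generic server: knows nothing about the end-user services themselves,
    it only runs the PEP chain the provider's policy names for that service."""
    def __init__(self, policies):
        self.policies = policies

    def handle(self, req: Request) -> Decision:
        policy = self.policies.get(req.service)
        if policy is None:
            return Decision(False, f"no policy for service {req.service}")
        total = 0.0
        for name in policy["chain"]:
            ok, reason, charge = PEPS[name].enforce(req, policy)
            if not ok:
                return Decision(False, f"{name}: {reason}")
            total += charge
        return Decision(True, "granted", total)


# Hypothetical provider policies: the same server, different PEP chains.
POLICIES = {
    # login service: password authentication, any resource, charged per minute
    "login":   {"chain": ["password", "authz", "charging"],
                "access": {"basic": ("*",), "premium": ("*",)}, "tariff": 0.10},
    # content service: token authentication, plan-dependent content, charged per item
    "content": {"chain": ["token", "authz", "charging"],
                "access": {"basic": ("news",), "premium": ("news", "video")}, "tariff": 0.50},
}
server = AXServer(POLICIES)
```

Exchanging the authentication mechanism for a service is a policy change only (replace "password" with "token" in the chain); the server and the other PEPs are untouched, which is the point the modularisation argument makes.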
