论文信息 - Name-Level Approach for Egress Network Access Control

Name-Level Approach for Egress Network Access Control

Conventional egress network access control (NAC) at the network layer has two problems. Firstly, wild card “*” is not allowed for a policy. Secondly, we have to run a Web browser for authentication even if we do not use the Web. To solve these problems, this paper proposes a name-level method for egress NAC. Since it evaluates the policy at the DNS server, this method enables a wild card to be used in the policy. Since each DNS query message carries user identification by using Transaction Signature (TSIG), the authentication for any service is performed without Web browsers. The DNS server configures a packet filter dynamically to pass authorized packets. This paper describes the implementation of the DNS server, the packet filter, and the resolver of the method. Experimental results show that the method scales up to 160 clients with a DNS server and a router.

[1] Stephen Smalley,et al. Integrating Flexible Support for Security Policies into the Linux Operating System , 2001, USENIX Annual Technical Conference, FREENIX Track.

[2] Paul Resnick,et al. PICS: Internet access controls without censorship , 1996, CACM.

[3] Chris Vance,et al. The TrustedBSD MAC Framework: Extensible Kernel Access Control for FreeBSD 5.0 , 2003, USENIX Annual Technical Conference, FREENIX Track.

[4] Donald E. Eastlake,et al. DNS Request and Transaction Signatures ( SIG(0)s ) , 2000, RFC.

[5] Levon Esibov,et al. Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG) , 2003, RFC.

[6] Denis Pinkas,et al. The Simple and Protected GSS-API Negotiation Mechanism , 1998, RFC.

[7] Donald E. Eastlake,et al. Domain Name System Security Extensions , 1997, RFC.

[8] Donald E. Eastlake,et al. Secret Key Establishment for DNS (TKEY RR) , 2000, RFC.

[9] Ravi S. Sandhu,et al. Role-Based Access Control Models , 1996, Computer.

[10] D. B. Davis,et al. Sun Microsystems Inc. , 1993 .

[11] Marcus Leech. Username/Password Authentication for SOCKS V5 , 1996, RFC.

[12] Matt Ganis,et al. SOCKS Protocol Version 5 , 1996, RFC.

[13] Kenzi Watanabe,et al. An User Authentication Gateway System with Simple User Interface, Low Administration Cost and Wide Applicability , 2001 .

[14] Brian Wellington,et al. Secret Key Transaction Authentication for DNS (TSIG) , 2000, RFC.