Enterprise Network Packet Filtering for Mobile Cryptographic Identities

Firewalls are an essential component of Internet and enterprise network security policy enforcement today. The configurations of enterprise firewalls are typically rather static: even if clients' IP addresses can be added dynamically to the packet filtering rules, the services allowed through the firewall are commonly still fixed. In this paper, we present a transparent firewall configuration solution based on the mobile cryptographic identifiers of the Host Identity Protocol (HIP). HIP allows a client to protect its data transfer with IPsec ESP and supports dynamic address changes for mobile clients. The HIP-based firewall learns the identity of a client when the client communicates with the server over HIP, and configures the necessary rules based on the HIP control messages passing through it. The solution is secure and flexible, and introduces only minimal latency to the initial HIP connection establishment.
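As an added illustration, not code from the paper or from any HIP implementation, the following Python model shows how a firewall can derive its packet-filter state from HIP control messages instead of static rules: it follows the base exchange (I1, R1, I2, R2), records the ESP SPIs announced in I2 and R2, replaces a client's rules when it sends UPDATE after moving, and passes only ESP packets that match a learned (source, destination, SPI) tuple. The HIT names, addresses and SPI values are constructed, and verification of HIP signatures and puzzles is assumed to happen before packets reach this code.

```python
# Added example, not the paper's code: a minimal model of a HIP-aware firewall that learns
# client identities (HITs) and ESP SPIs from the HIP base exchange and UPDATE messages, then
# filters ESP by (src, dst, SPI). Packets are constructed dicts; HIP signature and puzzle
# verification is assumed to happen before process() is called.
BASE_EXCHANGE = ["I1", "R1", "I2", "R2"]   # message order fixed by the HIP specification

class HipFirewall:
    def __init__(self, allowed_client_hits, protected_server_hit):
        self.allowed, self.server = set(allowed_client_hits), protected_server_hit
        self.assoc, self.esp_rules = {}, {}  # HIT pair -> state; (src_ip, dst_ip, spi) -> HIT pair

    def process(self, pkt):
        if pkt["type"] == "ESP":   # data plane: only learned (src, dst, SPI) tuples pass
            return "ALLOW" if (pkt["src_ip"], pkt["dst_ip"], pkt["spi"]) in self.esp_rules else "DROP"
        hits = {pkt["src_hit"], pkt["dst_hit"]}
        client = (hits - {self.server}).pop() if self.server in hits and len(hits) == 2 else None
        if client not in self.allowed:
            return "DROP"          # identity not authorised to reach this server
        key = (client, self.server)
        st = self.assoc.setdefault(key, {"step": 0, "addr": {}, "spi": {}})
        if pkt["type"] in BASE_EXCHANGE and BASE_EXCHANGE.index(pkt["type"]) == st["step"]:
            st["step"] += 1
        elif pkt["type"] == "UPDATE" and st["step"] == len(BASE_EXCHANGE):
            # Host moved: drop its old rules, relearn below (a real firewall would first await the return-routability check)
            self.esp_rules = {r: k for r, k in self.esp_rules.items() if k != key}
        else:
            return "DROP"          # out-of-order, premature or unknown control message
        st["addr"][pkt["src_hit"]] = pkt["src_ip"]
        if "spi" in pkt:           # ESP_INFO: the SPI the peer must use when sending to this host
            st["spi"][pkt["src_hit"]] = pkt["spi"]
        if st["step"] == len(BASE_EXCHANGE):
            a, s = st["addr"], st["spi"]
            self.esp_rules[(a[client], a[self.server], s[self.server])] = key
            self.esp_rules[(a[self.server], a[client], s[client])] = key
        return "ALLOW"

def demo():
    # Constructed trace: authorised client HIT_A reaches server HIT_S, then changes its address.
    fw = HipFirewall({"HIT_A"}, "HIT_S")
    C, S, M = "10.0.0.5", "192.0.2.10", "10.1.0.9"      # constructed addresses
    hip = lambda t, a, b, sip, dip, **kw: dict(type=t, src_hit=a, dst_hit=b, src_ip=sip, dst_ip=dip, **kw)
    esp = lambda sip, dip, spi: dict(type="ESP", src_ip=sip, dst_ip=dip, spi=spi)
    trace = [esp(C, S, 0x2000),                                  # no association yet: DROP
             hip("I1", "HIT_A", "HIT_S", C, S), hip("R1", "HIT_S", "HIT_A", S, C),
             hip("I2", "HIT_A", "HIT_S", C, S, spi=0x1000),      # client's inbound SPI
             hip("R2", "HIT_S", "HIT_A", S, C, spi=0x2000),      # server's inbound SPI
             esp(C, S, 0x2000), esp(S, C, 0x1000),               # both directions now pass
             hip("UPDATE", "HIT_A", "HIT_S", M, S, spi=0x1001),  # client moved, new SPI
             esp(C, S, 0x2000), esp(M, S, 0x2000), esp(S, M, 0x1001),  # old address DROP, new ALLOW
             hip("I1", "HIT_X", "HIT_S", C, S)]                   # unauthorised identity: DROP
    return [fw.process(p) for p in trace]
```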
