Transparent identity-based firewall transition for eScience

As eScience concepts such as Grid computing and Cloud computing leave the research phase and move towards production quality, security eventually comes into focus. Up to now, security research has concentrated on authentication and authorization at the resources themselves; to improve network security more generally, however, access control must be pushed back to the entry point of the resource provider's network. This paper presents TCP-AuthN, an approach to dynamic firewall operation that uses the TCP three-way handshake to transport the user's authentication information to the firewall. This information lets the firewall authorize each connection establishment individually, based on the user's proven identity. To prevent man-in-the-middle and replay attacks, a challenge-response procedure must be completed before the connection is finally allowed. To distinguish the authentication information from application-level data, a new TCP option, tcpauthn, was designed. The approach is intended to withdraw the initial authorization decision from the resources, and therefore from the internal network, and move it to the firewalls that are employed to protect networks and services.
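
The following is an added worked example, not code from the paper or from the TCP-AuthN implementation: it simulates, at message level rather than by crafting packets, the flow the abstract describes, with the identity carried in a TCP option on the SYN, a fresh challenge from the firewall, and a response that must verify before the connection is allowed. Everything about the wire format is an assumption: option kind 253 (an experimental kind from RFC 4727) stands in for the real tcpauthn kind number, HMAC-SHA256 over a per-user pre-shared key stands in for certificate-based signing, and the message layout is ours. The identities, addresses and keys are constructed sample data.

```python
"""Simulated TCP-AuthN-style handshake: identity in a TCP option, then a
challenge-response before the firewall opens the connection.

Assumptions (not from the paper): option kind 253 (RFC 4727 experimental
kind) stands in for the real 'tcpauthn' kind; HMAC-SHA256 with a per-user
pre-shared key stands in for certificate-based signing; the TLV layout and
all sample identities, addresses and keys are constructed for this example."""
import hashlib
import hmac
import os
import struct

TCPAUTHN_KIND = 253          # placeholder kind, NOT the number the paper assigns
MAX_TCP_OPTION_SPACE = 40    # a TCP header can carry at most 40 bytes of options
MSG_IDENTITY, MSG_CHALLENGE, MSG_RESPONSE = 1, 2, 3
NONCE_LEN, MAC_LEN = 16, 16  # truncated MAC so each message fits in 40 bytes


def encode_option(msg_type: int, payload: bytes) -> bytes:
    """Build a kind/length/type/payload TLV as it would sit in the TCP header."""
    opt = struct.pack("!BBB", TCPAUTHN_KIND, 3 + len(payload), msg_type) + payload
    if len(opt) > MAX_TCP_OPTION_SPACE:
        raise ValueError("option would not fit in the TCP option space")
    return opt


def decode_option(opt: bytes):
    """Parse the TLV; reject anything that is not a well-formed tcpauthn option."""
    kind, length, msg_type = struct.unpack("!BBB", opt[:3])
    if kind != TCPAUTHN_KIND or length != len(opt):
        raise ValueError("not a well-formed tcpauthn option")
    return msg_type, opt[3:]


def bind(nonce: bytes, four_tuple: tuple, identity: bytes) -> bytes:
    """Data the client authenticates: the firewall's nonce bound to this flow
    and identity, so a response cannot be relayed onto another connection."""
    src, sport, dst, dport = four_tuple
    return nonce + f"{src}:{sport}>{dst}:{dport}".encode() + identity


class Firewall:
    def __init__(self, user_keys: dict):
        self.user_keys = user_keys   # identity -> key (stand-in for a PKI lookup)
        self.pending = {}            # four_tuple -> (identity, nonce)
        self.allowed = set()         # flows whose handshake completed successfully

    def on_syn(self, four_tuple, option: bytes) -> bytes:
        """SYN arrives: extract the claimed identity, answer with a fresh challenge."""
        msg_type, identity = decode_option(option)
        if msg_type != MSG_IDENTITY or identity not in self.user_keys:
            raise PermissionError("unknown identity or wrong message type")
        nonce = os.urandom(NONCE_LEN)    # fresh per handshake: defeats replay
        self.pending[four_tuple] = (identity, nonce)
        return encode_option(MSG_CHALLENGE, nonce)

    def on_response(self, four_tuple, option: bytes) -> bool:
        """Verify the response; only then is the connection allowed through."""
        msg_type, mac = decode_option(option)
        entry = self.pending.pop(four_tuple, None)   # one attempt per challenge
        if msg_type != MSG_RESPONSE or entry is None:
            return False
        identity, nonce = entry
        expected = hmac.new(self.user_keys[identity], bind(nonce, four_tuple, identity),
                            hashlib.sha256).digest()[:MAC_LEN]
        if hmac.compare_digest(mac, expected):
            self.allowed.add(four_tuple)
            return True
        return False


def client_response(key: bytes, challenge_option: bytes, four_tuple, identity: bytes) -> bytes:
    """Client side: answer the firewall's challenge for its own connection."""
    msg_type, nonce = decode_option(challenge_option)
    if msg_type != MSG_CHALLENGE:
        raise ValueError("expected a challenge")
    mac = hmac.new(key, bind(nonce, four_tuple, identity), hashlib.sha256).digest()[:MAC_LEN]
    return encode_option(MSG_RESPONSE, mac)


def run_handshake(fw: Firewall, key: bytes, identity: bytes, four_tuple):
    """Full exchange: SYN with identity -> challenge -> response -> decision."""
    challenge = fw.on_syn(four_tuple, encode_option(MSG_IDENTITY, identity))
    response = client_response(key, challenge, four_tuple, identity)
    return fw.on_response(four_tuple, response), response


def demo():
    """Returns (legit_allowed, replay_allowed, relay_allowed)."""
    key = b"alice-secret-key"                       # constructed sample key
    fw = Firewall({b"alice@grid": key})
    flow = ("10.0.0.5", 40000, "192.0.2.10", 2811)  # constructed sample flow
    ok, captured = run_handshake(fw, key, b"alice@grid", flow)

    # Replay: an eavesdropper reuses the captured response on a new handshake.
    # The firewall issued a new nonce, so the old MAC no longer verifies.
    fw.on_syn(flow, encode_option(MSG_IDENTITY, b"alice@grid"))
    replayed = fw.on_response(flow, captured)

    # Relay (man-in-the-middle): an attacker on another source address claims
    # Alice's identity and forwards the firewall's challenge to the real client.
    # Alice answers for her own 4-tuple, so the MAC does not match the attacker's.
    attacker_flow = ("203.0.113.7", 51000, "192.0.2.10", 2811)
    challenge = fw.on_syn(attacker_flow, encode_option(MSG_IDENTITY, b"alice@grid"))
    relayed_answer = client_response(key, challenge, flow, b"alice@grid")
    relayed = fw.on_response(attacker_flow, relayed_answer)
    return ok, replayed, relayed


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real deployment of the idea. The option must fit the 40 bytes of option space a TCP header offers, which is why the nonce and the MAC are truncated here; a certificate-based design has to solve the same size problem. And the challenge is bound to the 4-tuple as well as to the nonce, which is what turns a bare replay defence into a defence against relaying someone else's valid answer onto a different connection.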
