Abstract
Controlling access to enterprise resources is of utmost importance for the effective and secure functioning of an enterprise. Access control consists of authentication and authorization. The former verifies a user's or an entity's identity and credentials when access is attempted, whereas the latter determines which actions are allowed on the resources to which access has been granted. A modern enterprise has to provide resource access control (RAC) for a wide variety of resources, from (ISO/OSI) layer 1 to layer 7 (L1–L7). Typically, access to application, server, and storage (L7) resources is controlled by an application RAC (ARAC) system, and access to network resources by a network RAC (NRAC) system.
In an enterprise, ARAC and NRAC are performed separately. As a result, the frameworks or systems that manage them are also separate, which limits both the security and the effectiveness of RAC. Hence integration or interoperation of ARAC and NRAC is needed.
Access to resources is controlled via policies managed by a policy management framework (PMF) or system. Policies are specified in a policy specification language (PSL), whose policy elements include the subject attempting access, the resource to which the subject requests access, the action the subject wants to perform on the resource, the conditions a policy rule requires to be satisfied, and so on. Integration or interoperation of ARAC and NRAC requires an enhanced PSL model, in particular extended definitions of subject, resource, and policy rule. Two of the major components of a PMF are the policy decision point (PDP) and the policy enforcement point (PEP). The former typically resides outside the resources being access controlled, whereas the latter is embedded within the resource concerned. The PDP manages enterprise-wide centralized policies, whereas the PEP manages and enforces policies locally on the resource. A request by a subject to access a resource is intercepted by the PEP, which may then forward the request to a PDP for a (centralized) policy decision. In integrated or interoperated ARAC and NRAC (IA/NRAC), the PDP and PEP components of the two systems interact with each other, improving the security and effectiveness of enterprise-wide RAC. In addition, in an IA/NRAC, an ARAC PEP may be embedded within the network (in a network device or its OS).
Employing detailed use cases (involving policy specification and the interaction between PDP, PEP, and other components or entities), this chapter discusses the following: the functioning of ARAC and NRAC; their integration and interoperation; enhanced definitions of policy specification elements that provide a common model for ARAC and NRAC policy specification; network-based or network-embedded ARAC (an application PEP in the network); and possible use cases of IA/NRAC in a Cloud environment.
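The PDP/PEP interaction and the extended subject and resource definitions described above can be made concrete with a small policy engine. The following is an added example, not code from the chapter: it models an application PEP that intercepts a request, settles anything it can locally, and otherwise asks a centralized PDP, whose rules are combined XACML-style with deny-overrides. The integration point is that the subject carries both application attributes (user, role) and network attributes (802.1X authentication state, access VLAN), so an application rule can refuse a user whose device never passed network access control. Attribute names, the policy rules, and the sample requests are constructed for illustration.

```python
"""Toy PDP/PEP for an integrated application/network RAC policy (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# A request carries subject, resource and action attributes. In the integrated
# model the subject combines application identity (user, role) with network
# identity (802.1X state, VLAN), and the resource names both the L7 object and
# the network segment it lives on. All attribute names here are assumptions.
Attrs = Dict[str, object]


@dataclass
class Request:
    subject: Attrs
    resource: Attrs
    action: str


@dataclass
class Rule:
    name: str
    effect: str                          # "Permit" or "Deny"
    condition: Callable[[Request], bool]  # rule condition (policy element)


@dataclass
class Policy:
    rules: List[Rule]
    combining: str = "deny-overrides"    # XACML-style combining algorithm


class PDP:
    """Centralized decision point: evaluates the enterprise policy for a request."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy

    def decide(self, req: Request) -> str:
        effects = [r.effect for r in self.policy.rules if r.condition(req)]
        if not effects:
            return "NotApplicable"
        if self.policy.combining == "deny-overrides":
            return "Deny" if "Deny" in effects else "Permit"
        return "Permit" if "Permit" in effects else "Deny"   # permit-overrides


class PEP:
    """Enforcement point embedded in the resource: intercepts, decides locally
    where a local rule applies, otherwise forwards to the PDP and enforces."""

    def __init__(self, pdp: PDP, local_rules: Optional[List[Rule]] = None) -> None:
        self.pdp = pdp
        self.local = local_rules or []
        self.log: List[tuple] = []

    def intercept(self, req: Request) -> bool:
        for r in self.local:
            if r.condition(req):
                self.log.append((r.name, r.effect))
                return r.effect == "Permit"
        decision = self.pdp.decide(req)
        self.log.append(("pdp", decision))
        return decision == "Permit"       # fail closed on Deny and NotApplicable


# Constructed policy: reading the finance database needs the analyst role AND a
# device that passed 802.1X onto the corporate VLAN. The second rule is where
# the application PDP consumes network (NRAC) state about the subject.
POLICY = Policy(rules=[
    Rule("analyst-read-finance", "Permit",
         lambda q: q.subject.get("role") == "analyst"
         and q.resource.get("app") == "finance-db"
         and q.action == "read"),
    Rule("require-dot1x-on-corp-vlan", "Deny",
         lambda q: q.resource.get("app") == "finance-db"
         and not (q.subject.get("dot1x_authenticated") is True
                  and q.subject.get("vlan") == "corp")),
])


def evaluate(user: str, role: str, dot1x: bool, vlan: str,
             app: str = "finance-db", action: str = "read") -> bool:
    """Run one constructed request through a PEP backed by the PDP."""
    pep = PEP(PDP(POLICY))
    req = Request(subject={"user": user, "role": role,
                           "dot1x_authenticated": dot1x, "vlan": vlan},
                  resource={"app": app, "segment": "dc-finance"},
                  action=action)
    return pep.intercept(req)


if __name__ == "__main__":
    print(evaluate("alice", "analyst", True, "corp"))    # True
    print(evaluate("alice", "analyst", False, "guest"))  # False: app identity alone is not enough
    print(evaluate("bob", "intern", True, "corp"))       # False: no rule applies, fail closed
```

The second sample request is the case the abstract motivates: with separate ARAC and NRAC, the application PDP would see only the user's role and permit the read; with the extended subject definition it also sees that the device sits on the guest VLAN without 802.1X authentication and denies it.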
Notes
- 1.
We use the term framework to cover the following: software, hardware components (embedded in the resource or not), and systems, including operations support and management systems, protocols, and messaging formats. A proper framework is needed to support a particular feature (in this case, A/NRAC).
- 2.
Note that “centralized” does not preclude use of distributed or clustered architecture.
- 3.
A network access device (NAD) is an access switch or a wireless access point.
- 4.
A supplicant is the IEEE 802.1X component that resides in an end device attempting access to an enterprise network. The IEEE 802.1X authenticator (a PEP) resides in the NAD; it intercepts frames from the supplicant (the subject) and forwards them to a PDP (a RADIUS server) using the RADIUS protocol [4]. The authenticator then enforces PEP policies based on the decision returned by the PDP. This is a simplified description; the details are outside the scope of this chapter.
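The authenticator-to-PDP step of note 4 is a RADIUS Access-Request carrying the supplicant's EAP frame. The following added example (not from the chapter) builds that packet the way an authenticator would and verifies it the way the RADIUS server would: RFC 2865 framing, the EAP-Message attribute (type 79) and the HMAC-MD5 Message-Authenticator attribute (type 80) from RFC 3579, which is what stops an on-path party from altering the EAP payload between NAD and server. The shared secret, NAS address, port and user identity are constructed sample values.

```python
"""RADIUS Access-Request for an 802.1X EAP exchange (added example)."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST = 1            # RADIUS code, RFC 2865
USER_NAME = 1                 # attribute types, RFC 2865
NAS_IP_ADDRESS = 4
NAS_PORT = 5
NAS_PORT_TYPE = 61
EAP_MESSAGE = 79              # RFC 3579
MESSAGE_AUTHENTICATOR = 80    # RFC 3579
NAS_PORT_TYPE_ETHERNET = 15
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length covers the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP-Response/Identity as received from the supplicant over EAPOL."""
    return (struct.pack("!BBH", EAP_RESPONSE, eap_id, 5 + len(identity))
            + bytes([EAP_TYPE_IDENTITY]) + identity)


def build_access_request(secret: bytes, identifier: int, user: bytes, eap: bytes,
                         nas_ip: str, nas_port: int,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Authenticator (PEP in the NAD) side: wrap the EAP frame for the PDP."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    attrs = (attr(USER_NAME, user)
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + attr(EAP_MESSAGE, eap)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))   # zeroed placeholder, last
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    # Message-Authenticator = HMAC-MD5(secret, packet with the attribute value zeroed)
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def parse_attrs(pkt: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list after the 20-byte header; reject malformed lengths."""
    out, i = [], 20
    while i < len(pkt):
        if i + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > len(pkt):
            raise ValueError("malformed attribute length")
        out.append((atype, pkt[i + 2:i + alen]))
        i += alen
    return out


def verify_access_request(secret: bytes, pkt: bytes) -> bool:
    """RADIUS server (PDP) side: accept only a well-formed request whose
    Message-Authenticator verifies. A request carrying EAP-Message without a
    Message-Authenticator is treated as invalid, as RFC 3579 directs."""
    if len(pkt) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return False
    try:
        attrs = parse_attrs(pkt)
    except ValueError:
        return False
    i = 20
    for atype, value in attrs:
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        i += 2 + len(value)
    return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"           # constructed sample values
    identity = b"alice@example.com"
    pkt = build_access_request(secret, 7, identity, eap_response_identity(1, identity), "10.0.0.2", 3)
    print(len(pkt), verify_access_request(secret, pkt))       # True
    print(verify_access_request(b"wrong-secret", pkt))        # False
```

Note that the 16-byte Request Authenticator in the header is random and only seeds the secret-based obfuscation of attributes such as User-Password; for an EAP exchange it is the Message-Authenticator, keyed with the NAD-to-server shared secret, that gives the PDP any assurance the request came from the authenticator unmodified. A server that accepts EAP-Message without checking it is trusting whatever sits between the NAD and itself.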
References
[1] IEEE 802.1X. http://www.ieee802.org/1/pages/802.1x.html
[2] XACML (eXtensible Access Control Markup Language). http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
[3] Cisco Common Classification Policy Language (C3PL). http://www.cisco.com/en/US/docs/routers/access/cisco_router_and_security_device_manager/24/software/user/guide/C3PL.html
[4] Remote Authentication Dial In User Service (RADIUS), RFC 2865. http://tools.ietf.org/html/rfc2865
[5] MySQL client/server protocol. http://forge.mysql.com/wiki/MySQL_Internals_ClientServer_Protocol
[6] Configuration guidelines for DiffServ service classes, RFC 4594. http://tools.ietf.org/html/rfc4594
[7] MPLS VPN VRF. http://en.wikipedia.org/wiki/VRF
[8] NIST definition of cloud computing. http://www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf
[9] Hasan MZ et al (2011) Seamless cloud abstraction, models and interfaces. In: Proceedings of the ITU/IEEE Kaleidoscope conference, Cape Town
[10] Hasan MZ et al (2011) Network abstraction for enterprise and SP class cloud: seamless cloud abstraction and interfaces. IETF draft. http://trac.tools.ietf.org/area/app/trac/attachment/wiki/Clouds/draft-rfc-seamless-Cloud-masum-01.txt
© 2013 Springer Science+Business Media New York
Cite this chapter
Hasan, M.Z. (2013). Application and Network Resource Access Control. In: Clemm, A., Wolter, R. (eds) Network-Embedded Management and Applications. Springer, New York, NY. https://doi.org/10.1007/978-1-4419-6769-5_12
Print ISBN: 978-1-4419-6768-8
Online ISBN: 978-1-4419-6769-5