
Name-Level Approach for Egress Network Access Control

  • Conference paper
Networking - ICN 2005 (ICN 2005)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 3421)
Abstract

Conventional egress network access control (NAC) at the network layer has two problems. First, because the policy is written in terms of IP addresses, a wildcard ("*") over host names cannot be used in a policy. Second, the user must authenticate through a Web browser even when the service being used is not the Web. To solve these problems, this paper proposes a name-level method for egress NAC. Because the policy is evaluated at the DNS server, where the destination is still a name, a wildcard can be used in the policy. Because each DNS query message carries the user's identity through a Transaction Signature (TSIG), authentication for any service is performed without a Web browser. The DNS server then configures a packet filter dynamically to pass only authorized packets. This paper describes the implementation of the method's DNS server, packet filter, and resolver. Experimental results show that the method scales up to 160 clients with one DNS server and one router.
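The mechanism the abstract describes, reduced to a runnable sketch as an added example (not the authors' implementation): the resolver signs each query with the user's TSIG key, the DNS server verifies the signature, evaluates a wildcard policy on the queried name, and only for an authorized name both answers and pushes a packet-filter rule from the client to the resolved address. The TSIG here is a simplified HMAC over the query name, key name and timestamp rather than the RFC 2845 wire format; the key names, zone data, policy entries and filter-rule syntax are all constructed for illustration.

```python
import fnmatch
import hashlib
import hmac

# Constructed sample data, not from the paper: one TSIG key per user.
TSIG_KEYS = {
    "alice.nac.example.": b"alice-shared-secret",
    "bob.nac.example.": b"bob-shared-secret",
}

# Constructed zone data the NAC DNS server answers from.
ZONE = {
    "www.example.com.": "192.0.2.10",
    "mail.example.com.": "192.0.2.25",
    "files.example.net.": "198.51.100.7",
}

# Name-level policy: (TSIG key name, wildcard pattern, decision). First match wins.
# The wildcard is exactly what an IP-address-based packet-filter policy cannot express.
POLICY = [
    ("alice.nac.example.", "*.example.com.", "allow"),
    ("alice.nac.example.", "*", "deny"),
    ("bob.nac.example.", "*", "allow"),
]

FUDGE = 300  # seconds of clock skew tolerated, like TSIG's "fudge" field


def tsig_mac(secret, qname, key_name, time_signed):
    """Simplified TSIG: HMAC over the fields that identify query, user and time.
    Real TSIG (RFC 2845) signs the whole DNS message plus the TSIG variables."""
    data = f"{qname}|{key_name}|{time_signed}".encode()
    return hmac.new(secret, data, hashlib.sha256).digest()


def sign_query(qname, key_name, time_signed):
    """Resolver side: build a query that carries the user's identity in its TSIG."""
    mac = tsig_mac(TSIG_KEYS[key_name], qname, key_name, time_signed)
    return {"qname": qname, "key_name": key_name, "time_signed": time_signed, "mac": mac}


def evaluate_policy(key_name, qname):
    for subject, pattern, decision in POLICY:
        if subject == key_name and fnmatch.fnmatchcase(qname, pattern):
            return decision
    return "deny"  # default deny when no rule matches


class NacDnsServer:
    """DNS server that authenticates the query, evaluates the name-level policy,
    and installs a packet-filter rule only for authorized answers."""

    def __init__(self):
        self.filter_rules = []  # rules pushed to the packet filter (constructed syntax)

    def handle(self, query, client_ip, now):
        secret = TSIG_KEYS.get(query["key_name"])
        if secret is None:
            return "NOTAUTH", None  # unknown key: unauthenticated user
        expected = tsig_mac(secret, query["qname"], query["key_name"], query["time_signed"])
        if not hmac.compare_digest(expected, query["mac"]):
            return "BADSIG", None  # forged or tampered query
        if abs(now - query["time_signed"]) > FUDGE:
            return "BADTIME", None  # stale query: limits replay of a captured one
        if evaluate_policy(query["key_name"], query["qname"]) != "allow":
            return "REFUSED", None  # policy denies the name: no answer, no filter rule
        ip = ZONE.get(query["qname"])
        if ip is None:
            return "NXDOMAIN", None
        # Authorized: open the filter for this client to the resolved address only.
        self.filter_rules.append(f"pass from {client_ip} to {ip}")
        return "NOERROR", ip


if __name__ == "__main__":
    server = NacDnsServer()
    q = sign_query("www.example.com.", "alice.nac.example.", time_signed=1_700_000_000)
    print(server.handle(q, "10.0.0.5", now=1_700_000_010))  # ('NOERROR', '192.0.2.10')
    q = sign_query("files.example.net.", "alice.nac.example.", time_signed=1_700_000_000)
    print(server.handle(q, "10.0.0.5", now=1_700_000_010))  # ('REFUSED', None)
    print(server.filter_rules)  # ['pass from 10.0.0.5 to 192.0.2.10']
```

Two points the sketch makes explicit: the policy decision is made on the name, but the filter rule is keyed on the address the server itself resolved, so the packet filter must default to deny or a client that already knows an address can skip the lookup entirely; and the timestamp check matters because a signed query is otherwise a reusable token for opening the filter.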



Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Suzuki, S., Shinjo, Y., Hirotsu, T., Kato, K., Itano, K. (2005). Name-Level Approach for Egress Network Access Control. In: Lorenz, P., Dini, P. (eds) Networking - ICN 2005. ICN 2005. Lecture Notes in Computer Science, vol 3421. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-31957-3_35


  • DOI: https://doi.org/10.1007/978-3-540-31957-3_35

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-25338-9

  • Online ISBN: 978-3-540-31957-3
