J. Wiebelitz, S. Piger, Christopher Kunz, C. Grimm
{"title":"eScience透明的基于身份的防火墙转换","authors":"J. Wiebelitz, S. Piger, Christopher Kunz, C. Grimm","doi":"10.1109/ESCIW.2009.5407985","DOIUrl":null,"url":null,"abstract":"As new concepts for eSciene like Grid computing and Cloud computing tend to leave the research phase and develop towards production quality, the security eventually moves into focus. Up to now research in the security area concentrates on authentication and authorization on the resources themselves, but to enhance network security more generally, access control must be pushed back to the entry point of the resource providers' network. In this paper TCP-AuthN is presented, an approach for dynamic firewall operation, which uses the TCP three-way handshake to transport users' authentication information for dynamic firewall operation. The authentication information enables firewalls to authorize each connection establishment individually, based on the user's proven identity. To prevent man-in-the-middle attacks and replay attacks, a challenge-response procedure must be accomplished before the connection is finally allowed. To distinguish the authentication information from application level data, a new TCP option tcpauthn was designed. The presented approach is intended to withdraw the initial authorization decision from the resources and therefore from the internal network and move this decision to firewalls, which are employed to protect networks and services.","PeriodicalId":416133,"journal":{"name":"2009 5th IEEE International Conference on E-Science Workshops","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2009-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":"{\"title\":\"Transparent identity-based firewall transition for eScience\",\"authors\":\"J. Wiebelitz, S. Piger, Christopher Kunz, C. Grimm\",\"doi\":\"10.1109/ESCIW.2009.5407985\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"As new concepts for eSciene like Grid computing and Cloud computing tend to leave the research phase and develop towards production quality, the security eventually moves into focus. Up to now research in the security area concentrates on authentication and authorization on the resources themselves, but to enhance network security more generally, access control must be pushed back to the entry point of the resource providers' network. In this paper TCP-AuthN is presented, an approach for dynamic firewall operation, which uses the TCP three-way handshake to transport users' authentication information for dynamic firewall operation. The authentication information enables firewalls to authorize each connection establishment individually, based on the user's proven identity. To prevent man-in-the-middle attacks and replay attacks, a challenge-response procedure must be accomplished before the connection is finally allowed. To distinguish the authentication information from application level data, a new TCP option tcpauthn was designed. The presented approach is intended to withdraw the initial authorization decision from the resources and therefore from the internal network and move this decision to firewalls, which are employed to protect networks and services.\",\"PeriodicalId\":416133,\"journal\":{\"name\":\"2009 5th IEEE International Conference on E-Science Workshops\",\"volume\":\"1 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2009-12-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"6\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2009 5th IEEE International Conference on E-Science Workshops\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ESCIW.2009.5407985\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2009 5th IEEE International Conference on E-Science Workshops","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ESCIW.2009.5407985","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Transparent identity-based firewall transition for eScience
As new concepts for eSciene like Grid computing and Cloud computing tend to leave the research phase and develop towards production quality, the security eventually moves into focus. Up to now research in the security area concentrates on authentication and authorization on the resources themselves, but to enhance network security more generally, access control must be pushed back to the entry point of the resource providers' network. In this paper TCP-AuthN is presented, an approach for dynamic firewall operation, which uses the TCP three-way handshake to transport users' authentication information for dynamic firewall operation. The authentication information enables firewalls to authorize each connection establishment individually, based on the user's proven identity. To prevent man-in-the-middle attacks and replay attacks, a challenge-response procedure must be accomplished before the connection is finally allowed. To distinguish the authentication information from application level data, a new TCP option tcpauthn was designed. The presented approach is intended to withdraw the initial authorization decision from the resources and therefore from the internal network and move this decision to firewalls, which are employed to protect networks and services.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
