A cost-effective add-on-value card-assisted firewall over Taiwan's NHI VPN framework.

Besides the overall budget for building the infrastructure of a healthcare-service-based virtual private network (VPN) in Taiwan, two issues were considered critical for its acceptance by the country's 17,000 plus medical institutions. One was who was to pay for the network (ADSL or modem) connection fee; the other was who was to pay for the firewall/anti-virus software. This paper addresses the second issue by proposing an efficient freeware firewall, named card-assisted firewall (CAF), for NHI VPN edge-hosts, which is also an add-on-value application of the National Healthcare IC card that every insurant and medical professional has. The innovative concept is that any NHI VPN site (edge-host) can establish diversified secure-authenticated connections with other sites only by an authentication mechanism, which requires a NHI Java card state machine and the Access Control List of the host. It is different from two-factor authentication cards in four ways: (1) a PIN code is not a must; (2) it requires authentication with the remote IC card Data Centre; (3) the NHI cards are already available, no modification is needed, and there is no further cost for the deployment of the cards; (4) although the cards are in the reader, the communication cannot start unless the cards are in the corresponding states; i.e. the states allow communication. An implementation, on a Microsoft Windows XP platform, demonstrated the system's feasibility over an emulation of the NHI VPN framework. It maintained a high line speed, the driver took up 39 KB of disk space, installation was simple, not requiring any extra hardware or software, and the average packet processing time of the CAF driver measured was 0.3084 ms. The average overhead in comparing the Access Control List predefined routing in card, in an FTP testing experiment, was 5.7 micros (receiving) and 8 micros (sending).