A framework for enforcing user-based authorization policies on packet filter firewalls

Zúquete, A. ; Correia, P. ; Rocha, M.

A framework for enforcing user-based authorization policies on packet filter firewalls, Proc. IFIP TC6 and TC11 Joint Conf. on Communications and Multimedia Security (CMS), Canterbury, United Kingdom, Vol. LNCS 7394, pp. 204-206, September 2012.

Abstract
Packet filter firewalls are fundamental elements for preventing unauthorized traffic from reaching protected networks or hosts. However, they have to take decisions about packets based on their contents, and currently packets do not carry any information about the entity responsible for their generation. In this paper we propose a framework that tackles this problem. The framework adds extra information to packets, which enables a firewall to authenticate their origin and to obtain an identity attribute for discriminating the entity responsible for each packet, upon which an access control policy can be implemented. This framework uses trusted third party services for authenticating people and for providing the related identity attributes to firewalls. As a proof of concept we implemented a prototype on Linux machines using iptables and personal identity smartcards.