FileWall: A Firewall for Network File Systems

  • Authors: Stephen Smaldone; Aniruddha Bohra; Liviu Iftode
  • Affiliations: Rutgers University, USA; Rutgers University, USA; Rutgers University, USA
  • Venue: DASC '07 Proceedings of the Third IEEE International Symposium on Dependable, Autonomic and Secure Computing
  • Year: 2007

Abstract

Access control in network file systems relies on primitive mechanisms like Access Control Lists and permission bits, which are not enough when operating in a hostile network environment. Network middleboxes, e.g., firewalls, completely ignore file system semantics when defining policies. Therefore, implementing simple context-aware access policies requires modifications to file servers and/or clients, which is impractical. We present FileWall, a network middlebox that allows administrators to define context-aware access policies for file systems using both the network context and the file system context. FileWall interposes on the client-server network path and implements administrator-defined policies through message transformation without modifying either clients or servers. In this paper, we present the design and implementation of FileWall for the NFS protocol. Our evaluation demonstrates that FileWall imposes minimal overheads for common file system operations, even under heavy loads.