Name-Level approach for egress network access control

Authors:
Shinichi Suzuki;Yasushi Shinjo;Toshio Hirotsu;Kazuhiko Kato;Kozo Itano
Affiliations:
Department of Computer Science, University of Tsukuba, Tsukuba, Ibaraki, Japan;Department of Computer Science, University of Tsukuba, Tsukuba, Ibaraki, Japan;Department of Information and Computer Sciences, Toyohashi University of Technology, Toyohashi, Aichi, Japan;Department of Computer Science, University of Tsukuba, Tsukuba, Ibaraki, Japan;Department of Computer Science, University of Tsukuba, Tsukuba, Ibaraki, Japan
Venue:
ICN'05 Proceedings of the 4th international conference on Networking - Volume Part II
Year:
2005

Citing 3
Cited 0

Role-Based Access Control Models

Computer
PICS: Internet access controls without censorship

Communications of the ACM
Integrating Flexible Support for Security Policies into the Linux Operating System

Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference

Quantified Score

Hi-index	0.00

Visualization

Abstract

Conventional egress network access control (NAC) at the network layer has two problems. Firstly, wild card “*” is not allowed for a policy. Secondly, we have to run a Web browser for authentication even if we do not use the Web. To solve these problems, this paper proposes a name-level method for egress NAC. Since it evaluates the policy at the DNS server, this method enables a wild card to be used in the policy. Since each DNS query message carries user identification by using Transaction Signature (TSIG), the authentication for any service is performed without Web browsers. The DNS server configures a packet filter dynamically to pass authorized packets. This paper describes the implementation of the DNS server, the packet filter, and the resolver of the method. Experimental results show that the method scales up to 160 clients with a DNS server and a router.