From a security standpoint, it is preferable to implement least privilege network security policies in which only the bare minimum of TCP/UDP ports on internal hosts are accessible from outside the perimeter. Unfortunately, organizations with such policies can no longer communicate using common multiport protocols that require randomly chosen ports for auxiliary connections. This paper introduces a new approach for maintaining such communication under least privilege while achieving maximum performance. By dynamically modifying perimeter ACLs, inbound auxiliary connections are allowed through the perimeter only at exactly the times they are required. These modifications are made transparently to external users and with minimal changes to internal configuration. A prototype of the Dynamic Perimeter Enforcement system, called Diaper, has been implemented and tested with several applications.