Recent work in the area of network security, such as IPsec, provides mechanisms for securing the traffic between any two interconnected hosts. However, it is not always possible, economical, or even practical from an administrative and operational point of view to upgrade the software and configuration of all the nodes in a network to support such security protocols. One apparent solution to this problem is the use of security gateways that apply the relevant security protocols on behalf of the protected nodes, under the assumption that the "last hop" between the security gateway and the end node is safe without cryptography. Such a gateway can be set to enforce specific security policies for different types of traffic. While this solution is appealing in static scenarios (such as building so-called "intranets"), the use of Layer-3 (network) routers as security gateways presents some transparency and configuration problems with regard to peer authentication in the automated key management protocol. This paper describes the architecture and implementation of a Layer-2 (link layer) bridge with extensions for offering Layer-3 security services. We extend the OpenBSD Ethernet bridge to perform simple IP packet filtering and IPsec processing for incoming and outgoing packets on behalf of a protected node, completely transparently to both the protected node and the remote communication endpoint. The same mechanism may be used to construct "virtual local area networks" by establishing IPsec tunnels between OpenBSD bridges connecting geographically separated LANs. As our system operates at the link layer, there is no need for software or configuration changes on the protected nodes.