Abstract
Enterprise firewalls can easily be circumvented, for example by attack agents carried on infected mobile computers or telecommuters' computers, or by attackers exploiting rogue access points or modems. Techniques that prevent nodes whose configuration does not conform to enterprise policy from connecting to the enterprise network could greatly reduce such vulnerabilities. Network Admission Control (NAC) and Network Access Protection (NAP) are recent industrial initiatives to achieve such policy enforcement. However, as currently specified, NAC and NAP assume that users are not malicious. We propose novel techniques that use secure coprocessors to protect access to enterprise networks. Experiments demonstrate that the proposed techniques are effective against malicious users and have acceptable overhead.
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Xia, H., Kanchana, J., Brustoloni, J.C. (2005). Using Secure Coprocessors to Protect Access to Enterprise Networks. In: Boutaba, R., Almeroth, K., Puigjaner, R., Shen, S., Black, J.P. (eds) NETWORKING 2005. Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communications Systems. NETWORKING 2005. Lecture Notes in Computer Science, vol 3462. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11422778_13
DOI: https://doi.org/10.1007/11422778_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-25809-4
Online ISBN: 978-3-540-32017-3
eBook Packages: Computer Science (R0)