Access control for inter-organizational computer network environment
The Internet has evolved from its early stages, where interconnection was primarily on a network basis, into an interconnection of networks on an organizational basis. The original protocol architecture, which essentially sought ubiquitous connectivity, has little scope for incorporating access control, a feature for which the demand increases with connectivity. In this work, we take up this issue. We examine how one can provide a transparent network while preserving the security of organizations by implementing and maintaining strict access control using firewalls.
We propose a "User Access Domain (UAD)" to provide user-level grouping, and an "Access Domain Control Layer (ADCL)" to support the user-level domain over the organizational networks with firewalls. While the User Access Domain provides the framework for virtual private networks, the Access Domain Control Layer provides firewall-transparent TCP/UDP connectivity in what appears to be a seamless logical network spanning the User Access Domain.
Moreover, the access-control policy can be formulated in more relevant terms like user identity, user role, source-destination, service etc. A proof-of-concept prototype is presently operational. The access-control framework is managed and maintained using the SNMP protocol. Appropriate MIBs have been defined and are in the process of being implemented.
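The abstract states that policy is expressed in terms of user identity, user role, source-destination and service rather than raw addresses alone. The following is an added illustration of such a policy evaluator, not the paper's ADCL or prototype code: the rule format, the first-match semantics, the default-deny fallback and all sample users, roles, networks and services are assumptions constructed for this example.

```python
"""Toy user-level access-domain policy evaluator (added example, not the paper's code).

Rules are matched in order (first match wins); a request that matches no rule
is denied, so traffic never crosses the firewall by accident of omission.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    user: str      # authenticated user identity
    role: str      # role assigned to the user within the access domain
    src: str       # source host address, e.g. "10.1.3.4"
    dst: str       # destination host address
    service: str   # transport/port, e.g. "tcp/22" or "udp/53"


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    user: Optional[str] = None     # None means "any" for every field below
    role: Optional[str] = None
    src: Optional[str] = None      # CIDR prefix, e.g. "10.1.0.0/16"
    dst: Optional[str] = None
    service: Optional[str] = None


def _net_match(prefix: Optional[str], addr: str) -> bool:
    """True if addr lies inside prefix (or prefix is a wildcard)."""
    if prefix is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def _matches(rule: Rule, req: Request) -> bool:
    return (
        (rule.user is None or rule.user == req.user)
        and (rule.role is None or rule.role == req.role)
        and _net_match(rule.src, req.src)
        and _net_match(rule.dst, req.dst)
        and (rule.service is None or rule.service == req.service)
    )


def decide(policy: List[Rule], req: Request) -> Tuple[str, Optional[int]]:
    """Return (action, index_of_matching_rule); (\"deny\", None) when nothing matched.

    Returning the rule index lets an audit log record *why* a decision was taken.
    """
    for idx, rule in enumerate(policy):
        if _matches(rule, req):
            return rule.action, idx
    return "deny", None


# Constructed sample policy for a hypothetical access domain "project-x".
# An explicit per-user exclusion is placed first so it wins over role grants.
PROJECT_X_POLICY: List[Rule] = [
    Rule("deny", user="contractor-bob"),
    Rule("permit", role="developer", dst="10.2.0.0/16", service="tcp/22"),
    Rule("permit", role="developer", dst="10.2.5.0/24", service="tcp/443"),
    Rule("permit", role="auditor", src="10.1.0.0/16", dst="10.2.5.10/32", service="tcp/443"),
]


def demo() -> List[Tuple[str, str]]:
    """Evaluate a few constructed requests and return (user, decision) pairs."""
    samples = [
        Request("alice", "developer", "10.1.3.4", "10.2.7.8", "tcp/22"),       # role grant
        Request("alice", "developer", "10.1.3.4", "10.2.7.8", "tcp/443"),      # dst outside /24
        Request("contractor-bob", "developer", "10.1.3.4", "10.2.7.8", "tcp/22"),  # excluded user
        Request("carol", "auditor", "10.1.9.9", "10.2.5.10", "tcp/443"),       # auditor grant
        Request("carol", "auditor", "192.168.1.1", "10.2.5.10", "tcp/443"),    # wrong source net
    ]
    return [(r.user, decide(PROJECT_X_POLICY, r)[0]) for r in samples]


if __name__ == "__main__":
    for user, verdict in demo():
        print(f"{user:15s} -> {verdict}")
```

The ordering matters: placing the user-specific deny ahead of the role-based permits is what makes an individual exclusion override group membership, and the `None` fallback from `decide` is the default-deny that a firewall-backed domain should rely on rather than an explicit trailing rule that can be forgotten.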