FileWall: Implementing File Access Policies using Dynamic Access Context

FileWall is a file access control framework that allows file system administrators to enforce file access policies based on dynamic access context such as access history, environment, etc. Similar to a firewall, which interposes on a network path and operates on packets to enforce network access policies, FileWall interposes on a client-server path and operates on network file system messages to enforce file access policies. FileWall does not require any modification to either the file system client or the file server, while minimizing the non-recoverable state. FileWall provides the administrator with the ability to protect file systems, provide quality of service, perform forensic analysis, and other file access policies. A FileWall prototype has been implemented using the Click modular router and the SFS file system toolkit. This prototype is evaluated by interposing between NFS clients and servers. Performance evaluation shows that FileWall introduces minimal interposition overhead and maintains close to 90% throughput compared to NFS. Two real world case studies demonstrate that FileWall can perform effective flash crowd mitigation on a web server, and provide QoS to clients by prioritizing file system requests and responses.