Capability-based egress network access control by using DNS server

Authors

  • Shinichi Suzuki
  • Yasushi Shinjo
  • Toshio Hirotsu
  • Kozo Itano
  • Kazuhiko Kato
Abstract

In conventional egress network access control (NAC) based on access control lists (ACLs), every change in who may reach which external service requires an administrator to edit the ACLs, which is a heavy task. To allow configuration without a large amount of administrator effort, we introduce capabilities into egress NAC. In our method, a user can transfer his or her access rights (capabilities) to other persons without asking an administrator. We realize the method with a DNS cache server and a router. The client's resolver sends the user name, domain name, and service name to the DNS cache server. The DNS server issues capabilities according to a policy and returns them to the client. The client places these capabilities in the IP options of its packets and sends the packets toward the router. The router verifies the capabilities and decides whether to forward or block each packet. In this paper, we describe the design and implementation of our method in detail. Experimental results show that our method does not reduce the router's performance.


Related articles

Applying decentralized trust management to DNS dynamic updates

DNS dynamic updates can be used to modify the data of a DNS zone. This can be used to update DNS records of hosts with dynamic IP addresses, for example. DNS dynamic updates can be authenticated using the DNSSEC transaction signatures or the TSIG mechanism. While there are existing mechanisms for authenticating the source of update requests, mechanisms for authorization, i.e. specifying who is ...


Unifying Access and Resource Usage Control over Standard Client-Server Interactions

We propose a novel framework for integrated access and resource usage control over standard client-server interactions. Historically, access control has been developed without considering resource usage. Resource control has thus developed as an ad hoc, server-centric set of mechanisms (e.g., file system quotas, network bandwidth quotas, etc.). We believe that resource usage control is strongly re...


DNS Resolvers and their Clients

The Domain Name System (DNS) performs an essential Internet duty: the translation of host names, which are convenient for humans, into IP addresses, which are used to route packets. To do so, an application on an end-user’s system must contact a DNS resolver to perform these translations. While the user’s system may run a DNS resolver locally, many use an ISP resolver (sometimes called a DNS ca...


On the Effectiveness of DNS-based Server Selection

The rapid growth of the Internet in users and content has fueled extensive efforts to improve the user’s overall Internet experience. A growing number of providers deliver content from multiple servers or proxies to reduce response time by moving content closer to end users. An increasingly popular mechanism to direct clients to the closest point of service is DNS-based redirection, due to its ...


SCALABLE TECHNIQUES FOR ANOMALY DETECTION A Dissertation by SANDEEP YADAV

Computer networks are constantly being attacked by malicious entities for various reasons. Network-based attacks include, but are not limited to, Distributed Denial of Service (DDoS), DNS-based attacks, Cross-site Scripting (XSS), etc. Such attacks exploit either the network protocol or vulnerabilities in end-host software. Current network traffic analysis techniques empl...



Journal:
  • J. Network and Computer Applications

Volume 30, Issue

Pages -

Publication year 2007