Capability-based egress network access control by using DNS server
Authors: Shinichi Suzuki, Yasushi Shinjo, Toshio Hirotsu, Kozo Itano, Kazuhiko Kato
Affiliation: (a) Department of Computer Science, University of Tsukuba, Tsukuba, Ibaraki 305-8573, Japan; (b) Department of Information and Computer Sciences, Toyohashi University of Technology, Toyohashi, Aichi 441-8580, Japan
Abstract:In conventional egress network access control (NAC) based on access control lists (ACLs), modifying the ACLs is a heavy task for administrators. To enable configuration without a large amount of administrators’ effort, we introduce capabilities to egress NAC. In our method, a user can transfer his/her access rights (capabilities) to other persons without asking administrators. To realize our method, we use a DNS cache server and a router. A resolver of the client sends the user name, domain name, and service name to the DNS cache server. The DNS server issues capabilities according to a policy and sends them to the client. The client puts these capabilities into the IP options of packets and sends them to the router. The router verifies the capabilities, and determines whether to pass or block the packets. In this paper, we describe the design and implementation of our method in detail. Experimental results show that our method does not reduce the router's performance.
Keywords: Access control; Capabilities; Network security; Egress filters; DNS
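The exchange described in the abstract, as an added example that is not code from the paper: the DNS cache server consults a policy, resolves the name and issues a compact signed capability; the router passes a packet only if the capability carried in its IP option is authentic, unexpired and bound to that packet's destination and service. The capability layout, the HMAC tag, the shared key, the policy table and the resolved address are all constructed assumptions; the paper does not specify them.

```python
import hmac, hashlib, struct, socket, time

# Constructed shared secret between the DNS cache server and the router
# (assumption: the paper does not describe the capability format or keying).
ROUTER_KEY = b"constructed-demo-key-do-not-deploy"
CAP_FMT = "!4sHIH8s"   # dst IPv4, dst port, expiry, user id, truncated HMAC tag
CAP_LEN = struct.calcsize(CAP_FMT)   # 20 bytes, fits the 40-byte IP option space

# Constructed policy: (user, domain, service port) triples the DNS server may grant.
POLICY = {("alice", "www.example.com", 80), ("alice", "www.example.com", 443)}
USER_IDS = {"alice": 1, "bob": 2}
# Constructed stand-in for the name lookup the DNS cache server performs.
DNS_TABLE = {"www.example.com": "192.0.2.10"}

def _tag(unsigned: bytes) -> bytes:
    # Router-keyed MAC, truncated so the whole capability stays small.
    return hmac.new(ROUTER_KEY, unsigned, hashlib.sha256).digest()[:8]

def issue_capability(user, domain, port, ttl=300, now=None):
    """DNS cache server: check the policy, resolve the name, return a signed capability."""
    if (user, domain, port) not in POLICY or domain not in DNS_TABLE:
        return None
    now = int(time.time()) if now is None else now
    unsigned = struct.pack("!4sHIH", socket.inet_aton(DNS_TABLE[domain]),
                           port, now + ttl, USER_IDS[user])
    return unsigned + _tag(unsigned)

def router_allows(packet_dst_ip, packet_dst_port, option, now=None):
    """Router: pass the packet only if its IP option carries a valid capability for this flow.
    The capability is a bearer token: a holder who received it from another user
    (the transfer the paper allows) is accepted; the user id is kept for auditing only."""
    if option is None or len(option) != CAP_LEN:
        return False
    dst, port, exp, _uid, tag = struct.unpack(CAP_FMT, option)
    if not hmac.compare_digest(_tag(option[:-8]), tag):
        return False          # forged or modified capability
    now = int(time.time()) if now is None else now
    if exp <= now:
        return False          # expired
    return dst == socket.inet_aton(packet_dst_ip) and port == packet_dst_port
```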
This document is indexed in ScienceDirect and other databases.