ISSN : 1796-203X
Volume : 1    Issue : 1    Date : April 2006

Using Firewalls to Enforce Enterprise-wide Policies over Standard Client-Server Interactions
Tuan Phan, Zhijun He and Thu D. Nguyen
Page(s): 1-13

We propose and evaluate a novel framework for enforcing global coordination and control policies
over message passing software components in enterprise computing environments. This
framework combines the use of firewalls, both per-node software and dedicated firewalls, with an
existing coordination and control system to enforce policies that, among other properties, are
stateful and communal. The firewalls act as a set of distributed reference monitors that filter
messages exchanged between the interacting software components. The coordination and control
system coordinates the firewalls to enforce a specific set of policies, passing only messages
allowed by these policies. Filtering decisions may be based on credentials presented to the
coordination and control system as well as system state accumulated over time. This filtering
approach decouples coordination and control from application implementation, allowing the
coordination and control mechanism and application implementations to evolve independently of
each other. We demonstrate the power of our framework by using it to specify and enforce an RBAC
policy with delegation, revocation, and separation-of-duty over accesses to a cluster of NFS and
SMB file servers without changing any client or server implementations. Measurements show that
our framework imposes acceptable overheads when enforcing this policy.
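The stateful, communal RBAC filtering the abstract describes, as an added illustration that is not code from the paper: one reference monitor whose state a coordinator would share across the per-node and dedicated firewalls, deciding per message whether it passes. Role names, operations, server names, users and the one-level delegation rule (only a direct role holder may delegate) are constructed assumptions, not the paper's policy language.

```python
from collections import namedtuple
# A client->server request as a firewall sees it: user is the principal named by credentials
# presented to the coordinator, server the NFS/SMB target, op and path the file request.
Msg = namedtuple("Msg", "user server op path")

class PolicyMonitor:  # policy state shared by all firewalls; filter() is the per-message decision
    def __init__(self, role_ops, sod_pairs):
        self.role_ops = role_ops    # role -> ops that role may perform
        self.sod_pairs = sod_pairs  # {(op_a, op_b)}: one user may not do both on the same file
        self.roles = {}             # user -> directly assigned roles
        self.delegated = {}         # (grantor, grantee) -> delegated role
        self.history = {}           # (server, path) -> {op: users who did it}: communal state

    def assign(self, user, role):
        self.roles.setdefault(user, set()).add(role)

    def delegate(self, grantor, grantee, role):  # simplified: only a direct holder delegates
        if role not in self.roles.get(grantor, ()):
            return False
        self.delegated[(grantor, grantee)] = role
        return True

    def revoke(self, grantor, grantee):  # the grantee's very next message is already filtered
        return self.delegated.pop((grantor, grantee), None) is not None

    def filter(self, msg):  # True: pass the message to the server; False: drop it
        roles = set(self.roles.get(msg.user, ()))
        roles.update(r for (_, g), r in self.delegated.items() if g == msg.user)
        if not any(msg.op in self.role_ops.get(r, ()) for r in roles):
            return False  # no assigned or delegated role permits this operation
        done = self.history.setdefault((msg.server, msg.path), {})
        for a, b in self.sod_pairs:
            other = b if msg.op == a else a if msg.op == b else None
            if other and msg.user in done.get(other, set()):
                return False  # separation of duty: this user already did the conflicting op
        done.setdefault(msg.op, set()).add(msg.user)
        return True

def demo():  # constructed scenario: whoever writes a file may not also approve it
    m = PolicyMonitor({"author": {"write"}, "reviewer": {"approve"}}, {("write", "approve")})
    for user, role in [("alice", "author"), ("bob", "reviewer"), ("bob", "author")]:
        m.assign(user, role)
    return [m.filter(Msg("alice", "nfs-1", "write", "/proj/spec")),    # True: author role
            m.filter(Msg("alice", "nfs-1", "approve", "/proj/spec")),  # False: no such role
            m.delegate("bob", "carol", "reviewer"),                    # True
            m.filter(Msg("carol", "smb-2", "approve", "/proj/spec")),  # True: delegated role
            m.revoke("bob", "carol"),                                  # True
            m.filter(Msg("carol", "smb-2", "approve", "/proj/spec")),  # False: revoked
            m.filter(Msg("bob", "nfs-1", "write", "/proj/plan")),      # True
            m.filter(Msg("bob", "nfs-1", "approve", "/proj/plan"))]    # False: separation of duty
```

Because the decision depends on what other principals did to the same file, a per-node firewall alone cannot make it; the history must be shared, which is the role of the coordination and control system in the abstract.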

Index Terms
coordination and control, access control, reference monitor, firewall, communal policies, stateful