Abstract
From a security standpoint, it is preferable to implement least privilege network security policies in which only the bare minimum of TCP/UDP ports on internal hosts are accessible from outside the perimeter. Unfortunately, organizations with such policies can no longer communicate using common multiport protocols that require randomly chosen ports for auxiliary connections. This paper introduces a new approach for maintaining such communication under least privilege while achieving maximum performance. By dynamically modifying perimeter ACLs, inbound auxiliary connections are allowed through the perimeter only at exactly the times required. These modifications are made transparently to external users and with minimal changes to internal configuration. A prototype of the Dynamic Perimeter Enforcement system, called Diaper, has been implemented and tested with several applications.
This work is supported by the NASA Advanced Supercomputing Division under Task Order NNA05AC20T (Contract GS-09F-00282) with Advanced Management Technology Inc.
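To make the mechanism in the abstract concrete, the following is an added example written for this page; it is not the paper's Diaper code. It models a perimeter ACL keyed per external client that opens an inbound window for an auxiliary port only after the internal host announces that port on the control channel, and closes the window automatically. The FTP passive-mode reply grammar is the one from RFC 959; the per-client keying, the time-to-live and the single-use window are assumptions about a sensible least-privilege policy, not details stated in the abstract.

```python
import re
from dataclasses import dataclass, field

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str):
    """Return (host, port) announced in a PASV reply, or None if malformed."""
    m = PASV_RE.search(reply.strip())
    if not m:
        return None
    octets = [int(m.group(i)) for i in range(1, 7)]
    if any(o > 255 for o in octets):
        return None  # reject out-of-range octets rather than guessing
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port == 0:
        return None
    return host, port


@dataclass
class DynamicAcl:
    """Perimeter ACL whose inbound allow rules exist only for a short window.

    Assumed policy (not from the paper): each rule is bound to the external
    client that opened the control channel, expires after `ttl` seconds,
    and is consumed by the first connection that uses it.
    """
    ttl: float
    # (client_ip, internal_host, port) -> time at which the window closes
    windows: dict = field(default_factory=dict)

    def open_window(self, client_ip, host, port, now):
        self.windows[(client_ip, host, port)] = now + self.ttl

    def expire(self, now):
        # Drop every window whose deadline has passed.
        for key in [k for k, t in self.windows.items() if t <= now]:
            del self.windows[key]

    def permits(self, client_ip, host, port, now, single_use=True):
        """Decide an inbound SYN from client_ip to host:port at time `now`."""
        self.expire(now)
        key = (client_ip, host, port)
        if key not in self.windows:
            return False
        if single_use:
            del self.windows[key]  # one auxiliary connection per announcement
        return True


def allow_auxiliary(acl, client_ip, control_reply, now):
    """Watch a control-channel reply and, if it announces an auxiliary
    port, open a window for exactly that client/host/port tuple."""
    parsed = parse_pasv(control_reply)
    if parsed is None:
        return None
    host, port = parsed
    acl.open_window(client_ip, host, port, now)
    return parsed


if __name__ == "__main__":
    # Constructed sample: an internal FTP server announcing port 50000.
    acl = DynamicAcl(ttl=5.0)
    print(allow_auxiliary(acl, "198.51.100.7",
                          "227 Entering Passive Mode (10,0,0,5,195,80)", now=100.0))
    print(acl.permits("198.51.100.7", "10.0.0.5", 50000, now=101.0))
```

The two checks that matter for least privilege are visible in `permits`: a different external address gets no access even while the window is open, and a window that is never used disappears on its own, so a client that announces a port and then goes away does not leave a standing hole in the perimeter.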
© 2007 Springer-Verlag Berlin Heidelberg
Cite this paper
Kolano, P.Z. (2007). Maintaining High Performance Communication Under Least Privilege Using Dynamic Perimeter Control. In: Biskup, J., López, J. (eds) Computer Security – ESORICS 2007. ESORICS 2007. Lecture Notes in Computer Science, vol 4734. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74835-9_4
DOI: https://doi.org/10.1007/978-3-540-74835-9_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74834-2
Online ISBN: 978-3-540-74835-9