Topic
Context-based access control
About: Context-based access control is a research topic. Over the lifetime, 771 publications have been published within this topic receiving 19232 citations. The topic is also known as: CBAC.
Papers published on a yearly basis
Papers
Patent•
6 Nov 2003
TL;DR: In this paper, the authors proposed a firewall that achieves maximum network security and maximum user convenience by employing envoys that exhibit the security robustness of prior-art proxies and the transparency and ease-of-use of packet filters, combining the best of both worlds.
Abstract: The present invention provides a firewall that achieves maximum network security and maximum user convenience. The firewall employs “envoys” that exhibit the security robustness of prior-art proxies and the transparency and ease-of-use of prior-art packet filters, combining the best of both worlds. No traffic can pass through the firewall unless the firewall has established an envoy for that traffic. Both connection-oriented (e.g., TCP) and connectionless (e.g., UDP-based) services may be handled using envoys. Establishment of an envoy may be subjected to a myriad of tests to “qualify” the user, the requested communication, or both. Therefore, a high level of security may be achieved. The usual added burden of prior-art proxy systems is avoided in such a way as to achieve fall transparency-the user can use standard applications and need not even know of the existence of the firewall. To achieve full transparency, the firewall is configured as two or more sets of virtual hosts. The firewall is, therefore, “multi-homed,” each home being independently configurable. One set of hosts responds to addresses on a first network interface of the firewall. Another set of hosts responds to addresses on a second network interface of the firewall. In one aspect, programmable transparency is achieved by establishing DNS mappings between remote hosts to be accessed through one of the network interfaces and respective virtual hosts on that interface. In another aspect, automatic transparency may be achieved using code for dynamically mapping remote hosts to virtual hosts in accordance with a technique referred to herein as dynamic DNS, or DDNS.
751 citations
Patent•
28 May 1998TL;DR: In this article, a pervasive, multilayer firewall includes a policy definition component that accepts policy data that define how the firewall should behave, and a collection of network devices that are used to enforce the defined policy.
Abstract: A system provides for establishing security in a network (10) that includes nodes having security functions operating in multiple protocol layers. Multiple network devices, such as remote access equipment (13), routers (14), switches (12), repeaters (16) and network cards (15) having security functions are configured to contribute to implementation of distributed firewall functions in the network. By distributing firewall functionality throughout many layers of the network in a variety of network devices, a pervasive firewall is implemented. The pervasive, multilayer firewall includes a policy definition component (11) that accepts policy data that define how the firewall should behave. The multilayer firewall also includes a collection of network devices that are used to enforce the defined policy. The security functions operating in this collection of network devices across multiple protocol layers are coordinated by the policy definition component so that particular devices enforce that part of the policy pertinent to their part of the network.
633 citations
1 Nov 2000
TL;DR: This paper presents the design and implementation of a distributed rewall using the KeyNote trust management system to specify, distribute, and resolve policy, and OpenBSD, an open source UNIX operating system.
Abstract: Conventional rewalls rely on topology restrictions and controlled network entry points to enforce traAEc ltering. Furthermore, a rewall cannot lter traAEc it does not see, so, e ectively, everyone on the protected side is trusted. While this model has worked well for small to medium size networks, networking trends such as increased connectivity, higher line speeds, extranets, and telecommuting threaten to make it obsolete. To address the shortcomings of traditional rewalls, the concept of a \distributed rewall" has been proposed. In this scheme, security policy is still centrally de ned, but enforcement is left up to the individual endpoints. IPsec may be used to distribute credentials that express parts of the overall network policy. Alternately, these credentials may be obtained through out-of-band means. In this paper, we present the design and implementation of a distributed rewall using the KeyNote trust management system to specify, distribute, and resolve policy, and OpenBSD, an open source UNIX operating system.
596 citations
Patent•
19 Oct 1998
TL;DR: In this paper, the authors propose a firewall for isolating network elements from a publicly accessible network to which such network elements are attached by assigning a variety of proxy agents that are specifically assigned to an incoming request in accordance with the service protocol (i.e., port number) indicated in the incoming access request.
Abstract: Providing a firewall for isolating network elements from a publicly accessible network to which such network elements are attached. The firewall operates on a stand alone computer connected between the public network and the network elements to be protected such that all access to the protected network elements must go through the firewall. The firewall application running on the stand alone computer is preferably the only application running on that machine. The application includes a variety of proxy agents that are specifically assigned to an incoming request in accordance with the service protocol (i.e., port number) indicated in the incoming access request. An assigned proxy agent verifies the authority of an incoming request to access a network element indicated in the request. Once verified, the proxy agent completes the connection to the protected network element on behalf of the source of the incoming request.
508 citations
7 Mar 2004
TL;DR: A set of techniques and algorithms to automatically discover policy anomalies in centralized and distributed legacy firewalls are presented, implemented in a software tool called the "Firewall Policy Advisor" that simplifies the management of filtering rules and maintains the security of next-generationFirewalls.
Abstract: Firewalls are core elements in network security. However, managing firewall rules, particularly in multi-firewall enterprise networks, has become a complex and error-prone task. Firewall filtering rules have to be written, ordered and distributed carefully in order to avoid firewall policy anomalies that might cause network vulnerability. Therefore, inserting or modifying filtering rules in any firewall requires thorough intra- and inter-firewall analysis to determine the proper rule placement and ordering in the firewalls. We identify all anomalies that could exist in a single- or multi-firewall environment. We also present a set of techniques and algorithms to automatically discover policy anomalies in centralized and distributed legacy firewalls. These techniques are implemented in a software tool called the "Firewall Policy Advisor" that simplifies the management of filtering rules and maintains the security of next-generation firewalls.
454 citations
Related Topics (5)
Performance Metrics
| Year | Papers |
|---|---|
| 2025 | 2 |
| 2024 | 4 |
| 2023 | 12 |
| 2022 | 19 |
| 2021 | 1 |
| 2020 | 5 |