Implementing a Distributed Firewall

Short Description
distributed firewall using the KeyNote trust management system …. To implement a distributed firewall, three components are neces- …

Website: www1.cs.columbia.edu | Filesize: 94kb

Content
Implementing a Distributed Firewall..
Sotiris Ioannidis
Univ. of Pennsylvania
sotiris@dsl.cis.upenn.edu
Angelos D. Keromytis
Univ. of Pennsylvania
adk@adk.gr
Steve M. Bellovin
AT&T Labs - Research
smb@research.att.com
Jonathan M. Smith
Univ. of Pennsylvania
jms@cis.upenn.edu
ABSTRACT
Conventional firewalls rely on topology restrictions and controlled
network entry points to enforce traffic filtering. Furthermore, a
firewall cannot filter traffic it does not see, so, effectively, everyone
on the protected side is trusted. While this model has worked
well for small to medium size networks, networking trends such as
increased connectivity, higher line speeds, extranets, and telecommuting
threaten to make it obsolete.
To address the shortcomings of traditional firewalls, the concept
of a “distributed firewall” has been proposed. In this scheme, security
policy is still centrally defined, but enforcement is left up to the
individual endpoints. IPsec may be used to distribute credentials
that express parts of the overall network policy. Alternately, these
credentials may be obtained through out-of-band means.
In this paper, we present the design and implementation of a
distributed firewall using the KeyNote trust management system
to specify, distribute, and resolve policy, and OpenBSD, an open…