Name-Level Approach for Egress Network Access Control

• Published in: Lecture notes in computer science pp. 284 - 296
• Main Authors: Suzuki, Shinichi, Shinjo, Yasushi, Hirotsu, Toshio, Kato, Kazuhiko, Itano, Kozo
• Format: Book Chapter Conference Proceeding
• Language: English
• Published: Berlin, Heidelberg Springer Berlin Heidelberg 2005; Springer
• Series: Lecture Notes in Computer Science
• Subjects: Access Control Policy; Applied sciences; Computer science; control theory; systems; Computer systems and distributed systems. User interface; Exact sciences and technology; External Server; Port Number; Software; Transaction Signature; Wild Card; Access control; Brain; Database query; Web service; Router; Distributed system; Transaction processing; Communication network; Information browsing; Filter; Authentication; World wide web; Internet; Artificial intelligence
• ISBN: 3540253386; 9783540253389; 3540253394; 9783540253396
• ISSN: 0302-9743; 1611-3349
• DOI: 10.1007/978-3-540-31957-3_35

Conventional egress network access control (NAC) at the network layer has two problems. Firstly, wild card “*” is not allowed for a policy. Secondly, we have to run a Web browser for authentication even if we do not use the Web. To solve these problems, this paper proposes a name-level method for egress NAC. Since it evaluates the policy at the DNS server, this method enables a wild card to be used in the policy. Since each DNS query message carries user identification by using Transaction Signature (TSIG), the authentication for any service is performed without Web browsers. The DNS server configures a packet filter dynamically to pass authorized packets. This paper describes the implementation of the DNS server, the packet filter, and the resolver of the method. Experimental results show that the method scales up to 160 clients with a DNS server and a router.