Academic Commons

Articles

Path-based Access Control for Enterprise Networks

Burnside, Matthew Spindel; Keromytis, Angelos D.

Enterprise networks are ubiquitious and increasingly complex. The mechanisms for defining security policies in these networks have not kept up with the advancements in networking technology. In most cases, system administrators define policies on a per-application basis, and subsequently, these policies do not interact. For example, there is no mechanism that allows a web server to communicate decisions based on its ruleset to a firewall in front of it, even though decisions being made at the web server may be relevant to decisions at the firewall. In this paper, we describe a path-based access control system for service-oriented architecture (SOA)-style networks which allows services to pass access-control-related information to neighboring services, as the services process requests from outsiders and from each other. Path-based access control defends networks against a class of attacks wherein individual services make correct access control decisions but the resulting global network behavior is incorrect. We demonstrate the system in two forms, using graph-based policies and by leveraging the KeyNote trust management system.

Subjects

Files

Also Published In

Title
Information security: 11th international conference, ISC 2008, Taipei, Taiwan, September 15-18, 2008: proceedings
DOI
https://doi.org/10.1007/978-3-540-85886-7_13

More About This Work

Academic Units
Computer Science
Publisher
Springer
Series
Lecture Notes in Computer Science, 5222
Published Here
March 9, 2012
Academic Commons provides global access to research and scholarship produced at Columbia University, Barnard College, Teachers College, Union Theological Seminary and Jewish Theological Seminary. Academic Commons is managed by the Columbia University Libraries.