Policy based access control framework for large networks

Authors (3): Duan Haixin, Wu Jianping, Li Xing (Network Research Center, Tsinghua University, Beijing, China)

This paper focuses on the management and throughput of firewalls (or screening routers) deployed in transit networks. On the one hand, manual configuration of a large number of firewalls distributed across many access points cannot meet global security requirements in an open and dynamic environment. On the other hand, the sequential lookup of filtering rules in each individual firewall greatly reduces throughput. Aimed at a typical transit network and its security policy requirements, a policy-based access control framework (PACF) is proposed. The framework is based on three levels of abstract access control policy: organizational access control policy (OACP), global access control policy (GACP) and local access control policy (LACP). The GACP, derived from the results of IDSes and search engines according to the OACP, is automatically and dynamically distributed to firewalls as LACPs, and each LACP is then enforced by an individual firewall. Key algorithms for distributing the GACP and enforcing the LACP are described. A hash-based algorithm is proposed for looking up filtering rules in an LACP. In an environment with the policy requirements described in this paper, the new algorithm reduces the time complexity of lookup from O(N) for the traditional sequential algorithm to O(1), which greatly increases firewall throughput.
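The abstract contrasts the O(N) sequential rule scan with an O(1) hash-based lookup but gives no code. The following added example (not from the paper) illustrates the idea under one assumption the paper does not spell out: every rule in the local policy is an exact match on a fixed key, here (source /24 prefix, destination host, protocol, destination port), so the rule list can be hashed once at distribution time and each packet resolved with a single table probe. The rule set and packets are constructed sample data.

```python
import ipaddress

# Constructed sample LACP for one firewall: (src /24, dst host, proto, dport, action).
# Assumption (not from the paper): rules are exact matches on this key, which is
# what lets a hash table replace the ordered list. First matching rule wins.
RULES = [
    ("10.1.1.0/24", "192.0.2.10", "tcp", 80, "permit"),
    ("10.1.2.0/24", "192.0.2.10", "tcp", 443, "permit"),
    ("10.1.3.0/24", "192.0.2.20", "udp", 53, "deny"),
    ("10.1.4.0/24", "192.0.2.30", "tcp", 22, "permit"),
]
DEFAULT_ACTION = "deny"  # implicit final rule


def rule_key(src_prefix, dst, proto, dport):
    return (ipaddress.ip_network(src_prefix), ipaddress.ip_address(dst), proto, dport)


def packet_key(src, dst, proto, dport):
    """Map a packet onto the rule key shape: strict=False drops the host bits of src."""
    src_net = ipaddress.ip_network(f"{src}/24", strict=False)
    return (src_net, ipaddress.ip_address(dst), proto, dport)


def sequential_lookup(rules, pkt):
    """Traditional ordered scan: returns (action, rules compared), O(N) in the worst case."""
    key = packet_key(*pkt)
    compares = 0
    for src, dst, proto, dport, action in rules:
        compares += 1
        if rule_key(src, dst, proto, dport) == key:
            return action, compares
    return DEFAULT_ACTION, compares


def build_hash_table(rules):
    """Hash the rules once when the LACP is distributed; keep the earliest rule per key."""
    table = {}
    for src, dst, proto, dport, action in rules:
        table.setdefault(rule_key(src, dst, proto, dport), action)
    return table


def hash_lookup(table, pkt):
    """One dictionary probe per packet regardless of rule count: O(1) expected."""
    return table.get(packet_key(*pkt), DEFAULT_ACTION), 1


def lookups_agree(rules, packets):
    """Sanity check: the hashed policy must decide every packet exactly as the scan does."""
    table = build_hash_table(rules)
    return all(sequential_lookup(rules, p)[0] == hash_lookup(table, p)[0] for p in packets)
```

For the last rule in the list the sequential scan reports 4 comparisons while the hash lookup always reports 1; a packet that matches no rule still costs the scan a full pass.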

Published in: Proceedings of the IEEE International Conference on Networks (ICON 2000)

Date of Conference: 2000