PLoP2004_ndelessygassant0_0.doc

Moreover, traditional network firewalls (application layer firewalls or packet filters) do not make it possible to define high-level rules (role-based or individual-based rules) that could make the implementation of business security policies easier and simpler.

Forces

There may be many users (subjects) that need to access an application in different ways; the firewall must adapt to this variety.
There are many ways to filter application inputs; we need to separate the filtering code from the application code.
There may be numerous applications that require different levels of security; we need to define appropriate policies for each application.
Business policies change constantly and need to be updated constantly; hence it should be easy to change the firewall's filtering configuration.
The number of users and applications may increase significantly; adding users or applications should be transparent and done at a reasonable cost.
Network firewalls cannot understand the semantics of applications and are therefore unable to filter out potentially harmful messages.

Solution

Interpose a firewall that analyzes incoming requests for application services and checks them for authorization. A client can access a service of an application only if a specific policy authorizes it to do so. Policies for each application are centralized within the Application Firewall and are accessed through a PolicyAuthorizationPoint. Each application is accessed by a client through a PolicyEnforcementPoint that enforces access control by looking for a matching policy in the PolicyBase. This enforcement may include authenticating the client through its identity data stored in the IdentityBase.

Class diagram

Figure 2 shows the class diagram for the Application Firewall. Classes Client and Service have the usual meaning. A Client accesses a service provided by an application. The access requests are controlled by authorization rules (denoted here as policies, to follow the usual industrial notation), represented by class Policy. Policies are collected in a policy base (PolicyBase). The firewall consists of one PolicyAuthorizationPoint, which centralizes the definition of the policies and identities throughout the institution, and several PolicyEnforcementPoints, which actually check the accesses to the applications.
Figure 2: Class diagram for the Application Firewall (case when the policies are described through roles)

The enterprise applications are represented by the class Application, which is made up of Services. A service is identified by a serviceId, which is usually a URI or a URL.

[Figure 2, classes and members recoverable from the diagram: Client (id, credentials), which communicatesThrough a PolicyEnforcementPoint; Application, composed of Service (serviceId, executeService()); PolicyEnforcementPoint (interceptMessage(), controlAccess(url, id, credentials)), which performs checkAccess against the PolicyAuthorizationPoint; PolicyAuthorizationPoint (authenticate(), grantAccess(), log(), definePolicy(), defineUser(), defineRole(), removeUser(), removeRole()), which holds a PolicyBase and an IdentityBase; Identity (id, credentials, roles); Policy (serviceId, role).]
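The following is an added worked example of the Solution and the class diagram above; it is not code from the paper. It keeps the paper's class and operation names (PolicyAuthorizationPoint, PolicyEnforcementPoint, PolicyBase, IdentityBase, Identity, Policy, interceptMessage, controlAccess, grantAccess) and adds the details the paper leaves open, all of which are assumptions: credentials are passwords stored as salted PBKDF2 hashes, a request is a small dict carrying url, id and credentials, a Policy matches on (serviceId, role), and access is denied unless some policy grants the client's role the requested serviceId. The users, roles, services and passwords are constructed sample data.

```python
"""Application Firewall pattern (PAP/PEP split), added example with assumed details."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Identity:
    id: str
    salt: bytes
    credential_hash: bytes          # assumed: salted PBKDF2 of a password
    roles: set = field(default_factory=set)


@dataclass(frozen=True)
class Policy:
    serviceId: str                   # URL of the service, as in Figure 2
    role: str                        # role allowed to invoke it


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityBase:
    def __init__(self): self._ids = {}
    def add(self, ident): self._ids[ident.id] = ident
    def remove(self, id_): self._ids.pop(id_, None)
    def get(self, id_): return self._ids.get(id_)


class PolicyBase:
    def __init__(self): self._policies = set()
    def add(self, policy): self._policies.add(policy)
    def roles_for(self, service_id):          # roles some policy grants this service
        return {p.role for p in self._policies if p.serviceId == service_id}


class PolicyAuthorizationPoint:
    """One per institution: central definition of policies and identities, plus audit log."""
    def __init__(self):
        self.policy_base, self.identity_base, self.audit = PolicyBase(), IdentityBase(), []
    def defineUser(self, id_, password):
        salt = os.urandom(16)
        self.identity_base.add(Identity(id_, salt, _hash(password, salt)))
    def defineRole(self, id_, role): self.identity_base.get(id_).roles.add(role)
    def removeUser(self, id_): self.identity_base.remove(id_)
    def removeRole(self, id_, role): self.identity_base.get(id_).roles.discard(role)
    def definePolicy(self, service_id, role): self.policy_base.add(Policy(service_id, role))
    def authenticate(self, id_, password):
        ident = self.identity_base.get(id_)
        if ident is None:
            _hash(password, b"\0" * 16)       # same cost for unknown ids (timing)
            return None
        ok = hmac.compare_digest(_hash(password, ident.salt), ident.credential_hash)
        return ident if ok else None
    def grantAccess(self, ident, service_id):
        # deny by default: allow only if the client holds a role a policy names for this service
        return bool(ident.roles & self.policy_base.roles_for(service_id))
    def log(self, entry): self.audit.append(entry)


class PolicyEnforcementPoint:
    """One in front of each application; every request passes through interceptMessage."""
    def __init__(self, pap, application):
        self.pap, self.application = pap, application   # application: serviceId -> callable
    def interceptMessage(self, request):
        url, id_, creds = request["url"], request["id"], request["credentials"]
        if self.controlAccess(url, id_, creds):
            return self.application[url]()               # executeService()
        return "403 Forbidden"
    def controlAccess(self, url, id_, credentials):
        ident = self.pap.authenticate(id_, credentials)
        decision = ident is not None and self.pap.grantAccess(ident, url)
        self.pap.log((id_, url, "ALLOW" if decision else "DENY"))
        return decision


def demo():
    """Constructed scenario: two users, two services, a policy change at runtime."""
    pap = PolicyAuthorizationPoint()
    pap.defineUser("alice", "correct horse"); pap.defineRole("alice", "accountant")
    pap.defineUser("bob", "hunter2");         pap.defineRole("bob", "clerk")
    pap.definePolicy("/payroll/run", "accountant")
    pap.definePolicy("/payroll/view", "accountant")
    pap.definePolicy("/payroll/view", "clerk")
    pep = PolicyEnforcementPoint(pap, {"/payroll/run": lambda: "payroll executed",
                                       "/payroll/view": lambda: "payroll report"})
    req = lambda url, id_, pw: pep.interceptMessage({"url": url, "id": id_, "credentials": pw})
    results = {
        "alice_run": req("/payroll/run", "alice", "correct horse"),
        "bob_run": req("/payroll/run", "bob", "hunter2"),          # clerk lacks the role
        "bob_view": req("/payroll/view", "bob", "hunter2"),
        "bob_bad_password": req("/payroll/view", "bob", "wrong"),
        "no_policy": req("/admin", "alice", "correct horse"),      # no policy -> deny
    }
    pap.removeRole("bob", "clerk")                                  # policy change, no PEP redeploy
    results["bob_view_after_revoke"] = req("/payroll/view", "bob", "hunter2")
    return results, pap.audit


if __name__ == "__main__":
    for k, v in demo()[0].items():
        print(f"{k}: {v}")
```

The point of the split is visible in demo(): the PolicyEnforcementPoint never holds policy or identity data of its own, so revoking a role at the PolicyAuthorizationPoint takes effect on the next request, and a service with no policy at all is refused rather than reaching the application.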