CODO has several desirable characteristics:

Quality owner test. Through the exchange of information about firewalls and applications, the FA and the CL have up-to-date and sufficient knowledge to avoid owner test errors. Since the FA knows which (IP, port) pairs an authorized application is using at any given moment, it knows the exact binding between an (IP, port) pair and the application using that endpoint address. Therefore, CODO can avoid owner test errors caused by incorrect bindings from (IP, port) pairs to owner applications. Also, the CL's knowledge about the firewall enables it to refresh or recreate the firewall's state appropriately. This helps avoid false-negative owner tests, which occur when the firewall flushes the state of connections that have been inactive for a while.

Narrow and short opening. The FA adds firewall rules with no wildcards. In other words, rules are specified with a specific (protocol, source IP, source port, destination IP, destination port). This means that (1) a rule is added to the firewall only when there is an authorized pair of client and server, and (2) only the intended client and server can traverse the firewall using the rule. In addition, to limit the lifetime of firewall rules as much as possible, the FA deletes the rules it adds as soon as the stateful firewall has created the necessary state (i.e. stateful rules) to allow subsequent packets to traverse. Therefore, with CODO, firewall openings are as narrow and as short-lived as possible.

Flexible control. CODO uses X.509 certificates to authenticate and authorize applications. This makes CODO very flexible and able to enforce various security policies. For example, CODO can differentiate between versions or implementations of an application. If a vendor's implementation of an application turns out to be vulnerable to a dangerous attack, it can be given a different certificate from other implementations and disallowed from communicating with the outside world.

Inbound and outbound control. CODO controls outbound communications as well as inbound. With CODO, only authorized clients and servers can communicate with the outside world.

Easy deployment. The CL interface is almost the same as the Berkeley socket API. In fact, CODO functions take the same arguments as their Berkeley socket counterparts. This allows applications to be integrated with CODO easily.

4. Connection procedure

With CODO, applications call CODO functions. The call sequence is the same as with a Berkeley socket. For instance, a server creates a TCP socket, binds it to an address, makes it passive, and accepts connections from clients. A client creates a TCP socket,
Figure 3: Firewall-to-firewall connection. Both networks allow neither inbound nor outbound communications. The client and server FA add firewall rules for outbound and inbound communications, respectively.