13th Annual Computer Security Applications Conference (ACSAC '97)
Domain and type enforcement firewalls
San Diego, CA
December 8-12, 1997
ISBN: 0-8186-8274-4
BibTeX:
@article{10.1109/CSAC.1997.646182,
  author    = {K.A. Oostendorp and L. Badger and C.D. Vance and W.G. Morrison and M.J. Petkac and D.L. Sherman and D.F. Sterne},
  title     = {Domain and type enforcement firewalls},
  journal   = {Computer Security Applications Conference, Annual},
  volume    = {0},
  year      = {1997},
  isbn      = {0-8186-8274-4},
  pages     = {122},
  doi       = {http://doi.ieeecomputersociety.org/10.1109/CSAC.1997.646182},
  publisher = {IEEE Computer Society},
  address   = {Los Alamitos, CA, USA},
}
Abstract:
Internet-connected organizations often employ an Internet firewall to mitigate the risks of system penetration, data theft, data destruction, and other security breaches. Conventional Internet firewalls, however, impose an overly simple inside-vs.-outside model of security that is incompatible with many business practices that require extending limited trust to external entities. This paper reports on our experience with an enhanced-security firewall based on Domain and Type Enforcement (DTE), a strong but flexible form of access control. A DTE firewall provides several benefits. First, it runs application-level proxies in restrictive domains, thereby increasing security, and runs network services such as HTTP and FTP under DTE controls, thereby reducing the risk that network-based attacks will compromise local resources. Second, a DTE firewall coordinates role-based security policies that span networks by passing DTE security attributes between DTE clients and servers. These attributes allow the security policies at the endpoints to be coordinated; such coordination adds defense in depth to the traditional firewall security perimeter and permits the safe exportation of normally risky services such as NFS. Finally, a DTE firewall interoperates with "non-DTE" systems and associates DTE security attributes with those systems so that their interaction with DTE clients or servers can be controlled. We describe the design of a prototype DTE firewall system and informally evaluate its security, compatibility, functionality, and performance.
Index Terms:
Internet; type enforcement firewalls; Internet connected organizations; Internet firewall; system penetration; security breaches; business practices; external entities; Domain and Type Enforcement; access control; DTE firewall; application level proxies; restrictive domains; network services; HTTP; FTP; network based attacks; local resources; role based security policies; DTE security attributes; DTE clients; servers; security policies
Citation:
K.A. Oostendorp, L. Badger, C.D. Vance, W.G. Morrison, M.J. Petkac, D.L. Sherman, D.F. Sterne, "Domain and type enforcement firewalls," in 13th Annual Computer Security Applications Conference (ACSAC '97), San Diego, CA, December 1997, pp. 122.
