Parallel and Distributed Computing, International Symposium on (2009)
June 30, 2009 to July 4, 2009
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/ISPDC.2009.29
To secure communication in Grids many efforts have been made regarding authentication and authorization. Due to some application requirements it is up to now recommended to open wide port ranges on firewalls. This configuration is commonly accepted as insecure. We present an approach to enhance the security of firewalled Grid components by a new method to dynamically authorize TCP connections on firewalls. The authorization decision relies on the authenticated identity of users or conveyed attribute assertions. Authentication information is transferred within the TCP three-way-handshake. To distinguish the authentication information from application data a new TCP option tcpauthn is introduced. The new method TCP-AuthN leads to a new paradigm in firewall operation as the firewall comes to the final decision to allow or reject/deny a connection after the third segment of the TCP three-way-handshake is verified. The firewall denies/rejects each connection on an individual basis depending on the user's proven identity.
Firewall, Grid, Security, Authentication
J. Wiebelitz, C. Grimm, S. Piger and C. Kunz, "TCP-AuthN: TCP Inline Authentication to Enhance Network Security in Grid Environments," 2009 Eighth International Symposium on Parallel and Distributed Computing (ISPDC), Lisbon, 2009, pp. 237-240.