n South African Computer Journal - Semantics, implementation and performance of dynamic access lists for TCP/IP packet filtering : research article
|Article Title||Semantics, implementation and performance of dynamic access lists for TCP/IP packet filtering : research article|
|© Publisher:||South African Computer Society (SAICSIT)|
|Journal||South African Computer Journal|
|Publication Date||Dec 2004|
|Pages||38 - 51|
|Keyword(s)||Dynamic rules, Firewalls and TCP/IP filtering|
The use of IP filtering to improve system security is well established, and although limited in what it can achieve has proved to be efficient and effective. In the design of a security policy there is always a trade-off between usability and security. Static access lists make finding a balance particularly stark. Dynamic access lists would allow the rules to change for short periods of time, and to allow local changes by non-experts. The network administrator can set basic security guide-lines which allow certain basic services only. All other services are restricted, but users are able to request temporary exceptions in order to allow additional access to the network. These exceptions are granted depending on the privileges of the user. The paper presents and justifies a semantics for dynamic access lists. An efficient method of implementing the dynamic semantics is proposed and experimentally validated. The experiments show that a useful dynamic semantics can be implemented with small memory costs and modest time costs.
Article metrics loading...