
Research On Security In Role-based Policy Communication Mechanism Based Embedded Firewall

Posted on: 2007-04-29
Degree: Master
Type: Thesis
Country: China
Candidate: Y Hu
GTID: 2178360185459886
Subject: Computer applications

Abstract/Summary:
This thesis studies network security and performance problems that arise when centrally managing the distributed client network interface cards (NICs) that each act as an individual firewall in an Embedded Firewall environment. Manually configuring a large number of distributed firewalls, which serve as the access control enforcement points, cannot meet global security requirements in an open and dynamic environment, and it places a heavy burden on the administrator. Different clients may need different restrictive access rules according to their quite different security levels, and these rules need to be generated centrally. Network throughput is closely related to the efficiency of access control enforcement in each client firewall NIC.

A new security problem appears once a policy communication mechanism is introduced into such an embedded firewall environment: how to secure the distribution of policy, on which the correctness of policy enforcement in the Embedded Firewall depends. This includes how to ensure the authenticity of the applicants and the server, how to prevent senders from denying the services they provided to users during policy communication between the policy server and the client NICs, and how to achieve confidentiality and integrity of the policy during the process. The thesis addresses all of these issues, including how to generate secure access policy rules centrally and how to carry out secure policy distribution efficiently.

This thesis proposes a role-based access control policy framework. A policy server creates a security policy for every client in the system and distributes it using a new kind of X.509 attribute certificate that carries a policy rule set item. The thesis then describes the policy definitions, the algorithms for generating role policies and for distributing each user's role policy, a hash-based algorithm for filtering-rule lookup, and the design of the policy attribute certificate, which together make up the policy framework and its enforcement.

In addition, a security model with embedded authentication and role-based access control is proposed to solve these problems. The model is based on an embedded PKI, which provides NIC device-level security authentication that is independent of the hosts, and a role-based PMI, which is responsible for role-based access control.
Keywords/Search Tags: Distributed Embedded Firewall, Policy Server, Public Key Infrastructure, Privilege Management Infrastructure, Network Simulation