
Application Of PMI In The Distributed Firewall

Posted on: 2008-11-14
Degree: Master
Type: Thesis
Country: China
Candidate: X J Chi
Full Text: PDF
GTID: 2178360212493595
Subject: Systems analysis and integration
Abstract/Summary:
With the development of computer network technology, governments, organizations, families and individuals alike obtain resources and share information through the Internet, so the problem of network and information security has become increasingly prominent. Conventional firewalls rely on the notions of a restricted topology and controlled entry points to function. More precisely, they rely on the assumption that everyone on one side of the entry point (the firewall) is to be trusted, and that anyone on the other side is, at least potentially, an enemy. To remove this shortcoming of conventional firewalls, the concept of the distributed firewall was proposed. In a distributed firewall, security policy is still centrally defined, but enforcement is left to the individual endpoints. The distributed firewall solves many of the problems of conventional firewalls and meets the needs of network development.

This thesis first introduces the notion of distributed firewalls, then describes their basic theory: fundamentals, essential characteristics and architecture. After that we analyze distributed firewalls that rely on KeyNote. The KeyNote trust-management model uses a user's public key as the user's identity, and users obtain policy according to their identity certificates. Policy is written for one public key or a set of public keys, so whenever a user's authorization changes, every policy that refers to that user must be modified, which makes policy management complex. The problem is solved when policy is written for the role of a user and users obtain policy according to an attribute certificate: if users are bound to roles and roles to policy, then a change in a user's authorization requires no change to the policy, only the issuance of a new attribute certificate.

PMI (Privilege Management Infrastructure) is designed as a general authorization-management and service platform for different access control policies and mechanisms. It uses attribute certificates to represent and carry a subject's privileges, and manages privileges by issuing and updating attribute certificates. This mechanism is independent of any particular application, so PMI is suitable for authorization management in a variety of access control systems. We therefore bring PMI into the distributed firewall to define policy and to issue an attribute certificate to every user; the host decides whether to accept a visitor according to the information contained in the attribute certificate.

This thesis proposes a model of a distributed firewall based on PMI and gives a realization of the host component and of the privilege management infrastructure. In the host-based access control model, the host's layered network protocol stack is modified: a security access-control layer is inserted between the data link layer and the IP layer, so that it controls all packets that pass through the host's protocol stack, both incoming and outgoing. The privilege management infrastructure supplies the security data on which that control is based.
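The following is an added example, not code from the thesis, that models the host-side decision the abstract describes: policy is keyed by role, an attribute certificate binds a user's public key to a role, and the host's access-control layer admits a packet only if the certificate verifies, belongs to the packet's sender, and the role's policy permits the protocol and port. Assumptions: the Attribute Authority's signature is stood in for by an HMAC over the certificate fields (a real PMI uses X.509 attribute certificates signed with the AA's private key), the packet is a small dict whose `src_pubkey` is assumed to have been authenticated by a lower layer, and the role names, ports and keys are constructed for the example. The `reauthorize` function shows the abstract's central point: changing a user's privilege issues a new certificate and leaves `ROLE_POLICY` untouched.

```python
"""Role-based packet admission at a distributed-firewall host (added example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed secret of the Attribute Authority (AA). A real PMI signs
# X.509 attribute certificates with the AA's private key; HMAC stands in
# for that signature so the example runs with the standard library only.
AA_KEY = b"constructed-attribute-authority-secret"

# Centrally defined policy, keyed by ROLE rather than by user public key.
# (proto, dport) pairs a holder of the role may reach on this host.
ROLE_POLICY = {
    "admin": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "staff": {("tcp", 80), ("tcp", 443)},
    "guest": {("tcp", 80)},
}


@dataclass(frozen=True)
class AttributeCertificate:
    holder: str      # identifier of the holder's public key (SHA-256 hex)
    role: str        # privilege attribute carried by the certificate
    serial: int      # lets the AA supersede or revoke an earlier certificate
    not_after: int   # end of validity as a UNIX timestamp
    sig: bytes       # AA "signature" (HMAC here) over the fields above


def _to_be_signed(holder, role, serial, not_after):
    return json.dumps([holder, role, serial, not_after]).encode()


def issue_ac(aa_key, holder, role, serial, not_after):
    """AA step: bind a public-key identifier to a role for a limited time."""
    sig = hmac.new(aa_key, _to_be_signed(holder, role, serial, not_after),
                   hashlib.sha256).digest()
    return AttributeCertificate(holder, role, serial, not_after, sig)


def verify_ac(aa_key, ac, now):
    """Host step: reject forged, tampered or expired certificates."""
    expected = hmac.new(aa_key,
                        _to_be_signed(ac.holder, ac.role, ac.serial, ac.not_after),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, ac.sig) and now <= ac.not_after


def key_id(pubkey: bytes) -> str:
    return hashlib.sha256(pubkey).hexdigest()


def host_accept(packet, ac, now, aa_key=AA_KEY, revoked_serials=frozenset()):
    """Decision of the host's access-control layer for one packet.

    packet: dict with 'src_pubkey' (bytes, assumed authenticated by a lower
    layer such as IPsec), 'proto' and 'dport'. ac: the sender's attribute
    certificate, or None if none was presented.
    """
    if ac is None:
        return False                      # no privilege presented
    if not verify_ac(aa_key, ac, now):
        return False                      # forged, tampered or expired
    if ac.serial in revoked_serials:
        return False                      # AA withdrew this certificate
    if ac.holder != key_id(packet["src_pubkey"]):
        return False                      # certificate belongs to someone else
    return (packet["proto"], packet["dport"]) in ROLE_POLICY.get(ac.role, set())


def reauthorize(aa_key, old_ac, new_role, now, ttl=86400):
    """Change a user's privilege by issuing a new AC; ROLE_POLICY is untouched."""
    return issue_ac(aa_key, old_ac.holder, new_role, old_ac.serial + 1, now + ttl)


if __name__ == "__main__":
    alice = b"alice-constructed-pubkey"
    now = 1_700_000_000
    staff_ac = issue_ac(AA_KEY, key_id(alice), "staff", 1, now + 3600)
    print(host_accept({"src_pubkey": alice, "proto": "tcp", "dport": 22}, staff_ac, now))
    admin_ac = reauthorize(AA_KEY, staff_ac, "admin", now)
    print(host_accept({"src_pubkey": alice, "proto": "tcp", "dport": 22}, admin_ac, now))
```

Contrast this with a KeyNote-style per-key policy: there the same promotion would mean editing every policy entry that names Alice's key on every host, whereas here the hosts' policy is static and only the certificate that Alice presents changes. The revocation set is the one piece of state a host still needs from the AA; without it the superseded `staff` certificate stays valid until `not_after`.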
Keywords/Search Tags:Distributed Firewall, Privilege Management Infrastructure, Attribute Certificate