Gregor R. Krmelj, M. Pancur, M. Grohar, M. Ciglarič
Proceedings of the Central European Cybersecurity Conference 2018, published 15 November 2018.
DOI: 10.1145/3277570.3277574 (https://doi.org/10.1145/3277570.3277574)
OpenSPA - An Open and Extensible Protocol for Single Packet Authorization
Applications are vulnerable. Opening such applications to the Internet creates a large attack surface for potential exploitation. The use of common network defenses such as firewalls helps mitigate the risks; however, the possibility of a secure, scalable system that grants network access to a service purely by identifying a device through a static IP address is a delusion. Firewalls need to improve to support dynamic allocation of device access. Such a technique would allow services to be hidden from the general public, who are not authorized to access them, while at the same time allowing authorized users global connectivity. Single Packet Authorization (SPA) is an approach, built on firewall functionality, which hides services from unauthorized users and helps mitigate common network attacks such as Distributed Denial of Service (DDoS) attacks by stopping them earlier in the network stack. In this paper we introduce OpenSPA, a SPA protocol suitable for deployment in various complex networking environments and flexible enough to support different network policies, with support for IPv6 as well as extensible support for custom user-programmable authentication, authorization and firewall logic.