T. Jaeger, Dave King, Kevin R. B. Butler, Serge E. Hallyn, Joy Latten, Xiaolan Zhang
{"title":"利用IPsec进行强制逐包访问控制","authors":"T. Jaeger, Dave King, Kevin R. B. Butler, Serge E. Hallyn, Joy Latten, Xiaolan Zhang","doi":"10.1109/SECCOMW.2006.359530","DOIUrl":null,"url":null,"abstract":"Mandatory access control (MAC) enforcement is becoming available for commercial environments. For example, Linux 2.6 includes the Linux security modules (LSM) framework that enables the enforcement of MAC policies (e.g., type enforcement or multi-level security) for individual systems. While this is a start, we envision that MAC enforcement should span multiple machines. The goal is to be able to control interaction between applications on different machines based on MAC policy. In this paper, we describe a recent extension of the LSM framework that enables labeled network communication via IPsec that is now available in mainline Linux as of version 2.6.16. This functionality enables machines to control communication with processes on other machines based on the security label assigned to an IPsec security association. We outline a security architecture based on labeled IPsec to enable distributed MAC authorization. In particular, we examine the construction of a xinetd service that uses labeled IPsec to limit client access on Linux 2.6.16 systems. We also discuss the application of labeled IPsec to distributed storage and virtual machine access control","PeriodicalId":156828,"journal":{"name":"2006 Securecomm and Workshops","volume":"37 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2006-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"16","resultStr":"{\"title\":\"Leveraging IPsec for Mandatory Per-Packet Access Control\",\"authors\":\"T. Jaeger, Dave King, Kevin R. B. Butler, Serge E. Hallyn, Joy Latten, Xiaolan Zhang\",\"doi\":\"10.1109/SECCOMW.2006.359530\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Mandatory access control (MAC) enforcement is becoming available for commercial environments. For example, Linux 2.6 includes the Linux security modules (LSM) framework that enables the enforcement of MAC policies (e.g., type enforcement or multi-level security) for individual systems. While this is a start, we envision that MAC enforcement should span multiple machines. The goal is to be able to control interaction between applications on different machines based on MAC policy. In this paper, we describe a recent extension of the LSM framework that enables labeled network communication via IPsec that is now available in mainline Linux as of version 2.6.16. This functionality enables machines to control communication with processes on other machines based on the security label assigned to an IPsec security association. We outline a security architecture based on labeled IPsec to enable distributed MAC authorization. In particular, we examine the construction of a xinetd service that uses labeled IPsec to limit client access on Linux 2.6.16 systems. We also discuss the application of labeled IPsec to distributed storage and virtual machine access control\",\"PeriodicalId\":156828,\"journal\":{\"name\":\"2006 Securecomm and Workshops\",\"volume\":\"37 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2006-08-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"16\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2006 Securecomm and Workshops\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/SECCOMW.2006.359530\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2006 Securecomm and Workshops","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SECCOMW.2006.359530","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Leveraging IPsec for Mandatory Per-Packet Access Control
Mandatory access control (MAC) enforcement is becoming available for commercial environments. For example, Linux 2.6 includes the Linux security modules (LSM) framework that enables the enforcement of MAC policies (e.g., type enforcement or multi-level security) for individual systems. While this is a start, we envision that MAC enforcement should span multiple machines. The goal is to be able to control interaction between applications on different machines based on MAC policy. In this paper, we describe a recent extension of the LSM framework that enables labeled network communication via IPsec that is now available in mainline Linux as of version 2.6.16. This functionality enables machines to control communication with processes on other machines based on the security label assigned to an IPsec security association. We outline a security architecture based on labeled IPsec to enable distributed MAC authorization. In particular, we examine the construction of a xinetd service that uses labeled IPsec to limit client access on Linux 2.6.16 systems. We also discuss the application of labeled IPsec to distributed storage and virtual machine access control
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
