Transparent identity-based firewall transition for eScience

2009 
As new eScience concepts such as Grid computing and Cloud computing leave the research phase and mature towards production quality, security eventually comes into focus. So far, security research in this area has concentrated on authentication and authorization at the resources themselves, but to improve network security more generally, access control must be pushed back to the entry point of the resource provider's network. This paper presents TCP-AuthN, an approach to dynamic firewall operation that uses the TCP three-way handshake to transport the user's authentication information. This information enables firewalls to authorize each connection establishment individually, based on the user's proven identity. To prevent man-in-the-middle and replay attacks, a challenge-response procedure must be completed before the connection is finally allowed. To distinguish the authentication information from application-level data, a new TCP option, tcpauthn, was designed. The presented approach is intended to withdraw the initial authorization decision from the resources, and thus from the internal network, and move it to the firewalls that protect networks and services.
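The abstract describes the mechanism only at a high level: identity travels in a TCP option during the handshake, and the firewall admits the flow only after a challenge-response. The following Python model, written for this page and not the paper's implementation, shows one way such an exchange can work end to end: it serializes and parses TCP options, carries a hypothetical tcpauthn option through SYN, SYN/ACK and ACK, and lets the firewall issue a fresh nonce that the client must answer with an HMAC before the flow is allowed. The option kind (253), the three message types, HMAC-SHA256 over a pre-shared secret, and the binding of the response to a flow identifier are all assumptions; the paper's actual wire format and cryptographic scheme are not given on this page.

```python
import hashlib
import hmac
import os

# Assumed experimental option kind; the page names the option "tcpauthn" but
# gives no kind number or wire format, so this layout is invented for the example.
TCPAUTHN_KIND = 253
MSG_HELLO, MSG_CHALLENGE, MSG_RESPONSE = 1, 2, 3


def build_options(options):
    """Serialize (kind, data) pairs as TCP options, NOP-padded to a 4-byte boundary."""
    out = bytearray()
    for kind, data in options:
        length = 2 + len(data)
        if length > 255:
            raise ValueError("TCP option too long")
        out += bytes([kind, length]) + data
    while len(out) % 4:
        out.append(1)  # NOP
    return bytes(out)


def parse_options(raw):
    """Walk the TCP options area and return {kind: data}; stops at EOL, skips NOP."""
    found = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:          # End of option list
            break
        if kind == 1:          # No-operation, single byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        found[kind] = raw[i + 2:i + length]
        i += length
    return found


class Firewall:
    """Gateway that admits a TCP flow only after an identity-bound challenge-response."""

    def __init__(self, user_keys):
        self.user_keys = user_keys   # user id -> shared secret (provisioning is assumed)
        self.pending = {}            # flow id -> (user, nonce) awaiting a response
        self.allowed = set()

    def on_syn(self, flow, raw_options):
        msg = parse_options(raw_options).get(TCPAUTHN_KIND)
        if not msg or msg[0] != MSG_HELLO:
            return None              # no authentication info: SYN is dropped
        user = msg[1:].decode()
        if user not in self.user_keys:
            return None              # unknown identity: SYN is dropped
        nonce = os.urandom(16)       # fresh per connection attempt
        self.pending[flow] = (user, nonce)
        return build_options([(TCPAUTHN_KIND, bytes([MSG_CHALLENGE]) + nonce)])

    def on_ack(self, flow, raw_options):
        entry = self.pending.pop(flow, None)   # single use: a replayed ACK finds no challenge
        if entry is None:
            return False
        user, nonce = entry
        msg = parse_options(raw_options).get(TCPAUTHN_KIND, b"")
        if not msg or msg[0] != MSG_RESPONSE:
            return False
        expected = hmac.new(self.user_keys[user], nonce + flow.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, msg[1:]):
            self.allowed.add(flow)
            return True
        return False


class Client:
    def __init__(self, user, key):
        self.user, self.key = user, key

    def syn_options(self):
        return build_options([(TCPAUTHN_KIND, bytes([MSG_HELLO]) + self.user.encode())])

    def ack_options(self, flow, raw_synack_options):
        nonce = parse_options(raw_synack_options)[TCPAUTHN_KIND][1:]
        tag = hmac.new(self.key, nonce + flow.encode(), hashlib.sha256).digest()
        return build_options([(TCPAUTHN_KIND, bytes([MSG_RESPONSE]) + tag)])


def run_handshake(client, firewall, flow):
    """Drive SYN / SYN-ACK / ACK through the firewall; returns (admitted, ack_options)."""
    synack = firewall.on_syn(flow, client.syn_options())
    if synack is None:
        return False, None
    ack = client.ack_options(flow, synack)
    return firewall.on_ack(flow, ack), ack


if __name__ == "__main__":
    fw = Firewall({"alice": b"alice-secret"})          # constructed credential store
    ok, ack = run_handshake(Client("alice", b"alice-secret"), fw, "10.0.0.5:40000->10.0.0.9:22")
    print("admitted:", ok, "| replayed ACK accepted:", fw.on_ack("10.0.0.5:40000->10.0.0.9:22", ack))
```

The replay property comes from the firewall consuming its pending challenge when the ACK arrives: the same ACK presented again finds no nonce and is refused, and a fresh nonce per SYN means a response captured earlier never matches a later challenge. A SYN without the option, or with an identity the firewall cannot map to a key, never reaches the challenge stage, which is the point of moving the first authorization decision out to the network entry point.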