A controllable and accountable state-oriented Card-Aided Firewall

Abstract

This paper proposes a new approach, named Card-Aided Firewall (CAF) that combines the simplified firewall and the state-oriented smart card technologies to construct a controllable and accountable Internet access framework. The idea suggests that a client computer, protected by a light-weight firewall, could establish diversified authenticated communication channels, controlled and accounted by “legal” states of the smart card. The program of a smart card is state-oriented or a state machine, which defines a chain of events involving various state transitions. The “legal” states of a smart card program are defined to be legal to communicate with surfing targets. A predefined Access Control List (ACL), stored in the same card, is necessary. An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols. The proposed firewall decides acceptance or rejection messages by matching the current state of the card program and the ACL. In addition, a complete surfing account for tracing back is recorded. It is a by-product of the smart card authentication. The proposed Card-Aided Firewall framework is implemented to demonstrate its effectiveness. The implementation is done at the driver level. It keeps up with the high line speed. The driver takes 39K bytes and works well with other firewalls. The average packet processing time of the CAF driver is 31.74 μs. On the premise of secure authentication within the smart card, the Card-Aided Firewall would facilitate various rapidly growing applications in campus cards, family cards, and employee cards, etc. that require accurate controllability and accountability in the surfing boundary.