Packet level access control scheme for internetwork security

Abstract

Increasing user demands to access resources, such as databases and application programmes, beyond those available in a single network has resulted in the introduction of teleprocessing systems and communication services between networks supported by different organisations. Consequently, the sharing of network resources introduces security threats such as unauthorised reading, modifying, adding or deleting of the contents of resources. It is therefore necessary to implement certain access control mechanisms to protect these resources from unauthorised access. In the paper, an internet access control scheme which operates at the network level (or the packet level) is presented. This scheme allows controlled access to the internal resources of a network, and only trusted systems can gain access to external networks. In this scheme, a secure communication link is established between a requesting machine and the requested remote resource at the initiation of an external session. All the entities, the network gateways and the machines at the end points, along this communication path are authenticated during the initiation process. Any subsequent packets transmitted along this path are also authenticated throughout the session to ensure that they originated from the machine initiating the session. The scheme uses the RSA and the DES security algorithms to implement session initiation and packet origin authentication, respectively. A major issue in internet access control is the distribution of packet keys (which are used for packet authentication purposes) to network entities for each communication session. This problem has been overcome in the scheme by deriving the packet authentication key from the RSA private key of each network entity, using a reference key number concept, and allowing a different packet authentication key for each external session between communicating entities. This eliminates the need to distribute the packet authentication keys, which otherwise could be a major threat to the integrity of an access control scheme. The overheads incurred due to the extra access control procedures have been quantified and are presented in the paper. It was found that the overheads of this scheme are smaller in comparison with the visa scheme [1].