Domain and type enforcement firewalls

Internet connected organizations often employ an Internet firewall to mitigate risks of system penetration, data theft, data destruction, and other security breaches. Conventional Internet firewalls, however, impose an overly simple inside vs outside model of security that is incompatible with many business practices that require extending limited trust to external entities. The paper reports on our experience with an enhanced security firewall based on Domain and Type Enforcement (DTE), a strong but flexible form of access control. A DTE firewall provides several benefits. First, it runs application level proxies in restrictive domains, thereby increasing security, and runs network services such as HTTP and FTP under DTE controls, thereby reducing risks that network based attacks will compromise local resources. Second, a DTE firewall coordinates role based security policies that span networks by passing DTE security attributes between DTE clients and servers. These attributes allow security policies at the endpoints to be coordinated; such coordination adds defense in depth to the traditional firewall security perimeter: this permits safe exportation of normally risky services such as NFS. Finally, a DTE firewall interoperates with "non DTE" systems and associates DTE security attributes with these systems so their interaction with DTE clients or servers can be controlled. We describe the design of a prototype DTE firewall system and informally evaluate its security, compatibility, functionality, and performance.