Sfatables: A firewall-like policy engine for federated systems

Sapan Bhatia; Andy Bavier; Larry Peterson; Soner Sevinc

doi:10.1109/ICDCS.2011.58

Sfatables: A firewall-like policy engine for federated systems

Sapan Bhatia, Andy Bavier, Larry Peterson, Soner Sevinc

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Scopus citations

Abstract

Recent efforts to federate computation and communication resources across organizational boundaries face a challenge in establishing the policies by which one organization's users can access resources in other organizations. This paper describes an approach to defining, communicating, analyzing, and enforcing resource allocation policies in this new setting. Our approach was designed to address the needs of PlanetLab, but we demonstrate through a range of examples that it is general enough to accommodate a diverse collection of computing facilities. Our policy engine is implemented in a specific tool chain, called sfatables, that is patterned after the iptables mechanism used to define packet processing policies for network traffic. The interface to our policy engine thus uses the familiar paradigm of a firewall and provides a flexible interface for resource owners to specify access policies for their resources. Our implementation makes it possible to precisely document policies, query, and analyze them.

Original language	English (US)
Title of host publication	Proceedings - 31st International Conference on Distributed Computing Systems, ICDCS 2011
Pages	467-476
Number of pages	10
DOIs	https://doi.org/10.1109/ICDCS.2011.58
State	Published - 2011
Externally published	Yes
Event	31st International Conference on Distributed Computing Systems, ICDCS 2011 - Minneapolis, MN, United States Duration: Jun 20 2011 → Jul 24 2011

Publication series

Name	Proceedings - International Conference on Distributed Computing Systems

Other

Other	31st International Conference on Distributed Computing Systems, ICDCS 2011
Country/Territory	United States
City	Minneapolis, MN
Period	6/20/11 → 7/24/11

ASJC Scopus subject areas

Software
Hardware and Architecture
Computer Networks and Communications

Access to Document

10.1109/ICDCS.2011.58

Cite this

Sfatables: A firewall-like policy engine for federated systems. / Bhatia, Sapan; Bavier, Andy; Peterson, Larry et al.
Proceedings - 31st International Conference on Distributed Computing Systems, ICDCS 2011. 2011. p. 467-476 5961701 (Proceedings - International Conference on Distributed Computing Systems).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Bhatia, S, Bavier, A, Peterson, L & Sevinc, S 2011, Sfatables: A firewall-like policy engine for federated systems. in Proceedings - 31st International Conference on Distributed Computing Systems, ICDCS 2011., 5961701, Proceedings - International Conference on Distributed Computing Systems, pp. 467-476, 31st International Conference on Distributed Computing Systems, ICDCS 2011, Minneapolis, MN, United States, 6/20/11. https://doi.org/10.1109/ICDCS.2011.58

@inproceedings{541ac5c75b484eb0ad5fab7d13403d07,

title = "Sfatables: A firewall-like policy engine for federated systems",

abstract = "Recent efforts to federate computation and communication resources across organizational boundaries face a challenge in establishing the policies by which one organization's users can access resources in other organizations. This paper describes an approach to defining, communicating, analyzing, and enforcing resource allocation policies in this new setting. Our approach was designed to address the needs of PlanetLab, but we demonstrate through a range of examples that it is general enough to accommodate a diverse collection of computing facilities. Our policy engine is implemented in a specific tool chain, called sfatables, that is patterned after the iptables mechanism used to define packet processing policies for network traffic. The interface to our policy engine thus uses the familiar paradigm of a firewall and provides a flexible interface for resource owners to specify access policies for their resources. Our implementation makes it possible to precisely document policies, query, and analyze them.",

author = "Sapan Bhatia and Andy Bavier and Larry Peterson and Soner Sevinc",

year = "2011",

doi = "10.1109/ICDCS.2011.58",

language = "English (US)",

isbn = "9780769543642",

series = "Proceedings - International Conference on Distributed Computing Systems",

pages = "467--476",

booktitle = "Proceedings - 31st International Conference on Distributed Computing Systems, ICDCS 2011",

note = "31st International Conference on Distributed Computing Systems, ICDCS 2011 ; Conference date: 20-06-2011 Through 24-07-2011",

}

TY - GEN

T1 - Sfatables

T2 - 31st International Conference on Distributed Computing Systems, ICDCS 2011

AU - Bhatia, Sapan

AU - Bavier, Andy

AU - Peterson, Larry

AU - Sevinc, Soner

PY - 2011

Y1 - 2011

N2 - Recent efforts to federate computation and communication resources across organizational boundaries face a challenge in establishing the policies by which one organization's users can access resources in other organizations. This paper describes an approach to defining, communicating, analyzing, and enforcing resource allocation policies in this new setting. Our approach was designed to address the needs of PlanetLab, but we demonstrate through a range of examples that it is general enough to accommodate a diverse collection of computing facilities. Our policy engine is implemented in a specific tool chain, called sfatables, that is patterned after the iptables mechanism used to define packet processing policies for network traffic. The interface to our policy engine thus uses the familiar paradigm of a firewall and provides a flexible interface for resource owners to specify access policies for their resources. Our implementation makes it possible to precisely document policies, query, and analyze them.

AB - Recent efforts to federate computation and communication resources across organizational boundaries face a challenge in establishing the policies by which one organization's users can access resources in other organizations. This paper describes an approach to defining, communicating, analyzing, and enforcing resource allocation policies in this new setting. Our approach was designed to address the needs of PlanetLab, but we demonstrate through a range of examples that it is general enough to accommodate a diverse collection of computing facilities. Our policy engine is implemented in a specific tool chain, called sfatables, that is patterned after the iptables mechanism used to define packet processing policies for network traffic. The interface to our policy engine thus uses the familiar paradigm of a firewall and provides a flexible interface for resource owners to specify access policies for their resources. Our implementation makes it possible to precisely document policies, query, and analyze them.

UR - http://www.scopus.com/inward/record.url?scp=80051862473&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=80051862473&partnerID=8YFLogxK

U2 - 10.1109/ICDCS.2011.58

DO - 10.1109/ICDCS.2011.58

M3 - Conference contribution

AN - SCOPUS:80051862473

SN - 9780769543642

T3 - Proceedings - International Conference on Distributed Computing Systems

SP - 467

EP - 476

BT - Proceedings - 31st International Conference on Distributed Computing Systems, ICDCS 2011

Y2 - 20 June 2011 through 24 July 2011

ER -

Sfatables: A firewall-like policy engine for federated systems

Abstract

Publication series

Other

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this