Sfatables: A firewall-like policy engine for federated systems

Sapan Bhatia, Andy Bavier, Larry Lee Peterson, Soner Sevinc

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

2 Citations (Scopus)

Abstract

Recent efforts to federate computation and communication resources across organizational boundaries face a challenge in establishing the policies by which one organization's users can access resources in other organizations. This paper describes an approach to defining, communicating, analyzing, and enforcing resource allocation policies in this new setting. Our approach was designed to address the needs of PlanetLab, but we demonstrate through a range of examples that it is general enough to accommodate a diverse collection of computing facilities. Our policy engine is implemented in a specific tool chain, called sfatables, that is patterned after the iptables mechanism used to define packet processing policies for network traffic. The interface to our policy engine thus uses the familiar paradigm of a firewall and provides a flexible interface for resource owners to specify access policies for their resources. Our implementation makes it possible to precisely document policies, query, and analyze them.

Original language: English (US)
Title of host publication: Proceedings - International Conference on Distributed Computing Systems
Pages: 467-476
Number of pages: 10
DOIs: 10.1109/ICDCS.2011.58
State: Published - 2011
Externally published: Yes
Event: 31st International Conference on Distributed Computing Systems, ICDCS 2011 - Minneapolis, MN, United States
Duration: Jun 20 2011 - Jul 24 2011

Other

Other: 31st International Conference on Distributed Computing Systems, ICDCS 2011
Country: United States
City: Minneapolis, MN
Period: 6/20/11 - 7/24/11

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Hardware and Architecture
  • Software

Cite this

Bhatia, S., Bavier, A., Peterson, L. L., & Sevinc, S. (2011). Sfatables: A firewall-like policy engine for federated systems. In Proceedings - International Conference on Distributed Computing Systems (pp. 467-476). [5961701] https://doi.org/10.1109/ICDCS.2011.58

@inproceedings{541ac5c75b484eb0ad5fab7d13403d07,
title = "Sfatables: A firewall-like policy engine for federated systems",
abstract = "Recent efforts to federate computation and communication resources across organizational boundaries face a challenge in establishing the policies by which one organization's users can access resources in other organizations. This paper describes an approach to defining, communicating, analyzing, and enforcing resource allocation policies in this new setting. Our approach was designed to address the needs of PlanetLab, but we demonstrate through a range of examples that it is general enough to accommodate a diverse collection of computing facilities. Our policy engine is implemented in a specific tool chain, called sfatables, that is patterned after the iptables mechanism used to define packet processing policies for network traffic. The interface to our policy engine thus uses the familiar paradigm of a firewall and provides a flexible interface for resource owners to specify access policies for their resources. Our implementation makes it possible to precisely document policies, query, and analyze them.",
author = "Sapan Bhatia and Andy Bavier and Peterson, {Larry Lee} and Soner Sevinc",
year = "2011",
doi = "10.1109/ICDCS.2011.58",
language = "English (US)",
isbn = "9780769543642",
pages = "467--476",
booktitle = "Proceedings - International Conference on Distributed Computing Systems",

}

TY - GEN

T1 - Sfatables

T2 - A firewall-like policy engine for federated systems

AU - Bhatia, Sapan

AU - Bavier, Andy

AU - Peterson, Larry Lee

AU - Sevinc, Soner

PY - 2011

Y1 - 2011

N2 - Recent efforts to federate computation and communication resources across organizational boundaries face a challenge in establishing the policies by which one organization's users can access resources in other organizations. This paper describes an approach to defining, communicating, analyzing, and enforcing resource allocation policies in this new setting. Our approach was designed to address the needs of PlanetLab, but we demonstrate through a range of examples that it is general enough to accommodate a diverse collection of computing facilities. Our policy engine is implemented in a specific tool chain, called sfatables, that is patterned after the iptables mechanism used to define packet processing policies for network traffic. The interface to our policy engine thus uses the familiar paradigm of a firewall and provides a flexible interface for resource owners to specify access policies for their resources. Our implementation makes it possible to precisely document policies, query, and analyze them.

UR - http://www.scopus.com/inward/record.url?scp=80051862473&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=80051862473&partnerID=8YFLogxK

U2 - 10.1109/ICDCS.2011.58

DO - 10.1109/ICDCS.2011.58

M3 - Conference contribution

AN - SCOPUS:80051862473

SN - 9780769543642

SP - 467

EP - 476

BT - Proceedings - International Conference on Distributed Computing Systems

ER -