
    A framework for World Wide Web client-authentication protocols

    Existing client-authentication protocols deployed on the World Wide Web today are based on conventional distributed systems and fail to address the problems specific to the application domain. Some of the protocols restrict the mobility of the client by equating user identity to a machine or network address, others depend on sound password management strategies, and yet others compromise the privacy of the user by transmitting personal information for authentication. We introduce a new framework for client-authentication by separating two goals that current protocols achieve simultaneously: 1. Maintain a persistent sense of identity across different sessions. 2. Prove facts about the user to the site. These problems are independent, in the sense that any protocol for solving the first problem can be combined with any protocol for solving the second. Separation of the two purposes opens up the possibility of designing systems which balance two conflicting goals, authentication and anonymity. We propose a solution to the first problem, based on the Digital Signature Standard. The implications of this framework from the point of view of user privacy are examined. The paper is concluded with suggestions for integrating the proposed scheme into the existing WWW architecture.

    Network Security: An Evaluation of Security Policies and Firewall Implementations

    This paper begins by focusing on network security issues. The areas of physical security, access security, and connection security are explored. Connection security provides the biggest need for improvement in the entire security field. This type of security is managed best with firewall implementations. Various firewall models are discussed. Software evaluations were performed on three different commercial Internet security tools. The software was compared on the basis of ease of installation, functionality, level of security provided, and output available. In summary, the value of the firewall is dependent on the need to implement a firewall in an organization. However, a security policy is necessary to provide direction for configuring the firewall. Further studies into the creation, publication, and enforcement of security policies were conducted. Security policies are currently being created reactively instead of preventatively to manage security breaches as they occur. To better understand how security policies need to be implemented, case studies were conducted in three educational departments and a local Internet service provider. While the case studies were being reviewed, security policies for the study participants came to fruition and the enforcing has finally begun. Conclusions from these case studies are that policies need to be better publicized and increasing manpower is necessary to enforce them. Further work on network security could include creating proactive security policies and how to successfully publicize and implement them. Continual monitoring of security faults and advertising weaknesses will increase interest in security abroad. This will improve the availability of security management systems and assist in persuading employers to increase staffing to provide network security personnel positions.

    Einführung in UNIX [online]


    Considerations for Web Transaction Security
