Cooperative On-Demand Opening (CODO)

Authors: S. Son, B. Allcock, M. Livny

Affiliations: University of Wisconsin, Argonne National Laboratory

CODO is an extension of the Netfilter iptables software capable of configuring new filtering rules in response to valid requests from users' applications. Its main distinctive features are:

• The use of SSL for the signaling channel.
• The use of an memory table to register applications authorized to traverse the firewall.
• The ability to control both incoming and outgoing connections.

The existing network firewall must be integrated with a CODO Firewall Agent. The firewall initially presents only three open ports. The CODO agent uses these ports to listen for signaling messages: one port is used by internal applications to register themselves as available destination entities; another port is used by external applications to request connections to internal destination entities; the third port is used by internal applications to request connections to external destination entities.

All signaling messages are exchanged over an SSL channel enforcing mutual authentication with X.509 digital certificates. The CODO agent defines in its configuration parameters a list of trusted Certification Authorities. Requests coming from external applications are allowed only if the destination entities are already registered in the memory table. If all controls are successfully passed the CODO agent adds a new filtering rule into the iptables firewall. This rule allows access to the destination host and port number only from the IP address and port number indicated in the connection request.