Mike Chen, Barbara Hohlt, Tal Lavian, December 2000.

We are facing a trend towards ubiquitous connectivity where users demand access at any time, anywhere. This has led to the deployment of public network ports and wireless networks. Current solutions to network access control are inflexible and only provide all-or-nothing access.

It is also increasingly important to protect Intranet hosts from other mobile and static hosts on the same Intranet, in order to contain the damage if a host is compromised.

We present an architecture that addresses these issues by using a programmable router to provide dynamic fine-grained network access control. The Java-enabled router dynamically generates and enforces access control rules using policies and user profiles as input, reducing administrative overhead. Our modular design integrates well with existing authentication and directory servers, further reducing administrative costs. Our prototype is implemented using Nortel’s Accelar router and moves users to VLANs with the appropriate access privilege.
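As an added illustration, not code from the paper or the prototype: a small Python model of the policy-driven rule generation described above, where a user profile and a policy produce a VLAN assignment plus a first-match ACL with an explicit default deny. The roles, VLAN ids, subnets and ports are constructed assumptions, as is the first-match evaluation order.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample values: roles, VLAN ids, subnets and ports are assumptions for illustration.
INTRANET = "10.0.0.0/16"

@dataclass(frozen=True)
class UserProfile:
    name: str
    role: str            # looked up in the policy, e.g. "staff" or "guest"
    authenticated: bool  # result obtained from the external authentication server

# Policy: role -> (VLAN to place the user's port in, permitted destinations as (dst_cidr, dst_port))
POLICY = {
    "staff": (10, [("10.0.1.0/24", 445), ("10.0.2.0/24", 80), ("0.0.0.0/0", 443)]),
    "guest": (20, [("0.0.0.0/0", 80), ("0.0.0.0/0", 443)]),
}
QUARANTINE_VLAN = 99  # unauthenticated or unknown users land in a VLAN with nothing reachable

Rule = Tuple[str, str, object]  # (action, dst_cidr, dst_port or "any")

def generate_rules(profile: UserProfile) -> Tuple[int, List[Rule]]:
    """Derive the VLAN assignment and an ordered ACL from the user's profile and the policy."""
    if not profile.authenticated or profile.role not in POLICY:
        return QUARANTINE_VLAN, [("deny", "0.0.0.0/0", "any")]
    vlan, permits = POLICY[profile.role]
    intranet = ipaddress.ip_network(INTRANET)
    internal = [("permit", d, p) for d, p in permits if ipaddress.ip_network(d).subnet_of(intranet)]
    external = [("permit", d, p) for d, p in permits if not ipaddress.ip_network(d).subnet_of(intranet)]
    # Containment: only the explicitly permitted Intranet services are reachable; everything else
    # on the Intranet is denied before any broad external permit, so a compromised host cannot
    # reach arbitrary internal hosts. The final deny replaces "all-or-nothing" access.
    acl: List[Rule] = internal + [("deny", INTRANET, "any")] + external + [("deny", "0.0.0.0/0", "any")]
    return vlan, acl

def allowed(acl: List[Rule], dst_ip: str, dst_port: int) -> bool:
    """Evaluate a flow against the ACL with first-match semantics; no match means deny."""
    ip = ipaddress.ip_address(dst_ip)
    for action, cidr, port in acl:
        if ip in ipaddress.ip_network(cidr) and port in ("any", dst_port):
            return action == "permit"
    return False
```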