Certificate-based distributed firewalls for secure e-commerce transactions

Conventional firewalls rely on restricted topology and controlled entry points to regulate the flow of information into and out from an organisation. This paper describes a novel distributed firewall architecture combined with a secure communication mechanism, where one or more administration facilities control many concurrent distributed firewall instantiations localised to individual host terminals, be it a personal computer or mobile communications device. Each host instantiation enables its client user(s) to be members of one or more closed user groups (CUGs) for the purpose of business transactions. All hosts then become part of a large distributed firewall providing all the features offered by a traditional flrewall choke point with improved security and better scalability, and avoiding topological restrictions. To prevent the inadvertent passage of data to the wrong groups, either within or without an organisation, the distributed firewall is augmented by a mechanism of certification that governs the firewall behaviour. Data is typically encrypted by the application/firewall using certified keys such that only members of the same CUG can decrypt the data. Policy control and certificate distribution is handled by selected administration nodes; however, once formed, peer-to-peer CUG communication can take place directly.