Evaluation of Authentication and User Identification on Simultaneous Session Limitation Mechanism

Bibliographic details
Published in: International journal of digital information and wireless communications 2019-04, Vol.9 (2), p.113
Main authors: Shibahara, Ryo, Saisho, Keizo
Format: Article
Language: eng
Online access: Full text
Description
Summary: The responsiveness of Web servers degrades when they are overloaded by a large number of requests from clients. Moreover, Web servers are required to be not only available but also stably responsive, especially for interactive Web applications. In this paper, a mechanism which limits the number of simultaneous sessions using a firewall is proposed in order to provide stable Web services. The mechanism consists of an authentication server, a firewall and a user identification server. The authentication server authenticates a user and registers the IP address of the user's machine with the firewall when the number of current simultaneous sessions is less than the specified number. After this, authenticated users can access the Web server via the firewall and the user identification server. By using the firewall, it is possible not only to limit the number of simultaneous sessions but also to block malicious attacks such as DoS attacks. Unauthenticated users, however, can access the Web server without authentication when they use the same NAT environment or proxy server as authenticated users. The user identification server detects access from unauthenticated users and blocks them. Moreover, it limits the number of accesses per unit time in order to prevent attacks from authenticated malicious users. This paper describes the evaluation of the user authentication server and the user identification server. From the results of the evaluations, we confirm that the user authentication server can authenticate and has enough capacity, and that the user identification server tolerates attacks from unauthenticated users and can limit the number of accesses per unit time.
ISSN: 2225-658X