Finished Projects
Adaptive Network Defense
Dynamic Virtual Private Network
A Virtual Private Network (VPN) is an encrypted tunnel between a pair of network components that provides secure communications across a public network like the Internet. VPNs are often used between geographically separated firewalls to allow the hosts behind the firewalls to communicate seamlessly as if they were part of the same local area network.
SPARTA's Gauntlet Global Virtual Private Network (GVPN) software provides VPN capabilities using IPsec and IKE, the IETF standards for IP-layer security and key exchange. A limitation of VPN products like GVPN is that certain kinds of VPN configurations require manual administration of VPN parameters for each pair of firewalls in a VPN community, so the number of pairwise configurations grows quadratically with the size of the community and the administrative burden of adding or deleting a firewall grows with it. Adding the tenth firewall to a community requires manually adding new configuration information to each of the nine previous firewalls, and configuring the new firewall with the parameters of all nine. These administrative costs pose an obstacle for large, dynamic VPN communities.
Under DARPA funding, SPARTA's ISSO has constructed a Dynamic VPN prototype to support large, dynamic VPN communities such as multinational coalitions of agencies and armed services responding to an international military crisis or disaster relief efforts. The prototype is based on the establishment of a Community Manager (CM) that is responsible for maintaining a list of all firewalls that are currently part of the community. The CM is appointed when the community is formed. All member organizations must agree to recognize the CM as the authoritative source of membership information.
Approach
In the Dynamic VPN prototype, the CM publishes community membership information as a signed DNS zone, stored on a server that implements DNS Security Extensions (DNSSEC). DNSSEC is an IETF standard that allows clients to verify the authenticity of DNS information via digital signatures. The CM acts as the master DNS server for this zone. The CM also acts as the certificate authority for the X.509 v3 public key certificates that firewalls in the community use to authenticate each other when establishing pairwise VPN links. The Dynamic VPN prototype extends Gauntlet GVPN so that each firewall in the community automatically changes its VPN configuration whenever the CM's membership list changes, adding or dropping VPN links as needed.

Whenever a membership change occurs, the CM's DNSSEC server notifies secondary DNSSEC servers running on each member firewall. These secondary servers retrieve the updated zone information through standard DNS zone transfers, and Dynamic VPN agents on each firewall then observe the changes and modify the firewall's VPN configuration accordingly. As a result, a single CM can control the VPN configurations for an entire community of firewalls by manipulating a centralized membership list. Moreover, the administrative cost of adding or deleting firewalls from a community remains constant even as the size of the community grows: the administrative cost of adding the one hundredth firewall is the same as that of adding the second.

An initial Dynamic VPN prototype with the capabilities described above was demonstrated in spring 1998. In late 1999 and early 2000, we developed a new prototype that exhibits faster response to community membership changes and interacts with other components of the Cyber Command System (CCS), an experimental security management facility developed by other DARPA researchers. A number of additional enhancements may be investigated in the future, including support for communities with different levels of trust, multiple overlapping communities, secure community update acknowledgements, and single-host community members.
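The following is an added illustration of the agent side of the architecture described above; it is not SPARTA's code and nothing about the real prototype's zone layout or agent interface is known from this page. It assumes a constructed membership zone in which each member firewall has one A record under a `members` label, the CM bumps the SOA serial on every change, and the DNSSEC-aware secondary server has already verified the zone's signatures before the agent reads it. The agent diffs the previous membership list against the new one and emits the links to add or drop, refuses a zone whose serial does not move forward (a stale or replayed transfer), and tears down all links if the firewall itself has been dropped. The constant per-change cost from the text is visible in the output: when `fw-d` joins, every existing agent performs exactly one add.

```python
"""Reconciliation logic of a Dynamic VPN agent (illustrative; not SPARTA's code).

The CM's zone is modelled as two constructed zone-file versions; each agent
reads the membership list out of it and adds or drops pairwise VPN links so
that its firewall's configuration always matches the latest list.
"""
from dataclasses import dataclass

# Constructed sample zones, as a member firewall's secondary server would hold
# them after a zone transfer. Assumed layout: one A record per member firewall
# under the 'members' label; the CM bumps the SOA serial on every change.
# RRSIG verification is the DNSSEC-aware secondary's job and is assumed to have
# succeeded before the agent ever reads the zone.
ZONE_V1 = """
$ORIGIN community.example.
@             IN SOA cm.community.example. hostmaster.community.example. 2000030101 3600 900 604800 300
@             IN NS  cm.community.example.
cm            IN A   192.0.2.1        ; the Community Manager (not a VPN peer)
fw-a.members  IN A   192.0.2.10
fw-b.members  IN A   198.51.100.20
fw-c.members  IN A   203.0.113.30
"""

# Second version: fw-b has left the community and fw-d has joined.
ZONE_V2 = """
$ORIGIN community.example.
@             IN SOA cm.community.example. hostmaster.community.example. 2000030102 3600 900 604800 300
@             IN NS  cm.community.example.
cm            IN A   192.0.2.1
fw-a.members  IN A   192.0.2.10
fw-c.members  IN A   203.0.113.30
fw-d.members  IN A   192.0.2.40
"""


@dataclass(frozen=True)
class Membership:
    serial: int        # SOA serial of the zone the list came from
    firewalls: dict    # member name -> IPv4 address of its VPN endpoint


def parse_zone(zone_text, members_label="members"):
    """Pull the SOA serial and the member firewall A records out of a zone."""
    serial, firewalls = None, {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip comments
        if not line or line.startswith("$"):          # skip blanks and $ORIGIN
            continue
        tok = line.split()
        if "SOA" in tok:
            serial = int(tok[tok.index("SOA") + 3])   # SOA mname rname serial ...
        elif len(tok) >= 4 and tok[-3:-1] == ["IN", "A"]:
            owner, addr = tok[0], tok[-1]
            if owner.endswith("." + members_label):   # only members are VPN peers
                firewalls[owner[: -len(members_label) - 1]] = addr
    if serial is None:
        raise ValueError("zone has no SOA record")
    return Membership(serial, firewalls)


class DynamicVpnAgent:
    """Keeps one firewall's VPN links equal to the pairwise links implied by
    the most recent community membership list."""

    def __init__(self, name):
        self.name = name
        self.serial = None
        self.links = {}        # peer name -> peer address of a configured link

    def apply(self, zone_text):
        """Reconcile against a freshly transferred zone; return actions taken."""
        m = parse_zone(zone_text)
        # A zone whose serial does not move forward is stale or replayed; applying
        # it could silently re-admit a firewall the CM has already dropped.
        if self.serial is not None and m.serial <= self.serial:
            return []
        if self.name in m.firewalls:
            wanted = {n: a for n, a in m.firewalls.items() if n != self.name}
        else:
            wanted = {}        # this firewall was dropped: tear down every link
        actions = []
        for peer in sorted(set(self.links) | set(wanted)):
            old, new = self.links.get(peer), wanted.get(peer)
            if old == new:
                continue       # link already correct
            if old is not None:
                actions.append(("drop", peer, old))
            if new is not None:
                actions.append(("add", peer, new))
        self.links, self.serial = wanted, m.serial
        return actions


def links_symmetric(agents):
    """True when every configured link has a matching link on the peer side,
    i.e. all agents have converged on the same membership list."""
    return all(peer in agents and a.name in agents[peer].links
               for a in agents.values() for peer in a.links)


if __name__ == "__main__":
    agents = {n: DynamicVpnAgent(n) for n in ("fw-a", "fw-b", "fw-c", "fw-d")}
    for zone in (ZONE_V1, ZONE_V2):
        for agent in agents.values():
            print(agent.name, agent.apply(zone))
        print("converged:", links_symmetric(agents))
```

The actions returned by `apply` are the point at which a real agent would drive the firewall's IPsec/IKE configuration; that step, like certificate issuance by the CM and DNSSEC signature checking, is deliberately outside this sketch. Note also that nothing here tells the CM that a member has converged, which is the gap the "secure community update acknowledgements" enhancement mentioned above would close.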
Research Focus
Dynamic VPN Prototype
We see Dynamic VPN technology as potentially applicable to a wide range
of problems in both the government and private sectors. Whenever there
are geographically separated organizations that form and dissolve
relationships dynamically, there will be a need to temporarily link
those organizations' information systems and networks together across
the Internet and unlink them later. This linking of networks must occur
rapidly, securely, and in a way that provides seamless sharing of
information resources and scalability. Similarly, unlinking must be fast
and easy. In such volatile environments, Dynamic VPN technology can help
manage the required connectivity and security. Areas of potential
applicability include rapidly emerging business partnerships; disaster
relief efforts involving the National Guard, FEMA, the Red Cross, and
other agencies; multinational military coalitions; and distributed
health care involving physicians, specialists, laboratories, and
treatment centers that are brought together on a patient-by-patient
basis.
Additional Information
For additional information contact Dan Sterne (dan.sterne@SPARTA.com)
at 443-430-8000.
