
Secure Active Network Prototypes
2000 DARPA/ITO Project Summary

Title: Secure Active Network Prototypes
ARPA Order Number: G796
Principal Investigator: Sandra Murphy
Contractor: Network Associates Labs at Network Associates
3060 Washington Road (Rt. 97)
Glenwood, MD 21738
Phone: 443-259-2300
Fax: 301-854-4731
Email: Sandra.Murphy@SPARTA.com

Objective:
Current Active Network research efforts propose to make the network packets themselves an active and dynamic part of the network, so the services offered by the network evolve as the packets travel through the network. The dynamic and proactive nature of an active network increases the security risks of unauthorized or destructive modification of the overall network behavior. It is important that security issues be considered now, as active network efforts progress, rather than being retrofitted after active network designs have solidified. Although each of the current active network efforts has stated its recognition of the importance of security, none has as yet addressed security in full. Network Associates Labs will investigate the security issues applicable in an active network, define security requirements, develop mechanisms to meet the requirements and develop prototypes that demonstrate security solutions.

Approach:
An active packet injects new functionality or services into the network as it passes through the network by modifying each network node's state and behavior, either temporarily or permanently. Network Associates Labs is defining the security requirements of active networks and developing mechanisms governing the authorization for modification of an individual node and access to its resources. This project addresses such problems as authorization of the packet's ability to inject new functionality and authorization of the packet to access state shared with other active packet streams.

The starting point for the Network Associates Labs series of prototypes was an active network operating in a single administrative domain with the injected feature deployed inside the packet itself. All authorizations in this environment were based on attributes represented in the packet container. Network Associates Labs developed the security requirements needed in this scenario and the attributes needed as a basis for enforcement of the requirements. Network Associates Labs designed and implemented prototypes of mechanisms to provide enforcement of those security requirements. Work on subsequent prototypes involves iteratively relaxing the assumptions to make the security issues more complex, e.g., multiple security and administrative domains, authorization that is distributed, etc. Network Associates Labs is designing and implementing prototypes of the richer scenarios as well.

Network Associates Labs has extended the security protection offered in the first prototype developed under this contract so that it now supports wide area network environments. The first prototype assumed that principal identities and their authorizations were widely and commonly known, as is appropriate for enterprise networks. These assumptions are not applicable to a wide area network. For security in wide area active networks, Network Associates Labs has redefined the active network packet to include credentials representing the end source principal's authorizations. Credentials are identified by globally known references in the form of fully qualified domain names. The approach uses DNSSEC to provide a secure network-wide distributed authentication infrastructure for the storage and retrieval of credentials. Credentials are carried in X.509v3 certificates, where extensions are used to carry aggregate security attributes, such as "roles". Credential validation is implemented through the chain of issuers in the X.509v3 certificate format. KeyNote, a DARPA-funded trust management system, is used both as a policy language and as the enforcement engine. The enforcement engine, which is implemented in the active node operating system layer, performs all authorization and access control checking. The enforcement engine integrates the KeyNote assertion checking with the Java 2 security architecture. To support end source authentication, static payload data must be separated from the payload data modified during the active packet's path through the network. This requires a change in the active packet format, which Network Associates Labs is recommending to the research community as necessary for adequate security protection of the network. The Network Associates Labs implementation supports source authentication and authorization based on this packet format.

A secure shared data storage capability is needed to support the needs of active applications. In order to provide end source authorization of access to this shared data, the authorization policy is distributed within the active code that creates the shared data. This, combined with our distributed mechanism for identification and authentication, permits the end source to control access to its shared data anywhere and everywhere in the active network. The use of a ubiquitous policy language and policy engine ensures that end source authorization policies can be enforced throughout the active network.

End source authorization policies governing access to its shared data may be more lenient than local node policy. The authorization enforcement mechanism design recognizes the two sources of policy and ensures mandatory access control, so that local node policy regarding access to shared data can override the policy established by the end source.
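The two design points above, an authenticator that covers only the static part of the active packet and mandatory access control in which the local node's policy can override a more lenient end source policy, as an added illustration that is not code from the SANP prototype or from ANTS. It assumes a constructed credential table in place of X.509v3 certificates fetched via DNSSEC, an HMAC with a hypothetical shared key in place of the X.509 signature check, and plain Python predicates in place of KeyNote assertions.

```python
import hashlib, hmac, json
from dataclasses import dataclass, field

# Constructed credential store; the page's design carries these roles in
# X.509v3 certificate extensions named by FQDN and fetched through DNSSEC.
CREDENTIALS = {"alice.example.net.": {"qos-admin"}, "bob.example.net.": {"guest"}}
# Hypothetical shared key: an HMAC stands in for the X.509 signature check.
VERIFY_KEY = b"constructed-demo-key"

@dataclass
class ActivePacket:
    # Static part: fixed by the end source and covered by the authenticator.
    source: str            # FQDN naming the end source's credential
    code_id: str           # identifies the injected active code
    static_payload: bytes
    # Mutable part: rewritten at each hop, deliberately left unauthenticated.
    hop_count: int = 0
    path_state: list = field(default_factory=list)
    auth_tag: bytes = b""

    def static_bytes(self) -> bytes:
        # Canonical encoding of the static fields only.
        return json.dumps([self.source, self.code_id, self.static_payload.hex()]).encode()

def sign(pkt: ActivePacket, key: bytes = VERIFY_KEY) -> None:
    pkt.auth_tag = hmac.new(key, pkt.static_bytes(), hashlib.sha256).digest()

def verify(pkt: ActivePacket, key: bytes = VERIFY_KEY) -> bool:
    expected = hmac.new(key, pkt.static_bytes(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt.auth_tag)

def forward_hop(pkt: ActivePacket, node: str) -> None:
    # An intermediate node changes only the mutable part, so the tag stays valid.
    pkt.hop_count += 1
    pkt.path_state.append(node)

# Constructed policies standing in for KeyNote assertions: the data owner lets
# any authenticated principal write, but the local node restricts writes.
def owner_policy(roles: set, action: str) -> bool:
    return action == "read" or bool(roles)

def node_policy(roles: set, action: str) -> bool:
    return action == "read" or "qos-admin" in roles

def authorize(pkt: ActivePacket, action: str) -> bool:
    """Mandatory access control: node policy is checked first and can deny
    even when the owner's (end source's) policy would allow the access."""
    if not verify(pkt):
        return False
    roles = CREDENTIALS.get(pkt.source, set())
    return node_policy(roles, action) and owner_policy(roles, action)
```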

Recent Accomplishments:

  • Network Associates Labs participated in the joint Active Network team demonstrations in September of 1999, demonstrating the secure construction of quality of service routes among multiple administrative domains.
  • Network Associates Labs completed a second Secure Active Network prototype. The prototype implemented end source authentication based on strong cryptography as well as authorization of access to both active network node operating system services and the active node execution environment services.
  • Network Associates Labs implemented global and flexible mechanisms that allow the Active Network end user to control authorization of access to its shared data in the network.
  • Network Associates Labs implemented an active network authorization enforcement mechanism that has the power to enforce mandatory access control between node policy and end source policies. An active network node can permit the sharing of resources and still retain the ability to enforce its own local policies and protect its local resources, even in the face of more lenient end source authorization of access to shared resources.
  • Network Associates Labs extended the Active Network Security Architecture to include support for strong end source authentication and authorization that can be appended at domain boundaries.
  • Network Associates Labs designed a policy structure that supports the dynamic composition of multiple authorization policies as stipulated by disparate sources.

Current Plan:

  • Network Associates Labs will continue to develop prototypes for secure active networks. Topics to be addressed in the remaining time for the project include investigation of the effective distribution of dynamic policies, the effect of distributed authorization and hierarchies on policies, and the composition of policies stipulated by disparate sources.
  • Network Associates Labs will participate in the demonstration of the Intrusion Detection team of security related projects in the Active Network program. This demonstration will be focussed on security aspects of intrusion detection and response. Our prototype will ensure that intrusion detection and response tools are employed only by authorized principals and only where authorized by the local node. Network Associates Labs will also be participating in the Distributed Simulation demonstration in a more reduced role.
  • Network Associates Labs will provide a final report on this project at project completion in the coming year.

Technology Transition:

  • The Network Associates Labs Active Network prototypes have provided worked examples of a secure active network in an enclave, i.e., a single administrative domain, and in a wide area network, i.e., multiple administrative domains. The prototypes are extensions of the ANTS active network package and are available to any other Active Network researcher who is using ANTS and wishes to use a security enhanced version or who wishes to study an example implementation of security in an active network enterprise.
  • The SANP prototype has been chosen by the Active Intrusion Detection and Response project as a secure platform for development of their technology.
  • The Network Associates Labs SANP project will be using the existing connection to the DARPA CAIRN research network to serve as a testbed for further prototypes and to interact with other Active Network researchers who are also connected to the CAIRN as part of the Active Network backbone (ABONE) network.
  • As an extension of the ANTS package, the Network Associates Labs prototypes run on any system supporting the Java Virtual Machine and Java 2 platforms, including Win32 operating systems, Solaris 2.5.1, and Redhat Linux 5.2. The prototypes were developed on a Sparc Ultra with 128MB RAM and have been run on Pentium platforms from 133MHz processors and 64MB RAM to 400MHz platforms with 128MB RAM. For information, contact anets@tis.com.