Secure Active Network Prototypes
2001 DARPA/ITO Project Summary

Title: Secure Active Network Prototypes
ARPA Order Number: G796
Principal Investigator: Sandra Murphy
Contractor: Network Associates Labs at Network Associates
3060 Washington Road (Rt. 97)
Glenwood, MD 21738
Phone: 443-259-2300
Fax: 301-854-4731
Email: Sandra.Murphy@SPARTA.com

Objective:
Current Active Network research efforts propose to make the network packets themselves an active and dynamic part of the network, so the services offered by the network evolve as the packets travel through the network. The dynamic and pro-active nature of an active network increases the security risks of unauthorized or destructive modification of the overall network behavior. It is important that security issues be considered now, as active network efforts progress, rather than being retro-fitted after active network designs have solidified. Although each of the current active network efforts has stated its recognition of the importance of security, none has as yet addressed security in full. Network Associates Labs will investigate the security issues applicable in an active network, define security requirements, develop mechanisms to meet the requirements and develop prototypes that demonstrate security solutions.

Approach:
An active packet injects new functionality or services into the network as it passes through the network by modifying each network node's state and behavior, either temporarily or permanently. Network Associates Labs is defining the security requirements of active networks and developing mechanisms governing the authorization for modification of an individual node and access to its resources. This project addresses such problems as authorization of the packet's ability to inject new functionality and authorization of the packet to access state shared with other active packet streams.

The starting point for the Network Associates Labs series of prototypes was an active network operating in a single administrative domain with the injected feature deployed inside the packet itself. All authorizations in this environment were based on attributes represented in the packet container. Network Associates Labs developed the security requirements needed in this scenario and the attributes needed as a basis for enforcement of the requirements. Network Associates Labs designed and implemented prototypes of mechanisms to provide enforcement of those security requirements. Work on subsequent prototypes involves iteratively relaxing the assumptions to make the security issues more complex, e.g., multiple security and administrative domains, authorization that is distributed, etc. Network Associates Labs is designing and implementing prototypes of the richer scenarios as well.

Network Associates Labs has extended the security protection offered in the first prototype developed under this contract so that it now supports wide area network environments. The first prototype assumed that principal identities and their authorizations were widely and commonly known, as is appropriate for enterprise networks. These assumptions are not applicable to a wide area network. For security in wide area active networks, Network Associates Labs has redefined the active network packet to include credentials representing the end source principal's authorizations. Credentials are identified by globally known references in the form of fully qualified domain names. The approach uses DNSSEC to provide a secure network-wide distributed authentication infrastructure for the storage and retrieval of credentials. Credentials are carried in X.509v3 certificates, where extensions are used to carry aggregate security attributes, such as "roles". Credential validation is implemented through the chain of issuers in the X.509v3 certificate format. KeyNote, a DARPA funded trust management system, is used both as a policy language and as the enforcement engine. The enforcement engine, which is implemented in the active node operating system layer, performs all authorization and access control checking. The enforcement engine integrates the KeyNote assertion checking with the Java 2 security architecture. To support end source authentication, static payload data must be separated from the payload data modified during the active packet's path through the network. This requires a change in the active packet format, which Network Associates Labs is recommending to the research community as necessary for adequate security protection of the network. The Network Associates Labs implementation supports source authentication and authorization based on this packet format.

A secure shared data storage capability is needed to support the needs of active applications. In order to provide end source authorization of access to this shared data, the authorization policy is distributed within the active code that creates the shared data. This, combined with our distributed mechanism for identification and authentication, permits the end source to control access to its shared data anywhere and everywhere in the active network. The use of a ubiquitous policy language and policy engine ensures that end source authorization policies can be enforced throughout the active network.

End source authorization policies governing access to its shared data may be more lenient than local node policy. The authorization enforcement mechanism design recognizes the two sources of policy and ensures mandatory access control, so that local node policy regarding access to shared data can override the policy established by the end source.
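An added example (not code from the SANP prototypes or ANTS) of the two ideas described above: a packet whose static part is signed by the end source while the mutable part stays outside the signature, and an access check in which both the data owner's policy and the local node policy must allow the request. All class, field and role names are hypothetical; a bare RSA signature stands in for the X.509v3/DNSSEC credential path, set membership stands in for KeyNote assertions, and modelling the node override as a conjunction is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Set;

// Added illustration: names are hypothetical, not taken from ANTS or the SANP prototypes.
public class SplitPacketDemo {
    // staticPart is fixed by the end source and covered by its signature;
    // mutablePart may be rewritten by nodes along the path and is not signed.
    record Packet(byte[] staticPart, byte[] mutablePart, byte[] signature) {}

    static Packet seal(PrivateKey key, byte[] staticPart, byte[] mutablePart)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(staticPart);
        return new Packet(staticPart, mutablePart, s.sign());
    }

    // sourceKey and role are assumed to come from an already validated credential.
    static boolean authorize(Packet p, PublicKey sourceKey, String role,
                             Set<String> ownerPolicy, Set<String> nodePolicy)
            throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(sourceKey);
        v.update(p.staticPart());
        if (!v.verify(p.signature())) return false; // static part changed in transit
        // Assumption: the mandatory node policy is modelled as a conjunction,
        // so the node can deny a role that the data owner's policy allows.
        return ownerPolicy.contains(role) && nodePolicy.contains(role);
    }

    static byte[] b(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair source = gen.generateKeyPair();
        // Constructed sample data.
        Packet sent = seal(source.getPrivate(), b("code-id=route-probe"), b("hops=0"));
        Packet afterHop = new Packet(sent.staticPart(), b("hops=1"), sent.signature());
        Packet altered = new Packet(b("code-id=other"), sent.mutablePart(), sent.signature());
        Set<String> owner = Set.of("operator", "guest"); // lenient end-source policy
        Set<String> node = Set.of("operator");           // stricter local node policy
        PublicKey pub = source.getPublic();
        System.out.println("mutable part updated, operator: " + authorize(afterHop, pub, "operator", owner, node));
        System.out.println("mutable part updated, guest:    " + authorize(afterHop, pub, "guest", owner, node));
        System.out.println("static part altered, operator:  " + authorize(altered, pub, "operator", owner, node));
    }
}
```

The example needs Java 16 or later for the `record` syntax. Because the signature covers only the static part, a per-hop change to the mutable part does not invalidate it, which is the reason the summary gives for splitting the packet format.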

Recent Accomplishments:

  • Network Associates Labs participated in the joint Active Network team demonstrations in December of 2000, as part of the team demonstrations of both of DARPA's challenge problems to the Active Networks program. Our prototypes made strong authentication and authorization possible in both the Distributed Simulation and the Active Intrusion Detection and Response demonstrations.
  • Network Associates Labs completed a third Secure Active Network prototype. The prototype implements end source authentication based on strong cryptography as well as authorization of access to active network node operating system services, to the active node execution environment services, and to persistent created state in the network owned by the end source.
  • The Network Associates Labs third prototype includes a policy system that made it possible to securely retrieve and distribute fine-grained policy elements over an Active Network, in real time. Policy changes take effect immediately upon the next authorization check. The ability to access and modify policy is itself subject to authorization policy control.
  • Network Associates Labs implemented a policy management tool that allows authorized network managers to retrieve policy remotely from any node and dynamically update that policy from any remote management station.
  • Network Associates Labs published a revised security architecture to the Active Network program community, in order to incorporate comments received from the community, implementation experience and features implemented in other program projects. The security architecture focuses on authorization policy enforcement and strong end to end authentication.
  • Network Associates Labs produced the final reports for this project.

Current Plan:

  • Project complete, no plans in place.

Technology Transition:

  • The Network Associates Labs Active Network prototypes have provided worked examples of a secure active network in an enclave, i.e., a single administrative domain, and in a wide area network, i.e., multiple administrative domains. The prototypes are extensions of the ANTS active network package and are available to any other Active Network researcher who is using ANTS and wishes to use a security enhanced version or who wishes to study an example implementation of security in an active network enterprise.
  • The SANP prototype has been chosen by the DARPA-sponsored Active Intrusion Detection and Response project as a secure platform for development of their technology.
  • Network Associates Labs presented a paper entitled "Strong Security for Active Networks" on April 27, 2001 at the OpenArch 2001 conference. This conference is attended by researchers in industry and academia who are exploring open and programmable networks.
  • The Network Associates Labs SANP project has access to the existing connection to the DARPA CAIRN research network to interact with other Active Network researchers who are also connected to the CAIRN as part of the Active Network backbone (ABONE) network. Other Active Networks researchers in the ABONE have begun to port the strong authentication protections implemented in the SANP project to their own research projects.
  • As an extension of the ANTS package, the Network Associates Labs prototypes run on any system supporting the Java Virtual Machine and Java 2 platforms, including Win32 operating systems, Solaris 2.5.1, and Redhat Linux 5.2. The prototypes have been run on a Sparc Ultra with 128MB RAM and on Pentium platforms from 133MHz processors with 64MB RAM to 1GHz processors with 512MB RAM. For information, contact anets@tislabs.com.