Presentation is loading. Please wait.

Presentation is loading. Please wait.

Deny-by-Default Distributed Security Policy Enforcement in MANETs Joint work with Mansoor AlicherryAngelos D. Keromytis Columbia University Angelos Stavrou.

Published byLouisa Watts Modified over 9 years ago

Similar presentations

Presentation on theme: "Deny-by-Default Distributed Security Policy Enforcement in MANETs Joint work with Mansoor AlicherryAngelos D. Keromytis Columbia University Angelos Stavrou."— Presentation transcript:

1 Deny-by-Default Distributed Security Policy Enforcement in MANETs Joint work with Mansoor AlicherryAngelos D. Keromytis Columbia University Angelos Stavrou George Mason University

2 MANETs

3 Traditional Firewalls  Keep away malicious traffic from set of nodes  Placed on the perimeter Enforce policies of the perimeter  Nodes inside trusted; outside potential enemies  MANETs: There is not well defined perimeter

4 Our Solution  Policy enforcement framework Capability: Access rules and bandwidth constraints represented using capabilities Deny-by-default: Every packet in the network need to have an associated capability Distributed Enforcement: All the intermediate nodes enforce the capability policy  Unauthorized traffic dropped closer to the source Protects end-host resources and network bandwidth

5 Related Work: Network Capabilities  Capability implemented in early computer systems [Lev84]  “visas” for packets [EMT89]  Network capabilities to prevent DoS in wired networks [ARW03] Capability assigned by receivers Links in the path between a sender and receiver cannot be snooped

6 Network Capabilities  Access control and bandwidth limitation represented using capability (KeyNote style) Identity of the principal Identity of the destination Type of service and bandwidth Expiration date Issuer & Signature  Policy tokens Issued by the administrator  Network capability Issued by the receiving node Contains policy authorizing it to issue

7 Policy Token Example serial: 130745 owner: unit01.nj.army.mil (public key) destination: *.nj.army.mil service: https bandwidth: 50kbps expiration: 2010-12-31 23:59:59 issuer: captain.nj.army.mil signature: sig-rsa 23455656767543566678

8 Network Capability Example serial: 1567 owner: unit01.nj.army.mil (public key) destination: unit02.nj.army.mil bandwidth: 150kbps expiration: 2009:10:21 13:05:35 issuer: unit02.nj.army.mil comment: Policy allowing the receiver to issue this capability. signature: sig-rsa 238769789789898

9 Protocol  Capability associated with each communication session Transaction identifier and signature  Capability Establishment Source node informs the intermediate nodes about transaction identifier, capability and key for signature  Smaller keys used for per packet signature|  Sender Adds transaction id, sequence number and signature to the packet  Intermediate nodes and Receiver Verifies the packet (probabilistically) for signature and bandwidth

10 System Architecture

11 Conclusions and Future Work  Architecture for enforcing security policies Extending the use of capabilities for MANETs Deny-by-default much stronger than regular Internet Protects end-host-resources and network resources  Future work Explore the cost of protection in Delay Tolerant Networks Trade-offs between full policy Enforcement vs probabilistic schemes Generation of “enclaves” with different policies

Download ppt "Deny-by-Default Distributed Security Policy Enforcement in MANETs Joint work with Mansoor AlicherryAngelos D. Keromytis Columbia University Angelos Stavrou."

Similar presentations

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
Chris Karlof and David Wagner

Chris Karlof and David Wagner
Data Communications and Networking

Data Communications and Networking
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
FastPass: Availability Tokens to Defeat DoS Presented at CMU Systems Seminar by: Dan Wendlandt Work with: David Andersen & Adrian Perrig.

FastPass: Availability Tokens to Defeat DoS Presented at CMU Systems Seminar by: Dan Wendlandt Work with: David Andersen & Adrian Perrig.
Security and Privacy Issues in Wireless Communication By: Michael Glus, MSEE EEL 6788 11.

Security and Privacy Issues in Wireless Communication By: Michael Glus, MSEE EEL
Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Anand Patwardhan Jim.

Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Anand Patwardhan Jim.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.

Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
July 2008IETF 72 - NSIS1 Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-01 Se Gi Hong & Henning Schulzrinne.

July 2008IETF 72 - NSIS1 Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-01 Se Gi Hong & Henning Schulzrinne.
Challenge: Securing Routing Protocols Adrian Perrig

Challenge: Securing Routing Protocols Adrian Perrig
Implementing a Distributed Firewall

Implementing a Distributed Firewall
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Similar presentations

Ads by Google