
Celestial Security Management System

† Chong Xu, Fengmin Gong, S. Felix Wu, Ilia Baldine, Zhi Fu, Chandru Sargor, He Huang, Frank Jou
Duke University, MCNC, North Carolina State University

This work is supported in part by DARPA/ITO through Federal Contract DABT63-97-C-0045.
† Please send all correspondence to this author.
0-7695-0490-6/99 $10.00 (c) 1999 IEEE

Abstract

There has been a vast amount of research and development effort aimed at providing solutions and products that address the security needs in the information age. Each solution tends to address only a particular facet of the security problem and only accessible to limited protocols or applications. Moreover, ad hoc deployment of some solutions (e.g., firewalls and IPsec) can hinder our ability to collaborate across networks. A very important question is how any application can discover policy restrictions brought about by these solutions/mechanisms, and make efficient use of them to satisfy the application's security goals. The Celestial project addresses this question by developing a security management architecture that can (1) automatically discover effective security policies and mechanisms along any network path, (2) dynamically configure security mechanisms across protocol layers and across the network, (3) adaptively re-configure these mechanisms to maintain certain levels of security services when the network is under stress. This paper describes the Celestial system design and implementation, and reports the current status of the project.

1 Introduction

In spite of our serious concerns over the information security issues, secure networking is yet to be widely practiced. One reason is the lack of understanding of security issues at a systematic level, e.g., is security protection more important than quality of service (QoS) requirement and how to address both security and the traditional QoS in the same service-provisioning framework? Furthermore, there is an overall lack of "secure information-ware", tools for navigating the information space securely and successfully. The Celestial project is addressing this question by developing a security management architecture that can (1) automatically discover effective security policies and mechanisms along any network path, (2) dynamically configure security mechanisms across protocol layers and across the network, (3) adaptively re-configure these mechanisms to maintain certain levels of security services when the network is under stress.

A prototype system referred to as Celestial has been implemented to demonstrate the viability and usefulness of this architecture. Main security mechanisms integrated include a cryptographic library in user space, IPsec, and ATM cell encryption. Key components of this system include the Security Management Agent architecture (SMA), a security service API, and an inter-SMA communication protocol.

The rest of the paper is organized as follows. The remainder of this section introduces the terminology that will help in the following discussion and describes the problem. Section 2 presents the Celestial architecture and its main components. Section 3 describes the API. Section 4 presents the inter-SMA communication protocol. Section 5 reports the implementation and the status of the system. In Section 6 we review the related work in the area. We discuss the future work in Section 7 and conclude the paper with our thanks to the reviewers.

1.1 Basic terminology

Before discussing the security management problem and our solution to it, a brief introduction of the terms we will be using should be helpful.

Secure communications are made possible through the use of security services, such as message confidentiality (encryption), integrity, authenticity, and non-repudiation. Security services are provided by security mechanisms that are software or hardware modules by which security functions are implemented. For instance, the Data Encryption Standard (DES) [1] [2] is a security mechanism that provides a data encryption service. Security capability describes a specific implementation of a security mechanism. The network nodes refers to end-hosts, routers, and switches. A secure gateway is a router or a switch on which security policies are enforced and security mechanisms are provided.

There are many security mechanisms. We will only use IPsec [3, 3,5,?] and CellCase [4] throughout this paper to illustrate the heterogeneity of security mechanisms.

1.2 Problem description

Advances in network technology have greatly changed the way we share and exchange information and have boomed many new online activities such as e-commerce. As the Internet gives rise to a new world of global communication, more and more people are becoming concerned with the protection of their online activities. Researchers have been aware of the lack of security in the communication network infrastructure for years. For example, Internet Engineering Task Force (IETF) has several working groups aimed at enhancing the security of network protocols. In the meantime, industry has been quick to catch up by developing many security products.

Different efforts have led to different security solutions, which means different security mechanisms can be used to provide the same security service and they can be employed at different network protocol layers. Meanwhile, different organizations and individuals define security differently by enforcing different security policies. Moreover, different network applications may have varying security service requirements. All of this diversity results in a highly heterogeneous network environment. Figure 1 is an illustration of such an environment. The heterogeneity causes difficulties in setting up secure communication channels because two communication end-points may not share common security mechanisms or the security policies for some nodes on the path may be violated. Let us examine the heterogeneity in closer detail.

[Figure 1: Heterogeneous network environment. Labels in the diagram: DOMAIN1 to DOMAIN6, HOST1 to HOST6, FIREWALL1, FIREWALL2, EDGE-ROUTER1, EDGE-ROUTER2, SWITCH1, SWITCH2, SWITCH3, IP BACKBONE, ATM BACKBONE. Legend: HOST1, HOST2, HOST4, HOST5 and HOST6 are IPsec-capable; FIREWALL1 and FIREWALL2 are IPsec-capable; SWITCH1 and SWITCH2 are CellCase-capable.]

Security mechanisms can be applied at different protocol layers. The TCP/IP protocol stack has four layers, i.e., data link layer, network layer, transport layer, and application layer. Network security can be enforced at any of these layers. Enforcing security at different layers has its advantages and disadvantages.

Data link layer. Link layer security mechanisms can operate at link speed, hence they put little performance burden on the network nodes. Encryption is the most common security mechanism applicable at the link layer. One disadvantage of link layer security mechanisms is that authentication, including signatures, can be provided only on a host basis. Furthermore, although message confidentiality can be provided, message integrity can be more difficult to ensure if the link is byte-oriented, rather than frame-oriented.

Network layer. Many researchers and engineers argue that Internet Protocol (IP) layer is a good place to enforce security because all the packets received by the lower-layer protocols and all the packets sent from the higher-layer protocols and the applications go through it. The biggest advantage of network layer security is its transparency. It can be provided without requiring changes to applications, any other higher layer protocols, or network components that do not need security functions. IPsec [3, 5,6] is the network layer mechanism being standardized by the IETF.

Transport layer. Providing security at the transport layer permits transport layer peers to communicate securely over insecure networks. The major advantage of providing security mechanisms at the transport layer, as opposed to at the network layer, is that applications can potentially choose different security mechanisms and policies. The reason is that the transport layer typically keeps state that maps to individual applications. The primary drawback of transport layer security is that it is more difficult to enforce a tunneling scheme and the firewall configuration. Examples of transport layer security mechanisms are Secure Socket Layer [7] and Transport Layer Security Protocol [8].

Application layer. Implementing security functions directly at the application layer provides the most flexible way of handling the application-specific requirements. Advantages of providing security functions at the application layer are that they are made available to all the applications, and they can be selectively invoked by the applications when needed, thus limiting the performance cost. However, the ability of the applications to choose whether to utilize the security functions or not makes it harder to enforce the

configuration of security mechanisms will not be able to meet every application's requirement.

Survivability over a public network. Talking about secure communications, we have to take into account not only the two end-points of a communication, but also the condition of the path in which the data packets travel. They both influence what policies are to be enforced and what security mechanisms can be used.
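
The dependence on both the end-points and the path can be made concrete with a small model. The following Python sketch is an added illustration, not code from the paper and not Celestial's discovery protocol: the capability table comes from the Figure 1 legend, while the node order of the two paths and the treatment of unlisted nodes as having no mechanism are assumptions.

```python
# Capabilities per node, taken from the Figure 1 legend; nodes the legend
# does not mention are treated as having no security mechanism (assumption).
CAPS = {
    **{h: {"IPsec"} for h in ("HOST1", "HOST2", "HOST4", "HOST5", "HOST6")},
    "FIREWALL1": {"IPsec"}, "FIREWALL2": {"IPsec"},
    "SWITCH1": {"CellCase"}, "SWITCH2": {"CellCase"},
}

def caps(node):
    return CAPS.get(node, set())

def end_to_end(path):
    """Mechanisms both end-points implement (usable host to host)."""
    return caps(path[0]) & caps(path[-1])

def widest_spans(path):
    """Per mechanism, the outermost pair of capable nodes on the path."""
    spans = {}
    for mech in set().union(*(caps(n) for n in path)):
        idx = [i for i, n in enumerate(path) if mech in caps(n)]
        if len(idx) >= 2:  # a protected segment needs two capable peers
            spans[mech] = (idx[0], idx[-1])
    return spans

def unprotected_hops(path):
    """Hops that fall outside every span, so no listed mechanism covers them."""
    spans = widest_spans(path).values()
    return [(path[i], path[i + 1]) for i in range(len(path) - 1)
            if not any(a <= i < b for a, b in spans)]

# Constructed paths: the node order is hypothetical, not read from Figure 1.
PATH_A = ["HOST1", "SWITCH1", "SWITCH2", "FIREWALL2", "HOST3"]
PATH_B = ["HOST1", "SWITCH1", "SWITCH2", "HOST4"]

if __name__ == "__main__":
    for p in (PATH_A, PATH_B):
        print(p[0], "->", p[-1], "end-to-end:", sorted(end_to_end(p)),
              "spans:", widest_spans(p), "unprotected:", unprotected_hops(p))
```

On the first path the end-points share no mechanism, so protection is only possible on segments between capable intermediate nodes and the last hop stays uncovered; on the second path IPsec is available end to end.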