Secure MANET Proposal


Secure Mobile Ad hoc Network
A proposal for NISSC grants related to Homeland Security and Homeland Defense for the summer 2003 performance period
By Dr. C. Edward Chow

Summary

Mobile Ad-hoc Networking (MANET) is receiving growing attention as a means of providing communications in environments where there is no existing infrastructure. First responders at a disaster site or soldiers in a battlefield must provide their own communications. A MANET is a possible solution for this need to quickly establish communications in a mobile and transient environment. A MANET has several security vulnerabilities. This proposal will study these vulnerabilities and investigate possible solutions. Closing these security vulnerabilities will influence the acceptability of a MANET for critical applications. A secure MANET system, called SMANET, will be created. SMANET will secure routing updates, enhance intrusion detection and respond to intrusion with an enhanced group key distribution scheme.

Vulnerabilities

A MANET node has several physical vulnerabilities. It is lightweight in order to provide mobility and thus can be easily captured or tampered with. Its battery limits its power supply and computation capability. This leaves a MANET node prey to denial of service (DoS) attacks designed to diminish its power supply and overwhelm its computational capability. The MANET network itself is mobile and transient with frequent changes in topology. It lacks central control and depends upon cooperation between nodes. These characteristics invite "man in the middle" or usurpation attacks where a rogue impersonates a trusted node. A mobile attacker may seek out a MANET or lie in wait for it like a submarine in the path of a fleet. By the very nature of the wireless medium, a transmission can be intercepted or jammed. Passive attacks can occur from an eavesdropper who can decipher and compromise the transmitted information. Active attacks can take many forms. An impersonator or usurper may disrupt packet routing by sending misleading control information. The attacker can create a "Black Hole" by advertising that it has the shortest path to a given destination and intercepting the packets sent to it. The attacker may create routes that do not exist and overflow the routing tables. Service may be denied by unnecessarily forwarding packets or requesting services.

Proposal

A grant of $20,000 is requested for the computer science group led by Dr. Chow to carry out the research and development of a secure MANET. A $2,000 portion of the grant will be used for wireless equipment purchases to include a mobile computer and wireless 802.11 PCMCIA cards. This study will investigate and develop methods of securing a MANET from the most ostensible forms of attack. These security methods will include authenticating routing updates, erecting a wireless firewall, detecting wireless intrusion attempts and responding with group rekeying measures designed to isolate the attacker.

Authentication of Routing Updates

A wired production network normally employs community strings, firewalls and filtering mechanisms, such as BGP4, to prevent unauthorized updates to its routing tables and policies. Such mechanisms to prevent unauthorized routing updates are not commonly employed in wireless MANET networks. This study will investigate and analyze the Secure Ad-hoc On Demand Distance Vector (SAODV) protocol [Zapata2002]. SAODV is an extension of AODV that employs signatures or message digests to secure routing updates [AODV, PBD2002]. These extensions provide integrity, authentication and non-repudiation for the routing mechanism. The investigation will determine the compatibility of SAODV with a group key management scheme.

Wireless Firewall

At the perimeter of a wired network, a firewall is established at the gateways or entry points to the network. In a wireless network, the perimeters and links are constantly shifting and every node is a potential entry point. Hence, every node of a SMANET must contain a firewall that acts as a first line of defense against intrusion. This firewall must act as a filter to identify packets, permit bona fide packets and block packets that emanate from rogue nodes. A Unix firewall will be implemented with a packet filter to permit bona fide packets and route suspect packets to an intrusion detection system (IDS).
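Added example (not code from the proposal or from the SAODV draft) of the routing-update authentication described under Authentication of Routing Updates: the fixed fields of a route message carry an HMAC under the MANET group key, and the mutable hop count is bound by a SAODV-style hash chain, so a node cannot advertise a shorter path than the one it received. Using an HMAC in place of SAODV's digital signature is an assumption made to keep the example self-contained.

```python
import hashlib
import hmac
import os

# Constructed example (not code from the proposal or from the SAODV draft).
# Non-mutable route-message fields are authenticated with an HMAC under the
# MANET group key, the proposal's group-key idea; SAODV itself uses digital
# signatures, so the non-repudiation it offers is not reproduced here. The
# mutable hop count is bound by a SAODV-style hash chain: the originator
# publishes top_hash = H^max_hops(seed) and every forwarder applies H once as
# it increments hop_count, so no node can claim fewer hops than it received.

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _immutable(msg: dict) -> bytes:
    # hop_count and hash change at every hop and are left out of the MAC
    return repr((msg["src"], msg["dst"], msg["seq"], msg["max_hops"], msg["top_hash"])).encode()

def originate(group_key: bytes, src: str, dst: str, seq: int, max_hops: int) -> dict:
    """Originator: fresh seed, hop_count 0, MAC over the non-mutable fields."""
    seed = os.urandom(32)
    top_hash = seed
    for _ in range(max_hops):
        top_hash = h(top_hash)
    msg = {"src": src, "dst": dst, "seq": seq, "max_hops": max_hops,
           "top_hash": top_hash, "hop_count": 0, "hash": seed}
    msg["mac"] = hmac.new(group_key, _immutable(msg), hashlib.sha256).digest()
    return msg

def verify(group_key: bytes, msg: dict) -> bool:
    """Receiver: check the MAC, then that H^(max_hops - hop_count)(hash) == top_hash."""
    expected = hmac.new(group_key, _immutable(msg), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["mac"]):
        return False
    if not 0 <= msg["hop_count"] <= msg["max_hops"]:
        return False
    x = msg["hash"]
    for _ in range(msg["max_hops"] - msg["hop_count"]):
        x = h(x)
    return hmac.compare_digest(x, msg["top_hash"])

def forward(msg: dict) -> dict:
    """Honest intermediate node: one more hop, one more application of H."""
    out = dict(msg)
    out["hop_count"] += 1
    out["hash"] = h(msg["hash"])
    return out
```

A chain of this kind only prevents a forwarder from decreasing hop_count; it cannot force a forwarder to increment it, and the HMAC authenticates messages among group-key holders without the non-repudiation that SAODV's signatures provide.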

Intrusion Detection & Isolation Protocol (IDIP)

An intrusion detection system (IDS) for a wired network normally is focused on detecting external threats. The detection of a rogue host or node is usually an issue for physical security personnel. In contrast, MANET intrusion detection systems must place a priority on the detection of a rogue or "man in the middle" attacker. A MANET IDS must detect such threats since the capture or compromise of a single node can compromise the entire MANET. A possible response to a compromised node may be the redistribution of a new group key to the remaining nodes. An Intrusion Detection and Isolation Protocol (IDIP) will be implemented [IDIP]. This study will identify characteristics of known wireless attack signatures. The signatures to be gathered include those of "Black Hole" attacks, routing table overflow attacks, and certain DoS attacks. These signatures can be stored in a database and used for identifying future attacks. Snort, a highly capable and flexible freeware-based software package, will be programmed with the identified attack signatures to detect intrusion [Snort]. Snort will be used as an IDIP trigger to initiate a response to the intrusion. That response may include the distribution of a new group key to the remaining nodes of the MANET and updates to the wireless firewalls.

Group Key Distribution

A key can be used to authenticate a packet. A group key can be distributed to the nodes of a MANET to allow the authentication of routing updates. When a node is captured or the original key is compromised, then a group re-keying scheme is used to redistribute a new key to the remaining nodes of the MANET. We will install and study software packages that implement security policies through the distribution and use of group keys. The Antigone secure group communication system from the University of Michigan and the Keystone key tree management service from the University of Texas at Austin will be installed and studied in our laboratories [Antigone, McDaniel2002, ZLL2003].
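Added example (not code from the proposal, Keystone or Antigone) of the group re-keying step described above, using a binary key tree of the kind a key tree management service maintains: evicting a captured node replaces only the keys on its path, so the remaining nodes recover the new group key in O(log n) messages while the evicted node cannot. The toy XOR cipher is an assumption for illustration only.

```python
import hashlib
import os

# Constructed example (not code from the proposal, Keystone or Antigone).
# Binary logical key hierarchy: each member holds the keys on the path from its
# leaf to the root, and the root key is the MANET group key. Evicting a captured
# node replaces only the keys on its path, each sent under a key the evicted
# node never held, so rekeying costs O(log n) messages instead of O(n).

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Toy keystream (SHA-256 of key || fresh nonce); illustration only, not a real cipher.
    nonce = os.urandom(16)
    stream = hashlib.sha256(key + nonce).digest()
    return nonce + bytes(a ^ b for a, b in zip(stream, plaintext))

def decrypt(key: bytes, ct: bytes) -> bytes:
    stream = hashlib.sha256(key + ct[:16]).digest()
    return bytes(a ^ b for a, b in zip(stream, ct[16:]))

class KeyTree:
    """Key server view: complete binary tree over 2**depth members; node i has children 2i+1, 2i+2."""
    def __init__(self, depth: int):
        self.depth = depth
        self.keys = {i: os.urandom(32) for i in range(2 ** (depth + 1) - 1)}
    def path(self, member: int) -> list:
        """Node ids from the member's leaf up to the root (id 0)."""
        nodes, i = [], 2 ** self.depth - 1 + member
        while i > 0:
            nodes.append(i)
            i = (i - 1) // 2
        return nodes + [0]
    def member_keys(self, member: int) -> dict:
        return {i: self.keys[i] for i in self.path(member)}
    def evict(self, member: int) -> list:
        """Refresh every ancestor key bottom-up; return rekey messages (node, under, ct)."""
        path, messages = self.path(member), []
        for node in path[1:]:
            new_key = os.urandom(32)
            for child in (2 * node + 1, 2 * node + 2):
                if child != path[0]:  # never encrypt under the evicted node's own key
                    messages.append((node, child, encrypt(self.keys[child], new_key)))
            self.keys[node] = new_key  # so the next level encrypts under the fresh key
        del self.keys[path[0]]
        return messages

def apply_rekey(held: dict, messages: list) -> dict:
    """Member side: decrypt each message whose encrypting key this member holds."""
    held = dict(held)
    for node, under, ct in messages:
        if under in held:
            held[node] = decrypt(held[under], ct)
    return held
```

With eight members (depth 3) an eviction produces 5 rekey messages rather than one per surviving member, and a member decrypts only the messages for its own path.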

Field Tests

Field tests of the secure MANET will be conducted to integrate the authentication, IDIP and group rekey capabilities. We will subject the SMANET to wireless attacks to measure its ability to identify the attack, select the proper response and issue a group rekey operation if necessary. The test scenarios will include the capture and compromise of a node or key. The intrusion methods will include the "Black Hole" attack and false advertisements designed to induce a routing table overflow.

Our metrics will measure the ability of the SMANET to respond by isolating the attacker, redistributing a new group key quickly to the trusted nodes and restoring the correct routing tables.

Current Research Capability

In the UCCS Computer Science Network Laboratory, we have implemented networks and test beds that provide us with the experience we need to understand how to deliver reliable and secure network services to the hostile operating environments faced by first responders and soldiers. We have a wireless security network comprised of a Cisco Aironet 1200 access point with clients and servers to implement PEAP and TTLS authentication protocols. Several 802.11(b) nodes comprise a MANET based on the Ad-hoc On-demand Distance Vector (AODV) protocol. One of these nodes is a gateway that provides Internet access as well as DHCP and address translation services to the other wireless nodes. This MANET will be used to evaluate multiple path wireless routing protocols. Over the wireless networks, we have conducted experiments to evaluate the performance of VoIP using both 802.11(a) and 802.11(b) data link protocols. We have a 4-node MPLS and VPN test bed that provides QoS and IPSec-based secure communications. It is currently being used to experiment with the iSCSI protocol for secure storage networking. For network survivability, we have designed and developed fast network restoration algorithms and implemented simulators for comparing several state of the art survivable architectures. Among these architectures is a high availability content switch system that uses a heartbeat protocol to monitor the availability of the content switch and uses the "mon" software package to monitor the health status of the back end servers. The heartbeat and mon software can address the fault tolerance issue in secure group communications systems. For intrusion detection, the content switching system can examine the headers and contents of the packets as they traverse the network.

Our current research topics that address intrusion detection include:
- BIND dynamic update with OpenSSL
- Autonomous Anti-DDoS network (A2D2) [Cearns2002]
- A2D2 version 2.0 with Intrusion Detection and Isolation Protocol (IDIP)

Security Related Areas

We will investigate topics in the area of "Decision Management and Control" and deal with situations involving:
- Communications, including networks, infrastructures and 1st responder systems
- Emergency preparedness

We will also investigate Cyber-security and Information Protection and deal with the following sub-areas:
- Computer network security
- Wireless security
- Cryptography, encryption, authentication
- Information Assurance

To Be Accomplished

This project will create SMANET, a secure wireless group communication system. This system will ensure that information is distributed in a secure, reliable and efficient manner and in accordance with the security policies in effect.

Project Personnel

The people who will complete this project will include Dr. C. Edward Chow and his students of the Department of Computer Science at the University of Colorado at Colorado Springs.

Timeframe

6/01/2003 – 6/30/2003
7/01/2003 – 7/31/2003
8/1/2003 – 8/31/2003
May extend to Fall 2003

Task to be completed

- Design & implement SAODV routing authentication system.
- Implement wireless firewall with packet filtering.
- Determine attack signatures and program Snort IDS.
- Install & test Antigone & Keystone security systems.
- Create test support and benchmark software.
- Conduct SMANET field trials.

References

[AODV] Ad-hoc On-demand Distance Vector Protocol. http://w3.antd.nist.gov/wctg/aodv_kernel/
[Antigone] Antigone Secure Groupware. http://antigone.citi.umich.edu/content/antigone-2.0.22/docs/html/alpha.html
[Cearns2002] Cearns, Angela. "Design of an Autonomous Anti-DDoS Network (A2D2)." Masters thesis.
[IDIP] Network Associates Labs & Boeing. "IDIP Architecture." http://zen.ece.ohiou.edu/~inbounds/DOCS/reldocs/IDIP_Architecture.doc, 2002.
[McDaniel2002] McDaniel, Patrick D. (2002). "Policy Management in Secure Group Communication." PhD dissertation, University of Michigan.
[PBD2002] Charles E. Perkins, Elizabeth M. Belding-Royer, and Samir Das. "Ad Hoc On Demand Distance Vector (AODV) Routing." IETF Internet draft, draft-ietf-manet-aodv-11.txt, June 2002 (Work in Progress).
[Snort] Snort version 2.0, the open source network intrusion detection system. http://www.snort.org/
[Zapata2002] Zapata, M. G. "Secure Ad Hoc On-Demand Distance Vector (SAODV) Routing." Internet Draft, http://www.ietf.org/internet-drafts/draft-guerrero-manet-saodv-00.txt, October 2002.
[ZLL2003] X. Brian Zhang, Simon S. Lam, and D-Y Lee. "Group Rekeying with Limited Unicast Recovery." Technical Report TR-02-36, revised February 2003. http://www.cs.utexas.edu/users/lam/Vita/Misc/rekey_TR.pdf
