Deny-by-Default Distributed Security Policy Enforcement in Mobile Ad Hoc Networks

Alicherry, Mansoor; Keromytis, Angelos D.; Stavrou, Angelos

doi:10.1007/978-3-642-05284-2_3

Deny-by-Default Distributed Security Policy Enforcement in Mobile Ad Hoc Networks

Mansoor Alicherry¹⁸,
Angelos D. Keromytis¹⁸ &
Angelos Stavrou¹⁹

Conference paper

620 Accesses
16 Citations

Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST,volume 19)

Abstract

Mobile Ad-hoc Networks (MANETs) are increasingly employed in tactical military and civil rapid-deployment networks, including emergency rescue operations and ad hoc disaster-relief networks. However, this flexibility of MANETs comes at a price, when compared to wired and base station-based wireless networks: MANETs are susceptible to both insider and outsider attacks. This is mainly because of the lack of a well-defined defense perimeter preventing the effective use of wired defenses including firewalls and intrusion detection systems.

We introduce a novel distributed security policy enforcement architecture that is designed specifically for MANETs. Our approach harnesses and extends the concept of network capabilities and is especially suited for mobile and heterogeneous communication environments. Our model imposes communication restrictions between MANET nodes by enforcing hop-by-hop policies in a distributed manner. We use a deny-by-default principle, allowing compromised nodes to access only authorized services. This significantly limits their ability disrupt or even interfere with end-to-end connectivity and nodes beyond their local communication radius. In this short paper, we only present the overall architecture of the system.

Keywords

MANETs
Capabilities
Distributed Firewall

This is a preview of subscription content, access via your institution.

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 109.00; Price excludes VAT (USA)

Softcover Book: USD 139.00; Price excludes VAT (USA)

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Akbania, R., Korkmaz, T., Raju, G.: HEAP: A packet authentication scheme for mobile ad hoc networks. In: Communications and Networking Simulation Symposium (2007)
Google Scholar
Anderson, T., Roscoe, T., Wetherall, D.: Preventing internet denial-of-service with capabilities. In: Proc. of Hotnets-II (2003)
Google Scholar
Blaze, M., Ioannidis, J., Keromytis, A.: Trust management for ipsec. In: Symposium on Network and Distributed Systems Security, SNDSS (2001)
Google Scholar
Estrin, D., Mogul, J.C., Tsudik, G.: Visa protocls for controlling interorganizational datagram flow. IEEE Journal on Selected Areas in Communications (May 1989)
Google Scholar
Ioannidis, S., Keromytis, A.D., Bellovin, S.M., Smith, J.M.: Implementing a distributed firewall, pp. 190–199 (2000)
Google Scholar
Jaramillo, J., Srikant, R.: Darwin: Distributed and adaptive reputation mechanism for wireless ad-hoc networks. In: MOBICOM (2007)
Google Scholar
Lee, R.: Netware 4.x performance tuning and optimization: Part 3 (October 1993), http://support.novell.com/techcenter/articles/ana19931001.html
Parno, B., Wendlandt, D., Shi, E., Perrig, A., Maggs, B., Hu, Y.-C.: Portcullis: protecting connection setup from denial-of-capability attacks. SIGCOMM Comput. Commun. Rev. 37(4), 289–300 (2007)
CrossRef Google Scholar
Shi, E., Perrig, A.: Designing secure sensor networks. IEEE Wireless Communications (2004)
Google Scholar
Wobber, E., Abadi, M., Burrows, M., Lampson, B.: Authentication in the taos operating system. ACM Transactions on Computer Systems 12 (February 1994)
Google Scholar
Wu, B., Chen, J., Wu, J., Cardei, M.: A survey on attacks and countermeasures in manets. In: Wireless/Mobile Network Security, ch. 12. Springer, Heidelberg (2006)
Google Scholar
Wu, X., Yau, D.K.Y.: Mitigating Denial-of-Service Attacks in MANET by Distributed Packet Filtering: A Game-theoretic Approach. In: ASIACCS (March 2007)
Google Scholar
Yang, H., Luo, H., Ye, F., Lu, S., Zhang, L.: Security in mobile ad hoc networks: Challenges and solutions. IEEE Wireless Communications (2004)
Google Scholar

Download references

Author information

Authors and Affiliations

Department of Computer Science, Columbia University, USA
Mansoor Alicherry & Angelos D. Keromytis
Department of Computer Science, George Mason University, USA
Angelos Stavrou

Authors

Mansoor Alicherry
View author publications
You can also search for this author in PubMed Google Scholar
Angelos D. Keromytis
View author publications
You can also search for this author in PubMed Google Scholar
Angelos Stavrou
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Department of Electrical Engineering and Computer Science, Robert R. McCormick School of Engineering and Application Science, Northwestern University, 2145 Sheridian Road, 60208-3118, Evanston, IL, USA
Yan Chen
Athens Information Technology, Markopoulo Ave., GR-19002, Peania, Greece
Tassos D. Dimitriou
Institute for Infocomm Research, 1 Fusionopolis Way, 21-01 Connexis, South Tower, 138632, Singapore
Jianying Zhou

Rights and permissions

Reprints and Permissions

Copyright information

About this paper

Cite this paper

Alicherry, M., Keromytis, A.D., Stavrou, A. (2009). Deny-by-Default Distributed Security Policy Enforcement in Mobile Ad Hoc Networks. In: Chen, Y., Dimitriou, T.D., Zhou, J. (eds) Security and Privacy in Communication Networks. SecureComm 2009. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 19. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-05284-2_3

Download citation

DOI: https://doi.org/10.1007/978-3-642-05284-2_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-05283-5
Online ISBN: 978-3-642-05284-2
eBook Packages: Computer ScienceComputer Science (R0)