REPORT DATE: October 2002
REPORT TYPE AND DATES COVERED: Final, May 98 - Jun 02
TITLE AND SUBTITLE: BUILDING A DYNAMIC INTEROPERABLE SECURITY ARCHITECTURE FOR ACTIVE NETWORKS
AUTHOR(S): Roy H. Campbell and M. Dennis Mickunas
FUNDING NUMBERS: C - F30602-98-1-0192, PE - 62301E, PR - G378, TA - 00, WU - 01
PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): University of Illinois, Grants and Contracts Office, 109 Coble Hall, 801 South Wright Street, Champaign, Illinois 61820-6242
SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES): Defense
ABSTRACT

Security is viewed as one of the major obstacles to the widespread deployment of active networks. A significant challenge is to develop mechanisms that change software state on routers dynamically without sacrificing protection guarantees. The Seraphim project leverages the inherent dynamism of the active-network paradigm to build dynamic security mechanisms for active networks. Seraphim's security architecture is component based, dynamically extensible, and reflective, and supports a variety of policy strategies and enforcement mechanisms. This enabled the development of customizable, interoperable, domain-specific, or task-specific security policies and mechanisms that meet the security requirements of active network entities. Administrators were able to write security policies as active network capsules, called dynamic policies, and enforce them by executing the capsules in a suitable software context on active network routers. A suite of confidentiality, integrity, authentication, and access-control mechanisms was developed to secure the node of an active network. This suite was based on standardized APIs and provided support for customized Quality of Protection guarantees. Customized dynamic policies were created and installed at run time, trading functionality for performance, to implement low-overhead solutions that countered threats and attacks without sacrificing protection guarantees.
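The abstract describes three things a node must do before a dynamic policy carried in a capsule takes effect: authenticate the capsule and check its integrity, honour a negotiated Quality of Protection level, and evaluate the policy in a controlled context. The following is an added illustration of that flow and is not Seraphim's own code or API. It assumes a shared HMAC key between the policy authority and the node (standing in for whatever authentication primitive the project used), a two-level Quality of Protection scale, and a policy expressed as data rules rather than executable capsule code; all names (`Capsule`, `ActiveNode`, `make_capsule`, the QoP constants) are invented for this example.

```python
"""Illustration only: a node that installs 'dynamic policy' capsules after
authenticating them, enforcing a minimum Quality of Protection, and rejecting
replays, then answers access-control queries from the installed rules."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key shared by the policy authority and the node (assumption).
NODE_KEY = b"constructed-demo-key-not-for-real-use"

# Quality of Protection levels understood by this node (assumed scale):
QOP_INTEGRITY = 1          # capsule body is covered by a MAC
QOP_INTEGRITY_REPLAY = 2   # ...and carries a sequence number the node tracks


@dataclass
class Capsule:
    policy_id: str
    seq: int
    qop: int
    rules: list   # [{"subject", "action", "resource", "effect"}] with "*" wildcards
    mac: bytes


def _body(policy_id: str, seq: int, qop: int, rules: list) -> bytes:
    """Canonical encoding of everything the MAC must cover (qop and seq included,
    so an attacker cannot downgrade protection or resend an old capsule)."""
    return json.dumps(
        {"policy_id": policy_id, "seq": seq, "qop": qop, "rules": rules},
        sort_keys=True,
    ).encode()


def make_capsule(policy_id: str, seq: int, qop: int, rules: list,
                 key: bytes = NODE_KEY) -> Capsule:
    """Policy authority side: sign the policy into a capsule."""
    mac = hmac.new(key, _body(policy_id, seq, qop, rules), hashlib.sha256).digest()
    return Capsule(policy_id, seq, qop, rules, mac)


class ActiveNode:
    def __init__(self, min_qop: int = QOP_INTEGRITY_REPLAY, key: bytes = NODE_KEY):
        self.min_qop = min_qop
        self.key = key
        self.policies = {}   # policy_id -> installed rules
        self.last_seq = {}   # policy_id -> highest accepted sequence number

    def install(self, c: Capsule) -> bool:
        """Return True only if the capsule passes every check and is installed."""
        if c.qop < self.min_qop:
            return False   # weaker protection than this node's policy allows
        expected = hmac.new(self.key, _body(c.policy_id, c.seq, c.qop, c.rules),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, c.mac):
            return False   # unauthenticated or tampered capsule
        if c.qop >= QOP_INTEGRITY_REPLAY and c.seq <= self.last_seq.get(c.policy_id, -1):
            return False   # replayed or stale capsule
        if not all(r.get("effect") in ("allow", "deny") for r in c.rules):
            return False   # malformed rule; refuse rather than guess
        self.last_seq[c.policy_id] = c.seq
        self.policies[c.policy_id] = c.rules
        return True

    def check(self, policy_id: str, subject: str, action: str, resource: str) -> bool:
        """Evaluate installed rules: first match wins, default deny."""
        for r in self.policies.get(policy_id, []):
            if (r["subject"] in (subject, "*") and r["action"] in (action, "*")
                    and r["resource"] in (resource, "*")):
                return r["effect"] == "allow"
        return False


if __name__ == "__main__":
    # Constructed sample policy: alice may deploy to router1, everyone else is denied.
    rules = [
        {"subject": "alice", "action": "deploy", "resource": "router1", "effect": "allow"},
        {"subject": "*", "action": "*", "resource": "*", "effect": "deny"},
    ]
    node = ActiveNode()
    cap = make_capsule("p1", 1, QOP_INTEGRITY_REPLAY, rules)
    print("install:", node.install(cap))
    print("alice deploy:", node.check("p1", "alice", "deploy", "router1"))
    print("replay:", node.install(cap))
```

The order of checks matters: the QoP level is compared before the MAC is verified so that a capsule asking for less protection than the node requires is dropped cheaply, and the MAC covers the QoP field and sequence number so neither can be altered in transit. Keeping the policy as data evaluated by a fixed, default-deny matcher is what makes the "suitable software context" safe here; if policies were executable code, the node would additionally need a sandbox for them.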
SUMMARY

In an active network, new protocols and services can be injected into the network using smart packets that carry customized software components. This technology increases the flexibility and sophistication of the network architecture and enables fast deployment of new protocols and services. However, a...