Manets Spanning The Entire Protocol Stack Computer Science

A huge attention has been given recently to the Mobile Ad hoc Networks due to their self-configuration and self-maintenance capabilities. Besides the focus on problems such as wireless channel access and multi-hop routing, security also has received a tremendous interest in order to protect the communication between nodes in a potentially hostile environment. Although security has been a major concern of researchers in wireless networks, the exclusive characteristics of MANETs introduce a new set of interesting and nontrivial challenges to security design. Such challenges include shared wireless medium, open network architecture, highly dynamic network topology and stringent resource constraints. As a consequence, it is not possible to directly apply the existing security solutions for wired networks to the MANETs [5].

The main objective of the security remedies for MANETs is to grant security services, such as authentication, integrity, confidentiality, availability and anonymity, to mobile users. In order to reach this goal, a complete protection spanning the entire protocol stack should be provided in any proposed security solution. Table 4.1 describes the security issues in each layer [5].

Table 4.1 The security solution for MANETs spanning the entire protocol stack.LayerSecurity issuesApplication layerDetecting and preventing viruses, worms, malicious codes, and application abusesTransport layerAuthenticating and securing end-to-end communications through data encryptionNetwork layerProtecting the ad hoc routing and forwarding protocolsLink layerProtecting the wireless MAC protocol and providing link-layer security supportPhysical layerPreventing signal jamming denial-of-service attacks

The lack of a clear line of defence in MANETs is considered a distinguishing characteristic of these networks from the security design point of view. Differently from wired networks which have dedicated routers, each mobile node in an ad hoc network may act as a router and forward packets for other peer nodes. The wireless channel can be accessed by both authorized network users and malicious attackers.

Security never comes for free. Introducing more security features into the network leads to increasing computation, communication and management overhead. As a result, network performance, in terms of service availability, scalability, robustness and others becomes a crucial matter in a resource-constrained ad hoc network. In many recent proposals, the major focus is on the security strength of the solutions from the cryptographic prospective, while the network performance aspect is largely left unaddressed. As a matter of fact, the two aspects, security strength and network performance, are equally important, and attaining a good trade-off between them is one basic challenge in security design for Mobile Ad hoc Networks [5].

Security architecture for Mobile Ad hoc Networks

As it has been learnt from the history of Internet attacks, security is an important aspect in networking and cannot be considered separately after designing the whole infrastructure of network. As a specific example, IPsec is the result of lack of methodology in network security protocol design. Although it is technically complex to deploy, it also has conflicting requirement [28].

Security must not be considered as a separable part from the development of network, and not as mechanisms added after thought. Also, security should not be considered from a separate layer view. Today there are a lot of security mechanisms which work in different layers based on the OSI reference model's view: there is frequency hopping technique working in physical layer, WEP, 802.11x protecting data in data link layer, IPsec in network layer, and SSL/TLS, SSH in upper transport layer, and many application layer security protocols like Secure Electronic Transactions (SET), Privacy Enhanced Mail (PEM), etc [27].

The designs of these security protocols are specific for some security requirements and their overlapping functionalities make the whole system inefficient and complex and make it difficult for users to choose and deploy. Despite the fact that there is a huge work has been done to increase the security of MANETs, none of them considers designing security mechanisms from a system architectural standpoint. A misplacement of security mechanisms and overlapping of security functionalities can be caused by the lack of methodology to manage the complexity of security requirements in variant situations. Most of the relevant effort done so far deals either with establishing the trust infrastructure alone, or just with securing routing protocol based on certain assumptions that security associations are already established. Following the OSI model applied in designing network protocols, authors in [27] presented a layered secure architecture for MANETs that can be applied in designing security protocols. The figure 4.1 depicts five-layer security architecture for MANETs, and the functionalities of each layer are illustrated below.

End-to-End SecurityNetwork SecurityRouting SecurityCommunication SecurityTrust Infrastructure SecuritySecurity Layer 5Security Layer 4Security Layer 3Security Layer 2Security Layer 1Figure 4.1 Security Architecture for MANETsSecurity Layer 1 - Trust Infrastructure Layer

This layer refers to the basic trust relationship between nodes. Because of the lack of the centralized authority in MANETs which helps to establish the trust relationship between communicating devices, the security mechanisms in this layer are considered the basic building block of the whole security system and expected to be constructed in a distributed manner. Therefore, this layer creates a great challenge to system security designers. Any security mechanisms established in this layer must serve for the upper layer security mechanisms [27].

Security Layer 2 - Communications Security Layer

The security mechanisms in this layer are responsible for securely transmitting data frames in a node-to-node manner, such as the Wired Equivalent Privacy protocol (WEP), or physical protection like frequency hopping. These security mechanisms provide techniques to keep data frame from interception, eavesdropping, alteration, or dropping from unauthorized party along the route from the source to the destination.

Security Layer 3 - Routing Security Layer

All the security mechanisms applied to routing protocols are deployed in this layer. Nodes in MANETs exchange information about the connectivity of their neighbours and build a view of the network topology so that they can route the data packets to the correct destinations. Every node is involved in the routing activity and routing itself is an important part to keep the network connected.

Two aspects are considered within the routing security layer: secure routing and secure data forwarding. In the former aspect, nodes have to cooperate to share correct routing information to keep the network connected efficiently; in the latter aspect, data packets being transmitted should be protected from dropping, tampering and altering by any unauthorized party [27].

Security Layer 4 - Network Security Layer

The network security layer is related to the security mechanisms used by the network protocols which perform sub-network access operations from end system to end system. For example, the security services like peer entity authentication, confidentiality and integrity can be achieved by the network layer security protocol IPsec, another example is the SMT mechanism from [29].

Security Layer 5 - End-to-End Security Layer

This layer is connected to end system security, such as SSH, SSL and any application specific security protocol. Since the security mechanisms in this layer are restricted to only intended parties, its security protocols are independent of the underlying networking technology. The provision of any security service in this layer is highly dependent upon security requirements related to specific applications [27].

Dividing the security architecture into five layers has a straightforward objective. The fifth layer describes the security mechanisms linked with end application system, like Secure Electronic Transaction protocol (SET), thus this layer should be differentiated from the underlying layers. The forth layer is concerned with network access control and network layer data packet protection. It is in fact working at the end of network framework. Any unsolved network security problems from the underlying routing protocols can be dealt with by the mechanisms deployed in this layer. One good example is SMT [29] which is a solution for the unreliable routing protocol. Including the routing security layer (Security Layer 3) in the architecture is due to the inherent cooperative nature in MANETs which demands every node to act as a host which needs other nodes sending information for it and also as a router to provide routing and relaying functions to other nodes. The security mechanisms in this layer are related to the network topology and are always designed with respect to specific routing protocol in use. Hop-to-hop communications security is provided by the second layer which is related to the data link security and physical layer security in the wireless communications channel. A trust infrastructure in the first layer is required to be established before communication begin to function securely, an example is the trust infrastructure established using distributed threshold cryptography in [30].

Mechanisms like encryption and signature which are intrusion prevention do not omit the need for intrusion/misbehaviour detection and response. Even if the latter mechanisms are not distinctively specified in the system architecture, they are actually very essential in MANETs security system and can be deployed in any layer of the system architecture according to the security requirements in each layer.

Security objectives

Security in general is an important issue for any kind of communication so is for mobile ad hoc networks, in particular for those security-sensitive applications. To secure a mobile ad hoc network, the following attributes should be considered: availability, confidentiality, integrity, authentication, and non-repudiation [30].

Availability

It makes sure that the network services can survive despite denial of service attacks. Any layer of a mobile ad hoc network is threatened by the denial of service attack. On the physical and media access control layers, a jamming could be employed by an adversary to interfere with communication on physical channels. On the network layer, an attacker could interrupt the routing protocol and cause the network to be disconnected. On the higher layers, an adversary might be able to bring down high-level services. One such target is the key management service, an essential service for any security framework.

Confidentiality

Confidentiality ensures that any piece of information which considered confidential cannot be disclosed to unauthorized entities. Confidentiality is highly required in any network transmission of sensitive information, such as strategic or tactical military information. The consequences of the leakage of such information to enemies could be devastating. Routing information also in some cases might be valuable for enemies to identify and to locate their targets in a battlefield; therefore they must remain confidential in such cases.

Integrity

With integrity, there is a guarantee that a message being transmitted is never corrupted. Benign failures could be sometimes a cause of corrupting a message, such failures as radio propagation impairment, or because of malicious attacks on the network.

Authentication

This mechanism enables a node to be sure of the identity of the peer node it is communicating with. The lack of authentication may enable an attacker to masquerade a node, hence getting unauthorized access to resource and security-sensitive information and interfering with the operation of other nodes.

Non-repudiation

This attribute guarantees that the source of a message cannot disclaim having sent the message. Non-repudiation can be useful to detect and isolate of compromised nodes. This can be illustrated as in the case of receiving an erroneous message by a node A from a node B; non-repudiation allows the destination node A to accuse the source node B using this message and to convince other nodes that B is compromised.

Security Threats in Mobile Ad Hoc NetworksTypes of Attacks

Attacks against MANETs can be divided into two groups: Passive attacks and active attacks. The former are typically involve only eavesdropping of data. The latter involve actions performed by attackers, for example trying to replicate, modify and delete exchanged data. External attacks are considered one kind of active attacks that are intended to cause congestion, propagate incorrect routing information, prevent services from working properly or shut down them completely. Such attacks are possibly to be prevented by using standard security mechanisms such as firewalls, encryption and so on. The more severe attacks are internal attacks, since malicious insider nodes already belong to the network as an authorized party and are thus protected with the security mechanisms the network and its services offer. Therefore, such malicious insiders, who might even operate in a team, may employ the standard security means to actually protect their attacks. These kind of malicious parties are called compromised nodes, as their actions compromise the security of the whole ad hoc network [32].

Denial of Service

This kind of threat, denial of service, can be generated either by an unintentional failure or malicious action, creates a severe security risk in any distributed system. The effects of such attacks depend on the application area of the ad hoc network. For example, any nodes of an ad hoc network formed inside a classroom, teacher's centralized node or students' handheld devices, can crash or be shut down without completely destroying anything, the class can continue their work normally by using other tools. On the other hand, the efficient operation of the soldiers in the battlefield scenario depends on the proper operation of the ad hoc network which their devices are connected to. If this network can be shut down by the enemy, the whole soldiers team may be separated into vulnerable units that cannot communicate with each other or to the headquarters.

There are many forms of the denial of service attack: in the centralized scheme, the well-known method is to flood the centralized resource so that it crashes or at least no longer functions correctly. However, this might be an inapplicable technique in ad hoc networks due to the distribution of responsibility. A more serious threat is the distributed denial of service attack: if an enough computing power and bandwidth are provided to an attacker to operate with, smaller ad hoc networks can be easily either crashed or congested. However, as discussed in [31] there are more severe threats to ad hoc networks: compromised nodes might be capable of reconfiguring the routing protocol or any part of it so that they can be able to send routing information very frequently, therefore causing congestion or preventing nodes to obtain new information about the changed topology of the network.

The worst case scenario is when the attacker can change routing protocol to function in an invalid way he/she wants. The inability to detect any of neither the compromised nodes nor the changes to the routing protocol can lead to serious consequences, as from the nodes point of view the network may seem to operate in a normal way. This kind of invalid operation of the network initiated by malicious nodes is called a byzantine failure [32].

Impersonation

This kind of attacks creates a great security risk in all levels of ad hoc networking. The lack of a proper authentication of parties may enable compromised nodes in network layer to, for example, undetectably join the network or send false routing information masqueraded as some other trusted node. Within network management, an access to the configuration system as a super user can be granted to the attacker. In service level, it is possible for a malicious party to have its public key certified even without proper credentials. Therefore impersonation attacks concern all critical operations in ad hoc networks. In the classroom scenario, however, the impersonation attack is improbable or even unfeasible. If the impersonation can be achieved by a malicious student on the teacher's node, he might be able to access or damage data that is saved in teacher's or students' devices or exchanged between them. The advantage of the attack is not big: it will most likely be detected very quickly and the data that can be manipulated or accessed is not that crucial to make the attack worthwhile. In the battlefield example the possible effects of successful impersonation are much more severe: a hostile device controlled by the enemy might be able to undetectably join the ad hoc network and permanently damage other nodes or services. A malicious party may be able to masquerade itself as any of the friendly nodes and give false orders or status information to other nodes [32].

Mitigating impersonation threats can be achieved by deploying strong authentication methods in contexts where a party has to be able to trust the origin of data it has received or stored. Most often this means in every layer the application of digital signature or keyed fingerprints over routing messages, configuration or status information or exchanged payload data of the services in use. Digital signatures executed with public-key cryptography are considered a problematical issue within ad hoc networks, as a relatively much computation power is required by them along with an efficient and secure key management service. Therefore in many cases lighter remedies are needed, kinds of these solutions are the use of keyed hash functions or a priori negotiated and certified keys and session identifiers. However, they do not eliminate the demand for secure key management or proper confidentiality protection mechanisms.

Disclosure

Eavesdropping is a serious threat and any communication, whenever confidential information is exchanged, must be protected from it. Also unauthorized access to any node stores critical data must be prevented. In ad hoc networks such information can involve almost anything for instance specific status details of a node, the location of nodes, private or secret keys, passwords and phrases. The control data sometimes is more important information from the security point of view than the actual exchanged data. For example the routing instructions in packet headers such as the identity or location of the nodes can sometimes have value more than the application-level messages. This can be applied especially in critical military applications. Such as the battlefield scenario, in this case the data of a handshaking packet exchanged between nodes might not be considered interesting from the enemy point of view. Instead the identities of the observed nodes - compared to the previous traffic patterns of the same nodes - or the detected radio transmissions the nodes generate may be the information just the enemy needs to launch a well-targeted attack. On the contrary, in the classroom example the disclosure of exchanged or stored information is critical "only" from the viewpoint of a person's privacy [32].

Criteria for Protecting Mobile Ad hoc NetworksPhysical Security

Nodes in mobile ad hoc networks are significantly more susceptible to physical attacks than wired nodes in traditional networks. However, the ad hoc networking approach and the environment in which the nodes operate have an impact on deciding the importance of the physical security in the overall protection of the network. For example the physical security of single nodes in ad hoc networks that consist of independent nodes and work in a hostile battlefield may be severely threatened. Thus protecting nodes in such scenarios cannot rely only on physical security. On the other hand, the physical security of the node in the classroom example is considered an important issue to the owner of the node, maybe for privacy reasons, but intruding and trying to break the physical security does not affect the security of the whole system [32].

Security of Network Operations

Protecting the data-link or network layer can be sometimes a significant factor for the security of the ad hoc networks. In some ad-hoc solutions, the link layer provides strong security services to protect confidentiality and authenticity, in which case all of the security requirements need not be addressed in the network or upper layers. For example, in some wireless LANs link layer encryption is applied. However this does not mean that the security services are not implemented in higher layers, for instance in network layer, where many ad hoc networks employ IP-based routing and recommend or suggest the use of IPSec [32].

Most Mobile Ad hoc Network routing protocols as stated in [30] seem to deal rather well with the rapid changes to the networking environment. As the routing protocol has the responsibility for specifying and maintaining the necessary routing fabric for the nodes, the protocol itself must be protected from any attack against the attributes mentioned in the previous section, confidentiality, authenticity, integrity, non-repudiation and availability.

If confidentiality of the routing information comes under a threat, the attacker could be able by eavesdropping the routing traffic between the nodes to identify or locate these nodes. The confidentiality in the military applications is considered and important issue, as discussed in [33], since without any guarantee of protecting location, identity and communication the users of the ad hoc network are very susceptible to all kinds of attacks. On the other hand, when availability of the network is broken which means the communication channels are broken or compromised, the users may not be able to continue their mission at all.

When public key cryptosystems are in use, authenticity and integrity of routing information are often handled in parallel, since digital signatures are deployed to confirm the origin of the data and its integrity. Not applying any integrity protection enables the attacker to destroy messages, manoeuvre packet headers or even generate false traffic in order to make it difficult to distinguish these actions from being hardware or network failures. Authenticity of the routing data plays an important role for the nodes to confirm the source of new or changed routing information. In case of not applying authenticity, there is a possibility of performing impersonation attacks, diverting traffic to arbitrary destinations or even scrambling the routing fabric with the purpose that connectivity is severely broken in the ad hoc network. In worst case the attacker can perform his actions and leave the network without being regarded as a malicious party [32].

Non-repudiation is to some degree connected with authenticity: traces must be left behind routing traffic so that any node transmitting routing information cannot later deny of having propagated the data to other nodes of the network. The same security requirements are required by both the network management data and the routing traffic: a protection from disclosure must be granted to the management information when it contains vulnerable information such as status data that the nodes collect. The protection of management traffic against tampering and impersonation attacks is maybe even more important. For instance, if there is no authentication or protection against integrity attacks in the status information the nodes send to the management system, a malicious node is able of capturing the valid information and instead sending invalid status data. This may lead to wrong assumptions about the condition of the nodes within the management system and lead to the use of invalid configuration data, as a reaction to the observed changes to statuses of nodes. Obviously, the impersonation attacks against the exchanged configuration information may have severe and unpredictable consequences - especially if the adversary can at the same time control the sending of status information from the nodes. Moreover, as in ad hoc networks the manual configuration of nodes may be impossible, the configuration data may have to be exchanged dynamically and on-demand, thus making the management operations even more vulnerable to the discussed attacks. In the worst case the adversary can arbitrarily configure any node and thus control the management system, which may interpret the observed inconsistencies as "natural" failures, not malicious actions generated by an active attacker [32].

Service Aspects

Ad hoc networks might use either hierarchical or flat infrastructure both in logical and physical layers independently. Because in some flat ad hoc networks the nodes themselves maintain the connectivity of the network, it is not possible or even practicible for the network to rely on any kind of centralized services. In such networks the essential services such as key management and routing of packets have to be distributed in order that all nodes have responsibility in providing the service. As there is a lack of dedicated server nodes, any node might be able to provide the necessary service to another. In addition, the availability of the services in ad hoc networks is not affected by crashing or leaving a tolerable amount of nodes. Finally, it is in theory impossible to protect services against denial of service. In ad hoc networks redundancies in the communication channels give an advantage of increasing the possibility that each node can receive proper routing information. However, such approaches produce more overhead both in computation resources and network traffic. But from the security point of view, these redundancies in the communication paths may reduce the denial of service attack and allow the system to detect malicious nodes from performing malicious actions more easily than in service provisioning approaches that rely on single paths between the source and destination [32].

Availability is a central issue in ad hoc networks that must operate in dynamic and unpredictable conditions. The network nodes may be idle or even be shut down once for a while. Thus the ad hoc network cannot make any assumptions about availability of specific nodes at any given time. For commercial applications using ad hoc networks availability is often the most important issue from the viewpoint of the clients. The routing protocol must guarantee the robustness of the routing fabric so that the connectivity of the network is maintained even when threatened by rapid changes in topology or attackers. Similarly, in the higher layers, the services must be able to rely on that the lower layers maintain the packet-forwarding services at any time. Finally, many ad hoc networking protocols are applied in conditions where the topology must scale up and down efficiently, e.g. due to network partitions or merges. The scalability requirements also directly affect the scalability requirements targeted to various security services such as key management. In networks where the area of application restricts the possible size of the network, assumptions can be made about the scalability requirements of the security services as well.

Security of Key Management

As in any distributed system, in ad hoc networks the security is based on the use of a proper key management system. As ad hoc networks significantly vary from each other in many respects, an environment-specific and efficient key management system is needed. To be able to protect nodes e.g. against eavesdropping by using encryption, the nodes must have made a mutual agreement on a shared secret or exchanged public keys. For very rapidly changing ad hoc networks the exchange of encryption keys may have to be addressed on-demand, thus without assumptions about a priori negotiated secrets. In less dynamic environments like in the classroom example above, the keys may be mutually agreed proactively or even configured manually (if encryption is even needed) [32].

If public-key cryptography is applied, the whole protection mechanism relies on the security of the private key. Consequently, as the physical security of nodes may be poor, private keys have to be stored in the nodes confidentially, for instance encrypted with a system key. For dynamic ad hoc networks this is not a wanted feature and thus the security of the private key must be guaranteed with proper hardware protection (smart cards) or by distributing the key in parts to several nodes. Hardware protection is, however, never alone an adequate solution for preventing attacks as such. In ad hoc networks a centralized approach in key management may not be an available option, as there may not exist any centralized resources. Moreover, centralized approaches are vulnerable as single point of failures. The mechanical replication of the private keys or other information is an inadequate protection approach, since e.g. the private keys of the nodes simply have then a multiple possibility to be compromised. Thus a distributed approach in key management - for any cryptosystem in use - is needed, as proposed e.g. in [30].

Access Control

The access control is an applicable concept also within ad hoc networking, as there usually exist a need for controlling the access to the network and to the services it provides. Moreover, as the networking approach may allow or require the forming of groups in for instance network layer, several access control mechanisms working in parallel may be needed. In the network layer the routing protocol must guarantee that no authorized nodes are allowed to join the network or a packet forwarding group such as the clusters in the hierarchical routing approach. For example in the battlefield example of the introduction the routing protocol the ad hoc network applies must control so that no hostile node can join and leave the group undetectable from the viewpoint of the other nodes in the group. In application level the access control mechanism must guarantee that unauthorized parties cannot have accesses to services, for instance the vital key management service [32].

Access control is often related to the identification and authentication. The main issue in the identification and authentication is that the parties can be confirmed to be authorized to gain the access. In some systems, however, identification or authentication of nodes is not required: nodes may be given e.g. delegate certificates with which the nodes can gain access to services. In this case actual authentication mechanisms are not needed, if the nodes are able to present adequate credentials to the access control system. In some ad hoc networks services may be centralized, while in other networks they are applied in a distributed manner, which may require the use of different access control mechanisms.

Moreover, the required security level in access control also affects the way the access control must be implemented. If a centralized ad hoc networking approach with low security requirements is applied - as in the classroom example - the access control can be managed by the server party with simple means such as user id - password scheme. In ad hoc networks that operate in more difficult conditions without any centralized resources as in the battlefield scenario, the implementation of access control is much more difficult. Either the access to the network, its groups and resources must be defined when the network is formed, which is very inflexible. The other possibility is to define and use a very complex, scalable and dynamic access control protocol, which brings flexibility but is prone to various kinds of attacks and it may even be impossible to apply properly and efficiently [32].

Article name: Manets Spanning The Entire Protocol Stack Computer Science essay, research paper, dissertation