Distributed Firewall For MANETs

Mobile Ad-hoc Networks (MANETs) are increasingly used in military tactical situations and in civil rapid-deployment networks, including emergency rescue operations and ad hoc disaster-relief networks. The flexibility of MANETs comes at a price when compared to wired and base-station-based wireless networks: MANETs are susceptible to both insider (compromised node) and outsider attacks, because there is no well-defined perimeter in which to deploy firewalls, intrusion detection systems, and the other mechanisms commonly used for network access and admission control. In this paper, we define a distributed firewall architecture designed specifically for MANETs. Our approach harnesses and extends the concept of a network capability, and is especially suited to environments where the communicating nodes have different roles and hence different communication requirements, such as tactical networks. Our model enforces communication restrictions among MANET nodes and services, allowing hop-by-hop policy enforcement in a distributed manner. We use a "deny-by-default" model in which compromised nodes have access only to the services they are authorized for, and cannot disrupt or interfere with end-to-end service connectivity or with nodes beyond their local communication radius. Our simulations show that our solution has minimal overhead in terms of bandwidth and latency, works well even in the presence of routing changes due to node mobility, and is effective in containing misbehaving nodes.
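The deny-by-default, capability-based, hop-by-hop enforcement sketched in the abstract, as an added illustration that is not the paper's own protocol or code. It assumes a constructed issuer key shared by every legitimate node (the page does not describe the paper's key management; a deployment would use per-node keys or issuer signatures so that a captured node cannot mint capabilities), a toy shortest-path routing function standing in for a MANET routing protocol, and a constructed five-node topology. Every honest node a packet touches re-checks the capability, so a compromised source that sends without one, or with one bound to a different service, is stopped at its first honest neighbour; and because the capability is bound to the endpoints and service rather than to the route, the same capability keeps working after a link disappears.

```python
"""Illustrative deny-by-default, capability-based hop-by-hop filter for a MANET.
Added example; not the paper's protocol. Key management is assumed, not shown."""
import hashlib
import hmac
import json
from collections import deque

# Constructed key shared by the capability issuer and every legitimate node.
# ASSUMPTION: how nodes obtain verification material is not on the page; a real
# deployment would use per-node keys or signatures so a captured node cannot
# forge capabilities for flows it was never granted.
ISSUER_KEY = b"constructed-issuer-key"


def _tag(body: dict, key: bytes = ISSUER_KEY) -> str:
    """MAC over a canonical encoding of the capability fields."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def issue_capability(src, dst, service, now, ttl, key=ISSUER_KEY):
    """Policy authority grants src the right to reach `service` on dst until now+ttl."""
    body = {"src": src, "dst": dst, "service": service, "exp": now + ttl}
    return {**body, "tag": _tag(body, key)}


def capability_permits(cap, pkt, now, key=ISSUER_KEY) -> bool:
    """Per-hop check: capability present, unforged, unexpired, bound to this flow."""
    if not cap:                       # deny by default: no capability, no forwarding
        return False
    body = {k: v for k, v in cap.items() if k != "tag"}
    if not hmac.compare_digest(_tag(body, key), cap.get("tag", "")):
        return False                  # tampered or forged
    return (body["src"] == pkt["src"] and body["dst"] == pkt["dst"]
            and body["service"] == pkt["service"] and body["exp"] > now)


def build_topology(links):
    """Undirected link list -> adjacency sets (constructed stand-in for the radio graph)."""
    topo = {}
    for a, b in links:
        topo.setdefault(a, set()).add(b)
        topo.setdefault(b, set()).add(a)
    return topo


def next_hop(topology, here, dst):
    """Shortest-path next hop over the current links (stands in for AODV/OLSR routing)."""
    if here == dst:
        return dst
    parent = {here: None}
    queue = deque([here])
    while queue:
        n = queue.popleft()
        if n == dst:
            while parent[n] != here:
                n = parent[n]
            return n
        for m in sorted(topology.get(n, ())):
            if m not in parent:
                parent[m] = n
                queue.append(m)
    return None


def forward(topology, pkt, now, compromised=frozenset(), max_hops=32):
    """Carry pkt from source to destination, enforcing the capability at every
    honest node it touches (source, relays and destination alike). Nodes in
    `compromised` skip enforcement; the next honest hop still applies it.
    Returns (status, path) so the containment point is visible."""
    here = pkt["src"]
    path = [here]
    for _ in range(max_hops):
        if here not in compromised and not capability_permits(pkt.get("cap"), pkt, now):
            return "dropped", path
        if here == pkt["dst"]:
            return "delivered", path
        nxt = next_hop(topology, here, pkt["dst"])
        if nxt is None:
            return "unreachable", path
        here = nxt
        path.append(here)
    return "ttl-exceeded", path


if __name__ == "__main__":
    # Constructed topology: A-B-C-D chain plus an A-E-D shortcut.
    topo = build_topology([("A", "B"), ("B", "C"), ("C", "D"), ("A", "E"), ("E", "D")])
    cap = issue_capability("A", "D", "telemetry", now=1000, ttl=60)
    good = {"src": "A", "dst": "D", "service": "telemetry", "cap": cap}
    print("authorized flow:", forward(topo, good, 1000))
    bad = {"src": "A", "dst": "D", "service": "shell", "cap": cap}
    print("compromised A, wrong service:", forward(topo, bad, 1000, compromised={"A"}))
    print("after link A-E is lost:",
          forward(build_topology([("A", "B"), ("B", "C"), ("C", "D")]), good, 1000))
```

The returned path shows where containment happens: a compromised A is stopped at E, one hop away, so it never reaches D or anything beyond its radio range, which is the property the abstract claims. The third run uses the same capability over a different route, showing why binding the capability to endpoints and service rather than to a path is what lets it survive mobility-induced route changes.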
