IPsec tunnels vs. identity-only obfuscation techniques for moving target networks

There has been recent interest in applying moving target approaches to computer networks. The ability to obfuscate the adversary's view of an organization's internal network is thought to confound the adversary's network reconnaissance steps, causing certain inefficiencies in nation state actors' attack processes. Novel Moving Target Network (MTN) techniques have been proposed specifically to hide communicating endpoint identities, blinding the adversary's view of the nodes in the network. To date, however, no published work has evaluated identity-only obfuscation approaches against the use of IPsec ESP tunnels as a way of hiding endpoint identities. The question is: are there network configurations in which identity-only obfuscation techniques work better than IPsec ESP tunnels? We present arguments that low-overhead MTN identity-only obfuscation approaches may work more efficiently on wireless mobile, tactical, peer-to-peer networks where processing energy and transmission bandwidth are constrained, and we also discuss features of metrics for measuring the success of moving target network approaches, helping to guide future research in this area.
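The abstract's claim rests on per-packet overhead: an ESP tunnel wraps every packet in an outer IP header, an ESP header, an IV, padding, a trailer and an ICV, whereas a scheme that only rewrites endpoint identities need not add bytes. The following Python is an added illustration, not code from the paper: it computes ESP tunnel-mode overhead from the field sizes in RFC 4303 (with transform parameters from RFC 3602/RFC 2404 for AES-CBC with HMAC-SHA1-96 and RFC 4106 for AES-GCM-16) and compares it against an identity-only scheme that is assumed, for the model, to rewrite addresses in place and add zero bytes. The packet sizes are constructed samples.

```python
"""Per-packet byte overhead of IPsec ESP tunnel mode versus identity-only obfuscation.

Added illustration, not code from the paper. ESP field sizes follow RFC 4303;
transform parameters follow RFC 3602 / RFC 2404 (AES-CBC + HMAC-SHA1-96) and
RFC 4106 (AES-GCM with a 16-byte ICV). The identity-only scheme is an
assumption of this model: addresses are rewritten in place and no bytes are added.
"""
from dataclasses import dataclass

IPV4_HEADER = 20          # outer (tunnel) IPv4 header
IPV6_HEADER = 40          # outer (tunnel) IPv6 header
ESP_HEADER = 8            # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER_FIXED = 2     # pad length (1 byte) + next header (1 byte)


@dataclass(frozen=True)
class EspProfile:
    name: str
    iv_len: int        # explicit IV carried in each packet
    align: int         # alignment the encrypted region must satisfy
    icv_len: int       # integrity check value appended to the packet


# Two common transform combinations (sizes from the RFCs named above).
AES_CBC_HMAC_SHA1_96 = EspProfile("AES-CBC + HMAC-SHA1-96", iv_len=16, align=16, icv_len=12)
AES_GCM_16 = EspProfile("AES-GCM-16", iv_len=8, align=4, icv_len=16)


def esp_padding(inner_len: int, profile: EspProfile) -> int:
    """Padding needed so payload + pad length + next header meets the alignment."""
    return (-(inner_len + ESP_TRAILER_FIXED)) % profile.align


def esp_tunnel_overhead(inner_len: int, profile: EspProfile, outer_ip: int = IPV4_HEADER) -> int:
    """Bytes added when an inner IP packet of inner_len bytes is wrapped in ESP tunnel mode."""
    return (outer_ip + ESP_HEADER + profile.iv_len
            + esp_padding(inner_len, profile) + ESP_TRAILER_FIXED + profile.icv_len)


def identity_only_overhead(inner_len: int) -> int:
    """Assumed model: addresses are rewritten in place, so no bytes are added."""
    return 0


def overhead_fraction(inner_len: int, profile: EspProfile, outer_ip: int = IPV4_HEADER) -> float:
    """Extra bytes on the wire per byte of the original packet."""
    return esp_tunnel_overhead(inner_len, profile, outer_ip) / inner_len


def compare(inner_lens, profile: EspProfile, outer_ip: int = IPV4_HEADER) -> dict:
    """Map inner packet length -> (ESP tunnel overhead bytes, identity-only overhead bytes)."""
    return {n: (esp_tunnel_overhead(n, profile, outer_ip), identity_only_overhead(n))
            for n in inner_lens}


if __name__ == "__main__":
    # Constructed sample sizes: a small voice/sensor datagram, a mid-size packet, near-MTU.
    sizes = [40, 100, 1400]
    for profile in (AES_GCM_16, AES_CBC_HMAC_SHA1_96):
        print(f"\n{profile.name} (IPv4 outer header)")
        for n, (esp, ident) in compare(sizes, profile).items():
            print(f"  inner {n:5d} B  ESP +{esp:3d} B ({esp / n:6.1%})  identity-only +{ident} B")
```

The fixed cost per packet is what matters on a constrained link: with AES-GCM-16 and an IPv4 outer header, a 40-byte datagram grows by 56 bytes (140% overhead) while a 1400-byte packet grows by the same 56 bytes (4%), so the tunnel penalty falls hardest on the small, frequent packets typical of tactical and sensor traffic.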
