
International Journal of Network Security & Its Applications (IJNSA), Vol.2, No.4, October 2010




Soumya Maity^1, P Bera^1, S K Ghosh^1, Pallab Dasgupta^2

^1 School of Information Technology, Indian Institute of Technology, Kharagpur, India
soumyam@iitkgp.ac.in, bera.padmalochan@gmail.com, skg@iitkgp.ac.in

^2 Department of Computer Science and Engineering, Indian Institute of Technology, Kharagpur, India
pallab@cse.iitkgp.ernet.in


The continuous advancement of wireless technologies, especially enterprise wireless local area networks (WLANs), demands well-defined security mechanisms with appropriate architectural support to overcome various security loopholes. Implementing security policies on the basis of role-based access control (RBAC) models is an emerging field of research in WLAN security. However, verifying the correctness of the implemented policies over the distributed network devices as the topology changes remains unexplored in this domain. Enforcing organizational security policies in WLANs requires protecting the network resources from unauthorized access. Hence, it is required to ensure correct distribution of access control rules to the network access points conforming to the security policy. In WLAN security policy management, the standard IP based access control mechanisms are not sufficient to meet the organizational requirements because of the dynamic topology of such networks. In an enterprise network environment, RBAC mechanisms can be deployed to strengthen the security perimeter around the network resources. Further, there is a need to model time- and location-dependent access constraints. In this paper, we propose a WLAN security management system supported by a formal spatio-temporal RBAC (STRBAC) model and a Boolean satisfiability (SAT) based verification framework. The concept of mobile IP is used to ensure a fixed layer 3 address mapping for the mobile hosts in a dynamic scenario. The system stems from logical partitioning of the WLAN topology into various security policy zones. It includes a Global Policy Server (GPS) that formalises the organisational access policies and determines the high level policy configurations for the different policy zones, and a Central Authentication & Role Server (CARS) that authenticates the users (or nodes) and the access points (APs) in the various zones and also assigns appropriate roles to the users. Every host has to register its unique MAC address with the CARS. Each policy zone has a Wireless Policy Zone Controller (WPZCon) that coordinates with a dedicated Local Role Server (LRS) to extract the low level access configurations for the zone access router. We also propose a formal STRBAC model to represent the global security policies and a SAT based verification framework to verify the access configurations.


WLAN, Security Policy, Verification, Mobile IP


1. INTRODUCTION

The widespread deployment and dynamic topology characteristics of wireless networks make security management in wireless LANs (WLANs) increasingly difficult. Mobile users (with laptops and hand-held devices) remotely access the internal network from a public network zone and hence may violate the organisational security policies. Typically, an organisational security policy provides a set of rules governing access to network objects by the various users in the network. Meeting the organisational security need requires a strong security policy management system with appropriate access control models.

An enterprise LAN demands that the security policies be implemented over the distributed network for the policy based security management system to function properly. For policy based security management, a primary concern is partitioning the network topology into different logical policy zones and then enforcing the security policies in those zones through a set of functional elements. This requires proper distribution of the system functionality (or functional rules) among the various architectural elements. However, deploying policy based security management in a wireless network (WLAN) requires appropriate access control models (such as role-based access control (RBAC) or spatio-temporal RBAC) for representing and enforcing the security policies, because the topology of a wireless network is dynamic and wireless nodes may not be bound to a specific IP address. Mobile IP is used to cope with this dynamic topology: the mobile IP address [17] is always specific to a host and does not change from location to location. The background and standards for policy based security management can be found in RFC 3198 [5]. Using mobile IP to implement the security policy increases the performance of the system and gives better results than the MAC based models referred to in [2] and [18].

Role based access control (RBAC) mechanisms are already used for controlled access management in commercial organizations. In RBAC, permissions are attached to roles, and users must be assigned to these roles to obtain the permissions for accessing the resources. More recently, temporal RBAC (TRBAC) and spatio-temporal RBAC (STRBAC) models have evolved for location and time dependent access control. In wireless LAN security management, the STRBAC model can be used so that the users associated with a role can access network objects only if they satisfy certain location and time constraints. For example, in an academic network, students are not allowed to access the internet from their residential halls during class time (say, 08:00-18:00 on weekdays). However, they are always allowed to access the internet from the academic departments.

• Home Agent: a designated router in the home network of the mobile node. It maintains the mobility bindings in a mobility binding table where each entry is identified by the tuple ⟨α, τ, l̃⟩, with α the permanent home address, τ the temporary care-of address and l̃ the association lifetime.

• Foreign Agents: specialized routers in the foreign network that the mobile node is currently visiting. The foreign agent maintains a visitor list containing information about the mobile nodes currently visiting that network. Each entry in the visitor list is identified by the tuple ⟨α, ψ, w, l̃⟩, where ψ is the address of the home agent and w is the MAC address of the mobile node. The foreign agent provides the new τ to a host.

• Central Authentication & Role Server (CARS) which authenticates the users (or nodes) and access points (AP) and also assigns appropriate roles to the users based on user credentials.

• Local Role Servers (LRS) corresponding to the respective policy zones are populated with the user-role information from the CARS.

• The Global Policy Server formally models the global security policy, GP, and determines the high level policy configurations (represented as GPZ1, ..., GPZN) for the various policy zones.

• The distributed Wireless Policy Zone Controllers (WPZCons) determine the low level access configurations (represented as LPZ1, ..., LPZN) in coordination with the local role servers and validate the access configurations against the high level policy configurations.

• We propose a formal STRBAC model to represent the security policies and access configurations in the system.

• A SAT based framework has been presented to verify the low level access configuration with respect to the global policy.
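As an added illustration (not code from the paper), the following Python models the kind of STRBAC policy described in the introduction together with the GPZ/LPZ relationship from the list above: a global policy GP over roles, zones (locations) and time windows, the per-zone slice GPZ_i, a low level configuration LPZ_i at hour granularity of the sort a zone controller might push to the zone router, and an exhaustive check that LPZ_i agrees with GPZ_i. The zone, role and object names, the first-match/default-deny semantics and the hour-slot representation are constructed assumptions; the exhaustive comparison stands in for the paper's SAT based verification, which this page does not yet describe.

```python
from dataclasses import dataclass
from datetime import time
from itertools import product


@dataclass(frozen=True)
class TimeWindow:
    """Temporal constraint: a daily [start, end) interval on a set of weekdays (0 = Monday)."""
    start: time
    end: time
    weekdays: frozenset

    def contains(self, weekday: int, t: time) -> bool:
        return weekday in self.weekdays and self.start <= t < self.end


ALWAYS = TimeWindow(time(0, 0), time.max, frozenset(range(7)))
CLASS_HOURS = TimeWindow(time(8, 0), time(18, 0), frozenset(range(5)))  # 08:00-18:00, Mon-Fri


@dataclass(frozen=True)
class Rule:
    """One STRBAC policy rule: role may (or may not) access obj from zone during window."""
    role: str
    zone: str
    obj: str
    window: TimeWindow
    permit: bool


# Constructed global policy GP (assumed vocabulary): first matching rule wins, default deny.
GLOBAL_POLICY = [
    Rule("student", "residential_hall", "internet", CLASS_HOURS, permit=False),
    Rule("student", "residential_hall", "internet", ALWAYS, permit=True),
    Rule("student", "academic_dept", "internet", ALWAYS, permit=True),
    Rule("faculty", "residential_hall", "internet", ALWAYS, permit=True),
    Rule("faculty", "academic_dept", "internet", ALWAYS, permit=True),
]
ROLES = ("student", "faculty")
OBJECTS = ("internet",)


def decide(rules, role, zone, obj, weekday, t) -> bool:
    """Evaluate a rule list for one access request (first match wins, default deny)."""
    for r in rules:
        if (r.role, r.zone, r.obj) == (role, zone, obj) and r.window.contains(weekday, t):
            return r.permit
    return False


def high_level_config(global_policy, zone):
    """GPZ_i: the slice of GP that concerns one policy zone."""
    return [r for r in global_policy if r.zone == zone]


def derive_low_level(gpz, zone):
    """LPZ_i: one permit/deny entry per (role, object, weekday, hour).
    Assumes rule boundaries fall on whole hours, so hh:30 is representative of the slot."""
    return {
        (role, obj, wd, hour): decide(gpz, role, zone, obj, wd, time(hour, 30))
        for role, obj, wd, hour in product(ROLES, OBJECTS, range(7), range(24))
    }


def low_level_for(zone):
    """Convenience: derive LPZ_i for a zone straight from the global policy."""
    return derive_low_level(high_level_config(GLOBAL_POLICY, zone), zone)


def verify(gpz, lpz, zone):
    """Exhaustively compare LPZ_i with GPZ_i; returns every slot where they disagree.
    The state space is small enough to enumerate here; the paper uses a SAT solver instead."""
    violations = []
    for (role, obj, wd, hour), low_decision in lpz.items():
        expected = decide(gpz, role, zone, obj, wd, time(hour, 30))
        if low_decision != expected:
            violations.append((role, obj, wd, hour, low_decision, expected))
    return violations


def misconfigured_zone():
    """Constructed zone-controller error: the class-hours restriction on students was dropped."""
    zone = "residential_hall"
    gpz = high_level_config(GLOBAL_POLICY, zone)
    lpz = derive_low_level(gpz, zone)
    for wd, hour in product(range(5), range(8, 18)):
        lpz[("student", "internet", wd, hour)] = True
    return verify(gpz, lpz, zone)


if __name__ == "__main__":
    for zone in ("academic_dept", "residential_hall"):
        gpz = high_level_config(GLOBAL_POLICY, zone)
        print(zone, "violations:", len(verify(gpz, derive_low_level(gpz, zone), zone)))
    print("misconfigured residential_hall violations:", len(misconfigured_zone()))
```

A correctly derived LPZ_i produces no violations for either zone, while the constructed misconfiguration reports one violation for each of the 50 weekday class-hour slots in which students were wrongly permitted. Any real low level configuration (an ACL on the zone router, say) could be checked the same way once it has been mapped into the same slot representation.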

The rest of the paper is organized as follows. The related work in the areas of Wireless LAN policy based security management and spatio-temporal RBAC models has been described in section 2. In section 3, we describe the architecture and operational flow of the proposed WLAN policy management system. Section 4 describes the proposed spatio-temporal RBAC model to support our policy management system. The analysis of the framework with a case study has been presented in section 5. Section 6 describes the SAT based verification procedure for analyzing the access configurations with respect to the global policy.

2. RELATED WORK

Wireless networks are at a premature stage of deployment of policy based security management, whereas considerable research has been performed in this area on wired LANs. Westrinen et al. [5] standardised the terminologies and functional elements for policy based management. The research outcome of the IST-POSITIF project [1] is a policy-based security framework for local area networks. The IETF Policy working group developed a framework for network policy based admission control [4]. It consists of a central policy server that interprets the policies, makes policy decisions and communicates them to various policy enforcement points. J. Burns et al. propose a framework [3] for automatic management of network security policies based on a central policy engine. The policy engine is populated with models of the network elements and services, validates policies and computes new configurations for the network elements when policies are violated. But the framework considers only a very simple set of policy constraints. A recent work [2] by Lapiotis et al. addresses policy based security management in wireless LANs. They propose a distributed policy based architecture which includes a central policy engine and distributed wireless domain managers with consistent local policy autonomy. However, they do not describe the type of security policies enforced, nor the formal validation of the policies.

The role based access control (RBAC) model [6] is used for addressing the access requirements of commercial organizations. Several works have improved RBAC functionality by incorporating time and location information. Joshi et al. [7] propose a Generalized Temporal Role Based Access Control Model (GTRBAC) incorporating time into the RBAC model. Temporal constraints determine when a role can be enabled or disabled. In this work, the authors introduce the concept of a time-based role hierarchy. GEO-RBAC [8] is an extension of RBAC incorporating spatial information; here, roles are activated based on location.

Ray and Toahchoodee [9] propose a spatio-temporal role-based access control model incorporating both time and location information. We introduce the notion of a wireless policy zone to represent location in our model. The role permissions to access network objects are modeled through policy rules containing both policy zone (location) and temporal constraints.

RFC 4271 describes the working principles of mobile IP. The detailed concept was elaborated in 1998 by Perkins [19]. Lapiotis et al. [2] have proposed policy based management over the link layer. This work was extended in our previous work [18]. The application of spatio-temporal RBAC models in wireless network security is in its infancy. Laborde et al. [11] present a coloured Petri net based tool which allows a given network topology, the security mechanisms and the required goals to be described graphically. In this work, the authors model the security policies through generalized RBAC without considering time and location dependent service access. Moreover, the proposed tool is not applicable to wireless networks. To the best of our knowledge, the only work which uses spatio-temporal RBAC in wireless networks is by Tomur and Erten [10]. They present a layered security architecture to control access in organizational wireless networks based on an STRBAC model, using tested wired network components such as VPNs and firewalls. However, this work does not describe the modeling of STRBAC policies using existing ACL standards. In our proposed WLAN policy management system, the global access policies are represented through a formal STRBAC model and implemented through distributed wireless policy zone controllers, which obtain the high level policy configurations from the global policy server, derive correct low level access configurations and validate them. This makes the task of policy enforcement and validation easier and more efficient.


The proposed WLAN policy management system shown in Fig. 1 stems from the notion of wireless policy zones. A policy zone comprises one or more wireless access points (APs), a dedicated Wireless Policy Zone Controller (WPZCon), a home agent (HA), a foreign agent (FA) and a Local Role Server (LRS), and is separated from other zones by a zone router.
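To make the mobile IP bookkeeping inside a policy zone concrete, here is an added Python example that is not from the paper: a home agent with its mobility binding table ⟨α, τ, l̃⟩, a foreign agent with its visitor list ⟨α, ψ, w, l̃⟩ that hands out a care-of address only to hosts whose MAC is registered with the CARS, lifetime expiry on both tables, and a cross-check that reports a host whose binding has expired on one agent but not the other. All addresses, MAC addresses, lifetimes and the CARS interface are constructed for the example and are not the paper's own identifiers.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    """Home agent mobility-binding entry <alpha, tau, l~>."""
    home_addr: str   # alpha: permanent home address
    care_of: str     # tau: temporary care-of address in the visited zone
    lifetime: int    # l~: remaining association lifetime, in seconds


@dataclass
class Visitor:
    """Foreign agent visitor-list entry <alpha, psi, w, l~>."""
    home_addr: str   # alpha
    home_agent: str  # psi: address of the home agent
    mac: str         # w: MAC address of the mobile node
    lifetime: int    # l~


class CARS:
    """Central Authentication & Role Server (assumed interface): every host registers its MAC once."""
    def __init__(self):
        self._roles = {}

    def register(self, mac, role):
        self._roles[mac.lower()] = role

    def role_of(self, mac):
        return self._roles.get(mac.lower())


class HomeAgent:
    def __init__(self, addr):
        self.addr = addr
        self.bindings = {}            # alpha -> Binding

    def update_binding(self, alpha, tau, lifetime):
        self.bindings[alpha] = Binding(alpha, tau, lifetime)

    def care_of(self, alpha):
        b = self.bindings.get(alpha)
        return b.care_of if b else None

    def tick(self, seconds):
        """Age every binding; drop the ones whose lifetime has run out."""
        for alpha, b in list(self.bindings.items()):
            b.lifetime -= seconds
            if b.lifetime <= 0:
                del self.bindings[alpha]


class ForeignAgent:
    def __init__(self, addr, care_of_pool):
        self.addr = addr
        self.pool = list(care_of_pool)  # care-of addresses available in this zone
        self.visitors = {}              # alpha -> Visitor
        self.assigned = {}              # alpha -> tau handed out

    def admit(self, alpha, psi, mac, lifetime, cars):
        """Admit a visiting node only if the CARS knows its MAC; hand out a new tau."""
        if cars.role_of(mac) is None or not self.pool:
            return None
        tau = self.pool.pop(0)
        self.visitors[alpha] = Visitor(alpha, psi, mac, lifetime)
        self.assigned[alpha] = tau
        return tau

    def tick(self, seconds):
        """Age every visitor entry; return the care-of address of expired ones to the pool."""
        for alpha, v in list(self.visitors.items()):
            v.lifetime -= seconds
            if v.lifetime <= 0:
                del self.visitors[alpha]
                self.pool.append(self.assigned.pop(alpha))


def move_node(cars, ha, fa, alpha, mac, lifetime):
    """A node with home address alpha arrives in fa's zone: the FA admits it and the
    HA records the care-of address. Returns tau, or None if the node was refused."""
    tau = fa.admit(alpha, ha.addr, mac, lifetime, cars)
    if tau is not None:
        ha.update_binding(alpha, tau, lifetime)
    return tau


def inconsistencies(ha, fa):
    """Cross-check the two tables: a visitor the FA still holds for this HA must have a
    matching binding, and a binding pointing into this FA's zone must have a visitor entry."""
    bad = []
    for alpha, v in fa.visitors.items():
        if v.home_agent == ha.addr and ha.care_of(alpha) != fa.assigned.get(alpha):
            bad.append(alpha)
    for alpha, b in ha.bindings.items():
        if b.care_of in fa.assigned.values() and alpha not in fa.visitors:
            bad.append(alpha)
    return bad


def scenario():
    """Constructed walk-through; returns the observable results as a dict."""
    cars = CARS()
    cars.register("00:11:22:33:44:55", "student")
    ha = HomeAgent("10.0.1.1")
    fa = ForeignAgent("10.0.2.1", ["10.0.2.100", "10.0.2.101"])
    out = {}
    out["tau"] = move_node(cars, ha, fa, "10.0.1.50", "00:11:22:33:44:55", lifetime=300)
    out["ha_care_of"] = ha.care_of("10.0.1.50")
    out["consistent"] = inconsistencies(ha, fa) == []
    out["unknown_mac"] = move_node(cars, ha, fa, "10.0.1.51", "de:ad:be:ef:00:01", 300)
    ha.tick(120)
    fa.tick(120)
    out["still_bound"] = ha.care_of("10.0.1.50")
    ha.tick(200)                                   # HA ages first: its binding expires
    out["skew_detected"] = inconsistencies(ha, fa)  # FA still lists the visitor
    fa.tick(200)
    out["after_expiry"] = ha.care_of("10.0.1.50")
    out["pool_restored"] = len(fa.pool)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The cross-check is the point of the exercise: because the home agent's binding and the foreign agent's visitor entry carry independent lifetimes, the two tables can drift apart, and a zone controller that derives access rules from the care-of address should treat such a mismatch as a host whose layer 3 mapping is no longer trustworthy rather than silently use either copy.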
